WO2022094976A1 - Key generation method and apparatus - Google Patents

Publication number
WO2022094976A1
Authority
WO
WIPO (PCT)
Prior art keywords
access network
network device
base station
iab
secondary base
Application number
PCT/CN2020/127300
Inventor
郭龙华
朱元萍
胡力
吴荣
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to AU2020476322A: AU2020476322B2 (en)
Priority to CA3200852A: CA3200852A1 (en)
Priority to EP20960437.0A: EP4231717A4 (en)
Priority to PCT/CN2020/127300: WO2022094976A1 (zh)
Priority to CN202080106763.8A: CN116508356A (zh)
Publication of WO2022094976A1 (zh)
Priority to US18/311,998: US20230319554A1 (en)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/80 Ingress point selection by the source endpoint, e.g. selection of ISP or POP
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W40/00 Communication routing or communication path finding
    • H04W40/02 Communication route or path selection, e.g. power-based or shortest path routing
    • H04W40/22 Communication route or path selection, e.g. power-based or shortest path routing using selective relaying for reaching a BTS [Base Transceiver Station] or an access point
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H04W76/15 Setup of multiple wireless link connections
    • H04W76/16 Involving different core network technologies, e.g. a packet-switched [PS] bearer in combination with a circuit-switched [CS] bearer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04 Large scale networks; Deep hierarchical networks
    • H04W84/042 Public Land Mobile systems, e.g. cellular systems
    • H04W84/047 Public Land Mobile systems, e.g. cellular systems using dedicated repeater stations

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a method and device for generating a key.
  • the 5th generation (5G) mobile communication system uses integrated access backhaul (IAB) technology.
  • IAB integrated access backhaul
  • base stations can be divided into IAB nodes (nodes) and IAB donor base stations (donors).
  • the IAB donor is used to provide the user equipment interface to the core network and support the wireless backhaul function of the IAB node.
  • the IAB node can support wireless access of terminal equipment and wireless backhaul of data. Since the data exchange between the IAB donor and the IAB node can be carried out through the wireless backhaul link, there is no need to lay cables between the IAB donor and the IAB node. This makes the deployment of IAB nodes more flexible.
  • a secure tunnel for example, an internet protocol security (IPsec) secure tunnel
  • IPsec internet protocol security
  • the IAB node can be enabled to support dual connectivity (DC) to deal with possible abnormal situations in the wireless backhaul link, such as interruption or blocking of the wireless backhaul link.
  • DC dual connectivity
  • the present application provides a key generation method and device, which are used to ensure that the IAB donor and the IAB node generate the same K_IAB in a dual connection scenario.
  • a method for generating a key, including: a first access network device determines that a first device registered to a 5G core network through the first access network device is an IAB node; and when a secondary base station needs to be selected for the first device, if the first access network device does not have the IAB donor function, the first access network device selects a second access network device with the IAB donor function as the secondary base station of the first device.
  • the first access network device obtains the first key input parameter associated with the second access network device; the first access network device generates the first IAB key K_IAB1 according to the master base station key and the first key input parameter; the master base station key is used to secure the communication between the master base station (the first access network device) and the first device, and K_IAB1 is used to establish the connection between the second access network device and the first device.
  • if it does not have the IAB donor function, the first access network device may select, for the first device, a second access network device with the IAB donor function as the secondary base station, which ensures that in a dual-connection scenario there is an access network device acting as the IAB donor to provide corresponding services for the first device.
  • in a dual-connection scenario such as NE-DC, NR-DC, or NGEN-DC, the first access network device generates a first IAB key K_IAB1 according to the master base station key and the first key input parameter, and sends K_IAB1 to the second access network device.
  • the IAB key generated by the master base station key is uniformly used between the IAB node and the IAB donor, thereby ensuring that the same IAB key can be used as the authentication credential to establish a secure tunnel between the IAB node and the IAB donor.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device, including: the first access network device sends a first request message to the second device, where the first request message includes the identifier of the first device; the first access network device receives the first response message sent by the second device, and the first response message includes the identifier of the second access network device.
  • the first key input parameter includes a first IP address and a second IP address
  • the first IP address is the IP address used by the first device to communicate with the IAB donor
  • the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • acquiring the first key input parameter associated with the second access network device by the first access network device includes: the first access network device sends a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device, the secondary base station configuration message includes first indication information and/or second indication information, the first indication information is used to request the first IP address, and the second indication information is used to request the second IP address; the first access network device receives the secondary base station configuration response message sent by the second access network device, and the secondary base station configuration response message includes the first IP address and/or the second IP address.
  • the first access network device obtains the first key input parameter by reusing the existing process, which helps to save signaling overhead and simplify the operation process.
  • the secondary base station configuration message includes the secondary base station key derived from the primary base station key, and the secondary base station key is used for security protection of the communication between the secondary base station and the first device.
  • the above key generation method further includes: the first access network device sends the first IP address to the first device.
  • obtaining the first key input parameter associated with the second access network device by the first access network device includes: the first access network device receives an IP address notification message sent by the first device, and the IP address notification message includes the first IP address; the first access network device sends a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device, the secondary base station configuration message includes second indication information, and the second indication information is used to request a second IP address; the first access network device receives the secondary base station configuration response message sent by the second access network device, and the secondary base station configuration response message includes the second IP address.
  • the first access network device can obtain the first IP address through the first device, and obtain the second IP address through the second access network device.
  • the above key generation method further includes: if the first access network device has an IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device; the first access network device obtains a second key input parameter associated with the first access network device; the first access network device generates a second IAB key K_IAB2 according to the master base station key and the second key input parameter, and K_IAB2 is used to establish a secure tunnel between the first access network device and the first device.
  • the second key input parameter includes: the first IP address and the third IP address, the first IP address is the IP address that the first device is used to communicate with the IAB donor, and the third IP address is the first IP address.
  • obtaining the second key input parameter associated with the first access network device by the first access network device includes: the first access network device assigns the first IP address to the first device; the first access network device obtains the third IP address from the database.
  • acquiring the second key input parameter associated with the first access network device by the first access network device includes: the first access network device receives an IP address notification message sent by the first device, and the IP address notification message includes the first IP address; the first access network device obtains the third IP address from the database.
  • a second aspect provides a key generation method, including: a second access network device receives a secondary base station configuration message sent by a first access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device; when the secondary base station configuration message includes third indication information, the second access network device determines whether it has the IAB donor function, where the third indication information is used to indicate that the first device is an IAB node; when the second access network device has the IAB donor function, the second access network device obtains the first IAB key K_IAB1 from the first access network device; K_IAB1 is used to establish a secure tunnel between the second access network device and the first device, K_IAB1 is generated according to the master base station key, and the master base station key is used to secure the communication between the first access network device and the first device.
  • with the second access network device with the IAB donor function as the secondary base station of the first device, it is ensured that in the dual-connection scenario there is an access network device acting as the IAB donor to provide corresponding services for the IAB node (that is, the first device).
  • the second access network device enables the IAB node and the IAB donor to uniformly use the IAB key generated with the master base station key, thereby ensuring that a secure tunnel can be established between the IAB node and the IAB donor with the same IAB key as the authentication credential.
  • K_IAB1 is generated according to the master base station key, including: K_IAB1 is generated according to the master base station key and the first key input parameter.
  • the first key input parameter includes a first IP address and a second IP address, the first IP address is the IP address used by the first device to communicate with the IAB donor, and the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • the secondary base station configuration message further includes first indication information and/or second indication information, where the first indication information is used to request the first IP address, and the second indication information is used to request the second IP address.
  • the above key generation method further includes: the second access network device sends a secondary base station configuration response message to the first access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
  • the second access network device acquiring K_IAB1 from the first access network device includes: the second access network device receives a secondary base station reconfiguration complete message sent by the first access network device, and the secondary base station reconfiguration complete message includes K_IAB1.
  • the second access network device acquiring K_IAB1 from the first access network device includes: the second access network device sends a key request message to the first access network device, where the key request message is used to request K_IAB1; the second access network device receives a key response message sent by the first access network device, and the key response message includes K_IAB1.
  • the key request message further includes the first IP address and/or the second IP address.
  • a method for generating a key is provided, which is applied to a scenario where a first device is connected to a primary base station and a secondary base station, and the first device has an IAB node function.
  • the key generation method includes: the first device determines the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station and the communication standard supported by the core network; when the type of dual connection is NE-DC, NR-DC or NGEN-DC, the first device generates an IAB key K_IAB according to the master base station key, and the master base station key is used for security protection of the communication between the first device and the master base station.
  • the IAB node determines the type of dual connection, so in the NE-DC, NR-DC or NGEN-DC scenario, the IAB node uses the master base station key to generate the IAB key K_IAB, so that the IAB key generated with the master base station key is uniformly used between the IAB node and the IAB donor, thereby ensuring that the same IAB key can be used as the authentication credential to establish a secure tunnel between the IAB node and the IAB donor.
  • the above-mentioned key generation method further includes: the first device receives a broadcast message of the main base station; the first device determines a communication standard supported by the main base station according to a configuration parameter in the broadcast message, and the configuration parameter includes one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency point or downlink frequency point.
  • the first device determines the communication standard supported by the main base station according to the configuration parameters in the broadcast message, including: when the configuration parameters in the broadcast message belong to the 5G communication system, the first device determines that the main base station supports the 5G communication standard; or, when the configuration parameter in the broadcast message belongs to the 4G communication system, the first device determines that the primary base station supports the 4G communication standard.
  • the above key generation method further includes: the first device receives an RRC reconfiguration message sent by the primary base station, where the RRC reconfiguration message includes configuration information of the secondary cell group; and the first device determines the communication standard supported by the secondary base station according to the configuration information of the secondary cell group.
  • the first device determines the communication standard supported by the secondary base station according to the RRC reconfiguration message, including: when the configuration information of the secondary cell group belongs to the 5G communication standard, the first device determines that the secondary base station supports the 5G communication standard; or, when the configuration information of the secondary cell group belongs to the 4G communication standard, the first device determines that the secondary base station supports the 4G communication standard.
  • the above key generation method further includes: the first device receives a broadcast message sent by the primary base station; and the first device determines a communication standard supported by the core network according to the cell configuration information in the broadcast message.
  • the first device determines the communication standard supported by the core network according to the cell configuration information in the broadcast message, including: when the cell configuration information belongs to the 5G communication standard, the first device determines that the core network supports the 5G communication standard; or, when the cell configuration information belongs to the 4G communication standard, the first device determines that the core network supports the 4G communication standard.
  • the first device determines the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network, including: when the primary base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard, the first device determines that the dual connection type is NE-DC; or, when the primary base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connection type is NR-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connection type is NGEN-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, the first device determines that the dual connection type is EN-DC.
  • a method for generating a key, comprising: determining, by a first access network device, that a first device registered to a network through the first access network device is an IAB node; if the first access network device has an IAB donor function, the first access network device selects the third access network device as the secondary base station of the first device; the first access network device generates a second IAB key K_IAB2 according to the secondary base station key, K_IAB2 is used to establish a secure tunnel between the first access network device and the first device, and the secondary base station key is used to secure the communication between the secondary base station and the first device.
  • since the first access network device determines that the first device is an IAB node, and the first access network device has the IAB donor function, the first access network device can serve as the IAB donor of the first device. Furthermore, in the dual-connection scenario, the first access network device generates K_IAB2 according to the secondary base station key, so that the IAB node and the IAB donor uniformly use the IAB key generated with the secondary base station key, thereby ensuring that a secure tunnel can be established between the IAB node and the IAB donor using the same IAB key as the authentication credential.
  • the secondary base station key is derived from the primary base station key, and the primary base station key is used for security protection of the communication between the first access network device and the first device.
  • the method further includes: the first access network device sends a secondary base station configuration message to the second access network device, and the secondary base station configuration message includes the secondary base station key; the first access network device receives the secondary base station configuration response message sent by the second access network device.
  • the first access network device generates K_IAB2 according to the secondary base station key, including: after the first access network device sends the secondary base station configuration message, generating K_IAB2 according to the secondary base station key.
  • the first access network device generates K_IAB2 according to the secondary base station key, including: after the first access network device receives the secondary base station configuration response message, generating K_IAB2 according to the secondary base station key.
  • the above-mentioned key generation method also includes: if the first access network device does not have the IAB donor function, then the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • a method for generating a key is provided, which is applied to a scenario where a first device is connected to a primary base station and a secondary base station, and the first device has an IAB node function.
  • the key generation method includes: the first device determines the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station and the communication standard supported by the core network; when the type of dual connection is NE-DC, NR-DC or NGEN-DC, the first device generates an IAB key K_IAB according to the secondary base station key, and the secondary base station key is used for security protection of the communication between the first device and the secondary base station.
  • the IAB node determines the type of dual connectivity, so that in the NE-DC, NR-DC or NGEN-DC scenario, the IAB node uses the secondary base station key to generate the IAB key K_IAB, so that the IAB key generated with the secondary base station key is uniformly used between the IAB node and the IAB donor, thereby ensuring that the same IAB key can be used as the authentication credential to establish a secure tunnel between the IAB node and the IAB donor.
  • a method for generating a key is provided, which is applied to a scenario where a first device is connected to a primary base station and a secondary base station, and the first device has an IAB node function.
  • the key generation method includes: the first device learns whether the primary base station or the secondary base station is the IAB donor; when the primary base station is the IAB donor, the first device generates the IAB key according to the primary base station key and the key input parameters, where the IAB key is used for establishing a secure tunnel between the IAB node and the IAB donor, and the primary base station key is used to secure the communication between the first device and the primary base station; or, when the secondary base station is the IAB donor, the first device generates the IAB key according to the secondary base station key and the key input parameters, where the secondary base station key is used to secure the communication between the first device and the secondary base station.
  • when the primary base station is used as the IAB donor, it is ensured that both the IAB node and the IAB donor use the primary base station key to generate the IAB key.
  • when the secondary base station is used as the IAB donor, it is ensured that both the IAB node and the IAB donor use the secondary base station key to generate the IAB key. In this way, it is guaranteed that in the dual connection scenario, the same IAB key can be used as the authentication credential to establish a secure tunnel between the IAB donor and the IAB node.
  • the first device learns whether the primary base station or the secondary base station is the IAB donor, including: when the first device receives the fourth indication information, the first device learns that the primary base station is the IAB donor, where the fourth indication information is used to indicate that the primary base station is an IAB donor; or, when the first device receives the fifth indication information, the first device learns that the secondary base station is an IAB donor, where the fifth indication information is used to indicate that the secondary base station is an IAB donor.
  • the first device learns whether the primary base station or the secondary base station is the IAB donor, including: when a wireless backhaul link is established between the first device and the primary base station, the first device learns that the primary base station is the IAB donor; or, when a wireless backhaul link is established between the first device and the secondary base station, the first device learns that the secondary base station is an IAB donor.
  • the first device learns whether the primary base station or the secondary base station is the IAB donor, including: the first device obtains the frequency band supported by the primary base station and the frequency band supported by the secondary base station; when the frequency band supported by the primary base station is higher than the frequency band supported by the secondary base station, the first device learns that the primary base station is an IAB donor; or, when the frequency band supported by the primary base station is lower than the frequency band supported by the secondary base station, the first device learns that the secondary base station is an IAB donor.
  • the first device learns whether the primary base station or the secondary base station is the IAB donor, including: when the first device receives the sixth indication information broadcast by the primary base station, the first device learns that the primary base station is the IAB donor; or, when the first device receives the sixth indication information broadcast by the secondary base station, the first device learns that the secondary base station is an IAB donor; wherein the sixth indication information is used to indicate that the base station has an IAB donor function.
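Added example (not part of the patent text): a sketch of the rule above that the IAB node and the IAB donor must derive the IAB key from the same base station key, using the frequency-band rule to learn the donor. The KDF (HMAC-SHA-256 over length-suffixed inputs), the function-code placeholder, the parameter order, the use of two IP addresses as the key input parameters, and all keys and addresses are assumptions constructed for illustration; the page does not specify them for this method.

```python
import hashlib
import hmac
import ipaddress

# Assumption: placeholder function code; the page gives no KDF constants.
FC_PLACEHOLDER = b"\x00"

# Constructed sample values (not from the page).
K_PRIMARY = hashlib.sha256(b"constructed primary base station key").digest()
# The page says the secondary key is derived from the primary key; this
# derivation is a constructed stand-in for that step.
K_SECONDARY = hmac.new(K_PRIMARY, b"constructed secondary derivation",
                       hashlib.sha256).digest()
NODE_IP = "2001:db8::10"   # documentation-range address for the IAB node
DONOR_IP = "2001:db8::1"   # documentation-range address for the IAB donor


def encode_param(value: bytes) -> bytes:
    """Append a 2-byte length so adjacent inputs cannot be confused."""
    return value + len(value).to_bytes(2, "big")


def derive_k_iab(base_key: bytes, node_ip: str, donor_ip: str) -> bytes:
    """Derive a 256-bit IAB key from a base station key and two IP addresses."""
    if len(base_key) != 32:
        raise ValueError("base station key must be 256 bits")
    s = FC_PLACEHOLDER
    for ip in (donor_ip, node_ip):
        s += encode_param(ipaddress.ip_address(ip).packed)
    return hmac.new(base_key, s, hashlib.sha256).digest()


def donor_from_bands(primary_band_mhz: float, secondary_band_mhz: float) -> str:
    """Frequency-band rule from the page: the higher band is the IAB donor."""
    if primary_band_mhz > secondary_band_mhz:
        return "primary"
    if primary_band_mhz < secondary_band_mhz:
        return "secondary"
    raise ValueError("equal bands: the page defines no rule for this case")


def select_base_key(donor_role: str, k_primary: bytes, k_secondary: bytes) -> bytes:
    """Primary donor -> primary base station key; secondary donor -> secondary key."""
    if donor_role == "primary":
        return k_primary
    if donor_role == "secondary":
        return k_secondary
    raise ValueError(f"unknown donor role: {donor_role!r}")


def tunnel_keys_match(node_view: str, donor_role: str) -> bool:
    """Compare the key the IAB node derives with the key the donor side holds.

    node_view is the role the node believes the donor has; donor_role is the
    role the network actually used when generating the IAB key.
    """
    node_key = derive_k_iab(
        select_base_key(node_view, K_PRIMARY, K_SECONDARY), NODE_IP, DONOR_IP)
    donor_key = derive_k_iab(
        select_base_key(donor_role, K_PRIMARY, K_SECONDARY), NODE_IP, DONOR_IP)
    return hmac.compare_digest(node_key, donor_key)


if __name__ == "__main__":
    # Constructed bands: primary at 1800 MHz, secondary at 3500 MHz.
    role = donor_from_bands(1800, 3500)
    print("donor learned by node:", role)
    print("same base key on both sides:", tunnel_keys_match(role, "secondary"))
    print("node wrongly uses primary key:", tunnel_keys_match("primary", "secondary"))
```

A mismatch in the last case means the tunnel's pre-shared credential differs on the two ends, so authentication of the secure tunnel fails rather than silently succeeding.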
  • a communication apparatus is provided, which is applied to a first access network device.
  • the communication device includes: a processing module and a communication module.
  • the processing module is used to determine that the first device registered to the 5G core network is an IAB node; when it is necessary to select a secondary base station for the first device, determine whether it has the IAB donor function; if it does not have the IAB donor function, select a second access network device that has the IAB donor function as the secondary base station of the first device; obtain the first key input parameter associated with the second access network device; and generate a first IAB key K IAB1 according to the master base station key and the first key input parameter, where the master base station key is used to secure the communication between the master base station (the first access network device) and the first device, and K IAB1 is used to establish a secure tunnel between the second access network device and the first device.
  • a communication module configured to send K IAB1 to the second access network device.
  • the communication module is further configured to send a first request message to the second device, where the first request message includes the identifier of the first device; and receive a first response message sent by the second device, where the first response message includes the identifier of the second access network device.
  • the first key input parameter includes a first IP address and a second IP address, the first IP address is the IP address used by the first device to communicate with the IAB donor, and the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • the communication module is configured to send a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as a secondary base station of the first device, and the secondary base station configuration message includes first indication information and/or second indication information, the first indication information being used to request the first IP address and the second indication information being used to request the second IP address; and receive the secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
  • the secondary base station configuration message includes the secondary base station key derived from the primary base station key, and the secondary base station key is used for security protection of the communication between the secondary base station and the first device.
  • the communication module is further configured to send the first IP address to the first device.
  • the communication module is further configured to receive an IP address notification message sent by the first device, where the IP address notification message includes the first IP address; send a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device, the secondary base station configuration message includes second indication information, and the second indication information is used to request the second IP address; and receive the secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the second IP address.
  • the processing module is further configured to select the third access network device as the secondary base station of the first device if it has the IAB donor function; obtain the second key input parameter associated with the first access network device; and generate a second IAB key K IAB2 according to the master base station key and the second key input parameter, where K IAB2 is used to establish a secure tunnel between itself and the first device.
  • the second key input parameter includes: the first IP address and the third IP address, the first IP address is the IP address that the first device is used to communicate with the IAB donor, and the third IP address is the first IP address.
  • the processing module is further configured to assign the first IP address to the first device; and obtain the third IP address from the database.
  • the communication module is further configured to receive an IP address notification message sent by the first device, where the IP address notification message includes the first IP address.
  • the processing module is also used to obtain the third IP address from the database.
  • a communication apparatus is provided, which is applied to a second access network device.
  • the communication device includes: a communication module and a processing module.
  • the communication module is configured to receive a secondary base station configuration message sent by the first access network device, where the secondary base station configuration message is used to configure the second access network device as a secondary base station of the first device.
  • the processing module is configured to determine whether the secondary base station has an IAB donor function when the configuration message of the secondary base station includes third indication information, and the third indication information is used to indicate that the first device is an IAB node.
  • the communication module is further configured to obtain the first IAB key K IAB1 from the first access network device when it has the IAB donor function, where K IAB1 is used to establish a secure tunnel between the second access network device and the first device, K IAB1 is generated according to the master base station key, and the master base station key is used to secure the communication between the first access network device and the first device.
  • K IAB1 is generated according to the master base station key, including: K IAB1 is generated according to the master base station key and the first key input parameter.
  • the first key input parameter includes a first IP address and a second IP address, the first IP address is the IP address used by the first device to communicate with the IAB donor, and the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • the secondary base station configuration message further includes first indication information and/or second indication information, where the first indication information is used to request the first IP address, and the second indication information is used to request the second IP address.
  • the communication module is further configured to send a secondary base station configuration response message to the first access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
  • the communication module is specifically configured to receive a secondary base station reconfiguration complete message sent by the first access network device, where the secondary base station reconfiguration complete message includes the K IAB1 .
  • the communication module is specifically configured to send a key request message to the first access network device, where the key request message is used to request the K IAB1 ; and receive the key response message sent by the first access network device, where the key response message includes the K IAB1 .
  • the key request message further includes the first IP address and/or the second IP address.
  • a communication apparatus is provided, which is applied to the first device.
  • the communication device includes: a processing module.
  • the processing module is used to determine the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; when the type of dual connection is NE-DC, NR-DC or NGEN-DC, K IAB is generated according to the master base station key and the key input parameter, where the master base station key is used to secure the communication between the first device and the master base station.
  • the communication device further includes a communication module.
  • the communication module is used for receiving the broadcast message of the main base station.
  • the processing module is further configured to determine the communication standard supported by the main base station according to the configuration parameters in the broadcast message, and the configuration parameters include one or more of the following: base station identification, logical cell identification, physical cell identification, uplink frequency point or downlink frequency point.
  • the processing module is specifically used to determine that the main base station supports the 5G communication system when the configuration parameters in the broadcast message belong to the 5G communication system; or, when the configuration parameters in the broadcast message belong to the 4G communication system, determine that the main base station supports the 4G communication system.
  • the communication device further includes a communication module.
  • the communication module is configured to receive an RRC reconfiguration message sent by the primary base station, where the RRC reconfiguration message includes configuration information of the secondary cell group.
  • the processing module is configured to determine the communication standard supported by the secondary base station according to the configuration information of the secondary cell group.
  • the processing module is specifically configured to determine that the secondary base station supports the 5G communication mode when the configuration information of the secondary cell group belongs to the 5G communication mode; or, when the configuration information of the secondary cell group belongs to the 4G communication mode, to determine that the secondary base station supports the 4G communication standard.
  • the communication device further includes a communication module.
  • the communication module is used for receiving broadcast messages sent by the main base station.
  • the processing module is configured to determine the communication standard supported by the core network according to the cell configuration information in the broadcast message.
  • the processing module is specifically used to determine that the core network supports the 5G communication mode when the cell configuration information belongs to the 5G communication mode; or, when the cell configuration information belongs to the 4G communication mode, determine that the core network supports the 4G communication mode.
  • the processing module is specifically used to determine the dual connection type as NE-DC when the primary base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard; or, when the primary base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine the dual connection type as NR-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connection type is NGEN-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, determine that the dual connection type is EN-DC.
  • a tenth aspect provides a communication apparatus, which is applied to a first access network device.
  • the communication device includes: a processing module.
  • the processing module is used to determine that the first device registered to the network is an IAB node; when it is necessary to select a secondary base station for the first device, determine whether it has the IAB donor function; if it has the IAB donor function, select a third access network device as the secondary base station of the first device; and generate an IAB key K IAB according to the secondary base station key, where K IAB is used to establish a secure tunnel between itself and the first device, and the secondary base station key is used to secure the communication between the secondary base station and the first device.
  • the secondary base station key is derived from the primary base station key, and the primary base station key is used for security protection of the communication between the first access network device and the first device.
  • the communication device further includes a communication module.
  • a communication module configured to send a secondary base station configuration message to the second access network device after the processing module generates the K IAB , where the secondary base station configuration message includes the secondary base station key; and receives a secondary base station configuration response sent by the second access network device information.
  • the processing module is specifically configured to generate K IAB according to the secondary base station key after the communication module sends the secondary base station configuration message.
  • the processing module is specifically configured to generate K IAB according to the secondary base station key after receiving the secondary base station configuration response message.
  • the processing module is also used to select the second access network device with the IAB donor function as the secondary base station of the first device if it does not have the IAB donor function;
  • the secondary base station configuration message, the secondary base station configuration message includes the secondary base station key.
  • a communication apparatus is provided, which is applied to a first device.
  • the communication device includes: a processing module.
  • the processing module is used to determine the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; when the type of dual connection is NE-DC, NR-DC or NGEN-DC, K IAB is generated according to the secondary base station key, where the secondary base station key is used to secure the communication between the first device and the secondary base station.
  • the communication device further includes a communication module.
  • the communication module is used for receiving the broadcast message of the main base station.
  • the processing module is further configured to determine the communication standard supported by the main base station according to the configuration parameters in the broadcast message, and the configuration parameters include one or more of the following: base station identification, logical cell identification, physical cell identification, uplink frequency point or downlink frequency point.
  • the processing module is specifically used to determine that the main base station supports the 5G communication system when the configuration parameters in the broadcast message belong to the 5G communication system; or, when the configuration parameters in the broadcast message belong to the 4G communication system, determine that the main base station supports the 4G communication system.
  • the communication device further includes a communication module.
  • the communication module is configured to receive an RRC reconfiguration message sent by the primary base station, where the RRC reconfiguration message includes configuration information of the secondary cell group.
  • the processing module is configured to determine the communication standard supported by the secondary base station according to the configuration information of the secondary cell group.
  • the processing module is specifically configured to determine that the secondary base station supports the 5G communication mode when the configuration information of the secondary cell group belongs to the 5G communication mode; or, when the configuration information of the secondary cell group belongs to the 4G communication mode, to determine that the secondary base station supports the 4G communication standard.
  • the communication device further includes a communication module.
  • the communication module is used for receiving broadcast messages sent by the main base station.
  • the processing module is configured to determine the communication standard supported by the core network according to the cell configuration information in the broadcast message.
  • the processing module is specifically used to determine that the core network supports the 5G communication mode when the cell configuration information belongs to the 5G communication mode; or, when the cell configuration information belongs to the 4G communication mode, determine that the core network supports the 4G communication mode.
  • the processing module is specifically used to determine the dual connection type as NE-DC when the primary base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard; or, when the primary base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine the dual connection type as NR-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connection type is NGEN-DC; or, when the primary base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, determine that the dual connection type is EN-DC.
  • a twelfth aspect provides a communication apparatus, which is applied to a first device, where the first device has an IAB node function.
  • the communication device includes: a processing module.
  • the processing module is used to learn whether the primary base station or the secondary base station is the IAB donor; when the primary base station is the IAB donor, generate the IAB key according to the primary base station key and key input parameters, where the IAB key is used to establish a secure tunnel between the IAB node and the IAB donor; or, when the secondary base station is an IAB donor, generate an IAB key according to the secondary base station key and key input parameters.
  • the processing module is specifically used to learn that the primary base station is an IAB donor when receiving the fourth indication information, where the fourth indication information is used to indicate that the primary base station is an IAB donor; or, when receiving the fifth indication information, learn that the secondary base station is an IAB donor, where the fifth indication information is used to indicate that the secondary base station is an IAB donor.
  • the processing module is specifically used to learn that the primary base station is an IAB donor when a wireless backhaul link is established between the communication device and the primary base station; or, when a wireless backhaul link is established between the communication device and the secondary base station, learn that the secondary base station is an IAB donor.
  • the processing module is specifically used to obtain the frequency band supported by the primary base station and the frequency band supported by the secondary base station; when the frequency band supported by the primary base station is higher than the frequency band supported by the secondary base station, learn that the primary base station is an IAB donor; or, when the frequency band supported by the primary base station is lower than the frequency band supported by the secondary base station, learn that the secondary base station is an IAB donor.
  • the processing module is specifically configured to learn that the primary base station is an IAB donor when receiving the sixth indication information broadcast by the primary base station; or, when receiving the sixth indication information broadcast by the secondary base station, learn that the secondary base station is an IAB donor; wherein the sixth indication information is used to indicate that the base station has the IAB donor function.
  • a thirteenth aspect provides a communication device, including a processor and a communication port, the processor is configured to execute computer program instructions, so that the communication device implements any one of the designs provided in any one of the first to sixth aspects.
  • a computer-readable storage medium stores instructions, when the instructions are executed on a computer, the computer is made to implement any one of the first to sixth aspects.
  • a fifteenth aspect provides a computer program product, the computer program product comprising instructions, when the computer program product runs on a computer, causing the computer to implement any one of the designs provided in any one of the first to sixth aspects the methods involved.
  • a sixteenth aspect provides a chip, the chip includes a processor, and when the processor executes computer program instructions, the computer is enabled to implement the method involved in any one of the designs provided in any one of the first to sixth aspects.
  • for the technical effect brought by any one of the designs in the above seventh aspect to the sixteenth aspect, refer to the beneficial effects of the corresponding method provided above and the technical effect brought by its designs; they are not repeated here.
  • FIG. 2 is a schematic diagram of an IAB networking scenario provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a user plane protocol stack in an IAB network according to an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a control plane protocol stack in an IAB network according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of an IAB node adopting an EN-DC mode provided by an embodiment of the present application.
  • FIG. 6 is a flowchart of generating an IAB key in an EN-DC scenario provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of an IAB node adopting an NE-DC mode provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an IAB node adopting an NR-DC mode according to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of an IAB node adopting NGEN-DC mode provided by an embodiment of the present application.
  • FIG. 10 is a flowchart of a method for generating a key provided by an embodiment of the present application.
  • FIG. 11 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 13 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 16 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 17 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 21 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 25 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 26 is a flowchart of another key generation method provided by an embodiment of the present application.
  • FIG. 28 is a schematic structural diagram of a communication device according to an embodiment of the present application.
  • FIG. 29 is a schematic diagram of a hardware structure of a communication device according to an embodiment of the present application.
  • DC can support two or more base stations to provide data transmission service for one terminal device at the same time.
  • These base stations include a primary base station and one or more secondary base stations.
  • the above-mentioned primary base station may also be referred to as a master node (master node, MN) or a main access network device, and the above-mentioned secondary base station may also be referred to as a secondary node (secondary node, SN) or an auxiliary access network device.
  • the main base station and the core network are connected through the S1/NG interface.
  • the main base station and the core network at least include a control plane connection, and may also have a user plane connection.
  • the S1 interface includes S1-U and S1-C.
  • the NG interface includes NG-U and NG-C. Among them, S1-U/NG-U represents the user plane connection, and S1-C/NG-C represents the control plane connection.
  • There may or may not be a user plane connection between the secondary base station and the core network.
  • the data of the terminal equipment can be offloaded by the primary base station to the secondary base station at the packet data convergence protocol (PDCP) layer.
  • According to the communication standards supported by the primary base station, the secondary base station, and the core network to which the primary base station is connected, there can be multiple types of dual connectivity.
  • the following table 1 is used as an example to describe the type of dual connection.
  • the primary base station manages a primary cell (PCell).
  • the primary cell refers to a cell deployed at the primary frequency point and accessed when the terminal initiates the initial connection establishment process or the RRC connection re-establishment process, or is indicated as the primary cell during the handover process.
  • the primary base station may also manage one or more secondary cells (secondary cells, SCells).
  • the cells under the main base station that provide services for the terminal, such as the primary cell and the secondary cells under the main base station, may form a master cell group (MCG).
  • the secondary base station manages a primary secondary cell (primary secondary cell, PSCell).
  • the primary secondary cell may be a cell accessed by the terminal during the random access process initiated by the terminal to the secondary base station, or a cell on another secondary base station on which the terminal skips the random access process and initiates data transmission during a secondary base station change, or a cell on the secondary base station accessed in the random access process initiated when performing a synchronized reconfiguration process.
  • the secondary base station may also manage one or more secondary cells.
  • the cells on the secondary base station that provide services for the terminal, such as the primary secondary cell and the secondary cells on the secondary base station, may form a secondary cell group (SCG).
  • the terminal device is a device with a wireless transceiver function.
  • Terminal equipment can be deployed on land, including indoor or outdoor, handheld or vehicle; can also be deployed on water (such as ships, etc.); can also be deployed in the air (such as aircraft, balloons and satellites, etc.).
  • the terminal equipment may be user equipment (user equipment, UE).
  • the UE includes a handheld device, a vehicle-mounted device, a wearable device or a computing device with a wireless communication function.
  • the UE may be a mobile phone, a tablet computer, or a computer with a wireless transceiver function.
  • the terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control, a wireless terminal device in unmanned driving, a wireless terminal device in telemedicine, a wireless terminal device in smart grid, a wireless terminal device in smart city, a wireless terminal device in smart home, etc.
  • the above-mentioned primary base station and secondary base station may be collectively referred to as network equipment.
  • the network equipment includes but is not limited to: evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved Node B, or home Node B, HNB), baseband unit (BBU), wireless relay node, wireless backhaul node, transmission point (transmission and reception point, TRP, or transmission point, TP), etc. It can also be 5G equipment, such as the gNB in the new radio (NR) system, or a transmission point (TRP or TP), or one or a group (including multiple antenna panels) of antenna panels of the base station in the 5G system, or it can also be a network node that constitutes a gNB
  • the network device may adopt a centralized unit (centralized unit, CU)-DU architecture. That is, the network device may be composed of a CU and at least one DU. In this case, some functions of the network device are deployed on the CU, and another part of the functions of the network device are deployed on the DU.
  • CU and DU are functionally divided according to the protocol stack.
  • the CU deploys the RRC layer, the packet data convergence protocol (PDCP) layer, and the service data adaptation protocol (SDAP) layer in the protocol stack;
  • the DU deploys the radio link control (RLC) layer, the media access control (MAC) layer, and the physical layer (PHY) in the protocol stack.
  • the CU has the processing capabilities of RRC, PDCP and SDAP.
  • DU has the processing capability of RLC, MAC and PHY. It can be understood that the division of the above functions is only an example, and does not constitute a limitation on the CU and the DU. That is to say, there may also be other functional division manners between the CU and the DU, which are not described in detail in this embodiment of the present application.
  • a dual-connection configuration process includes the following steps:
  • the terminal device registers with the network through the main base station.
  • the master base station may deliver a measurement event to the terminal device, so that the terminal device reports a measurement report to the master base station.
  • the primary base station can determine whether to add a secondary base station for the terminal device according to the measurement report. If it is determined to add a secondary base station for the terminal device, the primary base station may perform the following step S11.
  • the primary base station determines to add a secondary base station for the terminal device.
  • the primary base station sends a secondary node addition/modification request (SN addition/modification request) message to the secondary base station.
  • the SN addition/modification request message includes the relevant configuration information of the secondary base station.
  • the primary base station may generate the secondary base station key. After that, the SN addition/modification request message sent by the primary base station may carry the secondary base station key. Since the primary base station does not use the secondary base station key, the primary base station can delete the secondary base station key after sending the SN addition/modification request message.
  • the secondary base station sends a secondary node addition/modification request acknowledgment (SN addition/modification request ack) message to the primary base station.
  • the SN addition/modification request ack message is used to express agreement to use the configuration information carried in the SN addition/modification request message.
  • the primary base station sends an RRC reconfiguration message to the terminal device.
  • the RRC reconfiguration message is used to configure the radio bearer between the terminal device and the secondary base station.
  • the terminal device sends an RRC reconfiguration complete message to the master base station.
  • the primary base station sends a secondary node reconfiguration complete (SN reconfiguration complete) message to the secondary base station.
  • the terminal device and the secondary base station can perform a random access procedure (random access procedure). After the random access procedure, an RRC connection is established between the terminal device and the secondary base station.
  • K gNB is derived by the terminal equipment and the access and mobility management function (AMF) respectively according to K AMF .
  • After the AMF derives the K gNB , it sends the K gNB to the access network device connected to the terminal device. In this way, the terminal device and the access network device maintain the same K gNB , so that the terminal device and the access network device can use the K gNB and its derived keys for secure communication.
  • K eNB is obtained by the terminal equipment and a mobility management entity (MME) respectively according to K ASME .
  • Security protection refers to data encryption/decryption, and/or integrity protection/verification, etc., to avoid risks such as data leakage or data tampering.
  • Encryption/decryption: protects the confidentiality of data during transmission (so it can also be called confidentiality protection). Confidentiality means that the real content cannot be directly seen. Encryption protection can generally be achieved by encrypting data using a key and an encryption algorithm.
  • Integrity protection/verification: determines whether the content of the message has been changed during the delivery process; it can also be used as identity verification to confirm the source of the message.
  • Anti-replay protection/verification: determines whether the message is replayed, to confirm the freshness of the message.
  • the 5G mobile communication system puts forward more stringent requirements in all aspects for various network performance indicators. For example, the capacity index has been increased by 1000 times, wider coverage requirements, ultra-high reliability and ultra-low latency, etc.
  • the integrated access and backhaul (IAB) technology provides an idea for solving the above two problems: both the access link and the backhaul link use a wireless transmission scheme, which avoids fiber deployment.
  • an IAB node can provide wireless access services for terminal equipment, and connect to an IAB donor (donor) through a wireless backhaul link to transmit user service data.
  • the IAB node is connected to the core network via the host node through a wired link.
  • the IAB node is connected, via the host node, to the core network (5G core, 5GC) of the 5G network through a wired link.
  • the IAB node is connected to the evolved packet core (EPC) via the evolved NodeB (eNB) on the control plane, and is connected to the EPC via the host node and eNB on the user plane.
  • the IAB network supports the networking of multi-hop IAB nodes and multi-connection IAB nodes. Therefore, there may be multiple transmission paths between the terminal served by the IAB node and the host node.
  • a transmission path may include multiple nodes, such as terminals, one or more IAB nodes, and host nodes.
  • the parent node of IAB node 1 is the host node
  • IAB node 1 is the parent node of IAB node 2 and IAB node 3
  • IAB node 2 and IAB node 3 are the parent nodes of IAB node 4
  • the parent node of IAB node 5 is IAB node 2.
  • the uplink data packets of the terminal can be transmitted to the host node through one or more IAB nodes, and then sent by the host node to the mobile gateway device (such as the user plane function (UPF) network element in the 5G network); the downlink data packets are received by the host node from the mobile gateway device, and then sent to the terminal via one or more IAB nodes.
  • a transmission path between the terminal and the host node may include one or more IAB nodes.
  • Each IAB node needs to maintain the wireless backhaul link facing the parent node, and also needs to maintain the wireless link with the child nodes.
  • a wireless access link is formed between the IAB node and a child node (i.e., a terminal).
  • If an IAB node is a node that provides backhaul services for other IAB nodes, there is a wireless backhaul link between the IAB node and its child nodes (i.e., other IAB nodes).
  • Terminal 1 accesses IAB node 4 through a wireless access link
  • IAB node 4 accesses IAB node 3 through a wireless backhaul link
  • IAB node 3 accesses IAB node 1 through a wireless backhaul link
  • IAB node 1 is connected to the host node through a wireless backhaul link.
  • the IAB node may include a mobile terminal (MT) and a distributed unit (DU).
  • the MT included in the IAB node has part or all of the functions of the terminal equipment.
  • When the IAB node faces its parent node, the IAB node can be regarded as a terminal device, that is, the IAB node plays the role of the MT.
  • When the IAB node faces its child nodes (a child node may be a terminal or the terminal part of another IAB node), the IAB node can be regarded as a network device, that is, the IAB node plays the role of the DU.
  • an IAB node can establish a backhaul connection with at least one parent node of the IAB node through the MT part.
  • the DU part of an IAB node can provide access services for terminal equipment or the MT part of other IAB nodes.
  • An IAB host can be a complete entity.
  • the IAB host may also take a form in which a centralized unit (CU) (herein referred to as Donor-CU, also referred to as CU) and a distributed unit (DU) (herein referred to as Donor-DU) are separated, that is, the IAB host consists of Donor-CU and Donor-DU.
  • the Donor-CU may also take a form in which the user plane (UP) (herein referred to as CU-UP) and the control plane (CP) (herein referred to as CU-CP) are separated, that is, the Donor-CU consists of CU-CP and CU-UP.
  • the IAB host may have other names, such as a host base station, a host node, a DgNB (that is, a donor gNB), etc., which are not limited.
  • the F1 interface may also be called an F1* interface, which is not limited.
  • the F1 interface supports the user plane protocol of F1-U (or F1*-U) and the control plane protocol of F1-C (or F1*-C).
  • FIG. 3 is a schematic diagram of a user plane protocol stack in an IAB network according to an embodiment of the present application.
  • the user plane protocol stack includes one or more of the following protocol layers: general packet radio service (GPRS) tunneling protocol user plane (GTP-U), user datagram protocol (UDP), internet protocol (IP), backhaul adaptation protocol (BAP) introduced for the wireless backhaul link, radio link control (RLC), media access control (MAC), and physical layer (PHY layer).
  • the L2 layer may be the data link layer in the open systems interconnection (OSI) reference model
  • the L1 layer
  • FIG. 4 is a schematic diagram of a control plane protocol stack in an IAB network according to an embodiment of the present application.
  • the control plane protocol stack includes one or more of the following protocol layers: F1 application protocol (F1AP), stream control transport protocol (SCTP), IP, BAP, RLC, MAC, PHY, etc.
  • an Internet Protocol Security (IPSec) secure connection may be established between the IAB node and the IAB host.
  • the IAB node and the IAB host can configure a pre-shared secret key (PSK) in advance and use it as an authentication credential in the subsequent IPSec establishment process.
  • IAB node and IAB donor can calculate K IAB as PSK.
  • the IAB node can be made to support dual connectivity (DC) to deal with possible abnormal situations in the wireless backhaul link, such as wireless backhaul link interruption or blocking etc.
  • FIG. 5 is a schematic diagram of IAB node using EN-DC mode.
  • the 4G base station (i.e., eNB)
  • the IAB donor acts as the secondary base station.
  • the IAB donor-CU-UP can be connected to the EPC through the S1-U interface, for example, connected to a serving gateway (SGW).
  • the process of generating the K IAB between the IAB node and the IAB donor includes the following steps:
  • the IAB node accesses the core network through the MeNB.
  • both the IAB node and the MeNB store the same K eNB .
  • After the MeNB generates the S-Kgnb, the MeNB sends an SN addition/modification request message to the IAB donor.
  • the SN addition/modification request message includes S-Kgnb.
  • S-Kgnb is derived from K eNB .
  • the MeNB can optionally delete the S-Kgnb. That is, the MeNB calculates the S-Kgnb in order to send it to the secondary base station for use; the MeNB itself does not use the S-Kgnb.
  • the IAB donor sends an SN addition/modification request ACK message to the MeNB.
  • the MeNB sends an RRC reconfiguration message to the IAB node.
  • After receiving the RRC reconfiguration message, the IAB node can derive the S-Kgnb according to the K eNB .
  • the IAB node sends an RRC reconfiguration complete message to the MeNB.
  • the MeNB sends an SN reconfiguration complete message to the IAB donor.
  • the IAB node generates an IAB key according to S-Kgnb.
  • IAB donor generates an IAB key according to S-Kgnb.
  • the IAB donor can be, and can only be, the secondary base station, so the input key used to generate the IAB key can be S-Kgnb, that is, the secondary base station uses S-Kgnb to derive the IAB key.
  • the IAB node and the IAB donor can use the same IAB key as the authentication credential to establish a secure tunnel.
  • IAB node can also adopt other types of dual connections (such as NE-DC, NR-DC, NGEN-DC, etc.).
  • FIG. 7 is a schematic diagram of the IAB node adopting the NE-DC mode.
  • the IAB donor CU-UP is connected to the user plane network element in the 5G core network (5G core, 5GC) through the NG-U interface, and the IAB donor CU-CP is connected to the control plane network elements in the 5GC through the NG-C interface.
  • FIG. 8 is a schematic diagram of the IAB node adopting the NR-DC mode.
  • When the IAB node works in NR-DC mode, the IAB node is connected to an IAB donor and a gNB.
  • the IAB donor CU-UP is connected to the user plane network element in the 5GC through the NG-U interface
  • the IAB donor CU-CP is connected to the control plane network element in the 5GC through the NG-C interface.
  • FIG. 9 is a schematic diagram of the IAB node adopting the NGEN-DC mode.
  • the primary base station connected to the IAB node is the NG-eNB
  • the secondary base station connected to the IAB node is the IAB donor.
  • the IAB donor CU-UP is connected to the user plane network element in the 5GC through the NG-U interface.
  • the industry does not provide a technical solution for the IAB node and the IAB donor to generate K IAB .
  • the K IAB generated by the IAB node may be different from the K IAB generated by the IAB donor, so that the IPsec secure connection cannot be normally established between the IAB node and the IAB donor.
  • the IAB node uses NR-DC to access the network, and both the primary base station and the secondary base station are gNBs.
  • the IAB donor may be the primary base station or the secondary base station.
  • the IAB node establishes a connection with the IAB donor based on the IP address, and does not need to sense whether the IAB donor is the primary base station or the secondary base station. In this way, when the IAB donor is the secondary base station, the IAB donor may use the secondary base station key to calculate the IAB key, while the IAB node may use the primary base station key to calculate the IAB key, so that the IAB keys maintained by the IAB donor and the IAB node are not the same.
  • Likewise, the IAB donor may use the master base station key to calculate the IAB key while the IAB node may use the secondary base station key to calculate the IAB key, so that the IAB keys maintained by the IAB donor and the IAB node are not the same.
  • the embodiments of the present application provide three technical solutions.
  • the following is an introduction to the ideas of the three technical solutions.
  • the idea of technical solution 1 is: in the scenario of other types of dual connections (such as NE-DC, NR-DC or NGEN-DC) except EN-DC, both the IAB donor and the IAB node use the master base station key to calculate K IAB .
  • the idea of technical solution 3 is: in the scenario of other types of dual connections (such as NE-DC, NR-DC or NGEN-DC) other than EN-DC, the IAB donor and the IAB node calculate K IAB based on the local key of the IAB donor.
  • When the primary base station is the IAB donor, the local key is the primary base station key.
  • When the secondary base station is the IAB donor, the local key is the secondary base station key.
  • the above technical solutions 1 to 3 can all ensure that the IAB donor and the IAB node maintain the same K IAB . It should be understood that, in practical applications, any one of the technical solutions from the above-mentioned technical solutions 1 to 3 can be selected for implementation.
  • the master base station key is used to secure the communication between the master base station (eg, the first access network device hereinafter) and the first device.
  • the master base station key may be K gNB , K RRCint , K RRCenc , K UPint , or K UPenc or the like.
  • K RRCint , K RRCenc , K UPint and K UPenc are all derived from K gNB .
  • K RRCint is used to perform integrity protection on the RRC signaling between the master base station and the first device.
  • K RRCenc is used to encrypt and protect the RRC signaling between the master base station and the first device.
  • K UPint is used for integrity protection of user plane data between the primary base station and the first device.
  • K UPenc is used to encrypt and protect user plane data between the primary base station and the first device.
  • the master base station key is uniformly described here, and will not be repeated below.
  • the secondary base station key is used to secure the communication between the secondary base station (eg, the second access network device or the third access network device hereinafter) and the first device.
  • the secondary base station key may be Ksn, SK RRCint , SK RRCenc , SK UPint , or SK UPenc , etc., which is not limited.
  • SK RRCint , SK RRCenc , SK UPint , or SK UPenc are obtained through Ksn deduction.
  • SK RRCint is used for integrity protection of RRC signaling between the secondary base station and the first device.
  • the SK RRCenc is used to encrypt and protect the RRC signaling between the secondary base station and the first device.
  • SK UPint is used for integrity protection of user plane data between the secondary base station and the first device.
  • SK UPenc is used to encrypt and protect user plane data between the secondary base station and the first device.
  • the master base station key is uniformly described here, and will not be repeated below.
  • the network side can refer to the embodiment shown in FIG. 10 to obtain the IAB key
  • the IAB node can refer to the embodiment shown in FIG. 11 to obtain the IAB key.
  • a method for generating a key includes the following steps:
  • the first access network device determines that the first device registered to the 5G core network through the first access network device is an IAB node.
  • the first access network device receives the IAB indication information sent by the first device, and the IAB indication information is used to indicate that the first device is an IAB node. Therefore, the first access network device can learn that the first device is an IAB node according to the IAB indication information.
  • the IAB indication information may be recorded as "IAB-indication".
  • the first access network device receives the IAB authorization information of the core network element, and the IAB authorization information is used to indicate that the first device has the authority to act as an IAB node. Therefore, the first access network device can learn that the first device is an IAB node according to the IAB authorization information.
  • the IAB authorization information may be recorded as "IAB-authorized".
  • the core network element may actively send the IAB authorization information to the first access network device.
  • the core network element may verify the subscription data of the first device according to the request of the first access network device, and determine whether to reply the IAB authorization information to the first access network device.
  • both the first access network device and the first device can obtain the same master base station key.
  • the first access network device determines whether it has the IAB donor function.
  • the first access network device checks whether the IAB donor configuration information contains the identifier of the first access network device.
  • When the IAB donor configuration information contains the identifier of the first access network device, the first access network device determines that it has the IAB donor function.
  • When the IAB donor configuration information does not contain the identifier of the first access network device, the first access network device determines that it does not have the IAB donor function.
  • the IAB donor configuration information is used to record the identifiers of one or more access network devices with the IAB donor function.
  • the IAB donor configuration information may be configured to the first access network device by an operation, administration and maintenance (OAM) system or by other devices.
  • the first access network device may check whether it stores a donor configuration file. When the first access network device stores the donor configuration file, the first access network device may determine that it has the IAB donor function. Otherwise, the first access network device determines that it does not have the IAB donor function.
  • the Donor configuration file is used to configure the functions of the access network device as an IAB donor.
  • the Donor configuration file may be configured locally by the first access network device, or configured by the OAM system to the first access network device.
  • When the first access network device does not have the IAB donor function, the first access network device performs the following steps S103-S106. When the first access network device has the IAB donor function, the first access network device executes the following steps S107-S109.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the second device pre-configures the first access network device with the identifier of the second access network device. Therefore, in the case where a secondary base station needs to be added to the IAB node (for example, the first device), the first access network device can select the second access network device as the secondary base station according to the identifier of the second access network device.
  • the first access network device sends a first request message to the second device, where the first request message includes the identifier of the first device.
  • the second device may determine the access network device (that is, the second access network device) that is the IAB donor of the first device. After that, the first access network device receives the first response message sent by the second device, where the first response message includes the identifier of the second access network device. Therefore, the first access network device may select the second access network device as the secondary base station of the first device.
  • the identifier of the first device may include a cell-radio network temporary identifier (C-RNTI), a device number, etc., which are not limited.
  • the identifier of the second access network device may include an IP address, a device number, etc., which is not limited.
  • the above-mentioned second device may be an OAM system or a core network element, which is not limited.
  • Case 1: The second device has pre-stored the mapping relationship between the first device and the second access network device. Therefore, the second device can find the identifier of the second access network device according to the identifier of the first device and the mapping relationship between the first device and the second access network device.
  • Case 2: The second device does not store the mapping relationship between the first device and the second access network device. Therefore, the second device can determine the second access network device according to factors such as topology information.
  • Since the second device is responsible for determining the second access network device, the second device may send the IP address used by the second access network device to communicate with the IAB node to the first device, so that the first device and the second access network device can communicate based on IP addresses.
  • After selecting the second access network device as the secondary base station, the first access network device sends a secondary base station configuration message to the second access network device, so that the second access network device knows that it is the secondary base station of the first device.
  • the secondary base station configuration message may be the SN addition/modification request message in the dual connectivity configuration process shown in FIG. 1 .
  • the secondary base station configuration message may include third indication information, where the third indication information is used to indicate that the first device is an IAB node. Therefore, the second access network device can learn that the first device is the IAB node according to the third indication information.
  • the second access network device determines whether it has the IAB donor function. When the second access network device determines that it has the IAB donor function, the second access network device needs to acquire K IAB1 from the first access network device.
  • the specific implementation manner of the second access network device judging whether it has the IAB donor function can refer to the specific implementation manner of the first access network device judging whether it has the IAB donor function above, which will not be repeated here.
  • the first access network device acquires a first key input parameter associated with the second access network device.
  • the first key input parameter includes: a first IP address and/or a second IP address.
  • the first IP address is the IP address used by the first device to communicate with the IAB donor. Since the first device acts as an IAB node, the first IP address may also be called the IP address of the IAB node, or the IP address of the MT in the IAB node.
  • the second IP address is the IP address used by the second access network device to communicate with the IAB node. Since the second access network device serves as the IAB donor of the first device, the second IP address may also be called the IP address of the IAB donor, or the IP address of the CU in the IAB donor.
  • any one of the following implementation modes 1-1 or 1-2 may be adopted:
  • Implementation mode 1-1: The first access network device acquires the first IP address from the second device.
  • the first response message sent by the second device to the first access network device may further include the first IP address.
  • Implementation mode 1-2: The first access network device acquires the first IP address from the second access network device.
  • the first access network device sends first indication information to the second access network device, where the first indication information is used to request the first IP address. After that, the first access network device receives the first IP address sent by the second access network device.
  • the first indication information may be carried in newly added signaling.
  • the first indication information may be carried in existing signaling, such as an SN addition/modification request message.
  • the first IP address sent by the second access network device may be borne in the newly added signaling.
  • the first IP address sent by the second access network device may be borne in existing signaling, such as an SN addition/modification request ACK message.
  • any one of the following implementation modes 2-1 to 2-3 may be adopted:
  • Implementation mode 2-1: The first access network device acquires the second IP address from the second device.
  • the second device stores the IP address of each access network device with the IAB donor function. Therefore, the first response message sent by the second device to the first access network device may further include the second IP address.
  • Implementation mode 2-2: The first access network device may use the IP address of the Xn interface of the second access network device as the second IP address.
  • Implementation mode 2-2 relies on the fact that, in the communication system, the IP address of the Xn interface of an access network device is by default the IP address that the access network device uses as the IAB donor.
  • Implementation mode 2-3: The first access network device acquires the second IP address from the second access network device.
  • the first access network device sends second indication information to the second access network device, where the second indication information is used to request the second IP address.
  • the first access network device receives the second IP address sent by the second access network device.
  • the second indication information may be carried in newly added signaling.
  • the second indication information may be carried in existing signaling, such as an SN addition/modification request message.
  • the second indication information and the first indication information may be carried in the same signaling or in different signaling.
  • the second indication information and the first indication information may be integrated into one indication information, such as parameter request indication information (para_request_indicator).
  • parameter request indication information is used to request the IP address of the IAB donor and the IP address of the IAB node.
  • the second IP address sent by the second access network device may be borne in the newly added signaling.
  • the second IP address sent by the second access network device may be borne in existing signaling, such as an SN addition/modification request ACK message.
  • the first access network device generates a first IAB key K IAB1 according to the first key input parameter and the master base station key.
  • K IAB1 is used to establish a secure tunnel between the second access network device and the first device.
  • the first access network device sends K IAB1 to the second access network device.
  • K IAB1 may be carried in a newly added message.
  • the sending timing of the newly added message for carrying K IAB1 may be located after the SN addition/modification request ACK message, or after the SN reconfiguration complete message.
  • K IAB1 can be carried in an existing message.
  • the first access network device may send an SN reconfiguration complete message to the second access network device, where the SN reconfiguration complete message includes K IAB1.
  • after receiving K IAB1, the second access network device saves K IAB1.
  • the primary base station (that is, the first access network device) can actively generate K IAB with the master base station key and send K IAB to the secondary base station, to ensure that the IAB donor and the IAB node maintain the same K IAB.
  • the first access network device selects the third access network device as the secondary base station of the first device.
  • the first access network device selects an appropriate access network device (that is, the third access network device) from the surrounding access network devices as the secondary base station of the first device, according to factors such as the location of the first device and the measurement report of the first device.
  • this embodiment of the present application does not limit whether the third access network device has the IAB donor function. That is, the third access network device may or may not have the IAB donor function.
  • the first access network device with the IAB donor function is the IAB donor of the first device.
  • the first access network device acquires a second key input parameter associated with the first access network device.
  • the second key input parameter includes the first IP address and the third IP address.
  • the third IP address is the IP address used by the first access network device to communicate with the IAB node.
  • the first access network device may acquire the third IP address locally (that is, from the database of the first access network device).
  • the first access network device serving as the IAB donor assigns the first IP address to the first device. Based on this design, the first access network device also needs to send the first IP address to the first device.
  • the first access network device may obtain the first IP address from the second device or the first device.
  • the first access network device sends an IP address request message to the first device. After that, the first access network device receives the IP address notification message sent by the first device, where the IP address notification message includes the first IP address.
  • the first access network device generates a second IAB key K IAB2 according to the second key input parameter and the master base station key.
  • K IAB2 is used to establish a secure tunnel between the first access network device and the first device.
  • the first access network device saves K IAB2.
  • the primary base station (that is, the first access network device) actively generates K IAB with the primary base station key to ensure that the IAB donor and the IAB node maintain the same K IAB.
  • a method for generating a key provided by an embodiment of the present application is applied in a scenario where a first device (IAB node) is connected to a primary base station and a secondary base station.
  • the method includes the following steps:
  • the IAB node determines the type of dual connection according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network.
  • the IAB node determines the communication standard supported by the main base station, which may be specifically implemented as: the supported communication standard.
  • the configuration parameters in the broadcast message include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency band or downlink frequency band. It should be understood that when the configuration parameters in the broadcast message belong to the configuration parameters of the 5G communication system, the IAB node can determine that the primary base station supports the 5G communication standard. Or, when the configuration parameters in the broadcast message belong to the configuration parameters of the 4G communication system, the IAB node can determine that the primary base station supports the 4G communication standard.
  • the 4G frequencies are A1, A2, and A3, and the 5G frequencies are B1, B2, and B3.
  • the IAB node can determine that the main base station supports the 5G communication standard.
  • the IAB node determines the communication standard supported by the secondary base station, which may be specifically implemented as follows: the IAB node receives an RRC reconfiguration message sent by the primary base station, where the RRC reconfiguration message is used to configure the radio bearer between the IAB node and the secondary base station.
  • the RRC reconfiguration message includes secondary cell group configuration information.
  • the IAB node determines the communication standard supported by the secondary base station according to the configuration information of the secondary cell group. It should be understood that when the configuration information of the secondary cell group belongs to the 5G communication standard, the IAB node can determine that the secondary base station supports the 5G communication standard. Alternatively, when the configuration information of the secondary cell group belongs to the 4G communication standard, the IAB node may determine that the secondary base station supports the 4G communication standard.
  • the configuration information of the secondary cell group belonging to the 5G communication standard may be recorded as nr-SecondaryCellGroupConfig or sourceSCG-NR-Config.
  • the configuration information of the secondary cell group belonging to the 4G communication standard may be recorded as sourceSCG-EUTRA-Config.
  • the IAB node determines the communication standard supported by the core network, which may be specifically implemented as: the IAB node receives the broadcast message sent by the main base station. The IAB node determines the communication standard supported by the core network according to the cell configuration information in the broadcast message. It should be understood that if the cell configuration information in the broadcast message belongs to the 5G communication standard, the IAB node determines that the core network supports the 5G communication standard. If the cell configuration information in the broadcast message belongs to the 4G communication standard, the IAB node determines that the core network supports the 4G communication standard.
  • the cell configuration information may include cell access related information (cellAccessRelatedInfo).
  • the cell access related information belonging to the 5G communication standard may be recorded as cellAccessRelatedInfo-5GC.
  • the cell access related information belonging to the 4G communication standard may be recorded as cellAccessRelatedInfo-EUTRA-EPC.
  • the IAB node determines the type of dual connection, including one of the following:
  • the IAB node determines that the type of dual connection is NE-DC.
  • when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the IAB node generates K IAB according to the master base station key.
  • the IAB node generates K IAB according to the master base station key and key input parameters.
  • the key input parameters include the IP address of the IAB donor and the IP address of the IAB node.
  • the IAB node can obtain the IP address of the IAB donor from the second device.
  • the second device may be an OAM system or a core network element.
  • the IAB node can obtain the IP address of the IAB node from the second device.
  • the second device may encapsulate the IP address of the IAB node and the IP address of the IAB donor into a message, and send the message to the IAB node.
  • the IAB node can obtain the IP address of the IAB node from the primary base station or the secondary base station.
  • the master base station acts as an IAB donor, and the master base station assigns an IP address to the IAB node.
  • the IAB node sends an IP address request message to the main base station; after that, the IAB node receives the IP address notification message sent by the main base station, where the IP address notification message includes the IP address of the IAB node.
  • the master base station acts as an IAB donor, and the master base station assigns an IP address to the IAB node. Therefore, the IAB node receives the RRC reconfiguration message sent by the master base station, where the RRC reconfiguration message includes the IP address of the IAB node.
  • the secondary base station acts as an IAB donor, and the secondary base station allocates an IP address to the IAB node.
  • the IAB node can send an IP address request message to the secondary base station; after that, the IAB node receives an IP address notification message sent by the secondary base station, where the IP address notification message includes the IP address of the IAB node.
  • the IAB node saves K IAB after generating it.
  • the IAB node can accurately determine the type of dual connectivity used by the IAB node according to the communication standard supported by the primary base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network. Furthermore, when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the IAB node can generate K IAB according to the master base station key to ensure that the IAB donor and the IAB node maintain the same K IAB.
  • when the type of dual connectivity is EN-DC, the IAB node generates K IAB according to the secondary base station key and the key input parameters.
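The node-side procedure above (determine the dual connectivity type, then pick the input key) and the network-side derivation by the primary base station can be checked against each other with the following added example, which is not part of the patent text. The KDF construction (HMAC-SHA-256 over a function code plus length-tagged parameters), the placeholder function codes and the 2-byte SN count encoding are assumptions, the type table uses the standard 3GPP dual connectivity definitions, and all keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

# Placeholder function codes: the page names no KDF, so these are assumptions.
FC_K_IAB = b"\xf0"
FC_K_SN = b"\xf1"

# (primary base station, secondary base station, core network) -> type
DC_TYPES = {
    ("4G", "5G", "4G"): "EN-DC",
    ("4G", "5G", "5G"): "NGEN-DC",
    ("5G", "4G", "5G"): "NE-DC",
    ("5G", "5G", "5G"): "NR-DC",
}


def dual_connectivity_type(primary_rat, secondary_rat, core):
    """Map the three supported communication standards to a DC type."""
    key = (primary_rat, secondary_rat, core)
    if key not in DC_TYPES:
        raise ValueError(f"no dual connectivity type for {key}")
    return DC_TYPES[key]


def encode_param(value):
    """Parameter followed by its 2-byte big-endian length (assumed encoding)."""
    return value + len(value).to_bytes(2, "big")


def kdf(key, fc, *params):
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (assumed KDF)."""
    s = fc + b"".join(encode_param(p) for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_secondary_key(master_key, sn_count):
    """Secondary base station key from the primary key and the SN count value."""
    return kdf(master_key, FC_K_SN, sn_count.to_bytes(2, "big"))


def derive_k_iab(input_key, donor_ip, node_ip):
    """K_IAB from an input key and the key input parameters (donor IP, node IP)."""
    donor = ipaddress.ip_address(donor_ip).packed  # 4 bytes IPv4, 16 bytes IPv6
    node = ipaddress.ip_address(node_ip).packed
    return kdf(input_key, FC_K_IAB, donor, node)


def select_input_key(dc_type, master_key, secondary_key):
    """Key choice described above: master key unless the type is EN-DC."""
    if dc_type in ("NE-DC", "NR-DC", "NGEN-DC"):
        return master_key
    if dc_type == "EN-DC":
        return secondary_key
    raise ValueError(f"unknown dual connectivity type {dc_type}")


def iab_node_k_iab(primary_rat, secondary_rat, core,
                   master_key, sn_count, donor_ip, node_ip):
    """IAB node side: determine the DC type, then derive K_IAB."""
    dc_type = dual_connectivity_type(primary_rat, secondary_rat, core)
    secondary_key = derive_secondary_key(master_key, sn_count)
    key = select_input_key(dc_type, master_key, secondary_key)
    return dc_type, derive_k_iab(key, donor_ip, node_ip)


def primary_base_station_k_iab(master_key, donor_ip, node_ip):
    """Network side: the primary base station derives K_IAB from the master
    base station key before handing it to a secondary base station donor."""
    return derive_k_iab(master_key, donor_ip, node_ip)


# Constructed sample values (documentation address range, made-up key).
MASTER_KEY = hashlib.sha256(b"constructed master base station key").digest()
SN_COUNT = 1
DONOR_IP = "192.0.2.1"
NODE_IP = "192.0.2.77"

if __name__ == "__main__":
    dc, k_node = iab_node_k_iab("5G", "5G", "5G", MASTER_KEY, SN_COUNT,
                                DONOR_IP, NODE_IP)
    k_net = primary_base_station_k_iab(MASTER_KEY, DONOR_IP, NODE_IP)
    print(dc, "keys match:", hmac.compare_digest(k_node, k_net))

    # Failure mode: a donor that derives from the secondary base station key
    # while the node uses the master base station key ends up with another key.
    k_wrong = derive_k_iab(derive_secondary_key(MASTER_KEY, SN_COUNT),
                           DONOR_IP, NODE_IP)
    print("mismatched input key matches:", hmac.compare_digest(k_node, k_wrong))
```

Both sides must also feed the two IP addresses in the same order and in the same address family, since the derivation is sensitive to every input byte.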
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • a first device registers with a network through a first access network device.
  • the first device may perform procedures such as authentication and security context negotiation.
  • the first device and the first access network device acquire the same AS layer key.
  • the AS layer key between the first device and the first access network device is used for security protection of the AS layer communication between the first device and the first access network device.
  • the AS layer key between the first device and the first access network device may be referred to as the primary base station key.
  • the first access network device determines that the first device is an IAB node.
  • the first access network device determines whether it has the IAB node function.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the first access network device sends an SN addition/modification request message to the second access network device.
  • the SN addition/modification request message includes the third indication information.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the second access network device can learn that the first device is an IAB node based on the third indication information. Furthermore, since the second access network device has the IAB donor function, the second access network device can serve as the IAB donor of the first device, and assign the IP address of the IAB node to the first device. It should be understood that the IP address of the IAB node here is the first IP address in the embodiment shown in FIG. 10.
  • the SN addition/modification request message may include first indication information and second indication information in addition to related information elements in the prior art.
  • the first access network device receives the SN addition/modification request ACK message sent by the second access network device.
  • the SN addition/modification request ACK message includes the IP address of the IAB donor and the IP address of the IAB node.
  • the first access network device generates K IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the RRC reconfiguration message includes the IP address of the IAB node.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the second access network device.
  • the SN reconfiguration complete message includes K IAB.
  • the second access network device obtains K IAB from the SN reconfiguration complete message. Afterwards, the second access network device saves K IAB.
  • the first device receives an IP address notification message sent by the second device.
  • the IP address notification message includes the IP address of the IAB donor.
  • step S311 is only after step S304, and the specific execution timing of step S312 is not limited.
  • the execution timing of step S311 may be before step S310.
  • the first device determines the type of dual connection.
  • when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K IAB according to the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • steps S312-S313 may refer to the embodiment shown in FIG. 11, which will not be repeated here.
  • steps S312-S313 may be executed at any time after step S308, which is not limited in this embodiment of the present application.
  • the first device and the second access network device establish a secure tunnel by using K IAB.
  • when the secondary base station is the IAB donor, the primary base station generates K IAB with the primary base station key, and transmits K IAB to the secondary base station.
  • the IAB node generates K IAB with the master base station key. Therefore, the IAB node and the IAB donor maintain the same K IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to K IAB, which makes it easier for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • S401-S404 are the same as steps S301-S304, and the specific description can refer to the embodiment shown in FIG. 12, and details are not repeated here.
  • the first device receives the first IP address notification message sent by the second device.
  • the first IP address notification message includes the IP address of the IAB donor and the IP address of the IAB node.
  • step S405 may be performed before or after any one of steps S406-S410.
  • the first access network device sends an SN addition/modification request message to the second access network device.
  • the SN addition/modification request message includes the third indication information.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the SN addition/modification request message may include first indication information and second indication information in addition to related information elements in the prior art.
  • the first access network device receives the SN addition/modification request ACK message sent by the second access network device.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the second access network device.
  • the first device sends a second IP address notification message to the second access network device.
  • the second IP address notification message includes the IP address of the IAB node.
  • the second access network device sends an SN key request message to the first access network device.
  • the SN key request message is used to request K IAB.
  • the SN key request message includes the IP address of the IAB donor and the IP address of the IAB node.
  • the first access network device generates K IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first access network device sends an SN key response message to the second access network device.
  • the SN key response message includes K IAB.
  • the first device determines the type of dual connection.
  • when the dual connection type is NE-DC, NR-DC or NGEN-DC, the first device generates K IAB according to the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • the first device and the second access network device establish a secure tunnel by using K IAB.
  • when the secondary base station is the IAB donor, the primary base station generates K IAB with the primary base station key, and transmits K IAB to the secondary base station.
  • the IAB node generates K IAB with the master base station key. Therefore, the IAB node and the IAB donor maintain the same K IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to K IAB, which makes it easier for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device serves as the IAB donor of the first device, and the first access network device allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
  • a method for generating a key provided in the embodiment of the present application, the method comprises the following steps:
  • a first device registers with a network through a first access network device.
  • the first access network device determines that the first device is an IAB node.
  • if the first access network device has the IAB node function, the first access network device sends a notification message to the second device.
  • the notification message is used to indicate that the first device is registered to the network through the first access network device with the IAB donor function.
  • the notification message is used to indicate that the first access network device is the IAB donor of the first device.
  • the notification message may include the identifier of the first device and the identifier of the first access network device.
  • the second device sends an IP address notification message to the first device.
  • the IP address notification information includes the IP address of the IAB donor.
  • step S504 may be executed at any time before step S513, which is not limited in this embodiment of the present application.
  • the first access network device selects a third access network device as the secondary base station of the first device.
  • the first access network device sends an SN addition/modification request message to the third access network device.
  • the first access network device receives the SN addition/modification request ACK message sent by the third access network device.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the RRC reconfiguration message may include the IP address of the IAB node.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the third access network device.
  • the first access network device generates K IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • step S511 may be performed before or after any one of steps S504-S510.
  • the first device determines the type of dual connection.
  • when the dual connection type is NE-DC, NR-DC or NGEN-DC, the first device generates K IAB according to the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • the first device and the first access network device establish a secure tunnel by using K IAB.
  • when the master base station is the IAB donor, both the master base station and the IAB node generate K IAB with the master base station key. Therefore, the IAB node and the IAB donor maintain the same K IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to K IAB, which makes it easier for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device acts as the IAB donor of the first device.
  • the first access network device selects a third access network device as the secondary base station for the first device.
  • the second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key provided in the embodiment of the present application, the method comprises the following steps:
  • a first device registers with a network through a first access network device.
  • the first access network device determines that the first device is an IAB node.
  • if the first access network device has the IAB node function, the first access network device sends a notification message to the second device.
  • the notification message is used to indicate that the first device is registered to the network through the first access network device with the IAB donor function.
  • the notification message is used to indicate that the first access network device is the IAB donor of the first device.
  • the second device sends a first IP address notification message to the first device.
  • the first IP address notification message includes the IP address of the IAB node and the IP address of the IAB donor.
  • steps S603-S604 may be performed before or after any one of steps S606-S610.
  • the first access network device selects a third access network device as the secondary base station of the first device.
  • the first access network device sends an SN addition/modification request message to the third access network device.
  • the first access network device receives the SN addition/modification request ACK message sent by the third access network device.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the third access network device.
  • the first access network device receives the second IP address notification message sent by the first device.
  • the second IP address notification message includes the IP address of the IAB node.
  • the first access network device generates K IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • steps S611-S612 may be performed at any time after step S604, which is not limited in this embodiment of the present application.
  • the first device determines the type of dual connection.
  • when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K IAB according to the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • the first device and the first access network device establish a secure tunnel by using K IAB.
  • when the master base station is the IAB donor, both the master base station and the IAB node generate K IAB with the master base station key. Therefore, the IAB node and the IAB donor maintain the same K IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to K IAB, which makes it easier for the IAB node to use the dual connection mode for networking.
  • the network side can obtain the IAB key according to the embodiment shown in FIG. 16, and the IAB node can obtain the IAB key according to the embodiment shown in FIG. 17.
  • a method for generating a key includes the following steps:
  • the first access network device determines that the first device registered to the network through the first access network device is an IAB node.
  • the first access network device determines whether it has the IAB node function.
  • steps S701-S702 are similar to steps S101-S102 in FIG. 10, and reference may be made to the description in the embodiment shown in FIG. 10 for the specific implementation manner.
  • the first access network device may generate the secondary base station key according to the primary base station key and the SN count value.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the first access network device sends a secondary base station configuration message to the second access network device.
  • the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device.
  • the secondary base station configuration message includes third indication information and a secondary base station key.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the second access network device can learn that the first device is the IAB node according to the third indication information. Further, the second access network device determines whether it has the IAB donor function. In the case that the second access network device has the IAB donor function, the second access network device may consider itself to be the IAB donor of the first device, so that the second access network device may perform the following step S705.
  • the second access network device generates K IAB1 according to the secondary base station key.
  • the second access network device generates K IAB1 according to the secondary base station key and the first key input parameter.
  • the first key input parameter includes a first IP address and a second IP address.
  • the first IP address is the IP address used by the first device to communicate with the IAB donor.
  • the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • the second access network device may acquire the second IP address from its own database.
  • the second access network device may determine the first IP address. Or, the second access network device obtains the first IP address from the first device or the second device.
  • the secondary base station (that is, the second access network device) actively uses the secondary base station key to generate K IAB to ensure that the IAB donor and the IAB node maintain the same K IAB.
  • the first access network device selects the third access network device as the secondary base station of the first device.
  • the first access network device generates K IAB2 according to the secondary base station key.
  • the first access network device generates K IAB2 according to the secondary base station key and the second key input parameter.
  • the second key input parameter includes the first IP address and the third IP address.
  • the first IP address is the IP address used by the first device to communicate with the IAB donor.
  • the third IP address is the IP address used by the first access network device to communicate with the IAB node.
  • the first access network device may acquire the third IP address from its own database.
  • the first access network device may determine the first IP address. Or, the first access network device obtains the first IP address from the first device or the second device.
  • the primary base station (that is, the first access network device) actively uses the secondary base station key to generate K IAB to ensure that the IAB donor and the IAB node maintain the same K IAB.
  • a method for generating a key provided by an embodiment of the present application is applied in a scenario where an IAB node is connected to a primary base station and a secondary base station.
  • the method includes the following steps:
  • step S801 is the same as step S20, and for the specific description, refer to the embodiment shown in FIG. 11; details are not repeated here.
  • when the type of dual connection is NE-DC, NR-DC or NGEN-DC, the IAB node generates K_IAB according to the secondary base station key.
  • the IAB node can deduce the key of the secondary base station according to the key of the primary base station.
  • the IAB node generates K_IAB according to the secondary base station key and the key input parameter.
  • for the specific introduction and acquisition method of the key input parameter, reference may be made to the relevant description of step S202 in the embodiment shown in FIG. 11, and details are not repeated here.
  • in the NE-DC, NR-DC or NGEN-DC scenario, it is ensured that the IAB node generates K_IAB with the secondary base station key, thereby ensuring that the IAB donor and the IAB node maintain the same K_IAB.
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • the first device registers with the network through the first access network device.
  • the first access network device determines that the first device is an IAB node.
  • the first access network device determines whether it has the IAB node function.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the first access network device may deduce the secondary base station key according to the primary base station key and the SN count value.
  • the first access network device sends an SN addition/modification request message to the second access network device.
  • the SN addition/modification request message includes the secondary base station key and the third indication information.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the second access network device may determine whether it has the IAB donor function. In the case that the second access network device has the IAB donor function, the second access network device can be considered as the IAB donor of the first device, so the second access network device needs to perform the following step S910.
  • the first access network device receives the SN addition/modification request ACK message sent by the second access network device.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the RRC reconfiguration message is used to configure the radio bearer between the second access network device and the first device. Therefore, based on the RRC reconfiguration message, the first device can learn that the second access network device is the secondary base station.
  • the RRC reconfiguration message also includes the SN count value. Therefore, the first device can deduce the secondary base station key according to the primary base station key and the SN count value.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the second access network device.
  • the second access network device can establish an RRC connection with the first device, so that the second access network device can communicate directly with the first device.
  • the second access network device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the second access network device obtains the IP address of the IAB donor locally. And, the second access network device allocates the IP address of the IAB node to the first device.
  • step S910 may be executed at any time after step S905, which is not limited in this embodiment of the present application.
  • the second access network device sends a first IP address notification message to the first device.
  • the first IP address notification message includes the IP address of the IAB node.
  • the second device sends a second IP address notification message to the first device.
  • the second IP address notification message includes the IP address of the IAB donor.
  • step S912 may be executed at any time after step S904, which is not limited in this embodiment of the present application.
  • the first device can obtain the IP address of the IAB donor and the IP address of the IAB node.
  • the first device determines the type of dual connection.
  • when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • the first device and the second access network device establish a secure tunnel by using the K_IAB.
  • when the secondary base station is the IAB donor, the secondary base station generates K_IAB with the secondary base station key, and the IAB node generates K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • a first device registers with a network through a first access network device.
  • the first access network device determines that the first device is an IAB node.
  • the first access network device determines whether it has an IAB node function.
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the second device sends a first IP address notification message to the first device.
  • the first IP address notification message includes the IP address of the IAB node and the IP address of the IAB donor.
  • step S1005 may be executed at any time after step S1004 and before step S1011, which is not limited in this embodiment of the present application.
  • the first access network device sends an SN addition/modification request message to the second access network device.
  • the SN addition/modification request message includes the secondary base station key and the third indication information.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the second access network device may determine whether it has the IAB donor function. In the case that the second access network device has the IAB donor function, the second access network device can be considered as the IAB donor of the first device, so the second access network device needs to perform the following step S1012.
  • the first access network device receives the SN addition/modification request ACK message sent by the second access network device.
  • the first access network device sends an RRC reconfiguration message to the first device.
  • the RRC reconfiguration message is used to configure the radio bearer between the second access network device and the first device. Therefore, based on the RRC reconfiguration message, the first device can learn that the second access network device is the secondary base station.
  • the RRC reconfiguration message also includes the SN count value. Therefore, the first device can deduce the secondary base station key according to the primary base station key and the SN count value.
  • the first access network device receives the RRC reconfiguration complete message sent by the first device.
  • the first access network device sends an SN reconfiguration complete message to the second access network device.
  • the second access network device can establish an RRC connection with the first device, so that the second access network device can communicate directly with the first device.
  • the first device sends a second IP address notification message to the second access network device.
  • the second IP address notification message includes the IP address of the IAB donor.
  • the second access network device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the second access network device obtains the IP address of the IAB donor locally. And, the second access network device obtains the IP address of the IAB node according to the second IP address notification message.
  • the first device determines the type of dual connection.
  • when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • steps S1013-S1014 may be executed at any time after step S1008, which is not limited in this embodiment of the present application.
  • the first device and the second access network device establish a secure tunnel by using the K_IAB.
  • when the secondary base station is the IAB donor, the secondary base station generates K_IAB with the secondary base station key, and the IAB node generates K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device serves as the IAB donor of the first device, and the first access network device allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
  • a method for generating a key includes the following steps:
  • S1101-S1110 are the same as steps S501-S510, and the specific description can refer to the embodiment shown in FIG. 14, and details are not repeated here.
  • after selecting the third access network device as the secondary base station, the first access network device generates the secondary base station key and sends the secondary base station key to the third access network device through the SN addition/modification request message.
  • the first access network device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • step S1111 may be executed at any time after S1105, which is not limited in this embodiment of the present application.
  • the first access network device may delete the secondary base station key after performing step S1106.
  • if step S1111 is performed after step S1106, the first access network device needs to save the secondary base station key before performing step S1106 and keep it until step S1111 is performed.
  • the first device determines the type of dual connection.
  • when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • steps S1112-S1113 may be executed at any time after step S1108, which is not limited in this embodiment of the present application.
  • the first device and the first access network device establish a secure tunnel by using the K_IAB.
  • when the primary base station serves as the IAB donor, both the primary base station and the IAB node generate K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device acts as the IAB donor of the first device.
  • the first access network device selects a third access network device as the secondary base station for the first device.
  • the second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • S1201-S1211 are the same as steps S601-S611, and the specific description can refer to the embodiment shown in FIG. 15, and details are not repeated here.
  • after selecting the third access network device as the secondary base station, the first access network device generates the secondary base station key and sends the secondary base station key to the third access network device through the SN addition/modification request message.
  • the first access network device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • step S1211 can be executed at any time after step S1204.
  • Step S1212 can be executed at any time after steps S1205 and S1211.
  • the first access network device may delete the secondary base station key after performing step S1206.
  • if step S1212 is performed after step S1206, the first access network device needs to save the secondary base station key before performing step S1206 and keep it until step S1212 is performed.
  • the first device determines the type of dual connection.
  • when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
  • steps S1213-S1214 may be performed at any time after step S1208, which is not limited in this embodiment of the present application.
  • the first device and the first access network device establish a secure tunnel by using the K_IAB.
  • when the primary base station serves as the IAB donor, both the primary base station and the IAB node generate K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the IAB node can obtain K_IAB according to the embodiment shown in FIG. 22, and the network side can follow the embodiment shown in FIG. 23 to get K_IAB.
  • a method for generating a key provided by an embodiment of the present application is applied to a scenario where a first device (IAB node) is connected to a primary base station and a secondary base station, and the method includes the following steps:
  • the IAB node learns that the primary base station or the secondary base station is used as the IAB donor.
  • step S1301 may adopt any one of the following implementation manners:
  • Implementation mode 1: when the IAB node receives the fourth indication information, the IAB node learns that the primary base station is the IAB donor, and the fourth indication information is used to indicate that the primary base station is the IAB donor. Or, when the IAB node receives the fifth indication information, the IAB node learns that the secondary base station is the IAB donor, and the fifth indication information is used to indicate that the secondary base station is the IAB donor.
  • the IAB node receives the fourth indication information, which may be specifically implemented as: the IAB node receives the fourth indication information sent by the primary base station.
  • the fourth indication information may be carried in the RRC reconfiguration message sent by the primary base station to the IAB node.
  • the IAB node receives the fifth indication information, which may be specifically implemented as: the IAB node receives the fifth indication information sent by the primary base station or the secondary base station.
  • the fifth indication information may be carried in the RRC reconfiguration message sent by the master base station to the IAB node.
  • the fifth indication information may be carried in the AS message sent by the secondary base station to the IAB node.
  • Implementation mode 2: when a wireless backhaul link is established between the IAB node and the main base station, the IAB node learns that the main base station is an IAB donor. Or, when a wireless backhaul link is established between the IAB node and the secondary base station, the IAB node learns that the secondary base station is an IAB donor.
  • Implementation mode 3: the IAB node obtains the frequency band supported by the primary base station and the frequency band supported by the secondary base station. When the frequency band supported by the primary base station is higher than the frequency band supported by the secondary base station, the IAB node learns that the primary base station is an IAB donor. Or, when the frequency band of the primary base station is lower than the frequency band supported by the secondary base station, the IAB node learns that the secondary base station is an IAB donor.
  • Implementation mode 4: when the IAB node receives the sixth indication information broadcast by the main base station, the IAB node learns that the main base station is an IAB donor. Or, when the IAB node receives the sixth indication information broadcast by the secondary base station, the IAB node learns that the secondary base station is an IAB donor. The sixth indication information is used to indicate that the base station has the IAB donor function.
  • when the primary base station acts as the IAB donor, the IAB node generates K_IAB according to the key of the primary base station.
  • the IAB node generates K_IAB according to the master base station key and key input parameters.
  • the master base station key is generated by the IAB node in the process of registering to the network through the master base station.
  • when the secondary base station acts as the IAB donor, the IAB node generates K_IAB according to the secondary base station key.
  • the IAB node generates K_IAB according to the secondary base station key and the key input parameter.
  • the secondary base station key is generated by the IAB node according to the primary base station key.
  • the IAB node can use the local key of the IAB donor to generate K_IAB to ensure that the IAB node and the IAB donor maintain the same K_IAB.
  • a method for generating a key includes the following steps:
  • the first access network device determines that the first device registered to the network through the first access network device is an IAB node.
  • the first access network device determines whether it has the IAB node function.
  • steps S1401-S1402 are similar to steps S101-S102 in FIG. 10 , and the specific implementation thereof may refer to the description in the embodiment shown in FIG. 10 .
  • the first access network device selects the second access network device with the IAB donor function as the secondary base station of the first device.
  • the first access network device sends a secondary base station configuration message to the second access network device.
  • the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device.
  • the secondary base station configuration message includes third indication information and a secondary base station key.
  • the third indication information is used to indicate that the first device is an IAB node.
  • the second access network device may learn that the first device is the IAB node. Therefore, the second access network device can determine whether it has the IAB donor function. In the case that the second access network device has the IAB donor function, the second access network device may consider itself to be the IAB donor of the first device, so that the second access network device may perform the following step S1405.
  • the second access network device generates K_IAB1 according to the secondary base station key.
  • the second access network device generates K_IAB1 according to the secondary base station key and the first key input parameter.
  • the first key input parameter includes a first IP address and a second IP address.
  • the first IP address is the IP address used by the first device to communicate with the IAB donor.
  • the second IP address is the IP address used by the second access network device to communicate with the IAB node.
  • the second access network device may acquire the second IP address from its own database.
  • the second access network device may determine the first IP address. Or, the second access network device obtains the first IP address from the first device or the second device.
  • the secondary base station (that is, the second access network device) actively generates K_IAB with the secondary base station key to ensure that the IAB donor and the IAB node maintain the same K_IAB.
  • the first access network device selects the third access network device as the secondary base station of the first device.
  • the first access network device generates K_IAB2 according to the master base station key.
  • the first access network device generates K_IAB2 according to the master base station key and the second key input parameter.
  • the second key input parameter includes the first IP address and the third IP address.
  • the first IP address is the IP address used by the first device to communicate with the IAB donor.
  • the third IP address is the IP address used by the first access network device to communicate with the IAB node.
  • the first access network device may acquire the third IP address from its own database.
  • the first access network device may determine the first IP address. Or, the first access network device obtains the first IP address from the first device or the second device.
  • the primary base station (i.e., the first access network device) actively generates K_IAB with the primary base station key to ensure that the IAB donor and the IAB node maintain the same K_IAB.
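The key-selection rule of the FIG. 22 and FIG. 23 flows above, as an added example that is not part of the patent text: the IAB node and the IAB donor both feed the donor's local key plus the two IP addresses into a KDF, and the result only matches when the node picks the key of the base station that is actually the donor. The HMAC-SHA-256 construction, the FC tag values, the 2-byte SN count encoding, and all keys and addresses are assumptions or constructed samples; the page does not specify them.

```python
import hashlib
import hmac
import ipaddress

# Assumed derivation tags (FC bytes); the page does not give the KDF encoding.
FC_SECONDARY_KEY = 0x79
FC_K_IAB = 0x83


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., lengths as 2-byte big-endian."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_secondary_key(primary_key: bytes, sn_count: int) -> bytes:
    """Secondary base station key from the primary base station key and the SN count value."""
    return kdf(primary_key, FC_SECONDARY_KEY, sn_count.to_bytes(2, "big"))


def derive_k_iab(base_key: bytes, node_ip: str, donor_ip: str) -> bytes:
    """K_IAB from the selected base station key and the key input parameters (two IP addresses)."""
    node = ipaddress.ip_address(node_ip).packed
    donor = ipaddress.ip_address(donor_ip).packed
    return kdf(base_key, FC_K_IAB, node, donor)


class IabNode:
    """First device: holds the primary key from registration and derives the
    secondary key from the SN count value carried in the RRC reconfiguration message."""

    def __init__(self, primary_key: bytes, sn_count: int):
        self.primary_key = primary_key
        self.secondary_key = derive_secondary_key(primary_key, sn_count)

    def k_iab(self, donor_role: str, node_ip: str, donor_ip: str) -> bytes:
        # donor_role is what the node learned, e.g. from the fourth or fifth indication.
        if donor_role == "primary":
            base = self.primary_key
        elif donor_role == "secondary":
            base = self.secondary_key
        else:
            raise ValueError(f"unknown donor role: {donor_role!r}")
        return derive_k_iab(base, node_ip, donor_ip)


class BaseStation:
    """Network side: a base station derives K_IAB from its own local key only."""

    def __init__(self, local_key: bytes):
        self.local_key = local_key

    def k_iab(self, node_ip: str, donor_ip: str) -> bytes:
        return derive_k_iab(self.local_key, node_ip, donor_ip)


# Constructed sample values (documentation address range, dummy key).
PRIMARY_KEY = bytes(range(32))
SN_COUNT = 7
NODE_IP, DONOR_IP = "192.0.2.10", "192.0.2.1"


def run_scenario(donor_role: str):
    """Return (K_IAB at the IAB node, K_IAB at the IAB donor) for the given donor role."""
    node = IabNode(PRIMARY_KEY, SN_COUNT)
    primary_bs = BaseStation(PRIMARY_KEY)
    # The secondary base station receives its key in the secondary base station
    # configuration (SN addition/modification request) message.
    secondary_bs = BaseStation(derive_secondary_key(PRIMARY_KEY, SN_COUNT))
    donor = primary_bs if donor_role == "primary" else secondary_bs
    return node.k_iab(donor_role, NODE_IP, DONOR_IP), donor.k_iab(NODE_IP, DONOR_IP)


def mismatched_scenario():
    """Failure mode the rule prevents: the node uses the primary key while the
    secondary base station is the donor, so the two K_IAB values differ."""
    node = IabNode(PRIMARY_KEY, SN_COUNT)
    donor = BaseStation(derive_secondary_key(PRIMARY_KEY, SN_COUNT))
    return node.k_iab("primary", NODE_IP, DONOR_IP), donor.k_iab(NODE_IP, DONOR_IP)


if __name__ == "__main__":
    for role in ("primary", "secondary"):
        n, d = run_scenario(role)
        print(role, "donor: keys match =", hmac.compare_digest(n, d))
    n, d = mismatched_scenario()
    print("wrong key choice: keys match =", hmac.compare_digest(n, d))
```
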
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • S1501-S1512 are similar to steps S901-S912, and the specific description can refer to the embodiment shown in FIG. 18, and details are not repeated here.
  • the SN addition/modification request ACK message sent by the second access network device may include fifth indication information.
  • the RRC reconfiguration message sent by the first access network device may include fifth indication information, so that the first device can learn that the secondary base station (that is, the second access network device) is the IAB donor.
  • the first device learns that the second access network device is an IAB donor.
  • the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first device and the second access network device establish a secure tunnel by using the K_IAB.
  • when the secondary base station is the IAB donor, the secondary base station generates K_IAB with the secondary base station key, and the IAB node generates K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device that does not have the IAB donor function. After that, the first access network device selects the second access network device with the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • S1601-S1612 are similar to steps S1001-S1012, and the specific description can refer to the embodiment shown in FIG. 19, and details are not repeated here.
  • the SN addition/modification request ACK message sent by the second access network device may include fifth indication information.
  • the RRC reconfiguration message sent by the first access network device may include fifth indication information, so that the first device can learn that the secondary base station (that is, the second access network device) is the IAB donor.
  • the first device learns that the second access network device is an IAB donor.
  • the first device generates K_IAB according to the secondary base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first device and the second access network device establish a secure tunnel by using the K_IAB.
  • when the secondary base station is the IAB donor, the secondary base station generates K_IAB with the secondary base station key, and the IAB node generates K_IAB with the secondary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device serves as the IAB donor of the first device, and the first access network device allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
  • a method for generating a key includes the following steps:
  • S1701-S1711 are similar to steps S501-S511, and the specific description can refer to the embodiment shown in FIG. 14, and details are not repeated here.
  • the RRC reconfiguration message sent by the first access network device may include fourth indication information, so that the first device can know that the primary base station (that is, the first access network device) is the IAB donor.
  • the first device learns that the first access network device is an IAB donor.
  • the first device generates K_IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first device and the first access network device establish a secure tunnel using the K_IAB.
  • when the primary base station is the IAB donor, both the primary base station and the IAB node generate K_IAB with the primary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • the first device (that is, the IAB node) registers with the network through the first access network device with the IAB donor function. Therefore, the first access network device acts as the IAB donor of the first device.
  • the first access network device selects a third access network device as the secondary base station for the first device.
  • the second device is responsible for allocating the IP address of the IAB node to the first device.
  • a method for generating a key includes the following steps:
  • S1801-S1812 are similar to steps S601-S612, and the specific description thereof may refer to the embodiment shown in FIG. 15, which will not be repeated here.
  • the RRC reconfiguration message sent by the first access network device may include fourth indication information, so that the first device can know that the primary base station (that is, the first access network device) is the IAB donor.
  • the first device learns that the first access network device is an IAB donor.
  • the first device generates K_IAB according to the master base station key, the IP address of the IAB donor, and the IP address of the IAB node.
  • the first device and the first access network device establish a secure tunnel by using the K_IAB.
  • when the primary base station serves as the IAB donor, both the primary base station and the IAB node generate K_IAB with the primary base station key. Therefore, the IAB node and the IAB donor maintain the same K_IAB, so that a secure tunnel can be established between the IAB node and the IAB donor according to the K_IAB, and it is advantageous for the IAB node to use the dual connection mode for networking.
  • a communication apparatus (e.g., a first device, a first access network device, and a second access network device) includes corresponding hardware structures and/or software modules for performing each function.
  • the embodiments of the present application can be implemented in hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of the technical solutions of the embodiments of the present application.
  • the communication device may be divided into functional units according to the foregoing method examples.
  • each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit.
  • the above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units. It should be noted that the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and other division methods may be used in actual implementation.
  • a communication device provided by an embodiment of the present application includes a processing module 101 and a communication module 102 .
  • the processing module 101 is used to support the IAB node to perform steps S201-S202 in FIG. 11 , steps S801-S805 in FIG. S1303, and/or other processing operations that need to be performed by the IAB node in this embodiment of the present application.
  • the communication module 102 is used to support the IAB node to perform steps S308, S309, and S311 in FIG. 12 , steps S405, S408, S409, and S411 in FIG. 13 , and/or other communication operations that the IAB node needs to perform in the embodiments of the present application.
  • the processing module 101 is configured to support the first access network device to perform steps S101-S105, S107-S109 in FIG. 10, steps S701-S703, S706-S707 in FIG. 16, steps S1401-S1403, S1406-S1407 in FIG. 23, and/or other processing operations that need to be performed by the first access network device in this embodiment of the present application.
  • the communication module 102 is configured to support the first access network device to perform step S106 in FIG. 10, step S704 in FIG. 16, step S1404 in FIG. 23, and/or other communication operations that the first access network device needs to perform in this embodiment of the present application.
  • the processing module 101 is configured to support the second access network device to perform step S705 in FIG. 16, step S1405 in FIG. 23, and/or other processing operations that need to be performed by the second access network device in the embodiment of the present application.
  • the communication module 102 is configured to support the second access network device to perform step S106 in FIG. 10, step S704 in FIG. 16, step S1404 in FIG. 23, and/or other communication operations that the second access network device needs to perform in this embodiment of the present application.
  • the communication device may further include a storage module 103 for storing program codes and data of the communication device, and the data may include but not limited to original data or intermediate data.
  • the processing module 101 may be a processor or a controller, such as a CPU, a general-purpose processor, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
  • a processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication module 102 may be a communication interface, a transceiver or a transceiver circuit, etc., where the communication interface is a general term, and in a specific implementation, the communication interface may include multiple interfaces, for example, may include: an interface between a base station and a terminal and/or other interfaces.
  • the storage module 103 may be a memory.
  • the processing module 101 is a processor
  • the communication module 102 is a communication interface
  • the storage module 103 is a memory
  • the communication device involved in the embodiment of the present application may be as shown in FIG. 29 .
  • the communication device includes: a processor 201 , a communication interface 202 , and a memory 203 .
  • the communication device may further include a bus 204 .
  • the communication interface 202, the processor 201 and the memory 203 can be connected to each other through a bus 204; the bus 204 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus etc.
  • the bus 204 can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is shown in FIG. 29, but it does not mean that there is only one bus or one type of bus.
  • the embodiment of the present application further provides a computer program product carrying computer instructions, when the computer instructions are executed on the computer, the computer is made to execute the method described in the foregoing embodiments.
  • the embodiments of the present application further provide a computer-readable storage medium, where the computer-readable storage medium stores computer instructions, and when the computer instructions are executed on the computer, the computer executes the methods described in the foregoing embodiments.
  • an embodiment of the present application further provides a chip, including: a processing circuit and a transceiver pin, where the processing circuit and the transceiver pin are used to implement the method introduced in the foregoing embodiment.
  • the processing circuit is used for executing the processing actions in the corresponding method
  • the transceiver pins are used for executing the actions of receiving/transmitting in the corresponding method.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, wireless, microwave, etc.).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server, a data center, or the like that includes an integration of one or more available media.
  • the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., Digital Video Disc (DVD)), or semiconductor media (e.g., Solid State Disk (SSD)), and the like.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple devices. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each functional unit may exist independently, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional units.
  • the present application can be implemented by means of software plus necessary general-purpose hardware, and of course hardware can also be used, but in many cases the former is a better implementation manner.
  • the technical solutions of the present application, in essence, or the parts that make contributions to the prior art, can be embodied in the form of software products.
  • the computer software products are stored in a readable storage medium, such as a floppy disk of a computer, a hard disk or an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the various embodiments of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Diaphragms For Electromechanical Transducers (AREA)
  • Crystals, And After-Treatments Of Crystals (AREA)

Abstract

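A key generation method and apparatus, relating to the field of communications technologies, used so that an IAB donor and an IAB node use the same K_IAB in a dual connectivity scenario. The key generation method includes the following steps: a first access network device determines that a first device registered with the 5G core network through the first access network device is an IAB node; when a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB donor function; if the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device; the first access network device generates a second IAB key K_IAB2 according to the secondary base station key, where K_IAB2 is used to establish a secure tunnel between the first access network device and the first device.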

Description

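Key generation method and apparatus
Technical field
This application relates to the field of communications technologies, and in particular to a key generation method and apparatus.
Background
To reduce the burden of building wired transport networks and to provide flexible and dense new radio (NR) deployment, the fifth generation (5G) mobile communications system uses integrated access backhaul (IAB) technology. Based on IAB technology, base stations can be divided into IAB nodes and IAB donor base stations (donors). The IAB donor provides the user equipment interface to the core network and supports the wireless backhaul function of the IAB node. The IAB node supports wireless access of terminal devices and wireless backhaul of data. Because the IAB donor and the IAB node can exchange data over a wireless backhaul link, no cable needs to be laid between them. This makes the deployment of IAB nodes more flexible.
To secure communication over the F1 interface between the IAB node and the IAB donor, a secure tunnel (for example, an Internet Protocol Security (IPsec) tunnel) can be established between the IAB node and the IAB donor. In establishing the secure tunnel, the IAB node and the IAB donor need to use the same IAB key K_IAB as the authentication credential.
To meet the requirements on network coverage performance and service transmission reliability, the IAB node can be made to support dual connectivity (DC), to cope with abnormal conditions that may occur on the wireless backhaul link, such as interruption or blockage of the wireless backhaul link.
At present, for dual connectivity types other than evolved universal mobile telecommunications system terrestrial radio access (EUTRA)-NR dual connectivity (EN-DC), such as NR-EUTRA dual connectivity (NE-DC) and NR-DC, the industry has not provided a K_IAB generation scheme. As a result, the K_IAB generated by the IAB node may differ from the K_IAB generated by the IAB donor, so that the secure tunnel between the IAB node and the IAB donor cannot be established normally.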
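Summary
This application provides a key generation method and apparatus, used to ensure that the IAB donor and the IAB node generate the same K_IAB in a dual connectivity scenario.
According to a first aspect, a key generation method is provided, including: a first access network device determines that a first device registered with the 5G core network through the first access network device is an IAB node; when a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB donor function; if the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device; the first access network device obtains a first key input parameter associated with the second access network device; the first access network device generates a first IAB key K_IAB1 according to the master base station key and the first key input parameter, where the master base station key is used for security protection of communication between the master base station (the first access network device) and the first device, and K_IAB1 is used to establish a secure tunnel between the second access network device and the first device; the first access network device sends K_IAB1 to the second access network device.
Based on the foregoing technical solution, after the IAB node (for example, the first device) accesses the 5G core network through the first access network device, the first access network device, when it does not itself have the IAB donor function, can select a second access network device that has the IAB donor function as the secondary base station for the first device, which ensures that in the dual connectivity scenario there is an access network device acting as the IAB donor to serve the first device. In addition, in dual connectivity scenarios such as NE-DC, NR-DC or NGEN-DC, the first access network device generates the first IAB key K_IAB1 according to the master base station key and the first key input parameter, and sends K_IAB1 to the first access network device. In this way, the IAB node and the IAB donor uniformly use an IAB key generated from the master base station key, which ensures that the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, the first access network device selecting the second access network device that has the IAB donor function as the secondary base station of the first device includes: the first access network device sends a first request message to a second device, where the first request message includes the identifier of the first device; the first access network device receives a first response message sent by the second device, where the first response message includes the identifier of the second access network device.
In a possible design, the first key input parameter includes a first IP address and a second IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In a possible design, the first access network device obtaining the first key input parameter associated with the second access network device includes: the first access network device sends a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device and includes first indication information and/or second indication information, the first indication information being used to request the first IP address and the second indication information being used to request the second IP address; the first access network device receives a secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address. Based on this design, when the second access network device is responsible for allocating the first IP address, the first access network device obtains the first key input parameter by reusing an existing procedure, which helps save signaling overhead and simplify the operation flow.
In a possible design, the secondary base station configuration message includes a secondary base station key derived from the master base station key, where the secondary base station key is used for security protection of communication between the secondary base station and the first device.
In a possible design, the key generation method further includes: the first access network device sends the first IP address to the first device.
In a possible design, the first access network device obtaining the first key input parameter associated with the second access network device includes: the first access network device receives an IP address notification message sent by the first device, where the IP address notification message includes the first IP address; the first access network device sends a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device and includes second indication information used to request the second IP address; the first access network device receives a secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the second IP address. Based on this design, when the second device is responsible for allocating the first IP address, the first access network device can obtain the first IP address from the first device and the second IP address from the second access network device.
In a possible design, the key generation method further includes: if the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device; the first access network device obtains a second key input parameter associated with the first access network device; the first access network device generates a second IAB key K_IAB2 according to the master base station key and the second key input parameter, where K_IAB2 is used to establish a secure tunnel between the first access network device and the first device.
In a possible design, the second key input parameter includes a first IP address and a third IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the third IP address is the IP address that the first access network device uses to communicate with the IAB node.
In a possible design, the first access network device obtaining the second key input parameter associated with the first access network device includes: the first access network device allocates the first IP address to the first device; the first access network device obtains the third IP address from a database.
In a possible design, the first access network device obtaining the second key input parameter associated with the first access network device includes: the first access network device receives an IP address notification message sent by the first device, where the IP address notification message includes the first IP address; the first access network device obtains the third IP address from a database.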
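According to a second aspect, a key generation method is provided, including: a second access network device receives a secondary base station configuration message sent by a first access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of a first device; when the secondary base station configuration message includes third indication information, the second access network device determines whether it has the IAB donor function, where the third indication information indicates that the first device is an IAB node; when the second access network device has the IAB donor function, the second access network device obtains a first IAB key K_IAB1 from the first access network device, where K_IAB1 is used to establish a secure tunnel between the second access network device and the first device, K_IAB1 is generated according to the master base station key, and the master base station key is used for security protection of communication between the first access network device and the first device.
Based on the foregoing technical solution, using the second access network device that has the IAB donor function as the secondary base station of the first device ensures that in the dual connectivity scenario there is an access network device acting as the IAB donor to serve the IAB node (that is, the first device). By receiving K_IAB1 sent by the first access network device, the second access network device allows the IAB node and the IAB donor to uniformly use an IAB key generated from the master base station key, which ensures that the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, K_IAB1 being generated according to the master base station key includes: K_IAB1 is generated according to the master base station key and a first key input parameter. The first key input parameter includes a first IP address and a second IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In a possible design, the secondary base station configuration message further includes first indication information and/or second indication information, where the first indication information is used to request the first IP address and the second indication information is used to request the second IP address.
In a possible design, the key generation method further includes: the second access network device sends a secondary base station configuration response message to the first access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
In a possible design, the second access network device obtaining K_IAB1 from the first access network device includes: the second access network device receives a secondary base station reconfiguration complete message sent by the first access network device, where the secondary base station reconfiguration complete message includes K_IAB1.
In a possible design, the second access network device obtaining K_IAB1 from the first access network device includes: the second access network device sends a key request message to the first access network device, where the key request message is used to request K_IAB1; the second access network device receives a key response message sent by the first access network device, where the key response message includes K_IAB1.
In a possible design, the key request message further includes the first IP address and/or the second IP address.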
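According to a third aspect, a key generation method is provided, applied to a scenario in which a first device is connected to a master base station and a secondary base station, where the first device has the IAB node function. The key generation method includes: the first device determines the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, the first device generates an IAB key K_IAB according to the master base station key, where the master base station key is used for security protection of communication between the first device and the master base station.
Based on the foregoing technical solution, the IAB node determines the dual connectivity type, so that in the NE-DC, NR-DC or NGEN-DC scenario the IAB node uses the master base station key to generate the IAB key K_IAB. The IAB node and the IAB donor therefore uniformly use an IAB key generated from the master base station key, which ensures that the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, the key generation method further includes: the first device receives a broadcast message from the master base station; the first device determines the communication standard supported by the master base station according to configuration parameters in the broadcast message, where the configuration parameters include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency, or downlink frequency.
In a possible design, the first device determining the communication standard supported by the master base station according to the configuration parameters in the broadcast message includes: when the configuration parameters in the broadcast message belong to a 5G communications system, the first device determines that the master base station supports the 5G communication standard; or, when the configuration parameters in the broadcast message belong to a 4G communications system, the first device determines that the master base station supports the 4G communication standard.
In a possible design, the key generation method further includes: the first device receives an RRC reconfiguration message sent by the master base station, where the RRC reconfiguration message includes secondary cell group configuration information; the first device determines the communication standard supported by the secondary base station according to the secondary cell group configuration information.
In a possible design, the first device determining the communication standard supported by the secondary base station according to the RRC reconfiguration message includes: when the secondary cell group configuration information belongs to the 5G communication standard, the first device determines that the secondary base station supports the 5G communication standard; or, when the secondary cell group configuration information belongs to the 4G communication standard, the first device determines that the secondary base station supports the 4G communication standard.
In a possible design, the key generation method further includes: the first device receives a broadcast message sent by the master base station; the first device determines the communication standard supported by the core network according to cell configuration information in the broadcast message.
In a possible design, the first device determining the communication standard supported by the core network according to the cell configuration information in the broadcast message includes: when the cell configuration information belongs to the 5G communication standard, the first device determines that the core network supports the 5G communication standard; or, when the cell configuration information belongs to the 4G communication standard, the first device determines that the core network supports the 4G communication standard.
In a possible design, the first device determining the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network includes: when the master base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NE-DC; or, when the master base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NR-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NGEN-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, the first device determines that the dual connectivity type is EN-DC.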
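According to a fourth aspect, a key generation method is provided, including: a first access network device determines that a first device registered with the network through the first access network device is an IAB node; if the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device; the first access network device generates a second IAB key K_IAB2 according to the secondary base station key, where K_IAB2 is used to establish a secure tunnel between the first access network device and the first device, and the secondary base station key is used for security protection of communication between the secondary base station and the first device.
Based on the foregoing technical solution, because the first access network device determines that the first device is an IAB node and the first access network device has the IAB donor function, the first access network device can act as the IAB donor of the first device. Further, in the dual connectivity scenario, the first access network device generates K_IAB2 according to the secondary base station key, which ensures that the IAB node and the IAB donor uniformly use an IAB key generated from the secondary base station key, and therefore that the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, the secondary base station key is derived from the master base station key, where the master base station key is used for security protection of communication between the first access network device and the first device.
In a possible design, after the first access network device generates K_IAB2 according to the secondary base station key, the method further includes: the first access network device sends a secondary base station configuration message to a second access network device, where the secondary base station configuration message includes the secondary base station key; the first access network device receives a secondary base station configuration response message sent by the second access network device.
In a possible design, the first access network device generating K_IAB2 according to the secondary base station key includes: after sending the secondary base station configuration message, the first access network device generates K_IAB2 according to the secondary base station key.
In a possible design, the first access network device generating K_IAB2 according to the secondary base station key includes: after receiving the secondary base station configuration response message, the first access network device generates K_IAB2 according to the secondary base station key.
In a possible design, the key generation method further includes: if the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device; the first access network device sends a secondary base station configuration message to the second access network device, where the secondary base station configuration message includes the secondary base station key.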
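According to a fifth aspect, a key generation method is provided, applied to a scenario in which a first device is connected to a master base station and a secondary base station, where the first device has the IAB node function. The key generation method includes: the first device determines the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, the first device generates an IAB key K_IAB according to the secondary base station key, where the secondary base station key is used for security protection of communication between the first device and the secondary base station.
Based on the foregoing technical solution, the IAB node determines the dual connectivity type, so that in the NE-DC, NR-DC or NGEN-DC scenario the IAB node uses the secondary base station key to generate the IAB key K_IAB. The IAB node and the IAB donor therefore uniformly use an IAB key generated from the secondary base station key, which ensures that the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, the key generation method further includes: the first device receives a broadcast message from the master base station; the first device determines the communication standard supported by the master base station according to configuration parameters in the broadcast message, where the configuration parameters include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency, or downlink frequency.
In a possible design, the first device determining the communication standard supported by the master base station according to the configuration parameters in the broadcast message includes: when the configuration parameters in the broadcast message belong to a 5G communications system, the first device determines that the master base station supports the 5G communication standard; or, when the configuration parameters in the broadcast message belong to a 4G communications system, the first device determines that the master base station supports the 4G communication standard.
In a possible design, the key generation method further includes: the first device receives an RRC reconfiguration message sent by the master base station, where the RRC reconfiguration message includes secondary cell group configuration information; the first device determines the communication standard supported by the secondary base station according to the secondary cell group configuration information.
In a possible design, the first device determining the communication standard supported by the secondary base station according to the RRC reconfiguration message includes: when the secondary cell group configuration information belongs to the 5G communication standard, the first device determines that the secondary base station supports the 5G communication standard; or, when the secondary cell group configuration information belongs to the 4G communication standard, the first device determines that the secondary base station supports the 4G communication standard.
In a possible design, the key generation method further includes: the first device receives a broadcast message sent by the master base station; the first device determines the communication standard supported by the core network according to cell configuration information in the broadcast message.
In a possible design, the first device determining the communication standard supported by the core network according to the cell configuration information in the broadcast message includes: when the cell configuration information belongs to the 5G communication standard, the first device determines that the core network supports the 5G communication standard; or, when the cell configuration information belongs to the 4G communication standard, the first device determines that the core network supports the 4G communication standard.
In a possible design, the first device determining the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network includes: when the master base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NE-DC; or, when the master base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NR-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, the first device determines that the dual connectivity type is NGEN-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, the first device determines that the dual connectivity type is EN-DC.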
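According to a sixth aspect, a key generation method is provided, applied to a scenario in which a first device is connected to a master base station and a secondary base station, where the first device has the IAB node function. The key generation method includes: the first device learns whether the master base station or the secondary base station acts as the IAB donor; when the master base station is the IAB donor, the first device generates an IAB key according to the master base station key and a key input parameter, where the IAB key is used to establish a secure tunnel between the IAB node and the IAB donor, and the master base station key is used for security protection of communication between the first device and the master base station; or, when the secondary base station is the IAB donor, the first device generates the IAB key according to the secondary base station key and the key input parameter, where the secondary base station key is used for security protection of communication between the first device and the secondary base station.
Based on the foregoing technical solution, when the master base station acts as the IAB donor, both the IAB node and the IAB donor use the master base station key to generate the IAB key. When the secondary base station acts as the IAB donor, both the IAB node and the IAB donor use the secondary base station key to generate the IAB key. This ensures that in the dual connectivity scenario the IAB donor and the IAB node can establish a secure tunnel using the same IAB key as the authentication credential.
In a possible design, the first device learning whether the master base station or the secondary base station acts as the IAB donor includes: when the first device receives fourth indication information, the first device learns that the master base station is the IAB donor, where the fourth indication information indicates that the master base station is the IAB donor; or, when the first device receives fifth indication information, the first device learns that the secondary base station is the IAB donor, where the fifth indication information indicates that the secondary base station is the IAB donor.
In a possible design, the first device learning whether the master base station or the secondary base station acts as the IAB donor includes: when a wireless backhaul link is established between the first device and the master base station, the first device learns that the master base station is the IAB donor; or, when a wireless backhaul link is established between the first device and the secondary base station, the first device learns that the secondary base station is the IAB donor.
In a possible design, the first device learning whether the master base station or the secondary base station acts as the IAB donor includes: the first device obtains the frequency band supported by the master base station and the frequency band supported by the secondary base station; when the frequency band supported by the master base station is higher than the frequency band supported by the secondary base station, the first device learns that the master base station is the IAB donor; or, when the frequency band supported by the master base station is lower than the frequency band supported by the secondary base station, the first device learns that the secondary base station is the IAB donor.
In a possible design, the first device learning whether the master base station or the secondary base station acts as the IAB donor includes: when the first device receives sixth indication information broadcast by the master base station, the first device learns that the master base station is the IAB donor; or, when the first device receives sixth indication information broadcast by the secondary base station, the first device learns that the secondary base station is the IAB donor; where the sixth indication information indicates that the base station has the IAB donor function.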
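According to a seventh aspect, a communication apparatus is provided, applied to a first access network device. The communication apparatus includes a processing module and a communication module. The processing module is configured to: determine that a first device registered with the 5G core network is an IAB node; when a secondary base station needs to be selected for the first device, determine whether the apparatus itself has the IAB donor function; if it does not have the IAB donor function, select a second access network device that has the IAB donor function as the secondary base station of the first device; obtain a first key input parameter associated with the second access network device; and generate a first IAB key K_IAB1 according to the master base station key and the first key input parameter, where the master base station key is used for security protection of communication between the master base station (the first access network device) and the first device, and K_IAB1 is used to establish a secure tunnel between the second access network device and the first device. The communication module is configured to send K_IAB1 to the second access network device.
In a possible design, the communication module is further configured to: send a first request message to a second device, where the first request message includes the identifier of the first device; and receive a first response message sent by the second device, where the first response message includes the identifier of the second access network device.
In a possible design, the first key input parameter includes a first IP address and a second IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In a possible design, the communication module is configured to: send a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device and includes first indication information and/or second indication information, the first indication information being used to request the first IP address and the second indication information being used to request the second IP address; and receive a secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
In a possible design, the secondary base station configuration message includes a secondary base station key derived from the master base station key, where the secondary base station key is used for security protection of communication between the secondary base station and the first device.
In a possible design, the communication module is further configured to send the first IP address to the first device.
In a possible design, the communication module is further configured to: receive an IP address notification message sent by the first device, where the IP address notification message includes the first IP address; send a secondary base station configuration message to the second access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of the first device and includes second indication information used to request the second IP address; and receive a secondary base station configuration response message sent by the second access network device, where the secondary base station configuration response message includes the second IP address.
In a possible design, the processing module is further configured to: if the apparatus itself has the IAB donor function, select a third access network device as the secondary base station of the first device; obtain a second key input parameter associated with the first access network device; and generate a second IAB key K_IAB2 according to the master base station key and the second key input parameter, where K_IAB2 is used to establish a secure tunnel between the apparatus itself and the first device.
In a possible design, the second key input parameter includes a first IP address and a third IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the third IP address is the IP address that the first access network device uses to communicate with the IAB node.
In a possible design, the processing module is further configured to allocate the first IP address to the first device, and to obtain the third IP address from a database.
In a possible design, the communication module is further configured to receive an IP address notification message sent by the first device, where the IP address notification message includes the first IP address. The processing module is further configured to obtain the third IP address from a database.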
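According to an eighth aspect, a communication apparatus is provided, applied to a second access network device. The communication apparatus includes a communication module and a processing module. The communication module is configured to receive a secondary base station configuration message sent by a first access network device, where the secondary base station configuration message is used to configure the second access network device as the secondary base station of a first device. The processing module is configured to determine, when the secondary base station configuration message includes third indication information, whether the apparatus itself has the IAB donor function, where the third indication information indicates that the first device is an IAB node. The communication module is further configured to obtain, when the apparatus itself has the IAB donor function, a first IAB key K_IAB1 from the first access network device, where K_IAB1 is used to establish a secure tunnel between the second access network device and the first device, K_IAB1 is generated according to the master base station key, and the master base station key is used for security protection of communication between the first access network device and the first device.
In a possible design, K_IAB1 being generated according to the master base station key includes: K_IAB1 is generated according to the master base station key and a first key input parameter. The first key input parameter includes a first IP address and a second IP address, where the first IP address is the IP address that the first device uses to communicate with the IAB donor, and the second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In a possible design, the secondary base station configuration message further includes first indication information and/or second indication information, where the first indication information is used to request the first IP address and the second indication information is used to request the second IP address.
In a possible design, the communication module is further configured to send a secondary base station configuration response message to the first access network device, where the secondary base station configuration response message includes the first IP address and/or the second IP address.
In a possible design, the communication module is specifically configured to receive a secondary base station reconfiguration complete message sent by the first access network device, where the secondary base station reconfiguration complete message includes K_IAB1.
In a possible design, the communication module is specifically configured to: send a key request message to the first access network device, where the key request message is used to request K_IAB1; and receive a key response message sent by the first access network device, where the key response message includes K_IAB1.
In a possible design, the key request message further includes the first IP address and/or the second IP address.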
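According to a ninth aspect, a communication apparatus is provided, applied to a first device. The communication apparatus includes a processing module. The processing module is configured to: determine the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; and when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, generate K_IAB according to the master base station key and a key input parameter, where the master base station key is used for security protection of communication between the first device and the master base station.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive a broadcast message from the master base station. The processing module is further configured to determine the communication standard supported by the master base station according to configuration parameters in the broadcast message, where the configuration parameters include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency, or downlink frequency.
In a possible design, the processing module is specifically configured to: when the configuration parameters in the broadcast message belong to a 5G communications system, determine that the master base station supports the 5G communication standard; or, when the configuration parameters in the broadcast message belong to a 4G communications system, determine that the master base station supports the 4G communication standard.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive an RRC reconfiguration message sent by the master base station, where the RRC reconfiguration message includes secondary cell group configuration information. The processing module is configured to determine the communication standard supported by the secondary base station according to the secondary cell group configuration information.
In a possible design, the processing module is specifically configured to: when the secondary cell group configuration information belongs to the 5G communication standard, determine that the secondary base station supports the 5G communication standard; or, when the secondary cell group configuration information belongs to the 4G communication standard, determine that the secondary base station supports the 4G communication standard.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive a broadcast message sent by the master base station. The processing module is configured to determine the communication standard supported by the core network according to cell configuration information in the broadcast message.
In a possible design, the processing module is specifically configured to: when the cell configuration information belongs to the 5G communication standard, determine that the core network supports the 5G communication standard; or, when the cell configuration information belongs to the 4G communication standard, determine that the core network supports the 4G communication standard.
In a possible design, the processing module is specifically configured to: when the master base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NE-DC; or, when the master base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NR-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NGEN-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, determine that the dual connectivity type is EN-DC.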
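According to a tenth aspect, a communication apparatus is provided, applied to a first access network device. The communication apparatus includes a processing module. The processing module is configured to: determine that a first device registered with the network is an IAB node; when a secondary base station needs to be selected for the first device, determine whether the apparatus itself has the IAB donor function; if it has the IAB donor function, select a third access network device as the secondary base station of the first device; and generate an IAB key K_IAB according to the secondary base station key, where K_IAB is used to establish a secure tunnel between the apparatus itself and the first device, and the secondary base station key is used for security protection of communication between the secondary base station and the first device.
In a possible design, the secondary base station key is derived from the master base station key, where the master base station key is used for security protection of communication between the first access network device and the first device.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to: after the processing module generates K_IAB, send a secondary base station configuration message to a second access network device, where the secondary base station configuration message includes the secondary base station key; and receive a secondary base station configuration response message sent by the second access network device.
In a possible design, the processing module is specifically configured to generate K_IAB according to the secondary base station key after the communication module sends the secondary base station configuration message.
In a possible design, the processing module is specifically configured to generate K_IAB according to the secondary base station key after the secondary base station configuration response message is received.
In a possible design, the processing module is further configured to: if the apparatus itself does not have the IAB donor function, select a second access network device that has the IAB donor function as the secondary base station of the first device; and send a secondary base station configuration message to the second access network device, where the secondary base station configuration message includes the secondary base station key.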
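According to an eleventh aspect, a communication apparatus is provided, applied to a first device. The communication apparatus includes a processing module. The processing module is configured to: determine the dual connectivity type according to the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network; and when the dual connectivity type is NE-DC, NR-DC or NGEN-DC, generate K_IAB according to the secondary base station key, where the secondary base station key is used for security protection of communication between the first device and the secondary base station.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive a broadcast message from the master base station. The processing module is further configured to determine the communication standard supported by the master base station according to configuration parameters in the broadcast message, where the configuration parameters include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency, or downlink frequency.
In a possible design, the processing module is specifically configured to: when the configuration parameters in the broadcast message belong to a 5G communications system, determine that the master base station supports the 5G communication standard; or, when the configuration parameters in the broadcast message belong to a 4G communications system, determine that the master base station supports the 4G communication standard.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive an RRC reconfiguration message sent by the master base station, where the RRC reconfiguration message includes secondary cell group configuration information. The processing module is configured to determine the communication standard supported by the secondary base station according to the secondary cell group configuration information.
In a possible design, the processing module is specifically configured to: when the secondary cell group configuration information belongs to the 5G communication standard, determine that the secondary base station supports the 5G communication standard; or, when the secondary cell group configuration information belongs to the 4G communication standard, determine that the secondary base station supports the 4G communication standard.
In a possible design, the communication apparatus further includes a communication module. The communication module is configured to receive a broadcast message sent by the master base station. The processing module is configured to determine the communication standard supported by the core network according to cell configuration information in the broadcast message.
In a possible design, the processing module is specifically configured to: when the cell configuration information belongs to the 5G communication standard, determine that the core network supports the 5G communication standard; or, when the cell configuration information belongs to the 4G communication standard, determine that the core network supports the 4G communication standard.
In a possible design, the processing module is specifically configured to: when the master base station supports the 5G network standard, the secondary base station supports the 4G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NE-DC; or, when the master base station supports the 5G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NR-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 5G network standard, determine that the dual connectivity type is NGEN-DC; or, when the master base station supports the 4G network standard, the secondary base station supports the 5G network standard, and the core network supports the 4G network standard, determine that the dual connectivity type is EN-DC.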
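According to a twelfth aspect, a communication apparatus is provided, applied to a first device, where the first device has the IAB node function. The communication apparatus includes a processing module. The processing module is configured to: learn whether the master base station or the secondary base station acts as the IAB donor; when the master base station is the IAB donor, generate an IAB key according to the master base station key and a key input parameter, where the IAB key is used to establish a secure tunnel between the IAB node and the IAB donor; or, when the secondary base station is the IAB donor, generate the IAB key according to the secondary base station key and the key input parameter.
In a possible design, the processing module is specifically configured to: when fourth indication information is received, learn that the master base station is the IAB donor, where the fourth indication information indicates that the master base station is the IAB donor; or, when fifth indication information is received, learn that the secondary base station is the IAB donor, where the fifth indication information indicates that the secondary base station is the IAB donor.
In a possible design, the processing module is specifically configured to: when a wireless backhaul link is established between the communication apparatus and the master base station, learn that the master base station is the IAB donor; or, when a wireless backhaul link is established between the communication apparatus and the secondary base station, learn that the secondary base station is the IAB donor.
In a possible design, the processing module is specifically configured to: obtain the frequency band supported by the master base station and the frequency band supported by the secondary base station; when the frequency band supported by the master base station is higher than the frequency band supported by the secondary base station, learn that the master base station is the IAB donor; or, when the frequency band supported by the master base station is lower than the frequency band supported by the secondary base station, learn that the secondary base station is the IAB donor.
In a possible design, the processing module is specifically configured to: when sixth indication information broadcast by the master base station is received, learn that the master base station is the IAB donor; or, when sixth indication information broadcast by the secondary base station is received, learn that the secondary base station is the IAB donor; where the sixth indication information indicates that the base station has the IAB donor function.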
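According to a thirteenth aspect, a communication apparatus is provided, including a processor and a communication port, where the processor is configured to execute computer program instructions so that the communication apparatus implements the method involved in any design provided in any one of the first aspect to the sixth aspect.
According to a fourteenth aspect, a computer-readable storage medium is provided, where the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to implement the method involved in any design provided in any one of the first aspect to the sixth aspect.
According to a fifteenth aspect, a computer program product is provided, where the computer program product includes instructions that, when the computer program product is run on a computer, cause the computer to implement the method involved in any design provided in any one of the first aspect to the sixth aspect.
According to a sixteenth aspect, a chip is provided, where the chip includes a processor, and when the processor executes computer program instructions, the computer is caused to implement the method involved in any design provided in any one of the first aspect to the sixth aspect.
For the technical effects of any design of the seventh aspect to the sixteenth aspect, refer to the beneficial effects of the corresponding methods provided above, which have the same technical effects as those designs; details are not repeated here.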
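Brief description of the drawings
FIG. 1 is a flowchart of a dual connectivity configuration provided by the related art;
FIG. 2 is a schematic diagram of an IAB networking scenario provided by an embodiment of this application;
FIG. 3 is a schematic diagram of the user plane protocol stack in an IAB network provided by an embodiment of this application;
FIG. 4 is a schematic diagram of the control plane protocol stack in an IAB network provided by an embodiment of this application;
FIG. 5 is a schematic diagram of an IAB node using EN-DC mode provided by an embodiment of this application;
FIG. 6 is a flowchart of generating an IAB key in an EN-DC scenario provided by an embodiment of this application;
FIG. 7 is a schematic diagram of an IAB node using NE-DC mode provided by an embodiment of this application;
FIG. 8 is a schematic diagram of an IAB node using NR-DC mode provided by an embodiment of this application;
FIG. 9 is a schematic diagram of an IAB node using NGEN-DC mode provided by an embodiment of this application;
FIG. 10 is a flowchart of a key generation method provided by an embodiment of this application;
FIG. 11 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 12 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 13 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 14 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 15 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 16 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 17 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 18 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 19 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 20 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 21 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 22 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 23 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 24 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 25 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 26 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 27 is a flowchart of another key generation method provided by an embodiment of this application;
FIG. 28 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
FIG. 29 is a schematic diagram of the hardware structure of a communication apparatus provided by an embodiment of this application.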
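Detailed description
In the description of this application, unless otherwise stated, "/" means "or"; for example, A/B may represent A or B. "And/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may represent three cases: A alone, both A and B, and B alone. In addition, "at least one" means one or more, and "a plurality of" means two or more. Words such as "first" and "second" do not limit quantity or execution order, and do not necessarily indicate that the items are different.
It should be noted that in this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in this application should not be construed as preferred over or more advantageous than other embodiments or designs. Rather, words such as "exemplary" or "for example" are intended to present related concepts in a concrete manner.
To facilitate understanding of the technical solutions of this application, some technical terms are introduced below.
1. Dual connectivity
In the field of wireless communication, dual connectivity (DC) technology was introduced to increase user throughput. DC allows two or more base stations to provide data transmission services to one terminal device at the same time. These base stations include one master base station and one or more secondary base stations.
The master base station may also be called a master node (MN) or master access network device, and the secondary base station may also be called a secondary node (SN) or secondary access network device; the embodiments of this application do not limit this.
The master base station is connected to the core network (CN) through an S1/NG interface. Between the master base station and the core network there is at least a control plane connection, and there may also be a user plane connection. The S1 interface includes S1-U and S1-C. The NG interface includes NG-U and NG-C. S1-U/NG-U represents the user plane connection, and S1-C/NG-C represents the control plane connection.
The secondary base station may or may not have a user plane connection to the core network. When the secondary base station has no user plane connection to the core network, the data of the terminal device can be split by the master base station to the secondary base station at the packet data convergence protocol (PDCP) layer.
Depending on the communication standards supported by the master base station, the secondary base station, and the core network to which the master base station is connected, there can be several types of dual connectivity. As an example, Table 1 below illustrates the dual connectivity types.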
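Table 1
Dual connectivity type | Master base station | Secondary base station | Core network
EN-DC                  | 4G base station     | 4G base station        | 4G core network
NE-DC                  | 5G base station     | 4G base station        | 5G core network
NR-DC                  | 5G base station     | 5G base station        | 5G core network
NGEN-DC                | 4G base station     | 4G base station        | 5G core network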
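In a dual connectivity scenario, the master base station manages one primary cell (PCell). The primary cell is a cell that is deployed on the primary frequency and that the terminal accesses during the initial connection establishment procedure or the RRC connection re-establishment procedure, or a cell indicated as the primary cell during handover. In addition to the primary cell, the master base station may also manage one or more secondary cells (SCell). The cells under the master base station that serve the terminal, such as the primary cell and the secondary cells under the master base station, may form a master cell group (MCG).
The secondary base station manages one primary secondary cell (PSCell). The primary secondary cell may be the cell that the terminal accesses in the random access procedure initiated toward the secondary base station, or a cell on another secondary base station on which the terminal initiates data transmission while skipping the random access procedure during a secondary base station change, or the cell on the secondary base station accessed in the random access procedure initiated when performing the reconfiguration-with-sync procedure. In addition to the primary secondary cell, the secondary base station may also manage one or more secondary cells. The cells on the secondary base station that serve the terminal, such as the primary secondary cell and the secondary cells on the secondary base station, may form a secondary cell group (SCG).
In the embodiments of this application, a terminal device is a device with wireless transceiver functions. A terminal device may be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it may also be deployed on water (for example, on ships); it may also be deployed in the air (for example, on aircraft, balloons and satellites). A terminal device may be user equipment (UE). UE includes handheld devices, vehicle-mounted devices, wearable devices or computing devices with wireless communication functions. For example, the UE may be a mobile phone, a tablet computer, or a computer with wireless transceiver functions. A terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control, a wireless terminal device in self-driving, a wireless terminal device in telemedicine, a wireless terminal device in a smart grid, a wireless terminal device in a smart city, a wireless terminal device in a smart home, and so on.
The master base station and the secondary base station may be collectively referred to as network devices. The network device includes but is not limited to: an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example, a home evolved Node B, or home Node B, HNB), a baseband unit (BBU), a wireless relay node, a wireless backhaul node, a transmission point (transmission and reception point, TRP, or transmission point, TP), and the like. It may also be a 5G device, for example a gNB in a new radio (NR) system, or a transmission point (TRP or TP), or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system; or it may be a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU), a distributed unit (DU), or a road side unit (RSU) with base station functions.
In the embodiments of this application, the network device may use a centralized unit (CU)-DU architecture. That is, the network device may consist of a CU and at least one DU. In this case, some functions of the network device are deployed on the CU, and the other functions of the network device are deployed on the DU. The CU and the DU are split by function according to the protocol stack. In one implementation, the CU hosts the RRC layer, the packet data convergence protocol (PDCP) layer, and the service data adaptation protocol (SDAP) layer of the protocol stack; the DU hosts the radio link control (RLC) layer, the media access control (MAC) layer, and the physical layer (PHY) of the protocol stack. The CU therefore has RRC, PDCP and SDAP processing capability, and the DU has RLC, MAC and PHY processing capability. It can be understood that this functional split is only an example and does not limit the CU and the DU. In other words, other functional splits between the CU and the DU are possible, which are not detailed in the embodiments of this application.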
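2. Dual connectivity configuration procedure
As shown in FIG. 1, a dual connectivity configuration procedure provided in the related art includes the following steps:
S10. The terminal device registers with the network through the master base station.
Optionally, after the terminal device registers with the network, the master base station may deliver a measurement event to the terminal device so that the terminal device reports a measurement report to the master base station. The master base station may then determine, according to the measurement report, whether to add a secondary base station for the terminal device. If it determines to add a secondary base station for the terminal device, the master base station may perform step S11 below.
S11. The master base station determines to add a secondary base station for the terminal device.
S12. The master base station sends a secondary node addition/modification request (SN addition/modification request) message to the secondary base station.
The SN addition/modification request message contains the relevant configuration information of the secondary base station.
It should be noted that the master base station may generate the secondary base station key. The SN addition/modification request message sent by the master base station may then carry the secondary base station key. Because the master base station does not use the secondary base station key, the master base station may delete the secondary base station key after sending the SN addition/modification request message.
S13. The secondary base station sends a secondary node addition/modification request acknowledgement (SN addition/modification request ack) message to the master base station.
The SN addition/modification request ack message indicates agreement to use the configuration information carried in the SN addition/modification request message.
S14. The master base station sends an RRC reconfiguration message to the terminal device.
The RRC reconfiguration message is used to configure the radio bearer between the terminal device and the secondary base station.
S15. The terminal device sends an RRC reconfiguration complete message to the master base station.
S16. The master base station sends a secondary node reconfiguration complete (SN reconfiguration complete) message to the secondary base station.
After that, the terminal device and the secondary base station may perform the random access procedure. After the random access procedure, an RRC connection is established between the terminal device and the secondary base station.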
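3. K_gNB
In a 5G network, K_gNB is derived separately by the terminal device and the access and mobility management function (AMF) from K_AMF. After deriving K_gNB, the AMF sends K_gNB to the access network device to which the terminal device is connected. In this way, the terminal device and the access network device maintain the same K_gNB, so the terminal device and the access network device can communicate securely using K_gNB and the keys derived from it.
4. K_eNB
In a 4G network, K_eNB is derived separately by the terminal device and the mobility management entity (MME) from K_ASME. After deriving K_eNB, the MME sends K_eNB to the access network device to which the terminal device is connected. In this way, the terminal device and the access network device maintain the same K_eNB, so the terminal device and the access network device can communicate securely using K_eNB and the keys derived from it.
5. Security protection
Security protection means processing data with encryption/decryption and/or integrity protection/verification to avoid risks such as data leakage or data tampering.
1) Encryption/decryption: protects the confidentiality of data in transit (and is therefore also called confidentiality protection); confidentiality means that the real content cannot be read directly. Encryption protection is generally implemented by encrypting data with a key and an encryption algorithm.
2) Integrity protection/verification: determines whether the content of a message has been changed in transit; it can also be used for identity verification, to confirm the source of the message.
3) Anti-replay protection/verification: determines whether a message has been replayed, to confirm the freshness of the message.
The above introduces the technical terms involved in the embodiments of this application; they are not repeated below.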
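Compared with the 4G mobile communications system, the 5G mobile communications system places stricter requirements on every network performance indicator. For example, a 1000-fold increase in capacity, wider coverage requirements, ultra-high reliability and ultra-low latency.
On the one hand, to meet the ultra-high capacity requirement of the 5G mobile communications system, and considering that high-frequency carrier resources are abundant, operators commonly use high-frequency small cells for networking in hotspot areas. However, high-frequency carriers have poor propagation characteristics, suffer severe attenuation from obstruction, and have limited coverage, so a large number of densely deployed small cells are needed. Providing fiber backhaul for such a large number of densely deployed small cells is costly and difficult to construct, so an economical and convenient backhaul solution is needed. On the other hand, from the perspective of wide coverage, providing network coverage in some remote areas makes fiber deployment difficult and costly, so flexible and convenient access and backhaul solutions are also needed.
Integrated access and backhaul (IAB) technology offers an approach to both problems: its access link and backhaul link both use wireless transmission, which avoids fiber deployment.
In an IAB network, an IAB node can provide wireless access services for terminal devices, and is connected to the IAB donor through a wireless backhaul link to transmit users' service data.
The IAB node is connected to the core network through the donor node over a wired link. For example, in the standalone 5G architecture, the IAB node is connected to the core network of the 5G network (5G core, 5GC) through the donor node over a wired link. In the non-standalone 5G architecture, the IAB node is connected on the control plane to the evolved packet core (EPC) through an evolved NodeB (eNB), and on the user plane to the EPC through the donor node and the eNB.
To ensure the coverage performance of the IAB network and the reliability of service transmission, the IAB network supports networking with multi-hop IAB nodes and multi-connection IAB nodes. Therefore, there may be multiple transmission paths between a terminal served by an IAB node and the donor node. A transmission path may include multiple nodes, for example a terminal, one or more IAB nodes, and the donor node. There is a defined hierarchy among IAB nodes, and between IAB nodes and the donor node that serves them; each IAB node regards the node that provides backhaul service to it as its parent node. Correspondingly, each IAB node can be regarded as a child node of its parent node.
As an example, as shown in FIG. 2, in the IAB standalone networking scenario, the parent node of IAB node 1 is the donor node, IAB node 1 is in turn the parent node of IAB node 2 and IAB node 3, IAB node 2 and IAB node 3 are both parent nodes of IAB node 4, and the parent node of IAB node 5 is IAB node 2. An uplink data packet of a terminal can be transmitted through one or more IAB nodes to the donor node, and then sent by the donor node to the mobile gateway device (for example, the user plane function (UPF) network element in a 5G network); a downlink data packet is received by the donor node from the mobile gateway device and then sent to the terminal through one or more IAB nodes.
It can be understood that in an IAB network, a transmission path between a terminal and the donor node may contain one or more IAB nodes. Each IAB node needs to maintain a wireless backhaul link toward its parent node, and also needs to maintain wireless links with its child nodes. If an IAB node is the node that a terminal accesses, the link between that IAB node and its child node (that is, the terminal) is a wireless access link. If an IAB node provides backhaul service for other IAB nodes, the link between that IAB node and its child node (that is, the other IAB node) is a wireless backhaul link. As an example, referring to FIG. 2, in the path "terminal 1 → IAB node 4 → IAB node 3 → IAB node 1 → donor node", terminal 1 accesses IAB node 4 through a wireless access link, IAB node 4 accesses IAB node 3 through a wireless backhaul link, IAB node 3 accesses IAB node 1 through a wireless backhaul link, and IAB node 1 accesses the donor node through a wireless backhaul link.
An IAB node may include a mobile terminal (MT) and a distributed unit (DU). The MT included in the IAB node has some or all of the functions of a terminal device. When the IAB node faces its parent node, the IAB node can be regarded as a terminal device; that is, the IAB node plays the role of the MT. When the IAB node faces its child node (which may be a terminal or the terminal part of another IAB node), the IAB node can be regarded as a network device; that is, the IAB node plays the role of the DU. In other words, an IAB node can establish a backhaul connection with at least one of its parent nodes through its MT part. The DU part of an IAB node can provide access services for terminal devices or the MT parts of other IAB nodes.
The IAB donor may be one complete entity. Alternatively, the IAB donor may take a form in which a centralized unit (CU) (referred to herein as Donor-CU, or simply CU) and a distributed unit (DU) (referred to herein as Donor-DU) are separated; that is, the IAB donor consists of a Donor-CU and a Donor-DU. The Donor-CU may in turn take a form in which the user plane (UP) (referred to herein as CU-UP) and the control plane (CP) (referred to herein as CU-CP) are separated; that is, the Donor-CU consists of a CU-CP and a CU-UP.
In the embodiments of this application, the IAB donor may have other names, such as donor base station, donor node, DgNB (that is, donor gNB), and so on; this is not limited.
An F1 interface needs to be established between the IAB node and the IAB donor. The F1 interface may also be called the F1* interface; this is not limited. The F1 interface supports the user plane protocol of F1-U (or F1*-U) and the control plane protocol of F1-C (or F1*-C).
As an example, FIG. 3 is a schematic diagram of the user plane protocol stack in an IAB network provided by an embodiment of this application. As shown in FIG. 6, the user plane protocol stack includes one or more of the following protocol layers: general packet radio service (GPRS) tunnelling protocol user plane (GTP-U), user datagram protocol (UDP), internet protocol (IP), the Backhaul Adaptation Protocol (BAP) introduced on the wireless backhaul link, radio link control (RLC), media access control (MAC), and the physical layer (PHY layer). In FIG. 3, the L2 layer may be the data link layer in the open systems interconnection (OSI) reference model, and the L1 layer may be the physical layer.
As an example, FIG. 4 is a schematic diagram of the control plane protocol stack in an IAB network provided by an embodiment of this application. As shown in FIG. 4, the control plane protocol stack includes one or more of the following protocol layers: F1 application protocol (F1AP), stream control transport protocol (SCTP), IP, BAP, RLC, MAC, PHY, and so on.
To protect the security of the F1 interface, an internet protocol security (IPSec) secure connection can be established between the IAB node and the IAB donor. The internet key exchange (IKE) V2 protocol supports security authentication using a pre-shared secret key (PSK). For example, the IAB node and the IAB donor can be configured with a PSK in advance, which is used as the authentication credential in the subsequent IPSec establishment. At present, to avoid the PSK pre-configuration step and make the IAB node and IAB donor plug-and-play, the IAB node and the IAB donor can compute K_IAB and use it as the PSK.
At present, to meet the requirements on network coverage performance and service transmission reliability, the IAB node can be made to support dual connectivity (DC), to cope with abnormal conditions that may occur on the wireless backhaul link, such as interruption or blockage of the wireless backhaul link.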
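FIG. 5 is a schematic diagram of an IAB node using EN-DC mode. As shown in FIG. 5, when the IAB node works in EN-DC mode, a 4G base station (that is, an eNB) acts as the master base station and the IAB donor acts as the secondary base station. There is an LTE Uu air interface connection between the MeNB and the MT of the IAB node, an X2-C interface connection between the MeNB and the IAB donor-CU-CP, and the MeNB is connected to the 4G core network (evolved packet core, EPC) through the S1 interface. Optionally, the IAB donor-CU-UP may be connected to the EPC through the S1-U interface, for example to a serving gateway (SGW).
At present, in the scenario where the IAB node uses EN-DC mode, as shown in FIG. 6, the procedure by which the IAB node and the IAB donor generate K_IAB includes the following steps:
S20. The IAB node accesses the core network through the MeNB.
It should be understood that after the IAB node accesses the core network, the IAB node and the MeNB both store the same K_eNB.
S21. After the MeNB generates S-Kgnb, the MeNB sends an SN additional/modification request message to the IAB donor.
The SN additional/modification request message includes S-Kgnb. S-Kgnb is derived from K_eNB.
It can be understood that after sending S-Kgnb to the secondary base station, the MeNB may optionally delete S-Kgnb. That is, the MeNB computes S-Kgnb in order to send it to the secondary base station for use; the MeNB itself does not use S-Kgnb.
S22. The IAB donor sends an SN additional/modification request ACK message to the MeNB.
S23. The MeNB sends an RRC reconfiguration message to the IAB node.
It should be understood that after receiving the RRC reconfiguration message, the IAB node can derive S-Kgnb from K_eNB.
S24. The IAB node sends an RRC reconfiguration complete message to the MeNB.
S25. The MeNB sends an SN reconfiguration complete message to the IAB donor.
S26. The IAB node generates the IAB key according to S-Kgnb.
S27. The IAB donor generates the IAB key according to S-Kgnb.
In EN-DC mode, the IAB donor can only be the secondary base station, so the input key for generating the IAB key can be S-Kgnb; that is, the secondary base station uses S-Kgnb to derive the IAB key.
In this way, the IAB node and the IAB donor can establish a secure tunnel using the same IAB key as the authentication credential.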
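However, as communication technology develops, the IAB node may also use other types of dual connectivity (for example NE-DC, NR-DC, NGEN-DC, and so on).
Figure 7 is a schematic diagram of an IAB node using NE-DC mode. As shown in Figure 7, when the IAB node works in NE-DC mode, the IAB donor CU-UP connects to the user plane network element in the 5G core network (5G core, 5GC) through the NG-U interface, and the IAB donor CU-CP connects to the control plane network element in the 5GC through the NG-C interface. There is an LTE Uu air interface connection between the SeNB and the MT in the IAB node. There is an X2-C interface between the IAB donor CU-CP and the SeNB.
Figure 8 is a schematic diagram of an IAB node using NR-DC mode. As shown in Figure 8, when the IAB node works in NR-DC mode, the IAB node connects to one IAB donor and one gNB. The IAB donor CU-UP connects to the user plane network element in the 5GC through the NG-U interface, and the IAB donor CU-CP connects to the control plane network element in the 5GC through the NG-C interface. There is an NR Uu interface between the gNB and the MT in the IAB node.
Figure 9 is a schematic diagram of an IAB node using NGEN-DC mode. As shown in Figure 9, when the IAB node works in NGEN-DC mode, the master base station to which the IAB node connects is an NG-eNB, and the secondary base station to which the IAB node connects is the IAB donor. The IAB donor CU-UP connects to the user plane network element in the 5GC through the NG-U interface. There is an LTE Uu interface between the MT in the IAB node and the NG-eNB.
At present, for types of dual connectivity other than EN-DC, the industry has not provided a technical solution for the IAB node and the IAB donor to generate K_IAB. As a result, the K_IAB generated by the IAB node may differ from the K_IAB generated by the IAB donor, so that the IPsec secure connection between the IAB node and the IAB donor cannot be established normally.
For example, assume the IAB node accesses the network using NR-DC, and both the master base station and the secondary base station are gNBs. The IAB donor may be the master base station or the secondary base station. The IAB node establishes a connection with the IAB donor based on an IP address, and does not need to be aware of whether the IAB donor is the master or the secondary base station. Consequently, when the IAB donor is the secondary base station, the IAB donor may compute the IAB key from the secondary base station key while the IAB node may compute the IAB key from the master base station key, so the IAB keys maintained by the IAB donor and the IAB node differ. Or, when the IAB donor is the master base station, the IAB donor may compute the IAB key from the master base station key while the IAB node may compute the IAB key from the secondary base station key, so the IAB keys maintained by the IAB donor and the IAB node again differ.
To solve the above technical problem, the embodiments of this application provide three technical solutions. The ideas behind the three technical solutions are introduced first.
The idea of technical solution 1 is: in scenarios with types of dual connectivity other than EN-DC (for example NE-DC, NR-DC or NGEN-DC), the IAB donor and the IAB node both use the master base station key to compute K_IAB.
The idea of technical solution 2 is: in scenarios with types of dual connectivity other than EN-DC (for example NE-DC, NR-DC or NGEN-DC), the IAB donor and the IAB node both use the secondary base station key to compute K_IAB.
The idea of technical solution 3 is: in scenarios with types of dual connectivity other than EN-DC (for example NE-DC, NR-DC or NGEN-DC), the IAB donor and the IAB node both compute K_IAB from the local key of the IAB donor. If the master base station is the IAB donor, the local key is the master base station key; if the secondary base station is the IAB donor, the local key is the secondary base station key.
Technical solutions 1 to 3 all ensure that the IAB donor and the IAB node maintain the same K_IAB. It should be understood that in practice any one of technical solutions 1 to 3 can be chosen and executed.
For example, the master base station key is used to protect communication between the master base station (for example the first access network device below) and the first device. The master base station key may be, for example, K_gNB, K_RRCint, K_RRCenc, K_UPint, or K_UPenc. K_RRCint, K_RRCenc, K_UPint and K_UPenc are all derived from K_gNB. K_RRCint is used for integrity protection of RRC signalling between the master base station and the first device. K_RRCenc is used for encryption of RRC signalling between the master base station and the first device. K_UPint is used for integrity protection of user plane data between the master base station and the first device. K_UPenc is used for encryption of user plane data between the master base station and the first device. The master base station key is described here once and the description is not repeated below.
For example, the secondary base station key is used to protect communication between the secondary base station (for example the second access network device or the third access network device below) and the first device. The secondary base station key may be, for example, K_SN, S-K_RRCint, S-K_RRCenc, S-K_UPint, or S-K_UPenc, which is not limited here. S-K_RRCint, S-K_RRCenc, S-K_UPint and S-K_UPenc are all derived from K_SN. S-K_RRCint is used for integrity protection of RRC signalling between the secondary base station and the first device. S-K_RRCenc is used for encryption of RRC signalling between the secondary base station and the first device. S-K_UPint is used for integrity protection of user plane data between the secondary base station and the first device. S-K_UPenc is used for encryption of user plane data between the secondary base station and the first device. The master base station key is described here once and the description is not repeated below.
The specific implementations of the three embodiments are described in detail below with reference to the drawings. Note that the names of the messages and information items in the following embodiments are only examples; other names may be used in a specific implementation, which is not limited here.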
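Technical solution 1
In dual connectivity scenarios other than EN-DC, the network side can obtain the IAB key as in the embodiment shown in Figure 10, and the IAB node can obtain the IAB key as in the embodiment shown in Figure 11.
Figure 10 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S101. The first access network device determines that the first device, which registered to the 5G core network through the first access network device, is an IAB node.
In one possible implementation, the first access network device receives IAB indication information sent by the first device; the IAB indication information indicates that the first device is an IAB node. From the IAB indication information, the first access network device learns that the first device is an IAB node.
For example, the IAB indication information may be denoted "IAB-indication".
In another possible implementation, the first access network device receives IAB authorization information from a core network element; the IAB authorization information indicates that the first device is authorized to act as an IAB node. From the IAB authorization information, the first access network device learns that the first device is an IAB node.
For example, the IAB authorization information may be denoted "IAB-authorized".
It should be understood that the core network element may send the IAB authorization information to the first access network device on its own initiative. Alternatively, the core network element may, at the request of the first access network device, check the subscription data of the first device and decide whether to reply to the first access network device with the IAB authorization information.
It should be understood that during registration of the first device to the 5G core network, the first access network device and the first device both obtain the same master base station key.
S102. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB donor function itself.
In one possible implementation, the first access network device checks whether its own identifier is present in the IAB donor configuration information. When the identifier of the first access network device is present in the IAB donor configuration information, the first access network device determines that it has the IAB donor function. When the identifier is not present, the first access network device determines that it does not have the IAB donor function.
The IAB donor configuration information records the identifiers of one or more access network devices that have the IAB donor function. Optionally, the IAB donor configuration information may be configured for the first access network device by the operation, administration and maintenance (OAM) system or by another device.
In another possible implementation, the first access network device can check whether it stores a donor configuration file. If the first access network device stores a donor configuration file, it can determine that it has the IAB donor function. Otherwise, the first access network device determines that it does not have the IAB donor function.
It should be understood that the donor configuration file configures the functions of an access network device when it acts as an IAB donor. The donor configuration file may be configured locally on the first access network device, or configured for the first access network device by the OAM system.
Optionally, when the first access network device does not have the IAB donor function, it performs steps S103-S106 below. When the first access network device has the IAB donor function, it performs steps S107-S109 below.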
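S103. When the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
In one possible implementation, the second device has configured the identifier of the second access network device for the first access network device in advance. Thus, when a secondary base station needs to be added for an IAB node (for example the first device), the first access network device can select the second access network device as the secondary base station based on that identifier.
In one possible implementation, the first access network device sends a first request message to the second device; the first request message includes the identifier of the first device. Based on the first request message, the second device can determine the access network device that is to act as the IAB donor of the first device (that is, the second access network device). The first access network device then receives a first response message sent by the second device; the first response message includes the identifier of the second access network device. The first access network device can thus select the second access network device as the secondary base station of the first device.
Optionally, the identifier of the first device may include a cell-radio network temporary identifier (C-RNTI), a device number, and so on, which is not limited here.
Optionally, the identifier of the second access network device may include an IP address, a device number, and so on, which is not limited here.
Optionally, the second device may be the OAM system or a core network element, which is not limited here.
Note that there are two cases in which the second device determines the second access network device from the first request message:
Case 1. The second device has stored in advance the mapping between the first device and the second access network device. The second device can then look up the identifier of the second access network device from the identifier of the first device and that mapping.
Case 2. The second device has not stored a mapping between the first device and the second access network device. The second device can then determine the second access network device based on factors such as topology information.
It should be understood that because the second device is responsible for determining the second access network device, the second device can send to the first device the IP address that the second access network device uses to communicate with the IAB node, so that the first device and the second access network device can communicate using that IP address.
In the embodiments of this application, after selecting the second access network device as the secondary base station, the first access network device sends a secondary base station configuration message to the second access network device so that the second access network device learns that it is the secondary base station of the first device. For example, the secondary base station configuration message may be the SN addition/modification request message in the dual connectivity configuration procedure shown in Figure 1.
Optionally, when the first device is an IAB node, the secondary base station configuration message may include third indication information, which indicates that the first device is an IAB node. The second access network device can thus learn from the third indication information that the first device is an IAB node.
For the second access network device, when the secondary base station configuration message includes the third indication information, the second access network device determines whether it has the IAB donor function. When the second access network device determines that it has the IAB donor function, it needs to obtain K_IAB1 from the first access network device.
For how the second access network device determines whether it has the IAB donor function, refer to how the first access network device makes the same determination above; the details are not repeated here.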
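S104. The first access network device obtains the first key input parameter associated with the second access network device.
The first key input parameter includes the first IP address and/or the second IP address.
The first IP address is the IP address that the first device uses to communicate with the IAB donor. Because the first device acts as the IAB node, the first IP address may also be called the IP address of the IAB node, or the IP address of the MT in the IAB node.
The second IP address is the IP address that the second access network device uses to communicate with the IAB node. Because the second access network device acts as the IAB donor of the first device, the second IP address may also be called the IP address of the IAB donor, or the IP address of the CU in the IAB donor.
Optionally, the first access network device can obtain the first IP address using either implementation 1-1 or implementation 1-2 below:
Implementation 1-1. The first access network device obtains the first IP address from the second device.
For example, when the second device is responsible for allocating the IP address of the first device, the first response message that the second device sends to the first access network device may also include the first IP address.
Implementation 1-2. The first access network device obtains the first IP address from the second access network device.
For example, the first access network device sends first indication information to the second access network device; the first indication information requests the first IP address. The first access network device then receives the first IP address sent by the second access network device.
For example, the first indication information may be carried in newly added signalling. Alternatively, it may be carried in existing signalling, such as the SN addition/modification request message.
For example, the first IP address sent by the second access network device may be carried in newly added signalling. Alternatively, it may be carried in existing signalling, such as the SN addition/modification request ACK message.
Optionally, the first access network device can obtain the second IP address using any one of implementations 2-1 to 2-3 below:
Implementation 2-1. The first access network device obtains the second IP address from the second device.
For example, if the second device stores the IP addresses of the access network devices that have the IAB donor function, the second device stores the second IP address. The first response message that the second device sends to the first access network device may therefore also include the second IP address.
Implementation 2-2. The first access network device can use the IP address of the Xn interface of the second access network device as the second IP address.
It should be understood that implementation 2-2 generally relies on the communication system treating the IP address of an access network device's Xn interface as the IP address of that access network device when it acts as an IAB donor.
Implementation 2-3. The first access network device obtains the second IP address from the second access network device.
For example, the first access network device sends second indication information to the second access network device; the second indication information requests the second IP address. The first access network device receives the second IP address sent by the second access network device.
For example, the second indication information may be carried in newly added signalling. Alternatively, it may be carried in existing signalling, such as the SN addition/modification request message.
It should be understood that the second indication information and the first indication information may be carried in the same signalling or in different signalling. When they are carried in the same signalling, they can be combined into a single indication, for example parameter request indication information (para_request_indicator). The parameter request indication information then requests both the IP address of the IAB donor and the IP address of the IAB node.
For example, the second IP address sent by the second access network device may be carried in newly added signalling. Alternatively, it may be carried in existing signalling, such as the SN addition/modification request ACK message.
S105. The first access network device generates the first IAB key K_IAB1 from the first key input parameter and the master base station key.
K_IAB1 is used to establish the secure tunnel between the second access network device and the first device.
S106. The first access network device sends K_IAB1 to the second access network device.
In one possible design, K_IAB1 may be carried in a newly added message. For example, with reference to the dual connectivity configuration procedure shown in Figure 1, the newly added message carrying K_IAB1 may be sent after the SN additional/modification Request ACK message, or after the SN reconfiguration complete message.
In another possible design, K_IAB1 may be carried in an existing message. For example, with reference to the dual connectivity configuration procedure shown in Figure 1, the first access network device can send an SN reconfiguration complete message to the second access network device, and that SN reconfiguration complete message includes K_IAB1.
It should be understood that after receiving K_IAB1, the second access network device stores K_IAB1.
Based on steps S103-S106 above, when the secondary base station (that is, the second access network device) acts as the IAB donor, the master base station (that is, the first access network device) proactively generates K_IAB from the master base station key and sends that K_IAB to the secondary base station, which ensures that the IAB donor and the IAB node maintain the same K_IAB.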
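S107. When the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device.
In one possible implementation, the first access network device selects a suitable access network device (that is, the third access network device) from the surrounding access network devices as the secondary base station of the first device, based on factors such as the location of the first device and the measurement report of the first device.
It should be understood that the embodiments of this application do not limit whether the third access network device has the IAB donor function. That is, the third access network device may or may not have the IAB donor function.
In this case, the first access network device, which has the IAB donor function, acts as the IAB donor of the first device.
S108. The first access network device obtains the second key input parameter associated with the first access network device.
The second key input parameter includes the first IP address and the third IP address.
The third IP address is the IP address that the first access network device uses to communicate with the IAB node.
It should be understood that the first access network device can obtain the third IP address locally (that is, from the database of the first access network device).
In one possible design, the first access network device, acting as the IAB donor, allocates the first IP address to the first device. Under this design, the first access network device also needs to send the first IP address to the first device.
In another possible design, when the second device allocates the first IP address to the first device, the first access network device can obtain the first IP address from the second device or from the first device.
For example, the first access network device sends an IP address request message to the first device. The first access network device then receives an IP address notification message sent by the first device; the IP address notification message includes the first IP address.
S109. The first access network device generates the second IAB key K_IAB2 from the second key input parameter and the master base station key.
K_IAB2 is used to establish the secure tunnel between the first access network device and the first device.
It should be understood that after generating K_IAB2, the first access network device stores K_IAB2.
Based on steps S107-S109 above, when the master base station (that is, the first access network device) acts as the IAB donor, the master base station proactively generates K_IAB from the master base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.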
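Figure 11 shows a key generation method provided by an embodiment of this application. The method applies to the scenario in which the first device (the IAB node) is connected to a master base station and a secondary base station. The method includes the following steps:
S201. The IAB node determines the type of dual connectivity from the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network.
Optionally, the IAB node determining the communication standard supported by the master base station may be specifically implemented as: the supported communication standard. The configuration parameters in the broadcast message include one or more of the following: base station identifier, logical cell identifier, physical cell identifier, uplink frequency band, or downlink frequency band. It should be understood that when the configuration parameters in the broadcast message are configuration parameters of a 5G communication system, the IAB node can determine that the master base station supports the 5G communication standard. Alternatively, when the configuration parameters in the broadcast message are configuration parameters of a 4G communication system, the IAB node can determine that the master base station supports the 4G communication standard.
For example, assume the 4G frequency points are A1, A2 and A3, and the 5G frequency points are B1, B2 and B3. When the frequency point in the broadcast message sent by the master base station is B1, the IAB node can determine that the master base station supports the 5G communication standard.
Optionally, the IAB node determining the communication standard supported by the secondary base station may be specifically implemented as follows: the IAB node receives an RRC reconfiguration message sent by the master base station; the RRC reconfiguration message configures the radio bearer between the IAB node and the secondary base station and includes secondary cell group configuration information. The IAB node determines the communication standard supported by the secondary base station from the secondary cell group configuration information. It should be understood that when the secondary cell group configuration information belongs to the 5G communication standard, the IAB node can determine that the secondary base station supports the 5G communication standard. Alternatively, when the secondary cell group configuration information belongs to the 4G communication standard, the IAB node can determine that the secondary base station supports the 4G communication standard.
For example, secondary cell group configuration information belonging to the 5G communication standard may be denoted nr-SecondaryCellGroupConfig or sourceSCG-NR-Config. Secondary cell group configuration information belonging to the 4G communication standard may be denoted sourceSCG-EUTRA-Config.
Optionally, the IAB node determining the communication standard supported by the core network may be specifically implemented as follows: the IAB node receives the broadcast message sent by the master base station. The IAB node determines the communication standard supported by the core network from the cell configuration information in the broadcast message. It should be understood that if the cell configuration information in the broadcast message belongs to the 5G communication standard, the IAB node determines that the core network supports the 5G communication standard. If the cell configuration information in the broadcast message belongs to the 4G communication standard, the IAB node determines that the core network supports the 4G communication standard.
For example, the cell configuration information may include cell access related information (cellAccessRelatedInfo). Cell access related information belonging to the 5G communication standard may be denoted cellAccessRelatedInfo-5GC. Cell access related information belonging to the 4G communication standard may be denoted cellAccessRelatedInfo-EUTRA-EPC.
Optionally, the IAB node determining the type of dual connectivity includes one of the following cases:
Case 1. When the master base station supports the 5G communication standard, the secondary base station supports the 4G communication standard, and the core network supports the 5G communication standard, the IAB node determines that the type of dual connectivity is NE-DC.
Case 2. When the master base station supports the 4G communication standard, the secondary base station supports the 5G communication standard, and the core network supports the 5G communication standard, the IAB node determines that the type of dual connectivity is NGEN-DC.
Case 3. When the master base station supports the 5G communication standard, the secondary base station supports the 5G communication standard, and the core network supports the 5G communication standard, the IAB node determines that the type of dual connectivity is NR-DC.
Case 4. When the master base station supports the 4G communication standard, the secondary base station supports the 5G communication standard, and the core network supports the 4G communication standard, the IAB node determines that the type of dual connectivity is EN-DC.
S202. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the IAB node generates K_IAB from the master base station key.
In one possible implementation, the IAB node generates K_IAB from the master base station key and the key input parameters.
The key input parameters include the IP address of the IAB donor and the IP address of the IAB node.
Optionally, the IAB node can obtain the IP address of the IAB donor from the second device. For example, the second device may be the OAM system or a core network element.
Optionally, when the IP address of the IAB node is allocated by the second device, the IAB node can obtain the IP address of the IAB node from the second device. In this case, the second device can put the IP address of the IAB node and the IP address of the IAB donor into a single message and send that message to the IAB node.
Optionally, when the IP address of the IAB node is allocated by the IAB donor, the IAB node can obtain the IP address of the IAB node from the master base station or the secondary base station.
For example, the master base station acts as the IAB donor and allocates the IP address for the IAB node. The IAB node then sends an IP address request message to the master base station, and afterwards receives an IP address notification message sent by the master base station; the IP address notification message includes the IP address of the IAB node.
As another example, the master base station acts as the IAB donor and allocates the IP address for the IAB node. The IAB node then receives an RRC reconfiguration message sent by the master base station; the RRC reconfiguration message includes the IP address of the IAB node.
As another example, the secondary base station acts as the IAB donor and allocates the IP address for the IAB node. The IAB node can then send an IP address request message to the secondary base station, and afterwards receives an IP address notification message sent by the secondary base station; the IP address notification message includes the IP address of the IAB node.
It should be understood that after generating K_IAB, the IAB node stores K_IAB.
Based on the embodiment shown in Figure 11, the IAB node can accurately determine the type of dual connectivity it is using from the communication standard supported by the master base station, the communication standard supported by the secondary base station, and the communication standard supported by the core network. Then, when the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the IAB node can generate K_IAB from the master base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.
It should be understood that when the type of dual connectivity is EN-DC, the IAB node generates K_IAB from the secondary base station key and the key input parameters.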
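The following Python sketch, an added example that is not code from the application, ties together the dual connectivity classification of step S201 and the key selection rules of technical solutions 1 to 3, and reproduces the mismatch that arises when the two sides pick different input keys. The KDF construction (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), both FC values, the IP addresses, the key bytes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumption (not from the page): a 3GPP-style KDF, HMAC-SHA-256 over
# FC || P0 || L0 || P1 || L1. Both FC values are constructed placeholders.
FC_K_IAB = 0xF0
FC_K_SN = 0xF1

# Constructed sample inputs (documentation address range, dummy key bytes).
DONOR_IP = "192.0.2.10"
NODE_IP = "192.0.2.20"
MASTER_KEY = bytes(range(32))

# (master RAT, secondary RAT, core RAT) -> type, cases 1-4 of step S201.
_DC_TYPES = {
    ("5G", "4G", "5G"): "NE-DC",
    ("4G", "5G", "5G"): "NGEN-DC",
    ("5G", "5G", "5G"): "NR-DC",
    ("4G", "5G", "4G"): "EN-DC",
}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC, then each parameter followed by its 2-byte length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_secondary_key(master_key: bytes, sn_counter: int) -> bytes:
    """Secondary base station key from the master key and the SN counter."""
    return kdf(master_key, FC_K_SN, sn_counter.to_bytes(2, "big"))


def derive_k_iab(input_key: bytes, donor_ip: str, node_ip: str) -> bytes:
    """K_IAB from the chosen input key and the two IP addresses (IPv4 or IPv6)."""
    p0 = ipaddress.ip_address(donor_ip).packed
    p1 = ipaddress.ip_address(node_ip).packed
    return kdf(input_key, FC_K_IAB, p0, p1)


def dc_type(master_rat: str, secondary_rat: str, core_rat: str) -> str:
    """Classify the dual connectivity type; reject combinations S201 does not list."""
    try:
        return _DC_TYPES[(master_rat, secondary_rat, core_rat)]
    except KeyError:
        raise ValueError("combination not covered by step S201") from None


def select_input_key(scheme, dc, donor_role, master_key, secondary_key):
    """Input key for K_IAB under technical solution 1, 2 or 3."""
    if donor_role not in ("master", "secondary"):
        raise ValueError("donor_role must be 'master' or 'secondary'")
    if dc == "EN-DC":      # donor is always the secondary base station
        return secondary_key
    if scheme == 1:        # both sides use the master base station key
        return master_key
    if scheme == 2:        # both sides use the secondary base station key
        return secondary_key
    if scheme == 3:        # both sides use the donor's local key
        return master_key if donor_role == "master" else secondary_key
    raise ValueError("scheme must be 1, 2 or 3")


def both_sides(scheme, rats, donor_role, master_key, sn_counter):
    """Return (K_IAB held by the IAB donor, K_IAB computed by the IAB node)."""
    dc = dc_type(*rats)
    # Network side: the master derives the secondary key; in solution 1 with a
    # secondary donor it also derives K_IAB and forwards it to the donor.
    net_sk = derive_secondary_key(master_key, sn_counter)
    donor_key = select_input_key(scheme, dc, donor_role, master_key, net_sk)
    # Node side: derives the secondary key from its own copy of the master key.
    node_sk = derive_secondary_key(master_key, sn_counter)
    node_key = select_input_key(scheme, dc, donor_role, master_key, node_sk)
    return (derive_k_iab(donor_key, DONOR_IP, NODE_IP),
            derive_k_iab(node_key, DONOR_IP, NODE_IP))


def uncoordinated(master_key, sn_counter):
    """The failure case: a secondary donor uses its own key, the node the master key."""
    sk = derive_secondary_key(master_key, sn_counter)
    return (derive_k_iab(sk, DONOR_IP, NODE_IP),
            derive_k_iab(master_key, DONOR_IP, NODE_IP))


if __name__ == "__main__":
    donor, node = uncoordinated(MASTER_KEY, 1)
    print("uncoordinated NR-DC, keys match:", donor == node)
    for scheme in (1, 2, 3):
        donor, node = both_sides(scheme, ("5G", "5G", "5G"), "secondary", MASTER_KEY, 1)
        print(f"solution {scheme}, keys match:", donor == node)
```

Because K_IAB serves as the IKEv2 pre-shared key, the mismatch case shows up in practice as an authentication failure during IPsec establishment rather than as an explicit key error.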
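Technical solution 1 is described in detail below by way of example, with reference to specific application scenarios.
Scenario 1. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 1, Figure 12 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S301. The first device registers to the network through the first access network device.
During registration to the network, the first device can perform procedures such as authentication and security context negotiation.
During registration of the first device, the first device and the first access network device obtain the same AS layer key. The AS layer key between the first device and the first access network device is used to protect AS layer communication between them. In the dual connectivity scenario, because the first access network device acts as the master base station of the first device, the AS layer key between the first device and the first access network device may be called the master base station key.
S302. The first access network device determines that the first device is an IAB node.
S303. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB node function itself.
S304. When the first access network device does not have the IAB node function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
S305. The first access network device sends an SN addition/modification request message to the second access network device.
The SN addition/modification request message includes the third indication information. The third indication information indicates that the first device is an IAB node.
In this way, the second access network device can learn from the third indication information that the first device is an IAB node. Then, because the second access network device has the IAB donor function, it can act as the IAB donor of the first device and allocate the IP address of the IAB node to the first device. It should be understood that the IP address of the IAB node here is the first IP address in the embodiment shown in Figure 10.
Optionally, in addition to the information elements of the prior art, the SN addition/modification request message may also include the first indication information and the second indication information.
S306. The first access network device receives an SN addition/modification request ACK message sent by the second access network device.
Optionally, when the SN addition/modification request message includes the first indication information and the second indication information, the SN addition/modification request ACK message includes the IP address of the IAB donor and the IP address of the IAB node.
S307. The first access network device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S308. The first access network device sends an RRC reconfiguration message to the first device.
The RRC reconfiguration message includes the IP address of the IAB node.
S309. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S310. The first access network device sends an SN reconfiguration complete message to the second access network device.
The SN reconfiguration complete message includes K_IAB.
It should be understood that the second access network device obtains K_IAB from the SN reconfiguration complete message. The second access network device then stores K_IAB.
S311. The first device receives an IP address notification message sent by the second device.
The IP address notification message includes the IP address of the IAB donor.
It should be understood that step S311 only needs to be performed after step S304; the specific execution timing of step S312 is not limited. For example, step S311 may be performed before step S310.
S312. The first device determines the type of dual connectivity.
S313. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
For the implementation details of steps S312-S313, refer to the embodiment shown in Figure 11; they are not repeated here. In addition, steps S312-S313 may be performed at any time after step S308, which is not limited in the embodiments of this application.
S314. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 12, when the secondary base station acts as the IAB donor, the master base station generates K_IAB from the master base station key and sends K_IAB to the secondary base station. The IAB node generates K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.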
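Scenario 2. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 2, Figure 13 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S401-S404. The same as steps S301-S304; for details refer to the embodiment shown in Figure 12, which are not repeated here.
S405. The first device receives a first IP address notification message sent by the second device.
The first IP address notification message includes the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that the embodiments of this application do not limit the execution order between step S405 and steps S406-S410. That is, step S405 may be performed before or after any of steps S406-S410.
S406. The first access network device sends an SN addition/modification request message to the second access network device.
The SN addition/modification request message includes the third indication information. The third indication information indicates that the first device is an IAB node.
Optionally, in addition to the information elements of the prior art, the SN addition/modification request message may also include the first indication information and the second indication information.
S407. The first access network device receives an SN addition/modification request ACK message sent by the second access network device.
S408. The first access network device sends an RRC reconfiguration message to the first device.
S409. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S410. The first access network device sends an SN reconfiguration complete message to the second access network device.
S411. The first device sends a second IP address notification message to the second access network device.
The second IP address notification message includes the IP address of the IAB node.
S412. The second access network device sends an SN key request message to the first access network device.
The SN key request message requests K_IAB.
The SN key request message includes the IP address of the IAB donor and the IP address of the IAB node.
S413. The first access network device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S414. The first access network device sends an SN key response message to the second access network device.
The SN key response message includes K_IAB.
S415. The first device determines the type of dual connectivity.
S416. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S417. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 13, when the secondary base station acts as the IAB donor, the master base station generates K_IAB from the master base station key and sends K_IAB to the secondary base station. The IAB node generates K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.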
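Scenario 3. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device and allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
Based on scenario 3, Figure 14 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S501. The first device registers to the network through the first access network device.
S502. The first access network device determines that the first device is an IAB node.
S503. When the first access network device has the IAB node function, the first access network device sends a notification message to the second device.
The notification message indicates that the first device registered to the network through a first access network device that has the IAB donor function. In other words, the notification message indicates that the first access network device acts as the IAB donor of the first device.
Optionally, the notification message may contain the identifier of the first device and the identifier of the first access network device.
S504. The second device sends an IP address notification message to the first device.
The IP address notification message includes the IP address of the IAB donor.
It should be understood that step S504 may be performed at any time before step S513, which is not limited in the embodiments of this application.
S505. The first access network device selects the third access network device as the secondary base station of the first device.
S506. The first access network device sends an SN addition/modification request message to the third access network device.
S507. The first access network device receives an SN addition/modification request ACK message sent by the third access network device.
S508. The first access network device sends an RRC reconfiguration message to the first device.
Because the first access network device, as the IAB donor, is responsible for allocating the IP address of the IAB node to the first device, the RRC reconfiguration message may include the IP address of the IAB node.
S509. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S510. The first access network device sends an SN reconfiguration complete message to the third access network device.
S511. The first access network device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that the embodiments of this application do not limit the execution order between step S511 and steps S504-S510. That is, step S511 may be performed before or after any of steps S504-S510.
S512. The first device determines the type of dual connectivity.
S513. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S514. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 14, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.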
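Scenario 4. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device. The first access network device selects a third access network device as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 4, Figure 15 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S601. The first device registers to the network through the first access network device.
S602. The first access network device determines that the first device is an IAB node.
S603. When the first access network device has the IAB node function, the first access network device sends a notification message to the second device.
The notification message indicates that the first device registered to the network through a first access network device that has the IAB donor function. In other words, the notification message indicates that the first access network device acts as the IAB donor of the first device.
S604. The second device sends a first IP address notification message to the first device.
The first IP address notification message includes the IP address of the IAB node and the IP address of the IAB donor.
It should be understood that the embodiments of this application do not limit the execution order between steps S603-S604 and steps S605-S610. That is, steps S603-S604 may be performed before or after any of steps S606-S610.
S605. The first access network device selects the third access network device as the secondary base station of the first device.
S606. The first access network device sends an SN addition/modification request message to the third access network device.
S607. The first access network device receives an SN addition/modification request ACK message sent by the third access network device.
S608. The first access network device sends an RRC reconfiguration message to the first device.
S609. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S610. The first access network device sends an SN reconfiguration complete message to the third access network device.
S611. The first access network device receives a second IP address notification message sent by the first device.
The second IP address notification message includes the IP address of the IAB node.
S612. The first access network device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that steps S611-S612 may be performed at any time after step S604, which is not limited in the embodiments of this application.
S613. The first device determines the type of dual connectivity.
S614. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S615. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 15, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.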
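Technical solution 2
In dual connectivity scenarios (for example NE-DC, NR-DC or NGEN-DC), the network side can obtain the IAB key as in the embodiment shown in Figure 16, and the IAB node can obtain the IAB key as in the embodiment shown in Figure 17.
Figure 16 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S701. The first access network device determines that the first device, which registered to the network through the first access network device, is an IAB node.
S702. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB node function itself.
Steps S701-S702 are similar to steps S101-S102 in Figure 10; for their specific implementation refer to the description of the embodiment shown in Figure 10.
It should be understood that the first access network device can generate the secondary base station key from the master base station key and the SN counter value.
Optionally, when the first access network device does not have the IAB donor function, steps S703-S705 below are performed; when the first access network device has the IAB donor function, steps S706-S707 below are performed.
S703. When the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
S704. The first access network device sends a secondary base station configuration message to the second access network device.
The secondary base station configuration message configures the second access network device as the secondary base station of the first device.
In the embodiments of this application, the secondary base station configuration message includes the third indication information and the secondary base station key. The third indication information indicates that the first device is an IAB node.
It should be understood that when the secondary base station configuration message includes the third indication information, the second access network device can learn from it that the first device is an IAB node. The second access network device then determines whether it has the IAB donor function. When the second access network device has the IAB donor function, it can consider itself the IAB donor of the first device, and can therefore perform step S705 below.
S705. The second access network device generates K_IAB1 from the secondary base station key.
In one possible implementation, the second access network device generates K_IAB1 from the secondary base station key and the first key input parameter. The first key input parameter includes the first IP address and the second IP address. The first IP address is the IP address that the first device uses to communicate with the IAB donor. The second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In the embodiments of this application, the second access network device can obtain the second IP address from its own database.
In the embodiments of this application, the second access network device can determine the first IP address. Alternatively, the second access network device obtains the first IP address from the first device or the second device.
Based on steps S703-S705 above, when the secondary base station (that is, the second access network device) acts as the IAB donor, the secondary base station proactively generates K_IAB from the secondary base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.
S706. When the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device.
S707. The first access network device generates K_IAB2 from the secondary base station key.
In one possible implementation, the first access network device generates K_IAB2 from the secondary base station key and the second key input parameter. The second key input parameter includes the first IP address and the third IP address. The first IP address is the IP address that the first device uses to communicate with the IAB donor. The third IP address is the IP address that the first access network device uses to communicate with the IAB node.
In the embodiments of this application, the first access network device can obtain the third IP address from its own database.
In the embodiments of this application, the first access network device can determine the first IP address. Alternatively, the first access network device obtains the first IP address from the first device or the second device.
Based on steps S706-S707 above, when the master base station (that is, the first access network device) acts as the IAB donor, the master base station proactively generates K_IAB from the secondary base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.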
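Figure 17 shows a key generation method provided by an embodiment of this application. The method applies to the scenario in which the IAB node is connected to a master base station and a secondary base station. The method includes the following steps:
S801. The same as step S20; for details refer to the embodiment shown in Figure 11, which are not repeated here.
S802. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the IAB node generates K_IAB from the secondary base station key.
The IAB node can derive the secondary base station key from the master base station key.
In one possible implementation, the IAB node generates K_IAB from the secondary base station key and the key input parameters.
It should be understood that for a description of the key input parameters and how they are obtained, refer to the description of step S202 in the embodiment shown in Figure 11; the details are not repeated here.
Based on the embodiment shown in Figure 17, in NE-DC, NR-DC or NGEN-DC scenarios the IAB node is guaranteed to generate K_IAB from the secondary base station key, which in turn ensures that the IAB donor and the IAB node maintain the same K_IAB.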
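Technical solution 2 is described in detail below by way of example, with reference to specific application scenarios.
Scenario 1. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 1, Figure 18 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S901. The first device registers to the network through the first access network device.
S902. The first access network device determines that the first device is an IAB node.
S903. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB node function itself.
S904. When the first access network device does not have the IAB node function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
After selecting the secondary base station, the first access network device can derive the secondary base station key from the master base station key and the SN counter value.
S905. The first access network device sends an SN addition/modification request message to the second access network device.
The SN addition/modification request message includes the secondary base station key and the third indication information. The third indication information indicates that the first device is an IAB node.
When the SN addition/modification request message includes the third indication information, the second access network device can determine whether it has the IAB donor function. When the second access network device has the IAB donor function, it can be considered the IAB donor of the first device, and therefore needs to perform step S910 below.
S906. The first access network device receives an SN addition/modification request ACK message sent by the second access network device.
S907. The first access network device sends an RRC reconfiguration message to the first device.
The RRC reconfiguration message configures the radio bearer between the second access network device and the first device. Based on the RRC reconfiguration message, the first device can thus learn that the second access network device acts as the secondary base station.
In addition, the RRC reconfiguration message includes the SN counter value. The first device can thus derive the secondary base station key from the master base station key and the SN counter value.
S908. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S909. The first access network device sends an SN reconfiguration complete message to the second access network device.
It should be understood that after receiving the SN reconfiguration complete message, the second access network device can establish an RRC connection with the first device, so that the second access network device and the first device can communicate directly.
S910. The second access network device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that the second access network device obtains the IP address of the IAB donor locally. The second access network device also allocates the IP address of the IAB node to the first device.
It should be understood that step S910 may be performed at any time after step S905, which is not limited in the embodiments of this application.
S911. The second access network device sends a first IP address notification message to the first device.
The first IP address notification message includes the IP address of the IAB node.
S912. The second device sends a second IP address notification message to the first device.
The second IP address notification message includes the IP address of the IAB donor.
It should be understood that step S912 may be performed at any time after step S904, which is not limited in the embodiments of this application.
Based on steps S911 and S912, the first device can obtain the IP address of the IAB donor and the IP address of the IAB node.
S913. The first device determines the type of dual connectivity.
S914. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
S915. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 18, when the secondary base station acts as the IAB donor, the secondary base station generates K_IAB from the secondary base station key, and the IAB node generates K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.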
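Scenario 2. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 2, Figure 19 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1001. The first device registers to the network through the first access network device.
S1002. The first access network device determines that the first device is an IAB node.
S1003. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB node function itself.
S1004. When the first access network device does not have the IAB node function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
S1005. The second device sends a first IP address notification message to the first device.
The first IP address notification message includes the IP address of the IAB node and the IP address of the IAB donor.
It should be understood that step S1005 may be performed at any time after step S1004 and before step S1011, which is not limited in the embodiments of this application.
S1006. The first access network device sends an SN addition/modification request message to the second access network device.
The SN addition/modification request message includes the secondary base station key and the third indication information. The third indication information indicates that the first device is an IAB node.
When the SN addition/modification request message includes the third indication information, the second access network device can determine whether it has the IAB donor function. When the second access network device has the IAB donor function, it can be considered the IAB donor of the first device, and therefore needs to perform step S1012 below.
S1007. The first access network device receives an SN addition/modification request ACK message sent by the second access network device.
S1008. The first access network device sends an RRC reconfiguration message to the first device.
The RRC reconfiguration message configures the radio bearer between the second access network device and the first device. Based on the RRC reconfiguration message, the first device can thus learn that the second access network device acts as the secondary base station.
In addition, the RRC reconfiguration message includes the SN counter value. The first device can thus derive the secondary base station key from the master base station key and the SN counter value.
S1009. The first access network device receives an RRC reconfiguration complete message sent by the first device.
S1010. The first access network device sends an SN reconfiguration complete message to the second access network device.
It should be understood that after receiving the SN reconfiguration complete message, the second access network device can establish an RRC connection with the first device, so that the second access network device and the first device can communicate directly.
S1011. The first device sends a second IP address notification message to the second access network device.
The second IP address notification message includes the IP address of the IAB donor.
S1012. The second access network device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that the second access network device obtains the IP address of the IAB donor locally. The second access network device also obtains the IP address of the IAB node from the second IP address notification message.
S1013. The first device determines the type of dual connectivity.
S1014. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that steps S1013-S1014 may be performed at any time after step S1008, which is not limited in the embodiments of this application.
S1015. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 19, when the secondary base station acts as the IAB donor, the secondary base station generates K_IAB from the secondary base station key, and the IAB node generates K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.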
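Scenario 3. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device and allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
Based on scenario 3, Figure 20 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1101-S1110. The same as steps S501-S510; for details refer to the embodiment shown in Figure 14, which are not repeated here.
After selecting the third access network device as the secondary base station, the first access network device generates the secondary base station key and sends it to the third access network device in the SN addition/modification request message.
S1111. The first access network device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that step S1111 may be performed at any time after S1105, which is not limited in the embodiments of this application.
Optionally, if step S1111 is performed before step S1106, the first access network device may delete the secondary base station key after performing step S1106.
Optionally, if step S1111 is performed after step S1106, the first access network device needs to keep the secondary base station key before step S1106 completes, until step S1111 has been performed.
S1112. The first device determines the type of dual connectivity.
S1113. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that steps S1112-S1113 may be performed at any time after step S1108, which is not limited in the embodiments of this application.
S1114. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 20, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.
Scenario 4. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device. The first access network device selects a third access network device as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 4, Figure 21 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1201-S1211. The same as steps S601-S611; for details refer to the embodiment shown in Figure 15, which are not repeated here.
After selecting the third access network device as the secondary base station, the first access network device generates the secondary base station key and sends it to the third access network device in the SN addition/modification request message.
S1212. The first access network device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that step S1211 may be performed at any time after step S1204. Step S1212 may be performed at any time after steps S1205 and S1211.
Optionally, if step S1212 is performed before step S1206, the first access network device may delete the secondary base station key after performing step S1206.
Optionally, if step S1212 is performed after step S1206, the first access network device needs to keep the secondary base station key before step S1206 completes, until step S1212 has been performed.
S1213. The first device determines the type of dual connectivity.
S1214. When the type of dual connectivity is NE-DC, NR-DC or NGEN-DC, the first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
It should be understood that steps S1213-S1214 may be performed at any time after step S1208, which is not limited in the embodiments of this application.
S1215. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 21, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.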
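Technical solution 3
In some dual connectivity scenarios (for example NE-DC, NR-DC or NGEN-DC), the IAB node can obtain K_IAB as in the embodiment shown in Figure 22, and the network side can obtain K_IAB as in the embodiment shown in Figure 23.
Figure 22 shows a key generation method provided by an embodiment of this application, applied to the scenario in which the first device (the IAB node) is connected to a master base station and a secondary base station. The method includes the following steps:
S1301. The IAB node learns whether the master base station or the secondary base station acts as the IAB donor.
Optionally, step S1301 can use any one of the following implementations:
Implementation 1. When the IAB node receives fourth indication information, the IAB node learns that the master base station is the IAB donor; the fourth indication information indicates that the master base station is the IAB donor. Alternatively, when the IAB node receives fifth indication information, the IAB node learns that the secondary base station is the IAB donor; the fifth indication information indicates that the secondary base station is the IAB donor.
Optionally, the IAB node receiving the fourth indication information may be specifically implemented as follows: the IAB node receives the fourth indication information sent by the master base station. For example, in this case the fourth indication information may be carried in the RRC reconfiguration message that the master base station sends to the IAB node.
Optionally, the IAB node receiving the fifth indication information may be specifically implemented as follows: the IAB node receives the fifth indication information sent by the master base station or the secondary base station. For example, in this case the fifth indication information may be carried in the RRC reconfiguration message that the master base station sends to the IAB node. Alternatively, the fifth indication information may be carried in an AS message that the secondary base station sends to the IAB node.
Implementation 2. When a wireless backhaul link is established between the IAB node and the master base station, the IAB node learns that the master base station is the IAB donor. Alternatively, when a wireless backhaul link is established between the IAB node and the secondary base station, the IAB node learns that the secondary base station is the IAB donor.
Implementation 3. The IAB node obtains the frequency band supported by the master base station and the frequency band supported by the secondary base station. When the frequency band supported by the master base station is higher than that supported by the secondary base station, the IAB node learns that the master base station is the IAB donor. Alternatively, when the frequency band of the master base station is lower than that supported by the secondary base station, the IAB node learns that the secondary base station is the IAB donor.
Implementation 4. When the IAB node receives sixth indication information broadcast by the master base station, the IAB node learns that the master base station is the IAB donor. Alternatively, when the IAB node receives sixth indication information broadcast by the secondary base station, the IAB node learns that the secondary base station is the IAB donor. The sixth indication information indicates that a base station has the IAB donor function.
S1302. When the master base station acts as the IAB donor, the IAB node generates K_IAB from the master base station key.
In one possible implementation, the IAB node generates K_IAB from the master base station key and the key input parameters.
The master base station key is generated by the IAB node during registration to the network through the master base station.
S1303. When the secondary base station acts as the IAB donor, the IAB node generates K_IAB from the secondary base station key.
In one possible implementation, the IAB node generates K_IAB from the secondary base station key and the key input parameters.
The secondary base station key is generated by the IAB node from the master base station key.
Based on the embodiment shown in Figure 22, regardless of whether the master base station or the secondary base station acts as the IAB donor, the IAB node can use the local key of the IAB donor to generate K_IAB, which ensures that the IAB node and the IAB donor maintain the same K_IAB.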
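Figure 23 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1401. The first access network device determines that the first device, which registered to the network through the first access network device, is an IAB node.
S1402. When a secondary base station needs to be selected for the first device, the first access network device determines whether it has the IAB node function itself.
Steps S1401-S1402 are similar to steps S101-S102 in Figure 10; for their specific implementation refer to the description of the embodiment shown in Figure 10.
Optionally, when the first access network device does not have the IAB donor function, steps S1403-S1405 below are performed; when the first access network device has the IAB donor function, steps S1406-S1407 below are performed.
S1403. When the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device.
S1404. The first access network device sends a secondary base station configuration message to the second access network device.
The secondary base station configuration message configures the second access network device as the secondary base station of the first device.
In the embodiments of this application, the secondary base station configuration message includes the third indication information and the secondary base station key. The third indication information indicates that the first device is an IAB node.
It should be understood that when the secondary base station configuration message includes the third indication information, the second access network device can learn that the first device is an IAB node. The second access network device can then determine whether it has the IAB donor function. When the second access network device has the IAB donor function, it can consider itself the IAB donor of the first device, and can therefore perform step S1405 below.
S1405. The second access network device generates K_IAB1 from the secondary base station key.
In one possible implementation, the second access network device generates K_IAB1 from the secondary base station key and the first key input parameter. The first key input parameter includes the first IP address and the second IP address. The first IP address is the IP address that the first device uses to communicate with the IAB donor. The second IP address is the IP address that the second access network device uses to communicate with the IAB node.
In the embodiments of this application, the second access network device can obtain the second IP address from its own database.
In the embodiments of this application, the second access network device can determine the first IP address. Alternatively, the second access network device obtains the first IP address from the first device or the second device.
Based on steps S1403-S1405 above, when the secondary base station (that is, the second access network device) acts as the IAB donor, the secondary base station proactively generates K_IAB from the secondary base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.
S1406. When the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device.
S1407. The first access network device generates K_IAB2 from the master base station key.
In one possible implementation, the first access network device generates K_IAB2 from the master base station key and the second key input parameter. The second key input parameter includes the first IP address and the third IP address. The first IP address is the IP address that the first device uses to communicate with the IAB donor. The third IP address is the IP address that the first access network device uses to communicate with the IAB node.
In the embodiments of this application, the first access network device can obtain the third IP address from its own database.
In the embodiments of this application, the first access network device can determine the first IP address. Alternatively, the first access network device obtains the first IP address from the first device or the second device.
Based on steps S1406-S1407 above, when the master base station (that is, the first access network device) acts as the IAB donor, the master base station proactively generates K_IAB from the master base station key, which ensures that the IAB donor and the IAB node maintain the same K_IAB.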
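Technical solution 3 is described in detail below by way of example, with reference to specific application scenarios.
Scenario 1. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device, and the second access network device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 1, Figure 24 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1501-S1512. Similar to steps S901-S912; for details refer to the embodiment shown in Figure 18, which are not repeated here.
Optionally, unlike step S906, in step S1506 the SN addition/modification request ACK message sent by the second access network device may include the fifth indication information.
Optionally, unlike step S907, in step S1507 the RRC reconfiguration message sent by the first access network device may include the fifth indication information, so that the first device learns that the secondary base station (that is, the second access network device) is the IAB donor.
S1513. The first device learns that the second access network device is the IAB donor.
S1514. The first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
S1515. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 24, when the secondary base station acts as the IAB donor, the secondary base station generates K_IAB from the secondary base station key, and the IAB node generates K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.
Scenario 2. The first device (that is, the IAB node) registers to the network through a first access network device that does not have the IAB donor function. The first access network device then selects a second access network device that has the IAB donor function as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 2, Figure 25 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1601-S1612. Similar to steps S1001-S1012; for details refer to the embodiment shown in Figure 19, which are not repeated here.
Optionally, unlike step S1007, in step S1607 the SN addition/modification request ACK message sent by the second access network device may include the fifth indication information.
Optionally, unlike step S1008, in step S1608 the RRC reconfiguration message sent by the first access network device may include the fifth indication information, so that the first device learns that the secondary base station (that is, the second access network device) is the IAB donor.
S1613. The first device learns that the second access network device is the IAB donor.
S1614. The first device generates K_IAB from the secondary base station key, the IP address of the IAB donor and the IP address of the IAB node.
S1615. The first device and the second access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 25, when the secondary base station acts as the IAB donor, the secondary base station generates K_IAB from the secondary base station key, and the IAB node generates K_IAB from the secondary base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.
Scenario 3. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device and allocates the IP address of the IAB node to the first device. The first access network device selects a third access network device as the secondary base station for the first device.
Based on scenario 3, Figure 26 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1701-S1711. Similar to steps S501-S511; for details refer to the embodiment shown in Figure 14, which are not repeated here.
Optionally, unlike step S508, in step S1708 the RRC reconfiguration message sent by the first access network device may include the fourth indication information, so that the first device learns that the master base station (that is, the first access network device) is the IAB donor.
S1712. The first device learns that the first access network device is the IAB donor.
S1713. The first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S1714. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 26, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.
Scenario 4. The first device (that is, the IAB node) registers to the network through a first access network device that has the IAB donor function. The first access network device therefore acts as the IAB donor of the first device. The first access network device selects a third access network device as the secondary base station for the first device. The second device is responsible for allocating the IP address of the IAB node to the first device.
Based on scenario 4, Figure 27 shows a key generation method provided by an embodiment of this application. The method includes the following steps:
S1801-S1812. Similar to steps S601-S612; for details refer to the embodiment shown in Figure 15, which are not repeated here.
Optionally, unlike step S608, in step S1808 the RRC reconfiguration message sent by the first access network device may include the fourth indication information, so that the first device learns that the master base station (that is, the first access network device) is the IAB donor.
S1813. The first device learns that the first access network device is the IAB donor.
S1814. The first device generates K_IAB from the master base station key, the IP address of the IAB donor and the IP address of the IAB node.
S1815. The first device and the first access network device use K_IAB to establish a secure tunnel.
Based on the embodiment shown in Figure 27, when the master base station acts as the IAB donor, the master base station and the IAB node both generate K_IAB from the master base station key. The IAB node and the IAB donor thus maintain the same K_IAB, so that they can establish a secure tunnel based on K_IAB, which facilitates networking of the IAB node using dual connectivity.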
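The above mainly describes the solutions provided by the embodiments of this application from the perspective of the method. It can be understood that, to implement the above functions, a communication apparatus (for example the first device, the first access network device, or the second access network device) contains the hardware structures and/or software modules corresponding to each function. In combination with the units and algorithm steps of the examples described in the embodiments disclosed in this application, the embodiments of this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of the technical solutions of the embodiments of this application.
The embodiments of this application may divide the communication apparatus into functional units according to the above method examples. For example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in hardware or as a software functional unit. Note that the division into units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in an actual implementation.
Figure 28 shows a communication apparatus provided by an embodiment of this application. The communication apparatus includes a processing module 101 and a communication module 102.
In one possible example, taking the communication apparatus to be the IAB node, the processing module 101 supports the IAB node in performing steps S201-S202 in Figure 11, steps S801-S805 in Figure 17, steps S1301-S1303 in Figure 22, and/or other processing operations that the IAB node needs to perform in the embodiments of this application. The communication module 102 supports the IAB node in performing steps S308, S309 and S311 in Figure 12, steps S405, S408, S409 and S411 in Figure 13, and/or other communication operations that the IAB node needs to perform in the embodiments of this application.
In another possible example, taking the communication apparatus to be the first access network device, the processing module 101 supports the first access network device in performing steps S101-S105 and S107-S109 in Figure 10, steps S701-S703 and S706-S707 in Figure 16, steps S1401-S1403 and S1406-S1407 in Figure 23, and/or other processing operations that the first access network device needs to perform in the embodiments of this application. The communication module 102 supports the first access network device in performing step S106 in Figure 10, step S704 in Figure 16, step S1404 in Figure 23, and/or other communication operations that the first access network device needs to perform in the embodiments of this application.
In another possible example, taking the communication apparatus to be the second access network device, the processing module 101 supports the second access network device in performing step S705 in Figure 16, step S1405 in Figure 23, and/or other processing operations that the second access network device needs to perform in the embodiments of this application. The communication module 102 supports the second access network device in performing step S106 in Figure 10, step S704 in Figure 16, step S1404 in Figure 23, and/or other communication operations that the second access network device needs to perform in the embodiments of this application.
Optionally, the communication apparatus may also include a storage module 103 for storing the program code and data of the communication apparatus; the data may include, without limitation, raw data or intermediate data.
The processing module 101 may be a processor or a controller, for example a CPU, a general-purpose processor, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination of these. It can implement or execute the various example logical blocks, modules and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The communication module 102 may be a communication interface, a transceiver, a transceiver circuit, or the like. "Communication interface" is a collective term; in a specific implementation it may include multiple interfaces, for example the interface between the base station and the terminal and/or other interfaces.
The storage module 103 may be a memory.
When the processing module 101 is a processor, the communication module 102 is a communication interface, and the storage module 103 is a memory, the communication apparatus of the embodiments of this application may be as shown in Figure 29.
Referring to Figure 29, the communication apparatus includes a processor 201, a communication interface 202 and a memory 203. Optionally, the communication apparatus may also include a bus 204. The communication interface 202, the processor 201 and the memory 203 may be interconnected through the bus 204; the bus 204 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus 204 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in Figure 29, but this does not mean that there is only one bus or one type of bus.
Optionally, the embodiments of this application also provide a computer program product carrying computer instructions which, when run on a computer, cause the computer to perform the methods described in the above embodiments.
Optionally, the embodiments of this application also provide a computer-readable storage medium that stores computer instructions which, when run on a computer, cause the computer to perform the methods described in the above embodiments.
Optionally, the embodiments of this application also provide a chip, including a processing circuit and transceiver pins, which are used to implement the methods described in the above embodiments. The processing circuit performs the processing actions of the corresponding method, and the transceiver pins perform the receiving and sending actions of the corresponding method.
A person of ordinary skill in the art can understand that the above embodiments may be implemented wholly or partly in software, hardware, firmware, or any combination of these. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (for example coaxial cable, optical fibre, or Digital Subscriber Line (DSL)) or wirelessly (for example infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk, or magnetic tape), an optical medium (for example a Digital Video Disc (DVD)), or a semiconductor medium (for example a Solid State Disk (SSD)).
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative; the division into units is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple devices. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each functional unit may exist independently, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in the form of hardware plus software functional units.
From the above description of the implementations, a person skilled in the art can clearly understand that this application can be implemented by software plus the necessary general-purpose hardware, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, hard disk or optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of this application.
The above is only a specific implementation of this application, but the scope of protection of this application is not limited to it. Changes or replacements within the technical scope disclosed in this application shall all be covered by the scope of protection of this application. The scope of protection of this application shall therefore be subject to the scope of protection of the claims.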

Claims (28)

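  1. A key generation method, characterized in that the method comprises:
    a first access network device determines that a first device registered to a 5G core network through the first access network device is an integrated access and backhaul (IAB) node;
    when a secondary base station needs to be selected for the first device, the first access network device determines whether it has an IAB donor function;
    if the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device;
    the first access network device obtains a first key input parameter;
    the first access network device generates a first IAB key K_IAB1 according to a master base station key and the first key input parameter, where the master base station key is used to provide security protection for communication between the first access network device and the first device, and K_IAB1 is used to establish a secure tunnel between the second access network device and the first device;
    the first access network device sends K_IAB1 to the second access network device.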
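  2. The method according to claim 1, characterized in that the first access network device selecting a second access network device that has the IAB donor function as the secondary base station of the first device comprises:
    the first access network device sends a first request message to a second device, the first request message including an identifier of the first device;
    the first access network device receives a first response message sent by the second device, the first response message including an identifier of the second access network device.
  3. The method according to claim 1 or 2, characterized in that the first key input parameter includes a first IP address and a second IP address, the first IP address being the IP address used by the first device to communicate with the IAB donor, and the second IP address being the IP address used by the second access network device to communicate with the IAB node.
  4. The method according to claim 3, characterized in that the first access network device obtaining the first key input parameter comprises:
    the first access network device sends a secondary base station configuration message to the second access network device, the secondary base station configuration message being used to configure the second access network device as the secondary base station of the first device, and including first indication information and/or second indication information, the first indication information being used to request the first IP address and the second indication information being used to request the second IP address;
    the first access network device receives a secondary base station configuration response message sent by the second access network device, the secondary base station configuration response message including the first IP address and/or the second IP address.
  5. The method according to claim 4, characterized in that the secondary base station configuration message includes a secondary base station key derived from the master base station key, the secondary base station key being used to provide security protection for communication between the secondary base station and the first device.
  6. The method according to claim 5, characterized in that the method further comprises:
    the first access network device sends the first IP address to the first device.
  7. The method according to claim 3, characterized in that the first access network device obtaining the first key input parameter comprises:
    the first access network device receives an IP address notification message sent by the first device, the IP address notification message including the first IP address;
    the first access network device sends a secondary base station configuration message to the second access network device, the secondary base station configuration message being used to configure the second access network device as the secondary base station of the first device, and including second indication information, the second indication information being used to request the second IP address;
    the first access network device receives a secondary base station configuration response message sent by the second access network device, the secondary base station configuration response message including the second IP address.
  8. The method according to any one of claims 1 to 7, characterized in that the method further comprises:
    if the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device;
    the first access network device obtains a second key input parameter;
    the first access network device generates a second IAB key K_IAB2 according to the master base station key and the second key input parameter, K_IAB2 being used to establish a secure tunnel between the first access network device and the first device.
  9. The method according to claim 8, characterized in that the second key input parameter includes a first IP address and a third IP address, the first IP address being the IP address used by the first device to communicate with the IAB donor, and the third IP address being the IP address used by the first access network device to communicate with the IAB node.
  10. The method according to claim 9, characterized in that the first access network device obtaining the second key input parameter comprises:
    the first access network device allocates the first IP address to the first device;
    the first access network device obtains the third IP address from a database.
  11. The method according to claim 9, characterized in that the first access network device obtaining the second key input parameter comprises:
    the first access network device receives an IP address notification message sent by the first device, the IP address notification message including the first IP address;
    the first access network device obtains the third IP address from a database.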
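  12. A key generation method, characterized in that the method comprises:
    a second access network device receives a secondary base station configuration message sent by a first access network device, the secondary base station configuration message being used to configure the second access network device as the secondary base station of a first device;
    when the secondary base station configuration message includes third indication information, the second access network device determines whether it has an IAB donor function, the third indication information being used to indicate that the first device is an IAB node;
    when the second access network device has the IAB donor function, the second access network device obtains a first IAB key K_IAB1 from the first access network device, where K_IAB1 is used to establish a secure tunnel between the second access network device and the first device, K_IAB1 is generated according to a master base station key, and the master base station key is used to provide security protection for communication between the first access network device and the first device.
  13. The method according to claim 12, characterized in that K_IAB1 being generated according to the master base station key comprises:
    K_IAB1 is generated according to the master base station key and the first key input parameter, the first key input parameter including a first IP address and a second IP address, the first IP address being the IP address used by the first device to communicate with the IAB donor, and the second IP address being the IP address used by the second access network device to communicate with the IAB node.
  14. The method according to claim 13, characterized in that the secondary base station configuration message further includes first indication information and/or second indication information, the first indication information being used to request the first IP address and the second indication information being used to request the second IP address.
  15. The method according to claim 14, characterized in that the method further comprises:
    the second access network device sends a secondary base station configuration response message to the first access network device, the secondary base station configuration response message including the first IP address and/or the second IP address.
  16. The method according to claim 15, characterized in that the second access network device obtaining K_IAB1 from the first access network device comprises:
    the second access network device receives a secondary base station reconfiguration complete message sent by the first access network device, the secondary base station reconfiguration complete message including K_IAB1.
  17. The method according to claim 14, characterized in that the second access network device obtaining K_IAB1 from the first access network device comprises:
    the second access network device sends a key request message to the first access network device, the key request message being used to request K_IAB1;
    the second access network device receives a key response message sent by the first access network device, the key response message including K_IAB1.
  18. The method according to claim 17, characterized in that the key request message further includes the first IP address and/or the second IP address.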
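  19. A key generation method, characterized in that the method comprises:
    a first access network device determines that a first device registered to a network through the first access network device is an IAB node;
    when a secondary base station needs to be selected for the first device, the first access network device determines whether it has an IAB donor function;
    if the first access network device has the IAB donor function, the first access network device selects a third access network device as the secondary base station of the first device;
    the first access network device generates a second IAB key K_IAB2 according to a secondary base station key, where K_IAB2 is used to establish a secure tunnel between the first access network device and the first device, and the secondary base station key is used to provide security protection for communication between the secondary base station and the first device.
  20. The method according to claim 19, characterized in that the secondary base station key is derived from a master base station key, the master base station key being used to provide security protection for communication between the first access network device and the first device.
  21. The method according to claim 19 or 20, characterized in that, after the first access network device generates K_IAB2 according to the secondary base station key, the method further comprises:
    the first access network device sends a secondary base station configuration message to the second access network device, the secondary base station configuration message including the secondary base station key;
    the first access network device receives a secondary base station configuration response message sent by the second access network device.
  22. The method according to claim 20 or 21, characterized in that the first access network device generating K_IAB2 according to the secondary base station key comprises:
    after sending the secondary base station configuration message, the first access network device generates K_IAB2 according to the secondary base station key.
  23. The method according to claim 20 or 21, characterized in that the first access network device generating K_IAB2 according to the secondary base station key comprises:
    after receiving the secondary base station configuration response message, the first access network device generates K_IAB2 according to the secondary base station key.
  24. The method according to any one of claims 19 to 23, characterized in that the method further comprises:
    if the first access network device does not have the IAB donor function, the first access network device selects a second access network device that has the IAB donor function as the secondary base station of the first device;
    the first access network device sends a secondary base station configuration message to the second access network device, the secondary base station configuration message including the secondary base station key.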
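  25. A communication apparatus, characterized in that the communication apparatus includes modules for performing the steps of the method according to any one of claims 1 to 24.
  26. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 24.
  27. A computer program product, characterized in that the computer program product includes instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 24.
  28. A chip, characterized in that the chip includes a processing unit and transceiver pins; the processing unit is configured to perform the processing operations in the method according to any one of claims 1 to 24, and the transceiver pins are configured to perform the communication operations in the method according to any one of claims 1 to 24.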
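An added illustration of the key binding in claims 1, 3, 8 and 9 (not code from the patent): the IAB key is derived from the master base station key and the two IP addresses, so it differs depending on which device acts as IAB donor. The claims do not fix the KDF, the parameter order or a function code; this sketch assumes the generic 3GPP construction (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1), a placeholder FC, and that the IAB node derives the same key from its own copy of the master key. All function names, addresses and key bytes are constructed.

```python
import hashlib
import hmac
import ipaddress

FC_PLACEHOLDER = 0xF0  # assumption: placeholder function code, not taken from the page

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is a 2-octet length field
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_k_iab(master_key: bytes, node_ip: str, donor_ip: str) -> bytes:
    """K_IAB from the master base station key and the key input parameters."""
    p0 = ipaddress.ip_address(node_ip).packed   # first IP address (IAB node side)
    p1 = ipaddress.ip_address(donor_ip).packed  # second or third IP address (donor side)
    return kdf(master_key, FC_PLACEHOLDER, p0, p1)  # parameter order is an assumption

def master_node_procedure(master_key, master_is_donor, node_ip, master_ip, secondary_ip):
    """Claims 1 and 8: the key is bound to whichever device is the IAB donor."""
    if master_is_donor:
        # Claim 8: the master derives K_IAB2 with its own IP and keeps it.
        return {"name": "K_IAB2", "sent_to_secondary": False,
                "key": derive_k_iab(master_key, node_ip, master_ip)}
    # Claim 1: the master derives K_IAB1 with the secondary's IP and sends it there.
    return {"name": "K_IAB1", "sent_to_secondary": True,
            "key": derive_k_iab(master_key, node_ip, secondary_ip)}

# Constructed sample values: dummy key, documentation address ranges.
MASTER_KEY = bytes.fromhex("11" * 32)
NODE_IP, MASTER_IP, SECONDARY_IP = "192.0.2.10", "198.51.100.1", "203.0.113.1"

if __name__ == "__main__":
    for is_donor in (False, True):
        out = master_node_procedure(MASTER_KEY, is_donor, NODE_IP, MASTER_IP, SECONDARY_IP)
        print(out["name"], out["key"].hex(), "sent to secondary:", out["sent_to_secondary"])
    # IAB node side: same master key and addresses give the same K_IAB1.
    print("node  ", derive_k_iab(MASTER_KEY, NODE_IP, SECONDARY_IP).hex())
```

Because each parameter is followed by its length, the same bytes split differently across the two parameters give different keys, and IPv4 and IPv6 addresses can be used without ambiguity.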
PCT/CN2020/127300 2020-11-06 2020-11-06 Key generation method and apparatus WO2022094976A1 (zh)

Priority Applications (6)

Application Number Priority Date Filing Date Title
AU2020476322A AU2020476322B2 (en) 2020-11-06 Key generation method and apparatus
CA3200852A CA3200852A1 (en) 2020-11-06 2020-11-06 Key generation method and apparatus
EP20960437.0A EP4231717A4 (en) 2020-11-06 2020-11-06 KEY GENERATION METHOD AND DEVICE
PCT/CN2020/127300 WO2022094976A1 (zh) 2020-11-06 2020-11-06 Key generation method and apparatus
CN202080106763.8A CN116508356A (zh) 2020-11-06 2020-11-06 Key generation method and apparatus
US18/311,998 US20230319554A1 (en) 2020-11-06 2023-05-04 Key generation method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/127300 WO2022094976A1 (zh) 2020-11-06 2020-11-06 Key generation method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/311,998 Continuation US20230319554A1 (en) 2020-11-06 2023-05-04 Key generation method and apparatus

Publications (1)

Publication Number Publication Date
WO2022094976A1 true WO2022094976A1 (zh) 2022-05-12

Family

ID=81458518

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/127300 WO2022094976A1 (zh) 2020-11-06 2020-11-06 Key generation method and apparatus

Country Status (5)

Country Link
US (1) US20230319554A1 (zh)
EP (1) EP4231717A4 (zh)
CN (1) CN116508356A (zh)
CA (1) CA3200852A1 (zh)
WO (1) WO2022094976A1 (zh)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220225451A1 (en) * 2021-01-14 2022-07-14 Qualcomm Incorporated Modes of simultaneous connectivity in integrated access and backhaul

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110536377A (zh) * 2019-08-15 2019-12-03 ZTE Corporation Parent node selection method, apparatus, device, and medium
WO2020036527A1 (en) * 2018-08-13 2020-02-20 Telefonaktiebolaget Lm Ericsson (Publ) Secondary network node selection for dual connectivity

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Security for NR Integrated Access and Backhaul; (Release 16)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.824, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. V0.6.0, 2 January 2020 (2020-01-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 22, XP051841102 *
ANONYMOUS : "Security architecture and procedures for 5G System (3GPP TS 33.501 version 16.3.0 Release 16)", ETSI TS 133 501 V16.3.0 (2020-08), TECHNICAL SPECIFICATION, 30 August 2020 (2020-08-30), XP055928472, Retrieved from the Internet <URL:https://www.etsi.org/deliver/etsi_ts/133500_133599/133501/16.03.00_60/ts_133501v160300p.pdf> *
SAMSUNG: "LTE eNB - 5G gNB dual connectivity (EN-DC)", 18 December 2017 (2017-12-18), XP055611951, Retrieved from the Internet <URL:https://www.eventhelix.com/5G/non-standalone-access-en-dc/en-dc-secondary-node-addition.pdf> [retrieved on 20190809] *
See also references of EP4231717A4 *

Also Published As

Publication number Publication date
CN116508356A (zh) 2023-07-28
AU2020476322A1 (en) 2023-06-15
CA3200852A1 (en) 2022-05-12
EP4231717A1 (en) 2023-08-23
US20230319554A1 (en) 2023-10-05
EP4231717A4 (en) 2023-11-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 20960437; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase Ref document number: 202080106763.8; Country of ref document: CN
ENP Entry into the national phase Ref document number: 3200852; Country of ref document: CA
WWE Wipo information: entry into national phase Ref document number: 202327034634; Country of ref document: IN
ENP Entry into the national phase Ref document number: 2020960437; Country of ref document: EP; Effective date: 20230519
NENP Non-entry into the national phase Ref country code: DE
ENP Entry into the national phase Ref document number: 2020476322; Country of ref document: AU; Date of ref document: 20201106; Kind code of ref document: A