WO2022104617A1 - Communication method, apparatus and system - Google Patents


Info

Publication number
WO2022104617A1
Authority
WO
WIPO (PCT)
Prior art keywords
user plane
security protection
session
plane security
terminal device
Application number
PCT/CN2020/129914
Other languages
French (fr)
Chinese (zh)
Inventor
雷骜
李�赫
吴义壮
吴�荣
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN202080107200.0A (CN116671235A)
Priority to PCT/CN2020/129914 (WO2022104617A1)
Publication of WO2022104617A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B7/00 Radio transmission systems, i.e. using radiation field
    • H04B7/14 Relay systems
    • H04B7/15 Active relay systems
    • H04B7/185 Space-based or airborne stations; Stations for satellite systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Abstract

Embodiments of the present application provide a communication method, apparatus and system for solving the problem that the consistency of the user plane security of C2 communication between a UAV and a UAVC cannot currently be guaranteed. The method comprises: a management device obtains a first user plane security protection enabling indication, which indicates whether the user plane security protection of a first session is enabled, where the first session is the session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device; and the management device triggers the second terminal device to initiate establishment of a second session, where whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is the session used by the second terminal device to carry the C2 communication.

Description

Communication method, apparatus and system
Technical Field
The present application relates to the field of communication technologies, and in particular to a communication method, apparatus and system.
Background
In the current discussion of enabling unmanned aerial systems over fifth generation (5G) wireless communication networks, an unmanned aerial system (UAS) includes an unmanned aerial vehicle (UAV) and a UAV controller (UAVC). Through the command and control (C2) communication establishment procedure, the UAV and the UAVC establish a first protocol data unit (PDU) session, used by the UAV to carry C2 communication, and a second PDU session, used by the UAVC to carry C2 communication; UAS traffic management (UTM) / the UAS service supplier (USS) then associates the first PDU session with the second PDU session so that C2 communication between the UAV and the UAVC can take place. Of course, if either the UAV or the UAVC already has a PDU session carrying non-C2 UAS communication, the session management function (SMF) serving it may modify that PDU session so that it satisfies the conditions for C2 communication.
The current standards discussion has not yet addressed the security of the C2 communication establishment procedure between the UAV and the UAVC. In a scenario where the UAVC controls the flight of the UAV, this may result in the user plane security protection of the UAV segment used for C2 communication being enabled differently from that of the UAVC segment used for C2 communication. Consequently, in a scenario where the C2 communication must guarantee a certain level of security, an attacker can interfere with the entire C2 communication between the UAV and the UAVC through the end on which security protection is not enabled, which lowers the security of the C2 communication; alternatively, in a scenario where the C2 communication must guarantee transmission efficiency, the end on which security protection is enabled degrades the transmission efficiency of the entire C2 link. In summary, how to guarantee the consistency of the user plane security of the C2 communication between the UAV and the UAVC is a problem that urgently needs to be solved.
Summary of the Invention
The embodiments of the present application provide a communication method, apparatus and system for solving the problem that the consistency of the user plane security of the C2 communication between a UAV and a UAVC cannot currently be guaranteed.
To achieve the above objective, the embodiments of the present application adopt the following technical solutions:
In a first aspect, a communication method is provided. The communication apparatus that performs the method may be a management device or a module applied in a management device, such as a chip or a chip system. The following description takes the management device as the executing entity by way of example. The management device obtains a first user plane security protection enabling indication, which indicates whether the user plane security protection of a first session is enabled; the first session is the session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device. The management device triggers the second terminal device to initiate establishment of a second session, where whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is the session used by the second terminal device to carry the C2 communication. In this solution, the management device can obtain the first user plane security protection enabling indication and trigger the second terminal device to initiate establishment of the second session. Whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and that same indication indicates whether the user plane security protection of the first session is enabled. In other words, whether user plane security protection is enabled for the first session and whether it is enabled for the second session are both determined by the first user plane security protection enabling indication. Because the first session is the session used by the first terminal device to carry the C2 communication, the second session is the session used by the second terminal device to carry the C2 communication, and the C2 communication is the communication between the first terminal device and the second terminal device, this solution guarantees the consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
It should be noted that, in the embodiments of the present application, the first user plane security protection enabling indication may also be understood as a first user plane security protection enabling result indication. The first user plane security protection enabling result indication may include, for example, a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, where the first user plane confidentiality protection enabling result indication indicates whether user plane confidentiality protection is enabled or not, and the first user plane integrity protection enabling result indication indicates whether user plane integrity protection is enabled or not. This note applies to all embodiments of the present application; it is stated here once and is not repeated below.
With reference to the first aspect, in a possible implementation, the management device triggering the second terminal device to initiate establishment of the second session includes: the management device sends a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and the management device sends the first user plane security protection enabling indication to a second unified data management entity, the second unified data management entity being the unified data management entity serving the second terminal device. Based on this solution, the second unified data management entity serving the second terminal device can obtain the first user plane security protection enabling indication from the management device. Further, during the establishment procedure of the second session, the second session management entity serving the second terminal device can obtain the first user plane security protection enabling indication from the second unified data management entity. The first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled.
With reference to the first aspect, in a possible implementation, the management device triggering the second terminal device to initiate establishment of the second session includes: the management device sends a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and the management device receives a second message from a second proxy function entity and sends the first user plane security protection enabling indication to the second proxy function entity, where the second message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, the second proxy function entity provides the interface from a second session management entity to the management device, and the second session management entity is the session management entity serving the second terminal device. Based on this solution, the second session management entity serving the second terminal device can obtain the first user plane security protection enabling indication from the management device through the second proxy function entity. The first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled.
With reference to the first aspect, in a possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receives the first user plane security protection enabling indication from a first session management entity, the first session management entity being the session management entity serving the first terminal device. That is, the management device may obtain the first user plane security protection enabling indication over the control plane between the first terminal device and the management device.
With reference to the first aspect, in a possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receives the first user plane security protection enabling indication from the first terminal device. That is, the management device may obtain the first user plane security protection enabling indication over the user plane between the first terminal device and the management device.
With reference to the first aspect, in a possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receives the first user plane security protection enabling indication from a first proxy function entity, the first proxy function entity providing the interface from the first session management entity to the management device. That is, the management device may obtain the first user plane security protection enabling indication from the first proxy function entity that provides the interface from the first session management entity to the management device.
With reference to the first aspect, in a possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device determines that pairing authorization between the first terminal device and the second terminal device has succeeded; the management device sends a third message to a first proxy function entity, the third message including identification information of the first terminal device and being used to request the first user plane security protection enabling indication, where the first proxy function entity provides the interface from a first session management entity to the management device and the first session management entity is the session management entity serving the first terminal device; and the management device receives the first user plane security protection enabling indication from the first proxy function entity. That is, triggered by the pairing authorization procedure, the management device may obtain the first user plane security protection enabling indication through the first proxy function entity that provides the interface from the first session management entity to the management device.
In a second aspect, a communication method is provided. The communication apparatus that performs the method may be a first session management entity or a module applied in a first session management entity, such as a chip or a chip system. The following description takes the first session management entity as the executing entity by way of example. The first session management entity obtains a first user plane security protection enabling indication, which indicates whether the user plane security protection of a first session is enabled; the first session is the session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is the session management entity serving the first terminal device. The first session management entity sends the first user plane security protection enabling indication, which is used to determine whether the user plane security protection of a second session is enabled, the second session being the session used by the second terminal device to carry the C2 communication. In this solution, the first session management entity obtains the first user plane security protection enabling indication and sends it. The indication is used to determine whether the user plane security protection of the second session is enabled, and it also indicates whether the user plane security protection of the first session is enabled. In other words, whether user plane security protection is enabled for the first session and whether it is enabled for the second session are both determined by the first user plane security protection enabling indication. Because the first session is the session used by the first terminal device to carry the C2 communication, the second session is the session used by the second terminal device to carry the C2 communication, and the C2 communication is the communication between the first terminal device and the second terminal device, this solution guarantees the consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
With reference to the second aspect, in a possible implementation, the first session management entity sending the first user plane security protection enabling indication includes: the first session management entity sends the first user plane security protection enabling indication to a management device.
With reference to the second aspect, in a possible implementation, the first session management entity sending the first user plane security protection enabling indication includes: the first session management entity sends the first user plane security protection enabling indication to a first proxy function entity, where the first proxy function entity provides the interface from the first session management entity to the management device.
With reference to the second aspect, in a possible implementation, before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, the method further includes: the first session management entity receives a fourth message from the first proxy function entity, the fourth message including identification information of the first terminal device and being used to request the first user plane security protection enabling indication.
With reference to the second aspect, in a possible implementation, the first session management entity obtaining the first user plane security protection enabling indication includes: the first session management entity obtains a first user plane security protection policy from a first unified data management entity serving the first terminal device; the first session management entity sends the first user plane security protection policy to a first access network device serving the first terminal device; and the first session management entity receives the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy. For example, when the first user plane security protection policy is that security protection is optionally enabled, the first access network device may determine the first user plane security protection enabling indication according to the first user plane security protection policy (possibly combined with other information, such as resource usage on the first access network device or the maximum integrity protection rate that the first terminal device can support) and send the first user plane security protection enabling indication to the first session management entity. In one possible embodiment, the first user plane security protection policy specifies that user plane confidentiality protection is optionally enabled (PREFERRED) and that user plane integrity protection is optionally enabled; if the first access network device is currently relatively idle and has sufficient resources to provide security protection for the user plane data of the first terminal device, it may enable user plane confidentiality protection and user plane integrity protection and send the first user plane security protection enabling indication to the first session management entity, in which case the first user plane security protection enabling indication indicates that user plane confidentiality protection is enabled and user plane integrity protection is enabled.
With reference to the second aspect, in a possible implementation, the first session management entity obtaining the first user plane security protection enabling indication includes: the first session management entity obtains a first user plane security protection policy from a first unified data management entity serving the first terminal device; the first session management entity sends the first user plane security protection policy to a first access network device serving the first terminal device; the first session management entity receives a seventh message from the first access network device, the seventh message indicating that the first access network device has established the first session according to the first user plane security protection policy; and, in response to the seventh message, the first session management entity determines the first user plane security protection enabling indication according to the first user plane security protection policy. For example, when the first user plane security protection policy specifies that user plane confidentiality protection is mandatorily enabled (REQUIRED) or mandatorily disabled (NOT NEEDED) and that user plane integrity protection is mandatorily enabled or mandatorily disabled, then upon receiving the seventh message from the first access network device the first session management entity can determine exactly, from the first user plane security protection policy, whether user plane confidentiality protection and user plane integrity protection are enabled. For instance, if the first user plane security protection policy specifies that user plane confidentiality protection is mandatorily enabled and user plane integrity protection is mandatorily enabled, it determines that user plane confidentiality protection and user plane integrity protection are enabled; if the policy specifies that user plane confidentiality protection is mandatorily disabled and user plane integrity protection is mandatorily disabled, it determines that neither user plane confidentiality protection nor user plane integrity protection is enabled. The other cases are similar and are not repeated here. In other words, when the first user plane security protection policy is a deterministic policy (for example, user plane confidentiality protection is mandatorily enabled or mandatorily disabled and user plane integrity protection is mandatorily enabled or mandatorily disabled), the first access network device need not explicitly notify the first session management entity of the result of enabling user plane security; once the first session management entity determines that the session has been established, it can itself determine from the first user plane security protection policy whether user plane confidentiality protection and user plane integrity protection are enabled.
In a third aspect, a communication method is provided. The communication apparatus that performs the method may be a second session management entity or a module applied in a second session management entity, such as a chip or a chip system. The following description takes the second session management entity as the executing entity by way of example. The second session management entity obtains a first user plane security protection enabling indication, which indicates whether the user plane security protection of a first session is enabled; the first session is the session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The second session management entity sends the first user plane security protection enabling indication to a second access network device serving the second terminal device, where the first user plane security protection enabling indication is used to determine whether the user plane security protection of a second session is enabled, the second session being the session used by the second terminal device to carry the C2 communication. In this solution, the first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled, and it also indicates whether the user plane security protection of the first session is enabled. In other words, whether user plane security protection is enabled for the first session and whether it is enabled for the second session are both determined by the first user plane security protection enabling indication. Because the first session is the session used by the first terminal device to carry the C2 communication, the second session is the session used by the second terminal device to carry the C2 communication, and the C2 communication is the communication between the first terminal device and the second terminal device, this solution guarantees the consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
In a fourth aspect, a communication method is provided. The communication apparatus executing the method may be a second session management entity, or a module applied in the second session management entity, such as a chip or a chip system. The description below takes the second session management entity as the executing subject. The second session management entity obtains a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled; the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The second session management entity determines a third user plane security protection policy according to the first user plane security protection enabling indication, the third user plane security protection policy including only either mandatory enabling of security protection or mandatory non-enabling of security protection. The second session management entity sends the third user plane security protection policy to a second access network device serving the second terminal device; the third user plane security protection policy is used to determine a second user plane security protection enabling indication, which in turn determines whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication. In this solution, the third user plane security protection policy determines the second user plane security protection enabling indication (which indicates whether user plane security protection of the second session is enabled), the third user plane security protection policy is itself determined by the first user plane security protection enabling indication (which indicates whether user plane security protection of the first session is enabled), and the third user plane security protection policy admits only mandatory enabling or mandatory non-enabling. Because the policy leaves the second access network device no discretion, that device cannot arrive at a different activation result from the one already reached for the first session. In other words, whether user plane security protection is enabled for the first session and for the second session is determined by the same first user plane security protection enabling indication. Since the first session carries the C2 communication on the first terminal device side, the second session carries the same C2 communication on the second terminal device side, and the C2 communication is communication between the first terminal device and the second terminal device, this solution guarantees consistency of user plane security protection for the C2 communication between the first terminal device and the second terminal device.
It should be noted that, in the embodiments of this application, the second user plane security protection enabling indication may also be understood as a second user plane security protection enabling result indication. The second user plane security protection enabling result indication may include, for example, a second user plane confidentiality protection enabling result indication and a second user plane integrity protection enabling result indication, where the former indicates whether user plane confidentiality protection is enabled or not enabled, and the latter indicates whether user plane integrity protection is enabled or not enabled. This note applies to all embodiments of this application; it is stated once here and not repeated below.
With reference to the fourth aspect, in a possible implementation, the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, and the second session management entity determining the third user plane security protection policy according to the first user plane security protection enabling indication includes the following cases: (1) when the first user plane confidentiality protection enabling result indication indicates that user plane confidentiality protection is enabled and the first user plane integrity protection enabling result indication indicates that user plane integrity protection is enabled, the second session management entity determines that the third user plane security protection policy includes user plane confidentiality protection mandatorily enabled and user plane integrity protection mandatorily enabled; or (2) when the first user plane confidentiality protection enabling result indication indicates that user plane confidentiality protection is not enabled and the first user plane integrity protection enabling result indication indicates that user plane integrity protection is not enabled, the second session management entity determines that the third user plane security protection policy includes user plane confidentiality protection mandatorily not enabled and user plane integrity protection mandatorily not enabled; or (3) when the first user plane confidentiality protection enabling result indication indicates that user plane confidentiality protection is not enabled and the first user plane integrity protection enabling result indication indicates that user plane integrity protection is enabled, the second session management entity determines that the third user plane security protection policy includes user plane confidentiality protection mandatorily not enabled and user plane integrity protection mandatorily enabled; or (4) when the first user plane confidentiality protection enabling result indication indicates that user plane confidentiality protection is enabled and the first user plane integrity protection enabling result indication indicates that user plane integrity protection is not enabled, the second session management entity determines that the third user plane security protection policy includes user plane confidentiality protection mandatorily enabled and user plane integrity protection mandatorily not enabled.
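To make the mapping above concrete, the following Python model, added here and not part of the patent, runs the C2 session establishment on both sides and shows why the third user plane security protection policy is restricted to the two mandatory values. The policy values REQUIRED / PREFERRED / NOT_NEEDED follow the 3GPP TS 33.501 user plane security policy vocabulary (REQUIRED and NOT_NEEDED correspond to the patent's mandatorily enabled and mandatorily not enabled); all class and function names, and the assumption that an access network device resolves a PREFERRED policy from a single local preference flag, are the example's own.

```python
"""Model of the UP security consistency mechanism for C2 communication.

Added illustration, not code from the patent. Names (Policy, ran_activate,
derive_third_policy, establish_c2) and the rule that an access network device
resolves a PREFERRED policy from a local boolean preference are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    REQUIRED = "required"      # mandatorily enabled  (TS 33.501 "Required")
    NOT_NEEDED = "not_needed"  # mandatorily not enabled ("Not needed")
    PREFERRED = "preferred"    # access network device decides ("Preferred")


@dataclass(frozen=True)
class UPSecurityPolicy:
    confidentiality: Policy
    integrity: Policy


@dataclass(frozen=True)
class EnablingIndication:
    """Activation *result* for one session: what was actually switched on."""
    confidentiality: bool
    integrity: bool


def ran_activate(policy: UPSecurityPolicy, prefer_on: bool) -> EnablingIndication:
    """Access network device applies a policy and reports the result.

    REQUIRED and NOT_NEEDED leave no choice; PREFERRED is resolved locally
    (assumed here to be one boolean, e.g. derived from load or UE capability).
    """
    def decide(p: Policy) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return prefer_on
    return EnablingIndication(decide(policy.confidentiality), decide(policy.integrity))


def derive_third_policy(first_indication: EnablingIndication) -> UPSecurityPolicy:
    """Second session management entity (fourth aspect): map the first session's
    activation result onto a policy that admits only the two mandatory values,
    so the second access network device has no discretion left."""
    def force(enabled: bool) -> Policy:
        return Policy.REQUIRED if enabled else Policy.NOT_NEEDED
    return UPSecurityPolicy(force(first_indication.confidentiality),
                            force(first_indication.integrity))


def is_mandatory_only(policy: UPSecurityPolicy) -> bool:
    """Guard for the second SMF: a derived policy must never carry PREFERRED,
    otherwise the consistency guarantee is lost."""
    return Policy.PREFERRED not in (policy.confidentiality, policy.integrity)


def establish_c2(first_policy: UPSecurityPolicy, first_ran_prefers_on: bool,
                 second_udm_policy: UPSecurityPolicy, second_ran_prefers_on: bool,
                 relay_indication: bool):
    """Establish both sessions; return (first_result, second_result, consistent).

    relay_indication=False models the status quo: the second SMF only has the
    policy from the second UDM. True models the patent: the second SMF derives
    its policy from the first session's activation result.
    """
    first_ind = ran_activate(first_policy, first_ran_prefers_on)
    if relay_indication:
        second_policy = derive_third_policy(first_ind)
        assert is_mandatory_only(second_policy)
    else:
        second_policy = second_udm_policy
    second_ind = ran_activate(second_policy, second_ran_prefers_on)
    return first_ind, second_ind, first_ind == second_ind


if __name__ == "__main__":
    pref = UPSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    for relay in (False, True):
        f, s, ok = establish_c2(pref, True, pref, False, relay)
        print(f"relay={relay}: UAV side {f}, UAVC side {s}, consistent={ok}")
```

Running the block prints both sides' activation results with and without relaying the first indication. With the first policy set to PREFERRED for both confidentiality and integrity, the UAV-side access network device enables both while the UAVC-side access network device, left to its own preference, enables neither, so the two sessions carrying the same C2 communication end up with different protection. Deriving the second side's policy from the first side's result removes that discretion and the results match; `is_mandatory_only` is the check the second session management entity should make before forwarding the derived policy.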
With reference to the third aspect or the fourth aspect, in a possible implementation, the second session management entity obtaining the first user plane security protection enabling indication includes: the second session management entity sends a fifth message to a second unified data management entity serving the second terminal device, the fifth message including identification information of the second terminal device and being used to request a second user plane security protection policy; and the second session management entity receives the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity. That is, the second session management entity may obtain the first user plane security protection enabling indication from the second unified data management entity serving the second terminal device.
With reference to the third aspect or the fourth aspect, in a possible implementation, the second session management entity obtaining the first user plane security protection enabling indication includes: the second session management entity sends a sixth message to a second proxy function entity, the sixth message including identification information of the second terminal device and being used to request the first user plane security protection enabling indication, where the second proxy function entity provides the interface from the second session management entity to the management device; and the second session management entity receives the first user plane security protection enabling indication from the second proxy function entity. That is, the second session management entity may obtain the first user plane security protection enabling indication from the management device through the second proxy function entity that provides the interface from the second session management entity to the management device.
With reference to the third aspect or the fourth aspect, in a possible implementation, before the second session management entity sends the sixth message to the second proxy function entity, the method further includes: the second session management entity receives indication information from the second terminal device, the indication information indicating that the second session the second terminal device requests to establish is for responding to the C2 communication initiated by the first terminal device. That is, once the second session management entity learns that the second session requested by the second terminal device is for responding to the C2 communication initiated by the first terminal device, it may directly obtain the first user plane security protection enabling indication from the management device through the second proxy function entity that provides the interface from the second session management entity to the management device.
In a fifth aspect, a communication apparatus is provided for performing the method of the first aspect or any possible implementation of the first aspect. The communication apparatus may be the management device of the first aspect or any possible implementation of the first aspect, or a module applied in the management device, such as a chip or a chip system. The communication apparatus includes modules, units, or means corresponding to the method above; the modules, units, or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
With reference to the fifth aspect, in a possible implementation, the communication apparatus includes a processing module and a transceiver module. The processing module is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled; the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device. The transceiver module is configured to trigger the second terminal device to initiate establishment of a second session, where whether user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is a session used by the second terminal device to carry the C2 communication.
With reference to the fifth aspect, in a possible implementation, the transceiver module being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and sending the first user plane security protection enabling indication to a second unified data management entity, the second unified data management entity being the unified data management entity serving the second terminal device.
With reference to the fifth aspect, in a possible implementation, the transceiver module being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and receiving a second message from a second proxy function entity and sending the first user plane security protection enabling indication to the second proxy function entity, where the second message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, the second proxy function entity provides the interface from a second session management entity to the management device, and the second session management entity is the session management entity serving the second terminal device.
With reference to the fifth aspect, in a possible implementation, the processing module is specifically configured to: receive, through the transceiver module, the first user plane security protection enabling indication from a first session management entity, the first session management entity being the session management entity serving the first terminal device; or receive, through the transceiver module, the first user plane security protection enabling indication from the first terminal device; or receive, through the transceiver module, the first user plane security protection enabling indication from a first proxy function entity, the first proxy function entity providing the interface from the first session management entity to the management device.
With reference to the fifth aspect, in a possible implementation, the processing module is specifically configured to: determine that pairing authorization between the first terminal device and the second terminal device has succeeded; send a third message to a first proxy function entity through the transceiver module, the third message including identification information of the first terminal device and being used to request the first user plane security protection enabling indication, where the first proxy function entity provides the interface from a first session management entity to the management device and the first session management entity is the session management entity serving the first terminal device; and receive the first user plane security protection enabling indication from the first proxy function entity through the transceiver module.
With reference to the fifth aspect, in a possible implementation, the communication apparatus includes a processor and a transceiver. The processor is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled; the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device. The transceiver is configured to trigger the second terminal device to initiate establishment of a second session, where whether user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is a session used by the second terminal device to carry the C2 communication.
With reference to the fifth aspect, in a possible implementation, the transceiver being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and sending the first user plane security protection enabling indication to a second unified data management entity, the second unified data management entity being the unified data management entity serving the second terminal device.
With reference to the fifth aspect, in a possible implementation, the transceiver being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, the first message being used to trigger the second terminal device to initiate establishment of the second session; and receiving a second message from a second proxy function entity and sending the first user plane security protection enabling indication to the second proxy function entity, where the second message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, the second proxy function entity provides the interface from a second session management entity to the management device, and the second session management entity is the session management entity serving the second terminal device.
With reference to the fifth aspect, in a possible implementation, the processor is specifically configured to: receive, through the transceiver, the first user plane security protection enabling indication from a first session management entity, the first session management entity being the session management entity serving the first terminal device; or receive, through the transceiver, the first user plane security protection enabling indication from the first terminal device; or receive, through the transceiver, the first user plane security protection enabling indication from a first proxy function entity, the first proxy function entity providing the interface from the first session management entity to the management device.
With reference to the fifth aspect, in a possible implementation, the processor is specifically configured to: determine that pairing authorization between the first terminal device and the second terminal device has succeeded; send a third message to a first proxy function entity through the transceiver, the third message including identification information of the first terminal device and being used to request the first user plane security protection enabling indication, where the first proxy function entity provides the interface from a first session management entity to the management device and the first session management entity is the session management entity serving the first terminal device; and receive the first user plane security protection enabling indication from the first proxy function entity through the transceiver.
The technical effects of the fifth aspect or any possible implementation of the fifth aspect are as described for the first aspect and are not repeated here.
In a sixth aspect, a communication apparatus is provided for performing the method of the second aspect or any possible implementation of the second aspect. The communication apparatus may be the first session management entity of the second aspect or any possible implementation of the second aspect, or a module applied in the first session management entity, such as a chip or a chip system. The communication apparatus includes modules, units, or means corresponding to the method above; the modules, units, or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
With reference to the sixth aspect, in a possible implementation, the communication apparatus includes a processing module and a transceiver module. The processing module is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled; the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is the session management entity serving the first terminal device. The transceiver module is configured to send the first user plane security protection enabling indication, which is used to determine whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
With reference to the sixth aspect, in a possible implementation, the transceiver module is specifically configured to send the first user plane security protection enabling indication to the management device.
With reference to the sixth aspect, in a possible implementation, the transceiver module is specifically configured to send the first user plane security protection enabling indication to a first proxy function entity, where the first proxy function entity provides the interface from the first session management entity to the management device.
With reference to the sixth aspect, in a possible implementation, the transceiver module is further configured to receive, before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, a fourth message from the first proxy function entity, the fourth message including identification information of the first terminal device and being used to request the first user plane security protection enabling indication.
With reference to the sixth aspect, in a possible implementation, the processing module is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send the first user plane security protection policy to a first access network device serving the first terminal device through the transceiver module; and receive the first user plane security protection enabling indication from the first access network device through the transceiver module, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
With reference to the sixth aspect, in a possible implementation, the processing module is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send the first user plane security protection policy to a first access network device serving the first terminal device through the transceiver module; and, after receiving a seventh message from the first access network device through the transceiver module, determine the first user plane security protection enabling indication according to the first user plane security protection policy in response to the seventh message, where the seventh message indicates that the first access network device has established the first session according to the first user plane security protection policy.
结合上述第六方面,在一种可能的实现方式中,通信装置包括处理器和收发器; 该处理器,用于获取第一用户面安全保护开启指示,该第一用户面安全保护开启指示用于指示第一会话的用户面安全保护是否开启;其中,该第一会话为第一终端设备用于承载C2通信的会话,该第一终端设备为该C2通信的发起端设备,第二终端设备为该C2通信的对端设备,该C2通信为第一终端设备与第二终端设备之间的通信,该第一会话管理实体是为该第一终端设备服务的会话管理实体;该收发器,用于发送该第一用户面安全保护开启指示,该第一用户面安全保护开启指示用于确定第二会话的用户面安全保护是否开启,该第二会话为该第二终端设备用于承载该C2通信的会话。With reference to the above sixth aspect, in a possible implementation manner, the communication device includes a processor and a transceiver; the processor is configured to obtain a first user plane security protection opening instruction, and the first user plane security protection opening instruction is used for Indicates whether the user plane security protection of the first session is enabled; wherein, the first session is a session used by the first terminal device to carry the C2 communication, the first terminal device is the initiating end device of the C2 communication, and the second terminal device is the opposite end device of the C2 communication, the C2 communication is the communication between the first terminal device and the second terminal device, and the first session management entity is a session management entity serving the first terminal device; the transceiver, It is used to send the first user plane security protection opening instruction, and the first user plane security protection opening instruction is used to determine whether the user plane security protection of the second session is enabled, and the second session is used by the second terminal device to carry the Session for C2 communication.
With reference to the sixth aspect, in a possible implementation, the transceiver is specifically configured to send the first user plane security protection enabling indication to a management device.
With reference to the sixth aspect, in a possible implementation, the transceiver is specifically configured to send the first user plane security protection enabling indication to a first proxy function entity, where the first proxy function entity provides the interface from the first session management entity to the management device.
With reference to the sixth aspect, in a possible implementation, the transceiver is further configured to receive, before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, a fourth message from the first proxy function entity, where the fourth message includes identification information of the first terminal device and is used to request the first user plane security protection enabling indication.
With reference to the sixth aspect, in a possible implementation, the processor is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send the first user plane security protection policy, through the transceiver, to a first access network device serving the first terminal device; and receive, through the transceiver, the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
With reference to the sixth aspect, in a possible implementation, the processor is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send the first user plane security protection policy, through the transceiver, to a first access network device serving the first terminal device; and, after receiving a seventh message from the first access network device through the transceiver, determine the first user plane security protection enabling indication according to the first user plane security protection policy in response to the seventh message, where the seventh message indicates that the first access network device has established the first session according to the first user plane security protection policy.
The technical effects of the sixth aspect or any possible implementation thereof may be found by reference to the second aspect and are not repeated here.
In a seventh aspect, a communication apparatus is provided for performing the method of the third aspect or any possible implementation thereof. The communication apparatus may be the second session management entity of the third aspect or any possible implementation thereof, or a module applied in the second session management entity, such as a chip or a chip system. The communication apparatus includes modules, units or means for implementing the corresponding method; these modules, units or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
With reference to the seventh aspect, in a possible implementation, the communication apparatus includes a processing module and a transceiver module. The processing module is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by a first terminal device to carry C2 communication between the first terminal device and a second terminal device, the first terminal device is the initiating end device of the C2 communication, the second terminal device is the peer end device of the C2 communication, and the second session management entity is the session management entity serving the second terminal device. The transceiver module is configured to send the first user plane security protection enabling indication to a second access network device serving the second terminal device, where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
With reference to the seventh aspect, in a possible implementation, the communication apparatus includes a processor and a transceiver. The processor is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The transceiver is configured to send the first user plane security protection enabling indication to a second access network device serving the second terminal device, where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
In an eighth aspect, a communication apparatus is provided for performing the method of the fourth aspect or any possible implementation thereof. The communication apparatus may be the second session management entity of the fourth aspect or any possible implementation thereof, or a module applied in the second session management entity, such as a chip or a chip system. The communication apparatus includes modules, units or means for implementing the corresponding method; these modules, units or means may be implemented by hardware, by software, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions above.
With reference to the eighth aspect, in a possible implementation, the communication apparatus includes a processing module and a transceiver module. The processing module is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The processing module is further configured to determine a third user plane security protection policy according to the first user plane security protection enabling indication, where the third user plane security protection policy includes only the two mandatory values: security protection mandatorily enabled, or security protection mandatorily not enabled. The transceiver module is configured to send the third user plane security protection policy to a second access network device serving the second terminal device, where the third user plane security protection policy is used to determine a second user plane security protection enabling indication, which in turn is used to determine whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
With reference to the eighth aspect, in a possible implementation, the way in which the processing module determines the third user plane security protection policy according to the first user plane security protection enabling indication may be found by reference to the fourth aspect and is not repeated here.
With reference to the eighth aspect, in a possible implementation, the communication apparatus includes a processor and a transceiver. The processor is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The processor is further configured to determine a third user plane security protection policy according to the first user plane security protection enabling indication, where the third user plane security protection policy includes only the two mandatory values: security protection mandatorily enabled, or security protection mandatorily not enabled. The transceiver is configured to send the third user plane security protection policy to a second access network device serving the second terminal device, where the third user plane security protection policy is used to determine a second user plane security protection enabling indication, which in turn is used to determine whether user plane security protection of a second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
With reference to the eighth aspect, in a possible implementation, the way in which the processor determines the third user plane security protection policy according to the first user plane security protection enabling indication may be found by reference to the fourth aspect and is not repeated here.
With reference to the seventh or eighth aspect, in a possible implementation, the processing module obtaining the first user plane security protection enabling indication includes: sending, through the transceiver module, a fifth message to a second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device and is used to request a second user plane security protection policy; and receiving, through the transceiver module, the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity.
With reference to the seventh or eighth aspect, in a possible implementation, the processing module obtaining the first user plane security protection enabling indication includes: sending, through the transceiver module, a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, and the second proxy function entity provides the interface from the second session management entity to the management device; and receiving, through the transceiver module, the first user plane security protection enabling indication from the second proxy function entity.
With reference to the seventh or eighth aspect, in a possible implementation, the transceiver module is further configured to receive, before the sixth message is sent to the second proxy function entity, indication information from the second terminal device, where the indication information indicates that the second session which the second terminal device requests to establish is for responding to the C2 communication initiated by the first terminal device.
With reference to the seventh or eighth aspect, in a possible implementation, the processor obtaining the first user plane security protection enabling indication includes: sending, through the transceiver, a fifth message to a second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device and is used to request a second user plane security protection policy; and receiving, through the transceiver, the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity.
With reference to the seventh or eighth aspect, in a possible implementation, the processor obtaining the first user plane security protection enabling indication includes: sending, through the transceiver, a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, and the second proxy function entity provides the interface from the second session management entity to the management device; and receiving, through the transceiver, the first user plane security protection enabling indication from the second proxy function entity.
With reference to the seventh or eighth aspect, in a possible implementation, the transceiver is further configured to receive, before the sixth message is sent to the second proxy function entity, indication information from the second terminal device, where the indication information indicates that the second session which the second terminal device requests to establish is for responding to the C2 communication initiated by the first terminal device.
The technical effects of the seventh aspect or any possible implementation thereof may be found by reference to the third aspect and are not repeated here.
The technical effects of the eighth aspect or any possible implementation thereof may be found by reference to the fourth aspect and are not repeated here.
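The flow the sixth to eighth aspects describe (subscriber policy from the UDM, activation decision by the first access network, the resulting enabling indication forwarded to the second session management entity, and that indication collapsed into a policy with only two mandatory values for the second access network) can be made concrete. The Python model below is an added example and is not code from the patent or from Huawei. It assumes that the user plane security protection policy takes the three 3GPP TS 33.501 values REQUIRED, PREFERRED and NOT_NEEDED, separately for ciphering and integrity protection, and that an access network activates protection for REQUIRED, leaves it off for NOT_NEEDED and makes a local choice for PREFERRED; the `prefers_on` flag standing in for that local choice, and the function and class names, are modelling assumptions of this example.

```python
# Added example (not code from the patent): model the user plane security
# consistency flow for a pair of C2 sessions. Policy values are assumed to
# follow the 3GPP TS 33.501 user plane security policy (REQUIRED / PREFERRED /
# NOT_NEEDED), applied separately to ciphering and integrity protection.
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    REQUIRED = "REQUIRED"      # access network must activate protection
    PREFERRED = "PREFERRED"    # access network decides locally
    NOT_NEEDED = "NOT_NEEDED"  # access network must not activate protection


@dataclass(frozen=True)
class UpSecurityPolicy:
    """User plane security protection policy (as obtained from the UDM)."""
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class UpSecurityIndication:
    """User plane security protection enabling indication: what the access
    network actually activated for one session."""
    ciphering_on: bool
    integrity_on: bool


def access_network_activate(policy: UpSecurityPolicy, prefers_on: bool) -> UpSecurityIndication:
    """Model of the access network's activation decision for one session.

    `prefers_on` is an assumed stand-in for the local choice an access network
    makes when a policy value is PREFERRED (for example based on load or capability).
    """
    def decide(value: Policy) -> bool:
        if value is Policy.REQUIRED:
            return True
        if value is Policy.NOT_NEEDED:
            return False
        return prefers_on
    return UpSecurityIndication(decide(policy.ciphering), decide(policy.integrity))


def derive_strict_policy(indication: UpSecurityIndication) -> UpSecurityPolicy:
    """Eighth aspect: the second session management entity turns the first
    session's enabling indication into a third policy that carries only the two
    mandatory values, so the second access network has no PREFERRED choice left."""
    def strict(on: bool) -> Policy:
        return Policy.REQUIRED if on else Policy.NOT_NEEDED
    return UpSecurityPolicy(strict(indication.ciphering_on), strict(indication.integrity_on))


def establish_c2_pair(first_policy: UpSecurityPolicy, first_prefers_on: bool, second_prefers_on: bool):
    """Coordinated flow: first session established under the UDM policy, its
    enabling indication forwarded (via the management device) to the second
    session management entity, which derives the strict policy for the second session.

    Returns (first_indication, second_indication, consistent).
    """
    first = access_network_activate(first_policy, first_prefers_on)
    third_policy = derive_strict_policy(first)
    second = access_network_activate(third_policy, second_prefers_on)
    return first, second, first == second


def establish_independently(first_policy: UpSecurityPolicy, second_policy: UpSecurityPolicy,
                            first_prefers_on: bool, second_prefers_on: bool):
    """Baseline the abstract identifies as the problem: each side's access
    network applies its own subscriber policy with no coordination.

    Returns (first_indication, second_indication, consistent).
    """
    first = access_network_activate(first_policy, first_prefers_on)
    second = access_network_activate(second_policy, second_prefers_on)
    return first, second, first == second


if __name__ == "__main__":
    # Constructed scenario: both subscribers carry PREFERRED, the UAV's access
    # network prefers protection on and the UAVC's access network prefers it off.
    preferred = UpSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    print("independent:", establish_independently(preferred, preferred, True, False))
    print("coordinated:", establish_c2_pair(preferred, True, False))
```

Running the module shows the inconsistency the abstract describes: with PREFERRED on both subscriptions and two access networks that choose differently, the independent flow yields one protected and one unprotected C2 session, whereas forwarding the first session's indication and collapsing it to REQUIRED or NOT_NEEDED makes the second access network's decision deterministic and equal to the first.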
In a ninth aspect, a communication apparatus is provided, including a memory and a processor coupled to the memory; the memory stores a program and the processor executes the program stored in the memory; when the communication apparatus runs, the processor runs the program so that the communication apparatus performs the method of any of the aspects above.
With reference to the ninth aspect, in a possible implementation, the communication apparatus may be a chip or a chip system. When the communication apparatus is a chip system, it may consist of chips, or may include chips together with other discrete devices.
With reference to the ninth aspect, in a possible implementation, when the communication apparatus is a chip or a chip system, the processor may also be embodied as a processing circuit or a logic circuit.
In a tenth aspect, a computer-readable storage medium is provided, storing instructions which, when run on a computer, enable the computer to perform the method of any of the aspects above.
In an eleventh aspect, a computer program product containing instructions is provided which, when run on a computer, enables the computer to perform the method of any of the aspects above.
The technical effects of any possible implementation of the ninth to eleventh aspects may be found by reference to those of the different implementations of the first, second, third or fourth aspect and are not repeated here.
In a twelfth aspect, a communication system is provided, including the management device of the first aspect and the second session management entity of the third or fourth aspect.
With reference to the twelfth aspect, in a possible implementation, the management device is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by the first terminal device to carry C2 communication and the C2 communication is communication between the first terminal device and the second terminal device; the management device is further configured to trigger the second terminal device to initiate establishment of a second session, the second session being a session used by the second terminal device to carry the C2 communication; and the second session management entity is configured to receive the first user plane security protection enabling indication obtained by the management device and send it to a second access network device serving the second terminal device, where the first user plane security protection enabling indication is used to determine whether user plane security protection of the second session is enabled.
With reference to the twelfth aspect, in another possible implementation, the management device is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled, where the first session is a session used by the first terminal device to carry C2 communication and the C2 communication is communication between the first terminal device and the second terminal device; the management device is further configured to trigger the second terminal device to initiate establishment of a second session, the second session being a session used by the second terminal device to carry the C2 communication; and the second session management entity is configured to receive the first user plane security protection enabling indication obtained by the management device, determine a third user plane security protection policy according to that indication, and then send the third user plane security protection policy to a second access network device serving the second terminal device. The third user plane security protection policy includes only the two mandatory values: security protection mandatorily enabled, or security protection mandatorily not enabled. It is used to determine a second user plane security protection enabling indication, which in turn is used to determine whether user plane security protection of the second session is enabled, the second session being a session used by the second terminal device to carry the C2 communication.
With reference to the twelfth aspect, in another possible implementation, the communication system further includes the first session management entity of the second aspect, where the first session management entity is configured to send the first user plane security protection enabling indication to the management device, and the management device obtaining the first user plane security protection enabling indication includes receiving it from the first session management entity.
With reference to the twelfth aspect, in another possible implementation, the communication system further includes the first terminal device, which is configured to send the first user plane security protection enabling indication to the management device; the management device obtaining the first user plane security protection enabling indication includes receiving it from the first terminal device.
The technical effects of the twelfth aspect may be found by reference to those of the different implementations of the first, second, third or fourth aspect and are not repeated here.
Description of drawings
Figure 1 is a schematic diagram of the architecture of the 5G wireless communication network-enabled unmanned aircraft system currently under discussion;
Figure 2a is a schematic diagram of the architecture of a communication system provided by an embodiment of this application;
Figure 2b is a schematic diagram of the architecture of another communication system provided by an embodiment of this application;
Figure 2c is a schematic diagram of the architecture of yet another communication system provided by an embodiment of this application;
Figure 3 is a schematic diagram of the architecture when the communication system provided by an embodiment of this application is applied to a 5G network;
Figure 4 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
Figure 5 is a schematic flowchart of a communication method provided by an embodiment of this application;
Figure 6 is a schematic flowchart of another communication method provided by an embodiment of this application;
Figure 7a is a schematic flowchart of yet another communication method provided by an embodiment of this application;
Figure 7b is a schematic flowchart of yet another communication method provided by an embodiment of this application;
Figure 8 is an interaction diagram of a communication method provided by an embodiment of this application;
Figure 9 is an interaction diagram of another communication method provided by an embodiment of this application;
Figure 10 is an interaction diagram of yet another communication method provided by an embodiment of this application;
Figure 11 is an interaction diagram of yet another communication method provided by an embodiment of this application;
Figure 12 is a schematic structural diagram of another communication apparatus provided by an embodiment of this application.
Detailed description of embodiments
To facilitate understanding of the technical solutions of the embodiments of this application, a brief introduction to the related technologies is given first.
First, C2 communication:
The 3rd Generation Partnership Project (3GPP) service requirements working group (SA1) defines C2 communication as: the UAVC or UTM/USS delivers command and control signalling to the UAV over a user plane connection. Depending on requirements such as information exchange frequency, traffic volume and end-to-end latency, the UAVC or UTM/USS has four operation modes for the UAV: steering to waypoints, direct stick steering, automated flight, and approaching automated navigation infrastructure. Since the embodiments of this application do not involve specific C2 communication operations, these four modes are not described in detail here.
The 3GPP architecture working group (SA2) added to this definition: C2 communication is the UAVC or UTM/USS delivering command and control signalling to the UAV over a user plane connection, or the UAV reporting telemetry (remote sensing monitoring) information to the UAVC or UTM/USS. That is, C2 communication currently covers bidirectional communication between the UAVC and the UAV, and bidirectional communication between the UTM/USS and the UAV.
Note that the C2 communication referred to in the following embodiments of this application involves only C2 communication between the UAV and the UAVC, not C2 communication between the UAV and the UTM/USS. This is stated here once and not repeated below.
Second, the architecture of a 5G-network-enabled unmanned aerial system (UAS):
Figure 1 is a schematic diagram of the architecture of the 5G wireless network-enabled unmanned aerial system currently under discussion. As shown in Figure 1, a UAS comprises one UAV and one UAVC. In a 5G network, the UAV is designed to communicate with a peer through the 3GPP network. The peer may be, for example, the UAVC; or the UTM/USS; or a third party authorized entity (TPAE). As shown in Figure 1, the interface between the UAV or UAVC and the 3GPP network for UAS service authentication, authorization, identification and tracking is UAV1; the interface between the TPAE and the 3GPP network for remote identification (Remote ID) and tracking is UAV2; the interface for C2 communication between the UAV and the UAVC through the 3GPP network is UAV3; and the interface for communication between the UAV and the UTM/USS through the 3GPP network is UAV9. In addition, as shown in Figure 1, the UAV can communicate with the TPAE through UAV7; the UAV can communicate with UAVs outside its own UAS through U2U; the UAV can communicate with the UAVC through UAV8; and the interface for C2 communication between the UAV and the UAVC over the Internet is UAV5. The UAV5, UAV7, UAV8 and U2U interfaces are not controlled by the 3GPP network and are therefore outside the scope of the embodiments of this application. This is stated here once and not repeated below.
In the embodiments of this application, both the UAV and the UAVC can be treated by the 3GPP network as terminal devices, also called user equipment (UE). The UTM is responsible for UAV communication management, and the USS is the provider of UAV services. The UTM/USS services include authenticating and authorizing whether a UAV/UAVC may use UAV services, and authorizing whether a UAV and a UAVC may be paired. A TPAE is a device held by an organisation with regulatory needs other than the UAVC and UTM/USS (for example the police).
In the embodiments of this application, communication between the UAV and a peer through the 3GPP network is of three types:
1. C2 communication from the UAVC or UTM/USS to the UAV, used to control the UAV's flight or to have the UAV send telemetry and control data to the UAVC or UTM/USS. Note that the UAV and the UAVC may be connected to different public land mobile networks (PLMNs) while performing C2 communication; for example, the UAV of a UAS in Figure 1 may be connected to 3GPP PLMN-a while its UAVC is connected to 3GPP PLMN-b. This is stated here once and not repeated below.
2. Remote identification of the UAV by the UTM/USS or TPAE: the UAV in flight provides its own identification information to the UTM/USS or TPAE, helping regulators (for example the UTM or the civil aviation authority) identify the UAV's status in time and close safety gaps.
3. Other UAS services between the UAV and the UTM/USS, for example the UAV obtaining UAS service parameters from the UTM/USS, or obtaining authentication and authorization to use the UAS service.
Third, the user plane security protection policy and the user plane security protection enable indication:
The user plane security protection policy describes whether user plane security protection is to be enabled, and can be used to determine the user plane security protection enable indication. In the embodiments of this application, the user plane security protection policy includes a user plane confidentiality protection policy and/or a user plane integrity protection policy. The user plane confidentiality protection policy describes whether user plane confidentiality protection is to be enabled, and can be used to determine the user plane confidentiality protection enable indication. The user plane integrity protection policy describes whether user plane integrity protection is to be enabled, and can be used to determine the user plane integrity protection enable indication. The user plane confidentiality protection enable indication indicates the result for user plane confidentiality protection: enabled (performed) or not enabled (not performed) (for example, a first value means user plane confidentiality protection is enabled and a second value means it is not enabled). The user plane integrity protection enable indication indicates the result for user plane integrity protection: enabled (performed) or not enabled (not performed) (for example, a third value means user plane integrity protection is enabled and a fourth value means it is not enabled). In the embodiments of this application, user plane confidentiality protection protects the confidentiality of user plane data in transit, and user plane integrity protection protects the integrity of user plane data in transit. Integrity means that the signalling or data received is identical to the original and has not been modified, so integrity protection exists so that an attacker's tampering "does not succeed". Confidentiality means that the real content cannot be read directly, so confidentiality protection exists so that an attacker "cannot understand" it. In addition, confidentiality protection in the embodiments of this application may also be called encryption protection. This is stated here once and not repeated below.
In the embodiments of this application, the user plane security protection policy (both the user plane confidentiality protection policy and the user plane integrity protection policy) may take three values: REQUIRED, NOT NEEDED and PREFERRED. REQUIRED means security protection must be enabled; NOT NEEDED means security protection must not be enabled; PREFERRED means enabling is preferred, or optional, that is, security protection may be enabled or may be left disabled.
It should be noted that in the embodiments of this application, the user plane security protection policy and the user plane security protection enable indication are used for establishing a session that carries C2 communication, or for establishing a session that carries non-C2 communication. This is stated here once and not repeated below.
It should be noted that in the embodiments of this application, when a user plane confidentiality protection policy or a user plane integrity protection policy is sent, normally only one of the three values (REQUIRED, NOT NEEDED and PREFERRED) is sent; in certain special scenarios at least two values may be sent, one of which is PREFERRED. For example, sending NOT NEEDED and PREFERRED expresses a preference not to enable security protection, while sending REQUIRED and PREFERRED expresses a preference to enable it.
It should be noted that in the embodiments of this application, the user plane confidentiality protection policy and the user plane integrity protection policy may be the same, and the user plane confidentiality protection enable indication and the user plane integrity protection enable indication may be the same; this is not specifically limited in the embodiments of this application.
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. In the description of this application, unless otherwise stated, "/" indicates an "or" relationship between the associated objects; for example, A/B may mean A or B. "And/or" in this application merely describes an association between objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. Also, in the description of this application, unless otherwise stated, "a plurality of" means two or more. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may each be single or multiple. In addition, to describe the technical solutions of the embodiments clearly, words such as "first" and "second" are used to distinguish items that are the same or similar in function and effect. Those skilled in the art will understand that "first", "second" and the like do not limit quantity or execution order, and do not require the items to be different. Likewise, in the embodiments of this application, words such as "exemplary" or "for example" are used to present an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" should not be construed as preferred or more advantageous than other embodiments or designs; rather, such words are intended to present the relevant concepts in a concrete way to aid understanding.
In addition, the network architecture and service scenarios described in the embodiments of this application are intended to illustrate the technical solutions more clearly and do not limit them. Those of ordinary skill in the art will appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application remain applicable to similar technical problems.
As shown in Figure 2a, an embodiment of this application provides a communication system 20. The communication system 20 includes a management device 201 and a second session management entity 202 serving a second terminal device. The second terminal device is the peer device of a C2 communication, the C2 communication being communication between a first terminal device and the second terminal device, and the first terminal device being the initiating device of the C2 communication. The management device 201 and the second session management entity 202 may communicate directly or through forwarding by other devices (for example the second proxy function entity 203 in Figure 2a); this is not specifically limited in the embodiments of this application.
In one possible implementation, the management device 201 is configured to obtain a first user plane security protection enable indication, which indicates whether user plane security protection of a first session is enabled, the first session being the session used by the first terminal device to carry the C2 communication. The management device 201 is further configured to trigger the second terminal device to initiate establishment of a second session, the second session being the session used by the second terminal device to carry the C2 communication. The second session management entity 202 is configured to receive the first user plane security protection enable indication obtained by the management device 201 and to send it to the second access network device serving the second terminal device, where the first user plane security protection enable indication is used to determine whether user plane security protection of the second session is enabled. For the specific implementation of this solution, refer to the method embodiments that follow; it is not repeated here. In the communication system provided by this embodiment, the first user plane security protection enable indication determines whether user plane security protection of the second session is enabled, and at the same time indicates whether user plane security protection of the first session is enabled. In other words, both whether user plane security protection of the first session is enabled and whether user plane security protection of the second session is enabled are determined by the first user plane security protection enable indication. Since the first session is the session used by the first terminal device to carry the C2 communication between the first and second terminal devices, and the second session is the session used by the second terminal device to carry that C2 communication, this solution guarantees consistency of user plane security protection for the C2 communication between the first terminal device and the second terminal device.
In another possible implementation, the management device 201 is configured to obtain a first user plane security protection enable indication, which indicates whether user plane security protection of a first session is enabled, the first session being the session used by the first terminal device to carry the C2 communication. The management device 201 is further configured to trigger the second terminal device to initiate establishment of a second session, the second session being the session used by the second terminal device to carry the C2 communication. The second session management entity 202 is configured to receive the first user plane security protection enable indication obtained by the management device 201, determine a third user plane security protection policy from it, and then send the third user plane security protection policy to the second access network device serving the second terminal device. The third user plane security protection policy only takes the values "security protection must be enabled" or "security protection must not be enabled". The third user plane security protection policy is used to determine a second user plane security protection enable indication, which in turn determines whether user plane security protection of the second session is enabled, the second session being the session used by the second terminal device to carry the C2 communication. For the specific implementation of this solution, refer to the method embodiments that follow; it is not repeated here. In the communication system provided by this embodiment, the third user plane security protection policy determines the second user plane security protection enable indication, which indicates whether user plane security protection of the second session is enabled; the third user plane security protection policy is itself determined by the first user plane security protection enable indication, which indicates whether user plane security protection of the first session is enabled; and the third user plane security protection policy only takes the values "must be enabled" or "must not be enabled". In other words, both whether user plane security protection of the first session is enabled and whether user plane security protection of the second session is enabled are determined by the first user plane security protection enable indication. Since the first session is the session used by the first terminal device to carry the C2 communication, the second session is the session used by the second terminal device to carry that C2 communication, and the C2 communication is the communication between the first and second terminal devices, this solution guarantees consistency of user plane security protection for the C2 communication between the first terminal device and the second terminal device.
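To make the policy values and enable indications of the third point above, and the two implementations of communication system 20, concrete, the following is an added Python model that is not part of the patent: decide_one turns the sent policy value(s) into an enable indication, third_policy_from_indication is the second session management entity's pinning step, and establish_c2_pair contrasts a peer session decided on its own (the situation in which consistency cannot be guaranteed) with the forwarded-indication and derived-policy variants. The capability flags, the way PREFERRED and two-value policies resolve, and the scenarios are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Policy(Enum):
    """User plane security protection policy values named in the text."""
    REQUIRED = "REQUIRED"
    NOT_NEEDED = "NOT NEEDED"
    PREFERRED = "PREFERRED"


class Indication(Enum):
    """User plane security protection enable indication (the result)."""
    PERFORMED = "performed"
    NOT_PERFORMED = "not performed"


# A policy is sent as one value, or as two values one of which is PREFERRED,
# so each protection kind is modelled as a set of values.
@dataclass(frozen=True)
class UpPolicy:
    confidentiality: FrozenSet[Policy]
    integrity: FrozenSet[Policy]


@dataclass(frozen=True)
class UpIndication:
    confidentiality: Indication
    integrity: Indication


def decide_one(sent: FrozenSet[Policy], capable: bool) -> Indication:
    """Access-network decision for one protection kind, given the policy
    values sent and whether this node can apply the protection (assumed flag).
    REQUIRED that cannot be honoured raises: reject the session rather than
    silently downgrade. How PREFERRED resolves is an assumption here:
    PREFERRED alone and REQUIRED+PREFERRED follow local capability,
    NOT NEEDED+PREFERRED stays off."""
    if len(sent) == 2 and Policy.PREFERRED in sent:
        lean = next(p for p in sent if p is not Policy.PREFERRED)
        if lean is Policy.REQUIRED:
            return Indication.PERFORMED if capable else Indication.NOT_PERFORMED
        return Indication.NOT_PERFORMED
    if len(sent) != 1:
        raise ValueError("a policy is one value, or two values including PREFERRED")
    (value,) = sent
    if value is Policy.REQUIRED:
        if not capable:
            raise RuntimeError("REQUIRED cannot be satisfied: reject the session")
        return Indication.PERFORMED
    if value is Policy.NOT_NEEDED:
        return Indication.NOT_PERFORMED
    return Indication.PERFORMED if capable else Indication.NOT_PERFORMED


def ran_decide(policy: UpPolicy, can_cipher: bool, can_integrity: bool) -> UpIndication:
    """RAN decision for a whole session: confidentiality and integrity separately."""
    return UpIndication(decide_one(policy.confidentiality, can_cipher),
                        decide_one(policy.integrity, can_integrity))


def ran_apply_indication(ind: UpIndication, can_cipher: bool, can_integrity: bool) -> UpIndication:
    """Second RAN, first implementation: apply the forwarded first indication
    as-is; a 'performed' it cannot honour is rejected, never downgraded."""
    for wanted, capable in ((ind.confidentiality, can_cipher), (ind.integrity, can_integrity)):
        if wanted is Indication.PERFORMED and not capable:
            raise RuntimeError("forwarded indication cannot be honoured: reject the session")
    return ind


def third_policy_from_indication(first: UpIndication) -> UpPolicy:
    """Second SMF, second implementation: pin the peer session's policy to
    REQUIRED / NOT NEEDED only, so the second RAN has no room to diverge."""
    pin = {Indication.PERFORMED: frozenset({Policy.REQUIRED}),
           Indication.NOT_PERFORMED: frozenset({Policy.NOT_NEEDED})}
    return UpPolicy(pin[first.confidentiality], pin[first.integrity])


def establish_c2_pair(first_policy: UpPolicy, first_caps: Tuple[bool, bool],
                      second_policy: UpPolicy, second_caps: Tuple[bool, bool],
                      mode: str) -> Tuple[UpIndication, UpIndication]:
    """Simulate both sessions of one C2 communication (constructed scenario)
    and return (first indication, second indication).
    'legacy' : the second RAN decides from the second UE's own policy;
    'forward': the second SMF forwards the first indication to the second RAN;
    'derive' : the second SMF sends the derived third policy instead."""
    first = ran_decide(first_policy, *first_caps)
    # The management device (UTM/USS) has now obtained `first`, via the first
    # SMF (control plane) or the first UE (user plane), and triggers the peer.
    if mode == "legacy":
        second = ran_decide(second_policy, *second_caps)
    elif mode == "forward":
        second = ran_apply_indication(first, *second_caps)
    elif mode == "derive":
        second = ran_decide(third_policy_from_indication(first), *second_caps)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return first, second


def consistent(first: UpIndication, second: UpIndication) -> bool:
    """The property the text wants: both sessions of one C2 link agree."""
    return first == second
```

Running the legacy mode with a second RAN that cannot do integrity protection shows the mismatch the text describes, while the forward mode rejects that second session instead of letting the two sides diverge.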
Optionally, as shown in Figure 2b, the communication system 20 may further include a first session management entity 204 serving the first terminal device. The management device 201 and the first session management entity 204 may communicate directly or through forwarding by other devices (for example the first proxy function entity 205 in Figure 2b); this is not specifically limited in the embodiments of this application.
The first session management entity 204 is configured to send the first user plane security protection enable indication to the management device 201. Correspondingly, the management device 201 being configured to obtain the first user plane security protection enable indication includes being configured to receive it from the first session management entity 204. That is, in this embodiment, the management device can obtain the first user plane security protection enable indication through the control plane between the first terminal device and the management device.
Optionally, as shown in Figure 2c, the communication system 20 may further include a first terminal device 206. The management device 201 and the first terminal device 206 may communicate directly or through forwarding by other devices; this is not specifically limited in the embodiments of this application.
The first terminal device 206 is configured to send the first user plane security protection enable indication to the management device 201. Correspondingly, the management device 201 being configured to obtain the first user plane security protection enable indication includes being configured to receive it from the first terminal device 206. That is, in this embodiment, the management device can obtain the first user plane security protection enable indication through the user plane between the first terminal device and the management device.
Optionally, the communication system 20 shown in Figures 2a to 2c may be applied to the 5G network currently under discussion, or to other future networks; this is not specifically limited in the embodiments of this application.
By way of example, taking the communication system 20 of Figures 2a to 2c as applied to the 5G network currently under discussion, then, as shown in Figure 3, the network element or entity corresponding to the first session management entity or the second session management entity may be the SMF of the 5G network; the management device may be, for example, the UTM/USS of the 5G-network-enabled unmanned aerial system; and the network element or entity corresponding to the first proxy function entity or the second proxy function entity may be the UAV flight enablement subsystem (UFES), which provides the interface from the 3GPP network to the UTM/USS and thereby reduces the impact on the existing 3GPP network. In the embodiments of this application, the functions of the UFES include at least: providing UTM/USS selection and addressing for the 3GPP network, mapping between the external UAV IDs of terminal devices (including the first and second terminal devices) and their 3GPP identifiers, and obtaining terminal device subscription and policy control information from the 3GPP network on behalf of the UTM/USS. This is stated here once and not repeated below.
In addition, as shown in Figure 3, the 5G network may further include radio access network (RAN) devices, a user plane function (UPF), an access and mobility management function (AMF), an authentication server function (AUSF), a network slice selection function (NSSF), a network exposure function (NEF), a network repository function (NRF), a policy control function (PCF), unified data management (UDM), a unified data repository (UDR), an application function (AF), a charging function (CHF), and so on. A terminal device accesses the 5G network through a RAN device; the terminal device communicates with the AMF over the N1 interface (N1); the RAN device communicates with the AMF over the N2 interface (N2); the RAN device communicates with the UPF over the N3 interface (N3); the RAN device may also communicate with the UTM/USS; the SMF communicates with the UPF over the N4 interface (N4); and the UPF connects to the data network over the N6 interface (N6). In addition, the control plane functions shown in Figure 3, such as AUSF, AMF, SMF, NSSF, NEF, NRF, PCF, UDM, UDR, CHF, UFES and AF, interact through service-based interfaces. For example, the service-based interface exposed by the AUSF is Nausf; by the AMF, Namf; by the SMF, Nsmf; by the NSSF, Nnssf; by the NEF, Nnef; by the NRF, Nnrf; by the PCF, Npcf; by the UDM, Nudm; by the UDR, Nudr; by the CHF, Nchf; by the UFES, Nufes; and by the AF, Naf. For descriptions of the related functions and interfaces, refer to the 5G system architecture figure in the 23501 standard (3GPP TS 23.501); they are not repeated here.
It should be noted that in the embodiments of this application, the UFES may be deployed as a network element independent of the 5G network, or deployed on a network element of the 5G network, for example on the NEF; this is not specifically limited in the embodiments of this application.
Optionally, the terminal device in the embodiments of this application (including the first terminal device or the second terminal device above) may be a device for implementing a wireless communication function, for example a terminal or a chip usable in a terminal. It may be deployed on land (indoors or outdoors, handheld or vehicle-mounted), on water (for example on ships), or in the air (for example on aircraft, balloons and satellites). In one possible implementation, the first terminal device may be, for example, the UAV of a 5G-network-enabled unmanned aerial system or a chip usable in the UAV, and the second terminal device may be, for example, the UAVC of that system or a chip usable in the UAVC. In another possible implementation, the first terminal device may be, for example, the UAVC or a chip usable in the UAVC, and the second terminal device may be the UAV or a chip usable in the UAV. Of course, the first and second terminal devices may also be other terminal devices capable of C2 communication or communication similar to C2, for example terminal devices in scenarios such as remote-controlled driving, remote control of industrial machinery, and surveillance backhaul; this is not specifically limited in the embodiments of this application.
Optionally, the RAN device in the embodiments of this application is a device that provides wireless communication functions for terminal devices. Access network devices include, but are not limited to: the next-generation base station (gNodeB, gNB) in 5G, an evolved NodeB (eNB), a radio network controller (RNC), a NodeB (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved NodeB or home NodeB, HNB), a baseband unit (BBU), a transmitting and receiving point (TRP), a transmitting point (TP), a mobile switching centre, and so on.
Optionally, the management device, the first session management entity, or the second session management entity in the embodiments of this application may also be referred to as a communication apparatus, which may be a general-purpose device or a dedicated device; the embodiments of this application do not specifically limit this.
Optionally, the functions of the management device, the first session management entity, or the second session management entity in the embodiments of this application may be implemented by one device, jointly by several devices, or by one or more functional modules within a single device; the embodiments of this application do not specifically limit this. It should be understood that these functions may be network elements in hardware devices, software functions running on dedicated hardware, a combination of hardware and software, or virtualized functions instantiated on a platform (for example, a cloud platform).
For example, the functions of the management device, the first session management entity, or the second session management entity in the embodiments of this application may be implemented by the communication apparatus 400 in FIG. 4. FIG. 4 is a schematic structural diagram of a communication apparatus 400 according to an embodiment of this application. The communication apparatus 400 includes one or more processors 401, a communication line 402, and at least one communication interface (FIG. 4 shows one communication interface 404 and one processor 401 merely as an example), and may optionally also include a memory 403.
The processor 401 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solution of this application.
The communication line 402 may include a path for connecting the different components.
The communication interface 404 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, a RAN, or a wireless local area network (WLAN). For example, the transceiver module may be a device such as a transceiver. Optionally, the communication interface 404 may also be a transceiver circuit located in the processor 401, used to implement signal input and signal output for the processor.
The memory 403 may be an apparatus having a storage function. For example, it may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, a laser disc, an optical disc, a digital versatile disc, a Blu-ray disc, and so on), a magnetic disk storage medium or another magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the communication line 402, or the memory may be integrated with the processor.
The memory 403 is used to store computer-executable instructions for executing the solution of this application, and their execution is controlled by the processor 401. The processor 401 is configured to execute the computer-executable instructions stored in the memory 403, so as to implement the communication method provided in the embodiments of this application.
Alternatively and optionally, in the embodiments of this application, the processor 401 may perform the processing-related functions of the communication methods provided in the following embodiments, while the communication interface 404 is responsible for communicating with other devices or communication networks; the embodiments of this application do not specifically limit this.
Optionally, the computer-executable instructions in the embodiments of this application may also be referred to as application code; the embodiments of this application do not specifically limit this.
In a specific implementation, as an embodiment, the processor 401 may include one or more CPUs, for example CPU0 and CPU1 in FIG. 4.
In a specific implementation, as an embodiment, the communication apparatus 400 may include multiple processors, for example the processor 401 and the processor 408 in FIG. 4. Each of these processors may be a single-core processor or a multi-core processor. A processor here may include, but is not limited to, at least one of the following: a central processing unit (CPU), a microprocessor, a digital signal processor (DSP), a microcontroller unit (MCU), an artificial intelligence processor, or another kind of computing device that runs software; each such computing device may include one or more cores for executing software instructions to perform computation or processing.
In a specific implementation, as an embodiment, the communication apparatus 400 may further include an output device 405 and an input device 406. The output device 405 communicates with the processor 401 and may display information in a variety of ways. For example, the output device 405 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector. The input device 406 communicates with the processor 401 and may receive user input in a variety of ways. For example, the input device 406 may be a mouse, a keyboard, a touchscreen device, or a sensing device.
The communication apparatus 400 described above may also sometimes be referred to simply as a communication apparatus, and may be a general-purpose device or a dedicated device. For example, the communication apparatus 400 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, an embedded device, one of the terminal devices described above, one of the network devices described above, or a device with a structure similar to that in FIG. 4. The embodiments of this application do not limit the type of the communication apparatus 400.
The communication method provided in the embodiments of this application is described below with reference to the accompanying drawings.
As shown in FIG. 5, a communication method provided in an embodiment of this application includes the following steps:
S501. The management device obtains a first user plane security protection enabling indication, where the first user plane security protection enabling indication indicates whether the user plane security protection of a first session is enabled. The first session is a session used by the first terminal device to carry C2 communication, the first terminal device is the initiating device of the C2 communication, the second terminal device is the peer device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device.
In this embodiment and the embodiments below, for a description of the first user plane security protection enabling indication, refer to the Summary section; details are not repeated here.
In one possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receiving the first user plane security protection enabling indication from the first session management entity, where the first session management entity is the session management entity serving the first terminal device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 8 or FIG. 9; details are not repeated here.
In another possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receiving the first user plane security protection enabling indication from the first terminal device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 9; details are not repeated here.
In yet another possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device receiving the first user plane security protection enabling indication from a first proxy function entity, where the first proxy function entity provides an interface from the first session management entity to the management device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 11; details are not repeated here.
In yet another possible implementation, the management device obtaining the first user plane security protection enabling indication includes: the management device determining that pairing authorization between the first terminal device and the second terminal device has succeeded; the management device sending a third message to the first proxy function entity, where the third message includes identification information of the first terminal device and is used to request the first user plane security protection enabling indication; and the management device receiving the first user plane security protection enabling indication from the first proxy function entity. The first proxy function entity provides an interface from the first session management entity to the management device, and the first session management entity is the session management entity serving the first terminal device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 10 or FIG. 11; details are not repeated here.
S502. The management device triggers the second terminal device to initiate establishment of a second session. Whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is a session used by the second terminal device to carry the C2 communication.
In one possible implementation, the management device triggering the second terminal device to initiate establishment of the second session includes: the management device sending a first message to the second terminal device, where the first message triggers the second terminal device to initiate establishment of the second session; and the management device sending the first user plane security protection enabling indication to a second unified data management entity, where the second unified data management entity is the unified data management entity serving the second terminal device. For a specific implementation, refer to the embodiment shown in FIG. 8; details are not repeated here.
In another possible implementation, the management device triggering the second terminal device to initiate establishment of the second session includes: the management device sending a first message to the second terminal device, where the first message triggers the second terminal device to initiate establishment of the second session; and the management device receiving a second message from a second proxy function entity and sending the first user plane security protection enabling indication to the second proxy function entity. The second message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication; the second proxy function entity provides an interface from the second session management entity to the management device; and the second session management entity is the session management entity serving the second terminal device. For a specific implementation, refer to the embodiment shown in FIG. 8; details are not repeated here.
In the communication method provided in this embodiment, the management device can obtain the first user plane security protection enabling indication and trigger the second terminal device to initiate establishment of the second session. Whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and that same indication indicates whether the user plane security protection of the first session is enabled. In other words, both whether the user plane security protection of the first session is enabled and whether the user plane security protection of the second session is enabled are determined by the first user plane security protection enabling indication. Since the first session is the session used by the first terminal device to carry the C2 communication between the first terminal device and the second terminal device, and the second session is the session used by the second terminal device to carry that C2 communication, this solution guarantees consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
The actions of the management device in steps S501 and S502 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application code stored in the memory 403 to instruct the management device; this embodiment imposes no limitation on this.
As shown in FIG. 6, a communication method provided in an embodiment of this application includes the following steps:
S601. The first session management entity obtains a first user plane security protection enabling indication, where the first user plane security protection enabling indication indicates whether the user plane security protection of a first session is enabled. The first session is a session used by the first terminal device to carry C2 communication, the first terminal device is the initiating device of the C2 communication, the second terminal device is the peer device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is the session management entity serving the first terminal device.
In one possible implementation, the first session management entity obtaining the first user plane security protection enabling indication includes: the first session management entity obtaining a first user plane security protection policy from the first unified data management entity serving the first terminal device; the first session management entity sending the first user plane security protection policy to the first access network device serving the first terminal device; and the first session management entity receiving the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
In another possible implementation, the first session management entity obtaining the first user plane security protection enabling indication includes: the first session management entity obtaining a first user plane security protection policy from the first unified data management entity serving the first terminal device; the first session management entity sending the first user plane security protection policy to the first access network device serving the first terminal device; the first session management entity receiving a seventh message from the first access network device, where the seventh message indicates that the first access network device has established the first session according to the first user plane security protection policy; and, in response to the seventh message, the first session management entity determining the first user plane security protection enabling indication according to the first user plane security protection policy.
For a specific implementation of the above solutions, refer to the embodiment shown in FIG. 8; details are not repeated here.
S602. The first session management entity sends the first user plane security protection enabling indication. The first user plane security protection enabling indication is used to determine whether the user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
In one possible implementation, the first session management entity sending the first user plane security protection enabling indication includes: the first session management entity sending the first user plane security protection enabling indication to the management device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 8 or FIG. 9; details are not repeated here.
In another possible implementation, the first session management entity sending the first user plane security protection enabling indication includes: the first session management entity sending the first user plane security protection enabling indication to a first proxy function entity, where the first proxy function entity provides an interface from the first session management entity to the management device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 10 or FIG. 11; details are not repeated here. Optionally, before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, the method further includes: the first session management entity receiving a fourth message from the first proxy function entity, where the fourth message includes identification information of the first terminal device and is used to request the first user plane security protection enabling indication. For a specific implementation of this solution, refer to the embodiment shown in FIG. 10; details are not repeated here.
In the communication method provided in this embodiment, the first session management entity obtains the first user plane security protection enabling indication and sends it onward. The first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled, and that same indication indicates whether the user plane security protection of the first session is enabled. In other words, both whether the user plane security protection of the first session is enabled and whether the user plane security protection of the second session is enabled are determined by the first user plane security protection enabling indication. Since the first session is the session used by the first terminal device to carry the C2 communication between the first terminal device and the second terminal device, and the second session is the session used by the second terminal device to carry that C2 communication, this solution guarantees consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
The actions of the first session management entity in steps S601 and S602 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application code stored in the memory 403 to instruct the first session management entity; this embodiment imposes no limitation on this.
As shown in FIG. 7a, a communication method provided in an embodiment of this application includes the following steps:
S701a. The second session management entity obtains a first user plane security protection enabling indication, where the first user plane security protection enabling indication indicates whether the user plane security protection of a first session is enabled. The first session is a session used by the first terminal device to carry C2 communication, the first terminal device is the initiating device of the C2 communication, the second terminal device is the peer device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device.
In one possible implementation, the second session management entity obtaining the first user plane security protection enabling indication includes: the second session management entity sending a fifth message to the second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device and is used to request a second user plane security protection policy; and the second session management entity receiving the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity. For a specific implementation of this solution, refer to the embodiment shown in FIG. 8; details are not repeated here.
In another possible implementation, the second session management entity obtaining the first user plane security protection enabling indication includes: the second session management entity sending a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, and the second proxy function entity provides an interface from the second session management entity to the management device; and the second session management entity receiving the first user plane security protection enabling indication from the second proxy function entity. Optionally, before the second session management entity sends the sixth message to the second proxy function entity, the method further includes: the second session management entity receiving indication information from the second terminal device, where the indication information indicates that the second session which the second terminal device requests to establish is used to respond to the C2 communication initiated by the first terminal device. For a specific implementation of this solution, refer to the embodiment shown in FIG. 8; details are not repeated here.
S702a. The second session management entity sends the first user plane security protection enabling indication to the second access network device serving the second terminal device. The first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
In the communication method provided in this embodiment, the first user plane security protection enabling indication is used to determine whether the user plane security protection of the second session is enabled, and that same indication indicates whether the user plane security protection of the first session is enabled. In other words, both whether the user plane security protection of the first session is enabled and whether the user plane security protection of the second session is enabled are determined by the first user plane security protection enabling indication. Since the first session is the session used by the first terminal device to carry the C2 communication between the first terminal device and the second terminal device, and the second session is the session used by the second terminal device to carry that C2 communication, this solution guarantees consistency of the user plane security protection of the C2 communication between the first terminal device and the second terminal device.
The actions of the second session management entity in steps S701a and S702a above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application code stored in the memory 403 to instruct the second session management entity; this embodiment imposes no limitation on this.
As shown in FIG. 7b, a communication method provided by an embodiment of the present application includes the following steps:
S701b. Same as step S701a; for the related description, refer to the embodiment shown in FIG. 7a, which is not repeated here.
S702b. The second session management entity determines a third user plane security protection policy according to the first user plane security protection enable indication. The third user plane security protection policy includes only "security protection mandatory on" or "security protection mandatory off".
In a possible implementation, for the way in which the second session management entity determines the third user plane security protection policy according to the first user plane security protection enable indication, refer to the Summary of the Invention above; it is not repeated here.
S703b. The second session management entity sends the third user plane security protection policy to the second access network device serving the second terminal device. The third user plane security protection policy is used to determine a second user plane security protection enable indication, the second user plane security protection enable indication is used to determine whether the user plane security protection of the second session is enabled, and the second session is the session used by the second terminal device to carry the C2 communication.
In this embodiment and the following embodiments, for the description of the second user plane security protection enable indication, refer to the Summary of the Invention; it is not repeated here.
In the communication method provided by this embodiment of the present application, the third user plane security protection policy is used to determine the second user plane security protection enable indication, which indicates whether the user plane security protection of the second session is enabled; the third user plane security protection policy is itself determined by the first user plane security protection enable indication, which indicates whether the user plane security protection of the first session is enabled; and the third user plane security protection policy includes only "security protection mandatory on" or "security protection mandatory off". In other words, whether the user plane security protection of the first session is enabled and whether that of the second session is enabled are both determined by the first user plane security protection enable indication. Since the first session is the session used by the first terminal device to carry the C2 communication between the first terminal device and the second terminal device, and the second session is the session used by the second terminal device to carry that same C2 communication, this solution guarantees that the user plane security protection of the C2 communication between the first terminal device and the second terminal device is consistent.
The actions of the second session management entity in steps S701b to S703b above may be performed by the processor 401 of the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct the second session management entity; this embodiment imposes no restriction on this.
The communication method provided by the embodiments of the present application is described in detail below, taking as an example the communication system of FIG. 2a to FIG. 2c applied to the 5G network shown in FIG. 3, where the first terminal device is a UAV, the second terminal device is a UAVC, the management device is the UTM/USS, the first access network device serving the first terminal device is RAN device 1, the second access network device serving the second terminal device is RAN device 2, the first session management entity serving the first terminal device is SMF1, the second session management entity serving the second terminal device is SMF2, the first unified data management entity serving the first terminal device is UDM1, the second unified data management entity serving the second terminal device is UDM2, the first proxy function entity serving the first terminal device is UFES1, and the second proxy function entity serving the second terminal device is UFES2. Of course, in the embodiments of the present application the first terminal device may also be the UAVC and the second terminal device the UAV; in that case the operations of the UAV and the UAVC in the following embodiments are simply exchanged. This is stated here once and not repeated below.
It should be noted that the names of the messages exchanged between network elements and the names of the parameters in those messages in the following embodiments of the present application are only examples; other names may be used in a specific implementation, and the embodiments of the present application impose no specific limitation on this.
It should be noted that the following examples of the present application all assume that a UFES exists between the 3GPP network and the UTM/USS and that the UFES is an independent network element. Of course, the UFES may also be part of the functions of an existing 3GPP network element (for example, part of the functions of the NEF); in that case, the interactions between the UFES and the 3GPP network or the UTM/USS in the following examples can be replaced by interactions between that 3GPP network element (for example, the NEF) and the 3GPP network or the UTM/USS. This is stated here once and not repeated below.
In a possible implementation, the UTM/USS may obtain, during the process in which the UAV establishes the first PDU session for carrying the C2 communication between the UAV and the UAVC (hereinafter simply "C2 communication"), the first user plane security protection enable indication, which indicates whether the user plane security protection of the first PDU session is enabled. Further, SMF2 serving the UAVC may obtain the first user plane security protection enable indication during the process in which the UAVC establishes the second PDU session for carrying the C2 communication. Exemplarily, as shown in FIG. 8, a communication method provided by an embodiment of the present application includes the registration procedure of the UAV and the UAVC with the 3GPP network, as in steps S801a and S801b below:
S801a. The UAV registers with the 3GPP network; for the specific registration procedure, refer to the prior art, which is not repeated here.
In this embodiment of the present application, the UAV may obtain, during registration with the 3GPP network, the 3GPP device ID allocated to the UAV by the 3GPP network (hereinafter the 3GPP UAV ID). The 3GPP UAV ID uniquely identifies the UAV within the 3GPP network in which the UAV is registered. Exemplarily, the 3GPP UAV ID may be a subscription permanent identifier (SUPI) or a subscription concealed identifier (SUCI).
S801b. The UAVC registers with the 3GPP network; for the specific registration procedure, refer to the prior art, which is not repeated here.
In this embodiment of the present application, the UAVC may obtain, during registration with the 3GPP network, the 3GPP device ID allocated to the UAVC by the 3GPP network (hereinafter the 3GPP UAVC ID). The 3GPP UAVC ID uniquely identifies the UAVC within the 3GPP network in which the UAVC is registered. Exemplarily, the 3GPP UAVC ID may be a SUPI or a SUCI.
It should be noted that, in this embodiment of the present application, the 3GPP network with which the UAV is registered and the 3GPP network with which the UAVC is registered may be the same 3GPP network or different 3GPP networks; this is not specifically limited in the embodiments of the present application.
It should be noted that, in addition to the respective 3GPP device IDs described above, the UAV and the UAVC in the embodiments of the present application are each also preconfigured with an external UAV ID. The external UAV ID is allocated by a non-3GPP network, for example a UAV ID allocated to the UAV or the UAVC by a civil aviation authority (CAA).
Further, the communication method provided by this embodiment of the present application also includes the procedure in which the UAV triggers establishment of the first PDU session, as in steps S802 to S813 below:
S802. The UAV sends session establishment request 1 to SMF1 in the 3GPP network. Correspondingly, SMF1 receives session establishment request 1 from the UAV. Session establishment request 1 includes the 3GPP UAV ID and indication information 1, where indication information 1 indicates that the first PDU session the UAV requests to establish is used to carry the C2 communication.
In a possible implementation, indication information 1 may be an explicit indication. For example, indication information 1 may be a UAS operation request indication, where the UAS operation request indication is a C2 request and explicitly indicates that the first PDU session the UAV requests to establish is used to carry the C2 communication. Optionally, in this embodiment of the present application, the UAS operation request indication may further indicate that the C2 request is an active C2 request.
In another possible implementation, indication information 1 may be an implicit indication. For example, indication information 1 may be data network name (DNN) information dedicated to C2 communication, or a combination of a DNN and a slice dedicated to C2 communication, and so on.
Of course, if before step S802 the UAV and the UAVC have already been paired offline in a non-3GPP manner (for example, the two devices are paired via Bluetooth) or paired in another manner, the UAV can obtain the pairing identifier of the UAVC paired with it. Further, session establishment request 1 may include the pairing identifier of the UAVC, and the pairing identifier of the UAVC can be used to implicitly indicate that the first PDU session the UAV requests to establish is used to carry the C2 communication. Exemplarily, the pairing identifier of the UAVC may be the 3GPP UAVC ID or the external UAV ID of the UAVC.
Optionally, in this embodiment of the present application, when the pairing identifier of the UAVC is the external UAV ID of the UAVC, the external UAV ID of the UAVC may be carried in a container of session establishment request 1. In this way, on the one hand, because intermediate nodes forward the container transparently without modifying its contents, the security of this parameter can be guaranteed; on the other hand, because intermediate nodes need not parse this parameter, their processing resources are saved and their processing efficiency is improved.
S803. After SMF1 determines, according to indication information 1, that the first PDU session the UAV requests to establish is used to carry the C2 communication, SMF1 obtains the first user plane security protection policy from UDM1. The first user plane security protection policy is used to establish the first PDU session.
In this embodiment of the present application, for the description of the first user plane security protection policy, refer to the description of "user plane security protection policy" in the preamble of the Detailed Description; it is not repeated here.
In a possible implementation, after SMF1 determines, according to indication information 1, that the first PDU session the UAV requests to establish is used for the C2 communication, SMF1 sends a request message to UDM1. The request message includes the 3GPP UAV ID and requests the first user plane security protection policy. After receiving the request message, UDM1 determines the first user plane security protection policy according to the 3GPP UAV ID and carries the first user plane security protection policy in the response message it sends to SMF1.
S804. SMF1 sends the first user plane security protection policy to RAN device 1. Correspondingly, RAN device 1 receives the first user plane security protection policy from SMF1.
S805. RAN device 1 determines the first user plane security protection enable indication according to the first user plane security protection policy. The first user plane security protection enable indication indicates whether the user plane security protection of the first PDU session is enabled.
In this embodiment of the present application, when RAN device 1 determines the first user plane security protection enable indication according to the first user plane security protection policy, it may also take other information into account, such as the resource usage on the first access network device or the maximum integrity protection rate the first terminal device can support.
For example, when the first user plane security protection policy specifies user plane confidentiality protection as optional and user plane integrity protection as optional, and RAN device 1 is currently relatively idle and has sufficient resources to protect the UAV's user plane data, RAN device 1 may decide to enable both user plane confidentiality protection and user plane integrity protection; that is, the first user plane security protection enable indication indicates that user plane confidentiality protection is enabled and user plane integrity protection is enabled. For another example, when the first user plane security protection policy specifies user plane confidentiality protection as optional and user plane integrity protection as optional, but RAN device 1 currently does not have sufficient resources to protect the UAV's user plane data, RAN device 1 may decide not to enable user plane confidentiality protection or user plane integrity protection; that is, the first user plane security protection enable indication indicates that user plane confidentiality protection is not enabled and user plane integrity protection is not enabled.
For example, in this embodiment of the present application, when the first user plane security protection policy specifies user plane confidentiality protection as mandatory on and user plane integrity protection as mandatory on, and RAN device 1 is currently relatively idle and has sufficient resources to protect the UAV's user plane data, RAN device 1 may decide to enable user plane confidentiality protection and user plane integrity protection; that is, the first user plane security protection enable indication indicates that user plane confidentiality protection is enabled and user plane integrity protection is enabled. For another example, when the first user plane security protection policy specifies user plane confidentiality protection as mandatory off and user plane integrity protection as mandatory off, RAN device 1 may decide not to enable user plane confidentiality protection or user plane integrity protection; that is, the first user plane security protection enable indication indicates that user plane confidentiality protection is not enabled and user plane integrity protection is not enabled. Other cases are similar and are not repeated here.
Of course, in this embodiment of the present application, when the first user plane security protection policy specifies user plane confidentiality protection as mandatory on and user plane integrity protection as mandatory on, but RAN device 1 currently does not have sufficient resources to protect the UAV's user plane data, RAN device 1 may decide to reject establishment of the first PDU session, and may then send SMF1 an indication rejecting establishment of the first PDU session in order to terminate the subsequent procedure; this embodiment of the present application does not elaborate on that case. This ensures that every node on the path carrying the C2 communication on the UAV side can support the first user plane security protection enable indication, so that normal C2 communication between the UAV and the UAVC is guaranteed.
Further, when RAN device 1 does not reject establishment of the first PDU session, the communication method provided by this embodiment of the present application further includes the following step S806:
S806. RAN device 1 sends a PDU session resource setup response transfer message to SMF1. Correspondingly, SMF1 receives the PDU session resource setup response transfer message from RAN device 1. The PDU session resource setup response transfer message indicates that RAN device 1 has established the first PDU session according to the first user plane security protection policy.
It should be noted that, in this embodiment of the present application, the PDU session resource setup response transfer message sent by RAN device 1 to SMF1 is only one example of the seventh message in the embodiment shown in FIG. 6; the seventh message may also be another message, which is not specifically limited in the embodiments of the present application.
In this embodiment of the present application, when the first user plane security protection policy is "security protection optional", the PDU session resource setup response transfer message includes the first user plane security protection enable indication. When the PDU session resource setup response transfer message does not include the first user plane security protection enable indication (that is, when the first user plane security protection policy is "security protection mandatory on" or "security protection mandatory off"), the communication method provided by this embodiment of the present application further includes the following step S807:
S807. In response to the PDU session resource setup response transfer message, SMF1 determines the first user plane security protection enable indication according to the first user plane security protection policy.
That is, in this embodiment of the present application, when the first user plane security protection policy is a deterministic policy (for example, it specifies user plane confidentiality protection as mandatory on or mandatory off and user plane integrity protection as mandatory on or mandatory off), RAN device 1 need not explicitly notify SMF1 of the result of enabling user plane security protection. Once SMF1 determines that the first session has been established, it can itself determine, according to the first user plane security protection policy, whether user plane confidentiality protection and user plane integrity protection are enabled.
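As an added illustration (not code from the patent or from its applicant), the following Python models the three decisions the text describes: RAN device 1 deriving the first enable indication from the policy and its resource state (step S805, including rejection when a mandatory-on policy cannot be honoured), SMF1 deriving the indication itself when the policy is deterministic (steps S806 and S807), and SMF2 turning the first indication into a third policy that contains only mandatory on / mandatory off (step S702b) so that the second session cannot end up with different protection. The names `UpSecurityPolicy`, `ran_decide`, `derive_third_policy` and the boolean `has_resources` standing in for the RAN's resource check are assumptions of this example; the page defines none of them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Pref(Enum):
    # Per-feature values of a user plane security protection policy, as on the page.
    MANDATORY_ON = "mandatory_on"
    OPTIONAL = "optional"
    MANDATORY_OFF = "mandatory_off"


@dataclass(frozen=True)
class UpSecurityPolicy:
    confidentiality: Pref
    integrity: Pref

    def is_deterministic(self) -> bool:
        # No OPTIONAL entry means the outcome is fixed by the policy alone (step S807).
        return Pref.OPTIONAL not in (self.confidentiality, self.integrity)


@dataclass(frozen=True)
class EnableIndication:
    # The user plane security protection enable indication for one session.
    confidentiality_on: bool
    integrity_on: bool


class SessionRejected(Exception):
    """Raised when the RAN cannot honour a mandatory-on policy (S805 rejection case)."""


def _decide_feature(pref: Pref, has_resources: bool) -> bool:
    if pref is Pref.MANDATORY_ON:
        if not has_resources:
            raise SessionRejected("mandatory protection requested but RAN lacks resources")
        return True
    if pref is Pref.MANDATORY_OFF:
        return False
    # OPTIONAL: the RAN decides from its own load (assumed boolean stand-in).
    return has_resources


def ran_decide(policy: UpSecurityPolicy, has_resources: bool) -> EnableIndication:
    """Step S805: a RAN device combines the policy with its local resource state."""
    return EnableIndication(
        confidentiality_on=_decide_feature(policy.confidentiality, has_resources),
        integrity_on=_decide_feature(policy.integrity, has_resources),
    )


def smf_derive_indication(policy: UpSecurityPolicy,
                          reported: Optional[EnableIndication]) -> EnableIndication:
    """Steps S806/S807: use the indication carried in the RAN response if present;
    otherwise the policy must be deterministic and the SMF derives it itself."""
    if reported is not None:
        return reported
    if not policy.is_deterministic():
        raise ValueError("optional policy: the RAN response must carry the indication")
    return EnableIndication(
        confidentiality_on=policy.confidentiality is Pref.MANDATORY_ON,
        integrity_on=policy.integrity is Pref.MANDATORY_ON,
    )


def derive_third_policy(first: EnableIndication) -> UpSecurityPolicy:
    """Step S702b: map the first session's indication to a policy with only
    mandatory on / mandatory off, leaving RAN device 2 no room to diverge."""
    on, off = Pref.MANDATORY_ON, Pref.MANDATORY_OFF
    return UpSecurityPolicy(confidentiality=on if first.confidentiality_on else off,
                            integrity=on if first.integrity_on else off)


def run_scenario(first_policy: UpSecurityPolicy, ran1_has_resources: bool,
                 ran2_has_resources: bool) -> tuple:
    """End to end: RAN1 decides, SMF1 learns the result, SMF2 derives the third
    policy, RAN2 applies it. Returns (first_indication, second_indication).
    Raises SessionRejected if either RAN cannot honour a mandatory-on policy."""
    ind1 = ran_decide(first_policy, ran1_has_resources)
    # Page: the RAN response carries the indication only for an optional policy.
    reported = ind1 if not first_policy.is_deterministic() else None
    ind1_at_smf = smf_derive_indication(first_policy, reported)
    ind2 = ran_decide(derive_third_policy(ind1_at_smf), ran2_has_resources)
    return ind1_at_smf, ind2


if __name__ == "__main__":
    pol = UpSecurityPolicy(Pref.OPTIONAL, Pref.OPTIONAL)
    a, b = run_scenario(pol, ran1_has_resources=True, ran2_has_resources=True)
    print(a, b, "consistent:", a == b)
```

Whatever RAN device 1 chose for an optional policy, the second indication equals the first because the third policy removes the optional case; the only way the second session can differ is to be rejected outright, which is the behaviour the page describes for a mandatory-on policy without resources.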
Based on step S806 or step S807 above, SMF1 can obtain the first user plane security protection enable indication. The first PDU session establishment procedure then further includes the following steps:
S808. SMF1 sends message 1 to UFES1. Correspondingly, UFES1 receives message 1 from SMF1. Message 1 includes the 3GPP UAV ID and the first user plane security protection enable indication.
S809. UFES1 sends message 2 to the UTM/USS. Correspondingly, the UTM/USS receives message 2 from UFES1. Message 2 includes the external UAV ID of the UAV and the first user plane security protection enable indication.
Regarding steps S808 and S809 above:
In a possible implementation, message 1 and message 2 may be messages used for pairing authorization in the session establishment procedure (such as a C2 pairing request); or message 1 and message 2 may be messages used for secondary authentication in the session establishment procedure, in which case the UAV may optionally use that secondary authentication procedure to complete USS UAV authorization/authentication (UUAA) and/or pairing authorization; or message 1 and message 2 may be messages used for UUAA in the session establishment procedure; or message 1 and message 2 may be other existing messages or newly defined messages in the session establishment procedure. This is not specifically limited in the embodiments of the present application.
In another possible implementation, before SMF1 sends message 1 to UFES1, SMF1 sends message a to UFES1. After UFES1 receives message a from SMF1 and determines from message a that the first PDU session the UAV requests to establish is used to carry the C2 communication, UFES1 requests the first user plane security protection enable indication from SMF1, and SMF1 then sends message 1 to UFES1. In this scenario, message a and message 2 may be messages used for pairing authorization in the session establishment procedure (such as a C2 pairing request); or message a and message 2 may be messages used for secondary authentication in the session establishment procedure, in which case the UAV may optionally use that secondary authentication procedure to complete UUAA and/or pairing authorization; or message a and message 2 may be messages used for UUAA in the session establishment procedure; or message a and message 2 may be other messages in the session establishment procedure. This is not specifically limited in the embodiments of the present application.
In this embodiment of the present application, after UFES1 obtains the 3GPP UAV ID from the 3GPP network, it can "translate" the 3GPP UAV ID into the external UAV ID of the UAV, which the UTM/USS can recognize, according to the stored mapping between the 3GPP UAV ID and the external UAV ID of the UAV, and send the external UAV ID of the UAV to the UTM/USS. This is stated here once and not repeated below.
In this embodiment of the present application, if session establishment request 1 includes the pairing identifier of the UAVC, message 1 and message 2 also include the pairing identifier of the UAVC. When the pairing identifier of the UAVC is the 3GPP UAVC ID, after UFES1 obtains the 3GPP UAVC ID from the 3GPP network, it can "translate" the 3GPP UAVC ID into the external UAV ID of the UAVC, which the UTM/USS can recognize, according to the stored mapping between the 3GPP UAVC ID and the external UAV ID of the UAVC, and send the external UAV ID of the UAVC to the UTM/USS. This is stated here once and not repeated below.
Based on step S808 or step S809 above, the UTM/USS can obtain the first user plane security protection enable indication. Optionally, in this embodiment of the present application, if C2 pairing authorization is performed within the first PDU session establishment procedure, the communication method provided by this embodiment further includes the following step S810:
S810、UTM/USS确定与UAV配对的UAVC在网后,对C2配对请求进行授权。S810: After the UTM/USS determines that the UAVC paired with the UAV is on the network, it authorizes the C2 pairing request.
需要说明的是,本申请实施例中,UAVC在网可以是UAVC与UTM/USS通过3GPP方式连接,进而使用3GPP接入方式执行UUAA流程以获得UTM/USS的认证授权; 或者,本申请实施例中,UAVC在网可以是UAVC与UTM/USS通过非3GPP方式连接,进而使用非3GPP接入方式获得UTM/USS的认证授权,本申请实施例对此不做具体限定。It should be noted that, in the embodiment of the present application, the UAVC on the network may be the UAVC and the UTM/USS connected through 3GPP, and then the 3GPP access method is used to execute the UUAA process to obtain the authentication and authorization of the UTM/USS; or, the embodiment of the present application In the UAVC network, the UAVC may be connected to the UTM/USS in a non-3GPP manner, and then use a non-3GPP access manner to obtain the authentication and authorization of the UTM/USS, which is not specifically limited in this embodiment of the present application.
一种可能的实现方式中,若在步骤S802之前,UAV和UAVC已经线下通过非3GPP方式配对(例如两设备通过蓝牙配对)或者通过其他方式配对,UTM/USS可以从接收到的消息中获得UAVC的外部UAV ID,并根据UAVC的外部UAV ID确定UAVC是否已经获得UTM/USS的认证授权。如果UAVC已经获得UTM/USS的认证授权,则UTM/USS可以确定UAVC在网。其中,UTM/USS从接收到的消息中获得UAVC的外部UAV ID的方式包括:解析接收到的消息中的container,获得container中包含的UAVC的外部UAV ID;或者,从接收到的消息中直接获得UAVC的外部UAV ID。In a possible implementation manner, if before step S802, UAV and UAVC have been paired offline in a non-3GPP manner (for example, two devices are paired via Bluetooth) or paired in other manners, UTM/USS can obtain from the received message. The external UAV ID of the UAVC, and according to the external UAV ID of the UAVC, determine whether the UAVC has been authorized by the UTM/USS. If the UAVC has been authorized by the UTM/USS, the UTM/USS can determine that the UAVC is on the network. Wherein, the way that the UTM/USS obtains the external UAV ID of the UAVC from the received message includes: parsing the container in the received message, and obtaining the external UAV ID of the UAVC contained in the container; or, directly from the received message Get the external UAV ID of the UAVC.
In another possible implementation, the pairing relationship between the UAV and the UAVC may be stored in the UTM/USS (for example, the manufacturer of the UAV and the UAVC pairs them at the factory and registers the pairing relationship with the UTM/USS). The pairing relationship can be represented as a mapping between the external UAV ID of the UAV and the external UAV ID of the UAVC. The UTM/USS then uses the received external UAV ID of the UAV and the stored pairing relationship to determine the external UAV ID of the UAVC, and uses that ID to determine whether the UAVC has already been authenticated and authorized by the UTM/USS. If it has, the UTM/USS can determine that the UAVC is on the network.
In the embodiments of this application, the UTM/USS authorizing the C2 pairing request includes: the UTM/USS determining, from the obtained external UAV ID of the UAVC and the external UAV ID of the UAV, whether the UAV and the UAVC match.
In the embodiments of this application, after the UTM/USS determines that C2 pairing authorization between the UAV and the UAVC has succeeded, it may store the mapping between the external UAV ID of the UAV, the external UAV ID of the UAVC and the first user plane security protection enabling indication for later use.
Further, the first PDU session establishment procedure provided by the embodiments of this application also includes the following steps:
S811: The remaining steps of establishing the first PDU session between the 3GPP network and the UTM/USS; for details, refer to the prior art, which are not repeated here.
It should be noted that in the embodiments of this application, if step S810 above is performed, then during these remaining establishment steps for the first PDU session between the 3GPP network and the UTM/USS, the UTM/USS needs to send SMF1, via UFES1, an indication that C2 pairing authorization between the UAV and the UAVC succeeded, so that SMF1 learns of the successful authorization. Alternatively, the C2 pairing authorization between the UAV and the UAVC may be completed during the registration procedure of steps S801a and S801b. In that scenario, when C2 pairing authorization between the UAV and the UAVC succeeds, SMF1 can likewise obtain an indication that it succeeded and thereby learn of the successful authorization.
S812: After determining that the first PDU session has been successfully established, SMF1 sends session establishment accept message 1 to RAN device 1. Correspondingly, RAN device 1 receives session establishment accept message 1 from SMF1. Session establishment accept message 1 includes the N1 session management container that SMF1 sends to the UAV and the N2 session management information that SMF1 sends to RAN device 1. The N2 session management information includes the session identifier of the first PDU session, the core network tunnel information (CN Tunnel Info) used to configure the N3 tunnel, and/or the QoS profile; for details, refer to the prior art, which are not repeated here.
S813: RAN device 1 sends session establishment accept message 2 to the UAV. Correspondingly, the UAV receives session establishment accept message 2 forwarded by RAN device 1. Session establishment accept message 2 includes the first user plane security protection enabling indication, the N1 session management container and the session identifier of the first PDU session. It may also include other parameters, which the embodiments of this application do not specifically limit.
Since both the UAV and RAN device 1 obtain the first user plane security protection enabling indication, during subsequent C2 communication between the UAV and the UAVC, the UAV and RAN device 1 can apply user plane security protection on the UAV side according to that indication.
Further, the communication method provided by the embodiments of this application also includes a procedure by which SMF2, which serves the UAVC, obtains the first user plane security protection enabling indication when establishing the second PDU session, either as mode A in steps S814-S818 below or as mode B in steps S819-S821 below.
Mode A is as follows:
S814: The UTM/USS sends message 3 to UFES2, which serves the UAVC. Correspondingly, UFES2 receives message 3 from the UTM/USS. Message 3 includes the external UAV ID of the UAVC and the first user plane security protection enabling indication.
S815: UFES2 sends message 4 to UDM2, which serves the UAVC. Correspondingly, UDM2 receives message 4 from UFES2. Message 4 includes the 3GPP UAVC ID and the first user plane security protection enabling indication.
For example, message 3 in the embodiments of this application may be a message that the UTM/USS uses to update UAS-service-related parameters in UFES2, and message 4 may be a message that UFES2 uses to update UAS-service-related parameters in UDM2.
Optionally, after UDM2 obtains the 3GPP UAVC ID and the first user plane security protection enabling indication, it may store the mapping between the two for later use. Optionally, before storing that mapping, UDM2 may use the 3GPP UAVC ID to look up the second user plane security protection policy it stores for the UAVC and determine whether that policy satisfies the first user plane security protection enabling indication obtained from the UTM/USS. If the second user plane security protection policy satisfies the first indication, UDM2 may store the mapping between the 3GPP UAVC ID and the first indication. If it does not, UDM2 may send a rejection indication to the UTM/USS via UFES2, indicating that the UAVC is refused permission to establish a PDU session carrying C2 communication. Conversely, if the second policy does satisfy the first indication, UDM2 may also send the UTM/USS, via UFES2, an indication that the UAVC is allowed to establish a PDU session carrying C2 communication; the embodiments of this application do not specifically limit this. This scheme has two benefits. First, it avoids a later C2 communication failure that could otherwise occur when the second user plane security protection policy does not satisfy the first user plane security protection enabling indication. Second, when the policy does not satisfy the indication, the UAVC's procedure for establishing the second PDU session can be terminated early, avoiding wasted signaling.
For example, suppose the first user plane security protection enabling indication indicates that user plane confidentiality protection is enabled and user plane integrity protection is enabled. If the second user plane security protection policy specifies that user plane confidentiality protection is mandatorily enabled and user plane integrity protection is mandatorily enabled, UDM2 can determine that the second policy satisfies the first indication. If instead the second policy specifies that user plane confidentiality protection is mandatorily disabled and user plane integrity protection is mandatorily disabled, UDM2 can determine that the second policy does not satisfy the first indication. If the second policy specifies that user plane confidentiality protection is optionally enabled and user plane integrity protection is optionally enabled, UDM2 can determine that the second policy satisfies the first indication. Other cases are analogous and are not described again.
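The compatibility check that UDM2 performs in step S815 (and that SMF2 may perform in the same way in step S821 before continuing or rejecting the second PDU session) is shown below as an added example; it is not code from the patent or from any 3GPP implementation. It assumes that each direction of a user plane security protection policy takes one of the three values REQUIRED, PREFERRED or NOT_NEEDED, which this example uses as names for the patent's "mandatorily enabled", "optionally enabled" and "mandatorily disabled", that an enabling indication is a pair of booleans (confidentiality on/off, integrity on/off), and that the 3GPP UAVC IDs and subscribed policies in the sample are constructed. The `Udm2` class and its `handle_message4` method are hypothetical names for the UDM2 behaviour the text describes.

```python
"""Added example (not the patent's code): UDM2 compatibility check of step S815.

Assumptions (not stated in the patent): a policy direction is REQUIRED / PREFERRED /
NOT_NEEDED, standing for the patent's mandatorily enabled / optionally enabled /
mandatorily disabled; an enabling indication is a pair of booleans.
"""
from dataclasses import dataclass
from enum import Enum


class PolicyValue(Enum):
    REQUIRED = "mandatorily enabled"
    PREFERRED = "optionally enabled"
    NOT_NEEDED = "mandatorily disabled"

    def admits(self, enabled: bool) -> bool:
        """True if a session whose protection is in state `enabled` is allowed by this value.

        PREFERRED admits either state; REQUIRED admits only "on"; NOT_NEEDED only "off".
        """
        if self is PolicyValue.PREFERRED:
            return True
        return enabled == (self is PolicyValue.REQUIRED)


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: PolicyValue   # user plane confidentiality protection
    integrity: PolicyValue   # user plane integrity protection


@dataclass(frozen=True)
class UpSecurityEnablingIndication:
    ciphering_on: bool
    integrity_on: bool


def policy_satisfies_indication(policy: UpSecurityPolicy,
                                indication: UpSecurityEnablingIndication) -> bool:
    """The check of S815: both directions of the policy must admit the indicated state."""
    return (policy.ciphering.admits(indication.ciphering_on)
            and policy.integrity.admits(indication.integrity_on))


class Udm2:
    """Hypothetical model of UDM2: holds the subscribed second policy per 3GPP UAVC ID and,
    after an accepted message 4, the mapping 3GPP UAVC ID -> first enabling indication."""

    def __init__(self, subscribed_policies: dict):
        self._policies = dict(subscribed_policies)
        self.c2_indications = {}

    def handle_message4(self, uavc_3gpp_id: str,
                        first_indication: UpSecurityEnablingIndication) -> str:
        """Returns 'allow' or 'reject', i.e. what UDM2 reports to the UTM/USS via UFES2."""
        policy = self._policies.get(uavc_3gpp_id)
        if policy is None:
            return "reject"            # unknown subscriber: no policy to vouch for
        if not policy_satisfies_indication(policy, first_indication):
            return "reject"            # would fail later at session establishment anyway
        self.c2_indications[uavc_3gpp_id] = first_indication
        return "allow"


if __name__ == "__main__":
    # Constructed sample: the UAVC subscription allows either state for ciphering
    # but requires integrity protection.
    udm2 = Udm2({"uavc-3gpp-id-1": UpSecurityPolicy(PolicyValue.PREFERRED,
                                                    PolicyValue.REQUIRED)})
    print(udm2.handle_message4("uavc-3gpp-id-1", UpSecurityEnablingIndication(True, True)))
    print(udm2.handle_message4("uavc-3gpp-id-1", UpSecurityEnablingIndication(True, False)))
```

The three cases in the paragraph above are the first three assertions; the mixed case shows why each direction has to be checked separately, and the unknown-subscriber case shows that an absent policy is treated as a rejection rather than as "anything goes".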
S816: The UTM/USS sends message 5 to the UAVC. Correspondingly, the UAVC receives message 5 from the UTM/USS. Message 5 is used to trigger the UAVC to initiate the establishment procedure for the second PDU session.
In the embodiments of this application, message 5 may be sent over the control plane or the user plane of the 3GPP network, or over a non-3GPP network; the embodiments of this application do not specifically limit this.
For example, message 5 in the embodiments of this application may be a C2 communication trigger request sent by the UTM/USS over the control plane or user plane of the 3GPP network; or it may be a C2 communication trigger request sent by the UTM/USS over a non-3GPP network, requesting that the UAVC respond via the 3GPP network to the UAV's C2 communication request.
It should be noted that message 5, sent by the UTM/USS to the UAVC, is only one example of the first message in the embodiment shown in FIG. 5; the first message may take other forms, which the embodiments of this application do not specifically limit.
S817: The UAVC sends session establishment request 2 to SMF2 in the 3GPP network. Correspondingly, SMF2 receives session establishment request 2 from the UAVC. Session establishment request 2 includes the 3GPP UAVC ID and indication information 2, where indication information 2 indicates that the second PDU session the UAVC is requesting to establish is for carrying C2 communication.
In one possible implementation, indication information 2 may be an explicit indication. For example, indication information 2 may be a UAS operation request indication whose value is "C2 request", explicitly indicating that the second PDU session the UAVC requests is for carrying C2 communication. Optionally, in the embodiments of this application, the UAS operation request indication may further indicate that the C2 request is a passive C2 request.
In another possible implementation, indication information 2 may be an implicit indication. For example, indication information 2 may be DNN information dedicated to C2 communication, or a combination of DNN and network slice dedicated to C2 communication.
Of course, if before step S802 the UAV and the UAVC have already been paired offline in a non-3GPP manner (for example, the two devices are paired over Bluetooth) or in some other manner, the UAVC can obtain the pairing identifier of the UAV it is paired with. Session establishment request 2 may then include the UAV's pairing identifier, which implicitly indicates that the second PDU session the UAVC requests is for carrying C2 communication. For example, the pairing identifier of the UAV may be the 3GPP UAV ID or the external UAV ID of the UAV.
S818: After determining from indication information 2 that the second PDU session the UAVC requests is for carrying C2 communication, SMF2 obtains the first user plane security protection enabling indication from UDM2.
In one possible implementation, after SMF2 determines from indication information 2 that the second PDU session the UAVC requests is for carrying C2 communication, it sends a request message to UDM2. The request message includes the 3GPP UAVC ID and requests the second user plane security protection policy corresponding to the UAVC. After receiving the request message, UDM2 uses the 3GPP UAVC ID to determine the second user plane security protection policy for the UAVC and carries it in the response message it sends to SMF2. In the embodiments of this application, for a description of the second user plane security protection policy, refer to the description of "user plane security protection policy" in the introductory part of the detailed description, which is not repeated here. In addition, since UDM2 stores the first user plane security protection enabling indication, the response message may also include that indication.
It should be noted that the request message SMF2 sends to UDM2 is only one example of the fifth message in the embodiment shown in FIG. 7a; the fifth message may take other forms, which the embodiments of this application do not specifically limit.
It should be noted that if, in step S815, UDM2 determines from the 3GPP UAVC ID that the second user plane security protection policy it stores for the UAVC satisfies the first user plane security protection enabling indication obtained from the UTM/USS, then the UTM/USS may send message 5 to the UAVC (that is, perform step S816) after receiving from UDM2 the indication that the UAVC is allowed to establish a PDU session carrying C2 communication. Alternatively, UDM2 may simply assume by default that the second user plane security protection policy for the UAVC satisfies the first indication obtained from the UTM/USS. In that case there is no required order between step S814 and step S816: S814 may be performed before S816, S816 before S814, or both at the same time; the embodiments of this application do not specifically limit this.
Mode B is as follows:
S819: Same as step S816; refer to the description of step S816 above, which is not repeated here.
S820: The UAVC sends session establishment request 2 to SMF2 in the 3GPP network. Correspondingly, SMF2 receives session establishment request 2 from the UAVC. Session establishment request 2 includes the 3GPP UAVC ID and indication information 3, where indication information 3 indicates that the second PDU session the UAVC is requesting to establish is for responding to C2 communication initiated by the UAV.
In one possible implementation, indication information 3 may be an explicit indication. For example, indication information 3 may be a UAS operation request indication whose value is "passive C2 request", explicitly indicating that the second PDU session the UAVC requests is for responding to C2 communication initiated by the UAV.
S821: After determining from indication information 3 that the second PDU session the UAVC requests is for responding to C2 communication initiated by the UAV, SMF2 obtains the first user plane security protection enabling indication from the UTM/USS via UFES2.
In one possible implementation, after SMF2 determines from indication information 3 that the second PDU session the UAVC requests is for responding to C2 communication initiated by the UAV, it sends a request message to UFES2 that includes the 3GPP UAVC ID and requests the first user plane security protection enabling indication. UFES2 in turn sends a request message to the UTM/USS that includes the external UAV ID of the UAVC and requests the first user plane security protection enabling indication. After receiving that request, the UTM/USS uses the external UAV ID of the UAVC together with the stored mapping between the external UAV ID of the UAV, the external UAV ID of the UAVC and the first user plane security protection enabling indication to determine the first indication, and sends it to SMF2.
It should be noted that the request message UFES2 sends to the UTM/USS is only one example of the second message in the embodiment shown in FIG. 5; the second message may take other forms, which the embodiments of this application do not specifically limit.
It should be noted that the request message SMF2 sends to UFES2 is only one example of the sixth message in the embodiment shown in FIG. 7a; the sixth message may take other forms, which the embodiments of this application do not specifically limit.
In the embodiments of this application, after UFES2 obtains the 3GPP UAVC ID from the 3GPP network, it can use its stored mapping between the 3GPP UAVC ID and the external UAV ID of the UAVC to "translate" the 3GPP UAVC ID into the external UAV ID of the UAVC, which the UTM/USS can recognize, and send that external UAV ID to the UTM/USS. This is stated once here and is not repeated below.
Optionally, in the embodiments of this application, after SMF2 determines from indication information 3 that the second PDU session the UAVC requests is for responding to C2 communication initiated by the UAV, it may also obtain the second user plane security protection policy corresponding to the UAVC from UDM2; the embodiments of this application do not specifically limit this. When SMF2 has obtained both the second user plane security protection policy for the UAVC from UDM2 and the first user plane security protection enabling indication, SMF2 may determine whether the second policy satisfies the first indication: if it does, SMF2 continues the establishment procedure for the second PDU session; if it does not, SMF2 rejects establishment of the second PDU session. The way SMF2 determines whether the second user plane security protection policy satisfies the first user plane security protection enabling indication may be the same as the way UDM2 does so, described above, and is not repeated here. Alternatively, when SMF2 has both the second policy and the first indication, it may simply use the first user plane security protection enabling indication by default and ignore the second user plane security protection policy; the embodiments of this application do not specifically limit this.
Further, the communication method provided by the embodiments of this application may also include the remaining procedure for establishing the second PDU session, either as manner one in steps S822-S825 below or as manner two in steps S826-S827 below.
Manner one is as follows:
S822: SMF2 determines the third user plane security protection policy from the first user plane security protection enabling indication. The third user plane security protection policy contains only "mandatorily enabled" or "mandatorily disabled" values for security protection, never "optionally enabled". For the specific implementation of step S822, refer to the summary of the invention above, which is not repeated here.
S823: SMF2 sends the third user plane security protection policy to RAN device 2. Correspondingly, RAN device 2 receives the third user plane security protection policy from SMF2.
S824: RAN device 2 determines the second user plane security protection enabling indication from the third user plane security protection policy. The second user plane security protection enabling indication indicates whether user plane security protection of the second PDU session is enabled.
In the embodiments of this application, for examples of how RAN device 2 determines the second user plane security protection enabling indication from the third user plane security protection policy, refer to how RAN device 1 determines the first user plane security protection enabling indication from the first user plane security protection policy in step S805, which is not repeated here.
Of course, in the embodiments of this application, when the third user plane security protection policy specifies that user plane confidentiality protection is mandatorily enabled and user plane integrity protection is mandatorily enabled, but RAN device 2 currently lacks sufficient resources to provide security protection for the UAVC's user plane data, RAN device 2 may decide to reject establishment of the second PDU session and send SMF2 an indication rejecting establishment of the second PDU session, so that the subsequent procedure is terminated; the embodiments of this application do not elaborate on this case. This ensures that every node on the UAVC-side path carrying the C2 communication can support the second user plane security protection enabling indication, and so ensures normal C2 communication between the UAV and the UAVC.
S825: The remaining steps of establishing the second PDU session; for details, refer to the prior art, which are not repeated here. During these remaining steps, RAN device 2 may send the second user plane security protection enabling indication to the UAVC. Since both RAN device 2 and the UAVC obtain the second indication, during subsequent C2 communication between the UAV and the UAVC, the UAVC and RAN device 2 can apply user plane security protection on the UAVC side according to the second indication.
In manner one, the enabling state of user plane security protection indicated by the second user plane security protection enabling indication is the same as that indicated by the third user plane security protection policy, and the state indicated by the third policy is the same as that indicated by the first user plane security protection enabling indication; therefore the first and second indications indicate the same enabling state. Since the first indication governs user plane security protection of the first PDU session carrying C2 communication on the UAV side, and the second indication governs user plane security protection of the second PDU session carrying C2 communication on the UAVC side, this scheme guarantees that the user plane security protection of the C2 communication between the UAV and the UAVC is consistent.
方式二如下:The second way is as follows:
S826、SMF2向RAN设备2发送第一用户面安全保护开启指示。相应的,RAN设备2接收来自SMF2的第一用户面安全保护开启指示。S826. The SMF2 sends the first user plane security protection opening instruction to the RAN device 2. Correspondingly, the RAN device 2 receives the first user plane security protection opening instruction from the SMF2.
S827、第二PDU会话建立的其他流程,具体可参考现有技术,在此不再赘述。其中,在第二PDU会话建立的其他流程中,RAN设备2可以向UAVC发送第二用户面安全保护开启指示。由于RAN设备2和UAVC均可以获得第二用户面安全保护开启指示,因此后续UAV与UAVC之间进行C2通信时,UAVC与RAN设备2之间可以根据第二用户面安全保护开启指示进行UAVC侧的用户面安全保护。S827. For other procedures of establishing the second PDU session, reference may be made to the prior art for details, and details are not described herein again. Wherein, in other procedures of establishing the second PDU session, the RAN device 2 may send the second user plane security protection opening indication to the UAVC. Since both RAN device 2 and UAVC can obtain the second user plane security protection enable instruction, during subsequent C2 communication between UAV and UAVC, UAVC and RAN device 2 can perform the UAVC side according to the second user plane security protection enable instruction. user plane security protection.
该方式二中,由于UAV侧的用于承载C2通信的第一PDU会话的用户面安全保护的开启方式和UAVC侧的用于承载C2通信的第二PDU会话的用户面安全保护的开启方式均由第一用户面安全保护开启指示指示。因此基于该方案,可以保证UAV和UAVC之间的C2通信的用户面安全保护的一致性。In the second method, since the method of enabling the user plane security protection of the first PDU session for carrying the C2 communication on the UAV side and the method of enabling the user plane security protection of the second PDU session for carrying the C2 communication on the UAVC side are both Indicated by the first user plane security protection on instruction. Therefore, based on this scheme, the consistency of user plane security protection of C2 communication between UAV and UAVC can be guaranteed.
Optionally, as an alternative solution, in this embodiment of the present application, after the above step S815, UDM2 may also update the second user plane security protection policy corresponding to the UAVC that is stored in UDM2 according to the first user plane security protection enabling indication obtained from the UTM/USS. The updated second user plane security protection policy includes only "security protection mandatorily enabled" or "security protection mandatorily not enabled". Specifically, the way in which the UDM determines the updated second user plane security protection policy from the first user plane security protection enabling indication is similar to the example in step S822 in which SMF2 determines the third user plane security protection policy from the first user plane security protection enabling indication, and is not repeated here.
Further, after SMF2 receives session establishment request 2 from the UAVC and determines from indication information 2 that the second PDU session the UAVC requests to establish is used to carry the C2 communication, or determines from indication information 3 that the second PDU session the UAVC requests to establish is used to respond to the C2 communication initiated by the UAV, SMF2 may send a request message to UDM2. The request message includes the 3GPP UAVC ID and is used to request the second user plane security protection policy corresponding to the UAVC. After receiving the request message, UDM2 determines the second user plane security protection policy corresponding to the UAVC from the 3GPP UAVC ID and carries it in the response message sent to SMF2. Further, SMF2 may send the second user plane security protection policy to RAN device 2. Correspondingly, RAN device 2 receives the second user plane security protection policy from SMF2 and determines from it the second user plane security protection enabling indication, which indicates whether user plane security protection of the second PDU session is enabled.
Based on this solution, the enabling state of user plane security protection indicated by the second user plane security protection enabling indication is the same as the enabling state indicated by the second user plane security protection policy, and the enabling state indicated by the second user plane security protection policy is the same as the enabling state indicated by the first user plane security protection enabling indication; therefore the enabling states indicated by the first and the second user plane security protection enabling indications are the same. Since the first user plane security protection enabling indication gives the enabling state for the UAV-side first PDU session carrying the C2 communication, and the second user plane security protection enabling indication gives the enabling state for the UAVC-side second PDU session carrying the C2 communication, this solution guarantees consistency of the user plane security protection of the C2 communication between the UAV and the UAVC.
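Method one, method two and the UDM2 alternative above all rest on the same mechanism: the on/off state already fixed on the UAV side is turned into something that leaves RAN device 2 no local choice. The following Python model is an added illustration and is not code from the patent. The entity classes, the REQUIRED/PREFERRED/NOT_NEEDED policy vocabulary, the per-node capability flags, and the mapping of "enabled" to REQUIRED and "not enabled" to NOT_NEEDED are assumptions of this example; the page only states that the derived policy contains "mandatorily enabled" or "mandatorily not enabled". It shows why an uncoordinated UAVC side can diverge (a PREFERRED policy resolved against a different node's capability) and that each of the three variants yields the UAV-side state.

```python
"""Model of C2 user plane security consistency.  Added example, not the patent's
code; names, the policy vocabulary and the capability flags are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Policy(str, Enum):
    REQUIRED = "REQUIRED"      # security protection mandatorily enabled
    PREFERRED = "PREFERRED"    # node decides from its own capability (assumed semantics)
    NOT_NEEDED = "NOT_NEEDED"  # security protection mandatorily not enabled


@dataclass(frozen=True)
class Indication:
    """User plane security protection enabling indication for one PDU session."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class UpPolicy:
    ciphering: Policy
    integrity: Policy


def policy_from_indication(ind: Indication) -> UpPolicy:
    """S822 (SMF2 -> third policy) and the UDM2 alternative (updated second policy):
    the result is REQUIRED or NOT_NEEDED only, never PREFERRED."""
    def pin(enabled: bool) -> Policy:
        return Policy.REQUIRED if enabled else Policy.NOT_NEEDED
    return UpPolicy(pin(ind.ciphering), pin(ind.integrity))


class SessionRejected(Exception):
    """Assumed node behaviour: a REQUIRED feature the node cannot provide rejects
    the session instead of silently downgrading it (a downgrade would reintroduce
    the inconsistency the scheme removes)."""


@dataclass
class Ran:
    name: str
    can_cipher: bool = True
    can_integrity: bool = True

    def _activate(self, p: Policy, capable: bool) -> bool:
        if p is Policy.REQUIRED:
            if not capable:
                raise SessionRejected(f"{self.name}: cannot enforce REQUIRED")
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return capable  # PREFERRED: local best effort, the source of divergence

    def activate(self, pol: UpPolicy) -> Indication:
        """Derive the enabling indication this node applies for the session."""
        return Indication(self._activate(pol.ciphering, self.can_cipher),
                          self._activate(pol.integrity, self.can_integrity))


def uncoordinated(uavc_policy: UpPolicy, ran2: Ran) -> Indication:
    """Baseline without the scheme: RAN device 2 applies the UAVC's own stored policy."""
    return ran2.activate(uavc_policy)


def method_one(first_ind: Indication, ran2: Ran) -> Indication:
    """S822-S825: SMF2 derives the third policy, RAN device 2 derives the second indication."""
    return ran2.activate(policy_from_indication(first_ind))


def method_two(first_ind: Indication, ran2: Ran) -> Indication:
    """S826-S827: SMF2 forwards the first indication itself; RAN device 2 copies the
    on/off state directly instead of evaluating a policy."""
    for wanted, capable, what in ((first_ind.ciphering, ran2.can_cipher, "ciphering"),
                                  (first_ind.integrity, ran2.can_integrity, "integrity")):
        if wanted and not capable:
            raise SessionRejected(f"{ran2.name}: cannot enable {what}")
    return Indication(first_ind.ciphering, first_ind.integrity)


@dataclass
class Udm2:
    stored: dict  # 3GPP UAVC ID -> second user plane security protection policy

    def update_from_indication(self, uavc_id: str, ind: Indication) -> None:
        """After S815: the stored policy is overwritten, so PREFERRED cannot survive."""
        self.stored[uavc_id] = policy_from_indication(ind)

    def get_policy(self, uavc_id: str) -> UpPolicy:
        return self.stored[uavc_id]


def udm_alternative(first_ind: Indication, uavc_id: str, udm2: Udm2, ran2: Ran) -> Indication:
    """UDM2 updates the policy; SMF2 fetches it and RAN device 2 applies it."""
    udm2.update_from_indication(uavc_id, first_ind)
    return ran2.activate(udm2.get_policy(uavc_id))


def consistent(uav_side: Indication, uavc_side: Indication) -> bool:
    return uav_side == uavc_side


def outcome(fn, *args):
    """Run one variant and return either the Indication or the SessionRejected error."""
    try:
        return fn(*args)
    except SessionRejected as err:
        return err


if __name__ == "__main__":
    pref = UpPolicy(Policy.PREFERRED, Policy.PREFERRED)
    first = Ran("RAN1", can_integrity=False).activate(pref)   # UAV side ended up (on, off)
    ran2 = Ran("RAN2")
    print("uncoordinated:", consistent(first, uncoordinated(pref, ran2)))
    print("method one   :", consistent(first, method_one(first, ran2)))
```

The scenario in the `__main__` guard is the divergence the page describes: the UAV side resolved a PREFERRED policy on a node without integrity support, the UAVC side would resolve the same PREFERRED policy on a capable node, and one direction of the C2 link would be integrity protected while the other is not. With any of the three variants the second side inherits the UAV-side state; when RAN device 2 cannot provide a feature the first side enabled, the model rejects the session rather than quietly running the UAVC leg with weaker protection.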
Optionally, as an alternative solution, after SMF2 obtains the first user plane security protection enabling indication, it may also send the first user plane security protection enabling indication to another network element (for example, the PCF); that network element determines the above third user plane security protection policy from the first user plane security protection enabling indication and then sends the third user plane security protection policy to SMF2. This is not specifically limited in this embodiment of the present application.
Further, the communication method provided by this embodiment of the present application may further include the following step S828:
S828. After the establishment of the second PDU session is completed, the 3GPP network with which the UAV is registered and the 3GPP network with which the UAVC is registered configure the information used by the sessions and establish the C2 communication channel between the UAV and the UAVC, after which the subsequent C2 communication procedure starts. The configuration of the information used by the sessions includes procedures such as routing information configuration and PDU session modification; for their implementation, reference may be made to the prior art, and they are not repeated here.
Based on the communication method provided by this embodiment of the present application, the UTM/USS can obtain, during the UAV's establishment of the first PDU session used to carry the C2 communication, the first user plane security protection enabling indication that indicates whether user plane security protection of the first PDU session is enabled, and SMF2 serving the UAVC can obtain, during the UAVC's establishment of the second PDU session used to carry the C2 communication, either that first user plane security protection enabling indication or the second user plane security protection policy corresponding to the UAVC that has been updated according to it. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. Therefore this solution ensures that the enabling state of user plane security protection for the UAV-side first PDU session carrying the C2 communication and the enabling state for the UAVC-side second PDU session carrying the C2 communication are the same, which guarantees consistency of the user plane security protection of the C2 communication between the UAV and the UAVC.
The actions of SMF1, UTM/USS, SMF2, UFES1 or UFES2 in the above steps S801a to S828 may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct SMF1, UTM/USS, SMF2, UFES1 or UFES2 to execute them. This embodiment imposes no limitation on this.
In another possible implementation, the UTM/USS may, after the procedure in which the UAV establishes the first PDU session used to carry the C2 communication between the UAV and the UAVC (hereinafter simply C2 communication) has ended, obtain through the user plane or the control plane the first user plane security protection enabling indication that indicates whether user plane security protection of the first PDU session is enabled. Further, SMF2 serving the UAVC may obtain, during the UAVC's establishment of the second PDU session used to carry the C2 communication, that first user plane security protection enabling indication or the second user plane security protection policy corresponding to the UAVC updated according to it. Exemplarily, FIG. 9 shows a communication method provided by an embodiment of the present application; the method includes the registration procedures of the UAV and the UAVC with the 3GPP network, as in the following steps S901a and S901b:
S901a. The UAV registers with the 3GPP network; for the specific registration procedure, reference may be made to the prior art, which is not repeated here.
S901b. The UAVC registers with the 3GPP network; for the specific registration procedure, reference may be made to the prior art, which is not repeated here.
For the specific implementation of steps S901a and S901b, reference may be made to steps S801a and S801b of the embodiment shown in FIG. 8 respectively; details are not repeated here.
Further, the communication method provided by this embodiment of the present application further includes a procedure in which the UAV triggers establishment of the first PDU session, as in the following step S902:
S902. The UAV triggers the procedure of establishing the first PDU session; for details, reference may be made to the prior art, which is not repeated here.
After the establishment of the first PDU session is completed, the UAV, RAN device 1 and SMF1 all know the first user plane security protection enabling indication. Further, the communication method provided by this embodiment of the present application further includes a procedure in which the UTM/USS obtains the first user plane security protection enabling indication, either way M shown in step S903 or way N shown in steps S904 and S905.
Way M is as follows:
S903. The UAV sends the UAV's external UAV ID and the first user plane security protection enabling indication to the UTM/USS over the user plane of the already established first PDU session. Correspondingly, the UTM/USS receives the UAV's external UAV ID and the first user plane security protection enabling indication from the UAV.
Way N is as follows:
S904. After SMF1 determines that the establishment of the first PDU session is completed, it sends message 6 to UFES1. Correspondingly, UFES1 receives message 6 from SMF1. Message 6 includes the 3GPP UAV ID and the first user plane security protection enabling indication.
S905. UFES1 sends message 7 to the UTM/USS. Correspondingly, the UTM/USS receives message 7 from UFES1. Message 7 includes the UAV's external UAV ID and the first user plane security protection enabling indication.
For the above steps S904 and S905:
Message 6 and message 7 may be the messages by which, after the session establishment procedure ends, SMF1 notifies the UTM/USS of the session parameters used for C2 communication on the UAV side (for example, the IP address the UAV uses for C2 communication); or message 6 and message 7 may be other existing control plane messages, or newly defined control plane messages, sent after the session establishment procedure ends. This is not specifically limited in this embodiment of the present application.
In this embodiment of the present application, after UFES1 obtains the 3GPP UAV ID from the 3GPP network, it may, according to the stored mapping between the 3GPP UAV ID and the UAV's external UAV ID, "translate" the 3GPP UAV ID into the UAV's external UAV ID that the UTM/USS can recognise, and send the UAV's external UAV ID to the UTM/USS. This is stated here once and is not repeated below.
Based on way M or way N above, the UTM/USS can obtain the first user plane security protection enabling indication. Further, SMF2 serving the UAVC can obtain, during the UAVC's establishment of the second PDU session used to carry the C2 communication, that first user plane security protection enabling indication or the second user plane security protection policy corresponding to the UAVC updated according to it. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. For the related implementation, reference may be made to steps S814 to S828 of the embodiment shown in FIG. 8, which are not repeated here.
Based on the communication method provided by this embodiment of the present application, the UTM/USS can obtain, after the procedure in which the UAV establishes the first PDU session used to carry the C2 communication has ended, the first user plane security protection enabling indication that indicates whether user plane security protection of the first PDU session is enabled, and SMF2 serving the UAVC can obtain, during the UAVC's establishment of the second PDU session used to carry the C2 communication, either that first user plane security protection enabling indication or the second user plane security protection policy corresponding to the UAVC that has been updated according to it. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. Therefore this solution ensures that the enabling state of user plane security protection for the UAV-side first PDU session carrying the C2 communication and the enabling state for the UAVC-side second PDU session carrying the C2 communication are the same, which guarantees consistency of the user plane security protection of the C2 communication between the UAV and the UAVC.
The actions of SMF1, UTM/USS, SMF2, UFES1 or UFES2 in the above steps S901a to S905 may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the application program code stored in the memory 403 to instruct SMF1, UTM/USS, SMF2, UFES1 or UFES2 to execute them. This embodiment imposes no limitation on this.
In yet another possible implementation, the UTM/USS may, triggered by the pairing authorization procedure, obtain through UFES1 serving the UAV the first user plane security protection enabling indication, which indicates whether user plane security protection of the first PDU session (that is, the session the UAV uses to carry the C2 communication between the UAV and the UAVC, hereinafter simply C2 communication) is enabled. Further, SMF2 serving the UAVC may obtain, during the UAVC's establishment of the second PDU session used to carry the C2 communication, that first user plane security protection enabling indication or the second user plane security protection policy corresponding to the UAVC updated according to it. Exemplarily, FIG. 10 shows a communication method provided by an embodiment of the present application; the method includes the registration procedures of the UAV and the UAVC with the 3GPP network, as in the following steps S1001a and S1001b:
S1001a. The UAV registers with the 3GPP network; for the specific registration procedure, reference may be made to the prior art, which is not repeated here.
S1001b. The UAVC registers with the 3GPP network; for the specific registration procedure, reference may be made to the prior art, which is not repeated here.
For the specific implementation of steps S1001a and S1001b, reference may be made to steps S801a and S801b of the embodiment shown in FIG. 8 respectively; details are not repeated here.
Further, the communication method provided by this embodiment of the present application further includes a procedure in which the UAV triggers establishment of a PDU session used for non-C2 communication (denoted the third PDU session), as in the following step S1002:
S1002. The UAV triggers the procedure of establishing the third PDU session; for details, reference may be made to the prior art, which is not repeated here.
Further, the communication method provided by this embodiment of the present application further includes a pairing authorization procedure, as in the following steps S1003 and S1004:
S1003. The UAV sends C2 pairing request 1 to the UTM/USS over the user plane of the already established third PDU session. Correspondingly, the UTM/USS receives C2 pairing request 1 from the UAV. C2 pairing request 1 includes the UAV's external UAV ID.
Of course, if before step S1003 the UAV and the UAVC have already been paired offline in a non-3GPP way (for example, the two devices are paired over Bluetooth) or by other means, the UAV can obtain the pairing identifier of the UAVC paired with it. Further, C2 pairing request 1 may then include the UAVC's pairing identifier. Exemplarily, the UAVC's pairing identifier may be the 3GPP UAVC ID or the UAVC's external UAV ID.
Optionally, in this embodiment of the present application, when the UAVC's pairing identifier is the UAVC's external UAV ID, the UAVC's external UAV ID may be included in a container of C2 pairing request 1. In this way, on the one hand, because intermediate nodes transparently forward the container and do not modify its contents, the security of this parameter is guaranteed; on the other hand, because intermediate nodes need not parse this parameter, processing resources of the intermediate nodes are saved and their processing efficiency is improved.
S1004. After the UTM/USS determines that the UAVC paired with the UAV is on the network, it authorizes the C2 pairing request.
For the related description of the UAVC being on the network and of the UTM/USS authorizing the C2 pairing request, reference may be made to step S810 of the embodiment shown in FIG. 8, which is not repeated here.
In one possible implementation, if C2 pairing request 1 includes the UAVC's external UAV ID, the UTM/USS can determine from the UAVC's external UAV ID whether the UAVC has already obtained authentication and authorization from the UTM/USS. If the UAVC has already obtained authentication and authorization from the UTM/USS, the UTM/USS can determine that the UAVC is on the network. The UTM/USS obtains the UAVC's external UAV ID from the received C2 pairing request 1 either by parsing the container in the received C2 pairing request 1 and obtaining the UAVC's external UAV ID it contains, or by obtaining the UAVC's external UAV ID directly from the received C2 pairing request 1.
In another possible implementation, the pairing relationship between the UAV and the UAVC may be stored in the UTM/USS (for example, the manufacturer of the UAV and the UAVC pairs them when the devices leave the factory and registers the pairing relationship with the UTM/USS). The pairing relationship may be represented by a mapping between the UAV's external UAV ID and the UAVC's external UAV ID. Then, after the UTM/USS determines the UAVC's external UAV ID from the received UAV's external UAV ID and the pairing relationship between the UAV and the UAVC, it determines from the UAVC's external UAV ID whether the UAVC has already obtained authentication and authorization from the UTM/USS. If the UAVC has already obtained authentication and authorization from the UTM/USS, the UTM/USS can determine that the UAVC is on the network.
It should be noted that this embodiment of the present application is described taking as an example the UAV sending the C2 pairing request to the UTM/USS over the user plane of 3GPP access. Optionally, the UAV may also send the C2 pairing request, which includes the UAV's external UAV ID, to the UTM/USS over non-3GPP access. This is not specifically limited in this embodiment of the present application.
进一步的,本申请实施例提供的通信方法还包括UTM/USS基于配对授权流程的触发获取用于指示第一PDU会话的用户面安全保护是否开启的第一用户面安全保护开启指示的流程,如下述步骤S1005-S1013所示:Further, the communication method provided by the embodiment of the present application further includes a process in which the UTM/USS obtains a first user plane security protection opening instruction for indicating whether the user plane security protection of the first PDU session is enabled based on the triggering of the pairing authorization process, as follows: The above steps S1005-S1013 are shown:
S1005、配对授权完成后,UTM/USS向UFES1发送请求消息1。相应的,UFES1接收来自UTM/USS的请求消息1。该请求消息1包括UAV的外部UAV ID,该请求 消息1用于请求第一用户面安全保护开启指示,第一用户面安全保护开启指示用于指示第一PDU会话的用户面安全保护是否开启。S1005. After the pairing authorization is completed, the UTM/USS sends a request message 1 to the UFES1. Correspondingly, UFES1 receives request message 1 from UTM/USS. The request message 1 includes the external UAV ID of the UAV, and the request message 1 is used to request the first user plane security protection opening instruction, and the first user plane security protection opening instruction is used to indicate whether the user plane security protection of the first PDU session is enabled.
其中,第一用户面安全保护开启指示的相关描述可参考具体实施方式前序部分“用户面安全保护开启指示”的描述,在此不再赘述。For the relevant description of the first user plane security protection opening instruction, reference may be made to the description of the "user plane security protection opening instruction" in the preamble of the specific implementation manner, which will not be repeated here.
需要说明的是,本申请实施例中,UTM/USS向UFES1发送的请求消息1仅是图5所示的实施例第三消息的一种示例,第三消息还可以为其他,本申请实施例对此不做具体限定。It should be noted that, in the embodiment of the present application, the request message 1 sent by the UTM/USS to the UFES1 is only an example of the third message in the embodiment shown in FIG. 5 , and the third message may also be other. There is no specific limitation on this.
一种可能的实现方式中,本申请实施例中,该请求消息1可以包括指示信息4,指示信息4用于指示该请求消息1用于请求第一用户面安全保护开启指示。In a possible implementation manner, in this embodiment of the present application, the request message 1 may include indication information 4, where the indication information 4 is used to indicate that the request message 1 is used to request an indication of enabling the security protection of the first user plane.
另一种可能的实现方式中,请求消息1本身可以指示该请求消息1用于请求第一用户面安全保护开启指示。比如,该请求消息1可以为用户面安全保护开启指示请求消息,本申请实施例对此不做具体限定。In another possible implementation manner, the request message 1 itself may indicate that the request message 1 is used to request the first user plane security protection opening instruction. For example, the request message 1 may be a user plane security protection opening indication request message, which is not specifically limited in this embodiment of the present application.
S1006、UFES1向SMF1发送请求消息2。相应的,SMF1接收来自UFES1的请求消息2。该请求消息2包括3GPP UAV ID,该请求消息2用于请求第一用户面安全保护开启指示。S1006, UFES1 sends request message 2 to SMF1. Correspondingly, SMF1 receives request message 2 from UFES1. The request message 2 includes the 3GPP UAV ID, and the request message 2 is used to request the first user plane security protection opening instruction.
需要说明的是,本申请实施例中,UFES1向SMF1发送的请求消息2仅是图6所示的实施例中第四消息的一种示例,第四消息还可以为其他,本申请实施例对此不做具体限定。It should be noted that, in this embodiment of the present application, the request message 2 sent by UFES1 to SMF1 is only an example of the fourth message in the embodiment shown in FIG. 6 , and the fourth message may also be other. This is not specifically limited.
本申请实施例中,UFES1获取UAV的外部UAV ID之后,可以根据存储的3GPP UAV ID与UAV的外部UAV ID的映射关系,将请求消息1中的UAV的外部UAV ID“翻译”转化为3GPP网络能够识别的3GPP UAV ID,并通过请求消息2将3GPP UAV ID发送给SMF1,在此统一说明,以下不再赘述。In the embodiment of the present application, after UFES1 obtains the external UAV ID of the UAV, it can "translate" the external UAV ID of the UAV in the request message 1 into a 3GPP network according to the stored mapping relationship between the 3GPP UAV ID and the external UAV ID of the UAV The 3GPP UAV ID that can be identified, and the 3GPP UAV ID is sent to the SMF1 through the request message 2, which is described here uniformly and will not be repeated below.
一种可能的实现方式中,本申请实施例中,该请求消息2可以包括指示信息5,指示信息5用于指示该请求消息2用于请求第一用户面安全保护开启指示。In a possible implementation manner, in this embodiment of the present application, the request message 2 may include indication information 5, where the indication information 5 is used to indicate that the request message 2 is used to request an indication of enabling the security protection of the first user plane.
另一种可能的实现方式中,请求消息2本身可以指示该请求消息2用于请求第一用户面安全保护开启指示。比如,该请求消息2可以为用户面安全保护开启指示请求消息,本申请实施例对此不做具体限定。In another possible implementation manner, the request message 2 itself may indicate that the request message 2 is used to request the first user plane security protection opening instruction. For example, the request message 2 may be a user plane security protection opening indication request message, which is not specifically limited in this embodiment of the present application.
Steps S1007-S1011 are the same as steps S803-S807 in the embodiment shown in FIG. 8; for the related description, refer to the embodiment shown in FIG. 8. They are not repeated here.
S1012. SMF1 sends response message 2 to UFES1. Correspondingly, UFES1 receives response message 2 from SMF1. Response message 2 includes the 3GPP UAV ID and the first user plane security protection enabling indication.
S1013. UFES1 sends response message 1 to UTM/USS. Correspondingly, UTM/USS receives response message 1 from UFES1. Response message 1 includes the external UAV ID of the UAV and the first user plane security protection enabling indication.
In the embodiments of this application, the external UAV ID of the UAV in response message 1 is obtained by "translating" the 3GPP UAV ID in response message 2; for the translation method, refer to step S809 above. It is not repeated here.
In the embodiments of this application, after SMF1 learns the first user plane security protection enabling indication, it may further perform the following step S1014:
S1014. SMF1 triggers the procedure for establishing the first PDU session. The first PDU session in the embodiments of this application may be obtained by modifying the third PDU session described above, or may be newly established by the UAV when triggered by the SMF; this is not specifically limited in the embodiments of this application. For both the procedure of obtaining the first PDU session by modifying the third PDU session and the procedure of newly establishing the first PDU session, refer to the prior art. They are not repeated here.
Based on the above solution, UTM/USS can obtain the first user plane security protection enabling indication. Further, SMF2, which serves the UAVC, can, during the procedure in which the UAVC establishes the second PDU session for carrying C2 communication, obtain the first user plane security protection enabling indication, or obtain the second user plane security protection policy corresponding to the UAVC that has been updated according to the first user plane security protection enabling indication. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. For the related implementation, refer to steps S814-S828 in the embodiment shown in FIG. 8. They are not repeated here.
Based on the communication method provided by the embodiments of this application, UTM/USS, triggered by the pairing authorization procedure, can obtain from UFES1 (which serves the UAV) the first user plane security protection enabling indication, which indicates whether user plane security protection of the first PDU session carrying C2 communication is enabled. SMF2, which serves the UAVC, can, during the procedure in which the UAVC establishes the second PDU session carrying C2 communication, obtain the first user plane security protection enabling indication, or obtain the second user plane security protection policy corresponding to the UAVC that has been updated according to the first user plane security protection enabling indication. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. Therefore, this solution ensures that user plane security protection is enabled in the same way for the first PDU session carrying C2 communication on the UAV side and for the second PDU session carrying C2 communication on the UAVC side, which guarantees the consistency of user plane security protection of the C2 communication between the UAV and the UAVC.
The actions of SMF1, UTM/USS, SMF2, UFES1 or UFES2 in steps S1001a to S1014 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 calling the application program code stored in the memory 403 to instruct SMF1, UTM/USS, SMF2, UFES1 or UFES2; this embodiment imposes no limitation on this.
In yet another possible implementation, UFES1, which serves the UAV, may obtain, in the UUAA procedure or triggered by the UUAA procedure, the first user plane security protection enabling indication, which indicates whether user plane security protection of the first PDU session (that is, the session used by the UAV to carry C2 communication between the UAV and the UAVC; hereinafter, C2 communication between the UAV and the UAVC is referred to simply as C2 communication) is enabled, and may maintain a mapping between the first user plane security protection enabling indication and the external UAV ID of the UAV. Then, in the pairing authorization procedure triggered by the UAV, UFES1 can send the first user plane security protection enabling indication to UTM/USS. Further, SMF2, which serves the UAVC, can, during the procedure in which the UAVC establishes the second PDU session for carrying C2 communication, obtain the first user plane security protection enabling indication, or obtain the second user plane security protection policy corresponding to the UAVC that has been updated according to the first user plane security protection enabling indication. For example, as shown in FIG. 11, an embodiment of this application provides a communication method that includes the registration procedures of the UAV and the UAVC in the 3GPP network, as in steps S1101a and S1101b below:
S1101a. The UAV registers with the 3GPP network; for the specific registration procedure, refer to the prior art. It is not repeated here.
S1101b. The UAVC registers with the 3GPP network; for the specific registration procedure, refer to the prior art. It is not repeated here.
For the specific implementation of steps S1101a and S1101b, refer to steps S801a and S801b in the embodiment shown in FIG. 8, respectively. They are not repeated here.
Further, the communication method provided by the embodiments of this application also includes a procedure in which the UAV triggers the establishment of a PDU session used for non-C2 communication (denoted as the third PDU session), as in steps S1102-S1112 below:
S1102. The UAV sends session establishment request 3 to SMF1 in the 3GPP network. Correspondingly, SMF1 receives session establishment request 3 from the UAV. Session establishment request 3 includes the 3GPP UAV ID and indication information 6, which indicates that the third PDU session the UAV requests to establish is used for non-C2 communication of the UAS.
In one possible implementation, indication information 6 may be an explicit indication. For example, indication information 6 may be a UAS operation request indication, where the UAS operation request indication is a request other than a C2 request.
In another possible implementation, indication information 6 may be an implicit indication. For example, indication information 6 may be DNN information dedicated to non-C2 communication of the UAS, or a combination of DNN and slice information dedicated to non-C2 communication of the UAS, and so on.
S1103. After determining from indication information 6 that the third PDU session the UAV requests to establish is used for non-C2 communication of the UAS, SMF1 obtains the first user plane security protection policy and the fourth user plane security protection policy from UDM1. The first user plane security protection policy is used to establish the first PDU session, and the fourth user plane security protection policy is used to establish the third PDU session.
In the embodiments of this application, for the related description of the first user plane security protection policy and the fourth user plane security protection policy, refer to the description of "user plane security protection policy" in the preamble of the detailed description. It is not repeated here.
In one possible implementation, SMF1 sends a request message to UDM1; the request message includes the 3GPP UAV ID and is used to request the user plane security policy of the third PDU session. After receiving the request message, UDM1 determines the subscription information of the UAV according to the 3GPP UAV ID. The subscription information of the UAV includes the first user plane security protection policy and the fourth user plane security protection policy. UDM1 may then carry the first user plane security protection policy and the fourth user plane security protection policy in the response message it sends to SMF1.
In another possible implementation, SMF1 may determine, from the information in session establishment request 3, that the node requesting session establishment is a UAV, and then send a request message to UDM1; the request message includes the 3GPP UAV ID and is used to request the first user plane security protection policy and the fourth user plane security protection policy. After receiving the request message, UDM1 obtains the first user plane security protection policy and the fourth user plane security protection policy from the subscription information of the UAV according to the 3GPP UAV ID. UDM1 may then carry both policies in the response message it sends to SMF1.
It should be noted that, in the embodiments of this application, the first user plane security protection policy and the fourth user plane security protection policy may be the same user plane security protection policy; this is not specifically limited in the embodiments of this application.
It should be noted that the embodiments of this application are described by taking as an example that UDM1 stores a corresponding user plane security protection policy for each type of PDU session separately. Of course, UDM1 may also store a single user plane security protection policy corresponding to the UAV, which can be used both to establish the first PDU session and to establish the third PDU session; in that case, SMF1 likewise obtains a single user plane security protection policy corresponding to the UAV from UDM1. This is not specifically limited in the embodiments of this application.
S1104. SMF1 sends the first user plane security protection policy and the fourth user plane security protection policy to RAN device 1. Correspondingly, RAN device 1 receives the first user plane security protection policy and the fourth user plane security protection policy from SMF1.
S1105. RAN device 1 determines the fourth user plane security protection enabling indication according to the fourth user plane security protection policy; the fourth user plane security protection enabling indication indicates whether user plane security protection of the third PDU session is enabled.
For the related description of the fourth user plane security protection enabling indication, refer to the description of "user plane security protection enabling indication" in the preamble of the detailed description. It is not repeated here. In addition, for the manner in which RAN device 1 determines the fourth user plane security protection enabling indication according to the fourth user plane security protection policy, refer to the manner in which RAN device 1 determines the first user plane security protection enabling indication according to the first user plane security protection policy in the embodiment shown in FIG. 8. It is not repeated here.
Steps S1106-S1108 are the same as steps S805-S807 in the embodiment shown in FIG. 8; for the related description, refer to the embodiment shown in FIG. 8. They are not repeated here.
Further, during the third PDU session establishment procedure, UFES1 can obtain the first user plane security protection enabling indication either by way P (step S1109) or by way Q (steps S1110-S1111).
Way P is as follows:
S1109. SMF1 sends UUAA request 1 to UFES1. Correspondingly, UFES1 receives UUAA request 1 from SMF1. UUAA request 1 includes the 3GPP UAV ID and the first user plane security protection enabling indication.
That is, in the embodiments of this application, SMF1 relies on UUAA request 1 of the session establishment procedure to send the 3GPP UAV ID and the first user plane security protection enabling indication to UFES1.
Way Q is as follows:
S1110. SMF1 sends UUAA request 2 to UFES1. Correspondingly, UFES1 receives UUAA request 2 from SMF1. UUAA request 2 includes the 3GPP UAV ID.
S1111. UFES1 obtains the first user plane security protection enabling indication from SMF1.
In one possible implementation, UFES1 sends a request message to SMF1; the request message includes the 3GPP UAV ID and is used to request the first user plane security protection enabling indication. After receiving the request message, SMF1 sends a response message to UFES1 that includes the first user plane security protection enabling indication.
Further, the third PDU session establishment procedure provided by the embodiments of this application also includes the following step:
S1112. The other procedures of third PDU session establishment, for example UFES1 sending UUAA request 3, which includes the external UAV ID of the UAV, to UTM/USS. After receiving UUAA request 3 from UFES1, UTM/USS performs UUAA on the UAV according to the external UAV ID of the UAV. For the related implementation, refer to the prior art. It is not repeated here.
Further, the communication method provided by the embodiments of this application may also include the following step S1113:
S1113. UFES1 stores the mapping between the external UAV ID of the UAV and the first user plane security protection enabling indication.
In the embodiments of this application, after UFES1 obtains the 3GPP UAV ID, it can determine the external UAV ID of the UAV corresponding to the 3GPP UAV ID according to the stored mapping between the 3GPP UAV ID and the external UAV ID of the UAV, and then store the mapping between the external UAV ID of the UAV and the first user plane security protection enabling indication. Of course, in the embodiments of this application, UFES1 may also store a mapping among the external UAV ID of the UAV, the 3GPP UAV ID and the first user plane security protection enabling indication; this is not specifically limited in the embodiments of this application.
Further, the communication method provided by the embodiments of this application also includes a procedure in which UTM/USS obtains the first user plane security protection enabling indication through the pairing authorization procedure, either by way X (steps S1114-S1116) or by way Y (steps S1117-S1119) below.
Way X is as follows:
S1114. The UAV sends C2 pairing request 2 to UFES1 through SMF1. Correspondingly, UFES1 receives C2 pairing request 2 from the UAV. C2 pairing request 2 includes the 3GPP UAV ID.
Of course, if before step S1114 the UAV and the UAVC have already been paired offline by a non-3GPP means (for example, the two devices are paired over Bluetooth) or by another means, the UAV can obtain the pairing identifier of the UAVC paired with it. C2 pairing request 2 may then further include the pairing identifier of the UAVC. For example, the pairing identifier of the UAVC may be the 3GPP UAVC ID or the external UAV ID of the UAVC.
Optionally, in the embodiments of this application, when the pairing identifier of the UAVC is the external UAV ID of the UAVC, the external UAV ID of the UAVC may be included in a container of C2 pairing request 2. In this way, on the one hand, because intermediate nodes pass the container through unchanged and do not tamper with its contents, the integrity of this parameter across the intermediate nodes can be preserved; on the other hand, because intermediate nodes need not parse this parameter, the processing resources of the intermediate nodes can be saved and their processing efficiency improved.
S1115. UFES1 sends C2 pairing request 3 to UTM/USS. Correspondingly, UTM/USS receives C2 pairing request 3 from UFES1. C2 pairing request 3 includes the external UAV ID of the UAV and the first user plane security protection enabling indication.
In the embodiments of this application, the external UAV ID of the UAV in C2 pairing request 3 is obtained by "translating" the 3GPP UAV ID in C2 pairing request 2; for the translation method, refer to step S809 above. It is not repeated here.
In addition, in the embodiments of this application, after UFES1 obtains the external UAV ID of the UAV, it can determine the first user plane security protection enabling indication according to the stored mapping between the external UAV ID of the UAV and the first user plane security protection enabling indication, and send it to UTM/USS in C2 pairing request 3.
In the embodiments of this application, if C2 pairing request 2 above includes the pairing identifier of the UAVC, C2 pairing request 3 above also includes the pairing identifier of the UAVC. When the pairing identifier of the UAVC is the 3GPP UAVC ID, UFES1 further needs to "translate" the 3GPP UAVC ID into the external UAV ID of the UAVC that UTM/USS can recognize and send the external UAV ID of the UAVC to UTM/USS; for the translation method, refer to step S809 above. It is not repeated here.
S1116. After determining that the UAVC paired with the UAV is on the network, UTM/USS authorizes the C2 pairing request.
For the related implementation of step S1116, refer to the description of step S1004 in the embodiment shown in FIG. 10; the difference is, for example, that C2 pairing request 1 in step S1004 is replaced with C2 pairing request 3 of the embodiments of this application. It is not repeated here.
Way Y is as follows:
S1117. The UAV sends C2 pairing request 1 to UTM/USS over the user plane of the already established third PDU session. Correspondingly, UTM/USS receives C2 pairing request 1 from the UAV. The C2 pairing request includes the external UAV ID of the UAV.
For the related implementation of step S1117, refer to the description of step S1003 in the embodiment shown in FIG. 10. It is not repeated here.
S1118. After determining that the UAVC paired with the UAV is on the network, UTM/USS authorizes the C2 pairing request.
For the specific implementation of step S1118, refer to step S1116 above; the difference is, for example, that C2 pairing request 3 in step S1116 is replaced with C2 pairing request 1 in step S1118. It is not repeated here.
S1119. After the pairing authorization is completed, UTM/USS obtains the first user plane security protection enabling indication from UFES1.
In one possible implementation, UTM/USS sends a request message to UFES1. The request message includes the external UAV ID of the UAV and is used to request the first user plane security protection enabling indication. After receiving the request message, UFES1 can determine the first user plane security protection enabling indication according to the stored mapping between the external UAV ID of the UAV and the first user plane security protection enabling indication, and carry the first user plane security protection enabling indication in the response message it sends to UTM/USS.
It should be noted that, in the embodiments of this application, the request message sent by UTM/USS to UFES1 is only one example of the third message in the embodiment shown in FIG. 5; the third message may also be another message, which is not specifically limited in the embodiments of this application.
It should be noted that way X and way Y above are described by taking as an example the UAV sending the C2 pairing request to UTM/USS via 3GPP access. Optionally, the UAV may also send the C2 pairing request to UTM/USS via non-3GPP access, in which case the C2 pairing request includes the external UAV ID of the UAV. After receiving the C2 pairing request, UTM/USS can obtain the first user plane security protection enabling indication in the manner of steps S1118-S1119 above. It is not repeated here.
Based on way X or way Y above, UTM/USS can obtain the first user plane security protection enabling indication through the pairing authorization procedure. Further, the communication method provided by the embodiments of this application also includes the following steps S1120-S1121:
S1120. After the pairing authorization is completed, UTM/USS sends indication information 7 to SMF1 through UFES1. Correspondingly, SMF1 receives indication information 7 from UTM/USS. Indication information 7 indicates that the C2 pairing authorization between the UAV and the UAVC succeeded.
S1121. SMF1 triggers the procedure for establishing the first PDU session. The first PDU session in the embodiments of this application may be obtained by modifying the third PDU session described above, or may be newly established by the UAV when triggered by the SMF; this is not specifically limited in the embodiments of this application. For both the procedure of obtaining the first PDU session by modifying the third PDU session and the procedure of newly establishing the first PDU session, refer to the prior art. They are not repeated here.
Based on the above solution, UTM/USS can obtain the first user plane security protection enabling indication. Further, SMF2, which serves the UAVC, can, during the procedure in which the UAVC establishes the second PDU session for carrying C2 communication, obtain the first user plane security protection enabling indication, or obtain the second user plane security protection policy corresponding to the UAVC that has been updated according to the first user plane security protection enabling indication. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. For the related implementation, refer to steps S814-S828 in the embodiment shown in FIG. 8. They are not repeated here.
Based on the communication method provided by the embodiments of this application, UTM/USS, triggered by the pairing authorization procedure, can obtain from UFES1 (which serves the UAV) the first user plane security protection enabling indication, which indicates whether user plane security protection of the first PDU session carrying C2 communication is enabled. SMF2, which serves the UAVC, can, during the procedure in which the UAVC establishes the second PDU session carrying C2 communication, obtain the first user plane security protection enabling indication, or obtain the second user plane security protection policy corresponding to the UAVC that has been updated according to the first user plane security protection enabling indication. Whether user plane security protection of the second PDU session is enabled is determined by the first user plane security protection enabling indication or by the second user plane security protection policy. Therefore, this solution ensures that user plane security protection is enabled in the same way for the first PDU session carrying C2 communication on the UAV side and for the second PDU session carrying C2 communication on the UAVC side, which guarantees the consistency of user plane security protection of the C2 communication between the UAV and the UAVC.
The actions of SMF1, UTM/USS, SMF2, UFES1 or UFES2 in steps S1101a to S1121 above may be performed by the processor 401 in the communication apparatus 400 shown in FIG. 4 calling the application program code stored in the memory 403 to instruct SMF1, UTM/USS, SMF2, UFES1 or UFES2; this embodiment imposes no limitation on this.
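The following simulation of the FIG. 11 flow is an added example and is not code from the patent or from any 3GPP implementation. It models SMF1 learning the first user plane security protection enabling indication during third PDU session establishment and passing it to UFES1 by way P or way Q, UFES1 keying it by external UAV ID (S1113) and handing it to UTM/USS by way X or way Y, and SMF2 deriving the second PDU session's protection from it; the 3GPP-to-external ID translation it performs is the same one steps S1012-S1013 of FIG. 10 rely on. Everything not on the page is an assumption: the policy vocabulary REQUIRED / PREFERRED / NOT_NEEDED is taken from the 3GPP user plane security policy rather than from this page, the DNN name `uas-non-c2`, the identifiers `3gpp-uav-01`, `ext-uav-01`, `3gpp-uavc-09` and `ext-uavc-09` are constructed, an in-memory dictionary stands in for UDM1, RAN device 1 is assumed to report the first indication back to SMF1 in steps S1106-S1108 (the page only points to FIG. 8 for those steps), and a RAN's choice for PREFERRED is modelled as a fixed per-RAN preference.

```python
"""Simulation of the FIG. 11 flow on constructed data: SMF1 learns the first user plane
security protection enabling indication while the third PDU session is established and
hands it to UFES1 (way P or Q); UFES1 keys it by external UAV ID (S1113) and gives it to
UTM/USS in pairing authorization (way X or Y); SMF2 derives the second PDU session's
protection from it. Added example, not the patent's code."""
from collections import namedtuple
from typing import Dict, Optional, Tuple

REQUIRED, PREFERRED, NOT_NEEDED = "REQUIRED", "PREFERRED", "NOT_NEEDED"  # assumed TS 33.501 vocabulary
NON_C2_DNN = "uas-non-c2"  # assumed DNN that acts as implicit indication information 6
UpPolicy = namedtuple("UpPolicy", "ciphering integrity")                # user plane security protection policy
UpIndication = namedtuple("UpIndication", "ciphering_on integrity_on")  # ... enabling indication


class Ran:
    """RAN device: derives an enabling indication from a policy (S1105)."""
    def __init__(self, prefers_on: bool):
        self.prefers_on = prefers_on  # this RAN's own choice when the policy says PREFERRED

    def decide(self, policy: UpPolicy) -> UpIndication:
        def on(v: str) -> bool:
            return True if v == REQUIRED else False if v == NOT_NEEDED else self.prefers_on
        return UpIndication(on(policy.ciphering), on(policy.integrity))


class Ufes:
    """UFES1: ID translation plus the external UAV ID -> first indication map (S1113)."""
    def __init__(self, gpp_to_external: Dict[str, str]):
        self.gpp_to_external = gpp_to_external
        self.indication_of: Dict[str, UpIndication] = {}

    def translate(self, gpp_id: str) -> str:
        if gpp_id not in self.gpp_to_external:  # never forward an ID the network did not map
            raise KeyError(f"unknown 3GPP ID {gpp_id!r}")
        return self.gpp_to_external[gpp_id]

    def on_uuaa_request(self, gpp_uav_id: str, indication: Optional[UpIndication], smf: "Smf") -> str:
        # Way P: the indication rides in UUAA request 1. Way Q: only the ID arrives (UUAA
        # request 2) and UFES1 asks SMF1 for it (S1111). Returns the external ID for UUAA request 3.
        if indication is None:
            indication = smf.first_indications[gpp_uav_id]
        external_id = self.translate(gpp_uav_id)
        self.indication_of[external_id] = indication
        return external_id

    def c2_pairing_request_3(self, gpp_uav_id: str, uavc_id: str, uavc_in_container: bool) -> dict:
        # Way X (S1115). An external UAVC ID inside a container is passed through opaque and
        # unmodified; a 3GPP UAVC ID must be translated before UTM/USS can recognise it.
        external_id = self.translate(gpp_uav_id)
        return {"external_uav_id": external_id,
                "first_indication": self.indication_of[external_id],
                "uavc_external_id": uavc_id if uavc_in_container else self.translate(uavc_id)}


class Smf:
    """SMF1 for the third PDU session (S1102-S1111); `subscriptions` stands in for UDM1."""
    def __init__(self, subscriptions: Dict[str, Tuple[UpPolicy, UpPolicy]], ran: Ran, ufes: Ufes):
        self.subscriptions, self.ran, self.ufes = subscriptions, ran, ufes
        self.first_indications: Dict[str, UpIndication] = {}

    def establish_third_session(self, gpp_uav_id: str, dnn: str, way: str) -> Tuple[UpIndication, str]:
        if dnn != NON_C2_DNN:  # implicit indication information 6 (S1102)
            raise ValueError("session establishment request 3 must use the non-C2 DNN")
        first_policy, fourth_policy = self.subscriptions[gpp_uav_id]  # S1103, from UDM1
        fourth_ind = self.ran.decide(fourth_policy)  # S1105: protection of the third PDU session itself
        first_ind = self.ran.decide(first_policy)    # assumed: RAN device 1 reports it back (S1106-S1108)
        self.first_indications[gpp_uav_id] = first_ind
        return fourth_ind, self.ufes.on_uuaa_request(gpp_uav_id, first_ind if way == "P" else None, self)


def utm_uss_authorize(ufes: Ufes, online_uavcs: set, external_uav_id: str, uavc_external_id: str,
                      indication: Optional[UpIndication]) -> UpIndication:
    """S1116/S1118: authorize only if the paired UAVC is on the network, then hold the
    indication (way X: already in request 3; way Y: fetched from UFES1 afterwards, S1119)."""
    if uavc_external_id not in online_uavcs:
        raise PermissionError("paired UAVC is not on the network; C2 pairing refused")
    return indication if indication is not None else ufes.indication_of[external_uav_id]


def second_session_indication(first_ind: UpIndication, ran2: Ran) -> UpIndication:
    """SMF2 side: rewrite the UAVC's second policy from the first indication so RAN device 2
    has no PREFERRED choice left, then let it decide (the page's 'updated second policy' option)."""
    updated = UpPolicy(REQUIRED if first_ind.ciphering_on else NOT_NEEDED,
                       REQUIRED if first_ind.integrity_on else NOT_NEEDED)
    return ran2.decide(updated)


def run_flow(way_pq: str = "P", way_xy: str = "X") -> Tuple[UpIndication, UpIndication]:
    """Whole flow on constructed IDs; returns the (UAV side, UAVC side) indications."""
    ufes = Ufes({"3gpp-uav-01": "ext-uav-01", "3gpp-uavc-09": "ext-uavc-09"})
    ran1, ran2 = Ran(prefers_on=True), Ran(prefers_on=False)  # left alone, RAN2 would pick "off"
    smf1 = Smf({"3gpp-uav-01": (UpPolicy(REQUIRED, PREFERRED), UpPolicy(PREFERRED, NOT_NEEDED))}, ran1, ufes)
    _, ext_uav = smf1.establish_third_session("3gpp-uav-01", NON_C2_DNN, way_pq)
    if way_xy == "X":
        req3 = ufes.c2_pairing_request_3("3gpp-uav-01", "3gpp-uavc-09", uavc_in_container=False)
        first = utm_uss_authorize(ufes, {"ext-uavc-09"}, req3["external_uav_id"],
                                  req3["uavc_external_id"], req3["first_indication"])
    else:  # way Y: C2 pairing request 1 goes straight to UTM/USS over the third PDU session
        first = utm_uss_authorize(ufes, {"ext-uavc-09"}, ext_uav, "ext-uavc-09", None)
    return first, second_session_indication(first, ran2)
```

The point the simulation makes is the one the page argues: with the UAV's first policy at REQUIRED/PREFERRED and RAN device 1 choosing "on" for PREFERRED, the UAV side ends up with ciphering and integrity both enabled, while RAN device 2, which prefers "off", would leave the UAVC's unmodified PREFERRED/PREFERRED policy with both disabled; only because the first indication is carried through UFES1 and UTM/USS and turned into an updated second policy does the second PDU session match. Note also that the container passthrough only means the intermediate nodes do not parse or alter the external UAVC ID; it is not a cryptographic protection of that field.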
As an alternative, in the embodiment shown in FIG. 11, after UFES1 obtains the first user plane security protection enabling indication during the establishment of the third PDU session, it may send the first user plane security protection enabling indication to the UTM/USS in the remaining part of the third PDU session establishment procedure described in step S1112. For example, UFES1 may send the first user plane security protection enabling indication to the UTM/USS in the UUAA request 3 described above. In this way, after UFES1 receives UUAA request 3, the first user plane security protection enabling indication is obtained directly, and it is not necessary to obtain it through manner X or manner Y of the embodiment shown in FIG. 11. This embodiment of the present application does not elaborate this solution further; for details, refer to the relevant steps of the embodiment shown in FIG. 11.
It can be understood that, in each of the embodiments above, the methods and/or steps implemented by the management device may also be implemented by a component (for example, a chip or a circuit) usable in the management device; and the methods and/or steps implemented by a session management entity (including the first session management entity or the second session management entity) may also be implemented by a component (for example, a chip or a circuit) usable in the session management entity.
The foregoing mainly describes the solutions provided by the embodiments of the present application from the perspective of interaction between the network elements. Correspondingly, an embodiment of the present application further provides a communication apparatus configured to implement the methods above. The communication apparatus may be the management device in the method embodiments above, an apparatus including the management device, or a component usable in the management device; or the communication apparatus may be the session management entity (including the first session management entity or the second session management entity) in the method embodiments above, an apparatus including the session management entity, or a component usable in the session management entity. It can be understood that, to implement the functions above, the communication apparatus includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of the present application.
In the embodiments of the present application, the communication apparatus may be divided into functional modules according to the method embodiments above; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of the present application is illustrative and is only a division by logical function; other divisions are possible in actual implementation.
FIG. 12 is a schematic structural diagram of a communication apparatus 120. The communication apparatus 120 includes a transceiver module 1201 and a processing module 1202. The transceiver module 1201, which may also be called a transceiver unit, implements the transmitting and receiving functions and may be, for example, a transceiver circuit, a transceiver, or a communication interface.
Taking the communication apparatus 120 as the management device in the method embodiments above as an example:
In a possible implementation, the processing module 1202 is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled. The first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device. The transceiver module 1201 is configured to trigger the second terminal device to initiate establishment of a second session, where whether user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is a session used by the second terminal device to carry the C2 communication.
In a possible implementation, the transceiver module 1201 being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of the second session; and sending the first user plane security protection enabling indication to a second unified data management entity, where the second unified data management entity is the unified data management entity serving the second terminal device.
In another possible implementation, the transceiver module 1201 being configured to trigger the second terminal device to initiate establishment of the second session includes: sending a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of the second session; and receiving a second message from a second proxy function entity and sending the first user plane security protection enabling indication to the second proxy function entity, where the second message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, the second proxy function entity is used to provide an interface from a second session management entity to the management device, and the second session management entity is the session management entity serving the second terminal device.
In a possible implementation, the processing module 1202 is specifically configured to: receive, through the transceiver module 1201, the first user plane security protection enabling indication from a first session management entity, where the first session management entity is the session management entity serving the first terminal device; or receive, through the transceiver module 1201, the first user plane security protection enabling indication from the first terminal device; or receive, through the transceiver module 1201, the first user plane security protection enabling indication from a first proxy function entity, where the first proxy function entity is used to provide an interface from the first session management entity to the management device.
In another possible implementation, the processing module 1202 is specifically configured to: determine that pairing authorization between the first terminal device and the second terminal device has succeeded; send, through the transceiver module 1201, a third message to the first proxy function entity, where the third message includes identification information of the first terminal device and is used to request the first user plane security protection enabling indication, the first proxy function entity is used to provide an interface from the first session management entity to the management device, and the first session management entity is the session management entity serving the first terminal device; and receive, through the transceiver module 1201, the first user plane security protection enabling indication from the first proxy function entity.
Taking the communication apparatus 120 as the first session management entity in the method embodiments above as an example:
In a possible implementation, the processing module 1202 is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled. The first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is the session management entity serving the first terminal device. The transceiver module 1201 is configured to send the first user plane security protection enabling indication, which is used to determine whether user plane security protection of a second session is enabled, where the second session is a session used by the second terminal device to carry the C2 communication.
In a possible implementation, the transceiver module 1201 is specifically configured to send the first user plane security protection enabling indication to the management device.
In another possible implementation, the transceiver module 1201 is specifically configured to send the first user plane security protection enabling indication to a first proxy function entity, where the first proxy function entity is used to provide an interface from the first session management entity to the management device.
Optionally, in this embodiment of the present application, the transceiver module 1201 is further configured to receive a fourth message from the first proxy function entity before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, where the fourth message includes identification information of the first terminal device and is used to request the first user plane security protection enabling indication.
In a possible implementation, the processing module 1202 is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send, through the transceiver module 1201, the first user plane security protection policy to a first access network device serving the first terminal device; and receive, through the transceiver module 1201, the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
In a possible implementation, the processing module 1202 is specifically configured to: obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send, through the transceiver module 1201, the first user plane security protection policy to a first access network device serving the first terminal device; receive, through the transceiver module 1201, a seventh message from the first access network device, where the seventh message indicates that the first access network device has established the first session according to the first user plane security protection policy; and, in response to the seventh message, determine the first user plane security protection enabling indication according to the first user plane security protection policy.
Taking the communication apparatus 120 as the second session management entity in the method embodiments above as an example:
In a possible implementation, the processing module 1202 is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled. The first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The transceiver module 1201 is configured to send the first user plane security protection enabling indication to a second access network device serving the second terminal device, where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
Again taking the communication apparatus 120 as the second session management entity in the method embodiments above as an example:
In a possible implementation, the processing module 1202 is configured to obtain a first user plane security protection enabling indication, which indicates whether user plane security protection of a first session is enabled. The first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is the session management entity serving the second terminal device. The processing module 1202 is further configured to determine a third user plane security protection policy according to the first user plane security protection enabling indication, where the third user plane security protection policy includes only "security protection mandatorily enabled" or "security protection mandatorily not enabled". The transceiver module 1201 is configured to send the third user plane security protection policy to a second access network device serving the second terminal device, where the third user plane security protection policy is used to determine a second user plane security protection enabling indication, the second user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
In this embodiment of the present application, for the way in which the processing module 1202 determines the third user plane security protection policy according to the first user plane security protection enabling indication, refer to the Summary section above; it is not repeated here.
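As an added illustration of the third-policy derivation described above (model code written for this page, not the patent's or any project's implementation), the following Python models an access network device applying a user plane security protection policy, the second session management entity mapping the first session's enabling indication onto a policy that contains only the two mandatory values, and a check that both C2 sessions end up with the same protection. The Policy values, the class and function names and the prefer_on parameter are assumptions of this model.

```python
"""Model of the user plane security protection consistency mechanism for two
C2 sessions (UAV side and UAVC side). Added example; names are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    """Per-feature value of a user plane security protection policy."""
    REQUIRED = "required"        # security protection mandatorily enabled
    PREFERRED = "preferred"      # access network device decides locally
    NOT_NEEDED = "not_needed"    # security protection mandatorily not enabled


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class UpSecurityEnablingIndication:
    """What an access network device actually activated for a session."""
    ciphering_enabled: bool
    integrity_enabled: bool


def activate_session(policy: UpSecurityPolicy, prefer_on: bool) -> UpSecurityEnablingIndication:
    """Model of an access network device applying a policy while establishing a
    session. REQUIRED and NOT_NEEDED leave no choice; PREFERRED is a local
    decision, parameterised here by prefer_on (an assumed local setting)."""
    def decide(p: Policy) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return prefer_on
    return UpSecurityEnablingIndication(decide(policy.ciphering), decide(policy.integrity))


def derive_third_policy(ind: UpSecurityEnablingIndication) -> UpSecurityPolicy:
    """Second session management entity step from the text: map the first
    session's enabling indication onto a policy that contains only the two
    mandatory values, so the second access network device has no discretion."""
    return UpSecurityPolicy(
        ciphering=Policy.REQUIRED if ind.ciphering_enabled else Policy.NOT_NEEDED,
        integrity=Policy.REQUIRED if ind.integrity_enabled else Policy.NOT_NEEDED,
    )


def setup_c2_sessions(first_policy: UpSecurityPolicy, ran1_prefers_on: bool,
                      ran2_prefers_on: bool, use_indication: bool):
    """Establish the UAV-side (first) and UAVC-side (second) sessions and return
    both enabling indications. With use_indication=False the UAVC side simply
    applies its own policy (assumed here to equal the UAV's), which is the
    situation the text describes as unable to guarantee consistency."""
    first_ind = activate_session(first_policy, ran1_prefers_on)
    second_policy = derive_third_policy(first_ind) if use_indication else first_policy
    second_ind = activate_session(second_policy, ran2_prefers_on)
    return first_ind, second_ind


def is_consistent(first_ind: UpSecurityEnablingIndication,
                  second_ind: UpSecurityEnablingIndication) -> bool:
    """Consistency check: both C2 sessions must activate the same protections."""
    return first_ind == second_ind


if __name__ == "__main__":
    # Constructed scenario: both policies say PREFERRED, but the two access
    # network devices make opposite local choices.
    preferred = UpSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    a, b = setup_c2_sessions(preferred, True, False, use_indication=False)
    print("without indication:", a, b, "consistent =", is_consistent(a, b))
    a, b = setup_c2_sessions(preferred, True, False, use_indication=True)
    print("with indication:   ", a, b, "consistent =", is_consistent(a, b))
```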
In a possible implementation, the processing module 1202 being configured to obtain the first user plane security protection enabling indication includes: sending, through the transceiver module 1201, a fifth message to a second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device and is used to request a second user plane security protection policy; and receiving, through the transceiver module 1201, the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity.
In another possible implementation, the processing module 1202 being configured to obtain the first user plane security protection enabling indication includes: sending, through the transceiver module 1201, a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device and is used to request the first user plane security protection enabling indication, and the second proxy function entity is used to provide an interface from the second session management entity to the management device; and receiving, through the transceiver module 1201, the first user plane security protection enabling indication from the second proxy function entity.
Optionally, in this embodiment of the present application, the transceiver module 1201 is further configured to receive indication information from the second terminal device before sending the sixth message to the second proxy function entity, where the indication information indicates that the second session the second terminal device requests to establish is used to respond to the C2 communication initiated by the first terminal device.
All relevant content of the steps involved in the method embodiments above can be cited in the functional descriptions of the corresponding functional modules and is not repeated here.
In this embodiment, the communication apparatus 120 is presented with its functional modules divided in an integrated manner. A "module" here may be an application-specific integrated circuit (ASIC), a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions above. In a simple embodiment, those skilled in the art will appreciate that the communication apparatus 120 may take the form of the communication apparatus 400 shown in FIG. 4.
For example, the processor 401 in the communication apparatus 400 shown in FIG. 4 may invoke the computer-executable instructions stored in the memory 403 so that the communication apparatus 400 performs the communication method in the method embodiments above.
Specifically, the functions/implementation processes of the transceiver module 1201 and the processing module 1202 in FIG. 12 may be implemented by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the computer-executable instructions stored in the memory 403. Alternatively, the function/implementation process of the processing module 1202 in FIG. 12 may be implemented by the processor 401 in the communication apparatus 400 shown in FIG. 4 invoking the computer-executable instructions stored in the memory 403, and the function/implementation process of the transceiver module 1201 in FIG. 12 may be implemented through the communication interface 404 in the communication apparatus 400 shown in FIG. 4.
Since the communication apparatus 120 provided in this embodiment can perform the communication method above, for the technical effects it can achieve refer to the method embodiments above; they are not repeated here.
It should be noted that one or more of the modules or units above may be implemented in software, in hardware, or in a combination of both. When any of the modules or units above is implemented in software, the software exists as computer program instructions stored in a memory, and a processor may execute the program instructions to implement the method procedures above. The processor may be built into a system on chip (SoC) or an ASIC, or may be an independent semiconductor chip. In addition to the core that executes software instructions to perform operations or processing, the processor may further include necessary hardware accelerators, such as a field programmable gate array (FPGA), a programmable logic device (PLD), or a logic circuit implementing dedicated logic operations.
When the modules or units above are implemented in hardware, the hardware may be any one or any combination of a CPU, a microprocessor, a digital signal processing (DSP) chip, a microcontroller unit (MCU), an artificial intelligence processor, an ASIC, an SoC, an FPGA, a PLD, a dedicated digital circuit, a hardware accelerator, or non-integrated discrete devices, which may run the necessary software or operate without software to perform the method procedures above.
Optionally, an embodiment of the present application further provides a chip system, including at least one processor and an interface, where the at least one processor is coupled to a memory through the interface, and when the at least one processor executes the computer program or instructions in the memory, the method in any of the method embodiments above is performed. In a possible implementation, the communication apparatus further includes the memory. Optionally, the chip system may consist of a chip, or may include a chip and other discrete devices; this is not specifically limited in the embodiments of the present application.
The embodiments above may be implemented wholly or partly by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of the present application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (for example, coaxial cable, optical fibre, or digital subscriber line (DSL)) or wireless (for example, infrared, radio, or microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)), or the like.
Although the present application is described herein in conjunction with the embodiments, in the course of implementing the claimed application those skilled in the art can, by reviewing the drawings, the disclosure, and the appended claims, understand and implement other variations of the disclosed embodiments. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, it is evident that various modifications and combinations can be made without departing from the spirit and scope of the present application. Accordingly, the specification and drawings are merely illustrative of the present application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application. Evidently, those skilled in the art can make various changes and modifications to the present application without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present application and their equivalents, the present application is intended to include them as well.

Claims (46)

  1. A communication method, characterized in that the method comprises:
    obtaining, by a management device, a first user plane security protection enabling indication, the first user plane security protection enabling indication being used to indicate whether user plane security protection of a first session is enabled; wherein the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device;
    所述管理设备触发所述第二终端设备发起第二会话的建立,其中,所述第二会话的用户面安全保护是否开启由所述第一用户面安全保护开启指示确定,所述第二会话为所述第二终端设备用于承载所述C2通信的会话。The management device triggers the second terminal device to initiate the establishment of a second session, wherein whether the user plane security protection of the second session is enabled is determined by the first user plane security protection enable instruction, and the second session is the session used by the second terminal device to carry the C2 communication.
  2. 根据权利要求1所述的方法,其特征在于,所述管理设备触发所述第二终端设备发起第二会话的建立,包括:The method according to claim 1, wherein the management device triggering the second terminal device to initiate the establishment of the second session comprises:
    所述管理设备向所述第二终端设备发送第一消息,所述第一消息用于触发所述第二终端设备发起所述第二会话的建立;sending, by the management device, a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of the second session;
    以及,所述管理设备向第二统一数据管理实体发送所述第一用户面安全保护开启指示,其中,所述第二统一数据管理实体是为所述第二终端设备服务的统一数据管理实体。And, the management device sends the first user plane security protection opening indication to a second unified data management entity, where the second unified data management entity is a unified data management entity serving the second terminal device.
  3. 根据权利要求1所述的方法,其特征在于,所述管理设备触发所述第二终端设备发起第二会话的建立,包括:The method according to claim 1, wherein the management device triggering the second terminal device to initiate the establishment of the second session comprises:
    所述管理设备向所述第二终端设备发送第一消息,所述第一消息用于触发所述第二终端设备发起第二会话的建立;sending, by the management device, a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of a second session;
    以及,所述管理设备接收来自第二代理功能实体的第二消息,并向所述第二代理功能实体发送所述第一用户面安全保护开启指示;其中,所述第二消息包括所述第二终端设备的标识信息,所述第二消息用于请求所述第一用户面安全保护开启指示,所述第二代理功能实体用于提供第二会话管理实体到所述管理设备的接口,所述第二会话管理实体是为所述第二终端设备服务的会话管理实体。And, the management device receives the second message from the second proxy function entity, and sends the first user plane security protection opening indication to the second proxy function entity; wherein, the second message includes the first The identification information of the second terminal device, the second message is used to request the first user plane security protection opening instruction, the second proxy function entity is used to provide the interface from the second session management entity to the management device, so The second session management entity is a session management entity serving the second terminal device.
  4. 根据权利要求1-3任一项所述的方法,其特征在于,所述管理设备获取第一用户面安全保护开启指示,包括:The method according to any one of claims 1-3, wherein the obtaining, by the management device, the first user plane security protection enabling instruction, comprises:
    所述管理设备接收来自第一会话管理实体的所述第一用户面安全保护开启指示,所述第一会话管理实体是为所述第一终端设备服务的会话管理实体;receiving, by the management device, an indication of enabling the security protection of the first user plane from a first session management entity, where the first session management entity is a session management entity serving the first terminal device;
    或者,所述管理设备接收来自所述第一终端设备的所述第一用户面安全保护开启指示;Or, the management device receives the first user plane security protection opening instruction from the first terminal device;
    或者,所述管理设备接收来自第一代理功能实体的所述第一用户面安全保护开启指示,所述第一代理功能实体用于提供所述第一会话管理实体到所述管理设备的接口。Alternatively, the management device receives the first user plane security protection opening instruction from a first proxy function entity, where the first proxy function entity is configured to provide an interface from the first session management entity to the management device.
  5. 根据权利要求1-3任一项所述的方法,其特征在于,所述管理设备获取第一用户面安全保护开启指示,包括:The method according to any one of claims 1-3, wherein the obtaining, by the management device, the first user plane security protection enabling instruction, comprises:
    所述管理设备确定所述第一终端设备与所述第二终端设备配对授权成功;The management device determines that the pairing authorization between the first terminal device and the second terminal device is successful;
    所述管理设备向第一代理功能实体发送第三消息,所述第三消息包括所述第一终端设备的标识信息,所述第三消息用于请求所述第一用户面安全保护开启指示;其中, 所述第一代理功能实体用于提供第一会话管理实体到所述管理设备的接口,所述第一会话管理实体是为所述第一终端设备服务的会话管理实体;The management device sends a third message to the first proxy function entity, where the third message includes identification information of the first terminal device, and the third message is used to request the first user plane security protection opening instruction; wherein, the first proxy function entity is used to provide an interface from a first session management entity to the management device, where the first session management entity is a session management entity serving the first terminal device;
    所述管理设备接收来自所述第一代理功能实体的所述第一用户面安全保护开启指示。The management device receives the first user plane security protection opening instruction from the first proxy function entity.
  6. 根据权利要求1-5任一项所述的方法,其特征在于,所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示;所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护开启或不开启;所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护开启或不开启。The method according to any one of claims 1-5, wherein the first user plane security protection enabling indication comprises a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication The first user plane confidentiality protection opening result indication is used to indicate that the user plane confidentiality protection is turned on or not turned on; the first user plane integrity protection turning on result indication is used to indicate that the user plane integrity protection is turned on or not turned on .
  7. A communication method, characterized in that the method comprises:
    obtaining, by a first session management entity, a first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to indicate whether user plane security protection of a first session is enabled; where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is a session management entity serving the first terminal device;
    sending, by the first session management entity, the first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
  8. The method according to claim 7, characterized in that the sending, by the first session management entity, the first user plane security protection enabling indication comprises:
    sending, by the first session management entity, the first user plane security protection enabling indication to a management device.
  9. The method according to claim 7, characterized in that the sending, by the first session management entity, the first user plane security protection enabling indication comprises:
    sending, by the first session management entity, the first user plane security protection enabling indication to a first proxy function entity; where the first proxy function entity is used to provide an interface from the first session management entity to a management device.
  10. The method according to claim 9, characterized in that before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, the method further comprises:
    receiving, by the first session management entity, a fourth message from the first proxy function entity, where the fourth message includes identification information of the first terminal device, and the fourth message is used to request the first user plane security protection enabling indication.
  11. The method according to any one of claims 7 to 10, characterized in that the obtaining, by the first session management entity, a first user plane security protection enabling indication comprises:
    obtaining, by the first session management entity, a first user plane security protection policy from a first unified data management entity serving the first terminal device;
    sending, by the first session management entity, the first user plane security protection policy to a first access network device serving the first terminal device;
    receiving, by the first session management entity, the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
  12. The method according to any one of claims 7 to 10, characterized in that the obtaining, by the first session management entity, a first user plane security protection enabling indication comprises:
    obtaining, by the first session management entity, a first user plane security protection policy from a first unified data management entity serving the first terminal device;
    sending, by the first session management entity, the first user plane security protection policy to a first access network device serving the first terminal device;
    receiving, by the first session management entity, a seventh message from the first access network device, where the seventh message is used to indicate that the first access network device has established the first session according to the first user plane security protection policy;
    in response to the seventh message, determining, by the first session management entity, the first user plane security protection enabling indication according to the first user plane security protection policy.
  13. The method according to any one of claims 7 to 12, characterized in that the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication; the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is enabled or not enabled; and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is enabled or not enabled.
  14. A communication method, characterized in that the method comprises:
    obtaining, by a second session management entity, a first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to indicate whether user plane security protection of a first session is enabled; where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is a session management entity serving the second terminal device;
    sending, by the second session management entity, the first user plane security protection enabling indication to a second access network device serving the second terminal device; where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
  15. A communication method, characterized in that the method comprises:
    obtaining, by a second session management entity, a first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to indicate whether user plane security protection of a first session is enabled; where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the second session management entity is a session management entity serving the second terminal device;
    determining, by the second session management entity, a third user plane security protection policy according to the first user plane security protection enabling indication, where the third user plane security protection policy includes only mandatory enabling of security protection or mandatory non-enabling of security protection;
    sending, by the second session management entity, the third user plane security protection policy to a second access network device serving the second terminal device; where the third user plane security protection policy is used to determine a second user plane security protection enabling indication, the second user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
  16. The method according to claim 15, characterized in that the determining, by the second session management entity, a third user plane security protection policy according to the first user plane security protection enabling indication comprises:
    when the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is enabled, and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is enabled, determining, by the second session management entity, that the third user plane security protection policy is: user plane confidentiality protection mandatorily enabled and user plane integrity protection mandatorily enabled;
    or, when the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is not enabled, and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is not enabled, determining, by the second session management entity, that the third user plane security protection policy is: user plane confidentiality protection mandatorily not enabled and user plane integrity protection mandatorily not enabled;
    or, when the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is not enabled, and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is enabled, determining, by the second session management entity, that the third user plane security protection policy is: user plane confidentiality protection mandatorily not enabled and user plane integrity protection mandatorily enabled;
    or, when the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is enabled, and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is not enabled, determining, by the second session management entity, that the third user plane security protection policy is: user plane confidentiality protection mandatorily enabled and user plane integrity protection mandatorily not enabled.
  17. The method according to any one of claims 14 to 16, characterized in that the obtaining, by the second session management entity, a first user plane security protection enabling indication comprises:
    sending, by the second session management entity, a fifth message to a second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device, and the fifth message is used to request a second user plane security protection policy;
    receiving, by the second session management entity, the second user plane security protection policy and the first user plane security protection enabling indication from the second unified data management entity.
  18. The method according to any one of claims 14 to 16, characterized in that the obtaining, by the second session management entity, a first user plane security protection enabling indication comprises:
    sending, by the second session management entity, a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device, the sixth message is used to request the first user plane security protection enabling indication, and the second proxy function entity is used to provide an interface from the second session management entity to a management device;
    receiving, by the second session management entity, the first user plane security protection enabling indication from the second proxy function entity.
  19. The method according to claim 18, characterized in that before the second session management entity sends the sixth message to the second proxy function entity, the method further comprises:
    receiving, by the second session management entity, indication information from the second terminal device, where the indication information indicates that the second session that the second terminal device requests to establish is used to respond to the C2 communication initiated by the first terminal device.
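The procedure of claims 1, 2, 11, 15, 16 and 17, as an added example in Python that is not part of the patent or of any implementation by the applicant: the management device, the unified data management entities, the session management entities and the access network devices are modelled as plain functions and variables, and the policy values REQUIRED, PREFERRED and NOT_NEEDED together with the rule by which an access network device resolves PREFERRED are assumptions. The example contrasts a baseline, where the second session's activation result depends only on the second terminal device's own policy, with the claimed procedure, where the first session's enabling indication is relayed through the management device and mapped to a mandatory third policy as in claim 16, so that both sessions end up with the same protection.

```python
"""Model of the user plane security consistency procedure for two C2 sessions.

Constructed example; entity names and decision rules are assumptions, not the
patent's own implementation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Policy(Enum):
    """Per-feature user plane security protection policy value held in a UDM (assumed values)."""
    REQUIRED = "REQUIRED"      # protection must be enabled
    PREFERRED = "PREFERRED"    # the access network device may decide
    NOT_NEEDED = "NOT_NEEDED"  # protection must not be enabled


@dataclass(frozen=True)
class UpSecurityPolicy:
    confidentiality: Policy
    integrity: Policy


@dataclass(frozen=True)
class EnablingIndication:
    """User plane security protection enabling indication: one enabling result
    for confidentiality and one for integrity (claims 6, 13, 25, 32)."""
    confidentiality_on: bool
    integrity_on: bool


def ran_activate(policy: UpSecurityPolicy, ran_prefers_on: bool) -> EnablingIndication:
    """Assumed access-network decision rule: REQUIRED and NOT_NEEDED are binding;
    PREFERRED is resolved by local conditions, modelled here by ran_prefers_on."""
    def decide(value: Policy) -> bool:
        if value is Policy.REQUIRED:
            return True
        if value is Policy.NOT_NEEDED:
            return False
        return ran_prefers_on
    return EnablingIndication(decide(policy.confidentiality), decide(policy.integrity))


def derive_third_policy(indication: EnablingIndication) -> UpSecurityPolicy:
    """Claim 16: map each enabling result to a mandatory policy value, so the
    second access network device is left no PREFERRED choice."""
    def mandatory(on: bool) -> Policy:
        return Policy.REQUIRED if on else Policy.NOT_NEEDED
    return UpSecurityPolicy(mandatory(indication.confidentiality_on),
                            mandatory(indication.integrity_on))


def establish_c2_sessions(first_policy: UpSecurityPolicy,
                          second_policy: UpSecurityPolicy,
                          ran1_prefers_on: bool,
                          ran2_prefers_on: bool,
                          relay_indication: bool) -> Tuple[EnablingIndication, EnablingIndication]:
    """Return the enabling results of the first and the second session.

    relay_indication=True follows claims 1, 2, 11, 15 and 17: SMF1 learns the
    first session's result from RAN1, the management device obtains it and
    forwards it to UDM2 while triggering the second terminal device, and SMF2
    derives the third policy from it. relay_indication=False is the baseline
    in which SMF2 only sees the second terminal device's own UDM policy.
    """
    # Claim 11: RAN1 applies the first policy and reports the enabling result to SMF1.
    first_indication = ran_activate(first_policy, ran1_prefers_on)

    # Claim 4 (first branch): the management device receives the indication from SMF1.
    management_device_indication = first_indication

    # Claim 2: the management device triggers the second terminal device and sends
    # the indication to UDM2; modelled as what UDM2 stores for that terminal.
    udm2_policy = second_policy
    udm2_indication: Optional[EnablingIndication] = (
        management_device_indication if relay_indication else None)

    # Claim 17: SMF2 requests the second policy and receives the policy
    # (and, in the claimed procedure, the first indication) from UDM2.
    if udm2_indication is not None:
        policy_for_ran2 = derive_third_policy(udm2_indication)  # claims 15 and 16
    else:
        policy_for_ran2 = udm2_policy

    # RAN2 applies whatever policy SMF2 forwarded and reports its result.
    second_indication = ran_activate(policy_for_ran2, ran2_prefers_on)
    return first_indication, second_indication


def sessions_consistent(first: EnablingIndication, second: EnablingIndication) -> bool:
    """The property the procedure is meant to guarantee for the C2 link."""
    return first == second


if __name__ == "__main__":
    preferred = UpSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    baseline = establish_c2_sessions(preferred, preferred, True, False, relay_indication=False)
    relayed = establish_c2_sessions(preferred, preferred, True, False, relay_indication=True)
    print("baseline consistent:", sessions_consistent(*baseline))  # False
    print("relayed consistent:", sessions_consistent(*relayed))    # True
```

The interesting case is a PREFERRED policy on both sides: two access network devices under different local conditions may legitimately resolve it differently, which is exactly the inconsistency the abstract describes. Relaying the first session's result and collapsing it into REQUIRED/NOT_NEEDED removes that degree of freedom from the second access network device.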
  20. A management device, characterized in that the management device comprises a processing module and a transceiver module;
    the processing module is configured to obtain a first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to indicate whether user plane security protection of a first session is enabled; where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, and the C2 communication is communication between the first terminal device and the second terminal device;
    the transceiver module is configured to trigger the second terminal device to initiate establishment of a second session, where whether user plane security protection of the second session is enabled is determined by the first user plane security protection enabling indication, and the second session is a session used by the second terminal device to carry the C2 communication.
  21. The management device according to claim 20, characterized in that the transceiver module being configured to trigger the second terminal device to initiate establishment of a second session comprises:
    sending a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of the second session; and sending the first user plane security protection enabling indication to a second unified data management entity, where the second unified data management entity is a unified data management entity serving the second terminal device.
  22. The management device according to claim 20, characterized in that the transceiver module being configured to trigger the second terminal device to initiate establishment of a second session comprises:
    sending a first message to the second terminal device, where the first message is used to trigger the second terminal device to initiate establishment of the second session; and receiving a second message from a second proxy function entity and sending the first user plane security protection enabling indication to the second proxy function entity; where the second message includes identification information of the second terminal device, the second message is used to request the first user plane security protection enabling indication, the second proxy function entity is used to provide an interface from a second session management entity to the management device, and the second session management entity is a session management entity serving the second terminal device.
  23. The management device according to any one of claims 20 to 22, characterized in that the processing module is specifically configured to:
    receive, through the transceiver module, the first user plane security protection enabling indication from a first session management entity, where the first session management entity is a session management entity serving the first terminal device;
    or, receive, through the transceiver module, the first user plane security protection enabling indication from the first terminal device;
    or, receive, through the transceiver module, the first user plane security protection enabling indication from a first proxy function entity, where the first proxy function entity is used to provide an interface from the first session management entity to the management device.
  24. The management device according to any one of claims 20 to 22, characterized in that the processing module is specifically configured to:
    determine that pairing authorization between the first terminal device and the second terminal device has succeeded; send, through the transceiver module, a third message to a first proxy function entity, where the third message includes identification information of the first terminal device, and the third message is used to request the first user plane security protection enabling indication; where the first proxy function entity is used to provide an interface from a first session management entity to the management device, and the first session management entity is a session management entity serving the first terminal device; and receive, through the transceiver module, the first user plane security protection enabling indication from the first proxy function entity.
  25. The management device according to any one of claims 20 to 24, characterized in that the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication; the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is enabled or not enabled; and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is enabled or not enabled.
  26. A first session management entity, characterized in that the first session management entity comprises a processing module and a transceiver module;
    the processing module is configured to obtain a first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to indicate whether user plane security protection of a first session is enabled; where the first session is a session used by a first terminal device to carry C2 communication, the first terminal device is the initiating end device of the C2 communication, a second terminal device is the peer end device of the C2 communication, the C2 communication is communication between the first terminal device and the second terminal device, and the first session management entity is a session management entity serving the first terminal device;
    the transceiver module is configured to send the first user plane security protection enabling indication, where the first user plane security protection enabling indication is used to determine whether user plane security protection of a second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
  27. The first session management entity according to claim 26, characterized in that the transceiver module is specifically configured to:
    send the first user plane security protection enabling indication to a management device.
  28. The first session management entity according to claim 26, characterized in that the transceiver module is specifically configured to:
    send the first user plane security protection enabling indication to a first proxy function entity; where the first proxy function entity is used to provide an interface from the first session management entity to a management device.
  29. The first session management entity according to claim 28, characterized in that
    the transceiver module is further configured to receive a fourth message from the first proxy function entity before the first session management entity sends the first user plane security protection enabling indication to the first proxy function entity, where the fourth message includes identification information of the first terminal device, and the fourth message is used to request the first user plane security protection enabling indication.
  30. The first session management entity according to any one of claims 26 to 29, characterized in that the processing module is specifically configured to:
    obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send, through the transceiver module, the first user plane security protection policy to a first access network device serving the first terminal device; and receive, through the transceiver module, the first user plane security protection enabling indication from the first access network device, where the first user plane security protection enabling indication is determined according to the first user plane security protection policy.
  31. The first session management entity according to any one of claims 26 to 29, characterized in that the processing module is specifically configured to:
    obtain a first user plane security protection policy from a first unified data management entity serving the first terminal device; send, through the transceiver module, the first user plane security protection policy to a first access network device serving the first terminal device; and, after receiving a seventh message from the first access network device through the transceiver module, determine, in response to the seventh message, the first user plane security protection enabling indication according to the first user plane security protection policy, where the seventh message is used to indicate that the first access network device has established the first session according to the first user plane security protection policy.
  32. The first session management entity according to any one of claims 26 to 31, characterized in that the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication; the first user plane confidentiality protection enabling result indication is used to indicate that user plane confidentiality protection is enabled or not enabled; and the first user plane integrity protection enabling result indication is used to indicate that user plane integrity protection is enabled or not enabled.
  32. 根据权利要求26-31任一项所述的第一会话管理实体,其特征在于,所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示;所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护开启或不开启;所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护开启或不开启。The first session management entity according to any one of claims 26 to 31, wherein the first user plane security protection enabling indication comprises a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enable result indication; the first user plane confidentiality protection enable result indication is used to indicate whether user plane confidentiality protection is enabled or not enabled; the first user plane integrity protection enable result indication is used to indicate user plane integrity protection On or off.
  33. 一种第二会话管理实体,其特征在于,所述第二会话管理实体包括:处理模块和收发模块;A second session management entity, characterized in that the second session management entity comprises: a processing module and a transceiver module;
    所述处理模块,用于获取第一用户面安全保护开启指示,所述第一用户面安全保护开启指示用于指示第一会话的用户面安全保护是否开启;其中,所述第一会话为第一终端设备用于承载C2通信的会话,所述第一终端设备为所述C2通信的发起端设备,第二终端设备为所述C2通信的对端设备,所述C2通信为所述第一终端设备与所述第二终端设备之间的通信,所述第二会话管理实体是为所述第二终端设备服务的会话管理实体;The processing module is configured to obtain a first user plane security protection opening instruction, and the first user plane security protection opening instruction is used to indicate whether the user plane security protection of the first session is enabled; wherein, the first session is the first session. A terminal device is used to carry a C2 communication session, the first terminal device is the initiating end device of the C2 communication, the second terminal device is the opposite end device of the C2 communication, and the C2 communication is the first terminal device communication between a terminal device and the second terminal device, where the second session management entity is a session management entity serving the second terminal device;
    所述收发模块,用于向为所述第二终端设备服务的第二接入网设备发送所述第一用户面安全保护开启指示;其中,所述第一用户面安全保护开启指示用于确定第二会话的用户面安全保护是否开启,所述第二会话为所述第二终端设备用于承载所述C2通信的会话。The transceiver module is configured to send the first user plane security protection opening instruction to a second access network device serving the second terminal device; wherein the first user plane security protection opening instruction is used to determine Whether the user plane security protection of the second session is enabled, where the second session is a session used by the second terminal device to carry the C2 communication.
  34. 一种第二会话管理实体,其特征在于,所述第二会话管理实体包括:处理模块和收发模块;A second session management entity, characterized in that the second session management entity comprises: a processing module and a transceiver module;
    所述处理模块,用于获取第一用户面安全保护开启指示,所述第一用户面安全保护开启指示用于指示第一会话的用户面安全保护是否开启;其中,所述第一会话为第一终端设备用于承载C2通信的会话,所述第一终端设备为所述C2通信的发起端设备,第二终端设备为所述C2通信的对端设备,所述C2通信为所述第一终端设备与所述第二终端设备之间的通信,所述第二会话管理实体是为所述第二终端设备服务的会话管理实体;The processing module is configured to obtain a first user plane security protection opening instruction, and the first user plane security protection opening instruction is used to indicate whether the user plane security protection of the first session is enabled; wherein, the first session is the first session. A terminal device is used to carry a C2 communication session, the first terminal device is the initiating end device of the C2 communication, the second terminal device is the opposite end device of the C2 communication, and the C2 communication is the first terminal device communication between a terminal device and the second terminal device, where the second session management entity is a session management entity serving the second terminal device;
    所述处理模块,还用于根据所述第一用户面安全保护开启指示确定第三用户面安全保护策略,所述第三用户面安全保护策略仅包括强制开启安全保护或强制不开启安全保护;The processing module is further configured to determine a third user plane security protection policy according to the first user plane security protection opening instruction, where the third user plane security protection policy only includes forcibly enabling security protection or forcibly not enabling security protection;
    所述收发模块,用于向为所述第二终端设备服务的第二接入网设备发送所述第三用户面安全保护策略;其中,所述第三用户面安全保护策略用于确定第二用户面安全保护开启指示,所述第二用户面安全保护开启指示用于确定第二会话的用户面安全保护是否开启,所述第二会话为所述第二终端设备用于承载所述C2通信的会话。The transceiver module is configured to send the third user plane security protection policy to the second access network device serving the second terminal device; wherein the third user plane security protection policy is used to determine the second User plane security protection enable instruction, the second user plane security protection enable instruction is used to determine whether the user plane security protection of the second session is enabled, and the second session is used by the second terminal device to carry the C2 communication session.
  35. 根据权利要求34所述的第二会话管理实体,其特征在于,所述处理模块,用于根据所述第一用户面安全保护开启指示确定第三用户面安全保护策略,包括:The second session management entity according to claim 34, wherein the processing module, configured to determine a third user plane security protection policy according to the first user plane security protection enable instruction, comprises:
    当所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示,且所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护开启,所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护开启时,确定所述第三用户面安全保护策略为用户面机密性保护强制开启且用户面完整性保护强制开启;When the first user plane security protection enabling indication includes a first user plane confidentiality protection enabling result indication and a first user plane integrity protection enabling result indication, and the first user plane confidentiality protection enabling result indication is used to indicate The user plane confidentiality protection is turned on, and the first user plane integrity protection turning on result indication is used to indicate that when the user plane integrity protection is turned on, it is determined that the third user plane security protection policy is that the user plane confidentiality protection is forcibly turned on and the user Face integrity protection is forced to be turned on;
    或者,当所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示,且所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护不开启,所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护不开启时,确定所述第三用户面安全保护策略为用户面机密性保护强制不开启且用户面完整性保护强制不开启;Or, when the first user plane security protection enable instruction includes the first user plane confidentiality protection enable result instruction and the first user plane integrity protection enable result instruction, and the first user plane confidentiality protection enable result instruction is used. When indicating that the user plane confidentiality protection is not turned on, and the first user plane integrity protection turning on result indication is used to indicate that the user plane integrity protection is not turned on, it is determined that the third user plane security protection policy is user plane confidentiality protection Mandatory not to open and user plane integrity protection mandatory to not open;
    或者,当所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示,且所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护不开启,所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护开启时,确定所述第三用户面安全保护策略为用户面机密性保护强制不开启且用户面完整性保护强制开启;Or, when the first user plane security protection enable instruction includes the first user plane confidentiality protection enable result instruction and the first user plane integrity protection enable result instruction, and the first user plane confidentiality protection enable result instruction is used. When indicating that the user plane confidentiality protection is not turned on, and the first user plane integrity protection turning on result indication is used to indicate that the user plane integrity protection is turned on, it is determined that the third user plane security protection policy is user plane confidentiality protection mandatory It is not turned on and the user plane integrity protection is forced to be turned on;
    或者,当所述第一用户面安全保护开启指示包括第一用户面机密性保护开启结果指示和第一用户面完整性保护开启结果指示,且所述第一用户面机密性保护开启结果指示用于指示用户面机密性保护开启,所述第一用户面完整性保护开启结果指示用于指示用户面完整性保护不开启时,确定所述第三用户面安全保护策略为用户面机密性保护强制开启且用户面完整性保护强制不开启。Or, when the first user plane security protection enable instruction includes the first user plane confidentiality protection enable result instruction and the first user plane integrity protection enable result instruction, and the first user plane confidentiality protection enable result instruction is used. When indicating that the user plane confidentiality protection is turned on, and the first user plane integrity protection turning on result indication is used to indicate that the user plane integrity protection is not turned on, it is determined that the third user plane security protection policy is user plane confidentiality protection mandatory It is enabled and the user plane integrity protection is forcibly disabled.
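The following is an added worked example, not code from the patent or from Huawei. It models the mapping of claims 34 and 35 (the second session management entity turns the initiator session's user plane security enable result into a policy that contains only mandatory values) and shows why that mapping keeps the two C2 sessions consistent, which is the property claims 43 and 44 state. All names are the editor's; the policy values REQUIRED, PREFERRED and NOT_NEEDED follow the 3GPP TS 33.501 user plane security policy vocabulary, and treating the claims' "mandatorily enabled / mandatorily not enabled" as REQUIRED / NOT_NEEDED is an assumption. The behaviour of the second access network device under a PREFERRED value is constructed for contrast; the claims never produce PREFERRED in the third policy.

```python
"""Added example (editor's code, not the patent's): deriving the peer C2
session's user plane (UP) security policy from the initiator session's
enable result, and checking that both sessions end up consistent."""
from dataclasses import dataclass
from enum import Enum


class PolicyValue(Enum):
    # Assumption: 3GPP TS 33.501 UP security policy values.
    REQUIRED = "REQUIRED"        # claims: security protection mandatorily enabled
    NOT_NEEDED = "NOT_NEEDED"    # claims: security protection mandatorily not enabled
    PREFERRED = "PREFERRED"      # allowed in ordinary policies, never in the third policy


@dataclass(frozen=True)
class EnableIndication:
    """UP security protection enable indication (claim 32): one enable
    result for confidentiality and one for integrity protection."""
    confidentiality: bool
    integrity: bool


@dataclass(frozen=True)
class UpSecurityPolicy:
    confidentiality: PolicyValue
    integrity: PolicyValue


def _mandatory(enabled: bool) -> PolicyValue:
    return PolicyValue.REQUIRED if enabled else PolicyValue.NOT_NEEDED


def derive_third_policy(first: EnableIndication) -> UpSecurityPolicy:
    """Claim 35: each of the four (confidentiality, integrity) enable-result
    combinations maps to the matching REQUIRED / NOT_NEEDED pair. PREFERRED
    is never produced, so the second access network device keeps no discretion."""
    return UpSecurityPolicy(_mandatory(first.confidentiality),
                            _mandatory(first.integrity))


def activate_from_policy(policy: UpSecurityPolicy,
                         ran_supports_integrity: bool = True) -> EnableIndication:
    """Constructed model of the second access network device deciding the
    second enable indication: REQUIRED and NOT_NEEDED are binding; PREFERRED
    is left to the RAN, modelled here as 'enable integrity only if supported'."""
    def decide(value: PolicyValue, supported: bool) -> bool:
        if value is PolicyValue.REQUIRED:
            return True
        if value is PolicyValue.NOT_NEEDED:
            return False
        return supported  # PREFERRED
    return EnableIndication(decide(policy.confidentiality, True),
                            decide(policy.integrity, ran_supports_integrity))


def c2_consistent(first: EnableIndication, second: EnableIndication) -> bool:
    """The consistency property the abstract is after: both C2 sessions
    activate the same UP confidentiality and integrity protection."""
    return first == second


if __name__ == "__main__":
    # Constructed scenario: the initiator's session came up with
    # confidentiality on and integrity off (first enable indication).
    first = EnableIndication(confidentiality=True, integrity=False)

    # Claims 34-35 path: a binding third policy, so the peer session always matches,
    # whatever the second RAN would have chosen on its own.
    third = derive_third_policy(first)
    print("third policy:", third)
    print("consistent via third policy:",
          c2_consistent(first, activate_from_policy(third, ran_supports_integrity=True)))

    # Contrast: a locally provisioned policy containing PREFERRED can diverge.
    local = UpSecurityPolicy(PolicyValue.REQUIRED, PolicyValue.PREFERRED)
    print("consistent via local PREFERRED policy:",
          c2_consistent(first, activate_from_policy(local, ran_supports_integrity=True)))
```

The design point the block makes is that the third policy removes the RAN's discretion: with a mandatory-only policy, `activate_from_policy` returns the initiator's enable indication for every combination and every RAN capability, whereas a policy containing PREFERRED lets the peer session drift from the initiator's activation state.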
  36. The second session management entity according to any one of claims 33 to 35, wherein that the processing module is configured to obtain a first user plane security protection enable indication includes:
    sending, via the transceiver module, a fifth message to a second unified data management entity serving the second terminal device, where the fifth message includes identification information of the second terminal device, and the fifth message is used to request a second user plane security protection policy; and receiving, via the transceiver module, the second user plane security protection policy and the first user plane security protection enable indication from the second unified data management entity.
  37. The second session management entity according to any one of claims 33 to 35, wherein that the processing module is configured to obtain a first user plane security protection enable indication includes:
    sending, via the transceiver module, a sixth message to a second proxy function entity, where the sixth message includes identification information of the second terminal device, the sixth message is used to request the first user plane security protection enable indication, and the second proxy function entity is configured to provide an interface from the second session management entity to a management device; and receiving, via the transceiver module, the first user plane security protection enable indication from the second proxy function entity.
  38. The second session management entity according to claim 37, wherein
    the transceiver module is further configured to receive indication information from the second terminal device before sending the sixth message to the second proxy function entity, where the indication information indicates that the second session which the second terminal device requests to establish is used to respond to the C2 communication initiated by the first terminal device.
  39. A communication apparatus, including:
    a memory and a processor coupled to the memory, where the memory is configured to store a program and the processor is configured to execute the program stored in the memory; when the communication apparatus runs, the processor runs the program so that the communication apparatus performs the method according to any one of claims 1 to 6, 7 to 13, or 14 to 19.
  40. The communication apparatus according to claim 39, wherein the communication apparatus is a chip or a chip system.
  41. A computer-readable storage medium, having a computer program stored thereon, where, when the computer program is executed by a computer, the computer is caused to perform the method according to any one of claims 1 to 6, 7 to 13, or 14 to 19.
  42. A computer program product, including instructions which, when the computer program product runs on a computer, cause the computer to perform the method according to any one of claims 1 to 6, 7 to 13, or 14 to 19.
  43. A communication system, wherein the communication system includes a management device and a second session management entity serving a second terminal device, the second terminal device is a peer end device of C2 communication, the C2 communication is communication between a first terminal device and the second terminal device, and the first terminal device is an initiating end device of the C2 communication;
    the management device is configured to obtain a first user plane security protection enable indication, where the first user plane security protection enable indication is used to indicate whether user plane security protection of a first session is enabled, and the first session is a session used by the first terminal device to carry the C2 communication;
    the management device is further configured to trigger the second terminal device to initiate establishment of a second session, where the second session is a session used by the second terminal device to carry the C2 communication;
    the second session management entity is configured to receive the first user plane security protection enable indication obtained by the management device, and send the first user plane security protection enable indication to a second access network device serving the second terminal device, where the first user plane security protection enable indication is used to determine whether user plane security protection of the second session is enabled.
  44. A communication system, wherein the communication system includes a management device and a second session management entity serving a second terminal device, the second terminal device is a peer end device of C2 communication, the C2 communication is communication between a first terminal device and the second terminal device, and the first terminal device is an initiating end device of the C2 communication;
    the management device is configured to obtain a first user plane security protection enable indication, where the first user plane security protection enable indication is used to indicate whether user plane security protection of a first session is enabled, and the first session is a session used by the first terminal device to carry the C2 communication;
    the management device is further configured to trigger the second terminal device to initiate establishment of a second session, where the second session is a session used by the second terminal device to carry the C2 communication;
    the second session management entity is configured to receive the first user plane security protection enable indication obtained by the management device, determine a third user plane security protection policy according to the first user plane security protection enable indication, and then send the third user plane security protection policy to a second access network device serving the second terminal device, where the third user plane security protection policy includes only mandatory enabling of security protection or mandatory non-enabling of security protection; the third user plane security protection policy is used to determine a second user plane security protection enable indication, the second user plane security protection enable indication is used to determine whether user plane security protection of the second session is enabled, and the second session is a session used by the second terminal device to carry the C2 communication.
  45. The communication system according to claim 43 or 44, wherein the communication system further includes a first session management entity serving the first terminal device;
    the first session management entity is configured to send the first user plane security protection enable indication to the management device; and
    that the management device is configured to obtain a first user plane security protection enable indication includes: being configured to receive the first user plane security protection enable indication from the first session management entity.
  46. The communication system according to claim 43 or 44, wherein the communication system further includes the first terminal device;
    the first terminal device is configured to send the first user plane security protection enable indication to the management device; and
    that the management device is configured to obtain a first user plane security protection enable indication includes: being configured to receive the first user plane security protection enable indication from the first terminal device.
PCT/CN2020/129914 2020-11-18 2020-11-18 Communication method, apparatus and system WO2022104617A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080107200.0A CN116671235A (en) 2020-11-18 2020-11-18 Communication method, device and system
PCT/CN2020/129914 WO2022104617A1 (en) 2020-11-18 2020-11-18 Communication method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/129914 WO2022104617A1 (en) 2020-11-18 2020-11-18 Communication method, apparatus and system

Publications (1)

Publication Number Publication Date
WO2022104617A1 true WO2022104617A1 (en) 2022-05-27

Family

ID=81708149

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/129914 WO2022104617A1 (en) 2020-11-18 2020-11-18 Communication method, apparatus and system

Country Status (2)

Country Link
CN (1) CN116671235A (en)
WO (1) WO2022104617A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20190104015A (en) * 2019-08-16 2019-09-05 엘지전자 주식회사 A method for photographing an unmanned aerial robot and a device for supporting the same in an unmanned aerial vehicle system
CN111867142A (en) * 2019-04-29 2020-10-30 华为技术有限公司 Method, equipment and system for establishing communication bearer

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security aspects of Unmanned Aerial Systems (UAS) (Release 17)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.854, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.3.0, 20 November 2020 (2020-11-20), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , pages 1 - 40, XP051961656 *
SAMSUNG: "Updates to KI#6", 3GPP DRAFT; S3-202610, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20201012 - 20201016, 2 October 2020 (2020-10-02), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051937911 *

Also Published As

Publication number Publication date
CN116671235A (en) 2023-08-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20961908

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 202080107200.0

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20961908

Country of ref document: EP

Kind code of ref document: A1