WO2022141132A1

WO2022141132A1 - Resource checking method for service-based interface and related device

Info

Publication number: WO2022141132A1
Application number: PCT/CN2020/141127
Authority: WO
Inventors: 张金碧; 靳炜; 郑小青
Original assignee: 华为技术有限公司
Priority date: 2020-12-29
Filing date: 2020-12-29
Publication date: 2022-07-07

Abstract

The present application provides a resource checking method for a service-based interface and a related device. The method comprises: a server network element receives a first request message sent by a client network element, wherein the first request message carries information to be checked, and the information to be checked is used for performing legitimacy verification on the client network element; the server network element performs legitimacy verification on the client network element according to the information to be checked; and upon verifying that the client network element is legitimate, the server network element executes the first request message. The method can check the legitimacy of the client network element, and reduce the risks such as the deletion by mistake, accidental tampering and improper transmission of resources.

Description

A service-oriented interface-oriented resource verification method and related equipment

technical field

The present application relates to the field of communications, and in particular, to a service-oriented interface-oriented resource verification method and related equipment.

Background technique

At present, the 5G system architecture control plane adopts service-oriented interface technology. In the service-based architecture, the communication between the client and the server needs to be legalized, and the user resource identifier is one of the methods of legalization. However, the 3GPP Release 16 protocol does not provide a reliable verification method for the user resource identifier of the application layer. Therefore, a new service-oriented interface resource verification method is required to solve the verification problem of the user resource identifier of the application layer.

SUMMARY OF THE INVENTION

The present application provides a service-oriented interface-oriented resource verification method and related equipment, which can verify the validity of client requests, avoid the server from operating resources according to unexpected client requests, and improve the operation efficiency of the server. Accuracy and Safety.

In a first aspect, the present application provides a resource verification method for a service-oriented interface, the method may include: a server network element receiving a first request message sent by a first client network element, the first request message carrying Information to be verified, the information to be verified is used to verify the validity of the first client network element; the server network element performs verification on the first client network element according to the information to be verified Legality verification; the server network element executes the first request message after verifying that the first client network element is legal.

In the solution provided by the present application, after receiving the message from the client network element, the server network element will verify the validity of the client network element, which prevents the server network element from operating resources according to unexpected client requests. , that is, to avoid misoperation, reduce the risk of wrong deletion of resources, accidental tampering and improper transmission, etc., and improve the accuracy and security of network element operations on the server side.

With reference to the first aspect, in a possible implementation manner of the first aspect, the server network element receiving the first request message sent by the first client network element includes: receiving, by the server network element, the first request message sent by the first client network element. An HTTP request message sent by a client network element according to the hypertext transfer protocol, the HTTP request message includes an HTTP protocol header and a message body, and the HTTP protocol header includes the type of the first client network element and the identifier of the first client network element .

In the solution provided in this application, the message sent by the client network element to the server network element may be an HTTP request message, the HTTP request includes information to be verified, and the server network element can The client-side network element performs legality verification, which prevents the server-side network element from operating resources according to unexpected client requests, and improves the accuracy and security of the server-side network element operation.

With reference to the first aspect, in a possible implementation manner of the first aspect, the message body includes the identifier of the first client network element, and the server network element interprets the first client network element according to the information to be verified. A client-side network element performing legality verification, comprising: comparing, by the server-side network element, whether the first client-side network element identifier in the HTTP protocol header is consistent with the first client-side network element identifier in the message body; If they are consistent, it is confirmed that the first client network element is legal.

In the solution provided by this application, the server network element can judge whether the client network element is legal by comparing the client network element identifier in the HTTP protocol header with the client network element identifier in the message body, avoiding the need for When the client network element is illegal, the server network element is still operating, and the resources are deleted by mistake, accidentally tampered with, and improperly transmitted, which improves the accuracy and security of the server network element operation.

With reference to the first aspect, in a possible implementation manner of the first aspect, the server network element performs legality verification on the first client network element according to the information to be verified, including: when the When the type of the first client network element in the HTTP protocol header is consistent with the network element type of the server network element itself, the server network element compares the identifier of the first client network element in the HTTP protocol header with that of the server network element. Whether the identity of the network element instance of the server network element itself is consistent, if not, confirming that the first client network element is legal.

In the solution provided in this application, if the client network element is changed, the server network element can verify the network element type and network element identification respectively when verifying the legitimacy of the client network element, so as to avoid wrong execution of the old client network element. The resource deletion, tampering, and improper transmission may occur due to the request of the network element, which improves the accuracy and security of the operation of the network element on the server side.

With reference to the first aspect, in a possible implementation manner of the first aspect, after confirming that the first client network element is legal, the method further includes: the server network element saves the first client After the server network element performs legality verification on the first client network element according to the information to be verified, the method further includes: the server network element receives the first A second request message sent by the client network element, where the second request message carries the identifier of the first client network element; the server network element compares the identifier of the first client network element in the second request message Whether it is consistent with the identifier of the first client network element saved by the server network element, if they are consistent, confirm that the first client network element is legal; the server network element is verifying the first client network element. The second request message is executed after being valid.

In the solution provided by this application, after the server network element receives the message sent by the client network element for the first time, it will verify the legitimacy of the client network element. The client network element identifier is saved locally, and when the message sent by the client network element is received again, the server network element compares the client network element identifier carried in the request with the saved client network element. The element identifier is used to verify the legitimacy of the client network element, which prevents the server from operating resources according to unexpected client requests, and improves the accuracy and security of the server operation.

With reference to the first aspect, in a possible implementation manner of the first aspect, before the server network element receives the first request message sent by the first client network element, the method further includes: the server network element element receives the third request message sent by the second client network element, the third request message carries the identifier of the second client network element; the server network element performs legality verification according to the identifier of the second client network element ; the server network element saves the identifier of the second client network element after verifying that the first client network element is legal; after the server network element receives the first request message sent by the first client network element , the method further includes: comparing, by the server network element, whether the identifier of the first client network element in the HTTP protocol header is consistent with the stored identifier of the second client network element.

In the solution provided by this application, if the client network element is changed, the new client network element sends a message to the server network element, and the server network element can perform two verifications, and compare the client network element carried in the message. Whether the element identifier is consistent with the client network element stored locally by the server network element, if not, then compare the HTTP protocol header in the request with the client network element identifier in the message body, which improves the accuracy of legality verification. This means that the accuracy and security of server-side operations are improved.

With reference to the first aspect, in a possible implementation manner of the first aspect, the information to be verified includes a first resource verification identifier, and before the server network element receives the first request message sent by the first client network element , the method further includes: receiving, by the server network element, a fourth request message sent by the first client network element, where the fourth request message carries the first resource verification identifier, and the first resource verification The identifier is used to uniquely identify the first client network element; the server network element saves the first resource verification identifier; the server network element checks the first client network element according to the information to be verified. The validity verification of the element includes: comparing, by the server network element, whether the first resource verification identifier carried in the first request message is consistent with the stored first resource verification identifier, and if they are consistent, confirming the first client The network element is legal.

In the solution provided by this application, the server network element can also verify the client network element according to the resource verification identifier, and the server network element to verify the legitimacy of the client through the resource verification identifier needs to first save the resource verification identifier, which can be It is understood that when the client network element sends a message to the server network element for the first time, the server network element will save the resource verification identifier in the message. If the client network element sends a message to the server network element again, the server network element will The element verifies the legitimacy of the client network element by comparing the saved resource verification identifier with the resource verification identifier in the message received later, which prevents the server from operating resources according to unexpected client requests, and improves the operation efficiency of the server. Accuracy and Safety.

With reference to the first aspect, in a possible implementation manner of the first aspect, after confirming that the first client network element is legal, the method further includes: receiving, by the server network element, a third client network element The fifth request message sent by the client, the fifth request message carries the first resource verification identifier and the second resource verification identifier, and the second resource verification identifier is used to uniquely identify the third client network element; the The server network element compares whether the first resource verification identifier carried in the fifth request message is consistent with the saved first resource verification identifier, and if they are consistent, the server network element deletes the first resource verification identifier, The second resource verification identifier is saved.

In the solution provided by the present application, if the update of the client network element is involved, the server network element will update the resource verification identifier of the old client network element stored locally to the changed resource verification identifier of the client network element , so as to facilitate the subsequent legality verification of the changed client network element, so that the accuracy and security of the server operation are greatly improved.

With reference to the first aspect, in a possible implementation manner of the first aspect, the server network element includes an address mapping table, and the address mapping table includes a first client network element identifier and the first client network element. The client address information corresponding to the element identifier, the information to be verified includes the client address information, and the server network element performs legality verification on the first client network element according to the information to be verified, Including: the server network element traverses the address mapping table, and determines whether the address mapping table contains the client address information carried in the first request message, if the address mapping table contains the client address information, it is confirmed that the first client network element is legal.

In the solution provided by this application, the server network element can also verify the legitimacy of the client network element through the client address information, thereby avoiding the server operating resources according to unexpected client requests, and improving the accuracy of the server operation. sex and safety.

In a second aspect, a network device is provided. The network device may include: a receiving unit configured to receive a first request message sent by a first client network element, where the first request message carries information to be verified, and the The information to be verified is used to verify the validity of the first client network element; the processing unit is used to verify the legality of the first client network element according to the information to be verified; The first request message is executed after the first client network element is legal.

With reference to the second aspect, in a possible implementation manner of the second aspect, when the receiving unit is configured to receive the first request message sent by the first client network element, the receiving unit is specifically configured to: receive the first request message sent by the first client network element. The HTTP request message sent by the client network element according to the hypertext transfer protocol, the HTTP request message includes an HTTP protocol header and a message body, and the HTTP protocol header includes the first client network element type and the first client network element identifier.

With reference to the second aspect, in a possible implementation manner of the second aspect, the message body includes the identifier of the network element of the first client, and the processing unit is configured to perform an analysis on the information to be verified according to the information to be verified. When the first client network element performs legality verification, it is specifically used to: compare whether the first client network element identifier in the HTTP protocol header is consistent with the first client network element identifier in the message body, and if If they are consistent, it is confirmed that the first client network element is legal.

With reference to the second aspect, in a possible implementation manner of the second aspect, when the processing unit is used to verify the validity of the first client network element according to the information to be verified, specifically use In: when the first client network element type in the HTTP protocol header is consistent with the network element type of the server network element itself, compare the first client network element identifier in the HTTP protocol header with the Whether the network element instance identifiers of the server network element itself are consistent, if not, it is confirmed that the first client network element is legal.

With reference to the second aspect, in a possible implementation manner of the second aspect, after the receiving unit receives the first request message sent by the first client network element, the processing unit is further configured to save the first request message Client network element identifier; after the processing unit verifies the validity of the first client network element according to the information to be verified, the receiving unit is further configured to receive the information sent by the first client network element a second request message, where the second request message carries the identifier of the network element of the first client; the processing unit is further configured to: compare the identifier of the network element of the first client in the second request message with the identifier of the network element of the first client Whether the identifiers of the first client NEs saved by the server NE are consistent, if they are consistent, confirm that the first client NE is legal; execute the second request message after verifying that the first client NE is legal .

With reference to the second aspect, in a possible implementation manner of the second aspect, before the receiving unit receives the first request message sent by the first client network element, the receiving unit is further configured to: receive the second client a third request message sent by the end network element, where the third request message carries the identifier of the second client network element; the processing unit is further configured to: perform legality verification according to the identifier of the second client network element; After verifying that the first client network element is legal, save the identifier of the second client network element; after the receiving unit receives the first request message sent by the first client network element, the processing unit is further configured to: Compare whether the identifier of the first client network element in the HTTP protocol header is consistent with the stored identifier of the second client network element.

With reference to the second aspect, in a possible implementation manner of the second aspect, the information to be verified includes a first resource verification identifier, and before the receiving unit receives the first request message sent by the first client network element, The receiving unit is further configured to: receive a fourth request message sent by the first client network element, where the fourth request message carries the first resource verification identifier, and the first resource verification identifier is used to uniquely Identifies the first client network element; the processing unit is further configured to: save the first resource verification identifier; perform legality verification on the first client network element according to the information to be verified, including : Compare whether the first resource verification identifier carried in the first request message is consistent with the stored first resource verification identifier, and if they are consistent, confirm that the first client network element is legal.

With reference to the second aspect, in a possible implementation manner of the second aspect, after confirming that the first client network element is legal, the receiving unit is further configured to: receive the data sent by the third client network element. a fifth request message, where the fifth request message carries the first resource verification identifier and the second resource verification identifier, and the second resource verification identifier is used to uniquely identify the third client network element; the processing unit , and is also used to: compare whether the first resource verification identifier carried in the fifth request message is consistent with the saved first resource verification identifier, and if they are consistent, delete the first resource verification identifier and save the second resource Check mark.

With reference to the second aspect, in a possible implementation manner of the second aspect, the device includes an address mapping table, and the address mapping table includes a first client network element identifier corresponding to the first client network element identifier The client address information, the information to be verified includes the client address information, and the processing unit, when used to verify the validity of the first client network element according to the information to be verified, It is specifically used for: traversing the address mapping table, judging whether the address mapping table contains the client address information carried in the first request message, and confirming if the address mapping table contains the client address information The first client network element is legal.

In a third aspect, a computing device is provided, the computing device includes a processor, and the processor is configured to support the electronic device to implement the first aspect and the service-oriented provided in combination with any one of the above-mentioned first aspects. The corresponding function in the resource verification method of the interface. The computing device may also include a memory for coupling with the processor that holds program instructions and data necessary for the electronic device. The computing device may also include a communication interface for the computing device to communicate with other devices or a communication network.

In a fourth aspect, a computer-readable storage medium is provided, and the computer-readable storage medium stores a computer program. When the computer program is executed by the processor, the first aspect and any one of the first aspect can be implemented. The function of the resource verification method for the service-oriented interface provided by this implementation.

In a fifth aspect, the present application provides a computer program product, the computer program includes instructions that, when the computer program is executed by a computer, enables the computer to execute the above-mentioned first aspect and any implementation manner in combination with the above-mentioned first aspect The process of the provided service-oriented interface resource verification method.

In a sixth aspect, the present application provides a chip system, the chip system includes a processor for supporting a network device to implement the functions involved in the first aspect, for example, generating or processing the service-oriented interface of the first aspect. Information involved in the resource verification method. In a possible design, the chip system further includes a memory for storing necessary program instructions and data of the data sending device. The chip system may be composed of chips, or may include chips and other discrete devices.

It can be understood that the network device provided by the second aspect, the computing device provided by the third aspect, the computer-readable storage medium provided by the fourth aspect, and the computer program product provided by the fifth aspect , and the chip system provided by the sixth aspect is used to execute the service-oriented interface-oriented resource verification method provided by the first aspect. Therefore, for the beneficial effects that can be achieved, reference may be made to the beneficial effects of the service-oriented interface-oriented resource verification method provided in the first aspect, which will not be repeated here.

Description of drawings

1 is a schematic diagram of a session creation process provided by an embodiment of the present application;

FIG. 2 is a schematic diagram of a PDU session reconstruction process provided by an embodiment of the present application;

FIG. 3 is a schematic diagram of a 5G service-oriented architecture provided by an embodiment of the present application;

4 is a schematic flowchart of a resource verification method for a service-oriented interface provided by an embodiment of the present application;

FIG. 5 is a schematic flowchart of a user mobile update provided by an embodiment of the present application;

6 is a schematic diagram of a correspondence between a first client network element identifier and client address information according to an embodiment of the present application;

7 is a schematic diagram of an address mapping table provided by an embodiment of the present application;

FIG. 8 is a schematic flowchart of yet another service-oriented interface-oriented resource verification method provided by an embodiment of the present application;

9 is a schematic flowchart of yet another service-oriented interface-oriented resource verification method provided by an embodiment of the present application;

10 is a schematic flowchart of yet another service-oriented interface-oriented resource verification method provided by an embodiment of the present application;

11 is a schematic flowchart of yet another service-oriented interface-oriented resource verification method provided by an embodiment of the present application;

FIG. 12 is a schematic diagram of AMF and SMF registering NRF provided by an embodiment of the present application;

FIG. 13 is a schematic diagram of an AMF client address information configuration provided by an embodiment of the present application;

14 is a schematic diagram of the SMF verifying the validity of the AMF provided by the embodiment of the present application;

FIG. 15 is a schematic diagram of an AMF verifying the validity of an SMF provided by an embodiment of the present application;

FIG. 16 is a schematic diagram of a network device according to an embodiment of the present application;

FIG. 17 is a schematic structural diagram of a computing device according to an embodiment of the present application.

Detailed ways

The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present application, rather than all the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.

First, some terms and related technologies involved in this application are explained so as to facilitate the understanding of those skilled in the art.

Uniform Resource Identifier (URI) means that every resource available on the web, such as HTML documents, images, video clips, programs, etc., is identified by a URI.

The International Mobile Subscriber Identity (IMSI) is an identification code used to distinguish different users in a cellular network and will not be repeated in all cellular networks. The phone stores the IMSI in a 64-bit field and sends it to the network. The IMSI can be used to query the user's information in the Home Location Register (HLR) or the Visitor Location Register (VLR).

The 5G Globally Unique Temporary UE Identity (5G-GUTI) consists of two parts: the first part identifies the 5G-GUTI allocated by which AMF; the second part represents the UE's unique id within the AMF. The purpose of using 5G-GUTI under the 5G system is to reduce the display of the permanent identity of the UE in communication, which can improve security.

Generic Public Subscription Identifier (GPSI) is equivalent to 4G MSISDN. There is not necessarily a one-to-one correspondence between Subscription Permanent Identifier (SUPI) and GPSI. If users access different data networks, there will be Multiple GPSI identifiers, the network needs to establish a relationship between the external network GPSI and SUPI.

The PDU Session ID (PDU Session ID) is an ID used to identify the PDU session. This ID is unique to each terminal, and the number range is limited to the UE that initiated the PDU session.

The session context identifier (SM context reference assigned by the SMF during the Create SM Context service operation, smContextRef) assigned by the SMF is used to respond to the AMF request, indicating that the SMF can process subsequent processes.

User equipment (User Equipment, UE), also known as terminal equipment, mobile station (Mobile Station, MS), mobile terminal (Mobile Terminal, MT), etc., is a device that provides voice and/or data connectivity to users. device of. The terminal device can be a handheld terminal, a notebook computer, a subscriber unit (Subscriber Unit), a cellular phone (Cellular Phone), a smart phone (Smart Phone), a wireless data card, a personal digital assistant (Personal Digital Assistant, PDA) computer, tablet computer , Wireless Modem (Modem), Handheld Device (Handheld), Laptop Computer (Laptop Computer), Cordless Phone (Cordless Phone) or Wireless Local Loop (WLL) station, Machine Type Communication, MTC) terminals, wearable devices (such as smart watches, smart bracelets, pedometers, etc.), in-vehicle devices (such as cars, bicycles, electric vehicles, airplanes, ships, trains, high-speed rail, etc.), virtual reality (Virtual Reality, VR) equipment, Augmented Reality (AR) equipment, wireless terminals in industrial control (Industrial Control), smart home equipment (for example, refrigerators, TVs, air conditioners, electricity meters, etc.), intelligent robots, workshop equipment, unmanned driving Wireless Terminals in Self-Driving, Wireless Terminals in Remote Medical Surgery, Wireless Terminals in Smart Grid, Wireless Terminals in Transportation Safety, Smart City Wireless terminals in smart homes, or wireless terminals in Smart Homes, flying devices (eg, smart robots, hot air balloons, drones, airplanes), or other devices that can access the network. The terminal device in FIG. 3 is shown as a UE, which is only an example and does not limit the terminal device. The UE can access the DN by establishing a session between the UE-(R)AN device-UPF-DN, that is, a protocol data unit (Protocol Data Unit, PDU) session.

The (Radio) Access Network ((R)AN) device is a device that provides wireless access to the UE, and is mainly responsible for radio resource management, Quality of Service (QoS) flow management on the air interface side, Features such as data compression and encryption. (R)AN devices may include various forms of base stations, such as: macro base stations, micro base stations (also called small stations), relay stations, access points, and the like. The (R)AN device may also include a Wireless Fidelity (Wi-Fi) access node (Access Point, AP). The (R)AN device may also include a Worldwide Interoperability for Microwave Access (WiMAX) base station (Base Station, BS).

The user plane function (UPF) network element is mainly responsible for processing user packets, such as forwarding and charging. The user packet can be received from the DN and transmitted to the UE through the RAN device; the user packet can also be received from the UE through the RAN device and forwarded to the DN. The transmission resources and scheduling functions provided by the UPF network element to serve the UE are managed and controlled by the SMF network element.

The data network (Data Network, DN) can be the Internet (Internet), IP Multimedia Service (IP Multimedia Service, IMS) network, regional network, that is, local network, such as Multi-Access Edge Computing (Multi-Access Edge Computing, MEC) network ,Wait. The DN is the destination of the UE's PDU session access. An application server is included or deployed in the DN, and the application server can perform data transmission with the UE and provide business services for the UE.

The authentication server function (Authentication Server Function, AUSF) network element can be responsible for the authentication and authentication of the access of the UE, and also responsible for the charging.

The Access and Mobility Management Function (AMF) network element can access the UE's non-access stratum (Non Access Stratum, NAS) signaling (including session management (Session Management, SM) signaling through the N1 interface. Command) and the N2 interface to access the RAN signaling to complete the UE registration process and SM signaling forwarding and mobility management.

The session management function (Session Management Function, SMF) network element is mainly responsible for session management in the mobile network, such as session establishment, modification, release, update and other processes. Specific functions include assigning IP addresses to users and selecting UPF network elements that provide packet forwarding functions.

The Network Slice Selection Function (NSSF) network element is a new network element of 5G. It is mainly used in 5G slice services and is responsible for managing network slice-related confidence.

The Network Exposure Function (NEF) network element is responsible for opening network data to the outside world.

The network element data warehouse function (NF Repository Function, NRF) network element is responsible for the registration, management and status detection of the NF, which can realize the automatic management of all NFs. When each NF is started, it must register with the NRF before it can provide services.

The Policy Control Function (PCF) network element can be responsible for terminal device policy management, including both mobility-related policies and PDU session-related policies, such as QoS policies and charging policies.

The Unified Data Management (UDM) network element is responsible for user key management, user identification processing, access authorization for subscription data, UE network function entity management, session and business continuity management, short message push, legal interception, Contract management, short message management, used to manage and control user data, such as contract information management.

The Application Function (AF) network element mainly supports interaction with the 3rd Generation Partnership Project (3GPP) core network to provide services to affect service flow routing, access network capability opening, policy control, etc. .

The service-oriented interface is a modeled interaction method between different network entities introduced by the 5G architecture. Through the flexible definition of the interfaces and connections between network function blocks and network entities, the 5G network can be used for various specific tasks. The realization of flexible processing methods and processing flow of the service types at each protocol layer. Generally speaking, a service interface is only for one network function block, the network function block interacts with other function blocks through this interface, and other function blocks interact with this function block through another corresponding interface.

Policy and Charging Control is an architecture that maps the QoS requirements of application-level session service data streams to IP-CAN, and accesses the QoS requirements of transport network bearer-level services to ensure data transmission. The operator's charging policy implements the charging function at the service data flow level.

Hyper Text Transfer Protocol (HTTP) is a simple request-response protocol that usually runs on top of TCP. It specifies what kind of messages the client might send to the server and what kind of response it gets. The headers of the request and response messages are given in ASCII; the message content has a format similar to Multipurpose Internet Mail Extensions (MIME).

HTTP messages consist of client-to-server requests and server-to-client responses. Both the request message and the response message consist of a start line (for a request message, the start line is the request line, for a response message, the start line is the status line), message header (optional), blank line (only CRLF lines), message body (Optional) Composition.

HTTP message headers include normal headers, request headers, response headers, and entity headers.

1. Ordinary header

Among the normal headers, there are a few header fields that are used for all request and response messages, but not for the entity being transported, only for the message being transported.

2. Request header

Request headers allow the client to pass additional information about the request to the server as well as information about the client itself.

Commonly used request headers are as follows:

Accept, which is used to specify what types of information the client accepts.

For example: Accept: image/gif, indicating that the client wants to accept resources in GIF image format; Accept: text/html, indicating that the client wants to accept html text.

Accept-Charset, which is used to specify the character set accepted by the client.

For example: Accept-Charset: iso-8859-1, gb2312, indicating that if this field is not set in the request message, the default is that any character set is acceptable.

Accept-Encoding, similar to Accept, but it is used to specify acceptable content encodings.

For example: Accept-Encoding: gzip.deflate. If this is not set in the request message, the domain server assumes that the client accepts various content encodings.

Accept-Language, similar to Accept, but it is used to specify a natural language.

For example: Accept-Language: zh-cn. If this header field is not set in the request message, the server assumes that all languages are acceptable to the client.

Authorization is mainly used to prove that the client has the right to view a resource. When a browser accesses a page, if it receives a response code of 401 (unauthorized) from the server, it can send a request containing the Authorization request header field, asking the server to authenticate it.

Host (this header field is required when sending a request) is mainly used to specify the Internet host and port number of the requested resource, which is usually extracted from the HTTP URL.

User-Agent, used to obtain the client's operating system, browser and other properties.

For example, when you log in to a forum online, you will often see some information, including the name and version of the operating system, and the name and version of the browser. In fact, this information is obtained by the server application from the User-Agent request header field. arrived. The User-Agent request header field allows the client to tell the server its operating system, browser, and other attributes.

3. Response header

Response headers allow the server to pass additional response information that cannot be placed in the status line, as well as information about the server and further access to the resource identified by the Request-URI.

Commonly used response headers are as follows:

Location, which redirects the recipient to a new location. The Location response header field is often used when changing the domain name.

Server, contains software information that the server uses to process requests. Corresponds to the User-Agent request header field.

4. Entity header

Both request and response messages can convey an entity. An entity consists of the entity header field and the entity body, but it does not mean that the entity header field and the entity body should be sent together, and only the entity header field can be sent. The entity header defines meta-information about the entity body (eg, the presence or absence of an entity body) and the resource identified by the request.

Commonly used entity headers are as follows:

Content-Encoding, used as a modifier for the media type, its value indicates the encoding of the additional content that has been applied to the entity body, so to obtain the media type referenced in the Content-Type header field, the corresponding decoding must be used mechanism.

Content-Language, which describes the natural language used by the resource. If this header field is not set, the entity content is assumed to be available to all language readers.

Content-Length, used to indicate the length of the entity body, expressed as a decimal number stored in bytes.

Content-Type, used to indicate the media type of the entity body sent to the recipient.

Last-Modified, which indicates the date and time when the resource was last modified.

Expires, giving the date and time when the response expires.

Universally Unique Identifier (UUID) is defined as a string primary key, which is composed of 32 digits and encoded in hexadecimal, which defines system information that is completely unique in time and space. The UUID includes the current date and time, the clock sequence, and the globally unique IEEE machine identification number. The only drawback of UUIDs is that the resulting string of results can be long. The most commonly used standard for UUID is Microsoft's Globals Unique Identifiers (GUID).

In addition, the standard UUID format is: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (8-4-4-4-12), and the encoding rules are as follows:

(1) Bits 1 to 8 adopt the system time, and the system time is accurate to the millisecond level to ensure the uniqueness of time;

(2) 9 to 16 bits use the underlying IP address to ensure uniqueness in the server cluster;

(3) Bits 17 to 24 adopt the Hash Code value of the current object to ensure uniqueness on an internal object;

(4) 25-32 bits use a random number of the calling method to ensure millisecond-level uniqueness within an object.

At present, the request message sent by the client will carry URI, user identifier (such as IMSI, 5G-GUTI, GPSI, etc.) and special resource identifiers (such as PDU Session ID, smContextRef, subscription identifier, etc.), and the server uses these identifiers Locate the local user context, and then complete the client request operation. However, the above-mentioned identifiers are general identifiers, and some identifiers have a limited scope, which means that these identifiers cannot support the validity of the server-side verification, which is likely to cause misoperation, resulting in incorrect deletion of resources, accidental tampering of resources, and improper transmission. Insecure situations such as resources occur.

Taking a session creation process as an example, as shown in FIG. 1 , FIG. 1 is a schematic diagram of a session creation process provided by an embodiment of the present application. In Figure 1, the user requests to create a PDU session, the session ID of the PDU session is 5, the SMF associated before PDU5 is SMF1, and the currently associated SMF is SMF2, because it is the same session - PDU5, so both SMF1 and SMF2 are in the same session. There is a context for session PDU5. If the SMF1 requests the AMF to release the user's session, the AMF performs the service request incorrectly.

As shown in FIG. 2 again, FIG. 2 is a schematic diagram of a PDU session reestablishment process provided by an embodiment of the present application. In Figure 2, the SMF associated with PDU5 before is SMF1, and now AMF selects a new SMF-SMF2 for session PDU5, so the SMF associated with PDU5 is SMF2 at this time. Due to an abnormal communication failure, the AMF notifies the SMF1 that the request to delete the context of the PDU5 is not sent successfully, resulting in the context of the PDU5 still existing in the SMF1, and the AMF continues to process the session re-establishment process. The SMF1 releases the context of the PDU5 and notifies the AMF to delete the context of the PDU5 due to reasons such as the maintenance command triggering or the resource release timer timeout triggering the resource release. If the SMF2 then requests to process the context of PDU5 at this time, the AMF will reply abnormally because there is no context, resulting in an abnormal session re-establishment process.

In Figure 1, SMF1 is the client network element, and its identifier is PDU5, which is a general identifier and has a limited range (1-15). As a server network element, AMF cannot verify the legitimacy of the client network element, which will lead to wrong operation. In Figure 2, when SMF1 notifies AMF to delete the context of PDU5, SMF1 is a client network element, and the identifier it carries is PDU5, which is a general identifier and has a limited range (1-15). AMF, as a server network element, cannot verify the client The validity of the network element causes the AMF to delete the PDU5 context by mistake, resulting in an abnormality in the subsequent session re-establishment process.

Based on the above content, the present application provides a service-oriented interface-oriented resource verification method and related equipment, which can allow the client network element to carry more information, so as to support the server network element to perform legal verification and avoid occurrence of Misoperations such as wrong deletion, wrong tampering, and improper transmission of resources improve the accuracy and security of server-side network element operations.

The technical solutions of the embodiments of the present application can be applied to various scenarios requiring legality verification of client requests under service-based interface communication, including but not limited to session creation procedures, session reconstruction procedures, and user mobility update procedures.

In order to better understand a service-oriented interface-oriented resource verification method and related devices disclosed in the embodiments of the present application, the network architecture used in the embodiments of the present application is first described below. Please refer to FIG. 3. FIG. 3 is a schematic diagram of a 5G service-oriented architecture disclosed in an embodiment of the present application. As shown in Figure 3, the 5G service-oriented architecture may include UE, (R)AN equipment, UPF network element, DN, AUSF network element, AMF network element, SMF network element, NSSF network element, NEF network element, NRF network element element, PCF network element, UDM network element, AF network element, etc., also includes Service Based Interface (SBI), such as Nnssf, Nnef, Nnrf, Npcf, etc., and also includes reference points, such as N1, N2, N3, N4, N6, where N1 is the reference point between UE and AMF, N2 is the reference point between (R)AN and AMF, N3 is the reference point between (R)AN and UPF, and N4 is SMF and UPF N6 is the reference point between UPF and DN. Different network elements or devices may communicate through interfaces and reference points. The interface names and reference points shown in FIG. 3 are just an example, which is not specifically limited in this embodiment of the present application.

Each of the above network elements in the core network can also be referred to as functional entities, which can be either network elements implemented on dedicated hardware, software instances running on dedicated hardware, or instances of virtualized functions on an appropriate platform For example, the above-mentioned virtualization platform may be a cloud platform.

It should be noted that when the network element in FIG. 3 performs specific functions, it may be a server network element or a client network element. After the information is sent, it is necessary to verify the validity of the client network element, and then determine whether to perform subsequent operations according to the verification result.

It should be noted that the system architecture shown in FIG. 3 is not limited to the network elements shown in the figure, and may also include other devices not shown in the figure, which will not be listed one by one here.

It should be noted that the embodiments of the present application do not limit the distribution form of each network element in the core network, and the distribution form shown in FIG. 3 is only exemplary and is not limited in the present application.

It should be understood that the names of all network elements in this application are only examples, and in future communications, such as 6G, they may also be called other names, or in future communications, such as 6G, the network elements involved in this application can also be referred to by It can be replaced by other entities or devices with the same function, which are not limited in this application. A unified description is made here, and will not be repeated in the future.

It should be noted that the 5G network architecture shown in FIG. 3 does not constitute a limitation on the 5G network. Optionally, the methods in the embodiments of the present application are also applicable to various future communication systems, such as 6G or other communication networks.

In order to avoid the occurrence of misoperations such as wrong deletion of resources, wrong tampering, and improper transmission, solve the problem of insufficient legality verification of the client network element by the server network element, and improve the security and reliability of operation, this application implements This example provides a service-oriented interface-oriented resource verification method. Please refer to FIG. 4. FIG. 4 is a schematic flowchart of a service-oriented interface-oriented resource verification method provided by an embodiment of the present application. The method can be applied to the 5G service-oriented architecture shown in FIG. 3. The The method includes but is not limited to the following steps:

S401: The server network element receives the first request message sent by the first client network element.

Specifically, the first client network element sends a first request message to the server network element, and the server network element receives the first request message sent by the first client network element, where the first request message carries the information to be verified, The to-be-verified information is used to verify the validity of the first client network element.

In an embodiment of the present application, the server network element receives an HTTP request message sent by the first client network element according to the hypertext transfer protocol, that is, the first request message may be an HTTP request message, and the The HTTP request message includes an HTTP protocol header and a message body, the HTTP protocol header includes the first client network element type and the first client network element identifier, and the message body includes the first client network element identifier, that is, the The information to be verified includes the first client network element type and the first client network element identifier.

It can be understood that the first client network element identifier can be a network element instance identifier. Specifically, according to the 3GPP TS 29.500 service-oriented interface protocol, the HTTP protocol header includes Accept, Accept-Encoding, Context-Length, Context-Type, User -Agent and other information, where the protocol defines User-Agent in the form of "NF Type-", NF Type refers to the network element type, and the content after "-" is optional information, which can be customized by equipment manufacturers. In an implementation manner, the optional information can be customized as a network element instance ID (NF Instance ID), and the NF Instance ID can be changed to mandatory content in the User-Agent, that is, the customization operation is completed The form of the latter User-Agent is "NF Type-NF Instance ID", which means that the HTTP protocol header can include the NE type and NE instance ID. Exemplarily, for the AMF network element, the User-Agent in the HTTP protocol header is the AMF-AMF Instance ID, and the AMF Instance ID refers to the instance identifier of the AMF. For example, the User-Agent may be AMF-00000000-0000 -0000-0000-000000000011, at this time, the instance identifier of AMF is 00000000-0000-0000-0000-000000000011. In addition, the first client network element identifier may also be a serving network element identifier (Serving NF ID), and the Serving NF ID may be carried by the HTTP protocol header like the above-mentioned NF Instance ID.

In an embodiment of the present application, the first request message carries information to be verified, the information to be verified includes a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client The end network element, that is, the first request information carries the first resource verification identifier. It can be understood that the first request message may be an HTTP request message or other types of messages. Therefore, the first resource verification identifier may be carried by the HTTP request message or by the HTTP protocol layer. This is not limited. In addition, the resource verification identifier includes but is not limited to a network element instance identifier (NF Instance ID), and the network element instance identifier can be carried through the HTTP protocol layer.

In an embodiment of the present application, the server network element includes an address mapping table, and the information to be verified includes a first client network element identifier and client address information corresponding to the first client network element identifier , it can be understood that there is a mapping relationship between the first client network element identifier and the client address information, which means that the client address information can be found through the first client network element identifier . It can be understood that, as described above, the first client network element identifier may be a network element instance identifier or a service network element identifier.

S402: The server network element performs legality verification on the first client network element.

Specifically, after receiving the first request message sent by the first client network element, the server network element performs legality verification on the first client network element according to the information to be verified carried in the first request message.

It can be obtained from step S401 that the first request message is an HTTP request message, the HTTP request message includes an HTTP protocol header and a message body, and the HTTP protocol header includes the first client network element type and the first client network element identifier, The message body includes the network element identifier of the first client. In this case, the legality verification may have the following forms:

In an embodiment of the present application, the server network element compares whether the first client network element identifier in the HTTP protocol header is consistent with the first client network element identifier in the message body, and if they are consistent, confirms The first client network element is legal. The above-mentioned validity process may occur when the server network element receives the message from the first client network element for the first time, that is, the first request message may be the message sent by the first client network element to the server network element for the first time.

In an embodiment of the present application, after the server network element confirms that the first client network element that sent the first request message is legal, the server network element saves the identifier of the first client network element. The network element sends a second request message to the server network element, where the second request message includes the first client network element identifier, and the server network element checks the validity of the first client network element according to the first client network element identifier Verification, specifically, the server network element compares whether the first client network element identifier in the second request message is consistent with the first client network element identifier saved by the server network element, and if they are consistent, confirms sending the second request The first client network element of the message is legal.

In addition, when the network element is changed (that is, the network element is changed to another network element of the same type), the validity of the network element also needs to be checked. In an embodiment of the present application, the server network element and the first client The end network elements are different network elements of the same type. When the server network element needs to be changed to the first client network element, the first client network element sends a first request message to the server network element to obtain the information in the server network element. At this time, after receiving the first request message, the server network element will compare whether the first client network element type in the HTTP protocol header is consistent with the server network element's own network element type. , the server network element continues to compare whether the identifier of the first client network element in the HTTP protocol header is consistent with the identifier of the network element instance of the server network element itself, and if not, confirm the first client network element legitimate.

Exemplarily, as shown in FIG. 5 , which is a schematic flowchart of a user mobility update provided by an embodiment of the present application, the UE sends a registration request to the NEW AMF, and the NEW AMF determines that the UE initiates a registration request after receiving the registration request sent by the UE. After the mobile update process of AMF changes, the NEW AMF sends a context transfer request to the OLD AMF to obtain the user context. It can be understood that the NEW AMF and the OLD AMF are different network elements of the same type. At this time, the NEW AMF is the first client network element, the OLD AMF is the server network element, and the context transmission request is the first request message. It can be understood that the context transfer request is an HTTP request message, and the User-Agent in the HTTP protocol header is the AMF-AMF Instance ID, that is, the first client network element type in the HTTP protocol header is AMF, and the HTTP protocol header is AMF. The first client network element identifier in the header is AMF Instance ID, for example, the first client network element identifier may be AMF-00000000-0000-0000-0000-000000000011. Correspondingly, the OLD AMF receives the context transmission request, and compares whether the first client network element type in the HTTP protocol header is consistent with the network element type of the OLD AMF itself. It can be seen that both the NEW AMF and the OLD AMF are AMF network elements. , that is, the first client network element type in the HTTP protocol header is consistent with the network element type of the OLD AMF itself, and the OLD AMF continues to compare the first client network element identifier in the HTTP protocol header with the server network element. Whether the identity of the network element instance of the element itself is consistent, that is, compare whether the AMF Instance ID in the HTTP protocol header is consistent with the AMF Instance ID of the OLD AMF itself. At this point, the NEW AMF may continue to process the context transfer request and send a context transfer response to the OLD AMF.

It can be understood that, in an implementation manner, the context transfer request may be a Namf_Communication_UEContextTransfer Request.

In an embodiment of the present application, the first client network element is a changed network element of the second client network element, which means that the first client network element sends the first request message to the server network element. A process occurs after the above modification process. It can be understood that before the server network element receives the first request message sent by the first client, the server network element receives the third request message sent by the second client network element. The third request message carries the identifier of the second client network element, the server network element will verify the validity of the second client network element according to the second client network element identifier, and the server network element is verifying the second client network element. After the end network element is legal, the second client instance identifier will be saved. After the server-side network element receives the first request message sent by the first client-side network element, the server-side network element compares the identifier of the first client-side network element in the HTTP protocol header with the second client-side network element stored therein If they are inconsistent, the server network element will continue to compare whether the first client network element identifier in the HTTP protocol header is consistent with the first client network element identifier in the message body. The element confirms that the first client network element is legal.

Exemplarily, as shown in Figure 5, after the OLD AMF is changed to the NEW AMF, the NEW AMF may initiate a session update process. Specifically, the NEW AMF sends a context update request to the SMF. At this time, the NEW AMF is the first client network. element, SMF is a server network element, and the update context request is a first request message.

It can be understood that the update context request is an HTTP request message, and the User-Agent in the HTTP protocol header is the AMF-AMF Instance ID, that is, the first client network element type in the HTTP protocol header is AMF, and the HTTP protocol The first client network element identifier in the header is AMF Instance ID, for example, the User-Agent may be AMF-00000000-0000-0000-0000-000000000012.

It can be understood that, in an implementation manner, the update context request may be an Nsmf_PDUSession_UpdateSMContext Request.

It should be noted that before the OLD AMF is changed to the NEW AMF, the OLD AMF will send a session creation request to the SMF, that is, before the SMF receives the update context request sent by the NEW AMF, the SMF will receive the session creation request sent by the OLD AMF. It can be understood that the OLD AMF is the second client network element, the SMF is the server network element, the session creation request is a third request message, and the third request message carries the identifier of the second client network element. After the SMF receives the session creation request sent by the OLD AMF, it will verify the validity of the OLD AMF. For the specific verification process, please refer to the above. Client NE ID.

It can be understood that the session creation request is an HTTP request message, and the User-Agent in the HTTP protocol header is the AMF-AMF Instance ID, that is, the first client network element type in the HTTP protocol header is AMF, and the HTTP protocol header is AMF. The second client network element identifier in the header is AMF Instance ID, for example, the User-Agent may be AMF-00000000-0000-0000-0000-000000000011.

After the SMF receives the update context request sent by the NEW AMF, the SMF will compare whether the first client network element identifier in the HTTP protocol header of the update context request is consistent with the second client network element identifier stored in it. SMF will continue to compare whether the first client network element identifier in the HTTP protocol header is consistent with the first client network element identifier in the message body of the update context request. If they are consistent, SMF confirms the first client network element identifier. The end network element is legal. At this time, the SMF can continue to process the update context request and send the update context response to the NEW AMF.

It should be noted that the NEW AMF can also send a context release request to the SMF, and the process of SMF's verification of the validity of the NEW AMF can be referred to above, and will not be repeated here. It can be understood that the above-mentioned relevant process of the NEW AMF sending the update context request and the release context request to the SMF is an optional process of the user mobile update process shown in FIG. 5. In addition, some content is omitted in the user mobile update process shown in FIG. 5. , for details, please refer to 3GPP related protocols, which will not be repeated here.

It can be obtained from step S401 that: the first request message includes the information to be verified, the information to be verified includes a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client A network element, that is, the first request information carries the first resource verification identifier. In this case, the legality verification may have the following forms:

In an embodiment of the present application, before sending the first request message to the server network element, the first client network element will also send a fourth request message to the server network element, where the fourth request message carries the first request message. A resource verification identifier, the first resource verification identifier is used to uniquely identify the first client network element, after receiving the fourth request message, the server network element will save the first resource verification identifier, and then The client network element performs legality verification. Specifically, the server network element compares the first resource verification identifier carried in the first request message with the stored first resource verification identifier. If they are consistent, the server network element confirms the first resource verification identifier. A client NE is legal.

It can be understood that the fourth request message may be an HTTP request message or other types of messages, and the first resource verification identifier may be carried by the HTTP request message or by the HTTP protocol layer, which is not made in this application. limit.

It can be understood that when the network element is changed (that is, the network element is changed to another network element of the same type), the legality verification process is different from the above content. For example, the first client network element is changed to a third client network element. After the server network element confirms that the first client network element is legal, the server network element receives the fifth request message sent by the third client network element, and the fifth request message carries the first resource verification identifier and the third request message. Two resource verification identifiers, the second resource verification identifier is used to uniquely identify the third client network element, and the server network element will compare the first resource verification identifier carried in the fifth request message with the saved Whether the first resource verification identifier of the first client is consistent, and if so, the server network element updates the resource verification identifier (first resource verification identifier) of the first client network element before the change to the changed resource of the third client network element The verification identifier (second resource verification identifier), that is, the server network element deletes the first resource verification identifier and saves the second resource verification identifier.

It can be obtained from step S401 that the server network element includes an address mapping table, and the information to be verified includes a first client network element identifier and client address information corresponding to the first client network element identifier. In this case, the legality verification may have the following forms:

In an embodiment of the present application, the server network element traverses the address mapping table to determine whether the address mapping table contains the client address information carried in the first request message, if the address mapping table contains If the address information of the client is present, it is confirmed that the network element of the first client is legal. When the server network element performs legality verification, it can first check whether the first client network element identifier is included in the address mapping table. If so, the server network element then checks the address mapping table for the first client network element identifier. Whether the address information corresponding to the association includes the client address information, and if so, confirming that the first client network element is legal.

Exemplarily, as shown in FIG. 6 , FIG. 6 is a schematic diagram of a correspondence between a first client network element identifier and client address information provided by an embodiment of the present application. The first client network element identifier may correspond to one or more client address information, where the client address information may be the IP address of the client.

It can be understood that the address mapping table in the server network element may include one or more client address information, and may also include one or more client network element identifiers, and the one or more client address information may be the same as the One or more client network element identifiers are associated with each other, and may not be associated with the one or more client network element identifiers, and may also be partially associated with the one or more client network element identifiers, and some are not associated with the one or more client network element identifiers. Corresponding to the one or more client network element identifiers. For example, as shown in FIG. 7 , which is a schematic diagram of an address mapping table provided by an embodiment of the present application, the address mapping table shown in FIG. 7 includes a first client network element identifier and a second client network element identifier, The first client network element identifier corresponds to the IP addresses of the three clients, the second client network element identifier also corresponds to the IP addresses of the three clients, and four client addresses are not associated with the client network element identifiers. correspond.

S403: The server network element executes the first request message after verifying that the first client network element is legal.

Specifically, after verifying the validity of the first client network element according to the information to be verified, the server network element can confirm that the first client network element sending the first request message is a legal network element, and execute the first client network element. a request message.

An embodiment of the present application further provides a resource verification method for a service-oriented interface, as shown in FIG. 8 , which is a schematic flowchart of another resource verification method for a service-oriented interface. The method may include the following step:

S801: The UE sends a session creation request.

Specifically, the UE sends a session creation request to the AMF, where the session creation request includes a session identifier.

In an implementation manner, the session creation request may be a PDU Session Establishment Request, the session identifier may be a PDU Session ID, and the PDU Session Establishment Request includes the PDU Session ID.

S802: The AMF sends a context creation request to the SMF.

Specifically, the AMF sends a context creation request to the SMF. At this time, the AMF is the first client network element, the SMF is the server network element, and the context creation request is the first request message. It can be understood that the context creation request is HTTP request message, the context creation request includes an HTTP protocol header and a message body, the HTTP protocol header includes the first client network element type and the first client network element identifier, and the message body includes the first client NE ID.

It can be understood that the first client network element identifier may be a network element instance identifier, that is, the first client network element identifier may be an AMF-AMF Instance ID, for example, the first client network element identifier may be AMF-00000000-0000-0000-0000-000000000011, for details, please refer to step S401, which will not be repeated here.

In one implementation, the create context request may be an Nsmf_PDUSession_CreateSMContext Request.

It can be understood that the SMF is the SMF selected by the AMF. In the 3GPP related protocols, there are roughly two methods for the AMF to select the SMF: one is to use the local configuration of the AMF; the other is to use the NRF discover service, which will not be repeated here, refer to 3GPP relevant agreement. It should be noted that the AMF will save the network element identifier of the selected SMF locally.

Correspondingly, the SMF receives the context creation request sent by the AMF, and verifies the validity of the AMF. Specifically, the first client network element identifier in the HTTP protocol header is matched with the first client network element in the message body. The identifiers are compared, and if they are consistent, the SMF confirms that the AMF is legal, saves the first client network element identifier locally, and performs subsequent operations; if not, the SMF replies a rejection response, and the process ends.

S803: The SMF sends a registration request, an acquisition request and a subscription request to the UDM.

Specifically, the SMF selects the UDM, sends a registration request, an acquisition request, and a subscription request to the UDM to register with the UDM, and acquires contract data and subscribes to the contract data. The specific content of the process refers to the relevant 3GPP protocol, which will not be repeated here.

In an implementation manner, the registration request may be a Numd_UECM_Registration Request, the acquisition request may be a Numd_SDM_Get Request, and the subscription request may be a Numd_SDM_Subscribe Request.

It should be noted that if the SMF initiates a registration request to the UDM, the Nudm_Registration SMF Request service can be used. At this time, the SMF is the first client network element, the UDM is the server network element, and the registration request is the first request message. The registration request includes an HTTP protocol header and a message body, the HTTP protocol header includes a first client network element type and a first client network element identifier, and the message body includes the first client network element identifier.

It can be understood that the first client network element identifier may be a network element instance identifier, that is, the first client network element identifier may be an SMF-SMF Instance ID, for example, the first client network element identifier may be SMF-00000000-0000-0000-0000-000000000012.

Correspondingly, after receiving the registration request sent by the SMF, the UDM verifies the validity of the SMF, and specifically, compares the first client network element identifier in the HTTP protocol header with the first client network element identifier in the message body. , if they are consistent, the UDM confirms that the SMF network element is legal, saves the identifier of the first client network element locally, and returns a registration response to the SMF, and then continues to process the subsequent process; if not, the UDM responds with a rejection response, and the process ends.

In addition, the SMF sends an acquisition request and a subscription request to the UDM. At this time, the SMF is the first client network element, the UDM is the server network element, and the acquisition request and the subscription request are the first request messages. Correspondingly, the UDM After receiving the acquisition request and subscription request sent by the SMF, the validity of the SMF will be verified. For the specific process, please refer to the relevant content of the registration request initiated by the SMF to the UDM, and will not be repeated here.

S804: The SMF sends a create context response to the AMF.

Correspondingly, the AMF receives the context creation response sent by the SMF, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

S805: The SMF sends a session policy creation request to the PCF.

Specifically, if a dynamic PCC is deployed for the created session, the SMF sends a session policy creation request to the PCF. At this time, the SMF is the first client network element and the PCF is the server network element, and the session policy creation request is the first request message, the session policy creation request includes an HTTP protocol header and a message body, the HTTP protocol header includes the first client network element type and the first client network element identifier, and the message body includes the first client network element. Meta ID.

In an implementation manner, the session policy creation request may be an Npcf_SMPolicyControl_Create Request, and the SMF determines that PCC authorization is required by sending the Npcf_SMPolicyControl_Create Request and requests to establish an SMPolicy association with the PCF.

Correspondingly, the PCF receives the session policy creation request sent by the SMF, and verifies the validity of the SMF. For details, refer to the processing of the UDM in step 803, and details are not repeated here.

S806: The SMF sends an N4 session establishment request to the UPF.

Correspondingly, the UPF receives the N4 session establishment request sent by the SMF, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

S807: The SMF sends an N1N2 information transmission request to the AMF.

Specifically, the SMF sends an N1N2 information transmission request to the AMF. At this time, the SMF is the first client network element, and the PCF is the server network element. The N1N2 information transmission request is a second request message, and the N1N2 information transmission request includes An HTTP protocol header and a message body, where the HTTP protocol header includes the first client network element type and the first client network element identifier, and the message body includes the first client network element identifier.

In an implementation manner, the N1N2 information transfer request may be a Namf_Communication_N1N2MessageTransfer Request.

Correspondingly, the AMF receives the N1N2 information transmission request sent by the SMF, verifies the validity of the SMF, and compares the locally stored first client network element identifier (step S802) with the first client network element identifier in the message body. If they are consistent, the AMF will reply to the SMF with a N1N2 information transmission response, and continue to process the subsequent process; if not, the AMF will reply with a rejection response, and the process will end.

It can be understood that when the SMF sends an N1N2 information transmission request to the AMF, and the AMF responds, the AMF also needs to interact with the (R)AN and the UE, that is, the N2 interface process. For the specific content of the N2 interface process, refer to 3GPP related protocols. , and will not be repeated here.

S808: The AMF sends an update context request to the SMF.

Specifically, the AMF sends an update context request to the SMF. At this time, the AMF is the first client network element, the SMF is the server network element, the update context request is the second request message, and the context creation request in step S802 is a first request message, the update context request includes an HTTP protocol header and a message body, and the HTTP protocol header includes the first client network element type and the first client network element identifier (for example, AMF-AMF Instance ID), The message body includes the network element identifier of the first client. It can be understood that, for the specific content of the first client network element identifier, reference may be made to step S401 and step S802, and details are not repeated here.

In one implementation, the update context request may be an Nsmf_PDUSession_UpdateSMContext Request.

Correspondingly, the SMF receives the update context request sent by the AMF, and verifies the validity of the AMF, specifically, compares the first client network element identifier stored locally by the SMF (step S802 ) with the first client in the message body If the identifiers of the network elements are consistent, the SMF confirms that the AMF is valid and performs subsequent operations; if not, the SMF replies with a rejection response, and the process ends.

S809: The SMF sends an N4 session modification request to the UPF.

Correspondingly, the UPF receives the N4 session modification request sent by the SMF. For the specific content of the process, refer to the relevant 3GPP protocol, which will not be repeated here.

S810: The SMF sends an update context response to the AMF.

Correspondingly, the AMF receives the update context response sent by the SMF, and the specific content of the process refers to the relevant 3GPP protocol, which will not be repeated here.

In one implementation, the update context response may be an Nsmf_PDUSession_UpdateSMContext Response.

Optionally, after the SMF replies to the AMF (step S804), if the session creation fails, the SMF notifies the AMF by sending Nsmf_PDUSession_SMContextStatusNotify (context status notification) to the AMF. The specific content of the process refers to 3GPP related protocols, which will not be repeated here. .

In addition, it should be noted that, as described above, part of the process is omitted in FIG. 8 , and for details, please refer to 3GPP related protocols, which will not be repeated here.

An embodiment of the present application further provides a resource verification method for a service-oriented interface, as shown in FIG. 9 , which is a schematic flowchart of another resource verification method for a service-oriented interface. The method may include the following step:

S901: The UE sends a session creation request.

S902: The AMF sends a context creation request to the SMF.

Specifically, the AMF sends a context creation request to the SMF. At this time, the AMF is the first client network element, the SMF is the server network element, and the context creation request is a fourth request message, and the fourth request message carries the first A resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-A.

As described above (step S402), the fourth request message may be an HTTP request message or other types of messages, and the resource verification identifier may be carried by the HTTP request message or by the HTTP protocol layer. There are no restrictions on the application.

Correspondingly, the SMF receives the context creation request sent by the AMF, allocates session resources, and then saves the first resource verification identifier (ID-A).

S903: The SMF sends a registration request to the UDM.

Specifically, the SMF selects the UDM and sends a registration request to the UDM. At this time, the SMF is the first client network element, the UDM is the server network element, and the registration request is a fourth request message, and the fourth request message carries the first A resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-C.

In one implementation, the registration request may be a Numd_UECM_Registration Request.

Correspondingly, the UDM receives the registration request sent by the UDM, and saves the first resource verification identifier (ID-C).

S904: The UDM sends a registration response to the SMF.

Specifically, the UDM sends a registration response to the SMF. At this time, the UDM is the first client network element, the SMF is the server network element, and the registration response is a fourth request message, and the fourth request message carries the first resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-D.

In one implementation, the registration response may be a Numd_UECM_Registration Response.

Correspondingly, the SMF receives the registration response sent by the UDM, and saves the first resource verification identifier (ID-D).

S905: The SMF sends an acquisition request and a subscription request to the UDM.

Specifically, the SMF sends an acquisition request and a subscription request to the UDM, thereby acquiring the subscription data and subscribing the subscription data. At this time, the SMF is the first client network element, and the UDM is the server network element, and the acquisition request and the subscription request are the first network element. A request message, the registration request is a fourth request message, the first request message carries information to be verified, and the information to be verified includes a first resource verification identifier, that is, the acquisition request and the subscription request carry the first Resource verification ID. Exemplarily, the first resource verification identifier may be ID-C.

In an implementation manner, the get request may be a Numd_SDM_Get Request, and the subscription request may be a Numd_SDM_Subscribe Request.

Correspondingly, the UDM receives the acquisition request and the subscription request sent by the SMF, and verifies the validity of the SMF. Specifically, the UDM compares the stored first resource verification identifier (step S903) with the information carried in the acquisition request and the subscription request. The first resource checks whether the identifiers are consistent. If they are consistent, the UDM continues to process the subsequent process, and sends an acquisition response and a subscription response to the SMF. Otherwise, the UDM replies with an abnormal response.

S906: The SMF sends an update context response to the AMF.

Specifically, the SMF sends an update context response to the AMF. At this time, the SMF is the first client network element, the AMF is the server network element, and the update context response is a fourth request message, and the fourth request message carries the first A resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-B.

Correspondingly, the AMF receives the update context response sent by the SMF, and saves the first resource verification identifier (ID-B).

S907: The SMF sends a session policy creation request to the PCF.

Specifically, if the created session deploys a dynamic PCC, the SMF sends a session policy creation request to the PCF. At this time, the SMF is the first client network element, the PCF is the server network element, and the session policy creation request is the fourth request message, the fourth request message carries a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-E.

In an implementation manner, the session policy creation request may be an Npcf_SMPolicyControl_Create Request.

Correspondingly, the PCF receives the session policy creation request sent by the SMF, and stores the first resource verification identifier (ID-E).

S908: The PCF sends a session policy creation response to the SMF.

Specifically, the PCF sends a session policy creation response to the SMF. At this time, the PCF is the first client network element, the SMF is the server network element, and the session policy creation response is a fourth request message, and the fourth request message carries A first resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-F.

In an implementation manner, the session policy creation response may be Npcf_SMPolicyControl_Create Response.

Correspondingly, the SMF receives the session creation response sent by the PCF, and stores the first resource verification identifier (ID-F).

S909: The SMF sends a session policy update request to the PCF.

Specifically, the SMF sends a session policy update request to the PCF. At this time, the SMF is the first client network element, the PCF is the server network element, the session policy update request is the first request message, and the session policy creation request is A fourth request message, where the first request message carries information to be verified, and the information to be verified includes a first resource verification identifier, that is, the session policy update request carries the first resource verification identifier, and the fourth request message Carrying a first resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-E.

In an implementation manner, the session policy update request may be an Npcf_SMPolicyControl_Update Request.

Correspondingly, the PCF receives the session policy update request sent by the SMF, and verifies the validity of the SMF. Specifically, the PCF compares the saved first resource verification identifier (step S907) with the first resource verification identifier carried in the session policy update request. Check whether the resource verification identifiers are consistent. If they are consistent, the PCF replies with a session policy update response and continues to process the subsequent process. Otherwise, the PCF replies with an abnormal response.

It can be understood that part of the N4 interface process is omitted after step S909, and the relevant specific content refers to the relevant 3GPP protocol, which will not be repeated here.

S910: The SMF sends an N1N2 information transmission request to the AMF.

Specifically, the SMF sends an N1N2 information transmission request to the AMF. At this time, the SMF is the first client network element, the AMF is the server network element, the N1N2 information transmission request is the first request message, and the update context response is the first request message. Four request messages, the first request message carries the information to be verified, and the information to be verified includes the first resource verification identifier, that is, the N1N2 information transmission request carries the first resource verification identifier, and the fourth request message carries the first resource verification identifier. A first resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-B.

Correspondingly, the AMF receives the N1N2 information transmission request sent by the SMF, and verifies the validity of the SMF. Specifically, the AMF compares the stored first resource verification identifier (step S906) with the first resource carried in the N1N2 information transmission request. Check whether the resource verification identifiers are consistent. If they are consistent, the AMF will reply to the N1N2 information transmission response and continue to process the subsequent process. Otherwise, the AMF will reply with an abnormal response.

S911: The AMF sends an update context request to the SMF.

Specifically, the AMF sends an update context request to the SMF. At this time, the AMF is the first client network element, the SMF is the server network element, the update context request is the first request message, and the context creation request is the fourth request message, the first request message carries the information to be verified, and the information to be verified includes the first resource verification identifier, that is, the update context request carries the first resource verification identifier, and the fourth request message carries the first resource A verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-A.

Correspondingly, the SMF receives the update context request sent by the AMF, and verifies the validity of the AMF. Specifically, the SMF compares the saved first resource verification identifier (step S902) with the first resource verification carried in the update context request. Whether the identifiers are consistent, if so, SMF sends an update context response to AMF, and continues to process the subsequent process, otherwise, SMF replies with an abnormal response.

It can be understood that after step S911, part of the N4 interface process is omitted. For example, the SMF sends an N4 session modification request to the UPF. The specific content of the process refers to 3GPP related protocols, and details are not repeated here.

S912: The SMF sends a request for releasing session resources to the AMF.

Specifically, the SMF sends a session resource release request to the AMF. At this time, the SMF is the first client network element, the AMF is the server network element, the session resource release request is the first request message, and the update context response is the first request message. Four request messages, the first request message carries the information to be verified, and the information to be verified includes the first resource verification identifier, that is, the release session resource request carries the first resource verification identifier, and the fourth request message carries the first resource verification identifier. A first resource verification identifier, where the first resource verification identifier is used to uniquely identify the first client network element. Exemplarily, the first resource verification identifier may be ID-B.

In an implementation manner, the request for releasing session resources may be Nsmf_PDUSession_SMContextStatusNotify.

Correspondingly, the AMF receives the request for releasing session resources sent by the SMF, and verifies the validity of the SMF. It can be understood that the verification process here is the same as the verification process in step S911 , and reference may be made to step S911 , and details are not repeated here.

In addition, it should be noted that step S909 and step S912 are optional processes of the above session creation process, that is, step S909 and step S912 are optional steps.

It should also be noted that, as described above, part of the process is omitted in FIG. 9 , for details, please refer to the 3GPP related protocols, which will not be repeated here.

An embodiment of the present application further provides a resource verification method for a service-oriented interface, as shown in FIG. 10 , which is a schematic flowchart of another resource verification method for a service-oriented interface. The method may include the following step:

S1001: The UE sends a registration request to the NEW AMF.

Correspondingly, the NEW AMF receives the registration request sent by the UE, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

In an implementation manner, the registration request may be a Registration Request.

S1002: The NEW AMF sends a context transfer request to the OLD AMF.

In one implementation, the context transfer request may be a Namf_Communication_UEContextTransfer Request.

Correspondingly, the OLD AMF receives the context transmission request sent by the NEW AMF, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

S1003: The OLD AMF sends a context transfer response to the NEW AMF.

Specifically, after receiving the context transfer request sent by the NEW AMF, the OLD AMF locates user resources, checks the integrity of the context transfer request, and then sends a context transfer response to the NEW AMF, where the context transfer response carries the data stored in the OLD AMF. Resource verification marks, the resource verification marks saved in the OLD AMF include but are not limited to session-related resource verification marks and policy-related resource verification marks, and the session-related resource verification marks include but are not limited to session-related network elements The identifier of the first client network element when serving as the first client network element, the resource verification identifier related to the policy includes but is not limited to the first client network element when the network element related to the policy is used as the first client network element logo. Exemplarily, session-related network elements include AMF, SMF, UDM, etc., so the session-related resource verification identifiers include the first client network element identifier when the AMF is the first client network element, and the SMF as the first client network element. The identifier of the first client network element when the client network element is used, and the identifier of the first client network element when the UDM is used as the first client network element.

In one implementation, the context transfer response may be a Namf_Communication_UEContextTransfer Response.

Correspondingly, the NEW AMF receives the context transmission response sent by the OLD AMF, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

It is understandable that the NEW AMF needs to register with the UDM, obtain the subscription data, and subscribe to the subscription data. The specific content of these processes refers to the relevant 3GPP protocols, and will not be repeated here.

S1004: The UDM sends a deregistration request to the OLD AMF.

Specifically, the UDM sends a deregistration request to the OLD AMF. At this time, the UDM is the first client network element, the OLD AMF is the server network element, and the deregistration request is a first request message, and the first request message carries Information to be verified, the information to be verified includes a first resource verification identifier, that is, the deregistration request carries a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client network element .

Understandably, before the UDM sends the deregistration request to the OLD AMF, the UDM sends the fourth request message to the OLD AMF. At this time, the UDM is the first client network element, the OLD AMF is the server network element, and the fourth request message Carrying the first resource verification identifier, the first resource verification identifier is used to uniquely identify the first client network element, and the OLD AMF saves the first resource verification identifier.

In an implementation manner, the deregistration request may be Nudm_UECM_DeregistrationNotify Request.

Correspondingly, the OLD AMF receives the de-registration request sent by the UDM, and verifies the validity of the UDM. Specifically, the OLD AMF compares the stored first resource verification identifier with the first resource verification identifier carried by the de-registration request. If they are consistent, OLD AMF sends a deregistration response to UDM and continues to process the subsequent process, otherwise, OLD AMF replies with an abnormal response.

S1005: The OLD AMF sends an unsubscribe request to the UDM.

Specifically, the OLD AMF sends an unsubscribe request to the UDM. At this time, the OLD AMF is the first client network element, the UDM is the server network element, and the unsubscribe request is a first request message, and the first request message carries Information to be verified, the information to be verified includes a first resource verification identifier, that is, the deregistration request carries a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client network element .

It can be understood that before the OLD AMF sends the de-subscription request to the UDM, the OLD AMF sends the fourth request message to the UDM. At this time, the OLD AMF is the first client network element, and the UDM is the server network element. The fourth request message Carrying the first resource verification identifier, the first resource verification identifier is used to uniquely identify the first client network element, and the UDM saves the first resource verification identifier.

In an implementation manner, the unsubscribe request may be Nudm_SDM_Unsubscribe Request.

Correspondingly, UDM receives the de-subscription request sent by OLD AMF, and verifies the legitimacy of OLD AMF, specifically, UDM compares the first resource verification identifier of the preservation and the first resource verification identifier carried by the de-subscription request. If they are consistent, the UDM sends an unsubscribe response to the OLD AMF and continues to process the subsequent process. Otherwise, the UDM responds with an abnormal response.

S1006: NEW AMF sends a policy update request to the PCF.

Specifically, the NEW AMF sends a policy update request to the PCF. At this time, the NEW AMF is the third client network element, and the OLD AMF is the server network element. The policy update request is a fifth request message, and the policy update request carries The second resource verification identifier, the second resource verification identifier is used to uniquely identify the NEW AMF.

Before the change occurs, the OLD AMF sends a first request message to the PCF, and the first request message may be a policy update request. At this time, the OLD AMF is the first client network element, and the PCF is the server network element. The first request message includes information to be verified, and the information to be verified includes a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the OLD AMF. It is understandable that the PCF will verify the validity of the OLD AMF, and after verifying that the OLD AMF is legal, the PCF will save the first resource verification identifier.

It should be noted that the policy update request sent by the NEW AMF to the PCF also carries the first resource verification identifier. It is understandable that after the PCF receives the policy update request sent by the NEW AMF, it will verify the validity of the NEW AMF, and the PCF will compare the Whether the first resource verification identifier carried in the policy update request sent by the NEW AMF to the PCF is consistent with the saved first resource verification identifier, and if they are consistent, the PCF updates the saved first resource verification identifier to the second resource verification identifier , that is, delete the saved first resource verification identifier, save the second resource verification identifier, the PCF replies with a policy update response, and continues to process the subsequent process.

In one implementation, the policy update request may be an Npcf_AMPolicyControl_Update Request.

S1007: NEW AMF sends an update context request to SMF.

Specifically, the NEW AMF sends an update context request to the SMF, at this time, the NEW AMF is the third client network element, the OLD AMF is the server network element, the update context request is a fifth request message, and the update context request carries The second resource verification identifier, the second resource verification identifier is used to uniquely identify the NEW AMF.

Before the change occurs, the OLD AMF sends a first request message to the SMF, and the first request message may be an update context request. At this time, the OLD AMF is the first client network element, and the SMF is the server network element. The first request message includes information to be verified, and the information to be verified includes a first resource verification identifier, and the first resource verification identifier is used to uniquely identify the OLD AMF. Understandably, the SMF will verify the validity of the OLD AMF, and after the SMF verifies that the OLD AMF is legal, it will save the first resource verification identifier.

It should be noted that the policy update request sent by the NEW AMF to the SMF also carries the first resource verification identifier. It is understandable that after receiving the policy update request sent by the NEW AMF, the SMF will verify the validity of the NEW AMF, and the SMF will compare the Whether the first resource verification identifier carried in the policy update request sent by the NEW AMF to the PCF is consistent with the stored first resource verification identifier, and if they are consistent, the SMF updates the stored first resource verification identifier to the second resource verification identifier , that is, delete the saved first resource verification identifier, save the second resource verification identifier, and the SMF responds with an update context response, and continues to process the subsequent process.

S1008: NEW AMF sends a context release request to SMF.

Specifically, the NEW AMF sends a context release request to the SMF, and accordingly, the SMF receives the release context request sent by the NEW AMF, and verifies the validity of the NEW AMF. The specific process is the same as that of step S1007, and reference may be made to step S1007, which will not be repeated here. . After the SMF verifies that the NEW AMF is valid, it responds to the release context request and continues to process the subsequent process.

In an implementation manner, the release context request may be an Nsmf_PDUSession_ReleaseSMContext Request.

S1009: NEW AMF sends a registration response to the UE.

It is understandable that the NEW AMF will send a registration response to the UE, and the specific content of the process refers to 3GPP related protocols, which will not be repeated here.

In addition, it should be noted that, as mentioned above, part of the process is omitted in FIG. 10 , for details, please refer to the relevant 3GPP protocol, which will not be repeated here.

An embodiment of the present application further provides a resource verification method for a service-oriented interface, as shown in FIG. 11 , which is a schematic flowchart of another resource verification method for a service-oriented interface. The method may include the following step:

S1101: The UE sends a session creation request.

It should be noted that when the network element registers the NRF, the network element can add the client address information planned by the network element in the registration request, that is, the registration request will carry the client address information planned by the network element. Therefore, the NRF receives the After the registration request, the client address information of the network element can be obtained. Understandably, the client address information includes but is not limited to the user's IP address.

Exemplarily, as shown in FIG. 12, FIG. 12 is a schematic diagram of an AMF and an SMF registering an NRF according to an embodiment of the present application. The AMF sends a registration request to the NRF, and the registration request carries the client address information planned by the AMF, and the SMF sends a registration request to the NRF. A registration request is sent, where the registration request carries the client address information planned by the SMF.

S1102: The AMF sends a request for querying network elements to the NRF.

Specifically, the AMF sends a query network element request to the NRF, where the query network element request is used to query the Nsmf_PDUSession service.

In an implementation manner, the request for querying network elements may be an Nnrf_NFDiscovery Request.

S1103: The NRF sends a query network element response to the AMF.

Specifically, after receiving the query network element request sent by the AMF, the NRF queries the SMF that meets the query network element request, and sends a query network element response to the AMF, where the query network element response includes the query network element request that meets the query network element request. SMF planning client address information.

In an implementation manner, the query network element response may be Nnrf_NFDiscovery Response.

Correspondingly, the AMF receives the query network element response sent by the NRF, and saves the client address information planned by the SMF included in the query network element response into the address mapping table of the AMF.

S1104: The AMF sends a context creation request to the SMF.

Specifically, the AMF sends a context creation request to the SMF. At this time, the AMF is the first client network element, the SMF is the server network element, and the SMF network element includes an address mapping table, and the address mapping table includes the first client network element. The client address information corresponding to the meta identifier and the first client network element identifier, that is, the address mapping table includes the network element identifier of the AMF and its corresponding client address information, and the context creation request is the first request message , the first request message includes information to be verified, and the information to be verified includes the client address information, that is, the context creation request includes the client address information.

It should be noted that, according to the relevant requirements of the HTTP protocol stack, the client address and the server address must be available to send and/or receive HTTP requests. It can be understood that the context creation request belongs to an HTTP request. Therefore, the context creation request It also includes the client address and the server address, that is, the context creation request also includes the client address of the AMF.

It can be known from step S401 that the first client network element identifier includes but is not limited to a network element instance identifier (NF Instance ID), and the NF Instance ID can be carried through the HTTP protocol layer, or can be carried through an HTTP request.

It should be noted that, during networking planning, the SMF can configure the client address information of one or more AMFs into the address mapping table of the SMF, and associate one or more network element identifiers with the one or more AMFs. The client address information is associated and corresponding, thereby distinguishing the one or more AMFs, and the SMF only uses the client address information of the currently associated AMF (restricts the use of the client address information of other AMFs).

It can be understood that, as described in step S402, the SMF may also not store the network element identifier of the AMF in the address mapping table of the SMF, that is, only the client address information of the AMF is stored in the SMF, and the client address information is not associated with the SMF. The network element identification of the AMF is associated.

Exemplarily, as shown in FIG. 13, FIG. 13 is a schematic diagram of the configuration of AMF client address information provided by an embodiment of the present application. The SMF configures and saves the client address information of the AMF The network element identifier of the AMF is associated with its client address information, so that the SMF can query the corresponding client address information of the AMF through the network element identifier of the AMF.

It is understandable that the above method for configuring client address information can also be applied to other network elements, which is not limited in this application.

Correspondingly, the SMF receives the context creation request sent by the AMF, and verifies the validity of the AMF. Specifically, as shown in FIG. 14 , FIG. 14 is a schematic diagram of the SMF verifying the validity of the AMF provided by the embodiment of the present application. After creating the context request, traverse its address mapping table, specifically, query the address mapping table of the SMF according to the identifier of the first client network element in the creating context request, if the address mapping table of the SMF contains the address mapping table The identifier of the first client network element is to search for the client address information carried in the context creation request in the client address information corresponding to the identifier of the first client network element in the address mapping table of the SMF. The client address information carried in the context request is included, and the SMF continues to process the subsequent process and sends a context creation response to the AMF, otherwise, the process terminates; if there is no identifier of the first client network element in the address mapping table of the SMF related records, then directly look up the client address information carried in the context creation request in the address mapping table of the SMF. If the client address information carried in the context creation request is in it, the SMF continues to process the subsequent process and sends the AMF sends a create context response, otherwise, the process terminates.

S1105: The SMF sends an N1N2 information transmission request to the AMF.

Specifically, the SMF sends an N1N2 information transmission request to the AMF. At this time, the SMF is the first client network element, the AMF is the server network element, and the AMF network element includes an address mapping table, and the address mapping table includes the first client network element. The network element identifier and the client address information corresponding to the first client network element identifier, that is, the address mapping table includes the network element identifier of the SMF and its corresponding client address information, and the context creation request is the first request message, the first request message includes information to be verified, and the information to be verified includes the client address information, that is, the context creation request includes the client address information.

It should be noted that, according to the relevant requirements of the HTTP protocol stack, the client address and the server address must be available to send and/or receive HTTP requests. It is understood that the N1N2 information transmission request is an HTTP request. Therefore, the N1N2 information The transmission request further includes the client address and the server address, that is, the N1N2 information transmission request further includes the client address of the SMF.

It can be understood that the AMF can configure one or more SMF client address information into the address mapping table of the AMF, and the related content of the configuration is the same as that of step S1104.

Correspondingly, the AMF receives the N1N2 information transmission request sent by the SMF, and verifies the validity of the SMF. Specifically, as shown in FIG. 15 , FIG. 15 is a schematic diagram of the AMF verifying the validity of the SMF provided by the embodiment of the present application. After the N1N2 information transmission request, traverse its address mapping table, specifically, query the address mapping table of the AMF according to the first client network element identifier in the N1N2 information transmission request, if the address mapping table of the AMF is in the address mapping table The first client network element identifier exists, and the client address information carried in the N1N2 information transmission request is searched for in the client address information corresponding to the first client network element identifier in the address mapping table of the AMF, If the client address information carried in the N1N2 information transmission request is included, the AMF continues to process the subsequent process and sends an N1N2 information transmission response to the SMF, otherwise, the process terminates; if the AMF address mapping table does not contain the first The relevant record of the client network element identifier, then directly look up the client address information carried in the N1N2 information transmission request in the address mapping table of the AMF, if the client address information carried in the N1N2 information transmission request is in it, The AMF continues to process the subsequent process and sends a N1N2 information transmission response to the SMF, otherwise, the process terminates.

S1106: The AMF sends an update context request to the SMF.

Correspondingly, the SMF receives the update context request sent by the AMF, and verifies the validity of the AMF. The specific verification method may refer to step S1104, which will not be repeated here.

It should be noted that, if the update context request involves the change of AMF, the SMF will verify the validity of the NEW AMF, and the specific content can refer to step S1104, which will not be repeated here. After the SMF verifies that the NEW AMF is valid, it continues to process the subsequent process, and returns an update context response to the AMF.

Optionally, the SMF may send a session resource release request to the AMF. In an implementation manner, the session resource release request may be Nsmf_PDUSession_SMContextStatusNotify (context status notification). Accordingly, the AMF will verify the session resource release request after receiving the request. For the validity of the SMF, refer to step S1105 for details of the verification method, and refer to the relevant 3GPP protocol for the specific content of the process, which will not be repeated here.

It should be noted that, the above session creation process omits part of the process after AMF sends a context creation request to SMF, after AMF sends a N1N2 information transmission response to SMF, and after AMF sends an update context request to SMF, the omitted part of the process and For the processes not described in detail in the above steps S1101-S1106, reference may be made to 3GPP related protocols, which will not be repeated here.

The methods of the embodiments of the present application are described in detail above. In order to facilitate better implementation of the above solutions in the embodiments of the present application, correspondingly, related equipment for implementing the above solutions is also provided below.

As shown in FIG. 16 , FIG. 16 is a schematic diagram of a network device provided by this application, and the network device is used to execute the service-oriented interface described in FIG. 4 , FIG. 8 , FIG. 9 , FIG. 10 and FIG. 11 . Resource verification method. This application does not limit the division of the functional units of the network device, and each unit in the network device can be added, decreased or combined as required. In addition, the operations and/or functions of each unit in the network device are respectively to implement the corresponding processes of the methods described in the above-mentioned FIG. 4 , FIG. 8 , FIG. 9 , FIG. 10 and FIG. . Figure 16 exemplarily provides a division of functional units:

The network device 1600 includes a receiving unit 1610 and a processing unit 1620 .

The receiving unit 1610 is configured to receive a first request message sent by a first client network element, where the first request message carries information to be verified, and the information to be verified is used to perform verification on the first client network element. Legality verification.

The processing unit 1620 is configured to verify the validity of the first client network element according to the information to be verified; and execute the first request message after verifying that the first client network element is legal.

The above-mentioned two units can transmit data to each other through a communication channel. It should be understood that each unit included in the network device 1600 may be a software unit, a hardware unit, or a part of a software unit and a part of a hardware unit.

It can be understood that the network device shown in FIG. 16 is only an exemplary implementation in the embodiment of the present application, and the network device applicable to the resource verification method for the service-oriented interface in the embodiment of the present application includes but Not limited to the above structure.

Referring to FIG. 17 , FIG. 17 is a schematic structural diagram of a computing device provided by an embodiment of the present application. As shown in FIG. 17 , the computing device 1700 includes a processor 1710 , a communication interface 1720 and a memory 1730 , and the processor 1710 , the communication interface 1720 and the memory 1730 are connected to each other through an internal bus 1740 .

The computing device 1700 may be the network device in FIG. 16 , and the functions performed by the network device 1600 in FIG. 16 are actually performed by the processor 1710 of the network device 1600 .

The processor 1710 may be composed of one or more general-purpose processors, such as a central processing unit (Central Processing Unit, CPU), or a combination of a CPU and a hardware chip. The above-mentioned hardware chip may be an application-specific integrated circuit (Application-Specific Integrated Circuit, ASIC), a programmable logic device (Programmable Logic Device, PLD) or a combination thereof. The above-mentioned PLD can be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable gate array (Field-Programmable Gate Array, FPGA), a general array logic (Generic Array Logic, GAL) or any combination thereof.

The communication interface 1720 is used to communicate with other devices or communication networks, such as Ethernet, Radio Access Network (RAN), Core Network, Wireless Local Area Networks (WLAN) and the like.

The bus 1740 may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an Extended Industry Standard Architecture (Extended Industry Standard Architecture, EISA) bus or the like. The bus 1740 can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is shown in Figure 17, but it does not mean that there is only one bus or one type of bus.

The memory 1730 may include a volatile memory (Volatile Memory), such as a random access memory (Random Access Memory, RAM); the memory 1730 may also include a non-volatile memory (Non-Volatile Memory), such as a read-only memory (Read- Only Memory (ROM), flash memory (Flash Memory), hard disk (Hard Disk Drive, HDD) or solid-state drive (Solid-State Drive, SSD); the memory 1730 may also include a combination of the above types. The memory 1730 is used to store the program code for executing the above embodiment of the resource verification method for the service-oriented interface. In one embodiment, the memory 1730 can also cache other data, and the execution is controlled by the processor 1710 to realize the above. The functional units shown in the network device 1600 are used to implement the method steps in the method embodiments shown in FIG. 4 , FIG. 8 , FIG. 9 , FIG. 10 and FIG. details as follows:

The processor 1710 controls the communication interface 1720 to receive a first request message sent by the first client network element, where the first request message carries information to be verified, and the to-be-verified information is used to communicate to the first client network element. conduct legality verification;

The processor 1710 performs legality verification on the first client network element according to the information to be verified;

The processor 1710 executes the first request message after verifying that the first client network element is legitimate.

In one implementation manner, the processor 1710 controls the communication interface 1720 to receive the first request message sent by the first client network element, including: the processor 1710 controls the communication interface 1720 to receive the first client network element according to the hypertext An HTTP request message sent by a transmission protocol, the HTTP request message includes an HTTP protocol header and a message body, the HTTP protocol header includes the first client network element type and the first client network element identifier, and the message body includes the The identifier of the first client network element.

In one implementation manner, the processor 1710 performs legality verification on the first client network element according to the information to be verified, including: the processor 1710 compares the first client network element in the HTTP protocol header Whether the element identifier and the first client network element identifier in the message body are consistent, if they are consistent, it is confirmed that the first client network element is legal.

In one implementation manner, the processor 1710 performs legality verification on the first client network element according to the to-be-verified information, including: when the first client network element type in the HTTP protocol header is the same as the When the network element types of the server network element are consistent, the processor 1710 compares whether the first client network element identifier in the HTTP protocol header is consistent with the network element instance identifier of the server network element itself. , it is confirmed that the first client network element is legal.

In one implementation manner, after the processor 1710 confirms that the first client network element is legal, the method further includes: the processor 1710 saves the identifier of the first client network element; After verifying the validity of the first client network element with the verification information, the method further includes: the processor 1710 controls the communication interface 1720 to receive a second request message sent by the first client network element, the first client network element The second request message carries the identifier of the first client network element; the processor 1710 verifies the validity of the first client network element according to the identifier of the first client network element; the processor 1710 compares the second request Whether the identifier of the first client network element in the message is consistent with the identifier of the first client network element stored by the server network element, if they are the same, the first client network element is confirmed to be legal; the processor 1710 is verifying The second request message is executed after the first client network element is legal.

In one implementation manner, before the processor 1710 controls the communication interface 1720 to receive the first request message sent by the first client network element, the method further includes: the processor 1710 controls the communication interface 1720 to receive the second client network element The third request message sent, the third request message carries the network element identifier of the second client; the processor 1710 performs legality verification according to the identifier of the second client network element; the processor 1710 is verifying the first client After the end network element is legal, the identifier of the second client network element is stored; before the processor 1710 controls the communication interface 1720 to receive the first request message sent by the first client network element, the method further includes: the processor 1710 compares the Whether the identifier of the first client network element in the HTTP protocol header is consistent with the stored identifier of the second client network element.

In one implementation manner, the information to be verified includes a first resource verification identifier, and before the processor 1710 controls the communication interface 1720 to receive the first request message sent by the first client network element, the method further includes: processing The controller 1710 controls the communication interface 1720 to receive a fourth request message sent by the first client network element, the fourth request message carries the first resource verification identifier, and the first resource verification identifier is used to uniquely identify the the first client network element; the processor 1710 saves the first resource verification identifier; the processor 1710 performs legality verification on the first client network element according to the information to be verified, including: the processor 1710 compares the Whether the first resource verification identifier carried in the first request message and the stored first resource verification identifier are consistent, and if they are consistent, it is confirmed that the first client network element is legal.

In one implementation manner, after the processor 1710 confirms that the first client network element is legal, the method further includes: the processor 1710 controls the communication interface 1720 to receive the fifth request message sent by the third client network element, The fifth request message carries the first resource verification identifier and the second resource verification identifier, and the second resource verification identifier is used to uniquely identify the third client network element; the processor 1710 compares the fifth request Whether the first resource verification identifier carried in the message is consistent with the stored first resource verification identifier, and if so, the processor 1710 deletes the first resource verification identifier and saves the second resource verification identifier.

In one implementation manner, the memory 1730 includes an address mapping table, and the address mapping table includes a first client network element identifier and client address information corresponding to the first client network element identifier. The information includes the client address information, and the processor 1710 performs legality verification on the first client network element according to the information to be verified, including: the processor 1710 traverses the address mapping table to determine the address mapping Whether the table contains the client address information carried in the first request message, and if the address mapping table contains the client address information, it is confirmed that the first client network element is legal.

Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored. When the program is executed by a processor, it can implement some or all of the steps described in the above method embodiments, and realize the above The function of any one of the functional units described in Figure 16.

Embodiments of the present application also provide a computer program product, which, when run on a computer or a processor, causes the computer or processor to execute one or more steps in any one of the above methods. If each component module of the above-mentioned device is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in the computer-readable storage medium.

Embodiments of the present application further provide a chip system, where the chip system includes a processor, configured to support the network device 1600 to implement one or more steps of the method steps in any of the above methods with the network device 1600 as the main body of execution. In a possible design, the chip system further includes a memory for storing necessary program instructions and data of the data sending device. The chip system may be composed of chips, or may include chips and other discrete devices.

In the above-mentioned embodiments, the description of each embodiment has its own emphasis. For parts that are not described in detail in a certain embodiment, reference may be made to the relevant descriptions of other embodiments.

It should be understood that the first, the second, the third, the fourth and various numeral numbers mentioned herein are only for the convenience of description, and are not used to limit the scope of the present application.

It should be understood that the term "and/or" in this document is only an association relationship to describe associated objects, indicating that there can be three kinds of relationships, for example, A and/or B, which can mean that A exists alone, and A and B exist at the same time , there are three cases of B alone. In addition, the character "/" in this document generally indicates that the related objects are an "or" relationship.

It should also be understood that, in various embodiments of the present application, the size of the sequence numbers of the above-mentioned processes does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, and should not be implemented in the present application. The implementation of the examples constitutes no limitation.

Those of ordinary skill in the art can realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.

Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which will not be repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored, or not implemented. On the other hand, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.

The functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program codes .

The steps in the method of the embodiment of the present application may be adjusted, combined and deleted in sequence according to actual needs.

The modules in the apparatus of the embodiment of the present application may be combined, divided and deleted according to actual needs.

As mentioned above, the above embodiments are only used to illustrate the technical solutions of the present application, but not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand: The technical solutions described in the embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present application.

Claims

A service-oriented interface-oriented resource verification method, characterized in that the method includes:

The server network element receives the first request message sent by the first client network element, the first request message carries information to be verified, and the to-be-verified information is used to verify the validity of the first client network element verify;

The server network element performs legality verification on the first client network element according to the information to be verified;

The server network element executes the first request message after verifying that the first client network element is legal.
The method according to claim 1, wherein the server network element receiving the first request message sent by the first client network element comprises:

The server network element receives an HTTP request message sent by the first client network element according to the hypertext transfer protocol, the HTTP request message includes an HTTP protocol header and a message body, and the HTTP protocol header includes the first client network element. The element type and the identifier of the first client network element.
The method according to claim 2, wherein the message body includes the identifier of the first client network element, and the server network element sends a message to the first client network element according to the information to be verified. Conduct legality verification, including:

The server network element compares whether the first client network element identifier in the HTTP protocol header and the first client network element identifier in the message body are consistent, and if they are consistent, confirms the first client network element. Yuan is legal.
The method according to claim 2, wherein the server network element performs legality verification on the first client network element according to the information to be verified, comprising:

When the type of the first client network element in the HTTP protocol header is consistent with the network element type of the server network element itself, the server network element compares the first client network element in the HTTP protocol header Whether the identifier is consistent with the identifier of the network element instance of the server network element itself, if not, confirming that the first client network element is legal.
The method according to claim 2 or 3, wherein after confirming that the first client network element is legal, the method further comprises:

The server network element saves the first client network element identifier;

After the server network element performs legality verification on the first client network element according to the information to be verified, the method further includes:

receiving, by the server network element, a second request message sent by the first client network element, where the second request message carries the identifier of the first client network element;

The server network element compares whether the first client network element identifier in the second request message is consistent with the first client network element identifier saved by the server network element, and if they are consistent, confirms the first client network element identifier. The client network element is legal;

The server network element executes the second request message after verifying that the first client network element is legal.
The method according to claim 3, wherein before the server network element receives the first request message sent by the first client network element, the method further comprises:

receiving, by the server network element, a third request message sent by the second client network element, where the third request message carries the identifier of the second client network element;

The server network element performs legality verification according to the identifier of the second client network element;

The server network element saves the identifier of the second client network element after verifying that the first client network element is legal;

After the server network element receives the first request message sent by the first client network element, the method further includes:

The server network element compares whether the identifier of the first client network element in the HTTP protocol header is consistent with the stored identifier of the second client network element.
The method according to claim 1, wherein the information to be verified includes a first resource verification identifier, and before the server network element receives the first request message sent by the first client network element, the method further comprises: include:

The server network element receives a fourth request message sent by the first client network element, where the fourth request message carries the first resource verification identifier, and the first resource verification identifier is used to uniquely identify the the first client network element;

The server network element saves the first resource verification identifier;

The server network element performs legality verification on the first client network element according to the information to be verified, including:

The server network element compares whether the first resource verification identifier carried in the first request message is consistent with the stored first resource verification identifier, and if they are consistent, confirms that the first client network element is legal.
The method according to claim 7, wherein after confirming that the first client network element is legal, the method further comprises:

The server network element receives the fifth request message sent by the third client network element, the fifth request message carries the first resource verification identifier and the second resource verification identifier, and the second resource verification identifier is used for uniquely identify the third client network element;

The server network element compares whether the first resource verification identifier carried in the fifth request message is consistent with the saved first resource verification identifier, and if they are consistent, the server network element deletes the first resource verification identifier , and save the second resource verification identifier.
The method of claim 1, wherein the server network element includes an address mapping table, and the address mapping table includes a first client network element identifier and a client corresponding to the first client network element identifier terminal address information, the information to be verified includes the client address information, and the server network element performs legality verification on the first client network element according to the information to be verified, including:

The server network element traverses the address mapping table, and determines whether the address mapping table includes the client address information carried in the first request message, and if the address mapping table includes the client address information, Then, it is confirmed that the first client network element is legal.
A network device, characterized in that the network device includes:

A receiving unit, configured to receive a first request message sent by a first client network element, where the first request message carries information to be verified, and the to-be-verified information is used for validating the first client network element sexual verification;

The processing unit is configured to verify the validity of the first client network element according to the information to be verified; and execute the first request message after verifying that the first client network element is legal.
The method according to claim 10, wherein, when the receiving unit is configured to receive the first request message sent by the first client network element, it is specifically configured to:

Receive an HTTP request message sent by the first client network element according to the hypertext transfer protocol, the HTTP request message includes an HTTP protocol header and a message body, and the HTTP protocol header includes the first client network element type and the first client End network element identification The message body includes the first client network element identification.
The method according to claim 11, wherein the message body includes the network element identifier of the first client, and the processing unit is configured to perform an operation on the first client according to the information to be verified. When the NE performs legality verification, it is specifically used for:

Compare whether the first client network element identifier in the HTTP protocol header and the first client network element identifier in the message body are consistent, and if they are consistent, confirm that the first client network element is legal.
The method according to claim 11, wherein, when the processing unit is used to verify the validity of the first client network element according to the information to be verified, the processing unit is specifically configured to:

When the type of the first client network element in the HTTP protocol header is consistent with the network element type of the server network element itself, compare the identifier of the first client network element in the HTTP protocol header with that of the server network element Whether the identifiers of the network element instances of the network elements themselves are consistent, and if they are inconsistent, it is confirmed that the first client network element is legal.
The method according to claim 11 or 12, wherein after the receiving unit receives the first request message sent by the first client network element, the processing unit is further configured to save the first client network element meta-id;

After the processing unit verifies the validity of the first client network element according to the information to be verified, the receiving unit is further configured to receive the second request message sent by the first client network element, where the The second request message carries the identifier of the network element of the first client; the processing unit is further configured to: compare the identifier of the network element of the first client in the second request message with the identifier of the network element of the server saved Whether the identifiers of the first client network elements are the same, if they are consistent, it is confirmed that the first client network element is legal; the second request message is executed after verifying that the first client network element is legal.
The method according to claim 12, wherein before the receiving unit receives the first request message sent by the first client network element, the receiving unit is further configured to: receive the first request message sent by the second client network element a third request message, where the third request message carries the identifier of the network element of the second client; the processing unit is further configured to: perform legality verification according to the identifier of the network element of the second client; After the client network element is legal, the identifier of the second client network element is stored;

After the receiving unit receives the first request message sent by the first client network element, the processing unit is further configured to: compare the identifier of the first client network element in the HTTP protocol header with the stored second request message. Check whether the client NE IDs are consistent.
The method according to claim 10, wherein the information to be verified includes a first resource verification identifier, and before the receiving unit receives the first request message sent by the first client network element, the receiving unit: is further used for: receiving a fourth request message sent by the first client network element, where the fourth request message carries the first resource verification identifier, and the first resource verification identifier is used to uniquely identify the first client network element;

The processing unit is further configured to: save the first resource verification identifier; perform legality verification on the first client network element according to the information to be verified, including: comparing the information carried in the first request message Whether the first resource verification identifier and the stored first resource verification identifier are consistent, and if they are consistent, it is confirmed that the first client network element is legal.
The method according to claim 16, wherein after confirming that the first client network element is legal, the receiving unit is further configured to: receive a fifth request message sent by a third client network element, The fifth request message carries the first resource verification identifier and a second resource verification identifier, where the second resource verification identifier is used to uniquely identify the third client network element;

The processing unit is further configured to: compare whether the first resource verification identifier carried in the fifth request message is consistent with the saved first resource verification identifier, and if they are consistent, delete the first resource verification identifier, and save the saved first resource verification identifier. The second resource verification identifier is described.
The method of claim 10, wherein the device comprises an address mapping table, and the address mapping table comprises a first client network element identifier and client address information corresponding to the first client network element identifier , the to-be-verified information includes the client address information, and the processing unit, when used to verify the validity of the first client network element according to the to-be-verified information, is specifically configured to:

Traverse the address mapping table, determine whether the address mapping table contains the client address information carried in the first request message, and if the address mapping table contains the client address information, confirm the first The client NE is legal.
A computing device, characterized in that the computing device includes a memory and a processor, and the processor executes computer instructions stored in the memory, so that the computing device executes the method according to any one of claims 1-9 .
A computer-readable storage medium, characterized in that, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the method described in any one of the preceding claims 1-9 is implemented.