WO2022178888A1 - Communication method and apparatus - Google Patents


Info

Publication number
WO2022178888A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
security
security gateway
gateway
ike
Application number
PCT/CN2021/078325
Other languages
French (fr)
Chinese (zh)
Inventor
王亚鑫
李岩
吴义壮
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Priority to PCT/CN2021/078325
Publication of WO2022178888A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a communication method and apparatus.
  • Mobile edge computing is a technology that deeply integrates access network and Internet services based on the evolved architecture of the fifth generation (5G) system.
  • a security gateway is deployed between a central user plane function or an uplink classifier (ULCL) and an application server.
  • IKE: Internet Key Exchange protocol
  • SA: security association
  • IPsec: Internet Protocol Security
  • the present application provides a communication method and device, which are used to solve the problem of complicated handover procedures.
  • an embodiment of the present application provides a communication method, and the method may be implemented by a first security gateway or a chip or a chip system in the first security gateway.
  • the communication method includes: a first security gateway establishes an Internet Key Exchange (IKE) security association (SA) connection with a terminal device; when the first security gateway determines that the terminal device needs to perform secure transmission of user plane data through a second security gateway, it establishes an Internet Protocol Security (IPsec) sub-SA connection (a child SA, in IKEv2 terms) for the second security gateway; the IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the first security gateway is used to establish the IKE SA with the terminal device.
  • the second security gateway used for user plane data transmission is used for establishing a user plane SA with the terminal device, encrypting data and protecting integrity.
  • the IPsec sub-SA of the second security gateway is established on behalf of the first security gateway. Therefore, when the terminal device needs to switch the application server, there is no need to establish an IKE SA with the switched second security gateway, which reduces the switching process and reduces the switching complexity.
  • the terminal device does not need to perceive the existence of the second security gateway, and only interacts with the first security gateway. Therefore, the terminal device does not need to perceive the insertion of the ULCL and the change of the application server, and the switching of the security gateway can also be realized.
  • establishing an IPsec sub-SA connection for the second security gateway includes: negotiating an IPsec sub-SA connection between the first security gateway and the terminal device to obtain a first security parameter; the first security gateway configures the first security parameter on the second security gateway; the first security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the first security gateway, in place of the second security gateway, establishes an IPsec sub-SA connection with the terminal device for transmitting user plane data, and then configures the security parameters of the established IPsec sub-SA connection on the second security gateway.
  • the terminal device does not need to sense the existence of the second security gateway through control plane signaling.
  • the terminal device only interacts with the first security gateway to establish an IPsec sub-SA connection.
  • when the second security gateway is changed (for example, in the MEC scenario of ULCL insertion), the update and establishment of the IPsec sub-SA connection can be completed without additional control plane signaling overhead.
  • no IKE SA connection needs to be established each time the second gateway changes, which reduces signaling overhead.
  • the first security parameter includes material for generating a key for user plane data transmission with the terminal device.
  • the first security gateway configures the second security gateway with the material for generating the key for user plane data transmission with the terminal device, so that the second security gateway can perform secure transmission of user plane data with the terminal device according to that key.
  • the material for generating a key for user plane data transmission with the terminal device includes one or more of the following:
  • key material generated by the first security gateway, key exchange material of the terminal device, key exchange material configured for the second security gateway, a random number of the terminal device, or a random number generated for the second security gateway.
  • the first security parameter further includes one or more of the following: an encryption algorithm of the terminal device, an encryption algorithm allocated to the second security gateway, or the packet filtering rules for user plane data transmission between the terminal device and the second security gateway.
  • the first security gateway establishing an Internet Protocol Security (IPsec) sub-SA for the second security gateway includes: the first security gateway receives a setup request initiated by the terminal device, the setup request being used to request establishment of an IPsec sub-SA connection with the second security gateway; the first security gateway sends a configuration context of the IPsec sub-SA connection to the second security gateway, and the configuration context includes the configuration context for the
  • the second security gateway updates or confirms the second security parameter; the first security gateway sends an establishment response to the terminal device, and the establishment response includes the third security parameter; the third security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the first security gateway interacts with the terminal device instead of the second security gateway, and the second security gateway updates or confirms the second security parameter configured by the first security gateway. Furthermore, when the second security gateway switches, there is no need to re-establish the IKE SA, which reduces the signaling interaction process.
  • the second security parameter includes material for the second security gateway to generate a key for user plane data transmission between the second security gateway and the terminal device.
  • the material for generating the key for user plane data transmission with the terminal device includes one or more of the following: the key material generated by the first security gateway, the key exchange material of the terminal device, the first key exchange material of the first security gateway, the first random number used by the terminal device, or the second random number used by the first security gateway.
  • the third security parameter includes one or more of the following: second key exchange material for updating the first key exchange material, or a third random number for updating the first random number.
  • the first security gateway interacts with the terminal device instead of the second security gateway, and the second security gateway updates the key exchange material or random number configured by the first security gateway to improve the security of the generated key.
  • the second security parameter further includes one or more of the following: an encryption algorithm of the terminal device, an encryption algorithm allocated to the second security gateway, or the first packet filtering rule for user plane data transmission between the terminal device and the second security gateway.
  • the third security parameter further includes a second data packet filtering rule for updating the first data packet filtering rule.
  • the third security parameter further includes an encryption algorithm selected by the second security gateway.
  • an embodiment of the present application provides a communication method, including: a first core network element determines a first security gateway that provides security services for a terminal device, where the first security gateway is used to establish an Internet Key Exchange (IKE) SA connection with the terminal device;
  • the first core network element configures the user plane network element with a first forwarding rule, and the first forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IKE SA connection to the first security gateway; after determining that an Internet Protocol Security (IPsec) sub-SA connection is established between the terminal device and the second security gateway, the first core network element configures the user plane network element with a second forwarding rule, where the second forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IPsec sub-SA connection to the second security gateway.
  • the first core network element configures the first forwarding rule for the user plane network element, so as to realize the security protection of the data packets belonging to the IKE SA connection through the first security gateway.
  • the second forwarding rule is configured for the user plane network element, so as to realize the security protection of the user plane data through the second security gateway.
  • the first core network element determining the first security gateway that provides security services for the terminal device includes: the first core network element determines, according to the subscription data of the terminal device, the first security gateway that provides security services for the terminal device; or the first core network element determines the first security gateway that provides security services for the terminal device according to local configuration information; or the first core network element receives address information of the first security gateway from a second core network element and determines the first security gateway that provides security services for the terminal device according to that address information; or the first core network element receives address information of a first security gateway from the terminal device, where the first security gateway is one of at least one security gateway configured by a policy control network element for the terminal device.
  • the policy control network element may send the address of at least one security gateway capable of serving the terminal device to the terminal device, and the terminal device selects the first security gateway from the at least one security gateway.
  • the first core network element is a session management network element.
  • the second core network element is a mobility management network element.
  • the method further includes: the first core network element sends the determined address information of the first security gateway to the terminal device, where the address information of the first security gateway is used by the terminal device to trigger the establishment of an IKE SA connection.
  • the method further includes: the first core network element sends the address information of the terminal device to the first security gateway, where the address information of the terminal device is used by the first security gateway to trigger the establishment of an IKE SA connection.
  • an embodiment of the present application provides a communication method, which is applied to a terminal device or a chip or a chip system of the terminal device.
  • the terminal device receives the address information of the first security gateway from the network element of the first core network, and triggers the establishment of the IKE SA to the first security gateway according to the address information.
  • a request message for establishing an IPsec sub-SA is triggered to the first security gateway.
  • the request message carries the address segment of the second security gateway.
  • the terminal device receives the address information of at least one security gateway from the policy control network element, and triggers the establishment of the IKE SA to the first security gateway.
  • the first security gateway is one of the security gateways indicated by the address information of the at least one security gateway.
  • a request message for establishing an IPsec sub-SA is triggered to the first security gateway.
  • the request message carries the address segment of the second security gateway.
  • a communication device is provided; for example, the communication device is the aforementioned first security gateway.
  • the communication device has the function of implementing the behavior in the method embodiment of the first aspect.
  • the functions can be implemented by hardware, and can also be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the communication device includes, for example, a transceiver module and a processing module coupled with each other.
  • the processing module is used for establishing an Internet Key Exchange (IKE) security association (SA) connection with the terminal device through the transceiver module; the processing module is also used for establishing an Internet Protocol Security (IPsec) sub-SA connection for the second security gateway when it determines that the terminal device needs to perform secure transmission of user plane data through the second security gateway; the IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the present application provides a communication device, for example, the communication device is the network element of the first core network as described above.
  • the communication device has the function of implementing the behavior in the method embodiment of the second aspect.
  • the functions can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the communication device includes, for example, a processing module and a transceiver module coupled with each other.
  • the processing module is used to determine the first security gateway that provides security services for the terminal device, and the first security gateway is used to establish an Internet Key Exchange (IKE) security association (SA) connection with the terminal device;
  • the transceiver module is used to configure the user plane network element with a first forwarding rule, and the first forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IKE SA connection to the first security gateway;
  • the transceiver module is also used to configure the user plane network element with a second forwarding rule after the processing module determines that the establishment of the IPsec sub-SA connection between the terminal device and the second security gateway is completed, and the second forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IPsec sub-SA connection to the second security gateway.
  • a communication apparatus is provided, for example, the communication apparatus is the aforementioned terminal equipment.
  • the communication device has the function of implementing the behavior in the method embodiment of the fifth aspect.
  • the functions can be implemented by hardware, or can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the communication device includes, for example, a transceiver module and a processing module coupled with each other.
  • the transceiver module is configured to receive the address information of the first security gateway from the network element of the first core network.
  • the processing module is configured to trigger the establishment of the IKE SA to the first security gateway according to the address information.
  • after the establishment of the IKE SA is completed, the transceiver module is configured to trigger a request message for establishing an IPsec sub-SA to the first security gateway.
  • the request message carries the address segment of the second security gateway.
  • the transceiver module is configured to receive address information of at least one security gateway from the policy control network element, and the processing module is configured to trigger the establishment of the IKE SA to the first security gateway.
  • the first security gateway is one of the security gateways indicated by the address information of the at least one security gateway.
  • the transceiver module is further configured to trigger a request message for establishing an IPsec sub-SA to the first security gateway after completing the establishment of the IKE SA.
  • the request message carries the address segment of the second security gateway.
  • the present application provides a communication device for a first security gateway or a chip of the first security gateway, comprising at least one processing element and at least one storage element, wherein the at least one storage element is used for storing programs and data, and the at least one processing element is used to perform the method of the aforementioned first aspect or any possible implementation of the first aspect.
  • the present application provides a communication device for a first core network element or a chip of the first core network element, comprising at least one processing element and at least one storage element, wherein the at least one storage element is used to store programs and data, and the at least one processing element is used to perform the method of the aforementioned second aspect or any possible implementation of the second aspect.
  • the present application provides a communication device for terminal equipment or a chip of the terminal equipment, comprising at least one processing element and at least one storage element, wherein the at least one storage element is used for storing programs and data, and the at least one processing element is used for performing the method in the aforementioned third aspect or any possible implementation manner of the third aspect, or for performing the method in the aforementioned fifth aspect.
  • the present application provides a communication device, comprising a processor and an interface circuit, where the interface circuit is configured to receive signals from communication devices other than the communication device and transmit them to the processor, or to send signals from the processor to other communication devices, and the processor is used to implement the method in the foregoing first aspect or any possible implementation manner of the first aspect through logic circuits or by executing code instructions.
  • the present application provides a communication device, comprising a processor and an interface circuit, where the interface circuit is configured to receive signals from communication devices other than the communication device and transmit them to the processor, or to send signals from the processor to other communication devices, and the processor is used to implement the method in the foregoing second aspect or any possible implementation manner of the second aspect through logic circuits or by executing code instructions.
  • the present application provides a communication device, comprising a processor and an interface circuit, where the interface circuit is configured to receive signals from communication devices other than the communication device and transmit them to the processor, or to send signals from the processor to other communication devices, and the processor is used to implement the method in the foregoing third aspect or any possible implementation manner of the third aspect through logic circuits or by executing code instructions.
  • the present application provides a computer program product comprising computer instructions which, when executed, cause the method in the foregoing first aspect or any possible implementation manner of the first aspect to be executed; or cause the method in the foregoing second aspect or any possible implementation manner of the second aspect to be executed; or cause the method in the foregoing implementation manner of the third aspect to be executed.
  • the present application provides a computer-readable storage medium storing computer instructions which, when executed, cause the method of the first aspect or any possible implementation of the first aspect to be performed, or cause the method of the aforementioned second aspect or any possible implementation of the second aspect to be performed, or cause the method of the aforementioned third aspect to be performed.
  • FIG. 1 is a schematic diagram of a possible communication network architecture in an embodiment of the present application.
  • FIG. 2A is a schematic diagram of another possible communication network architecture in an embodiment of the present application.
  • FIG. 2B is a schematic diagram of yet another possible communication network architecture in an embodiment of the present application.
  • FIG. 3A is a schematic diagram of data packet encapsulation in transport mode in an embodiment of the present application.
  • FIG. 3B is a schematic diagram of data packet encapsulation in tunnel mode in an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of an AF service flow path in an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of adding a ULCL in an embodiment of the present application.
  • FIG. 6 is a schematic diagram of an AF notification process in an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of the establishment of an IKE SA and an IPsec sub-SA in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of an MEC scenario in an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another communication system architecture in an embodiment of the present application.
  • FIG. 10 is a schematic flowchart of a communication method in an embodiment of the present application.
  • FIG. 11A is a schematic flowchart of a communication method according to a first possible implementation manner of the present application.
  • FIG. 11B is a schematic flowchart of a communication method according to a second possible implementation manner of the present application.
  • FIG. 11C is a schematic flowchart of a communication method according to a third possible implementation manner of the present application.
  • FIG. 12 is a schematic diagram of a first possible application scenario architecture of an embodiment of the present application.
  • FIG. 13 is a schematic flowchart of a communication method in a first possible application scenario of an embodiment of the present application.
  • FIG. 14 is a schematic diagram of a technical effect of a communication solution in a first possible application scenario of an embodiment of the present application.
  • FIG. 15 is a schematic flowchart of another communication method in the first possible application scenario of an embodiment of the present application.
  • FIG. 16 is a schematic diagram of the technical effect of another communication solution in the first possible application scenario of an embodiment of the present application.
  • FIG. 17 is a schematic diagram of a second possible application scenario architecture of an embodiment of the present application.
  • FIG. 19 is a schematic diagram of a technical effect of a communication solution in a second possible application scenario of an embodiment of the present application.
  • FIG. 20 is a schematic diagram of a third possible application scenario architecture of an embodiment of the present application.
  • FIG. 21 is a schematic flowchart of a communication method in a third possible application scenario of an embodiment of the present application.
  • FIG. 22 is a schematic diagram of a technical effect of a communication solution in a third possible application scenario of an embodiment of the present application.
  • FIG. 23 is a schematic diagram describing the architecture and effects of the provided solution according to an embodiment of the present application.
  • FIG. 24 is a schematic structural diagram of a communication device 2400 according to an embodiment of the present application.
  • FIG. 25 is a schematic structural diagram of a communication apparatus 2500 according to an embodiment of the present application.
  • the embodiments of the present application can be applied to the network architecture of the 4th generation mobile communication technology (4G), such as a long term evolution (LTE) system, and can also be applied to the network architecture of the 5th generation mobile communication technology (5G), such as the NR system, or to the sixth generation network architecture that follows the 5G architecture, or to other similar communication systems; there is no specific limitation.
  • 4G: 4th generation mobile communication technology
  • 5G: 5th generation mobile communication technology
  • an access network (AN) device, including a radio access network (RAN) device such as a base station (e.g., an access point), may refer to a device in the access network that communicates with wireless terminal devices over the air interface through one or more cells; for example, the access network device in vehicle-to-everything (V2X) technology is a roadside unit (RSU).
  • RAN: radio access network
  • the base station may be used to interconvert the received air frames and IP packets, acting as a router between the terminal equipment and the rest of the access network, which may include the IP network.
  • the RSU can be a fixed infrastructure entity supporting V2X applications and can exchange messages with other entities supporting V2X applications.
  • the access network equipment can also coordinate the attribute management of the air interface.
  • the access network equipment may include an evolved base station (NodeB, eNB or e-NodeB, evolutional Node B) in the LTE system or in long term evolution-advanced (LTE-A), or may also include a next generation node B (gNB) in the fifth generation (5G) NR system, or may also include a centralized unit (CU) and a distributed unit (DU) in a cloud radio access network (Cloud RAN) system, which are not limited in this embodiment of the present application.
  • Cloud RAN: cloud radio access network
  • the device for implementing the function of the access network device may be the access network device, or may be a device capable of supporting the access network device to realize the function, such as a chip or a chip system, and the device may be installed in the access network equipment.
  • the technical solutions provided by the embodiments of the present application are described by taking an example that the device for implementing the functions of the access network equipment is the access network equipment.
  • terminal devices include devices that provide users with voice and/or data connectivity; specifically, they include devices that provide users with voice, devices that provide users with data connectivity, or devices that provide users with both voice and data connectivity.
  • it may include a handheld device with wireless connectivity, or a processing device connected to a wireless modem.
  • the terminal equipment can communicate with the core network via the RAN, exchange voice or data with the RAN, or exchange voice and data with the RAN.
  • the terminal equipment may include user equipment (UE), wireless terminal equipment, mobile terminal equipment, device-to-device (D2D) terminal equipment, vehicle-to-everything (V2X) terminal equipment, machine-to-machine/machine-type communications (M2M/MTC) terminal equipment, Internet of things (IoT) terminal equipment, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point (AP), a remote terminal, an access terminal, a user terminal, a user agent, or a user device, etc.
  • UE: user equipment
  • D2D: device-to-device
  • V2X: vehicle to everything
  • M2M/MTC: machine-to-machine/machine-type communications
  • IoT: Internet of things
  • AP: access point
  • these may include mobile telephones (or "cellular" telephones), computers with mobile terminal equipment, and portable, pocket-sized, hand-held or computer-embedded mobile devices, and the like.
  • PCS: personal communication service
  • SIP: session initiation protocol
  • WLL: wireless local loop
  • PDA: personal digital assistant
  • constrained devices such as devices with lower power consumption, or devices with limited storage capacity, or devices with limited computing power, etc.
  • it includes information sensing devices such as barcodes, radio frequency identification (RFID), sensors, global positioning system (GPS), and laser scanners.
  • RFID: radio frequency identification
  • GPS: global positioning system
  • the terminal device may also be a wearable device.
  • Wearable devices can also be called wearable smart devices or smart wearable devices, etc. The term covers the application of wearable technology to the intelligent design and development of everyday wearable items, such as glasses, gloves, watches, clothing and shoes.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device, but also realizes powerful functions through software support, data interaction, and cloud interaction.
  • wearable smart devices include full-featured, larger devices that implement complete or partial functions without relying on a smart phone, such as smart watches or smart glasses, as well as devices that focus on one type of application function and need to work together with other devices such as smart phones, for example smart bracelets, smart helmets or smart jewelry used for physical sign monitoring.
  • if any of the terminal devices described above is located in a vehicle (for example, placed in the vehicle or installed in the vehicle), it can be considered on-board terminal equipment.
  • the on-board terminal equipment is also called an on-board unit (OBU).
  • the terminal device may further include a relay (relay).
  • any device capable of data communication with the base station can be regarded as a terminal device.
  • the apparatus for implementing the function of the terminal device may be the terminal device, or may be an apparatus capable of supporting the terminal device to implement the function, such as a chip or a chip system, and the apparatus may be installed in the terminal device.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the network elements involved in the embodiments of the present application may be hardware, software that is functionally divided, or a combined structure of the above two.
  • the network elements may include core network network elements, access network network elements (or referred to as access network equipment), and the like.
  • the core network element for example, includes a mobility management network element, a policy control network element, or a data management network element.
  • the mobility management network element is responsible for the access and mobility management of terminal equipment in the mobile network.
  • the mobility management network element may include the access and mobility management function (AMF) in 5G, the mobility management entity (MME) in 4G, or a network element in a future converged architecture that takes on all or part of the control function.
  • the mobility management network element may be an AMF network element, or have other names, which are not limited in this application.
  • the AMF network element is taken as an example of the mobility management network element.
  • the data management network element is used to help operators realize unified management of user-related data.
  • the data management network element may include, for example, a subscriber data management (SDM) network element, a unified data management (UDM) network element, or a home subscriber server (HSS) network element.
  • the session management network element is responsible for managing user services, such as a session management function (SMF) network element in 5G.
  • the session management network element may be an SMF network element, or have other names, which are not limited in this application.
  • the policy control network element is responsible for the functions of policy control decision-making and flow-based charging control.
  • it can be a policy control function (PCF) network element in 5G.
  • in future communication systems, for example 6G or other networks, the policy control network element may still be a PCF network element, or may have another name, which is not limited in this application.
  • "system" and "network" are often used interchangeably herein.
  • the term "and/or" in this article only describes an association relationship between the associated objects and indicates that three kinds of relationship are possible; for example, "A and/or B" can mean that A exists alone, that A and B exist at the same time, or that B exists alone.
  • the character "/" in this document generally indicates that the related objects are in an "or" relationship.
  • the term "at least one" referred to in this application refers to one or more than one, including one, two, three and more; "multiple" refers to two or more than two, including two, three or more.
  • "at least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or plural items.
  • "at least one of a, b, or c" can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c may be single or multiple.
  • B corresponding to A means that B is associated with A, and B can be determined according to A.
  • determining B according to A does not mean that B is only determined according to A, and B may also be determined according to A and/or other information.
  • the communication network architecture may include terminal equipment and data network (DN).
  • the communication network architecture may also include one or more of the following network elements: authentication server function (AUSF) network element, network exposure function (NEF) network element, policy control function (PCF) network element, unified data management (UDM) network element, unified data repository (UDR) network element, network repository function (NRF) network element, application function (AF) network element, access and mobility management function (AMF) network element, session management function (SMF) network element, RAN network element, and user plane function (UPF) network element, etc.
  • the AMF network element is responsible for user mobility management, including mobility status management, assigning user temporary identity, and authenticating and authorizing users.
  • the SMF network element is responsible for UPF network element selection, UPF network element reselection, Internet Protocol (Internet Protocol, IP) address allocation, bearer establishment, modification and release, and QoS control.
  • the PCF network element includes the functions of policy control decision and flow-based charging control, including user subscription data management function, policy control function, charging policy control function, QoS control and so on.
  • the UDM network element is responsible for managing the subscription data, and is responsible for notifying the corresponding network element when the subscription data is modified.
  • the UDR network element is responsible for storing and retrieving subscription data, policy data and public architecture data, etc.; for UDM, PCF and NEF to obtain relevant data.
  • the UDR should be able to apply different data access authentication mechanisms to different types of data, such as subscription data and policy data, to ensure the security of data access; for illegal service operations or data access requests, the UDR should return a failure response carrying an appropriate cause value.
  • the AF network element is used to provide a certain application layer service to the UE.
  • when the AF provides services to the UE, it has requirements on the QoS policy and the charging policy, and needs to notify the network of them.
  • the AF also needs application-related information fed back by other network elements of the core network.
  • the NEF network element mainly supports the network capability exposure function and exposes network capabilities and services to the outside; a 3rd generation partnership project (3GPP) network function (NF) publishes its capabilities and events to other NFs through the NEF, and the capabilities and events exposed by an NF can be safely exposed to third-party applications.
  • NEF uses a standardized interface to UDR (Nudr) to store/retrieve structured data.
  • internal 5G core information, such as the data network name (DNN) or single network slice selection assistance information (S-NSSAI).
  • the UPF network element supports all or part of the following functions: interconnecting protocol data unit (PDU) sessions with the data network; packet routing and forwarding, for example supporting the downlink classifier to forward traffic to the data network and supporting the branching point function for multi-homed PDU sessions; and packet inspection.
  • UPF network elements are specifically divided into intermediate-UPF (intermediate-UPF, I-UPF) and anchor UPF (anchor-UPF, A-UPF).
  • the I-UPF is connected to the access network RAN
  • the A-UPF is the UPF of the session anchor
  • the A-UPF may also be called the PDU session anchor user plane network element (PDU session anchor, PSA).
  • the UPF in this embodiment of the present application may have an offload function, such as an uplink classifier (uplink classifier, ULCL) or a branch point (branching point, BP) that supports the offload function.
  • the AUSF network element is responsible for the authentication function or performs the network slice specific authentication and authorization (NSSAA) process.
  • Untrusted non-3GPP access network equipment: this equipment allows interconnection and interworking between terminal equipment and the 3GPP core network over non-3GPP technologies, such as wireless fidelity (Wi-Fi), worldwide interoperability for microwave access (WiMAX), and code division multiple access (CDMA) networks.
  • the terminal equipment accessing the untrusted non-3GPP access network needs to interconnect with the 3GPP core network through the secure tunnel established with the security gateway.
  • the security gateway may be, for example, an evolved packet data gateway (ePDG) or a non-3GPP interworking function (N3IWF) network element.
  • for brevity, the words "network element" are omitted from the name of each functional network element below; for example, the AMF network element is abbreviated as AMF and the UDM network element as UDM.
  • Figure 1 shows a schematic diagram of a communication network architecture based on a service-oriented architecture.
  • the communication between any two network elements can use service-oriented communication
  • the interfaces Nnef and Nausf used for communication with the NEF and the AUSF, respectively, are service-oriented interfaces.
  • interfaces Nnrf, Npcf, Nudm, Naf, Nudr, Namf, and Nsmf are service-oriented interfaces.
  • AMF and terminal equipment can communicate through N1 interface
  • AMF and (R)AN can communicate through N2 interface
  • RAN and UPF can communicate through N3 interface
  • SMF and UPF can communicate through N4 interface
  • the terminal equipment and the RAN communicate over the air interface; the UPF and the DN can communicate through the N6 interface.
  • FIG. 2A is a schematic diagram of a communication network architecture based on point-to-point interfaces; the main difference between FIG. 1 and FIG. 2A is that the interfaces between the network elements in FIG. 2A are point-to-point interfaces rather than service-oriented interfaces.
  • the communication network architecture shown in FIG. 1 and FIG. 2A is a 3rd generation partnership project (3GPP) system architecture.
  • FIG. 2B is a non-3GPP (non-3GPP) system architecture. Compared with the 3GPP architecture, the non-3GPP system architecture adds N3IWF network elements.
  • the 3GPP core network is the home public land mobile network (home public land mobile network, HPLMN) of the UE as an example.
  • the UE may access the 3GPP core network through at least one of a 3GPP access network (eg, RAN) and an untrusted non-3GPP access network.
  • Internet Protocol Security (IPsec) is not a single protocol; it is a set of solutions that provide security at the IP layer. IPsec is used to protect sensitive data in transit over insecure networks. The two communicating parties perform encryption and data source authentication at the IP layer to ensure the confidentiality of transmitted packets, data integrity, data source authentication, and anti-replay.
  • data source authentication means that the identity of the peer is authenticated and cannot be denied.
  • Integrity protection refers to ensuring that data is not tampered with during transmission.
  • Confidentiality refers to the encryption protection of sensitive user data in transit.
  • Anti-replay refers to refusing to receive old or duplicate packets.
  • Encapsulating security payload (ESP) and authentication header (AH) are the two IPsec security protocols used to provide these security services for IP datagrams.
  • AH mainly provides functions such as data source authentication, data integrity verification, and anti-replay attack, but does not support data encryption.
  • ESP mainly provides data source authentication, data integrity verification, anti-replay attack, data encryption and other functions.
  • AH and ESP can be used individually or nested. These combinations can be used between two hosts, between two security gateways (such as firewalls or routers), or between a host and a security gateway.
  • IPsec has two working modes, namely transport mode and tunnel mode. Each mode applies to different scenarios and handles data differently.
  • Transport mode is used for communication between two hosts, or between a host and a security gateway.
  • the two devices that encrypt and decrypt the message must be the original sender and final receiver of the message.
  • the encryption/decryption point is the actual communication point.
  • FIG. 3B is a schematic diagram of a data encapsulation manner in tunnel mode.
  • Tunnel mode is often used in network-to-network scenarios. Usually, most of the data traffic between two security gateways (routers) is not the traffic of the security gateways themselves, so transport mode is generally not used between security gateways. A packet encrypted at one security gateway can only be decrypted by the other security gateway. Therefore, the IP packet must be tunnel-encapsulated, that is, a new IP header is added, and the encapsulated IP packet is sent to the other security gateway to be decrypted.
  • Security policy database (SPD): the IPsec security policy database.
  • an SA is an agreement established through negotiation by two communicating entities (such as hosts or security gateways). It creates a one-way logical connection for security purposes, and all data flows passing through the same SA receive the same security service.
  • a security association is a basic part of IPsec; SAs include the Internet Key Exchange (IKE) SA and the IPsec SA.
  • the IKE SA is used to protect negotiation traffic and authentication traffic, such as the negotiated IPsec protocol (AH or ESP), operation mode (transport mode or tunnel mode), authentication algorithm, encryption algorithm, encryption key, key lifetime, anti-replay window, etc.
  • IPsec SA is used to protect the actual transmitted data traffic. IPsec SA is a one-way protection. Both IKE SA and IPsec SA are generated through IKE protocol negotiation.
  • the IKE protocol is responsible for key management, and defines the methods for performing identity authentication, negotiating encryption algorithms and generating shared session keys between communicating entities. IKE keeps the result of key negotiation in SA for later use by AH and ESP.
  • Security association database (SAD): a storage structure holding all state data associated with SAs.
  • Security parameter index (security parameter index, SPI): a 32-bit value used to find SA. SPI, IP destination address, and security protocol number are combined to form a triplet, which is used to uniquely identify a specific SA.
  • Security policy (SP): configured by the user, it decides what kind of protection to provide for IP packets and in what way to implement that protection.
  • SP attributes include protected data streams (such as access control lists (ACL)), security proposals (working mode, IPsec protocol, encryption and authentication algorithms), key configuration methods, local/peer IP addresses of the secure tunnel, IKE peer (Peer) and so on.
  • a feasible encryption scheme is to deploy a security gateway between the UPF and the DN.
  • the communication between the UE and the security gateway implements end-to-end (E2E) encryption at the IP layer.
  • the practical key and encryption strategy for encryption can be obtained through negotiation between the UE and the security gateway based on a security protocol (such as IPsec).
  • the edge network is the counterpart of the central cloud and can be understood as a local data center; it can be identified by a data network access identifier (DNAI) and can also be called an edge computing network. Multiple local data networks (local DNs) can be deployed in the edge network.
  • the edge network may be an edge data network (EDN).
  • the edge network to which the terminal device is attached may change as the terminal device moves, so the DNAI it accesses will also change.
  • the AF notifies the SMF of the DNAI supporting the MEC service, the corresponding location area, and service flow information through the PCF, so that the SMF triggers and adjusts the current session of the terminal device.
  • the AF generates an AF request (request).
  • the AF request may include the AF service identifier (AF Transaction ID) and the receiving method of the AF notification (for example, the AF notification needs to be received).
  • the AF request may also include an AF service indicator (AF service ID), a DNAI list corresponding to the service, and an application ID (such as an APP ID) and service flow information (traffic filtering information) of the indicated service.
  • the AF request may also include N6 routing information (including port information for establishing an N6 connection with the UPF). The traffic flow information is used to identify the traffic flow.
  • the AF sends the generated AF request to the NEF.
  • the AF may send the AF request to the NEF through the service-oriented interface message between the AF and the NEF, such as Nnef_TrafficInfluence_Create/Update/Delete.
  • the NEF stores the content carried in the AF request in the UDR.
  • the NEF notifies the AF that the content carried in the request has been stored/updated/deleted in the NEF's stored information, through a service-oriented interface message between the NEF and the AF, which can be Nnef_TrafficInfluence_Create/Update/Delete Response.
  • the UDR may also perform step 404.
  • the UDR will notify the PCF of the modification (including update/deletion, etc.) of the content carried by the corresponding AF request.
  • the UDR can notify the PCF of the modification of the content carried by the AF request through the service interface message of the UDR.
  • the service interface message of the UDR may be Nudr_DM_Notify.
  • the PCF determines whether the PDU session needs to be modified according to the content in Nudr_DM_Notify. If it determines that the PDU session needs to be modified, it generates a policy and charging control rule (PCC rule) according to that content and sends the PCC rule to the SMF. If the AF notification receiving method indicates that AF notifications need to be received, the PCF also sends the subscription event for the AF notification to the SMF.
  • the PCF may send the PCC rule to the SMF through the PCF's servitization interface message.
  • the PCF's service-oriented interface message may be Npcf_SMPolicyControl_UpdateNotify.
  • the SMF receives the PCC rule sent by the PCF, and performs user plane reconfiguration according to the PCC rule, including adjusting the current PDU session, which may include one or more of the following:
  • the SMF determines, through a change of area or by detecting the corresponding service flow, to execute the PCC rule issued in the flow of FIG. 4, and the SMF performs the insertion of the ULCL node.
  • the SMF needs to adjust the forwarding rules of PSA1, PSA2, and ULCL respectively to ensure that the corresponding uplink and downlink data packets are transmitted from the correct user plane network element.
  • the UE has established a PDU session with PSA1.
  • the SMF locally stores the port information corresponding to the PDU session, such as the uplink port information on the PSA1 used for connecting to the RAN, and the downlink port information on the RAN used for connecting with the PSA1.
  • the SMF selects and configures the PSA2, mainly configures the N6 port of the PSA2, and obtains the uplink port of the PSA2.
  • the SMF selects and configures the added UPF (ULCL/BP), taking ULCL as an example.
  • the SMF updates the data forwarding rule of PSA1, and configures the downlink tunnel from PSA1 to ULCL mainly according to the downlink port information used by ULCL to connect with PSA1.
  • the SMF updates the data forwarding rule of PSA2, and configures the downlink tunnel of PSA2 mainly according to the downlink port information used by the ULCL to connect with PSA2.
  • the SMF updates the data forwarding rule of the RAN, and mainly establishes an uplink tunnel from the RAN to the ULCL according to the uplink port information used by the ULCL to connect with the RAN.
  • the SMF notifies the UE of the new IP address (IP prefix) of PSA2, for example when PSA2 uses an IPv6 address.
  • the SMF updates the IP prefix of PSA1 to the UE, PSA2 using the IPv6 address.
  • Steps 507-508 mainly cover the transmission mechanism of the PSA IPv6 addresses and update the respective IPv6 addresses. Since the routing path changes after the ULCL is inserted, the SMF adds the IPv6 address of the ULCL to the IPv6 address lists of PSA1 and PSA2.
  • AF notification can include Early notification or Late notification.
  • AF notification is mainly used to notify AF of DNAI changes after inserting ULCL for SMF.
  • the SMF determines that the conditions for triggering the AF notification subscribed by the AF are met.
  • the SMF sends the early notification to the NEF, and the AF notification may include the target DNAI of the current PDU session.
  • the SMF may send an early notification to the NEF through a servitized interface message with the NEF.
  • the NEF service interface message can be Nsmf_EventExposure_Notify(early notification).
  • after receiving the early notification, the NEF sends it to the AF that subscribed to the early notification.
  • NEF can send early notification to AF through service interface message.
  • the service interface message can be Nnef_TrafficInfluence_Notify(early notification).
  • the NEF can also perform message mapping, such as selecting the corresponding AF transaction ID, and Nnef_TrafficInfluence_Notify can also include the AF transaction ID, etc.
  • the AF sends a reply message to the NEF, or the AF sends a reply message to the NEF after redeploying the application at the Target DNAI.
  • the reply message carries the N6 data routing information corresponding to Target DNAI.
  • the AF may send a reply message to the NEF through the NEF serviced interface message.
  • the NEF service interface message is Nnef_TrafficInfluence_AppRelocationInfo.
  • the NEF triggers a matching notification message to notify the SMF of the application redeployment information (mainly including the N6 data routing information of the Target DNAI of the application redeployment).
  • the NEF may send the application redeployment information to the SMF through the SMF service-oriented interface message.
  • the SMF service interface message can be Nsmf_TrafficInfluence_AppRelocationInfo.
  • the SMF sends the early notification to the AF, and the early notification may include the target DNAI of the current PDU session.
  • the SMF may send an early notification to the AF through an SMF serviced interface message with the AF.
  • the SMF service interface message can be Nsmf_EventExposure_Notify(early notification).
  • the AF directly sends a reply message to the SMF, or the AF sends a reply message to the NEF after redeploying the application at the Target DNAI.
  • the reply message carries the N6 data routing information corresponding to Target DNAI.
  • the AF may send a reply message to the SMF through a serviced interface message.
  • the service interface message is Nsmf_TrafficInfluence_AppRelocationInfo.
  • in step 604 the SMF executes the DNAI change process or the UPF addition/relocation/removal process. If the AF has subscribed at the SMF with an "AF acknowledgment to be expected" indication, the SMF waits for the reply message sent by the AF before executing step 604; otherwise, the SMF may execute step 604 directly after sending the early notification.
  • the SMF sends the late notification to the NEF.
  • the late notification includes the Target DNAI of the current PDU Session.
  • the SMF may send the late notification to the NEF through a servitization interface message, for example, the servitization interface message may be Nsmf_EventExposure_Notify.
  • after receiving the late notification, the NEF sends it to the AF that subscribed to the late notification.
  • NEF can send late notification to AF through service interface message.
  • the service interface message can be Nnef_TrafficInfluence_Notify(late notification).
  • after receiving the late notification, the NEF can also perform message mapping, such as selecting the corresponding AF transaction ID, and Nnef_TrafficInfluence_Notify can also include the AF transaction ID, etc.
  • the AF sends a reply message to the NEF, or the AF sends a reply message to the NEF after redeploying the application to Target DNAI.
  • the reply message carries the detailed N6 data routing information corresponding to Target DNAI. If the AF changes, the AF includes the AF switching indication, including the Target AF ID, in the reply message, and notifies the NEF of the Target AF's target address (Target Address).
  • the AF may send a reply message to the NEF through a serviced interface message.
  • the service interface message is Nnef_TrafficInfluence_AppRelocationInfo.
  • the NEF triggers a matching notification message to notify the SMF of the redeployment information of the application (mainly including the N6 data routing information of the Target DNAI of the application redeployment).
  • the NEF may send a reply message to the SMF through a serviced interface message.
  • the service interface message is Nsmf_TrafficInfluence_AppRelocationInfo.
  • the SMF sends the late notification to the AF.
  • the late notification includes the Target DNAI of the current PDU Session.
  • the AF detects whether it can serve the Target DNAI. If the AF entity needs to be replaced, the AF selects the Target AF for the Target DNAI and performs AF migration.
  • the SMF may send a late notification to the AF through a service-oriented interface message.
  • the service interface message can be Nsmf_trafficInfluence_Notify(late notification).
  • the AF sends a reply message to the SMF, or the AF sends a reply message to the SMF after redeploying the application to Target DNAI.
  • the reply message carries the detailed N6 data routing information corresponding to Target DNAI. If the AF changes, the AF includes the AF switching indication in the reply message, including the Target AF ID, and notifies the SMF of the Target AF's target address (Target Address).
  • the AF may send a reply message to the SMF through a serviced interface message.
  • the service interface message is Nsmf_TrafficInfluence_AppRelocationInfo.
  • Steps 701-702 are the establishment flow of IKE SA.
  • Steps 703 to 704 are procedures for establishing an IPsec sub-SA.
  • the information exchanged in the subsequent IPsec sub-SA establishment process can be encrypted and transmitted through the IKE SA.
  • the data packets belonging to the IPsec sub-SA are encrypted and transmitted by the IPsec sub-SA.
  • the information in square brackets in Figure 7 is optional, and the information in curly brackets is encrypted and protected by IKE SA.
  • the initiator initiates a message 1 for establishing an IKE SA to the responder, where the message 1 includes one or more of HDR, SAi1, KEi1, or Ni.
  • HDR stands for the IKE header; HDR includes the security parameter indexes (SPI) (used to find security policy parameters), the IKE protocol version number, the exchange type (transmission type or tunnel type), the message ID, and other flags.
  • SAi1 represents the encryption algorithm supported by the initiator
  • KEi1 represents the key exchange material of the initiator
  • KEi1 contains the Diffie-Hellman value of the initiator, which is used to generate the encryption material.
  • Ni represents the random number of the initiator, which is used to generate a key or for encryption, etc.
  • the responder sends a message 2 to the initiator, where the message 2 is used to respond to the message 1, and the message 2 includes one or more of HDR, SAr1, KEr1, or Nr.
  • SAr1 represents the encryption algorithm supported by the responder
  • KEr1 represents the key exchange material of the responder.
  • KEr1 includes the responder's Diffie-Hellman value, which is used to generate the cryptographic material.
  • Nr represents the random number of the responder, which is used to generate a key or for encryption, etc.
  • Message 2 may also contain an authentication request. At this point, both parties have obtained the other party's KE and random number, and can generate the same SKEYSEED for generating all subsequent keys.
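To make the message 1 / message 2 exchange concrete, the following is an added example, not code from the patent: a minimal Python model of IKE_SA_INIT in which each side contributes a Diffie-Hellman value (KEi / KEr) and a nonce (Ni / Nr) and both then derive the same SKEYSEED. The DH group (RFC 3526 MODP group 14), the prf (HMAC-SHA256), the proposal string and the reduction of HDR to an SPI are assumptions of this example, not anything the patent specifies.

```python
"""Added example (not from the patent): a minimal model of the IKE_SA_INIT
exchange (message 1 / message 2).  Assumptions of this example: the DH group
is MODP group 14 from RFC 3526, the prf is HMAC-SHA256, and HDR is reduced
to an SPI; SKEYSEED = prf(Ni | Nr, g^ir) follows RFC 7296 section 2.14."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# RFC 3526 MODP group 14 (2048-bit prime, generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_LEN = (P.bit_length() + 7) // 8   # 256 bytes: fixed-length encoding of g^ir


@dataclass(frozen=True)
class InitMessage:
    """Simplified IKE_SA_INIT payloads: HDR (SPI only), SA proposal, KE, nonce."""
    spi: bytes
    sa_proposal: str
    ke: int          # KEi or KEr: the sender's public Diffie-Hellman value
    nonce: bytes     # Ni or Nr


class IkePeer:
    def __init__(self, sa_proposal: str = "AES-GCM-256/PRF-HMAC-SHA256/DH14"):
        self.spi = os.urandom(8)                       # this side's SPI in HDR
        self.sa_proposal = sa_proposal                 # SAi1 / SAr1 (one proposal)
        self.nonce = os.urandom(32)                    # Ni / Nr
        self._priv = int.from_bytes(os.urandom(32), "big") | 1   # DH private exponent
        self.ke = pow(G, self._priv, P)                # KEi / KEr

    def init_message(self) -> InitMessage:
        return InitMessage(self.spi, self.sa_proposal, self.ke, self.nonce)

    def skeyseed(self, peer_ke: int, ni: bytes, nr: bytes) -> bytes:
        """SKEYSEED = prf(Ni | Nr, g^ir).  Degenerate KE values are rejected
        because they would force the shared secret to a trivial value."""
        if peer_ke <= 1 or peer_ke >= P - 1:
            raise ValueError("invalid KE payload")
        g_ir = pow(peer_ke, self._priv, P).to_bytes(P_LEN, "big")
        return hmac.new(ni + nr, g_ir, hashlib.sha256).digest()


def ike_sa_init(initiator: IkePeer, responder: IkePeer) -> tuple:
    """Run message 1 and message 2; return the SKEYSEED computed by each side."""
    msg1 = initiator.init_message()                    # HDR, SAi1, KEi, Ni
    if msg1.sa_proposal != responder.sa_proposal:      # responder must accept a proposal
        raise ValueError("NO_PROPOSAL_CHOSEN")
    msg2 = responder.init_message()                    # HDR, SAr1, KEr, Nr
    # Both sides now hold the other's KE and both nonces.
    seed_i = initiator.skeyseed(msg2.ke, msg1.nonce, msg2.nonce)
    seed_r = responder.skeyseed(msg1.ke, msg1.nonce, msg2.nonce)
    return seed_i, seed_r


if __name__ == "__main__":
    s_i, s_r = ike_sa_init(IkePeer(), IkePeer())
    print("SKEYSEED agreed:", s_i == s_r, s_i.hex()[:16] + "...")
```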
  • the initiator sends a message 3 for establishing an IPsec sub-SA to the responder, and the message 3 includes HDR, SK{IDi, AUTH, SAi2, TSi, TSr}.
  • SK{...} means that the content in the curly brackets is encrypted and integrity-protected using the IKE SA.
  • message 3 may also include one or more of [CERT] or [CERTREQ].
  • IDi and AUTH are used for authentication verification and integrity protection.
  • IDi represents the identity of the initiator (Identification-Initiator).
  • AUTH represents the authentication payload.
  • CERT stands for certificate.
  • CERTREQ stands for certificate request.
  • SAi2 represents the encryption algorithm proposed by the initiator for the IPsec sub-SA, and TSi and TSr are the traffic selectors, that is, the packet filtering rules that determine which packets this sub-SA protects.
  • TSi may include an IP address or an IP address segment, and TSr may include an IP address or an IP address segment.
  • for the initiator, if the source address of a data packet sent by the initiator is within the IP address range of TSi and its destination address is within the IP address range of TSr, the packet needs to be encrypted by the sub-SA.
  • for the responder, if the source address of a data packet sent by the initiator is within the IP address range of TSi and its destination address is within the IP address range of TSr, the packet needs to be decrypted by the sub-SA.
  • for the initiator, if the destination address of a data packet sent by the responder is within the IP address range of TSi and its source address is within the IP address range of TSr, the packet needs to be decrypted by the sub-SA.
  • for the responder, if the source address of a data packet sent by the responder is within the IP address range of TSr and its destination address is within the IP address range of TSi, the packet needs to be encrypted by the sub-SA.
  • the responder responds with message 4 to the initiator.
  • Message 4 includes HDR, SK{IDr, AUTH, SAr2, TSi, TSr}.
  • [CERT] may also be included in message 4.
  • IDr represents the identity information indicator of the responder.
  • AUTH represents the authentication payload.
  • CERT stands for certificate.
  • SAr2 represents the encryption algorithm used by the responder's IPSec sub-SA, and TSi and TSr are the packet filtering rules applied to the encryption of this sub-SA.
  • steps 703 and 704 may be performed multiple times, and IKE SAs are used for encryption protection to establish multiple groups of IPsec sub-SAs for data transmission. It should be understood that the initiator of the establishment of the IPsec sub-SA may be the initiator of the IKE SA, or the responder of the IKE SA.
  • a possible implementation method is to deploy a security gateway after each PSA (UPF) in order to realize end-to-end encryption, on the terminal device side, of the user plane data transmitted by terminal devices.
  • the central UPF which is the anchor UPF of the session, is located in the centralized data center at the far end.
  • the APP server 1 (server1) in the remote data center can send user plane data, such as user plane APP data, to the terminal device through the central UPF.
  • ULCL/BP can be regarded as a special UPF. It is located at the edge node closer to the terminal device.
  • the security gateway is an IPsec gateway deployed between the UPF and the APP server and is mainly used to encrypt the data of the APP. In order to keep the APP data encrypted on the transmission path between the terminal device and the security gateway, that is, to ensure that the APP data is invisible on the core network side and on the base station side (such as the RAN side), an independent security gateway needs to be deployed after the central UPF and after the ULCL/BP.
  • when the service of the terminal device is updated or the location of the terminal device changes, the insertion of a new ULCL/BP may be triggered and the security gateway may be changed, or an update of the ULCL/BP and of the security gateway may be triggered.
  • for example, the server originally serving the terminal device is APP server1; then, due to a service update of the terminal device, the server of the terminal device needs to be switched from APP server1 to APP server2. Therefore, it is necessary to trigger the insertion of a new ULCL/BP and to update the security gateway, switching from the original security gateway 1 to security gateway 2.
  • the adjustment of the server is mainly realized by the AF-influenced traffic routing procedure (for example, see the description of Figure 4): the AF can first provide the DNAI available to the relevant application server (that is, the identifier of the data network access point where the application server is located) to the SMF through the PCF.
  • the SMF triggers a new ULCL/BP insertion procedure (for example, see the description of Figure 5) because the terminal device moves or because the SMF detects the data flow corresponding to the terminal device. After the selection of the ULCL/BP is completed, the SMF notifies the AF of the DNAI change, obtains the N6 configuration options and related routing rules required by the ULCL/BP through the AF notification procedure (for example, see the description of Figure 6), and then configures the ULCL/BP. Then, in order to ensure the security of the user plane data, the IKE SA and the IPsec SA of security gateway 2 are further established.
  • the embodiments of the present application provide a communication method and apparatus in which a centralized security gateway is deployed.
  • the centralized security gateway is used to establish IKE SAs with terminal devices.
  • the centralized security gateway is responsible for key generation and distribution.
  • the security gateway that provides security protection for user plane data transmission adopts distributed deployment.
  • Distributed security gateways can be deployed after ULCL/BP to establish user plane IPsec sub-SA connections with terminal devices.
  • the centralized security gateway replaces the distributed security gateway to create an IPsec sub-SA connection with the terminal device, or the centralized security gateway creates an IPsec sub-SA connection with the terminal device for the distributed security gateway.
  • a centralized security gateway may establish transport-mode IPsec sub-SAs for distributed security gateways.
  • the communication system includes a first security gateway and a second security gateway.
  • the first security gateway may also be referred to as a centralized security gateway.
  • the first security gateway is used to provide security protection of the IKE SA, and the first security gateway may also be referred to as an IKE gateway.
  • the second security gateway may be referred to as a distributed security gateway.
  • the second security gateway is used to provide security protection of the IPsec SA, and the second security gateway may also be referred to as an IPsec gateway.
  • the first security gateway may be deployed in a data center.
  • the second security gateway may be distributed and deployed between each PSA and the application server.
  • the communication system further includes network elements of the first core network and network elements of the second core network.
  • the first core network network element may include a session management network element
  • the second core network network element may include a mobility management network element or a policy control network element.
  • the session management network element may be SMF
  • the mobility management network element may be AMF
  • the policy control network element may be PCF.
  • the communication system may further include a user plane network element.
  • FIG. 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
  • the first security gateway establishes an IKE SA connection with a terminal device.
  • the first security gateway establishes an IPsec sub-SA connection for the second security gateway when it is determined that the user plane data needs to be securely transmitted through the second security gateway.
  • the IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • for example, the end-to-end security service of the terminal device needs to be switched to an EAS server, so a ULCL/BP needs to be inserted and the security gateway needs to be replaced. Therefore, it is necessary to determine the second security gateway that securely transmits the user plane data between the terminal device and the EAS server.
  • when the first security gateway establishes an IPsec sub-SA connection for the second security gateway, this may be implemented in any of the following ways:
  • in the first way, the first security gateway negotiates the IPsec sub-SA connection with the terminal device on behalf of the second security gateway and obtains the first security parameter; the second security gateway does not participate in the negotiation. The first security gateway then configures the negotiated security parameters on the second security gateway for its use.
  • the first security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the first security parameter may include material for generating a key for user plane data transmission with the terminal device.
  • the material may include key material generated by the first security gateway, key exchange material of the terminal device, key exchange material configured for the second security gateway, random numbers of the terminal device or random numbers generated for the second security gateway.
  • the second security gateway may generate key material according to the material provided by the first security gateway. For example, see the formula (1) below.
  • KEYMAT represents the key material.
  • Prf stands for pseudo-random function
  • Ni represents a random number of the terminal device
  • Nr represents a random number generated by the second security gateway
  • SK_d represents the key material derived on the basis of IKE SA.
  • the second security gateway may generate key material according to the material provided by the first security gateway. For example, see the formula (2) below.
  • KEYMAT represents the key material generated by the second security gateway.
  • Prf stands for pseudo-random function.
  • Ni represents a random number of the terminal device, and Nr represents a random number generated by the second security gateway.
  • SK_d represents the key material derived on the basis of IKE SA.
  • g ⁇ ir is generated from KEi and KEr.
  • KEi represents the key exchange material of the terminal device, and KEr represents the key exchange material configured for the second security gateway.
  • SPIi and SPIr represent the security parameter index values of the initiator and the responder.
  • g ⁇ ir is generated from KEi1 and KEr1.
  • KEi1 represents the key exchange material of the terminal device in the IKE SA negotiation phase.
  • KEr1 represents the key exchange material of the first security gateway in the IKE SA negotiation phase.
  • Ni1 represents the random number of the terminal device in the IKE SA negotiation phase, and Nr1 represents the random number of the first security gateway in the IKE SA negotiation phase.
  • the first security parameter may further include one or more of the following:
  • the encryption algorithm of the terminal device, the encryption algorithm allocated to the second security gateway, or the packet filtering rule for user plane data transmission between the terminal device and the second security gateway.
  • TSi and TSr can be included in the packet filtering rule.
  • TSi may include IP addresses or IP address segments.
  • the TSr may include an IP address or an IP address segment. For the initiator, if the source address of the data packet sent from the initiator is within the IP address range of the TSi and the destination address is within the IP address range of the TSr, the sub-SA needs to be encrypted.
  • For the responder, if the source address of the data packet sent from the initiator is within the IP address range of the TSi and the destination address is within the IP address range of the TSr, the sub-SA needs to be decrypted. Or, for the initiator, if the destination address of the data packet sent from the responder is within the IP address range of the TSi and the source address is within the IP address range of the TSr, the SA needs to be decrypted. For the responder, if the source address of the data packet sent from the responder is within the IP address range of the TSr and the destination address is within the IP address range of the TSi, the sub-SA needs to be encrypted. In this embodiment, the initiator is the terminal device, and the responder can be considered to be the second security gateway.
  • alternatively, the first security gateway may generate the KEYMAT according to the first security parameter, for example using formula (1) or formula (2), and then send the generated KEYMAT to the second security gateway.
  • KEYMAT is a binary data string, so the second security gateway can take a portion of its bits as the encryption key or decryption key of the IPsec sub-SA.
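The TSi/TSr rule stated above, with the terminal device as initiator and the second security gateway as responder, written out as an added Python example. This is not code from the patent; the addresses are constructed, only IPv4 addresses and prefixes are handled (no port or protocol selectors), and the prefix-narrowing helper used to illustrate a TSr* is an assumption about how a gateway would reconcile a requested TSr with its configuration.

```python
"""TSi/TSr packet-filtering rule of an IPsec sub-SA, applied at both ends.

Added illustration; not code from the patent. Assumptions: IPv4 address or
prefix strings only (no ports or protocol selectors), and a packet modelled as
its (source, destination) pair.
"""
import ipaddress

ENCRYPT, DECRYPT, NO_MATCH = "encrypt", "decrypt", "no-match"


def _covered(addr, selectors):
    """True when addr falls inside any address or prefix listed in a traffic selector."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in selectors)


def sub_sa_action(role, outbound, src, dst, tsi, tsr):
    """Decide what the sub-SA does with one packet.

    role      -- "initiator" (the terminal device) or "responder" (the gateway)
    outbound  -- True if this party is sending the packet, False if receiving it
    TSi->TSr traffic is encrypted by the initiator and decrypted by the
    responder; TSr->TSi traffic is encrypted by the responder and decrypted by
    the initiator.  Anything else is outside this SA.
    """
    i_to_r = _covered(src, tsi) and _covered(dst, tsr)
    r_to_i = _covered(src, tsr) and _covered(dst, tsi)
    if role == "initiator":
        if outbound and i_to_r:
            return ENCRYPT
        if not outbound and r_to_i:
            return DECRYPT
    elif role == "responder":
        if not outbound and i_to_r:
            return DECRYPT
        if outbound and r_to_i:
            return ENCRYPT
    else:
        raise ValueError("role must be 'initiator' or 'responder'")
    return NO_MATCH


def narrow_selector(requested, allowed):
    """TSr*-style narrowing (assumed behaviour): keep only the parts of the
    requested selector that the gateway's configuration permits, i.e. the
    intersection of the two prefix lists."""
    out = []
    for r in (ipaddress.ip_network(s, strict=False) for s in requested):
        for a in (ipaddress.ip_network(s, strict=False) for s in allowed):
            if r.subnet_of(a):
                out.append(str(r))
            elif a.subnet_of(r):
                out.append(str(a))
    return out


# Constructed sample: terminal 10.45.0.7, application servers behind the
# IPsec gateway in 203.0.113.0/24.
TSI = ["10.45.0.7"]
TSR = ["203.0.113.0/24"]

SAMPLE_PACKETS = [
    ("initiator", True,  "10.45.0.7",    "203.0.113.10"),  # UE -> app server
    ("responder", False, "10.45.0.7",    "203.0.113.10"),  # same packet at gw
    ("responder", True,  "203.0.113.10", "10.45.0.7"),     # app server -> UE
    ("initiator", False, "203.0.113.10", "10.45.0.7"),     # same packet at UE
    ("initiator", True,  "10.45.0.7",    "198.51.100.1"),  # outside TSr
    ("responder", False, "10.45.0.9",    "203.0.113.10"),  # other UE, not in TSi
]


def classify_samples(packets=SAMPLE_PACKETS, tsi=TSI, tsr=TSR):
    return [sub_sa_action(role, out, s, d, tsi, tsr) for role, out, s, d in packets]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, classify_samples()):
        print(pkt, "->", action)
    print("TSr narrowed to:", narrow_selector(TSR, ["203.0.113.0/26", "198.51.100.0/24"]))
```

A real IPsec SPD would discard, not bypass, an unprotected inbound packet that matches a protect policy; the example only reports whether the sub-SA applies, as the description does.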
  • the second security gateway may participate in the negotiation of the IPsec sub-SA connection between the first security gateway and the terminal device.
  • the first security gateway may configure security parameters for the second security gateway during the negotiation with the terminal device; after receiving them, the second security gateway may confirm or modify the security parameters and send the confirmed or modified security parameters back to the first security gateway.
  • the first security gateway sends the security parameters modified or confirmed by the second security gateway to the terminal device as its own negotiation result.
  • the IPsec sub-SA negotiation is performed twice between the first security gateway and the terminal device.
  • the first security gateway and the terminal device negotiate the IPsec sub-SA connection.
  • in the third way, the first security gateway acts as an intermediate proxy network element and is responsible for forwarding the signaling messages that negotiate the IPsec sub-SA connection between the second security gateway and the terminal device.
  • the negotiation object that the terminal device can perceive is the first security gateway, and does not perceive the second security gateway.
  • the terminal device initiates an establishment request to the first security gateway, so that the first security gateway receives the establishment request initiated by the terminal device; the establishment request is used to request establishment of an IPsec sub-SA connection with the first security gateway. It should be understood that the terminal device does not perceive the second security gateway and only exchanges messages with the first security gateway, while in fact the first security gateway establishes the IPsec sub-SA connection on behalf of the second security gateway.
  • the establishment request may include the encryption algorithm of the terminal device and the key exchange material of the terminal device.
  • the establishment request may also include a packet filtering rule for using the IPsec sub-SA connection to transmit data on the user plane.
  • SAi represents the encryption algorithm of the terminal device.
  • KEi represents the key exchange material for the end device.
  • TSi and TSr represent packet filtering rules for user plane data transmission using IPsec sub-SA connections. It can be understood that TSi represents the IP address or IP address segment of the terminal device.
  • TSr represents the IP address segment of the target application server, which may be understood as the IP address segment of the second security gateway.
  • the establishment request may also include a random number of the terminal device, which is represented by Ni as an example.
  • the first security gateway sends the first security parameter of the IPsec sub-SA connection to the second security gateway.
  • the first security parameter may include material for generating a key for user plane data transmission with the terminal device.
  • the first security parameter includes one or more of the following: the key material (SK_d) generated by the first security gateway, the key exchange material (KEi) of the terminal device, the key exchange material (KEr) configured for the second security gateway, the random number (Ni) of the terminal device, or the random number (Nr) generated for the second security gateway.
  • the first security parameter may further include SAi and SAr.
  • SAr represents the encryption algorithm configured for the second security gateway.
  • the first security parameter may also include TSi and TSr.
  • the first security gateway may also update the TSr for the second security gateway according to the TSr and the configuration information. For example, if the updated TSr is represented by TSr*, the first security parameter includes TSi and the updated TSr (i.e. TSr*).
  • after receiving the first security parameter, the second security gateway sends a confirmation message to the first security gateway, indicating that the first security parameter has been received.
  • 1104a may not be executed, and the first security gateway directly executes 1105a after executing 1103a.
  • the first security gateway sends a setup response to the terminal device, where the setup response includes the first security parameter.
  • the terminal device initiates an establishment request to the first security gateway, so that the first security gateway receives the establishment request initiated by the terminal device; the establishment request is used to request establishment of an IPsec sub-SA connection with the first security gateway. It should be understood that the terminal device does not perceive the second security gateway and only exchanges messages with the first security gateway, while in fact the first security gateway establishes the IPsec sub-SA connection on behalf of the second security gateway.
  • the setup request may include SAi, KEi, TSi or TSr.
  • SAi represents the encryption algorithm of the terminal device.
  • KEi represents the key exchange material for the end device.
  • TSi and TSr represent packet filtering rules for transmitting user plane data using the IPsec sub-SA connection.
  • the establishment request may also include Ni, where Ni is a random number of the terminal device.
  • the first security gateway sends a configuration context of the IPsec sub-SA connection to the second security gateway, where the configuration context includes second security parameters configured for the second security gateway and used to establish an IPsec sub-SA connection with the terminal device.
  • the second security parameter includes material for the second security gateway to generate a key for user plane data transmission between the second security gateway and the terminal device.
  • the material used to generate the key for user plane data transmission with the terminal device includes one or more of the following: the key material generated by the first security gateway, the key exchange material of the terminal device, the key exchange material configured for the second security gateway, the random number of the terminal device, or the random number of the first security gateway.
  • the second security parameter may further include one or more of the following: the encryption algorithm of the terminal device, the encryption algorithm allocated to the second security gateway, or the packet filtering rule for user plane data transmission between the terminal device and the second security gateway.
  • after receiving the second security parameter, the second security gateway obtains the third security parameter according to the second security parameter, by updating or confirming its parameters, and sends the third security parameter to the first security gateway.
  • the third security parameter includes one or more of the following: a second key exchange material that updates the first key exchange material, or a second random number that updates the first random number.
  • when the second security gateway confirms the second security parameter, the parameters included in the third security parameter are the same as those of the second security parameter.
  • KEYMAT1 represents the key material generated by the second security gateway.
  • Prf stands for pseudo-random function.
  • Ni represents a random number of the terminal device, and Nr represents a random number generated by the first security gateway.
  • SK_d represents the key material derived on the basis of IKE SA.
  • g ⁇ ir is generated from KEi and KEr.
  • KEi represents the key exchange material of the terminal device, and KEr represents the first key exchange material of the first security gateway.
  • the second security gateway may obtain the key for user plane data transmission with the terminal device from KEYMAT1.
  • the second security gateway may update the first key exchange material in the second security parameter, for example, to the second key exchange material.
  • the key material KEYMAT2 is generated by the following formula (5).
  • KEYMAT2 represents the key material generated by the second security gateway.
  • Prf stands for pseudo-random function.
  • Ni represents a random number of the terminal device, and Nr represents a random number generated by the second security gateway.
  • SK_d represents the key material derived on the basis of IKE SA.
  • g ⁇ ir(new) is generated from KEi and KEr*.
  • KEi represents the key exchange material of the terminal device, and KEr* represents the second key exchange material.
  • the second security gateway may update the first key exchange material in the second security parameter, for example to the second key exchange material, and also update the first random number, for example to its own random number, that is, the second random number.
  • the key material KEYMAT3 is generated by the following formula (6).
  • KEYMAT3 represents the key material generated by the second security gateway.
  • Prf stands for pseudo-random function.
  • Ni represents the random number of the terminal device, and Nr* represents the random number of the second security gateway.
  • SK_d represents the key material derived on the basis of IKE SA.
  • g ⁇ ir(new) is generated from KEi and KEr*.
  • KEi represents the key exchange material of the terminal device, and KEr* represents the second key exchange material.
  • the second security gateway may update the first random number, for example, update it to its own random number, that is, the second random number.
  • the key material KEYMAT4 is generated by the following formula (7).
  • KEYMAT4 represents the key material generated by the second security gateway.
  • Prf stands for pseudo-random function.
  • Ni represents the random number of the terminal device, and Nr* represents the random number of the second security gateway.
  • SK_d represents the key material derived on the basis of IKE SA.
  • g ⁇ ir is generated from KEi and KEr.
  • the third security parameter may further include SAr* and/or TSr*.
  • SAr* may be an encryption algorithm updated by the second security gateway for SAr.
  • TSr* may be obtained after the second security gateway updates the TSr.
  • the first security gateway sends a setup response to the terminal device, where the setup response includes the third security parameter.
  • the third security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  • the terminal device initiates an establishment request 1 to the first security gateway, so that the first security gateway receives the establishment request 1 initiated by the terminal device; the establishment request 1 is used to request establishment of a first IPsec sub-SA connection with the first security gateway.
  • the first security gateway sends an establishment response 1 to the terminal device, where the establishment response 1 is used to respond to the establishment request 1, so as to complete the establishment of the first IPsec sub-SA connection between the first security gateway and the terminal device.
  • the terminal device initiates an establishment request 2 to the first security gateway, so that the first security gateway receives the establishment request 2 initiated by the terminal device, and the establishment request 2 is used to request to establish a second IPsec sub-SA connection with the first security gateway.
  • the establishment request 2 may include a fourth security parameter, where the fourth security parameter includes an encryption algorithm of the terminal device and a key exchange material of the terminal device.
  • the fourth security parameter may further include a packet filtering rule for user plane data transmission using the IPsec sub-SA connection.
  • the encryption algorithm of the terminal device is represented by SAi.
  • the key exchange material of the terminal device is represented by KEi.
  • TSi and TSr represent packet filtering rules.
  • the first security gateway receives the establishment request 2, and forwards the fourth security parameter to the second security gateway.
  • the first security gateway also sends the key material SK_d of the first security gateway in the IKE SA negotiation stage to the second security gateway.
  • after receiving the fourth security parameter, the second security gateway obtains a fifth security parameter matching the fourth security parameter and sends the fifth security parameter to the first security gateway.
  • the fifth security parameter includes KEr* and SAr*.
  • KEr* includes the key exchange material for the second security gateway.
  • SAr* includes the encryption algorithm of the second security gateway.
  • the fifth security parameter may also include a random number Nr* of the second security gateway.
  • the first security gateway sends a setup response 2 to the terminal device, where the setup response 2 includes the fifth security parameter (for example, including KEr*, SAr*, and Nr*).
  • the setup response 2 may also include SAi, KEi, TSi or TSr*.
  • the TSr* may be obtained after the second security gateway updates the TSr.
  • the terminal device and the first security gateway negotiate twice, and in the first negotiation, an IPsec sub-SA connection is established between the first security gateway and the terminal device.
  • in the second negotiation, the first security gateway does not actually configure the security parameters for the second security gateway, but forwards the security parameters to be negotiated, sent by the terminal device, to the second security gateway. The terminal device does not perceive the existence of the second security gateway, but in effect it negotiates with the second security gateway to establish the IPsec sub-SA connection.
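The KEYMAT formulas (1), (2) and (5) to (7) and the relay flow described above, reduced to what each party can compute, as an added Python example (not the patent's code). It assumes HMAC-SHA256 as prf, a toy 127-bit Diffie-Hellman group that is not secure and only stands in for an IKEv2 MODP/ECP group, 32-byte nonces, messages carried as dicts, and that the first gateway hands the private value of the KEr it generated to the second gateway along with SK_d; SK_d is taken as already derived from the IKE SA. It makes visible what the formulas imply: with formula (1) (no KE payload), or when the second gateway keeps the KEr configured by the first gateway, the first gateway can derive the user plane keys from SK_d; only when the second gateway supplies its own KEr* does the first gateway lose that ability, and a fresh Nr* alone does not change this.

```python
"""Split-gateway child-SA key derivation: who can compute the user-plane keys.

Added illustration; not code from the patent.  Assumptions (not in the
description): HMAC-SHA256 as prf, a toy 127-bit Diffie-Hellman group that is
NOT secure and stands in for an IKEv2 MODP/ECP group, 32-byte nonces, and
messages carried as dicts.  SK_d is taken as already derived from the IKE SA
between the terminal device and the first (IKE) gateway.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime; toy group only, never use in production
G = 5


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, nbytes):
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:nbytes]


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def child_keymat(sk_d, ni, nr, g_ir=None):
    """Formula (1) when no KE payload is exchanged, formulas (2)/(5)-(7) when one
    is: KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr)."""
    return prf_plus(sk_d, (g_ir or b"") + ni + nr, 64)


def sub_sa_keys(keymat):
    """Cut the sub-SA keys out of the KEYMAT bit string; the initiator-to-responder
    key comes first (RFC 7296 section 2.17).  32-byte keys are assumed."""
    return {"SK_ei": keymat[:32], "SK_er": keymat[32:64]}


def negotiate_sub_sa(sk_d, gw2_new_ke, gw2_new_nonce):
    """Second way of the description, reduced to the key material.

    gw1 pre-configures KEr and Nr for gw2 together with SK_d; gw2 confirms them
    or replaces them with its own KEr* (gw2_new_ke) and/or Nr* (gw2_new_nonce).
    Returns the sub-SA keys as seen by the terminal, gw2 and gw1.
    """
    # Terminal: establishment request carrying SAi, KEi, Ni, TSi, TSr.
    xi, kei = dh_keypair()
    ni = secrets.token_bytes(32)
    request = {"SAi": "AES-GCM-256", "KEi": kei, "Ni": ni,
               "TSi": ["10.45.0.7"], "TSr": ["203.0.113.0/24"]}

    # gw1: configuration context for gw2.  The private DH value behind the KEr
    # it generated is assumed to be handed over with it.
    xr, ker = dh_keypair()
    context = {"SK_d": sk_d, "KEi": request["KEi"], "Ni": request["Ni"],
               "KEr": ker, "KEr_priv": xr, "Nr": secrets.token_bytes(32)}

    # gw2: third security parameter = confirmed or updated context.
    gw2_priv = context["KEr_priv"]
    third = {"KEr": context["KEr"], "Nr": context["Nr"]}
    if gw2_new_ke:
        gw2_priv, third["KEr"] = dh_keypair()      # KEr*: private value stays on gw2
    if gw2_new_nonce:
        third["Nr"] = secrets.token_bytes(32)      # Nr*
    gw2_keys = sub_sa_keys(child_keymat(sk_d, ni, third["Nr"], dh_shared(gw2_priv, kei)))

    # gw1 relays the third security parameter to the terminal as the setup response.
    response = {"SAr": request["SAi"], "KEr": third["KEr"], "Nr": third["Nr"]}
    terminal_keys = sub_sa_keys(child_keymat(sk_d, ni, response["Nr"],
                                             dh_shared(xi, response["KEr"])))

    # gw1 knows SK_d, Ni, Nr(*), KEi and KEr(*), but only its own private DH value.
    gw1_keys = sub_sa_keys(child_keymat(sk_d, ni, response["Nr"],
                                        dh_shared(context["KEr_priv"], kei)))
    return {"terminal": terminal_keys, "gw2": gw2_keys, "gw1": gw1_keys}


if __name__ == "__main__":
    sk_d = secrets.token_bytes(32)   # constructed; normally SK_d of the IKE SA
    for new_ke in (False, True):
        for new_nonce in (False, True):
            r = negotiate_sub_sa(sk_d, new_ke, new_nonce)
            print(f"KEr*={new_ke} Nr*={new_nonce}: terminal==gw2 {r['terminal'] == r['gw2']}, "
                  f"gw1 can derive {r['gw1'] == r['terminal']}")
```

Run stand-alone, it prints, for each of the four confirm/update combinations, whether the terminal device and the second gateway agree on the keys and whether the first gateway could reproduce them. In a deployment where the centralized gateway must not be able to read user plane traffic, the distributed gateway has to generate its own KEr*; SK_d, Ni and Nr are all known to the centralized gateway.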
  • the first security gateway establishes the IKE SA connection with the terminal device, which may be triggered by the terminal device, or may be triggered by the first security gateway to establish the IKE SA connection.
  • when the establishment of the IKE SA connection is triggered by the first security gateway towards the terminal device, the first core network element may send the address information of the terminal device to the first security gateway during the session management procedure (such as the session establishment/modification procedure).
  • the address information may be the IP address and/or port number of the terminal device.
  • the first security gateway can trigger the establishment of an IKE SA connection to the terminal device according to the address information of the terminal device.
  • when the terminal device triggers the establishment of the IKE SA connection towards the first security gateway, the first core network element may send the address information of the first security gateway to the terminal device during the session management procedure. The terminal device can then trigger the establishment of the IKE SA connection to the first security gateway according to the address information of the first security gateway.
  • a second forwarding rule can be configured on the user plane network element.
  • the second forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IPsec sub-SA connection to the second security gateway.
  • before the IPsec sub-SA connection is established, when the first core network element determines the first security gateway that provides security services for the terminal device, the first core network element configures a first forwarding rule on the user plane network element; the first forwarding rule is used to instruct the user plane network element to forward the data packets of the terminal device to the first security gateway.
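The two forwarding rules, as an added example of how a user plane function could apply them to packets (not the patent's code). The gateway addresses, the use of the terminal's IP address as the key of the first rule, and the use of the ESP SPI (raw ESP, or UDP-encapsulated ESP on port 4500 as defined in RFC 3948) to recognise packets belonging to the sub-SA for the second rule are assumptions: the description does not say how the user plane network element identifies sub-SA packets. The sample packets are constructed inline.

```python
"""UPF forwarding rules for the two gateways, run over constructed packets.

Added illustration; not code from the patent.  Assumptions: the gateway
addresses, that the first forwarding rule keys on the terminal's IP address,
and that the second forwarding rule recognises sub-SA packets by the ESP SPI
the SMF hands to the user plane (raw ESP or UDP-encapsulated ESP on port 4500).
"""
import ipaddress
import struct

IKE_GW = "192.0.2.10"     # hypothetical first (IKE) gateway
IPSEC_GW = "192.0.2.20"   # hypothetical second (IPsec) gateway
UDP, ESP = 17, 50


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) for constructed samples."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi, seq, body=b"\x00" * 16):
    return struct.pack("!II", spi, seq) + body


def esp_spi(pkt):
    """Return the ESP SPI of a packet, or None for non-ESP / IKE traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == ESP:
        return struct.unpack("!I", l4[:4])[0]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data = l4[8:]
        # RFC 3948: on port 4500 a 4-byte zero marker means IKE, otherwise the
        # payload starts with the ESP SPI.
        if 4500 in (sport, dport) and len(data) >= 4 and data[:4] != b"\x00" * 4:
            return struct.unpack("!I", data[:4])[0]
    return None


class UpfForwarder:
    def __init__(self):
        self.ue_to_ike_gw = {}     # first forwarding rule: UE address -> IKE gateway
        self.spi_to_ipsec_gw = {}  # second forwarding rule: sub-SA SPI -> IPsec gateway

    def install_first_rule(self, ue_addr, gw=IKE_GW):
        self.ue_to_ike_gw[ue_addr] = gw

    def install_second_rule(self, spi, gw=IPSEC_GW):
        self.spi_to_ipsec_gw[spi] = gw

    def next_hop(self, pkt):
        """The second rule is the more specific one and is checked first."""
        spi = esp_spi(pkt)
        if spi is not None and spi in self.spi_to_ipsec_gw:
            return self.spi_to_ipsec_gw[spi]
        src = str(ipaddress.ip_address(pkt[12:16]))
        return self.ue_to_ike_gw.get(src)


def demo():
    """Constructed sample: UE 10.45.0.7, sub-SA SPI 0x1234abcd installed after negotiation."""
    ue, app = "10.45.0.7", "203.0.113.10"
    upf = UpfForwarder()
    upf.install_first_rule(ue)
    upf.install_second_rule(0x1234ABCD)
    samples = {
        "ike_udp500": ipv4(ue, IKE_GW, UDP, udp(500, 500, b"\x00" * 28)),
        "ike_udp4500": ipv4(ue, IKE_GW, UDP, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),
        "esp_known_spi": ipv4(ue, app, ESP, esp(0x1234ABCD, 1)),
        "esp_in_udp_known_spi": ipv4(ue, app, UDP, udp(4500, 4500, esp(0x1234ABCD, 2))),
        "esp_unknown_spi": ipv4(ue, app, ESP, esp(0xDEADBEEF, 1)),
        "other_host": ipv4("10.45.0.9", app, UDP, udp(40000, 80, b"plain")),
    }
    return {name: upf.next_hop(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:22s} -> {hop}")
```

An ESP packet whose SPI is not yet installed still follows the first rule to the IKE gateway, which is the state between IKE SA establishment and the configuration of the sub-SA on the user plane.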
  • the network element of the first core network may determine the first security gateway that provides security services for the terminal device according to the subscription data of the terminal device.
  • the network element of the first core network may acquire subscription data of the terminal device from the UDM or the UDR.
  • the network element of the first core network may determine the first security gateway that provides the security service for the terminal device from the subscription data of the terminal device according to the service identifier of the terminal device.
  • the service identifier may be DNN or NSSAI, etc., and the service identifier may also be other identifiers used to identify the service of the terminal device.
  • the first security gateway that provides security services for the terminal device is selected by the network element of the first core network.
  • the network element of the first core network determines the first security gateway that provides security services for the terminal device according to the local configuration information.
  • the network element of the first core network may determine the first security gateway that provides the security service for the terminal device from the local configuration information according to the service identifier of the terminal device.
  • the service identifier may be DNN or NSSAI or the like.
  • the first security gateway that provides security services for the terminal device is selected by the network element of the first core network.
  • the first core network element may further receive the address information of the first security gateway from the second core network element, so as to determine the first security gateway that provides security services for the terminal device.
  • the network element of the second core network may be a policy control network element or a mobility management network element.
  • the first security gateway that provides security services for the terminal device may be selected by a mobility management network element or a policy control network element.
  • the first security gateway is called an IKE gateway as an example
  • the second security gateway is called an IPsec gateway as an example.
  • the selection of the first security gateway for the terminal device by the network element of the first core network is taken as an example.
  • FIG. 12 is a schematic diagram of a possible communication network architecture.
  • the interface deployed between the SMF and the IKE gateway is an Nxx interface as an example.
  • the interface deployed between the IKE gateway and the IPsec gateway is Nyy as an example.
  • the interface may also adopt other names, which are not specifically limited in this embodiment of the present application.
  • the communication network may include one or more IKE gateways, for example, different IKE gateways may be used to process different services.
  • FIG. 13 shows a schematic flowchart of a possible communication method.
  • the selection of the first security gateway is performed by the SMF as an example.
  • the creation is triggered by the terminal device as an example.
  • a PDU session establishment process. Exemplarily, the following steps may occur in a session establishment process or a session modification process.
  • the SMF determines that the current PDU session of the terminal device requires end-to-end security protection.
  • the SMF can query the subscription data of the terminal device from the UDM, and determine according to the subscription data that the current PDU session of the terminal device needs to perform end-to-end security protection.
  • the SMF determines the IKE gateway through local configuration information or subscription data of the terminal device.
  • the SMF can obtain the subscription data of the terminal device from the UDM or the UDR.
  • the SMF obtains the address information of the IKE gateway from the local configuration information or the subscription data of the terminal device.
  • the address information may include IP addresses and/or port numbers.
  • the SMF performs IKE gateway authorization. For example, an authorization request is initiated to the IKE gateway to verify whether the IKE gateway can provide the terminal device with a security service for the business processed by the terminal device.
  • the authorization request may include the identifier of the terminal device, the destination IP address or the data network name (DNN).
  • the IKE gateway determines, according to the authorization request, whether the IKE gateway can provide the terminal with encryption services for the network segment corresponding to the destination IP address or data network name.
  • the identifier of the terminal device may be a 5G globally unique temporary UE identity (5G-GUTI), a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI), a subscription concealed identifier (SUCI), etc.
  • 1304 is an optional step; after the IKE gateway has been determined from the subscription data or the local configuration information, the authorization of the IKE gateway may be omitted.
  • the SMF configures the UPF with the first forwarding rule.
  • the first forwarding rule may include address information of the IKE gateway, and the first forwarding rule is used to instruct the UPF to forward the data packets of the PDU session of the terminal device to the IKE gateway.
  • the SMF may configure the UPF with the first forwarding rule during the N4 session establishment process.
  • the SMF sends the address information of the IKE gateway to the terminal device through the AMF, for use by the terminal device in initiating the establishment of an IKE SA connection. For example, the SMF can send the address information of the IKE gateway to the AMF through N11, and the AMF then sends it to the terminal device in a NAS message.
  • the terminal device initiates the establishment process of the IKE SA connection to the IKE gateway, and completes the establishment of the IKE SA connection with the IKE gateway.
  • the terminal device initiates an IPsec sub-SA connection establishment process towards the IKE gateway; the IKE gateway completes the IPsec sub-SA connection with the terminal device on behalf of the IPsec gateway.
  • any one of the above-mentioned first to third possible implementation manners can be used for implementation.
  • the second possible implementation manner is taken as an example for description.
  • the terminal device initiates an establishment request to the IKE gateway, and the establishment request is used to request to establish an IPsec sub-SA connection with the first security gateway.
  • the mode of establishment of the IPsec sub-SA connection may adopt the transport mode.
  • the target traffic selector (TSr) carried in the establishment request is the address segment of the IPsec gateway, from which the first security gateway can determine that the terminal device actually needs the IPsec gateway to provide its security service. It should be noted that the address segment of the IPsec gateway is the same as the address segment of the server that provides the business service to the terminal device.
  • the setup request carries SAi, KEi, TSi, TSr, and Ni.
  • SAi represents the cryptographic algorithm proposal(s) offered by the terminal device.
  • KEi represents the key exchange material for the end device.
  • TSi and TSr represent packet filtering rules for transmitting user plane data using the IPsec sub-SA connection.
  • Ni represents the random number of the terminal device.
  • the IKE gateway sends the configuration context of the IPsec sub-SA connection to the IPsec gateway.
  • the configuration context includes the second security parameter, and details are not repeated here.
  • the second security parameter includes SAi, SAr, KEi, KEr, TSi, TSr, Ni, Nr, and SK_d as an example.
  • SK_d represents the key material derived based on the IKE SA
  • KEr represents the first key exchange material of the IKE gateway.
  • Nr represents the random number of the IKE gateway.
  • SAr represents the encryption algorithm selected by the IKE gateway from SAi, and TSr represents the traffic selectors accepted by the IKE gateway (see above); the key exchange material of the IKE gateway is KEr.
  • the IPsec gateway feeds back the configuration information of the sub-SA connection to the IKE gateway (see 1104b); the configuration information includes the third security parameter, which is described under 1104b and not repeated here.
  • the third security parameter includes KEr* and Nr* as an example. It should be understood that the third security parameter may further include SAr* and/or TSr*, and may also include SAi, KEi, TSi, and Ni.
  • SAr* represents the encryption algorithm confirmed by the IPsec gateway according to SAr. In some embodiments, SAr* may or may not be the same as SAr.
  • KEr* represents the key exchange material of the IPsec gateway.
  • the IKE gateway sends an establishment response to the terminal device according to the configuration information of the IPsec sub-SA connection received from the IPsec gateway; the establishment response may include the third security parameter.
  • the IKE gateway feeds back information on the establishment of the IPsec sub-SA connection to the SMF.
  • the establishment status information may include TSr*.
  • the SMF configures the second forwarding rule to the UPF.
  • TSr* may be included in the second forwarding rule.
  • the second forwarding rule is used to instruct the UPF to forward the data packets belonging to the IPsec sub-SA connection to the IPSec gateway according to TSr*.
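The following is an added example, not code from the patent, that models steps 1308 to 1312 end to end (it applies equally to the same sub-procedure in the FIG. 15, FIG. 18 and FIG. 21 flows). The IKE gateway receives the terminal device's CREATE_CHILD_SA request (SAi, KEi, TSi, TSr, Ni), selects the IPsec gateway whose server segment covers TSr, and hands it the configuration context (SK_d, Ni, KEi, TSi, TSr, ...). The IPsec gateway generates its own Nr* and KEr*, derives the child SA keys with prf+ as RFC 7296 section 2.17 specifies (the "IPsec sub-SA" of the patent is the IKEv2 Child SA), and returns KEr*, Nr*, TSr*, which the IKE gateway forwards to the terminal device; the terminal device derives the same keys from its copy of SK_d. Gateway names, addresses, HMAC-SHA-256 as the PRF and the toy Diffie-Hellman modulus are choices of this example, not of the patent.

```python
"""Added example (not from the patent): IKE gateway creating an IPsec sub-SA
(IKEv2 Child SA) on behalf of a distributed IPsec gateway, steps 1308-1312.
Hypothetical: gateway names/addresses, HMAC-SHA-256 as prf, toy DH group."""
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass

# Toy DH group, for illustration only: Mersenne prime 2^521-1 with generator 3.
# A real IKE implementation negotiates an IANA IKEv2 group (e.g. 2048-bit MODP).
P = 2**521 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(66, "big")   # g^ir as fixed-width bytes

@dataclass(frozen=True)
class TrafficSelector:
    """TS_IPV4_ADDR_RANGE (RFC 7296 3.13.1): protocol, port range, address range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str

    def within(self, prefix):
        net = ipaddress.ip_network(prefix)
        return all(ipaddress.ip_address(a) in net
                   for a in (self.start_addr, self.end_addr))

# hypothetical distributed IPsec gateways: name -> (gateway address, server segment)
IPSEC_GATEWAYS = {
    "ipsec-gw-1": ("192.0.2.101", "198.51.100.0/25"),
    "ipsec-gw-2": ("192.0.2.102", "198.51.100.128/25"),
}

def select_ipsec_gateway(tsr):
    """Step 1308: TSr is the server segment, which is also the IPsec gateway's."""
    for name, (addr, prefix) in IPSEC_GATEWAYS.items():
        if tsr.within(prefix):
            return name, addr
    return None

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:length]

def child_sa_keys(sk_d, g_ir, ni, nr, enc_len=32, integ_len=32):
    """KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) (RFC 7296 2.17). Initiator-to-
    responder keys come first; within a direction encryption precedes integrity."""
    keymat = prf_plus(sk_d, g_ir + ni + nr, 2 * (enc_len + integ_len))
    names = ("SK_ei", "SK_ai", "SK_er", "SK_ar")
    lens = (enc_len, integ_len, enc_len, integ_len)
    keys, pos = {}, 0
    for name, ln in zip(names, lens):
        keys[name], pos = keymat[pos:pos + ln], pos + ln
    return keys

def ipsec_gateway_accept(context):
    """Step 1310, IPsec gateway side: from the configuration context produce the
    third security parameter (KEr*, Nr*, TSr*) and the keys it will install."""
    priv, ker_star = dh_keypair()
    nr_star = secrets.token_bytes(32)
    keys = child_sa_keys(context["SK_d"], dh_shared(priv, context["KEi"]),
                         context["Ni"], nr_star)
    return {"KEr*": ker_star, "Nr*": nr_star, "TSr*": context["TSr"]}, keys

def ike_gateway_create_child_sa(sk_d, sai, kei, tsi, tsr, ni):
    """Steps 1308-1312, IKE gateway side. Returns the parameters to echo to the UE,
    the TSr*-keyed second forwarding rule for the SMF/UPF, and the gateway keys."""
    chosen = select_ipsec_gateway(tsr)
    if chosen is None:
        raise ValueError("TSr matches no IPsec gateway: answer TS_UNACCEPTABLE")
    gw_name, gw_addr = chosen
    context = {"SAi": sai, "KEi": kei, "TSi": tsi, "TSr": tsr, "Ni": ni,
               "SK_d": sk_d, "mode": "transport"}          # step 1309
    third_param, gw_keys = ipsec_gateway_accept(context)  # step 1310
    rule = {"match_ts": third_param["TSr*"], "forward_to": gw_addr,
            "gateway": gw_name}                            # steps 1311-1312
    return third_param, rule, gw_keys
```

The example makes the design trade-off visible: the IPsec gateway can only generate its own KEr* and Nr* and still end up with the terminal device's keys because the configuration context carries SK_d, and under RFC 7296 section 2.17 whoever holds SK_d can derive the keys of every Child SA created under that IKE SA, not just this one. The Nyy interface carrying the context therefore needs to be authenticated and confidentiality-protected, and an IKE gateway that does not want to extend that trust to every distributed gateway would have to perform the key derivation itself and hand over only the resulting KEYMAT.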
  • the terminal device does not need to use control plane signaling to perceive the existence of the IPSec gateway.
  • End devices only interact with the centralized IKE gateway to establish IPsec sub-SA connections.
  • if the IPsec gateway is later changed (such as in the MEC scenario of ULCL insertion), the update and establishment of the IPsec sub-SA connection can be completed without additional control plane signaling overhead.
  • every time the IPSec gateway changes there is no need to establish an IKE SA connection, which reduces signaling overhead.
  • the selection and interaction of the IKE gateway is performed by the SMF.
  • the SMF first informs the terminal device of the address information of the IKE gateway through a NAS message and configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's packets to the IKE gateway.
  • the terminal device needs to interact only with the IKE gateway.
  • the terminal device initiates an IKE SA establishment process according to the address information of the IKE gateway; after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec sub-SA connection used for transmitting user plane data. Further, the SMF configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of the IPsec sub-SA to the IPsec gateway.
  • FIG. 15 shows another possible communication method flow provided by an embodiment of the present application.
  • the selection of the first security gateway is performed by the SMF as an example.
  • the creation of the IKE SA is triggered by the IKE gateway towards the terminal device as an example.
  • the SMF sends the address information of the terminal device to the IKE gateway.
  • the IKE gateway initiates the establishment of the IKE SA connection.
  • the SMF may send an SA establishment request message to the IKE gateway, where the SA establishment request message includes address information of the terminal device.
  • the IKE gateway initiates the establishment process of the IKE SA connection to the terminal device, and the establishment of the IKE SA connection between the IKE gateway and the terminal device is completed.
  • the terminal device initiates the establishment process of the IPsec sub-SA connection towards the IKE gateway; the IKE gateway completes the IPsec sub-SA connection with the terminal device on behalf of the IPsec gateway.
  • any one of the above-mentioned first to third possible implementation manners can be used for implementation.
  • the second possible implementation manner is taken as an example for description.
  • the IKE gateway is notified of the address information of the terminal device by the SMF, so there is no additional signaling overhead for the terminal device.
  • the terminal device does not need to perceive the existence of the IPSec gateway through control plane signaling.
  • to establish the IPsec SA, the terminal device interacts only with the centralized IKE gateway.
  • if the IPsec gateway is later changed (such as in the MEC scenario of ULCL insertion), the update and establishment of the IPsec sub-SA connection can be completed without additional control plane signaling overhead.
  • every time the IPSec gateway changes there is no need to establish an IKE SA connection, which reduces signaling overhead.
  • the selection and interaction of the IKE gateway is performed by the SMF.
  • the SMF notifies the IKE gateway of the address information of the terminal device and configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's packets to the IKE gateway.
  • the terminal device needs to interact only with the IKE gateway.
  • the IKE gateway initiates the IKE SA establishment process towards the terminal device according to the address information of the terminal device; after the IKE SA connection is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec sub-SA connection used for transmitting user plane data. Further, the SMF configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of the IPsec sub-SA to the IPsec gateway.
  • the mobility management network element selects the first security gateway for the terminal device as an example.
  • FIG. 17 is a schematic diagram of a possible communication network architecture. The mobility management network element is taken as the AMF in the 5G communication network as an example.
  • the interface deployed between the AMF and the IKE gateway is an Nxx interface as an example.
  • the interface deployed between the IKE gateway and the IPsec gateway is Nyy as an example.
  • the interface may also adopt other names, which are not specifically limited in this embodiment of the present application.
  • the communication network may include one or more IKE gateways, for example, different IKE gateways may be used to process different services.
  • the AMF is taken as an example: after selecting the first security gateway for the terminal device, it notifies the SMF.
  • the creation is triggered by the terminal device as an example.
  • the AMF selects and configures the IKE gateway, and sends the address information of the IKE gateway to the terminal device.
  • the AMF first sends the address information of the IKE gateway to the SMF, and the SMF notifies the terminal device, and further, the terminal device initiates the establishment of an IKE SA with the IKE gateway.
  • the AMF determines that the current PDU session of the terminal device needs to perform end-to-end security protection. For example, the AMF may query the UDM for the subscription information of the terminal device, and determine according to the subscription information that the current PDU session of the terminal device needs to perform end-to-end security protection.
  • the AMF determines the IKE gateway according to the local configuration information or the subscription data of the terminal device.
  • the AMF can acquire the subscription data of the terminal device from the UDM or the UDR.
  • the AMF may select the first security gateway for the terminal device from the subscription data of the terminal device according to the service identifier of the terminal device.
  • the service identifier can be DNN or NSSAI, etc., and the service identifier can also be other identifiers used to identify the service of the terminal device.
  • the first security gateway that provides security services to the terminal device is selected by the AMF.
  • different service identifiers in the subscription data of the terminal device correspond to different IKE gateways.
  • the AMF determines the IKE gateway that provides the security service for the terminal device according to the local configuration information.
  • the AMF can determine the IKE gateway that provides the security service for the terminal device from the local configuration information according to the service identifier of the terminal device.
  • the service identifier may be DNN or NSSAI or the like.
  • different service identifiers in the local configuration information correspond to different IKE gateways.
  • the AMF obtains the address information of the IKE gateway from the local configuration information or the subscription data of the terminal device.
  • the address information may include IP addresses and/or port numbers.
  • the AMF initiates an authorization request to the IKE gateway to verify whether the IKE gateway can provide the terminal device with a security service for the business processed by the terminal device.
  • the authorization request may include the identifier of the terminal device, the destination IP address or the data network name (DNN).
  • the IKE gateway determines, according to the authorization request, whether the IKE gateway can provide the terminal with encryption services for the network segment corresponding to the destination IP address or data network name.
  • 1804 is an optional step; after the IKE gateway has been determined from the subscription data or the local configuration information, the authorization of the IKE gateway may be omitted.
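The following is an added example, not code from the patent, covering the gateway selection and authorization sub-procedure that appears twice above: steps 1302 to 1304 (performed by the SMF, FIG. 13) and steps 1802 to 1804 (performed by the AMF, FIG. 18). A core network element picks the IKE gateway for a PDU session by service identifier (DNN and S-NSSAI) from the terminal device's subscription data or from local configuration, then sends the gateway an authorization request carrying the terminal device identifier and the destination (an IP address or a DNN); the gateway answers by checking the destination against the network segments and DNNs it serves. The table contents, gateway names and addresses are hypothetical, and the precedence of subscription data over local configuration is an assumption of this example (the patent allows either source).

```python
"""Added example (not from the patent): IKE gateway selection by service
identifier and the gateway-side authorization check, steps 1302-1304 / 1802-1804.
Hypothetical: all table contents, gateway names and addresses."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeGateway:
    name: str
    ip: str
    port: int = 500               # IKE uses UDP 500 (4500 with NAT traversal)
    served_prefixes: tuple = ()   # network segments whose traffic it can protect
    served_dnns: tuple = ()       # DNNs whose traffic it can protect

    def authorize(self, ue_id, destination):
        """Step 1304 / 1804, gateway side. `destination` is a DNN or an IP
        address; the gateway grants only what it is configured to serve."""
        if destination in self.served_dnns:
            granted = True
        else:
            try:
                addr = ipaddress.ip_address(destination)
            except ValueError:        # neither a served DNN nor an IP address
                granted = False
            else:
                granted = any(addr in ipaddress.ip_network(p)
                              for p in self.served_prefixes)
        return {"ue": ue_id, "destination": destination, "authorized": granted}


# hypothetical IKE gateways, keyed by name
GATEWAYS = {
    "ike-gw-mec": IkeGateway("ike-gw-mec", "192.0.2.10",
                             served_prefixes=("198.51.100.0/24",),
                             served_dnns=("mec.example",)),
    "ike-gw-core": IkeGateway("ike-gw-core", "192.0.2.20",
                              served_prefixes=("203.0.113.0/24",),
                              served_dnns=("internet",)),
}

# hypothetical subscription data (UDM/UDR): SUPI -> {(DNN, S-NSSAI): gateway name}
SUBSCRIPTION = {
    "imsi-001010123456789": {("mec.example", "01-000001"): "ike-gw-mec"},
}

# hypothetical local configuration of the SMF/AMF; an S-NSSAI of None is the
# default entry for that DNN
LOCAL_CONFIG = {
    ("mec.example", "01-000001"): "ike-gw-mec",
    ("internet", None): "ike-gw-core",
}


def select_ike_gateway(supi, dnn, snssai,
                       subscription=SUBSCRIPTION, local=LOCAL_CONFIG):
    """Steps 1302-1303 / 1802-1803. The patent allows either source; this
    example (an assumption) consults subscription data before local
    configuration, and an exact (DNN, S-NSSAI) match before the DNN default."""
    for table in (subscription.get(supi, {}), local):
        for key in ((dnn, snssai), (dnn, None)):
            name = table.get(key)
            if name is not None:
                return GATEWAYS[name]
    return None                      # no gateway: no end-to-end protection configured


def prepare_session_security(supi, dnn, snssai, destination):
    """Whole sub-procedure: choose the gateway, ask it to authorize the UE's
    traffic, and return the address information to hand to the UE and the UPF."""
    gw = select_ike_gateway(supi, dnn, snssai)
    if gw is None:
        return None
    decision = gw.authorize(supi, destination)
    if not decision["authorized"]:
        return None
    return {"ike_gateway": gw.name, "ip": gw.ip, "port": gw.port}
```

The authorization step matters even when the selection table is trusted: it is the gateway, not the SMF or AMF, that knows which segments it can actually reach, so a stale table entry is rejected at step 1304/1804 instead of producing a PDU session whose packets are steered to a gateway that cannot protect them.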
  • the AMF sends the address information of the IKE gateway to the terminal device.
  • a PDU session establishment process.
  • the following steps 1807-1815 belong to the PDU session establishment flow.
  • the AMF sends the address information of the IKE gateway to the SMF.
  • the terminal device initiates the establishment process of the IPsec sub-SA connection towards the IKE gateway; the IKE gateway completes the IPsec sub-SA connection with the terminal device on behalf of the IPsec gateway.
  • any one of the above-mentioned first to third possible implementation manners can be used for implementation.
  • the second possible implementation manner is taken as an example for description.
  • the terminal device does not need to use control plane signaling to perceive the existence of the IPSec gateway.
  • the establishment of IKE SA and IPsec sub-SA only interacts with the centralized IKE gateway.
  • if the IPsec gateway changes subsequently, the update and establishment of the IPsec sub-SA of the new IPsec gateway can be completed without additional control plane signaling overhead.
  • the IKE gateway is managed and allocated by the AMF.
  • the AMF selects the IKE gateway for the terminal device, and then notifies the SMF and UE of the address information of the IKE gateway in the PDU management process of the terminal device.
  • the AMF can also notify the IKE gateway of the address information of the terminal device in the PDU management process of the terminal device, and then the IKE gateway triggers the creation of an IKE SA connection.
  • the AMF selects and interacts with the IKE gateway for the terminal device.
  • the AMF first selects the IKE gateway for the terminal device.
  • the AMF sends the address information of the IKE gateway to the SMF and to the terminal device, and may also inform the IKE gateway of the address information of the terminal device.
  • the first forwarding rule of the UPF is configured by the SMF, and the UPF is instructed to forward the data packets of the terminal device to the IKE gateway.
  • the terminal device needs to interact only with the IKE gateway.
  • the terminal device initiates the IKE SA establishment process according to the address information of the IKE gateway.
  • after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec sub-SA connection used for transmitting user plane data. Further, the SMF configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of the IPsec sub-SA to the IPsec gateway.
  • the policy control network element configures the address information of the IKE gateway for the terminal device as an example.
  • FIG. 20 is a schematic diagram of a possible communication network architecture. The policy control network element is taken as the PCF in the 5G communication network as an example.
  • the interface deployed between the PCF and the IKE gateway is an Nxx interface as an example.
  • the interface deployed between the IKE gateway and the IPsec gateway is Nyy as an example.
  • the interface may also adopt other names, which are not specifically limited in this embodiment of the present application.
  • the communication network may include one or more IKE gateways, for example, different IKE gateways may be used to process different services.
  • the PCF is used as an example to configure IKE gateways corresponding to different services for the terminal device.
  • the creation is triggered by the terminal device as an example.
  • the PCF configures the IKE gateway for the terminal device.
  • the terminal device first sends the address information of the IKE gateway to the SMF, and the SMF configures the first forwarding rule, and the terminal device initiates the establishment of an IKE SA with the IKE gateway.
  • the PCF configures the terminal device with address information of the IKE gateway serving different services of the terminal device.
  • the PCF configures a security policy for the terminal device, and the security policy includes address information of IKE gateways of different services.
  • Security policies can also include security levels for different network slices or sessions or data networks. For example, different security levels can correspond to different IKE gateways.
  • the PCF may configure the terminal device with the address information of the IKE gateways serving different services of the terminal device in a UE configuration update (UCU) procedure. For example, the different services of the terminal device can be indicated by DNN.
  • the PCF can carry the security policy in the UE route selection policy (URSP) and configure it to the terminal device, that is, the PCF can carry the address information of the IKE gateway corresponding to each DNN in the URSP and configure it to the terminal device.
  • a PDU session establishment process of the terminal device.
  • the following steps 2104-2114 may be included in the PDU session establishment process.
  • the terminal device sends a PDU session establishment request to the AMF, where the PDU session establishment request includes the address information of the IKE gateway.
  • the AMF forwards the PDU session establishment request to the SMF.
  • the AMF may forward the PDU session establishment request to the SMF in an SMF service-based interface message.
  • the SMF service-based interface message may be Nsmf_PDUSession_CreateSMContext Request.
  • when configuring the URSP, the PCF sends the terminal device the address information of the IKE gateways that can provide services to it, so that the terminal device can select the IKE gateway according to the current service.
  • Terminal devices do not need to use control plane signaling to perceive the existence of IPSec gateways.
  • End devices only interact with the centralized IKE gateway to establish IPsec SA connections.
  • the IPSec gateway changes subsequently the update and establishment of the IPSec sub-SA connection can be completed without additional control plane signaling overhead.
  • every time the IPSec gateway changes there is no need to establish an IKE SA connection, which reduces signaling overhead.
  • the PCF configures the terminal device with an IKE gateway capable of providing services for the terminal device in the URSP rule.
  • the terminal device selects an IKE gateway from the IKE gateways configured by the PCF according to the currently processed service, and notifies the SMF of the address information of the IKE gateway.
  • the SMF configures the first forwarding rule of the UPF, instructing the UPF to forward the data packets of the terminal device to the IKE gateway.
  • the terminal device needs to interact only with the IKE gateway.
  • the terminal device initiates the IKE SA connection establishment process according to the address information of the IKE gateway.
  • the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec sub-SA connection used for transmitting user plane data. Further, the SMF configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of the IPsec sub-SA to the IPsec gateway.
  • the IKE gateway is centrally deployed to establish an IKE SA with terminal devices, and is responsible for managing the generation and distribution of keys.
  • the IPsec gateways used for user plane data transmission are deployed in a distributed manner, and are used to establish user plane SAs with terminal devices, encrypt data, and protect integrity.
  • the sub-SA of the distributed IPsec gateway is established by the centralized IKE gateway, and the local configuration context and forwarding rules are configured by the IKE gateway.
  • the established IPsec sub-SA connection mode may be the transport mode.
  • the centralized IKE gateway may establish the transport mode IPsec sub-SA on behalf of the distributed IPsec gateway, and the data packets belonging to the IPsec sub-SA are forwarded through that IPsec gateway.
  • the forwarding rule of the IPSec sub-SA and the configuration context of the IPsec sub-SA can be configured for the IPsec gateway when the session is established.
  • the UE establishes an IKE SA1 with the centralized IKE gateway.
  • when the terminal device needs to conduct services through IPsec gateway 2, the terminal device can interact with the IKE gateway to establish an IPsec SA2 for communication with IPsec gateway 2, and the IKE gateway interacts with IPsec gateway 2 to configure the configuration context of IPsec SA2 on IPsec gateway 2.
  • the solution provided by the embodiments of the present application effectively solves the problem of the application server switching of the terminal device. During the IPsec gateway switching process, the terminal device does not perceive the IPsec gateway and does not need to establish an IKE SA with the IPsec gateway.
  • the communication device 2400 can correspondingly implement the first security gateway (or IKE gateway), the second security gateway (or IPsec gateway), the first core network element, the policy control network element or the terminal device in the above method embodiments.
  • the communication device may include a transceiver module 2401 and a processing module 2402 .
  • a storage module may also be included, and the storage module may be used to store instructions (codes or programs) and/or data.
  • the transceiver module 2401 and the processing module 2402 may be coupled with the storage module, for example, the processing module 2402 may read instructions (codes or programs) and/or data in the storage module to implement corresponding methods.
  • Each of the above modules can be set independently, and can also be partially or fully integrated.
  • the transceiver module 2401 may include a sending module and a receiving module, the sending module is configured to perform a sending operation, and the receiving module is configured to perform a receiving operation.
  • the processing module 2402 can be a processor or a controller, such as a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
  • the processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the transceiver module 2401 is an interface circuit of the device for receiving signals from other devices. For example, when the device is implemented in the form of a chip, the transceiver module 2401 is an interface circuit used by the chip to receive signals from other chips or devices, or an interface circuit used by the chip to send signals to other chips or devices.
  • the communication apparatus 2400 may be the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device in the above-mentioned embodiments, or a chip used in any of them.
  • when the communication apparatus 2400 is one of those network elements, the processing module 2402 may be, for example, a processor, the transceiver module 2401 may be, for example, a transceiver, the transceiver may include a radio frequency circuit or an input/output interface, and the storage unit may be, for example, a memory.
  • when the communication apparatus 2400 is a chip used for the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device, the processing module 2402 may be a processor, and the transceiver module 2401 may be, for example, an input/output interface, a pin, or a circuit.
  • the processing module 2402 can execute computer-executed instructions stored in a storage unit.
  • the storage unit may be a storage unit in the chip, such as a register or a cache, or a storage unit located outside the chip in the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM), etc.
  • the communication apparatus 2400 can correspondingly implement the behaviors and functions of the first security gateway (or IKE gateway) in the foregoing method embodiments.
  • the communication apparatus 2400 may be a first security gateway (or an IKE gateway), or may be a component (eg, a chip or a circuit) applied in the first security gateway (or an IKE gateway).
  • the transceiver module 2401 can be used to support the communication between the first security gateway (or IKE gateway) and other network entities, for example the communication between the first security gateway (or IKE gateway) and the second security gateway, the terminal device, the AMF, the SMF, etc. shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C and FIG. 13.
  • the processing module 2402 is configured to control and manage the actions of the first security gateway (or the IKE gateway).
  • the processing module 2402 is configured to support the first security gateway (or the IKE gateway) in executing the operations of the first security gateway (or the IKE gateway) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21, except for sending and receiving.
  • the processing module 2402 is configured to establish an Internet Key Exchange (IKE) SA connection with the terminal device through the transceiver module 2401; the processing module 2402 is further configured, when it determines that the terminal device needs to perform secure transmission of user plane data through the second security gateway, to establish an Internet Protocol Security (IPsec) sub-SA connection on behalf of the second security gateway; the IPsec sub-SA connection is used for the secure transmission of user plane data between the second security gateway and the terminal device.
  • the communication apparatus 2400 can correspondingly implement the behaviors and functions of the first core network network element (or SMF) in the foregoing method embodiments.
  • the communication apparatus 2400 may be a first core network element (or SMF), or may be a component (eg, a chip or circuit) applied in the first core network element (or SMF).
  • the transceiver module 2401 can be used to support communication between the first core network element (or SMF) and other network entities, for example communication with the AMF, the UPF, the first security gateway (IKE gateway), the terminal device, etc. shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C and FIG. 13.
  • the processing module 2402 is used to control and manage the actions of the first core network element (or SMF); for example, the processing module 2402 is used to support the first core network element (or SMF) in performing the operations of the first core network element (or SMF) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21 other than sending and receiving.
  • the processing module 2402 is configured to determine a first security gateway that provides security services for the terminal device, where the first security gateway is configured to establish an Internet Key Security Protocol IKE Security Association SA connection with the terminal device;
  • the transceiver module 2401 is configured to configure a first forwarding rule on the user plane network element, where the first forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IKE SA connection to the first security gateway; the transceiver module 2401 is further configured to configure a second forwarding rule on the user plane network element after the processing module determines that establishment of the IPsec sub-SA connection between the terminal device and the second security gateway is complete, where the second forwarding rule is used to instruct the user plane network element to forward the data packets belonging to the IPsec sub-SA connection to the second security gateway.
  • the communication apparatus 2400 can correspondingly implement the behaviors and functions of the second security gateway (IPsec gateway) in the foregoing method embodiments.
  • the communication apparatus 2400 may be a second security gateway (IPsec gateway), or may be a component (eg, a chip or a circuit) applied in the second security gateway (IPsec gateway).
  • the transceiver module 2401 can be used to support communication between the second security gateway (IPsec gateway) and other network entities, for example communication with the first security gateway, the UPF, the terminal device, etc. shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13 and FIG. 15.
  • the processing module 2402 is used to control and manage the actions of the second security gateway (IPsec gateway).
  • the processing module 2402 is used to support the second security gateway (IPsec gateway) in performing the operations of the second security gateway (IPsec gateway) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21 other than sending and receiving.
  • the communication apparatus 2400 can correspondingly implement the behaviors and functions of the terminal equipment in the foregoing method embodiments.
  • the communication apparatus 2400 may be a terminal device, or may be a component (eg, a chip or a circuit) applied in the terminal device.
  • the transceiver module 2401 can be used to support communication between the terminal device and other network entities, for example communication with the AMF, the security gateways, the user plane network element, etc. shown in FIG. 10, FIG. 11A, FIG. 11B, etc.
  • the processing module 2402 is used to control and manage the actions of the terminal equipment.
  • the processing module 2402 is used to support the terminal device in performing all operations of the terminal device shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21 other than sending and receiving.
  • FIG. 25 shows a communication apparatus 2500 provided in an embodiment of the present application. The communication apparatus 2500 may be a first security gateway (IKE gateway), and can implement the function of the first security gateway (IKE gateway) in the method provided in the embodiments of the present application; or the communication apparatus 2500 may be a first core network element (SMF), and can implement the function of the first core network element (SMF) in that method; or the communication apparatus 2500 may be a second security gateway (IPsec gateway), and can implement the function of the second security gateway (IPsec gateway) in that method; or the communication apparatus 2500 may be a terminal device, and can implement the function of the terminal device in that method.
  • the communication apparatus 2500 may also be capable of supporting a first security gateway (IKE gateway), a first core network element (SMF), a second security gateway (IPsec gateway) or a terminal device in implementing the methods provided in the embodiments of the present application.
  • the communication apparatus 2500 may be a chip system.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the above-mentioned transceiver module 2401 may be a transceiver, and the transceiver is integrated in the communication device 2500 to form a communication interface 2503 .
  • the communication device 2500 includes at least one processor 2502, and the processor 2502 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling the execution of the programs of the present application, used for implementing or supporting the communication device 2500 in implementing the functions of the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in the method provided by the embodiments of the present application.
  • the communication apparatus 2500 may also include at least one memory 2501 for storing program instructions and/or data.
  • Memory 2501 and processor 2502 are coupled.
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • the processor 2502 may cooperate with the memory 2501.
  • the processor 2502 may execute program instructions and/or data stored in the memory 2501 to cause the communication device 2500 to implement the corresponding method.
  • At least one of the at least one memory may be included in the processor 2502.
  • the communication device 2500 may also include a communication interface 2503, using any transceiver-like device, for communicating with other devices or communication networks, such as Ethernet, a radio access network (RAN), a wireless local area network (WLAN), a wired access network, etc.
  • the communication interface 2503 is used to communicate with other devices through a transmission medium, so that the devices used in the communication device 2500 can communicate with other devices.
  • the processor 2502 can use the communication interface 2503 to send and receive data.
  • the communication interface 2503 may specifically be a transceiver.
  • the specific connection medium between the communication interface 2503 , the processor 2502 , and the memory 2501 is not limited in the embodiments of the present application.
  • the memory 2501, the processor 2502, and the communication interface 2503 are connected by a bus 2504 in FIG. 25.
  • the bus is represented by a thick line in FIG. 25.
  • the connections between the other components are only schematically illustrated and are not limited.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is shown in FIG. 25, but this does not mean that there is only one bus or one type of bus.
  • the processor 2502 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute each method, step, and logic block diagram disclosed in the embodiments of the present application.
  • a general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • the memory 2501 can be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation.
  • the memory may exist independently and be connected to the processor through communication line 2504. The memory can also be integrated with the processor.
  • the memory 2501 is used for storing computer-executed instructions for executing the solution of the present application, and the execution is controlled by the processor 2502 .
  • the processor 2502 is configured to execute the computer-executed instructions stored in the memory 2501, thereby implementing the service management method provided by the foregoing embodiments of the present application.
  • the computer-executed instructions in the embodiments of the present application may also be referred to as application code, which is not specifically limited in the embodiments of the present application.
  • Embodiments of the present application further provide a computer-readable storage medium, including instructions, which, when executed on a computer, cause the computer to execute the method of FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21 performed by the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device.
  • Embodiments of the present application further provide a computer program product, including instructions, which, when run on a computer, cause the computer to execute the method of FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21 performed by the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device.
  • An embodiment of the present application provides a chip system, where the chip system includes a processor and may also include a memory, for implementing the methods of the aforementioned FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
  • the chip system can be composed of chips, and can also include chips and other discrete devices.
  • "At least one of a, b, or c" can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c can be single or multiple.
  • "Plurality" means two or more, and other quantifiers are similar.
  • occurrences of the singular forms "a", "an" and "the" do not mean "one or only one" unless the context clearly dictates otherwise, but rather "one or more"; for example, "a device" means one or more such devices.
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented in software, they can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wirelessly (eg, infrared, radio, microwave, etc.).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server, a data center, or the like that includes an integration of one or more available media.
  • the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), and the like.
  • a general-purpose processor may be a microprocessor, or alternatively, the general-purpose processor may be any conventional processor, controller, microcontroller, or state machine.
  • a processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors in combination with a digital signal processor core, or any other similar configuration.
  • a software unit may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.
  • a storage medium can be coupled to the processor such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can also be integrated into the processor.
  • the processor and storage medium may be provided in the ASIC.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application discloses a communication method and apparatus, used for solving the problem of switching process complexity. A first security gateway is used for establishing an IKE SA with a terminal device. A second security gateway used for user plane data transmission is used for establishing a user plane sub-SA with the terminal device, encrypting data, and for integrity protection. An IPsec sub-SA of the second security gateway is established by the first security gateway. In this way, when needing to switch application servers, the terminal device does not need to establish an IKE SA with the second security gateway after switching, thereby simplifying the switching process, and reducing switching complexity. Moreover, the terminal device does not need to perceive the presence of the second security gateway, and only interacts with the first security gateway.

Description

A communication method and apparatus
Technical field
The present application relates to the field of communication technologies, and in particular to a communication method and apparatus.
Background
Mobile edge computing (MEC) is a technology, based on the evolved architecture of the fifth generation (5G) system, that deeply integrates the access network with Internet services.
At present, in the MEC scenario, to meet the security requirements of user plane data transmission, a security gateway is deployed between the central user plane function or the uplink classifier (ULCL) and the application server. An Internet Key Exchange (IKE) security association (SA) and an Internet Protocol Security (IPsec) SA are created between the terminal device and the security gateway. However, a change in the terminal device's service causes the application server to change, which in turn requires switching the ULCL and the security gateway. The terminal device then has to re-establish the IKE SA and the IPsec SA with the new security gateway, which makes the handover procedure complicated.
Summary
The present application provides a communication method and apparatus, used to solve the problem of a complicated handover procedure.
In a first aspect, an embodiment of the present application provides a communication method, which may be implemented by a first security gateway or by a chip or chip system in the first security gateway. The communication method includes: the first security gateway establishes an Internet Key Exchange (IKE) security association (SA) connection with a terminal device; when the first security gateway determines that the terminal device needs to transmit user plane data securely through a second security gateway, it establishes an Internet Protocol Security (IPsec) sub-SA connection for the second security gateway; the IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
In the solution provided by the present application, the first security gateway is used to establish the IKE SA with the terminal device, while the second security gateway, which carries the user plane data, establishes the user plane sub-SA with the terminal device and performs data encryption and integrity protection. The IPsec sub-SA of the second security gateway is established by the first security gateway on its behalf. Thus, when the terminal device needs to switch application servers, it does not need to establish an IKE SA with the new second security gateway, which shortens the handover procedure and reduces handover complexity. Moreover, the terminal device does not need to be aware of the second security gateway at all and interacts only with the first security gateway; the security gateway can therefore be switched without the terminal device noticing the insertion of the ULCL or the change of application server.
In a possible design, establishing the IPsec sub-SA connection for the second security gateway includes: the first security gateway negotiates the IPsec sub-SA connection with the terminal device to obtain a first security parameter; the first security gateway configures the first security parameter on the second security gateway; the first security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
With this design, the first security gateway, in place of the second security gateway, establishes with the terminal device the IPsec sub-SA connection used to carry user plane data, and then simply configures the security parameters of the established IPsec sub-SA connection on the second security gateway. The terminal device does not need control plane signalling to learn of the second security gateway's existence; it interacts only with the first security gateway to establish the IPsec sub-SA connection. Later, when the second security gateway changes (for example in an MEC scenario where a ULCL is inserted), the IPsec sub-SA connection can be updated and re-established without additional control plane signalling overhead. In addition, no new IKE SA connection needs to be established each time the second gateway changes, which reduces signalling overhead.
In a possible design, the first security parameter includes material for generating the key used for user plane data transmission with the terminal device. In this design, the first security gateway configures on the second security gateway the material for generating the key used for user plane data transmission with the terminal device, so that the second security gateway can use the key to transmit user plane data securely with the terminal device.
In a possible design, the material for generating the key used for user plane data transmission with the terminal device includes one or more of the following:
key material generated by the first security gateway, the key exchange material of the terminal device, key exchange material configured for the second security gateway, the random number of the terminal device, or a random number generated for the second security gateway.
In a possible design, the first security parameter further includes one or more of the following: the encryption algorithm of the terminal device, the encryption algorithm allocated to the second security gateway, and the packet filtering rule used for user plane data transmission between the terminal device and the second security gateway.
In a possible design, the first security gateway establishing the IPsec sub-SA for the second security gateway includes: the first security gateway receives an establishment request initiated by the terminal device, the establishment request requesting establishment of an IPsec sub-SA connection with the second security gateway; the first security gateway sends a configuration context for the IPsec sub-SA connection to the second security gateway, the configuration context including a second security parameter configured for the second security gateway for establishing the IPsec sub-SA connection with the terminal device; the first security gateway receives a third security parameter from the second security gateway, the third security parameter being obtained by the second security gateway updating or confirming the second security parameter; the first security gateway sends an establishment response to the terminal device, the establishment response including the third security parameter; the third security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
With this design, the first security gateway interacts with the terminal device in place of the second security gateway, and the second security gateway updates or confirms the second security parameter configured by the first security gateway. Consequently, when the second security gateway is switched, the IKE SA does not need to be re-established either, which reduces the signalling exchanges.
In a possible design, the second security parameter includes material for the second security gateway to generate the key used for user plane data transmission with the terminal device.
In a possible design, the material for generating the key used for user plane data transmission with the terminal device includes one or more of the following: key material generated by the first security gateway, the key exchange material of the terminal device, first key exchange material of the first security gateway, a first random number used by the terminal device, or a second random number used by the first security gateway.
In a possible design, the third security parameter includes one or more of the following: second key exchange material that updates the first key exchange material, or a third random number that updates the first random number.
With this design, the first security gateway interacts with the terminal device in place of the second security gateway, and the second security gateway updates the key exchange material or random number configured by the first security gateway, improving the security of the generated key.
In a possible design, the second security parameter further includes one or more of the following: the encryption algorithm of the terminal device, the encryption algorithm allocated to the second security gateway, or a first packet filtering rule used for user plane data transmission between the terminal device and the second security gateway.
In a possible design, the third security parameter further includes a second packet filtering rule that updates the first packet filtering rule.
In a possible design, the third security parameter further includes the encryption algorithm selected by the second security gateway.
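The delegated sub-SA establishment described in the first aspect and its designs above (the terminal negotiates only with the first security gateway; the first security gateway passes a configuration context to the second security gateway, which confirms it or refreshes the nonce generated for it; the second security gateway then protects user plane data with keys it never negotiated itself), as an added Python example. It is not code from the patent or from any Huawei implementation. The toy Diffie-Hellman group, the PRF-based stream cipher, the SK_d value and the address range 10.20.0.0/16 are constructed assumptions; the key derivation follows the shape of RFC 7296's prf+(SK_d, g^ir | Ni | Nr) for a child SA (IKEv2's term for the page's sub-SA) but is not a conforming IKEv2 implementation.

```python
"""Delegated child-SA establishment: the terminal negotiates only with the IKE
gateway (first security gateway); the IKE gateway hands the resulting security
parameters to the IPsec gateway (second security gateway). Constructed example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed toy Diffie-Hellman group: NOT an IKE group and NOT secure; it only
# makes the "key exchange material" items of the claims concrete.
TOY_P = (1 << 127) - 1
TOY_G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keymat(sk_d: bytes, g_ir: int, ni: bytes, nr: bytes) -> tuple:
    """Child-SA keys in the shape of RFC 7296 prf+(SK_d, g^ir | Ni | Nr),
    cut to one key per direction (terminal->gateway, gateway->terminal)."""
    seed = g_ir.to_bytes(16, "big") + ni + nr
    t1 = prf(sk_d, seed + b"\x01")
    t2 = prf(sk_d, t1 + seed + b"\x02")
    return t1, t2


def esp_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed ESP-like packet: SPI | SEQ | ciphertext | 16-byte ICV.
    The stream cipher is a toy built from the PRF; only the data flow matters."""
    hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    blocks = -(-len(payload) // 32)
    ks = b"".join(prf(key, b"enc" + hdr + i.to_bytes(4, "big")) for i in range(blocks))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    return hdr + ct + prf(key, b"auth" + hdr + ct)[:16]


def esp_unprotect(key: bytes, packet: bytes) -> bytes:
    hdr, ct, icv = packet[:8], packet[8:-16], packet[-16:]
    if not hmac.compare_digest(icv, prf(key, b"auth" + hdr + ct)[:16]):
        raise ValueError("ICV mismatch: packet rejected")
    blocks = -(-len(ct) // 32)
    ks = b"".join(prf(key, b"enc" + hdr + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class ChildSaRequest:   # terminal -> IKE gateway, carried over the existing IKE SA
    ke_i: int           # terminal's key exchange material
    ni: bytes           # terminal's nonce (random number)
    selector: str       # address range of the second security gateway


@dataclass
class ConfigContext:    # IKE gateway -> IPsec gateway ("second security parameter")
    sk_d: bytes         # key material generated by the first security gateway
    ke_i: int
    ni: bytes
    ke_priv_r: int      # key exchange material configured for the IPsec gateway
    nr: bytes           # nonce generated for the IPsec gateway
    algorithm: str
    filter_rule: str


class IpsecGateway:
    """Second security gateway: holds no IKE SA, only what it is configured with."""
    def __init__(self, refresh_nonce: bool = False):
        self.refresh_nonce, self.keys, self.filter_rule = refresh_nonce, None, None

    def install(self, ctx: ConfigContext) -> tuple:
        # "Third security parameter": confirm the context, or replace the nonce.
        nr = secrets.token_bytes(16) if self.refresh_nonce else ctx.nr
        g_ir = pow(ctx.ke_i, ctx.ke_priv_r, TOY_P)
        self.keys = keymat(ctx.sk_d, g_ir, ctx.ni, nr)
        self.filter_rule = ctx.filter_rule
        return pow(TOY_G, ctx.ke_priv_r, TOY_P), nr   # KE_r and the (possibly new) Nr


class IkeGateway:
    """First security gateway: owns the IKE SA and negotiates for the IPsec gateway."""
    def __init__(self, sk_d: bytes):
        self.sk_d = sk_d

    def establish_for(self, req: ChildSaRequest, ipsec_gw: IpsecGateway) -> tuple:
        ctx = ConfigContext(self.sk_d, req.ke_i, req.ni,
                            secrets.randbelow(TOY_P - 2) + 1, secrets.token_bytes(16),
                            "toy-prf-stream+hmac-sha256-128 (constructed label)",
                            f"dst {req.selector} proto esp")
        return ipsec_gw.install(ctx)   # forwarded to the terminal as the establishment response


class Terminal:
    def __init__(self, sk_d: bytes):
        self.sk_d, self.keys = sk_d, None
        self.x, self.ni = secrets.randbelow(TOY_P - 2) + 1, secrets.token_bytes(16)

    def request(self, selector: str) -> ChildSaRequest:
        return ChildSaRequest(pow(TOY_G, self.x, TOY_P), self.ni, selector)

    def finish(self, ke_r: int, nr: bytes) -> None:
        self.keys = keymat(self.sk_d, pow(ke_r, self.x, TOY_P), self.ni, nr)


def establish(refresh_nonce: bool = False) -> dict:
    """Run the exchange, then carry one uplink packet from terminal to IPsec gateway."""
    sk_d = secrets.token_bytes(32)  # constructed: stands for SK_d of the existing IKE SA
    term, ike_gw, ipsec_gw = Terminal(sk_d), IkeGateway(sk_d), IpsecGateway(refresh_nonce)
    ke_r, nr = ike_gw.establish_for(term.request("10.20.0.0/16"), ipsec_gw)
    term.finish(ke_r, nr)
    uplink = esp_protect(term.keys[0], spi=0x1001, seq=1, payload=b"user plane data")
    return {"keys_match": term.keys == ipsec_gw.keys,
            "recovered": esp_unprotect(ipsec_gw.keys[0], uplink),
            "filter_rule": ipsec_gw.filter_rule}
```

Running `establish(refresh_nonce=True)` shows the point of the third security parameter: because the IPsec gateway's refreshed nonce travels back to the terminal inside the establishment response, both ends still derive identical keys, and the terminal never learns which entity chose the nonce. Note that in this design the first security gateway holds every input to the sub-SA keys, so it must be trusted and protected at least as strongly as the IPsec gateway whose traffic keys it can derive.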
In a second aspect, an embodiment of the present application provides a communication method, including: a first core network element determines a first security gateway that provides security services for a terminal device, the first security gateway being used to establish an IKE SA connection with the terminal device; the first core network element configures a first forwarding rule on a user plane network element, the first forwarding rule instructing the user plane network element to forward packets belonging to the IKE SA connection to the first security gateway; after determining that establishment of an IPsec sub-SA connection between the terminal device and a second security gateway has completed, the first core network element configures a second forwarding rule on the user plane network element, the second forwarding rule instructing the user plane network element to forward packets belonging to the IPsec sub-SA connection to the second security gateway.
In the above solution, the first core network element configures the first forwarding rule on the user plane network element so that packets belonging to the IKE SA connection pass through the first security gateway for security protection; when the IPsec sub-SA connection is established, it configures the second forwarding rule on the user plane network element so that user plane data passes through the second security gateway for security protection.
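The two forwarding rules of the second aspect, as an added Python example that is not part of the patent or of any Huawei product: a minimal UPF rule table, an SMF that installs the IKE rule first and the sub-SA rule only once the sub-SA exists, and a gateway switch that replaces the second rule while the first is untouched. The UE address 10.0.0.5, the gateway names, the SPIs and the packet summaries are constructed; IKE is matched on UDP ports 500 and 4500 and the sub-SA on the ESP SPI, which is an assumption about how a UPF would classify this traffic.

```python
"""UPF forwarding rules configured by the SMF: IKE traffic to the IKE gateway,
ESP traffic of the sub-SA to the IPsec gateway once that SA exists, and only the
second rule replaced when the IPsec gateway is switched. Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:           # constructed uplink packet summary as seen by the UPF
    src: str
    dst: str
    proto: str          # "udp", "esp" or "tcp"
    dport: int = 0
    spi: int = 0


@dataclass
class ForwardingRule:
    name: str
    next_hop: str
    proto: str
    src: str = "0.0.0.0/0"
    dports: tuple = ()                  # UDP ports; IKE uses 500 and 4500
    spi: Optional[int] = None           # ESP SPI of one sub-SA

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and (not self.dports or pkt.dport in self.dports)
                and (self.spi is None or pkt.spi == self.spi))


class UserPlaneFunction:
    def __init__(self):
        self.rules = []

    def configure(self, rule: ForwardingRule) -> None:
        # A rule with the same name replaces the earlier one (used on gateway switch).
        self.rules = [r for r in self.rules if r.name != rule.name] + [rule]

    def forward(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.next_hop
        return "default-route"


class SessionManagement:
    """First core network element (SMF) driving the two forwarding rules."""
    def __init__(self, upf: UserPlaneFunction, ue_addr: str):
        self.upf, self.ue = upf, ue_addr

    def select_ike_gateway(self, ike_gw: str) -> None:
        # First forwarding rule: packets of the IKE SA go to the first security gateway.
        self.upf.configure(ForwardingRule("ike-sa", ike_gw, "udp", f"{self.ue}/32", (500, 4500)))

    def sub_sa_established(self, spi: int, ipsec_gw: str) -> None:
        # Second forwarding rule: packets of the sub-SA go to the second security gateway.
        self.upf.configure(ForwardingRule("sub-sa", ipsec_gw, "esp", f"{self.ue}/32", spi=spi))


def scenario() -> dict:
    ue = "10.0.0.5"
    ike = Packet(ue, "198.51.100.1", "udp", dport=500)     # IKE exchange with the IKE gateway
    esp_a = Packet(ue, "198.51.100.1", "esp", spi=0x1001)  # sub-SA towards gateway A
    esp_b = Packet(ue, "198.51.100.2", "esp", spi=0x1002)  # sub-SA towards gateway B
    upf = UserPlaneFunction()
    smf = SessionManagement(upf, ue)
    out = {}
    smf.select_ike_gateway("ike-gw")
    out["ike_before_sub_sa"] = upf.forward(ike)
    out["esp_before_sub_sa"] = upf.forward(esp_a)         # no sub-SA yet: not steered
    smf.sub_sa_established(0x1001, "ipsec-gw-A")
    out["esp_after_sub_sa"] = upf.forward(esp_a)
    smf.sub_sa_established(0x1002, "ipsec-gw-B")          # application server / ULCL switch
    out["esp_after_switch"] = upf.forward(esp_b)
    out["old_spi_after_switch"] = upf.forward(esp_a)      # stale SA no longer steered
    out["ike_after_switch"] = upf.forward(ike)            # IKE rule untouched by the switch
    return out
```

The replacement of the second rule on a switch is the whole handover from the user plane's point of view: the IKE rule, and with it the IKE SA to the first security gateway, survives unchanged, which is what lets the terminal skip a new IKE negotiation.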
在一种可能的设计中,第一核心网网元确定为终端设备提供安全服务的第一安全网关,包括:所述第一核心网网元根据所述终端设备的签约数据确定为所述终端设备提供安全服务的第一安全网关;或者,所述第一核心网网元根据本地配置信息确定为所述终端设备提供安全服务的第一安全网关;或者,所述第一核心网网元接收来自第二核心网网元的第一安全网关的地址信息,根据所述第一安全网关的地址信息确定为所述终端设备提供安全服务的第一安全网关;或者,所述第一核心网网元接收来自终端设备的第一安全网关的地址信息,所述第一安全网关为策略控制网元为所述终端设备配置的至少一个安全网关中的一个。In a possible design, the first core network element determining the first security gateway that provides security services for the terminal device includes: determining, by the first core network element, as the terminal according to the subscription data of the terminal device the first security gateway that provides security services for the device; or, the first core network element determines the first security gateway that provides security services for the terminal device according to local configuration information; or, the first core network element receives address information of the first security gateway from the network element of the second core network, and determine the first security gateway that provides security services for the terminal device according to the address information of the first security gateway; or, the first core network network The element receives address information from a first security gateway of a terminal device, where the first security gateway is one of at least one security gateway configured by a policy control network element for the terminal device.
上述设计中,提供几种可能确定第一安全网关的方式,比如由第一核心网网元为终端设备选择第一安全网关或者由第二核心网网元为终端设备选择第一安全网关,又或者可以由策略控制网元将能够为终端设备服务的至少一个安全网关的地址发送给终端设备,由终端设备从至少一个安全网关中选择第一安全网关。In the above design, several possible ways to determine the first security gateway are provided, such as selecting the first security gateway for the terminal device by the first core network element or selecting the first security gateway for the terminal device by the second core network element, and Alternatively, the policy control network element may send the address of at least one security gateway capable of serving the terminal device to the terminal device, and the terminal device selects the first security gateway from the at least one security gateway.
In a possible design, the first core network element is a session management network element and the second core network element is a mobility management network element.
In a possible design, the method further includes: the first core network element sends the determined address information of the first security gateway to the terminal device, and the terminal device uses that address information to trigger establishment of the IKE SA connection. This design provides a simple, easily implemented way of triggering IKE SA creation.
In a possible design, the method further includes: the first core network element sends the address information of the terminal device to the first security gateway, and the first security gateway uses that address information to trigger establishment of the IKE SA connection. This design likewise provides a simple, easily implemented way of triggering IKE SA creation.
In a third aspect, an embodiment of the present application provides a communication method applied to a terminal device, or to a chip or chip system of the terminal device. The terminal device receives address information of a first security gateway from a first core network element and, according to that address information, triggers establishment of an IKE SA towards the first security gateway. After the IKE SA has been established, it sends the first security gateway a request message for establishing an IPsec child SA. The request message carries the address segment of the second security gateway.
Alternatively, the terminal device receives address information of at least one security gateway from the policy control network element and triggers establishment of an IKE SA towards a first security gateway, which is one of the security gateways indicated by that address information. After the IKE SA has been established, it sends the first security gateway a request message for establishing an IPsec child SA. The request message carries the address segment of the second security gateway.
In a fourth aspect, a communication apparatus is provided, for example the first security gateway described above. The apparatus has the functions needed to implement the behaviour in the method embodiment of the first aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions. In a possible design, the apparatus includes, for example, a transceiver module and a processing module coupled to each other.
The processing module is configured to establish an Internet Key Exchange (IKE) security association (SA) connection with the terminal device through the transceiver module. The processing module is further configured to establish, when it determines that the terminal device needs to transmit user plane data securely through a second security gateway, an Internet Protocol Security (IPsec) child SA connection for the second security gateway; the IPsec child SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
These modules can perform the corresponding functions in the method examples of the first aspect; for details, see the detailed description of the method examples, which is not repeated here.
In a fifth aspect, the present application provides a communication apparatus, for example the first core network element described above. The apparatus has the functions needed to implement the behaviour in the method embodiment of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions. In a possible design, the apparatus includes, for example, a processing module and a transceiver module coupled to each other. The processing module is configured to determine a first security gateway that provides security services for the terminal device, the first security gateway being used to establish an IKE SA connection with the terminal device. The transceiver module is configured to configure a first forwarding rule on the user plane network element, the first forwarding rule instructing the user plane network element to forward data packets belonging to the IKE SA connection to the first security gateway. The transceiver module is further configured to configure a second forwarding rule on the user plane network element after the processing module determines that establishment of the IPsec child SA connection between the terminal device and the second security gateway has completed, the second forwarding rule instructing the user plane network element to forward data packets belonging to the IPsec child SA connection to the second security gateway.
These modules can perform the corresponding functions in the method examples of the second aspect; for details, see the detailed description of the method examples, which is not repeated here.
In a sixth aspect, a communication apparatus is provided, for example the terminal device described above. The apparatus has the functions needed to implement the behaviour in the method embodiment of the fifth aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions. In a possible design, the apparatus includes, for example, a transceiver module and a processing module coupled to each other. For example, the transceiver module is configured to receive address information of the first security gateway from the first core network element, and the processing module is configured to trigger establishment of the IKE SA towards the first security gateway according to that address information; after the IKE SA has been established, the transceiver module is configured to send the first security gateway a request message for establishing an IPsec child SA, the request message carrying the address segment of the second security gateway. As another example, the transceiver module is configured to receive address information of at least one security gateway from the policy control network element, and the processing module is configured to trigger establishment of the IKE SA towards the first security gateway, the first security gateway being one of the security gateways indicated by that address information; after the IKE SA has been established, the transceiver module is further configured to send the first security gateway a request message for establishing an IPsec child SA, the request message carrying the address segment of the second security gateway.
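As an added illustration that is not part of the patent text, the following Python simulation walks through the procedure of the third, fifth and sixth aspects end to end: the session management function selects the first security gateway (here from subscription data, one of the options listed above), installs a first forwarding rule that steers the terminal's IKE packets to it, the terminal establishes an IKE SA and sends CREATE_CHILD_SA whose responder traffic selector is the address segment served by the second gateway, the first gateway creates the child SA for the second gateway, and the SMF then installs a second rule steering that child SA's ESP packets to the second gateway. Everything concrete is an assumption: the addresses, the SPI allocation, matching the second rule on the cleartext ESP SPI (the patent only says "packets belonging to the IPsec child SA connection"), the terminal continuing to address the first gateway, and the first gateway pushing the child SA state into the second gateway's table; IKE cryptography is omitted. A gateway refuses CREATE_CHILD_SA from a peer without an authenticated IKE SA, and a traffic selector that no gateway serves is rejected rather than silently anchored somewhere.

```python
"""Added illustration of the IKE SA / child SA procedure above (not the patent's code).
Addresses, SPI allocation and the SGW1->SGW2 child-SA hand-over are hypothetical."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

UDP, ESP = 17, 50
IKE_PORTS = {500, 4500}  # IKE on UDP/500; UDP-encapsulated IKE/ESP (NAT-T) on 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    spi: int = 0  # the ESP SPI travels in clear, so a UPF can classify on it


@dataclass
class Rule:
    name: str
    next_hop: str
    match: Callable[[Packet], bool]


@dataclass
class UPF:
    """User plane function: applies the rules the SMF installed, first match wins."""
    rules: List[Rule] = field(default_factory=list)

    def forward(self, pkt: Packet) -> str:
        return next((r.next_hop for r in self.rules if r.match(pkt)), "default")


class SecurityGateway:
    def __init__(self, addr: str, served: str) -> None:
        self.addr = addr
        self.served = ipaddress.ip_network(served)
        self.ike_sas: set = set()                              # UEs with an IKE SA
        self.child_sas: Dict[int, ipaddress.IPv4Network] = {}  # inbound SPI -> TSr
        self._next_spi = 0x100                                 # 0-255 reserved (RFC 4303)

    def ike_sa_init_auth(self, ue: str) -> None:
        self.ike_sas.add(ue)  # IKE_SA_INIT + IKE_AUTH abstracted away

    def create_child_sa(self, ue: str, ts_r: str,
                        peers: List["SecurityGateway"]) -> Tuple[int, "SecurityGateway"]:
        """Handle CREATE_CHILD_SA; if TSr is another gateway's segment, create the child SA
        for that gateway (assumed: this gateway pushes SPI and TSr into the peer's table)."""
        if ue not in self.ike_sas:
            raise PermissionError("CREATE_CHILD_SA without an authenticated IKE SA")
        net = ipaddress.ip_network(ts_r)
        owner = next((g for g in [self, *peers] if net.subnet_of(g.served)), None)
        if owner is None:
            raise LookupError(f"no security gateway serves {ts_r}")
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        owner.child_sas[spi] = net
        return spi, owner


class SMF:
    """First core network element: selects the first gateway and installs UPF rules."""

    def __init__(self, upf: UPF, gateways: List[SecurityGateway]) -> None:
        self.upf, self.gateways = upf, gateways

    def select_first_gateway(self, subscription: Dict[str, str]) -> SecurityGateway:
        return next(g for g in self.gateways if g.addr == subscription["security_gateway"])

    def steer_ike(self, ue: str, sgw: SecurityGateway) -> None:
        """First forwarding rule: the UE's IKE packets go to the first gateway."""
        self.upf.rules.append(Rule("ike->sgw1", sgw.addr, lambda p: p.src == ue
                                   and p.proto == UDP and p.dport in IKE_PORTS))

    def steer_child_sa(self, ue: str, spi: int, owner: SecurityGateway) -> None:
        """Second forwarding rule: ESP with this SPI goes to the gateway that owns the SA."""
        self.upf.rules.append(Rule(f"esp-spi-{spi:#x}", owner.addr, lambda p: p.src == ue
                                   and p.proto == ESP and p.spi == spi))


def run_procedure() -> dict:
    upf = UPF()
    sgw1 = SecurityGateway("10.0.1.1", "198.51.100.0/24")  # central site (constructed)
    sgw2 = SecurityGateway("10.0.2.1", "203.0.113.0/24")   # MEC site (constructed)
    smf, ue = SMF(upf, [sgw1, sgw2]), "10.45.0.7"
    first = smf.select_first_gateway({"security_gateway": "10.0.1.1"})
    smf.steer_ike(ue, first)         # rule 1 is in place before the UE learns the address
    first.ike_sa_init_auth(ue)       # UE triggers the IKE SA towards the first gateway
    spi, owner = first.create_child_sa(ue, "203.0.113.0/24", [sgw2])  # TSr = SGW2 segment
    smf.steer_child_sa(ue, spi, owner)  # rule 2 only once the child SA exists
    return {
        "rules": [r.name for r in upf.rules],
        "ike": upf.forward(Packet(ue, first.addr, UDP, dport=500)),
        "esp": upf.forward(Packet(ue, first.addr, ESP, spi=spi)),  # UE still addresses SGW1
        "stray_esp": upf.forward(Packet(ue, first.addr, ESP, spi=spi + 7)),
        "sgw2_holds_sa": spi in sgw2.child_sas and spi not in sgw1.child_sas,
    }
```

Calling `run_procedure()` with the constructed addresses forwards the IKE packet to 10.0.1.1, forwards ESP carrying the negotiated SPI to 10.0.2.1 even though the terminal addressed it to the first gateway, and lets ESP with an unknown SPI fall through to the default route. Because the second rule is installed only after the child SA exists, no ESP flow is steered to a gateway that does not yet hold the SA.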
In a seventh aspect, the present application provides a communication apparatus for a first security gateway or a chip of the first security gateway, comprising at least one processing element and at least one storage element, the storage element storing programs and data and the processing element executing the method of the first aspect or any possible implementation of it.
In an eighth aspect, the present application provides a communication apparatus for a first core network element or a chip of the first core network element, comprising at least one processing element and at least one storage element, the storage element storing programs and data and the processing element executing the method of the second aspect or any possible implementation of it.
In a ninth aspect, the present application provides a communication apparatus for a terminal device or a chip of the terminal device, comprising at least one processing element and at least one storage element, the storage element storing programs and data and the processing element executing the method of the third aspect or any possible implementation of it, or the method of the fifth aspect.
In a tenth aspect, the present application provides a communication apparatus comprising a processor and an interface circuit. The interface circuit receives signals from other communication apparatuses and passes them to the processor, or sends signals from the processor to other communication apparatuses; the processor implements the method of the first aspect or any possible implementation of it through logic circuits or by executing code instructions.
In an eleventh aspect, the present application provides a communication apparatus comprising a processor and an interface circuit. The interface circuit receives signals from other communication apparatuses and passes them to the processor, or sends signals from the processor to other communication apparatuses; the processor implements the method of the second aspect or any possible implementation of it through logic circuits or by executing code instructions.
In a twelfth aspect, the present application provides a communication apparatus comprising a processor and an interface circuit. The interface circuit receives signals from other communication apparatuses and passes them to the processor, or sends signals from the processor to other communication apparatuses; the processor implements the method of the third aspect or any possible implementation of it through logic circuits or by executing code instructions.
In a thirteenth aspect, the present application provides a computer program product comprising computer instructions which, when executed, cause the method of the first aspect or any possible implementation of it to be performed; or cause the method of the second aspect or any possible implementation of it to be performed; or cause the method of the implementation of the third aspect to be performed.
In a fourteenth aspect, the present application provides a computer-readable storage medium storing computer instructions which, when executed, cause the method of the first aspect or any possible implementation of it to be performed, or cause the method of the second aspect or any possible implementation of it to be performed, or cause the method of the third aspect to be performed.
For the beneficial effects of the third to fourteenth aspects, see the description of the first and second aspects, which is not repeated here.
Description of drawings
FIG. 1 is a schematic diagram of a possible communication network architecture in an embodiment of the present application;
FIG. 2A is a schematic diagram of another possible communication network architecture in an embodiment of the present application;
FIG. 2B is a schematic diagram of yet another possible communication network architecture in an embodiment of the present application;
FIG. 3A is a schematic diagram of packet encapsulation in transport mode in an embodiment of the present application;
FIG. 3B is a schematic diagram of packet encapsulation in tunnel mode in an embodiment of the present application;
FIG. 4 is a schematic flowchart of an AF service flow path procedure in an embodiment of the present application;
FIG. 5 is a schematic flowchart of a procedure for adding a ULCL in an embodiment of the present application;
FIG. 6 is a schematic flowchart of an AF notification procedure in an embodiment of the present application;
FIG. 7 is a schematic flowchart of the procedure for establishing an IKE SA and an IPsec child SA in an embodiment of the present application;
FIG. 8 is a schematic diagram of an MEC scenario in an embodiment of the present application;
FIG. 9 is a schematic diagram of yet another communication system architecture in an embodiment of the present application;
FIG. 10 is a schematic flowchart of a communication method in an embodiment of the present application;
FIG. 11A is a schematic flowchart of a communication method according to a first possible implementation of the present application;
FIG. 11B is a schematic flowchart of a communication method according to a second possible implementation of the present application;
FIG. 11C is a schematic flowchart of a communication method according to a third possible implementation of the present application;
FIG. 12 is a schematic diagram of the architecture of a first possible application scenario of an embodiment of the present application;
FIG. 13 is a schematic flowchart of a communication method in the first possible application scenario of an embodiment of the present application;
FIG. 14 is a schematic diagram of the technical effect of a communication solution in the first possible application scenario of an embodiment of the present application;
FIG. 15 is a schematic flowchart of another communication method in the first possible application scenario of an embodiment of the present application;
FIG. 16 is a schematic diagram of the technical effect of another communication solution in the first possible application scenario of an embodiment of the present application;
FIG. 17 is a schematic diagram of the architecture of a second possible application scenario of an embodiment of the present application;
FIG. 18 is a schematic flowchart of a communication method in the second possible application scenario of an embodiment of the present application;
FIG. 19 is a schematic diagram of the technical effect of a communication solution in the second possible application scenario of an embodiment of the present application;
FIG. 20 is a schematic diagram of the architecture of a third possible application scenario of an embodiment of the present application;
FIG. 21 is a schematic flowchart of a communication method in the third possible application scenario of an embodiment of the present application;
FIG. 22 is a schematic diagram of the technical effect of a communication solution in the third possible application scenario of an embodiment of the present application;
FIG. 23 is a schematic diagram used to describe the architecture and effects of the solution provided by an embodiment of the present application;
FIG. 24 is a schematic structural diagram of a communication apparatus 2400 according to an embodiment of the present application;
FIG. 25 is a schematic structural diagram of a communication apparatus 2500 according to an embodiment of the present application.
Detailed description of embodiments
The embodiments of the present application can be applied to a fourth generation mobile communication technology (4G) network architecture, such as a long term evolution (LTE) system, to a fifth generation mobile communication technology (5G) network architecture, such as an NR system, or to a sixth generation mobile communication technology network architecture following the 5G architecture or other similar communication systems; no specific limitation is imposed.
The technical terms involved in the embodiments of the present application are explained first.
1) Access network (AN) device, including radio access network (RAN) devices such as a base station (for example, an access point), which may refer to a device in the access network that communicates with wireless terminal devices over the air interface through one or more cells, or, for example, a road side unit (RSU) in vehicle-to-everything (V2X) technology. The base station may be used to convert received air-interface frames to and from IP packets, acting as a router between the terminal device and the rest of the access network, which may include an IP network. An RSU may be a fixed infrastructure entity supporting V2X applications that can exchange messages with other entities supporting V2X applications. The access network device may also coordinate attribute management of the air interface. For example, the access network device may include an evolved NodeB (NodeB, eNB or e-NodeB) in an LTE or long term evolution-advanced (LTE-A) system, a next generation node B (gNB) in a fifth generation (5G) NR system (also simply called the NR system), or a centralized unit (CU) and distributed unit (DU) in a cloud radio access network (Cloud RAN) system; the embodiments of the present application impose no limitation.
In the embodiments of the present application, the apparatus for implementing the functions of the access network device may be the access network device itself, or an apparatus capable of supporting the access network device in implementing those functions, such as a chip or chip system, which may be installed in the access network device. The technical solutions provided by the embodiments of the present application are described taking the case where this apparatus is the access network device as an example.
2) Terminal device, a device that provides voice and/or data connectivity to a user, that is, a device providing voice, a device providing data connectivity, or a device providing both. It may include, for example, a handheld device with a wireless connection function or a processing device connected to a wireless modem. The terminal device can communicate with the core network via the RAN, exchanging voice, data, or both with the RAN. The terminal device may include user equipment (UE), a wireless terminal device, a mobile terminal device, a device-to-device (D2D) terminal device, a vehicle-to-everything (V2X) terminal device, a machine-to-machine/machine-type communications (M2M/MTC) terminal device, an internet of things (IoT) terminal device, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point (AP), a remote terminal, an access terminal, a user terminal, a user agent or a user device. Examples include mobile telephones (or "cellular" telephones), computers with a mobile terminal device, and portable, pocket-sized, handheld or computer-embedded mobile apparatuses, such as personal communication service (PCS) telephones, cordless telephones, session initiation protocol (SIP) telephones, wireless local loop (WLL) stations and personal digital assistants (PDAs). It also includes constrained devices, such as devices with low power consumption, limited storage capacity or limited computing capability, for example information sensing devices such as barcode, radio frequency identification (RFID), sensor, global positioning system (GPS) and laser scanner devices.
By way of example and not limitation, in the embodiments of the present application the terminal device may also be a wearable device. Wearable device, also called wearable smart device or smart wearable, is the general term for devices designed and developed by applying wearable technology to everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device worn directly on the body or integrated into the user's clothing or accessories. It is not merely a piece of hardware: it delivers its functions through software support together with data exchange and cloud interaction. In the broad sense, wearable smart devices include full-featured, larger devices that can perform all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on a single class of application and must be used together with another device such as a smartphone, such as smart bracelets, smart helmets and smart jewellery for monitoring vital signs.
Any of the terminal devices described above, if located on a vehicle (for example placed or installed in the vehicle), may be regarded as a vehicle-mounted terminal device, also called an on-board unit (OBU).
In the embodiments of the present application, the terminal device may also include a relay. Put another way, anything capable of data communication with a base station may be regarded as a terminal device.
In the embodiments of the present application, the apparatus for implementing the functions of the terminal device may be the terminal device itself, or an apparatus capable of supporting the terminal device in implementing those functions, such as a chip or chip system, which may be installed in the terminal device. A chip system may consist of chips alone or include chips together with other discrete components. The technical solutions provided by the embodiments of the present application are described taking the case where this apparatus is the terminal device as an example.
3) The network elements involved in the embodiments of the present application may be hardware, functionally divided software, or a combination of the two. Network elements may include core network elements, access network elements (also called access network devices) and the like. Core network elements include, for example, a mobility management network element, a policy control network element and a data management network element.
The mobility management network element is responsible for access and mobility management of terminal devices in the mobile network. It may be the access and mobility management function (AMF) in 5G, the mobility management entity (MME) in 4G, or all or part of a control function formed by merging such network elements. In future communication systems (for example 6G or other networks) the mobility management network element may be an AMF network element or may have another name, which the present application does not limit. In the following description the mobility management network element is taken to be an AMF network element as an example.
The data management network element helps operators manage user-related data in a unified way. It may be, for example, a subscriber data management (SDM) network element, a unified data management (UDM) network element or a home subscriber server (HSS) network element.
The session management network element is responsible for managing user services; it may be, for example, the session management function (SMF) network element in 5G. In future communication systems (for example 6G or other networks) the session management network element may be an SMF network element or may have another name, which the present application does not limit.
The policy control network element is responsible for policy control decisions and flow-based charging control; it may be, for example, the policy control function (PCF) network element in 5G. In future communication systems (for example 6G or other networks) the policy control network element may be a PCF network element or may have another name, which the present application does not limit.
4) The terms "system" and "network" are often used interchangeably herein. The term "and/or" herein only describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it. The term "at least one" in this application means one or more, that is, one, two, three or more; "multiple" means two or more, that is, two, three or more. "At least one of the following" or similar expressions refer to any combination of the listed items, including any combination of a single item or plural items. For example, "at least one of a, b, or c" may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where each of a, b and c may be single or multiple. It should be understood that in the embodiments of this application, "B corresponding to A" means that B is associated with A and B can be determined according to A. It should also be understood that determining B according to A does not mean that B is determined only according to A; B may also be determined according to A and/or other information. Unless stated otherwise, ordinal numbers such as "first" and "second" in the embodiments of this application are used to distinguish multiple objects and do not limit the order, timing, priority or importance of those objects. In addition, the terms "comprising" and "having" in the embodiments, claims and drawings of this application are not exclusive. For example, a process, method, system, product or device that includes a series of steps or modules is not limited to the listed steps or modules and may also include steps or modules that are not listed.
Taking the 5G communication network architecture as an example, FIG. 1, FIG. 2A and FIG. 2B are schematic diagrams of three possible 5G communication network architectures provided by way of example in the embodiments of this application. The communication network architecture may include a terminal device and a data network (DN). It may also include one or more of the following network elements: an authentication server function (AUSF) network element, a network exposure function (NEF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, a unified data repository (UDR) network element, a network repository function (NRF) network element, an application function (AF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a RAN network element, a user plane function (UPF) network element, and so on. Among these network elements, the part other than the radio access network may also be referred to as the core network.
The functions of these network elements are briefly described below.
AMF network element: responsible for user mobility management, including mobility state management, allocation of temporary user identities, and authentication and authorization of users.
SMF network element: responsible for UPF selection and reselection, Internet Protocol (IP) address allocation, bearer establishment, modification and release, and QoS control.
PCF network element: includes the policy control decision and flow-based charging control functions, including user subscription data management, policy control, charging policy control, QoS control, and so on.
UDM network element: responsible for managing subscription data and for notifying the relevant network elements when subscription data is modified.
UDR network element: responsible for storing and retrieving subscription data, policy data, public architecture data and the like, from which the UDM, PCF and NEF obtain the data they need. The UDR must be able to apply different data access authentication mechanisms to different types of data, such as subscription data and policy data, to ensure the security of data access, and must return a failure response carrying an appropriate cause value for unauthorized service operations or data access requests.
AF network element: provides a certain application layer service to the UE. When providing a service to the UE, the AF has requirements on the quality of service (QoS) policy and the charging policy and needs to notify the network. At the same time, the AF also needs application-related information fed back by other network elements of the core network.
NEF network element: mainly supports the network capability exposure function, exposing network capabilities and services to the outside. 3rd generation partnership project (3GPP) network functions (NFs) publish capabilities and events to other NFs through the NEF. The capabilities and events exposed by NFs can be securely exposed to third-party applications. The NEF uses the standardized interface to the UDR (Nudr) to store and retrieve structured data, and translates the information exchanged with the AF into the information exchanged with internal network functions; for example, it converts between an AF-Service-Identifier and internal 5G core information such as a data network name (DNN) or single network slice selection assistance information (S-NSSAI).
UPF network element: supports all or part of the following functions: interconnecting protocol data unit (PDU) sessions with the data network; packet routing and forwarding, for example classifying traffic (uplink classifier) before forwarding it to the data network and supporting the branching point function for multi-homed PDU sessions; and packet inspection. UPF network elements are further divided into the intermediate UPF (I-UPF) and the anchor UPF (A-UPF). The I-UPF connects to the RAN, and the A-UPF is the UPF acting as the session anchor, also called the PDU session anchor (PSA) user plane network element. The UPF in the embodiments of this application may have a traffic offload function, for example an uplink classifier (ULCL) or a branching point (BP) that supports offloading.
AUSF network element: responsible for the authentication function or for performing the network slice specific authentication and authorization (NSSAA) procedure.
Untrusted non-3GPP access network device: this device allows interconnection between the terminal device and the 3GPP core network using non-3GPP technologies, for example wireless fidelity (Wi-Fi), worldwide interoperability for microwave access (WiMAX), or code division multiple access (CDMA) networks. A terminal device that accesses an untrusted non-3GPP access network needs to interconnect with the 3GPP core network through a secure tunnel established with a security gateway. The security gateway may be, for example, an evolved packet data gateway (ePDG) or a non-3GPP interworking function (N3IWF) network element.
In addition, for brevity, "network element" is omitted from the names of the functional network elements in the following description; for example, the AMF network element is abbreviated as AMF and the UDM network element as UDM. The other network elements are abbreviated in the same way and are not listed one by one.
FIG. 1 is a schematic diagram of a communication network architecture based on a service-based architecture. In FIG. 1, communication between any two of the NEF, NRF, PCF, UDM, AUSF, UDR, AMF and SMF may use service-based communication; for example, the Nnef and Nausf interfaces used for communication between the NEF and the AUSF are service-based interfaces, and likewise the Nnrf, Npcf, Nudm, Naf, Nudr, Namf and Nsmf interfaces are service-based interfaces. In addition, the AMF and the terminal device may communicate through the N1 interface, the AMF and the (R)AN through the N2 interface, the RAN and the UPF through the N3 interface, and the SMF and the UPF through the N4 interface; the terminal device and the RAN communicate over the air interface, and the UPF and the DN may communicate through the N6 interface.
FIG. 2A is a schematic diagram of a communication network architecture based on point-to-point interfaces. The main difference between FIG. 1 and FIG. 2A is that the interfaces between the network elements in FIG. 2A are point-to-point interfaces rather than service-based interfaces.
The communication network architectures shown in FIG. 1 and FIG. 2A are 3rd generation partnership project (3GPP) system architectures. FIG. 2B is a non-3GPP system architecture. Compared with the 3GPP architecture, the non-3GPP system architecture adds an N3IWF network element. In FIG. 2B, the 3GPP core network is taken to be the home public land mobile network (HPLMN) of the UE as an example. The UE may access the 3GPP core network through at least one of a 3GPP access network (for example a RAN) and an untrusted non-3GPP access network.
Before the solutions provided by the embodiments of this application are described in detail, the technical concepts involved are briefly explained below.
(1) Internet Protocol Security (IPsec):
IPsec is not a single protocol; it specifies a set of solutions for network security at the IP layer. IPsec is used to protect sensitive data transmitted over an insecure network environment. The two communicating parties perform encryption and data origin authentication at the IP layer to ensure the confidentiality and integrity of the transmitted packets, to authenticate the data origin, and to resist replay.
Data origin authentication means that the identity of the peer is authenticated and cannot be repudiated. Integrity protection means ensuring that data is not tampered with during transmission. Confidentiality means encrypting the sensitive user data being transmitted. Anti-replay means refusing to accept old or duplicate packets.
The encapsulating security payload (ESP) and the authentication header (AH) are the two IPsec security protocols that provide these security services for IP datagrams. AH mainly provides data origin authentication, data integrity checking and anti-replay protection, but does not support data encryption. ESP mainly provides data origin authentication, data integrity checking, anti-replay protection and data encryption. AH and ESP can be used separately or nested, and in these combinations can be applied between two hosts, between two security gateways (firewalls and routers), or between a host and a security gateway.
IPsec has two working modes, transport mode and tunnel mode. The two modes are used in different scenarios and process data differently.
In transport mode, the AH or ESP header is inserted after the IP header but before any transport layer protocol, or before any other IPsec protocol. See FIG. 3A for a schematic diagram of the data encapsulation in transport mode. Transport mode is used for communication between two hosts, or between a host and a security gateway. In transport mode, the two devices that encrypt and decrypt a packet must themselves be the original sender and the final receiver of that packet; in other words, the encryption and decryption points are the actual communication endpoints. It should be noted that the Request For Comments (RFC) specifications currently allow a terminal device (for example a host) and a security gateway to communicate in transport mode, but it must be ensured that all packets encrypted and decrypted by the security gateway are forwarded from that security gateway.
In tunnel mode, the AH or ESP header is inserted before the original IP header, and a new IP header is generated and placed before the AH or ESP header. See FIG. 3B for a schematic diagram of the data encapsulation in tunnel mode. Tunnel mode is often used in network-to-network scenarios. Usually, most of the data traffic between two security gateways (routers) is not traffic of the security gateways themselves, so transport mode is generally not used between security gateways; tunnel mode is used instead. A packet encrypted at one security gateway can only be decrypted by the other security gateway. Therefore the IP packet must be tunnel-encapsulated, that is, a new IP header is added, and the tunnel-encapsulated IP packet is sent to the other security gateway, where it can be decrypted.
The security services provided by IPsec are implemented according to the policy rules defined in a security policy database (SPD). The SPD is usually an ordered structure that describes the characteristics of data flows with access control lists and defines which data flows need IPsec. The main contents stored in the SPD may include the source IP address, destination IP address, destination port number, source port number, encapsulation protocol, working mode, and so on. The SPD defines three possible processing actions: bypass, IPsec encryption, or discard. Bypass means that when the source and destination IP addresses of a packet do not match a policy recorded in the SPD, the packet is forwarded according to the routing table. IPsec encryption means that when the source and destination IP addresses of a packet match an SPD policy, the packet is handed to the corresponding encapsulation for IPsec processing. Discard means that the packet is not processed and is dropped directly.
Security association (SA):
An SA is an agreement established by negotiation between two communicating entities (for example a host and a security gateway). It creates a one-way logical connection for security purposes; all data flows passing through the same SA receive the same security services. The SA determines the IPsec protocol (AH or ESP), the operating mode (transport or tunnel), the authentication algorithm, the encryption algorithm, the encryption key, the key lifetime, the anti-replay window and so on that are used to protect the packets. SAs are the foundation of IPsec.
Security associations are a basic component of IPsec and include the Internet key exchange (IKE) SA and the IPsec SA. The IKE SA protects negotiation and authentication traffic, such as the negotiation of the IPsec protocol (AH or ESP), the operating mode (transport or tunnel), the authentication algorithm, the encryption algorithm, the encryption key, the key lifetime, the anti-replay window and so on. The IPsec SA protects the actual transmitted data traffic. An IPsec SA provides one-way protection. Both the IKE SA and the IPsec SA are produced by IKE protocol negotiation.
The IKE protocol is responsible for key management and defines the methods by which communicating entities authenticate each other, negotiate encryption algorithms and generate shared session keys. IKE keeps the results of key negotiation in the SA for later use by AH and ESP.
Security association database (SAD): a storage structure holding all state data associated with SAs.
Security parameter index (SPI): a 32-bit value used to look up an SA. The SPI, the destination IP address and the security protocol number together form a triple that uniquely identifies a particular SA.
Security policy (SP): configured by the user, it decides what protection is provided for IP packets and how that protection is applied. SP attributes include the protected data flows (for example access control lists (ACLs)), the security proposal (working mode, IPsec protocol, encryption and authentication algorithms), the key configuration method, the local and peer IP addresses of the secure tunnel, the IKE peer, and so on.
With the rapid development of networks, data security faces greater challenges, and an encryption requirement from the terminal device to the core network (CN) has now been raised. One feasible encryption scheme is to deploy a security gateway between the UPF and the DN. Communication between the UE and the security gateway then implements end-to-end (E2E) encryption at the IP layer. The keys and encryption policy used for encryption may be negotiated between the UE and the security gateway based on a security protocol (for example IPsec).
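The SPD, SAD, SPI and mode definitions above describe a decision path that is easier to follow in code. The following is an added illustration, not code from the patent: it models an ordered SPD lookup with the page's three actions, the (SPI, destination address, protocol) triple as the SAD key, and the transport versus tunnel header layouts, using a UE at 10.0.0.7 and a security gateway at 198.51.100.1 as constructed addresses. It also covers the failure case the text implies but does not spell out: a PROTECT policy whose SA has not yet been negotiated by IKE must drop rather than send in clear.

```python
"""Toy model of the IPsec outbound decision path described above: an ordered
SPD is consulted first; a PROTECT hit names an SA, which is looked up in the
SAD by the (SPI, destination address, security protocol) triple and whose mode
decides the header layout. Addresses, SPIs and selectors are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

BYPASS, PROTECT, DISCARD = "bypass", "protect", "discard"
ESP, AH = 50, 51  # IP protocol numbers of the two IPsec security protocols


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # transport protocol carried, e.g. 6 = TCP, 17 = UDP
    dport: int


@dataclass
class SpdEntry:
    src_net: IPv4Network
    dst_net: IPv4Network
    action: str
    dport: Optional[int] = None   # None matches any destination port
    spi: Optional[int] = None     # SA to use when action is PROTECT
    sa_dst: Optional[str] = None  # SA destination (the IPsec peer)
    sa_proto: int = ESP

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src_net
                and ip_address(pkt.dst) in self.dst_net
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class SaEntry:
    mode: str      # "transport" or "tunnel"
    encr: str
    auth: str
    local: str     # this end of the SA
    peer: str      # the other end of the SA
    seq: int = 0   # outbound sequence number feeding the peer's anti-replay window


def spd_lookup(spd, pkt):
    """Ordered search: the first matching entry wins, so specific entries must
    precede general ones. With no match the page's semantics apply: the packet
    bypasses IPsec and follows the routing table. A hardened SPD ends with an
    explicit catch-all DISCARD so unclassified traffic never leaves in clear."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def sad_lookup(sad, spi, dst, proto):
    """An SA is identified by the (SPI, destination address, protocol) triple."""
    return sad.get((spi, dst, proto))


def process_outbound(spd, sad, pkt):
    """Return (action, header layout) for one outbound packet."""
    entry = spd_lookup(spd, pkt)
    if entry is None or entry.action == BYPASS:
        return BYPASS, [f"IP({pkt.src}->{pkt.dst})", f"L4(proto {pkt.proto})"]
    if entry.action == DISCARD:
        return DISCARD, []
    sa = sad_lookup(sad, entry.spi, entry.sa_dst, entry.sa_proto)
    if sa is None:
        # Policy demands protection but no SA exists: IKE must negotiate one
        # first; the packet must not be sent unprotected, so it is dropped.
        return DISCARD, []
    sa.seq += 1
    name = "ESP" if entry.sa_proto == ESP else "AH"
    hdr = f"{name}(spi={entry.spi:#x}, seq={sa.seq}, {sa.encr}/{sa.auth})"
    inner = [f"IP({pkt.src}->{pkt.dst})", f"L4(proto {pkt.proto})"]
    if sa.mode == "transport":
        # Transport mode: ESP/AH sits between the original IP header and L4.
        return PROTECT, [inner[0], hdr, inner[1]]
    # Tunnel mode: a new outer IP header addressed to the peer precedes ESP/AH,
    # and the whole original packet (its IP header included) is the payload.
    return PROTECT, [f"IP({sa.local}->{sa.peer})", hdr] + inner


def build_example():
    """Constructed SPD/SAD for a UE (10.0.0.7) and a security gateway (198.51.100.1)."""
    gw, ue = "198.51.100.1", "10.0.0.7"
    spd = [
        # IKE (UDP/500) to the gateway must travel in clear, so it is listed first.
        SpdEntry(ip_network("10.0.0.0/24"), ip_network(gw + "/32"), BYPASS, dport=500),
        SpdEntry(ip_network("10.0.0.0/24"), ip_network(gw + "/32"), PROTECT, spi=0x1002, sa_dst=gw),
        # A blocked host inside the edge range precedes the broader PROTECT entry.
        SpdEntry(ip_network("10.0.0.0/24"), ip_network("192.0.2.66/32"), DISCARD),
        SpdEntry(ip_network("10.0.0.0/24"), ip_network("192.0.2.0/24"), PROTECT, spi=0x1001, sa_dst=gw),
        # Policy exists but its SA was never negotiated (no SAD entry for 0x1003).
        SpdEntry(ip_network("10.0.0.0/24"), ip_network("203.0.113.0/24"), PROTECT, spi=0x1003, sa_dst=gw),
    ]
    sad = {
        (0x1001, gw, ESP): SaEntry("tunnel", "AES-GCM-256", "builtin", ue, gw),
        (0x1002, gw, ESP): SaEntry("transport", "AES-CBC-128", "HMAC-SHA256", ue, gw),
    }
    return spd, sad
```

Running `process_outbound` over the constructed tables shows the ordering property the text relies on: the single-host DISCARD entry only takes effect because it precedes the /24 PROTECT entry, and the IKE bypass only works because it precedes the transport-mode entry for the same gateway address.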
(2) An edge network is the counterpart concept to the central cloud and can be understood as a local data center. It can be identified by a data network access identifier (DNAI) and may also be called an edge computing network. Multiple local data networks (local DNs) can be deployed in an edge network. In one implementation, the edge network may be an edge data network (EDN). Mobile edge computing (MEC) services are services provided by the edge network; MEC services may also be referred to simply as edge services.
Because the UE is mobile, the edge network it is attached to may change as it moves, so the DNAI it accesses also changes. The procedure for a DNAI change is described in detail below.
FIG. 4 shows the AF influence on traffic routing procedure. The AF notifies the SMF, via the PCF, of the DNAIs that support the MEC service, the corresponding location areas and the service flow information, so that the SMF triggers an adjustment of the terminal device's current session.
401. The AF generates an AF request. The AF request may include an AF transaction identifier (AF Transaction ID) and the way AF notifications are to be received (for example, that AF notifications need to be received). Optionally, the AF request may also include an AF service identifier (AF service ID), the list of DNAIs corresponding to the service, and the application ID (for example an APP ID) and service flow information (traffic filtering information) of the indicated service. The AF request may also include N6 routing information (including the port information used to establish the N6 connection with the UPF). The service flow information is used to identify the service flow.
402. The AF sends the generated AF request to the NEF.
For example, the AF may send the AF request to the NEF in a service-based interface message between the AF and the NEF, such as Nnef_TrafficInfluence_Create/Update/Delete.
403a. The NEF stores the content carried in the AF request in the UDR.
403b. The NEF notifies the AF of the storage/update/deletion of the content carried in the AF request in the NEF's stored information. For example, this may be done through a service-based interface message between the NEF and the AF, such as Nnef_TrafficInfluence_Create/Update/Delete Response.
Optionally, the UDR may also perform step 404.
404. If the PCF has subscribed to notifications of the AF request, the UDR notifies the PCF of modifications (including updates, deletions, etc.) to the content carried by the corresponding AF request. For example, the UDR may do so through a UDR service-based interface message such as Nudr_DM_Notify.
405. The PCF determines from the content of Nudr_DM_Notify whether the PDU session needs to be modified. If so, it generates a policy and charging control rule (PCC rule) according to that content and sends the PCC rule to the SMF. When the AF notification reception method indicates that AF notifications need to be received, the PCF also sends the AF notification subscription event to the SMF.
For example, the PCF may send the PCC rule to the SMF through a PCF service-based interface message such as Npcf_SMPolicyControl_UpdateNotify.
406. On receiving the PCC rule from the PCF, the SMF performs user plane reconfiguration according to the PCC rule, including adjusting the current PDU session, which may include one or more of the following:
(1) Adding, replacing or removing a PDU session anchor user plane network element (for example a ULCL node) for the UE according to the updated DNAI list and the UE's location information.
(2) Adding a new target DNAI and new traffic steering rules to the UPF.
(3) Subscribing to the AMF for a new UE location information notification event.
FIG. 5 shows the procedure for adding a ULCL. Specifically, the SMF decides, based on a change of area or detection of the corresponding service flow, to execute the PCC rule delivered in the procedure of FIG. 4, and inserts a ULCL node. In the ULCL insertion procedure shown in FIG. 5, the SMF needs to adjust the forwarding rules of PSA1, PSA2 and the ULCL respectively to ensure that the corresponding uplink and downlink packets are transmitted via the correct user plane network elements.
501. The UE has established a PDU session with PSA1. At this point the SMF locally stores the port information corresponding to this PDU session, for example the uplink port information on PSA1 used to connect to the RAN and the downlink port information on the RAN used to connect to PSA1.
502. The SMF selects and configures PSA2, mainly configuring PSA2's N6 port and obtaining PSA2's uplink port.
503. The SMF selects and configures the added UPF (ULCL/BP); a ULCL is taken as the example. It mainly configures the uplink tunnels from the ULCL to PSA1 and PSA2 (according to the uplink port information of PSA1 and PSA2) and the downlink tunnel from the ULCL to the RAN (according to the downlink port information of the RAN), and obtains the downlink port information the ULCL uses to connect to PSA1 and PSA2 respectively and the uplink port information the ULCL uses to connect to the RAN. The data forwarding rules associated with each port also need to be configured.
504. The SMF updates the data forwarding rules of PSA1, mainly configuring the downlink tunnel from PSA1 to the ULCL according to the downlink port information the ULCL uses to connect to PSA1.
505. The SMF updates the data forwarding rules of PSA2, mainly configuring the downlink tunnel of PSA2 according to the downlink port information the ULCL uses to connect to PSA2.
506. The SMF updates the data forwarding rules of the RAN, mainly establishing the uplink tunnel from the RAN to the ULCL according to the uplink port information the ULCL uses to connect to the RAN.
507. The SMF notifies the UE of the new IP address (IP prefix) of PSA2, for example when PSA2 uses an IPv6 address.
508. The SMF updates the IP prefix of PSA1 to the UE; PSA2 uses an IPv6 address.
Steps 507-508 are mainly the mechanism for conveying the PSAs' IPv6 addresses and updating the respective IPv6 addresses. Since the routing path has changed after the ULCL is inserted, the SMF adds the ULCL's IPv6 address to the IPv6 address lists of PSA1 and PSA2.
Figure 6 shows the AF notification procedure. An AF notification may be an early notification or a late notification. AF notification is mainly used to notify the AF of a DNAI change after the SMF has inserted a ULCL.
601: The SMF determines that the conditions for triggering the AF notification subscribed to by the AF are met.
602a: If the AF subscribed to early notification via the NEF, the SMF sends the early notification to the NEF. The AF notification may include the target DNAI of the current PDU session.
For example, the SMF may send the early notification to the NEF through a service-based interface message between the SMF and the NEF, such as Nsmf_EventExposure_notify(early notification).
602b: After receiving the early notification, the NEF sends it to the AF that subscribed to early notification. The NEF may send the early notification to the AF through a service-based interface message, such as Nnef_trafficInfluence_Notify(early notification).
After receiving the early notification, the NEF may also perform message mapping, for example selecting the corresponding AF transaction ID; Nnef_trafficInfluence_Notify may then also carry the AF transaction ID.
603a: The AF sends a reply message to the NEF, either directly or after redeploying the application for the Target DNAI. The reply message carries the N6 data routing information corresponding to the Target DNAI.
For example, the AF may send the reply to the NEF through a NEF service-based interface message such as Nnef_TrafficInfluence_AppRelocationinfo.
603b: After the NEF receives the reply message from the AF, the NEF triggers a matching notification message to inform the SMF of the application redeployment information (mainly the N6 data routing information for the Target DNAI to which the application was redeployed).
For example, the NEF may send the application redeployment information to the SMF through an SMF service-based interface message such as Nsmf_TrafficInfluence_AppRelocationinfo.
602c: If the AF subscribed to early notification delivered directly, the SMF sends the early notification to the AF. The early notification may include the target DNAI of the current PDU session.
For example, the SMF may send the early notification to the AF through an SMF service-based interface message such as Nsmf_EventExposure_notify(early notification).
603c: The AF sends a reply message directly to the SMF, or sends a reply message to the NEF after redeploying the application for the Target DNAI. The reply message carries the N6 data routing information corresponding to the Target DNAI.
For example, the AF may send the reply to the SMF through a service-based interface message such as Nsmf_TrafficInfluence_AppRelocationinfo.
It should be understood that when 602a and 602b are performed, 602c is not performed.
604: The SMF performs the DNAI change procedure or the UPF addition/modification/removal procedure. If the AF subscribed with the SMF using an "AF acknowledgment to be expected" indication, the SMF may wait for the AF's reply message before performing step 604; otherwise, the SMF may perform the DNAI change procedure or the UPF addition/relocation/removal procedure as soon as it has sent the early notification.
605a: If the AF subscribed to late notification via the NEF, the SMF sends the late notification to the NEF. The late notification includes the Target DNAI of the current PDU Session.
For example, the SMF may send the late notification to the NEF through a service-based interface message such as Nsmf_EventExposure_Notify.
605b: After receiving the late notification, the NEF sends it to the AF that subscribed to late notification. The NEF may send the late notification to the AF through a service-based interface message such as Nnef_trafficInfluence_Notify(late notification).
After receiving the late notification, the NEF may also perform message mapping, for example selecting the corresponding AF transaction ID; Nnef_trafficInfluence_Notify may then also carry the AF transaction ID.
606a: The AF sends a reply message to the NEF, either directly or after redeploying the application for the Target DNAI. The reply message carries the detailed N6 data routing information corresponding to the Target DNAI. If the AF changes, the AF includes an AF switching indication in the reply message, including the Target AF ID, and notifies the NEF of the Target AF's target address (Target Address).
For example, the AF may send the reply to the NEF through a service-based interface message such as Nnef_TrafficInfluence_AppRelocationinfo.
606b: After the NEF receives the reply message from the AF, the NEF triggers a matching notification message to inform the SMF of the application redeployment information (mainly the N6 data routing information for the Target DNAI to which the application was redeployed).
For example, the NEF may send the reply to the SMF through a service-based interface message such as Nsmf_TrafficInfluence_AppRelocationinfo.
605c: If the AF subscribed to late notification delivered directly, the SMF sends the late notification to the AF. The late notification includes the Target DNAI of the current PDU Session. After receiving the late notification from the SMF, the AF checks whether it can serve the Target DNAI; if the AF entity needs to be replaced, the AF selects a Target AF for the Target DNAI and performs AF migration.
For example, the SMF may send the late notification to the AF through a service-based interface message such as Nsmf_trafficInfluence_Notify(late notification).
606c: The AF sends a reply message to the SMF, either directly or after redeploying the application for the Target DNAI. The reply message carries the detailed N6 data routing information corresponding to the Target DNAI. If the AF changes, the AF includes an AF switching indication in the reply message, including the Target AF ID, and notifies the SMF of the Target AF's target address (Target Address).
For example, the AF may send the reply to the SMF through a service-based interface message such as Nsmf_TrafficInfluence_AppRelocationinfo.
The following describes the procedure for establishing an IKE SA and IPsec sub-SAs (child SAs in IKEv2 terminology). Referring to Figure 7, steps 701-702 are the IKE SA establishment procedure and steps 703-704 are the IPsec sub-SA establishment procedure. Once the IKE SA is established, all information exchanged in the subsequent IPsec sub-SA establishment can be transmitted encrypted under the IKE SA; once an IPsec sub-SA is established, the data packets belonging to that sub-SA are transmitted encrypted under that sub-SA. In Figure 7, information in square brackets is optional and information in curly brackets is encrypted and protected by the IKE SA.
701: The initiator sends the responder message 1 for establishing the IKE SA. Message 1 contains one or more of HDR, SAi1, KEi1 and Ni. HDR is the IKE header, which includes the Security Parameter Indexes (SPI) (used to look up the security policy parameters), the IKE protocol version number, the exchange type (transport type or tunnel type), the message ID and other flags. SAi1 indicates the cryptographic algorithms supported by the initiator; KEi1 is the initiator's key exchange material and contains the initiator's Diffie-Hellman value, used to generate keying material; Ni is the initiator's nonce (random number), used for key generation or encryption.
702: The responder sends message 2 to the initiator in reply to message 1. Message 2 contains one or more of HDR, SAr1, KEr1 and Nr. SAr1 indicates the cryptographic algorithms supported by the responder; KEr1 is the responder's key exchange material and contains the responder's Diffie-Hellman value, used to generate keying material; Nr is the responder's nonce, used for key generation or encryption. Message 2 may also contain an authentication request. At this point both parties hold the other's KE value and nonce and can compute the same SKEYSEED, from which all subsequent keys are derived.
703: The initiator sends the responder message 3 for establishing the IPsec sub-SA. Message 3 contains HDR and SK{IDi, AUTH, SAi2, TSi, TSr}, where SK{} denotes that the contents of the braces are encrypted under the IKE SA. Optionally, message 3 may also include one or more of [CERT] and [CERTREQ]. IDi and AUTH are used for authentication and integrity protection: IDi is the initiator's identification (Identification-Initiator), AUTH is the authentication payload, CERT is a certificate and CERTREQ is a certificate request. SAi2 indicates the cryptographic algorithms used by the initiator's IPsec sub-SA, and TSi and TSr are the packet filtering rules (traffic selectors) that determine which packets this sub-SA encrypts. TSi and TSr may each contain an IP address or an IP address range. For the initiator, a packet it sends whose source address lies in the TSi range and whose destination address lies in the TSr range must be encrypted with this sub-SA; for the responder, such a packet received from the initiator must be decrypted with this sub-SA. Conversely, for the initiator, a packet received from the responder whose destination address lies in the TSi range and whose source address lies in the TSr range must be decrypted with this SA; for the responder, a packet it sends whose source address lies in the TSr range and whose destination address lies in the TSi range must be encrypted with this sub-SA.
704: The responder replies to the initiator with message 4. Message 4 contains HDR and SK{IDr, AUTH, SAr2, TSi, TSr}; optionally it may also include [CERT]. IDr is the responder's identification, AUTH is the authentication payload and CERT is a certificate. SAr2 indicates the cryptographic algorithms used by the responder's IPsec sub-SA, and TSi and TSr are the packet filtering rules applied to the packets encrypted by this sub-SA.
In some embodiments, steps 703 and 704 may be performed multiple times, protected by the IKE SA, to establish multiple IPsec sub-SAs for data transmission. It should be understood that the party initiating the establishment of an IPsec sub-SA may be either the initiator or the responder of the IKE SA.
At present, one possible way to achieve IPsec end-to-end (E2E) encryption is to deploy a security gateway behind each PSA (UPF), so that the user plane data transmitted by a terminal device is encrypted end to end. Take the MEC scenario of Figure 8 as an example. In Figure 8, the central UPF is the anchor UPF of the session and is located in a remote, centralized data center; APP server 1 (server1) in the remote data center can send user plane data, such as user plane APP data, to the terminal device through the central UPF. The ULCL/BP in Figure 8 can be regarded as a special UPF located at an edge node closer to the terminal device; it can connect to APP Server2 deployed in an edge equipment room and forward user plane APP data. The ULCL/BP is used to offload terminal device traffic, that is, some of the terminal device's APP data can be sent to APP Server2, which is closer to the UE, for processing. The security gateway in Figure 8 is an IPsec gateway deployed between the UPF and the APP server and is mainly used to encrypt APP data, so that the APP data remains encrypted along the whole transmission path between the terminal device and the security gateway, i.e. the APP data is invisible both on the core network side and on the base station side (for example the RAN side).
It can be seen from the above that, to guarantee the security of end-to-end data transmission, an independent security gateway must be deployed behind both the central UPF and the ULCL/BP. A service update of the terminal device or a change in its location may trigger the insertion of a new ULCL/BP and cause the security gateway to change, or trigger an update of the ULCL/BP and the security gateway. For example, the server originally serving the terminal device is APP server1; then, because of a service update of the terminal device, the serving server needs to switch from APP server1 to APP server2, so the insertion of a new ULCL/BP and an update of the security gateway, from security gateway 1 to security gateway 2, must be triggered. Specifically, the server adjustment is mainly realized by the AF influence traffic routing procedures (for example, see the description of Figure 4): the AF first provides, via the PCF, the DNAI available for the relevant application server (i.e. the access network entity where the application server is located) to the SMF; the SMF, because the terminal device moved or because it detected the data flow corresponding to the terminal device, triggers the new ULCL/BP insertion procedure (for example, see the description of Figure 5); after completing the ULCL/BP selection it notifies the AF of the DNAI change, obtains the N6 configuration options and related routing rules required by the ULCL/BP through the AF notification procedure (for example, see the description of Figure 6), and then configures the ULCL/BP. Then, to guarantee the security of the user plane data, the IKE SA and IPsec SA with security gateway 2 are established. In the current solution, every time a ULCL/BP is inserted or switched, an IKE SA and an IPsec SA have to be re-established with the new security gateway, which makes the procedure complicated and wastes resources. Moreover, in some MEC application scenarios the terminal device cannot perceive the insertion of the ULCL or the change of application server, so the core network cannot notify the terminal device to switch security gateway, and as a result end-to-end security protection cannot be achieved in those MEC scenarios.
On this basis, the embodiments of the present application provide a communication method and apparatus that deploy a centralized security gateway. The centralized security gateway is used to establish the IKE SA with the terminal device and is responsible for managing key generation and distribution. The security gateways that protect user plane data transmission are deployed in a distributed manner: a distributed security gateway can be deployed behind the ULCL/BP to establish the user plane IPsec sub-SA connection with the terminal device. In the embodiments of the present application, the centralized security gateway creates the IPsec sub-SA connection with the terminal device in place of the distributed security gateway, or in other words, creates that connection on behalf of the distributed security gateway. For example, the centralized security gateway may establish transport-mode IPsec sub-SAs for the distributed security gateways.
Figure 9 is a schematic diagram of a communication system architecture provided by an embodiment of the present application. The communication system includes a first security gateway and a second security gateway. The first security gateway may also be called the centralized security gateway; it provides the security protection of the IKE SA and may also be called the IKE gateway. The second security gateway may be called a distributed security gateway; it provides the security protection of the IPsec SA and may also be called an IPsec gateway. The first security gateway may be deployed in a data center, and the second security gateways may be deployed in a distributed manner between each PSA and the application server. The communication system further includes a first core network element and a second core network element. As an example, the first core network element may include a session management network element, and the second core network element may include a mobility management network element or a policy control network element. Taking the 5G network architecture as an example, the session management network element may be the SMF, the mobility management network element the AMF and the policy control network element the PCF. The communication system may also include a user plane network element.
The solution provided by the embodiment of the present application is described below with reference to the communication system architecture of Figure 9. Figure 10 is a schematic flowchart of a communication method provided by an embodiment of the present application.
1001: The first security gateway establishes an IKE SA connection with the terminal device.
1002: When the first security gateway determines that user plane data needs to be securely transmitted through the second security gateway, it establishes an IPsec sub-SA connection for the second security gateway. The IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
For example, an end-to-end secure service on the terminal device needs to be switched to an EAS server; in this scenario a ULCL/BP must be inserted and the security gateway replaced, so it is determined that the user plane data between the terminal device and the EAS server needs to be securely transmitted through the second security gateway.
In a possible implementation, the first security gateway may establish the IPsec sub-SA connection for the second security gateway in any of the following ways:
In a first possible implementation, the first security gateway negotiates the IPsec sub-SA connection with the terminal device in place of the second security gateway and obtains the first security parameters; the second security gateway does not take part in the negotiation. The first security gateway then configures the negotiated security parameters on the second security gateway for its use. The first security parameters are used for secure transmission of user plane data between the second security gateway and the terminal device. For example, the first security parameters may include the material for generating the keys used for user plane data transmission with the terminal device, such as the keying material generated by the first security gateway, the key exchange material of the terminal device, the key exchange material configured for the second security gateway, the nonce of the terminal device, or the nonce generated for the second security gateway.
As an example, the second security gateway may generate keying material from the material provided by the first security gateway, as shown in formula (1) below.
KEYMAT = prf+(SK_d, Ni | Nr)    Formula (1)
Here KEYMAT (keying material) is the keying material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr is the nonce generated for the second security gateway, and SK_d is the keying material derived from the established IKE SA.
As another example, the second security gateway may generate the keying material from the material provided by the first security gateway as shown in formula (2) below.
KEYMAT = prf+(SK_d, g^ir | Ni | Nr)    Formula (2)
Here KEYMAT is the keying material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr is the nonce generated for the second security gateway, and SK_d is the keying material derived from the established IKE SA. g^ir is generated from KEi and KEr, where KEi is the key exchange material of the terminal device and KEr is the key exchange material configured for the second security gateway.
As an example, the generation of SK_d is described by formulas (3) and (4) below.
SK_d = prf+(SKEYSEED, Ni1 | Nr1 | SPIi | SPIr)    Formula (3)
SKEYSEED = prf(Ni1 | Nr1, g^ir)    Formula (4)
Here SPIi and SPIr are the security association index values of the initiator and the responder. g^ir is generated from KEi1 and KEr1, where KEi1 is the key exchange material of the terminal device in the IKE SA negotiation phase and KEr1 is the key exchange material of the first security gateway in that phase. Ni1 is the nonce of the terminal device in the IKE SA negotiation phase and Nr1 is the nonce of the first security gateway in that phase.
In some embodiments, the first security parameters may further include one or more of the following:
the cryptographic algorithm of the terminal device, the cryptographic algorithm allocated for the second security gateway, and the packet filtering rules used for user plane data transmission between the terminal device and the second security gateway. As an example, the packet filtering rules may include TSi and TSr, each of which may contain an IP address or an IP address range. For the initiator, a packet it sends whose source address lies in the TSi range and whose destination address lies in the TSr range must be encrypted with this sub-SA; for the responder, such a packet received from the initiator must be decrypted with this sub-SA. Conversely, for the initiator, a packet received from the responder whose destination address lies in the TSi range and whose source address lies in the TSr range must be decrypted with this SA; for the responder, a packet it sends whose source address lies in the TSr range and whose destination address lies in the TSi range must be encrypted with this sub-SA. In this embodiment, the initiator is the terminal device and the responder can be regarded as the second security gateway.
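The four TSi/TSr rules above (and the same rules stated for steps 703-704) reduce to one symmetric check: each side compares the packet against its own selector and the peer's selector, swapping the roles of TSi and TSr depending on whether it is the initiator (the terminal device) or the responder (the second security gateway). The following Python is an added example written for this page, not code from the patent or from any IKE implementation; the selector string format, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress


def parse_ts(selector):
    """Parse one traffic selector entry into (ip_version, low, high), inclusive.

    Accepts a single address ("203.0.113.10"), a CIDR block ("10.0.0.0/24")
    or an explicit range ("10.0.0.1-10.0.0.9"); IKEv2 TS payloads carry
    address ranges, so everything is normalised to a range of integers.
    The textual input format is an assumption of this example.
    """
    if "-" in selector:
        lo_s, hi_s = selector.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError("malformed address range: %s" % selector)
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(selector, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


def in_selector(addr, selectors):
    """True if addr falls inside any entry of the selector list (same IP version only)."""
    a = ipaddress.ip_address(addr)
    for version, lo, hi in (parse_ts(s) for s in selectors):
        if version == a.version and lo <= int(a) <= hi:
            return True
    return False


def sa_action(role, direction, src, dst, tsi, tsr):
    """Decide what a sub-SA endpoint must do with a packet.

    role:      "initiator" (terminal device) or "responder" (second security gateway)
    direction: "outbound" (packet this side is sending) or "inbound" (packet received)
    Returns "encrypt", "decrypt", or None when the packet is not covered by the sub-SA
    (it must then be handled by another SA or by policy, never sent in the clear by default).
    """
    if role == "initiator":
        local_ts, remote_ts = tsi, tsr      # initiator's own addresses live in TSi
    elif role == "responder":
        local_ts, remote_ts = tsr, tsi      # responder's own addresses live in TSr
    else:
        raise ValueError("role must be 'initiator' or 'responder'")

    if direction == "outbound":
        covered = in_selector(src, local_ts) and in_selector(dst, remote_ts)
        return "encrypt" if covered else None
    if direction == "inbound":
        covered = in_selector(dst, local_ts) and in_selector(src, remote_ts)
        return "decrypt" if covered else None
    raise ValueError("direction must be 'outbound' or 'inbound'")


# Constructed sample selectors: the terminal's prefix and the edge application server.
TSI = ["10.0.0.0/24"]
TSR = ["203.0.113.10"]

if __name__ == "__main__":
    for args in (("initiator", "outbound", "10.0.0.5", "203.0.113.10"),
                 ("responder", "inbound", "10.0.0.5", "203.0.113.10"),
                 ("responder", "outbound", "203.0.113.10", "10.0.0.5"),
                 ("initiator", "inbound", "203.0.113.10", "10.0.0.5"),
                 ("initiator", "outbound", "10.0.0.5", "198.51.100.1")):
        print(args, "->", sa_action(*args, TSI, TSR))
```

The version check in `in_selector` matters when the first security gateway configures mixed IPv4/IPv6 selectors on the second security gateway: an IPv6 address must never match an IPv4 range by integer value alone. A `None` result is the interesting case for a defender, since it means the packet is outside the negotiated sub-SA and the gateway's policy decides whether it is dropped.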
In some embodiments, after the first security gateway has negotiated the first security parameter with the terminal device, it may generate KEYMAT from the first security parameter, for example by formula (1) or formula (2), and send the generated KEYMAT to the second security gateway. KEYMAT is a binary string; the second security gateway takes a portion of its bits as the encryption key or decryption key of the IPsec child SA.
In a second possible implementation, the second security gateway takes part in the negotiation of the IPsec child SA between the first security gateway and the terminal device. During its negotiation with the terminal device, the first security gateway configures security parameters for the second security gateway; the second security gateway confirms or modifies them on receipt and returns the confirmed or modified security parameters to the first security gateway, which then sends them to the terminal device as its own negotiation result.
In a third possible implementation, two IPsec child SA negotiations are performed between the first security gateway and the terminal device. In the first negotiation, the first security gateway and the terminal device negotiate an IPsec child SA between themselves. In the second, the first security gateway acts as an intermediate proxy network element and forwards the signaling messages of the IPsec child SA negotiation between the second security gateway and the terminal device. Note that the only negotiation peer the terminal device perceives is the first security gateway; it does not perceive the second security gateway.
The first possible implementation is described below with reference to FIG. 11A.
1101a: See 1001; not repeated here.
1102a: The terminal device sends an establishment request to the first security gateway, which receives it. The establishment request asks to establish an IPsec child SA with the first security gateway. It should be understood that the terminal device does not perceive the second security gateway and exchanges messages only with the first security gateway; in fact, the first security gateway establishes the IPsec child SA in place of the second security gateway.
In some embodiments, the establishment request may include the encryption algorithm of the terminal device and the key exchange material of the terminal device. It may further include the packet filtering rule for user plane data transmission over the IPsec child SA.
As an example, SAi denotes the encryption algorithm of the terminal device, KEi its key exchange material, and TSi and TSr the packet filtering rule for user plane data transmission over the IPsec child SA. TSi is the IP address or IP address range of the terminal device; TSr is the IP address range of the target application server, which can be understood as the IP address range of the second security gateway. The establishment request may also include a nonce (random number) of the terminal device, denoted Ni.
1103a: The first security gateway sends the first security parameter of the IPsec child SA to the second security gateway.
Exemplarily, the first security parameter may include material for generating the key for user plane data transmission with the terminal device.
Exemplarily, the first security parameter includes one or more of the following: key material generated by the first security gateway (SK_d), the key exchange material of the terminal device (KEi), the key exchange material configured for the second security gateway (KEr), the nonce of the terminal device (Ni), or the nonce generated for the second security gateway (Nr).
In some embodiments, the first security parameter may further include SAi and SAr, where SAr denotes the encryption algorithm configured for the second security gateway. It may also include TSi and TSr. In one possible example, the first security gateway may update TSr for the second security gateway according to TSr and its configuration information; if the updated TSr is denoted TSr*, the first security parameter then includes TSi and the updated TSr (that is, TSr*).
1104a: After receiving the first security parameter, the second security gateway sends a confirmation message to the first security gateway, indicating that the first security parameter has been received.
Note that 1104a is optional and may be omitted, in which case the first security gateway proceeds directly from 1103a to 1105a.
1105a: The first security gateway sends an establishment response to the terminal device, the establishment response including the first security parameter.
The second possible implementation is described below with reference to FIG. 11B.
1101b: See 1001; not repeated here.
1102b: The terminal device sends an establishment request to the first security gateway, which receives it. The establishment request asks to establish an IPsec child SA with the first security gateway. It should be understood that the terminal device does not perceive the second security gateway and exchanges messages only with the first security gateway, while in fact the first security gateway establishes the IPsec child SA in place of the second security gateway.
In some embodiments, the establishment request may include SAi, KEi, TSi or TSr. SAi denotes the encryption algorithm of the terminal device, KEi its key exchange material, and TSi and TSr the packet filtering rule for transmitting user plane data over the IPsec child SA. The establishment request may also include Ni, the nonce of the terminal device.
1103b: The first security gateway sends the configuration context of the IPsec child SA to the second security gateway. The configuration context includes the second security parameter, configured for the second security gateway for establishing the IPsec child SA with the terminal device.
Exemplarily, the second security parameter includes material with which the second security gateway generates the key for user plane data transmission between itself and the terminal device.
In some embodiments, the material for generating the key for user plane data transmission with the terminal device includes one or more of the following: key material generated by the first security gateway, the key exchange material of the terminal device, the key exchange material configured for the second security gateway, the nonce of the terminal device, or the nonce of the first security gateway.
In some embodiments, the second security parameter may further include one or more of the following: the encryption algorithm of the terminal device, the encryption algorithm allocated to the second security gateway, or a first packet filtering rule for user plane data transmission between the terminal device and the second security gateway.
1104b: After receiving the second security parameter, the second security gateway derives a third security parameter from it and sends the third security parameter to the first security gateway. The third security parameter is obtained by the second security gateway updating or confirming the second security parameter.
In one possible implementation, the third security parameter includes one or more of the following: second key exchange material that updates the first key exchange material, or a second nonce that updates the first nonce.
In one example, the second security gateway confirms the second security parameter, so the third security parameter contains the same parameters as the second security parameter. The second security gateway can then obtain the key for user plane data transmission with the terminal device from the second security parameter, for example by formula (2):
KEYMAT1 = prf+(SK_d, g^ir | Ni | Nr)
where KEYMAT1 is the key material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr is the nonce generated by the first security gateway, SK_d is the key material derived from the IKE SA, and g^ir is computed from KEi and KEr, KEi being the key exchange material of the terminal device and KEr the first key exchange material of the first security gateway. The second security gateway then takes the key for user plane data transmission with the terminal device from KEYMAT1.
In another example, the second security gateway updates the first key exchange material in the second security parameter, for example replacing it with second key exchange material, and generates the key material KEYMAT2 by formula (5):
KEYMAT2 = prf+(SK_d, g^ir(new) | Ni | Nr)      Formula (5)
where KEYMAT2 is the key material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr is the nonce generated for the second security gateway, SK_d is the key material derived from the IKE SA, and g^ir(new) is computed from KEi and KEr*, KEi being the key exchange material of the terminal device and KEr* the second key exchange material.
In yet another example, the second security gateway updates the first key exchange material in the second security parameter, for example replacing it with second key exchange material, and also updates the first nonce, for example replacing it with its own nonce, the second nonce. It then generates the key material KEYMAT3 by formula (6):
KEYMAT3 = prf+(SK_d, g^ir(new) | Ni | Nr*)      Formula (6)
where KEYMAT3 is the key material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr* is the nonce of the second security gateway, SK_d is the key material derived from the IKE SA, and g^ir(new) is computed from KEi and KEr*, KEi being the key exchange material of the terminal device and KEr* the second key exchange material.
In a further example, the second security gateway updates only the first nonce, for example replacing it with its own nonce, the second nonce, and generates the key material KEYMAT4 by formula (7):
KEYMAT4 = prf+(SK_d, g^ir | Ni | Nr*)      Formula (7)
where KEYMAT4 is the key material generated by the second security gateway, prf is a pseudo-random function, Ni is the nonce of the terminal device, Nr* is the nonce of the second security gateway, SK_d is the key material derived from the IKE SA, and g^ir is computed from KEi and KEr.
Optionally, the third security parameter may further include SAr* and/or TSr*. SAr* is the encryption algorithm updated by the second security gateway from SAr, and TSr* is obtained by the second security gateway updating TSr.
1105b: The first security gateway sends an establishment response to the terminal device, the establishment response including the third security parameter. The third security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
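The prf+ derivation behind formulas (1), (2) and (5) to (7), the slicing of KEYMAT into per-direction keys that the second security gateway performs after receiving it, and the confirm-or-update exchange of 1104b, as an added example in Python. This is illustrative code written for this page, not the patent's own implementation. It assumes PRF_HMAC_SHA2_256, 256-bit encryption and integrity keys, and a toy Diffie-Hellman group; SK_d, the nonces and the private exponents are constructed values, and the function names are assumptions. The example also makes two consequences of the design visible: whoever holds SK_d (which the first security gateway hands to the second security gateway) can derive every child SA key under that IKE SA, and the terminal device's keys agree with the second security gateway's only if the establishment response carries the KEr* and Nr* that the second security gateway actually used.

```python
import hashlib
import hmac
from typing import Optional

# Toy Diffie-Hellman group, for illustration only (assumption, not from the patent):
# prime modulus 2^255 - 19 with generator 2. A real IKEv2 peer uses the group
# negotiated in the SA payload, for example MODP-2048 or Curve25519.
DH_P = 2**255 - 19
DH_G = 2


def dh_public(priv: int) -> int:
    """KE payload value (KEi or KEr) for a private exponent."""
    return pow(DH_G, priv, DH_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^ir as a fixed-width byte string, the form in which IKEv2 feeds it to prf+."""
    return pow(peer_pub, priv, DH_P).to_bytes(32, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"",
                  enc_len: int = 32, integ_len: int = 32) -> dict:
    """KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr), split per RFC 7296 section 2.17 into
    SK_ei | SK_ai | SK_er | SK_ar (initiator-to-responder keys first).
    g_ir is empty for formula (1) (no new DH exchange) and the fresh DH secret for
    formula (2); formulas (5) to (7) are the same derivation with KEr* and/or Nr*."""
    keymat = prf_plus(sk_d, g_ir + ni + nr, 2 * (enc_len + integ_len))
    layout = (("SK_ei", enc_len), ("SK_ai", integ_len),
              ("SK_er", enc_len), ("SK_ar", integ_len))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


# Constructed inputs (not from the patent): SK_d from the IKE SA the terminal set up
# with the first gateway, the terminal's nonce and DH private exponent, and the Nr
# and KEr private exponent the first gateway generated on the second gateway's behalf.
SK_D = hashlib.sha256(b"demo SK_d from IKE_SA_INIT").digest()
NI = bytes.fromhex("0a" * 16)
KEI_PRIV = 0x123456789ABCDEF013579BDF2468ACE0
NR = bytes.fromhex("0b" * 16)
KER_PRIV = 0x0F0E0D0C0B0A09080706050403020100


def proxy_child_sa(gw2_new_ke: Optional[int] = None,
                   gw2_new_nonce: Optional[bytes] = None,
                   forward_updates: bool = True) -> dict:
    """Second implementation (1102b to 1105b): the first gateway proposes (KEr, Nr)
    to the second gateway, which confirms them (KEYMAT1) or replaces the key
    exchange material (KEYMAT2), the nonce (KEYMAT4) or both (KEYMAT3).
    Returns the keys each side derives and whether they agree. forward_updates=False
    models a first gateway that leaves the updated values out of the setup response."""
    kei = dh_public(KEI_PRIV)
    ker_priv = gw2_new_ke if gw2_new_ke is not None else KER_PRIV
    nr = gw2_new_nonce if gw2_new_nonce is not None else NR
    # Second gateway: derives from the values it finally settled on.
    gw2 = child_sa_keys(SK_D, NI, nr, dh_shared(ker_priv, kei))
    # Terminal device: derives from whatever KEr and Nr the setup response carries.
    sent_ker_priv, sent_nr = (ker_priv, nr) if forward_updates else (KER_PRIV, NR)
    term = child_sa_keys(SK_D, NI, sent_nr,
                         dh_shared(KEI_PRIV, dh_public(sent_ker_priv)))
    return {"terminal": term, "second_gateway": gw2, "agree": term == gw2}


if __name__ == "__main__":
    cases = (("confirmed", {}),
             ("KEr* only", {"gw2_new_ke": 0x5A5A}),
             ("Nr* only", {"gw2_new_nonce": bytes.fromhex("0c" * 16)}),
             ("stale response", {"gw2_new_nonce": bytes.fromhex("0c" * 16),
                                 "forward_updates": False}))
    for label, kw in cases:
        print(f"{label:15s} keys agree: {proxy_child_sa(**kw)['agree']}")
```

The "stale response" case is the failure mode to test for in an implementation of this scheme: the exchange still completes from the terminal device's point of view, and the mismatch only shows up as integrity-check failures on the first user plane packet.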
The third possible implementation is described below with reference to FIG. 11C.
1101c: See 1001; not repeated here.
1102c: The terminal device sends establishment request 1 to the first security gateway, which receives it. Establishment request 1 asks to establish a first IPsec child SA with the first security gateway.
1103c: The first security gateway sends establishment response 1 to the terminal device in reply to establishment request 1, completing establishment of the first IPsec child SA between the first security gateway and the terminal device.
1104c: The terminal device sends establishment request 2 to the first security gateway, which receives it. Establishment request 2 asks to establish a second IPsec child SA with the first security gateway. In some embodiments, establishment request 2 may include a fourth security parameter comprising the encryption algorithm of the terminal device and the key exchange material of the terminal device. The fourth security parameter may further include the packet filtering rule for user plane data transmission over the IPsec child SA. For example, SAi denotes the encryption algorithm of the terminal device, KEi its key exchange material, and TSi and TSr the packet filtering rule.
1105c: On receiving establishment request 2, the first security gateway forwards the fourth security parameter to the second security gateway.
Exemplarily, the first security gateway also sends the second security gateway its key material SK_d from the IKE SA negotiation phase.
1106c: After receiving the fourth security parameter, the second security gateway obtains a fifth security parameter matching it and sends the fifth security parameter to the first security gateway.
Exemplarily, the fifth security parameter includes KEr* and SAr*, where KEr* is the key exchange material of the second security gateway and SAr* its encryption algorithm. The fifth security parameter may also include the nonce Nr* of the second security gateway.
1107c: The first security gateway sends establishment response 2 to the terminal device, including the fifth security parameter (for example KEr*, SAr* and Nr*). Establishment response 2 may also include SAi, KEi, TSi or TSr*, where TSr* is obtained by the second security gateway updating TSr.
In this third implementation, the terminal device negotiates twice with the first security gateway. In the first negotiation, an IPsec child SA is established between the first security gateway and the terminal device. In the second negotiation, the first security gateway does not itself configure security parameters for the second security gateway; it forwards the security parameters to be negotiated from the terminal device to the second security gateway. The terminal device remains unaware of the second security gateway, yet it is in fact the terminal device and the second security gateway that negotiate and establish the IPsec child SA.
In one possible implementation, the IKE SA between the first security gateway and the terminal device may be established on the initiative of either the terminal device or the first security gateway.
In some embodiments, the first security gateway initiates IKE SA establishment towards the terminal device. The first core network element sends the address information of the terminal device to the first security gateway during a session management procedure (such as session establishment or session modification); the address information may be, for example, the IP address and/or port number of the terminal device. The first security gateway then initiates IKE SA establishment towards the terminal device using that address information.
In other embodiments, the terminal device initiates IKE SA establishment towards the first security gateway. The first core network element sends the address information of the first security gateway to the terminal device during the session management procedure, and the terminal device initiates IKE SA establishment towards the first security gateway using that address information.
In one possible implementation, once the first security gateway has established the IPsec child SA with the terminal device in place of the second security gateway, subsequent packets belonging to that IPsec child SA (uplink or downlink) should be forwarded by the second security gateway. In the embodiments of this application, after the first core network element determines that establishment of the IPsec child SA between the terminal device and the second security gateway is complete, it configures a second forwarding rule on the user plane network element, instructing the user plane network element to forward packets belonging to the IPsec child SA to the second security gateway. Before the IPsec child SA is established, when the first core network element determines the first security gateway that provides security services for the terminal device, it configures a first forwarding rule on the user plane network element, instructing it to forward the terminal device's packets to the first security gateway.
In some embodiments, the first core network element may determine the first security gateway that provides security services for the terminal device from the subscription data of the terminal device, which it may obtain from the UDM or UDR. For example, it may select the first security gateway from the subscription data according to the service identifier of the terminal device, such as a DNN or NSSAI, or any other identifier of the terminal device's service. In this embodiment, the first security gateway is selected by the first core network element.
In other embodiments, the first core network element determines the first security gateway from local configuration information, for example according to the service identifier of the terminal device (a DNN, NSSAI or the like). In this embodiment as well, the first security gateway is selected by the first core network element.
In still other embodiments, the first core network element may receive the address information of the first security gateway from a second core network element and thereby determine the first security gateway that provides security services for the terminal device. The second core network element may be, for example, a policy control network element or a mobility management network element, so in this embodiment the first security gateway is selected by the mobility management network element or the policy control network element.
The solutions provided by the embodiments of this application are described in detail below in combination with specific scenarios. In the following description, the first security gateway is called the IKE gateway and the second security gateway the IPsec gateway.
In a first possible application scenario, the first core network element selects the first security gateway for the terminal device. FIG. 12 is a schematic diagram of a possible communication network architecture. In FIG. 12, the interface between the SMF and the IKE gateway is called Nxx, and the interface between the IKE gateway and the IPsec gateway is called Nyy; other names may of course be used, and the embodiments of this application do not limit them. Note that the communication network may include one or more IKE gateways; for example, different IKE gateways may handle different services.
The communication method of the embodiments of this application is described below with reference to FIG. 12.
FIG. 13 is a schematic flowchart of a possible communication method. In FIG. 13, the SMF selects the first security gateway, and creation of the IKE SA is triggered by the terminal device.
1301: PDU session establishment procedure. Exemplarily, the following steps may take place in a session establishment procedure or a session modification procedure.
1302: The SMF determines that the current PDU session of the terminal device requires end-to-end security protection.
For example, the SMF may query the subscription data of the terminal device from the UDM and determine from the subscription data that the current PDU session requires end-to-end security protection.
1303: The SMF determines the IKE gateway from local configuration information or from the subscription data of the terminal device, which it may obtain from the UDM or UDR.
Exemplarily, the SMF obtains the address information of the IKE gateway from local configuration information or from the subscription data; the address information may include an IP address and/or a port number.
1304: The SMF performs IKE gateway authentication, for example by sending an authorization request to the IKE gateway to verify whether that gateway can provide the terminal device with security services for the service the terminal device is handling.
Exemplarily, the authorization request may include the identifier of the terminal device and a destination IP address or data network name (DNN). From the authorization request, the IKE gateway determines whether it can provide the terminal device with encryption services for the network segment corresponding to the destination IP address or DNN.
For example, the identifier of the terminal device may be a 5G globally unique temporary UE identity (5G-GUTI), a subscription permanent identifier (SUPI), a generic public subscription identifier (GPSI) or a subscription concealed identifier (SUCI).
In some embodiments, 1304 is optional: after the IKE gateway has been determined from subscription data or local configuration information, authorization with the IKE gateway may be skipped.
1305: The SMF configures a first forwarding rule on the UPF. Exemplarily, the first forwarding rule may contain the address information of the IKE gateway and instructs the UPF to forward the packets of the terminal device's PDU session to the IKE gateway.
In some embodiments, the SMF may configure the first forwarding rule on the UPF during the N4 session establishment procedure.
1306: The SMF sends the address information of the IKE gateway to the terminal device via the AMF, for the terminal device to initiate establishment of the IKE SA. For example, the SMF sends the address information of the IKE gateway to the AMF over N11, and the AMF sends it to the terminal device in a NAS message.
1307: The terminal device initiates the IKE SA establishment procedure towards the IKE gateway and completes establishment of the IKE SA with the IKE gateway.
1308: The terminal device initiates the IPsec child SA establishment procedure towards the IKE gateway, and the IKE gateway creates the IPsec child SA with the terminal device in place of the IPsec gateway. This may follow any of the first to third possible implementations above; FIG. 13 takes the second as its example. Exemplarily, the terminal device sends the IKE gateway an establishment request asking to establish an IPsec child SA with the first security gateway. The IPsec child SA may, for example, use transport mode. The responder traffic selector (TSr) carried in the establishment request is the address range of the IPsec gateway, from which the first security gateway can determine that the IPsec gateway is the one that actually needs to be selected to provide security services for the terminal device. Note that the address range of the IPsec gateway is the same as the address range of the server that provides the business service to the terminal device.
Exemplarily, the establishment request carries SAi, KEi, TSi, TSr and Ni: SAi is the encryption algorithm of the terminal device, KEi its key exchange material, TSi and TSr the packet filtering rule for transmitting user plane data over the IPsec child SA, and Ni the nonce of the terminal device.
1309:IKE网关向IPsec网关发送IPsec子SA连接的配置上下文。具体可以参见1103b, 配置上下文包括第二安全参数,此处不再赘述。图13中以第二安全参数包括SAi、SAr、KEi、KEr、TSi、TSr、Ni、Nr、SK_d为例。SK_d表示建立在IKE SA基础上派生的密钥材料,KEr表示IKE网关的第一密钥交换材料。Nr表示IKE网关的随机数。TSr表示IKE网关的密钥交换材料。1309: The IKE gateway sends the configuration context of the IPsec sub-SA connection to the IPsec gateway. For details, see 1103b, the configuration context includes the second security parameter, and details are not repeated here. In FIG. 13 , the second security parameter includes SAi, SAr, KEi, KEr, TSi, TSr, Ni, Nr, and SK_d as an example. SK_d represents the key material derived based on the IKE SA, and KEr represents the first key exchange material of the IKE gateway. Nr represents the random number of the IKE gateway. TSr represents the key exchange material for the IKE gateway.
1310:IPSec网关向IKE网关反馈子SA连接的配置情况信息,参见1104b,配置情况信息包括第三安全参数,针对第三安全参数的说明,参见1104b的描述,此处不再赘述。图13中,以第三安全参数包括KEr*和Nr*为例。应理解的是,第三安全参数还可以包括SAr*和/或TSr*,还可以包括SAi、KEi、TSi、Ni。SAr*表示IPsec网关根据SAr确认的加密算法。一些实施例中,SAr*可以与SAr相同,也可以不同。KEr*表示所述IPsec网关的密钥交换材料。1310: The IPSec gateway feeds back the configuration information of the sub-SA connection to the IKE gateway, see 1104b, the configuration information includes the third security parameter, for the description of the third security parameter, see the description of 1104b, which is not repeated here. In FIG. 13 , the third security parameter includes KEr* and Nr* as an example. It should be understood that the third security parameter may further include SAr* and/or TSr*, and may also include SAi, KEi, TSi, and Ni. SAr* represents the encryption algorithm confirmed by the IPsec gateway according to SAr. In some embodiments, SAr* may or may not be the same as SAr. KEr* represents the key exchange material of the IPsec gateway.
1311:IKE网关根据从IPSec网关收到的IPsec子SA连接的配置情况信息,向终端设备发送建立响应,其中建立响应中可以包含第三安全参数。具体参见1105b的描述,此处不再赘述。1311: The IKE gateway sends an establishment response to the terminal device according to the configuration information of the IPsec sub-SA connection received from the IPSec gateway, where the establishment response may include a third security parameter. For details, refer to the description of 1105b, which will not be repeated here.
1312:IKE网关向SMF反馈IPsec子SA连接的建立情况信息。建立情况信息可以包括TSr*。1312: The IKE gateway feeds back information on the establishment of the IPsec sub-SA connection to the SMF. The setup situation information may include TSr*.
1313:SMF向UPF配置第二转发规则。例如,第二转发规则中可以包括TSr*。第二转发规则用于指示UPF根据TSr*将属于IPsec子SA连接的数据包转发给IPSec网关。1313: The SMF configures the second forwarding rule to the UPF. For example, TSr* may be included in the second forwarding rule. The second forwarding rule is used to instruct the UPF to forward the data packets belonging to the IPsec sub-SA connection to the IPSec gateway according to TSr*.
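As an added illustration (not code from the patent), the following Python models steps 1305 to 1313 above: the terminal's child SA request (SAi, KEi, TSi, TSr, Ni) goes to the centralised IKE gateway, which selects the IPsec gateway whose address segment matches TSr, hands it the configuration context including SK_d, and relays the gateway's own KEr* and Nr* back in the establishment response, after which the UPF's second forwarding rule steers the TSr* segment to that gateway. The DH group is a toy one and all addresses are constructed; the key schedule (prf+ and the Child SA KEYMAT split) follows RFC 7296 rather than anything the patent specifies.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Toy Diffie-Hellman group, for illustration only (the 127-bit Mersenne prime).
# A real IKEv2 peer negotiates a registered group such as MODP-2048 (group 14).
DH_P = 2**127 - 1
DH_G = 3

def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, DH_P).to_bytes(16, "big")

def prf_plus(key, seed, length):
    """RFC 7296 2.13 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), HMAC-SHA256 as prf."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]

def child_keymat(sk_d, g_ir, ni, nr):
    """RFC 7296 2.17: KEYMAT = prf+(SK_d, g^ir(new) | Ni | Nr), initiator keys taken first."""
    km = prf_plus(sk_d, g_ir + ni + nr, 4 * 32)
    return {"SK_ei": km[:32], "SK_ai": km[32:64], "SK_er": km[64:96], "SK_ar": km[96:]}

class IpsecGateway:
    """Distributed second security gateway: holds user-plane child SAs, never an IKE SA."""
    def __init__(self, segment):
        self.segment = ipaddress.ip_network(segment)  # address segment this gateway protects
        self.child_sas = {}                            # Ni -> KEYMAT

    def install_child_sa(self, ctx):
        """Steps 1309-1310: consume the configuration context, return the third security parameter."""
        # Refuse a child SA whose TSr lies outside the segment this gateway actually serves.
        if not ipaddress.ip_network(ctx["TSr"]).subnet_of(self.segment):
            return None
        priv, ker_star = dh_keypair()          # KEr*: this gateway's own key exchange material
        nr_star = secrets.token_bytes(32)      # Nr*: this gateway's own nonce
        g_ir = dh_shared(priv, ctx["KEi"])
        self.child_sas[ctx["Ni"]] = child_keymat(ctx["SK_d"], g_ir, ctx["Ni"], nr_star)
        return {"KEr*": ker_star, "Nr*": nr_star, "TSr*": str(self.segment)}

class IkeGateway:
    """Centralised first security gateway: owns the IKE SAs and brokers child SAs."""
    def __init__(self, ipsec_gateways):
        self.ipsec_gateways = ipsec_gateways
        self.ike_sas = {}                      # terminal address -> SK_d of its IKE SA

    def establish_ike_sa(self, ue_addr):
        self.ike_sas[ue_addr] = secrets.token_bytes(32)  # step 1307 reduced to its outcome
        return self.ike_sas[ue_addr]

    def create_child_sa(self, ue_addr, req):
        """Steps 1308-1311: pick the IPsec gateway whose segment covers TSr, then relay."""
        target = ipaddress.ip_network(req["TSr"])
        gw = next((g for g in self.ipsec_gateways if target.subnet_of(g.segment)), None)
        # Second security parameter; SK_d crosses the Nyy interface, so that link must be protected.
        ctx = dict(req, SAr=req["SAi"], SK_d=self.ike_sas[ue_addr])
        fb = gw.install_child_sa(ctx) if gw else None
        if fb is None:
            return None, None
        # The response carries KEr*/Nr* from the IPsec gateway: without its DH private value the
        # IKE gateway cannot compute g^ir, so only the terminal and that gateway hold the SA keys.
        resp = {"SAr": ctx["SAr"], "KEr": fb["KEr*"], "Nr": fb["Nr*"], "TSr": fb["TSr*"]}
        return resp, fb["TSr*"]                # TSr* is also reported to the SMF (step 1312)

def upf_forward(rules, dst_ip):
    """UPF lookup: rules are (network or None for default, next hop); first match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for net, next_hop in rules:
        if net is None or ip in ipaddress.ip_network(net):
            return next_hop
    return None

def run_flow():
    """Drive steps 1305-1313 with constructed addresses; returns values a test can check."""
    gw1, gw2 = IpsecGateway("10.10.0.0/16"), IpsecGateway("10.20.0.0/16")  # constructed segments
    ike = IkeGateway([gw1, gw2])
    ue = "192.0.2.10"                                   # constructed terminal address
    rules = [(None, "ike-gw")]                          # first forwarding rule (step 1305)
    sk_d = ike.establish_ike_sa(ue)                     # step 1307
    xi, kei = dh_keypair()
    ni = secrets.token_bytes(32)
    req = {"SAi": "ENCR_AES_GCM_16", "KEi": kei, "TSi": ue + "/32",
           "TSr": "10.20.0.0/16", "Ni": ni}             # step 1308
    resp, tsr_star = ike.create_child_sa(ue, req)       # steps 1308-1311
    rules.insert(0, (tsr_star, "ipsec-gw-2"))           # second rule must precede the default (1313)
    ue_keymat = child_keymat(sk_d, dh_shared(xi, resp["KEr"]), ni, resp["Nr"])
    return {"ue_keymat": ue_keymat, "gw_keymat": gw2.child_sas[ni],
            "gw1_sas": len(gw1.child_sas), "rules": rules}
```

Note that the second forwarding rule is inserted ahead of the default one: if the UPF evaluated the IKE-gateway default first, child SA traffic would never reach the IPsec gateway.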
With the above solution, the terminal device does not need control plane signaling to learn of the IPsec gateway's existence; it interacts only with the centralised IKE gateway to establish IPsec child SA connections. When the IPsec gateway later changes (for example, in an MEC scenario where a ULCL is inserted), the IPsec child SA connection can be updated and re-established without additional control plane signaling overhead. Moreover, no new IKE SA connection has to be established each time the IPsec gateway changes, which reduces signaling overhead.
Exemplarily, the technical effect of the above solution is described with reference to FIG. 14. As shown in FIG. 14, the SMF selects and interacts with the IKE gateway. During establishment of the terminal device's PDU session, the SMF first notifies the terminal device of the IKE gateway's address information in a NAS message and configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's data packets to the IKE gateway. At this point, although the terminal device's PDU session has been established, the terminal device can interact only with the IKE gateway. The terminal device then initiates the IKE SA establishment procedure using the IKE gateway's address information; after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec child SA connection used to transmit user plane data. The SMF then configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of that IPsec child SA to the IPsec gateway.
With reference to FIG. 12, another possible communication method flow provided by the embodiments of the present application is described, as shown in FIG. 15. In FIG. 15, the SMF selects the first security gateway, and creation of the IKE SA is triggered by the IKE gateway toward the terminal device, as examples.
1501-1505: see 1301-1305; not repeated here.
1506: The SMF sends the address information of the terminal device to the IKE gateway, so that the IKE gateway can initiate establishment of the IKE SA connection. For example, the SMF may send an SA establishment request message to the IKE gateway, where the SA establishment request message includes the address information of the terminal device.
1507: The IKE gateway initiates the IKE SA establishment procedure toward the terminal device and completes establishment of the IKE SA connection between the IKE gateway and the terminal device.
1508: The terminal device initiates the IPsec child SA establishment procedure toward the IKE gateway. The IKE gateway then creates the IPsec child SA connection with the terminal device on behalf of the IPsec gateway. This can be implemented with any of the first to third possible implementations described above; FIG. 15 uses the second as an example.
1509-1513: see 1309-1313; not repeated here.
With the above solution, compared with that of FIG. 13, the SMF notifies the IKE gateway of the terminal device's address information, so there is no additional signaling overhead for the terminal device. In addition, the terminal device does not need control plane signaling to learn of the IPsec gateway's existence: establishing the IPsec SA involves interaction only with the centralised IKE gateway, and when the IPsec gateway later changes (for example, in an MEC scenario where a ULCL is inserted), the IPsec child SA connection can be updated and re-established without additional control plane signaling overhead. Moreover, no new IKE SA connection has to be established each time the IPsec gateway changes, which reduces signaling overhead.
Exemplarily, the technical effect of the above solution is described with reference to FIG. 16. As shown in FIG. 16, the SMF selects and interacts with the IKE gateway. During establishment of the terminal device's PDU session, the SMF notifies the IKE gateway of the terminal device's address information and configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's data packets to the IKE gateway. At this point, although the terminal device's PDU session has been established, the terminal device can interact only with the IKE gateway. The terminal device then initiates the IKE SA establishment procedure using the IKE gateway's address information; after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec child SA connection used to transmit user plane data. The SMF then configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of that IPsec child SA to the IPsec gateway.
In the second possible application scenario, the mobility management network element selects the first security gateway for the terminal device, as an example. FIG. 17 is a schematic diagram of a possible communication network architecture, with the AMF in a 5G communication network as the mobility management network element. In FIG. 17, the interface deployed between the AMF and the IKE gateway is called Nxx and the interface deployed between the IKE gateway and the IPsec gateway is called Nyy, as examples; the interfaces may of course have other names, which the embodiments of the present application do not specifically limit. Note that the communication network may include one or more IKE gateways; for example, different IKE gateways may handle different services.
The communication method flow of the embodiments of the present application is described below with reference to FIG. 17.
FIG. 18 is a schematic flowchart of a possible communication method. In FIG. 18, the AMF selects the first security gateway for the terminal device and then notifies the SMF, and creation of the IKE SA is triggered by the terminal device, as examples. As an example, during the terminal device's registration procedure the AMF selects and configures the IKE gateway and sends the IKE gateway's address information to the terminal device. When the terminal device's PDU session is established, the AMF first sends the IKE gateway's address information to the SMF, the SMF notifies the terminal device, and the terminal device then initiates IKE SA establishment with the IKE gateway.
1801: Registration procedure of the terminal device.
1802: The AMF determines that the terminal device's current PDU session requires end-to-end security protection. For example, the AMF may query the UDM for the terminal device's subscription information and determine from that subscription information that the current PDU session requires end-to-end security protection.
1803: The AMF determines the IKE gateway from local configuration information or from the terminal device's subscription data.
For example, the AMF may obtain the terminal device's subscription data from the UDM or the UDR, and may select the first security gateway for the terminal device from that subscription data according to the terminal device's service identifier. The service identifier may be a DNN, an NSSAI, or another identifier that identifies the terminal device's service. In this embodiment, the first security gateway that provides security services to the terminal device is selected by the AMF; for example, different service identifiers in the terminal device's subscription data correspond to different IKE gateways.
As another example, the AMF determines the IKE gateway that provides security services to the terminal device from local configuration information, for instance according to the terminal device's service identifier (a DNN, an NSSAI, or the like). For example, different service identifiers in the local configuration information correspond to different IKE gateways.
Exemplarily, the AMF obtains the IKE gateway's address information from the local configuration information or from the terminal device's subscription data. The address information may include an IP address and/or a port number.
1804: The AMF sends an authorization request to the IKE gateway to verify whether the IKE gateway can provide the terminal device with security services for the service the terminal device is handling.
Exemplarily, the authorization request may include the identifier of the terminal device and a destination IP address or a data network name (DNN). Based on the authorization request, the IKE gateway determines whether it can provide the terminal device with encryption service for the network segment corresponding to the destination IP address or DNN.
In some embodiments, 1804 is an optional step: once the IKE gateway has been determined from the subscription data or local configuration information, no authorization request need be sent to it.
1805: The AMF sends the IKE gateway's address information to the terminal device.
1806: PDU session establishment procedure. Exemplarily, steps 1807-1815 below belong to the PDU session establishment procedure.
1807: The AMF sends the IKE gateway's address information to the SMF.
1808: see 1305; not repeated here.
1809: see 1307; not repeated here.
1810: The terminal device initiates the IPsec child SA establishment procedure toward the IKE gateway. The IKE gateway then creates the IPsec child SA connection with the terminal device on behalf of the IPsec gateway. This can be implemented with any of the first to third possible implementations described above; FIG. 15 uses the second as an example.
1811-1815: see 1309-1313; not repeated here.
With the above solution, the terminal device does not need control plane signaling to learn of the IPsec gateway's existence; establishing the IKE SA and the IPsec child SA involves interaction only with the centralised IKE gateway, and when the IPsec gateway later changes, the IPsec gateway's child SA can be updated and re-established without additional control plane signaling overhead. In this solution the IKE gateway is managed and allocated by the AMF: during the terminal device's registration procedure the AMF selects an IKE gateway for the terminal device, and during the terminal device's PDU management procedure it notifies the SMF and the UE of the IKE gateway's address information. As a possible implementation, the AMF may instead notify the IKE gateway of the terminal device's address information during the terminal device's PDU management procedure, and the IKE gateway then triggers creation of the IKE SA connection.
Exemplarily, the technical effect of the above solution is described with reference to FIG. 19. As shown in FIG. 19, the AMF selects and interacts with the IKE gateway on behalf of the terminal device. During the terminal device's registration procedure the AMF first selects an IKE gateway for the terminal device, and during establishment of the terminal device's PDU session the AMF notifies the terminal device and the SMF of the IKE gateway's address information. The SMF configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's data packets to the IKE gateway. At this point, although the terminal device's PDU session has been established, the terminal device can interact only with the IKE gateway. The terminal device initiates the IKE SA establishment procedure using the IKE gateway's address information; after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec child SA connection used to transmit user plane data. The SMF then configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of that IPsec child SA to the IPsec gateway.
In the third possible application scenario, the policy control network element configures the IKE gateway's address information for the terminal device, as an example. FIG. 20 is a schematic diagram of a possible communication network architecture, with the PCF in a 5G communication network as the policy control network element. In FIG. 20, the interface deployed between the PCF and the IKE gateway is called Nxx and the interface deployed between the IKE gateway and the IPsec gateway is called Nyy, as examples; the interfaces may of course have other names, which the embodiments of the present application do not specifically limit. Note that the communication network may include one or more IKE gateways; for example, different IKE gateways may handle different services.
The communication method flow of the embodiments of the present application is described below with reference to FIG. 20.
FIG. 21 is a schematic flowchart of a possible communication method. In FIG. 20, the PCF configures for the terminal device the IKE gateways corresponding to different services, and creation of the IKE SA is triggered by the terminal device, as examples. As an example, during the terminal device's registration procedure the PCF configures the IKE gateway on the terminal device. When the terminal device's PDU session is established, the terminal device first sends the IKE gateway's address information to the SMF, the SMF configures the first forwarding rule, and the terminal device initiates IKE SA establishment with the IKE gateway.
2101: Registration procedure of the terminal device.
2102: The PCF configures on the terminal device the address information of the IKE gateways serving the terminal device's different services. For example, the PCF configures a security policy on the terminal device, and the security policy includes the address information of the IKE gateways for the different services. The security policy may also include the security levels of different network slices, sessions or data networks; for example, different security levels may correspond to different IKE gateways. Exemplarily, the PCF may configure the address information of the IKE gateways serving the terminal device's different services on the terminal device in a user configuration update procedure. The terminal device's different services may be indicated by DNN, for example. The PCF may carry the security policy in the user equipment routing selection policy (URSP) configured on the terminal device, i.e. the PCF may carry the address information of the IKE gateway corresponding to each DNN in the URSP configured on the terminal device.
2103: PDU session establishment procedure of the terminal device. Exemplarily, steps 2104-2114 below may be included in the PDU session establishment procedure.
2104: The terminal device sends a PDU session establishment request to the AMF; the PDU session establishment request includes the IKE gateway's address information.
2105: The AMF forwards the PDU session establishment request to the SMF. Exemplarily, the AMF may forward the PDU session establishment request to the SMF in an SMF service-based interface message, for example Nsmf_PDUSession_CreatSMContext Response.
2106-2107: see 1304-1305; not repeated here.
2108-2114: see 1307-1313; not repeated here.
In the above solution, when configuring the URSP the PCF sends the terminal device the address information of the IKE gateways that can serve it, so that the terminal device can select an IKE gateway according to its current service. The terminal device does not need control plane signaling to learn of the IPsec gateway's existence; it interacts only with the centralised IKE gateway to establish the IPsec SA connection. When the IPsec gateway later changes, the IPsec child SA connection can be updated and re-established without additional control plane signaling overhead. Moreover, no new IKE SA connection has to be established each time the IPsec gateway changes, which reduces signaling overhead.
Exemplarily, the technical effect of the above solution is described with reference to FIG. 22. As shown in FIG. 22, the PCF configures on the terminal device, in URSP rules, the IKE gateways that can serve it. During PDU session establishment, the terminal device selects one IKE gateway from those configured by the PCF according to the service it is currently handling and notifies the SMF of that gateway's address information. The SMF then configures the first forwarding rule on the UPF, instructing the UPF to forward the terminal device's data packets to the IKE gateway. At this point, although the terminal device's PDU session has been established, the terminal device can interact only with the IKE gateway. The terminal device initiates the IKE SA establishment procedure using the IKE gateway's address information; after the IKE SA connection with the IKE gateway is established, the IKE gateway selects an IPsec gateway for the terminal device and, on behalf of the IPsec gateway, establishes with the terminal device the IPsec child SA connection used to transmit user plane data. The SMF then configures the second forwarding rule on the UPF, instructing the UPF to forward all data packets of that IPsec child SA to the IPsec gateway.
The beneficial effects of the embodiments of the present application are described below with reference to a specific application scenario. As shown in FIG. 23, the IKE gateway is deployed centrally; it establishes IKE SAs with terminal devices and is responsible for managing key generation and distribution. The IPsec gateways used for user plane data transmission are deployed in a distributed manner; they establish user-plane child SAs with terminal devices and perform encryption and integrity protection of the data. The child SAs of the distributed IPsec gateways are established on their behalf by the centralised IKE gateway, which also configures their local configuration context and forwarding rules. In the embodiments of the present application, the IPsec child SA connection may be established in transport mode: the centralised IKE gateway may establish a transport-mode IPsec child SA for a distributed IPsec gateway, and all data packets belonging to that child SA are forwarded through that IPsec gateway. In the embodiments of the present application, the forwarding rule for the IPsec child SA and the child SA's configuration context on the IPsec gateway may be configured at session establishment. The UE establishes IKE SA1 with the centralised IKE gateway; when the terminal device needs to carry out a service through IPsec gateway 2, it interacts with the IKE gateway to establish IPsec SA2 for communication with IPsec gateway 2, and the IKE gateway configures IPsec gateway 2 by providing it with the configuration context of IPsec SA2. The solution provided by the embodiments of the present application thus effectively solves the problem of application server switching for the terminal device: while the IPsec gateway is switched, the terminal device is unaware of the IPsec gateway and does not need to establish an IKE SA with it.
The apparatus used in the embodiments of this application to implement the above method is described below with reference to the accompanying drawings. Therefore, all of the above content can be used in the subsequent embodiments, and repeated content is not described again.
FIG. 24 is a possible exemplary block diagram of a communication apparatus according to this application. The communication apparatus 2400 can correspondingly implement the functions or steps performed by the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device in the method embodiments above. The communication apparatus may include a transceiver module 2401 and a processing module 2402. Optionally, it may further include a storage module, which may be used to store instructions (code or programs) and/or data. The transceiver module 2401 and the processing module 2402 may be coupled to the storage module; for example, the processing module 2402 may read the instructions (code or programs) and/or data in the storage module to implement the corresponding method. Each of the above modules may be provided independently, or some or all of them may be integrated. Optionally, the transceiver module 2401 may include a sending module and a receiving module, where the sending module is configured to perform sending operations and the receiving module is configured to perform receiving operations.
It should be understood that the processing module 2402 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like. The transceiver module 2401 is an interface circuit of the apparatus for receiving signals from other apparatuses. For example, when the apparatus is implemented as a chip, the transceiver module 2401 is the interface circuit used by the chip to receive signals from other chips or apparatuses, or the interface circuit used by the chip to send signals to other chips or apparatuses.
The communication apparatus 2400 may be the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device in the above embodiments, or may be a chip used in the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device. For example, when the communication apparatus 2400 is the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device, the processing module 2402 may be, for example, a processor, and the transceiver module 2401 may be, for example, a transceiver. Optionally, the transceiver may include a radio frequency circuit or an input/output interface, and the storage unit may be, for example, a memory. For example, when the communication apparatus 2400 is a chip used in the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device, the processing module 2402 may be, for example, a processor, and the transceiver module 2401 may be, for example, an input/output interface, a pin or a circuit. The processing module 2402 may execute the computer-executable instructions stored in the storage unit. Optionally, the storage unit is a storage unit within the chip, such as a register or a cache; the storage unit may also be a storage unit located outside the chip within the first security gateway (or IKE gateway), the second security gateway (IPsec gateway), the first core network element, the policy control network element or the terminal device, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM), and so on.
In some possible implementations, the communication apparatus 2400 can correspondingly implement the behaviors and functions of the first security gateway (or IKE gateway) in the method embodiments above. For example, the communication apparatus 2400 may be the first security gateway (or IKE gateway), or may be a component (for example a chip or a circuit) used in the first security gateway (or IKE gateway). The transceiver module 2401 may be used to support communication between the first security gateway (or IKE gateway) and other network entities, for example communication between the first security gateway (or IKE gateway) and the second security gateway, the terminal device, the AMF, the SMF and so on shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21. The processing module 2402 is used to control and manage the actions of the first security gateway (or IKE gateway); for example, the processing module 2402 is used to support the first security gateway (or IKE gateway) in performing the operations, other than sending and receiving, of the first security gateway (or IKE gateway) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
In some embodiments, the processing module 2402 is configured to establish an Internet Key Exchange (IKE) security association (SA) connection with the terminal device through the transceiver module 2401; the processing module 2402 is further configured to, when it is determined that the terminal device needs to perform secure transmission of user-plane data through a second security gateway, establish an Internet Protocol Security (IPsec) child SA connection for the second security gateway, where the IPsec child SA connection is used for secure transmission of user-plane data between the second security gateway and the terminal device.
In other possible implementations, the communication apparatus 2400 can correspondingly implement the behaviors and functions of the first core network element (or SMF) in the method embodiments above. For example, the communication apparatus 2400 may be the first core network element (or SMF), or may be a component (for example a chip or a circuit) used in the first core network element (or SMF). The transceiver module 2401 may be used to support communication between the first core network element (or SMF) and other network entities, for example communication between the first core network element (or SMF) and the AMF, the UPF, the first security gateway (IKE gateway), the terminal device and so on shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21. The processing module 2402 is used to control and manage the actions of the first core network element (or SMF); for example, the processing module 2402 is used to support the first core network element (or SMF) in performing the operations, other than sending and receiving, of the first core network element (or SMF) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
In some embodiments, the processing module 2402 is configured to determine a first security gateway that provides a security service for the terminal device, where the first security gateway is used to establish an IKE SA connection with the terminal device; the transceiver module 2401 is configured to configure a first forwarding rule on the user-plane network element, where the first forwarding rule instructs the user-plane network element to forward packets belonging to the IKE SA connection to the first security gateway; and the transceiver module 2401 is further configured to, after the processing module determines that establishment of an IPsec child SA connection between the terminal device and a second security gateway is complete, configure a second forwarding rule on the user-plane network element, where the second forwarding rule instructs the user-plane network element to forward packets belonging to the IPsec child SA connection to the second security gateway.
In still other possible implementations, the communication apparatus 2400 can correspondingly implement the behaviors and functions of the second security gateway (IPsec gateway) in the method embodiments above. For example, the communication apparatus 2400 may be the second security gateway (IPsec gateway), or may be a component (for example a chip or a circuit) used in the second security gateway (IPsec gateway). The transceiver module 2401 may be used to support communication between the second security gateway (IPsec gateway) and other network entities, for example communication between the second security gateway (IPsec gateway) and the first security gateway, the UPF, the terminal device and so on shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21. The processing module 2402 is used to control and manage the actions of the second security gateway (IPsec gateway); for example, the processing module 2402 is used to support the second security gateway (IPsec gateway) in performing the operations, other than sending and receiving, of the second security gateway (IPsec gateway) in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
In still other possible implementations, the communication apparatus 2400 can correspondingly implement the behaviors and functions of the terminal device in the method embodiments above. For example, the communication apparatus 2400 may be the terminal device, or may be a component (for example a chip or a circuit) used in the terminal device. The transceiver module 2401 may be used to support communication between the terminal device and other network entities, for example communication between the terminal device and the AMF, the first security gateway, the user-plane network element and so on shown in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21. The processing module 2402 is used to control and manage the actions of the terminal device; for example, the processing module 2402 is used to support the terminal device in performing all operations, other than sending and receiving, of the terminal device in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
FIG. 25 shows a communication apparatus 2500 provided in an embodiment of this application. The communication apparatus 2500 may be the first security gateway (IKE gateway) and can implement the functions of the first security gateway (IKE gateway) in the methods provided in the embodiments of this application; or the communication apparatus 2500 may be the first core network element (SMF) and can implement the functions of the first core network element (SMF) in those methods; or the communication apparatus 2500 may be the second security gateway (IPsec gateway) and can implement the functions of the second security gateway (IPsec gateway) in those methods; or the communication apparatus 2500 may be the terminal device and can implement the functions of the terminal device in those methods; or the communication apparatus 2500 may be an apparatus capable of supporting the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in implementing the corresponding functions in the methods provided in the embodiments of this application. The communication apparatus 2500 may be a chip system. In the embodiments of this application, a chip system may consist of chips, or may include chips and other discrete devices.
In terms of hardware implementation, the transceiver module 2401 above may be a transceiver, which is integrated in the communication apparatus 2500 to form a communication interface 2503.
The communication apparatus 2500 includes at least one processor 2502. The processor 2502 may be a CPU, a microprocessor, an ASIC, or one or more integrated circuits for controlling execution of the programs of the solution of this application, and is used to implement, or to support the communication apparatus 2500 in implementing, the functions of the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in the methods provided in the embodiments of this application. For details, refer to the detailed description in the method examples, which is not repeated here.
The communication apparatus 2500 may further include at least one memory 2501 for storing program instructions and/or data. The memory 2501 is coupled to the processor 2502. Coupling in the embodiments of this application is an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form and is used for information exchange between the apparatuses, units or modules. The processor 2502 may operate in cooperation with the memory 2501. The processor 2502 may execute the program instructions and/or data stored in the memory 2501, so that the communication apparatus 2500 implements the corresponding method. At least one of the at least one memory may be included in the processor 2502.
The communication apparatus 2500 may further include a communication interface 2503, which uses any transceiver-like apparatus to communicate with other devices or communication networks, such as an Ethernet, a radio access network (RAN), a wireless local area network (WLAN) or a wired access network. The communication interface 2503 is used to communicate with other devices through a transmission medium, so that the apparatus in the communication apparatus 2500 can communicate with other devices. The processor 2502 may send and receive data through the communication interface 2503. The communication interface 2503 may specifically be a transceiver.
The specific connection medium between the communication interface 2503, the processor 2502 and the memory 2501 is not limited in the embodiments of this application. In FIG. 25, the memory 2501, the processor 2502 and the communication interface 2503 are connected by a bus 2504, which is represented by a thick line in FIG. 25; the manner of connection between the other components is only illustrative and is not limiting. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 25, but this does not mean that there is only one bus or only one type of bus.
In the embodiments of this application, the processor 2502 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 2501 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including a compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc and the like), a magnetic disk storage medium or another magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor through the communication line 2504. The memory may also be integrated with the processor.
The memory 2501 is used to store the computer-executable instructions for executing the solution of this application, and their execution is controlled by the processor 2502. The processor 2502 is used to execute the computer-executable instructions stored in the memory 2501, thereby implementing the service management method provided in the above embodiments of this application.
Optionally, the computer-executable instructions in the embodiments of this application may also be referred to as application program code, which is not specifically limited in the embodiments of this application.
An embodiment of this application further provides a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform the method performed by the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
An embodiment of this application further provides a computer program product including instructions which, when run on a computer, cause the computer to perform the method performed by the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21.
An embodiment of this application provides a chip system. The chip system includes a processor and may further include a memory, and is used to implement the functions of the first security gateway (IKE gateway), the first core network element (SMF), the second security gateway (IPsec gateway) or the terminal device in FIG. 10, FIG. 11A, FIG. 11B, FIG. 11C, FIG. 13, FIG. 15, FIG. 18 and FIG. 21. The chip system may consist of chips, or may include chips and other discrete devices.
A person of ordinary skill in the art can understand that the numerals such as "first" and "second" used in this application are merely distinctions made for convenience of description; they are not intended to limit the scope of the embodiments of this application, nor do they indicate a sequence. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone. The character "/" generally indicates an "or" relationship between the associated objects. "At least one" means one or more. "At least two" means two or more. "At least one", "any one" or similar expressions refer to any combination of the items, including any combination of a single item or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c or a-b-c, where a, b and c may each be single or multiple. "A plurality" means two or more, and other quantifiers are similar. In addition, elements that appear in the singular forms "a", "an" and "the" do not mean "one or only one" unless the context clearly dictates otherwise, but rather "one or more than one". For example, "a device" means one or more such devices.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless (for example infrared, radio or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), a semiconductor medium (for example a solid state disk (SSD)), and the like.
The various illustrative logical units and circuits described in the embodiments of this application may be implemented or operated, to perform the described functions, by a general-purpose processor, a digital signal processor, an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of the above. The general-purpose processor may be a microprocessor; optionally, the general-purpose processor may also be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented by a combination of computing apparatuses, for example a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of this application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, a register, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. For example, the storage medium may be connected to the processor so that the processor can read information from the storage medium and write information to the storage medium. Optionally, the storage medium may also be integrated into the processor. The processor and the storage medium may be provided in an ASIC.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although this application has been described in conjunction with specific features and embodiments thereof, it is apparent that various modifications and combinations may be made without departing from the spirit and scope of this application. Accordingly, this specification and the accompanying drawings are merely exemplary illustrations of this application as defined by the appended claims, and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application. Obviously, a person skilled in the art can make various changes and modifications to this application without departing from its scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include them.

Claims (20)

  1. A communication method, characterized by comprising:
    establishing, by a first security gateway, an Internet Key Exchange (IKE) security association (SA) connection with a terminal device;
    when determining that the terminal device needs to perform secure transmission of user plane data through a second security gateway, establishing, by the first security gateway, an Internet Protocol Security (IPsec) sub-SA connection for the second security gateway, where the IPsec sub-SA connection is used for secure transmission of user plane data between the second security gateway and the terminal device.
  2. The method according to claim 1, wherein establishing the IPsec sub-SA connection for the second security gateway comprises:
    negotiating the IPsec sub-SA connection between the first security gateway and the terminal device to obtain a first security parameter;
    configuring, by the first security gateway, the first security parameter to the second security gateway;
    where the first security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  3. The method according to claim 2, wherein the first security parameter comprises material for generating a key for user plane data transmission with the terminal device.
  4. The method according to claim 3, wherein the material for generating a key for user plane data transmission with the terminal device comprises one or more of the following:
    key material generated by the first security gateway, key exchange material of the terminal device, key exchange material configured for the second security gateway, a random number of the terminal device, or a random number generated for the second security gateway.
  5. The method according to claim 3 or 4, wherein the first security parameter further comprises one or more of the following:
    an encryption algorithm of the terminal device, an encryption algorithm allocated for the second security gateway, or a packet filtering rule used for user plane data transmission between the terminal device and the second security gateway.
  6. The method according to claim 1, wherein establishing, by the first security gateway, the IPsec sub-SA for the second security gateway comprises:
    receiving, by the first security gateway, an establishment request initiated by the terminal device, where the establishment request is used to request establishment of an IPsec sub-SA connection with the second security gateway;
    sending, by the first security gateway, a configuration context of the IPsec sub-SA connection to the second security gateway, where the configuration context includes a second security parameter configured for the second security gateway for establishing the IPsec sub-SA connection with the terminal device;
    receiving, by the first security gateway, a third security parameter from the second security gateway, where the third security parameter is obtained by the second security gateway updating or confirming the second security parameter;
    sending, by the first security gateway, an establishment response to the terminal device, where the establishment response includes the third security parameter;
    where the third security parameter is used for secure transmission of user plane data between the second security gateway and the terminal device.
  7. The method according to claim 6, wherein the second security parameter comprises material for the second security gateway to generate a key for user plane data transmission with the terminal device.
  8. The method according to claim 7, wherein the material for generating a key for user plane data transmission with the terminal device comprises one or more of the following:
    key material generated by the first security gateway, key exchange material of the terminal device, first key exchange material of the first security gateway, a first random number used by the terminal device, or a second random number used by the first security gateway.
  9. The method according to claim 8, wherein the third security parameter comprises one or more of the following:
    second key exchange material that updates the first key exchange material, or a third random number that updates the first random number.
  10. The method according to claim 8 or 9, wherein the second security parameter further comprises one or more of the following:
    an encryption algorithm of the terminal device, an encryption algorithm allocated for the second security gateway, or a first packet filtering rule used for user plane data transmission between the terminal device and the second security gateway.
  11. The method according to claim 10, wherein the third security parameter further comprises a second packet filtering rule that updates the first packet filtering rule.
  12. The method according to claim 10 or 11, wherein the third security parameter further comprises an encryption algorithm selected by the second security gateway.
  13. A communication method, characterized by comprising:
    determining, by a first core network element, a first security gateway that provides a security service for a terminal device, where the first security gateway is configured to establish an IKE SA connection with the terminal device;
    configuring, by the first core network element, a first forwarding rule to a user plane network element, where the first forwarding rule is used to instruct the user plane network element to forward data packets belonging to the IKE SA connection to the first security gateway;
    after determining that establishment of an IPsec sub-SA connection between the terminal device and a second security gateway is completed, configuring, by the first core network element, a second forwarding rule to the user plane network element, where the second forwarding rule is used to instruct the user plane network element to forward data packets belonging to the IPsec sub-SA connection to the second security gateway.
  14. The method according to claim 13, wherein determining, by the first core network element, the first security gateway that provides the security service for the terminal device comprises:
    determining, by the first core network element, the first security gateway that provides the security service for the terminal device according to subscription data of the terminal device; or
    determining, by the first core network element, the first security gateway that provides the security service for the terminal device according to local configuration information; or
    receiving, by the first core network element, address information of the first security gateway from a second core network element, and determining, according to the address information of the first security gateway, the first security gateway that provides the security service for the terminal device; or
    receiving, by the first core network element, address information of the first security gateway from the terminal device, where the first security gateway is one of at least one security gateway configured for the terminal device by a policy control network element.
  15. The method according to claim 14, wherein the first core network element is a session management network element, and the second core network element is a mobility management network element.
  16. The method according to any one of claims 13 to 15, wherein the method further comprises:
    sending, by the first core network element, the address information of the determined first security gateway to the terminal device, where the address information of the first security gateway is used by the terminal device to trigger establishment of the IKE SA connection.
  17. The method according to any one of claims 13 to 15, wherein the method further comprises:
    sending, by the first core network element, address information of the terminal device to the first security gateway, where the address information of the terminal device is used by the first security gateway to trigger establishment of the IKE SA connection.
  18. A communication apparatus, characterized by comprising modules for performing the method according to any one of claims 1 to 12 or 13 to 17.
  19. A communication apparatus, characterized by comprising a processor and an interface circuit, where the interface circuit is configured to receive signals from communication apparatuses other than the communication apparatus and transmit them to the processor, or to send signals from the processor to communication apparatuses other than the communication apparatus, and the processor is configured to implement the method according to any one of claims 1 to 12 or 13 to 17 by means of a logic circuit or by executing code instructions.
  20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when executed, cause the method according to any one of claims 1 to 12 or 13 to 17 to be performed.
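Read together, claims 1 to 5 (the first security gateway negotiates the sub-SA with the terminal and configures the resulting security parameter to the second gateway) and claim 13 (a core network element steers IKE SA packets to the first gateway and, once the sub-SA exists, its packets to the second) describe a single handoff. The Python model below is an added example and not code from the patent or from Huawei. Key derivation follows the IKEv2 prf+ construction over SK_d and the two nonces from RFC 7296; the class names, the SPI and nonce values, the 32-byte per-direction key length, the traffic selector string and the gateway labels are constructed assumptions for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def prf_plus(key, seed, length):
    """RFC 7296 prf+ with HMAC-SHA-256: T1 = prf(K, S|1), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out, n = out + prev, n + 1
    return out[:length]

def child_sa_keys(sk_d, ni, nr, dh_secret=b""):
    """KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr), RFC 7296 s2.17: terminal->gateway key
    first, gateway->terminal second (one 32-byte AEAD key per direction assumed)."""
    keymat = prf_plus(sk_d, dh_secret + ni + nr, 64)
    return keymat[:32], keymat[32:]

@dataclass(frozen=True)
class ChildSaContext:
    """The 'first security parameter' handed from the first gateway to the second."""
    spi_to_gw: int          # SPI on packets from the terminal to the gateway
    spi_to_terminal: int
    enc_alg: str            # encryption algorithm allocated for the second gateway
    key_to_gw: bytes
    key_to_terminal: bytes
    traffic_selector: str   # packet filtering rule for this sub-SA

class FirstSecurityGateway:
    """Holds the IKE SA; the terminal is the IKE initiator (assumed)."""
    def __init__(self, sk_d):
        self.sk_d = sk_d    # SK_d of the established IKE SA (constructed value)

    def negotiate_child_sa_for(self, second_gw, ni, spi_term, enc_alg, selector,
                               nr=None, spi_gw=None):
        """Answer the terminal's CREATE_CHILD_SA on the second gateway's behalf:
        pick its nonce and SPI, derive the keys, configure the context to it, and
        return the values echoed back to the terminal."""
        nr = os.urandom(32) if nr is None else nr
        spi_gw = int.from_bytes(os.urandom(4), "big") if spi_gw is None else spi_gw
        k_to_gw, k_to_term = child_sa_keys(self.sk_d, ni, nr)
        ctx = ChildSaContext(spi_term, spi_gw, enc_alg, k_to_gw, k_to_term, selector)
        second_gw.install(ctx)   # this link carries live keys: protect it in deployment
        return {"nr": nr, "spi": spi_gw, "enc_alg": enc_alg, "selector": selector}

class SecondSecurityGateway:
    """Never ran IKE; it only receives configured sub-SA contexts."""
    def __init__(self):
        self.sas = {}       # inbound SPI -> ChildSaContext

    def install(self, ctx):
        self.sas[ctx.spi_to_gw] = ctx

@dataclass
class Packet:
    proto: str              # "udp" for IKE, "esp" for the sub-SA
    dport: int = 0
    spi: int = 0

class UserPlaneFunction:
    def __init__(self):
        self.rules = []     # (name, predicate, target gateway); first match wins

    def forward(self, pkt):
        return next((t for _, m, t in self.rules if m(pkt)), "drop")

class SessionManagementFunction:
    """Claim 13: IKE traffic to gateway 1; after the sub-SA is up, its ESP traffic
    (selected by SPI) to gateway 2. IKE on UDP 500 only; NAT traversal omitted."""
    def configure_ike_rule(self, upf, gw1):
        upf.rules.append(("ike", lambda p: p.proto == "udp" and p.dport == 500, gw1))

    def configure_child_rule(self, upf, ctx, gw2):
        spi = ctx.spi_to_gw
        upf.rules.append((f"esp-{spi:#x}", lambda p: p.proto == "esp" and p.spi == spi, gw2))

def run_handoff(sk_d=b"\x11" * 32, ni=b"\x22" * 32, nr=b"\x33" * 32,
                spi_term=0x1001, spi_gw=0x2002):
    """Drive the flow with constructed values and report what a tester checks."""
    gw1, gw2 = FirstSecurityGateway(sk_d), SecondSecurityGateway()
    upf, smf = UserPlaneFunction(), SessionManagementFunction()
    smf.configure_ike_rule(upf, "gw1")                   # first forwarding rule
    resp = gw1.negotiate_child_sa_for(gw2, ni, spi_term, "aes-256-gcm",
                                      "10.0.0.0/24 -> app-server", nr=nr, spi_gw=spi_gw)
    ue_keys = child_sa_keys(sk_d, ni, resp["nr"])        # terminal side, plain IKEv2
    ctx = gw2.sas[spi_term]
    smf.configure_child_rule(upf, ctx, "gw2")            # second forwarding rule
    return {
        "keys_match": ue_keys == (ctx.key_to_gw, ctx.key_to_terminal),
        "ike_to": upf.forward(Packet("udp", dport=500)),
        "child_to": upf.forward(Packet("esp", spi=spi_term)),
        "unknown_spi": upf.forward(Packet("esp", spi=0x9999)),
    }
```

Calling run_handoff() shows the point of the scheme: the second gateway took no part in the IKE exchange, yet it holds the same sub-SA keys that the terminal derives on its own from SK_d and the nonces, and the user plane can start steering that SA's packets to it by SPI as soon as the context is installed, while IKE traffic keeps going to the first gateway. The context transfer is a plain method call here; in a deployment that link carries live keys and must have its own protected channel, and packets with an SPI no rule knows are dropped rather than delivered to either gateway.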

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/078325 WO2022178888A1 (en) 2021-02-27 2021-02-27 Communication method and apparatus

Publications (1)

Publication Number Publication Date
WO2022178888A1 (en) 2022-09-01

Family

ID=83047675

Country Status (1)

Country Link
WO (1) WO2022178888A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227494A (en) * 2008-01-09 2008-07-23 中兴通讯股份有限公司 Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network
CN107615825A (en) * 2015-05-28 2018-01-19 瑞典爱立信有限公司 Multiple PDN connections in insincere WLAN accesses
CN109428852A (en) * 2017-07-18 2019-03-05 中兴通讯股份有限公司 Communication tunnel end-point addresses separation method, terminal, ePDG and storage medium
WO2019186504A1 (en) * 2018-03-29 2019-10-03 Telefonaktiebolaget Lm Ericsson (Publ) Methods for support of user plane separation and user plane local offloading for 5g non-3gpp access

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 21927323; country of ref document: EP; kind code of ref document: A1)