WO2022206462A1 - Signaling message processing method, apparatus, and system - Google Patents

Info

Publication number
WO2022206462A1
Authority
WO
WIPO (PCT)
Prior art keywords
security gateway
border security
sepp
border
information list
Application number
PCT/CN2022/082102
Other languages
French (fr)
Chinese (zh)
Inventor
邵国强
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2022206462A1 publication Critical patent/WO2022206462A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/16 Discovering, processing access restriction or access information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W28/00 Network traffic management; Network resource management
    • H04W28/02 Traffic management, e.g. flow control or congestion control
    • H04W28/08 Load balancing or load distribution

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a signaling message processing method, system, and device.
  • the 3rd generation partnership project (3GPP) defines a security and edge protection proxy (SEPP) device as the edge security gateway of the 5th generation core network (5GC).
  • SEPP acts as a proxy device for docking between operator networks; the signaling interaction between the network function (NF) network element and the roaming partner (RP) is realized through the interaction between the initiating SEPP and the responding SEPP.
  • the initiating SEPP and the responding SEPP are connected by the N32 interface.
  • the initiating SEPP and the responding SEPP need to negotiate the shared secret key and encryption algorithm through the handshake process.
  • the signaling interaction is performed according to the N32 forwarding interface (N32-f) context.
  • only one N32-f context is generated for multiple SEPPs.
  • Each signaling message must carry a message sequence number, and the sequence number is not repeated in the same N32-f context.
  • there is only one N32-f context, which may limit the concurrent processing of signaling messages by SEPPs.
  • Embodiments of the present application provide a signaling message processing method and apparatus, and the signaling message processing method can implement load balancing among multiple SEPPs in the same operator network.
  • an embodiment of the present application provides a signaling message processing method, and the method is executed by a first border security gateway.
  • the first border security gateway receives the border security gateway information list of the operator network where the second border security gateway is located, and selects a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located.
  • the first border security gateway sends an encrypted signaling message to the third border security gateway. It can be seen that the border security gateway in the first operator's network can choose one from the list as the third border security gateway, and the third border security gateway can share the signaling message processing task with the second border security gateway, so as to realize load balancing among multiple border security gateways in the second operator's network.
  • the first border security gateway sends a signaling message encrypted with the N32-f context to the third border security gateway, or sends a signaling message encrypted with a transport layer security key to the third border security gateway. It can be seen that, for different SEPP interconnection schemes, this embodiment defines an encryption method of signaling messages between SEPPs, which is beneficial to ensure the security of information transmission.
  • the first border security gateway sends a border security gateway information list of the operator network where the first border security gateway is located to the second border security gateway.
  • the border security gateway information list of the operator network where the first border security gateway is located includes the fourth border security gateway.
  • the second border security gateway sends the signaling message using the N32-f context of the fourth border security gateway. It can be seen that the border security gateway in the second operator's network can send signaling messages to the pre-assigned border security gateways in the first operator's network (that is, the border security gateways in the list), so as to realize load balancing between multiple border security gateways in the first operator's network. That is, the border security gateway in the first operator's network and the border security gateway in the second operator's network may implement similar functions.
  • the first border security gateway negotiates with the third border security gateway to obtain the N32-f context, and the signaling message is sent using the N32-f context obtained through negotiation.
  • the first border security gateway sends a signaling message by using the associated N32-f context.
  • the first border security gateway receives the first message from the second border security gateway when performing the N32-C handshake with the second border security gateway.
  • the encrypted signaling message is forwarded to the third border security gateway through the IPX device.
  • the border security gateway information list includes priorities for multiple border security gateways.
  • the first border security gateway selects the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located. It can be seen that the pre-allocated border security gateway in the second operator network is the border security gateway with the highest priority, that is, the first border security gateway preferentially sends signaling messages to the third border security gateway with a high priority, which is conducive to balancing the network load.
  • the border security gateway information list includes weights for a plurality of border security gateways.
  • the first border security gateway selects the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located. It can be seen that the pre-allocated border security gateway in the second operator network is the border security gateway with the highest weight, that is, the first border security gateway preferentially sends signaling messages to the third border security gateway with a high weight, which is conducive to balancing the network load.
  • the border security gateway information list includes identifiers of multiple border security gateways.
  • the identifier of the border security gateway is any information that identifies a border security gateway, such as a fully qualified domain name, IP address, or serial number.
  • the first border security gateway receives the first message through the N32-c channel, where the first message includes the border security gateway information list of the operator network where the second border security gateway is located.
  • the first message is an N32-c message.
  • the border security gateway information list includes a timestamp. If the first border security gateway has recorded the border security gateway information list, the first border security gateway updates the recorded border security gateway information list to the border security gateway information list of the operator network where the second border security gateway is located under the current timestamp. The first border security gateway sends a 200 OK message to the second border security gateway.
  • if the first border security gateway has not recorded the border security gateway information list, the first border security gateway records the border security gateway information list of the operator network where the second border security gateway is located under the current timestamp.
  • if the first border security gateway cannot identify the first message, or the first border security gateway cannot record the border security gateway information list of the operator network where the second border security gateway is located, the first border security gateway sends an error response message to the second border security gateway.
  • the first border security gateway selects a third border security gateway with the least occupied load from the border security gateway information list of the operator network where the second border security gateway is located. It can be seen that the pre-allocated border security gateway in the second operator network is the border security gateway with the least occupied load, that is, the first border security gateway preferentially sends a signaling message to the third border security gateway with the least occupied load, which is conducive to balancing network load.
  • the first border security gateway updates the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending signaling messages. It can be seen that the third border security gateway can dynamically refresh the load information, so that the first border security gateway can dynamically adjust the load sent to the border security gateway in the second operator's network.
  • the first border security gateway uses the N32-f context of the third border security gateway to encrypt the signaling message, and sends the encrypted signaling message to the third border security gateway.
  • the N32-f context includes the context identifier, the N32-f peer information, and the N32-f security context.
  • the context identifier is used to identify the N32-f context, and both the first border security gateway and the second border security gateway can find the corresponding N32-f context according to the context identifier after negotiating to generate the N32-f context.
  • N32-f peer information includes peer SEPP information (SEPP identifier, address, operator network identifier).
  • For example, the N32-f peer information in the local N32-f context of the first border security gateway includes the identifier and address of the second border security gateway and the identifier of the operator network where the second border security gateway is located.
  • the N32-f peer information in the local N32-f context of the second border security gateway includes the identifier and address of the first border security gateway and the identifier of the operator network where the first border security gateway is located.
  • the N32-f security context includes security-related information.
  • the N32-f security context includes a session key for communication between the first border security gateway and the second border security gateway, an algorithm suite negotiated between the first border security gateway and the second border security gateway, and a security information list of IP exchange services (IPX ID, public key, etc.).
  • the first border security gateway may encrypt the signaling message using the session key in the N32-f security context, and then send the encrypted signaling message to the second border security gateway.
  • the first border security gateway receives the signaling message sent by the network function NF network element (or device). Subsequently, the first border security gateway encrypts the received signaling message, and sends the encrypted signaling message to the third border security gateway. Therefore, in the solution provided by this embodiment, the signaling message sent by the NF can be encrypted by the first border security gateway and sent to the third border security gateway for processing.
  • the embodiment of the present application provides another signaling message processing method, and the method is executed by the first border security gateway.
  • the first border security gateway receives signaling messages from the second border security gateway.
  • the first border security gateway acquires the N32-f context shared among multiple border security gateways in the operator's network, and uses the shared N32-f context to process the received signaling message.
  • the plurality of border security gateways include the first border security gateway. It can be seen that the N32-f context can be shared among multiple border security gateways in the same operator network, so that signaling messages from the external operator network can be distributed evenly among the multiple border security gateways in the same operator network.
  • the first border security gateway establishes a transport layer security link with the first network function network element, encrypts the signaling message with the transport layer security key, and sends the encrypted signaling message to the first network function network element. It can be seen that the border security gateway can use the transport layer security key to encrypt the signaling message, and send the encrypted signaling message to the destination network function network element of the signaling message.
  • an embodiment of the present application provides a signaling message processing method, and the method is executed by a network function NF network element.
  • the network function network element obtains a border security gateway information list of the operator's network, and selects a border security gateway (referred to as a fourth border security gateway in this aspect) from the border security gateway information list. Subsequently, the network function network element sends an encrypted signaling message to the fourth border security gateway.
  • the NF can choose one from the list as the fourth border security gateway, that is, multiple border security gateways in the list can share the signaling message processing task, so as to realize load balancing between multiple border security gateways in the operator network.
  • the NF sends a signaling message encrypted with a transport layer security key to the fourth border security gateway. It can be seen that this embodiment uses the transport layer security key to encrypt the signaling message, which is beneficial to ensure the security of information transmission.
  • the NF selects the fourth border security gateway from the border security gateway information list in the same manner as the first border security gateway selects the third border security gateway from the border security gateway information list in the first aspect, such as selecting the border security gateway with the highest priority or weight.
  • the border security gateway information list includes identifiers of multiple border security gateways.
  • the identifier of the border security gateway is any information that identifies a border security gateway, such as a fully qualified domain name, IP address, or serial number.
  • the NF may receive a list of border security gateway information of the operator's network where the first border security gateway is located. At this time, the NF and the first border security gateway belong to the same operator network.
  • the NF can obtain the list of border security gateway information of the operator's network where it is located from the local configuration or the network repository function (NRF). At this point, NF and NRF belong to the same operator network.
  • the border security gateway information list includes a timestamp. If the NF has recorded the border security gateway information list, the NF updates the recorded border security gateway information list to the border security gateway information list under the current timestamp, so that the local border security gateway information list of the NF is up-to-date.
  • if the NF has not recorded the border security gateway information list, the NF records the border security gateway information list of the operator network under the current timestamp.
  • if the NF cannot identify the first message, or the NF cannot record (update) the border security gateway information list, the NF sends an error response message to the first border security gateway.
  • the first border security gateway updates the load information of the fourth border security gateway in the border security gateway information list according to the traffic occupied by sending signaling messages. It can be seen that the fourth border security gateway can dynamically refresh the load information, so that the NF dynamically adjusts the load sent to the border security gateway of the local operator network.
  • an embodiment of the present application provides a signaling message processing apparatus, where the signaling message processing apparatus includes a transceiver unit and a processing unit.
  • the transceiver unit is configured to receive a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located.
  • the transceiver unit is further configured to send encrypted signaling messages to the third border security gateway.
  • the transceiver unit is configured to send encrypted signaling messages to the third border security gateway, including:
  • the signaling message encrypted using the N32-f context is sent to the third border security gateway or the signaling message encrypted using the transport layer security key is sent to the third border security gateway.
  • the transceiver unit is further configured to send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
  • the transceiver unit is further configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the transceiver unit negotiates with the third border security gateway to obtain the N32-f context, and uses the negotiated N32-f context to send signaling information.
  • the border security gateway information list includes: priorities of multiple border security gateways.
  • the processing unit is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest priority is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the border security gateway information list includes: weights of multiple border security gateways.
  • the processing unit is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest weight is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the transceiver unit is configured to receive the first message from the second border security gateway, including:
  • the information list of the border security gateway of the operator network where the second border security gateway is located is received through the N32-c channel.
  • the border security gateway information list includes: a timestamp.
  • the processing unit is further configured to, if the processing unit has recorded the border security gateway information list, update the recorded border security gateway information list to the border security gateway information list of the operator network where the second border security gateway is located under the current timestamp.
  • the transceiver unit is further configured to send a 200 OK message to the second border security gateway.
  • the processing unit is further configured to send error response information to the second border security gateway if the processing unit cannot identify the first message, or cannot record the border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the least occupied load is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit is configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
  • the transceiver unit is configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the signaling message is encrypted using the N32-f context of the third border security gateway, and the encrypted signaling message is sent to the third border security gateway.
  • the transceiver unit in the first border security gateway is further configured to receive a signaling message sent by the network function device, and the processing unit is further configured to encrypt the received signaling message. Further, the transceiver unit sends the encrypted signaling message to the third border security gateway.
  • an embodiment of the present application provides a signaling message processing apparatus, where the signaling message processing apparatus may be a device or a chip or circuit provided in the device.
  • the signaling message processing apparatus includes units and/or modules for executing the signaling message processing method provided in any one of the possible designs of the first, second, and third aspects, and thus can also achieve the beneficial effects of the signaling message processing method provided in the first aspect.
  • embodiments of the present application provide a computer-readable storage medium, where the readable storage medium includes a program or an instruction, and when the program or instruction is run on a computer, causes the computer to execute the method in any of the possible implementations of the first, second, or third aspect.
  • an embodiment of the present application provides a chip or a chip system, the chip or chip system includes at least one processor and an interface, the interface and the at least one processor are interconnected through a line, and the at least one processor is used for running a computer program or instruction, to perform the method described in any one of the possible implementations of the first, second or third aspect.
  • the interface in the chip may be an input/output interface, a pin or a circuit, or the like.
  • the chip system in the above aspects may be a system on chip (system on chip, SOC), or a baseband chip, etc.
  • the baseband chip may include a processor, a channel encoder, a digital signal processor, a modem, an interface module, and the like.
  • the chip or chip system described above in this application further includes at least one memory, where instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, such as a register, a cache, etc., or a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
  • the embodiments of the present application provide a computer program or a computer program product, including codes or instructions; when the codes or instructions are run on a computer, the computer may execute the method in any implementation of the first, second, or third aspect.
  • this embodiment further provides a communication system, which includes the network function NF and a border security gateway as described above.
  • the N32-f context may be an N32-f security context.
  • the signaling message may be a roaming message.
  • the signaling message may be a service discovery request or a network slicing request.
  • the network function NF device may be a session management function (SMF), a user plane function (UPF), a policy control function (PCF), an access and mobility management function (AMF), or other equipment in the 5G core network.
  • FIG. 1a and FIG. 1b are schematic diagrams of network scenarios provided by embodiments of the present application.
  • FIG. 2 is a schematic flowchart of a signaling message processing method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another signaling message processing method provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of still another signaling message processing method provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of another network scenario provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another signaling message processing method provided by an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of sharing N32-f context between border security gateways in the same operator network according to an embodiment of the present application.
  • FIG. 8 is another schematic flowchart of sharing N32-f context between border security gateways in the same operator network provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of a signaling message processing apparatus provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a server provided by an embodiment of the present application.
  • FIG. 11 is a schematic diagram of another signaling message processing apparatus provided by an embodiment of the present application.
  • FIG. 12 is a schematic diagram of another server provided by an embodiment of the present application.
  • words such as “exemplary” or “for example” are used to represent examples or illustrations. Any embodiments or designs described in the embodiments of the present application as “exemplary” or “such as” should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as “exemplary” or “such as” is intended to present the related concepts in a specific manner.
  • the term “plurality” refers to two or more than two.
  • a plurality of first border security gateways refers to two or more first border security gateways.
  • the size of the sequence number of each process does not mean the sequence of execution; the execution sequence of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • SEPP acts as a docking agent between operator networks, enabling the signaling interaction between network function NF network elements and roaming partners through the interaction between the initiating SEPP and the responding SEPP.
  • the interface between SEPPs is defined as the N32 interface, and all messages across the operator network during roaming need to be forwarded through the N32 interface.
  • SEPP needs to provide information message access and security protection capabilities for roaming scenarios.
  • the initiating SEPP and the responding SEPP need to negotiate the shared secret key and encryption algorithm through the handshake process. After the negotiation is completed, the signaling interaction is performed according to the N32 forwarding interface (N32-f) context.
  • one N32-f context is generated for multiple SEPPs.
  • Each message must carry a message sequence number, which does not repeat in the same N32-f context.
  • the initiating SEPP can only perform signaling interaction with the responding SEPP that negotiates to generate the N32-f context, which may result in unbalanced loads between SEPPs in the operator network where the responding SEPP is located.
  • an embodiment of the present application provides a signaling message processing method, which can implement load balancing of multiple SEPPs. This method can be applied to the network scenarios shown in Figure 1a and Figure 1b.
  • the first border security gateway in the embodiment shown in FIG. 1a and FIG. 1b is the SEPP of the first operator's network, and the second border security gateway is the SEPP of the second operator's network.
  • the first operator network and the second operator network may be different operator networks.
  • the network scenarios shown in Figures 1a and 1b include network functions in the first operator's network, a first border security gateway, an IP exchange service (IPX), a second border security gateway, and network functions in the second operator's network.
  • the first border security gateway and the second border security gateway are connected in a direct connection mode or a forwarding mode.
  • an N32 interconnection security protocol (protocol for N32 interconnect security, PRINS) is used for interaction between the first border security gateway and the second border security gateway in FIG. 1a.
  • the connection between the first border security gateway and the second border security gateway in FIG. 1a is performed in a forwarding mode.
  • the first border security gateway and the second border security gateway create a pair of directly connected transport layer security (TLS) links (tunnels) N32-c, complete mutual authentication with the help of the TLS mechanism, and derive a shared key based on the TLS link.
  • the N32-c handshake process is completed between the first border security gateway and the second border security gateway through the TLS link, and the PRINS context is negotiated. Application layer messages are confidentiality- and integrity-protected using the context and the shared secret key, and are forwarded to the peer SEPP through IPX.
  • first border security gateway and the second border security gateway in FIG. 1b are connected in a direct connection mode.
  • a TLS tunnel is established between the first border security gateway and the second border security gateway, and messages are transmitted to each other through the TLS tunnel, thereby ensuring the integrity and confidentiality of the message transmission process.
  • Figures 1a and 1b include a first border security gateway and a second border security gateway, and this network scenario is just an example.
  • the first operator network may have multiple border security gateways
  • the second operator network may also have multiple border security gateways.
  • the network function in the first operator's network and the network function in the second operator's network may include but are not limited to: access and mobility management function (AMF), session management function (SMF), policy control function (PCF), network repository function (NRF), network slice selection function (NSSF), etc.
  • FIG. 2 is a schematic flowchart of a signaling message processing method according to an embodiment of the present application. The method flow is realized by the interaction between the first border security gateway and the second border security gateway, and includes the following steps:
  • the first border security gateway receives a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway selects a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway sends an encrypted signaling message to the third border security gateway.
  • the border security gateway is abbreviated as SEPP.
  • the first border security gateway is the first SEPP
  • the second border security gateway is the second SEPP
  • the border security gateway information list is the SEPP information list.
  • the first SEPP represents the SEPP through which the network of the first operator is interconnected with the network of the second operator
  • the second SEPP represents the SEPP through which the network of the second operator is interconnected with the network of the first operator.
  • the second operator network may further include one or more other SEPPs, and the SEPP information of the other one or more SEPPs is stored in the SEPP information list of the second operator network.
  • the SEPP information list is carried in the first message and sent by the second SEPP to the interconnected first SEPP, that is, the SEPP information list sent by the second SEPP includes the SEPP information of all SEPPs in the second operator network.
  • the first message includes the SEPP information list of the operator network where the second SEPP is located.
  • the SEPP information list includes separate (respective) SEPP information of a plurality of SEPPs in the operator's network.
  • the respective SEPP information of the plurality of SEPPs may include information indicating the capability of the respective SEPPs to handle the load. That is to say, when the first SEPP receives the first message, the information of multiple SEPPs in the operator network where the second SEPP is located can be obtained.
  • the first SEPP can also select the SEPP to send the signaling message based on the information of the multiple SEPPs, thereby facilitating load balancing among the multiple SEPPs in the operator network where the second SEPP is located.
  • the information of any SEPP in the second operator's network may include fields such as the identifier, priority, weight, etc. of the SEPP.
  • the identity of a SEPP is any information that can identify a SEPP.
  • the identifier of the SEPP is a fully qualified domain name (FQDN) of the SEPP, or an IP address, or a serial number of the SEPP, or the like.
  • the priority of the SEPP or the weight of the SEPP may be used to indicate the ability of the SEPP to handle the load. For example, when the second operator network deploys multiple SEPPs, each SEPP is pre-allocated with a certain processing load capability. The ability of each SEPP to handle the load is indicated by the SEPP's priority or weight.
  • the priority of the second SEPP is the second priority
  • the priority of the third SEPP is the first priority. If the first priority is higher than the second priority, it means that the capability of the third SEPP to process the load is higher than the capability of the second SEPP to process the load.
  • when the first SEPP selects, from the SEPP information list of the second operator network, a SEPP to send a message to, the first SEPP preferentially selects the third SEPP.
  • Table 1 is a SEPP information list provided by this embodiment of the present application.
  • the operator network where the second SEPP is located includes three SEPPs, namely SEPP_1, SEPP_2 and SEPP_3.
  • the identification, priority, and weight of each SEPP are shown in Table 1.
  • Table 1 A list of SEPP information
  • Table 1 records information such as identifiers, priorities, and weights of the three SEPPs, so that the first SEPP obtains the respective load processing capabilities of the SEPPs in the second operator's network from Table 1.
  • the SEPP information list further includes loads occupied by each SEPP.
  • the second SEPP may count the respective occupied loads of multiple SEPPs such as the second SEPP, the third SEPP, and the fourth SEPP in the SEPP information list at the current moment.
  • the second SEPP records the respective occupied loads of the multiple SEPPs into the SEPP information list, so that the first SEPP preferentially selects a SEPP with less occupied load from the SEPP information list.
  • the SEPP information list shown in Table 1 can be updated to the SEPP information list shown in Table 2.
  • Table 2 adds the load field occupied by SEPP. This field is used to indicate the occupied load of each SEPP in the second operator's network, that is, to indicate the remaining capacity of each SEPP to handle the load.
  • the SEPP information list further includes a timestamp field.
  • the time stamp indicates the time when the first SEPP records the multiple SEPP information in the SEPP information list.
  • the first SEPP acquires multiple SEPP information of the operator network where the second SEPP is located, records multiple SEPP information of the operator network where the second SEPP is located, and records the current time as a timestamp.
  • the first SEPP re-records the SEPP information of the multiple SEPPs of the operator network where the second SEPP is located (that is, overwrites the original record), and records the current moment as the timestamp (that is, updates the timestamp).
  • the first SEPP may determine the third SEPP for sending the signaling message according to the respective priorities of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_1 with the highest priority from the SEPP information list (i.e., SEPP_1 is the third SEPP), and uses the N32-f context of SEPP_1 to send a signaling message to SEPP_1.
  • the SEPP information list here also includes the second SEPP. If the second SEPP is the SEPP with the highest priority in the SEPP information list, the first SEPP sends a signaling message to the second SEPP by using the N32-f context of the second SEPP. For example, the first SEPP receives the first message from SEPP_1. When SEPP_1 is the SEPP with the highest priority in the SEPP information list, the first SEPP selects SEPP_1 preferentially, and uses the N32-f context of SEPP_1 to send a signaling message to SEPP_1.
  • the first SEPP may determine the third SEPP for sending the signaling message according to the respective weights of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_1 with the highest weight from the SEPP information list, and uses the N32-f context of SEPP_1 to send a signaling message to the third SEPP.
  • the SEPP information list here also includes the second SEPP. If the second SEPP is the SEPP with the highest weight in the SEPP information list, the first SEPP sends a signaling message to the second SEPP by using the N32-f context of the second SEPP.
  • the first SEPP may select the fourth SEPP with the second highest priority or weight in the operator network where the second SEPP is located, that is, the third SEPP is not selected.
  • the first SEPP selects the fifth SEPP with the third highest priority or weight in the operator network where the second SEPP is located. In this manner, it can be avoided that the load processed by the SEPP in the operator network where the second SEPP is located exceeds the load that can be processed by itself, thereby avoiding network congestion.
  • the first SEPP determines the third SEPP for sending the signaling message according to the respective occupied loads of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_3 with the least occupied load from the SEPP information list, and sends a signaling message to SEPP_3 using the N32-f context of SEPP_3.
  • the first SEPP sends an encrypted signaling message to the third SEPP, which may be sending an application layer encrypted signaling message or sending a transport layer encrypted signaling message.
  • for the first SEPP to send application-layer encrypted roaming information to the third SEPP means that the first SEPP encrypts the signaling message using the security context in the N32-f context of the third SEPP, and sends the encrypted signaling message to the third SEPP.
  • the first SEPP encrypts the signaling message to be sent by using the security context in the N32-f context of SEPP_1, and sends the encrypted signaling message to SEPP_1.
  • SEPP_1 receives the encrypted signaling message sent by the first SEPP, and uses the security context in its own N32-f context (its own N32-f context corresponds to the N32-f context of the first SEPP) to decrypt the encrypted signaling message.
  • for the first SEPP to send transport-layer encrypted roaming information to the third SEPP means that the first SEPP encrypts the signaling message with the transport layer security key, and sends the encrypted signaling message to the third SEPP. For example, if no TLS link is established between the first SEPP and the third SEPP, the first SEPP first establishes a TLS link with the third SEPP. The first SEPP then uses the TLS key to encrypt the signaling message, and sends the encrypted signaling message to the third SEPP through the TLS link with the third SEPP.
  • the signaling message in this embodiment refers to a message carrying a load.
  • This message is a different message from the first message carrying the SEPP information list.
  • the first SEPP uses the N32-f context of the third SEPP to send a signaling message to the third SEPP, where the signaling message carries the load of the first SEPP.
  • the embodiment of the present application provides a signaling message processing method, and the method is implemented by interaction between SEPPs of two different operator networks.
  • the SEPP in the first operator's network selects a SEPP from the SEPP information list of the second operator's network, and sends an encrypted signaling message to the selected SEPP, so as to realize load balancing among multiple SEPPs in the second operator's network.
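The recording and selection behaviour described for the first SEPP can be modelled as follows. This is an added example, not code from the patent: the class and field names, the 200/400 return values, the sample priorities and weights, and the conventions that a lower priority number means higher priority and a larger weight means more capacity are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SeppInfo:
    identifier: str  # FQDN, IP address or serial number of the SEPP
    priority: int    # assumption: lower number = higher priority
    weight: int      # assumption: larger number = more pre-allocated capacity


class PeerNetworkRecord:
    """What the first SEPP keeps locally about one peer operator network."""

    def __init__(self):
        self.entries = {}        # identifier -> SeppInfo
        self.timestamp = None    # when the list was last recorded
        self.n32f_ready = set()  # identifiers with a negotiated N32-f context

    def record(self, info_list, now):
        """Record or overwrite the list; return the status code to answer with."""
        if not isinstance(info_list, list) or not info_list:
            return 400
        parsed = {}
        for item in info_list:
            try:
                info = SeppInfo(str(item["id"]), int(item["priority"]),
                                int(item["weight"]))
            except (KeyError, TypeError, ValueError):
                return 400       # unrecognisable entry: keep the old record
            if not info.identifier or info.weight < 0 or info.identifier in parsed:
                return 400
            parsed[info.identifier] = info
        self.entries = parsed    # overwrite the original record
        self.timestamp = now     # update the timestamp
        return 200

    def mark_available(self, identifier):
        """Mark a listed SEPP as available once its N32-f context exists."""
        if identifier not in self.entries:
            return False         # never mark a gateway the peer did not list
        self.n32f_ready.add(identifier)
        return True

    def select(self, by="priority", skip=()):
        """Pick the SEPP to send to; `skip` models passing over a busy one."""
        usable = [e for e in self.entries.values()
                  if e.identifier in self.n32f_ready and e.identifier not in skip]
        if not usable:
            return None
        if by == "weight":
            key = lambda e: (-e.weight, e.priority, e.identifier)
        else:
            key = lambda e: (e.priority, -e.weight, e.identifier)
        return min(usable, key=key).identifier


# Constructed sample list (the patent's Table 1 values are not reproduced here).
SAMPLE_LIST = [
    {"id": "SEPP_1", "priority": 1, "weight": 50},
    {"id": "SEPP_2", "priority": 2, "weight": 30},
    {"id": "SEPP_3", "priority": 3, "weight": 20},
]

if __name__ == "__main__":
    rec = PeerNetworkRecord()
    print(rec.record(SAMPLE_LIST, now=1000.0))
    for name in ("SEPP_1", "SEPP_2", "SEPP_3"):
        rec.mark_available(name)
    print(rec.select(), rec.select(skip={"SEPP_1"}))
```

A malformed list leaves the previous record and timestamp untouched, and a SEPP is only ever selected if it is both listed by the peer and has a negotiated N32-f context.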
  • FIG. 3 is a schematic flowchart of another signaling message processing method provided by an embodiment of the present application.
  • the signaling message processing method is applied in a static load balancing scenario.
  • the static load balancing scenario in this embodiment is a static load balancing scenario based on preset priorities or weights.
  • the method flow is realized by the interaction between the first border security gateway and the second border security gateway, and includes the following steps:
  • when performing the N32-c handshake with the first border security gateway, the second border security gateway sends a first message to the first border security gateway, where the first message includes the border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway receives and records the border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway sends a 200 OK message to the second border security gateway
  • the first border security gateway marks the second border security gateway in the border security gateway information list as an available border security gateway
  • when the first border security gateway sends a signaling message to the second border security gateway, the first border security gateway selects a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway sends a signaling message to the third border security gateway by using the N32-f context of the third border security gateway.
  • the second SEPP sends the first message to the first SEPP, which may be that the second SEPP sends the first message to the first SEPP through the N32-c channel. That is to say, the first message in this embodiment is an N32-c message.
  • the second SEPP sends an Exchange-LoadControl message to the first SEPP, where the Exchange-LoadControl message includes a SEPP information list.
  • for the SEPP information list, reference is made to the description of the SEPP information list in the embodiment of FIG. 2, and details are not repeated here.
  • for step 301, when multiple SEPPs are deployed in the operator network where the second SEPP is located, and the FQDNs of the SEPPs are different, different processing load capabilities may be allocated to different SEPPs in advance.
  • SEPP_1 , SEPP_2 and SEPP_3 are deployed in the operator network where the second SEPP is located, and SEPP_1 , SEPP_2 and SEPP_3 will be assigned different weights, as shown in Table 1.
  • the network of the operator where the second SEPP is located will determine the SEPP information list of the operator.
  • the SEPP information list of the operator network where the second SEPP is located obtained by the second SEPP may be information locally configured by the second SEPP, or may be information obtained through interaction between SEPPs in the operator network. For example, multiple SEPPs in the second operator's network send their respective SEPP information to each other. Any SEPP in the second operator's network (e.g., the second SEPP) may record multiple SEPP information in the operator's network, thereby generating a SEPP information list.
  • the first SEPP receives the SEPP information list of the operator network where the second SEPP is located, and determines whether the SEPP information list of the operator network has been recorded locally. If the first SEPP has locally recorded the SEPP information list of the operator network, the first SEPP updates the SEPP information list of the operator network and records the time stamp. If the first SEPP does not record the SEPP information list of the operator's network locally, the first SEPP records the SEPP information list of the operator's network, and records the time stamp. Optionally, if the first SEPP cannot identify the first message, or the first SEPP cannot record the SEPP information list of the operator network where the second SEPP is located, the first SEPP sends an error response message to the second SEPP.
  • when the first SEPP cannot recognize the first message, the first SEPP sends a 4xx/5xx error response message to the second SEPP.
  • the second SEPP receives the error response message, and will no longer perform the subsequent N32-c negotiation process with the first SEPP.
  • the N32-f context negotiation is completed between the second SEPP and the first SEPP, and the first SEPP may mark the second SEPP as an available border security gateway.
  • N32-f context negotiation is completed between the third SEPP and the first SEPP, and the first SEPP may mark the third SEPP as an available border security gateway.
  • the SEPP information list of the operator network where the second SEPP is located includes SEPP_1, SEPP_2 and SEPP_3.
  • the first SEPP marks SEPP_1, SEPP_2 and SEPP_3 as available SEPPs.
  • the first SEPP may subsequently send signaling messages to SEPP_1, SEPP_2 and SEPP_3.
  • when the first SEPP sends a signaling message to the second SEPP, the first SEPP selects the third SEPP from the locally recorded SEPP information list, and uses the context of the third SEPP to send the signaling message to the third SEPP. For a specific implementation manner, reference is made to the description of the corresponding steps in the embodiment of FIG. 2, which is not repeated here.
  • the signaling messages sent by the first SEPP to the network function in the second operator's network are encrypted and forwarded through the N32-f context of the third SEPP.
  • the first SEPP of the first operator network may select the designated SEPP according to the preset priority or weight in the SEPP information list of the second operator network, and use the N32-f context of the designated SEPP to encrypt the message and then send it, so as to finally achieve load balancing among multiple SEPPs in the second operator's network. It can be seen that in the static load balancing scenario, the signaling messages sent by the first SEPP to the second operator's network are all sent according to the load pre-allocated by the second operator's network.
  • FIG. 4 is a schematic flowchart of still another signaling message processing method provided by an embodiment of the present application.
  • the signaling message processing method is applied in a dynamic load balancing scenario.
  • the dynamic load balancing scenario in this embodiment is a dynamic load balancing scenario based on load control information (LCI).
  • the load control mechanism enables the NF service producer to send its load information to the NF service consumer, and the load information reflects the resource operation status of the NF service provider.
  • the first SEPP and the second SEPP in this embodiment are regarded as a SEPP service consumer (cSEPP) and a SEPP service provider (pSEPP), respectively, and vice versa.
  • the SEPP supports the 3gpp-Sbi-Lci header field, and load control information can be exchanged between the first SEPP and the second SEPP.
  • the flow of the signaling message processing method in this embodiment is realized by interaction among the first network function network element, the first border security gateway, the second border security gateway, and the second network function network element.
  • the method includes the following steps:
  • the first border security gateway receives a service request message from a first network function network element, where the service request message includes service information of the first network function network element;
  • the first border security gateway determines the second border security gateway according to the locally recorded border security gateway information list and load control information of the second operator network;
  • the first border security gateway uses the N32-f context of the second border security gateway to send an N32-f request message to the second border security gateway, where the N32-f request message includes the border security gateway information list and load control information of the operator network where the first border security gateway is located, and the service information of the first network function network element;
  • the second border security gateway receives the N32-f request message from the first border security gateway, and records the border security gateway information list of the operator network where the first border security gateway is located;
  • the second border security gateway sends the service information of the first network function network element to the second network function network element;
  • the second border security gateway receives a service response message from the second network function network element, where the service response message includes service response information of the second network function network element to the first network function network element;
  • the second border security gateway uses the N32-f context of the first border security gateway to send an N32-f response message to the first border security gateway, where the N32-f response message includes the border security gateway information list and load control information of the operator network where the second border security gateway is located, and the service response information of the second network function network element to the first network function network element;
  • the first border security gateway receives the N32-f response message from the second border security gateway, and updates the border security gateway information list of the operator network where the second border security gateway is located;
  • the first border security gateway sends, to the first network function network element, the service response of the second network function network element to the first network function network element.
  • the information exchange between SEPP and NF in this embodiment is based on FQDN, that is, the information exchange between SEPP and NF carries SEPP FQDN and NF FQDN.
  • the first NF queries a domain name system (DNS), or queries the NRF, to obtain the IP address corresponding to the first SEPP FQDN.
  • the first NF directly configures the IP address corresponding to the FQDN locally.
  • the first NF sends the service request message to the address corresponding to the first SEPP FQDN.
  • the first NF carries the FQDN of the target NF (e.g., the second NF) through the 3gpp-Sbi-Target-apiroot field in the service request message, and sends the service request message to the first SEPP.
  • the first SEPP receives the service request message, and obtains the FQDN of the target NF according to 3gpp-Sbi-Target-apiroot in the service request message.
  • the information exchange between the SEPP and the NF is based on FQDN routing. For example, configure FQDN routing on the first NF.
  • the first NF establishes a route with the first SEPP based on the FQDN route. Then the first NF sends the service request message through the route with the first SEPP.
  • the first SEPP determines the operator network where the target NF is located according to the FQDN of the target NF, and queries whether the local record includes the SEPP information list and load control information of the operator network where the target NF is located (i.e., the operator network where the second SEPP is located).
  • the first SEPP determines the second SEPP according to the SEPP information list and the load control information.
  • the first SEPP sends a first request message to the second SEPP, where the first request message is used to request the SEPP information list and load control information of the operator network where the second SEPP is located.
  • the first SEPP and the second SEPP perform an N32-c handshake process to obtain the SEPP information list and load control information of the operator network where the second SEPP is located.
  • the first SEPP can not only obtain the SEPP information list of the operator network where the second SEPP is located, but also can obtain the SEPP load control information (SEPP LCI) of the operator network where the second SEPP is located.
  • the load control information includes a load control timestamp (LCT) and a load metric (LM).
  • the LCT parameter is used to indicate when the LCI is generated.
  • the receiver of the LCI uses the LCT to correctly order LCI that arrives out of order.
  • the LM parameter is used to indicate the current load level within the LCI range.
  • the LM parameter of a SEPP is used to indicate the current load level for that SEPP, expressed as a percentage in the range 0 to 100, where 0 means no or 0% load and 100 means that maximum or 100% load has been reached (i.e. no further load available).
  • this embodiment chooses to use LCI-based dynamic load balancing, and can also be extended to use overload control information (OCI) parameters for flow control. Based on OCI parameters, load balancing and traffic control in scenarios with excessive traffic can be implemented.
  • the first SEPP uses the N32-f context of the second SEPP to send an N32-f request message to the second SEPP.
  • the N32-f request message may also carry service information (load) of the first network function network element.
  • the first NF sends a service request message to the first SEPP, where the service request message includes service information of the first network function network element.
  • the first SEPP updates the locally recorded SEPP information list and load control information of the operator network where the second SEPP is located according to the load in the sent N32-f request message.
  • the first SEPP determines to send an N32-f request message to the second SEPP, and the load in the N32-f request message will occupy 10% of the load of the second SEPP.
  • the first SEPP will update the locally recorded load occupied by the second SEPP, from the original 30% load to 40% load.
  • the cSEPP can update the load of the pSEPP recorded locally in real time, which is beneficial to the subsequent load distribution.
  • the first SEPP in this embodiment may be either cSEPP or pSEPP.
  • the first SEPP can send the SEPP information list and load control information of the operator's network to the second SEPP through the N32-f request message, so that the second SEPP can obtain in advance the relevant SEPP information of the operator where the first SEPP is located, which helps to achieve load balancing. That is, the second SEPP receives and records the SEPP information list of the operator network where the first SEPP is located in the N32-f request message.
  • the second SEPP can update the locally recorded SEPP information list of the operator network where the first SEPP is located according to the N32-f request message. For example, when the second SEPP receives the N32-f message from the first SEPP, the header part of the N32-f message carries the SEPP information list of the operator network where the first SEPP is located under the current timestamp. The second SEPP updates the locally recorded SEPP information list to the SEPP information list of the operator network where the first SEPP is located under the current timestamp.
  • the body part of the N32-c message carries the SEPP information list of the operator network where the first SEPP is located under the current timestamp.
  • the second SEPP may update the locally recorded load information of the first SEPP according to the N32-f request message. For example, when the second SEPP receives the N32-f message from the first SEPP, the body part of the N32-f message carries the load information of the first SEPP under the current timestamp. The second SEPP updates the locally recorded load information of the first SEPP to the load information of the first SEPP under the current timestamp.
  • the second SEPP sends the service information of the first NF to the second NF in the operator's network. Similar to the interaction process between the first NF and the first SEPP, the information exchange between the second SEPP and the second NF is also based on FQDN, or based on FQDN routing. For example, the second SEPP sends the service information of the first NF and the second SEPP FQDN to the second NF. After processing the service information of the first NF, the second NF sends a service response message to the second SEPP. For example, when the service information sent by the first NF is a request to access a new terminal device, the service response information of the second NF for the first NF is the access resources pre-allocated by the second NF for the new terminal device.
  • after receiving the service response message from the second NF, the second SEPP sends the N32-f response message to the first SEPP by using the N32-f context of the first SEPP.
  • the N32-f response message includes the service response of the second NF to the first NF.
  • the N32-f response message may also include the SEPP information list and load control information of the operator network where the second SEPP is located under the current timestamp, so that the first SEPP updates the locally recorded SEPP information list and load control information of the operator network where the second SEPP is located.
  • the first SEPP acquires the service response in the N32-f response message, and sends the service response to the first NF.
  • the signaling message processing method in this embodiment may be applied between SEPP and NF.
  • the NF obtains the SEPP information list from the NRF or the SEPP.
  • the NF selects a designated SEPP according to the SEPP information list, and sends a message to the designated SEPP. That is to say, NF achieves load balancing between SEPP and NF by obtaining the SEPP information list in advance.
  • the NF directly pre-configures a SEPP information list locally, where the SEPP information list includes multiple SEPPs available to the NF in the same operator network, and parameters such as the priority or weight of each SEPP.
  • the network scenario shown in FIG. 1a is used as an example.
  • the specific steps to be executed are as shown in steps 401-409.
  • the specific steps performed are similar to steps 401-409.
  • the first SEPP and the second SEPP in the direct connection mode no longer transmit the N32-f message by encrypting the message through the N32-f context.
  • the first SEPP performs encryption by using the transport layer security key, and sends the encrypted request message to the second SEPP.
  • the other steps are also similar and will not be repeated here.
  • the first SEPP of the first operator network selects a designated SEPP based on the SEPP information list of the second operator network and dynamic load control information, encrypts the signaling messages using the N32-f context of the designated SEPP, and then sends them, so as to achieve load balancing among multiple SEPPs in the second operator's network. It can be seen that in the dynamic load balancing scenario, cSEPP dynamically adjusts the traffic sent to different pSEPPs according to the load control information of the second operator's network, which can improve the message processing efficiency of SEPP as a whole.
  • FIG. 5 is another network scenario provided by an embodiment of the present application.
  • the first operator network in FIG. 5 includes three SEPPs, namely SEPP_1, SEPP_2 and SEPP_3.
  • Figure 5 also includes multiple pSEPPs and multiple roaming partners.
  • Multiple SEPPs in the first operator's network are connected to multiple pSEPPs through IPX, and IPX is used to balance the load of the first operator's network.
  • multiple SEPPs in the first operator's network are connected to multiple pSEPPs through a pre-load balancer, and the pre-load balancer is also used to balance the load of the first operator's network.
  • the signaling message processing method shares the N32-f context among SEPPs of the operator's network, that is, SEPP_1 to SEPP_3 can use the same N32-f context to process messages.
  • the method is executed by the first SEPP of the first operator network, and the method flow is shown in Figure 6, including the following steps:
  • the first border security gateway receives a signaling message from the second border security gateway;
  • the first border security gateway acquires the N32-f context shared among multiple border security gateways in the operator network, and uses the shared N32-f context to process the received signaling message.
  • contexts may be shared among multiple SEPPs in the operator's network.
  • the shared context may be achieved through SEPP internal database synchronization.
  • SEPPs in the operator's network send subscription messages to each other to implement shared context.
  • the FQDN may be shared among multiple SEPPs in the local operator network, or different FQDNs may be used.
  • the SEPPs of the local operator network may obtain the shared N32-f context corresponding to the destination SEPP in the signaling message, and then use the shared context to process the signaling message.
  • the first SEPP may be SEPP_1, SEPP_2 or SEPP_3 in the first operator network shown in FIG. 5.
  • the second SEPP may be the pSEPP of roaming partner 1, the pSEPP of roaming partner 2, or the pSEPP of roaming partner 3 shown in FIG. 5.
  • the multiple SEPPs can acquire the N32-f contexts recorded by the respective SEPPs.
  • SEPP_1 in Figure 5 negotiates with pSEPP of roaming partner 1 and records N32-f context 1;
  • SEPP_2 negotiates with pSEPP of roaming partner 2 and records N32-f context 2;
  • SEPP_3 negotiates with pSEPP of roaming partner 3 and records N32-f context 3.
  • the N32-f context is shared among SEPP_1 to SEPP_3 of the first operator network, that is, SEPP_1 to SEPP_3 all record the N32-f context 1 to N32-f context 3.
  • the pSEPP of roaming partner 2 sends a signaling message to SEPP_2, which can be processed by SEPP_1.
  • SEPP_1 acquires the shared context (N32-f context 2) corresponding to the destination SEPP (i.e., SEPP_2) in the signaling message, and then uses the N32-f context 2 to process the signaling message.
  • the IPX or the pre-load balancer receives signaling messages sent by different roaming partners, and distributes the signaling messages according to the load situation of each SEPP in the first operator's network.
  • the IPX in FIG. 5 receives the signaling message sent by the pSEPP of roaming partner 2.
  • the IPX selects to send the signaling message to SEPP_1 according to the load control information (including the load index) of each SEPP in the first operator's network under the current timestamp. It can be seen that after the N32-f context is shared among multiple SEPPs in the first operator's network, each SEPP can process all N32-f traffic, and the load balancing of the first operator's network can be achieved through IPX.
  • the first SEPP selects to use the corresponding N32-f context to parse the received signaling message according to the shared N32-f context.
  • SEPP_1 in FIG. 5 receives a signaling message sent by pSEPP of roaming partner 2, where the signaling message is a message processed (encrypted) by pSEPP of roaming partner 2 using N32-f context 2. Since the shared N32-f context recorded by SEPP_1 includes N32-f context 2, SEPP_1 uses N32-f context 2 to process (decrypt) the signaling message.
  • a TLS link is established between the first SEPP and the first NF, and a TLS key is used to encrypt the signaling message, and the encrypted signaling message is sent to the first NF.
  • the destination NF of the signaling message sent by the pSEPP of roaming partner 2 is NF_1 in FIG. 5 .
  • SEPP_1 encrypts the signaling message sent by the pSEPP of roaming partner 2 according to the TLS key with NF_1, and sends the encrypted signaling message to NF_1. It can be seen that the SEPP can use the TLS key between the SEPP and the NF to encrypt the signaling message, and send the encrypted signaling message to the destination NF of the signaling message.
  • Taking SEPP_1 and SEPP_2 in FIG. 5 as an example, the steps of sharing context among multiple SEPPs in the operator's network are described in detail below.
  • the mutual subscription of the N32-f context is initiated between SEPP_1 and SEPP_2 in the first operator network.
  • SEPP_2 sends an N32-f context request message to SEPP_1.
  • the N32-f context request message is used to request subscription to the N32-f context of SEPP_1.
  • If SEPP_1 has negotiated N32-f context 1 with the pSEPP of roaming partner 1, SEPP_2 requests to subscribe to N32-f context 1 of SEPP_1.
  • SEPP_1 sends an N32-f context response message to SEPP_2, as shown by the solid line flow in FIG. 7.
  • the N32-f context response message includes the N32-f context 1 recorded by SEPP_1.
  • SEPP_1 sends an N32-f context request message to SEPP_2.
  • the N32-f context request message is used to request subscription to the N32-f context of SEPP_2.
  • SEPP_2 sends an N32-f context response message to SEPP_1, where the N32-f context response message includes the N32-f context 2 recorded by SEPP_2, as shown in the dashed flow in FIG. 7.
  • When the N32-f context on any SEPP changes (including creation, deactivation, etc.; for the creation and deactivation procedures, refer to the protocol standard 3GPP TS 29.573, which is not repeated here), the SEPP on which the change occurred notifies the other SEPPs in the operator's network through the callback interface.
  • For example, a new N32-f context 3 is created between SEPP_1 and the pSEPP of roaming partner 3 through the N32-c handshake process, and SEPP_1 records the N32-f context 3.
  • SEPP_1 sends an N32-f context update message to SEPP_2, where the update message includes the N32-f context 3 newly created by SEPP_1.
  • SEPP_2 receives and records the N32-f context 3 newly created by SEPP_1.
  • SEPP_2 sends an N32-f context update response message to SEPP_1.
  • the N32-f context update response message is used to indicate that SEPP_2 has recorded the N32-f context 3 newly created by SEPP_1, as shown in the solid line flow in FIG. 8.
  • SEPP_2 sends an N32-f context update message to SEPP_1, where the update message includes the N32-f context 3 newly created by SEPP_2.
  • SEPP_1 receives and records the N32-f context 3 newly created by SEPP_2.
  • SEPP_1 sends an N32-f context update response message to SEPP_2.
  • the N32-f context update response message is used to indicate that SEPP_1 has recorded the N32-f context 3 newly created by SEPP_2, as shown in the dashed flow in FIG. 8.
  • When the N32-f context of SEPP_1 or SEPP_2 is deactivated, SEPP_1 or SEPP_2 notifies other SEPPs in the operator's network to deactivate the corresponding N32-f context through a process similar to FIG. 7 or FIG. 8, which is not repeated here.
  • the N32-f context is shared among multiple SEPPs in the same operator network.
  • any SEPP can process messages processed by different N32-f contexts in the network.
  • the load balancing between SEPPs in the operator's network is realized by means of IPX or a pre-load balancer.
  • the signaling message processing method according to the embodiment of the present application is described in detail above with reference to FIG. 2 to FIG. 8 .
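The subscription, update and deactivation exchange of FIG. 7 and FIG. 8, followed by the shared-context lookup of FIG. 6, as an added Python sketch that is not part of the application. Class and field names are hypothetical, the key bytes are constructed, and an HMAC tag stands in for the protection a real N32-f context applies; the owner check in `on_update` is an added safeguard that the application does not describe.

```python
import hashlib
import hmac
from dataclasses import dataclass


class ContextError(Exception):
    """No usable shared context, or the message failed verification."""


@dataclass(frozen=True)
class N32fContext:
    owner: str   # local SEPP that negotiated the context (N32-c handshake)
    peer: str    # pSEPP of the roaming partner
    key: bytes   # constructed placeholder for the negotiated key material


@dataclass(frozen=True)
class SignalingMessage:
    source: str        # sending pSEPP
    destination: str   # SEPP the sender addressed
    payload: bytes
    tag: bytes


def make_tag(ctx, payload):
    # HMAC-SHA256 is a stand-in for the protection applied with the context.
    return hmac.new(ctx.key, payload, hashlib.sha256).digest()


def protect(ctx, payload):
    """pSEPP side: protect a payload under the context shared with ctx.owner."""
    return SignalingMessage(ctx.peer, ctx.owner, payload, make_tag(ctx, payload))


class Sepp:
    def __init__(self, name):
        self.name = name
        self.contexts = {}     # (owner, peer) -> N32fContext, own and shared
        self.subscribers = []  # SEPPs notified through the callback interface

    def subscribe_to(self, other):
        """Context request/response (FIG. 7): copy contexts `other` negotiated."""
        other.subscribers.append(self)
        for ctx in list(other.contexts.values()):
            if ctx.owner == other.name:
                self.contexts[(ctx.owner, ctx.peer)] = ctx

    def negotiate(self, peer, key):
        """Record a newly created context and push it to subscribers (FIG. 8)."""
        ctx = N32fContext(self.name, peer, key)
        self.contexts[(ctx.owner, ctx.peer)] = ctx
        acks = [s.name for s in self.subscribers if s.on_update(self.name, ctx)]
        return ctx, acks

    def on_update(self, sender, ctx):
        """Update message handler; True plays the role of the update response."""
        if ctx.owner != sender:   # added check: only the owner may publish it
            return False
        self.contexts[(ctx.owner, ctx.peer)] = ctx
        return True

    def deactivate(self, peer):
        """Drop an own context and tell subscribers to drop their copy."""
        self.contexts.pop((self.name, peer), None)
        for s in self.subscribers:
            s.contexts.pop((self.name, peer), None)

    def process(self, msg):
        """Handle a message handed over by IPX or the pre-load balancer."""
        ctx = self.contexts.get((msg.destination, msg.source))
        if ctx is None:
            raise ContextError(f"{self.name}: no context for {msg.destination}")
        if not hmac.compare_digest(make_tag(ctx, msg.payload), msg.tag):
            raise ContextError(f"{self.name}: verification failed")
        return msg.payload


if __name__ == "__main__":
    sepp_1, sepp_2 = Sepp("SEPP_1"), Sepp("SEPP_2")
    sepp_1.subscribe_to(sepp_2)
    sepp_2.subscribe_to(sepp_1)
    ctx_2, acks = sepp_2.negotiate("pSEPP_RP2", b"constructed-key-2")
    # The message is addressed to SEPP_2 but is processed by SEPP_1.
    print(acks, sepp_1.process(protect(ctx_2, b"constructed request")))
```

A SEPP that holds no copy of the context, or whose copy was deactivated, refuses the message instead of forwarding it unverified.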
  • the signaling message processing apparatus according to the embodiment of the present application will be described in detail below with reference to FIG. 9 to FIG. 12. It should be understood that the signaling message processing apparatus and server shown in FIG. 9 to FIG. 12 can implement one or more steps in the method flow shown in FIG. 2 to FIG. 8. In order to avoid repetition, detailed description is omitted here.
  • FIG. 9 is a schematic diagram of a signaling message processing apparatus according to an embodiment of the present application.
  • the signaling message processing apparatus shown in FIG. 9 is used to implement the method performed by the first border security gateway in the embodiments shown in FIG. 2 to FIG. 4.
  • the signaling message processing apparatus includes a transceiver unit 901 and a processing unit 902.
  • the transceiver unit 901 is configured to receive a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit 902 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located.
  • the transceiver unit 901 is further configured to send an encrypted signaling message to the third border security gateway.
  • the transceiver unit 901 is further configured to send a signaling message encrypted with the N32-f context to the third border security gateway, or send a signaling message encrypted with the transport layer security key to the third border security gateway.
  • the transceiver unit 901 is further configured to send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
  • the transceiver unit 901 is further configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the transceiver unit 901 negotiates with the third border security gateway to obtain the N32-f context, and uses the negotiated N32-f context to send a signaling message.
  • the border security gateway information list includes: priorities of multiple border security gateways.
  • the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest priority is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the border security gateway information list includes: weights of multiple border security gateways.
  • the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest weight is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the transceiver unit 901 is configured to receive the first message from the second border security gateway, including:
  • the information list of the border security gateway of the operator network where the second border security gateway is located is received through the N32-c channel.
  • processing unit 902 is further configured to update the recorded border security gateway information list to the border security gateway information list of the operator network where the second border security gateway is located under the current timestamp;
  • the transceiver unit 901 is further configured to send a 200 OK message to the second border security gateway.
  • the transceiver unit 901 is further configured to send an error response message to the second border security gateway if the first border security gateway cannot identify the first message, or cannot record the border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the least occupied load is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the processing unit 902 is further configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by the signaling message sending.
  • the transceiver unit 901 is configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the signaling message is encrypted using the N32-f context of the third border security gateway, and the encrypted signaling message is sent to the third border security gateway.
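The three selection rules listed above (highest priority, highest weight, least occupied load) together with the list update and its 200 OK or error response, as an added Python sketch that is not taken from the application. The field names, the `operator-b` FQDNs, the 400 status, the rule that a lower number means higher priority, and the tracking of load as bytes sent locally are all assumptions.

```python
from dataclasses import dataclass

OK = 200     # "200 OK" as named in the text
ERROR = 400  # assumed status; the text only says "error response message"


@dataclass
class SeppEntry:
    fqdn: str
    priority: int   # assumption: lower number means higher priority
    weight: int     # assumption: larger number means more preferred
    load: int = 0   # traffic (bytes) this sender has already directed here


# Constructed sample of a list received from the peer operator network.
SAMPLE_LIST = [
    {"fqdn": "sepp1.operator-b.example", "priority": 1, "weight": 10},
    {"fqdn": "sepp2.operator-b.example", "priority": 2, "weight": 50},
    {"fqdn": "sepp3.operator-b.example", "priority": 2, "weight": 40},
]


def parse_entry(raw):
    """Validate one list item before it is recorded."""
    fqdn, priority, weight = raw["fqdn"], raw["priority"], raw["weight"]
    if not isinstance(fqdn, str) or not fqdn:
        raise ValueError("missing FQDN")
    if not isinstance(priority, int) or not isinstance(weight, int):
        raise ValueError("priority and weight must be integers")
    if priority < 0 or weight < 0:
        raise ValueError("negative priority or weight")
    return SeppEntry(fqdn, priority, weight)


class PeerSeppLists:
    """SEPP information lists recorded per peer operator network."""

    def __init__(self):
        self.lists = {}   # peer network -> (timestamp, [SeppEntry, ...])

    def receive_list(self, peer, timestamp, raw_entries):
        """Handle the first message and return the status to answer with."""
        try:
            entries = [parse_entry(raw) for raw in raw_entries]
        except (KeyError, TypeError, ValueError):
            return ERROR   # not understood: the recorded list is kept
        if not entries or len({e.fqdn for e in entries}) != len(entries):
            return ERROR   # empty list or duplicate FQDNs cannot be recorded
        self.lists[peer] = (timestamp, entries)
        return OK

    def select(self, peer, policy):
        """Pick the third border security gateway from the recorded list."""
        entries = self.lists[peer][1]   # KeyError if nothing was recorded
        if policy == "priority":
            return min(entries, key=lambda e: e.priority)
        if policy == "weight":
            return max(entries, key=lambda e: e.weight)
        if policy == "load":
            return min(entries, key=lambda e: e.load)
        raise ValueError(f"unknown policy: {policy}")

    def send(self, peer, policy, message):
        """Select a SEPP and account for the traffic the message occupies."""
        target = self.select(peer, policy)
        target.load += len(message)
        return target.fqdn


def spread(policy, messages=6, size=100):
    """Count how many of `messages` equal-sized messages each SEPP receives."""
    lists = PeerSeppLists()
    lists.receive_list("operator-b", 1, SAMPLE_LIST)
    counts = {}
    for _ in range(messages):
        fqdn = lists.send("operator-b", policy, b"x" * size)
        counts[fqdn] = counts.get(fqdn, 0) + 1
    return counts


if __name__ == "__main__":
    for policy in ("priority", "weight", "load"):
        print(policy, spread(policy))
```

With a static priority or weight, every message goes to the same SEPP until the peer publishes a new list; only the least-load rule with per-message load updates spreads the traffic.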
  • FIG. 10 is a schematic diagram of a server according to an embodiment of the present application.
  • the server may be a device (e.g., a chip) capable of executing the signaling message processing method in the embodiments shown in FIG. 2 to FIG. 4.
  • the server may include a transceiver 1001, at least one processor 1002 and memory 1003.
  • the transceiver 1001, the processor 1002 and the memory 1003 may be connected to each other through one or more communication buses, or may be connected to each other in other ways.
  • the transceiver 1001 may be used for sending data or receiving data. It is understood that the transceiver 1001 is a general term and may include a receiver and a transmitter. For example, the receiver is configured to receive the first message from the second border security gateway. For another example, the transmitter is configured to send a signaling message to the second border security gateway.
  • the processor 1002 may be used to process data of the server.
  • the processor 1002 may include one or more processors, for example, the processor 1002 may be one or more central processing units (CPUs), network processors (NPs), hardware chips, or any combination thereof.
  • When the processor 1002 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
  • the memory 1003 is used for storing program codes and the like.
  • the memory 1003 may include a volatile memory, such as random access memory (RAM); the memory 1003 may also include a non-volatile memory, such as a read-only memory (ROM), flash memory, hard disk drive (HDD) or solid-state drive (SSD); the memory 1003 may also include a combination of the above-mentioned types of memory.
  • processor 1002 and memory 1003 may be coupled through an interface, or may be integrated together, which is not limited in this embodiment.
  • the transceiver 1001 and the processor 1002 described above can be used to execute the signaling message processing methods in the embodiments shown in FIG. 2 to FIG. 4, and the specific implementation methods are as follows:
  • the transceiver 1001 is configured to receive a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located;
  • the processor 1002 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
  • the transceiver 1001 is also used for sending signaling messages to the third border security gateway.
  • the transceiver 1001 is further configured to send a signaling message encrypted with the N32-f context to the third border security gateway, or send a signaling message encrypted with a transport layer security key to the third border security gateway.
  • the transceiver 1001 is further configured to send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
  • the transceiver 1001 is further configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the transceiver 1001 negotiates with the third border security gateway to obtain the N32-f context, and uses the negotiated N32-f context to send a signaling message.
  • the border security gateway information list includes: priorities of multiple border security gateways.
  • the processor 1002 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest priority is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the border security gateway information list includes: weights of multiple border security gateways.
  • the processor 1002 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the highest weight is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the transceiver 1001 is configured to receive the first message from the second border security gateway, including:
  • the information list of the border security gateway of the operator network where the second border security gateway is located is received through the N32-c channel.
  • the processor 1002 is further configured to update the recorded border security gateway information list to the border security gateway information list of the operator network where the second border security gateway is located under the current timestamp;
  • the transceiver 1001 is also used to send a 200 OK message to the second border security gateway.
  • the transceiver 1001 is further configured to send an error response message to the second border security gateway if the first border security gateway cannot identify the first message, or cannot record the border security gateway information list of the operator network where the second border security gateway is located.
  • the processor 1002 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, including:
  • the third border security gateway with the least occupied load is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  • the processor 1002 is further configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
  • the transceiver 1001 is configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, including:
  • the signaling message is encrypted using the N32-f context of the third border security gateway, and the encrypted signaling message is sent to the third border security gateway.
  • the second border security gateway and the first border security gateway in the embodiments shown in FIG. 2 to FIG. 4 may implement similar functions.
  • the second border security gateway may also be the device and server shown in FIG. 9 and FIG. 10 .
  • FIG. 11 is a schematic diagram of another signaling message processing apparatus provided by an embodiment of the present application.
  • the signaling message processing apparatus shown in FIG. 11 is used to implement the methods performed by the first border security gateway in the embodiments shown in the foregoing FIG. 6 to FIG. 8.
  • the signaling message processing apparatus includes a transceiver unit 1101 and a processing unit 1102.
  • the transceiver unit 1101 is configured to receive a signaling message from the second border security gateway.
  • the processing unit 1102 is configured to acquire the N32-f context shared among multiple border security gateways in the operator's network, and use the shared N32-f context to process the received signaling message.
  • the processing unit 1102 is further configured to encrypt the signaling message using the transport layer security key.
  • the transceiver unit 1101 is further configured to send the encrypted signaling message to the first network function network element.
  • FIG. 12 is a schematic diagram of another server provided by an embodiment of the present application.
  • the server may be a device (e.g., a chip) capable of executing the signaling message processing method in the embodiments shown in FIG. 6 to FIG. 8.
  • the server may include a transceiver 1201, at least one processor 1202 and memory 1203.
  • the transceiver 1201, the processor 1202 and the memory 1203 may be connected to each other through one or more communication buses, or may be connected to each other in other ways.
  • the transceiver 1201 may be used for sending data or receiving data. It can be understood that the transceiver 1201 is a general term and may include a receiver and a transmitter.
  • the processor 1202 may be used to process the data of the server.
  • the processor 1202 may include one or more processors, for example, the processor 1202 may be one or more central processing units (CPUs), network processors (NPs), hardware chips, or any combination thereof.
  • When the processor 1202 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
  • the memory 1203 is used for storing program codes and the like.
  • the memory 1203 may include volatile memory, such as random access memory (RAM).
  • the memory 1203 may also include non-volatile memory, such as read-only memory (ROM), flash memory, hard disk drive (HDD) or solid-state drive (SSD); the memory 1203 may also include a combination of the above-mentioned types of memory.
  • processor 1202 and memory 1203 may be coupled through an interface, or may be integrated together, which is not limited in this embodiment.
  • the transceiver 1201 and the processor 1202 described above can be used to execute the signaling message processing methods in the embodiments shown in FIG. 6 to FIG. 8, and the specific implementation is as follows:
  • the transceiver 1201 is configured to receive a signaling message from the second border security gateway;
  • the processor 1202 is configured to acquire the N32-f context shared among multiple border security gateways in the operator's network, and use the shared N32-f context to process the received signaling message.
  • the processor 1202 is further configured to encrypt signaling messages with transport layer security keys.
  • the transceiver 1201 is further configured to send the encrypted signaling message to the first network function network element.
  • An embodiment of the present application provides a communication system, where the communication system includes the first communication device and the second communication device described in the foregoing embodiments.
  • An embodiment of the present application provides a computer-readable storage medium, where a program or an instruction is stored in the computer-readable storage medium, and when the program or instruction is executed on a computer, the computer can execute the signaling message processing method in the embodiment of the present application.
  • An embodiment of the present application provides a chip or a chip system, the chip or chip system includes at least one processor and an interface, the interface and the at least one processor are interconnected by a line, and the at least one processor is used to run a computer program or instruction to perform the signaling message processing method in the embodiment of the present application.
  • the interface in the chip may be an input/output interface, a pin or a circuit, or the like.
  • the chip system in the above aspects may be a system on chip (system on chip, SOC), or a baseband chip, etc.
  • the baseband chip may include a processor, a channel encoder, a digital signal processor, a modem, an interface module, and the like.
  • the chip or chip system described above in this application further includes at least one memory, where instructions are stored in the at least one memory.
  • the memory may be a storage unit inside the chip, such as a register, a cache, etc., or a storage unit of the chip (eg, a read-only memory, a random access memory, etc.).
  • a computer program product includes one or more computer instructions.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, wireless, microwave).
  • a computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, or the like that includes an integration of one or more available media.
  • the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., high-density digital video discs (DVDs)), or semiconductor media (e.g., solid state disks (SSDs)).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present application provide a signaling message processing method. In the signaling message processing method, an edge security gateway in a first operator network receives an edge security gateway information list of a second operator network, and selects one edge security gateway in the edge security gateway list as a third edge security gateway. The third edge security gateway may share a signaling message processing task with a second edge security gateway, so as to implement load balancing among a plurality of edge security gateways in the second operator network.

Description

一种信令消息处理方法、装置和系统A signaling message processing method, device and system
本申请要求于2021年3月30日提交中国国家知识产权局、申请号为202110342633.0、申请名称为“一种信令消息处理方法、装置和系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application with the application number 202110342633.0 and the application title "A Signaling Message Processing Method, Device and System" submitted to the State Intellectual Property Office of China on March 30, 2021, the entire contents of which are approved by Reference is incorporated in this application.
技术领域technical field
本申请涉及通信技术领域,尤其涉及一种信令消息处理方法、系统及装置。The present application relates to the field of communication technologies, and in particular, to a signaling message processing method, system, and device.
背景技术Background technique
第三代合作伙伴计划(3 rdgenerationpartnershipproject,3GPP)定义了安全和边界代理(securityandedgeprotectionproxy,SEPP)设备作为第五代移动通信核心网(5 thgenerationcore,5GC)的边界安全网关。SEPP作为运营商网络之间的对接的代理设备,使得网络功能(networkfunction,NF)网元与漫游伙伴(roamingpartner,RP)之间的信令交互,通过发起SEPP(initiating SEPP)和应答SEPP(responding SEPP)之间的交互实现。其中,initiating SEPP和responding SEPP之间采用N32接口相连接。 The 3rd generation partnership project (3GPP) defines a security and edge protection proxy ( SEPP ) device as the edge security gateway of the 5th generation core network (5GC). SEPP acts as a proxy device for docking between operator networks, enabling the signaling interaction between the network function (NF) network element and the roaming partner (RP), through initiating SEPP (initiating SEPP) and responding SEPP (responding) The interaction between SEPP) is realized. Among them, the initiating SEPP and the responding SEPP are connected by the N32 interface.
其中,initiating SEPP和responding SEPP需要通过握手流程来协商共享秘钥和加密算法,协商完成后根据N32转发接口(N32-f)上下文进行信令交互。一方面,在多个SEPP共用完全合格域名(fullyqualifieddomainname,FQDN)的场景中,针对多个SEPP只生成一个N32-f上下文。而每个信令消息都要携带一个消息序号,该序号在同一个N32-f上下文中不重复。多个SEPP共用FQDN的场景中只有一个N32-f上下文,可能会限制SEPP对信令消息的并发处理。Among them, the initiating SEPP and the responding SEPP need to negotiate the shared secret key and encryption algorithm through the handshake process. After the negotiation is completed, the signaling interaction is performed according to the N32 forwarding interface (N32-f) context. On the one hand, in a scenario where multiple SEPPs share a fully qualified domain name (FQDN), only one N32-f context is generated for multiple SEPPs. Each signaling message must carry a message sequence number, and the sequence number is not repeated in the same N32-f context. In the scenario where multiple SEPPs share the FQDN, there is only one N32-f context, which may limit the concurrent processing of signaling messages by SEPPs.
SUMMARY OF THE INVENTION
Embodiments of this application provide a signaling message processing method and apparatus. The method can achieve load balancing among multiple SEPPs in the same operator network.
In a first aspect, an embodiment of this application provides a signaling message processing method performed by a first border security gateway. The first border security gateway receives the border security gateway information list of the operator network where a second border security gateway is located, and selects a third border security gateway from that list. The first border security gateway sends an encrypted signaling message to the third border security gateway. A border security gateway in the first operator network can thus pick any gateway from the list as the third border security gateway, and the third border security gateway can share the signaling message processing load with the second border security gateway, which achieves load balancing among the multiple border security gateways in the second operator network.
In one possible design, the first border security gateway sends the third border security gateway a signaling message encrypted with the N32-f context, or a signaling message encrypted with a transport layer security key. For the different SEPP interconnection schemes, this embodiment therefore specifies how signaling messages between SEPPs are encrypted, which helps ensure the security of information transmission.
In one possible design, the first border security gateway sends the second border security gateway the border security gateway information list of the operator network where the first border security gateway is located. This list includes a fourth border security gateway. The second border security gateway sends signaling messages using the N32-f context of the fourth border security gateway. A border security gateway in the second operator network can thus send signaling messages to a pre-assigned border security gateway in the first operator network (that is, a border security gateway in the list), which achieves load balancing among the multiple border security gateways in the first operator network. In other words, the border security gateways in the first operator network and those in the second operator network can implement similar functions.
In one possible design, if no associated N32-f context has been created between the first border security gateway and the third border security gateway, the first border security gateway negotiates with the third border security gateway to obtain an N32-f context and sends the signaling message using the negotiated N32-f context.
In one possible design, if an associated N32-f context has already been created between the first border security gateway and the third border security gateway, the first border security gateway sends the signaling message using the associated N32-f context.
In one possible design, the first border security gateway receives the first message from the second border security gateway while performing the N32-c handshake with the second border security gateway.
In one possible design, the encrypted signaling message is forwarded to the third border security gateway through an IPX device.
In one possible design, the border security gateway information list includes the priorities of multiple border security gateways. The first border security gateway selects the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located. The pre-assigned border security gateway in the second operator network is thus the one with the highest priority; that is, the first border security gateway preferentially sends signaling messages to the high-priority third border security gateway, which helps balance the network load.
In one possible design, the border security gateway information list includes the weights of multiple border security gateways. The first border security gateway selects the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located. The pre-assigned border security gateway in the second operator network is thus the one with the highest weight; that is, the first border security gateway preferentially sends signaling messages to the high-weight third border security gateway, which helps balance the network load.
In one possible design, the border security gateway information list includes the identifiers of multiple border security gateways. The identifier of a border security gateway is any information that identifies one border security gateway, such as a fully qualified domain name, an IP address or a number.
In one possible design, the first border security gateway receives the first message through the N32-c channel. The first message includes the border security gateway information list of the operator network where the second border security gateway is located. The first message is an N32-c message.
In one possible design, the border security gateway information list includes a timestamp. If the first border security gateway has already recorded a border security gateway information list, it updates the recorded list to the border security gateway information list of the second border security gateway's operator network under the current timestamp. The first border security gateway sends a 200 OK message to the second border security gateway.
In one possible design, if the first border security gateway has not recorded a border security gateway information list, it records the border security gateway information list of the second border security gateway's operator network under the current timestamp.
In one possible design, if the first border security gateway cannot recognize the first message, or cannot record the border security gateway information list of the operator network where the second border security gateway is located, the first border security gateway sends an error response message to the second border security gateway.
In one possible design, the first border security gateway selects, from the border security gateway information list of the operator network where the second border security gateway is located, the third border security gateway with the least occupied load. The pre-assigned border security gateway in the second operator network is thus the one with the least occupied load; that is, the first border security gateway preferentially sends signaling messages to the third border security gateway with the least occupied load, which helps balance the network load.
In one possible design, the first border security gateway updates the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by the signaling messages it sends. The third border security gateway's load information can thus be refreshed dynamically, so that the first border security gateway dynamically adjusts the load it sends to the border security gateways in the second operator network.
In one possible design, the first border security gateway encrypts the signaling message using the N32-f context of the third border security gateway, and sends the encrypted signaling message to the third border security gateway.
In one possible design, the N32-f context includes a context identifier, N32-f peer information, and an N32-f security context. The context identifier identifies the N32-f context; after the first border security gateway and the second border security gateway negotiate and generate the N32-f context, both can find the corresponding N32-f context by its context identifier. The N32-f peer information includes information about the peer SEPP (the SEPP's identifier, address, and operator network identifier). For example, the N32-f peer information in the first border security gateway's local N32-f context includes the identifier and address of the second border security gateway and the identifier of the operator network where the second border security gateway is located. Correspondingly, the N32-f peer information in the second border security gateway's local N32-f context includes the identifier and address of the first border security gateway and the identifier of the operator network where the first border security gateway is located.
In one possible design, the N32-f security context includes security-related information. For example, the N32-f security context includes the session key used for communication between the first border security gateway and the second border security gateway, the algorithm suite negotiated between the two gateways, and the security information list of the IP exchange service (the IPX identifier, public key, and so on). The first border security gateway may encrypt the signaling message using the session key in the N32-f security context, and then send the encrypted signaling message to the second border security gateway.
In one possible design, the first border security gateway receives a signaling message sent by a network function (NF) network element (or device). The first border security gateway then encrypts the received signaling message and sends the encrypted signaling message to the third border security gateway. In the solution provided by this embodiment, the first border security gateway can thus encrypt the signaling message sent by the NF and send it to the third border security gateway for processing.
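The list handling and selection designs of the first aspect, as an added Python sketch that is not part of the patent text: the first border security gateway records or updates the peer list by timestamp, selects a peer SEPP by priority, weight or least load, reuses or creates a per-SEPP N32-f context, and refreshes the load after sending. Assumptions: the field names (`timestamp`, `sepp_list`, `id`), larger numbers meaning higher priority and weight, status 400 for the error response, and rejection of a list older than the recorded one; the context record stands in for the negotiated N32-f context and no cryptography is performed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SeppEntry:
    ident: str         # FQDN, IP address or number identifying one SEPP
    priority: int = 0  # assumption: a larger value means higher priority
    weight: int = 0    # assumption: a larger value means higher weight
    load: int = 0      # bytes this gateway has already sent to the SEPP


@dataclass
class PeerList:
    timestamp: int
    entries: Dict[str, SeppEntry]


class FirstSepp:
    """List handling and peer selection on the first border security gateway."""

    def __init__(self) -> None:
        self.peer_lists: Dict[str, PeerList] = {}  # keyed by peer network id
        self.contexts: Dict[str, dict] = {}        # one N32-f context per peer SEPP

    def handle_first_message(self, network: str, msg: dict) -> int:
        """Record or update the peer list; return 200 (OK) or 400 (error)."""
        try:
            ts = int(msg["timestamp"])
            entries = {
                str(e["id"]): SeppEntry(str(e["id"]), int(e.get("priority", 0)),
                                        int(e.get("weight", 0)))
                for e in msg["sepp_list"]
            }
        except (KeyError, TypeError, ValueError):
            return 400  # first message not recognised
        if not entries:
            return 400  # nothing that could be recorded
        known = self.peer_lists.get(network)
        if known is not None:
            if ts < known.timestamp:
                return 400  # assumption: an older list never replaces a newer one
            for ident, entry in entries.items():  # keep local load counters
                if ident in known.entries:
                    entry.load = known.entries[ident].load
        self.peer_lists[network] = PeerList(ts, entries)
        return 200

    def select(self, network: str, policy: str) -> SeppEntry:
        """Pick the third border security gateway from the recorded list."""
        entries = list(self.peer_lists[network].entries.values())
        if policy == "priority":
            return max(entries, key=lambda e: e.priority)
        if policy == "weight":
            return max(entries, key=lambda e: e.weight)
        if policy == "least_load":
            return min(entries, key=lambda e: e.load)
        raise ValueError(f"unknown policy: {policy}")

    def context_for(self, sepp_id: str) -> Tuple[dict, bool]:
        """Return (context, created): reuse an associated context, otherwise
        create one (this stands in for the negotiation with the peer)."""
        ctx = self.contexts.get(sepp_id)
        if ctx is not None:
            return ctx, False
        ctx = {"context_id": f"n32f-{len(self.contexts) + 1}",
               "peer": sepp_id, "next_seq": 0}
        self.contexts[sepp_id] = ctx
        return ctx, True

    def send(self, network: str, payload: bytes, policy: str) -> dict:
        """Select a peer, take the next sequence number of its context and
        account for the traffic sent. Returns the routing decision."""
        target = self.select(network, policy)
        ctx, created = self.context_for(target.ident)
        seq = ctx["next_seq"]         # unique within this N32-f context only
        ctx["next_seq"] += 1
        target.load += len(payload)   # refresh the load information after sending
        return {"to": target.ident, "context_id": ctx["context_id"],
                "seq": seq, "new_context": created}


if __name__ == "__main__":
    # Constructed sample of a first message carrying the peer network's list.
    sample = {"timestamp": 100, "sepp_list": [
        {"id": "sepp1.b.example", "priority": 1, "weight": 10},
        {"id": "sepp2.b.example", "priority": 2, "weight": 5}]}
    gw = FirstSepp()
    print(gw.handle_first_message("network-b", sample))
    for size in (50, 10, 10):
        print(gw.send("network-b", b"x" * size, "least_load"))
```

Because each peer SEPP has its own context record, the sequence counters advance independently, which is the concurrency limit of a single shared N32-f context that the background section describes.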
In a second aspect, an embodiment of this application provides another signaling message processing method, performed by a first border security gateway. The first border security gateway receives a signaling message from a second border security gateway. The first border security gateway obtains the N32-f context shared among multiple border security gateways of its operator network, and uses the shared N32-f context to process the received signaling message. The multiple border security gateways include the first border security gateway. The N32-f context can thus be shared among multiple border security gateways of the same operator network, so that signaling messages from an external operator network can be distributed evenly among the multiple border security gateways of the same operator network.
In one possible design, the first border security gateway establishes a transport layer security link with a first network function network element, encrypts the signaling message with the transport layer security key, and sends the encrypted signaling message to the first network function network element. The border security gateway can thus encrypt the signaling message with the transport layer security key and send the encrypted signaling message to the destination network function network element of the signaling message.
In a third aspect, an embodiment of this application provides a signaling message processing method performed by a network function (NF) network element. The network function network element obtains the border security gateway information list of its operator network, and selects one border security gateway from that list (referred to in this aspect as the fourth border security gateway). The network function network element then sends an encrypted signaling message to the fourth border security gateway. The NF can thus pick any gateway from the list as the fourth border security gateway; that is, all the border security gateways in the list can share the signaling message processing load, which achieves load balancing among the multiple border security gateways in the operator network.
In one possible design, the NF sends the fourth border security gateway a signaling message encrypted with a transport layer security key. This embodiment thus uses the transport layer security key to encrypt the signaling message, which helps ensure the security of information transmission.
In one possible design, the NF selects the fourth border security gateway from the border security gateway information list in the same way that the first border security gateway selects the third border security gateway from the border security gateway information list in the first aspect, for example by selecting the border security gateway with the highest priority or the highest weight. For the specific implementation, refer to the first aspect above; details are not repeated here.
In one possible design, the border security gateway information list includes the identifiers of multiple border security gateways. The identifier of a border security gateway is any information that identifies one border security gateway, such as a fully qualified domain name, an IP address or a number.
In one possible design, the NF may receive the border security gateway information list of its operator network from the first border security gateway. In this case, the NF and the first border security gateway belong to the same operator network.
In one possible design, the NF may obtain the border security gateway information list of its operator network from local configuration or from the network repository function (NRF). In this case, the NF and the NRF belong to the same operator network.
In one possible design, the border security gateway information list includes a timestamp. If the NF has already recorded a border security gateway information list, the NF updates the recorded list to the border security gateway information list under the current timestamp, so that the NF's local border security gateway information list is up to date.
In one possible design, if the NF has not recorded a border security gateway information list, the NF records the border security gateway information list of its operator network under the current timestamp.
In one possible design, if the NF cannot recognize the first message, or cannot record (update) the border security gateway information list, the NF sends an error response message to the first border security gateway.
In one possible design, the first border security gateway updates the load information of the fourth border security gateway in the border security gateway information list according to the traffic occupied by the signaling messages sent. The fourth border security gateway's load information can thus be refreshed dynamically, so that the NF dynamically adjusts the load it sends to the border security gateways of the local operator network.
In a fourth aspect, an embodiment of this application provides a signaling message processing apparatus that includes a transceiver unit and a processing unit. The transceiver unit is configured to receive a first message from a second border security gateway, where the first message includes the border security gateway information list of the operator network where the second border security gateway is located. The processing unit is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located. The transceiver unit is further configured to send an encrypted signaling message to the third border security gateway.
In one possible design, the transceiver unit being configured to send an encrypted signaling message to the third border security gateway includes:
sending the third border security gateway a signaling message encrypted with the N32-f context, or sending the third border security gateway a signaling message encrypted with a transport layer security key.
In one possible design, the transceiver unit is further configured to send a second message to the second border security gateway, where the second message includes the border security gateway information list of the operator network where the first border security gateway is located.
In one possible design, the transceiver unit being further configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
if no associated N32-f context has been created between the first border security gateway and the third border security gateway, the transceiver unit negotiates with the third border security gateway to obtain an N32-f context and sends the signaling message using the negotiated N32-f context.
In one possible design, the border security gateway information list includes the priorities of multiple border security gateways. The processing unit being configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
selecting the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located.
In one possible design, the border security gateway information list includes the weights of multiple border security gateways. The processing unit being configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
selecting the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located.
In one possible design, the transceiver unit being configured to receive the first message from the second border security gateway includes:
receiving, through the N32-c channel, the border security gateway information list of the operator network where the second border security gateway is located.
In one possible design, the border security gateway information list includes a timestamp. The processing unit is further configured to, if the processing unit has already recorded a border security gateway information list, update the recorded list to the border security gateway information list of the second border security gateway's operator network under the current timestamp. The transceiver unit is further configured to send a 200 OK message to the second border security gateway.
In one possible design, the processing unit is further configured to send an error response message to the second border security gateway if the processing unit cannot recognize the first message, or cannot record the border security gateway information list of the operator network where the second border security gateway is located.
In one possible design, the processing unit being configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
selecting, from the border security gateway information list of the operator network where the second border security gateway is located, the third border security gateway with the least occupied load.
In one possible design, the processing unit is configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
In one possible design, the transceiver unit being configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
encrypting the signaling message using the N32-f context of the third border security gateway, and sending the encrypted signaling message to the third border security gateway.
In one possible design, the transceiver unit in the first border security gateway is further configured to receive a signaling message sent by a network function device, and the processing unit is further configured to encrypt the received signaling message. The transceiver unit then sends the encrypted signaling message to the third border security gateway.
In a fifth aspect, an embodiment of this application provides a signaling message processing apparatus, which may be a device or a chip or circuit provided in a device. The apparatus includes units and/or modules for performing the signaling message processing method provided in any possible design of the first, second, or third aspect, and can therefore also achieve the beneficial effects of the signaling message processing method provided in the first aspect.
In a sixth aspect, an embodiment of this application provides a computer-readable storage medium that includes a program or instructions. When the program or instructions are run on a computer, the computer performs the method in any possible implementation of the first, second, or third aspect.
In a seventh aspect, an embodiment of this application provides a chip or chip system that includes at least one processor and an interface. The interface and the at least one processor are interconnected through a line, and the at least one processor is configured to run a computer program or instructions to perform the method described in any possible implementation of the first, second, or third aspect.
The interface in the chip may be an input/output interface, a pin, a circuit, or the like.
The chip system in the above aspects may be a system on chip (SOC), a baseband chip, or the like, where the baseband chip may include a processor, a channel encoder, a digital signal processor, a modem, an interface module, and so on.
In one possible implementation, the chip or chip system described above in this application further includes at least one memory in which instructions are stored. The memory may be a storage unit inside the chip, such as a register or a cache, or a storage unit of the chip (for example, a read-only memory or a random access memory).
In an eighth aspect, an embodiment of this application provides a computer program or computer program product that includes code or instructions. When the code or instructions are run on a computer, the computer performs the method in any possible implementation of the first, second, or third aspect.
In a ninth aspect, this embodiment further provides a communication system that includes the network function NF and the border security gateway described above.
In the solution provided by any of the above aspects, the N32-f context may be an N32-f security context.
In the technical solution of any of the above aspects, the signaling message may be a roaming message.
In the technical solution of any of the above aspects, the signaling message may be a service discovery request or a network slice request.
In the technical solution of any of the above aspects, the network function NF device may be a device in the 5G core network such as a session management function (SMF), a user plane function (UPF), a policy control function (PCF), or an access and mobility management function (AMF).
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1a and FIG. 1b are schematic diagrams of network scenarios provided by embodiments of this application;
FIG. 2 is a schematic flowchart of a signaling message processing method provided by an embodiment of this application;
FIG. 3 is a schematic flowchart of another signaling message processing method provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of still another signaling message processing method provided by an embodiment of this application;
FIG. 5 is a schematic diagram of another network scenario provided by an embodiment of this application;
FIG. 6 is a schematic flowchart of yet another signaling message processing method provided by an embodiment of this application;
FIG. 7 is a schematic flowchart of sharing an N32-f context between border security gateways in the same operator network, provided by an embodiment of this application;
FIG. 8 is another schematic flowchart of sharing an N32-f context between border security gateways in the same operator network, provided by an embodiment of this application;
FIG. 9 is a schematic diagram of a signaling message processing apparatus provided by an embodiment of this application;
FIG. 10 is a schematic diagram of a server provided by an embodiment of this application;
FIG. 11 is a schematic diagram of another signaling message processing apparatus provided by an embodiment of this application;
FIG. 12 is a schematic diagram of another server provided by an embodiment of this application.
具体实施方式Detailed ways
In the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, instance or illustration. Any embodiment or design described in the embodiments of the present application as "exemplary" or "for example" should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a concrete manner.
In the embodiments of the present application, the terms "second" and "first" are used for description purposes only, and cannot be understood as indicating or implying relative importance or implicitly specifying the number of the indicated technical features. Thus, a feature defined as "second" or "first" may explicitly or implicitly include one or more of that feature. In the description of this application, unless stated otherwise, "a plurality of" means two or more.
In the embodiments of this application, the term "a plurality of" means two or more. For example, a plurality of first border security gateways means two or more first border security gateways.
It should be understood that the terminology used in the description of the various examples herein is for the purpose of describing particular examples only and is not intended to be limiting. As used in the description of the various examples and in the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that, in the embodiments of the present application, the magnitude of the sequence number of each process does not imply an order of execution. The execution order of the processes should be determined by their functions and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments of the present application.
It should be understood that the term "include" (also "includes", "including", "comprises" and/or "comprising"), when used in this specification, specifies the presence of the stated features, integers, steps, operations, elements and/or components, but does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings in the embodiments of the present application.
The 3rd Generation Partnership Project (3GPP) defines the security edge protection proxy (SEPP) as the border security gateway of the fifth-generation mobile communication core network. The SEPP acts as the interconnection proxy between operator networks, so that signaling between a network function (NF) network element and a roaming partner is carried by the interaction between an initiating SEPP and a responding SEPP. The interface between SEPPs is defined as the N32 interface, and all messages that cross operator networks during roaming must be forwarded over the N32 interface. The SEPP needs to provide message access and security protection capabilities for roaming scenarios.
The initiating SEPP and the responding SEPP negotiate a shared key and an encryption algorithm through a handshake procedure. After the negotiation is completed, signaling is exchanged according to the N32 forwarding interface (N32-f) context. Currently, there are two multi-SEPP deployment scenarios: multiple SEPPs sharing one fully qualified domain name (FQDN), and multiple SEPPs using different FQDNs.
For example, in the scenario where multiple SEPPs share an FQDN, one N32-f context is generated for the multiple SEPPs. Each message must carry a message sequence number that is not repeated within the same N32-f context. Because there is only one N32-f context in this scenario, concurrent processing of signaling messages may be limited. As another example, in the scenario where multiple SEPPs do not share an FQDN, the initiating SEPP can exchange signaling only with the responding SEPP with which it negotiated the N32-f context, which may lead to unbalanced load among the SEPPs in the operator network where the responding SEPP is located.
To solve the above problems, an embodiment of the present application provides a signaling message processing method that can achieve load balancing among multiple SEPPs. The method can be applied to the network scenarios shown in FIG. 1a and FIG. 1b. In the embodiments shown in FIG. 1a and FIG. 1b, the first border security gateway is a SEPP of the first operator network, and the second border security gateway is a SEPP of the second operator network. The first operator network and the second operator network may be different operator networks.
The network scenarios shown in FIG. 1a and FIG. 1b include the network functions in the first operator network, the first border security gateway, an IP exchange service (IPX), the second border security gateway, and the network functions in the second operator network. The first border security gateway and the second border security gateway are interconnected in a direct connection mode or a forwarding mode.
For example, the first border security gateway and the second border security gateway in FIG. 1a interact using the protocol for N32 interconnect security (PRINS), and are interconnected in forwarding mode. The first border security gateway and the second border security gateway create a pair of directly connected transport layer security (TLS) links (tunnels), N32-c, complete mutual authentication by means of the TLS mechanism, and derive a shared key based on the TLS link. The two gateways complete the N32-c handshake procedure over the TLS link and negotiate the PRINS context. Application-layer messages are protected for confidentiality and integrity using the context and the shared key, and are forwarded to the peer SEPP through the IPX.
As another example, the first border security gateway and the second border security gateway in FIG. 1b are interconnected in direct connection mode. A TLS tunnel is established between the first border security gateway and the second border security gateway, and messages are transmitted to each other through the TLS tunnel, thereby ensuring the integrity and confidentiality of message transmission. FIG. 1a and FIG. 1b each include one first border security gateway and one second border security gateway; this network scenario is only an example. In practice, the first operator network may have multiple border security gateways, and the second operator network may also have multiple border security gateways.
The network functions in the first operator network and in the second operator network may include but are not limited to: the access and mobility management function (AMF), the session management function (SMF), the policy control function (PCF), the network repository function (NRF), the network slice selection function (NSSF), and so on.
FIG. 2 is a schematic flowchart of a signaling message processing method according to an embodiment of the present application. The method is implemented by the interaction between the first border security gateway and the second border security gateway, and includes the following steps:
201: The first border security gateway receives a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located;
202: The first border security gateway selects a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
203: The first border security gateway sends an encrypted signaling message to the third border security gateway.
In the following description, a border security gateway is abbreviated as SEPP. For example, the first border security gateway is the first SEPP, the second border security gateway is the second SEPP, and the border security gateway information list is the SEPP information list. In this embodiment, the first SEPP is the SEPP through which the first operator network interconnects with the second operator network, and the second SEPP is the SEPP through which the second operator network interconnects with the first operator network. It should be understood that the second operator network may further include one or more other SEPPs, whose SEPP information is stored in the SEPP information list of the second operator network. The SEPP information list is carried in the first message and sent by the second SEPP to the interconnected first SEPP; that is, the SEPP information list sent by the second SEPP contains the SEPP information of all SEPPs in the second operator network.
The first message includes the SEPP information list of the operator network where the second SEPP is located. The SEPP information list includes the respective SEPP information of multiple SEPPs in that operator network. The SEPP information of each SEPP may include information indicating that SEPP's capability to handle load. That is, by receiving the first message, the first SEPP obtains the information of multiple SEPPs in the operator network where the second SEPP is located. The first SEPP can then select, based on that information, the SEPP to which it sends signaling messages, which facilitates load balancing among the multiple SEPPs in the operator network where the second SEPP is located.
The information of any SEPP in the second operator network may include fields such as the identifier, priority and weight of the SEPP. The identifier of a SEPP is any information that can identify one SEPP, for example the fully qualified domain name (FQDN) of the SEPP, an IP address, or a number of the SEPP. The priority or the weight of a SEPP may be used to indicate the SEPP's capability to handle load. For example, when the second operator network deploys multiple SEPPs, each SEPP is pre-allocated a certain load-handling capability, which is indicated by the SEPP's priority or weight. For example, the priority of the second SEPP is the second priority, and the priority of the third SEPP is the first priority. The first priority being higher than the second priority means that the third SEPP's capability to handle load is higher than that of the second SEPP. When the first SEPP selects a SEPP from the SEPP information list of the second operator network to send a message to, the first SEPP preferentially selects the third SEPP.
For example, Table 1 is a SEPP information list provided by an embodiment of the present application. In this embodiment, the operator network where the second SEPP is located is assumed to include three SEPPs: SEPP_1, SEPP_2 and SEPP_3. The identifier, priority and weight of each SEPP are shown in Table 1.

Table 1: A SEPP information list

| No. | SEPP identifier | SEPP priority | SEPP weight |
|---|---|---|---|
| SEPP_1 | sepp1.com | First priority | First weight |
| SEPP_2 | sepp2.com | Second priority | Second weight |
| SEPP_3 | sepp3.com | Third priority | Third weight |

Table 1 records the identifier, priority, weight and other information of each of the three SEPPs, so that the first SEPP can obtain from Table 1 the load-handling capability of each SEPP in the second operator network.
Optionally, the SEPP information list further includes the load already occupied on each SEPP. For example, the second SEPP may collect, at the current moment, the occupied load of each of the multiple SEPPs in the SEPP information list, such as the second SEPP, the third SEPP and the fourth SEPP. The second SEPP records the occupied load of each SEPP in the SEPP information list, so that the first SEPP preferentially selects from the list a SEPP with less occupied load. For example, the SEPP information list shown in Table 1 can be updated to the SEPP information list shown in Table 2.
Table 2: Another SEPP information list
Figure PCTCN2022082102-appb-000001
Compared with Table 1, Table 2 adds a field for the load occupied on the SEPP. This field indicates the load already occupied on each SEPP in the second operator network, and therefore indicates each SEPP's remaining capability to handle load.
Optionally, the SEPP information list further includes a timestamp field. The timestamp indicates the time at which the first SEPP recorded the SEPP information in the SEPP information list. For example, the first SEPP obtains the SEPP information of the operator network where the second SEPP is located, records that information, and records the current time as the timestamp. As another example, if the first SEPP has previously recorded SEPP information of the operator network where the second SEPP is located, the first SEPP records the SEPP information of that operator network again (that is, overwrites the original record) and records the current time as the timestamp again (updates the timestamp).
In one implementation, the first SEPP may determine the third SEPP, to which the signaling message is sent, according to the respective priorities of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_1, which has the highest priority, from the SEPP information list (that is, SEPP_1 is the third SEPP), and uses the N32-f context of SEPP_1 to send a signaling message to SEPP_1. The SEPP information list here also includes the second SEPP. If the second SEPP is the SEPP with the highest priority in the SEPP information list, the first SEPP uses the N32-f context of the second SEPP to send the signaling message to the second SEPP. For example, the first SEPP receives the first message from SEPP_1. When SEPP_1 is the SEPP with the highest priority in the SEPP information list, the first SEPP preferentially selects SEPP_1 and uses the N32-f context of SEPP_1 to send a signaling message to SEPP_1.
In another implementation, the first SEPP may determine the third SEPP, to which the signaling message is sent, according to the respective weights of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_1, which has the highest weight, from the SEPP information list, and uses the N32-f context of SEPP_1 to send a signaling message to the third SEPP. The SEPP information list here also includes the second SEPP. If the second SEPP is the SEPP with the highest weight in the SEPP information list, the first SEPP uses the N32-f context of the second SEPP to send the signaling message to the second SEPP.
In the above two implementations, when the current load margin of the third SEPP, which has the highest priority or weight in the operator network where the second SEPP is located, is lower than a preset first threshold (or its load is greater than a preset second threshold), the first SEPP may select the fourth SEPP, which has the second-highest priority or weight in that operator network; that is, the third SEPP is not selected. By analogy, when the current load margin of the fourth SEPP is lower than the preset first threshold, the first SEPP selects the fifth SEPP, which has the third-highest priority or weight in the operator network where the second SEPP is located. This prevents a SEPP in the operator network where the second SEPP is located from being given more load than it can handle, thereby avoiding network congestion.
In one implementation, the first SEPP determines the third SEPP, to which the signaling message is sent, according to the respective occupied loads of the multiple SEPPs in the SEPP information list. For example, the first SEPP selects SEPP_3, which has the least occupied load, from the SEPP information list, and uses the N32-f context of SEPP_3 to send a signaling message to SEPP_3.
In the above three implementations, the encrypted signaling message that the first SEPP sends to the third SEPP may be a signaling message encrypted at the application layer or a signaling message encrypted at the transport layer. In one implementation, the first SEPP sending application-layer-encrypted roaming information to the third SEPP means that the first SEPP encrypts the signaling message using the security context in the N32-f context of the third SEPP, and sends the encrypted signaling message to the third SEPP. For example, if the SEPP selected by the first SEPP from the SEPP information list is SEPP_1, the first SEPP encrypts the signaling message to be sent using the security context in the N32-f context of SEPP_1, and sends the encrypted signaling message to SEPP_1. Correspondingly, SEPP_1 receives the encrypted signaling message sent by the first SEPP, and decrypts it using the security context in its own N32-f context (its own N32-f context corresponds to the N32-f context of the first SEPP).
In another implementation, the first SEPP sending transport-layer-encrypted roaming information to the third SEPP means that the first SEPP encrypts the signaling message using a transport layer security key, and sends the encrypted signaling message to the third SEPP. For example, if no TLS link has been established between the first SEPP and the third SEPP, the first SEPP first establishes a TLS link with the third SEPP. The first SEPP then encrypts the signaling message using the TLS key, and sends the encrypted signaling message to the third SEPP over the TLS link between them.
The signaling message in this embodiment refers to a message that carries load. It is a different message from the first message, which carries the SEPP information list. For example, the first SEPP uses the N32-f context of the third SEPP to send a signaling message to the third SEPP, and the signaling message carries the load of the first SEPP.
The embodiment of the present application provides a signaling message processing method that is implemented by the interaction between SEPPs of two different operator networks. The SEPP in the first operator network selects any one SEPP from the SEPP information list of the second operator network and sends an encrypted signaling message to the selected SEPP, thereby achieving load balancing among the multiple SEPPs in the second operator network.
The application of the signaling message processing method provided by the embodiments of the present application to a static load balancing scenario and to a dynamic load balancing scenario is described in detail below. FIG. 3 is a schematic flowchart of another signaling message processing method provided by an embodiment of the present application. This signaling message processing method is applied in a static load balancing scenario. The static load balancing scenario in this embodiment is one based on preset priorities or weights. The method is implemented by the interaction between the first border security gateway and the second border security gateway, and includes the following steps:
301: When performing the N32-c handshake with the first border security gateway, the second border security gateway sends a first message to the first border security gateway, where the first message includes the border security gateway information list of the operator network where the second border security gateway is located;
302: The first border security gateway receives and records the border security gateway information list of the operator network where the second border security gateway is located;
303: The first border security gateway sends a 200 OK message to the second border security gateway;
304: When the first border security gateway and the second border security gateway complete N32-f context negotiation, the first border security gateway marks the second border security gateway in the border security gateway information list as an available border security gateway;
305: When the first border security gateway is to send a signaling message to the second border security gateway, the first border security gateway selects a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
306: The first border security gateway sends the signaling message to the third border security gateway using the N32-f context of the third border security gateway.
The second SEPP may send the first message to the first SEPP through the N32-c channel. That is, the first message in this embodiment is an N32-c message. For example, in the N32-c handshake phase, the second SEPP sends an Exchange-LoadControl message to the first SEPP, and the Exchange-LoadControl message includes the SEPP information list. For the SEPP information list, refer to the description of the SEPP information list in the embodiment of FIG. 2; details are not repeated here.
Optionally, before step 301, when the operator network where the second SEPP is located deploys multiple SEPPs whose FQDNs differ, different load-handling capabilities may be allocated to the different SEPPs in advance. For example, the operator network where the second SEPP is located deploys SEPP_1, SEPP_2 and SEPP_3, which are assigned different weights, as shown in Table 1. Based on this step of pre-allocating each SEPP's load-handling capability, the operator network where the second SEPP is located determines its own SEPP information list. The SEPP information list of that operator network obtained by the second SEPP may be information configured locally on the second SEPP, or information obtained through interaction between the SEPPs in that operator network. For example, the multiple SEPPs in the second operator network send their respective SEPP information to each other. Any SEPP in the second operator network (for example, the second SEPP) can record the information of the multiple SEPPs in its operator network, thereby generating the SEPP information list.
The first SEPP receives the SEPP information list of the operator network where the second SEPP is located, and determines whether a SEPP information list of that operator network has already been recorded locally. If the first SEPP has already recorded a SEPP information list of that operator network locally, the first SEPP updates the list and records the timestamp. If the first SEPP has not recorded a SEPP information list of that operator network locally, the first SEPP records the list and records the timestamp. Optionally, if the first SEPP cannot recognize the first message, or cannot record the SEPP information list of the operator network where the second SEPP is located, the first SEPP sends an error response message to the second SEPP. For example, when the first SEPP cannot recognize the first message, the first SEPP sends a 4xx/5xx error response message to the second SEPP. On receiving the error response message, the second SEPP no longer performs the subsequent N32-c negotiation procedure with the first SEPP.
其中,第二SEPP与第一SEPP之间完成N32-f上下文协商,第一SEPP可以将第二SEPP标记为可用边界安全网关。类似的,第三SEPP与第一SEPP之间完成N32-f上下文协商,第一SEPP可以将第三SEPP标记为可用边界安全网关。其中,第二SEPP与第一SEPP之间完成N32-f上下文协商的步骤可以参考协议标准3GPP TS 29.500中的相关描述,在此不再赘述。例如,第二SEPP所在运营商网络的SEPP信息列表中包括SEPP_1、SEPP_2和SEPP_3。当SEPP_1、SEPP_2和SEPP_3分别与第一SEPP完成N32-f上下文协商,第一SEPP将SEPP_1、SEPP_2和SEPP_3标记为可用SEPP。第一SEPP后续可以向SEPP_1、SEPP_2和SEPP_3发送信令消息。The N32-f context negotiation is completed between the second SEPP and the first SEPP, and the first SEPP may mark the second SEPP as an available border security gateway. Similarly, N32-f context negotiation is completed between the third SEPP and the first SEPP, and the first SEPP may mark the third SEPP as an available border security gateway. Wherein, for the steps of completing the N32-f context negotiation between the second SEPP and the first SEPP, reference may be made to the relevant description in the protocol standard 3GPP TS 29.500, which will not be repeated here. For example, the SEPP information list of the operator network where the second SEPP is located includes SEPP_1, SEPP_2 and SEPP_3. When SEPP_1, SEPP_2 and SEPP_3 respectively complete N32-f context negotiation with the first SEPP, the first SEPP marks SEPP_1, SEPP_2 and SEPP_3 as available SEPPs. The first SEPP may subsequently send signaling messages to SEPP_1, SEPP_2 and SEPP_3.
When the first SEPP sends a signaling message to the second SEPP, the first SEPP selects the third SEPP from the locally recorded SEPP information list and uses the context of the third SEPP to send the signaling message to the third SEPP. For the specific implementation, refer to the description of the corresponding steps in the embodiment of FIG. 2, which is not repeated here. When the first SEPP chooses to send signaling messages to the third SEPP, all signaling messages that the first SEPP sends to network functions in the second operator network are encrypted and forwarded using the N32-f context of the third SEPP.
In this embodiment, the first SEPP of the first operator network may select a designated SEPP according to the priority or weight preset in the SEPP information list of the second operator network, encrypt the signaling message using the N32-f context of the designated SEPP, and then send it, which ultimately achieves load balancing among the multiple SEPPs of the second operator network. It can be seen that, in the static load balancing scenario, the signaling messages that the first SEPP sends to the second operator network are all sent according to the load pre-allocated by the second operator network.
FIG. 4 is a schematic flowchart of yet another signaling message processing method provided by an embodiment of the present application. This signaling message processing method is applied in a dynamic load balancing scenario. The dynamic load balancing scenario in this embodiment is based on load control information (LCI). The load control mechanism enables an NF service producer to send its load information to an NF service consumer; the load information reflects the resource operating state of the NF service producer. Similarly, the first SEPP and the second SEPP in this embodiment are regarded as a SEPP service consumer (cSEPP) and a SEPP service producer (pSEPP), respectively, and vice versa. If the SEPPs support the 3gpp-Sbi-Lci header field, load control information can be exchanged between the first SEPP and the second SEPP.
The flow of the signaling message processing method in this embodiment is implemented through interaction among the first network function network element, the first border security gateway, the second border security gateway, and the second network function network element. When the first border security gateway is the SEPP service consumer and the second border security gateway is the SEPP service producer, the method includes the following steps:
401. The first border security gateway receives a service request message from the first network function network element, where the service request message includes service information of the first network function network element;
402. The first border security gateway determines the second border security gateway according to the locally recorded border security gateway information list and load control information of the second operator network;
403. The first border security gateway uses the N32-f context of the second border security gateway to send an N32-f request message to the second border security gateway, where the N32-f request message includes the border security gateway information list and load control information of the operator network where the first border security gateway is located, and the service information of the first network function network element;
404. The second border security gateway receives the N32-f request message from the first border security gateway, and records the border security gateway information list of the operator network where the first border security gateway is located;
405. The second border security gateway sends the service information of the first network function network element to the second network function network element;
406. The second border security gateway receives a service response message from the second network function network element, where the service response message includes the service response information of the second network function network element for the first network function network element;
407. The second border security gateway uses the N32-f context of the first border security gateway to send an N32-f response message to the first border security gateway, where the N32-f response message includes the border security gateway information list and load control information of the operator network where the second border security gateway is located, and the service response information of the second network function network element for the first network function network element;
408. The first border security gateway receives the N32-f response message from the second border security gateway, and updates the border security gateway information list of the operator network where the second border security gateway is located;
409. The first border security gateway sends, to the first network function network element, the service response of the second network function network element for the first network function network element.
The information exchange between a SEPP and an NF in this embodiment is based on FQDNs, that is, the information exchanged between the SEPP and the NF carries the SEPP FQDN and the NF FQDN. For example, the first NF queries the domain name system (DNS), or queries the NRF, to obtain the IP address corresponding to the first SEPP FQDN. As another example, the first NF has the IP address corresponding to the FQDN configured locally. The first NF sends the service request message to the address corresponding to the first SEPP FQDN. As another example, the first NF carries the FQDN of the target NF (for example, the second NF) in the 3gpp-Sbi-Target-apiroot field of the service request message, and sends the service request message to the first SEPP. The first SEPP receives the service request message and obtains the FQDN of the target NF from 3gpp-Sbi-Target-apiroot in the service request message.
Optionally, depending on the capabilities of the NF, the information exchange between the SEPP and the NF is based on FQDN routing. For example, FQDN routing is configured on the first NF. The first NF establishes a route to the first SEPP based on FQDN routing, and then sends the service request message over that route.
The first SEPP determines the operator network where the target NF is located according to the FQDN of the target NF, and checks whether its local records include the SEPP information list and load control information of that operator network (that is, the operator network where the second SEPP is located). When the local records include the SEPP information list and load control information of the operator network where the second SEPP is located, the first SEPP determines the second SEPP according to that SEPP information list and load control information. For the specific implementation, refer to the corresponding steps in the embodiment of FIG. 2, which are not repeated here. When the local records do not include the SEPP information list and load control information of the operator network where the second SEPP is located, the first SEPP sends a first request message to the second SEPP, where the first request message is used to request the SEPP information list and load control information of the operator network where the second SEPP is located. For example, the first SEPP and the second SEPP perform the N32-c handshake procedure to obtain the SEPP information list and load control information of the operator network where the second SEPP is located.
Compared with the embodiment of FIG. 3, in this embodiment the first SEPP can obtain both the SEPP information list of the operator network where the second SEPP is located and the SEPP load control information (SEPP LCI) of that operator network. For the SEPP information list, refer to the corresponding description in the embodiment of FIG. 2, which is not repeated here. The load control information includes a load control timestamp (LCT) and a load metric (LM). The LCT parameter indicates the time at which the LCI was generated. For example, the receiver of the LCI uses the LCT to correctly order LCIs that arrive out of sequence. The LM parameter indicates the current load level within the scope of the LCI. For example, the LM parameter of a SEPP indicates the current load level of that SEPP, expressed as a percentage in the range 0 to 100, where 0 means no load or 0% load and 100 means that the maximum or 100% load has been reached (that is, no further load capacity is available). Optionally, this embodiment uses LCI-based dynamic load balancing, and can also be extended to flow control using Oracle cloud infrastructure (OCI) parameters. Load balancing and flow control in scenarios with excessive traffic can be implemented based on the OCI parameters.
After the first SEPP determines (selects) the second SEPP, the first SEPP uses the N32-f context of the second SEPP to send an N32-f request message to the second SEPP. The N32-f request message may also carry the service information (load) of the first network function network element. For example, the first NF sends a service request message to the first SEPP, where the service request message includes the service information of the first network function network element. The first SEPP updates the locally recorded SEPP information list and load control information of the operator network where the second SEPP is located according to the load in the N32-f request message it sends. For example, the first SEPP determines to send an N32-f request message to the second SEPP, and the load in that N32-f request message will occupy 10% of the load of the second SEPP. The first SEPP then updates the locally recorded occupied load of the second SEPP from the original 30% to 40%. It can be seen that in this embodiment the cSEPP can update the locally recorded load of the pSEPP in real time, which benefits subsequent load distribution.
The first SEPP in this embodiment may be either a cSEPP or a pSEPP. When the first SEPP is a pSEPP, the first SEPP can send the SEPP information list and load control information of its own operator network to the second SEPP in the N32-f request message, so that the second SEPP obtains the SEPP-related information of the operator where the first SEPP is located in advance, which helps achieve load balancing. That is, the second SEPP receives and records the SEPP information list of the operator network where the first SEPP is located from the N32-f request message.
After receiving the N32-f request message from the first SEPP, the second SEPP can update the locally recorded SEPP information list of the operator network where the first SEPP is located according to the N32-f request message. For example, when the second SEPP receives an N32-f message from the first SEPP, the header part of the N32-f message carries the SEPP information list of the operator network where the first SEPP is located as of the current timestamp. The second SEPP updates the locally recorded SEPP information list to the SEPP information list of the operator network where the first SEPP is located as of the current timestamp. Optionally, when the second SEPP receives an N32-c message from the first SEPP, the body part of the N32-c message carries the SEPP information list of the operator network where the first SEPP is located as of the current timestamp.
After receiving the N32-f request message from the first SEPP, the second SEPP can also update the locally recorded load information of the first SEPP according to the N32-f request message. For example, when the second SEPP receives an N32-f message from the first SEPP, the body part of the N32-f message carries the load information of the first SEPP as of the current timestamp. The second SEPP updates the locally recorded load information of the first SEPP to the load information of the first SEPP as of the current timestamp.
The second SEPP sends the service information of the first NF to the second NF in its own operator network. Similar to the interaction between the first NF and the first SEPP, the information exchange between the second SEPP and the second NF is also based on FQDNs, or on FQDN routing. For example, the second SEPP sends the service information of the first NF and the second SEPP FQDN to the second NF. After processing the service information of the first NF, the second NF sends a service response message to the second SEPP. For example, when the service information sent by the first NF is a request for access by a new terminal device, the service response information of the second NF for the first NF is the access resources that the second NF pre-allocates for the new terminal device.
After receiving the service response message from the second NF, the second SEPP uses the N32-f context of the first SEPP to send an N32-f response message to the first SEPP. The N32-f response message includes the service response of the second NF for the first NF. In addition, the N32-f response message may also include the SEPP information list and load control information of the operator network where the second SEPP is located as of the current timestamp, so that the first SEPP updates its locally recorded SEPP information list and load control information for that operator network. The first SEPP obtains the service response from the N32-f response message and sends the service response to the first NF.
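The cSEPP-side bookkeeping described for steps 402, 403 and 408 can be sketched as follows. This is an added example, not code from the application: the class and method names, the `network` key, the `.example` FQDNs and the selection rule (lowest recorded load, then priority) are assumptions, since the selection details are given in the FIG. 2 embodiment and not here.

```python
from dataclasses import dataclass


@dataclass
class PeerSepp:
    fqdn: str
    priority: int             # assumption: lower value is preferred
    n32f_ready: bool = False  # set once N32-f context negotiation has completed
    load: int = 0             # LM, percent in 0..100
    lct: float = 0.0          # LCT of the last LCI that was accepted


class PeerTable:
    """Local record a cSEPP keeps per peer operator network (hypothetical API)."""

    def __init__(self):
        self.peers = {}        # network -> {fqdn: PeerSepp}
        self.recorded_at = {}  # network -> timestamp of the last list update

    def record_list(self, network, entries, now):
        """Record or update a SEPP information list; return True if it was an update."""
        updated = network in self.peers
        old = self.peers.get(network, {})
        new = {}
        for fqdn, priority in entries:
            peer = old.get(fqdn) or PeerSepp(fqdn, priority)
            peer.priority = priority
            new[fqdn] = peer   # keeps load and availability of SEPPs already known
        self.peers[network] = new
        self.recorded_at[network] = now
        return updated

    def mark_available(self, network, fqdn):
        self.peers[network][fqdn].n32f_ready = True

    def apply_lci(self, network, fqdn, lct, lm):
        """Apply an LCI only if its LCT is newer than the stored one."""
        if not 0 <= lm <= 100:
            raise ValueError("LM must be a percentage between 0 and 100")
        peer = self.peers.get(network, {}).get(fqdn)
        if peer is None or lct <= peer.lct:
            return False       # unknown SEPP, or stale / out-of-order LCI
        peer.load, peer.lct = lm, lct
        return True

    def select(self, network, est_cost=0):
        """Pick an available pSEPP and add the estimated cost to its recorded load.

        Returns None when nothing usable is recorded; per the text, the cSEPP
        then has to request the list and LCI from the peer network first.
        """
        usable = [p for p in self.peers.get(network, {}).values()
                  if p.n32f_ready and p.load + est_cost <= 100]
        if not usable:
            return None
        chosen = min(usable, key=lambda p: (p.load, p.priority, p.fqdn))
        chosen.load += est_cost  # local estimate, e.g. 30% -> 40%, until a newer LCI arrives
        return chosen.fqdn


if __name__ == "__main__":
    table = PeerTable()
    # Constructed sample data: three SEPPs of a peer network, two of them available.
    table.record_list("op2", [("sepp1.op2.example", 1), ("sepp2.op2.example", 2),
                              ("sepp3.op2.example", 3)], now=100.0)
    table.mark_available("op2", "sepp1.op2.example")
    table.mark_available("op2", "sepp2.op2.example")
    table.apply_lci("op2", "sepp1.op2.example", lct=10.0, lm=30)
    table.apply_lci("op2", "sepp2.op2.example", lct=10.0, lm=35)
    print(table.select("op2", est_cost=10), table.select("op2", est_cost=10))
```

The local estimate does not touch the stored LCT, so the next LCI carried in an N32-f response replaces it, while an LCI older than the stored one is ignored.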
In one implementation, the signaling message processing method of this embodiment can be applied between a SEPP and an NF. The NF obtains the SEPP information list from the NRF or from a SEPP. When the NF sends a message to a SEPP, the NF selects a designated SEPP according to the SEPP information list and sends the message to that designated SEPP. That is, by obtaining the SEPP information list in advance, the NF achieves load balancing between the SEPPs and the NF. In another implementation, the SEPP information list is pre-configured locally on the NF; this SEPP information list includes the multiple SEPPs available to the NF in the same operator network, and parameters such as the priority or weight of each SEPP.
This embodiment takes the network scenario shown in FIG. 1a as an example: when the first SEPP and the second SEPP are interconnected in PRINS mode, the specific steps performed are steps 401-409. In the network scenario shown in FIG. 1b, when the first SEPP and the second SEPP are interconnected by direct connection, the specific steps performed are similar to steps 401-409. The difference is that, with direct connection, the first SEPP and the second SEPP no longer encrypt messages using the N32-f context in order to transmit N32-f messages. For example, in step 403 the first SEPP encrypts with the transport layer security key and sends the encrypted request message to the second SEPP. The other steps are similar and are not repeated here.
In this embodiment, the first SEPP of the first operator network selects a designated SEPP based on the SEPP information list of the second operator network and the dynamic load control information, encrypts the signaling message using the N32-f context of the designated SEPP, and then sends it, which ultimately achieves load balancing among the multiple SEPPs of the second operator network. It can be seen that, in the dynamic load balancing scenario, the cSEPP dynamically adjusts the traffic sent to different pSEPPs according to the load control information of the second operator network, which can improve the overall message processing efficiency of the SEPPs.
FIG. 5 shows another network scenario provided by an embodiment of the present application. The first operator network in FIG. 5 includes three SEPPs: SEPP_1, SEPP_2 and SEPP_3. FIG. 5 also includes multiple pSEPPs and multiple roaming partners. The multiple SEPPs in the first operator network are connected to the multiple pSEPPs through an IPX, and the IPX is used to balance the load of the first operator network. Optionally, the multiple SEPPs in the first operator network are connected to the multiple pSEPPs through a front-end load balancer, which is likewise used to balance the load of the first operator network.
In the network scenario provided by this embodiment, the signaling message processing method shares N32-f contexts among the SEPPs of the local operator network, that is, SEPP_1 to SEPP_3 can all use the same N32-f contexts to process messages.
The method is performed by the first SEPP of the first operator network. The method flow is shown in FIG. 6 and includes the following steps:
601. The first border security gateway receives a signaling message from the second border security gateway;
602. The first border security gateway obtains the N32-f context shared among the multiple border security gateways of its operator network, and uses the shared N32-f context to process the received signaling message.
In this embodiment, contexts can be shared among the multiple SEPPs in the local operator network. For example, the internal databases of the SEPPs are synchronized to implement the shared context. As another example, the SEPPs in the local operator network send subscription messages to one another to implement the shared context. In this embodiment, the multiple SEPPs in the local operator network may share one FQDN or may use different FQDNs. After receiving a signaling message sent by a SEPP of another operator network, a SEPP of the local operator network can obtain the shared N32-f context corresponding to the destination SEPP in the signaling message, and then use the shared context to process the signaling message.
For example, the first SEPP may be SEPP_1, SEPP_2 or SEPP_3 in the first operator network shown in FIG. 5. The second SEPP may be the pSEPP of roaming partner 1, the pSEPP of roaming partner 2, or the pSEPP of roaming partner 3 shown in FIG. 5. When contexts are shared among the multiple SEPPs of the operator network where the first SEPP is located, each of those SEPPs can obtain the N32-f contexts recorded by every other SEPP. In FIG. 5, SEPP_1 negotiates with the pSEPP of roaming partner 1 and records N32-f context 1, SEPP_2 negotiates with the pSEPP of roaming partner 2 and records N32-f context 2, and SEPP_3 negotiates with the pSEPP of roaming partner 3 and records N32-f context 3. The N32-f contexts are shared among SEPP_1 to SEPP_3 of the first operator network, that is, SEPP_1 to SEPP_3 all record N32-f context 1 to N32-f context 3. The pSEPP of roaming partner 2 sends a signaling message to SEPP_2, and this signaling message can be processed by SEPP_1. In that case, SEPP_1 obtains the shared context (N32-f context 2) corresponding to the destination SEPP (that is, SEPP_2) in the signaling message, and then uses N32-f context 2 to process the signaling message.
The IPX or front-end load balancer receives the signaling messages sent by the different roaming partners and distributes them according to the load of each SEPP in the first operator network. For example, the IPX in FIG. 5 receives a signaling message sent by the pSEPP of roaming partner 2. According to the load control information (including the load metric) of each SEPP in the first operator network as of the current timestamp, the IPX chooses to send the signaling message to SEPP_1. It can be seen that, once the N32-f contexts are shared among the multiple SEPPs in the first operator network, every SEPP can process all N32-f traffic, so load balancing of the first operator network can be achieved through the IPX.
From the shared N32-f contexts, the first SEPP selects the corresponding N32-f context to parse the received signaling message. For example, SEPP_1 in FIG. 5 receives a signaling message sent by the pSEPP of roaming partner 2; this signaling message has been processed (encrypted) by the pSEPP of roaming partner 2 using N32-f context 2. Because the shared N32-f contexts recorded by SEPP_1 include N32-f context 2, SEPP_1 uses N32-f context 2 to process (decrypt) the signaling message.
In one implementation, a TLS link is established between the first SEPP and the first NF; the first SEPP encrypts the signaling message with the TLS key and sends the encrypted signaling message to the first NF. For example, the destination NF of the signaling message sent by the pSEPP of roaming partner 2 is NF_1 in FIG. 5. SEPP_1 encrypts the signaling message sent by the pSEPP of roaming partner 2 using the TLS key it shares with NF_1, and sends the encrypted signaling message to NF_1. It can be seen that a SEPP can encrypt a signaling message with the TLS key between itself and an NF, and send the encrypted signaling message to the destination NF of the signaling message.
Taking SEPP_1 and SEPP_2 in FIG. 5 as an example, the steps by which multiple SEPPs in the local operator network share contexts are described in detail below. SEPP_1 and SEPP_2 in the first operator network initiate mutual subscription to N32-f contexts. For example, SEPP_2 sends an N32-f context request message to SEPP_1. The N32-f context request message is used to request a subscription to the N32-f context of SEPP_1. For example, if SEPP_1 has negotiated N32-f context 1 with the pSEPP of roaming partner 1, SEPP_2 requests a subscription to N32-f context 1 of SEPP_1. In response to the N32-f context request message, SEPP_1 sends an N32-f context response message to SEPP_2, as shown by the solid-line flow in FIG. 7. The N32-f context response message includes N32-f context 1 recorded by SEPP_1.
Similarly, SEPP_1 sends an N32-f context request message to SEPP_2. The N32-f context request message is used to request a subscription to the N32-f context of SEPP_2. Correspondingly, SEPP_2 sends an N32-f context response message to SEPP_1, where the N32-f context response message includes N32-f context 2 recorded by SEPP_2, as shown by the dashed-line flow in FIG. 7.
In one implementation, if the N32-f context on any SEPP changes (including creation, deactivation, and so on; for the creation and deactivation procedures, refer to the protocol standard 3GPP TS 29.573, which is not repeated here), the SEPP whose N32-f context changed notifies the other SEPPs in the local operator network through a callback interface. For example, if SEPP_1 and the pSEPP of roaming partner 3 create N32-f context 3 through the N32-c handshake procedure, SEPP_1 records N32-f context 3. SEPP_1 sends an N32-f context update message to SEPP_2, where the update message includes N32-f context 3 newly created by SEPP_1. SEPP_2 receives and records N32-f context 3 newly created by SEPP_1. SEPP_2 sends an N32-f context update response message to SEPP_1. The N32-f context update response message indicates that SEPP_2 has recorded N32-f context 3 newly created by SEPP_1, as shown by the solid-line flow in FIG. 8.
Similarly, if SEPP_2 and the pSEPP of roaming partner 3 create N32-f context 3 through the N32-c handshake procedure, SEPP_2 records N32-f context 3. SEPP_2 sends an N32-f context update message to SEPP_1, where the update message includes N32-f context 3 newly created by SEPP_2. SEPP_1 receives and records N32-f context 3 newly created by SEPP_2. SEPP_1 sends an N32-f context update response message to SEPP_2. The N32-f context update response message indicates that SEPP_1 has recorded N32-f context 3 newly created by SEPP_2, as shown by the dashed-line flow in FIG. 8.
The solid-line and dashed-line flows in FIG. 7 and FIG. 8 above have no required order; they simply represent two different flows.
When an N32-f context of SEPP_1 or SEPP_2 is deactivated, SEPP_1 or SEPP_2 notifies the other SEPPs in the local operator network to deactivate the corresponding N32-f context through a flow similar to that of FIG. 7 or FIG. 8, which is not repeated here.
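The subscription, update and deactivation flows of FIG. 7 and FIG. 8, together with the lookup of the shared context for a message that the IPX delivered to a different SEPP, can be modelled as below. This is an added example, not code from the application: the `Sepp` class, its method names, the lookup key (destination SEPP, sending pSEPP) and the `.example` names are assumptions, and an HMAC-SHA256 tag stands in for the N32-f message protection, which the text does not specify.

```python
import hashlib
import hmac


def protect(key: bytes, body: bytes) -> bytes:
    """Stand-in for N32-f protection: an integrity tag under the context key."""
    return hmac.new(key, body, hashlib.sha256).digest()


class Sepp:
    """One SEPP of the local operator network (hypothetical model)."""

    def __init__(self, name):
        self.name = name
        self.contexts = {}     # (owning SEPP, peer pSEPP) -> context key
        self.subscribers = []  # local SEPPs subscribed to this SEPP's contexts

    # FIG. 7: N32-f context request / response
    def on_context_request(self, requester):
        if requester not in self.subscribers:
            self.subscribers.append(requester)
        # The response carries the contexts this SEPP negotiated itself.
        return {k: v for k, v in self.contexts.items() if k[0] == self.name}

    def subscribe_to(self, other):
        self.contexts.update(other.on_context_request(self))

    # FIG. 8: N32-f context update / update response (key=None means deactivated)
    def on_context_update(self, ctx_id, key):
        if key is None:
            self.contexts.pop(ctx_id, None)
        else:
            self.contexts[ctx_id] = key
        return True            # update response: the change has been recorded

    def _notify(self, ctx_id, key):
        return all([s.on_context_update(ctx_id, key) for s in self.subscribers])

    def create_context(self, peer, key):
        """Record a context negotiated over N32-c and notify the subscribers."""
        ctx_id = (self.name, peer)
        self.contexts[ctx_id] = key
        return self._notify(ctx_id, key)

    def deactivate_context(self, peer):
        ctx_id = (self.name, peer)
        self.contexts.pop(ctx_id, None)
        return self._notify(ctx_id, None)

    def process(self, msg):
        """Process a message using the shared context of its destination SEPP."""
        key = self.contexts.get((msg["dest_sepp"], msg["sender"]))
        if key is None:
            return None        # no (or no longer any) context for this pair
        if not hmac.compare_digest(protect(key, msg["body"]), msg["tag"]):
            return None        # not protected under the expected context
        return msg["body"]


if __name__ == "__main__":
    sepp1, sepp2 = Sepp("SEPP_1"), Sepp("SEPP_2")
    # Constructed keys and names, for illustration only.
    sepp1.create_context("psepp.partner1.example", b"constructed-key-1")
    sepp2.create_context("psepp.partner2.example", b"constructed-key-2")
    sepp1.subscribe_to(sepp2)
    sepp2.subscribe_to(sepp1)
    body = b'{"constructed": "signaling message"}'
    msg = {"dest_sepp": "SEPP_2", "sender": "psepp.partner2.example",
           "body": body, "tag": protect(b"constructed-key-2", body)}
    print(sepp1.process(msg) == body)   # SEPP_1 handles SEPP_2's traffic
    sepp2.deactivate_context("psepp.partner2.example")
    print(sepp1.process(msg))           # rejected after deactivation propagates
```

Every SEPP that holds a copied context can process traffic for it, so a deactivation takes effect across the network only once each subscriber has recorded the update.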
本实施例中,同一运营商网络中的多个SEPP之间共享N32-f上下文。SEPP之间共享N32-f上下文之后,任意一个SEPP可以处理网络中使用不同N32-f上下文处理的消息。通过IPX或者前置负载均衡器的方式实现本运营商网络中SEPP之间的负载均衡。In this embodiment, the N32-f context is shared among multiple SEPPs in the same operator network. After the N32-f context is shared between SEPPs, any SEPP can process messages processed by different N32-f contexts in the network. The load balancing between SEPPs in the operator's network is realized by means of IPX or a pre-load balancer.
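The update and response exchange described above can be modelled as follows. This is an added example, not code from the application; the class names, message fields and context identifier are assumptions, and the check that an update comes from a known peer SEPP is an assumed safeguard that stands in for peer authentication.

```python
"""Model of N32-f context sharing among SEPPs of one operator network."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class N32fContext:
    context_id: str      # constructed identifier, e.g. "n32f-ctx-3"
    partner: str         # roaming partner whose pSEPP negotiated the context


@dataclass
class Sepp:
    name: str
    # peer name -> Sepp in the same operator network (hypothetical registry)
    peers: dict = field(default_factory=dict, repr=False, compare=False)
    # context_id -> (context, name of the SEPP that created it)
    contexts: dict = field(default_factory=dict, repr=False, compare=False)

    def add_peer(self, other):
        self.peers[other.name] = other
        other.peers[self.name] = self

    def create_context(self, context_id, partner):
        """Record a context obtained from an N32-c handshake, then notify peers."""
        ctx = N32fContext(context_id, partner)
        self.contexts[context_id] = (ctx, self.name)
        return self.notify_peers("create", ctx)

    def deactivate_context(self, context_id):
        """Drop a context locally, then tell peers to deactivate it too."""
        ctx, _origin = self.contexts.pop(context_id)
        return self.notify_peers("deactivate", ctx)

    def notify_peers(self, op, ctx):
        """Send one N32-f context update per peer and collect the responses."""
        update = {"sender": self.name, "op": op, "context": ctx}
        return {name: peer.on_context_update(update)
                for name, peer in self.peers.items()}

    def on_context_update(self, update):
        """Callback interface: apply the update and answer the sender."""
        # Assumed safeguard: only SEPPs of the same operator may share contexts.
        if update["sender"] not in self.peers:
            return {"status": "rejected", "reason": "sender is not a known peer"}
        ctx = update["context"]
        if update["op"] == "create":
            self.contexts[ctx.context_id] = (ctx, update["sender"])
        elif update["op"] == "deactivate":
            self.contexts.pop(ctx.context_id, None)
        else:
            return {"status": "rejected", "reason": "unknown operation"}
        return {"status": "ok", "op": update["op"],
                "context_id": ctx.context_id, "by": self.name}

    def can_process(self, context_id):
        """True if a message protected under this context can be handled here."""
        return context_id in self.contexts


def demo():
    """SEPP_1 creates context 3, SEPP_2 records it, then it is deactivated."""
    sepp_1, sepp_2 = Sepp("SEPP_1"), Sepp("SEPP_2")
    sepp_1.add_peer(sepp_2)
    created = sepp_1.create_context("n32f-ctx-3", "roaming-partner-3")
    shared = sepp_2.can_process("n32f-ctx-3")
    sepp_1.deactivate_context("n32f-ctx-3")
    return created, shared, sepp_2.can_process("n32f-ctx-3")


if __name__ == "__main__":
    print(demo())
```
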
The signaling message processing method of the embodiments of this application is described in detail above with reference to FIG. 2 to FIG. 8. The signaling message processing apparatus of the embodiments of this application is described in detail below with reference to FIG. 9 to FIG. 12. It should be understood that the signaling message processing apparatus and server shown in FIG. 9 to FIG. 12 can implement one or more steps of the method flows shown in FIG. 2 to FIG. 8. To avoid repetition, details are not described again here.
FIG. 9 is a schematic diagram of a signaling message processing apparatus according to an embodiment of this application. The signaling message processing apparatus shown in FIG. 9 is used to implement the method performed by the first border security gateway in the embodiments shown in FIG. 2 to FIG. 4. The signaling message processing apparatus includes a transceiver unit 901 and a processing unit 902. The transceiver unit 901 is configured to receive a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located. The processing unit 902 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located. The transceiver unit 901 is further configured to send an encrypted signaling message to the third border security gateway.
In one implementation, the transceiver unit 901 is further configured to send, to the third border security gateway, a signaling message encrypted using the N32-f context, or a signaling message encrypted using a transport layer security key.
In one implementation, the transceiver unit 901 is further configured to send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
In one implementation, that the transceiver unit 901 is further configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
If no associated N32-f context has been created between the first border security gateway and the third border security gateway, the transceiver unit 901 negotiates with the third border security gateway to obtain an N32-f context, and sends the signaling message using the negotiated N32-f context.
In one implementation, the border security gateway information list includes the priorities of multiple border security gateways. That the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the border security gateway information list includes the weights of multiple border security gateways. That the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, that the transceiver unit 901 is configured to receive the first message from the second border security gateway includes:
Receiving, through the N32-c channel, the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the processing unit 902 is further configured to update the recorded border security gateway information list to the border security gateway information list, as of the current timestamp, of the operator network where the second border security gateway is located;
The transceiver unit 901 is further configured to send a 200 OK message to the second border security gateway. In one implementation, the transceiver unit 901 is further configured to send an error response message to the second border security gateway if the first border security gateway cannot identify the first message, or if the first border security gateway cannot record the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, that the processing unit 902 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the least occupied load from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the processing unit 902 is further configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
In one implementation, that the transceiver unit 901 is configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
Encrypting the signaling message using the N32-f context of the third border security gateway, and sending the encrypted signaling message to the third border security gateway.
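The list handling and selection rules described for the first border security gateway can be sketched as follows. This is an added example, not code from the application: the field name `seppInfoList`, the FQDNs, the numeric status codes for the error response, the rule that a smaller number means a higher priority, and the carry-over of load counters across list updates are all assumptions. The encryption itself is left out; the function returns which N32-f context would protect the message.

```python
"""Peer-SEPP selection from a received border security gateway information list."""
from dataclasses import dataclass


@dataclass
class SeppEntry:
    fqdn: str
    priority: int = 0   # assumption: smaller value = higher priority
    weight: int = 0
    load: int = 0       # bytes this gateway has already sent to the entry


# Constructed sample of a first message received over N32-c.
FIRST_MESSAGE = {"seppInfoList": [
    {"fqdn": "sepp-a.operator-b.example", "priority": 1, "weight": 10},
    {"fqdn": "sepp-b.operator-b.example", "priority": 2, "weight": 30},
    {"fqdn": "sepp-c.operator-b.example", "priority": 3, "weight": 20},
]}


class PeerDirectory:
    def __init__(self):
        self.lists = {}      # operator id -> (timestamp, [SeppEntry])
        self.contexts = {}   # peer fqdn -> N32-f context id

    def on_first_message(self, operator, message, now):
        """Record the list carried in a first message; return 200 or 400."""
        raw = message.get("seppInfoList") if isinstance(message, dict) else None
        if not isinstance(raw, list) or not raw:
            return 400       # message not recognised: error response
        try:
            entries = [SeppEntry(**item) for item in raw]
        except TypeError:
            return 400       # list cannot be recorded: error response
        # Replace the recorded list with the one valid at this timestamp,
        # keeping locally tracked load for gateways that are still listed.
        old = {e.fqdn: e.load for e in self.lists.get(operator, (0, []))[1]}
        for entry in entries:
            entry.load = old.get(entry.fqdn, 0)
        self.lists[operator] = (now, entries)
        return 200

    def select(self, operator, policy):
        """Pick the third border security gateway under one of three rules."""
        _timestamp, entries = self.lists[operator]
        if policy == "priority":
            return min(entries, key=lambda e: e.priority)
        if policy == "weight":
            return max(entries, key=lambda e: e.weight)
        if policy == "least_load":
            return min(entries, key=lambda e: e.load)
        raise ValueError("unknown policy: " + policy)

    def send(self, operator, policy, payload, negotiate):
        """Select a peer, obtain its N32-f context, and account for the traffic."""
        target = self.select(operator, policy)
        context = self.contexts.get(target.fqdn)
        if context is None:
            # No associated context yet: negotiate one, then reuse it.
            context = self.contexts[target.fqdn] = negotiate(target.fqdn)
        target.load += len(payload)   # update load information after sending
        return target.fqdn, context


if __name__ == "__main__":
    directory = PeerDirectory()
    print(directory.on_first_message("operator-b", FIRST_MESSAGE, now=1000))
    print(directory.send("operator-b", "least_load", b"x" * 300,
                         lambda fqdn: "ctx-" + fqdn))
```
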
In one implementation, the functions implemented by the units in FIG. 9 may be implemented by a transceiver and a processor. FIG. 10 is a schematic diagram of a server according to an embodiment of this application. The server may be a device (for example, a chip) capable of executing the signaling message processing method in the embodiments shown in FIG. 2 to FIG. 4. The server may include a transceiver 1001, at least one processor 1002, and a memory 1003. The transceiver 1001, the processor 1002, and the memory 1003 may be connected to each other through one or more communication buses, or may be connected in other ways.
The transceiver 1001 may be used to send data or receive data. It can be understood that "transceiver 1001" is a collective term and may include a receiver and a transmitter. For example, the receiver is configured to receive the first message from the second border security gateway. For another example, the transmitter is configured to send a signaling message to the second border security gateway.
The processor 1002 may be used to process data of the server. The processor 1002 may include one or more processors; for example, the processor 1002 may be one or more central processing units (CPUs), network processors (NPs), hardware chips, or any combination thereof. Where the processor 1002 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
The memory 1003 is used to store program code and the like. The memory 1003 may include a volatile memory, such as a random access memory (RAM); the memory 1003 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 1003 may also include a combination of the above types of memory.
The processor 1002 and the memory 1003 may be coupled through an interface or may be integrated together, which is not limited in this embodiment.
The transceiver 1001 and the processor 1002 may be used to execute the signaling message processing method in the embodiments shown in FIG. 2 to FIG. 4, specifically as follows:
The transceiver 1001 is configured to receive a first message from the second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located;
The processor 1002 is configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
The transceiver 1001 is further configured to send a signaling message to the third border security gateway.
In one implementation, the transceiver 1001 is further configured to send, to the third border security gateway, a signaling message encrypted using the N32-f context, or a signaling message encrypted using a transport layer security key.
In one implementation, the transceiver 1001 is further configured to send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
In one implementation, that the transceiver 1001 is further configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
If no associated N32-f context has been created between the first border security gateway and the third border security gateway, the transceiver 1001 negotiates with the third border security gateway to obtain an N32-f context, and sends the signaling message using the negotiated N32-f context.
In one implementation, the border security gateway information list includes the priorities of multiple border security gateways. That the processor 1002 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the border security gateway information list includes the weights of multiple border security gateways. That the processor 1002 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, that the transceiver 1001 is configured to receive the first message from the second border security gateway includes:
Receiving, through the N32-c channel, the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the processor 1002 is further configured to update the recorded border security gateway information list to the border security gateway information list, as of the current timestamp, of the operator network where the second border security gateway is located;
The transceiver 1001 is further configured to send a 200 OK message to the second border security gateway.
In one implementation, the transceiver 1001 is further configured to send an error response message to the second border security gateway if the first border security gateway cannot identify the first message, or if the first border security gateway cannot record the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, that the processor 1002 is configured to select the third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located includes:
Selecting the third border security gateway with the least occupied load from the border security gateway information list of the operator network where the second border security gateway is located.
In one implementation, the processor 1002 is further configured to update the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
In one implementation, that the transceiver 1001 is configured to send a signaling message to the third border security gateway using the N32-f context of the third border security gateway includes:
Encrypting the signaling message using the N32-f context of the third border security gateway, and sending the encrypted signaling message to the third border security gateway. The second border security gateway in the embodiments shown in FIG. 2 to FIG. 4 can implement functions similar to those of the first border security gateway. The second border security gateway may therefore also be the apparatus and server shown in FIG. 9 and FIG. 10.
FIG. 11 is a schematic diagram of another signaling message processing apparatus according to an embodiment of this application. The signaling message processing apparatus shown in FIG. 11 is used to implement the method performed by the first border security gateway in the embodiments shown in FIG. 6 to FIG. 8. The signaling message processing apparatus includes a transceiver unit 1101 and a processing unit 1102. The transceiver unit 1101 is configured to receive a signaling message from the second border security gateway. The processing unit 1102 is configured to obtain the N32-f context shared among the multiple border security gateways of the operator network where it is located, and to process the received signaling message using the shared N32-f context.
In one implementation, the processing unit 1102 is further configured to encrypt the signaling message using a transport layer security key. The transceiver unit 1101 is further configured to send the encrypted signaling message to the first network function network element.
In one implementation, the functions implemented by the units in FIG. 11 may be implemented by a transceiver and a processor. FIG. 12 is a schematic diagram of another server according to an embodiment of this application. The server may be a device (for example, a chip) capable of executing the signaling message processing method in the embodiments shown in FIG. 6 to FIG. 8. The server may include a transceiver 1201, at least one processor 1202, and a memory 1203. The transceiver 1201, the processor 1202, and the memory 1203 may be connected to each other through one or more communication buses, or may be connected in other ways.
The transceiver 1201 may be used to send data or receive data. It can be understood that "transceiver 1201" is a collective term and may include a receiver and a transmitter.
The processor 1202 may be used to process data of the server. The processor 1202 may include one or more processors; for example, the processor 1202 may be one or more central processing units (CPUs), network processors (NPs), hardware chips, or any combination thereof. Where the processor 1202 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
The memory 1203 is used to store program code and the like. The memory 1203 may include a volatile memory, such as a random access memory (RAM). The memory 1203 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 1203 may also include a combination of the above types of memory.
The processor 1202 and the memory 1203 may be coupled through an interface or may be integrated together, which is not limited in this embodiment.
The transceiver 1201 and the processor 1202 may be used to execute the signaling message processing method in the embodiments shown in FIG. 6 to FIG. 8, specifically as follows:
The transceiver 1201 is configured to receive a signaling message from the second border security gateway;
The processor 1202 is configured to obtain the N32-f context shared among the multiple border security gateways of the operator network where it is located, and to process the received signaling message using the shared N32-f context.
In one implementation, the processor 1202 is further configured to encrypt the signaling message using a transport layer security key. The transceiver 1201 is further configured to send the encrypted signaling message to the first network function network element.
An embodiment of this application provides a communication system, where the communication system includes the first communication device and the second communication device described in the foregoing embodiments.
An embodiment of this application provides a computer-readable storage medium that stores a program or instructions; when the program or instructions are run on a computer, the computer is caused to execute the signaling message processing method in the embodiments of this application.
An embodiment of this application provides a chip or chip system. The chip or chip system includes at least one processor and an interface; the interface and the at least one processor are interconnected by a line, and the at least one processor is used to run a computer program or instructions to perform the signaling message processing method in the embodiments of this application.
The interface in the chip may be an input/output interface, a pin, a circuit, or the like.
The chip system in the above aspects may be a system on chip (SOC), a baseband chip, or the like, where the baseband chip may include a processor, a channel encoder, a digital signal processor, a modem, an interface module, and the like.
In one implementation, the chip or chip system described above in this application further includes at least one memory, and the at least one memory stores instructions. The memory may be a storage unit inside the chip, for example, a register or a cache, or may be a storage unit of the chip (for example, a read-only memory or a random access memory).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. A computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (for example, floppy disks, hard disks, magnetic tapes), optical media (for example, high-density digital video discs (DVDs)), or semiconductor media (for example, solid state disks (SSDs)).
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described with reference to the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms according to function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive of within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (19)

  1. A signaling message processing method, comprising:
    receiving, by a first border security gateway, a first message from a second border security gateway, where the first message includes a border security gateway information list of the operator network where the second border security gateway is located;
    selecting, by the first border security gateway, a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located, and sending an encrypted signaling message to the third border security gateway.
  2. The method according to claim 1, wherein the sending an encrypted signaling message to the third border security gateway comprises:
    sending, to the third border security gateway, a signaling message encrypted using an N32-f context, or sending, to the third border security gateway, a signaling message encrypted using a transport layer security key.
  3. The method according to claim 1, wherein the method further comprises:
    sending, by the first border security gateway, a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
  4. The method according to claim 1, wherein the sending, by the first border security gateway, of a signaling message to the third border security gateway using the N32-f context of the third border security gateway comprises:
    if no associated N32-f context has been created between the first border security gateway and the third border security gateway, negotiating, by the first border security gateway, with the third border security gateway to obtain an N32-f context, and sending the signaling message using the negotiated N32-f context.
  5. The method according to claim 1 or 3, wherein the border security gateway information list includes the priorities of multiple border security gateways, and the selecting, by the first border security gateway, of a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located comprises:
    selecting, by the first border security gateway, the third border security gateway with the highest priority from the border security gateway information list of the operator network where the second border security gateway is located.
  6. The method according to claim 1 or 3, wherein the border security gateway information list includes the weights of multiple border security gateways, and the selecting, by the first border security gateway, of a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located comprises:
    selecting, by the first border security gateway, the third border security gateway with the highest weight from the border security gateway information list of the operator network where the second border security gateway is located.
  7. The method according to claim 1, wherein the receiving, by the first border security gateway, of a first message from the second border security gateway comprises:
    receiving, by the first border security gateway through the N32-c channel, the border security gateway information list of the operator network where the second border security gateway is located.
  8. The method according to claim 7, wherein the method further comprises:
    if the first border security gateway cannot identify the first message, or the first border security gateway cannot record the border security gateway information list of the operator network where the second border security gateway is located, sending, by the first border security gateway, an error response message to the second border security gateway.
  9. The method according to claim 1, wherein the selecting, by the first border security gateway, of a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located comprises:
    selecting, by the first border security gateway, the third border security gateway with the least occupied load from the border security gateway information list of the operator network where the second border security gateway is located.
  10. The method according to claim 9, wherein the method further comprises:
    updating, by the first border security gateway, the load information of the third border security gateway in the border security gateway information list according to the traffic occupied by sending the signaling message.
  11. 根据权利要求1至10任意一项所述的方法,其特征在于,所述第一边界安全网关采用所述第三边界安全网关的N32-f上下文向所述第三边界安全网关发送信令消息,包括:The method according to any one of claims 1 to 10, wherein the first border security gateway sends a signaling message to the third border security gateway by using the N32-f context of the third border security gateway ,include:
    所述第一边界安全网关采用所述第三边界安全网关的N32-f上下文对信令消息进行加密,并向所述第三边界安全网关发送加密的信令消息。The first border security gateway encrypts the signaling message by using the N32-f context of the third border security gateway, and sends the encrypted signaling message to the third border security gateway.
  12. 根据权利要求1至10任意一项所述的方法,其特征在于,在所述第一边界安全网关向所述第三边界安全网关发送加密的信令消息之前,所述方法还包括:The method according to any one of claims 1 to 10, wherein before the first border security gateway sends the encrypted signaling message to the third border security gateway, the method further comprises:
    所述第一边界安全网关接收网络功能设备发送的信令消息,对所述信令消息进行加密。The first border security gateway receives the signaling message sent by the network function device, and encrypts the signaling message.
  13. 一种信令消息处理装置,其特征在于,包括:A signaling message processing device, comprising:
    收发单元,用于接收来自第二边界安全网关的第一消息,所述第一消息包括所述第二边界安全网关所在运营商网络的边界安全网关信息列表;a transceiver unit, configured to receive a first message from a second border security gateway, where the first message includes a border security gateway information list of an operator network where the second border security gateway is located;
    处理单元,用于从所述第二边界安全网关所在运营商网络的边界安全网关信息列表中选择第三边界安全网关;a processing unit, configured to select a third border security gateway from the border security gateway information list of the operator network where the second border security gateway is located;
    所述收发单元还用于向所述第三边界安全网关发送加密的信令消息。The transceiver unit is further configured to send an encrypted signaling message to the third border security gateway.
  14. 根据权利要求13所述的装置,其特征在于,所述收发单元还用于:The device according to claim 13, wherein the transceiver unit is further configured to:
    向所述第二边界安全网关发送第二消息,所述第二消息包括所述第一边界安全网关所在运营商网络的边界安全网关信息列表。Send a second message to the second border security gateway, where the second message includes a border security gateway information list of the operator network where the first border security gateway is located.
  15. 根据权利要求13所述的装置,其特征在于,所述收发单元还用于采用所述第三边界安全网关的N32-f上下文向所述第三边界安全网关发送信令消息,包括:The apparatus according to claim 13, wherein the transceiver unit is further configured to use the N32-f context of the third border security gateway to send a signaling message to the third border security gateway, comprising:
    若所述第一边界安全网关与所述第三边界安全网关之间未创建关联的N32-f上下文,所述收发单元与所述第三边界安全网关协商获得N32-f上下文,并采用所述协商获得的N32-f上下文发送信令消息。If an associated N32-f context is not established between the first border security gateway and the third border security gateway, the transceiver unit negotiates with the third border security gateway to obtain an N32-f context, and adopts the N32-f context. The N32-f context obtained through negotiation sends signaling messages.
  16. 根据权利要求13或14所述的装置,其特征在于,所述边界安全网关信息列表包括:多个边界安全网关的优先级,所述处理单元用于从所述第二边界安全网关所在运营商网络的边界安全网关信息列表中选择第三边界安全网关,包括:The apparatus according to claim 13 or 14, wherein the border security gateway information list includes: priorities of multiple border security gateways, and the processing unit is configured to obtain information from an operator where the second border security gateway is located Select the third border security gateway from the network border security gateway information list, including:
    从所述第二边界安全网关所在运营商网络的边界安全网关信息列表中选择优先级最高的第三边界安全网关。The third border security gateway with the highest priority is selected from the border security gateway information list of the operator network where the second border security gateway is located.
  17. 根据权利要求13或14所述的装置,其特征在于,所述收发单元还用于接收网络功能设备发送的信令消息,所述处理单元还用于对接收到的所述信令消息进行加密。The apparatus according to claim 13 or 14, wherein the transceiver unit is further configured to receive a signaling message sent by a network function device, and the processing unit is further configured to encrypt the received signaling message .
  18. 一种信令消息处理装置,其特征在于,包括存储器和处理器;A signaling message processing device, comprising a memory and a processor;
    所述存储器,用于存储指令;the memory for storing instructions;
    所述处理器,用于执行所述指令,使得如权利要求1至12中任意一项所述的方法被执行。the processor for executing the instructions such that the method of any one of claims 1 to 12 is performed.
  19. 一种计算机可读存储介质,其特征在于,包括程序或指令,当所述程序或指令在计算机上运行时,如权利要求1至12中任意一项所述的方法被执行。A computer-readable storage medium, characterized by comprising a program or an instruction, when the program or the instruction is run on a computer, the method according to any one of claims 1 to 12 is performed.
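The selection rules of claims 5, 6, 9 and 10, the on-demand N32-f context of claim 4 and the error response of claim 8 can be read together as the following Python example, which is added here and is not code from the patent. The class, field and policy names, the `negotiate` callback, the response shape and the rule that a larger number means a higher priority or weight are all assumptions; protecting the message with the context (claim 11) is left out.

```python
from dataclasses import dataclass

@dataclass
class PeerSepp:
    fqdn: str
    priority: int = 0   # assumption: larger number = higher priority
    weight: int = 0     # assumption: larger number = preferred
    load: int = 0       # bytes this gateway has already sent to the peer

# Constructed sample of a peer network's list, as carried in the first message.
SAMPLE_LIST = [
    {"fqdn": "sepp1.example", "priority": 3, "weight": 10},
    {"fqdn": "sepp2.example", "priority": 2, "weight": 40},
    {"fqdn": "sepp3.example", "priority": 1, "weight": 20},
]

POLICIES = {
    "priority": lambda p: p.priority,
    "weight": lambda p: p.weight,
    "least_load": lambda p: -p.load,
}

class PeerNetwork:
    def __init__(self, negotiate):
        self.peers = {}             # fqdn -> PeerSepp
        self.contexts = {}          # fqdn -> N32-f context
        self.negotiate = negotiate  # hypothetical callable: fqdn -> context

    def on_first_message(self, entries):
        """Record the list, or answer with an error if it cannot be used."""
        try:
            parsed = {e["fqdn"]: PeerSepp(**e) for e in entries}
        except (KeyError, TypeError):
            return {"status": "error"}
        if not parsed:
            return {"status": "error"}
        self.peers = parsed
        return {"status": "ok"}

    def select(self, policy):
        # Ties go to the entry that appears first in the received list.
        return max(self.peers.values(), key=POLICIES[policy])

    def send(self, message: bytes, policy: str):
        peer = self.select(policy)
        if peer.fqdn not in self.contexts:      # no context yet: negotiate one
            self.contexts[peer.fqdn] = self.negotiate(peer.fqdn)
        peer.load += len(message)               # account for the traffic sent
        return peer.fqdn, self.contexts[peer.fqdn]
```

A malformed or empty list leaves the previously recorded list in place, so a rejected first message cannot silently change where signaling is routed.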
PCT/CN2022/082102 2021-03-30 2022-03-21 Signaling message processing method, apparatus, and system WO2022206462A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110342633.0 2021-03-30
CN202110342633.0A CN115150820A (en) 2021-03-30 2021-03-30 Method, device and system for processing signaling message

Publications (1)

Publication Number Publication Date
WO2022206462A1 (en) 2022-10-06

Family

ID=83404215

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/082102 WO2022206462A1 (en) 2021-03-30 2022-03-21 Signaling message processing method, apparatus, and system

Country Status (2)

Country Link
CN (1) CN115150820A (en)
WO (1) WO2022206462A1 (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108293017A (en) * 2015-12-08 2018-07-17 霍尼韦尔国际公司 Device and method for using Internet of Things gras generally recognized as safe gateway
WO2020000145A1 (en) * 2018-06-25 2020-01-02 Intel Corporation World-switch as a way to schedule multiple isolated tasks within a VM
US20200036754A1 (en) * 2018-07-30 2020-01-30 Cisco Technology, Inc. Sepp registration, discovery and inter-plmn connectivity policies
US10637753B1 (en) * 2019-04-09 2020-04-28 Verizon Patent And Licensing Inc. Managing a 5G network using extension information
CN111615217A (en) * 2019-02-25 2020-09-01 华为技术有限公司 Session establishment method and device
US20210014680A1 (en) * 2018-02-16 2021-01-14 Telefonaktiebolaget Lm Ericsson (Publ) Protecting a message transmitted between core network domains
CN113438268A (en) * 2020-03-23 2021-09-24 诺基亚技术有限公司 Apparatus, method and computer program related to information of SCP and SEPP stored in NRF
CN113497730A (en) * 2020-04-03 2021-10-12 大唐移动通信设备有限公司 Communication method and device of agent and network equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NOKIA; NOKIA SHANGHAI-BELL: "Dynamic SEPP discovery", 3GPP DRAFT; S2-2002874, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Online Meeting ;20200420 - 20200423, 10 April 2020 (2020-04-10), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051874401 *

Also Published As

Publication number Publication date
CN115150820A (en) 2022-10-04

Similar Documents

Publication Publication Date Title
JP6464298B2 (en) End-to-end M2M service layer session
US9509663B2 (en) Secure distribution of session credentials from client-side to server-side traffic management devices
WO2022012310A1 (en) Communication method and apparatus
JP6936393B2 (en) Parameter protection method and device, and system
CN101494538B (en) Data transmission control method and communication system and encipher control network element
TWI812678B (en) Method and products for information transmission of terminals
WO2021218595A1 (en) Address acquiring method and apparatus
WO2020029730A1 (en) Identity information processing method, device and system
JP2021532627A (en) Communication method and communication device
WO2021174884A1 (en) Communication method and apparatus
CN110784434B (en) Communication method and device
WO2020048517A1 (en) Rrc connection method, device, and system
WO2019010702A1 (en) Access traffic steering, switching, and splitting management
WO2021096798A1 (en) Domain name system as an authoritative source for multipath mobility policy
US20230013500A1 (en) Radio bearer configuration method, apparatus, and system
EP4152717A1 (en) Secure communication method, related apparatus, and system
WO2021068937A1 (en) Service binding method and apparatus
WO2024067757A1 (en) Cross-terminal-communication device management method, system and apparatus based on bus, and medium
WO2018176187A1 (en) Data transmission method, user equipment, and control plane node
WO2022206462A1 (en) Signaling message processing method, apparatus, and system
US20130086218A1 (en) Proxy Server For Home Network Access
KR102648720B1 (en) Traffic transmission system based on dynamic tunneling communication, and signaling method of the same
WO2022012355A1 (en) Secure communication method, related apparatus, and system
WO2024065503A1 (en) Negotiation of authentication procedures in edge computing
WO2023284623A1 (en) Data synchronization method, apparatus and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22778645

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22778645

Country of ref document: EP

Kind code of ref document: A1