WO2022217571A1 - Authentication method and apparatus, device and storage medium for network slicing - Google Patents
- Publication number: WO2022217571A1 (application PCT/CN2021/087685)
- Authority: WO, WIPO (PCT)
- Prior art keywords: terminal, authentication, message, network slice, network
- Prior art date
Classifications
- H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06 Authentication
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04W48/00 Access restriction; Network selection; Access point selection
  - H04W48/18 Selecting a network or a communication service
- H04W84/00 Network topologies
  - H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    - H04W84/04 Large scale networks; Deep hierarchical networks
      - H04W84/042 Public Land Mobile systems, e.g. cellular systems
- Y02D30/00 Reducing energy consumption in communication networks
  - Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks
Definitions
- the present application relates to the field of communication technologies, and in particular, to an authentication method and apparatus, device, and storage medium for network slicing.
- the 5th Generation mobile communication technology (5G) network offers rich and diverse network services, and different network services place different requirements on the network; for example, network services such as autonomous driving and remote control require ultra-low latency and ultra-high reliability; network services such as Augmented Reality (AR)/Virtual Reality (VR) require ultra-high bandwidth; network services such as the Internet of Things (IoT) require support for massive device access and ultra-low power consumption. Therefore, in order to meet the requirements of different network services, the network is divided into multiple network slices, and different network slices are used to implement different network services.
- NSSAA: network slice-specific authentication and authorization
- UE-to-Network relay
- Release 17 (R17)
- RM UE: remote terminal (Remote User Equipment)
- RL UE: relay terminal (Relay User Equipment)
- NSSAA process: the NSSAA process performed on the network slice to be used by the RM UE.
- Embodiments of the present application provide an authentication method and apparatus, device, and storage medium for network slicing.
- a first aspect provides an authentication method for network slicing, which is applied to a first network device, and the method includes:
- in the case of receiving an authentication request message, sending a first authentication message to the first terminal; the authentication request message is used to trigger the authentication process for the second terminal that requests to use the target network slice; the second terminal accesses the first network device through the first terminal;
- the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is for the second terminal; the first EAP message is used to verify the legitimacy of the second terminal using the target network slice.
- EAP: Extensible Authentication Protocol
- an authentication method for network slicing which is applied to a first terminal, and the method includes:
- the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is for the second terminal; the first EAP message is used to verify the legitimacy of the second terminal using the target network slice it requests;
- an authentication method for network slicing is provided, which is applied to a second terminal, and the method includes:
- the discovery message includes the identification information of the home public land mobile network (Home Public Land Mobile Network, HPLMN) of the first terminal;
- HPLMN: Home Public Land Mobile Network
- if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, accessing the first network device through the first terminal; the first network device refers to the network device that provides services for the first terminal.
- an authentication apparatus for network slicing which is applied to a first network device, and the apparatus includes:
- the first sending unit is configured to send the first authentication message to the first terminal when receiving the authentication request message; the authentication request message is used to trigger the authentication and authorization process for the second terminal requesting to use the target network slice; the second terminal accesses the first network device through the first terminal;
- the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is for the second terminal; the first EAP message is used to verify the legitimacy of the second terminal using the target network slice.
- an authentication device for network slicing which is applied to a first terminal, and the device includes:
- a second receiving unit configured to receive a first authentication message sent by a first network device; the first authentication message includes first indication information and a first EAP message; the first indication information is used to indicate that the first EAP message is for the second terminal; the first EAP message is used to verify the legitimacy of the second terminal using the target network slice it requests;
- the second sending unit is configured to send the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
- an authentication device for network slicing which is applied to a second terminal, and the device includes:
- the third receiving unit is configured to receive the first EAP message sent by the first terminal; the first EAP message is used to verify the legitimacy of the second terminal requesting to use the target network slice; the second terminal accesses the first network device through the first terminal.
- an authentication device for network slicing which is applied to a second terminal, and the device includes:
- a third receiving unit configured to receive a discovery message sent by a first terminal; the discovery message includes HPLMN identification information of the first terminal;
- a network access unit configured to access the first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal; the first network device refers to the network device that provides services for the first terminal.
- a network device comprising: a memory, a transceiver, a processor, and a bus system;
- the memory is used to store programs and instructions
- the transceiver is used for receiving or transmitting information under the control of the processor
- the processor is configured to execute a program in the memory
- the bus system is used to connect the memory, the transceiver and the processor so that the memory, the transceiver and the processor communicate;
- the processor is configured to invoke the program instructions in the memory to execute the authentication method for the network slice in the first aspect.
- a tenth aspect provides a terminal, the terminal comprising: a memory, a transceiver, a processor, and a bus system;
- the memory is used to store programs and instructions
- the transceiver is used for receiving or transmitting information under the control of the processor
- the processor is configured to execute a program in the memory
- the bus system is used to connect the memory, the transceiver and the processor so that the memory, the transceiver and the processor communicate;
- the processor is configured to invoke the program instructions in the memory to execute the method described in the second aspect, the third aspect or the fourth aspect.
- a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method in the first aspect are implemented.
- the first network device may indicate to the first terminal that the first EAP message is for the second terminal through the first indication information.
- the first terminal can forward the first EAP message to the second terminal, so as to realize the authentication of the target network slice requested by the second terminal, ensure the security of the network slice, and solve the problem that the network slice authentication scheme in the prior art is incomplete.
- FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
- FIG. 2 is a schematic diagram of a UE-to-Network relay architecture provided by an embodiment of the present application.
- FIG. 3 is a first schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 4 is a second schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 5 is a third schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 6 is a fourth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 7 is a fifth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 8 is a sixth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 9 is a seventh schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application.
- FIG. 10 is a first schematic structural diagram of an authentication device for network slicing provided by an embodiment of the present application.
- FIG. 11 is a second schematic structural diagram of an authentication device for network slicing provided by an embodiment of the present application.
- FIG. 12 is a third schematic structural diagram of an authentication device for network slicing provided by an embodiment of the present application.
- FIG. 13 is a schematic block diagram of a network device provided by an embodiment of the present application.
- FIG. 14 is a schematic block diagram of a terminal provided by an embodiment of the present application.
- FIG. 1 exemplarily shows a schematic diagram of a system architecture provided by the present application.
- the system architecture includes an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element, a Policy Control Function (PCF) network element, an Authentication Server Function (AUSF) network element, a Unified Data Management (UDM) network element, an Application Function (AF) network element, a User Plane Function (UPF) network element, and a Network Slice Selection Function (NSSF) network element.
- the communication system architecture further includes a Radio Access Network (RAN) device, a terminal (User Equipment, UE) and a Data Network (DN) network element.
- RAN: Radio Access Network
- UE: User Equipment
- DN: Data Network
- the AMF network element is mainly used for the registration, mobility management, and tracking area update procedures of the terminal in the mobile network.
- the mobility management network element can receive non-access stratum (Non Access Stratum, NAS) messages, complete registration management, connection management and reachability management, assign tracking area list and mobility management, etc., and transparently route session management messages to SMF network element.
- NAS: Non-Access Stratum
- the SMF network element is mainly used for session management in the mobile network, such as session creation, modification and release.
- Specific functions include, for example, assigning Internet Protocol (IP) addresses to users, and selecting user plane network elements that provide packet forwarding functions.
- IP: Internet Protocol
- the PCF network element includes a user subscription data management function, a policy control function, a charging policy control function, a quality of service (Quality of Service, QoS) control, and the like.
- the AUSF network element mainly provides the authentication server function using the Extensible Authentication Protocol (EAP) and stores keys, in order to realize user authentication.
- the UDM network element is mainly used to store user data, such as subscription information and authentication/authorization information.
- the UPF network element is mainly used for user plane service processing, such as service routing, packet forwarding, anchoring function, quality of service (QoS) mapping and enforcement, uplink identification and routing to the data network, downlink packet buffering and notification triggering on downlink data arrival, connection to external data networks, etc.
- the NSSF network element is mainly used to select the network slice serving the UE, determine the Network Slice Selection Assistance Information (NSSAI) configured for the UE, and determine the NSSAI allowed for the UE.
- NSSAI: Network Slice Selection Assistance Information
- a RAN device is a device that provides wireless communication functions for UEs.
- access network equipment includes, but is not limited to: next-generation base stations in 5G (gNodeB, gNB), evolved Node B (eNB), Radio Network Controller (RNC), Node B (NB), Base Station Controller (BSC), Base Transceiver Station (BTS), home base station, Base Band Unit (BBU), Transmitting and Receiving Point (TRP), Transmitting Point (TP), mobile switching center, etc.
- gNB: next-generation base station (gNodeB)
- eNB: evolved Node B
- RNC: Radio Network Controller
- NB: Node B
- BSC: Base Station Controller
- BTS: Base Transceiver Station
- BBU: Base Band Unit
- TRP: Transmitting and Receiving Point
- TP: Transmitting Point
- the UE in this embodiment of the present application is a device with a wireless transceiver function, which can be deployed on land (indoor or outdoor, handheld or vehicle-mounted), on water, or in the air (for example, on aircraft, balloons, satellites, etc.).
- the UE can be a mobile phone, a tablet computer, a computer with a wireless transceiver function, a VR device, an AR device, a wireless device in unmanned driving, a wireless device in telemedicine, a device in a smart grid, a wireless device in transportation safety, a wireless device in a smart city, etc.
- the DN network element is mainly used to provide services for users, such as operators' services, Internet access services, and third-party services.
- the above network elements may be network elements in hardware devices, or may be software functions running on dedicated hardware, or virtualized functions instantiated on a platform (eg, a cloud platform).
- the above network elements may be divided into one or more services, and further, services that exist independently of network functions may also appear.
- the UE can be connected to the AMF network element through the N1 port, and the RAN device can be connected to the AMF network element through the N2 port.
- the UE is connected to the RAN device through the Uu port.
- N3 is the connection port between the RAN device and the UPF network element.
- N4 is the connection port between the SMF network element and the UPF network element, and is used to transmit control signaling between the SMF network element and the UPF network element.
- N5 is the connection port between the PCF network element and the AF network element.
- N6 is the connection port between the UPF network element and the DN network element.
- N7 is the connection port between the SMF network element and the PCF network element.
- N8 is a connection port of the AMF network element.
- N10 is the connection port between the UDM network element and the SMF network element.
- N11 is the connection port between the AMF network element and the SMF network element.
- N12 is the connection port between the AUSF network element and the AMF network element.
- N15 is the connection port between the AMF network element and the PCF network element.
- N22 is the connection port between the NSSF network element and the AMF network element.
- Network slicing can be customized for different services to achieve dedicated and isolated network resources and provide better services while meeting the needs of different business scenarios.
- the terminal may provide the requested NSSAI (ie, Requested NSSAI) to the core network.
- the core network will make a comprehensive judgment based on the terminal's contract data, roaming agreement, and local configuration information, and return to the terminal the NSSAI allowed by the current network (ie Allowed NSSAI).
- the terminal can establish a Packet Data Unit (PDU) session in a network slice provided by the Allowed NSSAI to transmit data.
- PDU: Packet Data Unit
- the secondary authentication process for network slicing was introduced. That is to say, when the terminal registers with the network, in addition to performing the primary authentication process on the terminal's permanent identity, the network may also judge, according to the network slice requested by the terminal and the subscription data of the terminal, whether NSSAA needs to be performed on the requested network slice. This process may also be referred to simply as the secondary authentication process of network slicing, or the secondary authentication process.
- if NSSAA is required, the network will trigger the NSSAA process. If the network slice authentication succeeds, the network slice can be used by the terminal, and the Single-Network Slice Selection Assistance Information (S-NSSAI) corresponding to the network slice is added to the Allowed NSSAI. If the network slice authentication fails, the network slice cannot be used by the terminal, and the S-NSSAI corresponding to the network slice is added to the Rejected NSSAI.
- S-NSSAI: Single-Network Slice Selection Assistance Information
- the UE-to-Network relay architecture 200 may include an RM UE 21, an RL UE 22, a base station 23, a core network 24, and a public safety application server (AS) 25.
- the RL UE 22 can be connected to the base station 23 through the Uu port.
- the Uu port is the data transmission port between the UE and the base station, and is mainly used to implement functions such as broadcast paging of the base station, processing of radio resource control (Radio Resource Control, RRC) connection, handover and power control decision execution.
- RRC Radio Resource Control
- the RL UE 22 can also communicate with the core network 24 through the N1 port, while the base station 23 accesses the core network 24 through the N2 port. Specifically, corresponding to FIG. 1, the RL UE 22 may communicate with the AMF network element in the core network 24 through the N1 port to transmit NAS layer data.
- the RL UE 22 may be within the coverage of the base station 23.
- the RM UE 21 may be outside the coverage of the base station 23, and the RM UE 21 may not be directly connected to the base station 23, but directly connected to the RL UE 22 through the PC5 port, and access the core network 24 through the RL UE 22.
- the PC5 port is a data transmission port between the UE and the UE, and the adjacent UE can establish a direct link through the PC5 port within a short range, and perform data transmission through the direct link.
- the base station can be connected to the AS 25 via the SGi port.
- the SGi port is used to connect with the external Internet and transmit user plane data.
- the core network 24 can provide communication connection, authentication, management, communication, and complete bearer of data services for the RM UE 21 and the RL UE 22.
- the core network is divided into a user plane function and a control plane function.
- the user plane function is mainly responsible for packet forwarding and QoS control.
- the control plane function is mainly responsible for user registration and authentication, mobility management, delivery of data packet forwarding policies to UPF network elements, or QoS control policies.
- the functions of the control plane mainly include AMF network elements and SMF network elements.
- the RM UE 21 can access the network through the RL UE 22 to implement data transmission. If the network slice requested by the terminal needs to perform NSSAA, the existing NSSAA process can be used for the RL UE 22, but it is unclear how the authentication of the network slice can be performed for the RM UE 21.
- the embodiments of the present application provide an authentication method for network slicing, which can solve the problem that the authentication solution for network slicing in the related art is not perfect.
- FIG. 3 is a schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application. As shown in FIG. 3, the authentication method for a network slice provided by this embodiment of the present application may include steps 301 to 304.
- Step 301: in the case of receiving the authentication request message, the first network device sends a first authentication message to the first terminal.
- the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is for the second terminal.
- Step 302: the first terminal receives the first authentication message sent by the first network device.
- Step 303: the first terminal sends the first EAP message to the second terminal.
- Step 304: the second terminal receives the first EAP message.
- the first network device may be an AMF network element in the core network, and is used to perform network registration, mobility management, tracking area update, terminal paging and the like for the first terminal and the second terminal.
- the second terminal may access the first network device through the first terminal. That is, the first terminal may provide a relay service for the second terminal and the first network device, and forward data for the second terminal and the first network device. It can be understood that the first terminal is the RL UE 22 in the UE-to-Network relay architecture 200 shown in FIG. 2 . The second terminal may be the RM UE 21 in the UE-to-Network relay architecture 200.
- the second terminal may determine that the target network slice needs to be used according to the current service. If the target network slice requires slice granularity authentication and authorization, that is, the target network slice is a network slice that requires NSSAA, the second terminal may trigger an authentication process for the target network slice.
- the second terminal may send an authentication request message.
- the authentication request message is used to trigger an authentication process for the second terminal that requests to use the target network slice. That is, through the authentication request message, the second terminal triggers the network side to authenticate the target network slice it requests to use.
- the second terminal may send an authentication request message to the first terminal, so that the first terminal forwards the authentication request message to the first network device, thereby triggering the authentication process of the target network slice on the network side.
- the second terminal may send an authentication request message to the first terminal through the PC5 port.
- the first terminal can send the authentication request message to the first network device through the N1 port; alternatively, the first terminal can send the authentication request message to the base station through the Uu port, and the base station then sends the authentication request message to the first network device through the N2 port.
- the second terminal may notify the first authentication, authorization and accounting server (Authentication Authorization Accounting-Server, AAA-S) through the application layer to authenticate the target network slice to be used.
- the first AAA-S is the home AAA-S of the second terminal. Based on this, the home AAA-S corresponding to the second terminal may send an authentication request message to the first network device, so as to trigger the authentication process of the target network slice on the network side.
- the system architecture shown in FIG. 1 may further include a network slice authentication and authorization function (NSSAA Function, NSSAAF) network element.
- NSSAAF: NSSAA Function
- the first AAA-S may be connected to the NSSAAF network element, and send an authentication request message to the first network device through the NSSAAF network element.
- the network side can also verify whether the data transmitted by the first AAA-S is credible data through the authentication, authorization and accounting proxy (AAA-P) network element.
- the AAA-P network element is arranged between the first AAA-S and the NSSAAF network element, and is used for verifying the data sent by the first AAA-S. It can be understood that the first AAA-S can send an authentication request message to the AAA-P network element. If the AAA-P network element verifies the authentication request message successfully, the AAA-P network element forwards the authentication request message to the first network device in the core network through the NSSAAF network element.
- the target network slice may require periodic authentication. Based on this, the first AAA-S may actively send an authentication request message to the first network device according to the time period, so as to trigger the authentication process for the target network slice.
- the authentication request message received by the first network device may come from the first terminal or the first AAA-S.
- the authentication request message may include at least one of the following information: identification information of the second terminal, the S-NSSAI corresponding to the target network slice, and the Home Public Land Mobile Network (HPLMN) identification information of the second terminal.
- HPLMN: Home Public Land Mobile Network
- the identification information of the second terminal may be an International Mobile Subscriber Identity (IMSI), a Globally Unique Temporary UE Identity (GUTI), or a Global Positioning System Identity (GPSI).
- IMSI: International Mobile Subscriber Identity
- GUTI: Globally Unique Temporary UE Identity
- GPSI: Global Positioning System Identity
- the IMSI may carry the HPLMN identification information of the second terminal at the same time, while the GUTI and GPSI do not contain the HPLMN identification information of the second terminal. Therefore, when the IMSI is used, the authentication request message may not separately carry the HPLMN identification information of the second terminal.
- the first network device may start the process of authenticating the target network slice requested by the second terminal based on the received authentication request message.
- the authentication process initiated by the first network device may be an EAP Protected Extensible Authentication Protocol (EAP-PEAP) authentication process, an EAP Message Digest 5 (EAP-MD5) authentication process, or an EAP Transport Layer Security (EAP-TLS) authentication process, which is not limited in this embodiment of the present application.
- the first network device may send the first authentication message to the first terminal.
- the first authentication message may include the first indication information and the first EAP message.
- the first EAP message is used to verify the legitimacy of the second terminal using the target network slice; the first indication information may indicate that the first EAP message is used by the second terminal, that is, that the first EAP message is directed to the second terminal.
- the first terminal can parse the first authentication message to obtain the first indication information and the first EAP message. Further, the first terminal may send the first EAP message to the second terminal according to the first indication information in the first authentication message.
- the first indication information may include identification information of the second terminal and/or S-NSSAI of the target network slice. That is, the first network device indicates that the first EAP message is for the second terminal through the identification information of the second terminal and/or the S-NSSAI of the target network slice.
- the identification information of the second terminal is the same as that in the foregoing embodiment, and details are not described herein again.
- the first EAP message may include authentication-related information of the second terminal requesting to use the target network slice.
- the first EAP message may include an encryption algorithm, certificate information of the first AAA-S (including name information and public key information of the first AAA-S), random encryption information, and the like.
- the second terminal may authenticate the target network slice based on the authentication-related information in the first EAP message.
- the first network device can indicate to the first terminal that the first EAP message is for the second terminal through the first indication information.
- the first terminal can forward the first EAP message to the second terminal, so as to realize the authentication of the target network slice requested by the second terminal, ensure the security of the network slice, and solve the problem that the authentication scheme for network slices in the prior art is incomplete.
- the target network slice in this embodiment of the present application is a network slice that needs to perform NSSAA.
- a network slice that needs to perform NSSAA is usually deployed at the home location of the terminal and bound to the HPLMN of the terminal. That is to say, the authentication of the target network slice needs to be performed through the NSSAAF network element at the home of the second terminal and/or the AAA-S at the home of the second terminal.
- the second terminal performs relay communication through the first terminal, and the data transmission of the second terminal uses the resources of the first terminal. Therefore, in order to authenticate the target network slice requested by the second terminal, the HPLMNs of the second terminal and the first terminal need to be the same. Based on this, the second terminal may use the home NSSAAF of the first terminal and/or the home AAA-S to authenticate the target network slice.
- steps 305 to 307 may also be implemented before step 301.
- Step 305 The first terminal sends a discovery message; the discovery message includes the HPLMN identification information of the first terminal.
- Step 306 The second terminal receives the discovery message sent by the first terminal.
- Step 307 If the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, the second terminal accesses the first network device through the first terminal; the first network device refers to the network device that currently provides services for the first terminal.
- the first terminal may broadcast a discovery message to its surroundings.
- the discovery message may carry the HPLMN identification information of the first terminal, so as to inform the surrounding terminals that it can provide the relay service.
- the second terminal may be a terminal without network coverage, or a low-cost and/or low-bandwidth terminal that cannot directly access the network.
- the second terminal is located adjacent to the first terminal, and the second terminal may receive the discovery message sent by the first terminal. Further, the second terminal may determine the target network slice to be used according to the current service. If the target network slice needs to perform NSSAA, the second terminal may judge whether the HPLMN of the first terminal is the same as its own according to the HPLMN identification information of the first terminal carried in the discovery message.
- the second terminal may also actively initiate short-range communication. Specifically, when the second terminal wishes to use the target network slice for data transmission, it may actively broadcast a discovery request message before step 305 to request terminals around the second terminal to provide relay services.
- the discovery request message may include the HPLMN of the second terminal and/or the S-NSSAI of the requested target network slice.
- the first terminal may feed back a discovery response message (ie, the discovery message in step 305 ) to the second terminal based on the foregoing discovery request message.
- the discovery response message carries the HPLMN identification information of the first terminal.
- the second terminal can determine whether the HPLMN of the first terminal and its own are the same according to the discovery message sent by the first terminal.
- the second terminal selects the first terminal, and establishes a short-range communication connection with the first terminal.
- the requested target network slice is authenticated by accessing the first network device through the first terminal.
- the reason why the second terminal selects the first terminal with the same HPLMN to authenticate the target network slice is that the target network slice for which NSSAA needs to be performed is bound to the home operator of the second terminal. Therefore, only when the HPLMN identification information of the first terminal and the second terminal is the same can the target network slice be authenticated and used.
- the discovery message may also carry an NSSAI supported by the first terminal, or a relay service code (Relay Service Code, RSC) corresponding to each S-NSSAI in the NSSAI.
- the NSSAI supported by the first terminal includes the S-NSSAI corresponding to the target network slice.
- the second terminal can determine whether to use the first terminal as a relay terminal according to the NSSAI carried in the discovery message (or the RSC corresponding to each S-NSSAI in the NSSAI) and the HPLMN identification information. If the HPLMN identification information of the first terminal is the same as that of the second terminal, the second terminal establishes a short-range communication connection with the first terminal.
- the NSSAI supported by the first terminal may be at least one of the NSSAI subscribed by the first terminal (that is, the Subscribed NSSAI) and the NSSAI configured by the network for the first terminal (that is, the Configured NSSAI).
- the NSSAI supported by the first terminal not only includes the S-NSSAI in the Allowed NSSAI of the first terminal, but also may include the S-NSSAI in the Rejected NSSAI. This is because the network slice expected to be used by other terminals using the first terminal for relay communication is not necessarily in the Allowed NSSAI. Therefore, the first terminal may carry the S-NSSAI corresponding to all supported network slices in the discovery message for broadcasting.
- steps 301 to 304 may be performed during the process of establishing short-distance communication between the first terminal and the second terminal, or may be performed after the first terminal and the second terminal establish short-distance communication.
- the first terminal may carry HPLMN identification information in the discovery message to establish short-range communication with the adjacent second terminal, so as to forward the authentication-related information for the target network slice on behalf of the adjacent second terminal, realize the authentication of the target network slice, and ensure the security of the slice.
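The discovery exchange in steps 305 to 307, as an added example that is not part of the patent text: the first terminal builds a discovery message from every slice it supports, and the second terminal parses it and decides whether to select the relay from the HPLMN match and the advertised NSSAI or RSC. The message layout, field names and sample values are constructed for this illustration; the S-NSSAI is modelled as an (SST, SD) pair.

```python
# Added example (not from the patent): relay-UE discovery message and the
# second terminal's relay selection (steps 305 to 307). Message layout,
# field names and the sample values are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SNssai = Tuple[int, Optional[str]]   # (SST, SD); SD is 6 hex digits or None


@dataclass
class DiscoveryMessage:
    hplmn_id: str                                              # MCC+MNC of the first terminal
    nssai: List[SNssai] = field(default_factory=list)          # supported S-NSSAIs
    rsc_map: Dict[SNssai, int] = field(default_factory=dict)   # S-NSSAI -> Relay Service Code


def build_discovery(hplmn_id: str, allowed: List[SNssai], rejected: List[SNssai],
                    configured: List[SNssai],
                    rsc_map: Optional[Dict[SNssai, int]] = None) -> DiscoveryMessage:
    """The first terminal advertises every slice it supports, not only its
    Allowed NSSAI: a slice wanted by a relayed terminal may sit in the
    Rejected NSSAI or only in the Configured NSSAI."""
    supported = list(dict.fromkeys(allowed + rejected + configured))  # dedupe, keep order
    return DiscoveryMessage(hplmn_id, supported, dict(rsc_map or {}))


def _snssai(entry: dict) -> SNssai:
    """Decode and validate one S-NSSAI entry of the constructed wire form."""
    sst, sd = int(entry["sst"]), entry.get("sd")
    sd_ok = sd is None or (len(sd) == 6 and all(c in "0123456789abcdefABCDEF" for c in sd))
    if not (0 <= sst <= 255 and sd_ok):
        raise ValueError(f"malformed S-NSSAI: {entry}")
    return (sst, sd)


def parse_discovery(raw: dict) -> DiscoveryMessage:
    """Decode the constructed wire form and validate the fields the second
    terminal relies on before it selects a relay."""
    hplmn = str(raw.get("hplmn_id", ""))
    if not (hplmn.isdigit() and len(hplmn) in (5, 6)):   # MCC (3 digits) + MNC (2 or 3)
        raise ValueError("discovery message lacks a valid HPLMN ID")
    nssai = [_snssai(e) for e in raw.get("nssai", [])]
    rsc_map = {_snssai(e): int(e["rsc"]) for e in raw.get("rsc", [])}
    return DiscoveryMessage(hplmn, nssai, rsc_map)


def select_relay(msg: DiscoveryMessage, own_hplmn_id: str, target: SNssai,
                 needs_nssaa: bool = True) -> Tuple[bool, str]:
    """The second terminal's decision (step 307). A slice that needs NSSAA is
    bound to the home operator, so the HPLMN must match; when the relay
    advertises slices at all, the target S-NSSAI must be among them."""
    if needs_nssaa and msg.hplmn_id != own_hplmn_id:
        return False, "HPLMN mismatch"
    advertised = set(msg.nssai) | set(msg.rsc_map)
    if advertised and target not in advertised:
        return False, "target S-NSSAI not advertised by relay"
    if target in msg.rsc_map:
        return True, f"select relay using RSC {msg.rsc_map[target]}"
    return True, "select relay"
```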
- the authentication method for network slicing provided by the embodiment of this application may further include steps 308 to 312.
- Step 308 The second terminal sends a second EAP message to the first terminal; the second EAP message is used to verify the legitimacy of the second terminal using the target network slice.
- the second terminal may authenticate the first AAA-S based on the authentication-related information carried in the first EAP message. After the verification is successful, the second terminal may generate a second EAP message based on the first EAP message.
- the second EAP message may carry the authentication-related information of the second terminal, which is used to verify the legitimacy of the second terminal using the target network slice.
- the second EAP message may include information such as encryption information encrypted by using the public key, certificate information of the second terminal, and the like.
- the second terminal may send the second EAP message to the first terminal through the PC5 port.
- Step 309 the first terminal receives the second EAP message.
- the first terminal may receive the second EAP message through the PC5 port.
- Step 310 The first terminal sends a second authentication message to the first network device; the second authentication message includes second indication information and a second EAP message; the second indication information is used to indicate that the second EAP message is associated with the second terminal.
- the first terminal may determine that the second EAP message is used to authenticate the second terminal that requests the target network slice. Based on this, the first terminal may generate second indication information, and use the second indication information to indicate that the second EAP message is directed to the second terminal.
- the second indication information may include identification information of the second terminal and/or the S-NSSAI of the target network slice. That is, the first network device indicates through the identification information of the second terminal and/or the S-NSSAI of the target network slice that the second EAP message is associated with the second terminal, that is, the second EAP message is directed to the second terminal.
- the first terminal can generate the second authentication message according to the second indication information and the second EAP message, and send the second authentication message to the first network device.
- Step 311 The first network device receives the second authentication message.
- Step 312 The first network device sends a second authentication message to the first AAA-S.
- after receiving the second authentication message, the first network device sends the second authentication message to the home AAA-S corresponding to the second terminal, that is, the first AAA-S, so that the first AAA-S authenticates the target network slice requested by the second terminal based on the second EAP message.
- the first AAA-S may verify the right of the second terminal to use the target network slice based on the second EAP message, obtain an authentication result, and feed back the authentication result to the first network device.
- the first network device can send the authentication result to the first terminal, so that the first terminal can perform subsequent relay services.
- steps 301 to 304 and steps 308 to 312 may be performed multiple times. That is, the first EAP message and the second EAP message may be exchanged repeatedly among the first terminal, the second terminal, the first network device, and the first AAA-S until the verification succeeds or the allowed number of attempts is exhausted.
- the first terminal is responsible for forwarding the EAP message between the first network device and the second terminal, and indicates through the indication information that the EAP message is associated with the second terminal. In this way, the authentication of the target network slice requested by the second terminal is realized, and the security of the network slice is guaranteed.
- steps 313 to 321 may also be performed.
- Step 313 The first network device sends an authentication command to the first terminal based on the authentication request message; the authentication command includes the EAP identification request message and the third indication information; the third indication information indicates that the EAP identification request message is used by the second terminal.
- after the first network device starts the authentication process for the target network slice used by the second terminal, it can send an authentication command to the first terminal.
- the EAP identification request message in the authentication command may be used to request user identity information of the second terminal, so as to authenticate the identity of the second terminal based on the user identity information of the second terminal.
- the authentication command further needs to carry third indication information.
- the third indication information may include the identification information of the second terminal and/or the S-NSSAI of the target network slice. That is, the first network device indicates through the identification information of the second terminal and/or the S-NSSAI of the target network slice that the EAP identification request message is associated with the second terminal, that is, the EAP identification request message is directed to the second terminal.
- the first network device prompts the first terminal through the third indication information that the EAP identification request message in the authentication command is sent to the second terminal.
- Step 314 The first terminal receives the authentication command sent by the first network device.
- the first terminal may receive the authentication command through the NAS layer, and obtain the third indication information and the EAP identification request message by parsing.
- Step 315 The first terminal sends an EAP identification request message to the second terminal.
- the first terminal may send the EAP identification request message to the second terminal through the PC5 port based on the third indication information.
- Step 316 The second terminal receives the EAP identification request message sent by the first terminal.
- Step 317 The second terminal sends an EAP identification response message to the first terminal.
- the second terminal may forward the EAP identification request message to its own EAP protocol layer, and process the EAP identification request message through the EAP protocol layer to obtain the EAP identification response message.
- the EAP identification response message is used to carry the authentication information of the second terminal, so as to realize the authentication of the target network slice requested by the second terminal on the network side.
- the second terminal may send the EAP identification response message to the first terminal through the PC5 port.
- Step 318 The first terminal receives the EAP identification response message sent by the second terminal.
- Step 319 The first terminal sends an authentication command response message to the first network device; the authentication command response message includes fourth indication information and an EAP identification response message; the fourth indication information is used to indicate that the EAP identification response message is associated with the second terminal.
- the first terminal may forward the EAP identification response message to the first network device.
- the first terminal may simultaneously send fourth indication information, and the fourth indication information indicates that the EAP identification response message is associated with the second terminal, that is, the EAP identification response message is directed to the second terminal.
- Step 320 The first network device receives the authentication command response message sent by the first terminal.
- Step 321 The first network device sends an authentication command response message to the first AAA-S.
- the first network device forwards the authentication command response message to the first AAA-S, and the first AAA-S verifies the user identity information of the second terminal, thereby realizing authentication of the target network slice to ensure the security of the slice.
- after step 304, in which the first network device sends the first authentication message to the first terminal, steps 322 to 326 may also be performed.
- Step 322 The first network device receives the authentication result message sent by the first AAA-S; the authentication result message includes the authentication result of the target network slice requested by the second terminal.
- the first AAA-S authenticates the validity of the target network slice used by the second terminal to obtain an authentication result.
- the first AAA-S may notify the first network device of the target network slice authentication result requested by the second terminal.
- the authentication result message carries the authentication result of the target network slice, and also carries the identification information of the second terminal and/or the S-NSSAI of the target network slice, to indicate that the authentication result is for the target network slice requested by the second terminal.
- Step 323 The first network device sends an authentication result message to the first terminal.
- the first network device may send an authentication result message to the first terminal to notify the first terminal of the authentication result of the target network slice requested by the second terminal.
- Step 324 The first terminal receives the authentication result message sent by the first network device.
- Step 325 If the authentication result indicates that the authentication of the target network slice requested by the second terminal is successful, the first terminal relays the data in the target network slice for the second terminal.
- the first terminal may determine, from the authentication result message, whether the authentication of the target network slice requested by the second terminal is successful.
- if the authentication result indicates success, the first terminal may determine that the network side has allowed the second terminal to use the target network slice. In this way, the first terminal can relay the service data in the target network slice for the second terminal.
- if the authentication result indicates failure, the first terminal determines that the network side does not allow the second terminal to use the target network slice. In this way, the first terminal refuses to relay the service data in the target network slice for the second terminal.
- the network slice authentication method provided in this embodiment of the present application may further include the following steps:
- Step 326 The first terminal sends the authentication result of the target network slice to the second terminal.
- the first terminal may send the authentication result of the target network slice requested by the second terminal to the second terminal based on the identification information of the second terminal in the authentication result message.
- the second terminal can perform subsequent service processing based on the authentication result.
- if the authentication of the target network slice requested by the second terminal fails, the second terminal stops transmitting service data through the target network slice. If the authentication of the target network slice requested by the second terminal succeeds, the second terminal transmits the data of the target network slice through the first terminal.
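The first terminal's forwarding role across steps 304 and 308 to 326, as an added example that is not part of the patent text: EAP messages from the first network device are routed to the PC5 link named by the indication information, replies from the second terminal are wrapped with the same indication information for the network, and relaying of slice data is gated on the per-terminal, per-slice authentication result. The message layouts, the PC5 link table and all sample values (terminal identifiers, HPLMN IDs, EAP payloads) are constructed for this illustration.

```python
# Added example (not from the patent): the first terminal's forwarding logic for
# EAP messages between the first network device (AMF) and the second terminal,
# keyed by the indication information (steps 304, 308 to 326). Message layouts,
# the PC5 link table and all sample values are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SNssai = Tuple[int, Optional[str]]
Indication = Tuple[str, SNssai]   # (second terminal ID, S-NSSAI): the indication information


@dataclass
class RelayTerminal:
    hplmn_id: str
    pc5_links: Dict[str, str] = field(default_factory=dict)        # second terminal ID -> PC5 link
    auth_results: Dict[Indication, bool] = field(default_factory=dict)
    to_pc5: List[dict] = field(default_factory=list)               # handed to the PC5 layer
    to_nas: List[dict] = field(default_factory=list)               # handed to the NAS layer
    dropped: List[str] = field(default_factory=list)

    def attach(self, remote_id: str, remote_hplmn_id: str, link: str) -> bool:
        """Step 307: a PC5 link is accepted only from a terminal with the same HPLMN."""
        if remote_hplmn_id != self.hplmn_id:
            return False
        self.pc5_links[remote_id] = link
        return True

    def on_nas_eap(self, msg: dict) -> bool:
        """Steps 304 and 313 to 315: first authentication message or authentication
        command from the AMF. The indication information selects the PC5 link; an
        EAP message for a terminal that is not attached is dropped, not guessed."""
        remote_id, snssai = msg["indication"]
        link = self.pc5_links.get(remote_id)
        if link is None:
            self.dropped.append(f"EAP for unknown terminal {remote_id}")
            return False
        self.to_pc5.append({"link": link, "snssai": snssai, "eap": msg["eap"]})
        return True

    def on_pc5_eap(self, remote_id: str, snssai: SNssai, eap: bytes) -> bool:
        """Steps 308 to 310 and 317 to 319: wrap the second terminal's EAP reply
        with the second (or fourth) indication information for the AMF."""
        if remote_id not in self.pc5_links:
            self.dropped.append(f"EAP from unattached terminal {remote_id}")
            return False
        self.to_nas.append({"indication": (remote_id, snssai), "eap": eap})
        return True

    def on_auth_result(self, msg: dict) -> bool:
        """Steps 322 to 326: record the result per (terminal, slice) and pass it on."""
        remote_id, snssai = msg["indication"]
        ok = bool(msg["success"])
        self.auth_results[(remote_id, snssai)] = ok
        link = self.pc5_links.get(remote_id)
        if link is not None:
            self.to_pc5.append({"link": link, "snssai": snssai, "result": ok})
        return ok

    def may_relay(self, remote_id: str, snssai: SNssai) -> bool:
        """Step 325: slice data is relayed only after a successful result for that pair."""
        return self.auth_results.get((remote_id, snssai), False)


def run_exchange() -> RelayTerminal:
    """Constructed walk-through of one EAP round trip followed by the result."""
    relay = RelayTerminal(hplmn_id="46000")
    relay.attach("rm-ue-1", "46000", "pc5-link-A")
    relay.attach("rm-ue-2", "46001", "pc5-link-B")        # different HPLMN: refused
    slice_a: SNssai = (1, "000001")
    relay.on_nas_eap({"indication": ("rm-ue-1", slice_a), "eap": b"EAP-Request/Identity"})
    relay.on_pc5_eap("rm-ue-1", slice_a, b"EAP-Response/Identity")
    relay.on_nas_eap({"indication": ("rm-ue-2", slice_a), "eap": b"EAP-Request/Identity"})  # dropped
    relay.on_auth_result({"indication": ("rm-ue-1", slice_a), "success": True})
    return relay
```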
- the authentication method for network slice provided by the embodiment of the present application may include the following steps:
- Step 801 The second terminal receives the discovery message sent by the first terminal; the discovery message includes the HPLMN identification information of the first terminal.
- Step 802 If the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, the second terminal accesses the first network device through the first terminal; the first network device refers to the network device that provides services for the first terminal.
- the second terminal is located adjacent to the first terminal, and the second terminal can receive the discovery message sent by the first terminal. Further, the second terminal may determine the target network slice to be used according to the current service. If the target network slice needs to perform NSSAA, the second terminal may judge whether the HPLMN of the first terminal is the same as its own according to the HPLMN identification information of the first terminal carried in the discovery message.
- the second terminal may also actively initiate short-range communication.
- the second terminal may also send a discovery request message before step 801; the discovery request message is used to request the surrounding terminals to provide relay services.
- the discovery request message may include the HPLMN of the second terminal and/or the S-NSSAI of the requested target network slice.
- when the second terminal expects to use the target network slice, it can actively initiate short-range communication, and use the target network slice for data transmission through the relay service provided by other terminals.
- the first terminal may feed back a discovery response message (that is, the discovery message in step 801) to the second terminal based on the foregoing discovery request message, and the discovery response message carries the HPLMN identification information of the first terminal. In this way, after receiving the discovery message sent by the first terminal, the second terminal can determine whether the HPLMN of the first terminal is the same as its own according to the discovery message.
- the second terminal selects the first terminal, and establishes a short-range communication connection with the first terminal. In this way, the second terminal can access the first network device through the first terminal, so as to trigger the network side to authenticate the target network slice requested by the second terminal.
- the discovery message may also carry an NSSAI supported by the first terminal, or a relay service code (Relay Service Code, RSC) corresponding to each S-NSSAI in the NSSAI.
- the NSSAI supported by the first terminal includes the S-NSSAI corresponding to the target network slice.
- the second terminal can determine whether to use the first terminal as a relay terminal according to the NSSAI carried in the discovery message (or the RSC corresponding to each S-NSSAI in the NSSAI) and the HPLMN identification information. If the HPLMN identification information of the first terminal is the same as that of the second terminal, the second terminal establishes a short-range communication connection with the first terminal.
- the NSSAI supported by the first terminal may be at least one of the S-NSSAI subscribed by the first terminal (that is, the Subscribed NSSAI) and the NSSAI configured by the network for the first terminal (that is, the Configured NSSAI). That is to say, the NSSAI supported by the first terminal not only includes the S-NSSAI in the Allowed NSSAI of the first terminal, but also may include the S-NSSAI in the Rejected NSSAI. This is because the network slice expected to be used by other terminals using the first terminal for relay communication is not necessarily in the Allowed NSSAI. Therefore, the first terminal may carry the S-NSSAI corresponding to all supported network slices in the discovery message for broadcasting.
- the first terminal may carry HPLMN identification information in the discovery message to establish short-range communication with the adjacent second terminal, so as to forward the authentication-related information for the target network slice on behalf of the adjacent second terminal, realize the authentication of the target network slice, and ensure the security of the slice.
- the authentication method for network slicing provided by the embodiment of the present application is described in detail below with reference to an actual application scenario.
- the network slice authentication method provided by this embodiment of the present application may include the following steps:
- Step 1 The RL UE sends a discovery message.
- the RL UE is the first terminal in the above embodiment, and can provide relay services for other terminals.
- the discovery message includes the HPLMN identification information of the first terminal, that is, the HPLMN ID.
- the discovery message may further include the NSSAI supported by the RL UE or the RSC corresponding to each S-NSSAI in the NSSAI.
- the NSSAI supported by the RL UE, or the S-NSSAI associated with the RSC, may include the NSSAI subscribed by the RL UE, the Subscribed NSSAI of the RL UE, and all the S-NSSAIs in the Configured NSSAI that the network configures for the RL UE.
- the NSSAI supported by the RL UE, or the S-NSSAI associated with the RSC, may include the S-NSSAI in the Rejected NSSAI.
- the NSSAI supported by the RL UE, or the S-NSSAI associated with the RSC may be the S-NSSAI subscribed by the RL UE. That is, the number of NSSAIs supported by the RL UE, or S-NSSAIs associated with the RSC is greater than or equal to the number in the Allowed NSSAIs. This is because the network slice requested by the UE using the RL UE for relay transmission is not necessarily in the Allowed NSSAI.
- Step 2 After the RM UE receives the discovery message, it checks whether the HPLMN of the RL UE is the same as its own HPLMN. If the HPLMN of the RL UE and that of the RM UE are the same, the RL UE is selected.
- the RM UE is the second terminal in the above embodiment.
- the RM UE determines to use the target network slice according to the current service.
- the RM UE may receive the discovery message so as to access the network through another UE and realize the authentication of the target network slice.
- Step 3 The RM UE establishes a short-range communication connection with the RL UE.
- the RM UE establishes a short-range communication connection with the RL UE based on the discovery message. In this way, the RM UE can access the network through the RL UE, and communicate with the network side through the AMF network element corresponding to the RL UE.
- Step 4 Trigger the RL-AMF to perform the NSSAA authentication process on the target network slice.
- the RL-AMF is the first network device in the foregoing embodiment.
- the RL-AMF may be the AMF network element currently serving the RL UE.
- the RL-AMF is triggered to execute the NSSAA process of the target network slice, and the trigger operation may come from the RL UE or the RM-AAA-S.
- the RM-AAA-S is the first AAA-S in the above-mentioned embodiment, which is deployed in the home of the RM UE.
- step 4 may be implemented by step 4a.
- Step 4a the RM UE sends an authentication request message to the RL UE, and the RL UE forwards the authentication request message to the RL-AMF to trigger the RL-AMF to authenticate the target network slice used by the RM UE.
- the authentication request message includes the S-NSSAI of the requested target network slice, the HPLMN ID of the RM UE, and the identification information of the RM UE.
- step 4 may also be implemented through step 4b.
- Step 4b the RM-AAA-S sends an authentication request message to the RL-AMF to trigger the RL-AMF to authenticate the target network slice used by the RM UE.
- the RM UE can trigger the RM-AAA-S to perform NSSAA through the application layer.
- Step 5 The RL-AMF sends an authentication command (NSSAA command) to the RL UE.
- the authentication command includes an EAP ID request message (EAP ID request) that needs to be sent to the RM UE.
- the authentication command also includes the S-NSSAI of the target network slice and the identification information of the RM UE to indicate to the RL UE that the EAP identification request message is sent to the RM UE.
- Step 6 The RL UE sends the received EAP ID request message (EAP ID request) and the S-NSSAI of the target network slice to the RM UE.
- after receiving the authentication command (NSSAA command), the NAS layer of the RL UE passes the EAP ID request message (EAP ID request) and the S-NSSAI of the target network slice to its own PC5 layer, which sends the EAP ID request message and the S-NSSAI of the target network slice to the RM UE through the PC5 port.
- Step 7 After receiving the EAP ID request message (EAP ID request) and the S-NSSAI of the target network slice, the RM UE generates an EAP ID response message, and sends the EAP ID response message and the S-NSSAI of the target network slice to the RL UE.
- the RM UE transfers the EAP identification request message to its own EAP protocol layer, and obtains the EAP identification response message through the EAP protocol layer processing.
- Step 8 The RL UE sends an authentication command response message to the RL AMF.
- the authentication command response message includes the EAP identification response message, the S-NSSAI of the target network slice, and the identification information of the RM UE.
- the RL UE indicates that the EAP identification response message is for the RM UE by carrying the identification information of the RM UE in the authentication command response message.
- Step 9 The RL-AMF, RM-AAA-S, RL UE, and RM UE exchange EAP messages to authenticate the validity of the RM UE using the target network slice, and the RM-AAA-S notifies the RL-AMF of the authentication result for the RM UE using the target network slice.
- the EAP message carries information related to RM UE authentication, such as certificate information, key information, and the like.
- the EAP message here includes the first EAP message and/or the second EAP message in the above embodiments.
- the NSSAAF network element of the RM UE also participates in the authentication process, which is not shown in FIG. 9 .
- the RL UE is responsible for forwarding the EAP message between the RL-AMF and the RM UE, and the signaling between the AMF and the RL UE needs to include the RM UE ID and the S-NSSAI of the RM UE's HPLMN to indicate that the EAP message is for the RM UE.
- Step 10 the RL-AMF sends an authentication result message to the RL UE.
- the authentication result message includes the authentication result of the target network slice, and also includes the identification information of the RM UE and the HPLMN identification information of the RM UE, to indicate that the authentication result of the target network slice is for the RM UE.
- the RL UE can determine whether the network side allows the RM UE to use the target network slice. If the network side allows the RM UE to use the target network slice, the RL UE can relay the service data in the target network slice for the RM UE.
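Steps 6 to 10 above, together with the discovery-message HPLMN check described for the second terminal in the apparatus embodiments below, as an added example; this is not code from the patent or from any 3GPP implementation. The RM UE ID and HPLMN carried in the NAS messages are the indication information that lets the RL UE forward an EAP message over PC5 instead of answering it as its own, and the RL UE relays slice data only after a success result tagged for that RM UE and S-NSSAI; message field names, the challenge/response credential check, the subscription table and all identifiers are assumptions constructed for the example.

```python
"""Model of relayed NSSAA (steps 6-10) for an RM UE reaching the network via an RL UE.
Added example, not code from the patent or any 3GPP implementation; field names, the
challenge/response check, identifiers and the subscription table are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Eap:
    kind: str          # id_request | id_response | challenge | response | success | failure
    payload: str = ""

@dataclass(frozen=True)
class NasMsg:
    """RL AMF <-> RL UE signalling. rm_ue_id and rm_hplmn are the indication
    information: when set, the EAP message (or the result) is for the RM UE."""
    eap: Optional[Eap]
    s_nssai: str
    rm_ue_id: Optional[str] = None
    rm_hplmn: Optional[str] = None
    result: Optional[str] = None   # set only in the authentication result message

class RmAaaServer:
    """Home AAA-S of the RM UE (RM-AAA-S); subscriptions map (UE id, S-NSSAI) -> secret."""
    def __init__(self, subscriptions: Dict[Tuple[str, str], str]) -> None:
        self.subscriptions = subscriptions

    def handle(self, rm_ue_id: str, s_nssai: str, eap: Eap) -> Eap:
        if eap.kind == "id_response":
            return Eap("challenge", "nonce-7f3a")        # constructed nonce
        if eap.kind == "response":
            ok = self.subscriptions.get((rm_ue_id, s_nssai)) == eap.payload
            return Eap("success" if ok else "failure")
        raise ValueError(f"unexpected EAP message: {eap.kind}")

class RmUe:
    """Remote UE: answers EAP over PC5 and only uses a relay of its own HPLMN."""
    def __init__(self, ue_id: str, hplmn: str, secret: str) -> None:
        self.ue_id, self.hplmn, self.secret = ue_id, hplmn, secret

    def accept_relay(self, discovery_hplmn: str) -> bool:
        return discovery_hplmn == self.hplmn   # HPLMN check on the discovery message

    def eap(self, msg: Eap) -> Eap:
        if msg.kind == "id_request":
            return Eap("id_response", self.ue_id)
        if msg.kind == "challenge":
            return Eap("response", self.secret)
        raise ValueError(f"unexpected EAP message: {msg.kind}")

class RlUe:
    """Relay UE: forwards tagged EAP over PC5 and relays slice data only once allowed."""
    def __init__(self, ue_id: str, hplmn: str) -> None:
        self.ue_id, self.hplmn = ue_id, hplmn
        self.remotes: Dict[str, RmUe] = {}           # PC5 links keyed by RM UE id
        self.allowed: Set[Tuple[str, str]] = set()   # (rm_ue_id, s_nssai) pairs

    def attach(self, rm: RmUe) -> bool:
        """Discovery: advertise own HPLMN; the RM UE attaches only on a match."""
        if not rm.accept_relay(self.hplmn):
            return False
        self.remotes[rm.ue_id] = rm
        return True

    def on_nas(self, msg: NasMsg) -> Optional[NasMsg]:
        if msg.rm_ue_id is None:
            raise ValueError("EAP for the RL UE itself is out of scope here")
        if msg.result is not None:                    # step 10: authentication result
            if msg.result == "success":
                self.allowed.add((msg.rm_ue_id, msg.s_nssai))
            return None
        rm = self.remotes.get(msg.rm_ue_id)
        if rm is None:
            return None                               # unknown remote: drop, never answer
        reply = rm.eap(msg.eap)                       # steps 6-7: EAP + S-NSSAI over PC5
        return NasMsg(reply, msg.s_nssai, msg.rm_ue_id, msg.rm_hplmn)   # step 8

    def may_relay(self, rm_ue_id: str, s_nssai: str) -> bool:
        return (rm_ue_id, s_nssai) in self.allowed

class RlAmf:
    """Serving AMF of the RL UE; drives the EAP exchange with the RM-AAA-S (step 9)."""
    def __init__(self, aaa: RmAaaServer) -> None:
        self.aaa = aaa

    def nssaa(self, rl: RlUe, rm_ue_id: str, rm_hplmn: str, s_nssai: str) -> str:
        """Run relayed NSSAA for one (RM UE, S-NSSAI) and return the result."""
        cmd = NasMsg(Eap("id_request"), s_nssai, rm_ue_id, rm_hplmn)   # authentication command
        while True:
            resp = rl.on_nas(cmd)
            if resp is None:
                result = "failure"
                break
            nxt = self.aaa.handle(rm_ue_id, s_nssai, resp.eap)
            if nxt.kind in ("success", "failure"):
                result = nxt.kind
                break
            cmd = NasMsg(nxt, s_nssai, rm_ue_id, rm_hplmn)              # first authentication message
        rl.on_nas(NasMsg(None, s_nssai, rm_ue_id, rm_hplmn, result=result))  # step 10
        return result
```

An RM UE whose HPLMN differs from the relay's never attaches, so the RL UE has no PC5 link for its ID and the run ends in failure without the relay answering on its behalf.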
- An embodiment of the present application provides an authentication apparatus for network slicing, and the apparatus can be applied to the first network device provided in the above embodiment.
- the authentication apparatus 100 for network slicing provided in this embodiment of the present application may include:
- the first sending unit 1001 is configured to send a first authentication message to the first terminal upon receiving an authentication request message; the authentication request message is used to trigger an authentication process for a second terminal requesting to use the target network slice; the second terminal accesses the first network device through the first terminal;
- the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the HPLMN of the first terminal and the second terminal are the same.
- the authentication request message comes from the first terminal or the first AAA-S; the first AAA-S is the home AAA-S of the second terminal.
- the authentication request message includes at least one of the following information: identification information of the second terminal, single network slice selection assistance information (S-NSSAI) corresponding to the target network slice, and HPLMN identification information of the second terminal.
- the authentication apparatus 100 for network slicing may further include a first receiving unit.
- the first receiving unit configured to receive the second authentication message sent by the first terminal
- the first sending unit 1001 is further configured to send the second authentication message to the first AAA-S;
- the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the first sending unit 1001 is further configured to send an authentication command to the first terminal based on the authentication request message;
- the authentication command includes an EAP identification request message and third indication information;
- the third indication information indicates that the EAP identification request message is used by the second terminal;
- the first receiving unit is further configured to receive an authentication command response message sent by the first terminal; the authentication command response message includes fourth indication information and an EAP identification response message; the fourth indication information indicates that the EAP identification response message is associated with the second terminal.
- the first receiving unit is further configured to receive an authentication result message sent by the first AAA-S; the authentication result message includes the authentication result of the target network slice requested by the second terminal;
- the first sending unit 1001 is configured to send the authentication result message to the first terminal.
- An embodiment of the present application further provides an authentication apparatus for network slicing, and the apparatus can be applied to the first terminal provided in the above-mentioned embodiment.
- the authentication apparatus 110 for network slicing provided in this embodiment of the present application may include:
- the second receiving unit 1101 is configured to receive a first authentication message sent by a first network device; the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
- the second sending unit 1102 is configured to send the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
- the HPLMN of the first terminal and the second terminal are the same.
- the second sending unit 1102 is configured to send an authentication request message to the first network device; the authentication request message is used to trigger an authentication process for the second terminal requesting to use the target network slice.
- the authentication request message includes at least one of the following information: identification information of the second terminal, single network slice selection assistance information (S-NSSAI) corresponding to the target network slice, and HPLMN identification information of the second terminal.
- the second receiving unit 1101 is configured to receive a second EAP message sent by a second terminal; the second EAP message is used to verify the legitimacy of the second terminal using the target network slice;
- the second sending unit 1102 is configured to send a second authentication message to the first network device;
- the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal.
- the second receiving unit 1101 is configured to receive an authentication command sent by the first network device; the authentication command includes an EAP identification request message and third indication information; the third indication information indicates the EAP identification request message is used by the second terminal;
- the second sending unit 1102 is configured to send the EAP identification request message to the second terminal.
- the second receiving unit 1101 is configured to receive an EAP identification response message sent by the second terminal;
- the second sending unit 1102 is further configured to send an authentication command response message to the first network device; the authentication command response message includes fourth indication information and the EAP identification response message; the fourth indication information indicates that the EAP identification response message is associated with the second terminal.
- the second receiving unit 1101 is further configured to receive an authentication result message sent by the first network device; the authentication result message includes the authentication result of the target network slice requested by the second terminal;
- the authentication apparatus 110 for network slicing may further include a processing unit, configured so that, if the authentication result indicates that the authentication of the target network slice requested by the second terminal succeeded, the data in the target network slice is relayed for the second terminal.
- the second sending unit is further configured to send a discovery message; the discovery message includes HPLMN identification information of the first terminal.
- An embodiment of the present application further provides an authentication apparatus for network slicing, and the apparatus can be applied to the second terminal provided in the foregoing embodiment.
- the authentication apparatus 120 for network slicing provided in this embodiment of the present application may include:
- the third receiving unit 1201 is configured to receive a first EAP message sent by a first terminal; the first EAP message is used to verify the legitimacy of the second terminal's request to use a target network slice; the second terminal accesses the first network device through the first terminal.
- the HPLMN of the first terminal and the second terminal are the same.
- the authentication apparatus 120 for network slicing may further include a third sending unit; the third sending unit is configured to send an authentication request message; the authentication request message is used to trigger the authentication process for the second terminal requesting to use the target network slice.
- the third sending unit is configured to send the authentication request message to the first terminal through the PC5 port, or to send the authentication request message to the first AAA-S through the application layer; the first AAA-S is the home AAA-S of the second terminal.
- the authentication request message includes at least one of the following information: identification information of the second terminal, single network slice selection assistance information (S-NSSAI) corresponding to the target network slice, and HPLMN identification information of the second terminal.
- the third sending unit is further configured to send a second EAP message to the first terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the third receiving unit 1201 is configured to receive an EAP identification request message sent by the first terminal;
- the third sending unit is further configured to send an EAP identification response message to the first terminal.
- the third receiving unit 1201 is further configured to receive a discovery message sent by the first terminal; the discovery message includes HPLMN identification information of the first terminal.
- the authentication apparatus 120 for network slicing may further include a network access unit 1202, configured to access the first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal.
- the embodiment of the present application further provides an authentication device for network slicing, and the device can be applied to the second terminal provided in the foregoing embodiment.
- the authentication device 120 may include:
- the third receiving unit 1201 is configured to receive a discovery message sent by a first terminal; the discovery message includes HPLMN identification information of the first terminal;
- the network access unit 1202 is configured to access the first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal; the first network device refers to a network device that provides services for the first terminal.
- each functional unit in the above-mentioned embodiment may be integrated into one processing module, or each unit may exist physically alone, or two or more units may be integrated into one module.
- the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules.
- the integrated modules are implemented in the form of software function modules and are not sold or used as independent products, they can be stored in a computer-readable storage medium.
- the technical solution of this embodiment, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor execute all or part of the steps of the method in this embodiment.
- the aforementioned storage medium includes: U disk, mobile hard disk, read only memory (Read Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program codes.
- an embodiment of the present application further provides a network device.
- the network device provided by the embodiment of the present application may include a memory 1301 , a transceiver 1302 , a processor 1303 , and a bus system 1304 .
- the memory 1301 is used to store programs and instructions
- the transceiver 1302 is used to receive or transmit information under the control of the processor 1303;
- the processor 1303 is used for executing the program in the memory 1301;
- the bus system 1301 is used to connect the memory 1301, the transceiver 1302 and the processor 1303, so that the memory 1301, the transceiver 1302 and the processor 1303 communicate;
- the processor 1303 is configured to call program instructions in the memory 1301, and control the transceiver 1302 to perform the following steps:
- upon receiving an authentication request message, send a first authentication message to the first terminal; the authentication request message is used to trigger the authentication process for the second terminal requesting to use the target network slice; the second terminal accesses the first network device through the first terminal;
- the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the processor 1303 may also be configured to invoke program instructions in the memory 1301 to control the transceiver 1302 to perform the following steps:
- the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the processor 1303 may also be configured to invoke program instructions in the memory 1301 to control the transceiver 1302 to perform the following steps:
- an authentication command is sent to the first terminal;
- the authentication command includes an EAP identity request message and third indication information;
- the third indication information indicates that the EAP identity request message is to be used by the second terminal;
- the authentication command response message includes fourth indication information and an EAP identification response message; the fourth indication information indicates that the EAP identification response message is associated with the second terminal.
- the processor 1303 may also be configured to invoke program instructions in the memory 1301 to control the transceiver 1302 to perform the following steps:
- the authentication result message includes the authentication result of the target network slice requested by the second terminal;
- An embodiment of the present application further provides a terminal.
- the terminal provided by the embodiment of the present application may include a memory 1401 , a transceiver 1402 , a processor 1403 , and a bus system 1404 .
- the memory 1401 is used to store programs and instructions
- the transceiver 1402 is used to receive or transmit information under the control of the processor 1403;
- the processor 1403 is used for executing the program in the memory 1401;
- the bus system 1401 is used to connect the memory 1401, the transceiver 1402 and the processor 1403, so that the memory 1401, the transceiver 1402 and the processor 1403 communicate;
- the processor 1403 is configured to call program instructions in the memory 1401, and control the transceiver 1402 to perform the following steps:
- the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- An authentication request message is sent to the first network device; the authentication request message is used to trigger an authentication process for the second terminal that requests to use the target network slice.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the second EAP message is used to verify the legitimacy of the second terminal using the target network slice;
- the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the authentication command includes an EAP identification request message and third indication information; the third indication information indicates that the EAP identification request message is to be used by the second terminal;
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the authentication command response message includes fourth indication information and the EAP identification response message; the fourth indication information indicates that the EAP identification response message is associated with the second terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the authentication result message includes the authentication result of the target network slice requested by the second terminal;
- if the authentication result indicates that the authentication of the target network slice requested by the second terminal succeeded, the data in the target network slice is relayed for the second terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- a discovery message is sent; the discovery message includes HPLMN identification information of the first terminal.
- the processor 1403 is further configured to call program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the first EAP message is used to verify the legitimacy of the target network slice requested by the second terminal; the second terminal accesses the first network device through the first terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- An authentication request message is sent; the authentication request message is used to trigger an authentication process for the second terminal that requests to use the target network slice.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- send the authentication request message to the first terminal through the PC5 port, or send the authentication request message to the first authentication, authorization and accounting server (AAA-S) through the application layer; the first AAA-S is the home AAA-S of the second terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- An EAP identification response message is sent to the first terminal.
- the processor 1403 is further configured to invoke program instructions in the memory 1401 to control the transceiver 1402 to perform the following steps:
- the discovery message includes HPLMN identification information of the first terminal
- processor 1403 is further configured to call the program instructions in the memory 1401 to perform the following steps:
- the first network device is accessed through the first terminal.
- the above-mentioned processor may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), and a controller.
- the memory can be a volatile memory (volatile memory), such as RAM; or a non-volatile memory (non-volatile memory), such as ROM, flash memory (flash memory), hard disk (Hard Disk Drive, HDD) or solid-state drive (Solid-State Drive, SSD); or a combination of the above-mentioned types of memory, and provide instructions and data to the processor 1101.
- Embodiments of the present application further provide a computer storage medium, specifically a computer-readable storage medium.
- Computer instructions are stored thereon, and when the computer storage medium is located in a network device or a terminal and the computer instructions are executed by the processor, any step of the authentication method for network slicing in the embodiments of the present application is implemented.
- the above-mentioned computer storage medium/memory can be a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, a Compact Disc Read-Only Memory (CD-ROM) or other memory; it can also be any of various terminals that include one or any combination of the above memories, such as mobile phones, computers, tablet devices, personal digital assistants, etc.
- references throughout the specification to "one embodiment", "an embodiment", "an embodiment of the present application", "the preceding embodiments" or "some embodiments" mean that a particular feature, structure or characteristic related to the embodiments is included in at least one embodiment of the present application. Thus, appearances of "in one embodiment", "in an embodiment", "the present embodiments", "the preceding embodiments" or "some embodiments" in various places throughout the specification do not necessarily refer to the same embodiments. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
- the size of the sequence numbers of the above-mentioned processes does not imply the order of execution; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present application.
- the above-mentioned serial numbers of the embodiments of the present application are only for description, and do not represent the advantages or disadvantages of the embodiments.
- the detection device performs any step in the embodiments of the present application, which may be performed by a processor of the detection device. Unless otherwise specified, the embodiments of the present application do not limit the sequence in which the detection device performs the following steps. In addition, the manner in which data is processed in different embodiments may be the same method or different methods. It should also be noted that, any step in the embodiments of the present application can be independently performed by the detection device, that is, when the detection device performs any step in the foregoing embodiments, it may not depend on the execution of other steps.
- the disclosed apparatus and method may be implemented in other manners.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined, or may be integrated into another system, or some features may be ignored or not implemented.
- the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or of other forms.
- the unit described above as a separate component may or may not be physically separated, and the component displayed as a unit may or may not be a physical unit; it may be located in one place or distributed to multiple network units; Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may be used separately as a unit, or two or more units may be integrated into one unit; the above integrated unit can be implemented either in the form of hardware or in the form of hardware plus software functional units.
- the aforementioned program can be stored in a computer-readable storage medium, and when the program is executed, the steps of the above method embodiments are performed; the aforementioned storage medium includes: a removable storage device, a Read Only Memory (ROM), a magnetic disk, an optical disk or other media that can store program codes.
- the above-mentioned integrated units of the present application are implemented in the form of software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium.
- the computer software products are stored in a storage medium and include several instructions to make a computer device (which may be a personal computer, a detection device, or a network device, etc.) execute all or part of the methods described in the various embodiments of the present application.
- the aforementioned storage medium includes various media that can store program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
Abstract
Embodiments of the present application provide an authentication method for a network slice, including: a first network device, upon receiving an authentication request message, sends a first authentication message to a first terminal; the authentication request message is used to trigger an authentication process for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal; the first authentication message includes first indication information and a first Extensible Authentication Protocol message; the first indication information indicates that the first Extensible Authentication Protocol message is to be used by the second terminal; the first Extensible Authentication Protocol message is used to verify the legitimacy of the second terminal's use of the target network slice. Embodiments of the present application further provide an authentication apparatus, a device and a storage medium for a network slice.
Description
The present application relates to the field of communication technologies, and in particular to an authentication method and apparatus, a device and a storage medium for a network slice.
In a fifth-generation mobile communication technology (5G) network, network services are rich and varied, and different network services place different requirements on the network; for example, services such as autonomous driving and remote control require ultra-low latency and ultra-high reliability; services such as augmented reality (AR)/virtual reality (VR) require ultra-high bandwidth; services such as the Internet of Things (IoT) require support for massive device access and ultra-low power consumption. Therefore, to meet the requirements of different network services, the network is divided into multiple network slices, with different network slices used to realize different network services.
When a terminal needs to use a certain network slice, a Network Slice-Specific Authentication and Authorization (NSSAA) procedure must also be performed for that network slice, to determine whether the terminal is allowed to use the slice.
With the development of communication technology, Release 17 (R17) of the communication standards introduced the UE-to-Network relay communication architecture. That is, a remote terminal (Remote User Equipment, RM UE) can access the network through a relay terminal (Relay UE, RL UE) to achieve data transmission between the RM UE and the network. However, there is currently no clear method for performing the NSSAA procedure for the network slice that the RM UE is to use.
Summary of the Invention
Embodiments of the present application provide an authentication method and apparatus, a device and a storage medium for a network slice.
In a first aspect, an authentication method for a network slice is provided, applied to a first network device, the method including:
upon receiving an authentication request message, sending a first authentication message to a first terminal; the authentication request message is used to trigger an authentication process for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal;
the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In a second aspect, an authentication method for a network slice is provided, applied to a first terminal, the method including:
receiving a first authentication message sent by a first network device; the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
sending the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
In a third aspect, an authentication method for a network slice is provided, applied to a second terminal, the method including:
receiving a first EAP message sent by a first terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use; the second terminal accesses a first network device through the first terminal.
In a fourth aspect, an authentication method for a network slice is provided, applied to a second terminal, the method including:
receiving a discovery message sent by a first terminal; the discovery message includes Home Public Land Mobile Network (HPLMN) identification information of the first terminal;
if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, accessing a first network device through the first terminal; the first network device refers to a network device that provides services for the first terminal.
In a fifth aspect, an authentication apparatus for a network slice is provided, applied to a first network device, the apparatus including:
a first sending unit, configured to, upon receiving an authentication request message, send a first authentication message to a first terminal; the authentication request message is used to trigger an authentication process for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal;
the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In a sixth aspect, an authentication apparatus for a network slice is provided, applied to a first terminal, the apparatus including:
a second receiving unit, configured to receive a first authentication message sent by a first network device; the first authentication message includes first indication information and a first EAP message; the first indication information is used to indicate that the first EAP message is for a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
a second sending unit, configured to send the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
In a seventh aspect, an authentication apparatus for a network slice is provided, applied to a second terminal, the apparatus including:
a third receiving unit, configured to receive a first Extensible Authentication Protocol (EAP) message sent by a first terminal; the first EAP message is used to verify the legitimacy of the second terminal's request to use a target network slice; the second terminal accesses a first network device through the first terminal.
In an eighth aspect, an authentication apparatus for a network slice is provided, applied to a second terminal, the apparatus including:
a third receiving unit, configured to receive a discovery message sent by a first terminal; the discovery message includes HPLMN identification information of the first terminal;
a network access unit, configured to access a first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal; the first network device refers to a network device that provides services for the first terminal.
In a ninth aspect, a network device is provided, the network device including: a memory, a transceiver, a processor and a bus system;
wherein the memory is used to store programs and instructions;
the transceiver is used to receive or send information under the control of the processor;
the processor is used to execute the program in the memory;
the bus system is used to connect the memory, the transceiver and the processor, so that the memory, the transceiver and the processor communicate;
the processor is used to call the program instructions in the memory to execute the authentication method for a network slice of the first aspect.
In a tenth aspect, a terminal is provided, the terminal including: a memory, a transceiver, a processor and a bus system;
wherein the memory is used to store programs and instructions;
the transceiver is used to receive or send information under the control of the processor;
the processor is used to execute the program in the memory;
the bus system is used to connect the memory, the transceiver and the processor, so that the memory, the transceiver and the processor communicate;
the processor is used to call the program instructions in the memory to execute the method of the second, third or fourth aspect.
In an eleventh aspect, a computer-readable storage medium is provided, on which a computer program is stored; the computer program, when executed by a processor, implements the steps of the method of the first aspect; or the computer program, when executed by a processor, implements the steps of the method of the second, third or fourth aspect.
In the authentication method for a network slice provided by the embodiments of the present application, the first network device can indicate to the first terminal, through the first indication information, that the first EAP message is for the second terminal. In this way, the first terminal can forward the first EAP message to the second terminal, realizing authentication of the target network slice requested by the second terminal, ensuring the security of the network slice, and solving the problem that existing network slice authentication schemes are incomplete.
FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a UE-to-Network relay architecture provided by an embodiment of the present application;
FIG. 3 is a first schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 4 is a second schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 5 is a third schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 6 is a fourth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 7 is a fifth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 8 is a sixth schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 9 is a seventh schematic flowchart of an authentication method for a network slice provided by an embodiment of the present application;
FIG. 10 is a first schematic structural diagram of an authentication apparatus for a network slice provided by an embodiment of the present application;
FIG. 11 is a second schematic structural diagram of an authentication apparatus for a network slice provided by an embodiment of the present application;
FIG. 12 is a third schematic structural diagram of an authentication apparatus for a network slice provided by an embodiment of the present application;
FIG. 13 is a schematic block diagram of a network device provided by an embodiment of the present application;
FIG. 14 is a schematic block diagram of a terminal provided by an embodiment of the present application.
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the accompanying drawings. The drawings are for reference and illustration only and are not intended to limit the embodiments of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings of this application are used to distinguish different objects, not to describe a particular order. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or may optionally include other steps or units inherent to the process, method, product or device.
FIG. 1 exemplarily shows a system architecture provided by this application. As shown in FIG. 1, the system architecture includes an Access and Mobility Management Function (AMF) network element, a Session Management Function (SMF) network element, a Policy Control Function (PCF) network element, an Authentication Server Function (AUSF) network element, a Unified Data Management (UDM) network element, an Application Function (AF) network element, a User Plane Function (UPF) network element and a Network Slice Selection Function (NSSF) network element. Further, the communication system architecture also includes Radio Access Network (RAN) equipment, a terminal (User Equipment, UE) and a Data Network (DN) network element.
The AMF network element is mainly used for the registration, mobility management and tracking area update procedures of terminals in the mobile network. The mobility management network element can receive Non-Access Stratum (NAS) messages, perform registration management, connection management, reachability management, tracking area list allocation and mobility management, and transparently route session management messages to the SMF network element.
The SMF network element is mainly used for session management in the mobile network, such as session creation, modification and release. Its specific functions include, for example, allocating Internet Protocol (IP) addresses to users and selecting the user plane network element that provides packet forwarding.
In addition, the PCF network element includes user subscription data management, policy control, charging policy control and Quality of Service (QoS) control. The AUSF network element is mainly used to provide Extensible Authentication Protocol (EAP) authentication server functions and to store keys, in order to authenticate and authorize users. The UDM network element is mainly used to store user data, such as subscription information and authentication/authorization information.
The UPF network element is mainly used for user-plane service processing, such as service routing, packet forwarding, anchoring, Quality of Service (QoS) mapping and enforcement, uplink classification and routing to the data network, downlink packet buffering and triggering of downlink data arrival notifications, and connection to external data networks. The NSSF network element is mainly used to select the network slice that serves the UE, to determine the Network Slice Selection Assistance Information (NSSAI) configured for the UE, and to determine the NSSAI allowed for the UE.
The RAN equipment is equipment that provides wireless communication functions for the UE. Access network equipment includes, but is not limited to: the next generation base station in 5G (gNodeB, gNB), the evolved Node B (eNB), the Radio Network Controller (RNC), the Node B (NB), the Base Station Controller (BSC), the Base Transceiver Station (BTS), home base stations, the Base Band Unit (BBU), the Transmitting and Receiving Point (TRP), the Transmitting Point (TP), mobile switching centres and so on.
The UE in the embodiments of this application is a device with wireless transceiver functions. It can be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water; or in the air (for example on aircraft, balloons and satellites). The UE may be a mobile phone, a tablet, a computer with wireless transceiver functions, a VR device, an AR device, a wireless device in autonomous driving, a wireless device in remote medicine, a device in a smart grid, a wireless device in transport safety, a wireless device in a smart city, and so on.
The DN network element is mainly used to provide services to users, such as operator services, Internet access services and third-party services.
It can be understood that the above network elements may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). The above network elements may be divided into one or more services, and services that exist independently of network functions may also appear.
Referring to FIG. 1, the UE may connect to the AMF network element through the N1 interface, and the RAN equipment connects to the AMF network element through the N2 interface. The UE connects to the RAN equipment through the Uu interface. N3 is the connection between the RAN equipment and the UPF network element. N4 is the connection interface between the SMF network element and the UPF network element, used to carry control signalling between them. N5 is the connection interface between the PCF network element and the AF network element, N6 is the connection interface between the UPF network element and the DN network element, N7 is the connection interface between the SMF network element and the PCF network element, N8 is the connection interface between the AMF network element and the UDM network element, N10 is the connection interface between the UDM network element and the SMF network element, N11 is the connection interface between the AMF network element and the SMF network element, N12 is the connection interface between the AUSF network element and the AMF network element, N15 is the connection interface between the AMF network element and the PCF network element, and N22 is the connection interface between the NSSF network element and the AMF network element.
As technology develops, future communication networks will inevitably connect a large number of terminals. These terminals belong to different domains and have different characteristics and requirements. The concept of network slicing was therefore introduced into the 5G architecture described above. Network slices can be designed and customized for different services, so as to dedicate and isolate network resources, meeting the requirements of different service scenarios while providing better service.
Specifically, when a terminal requests access to a network slice, it can provide the requested NSSAI (Requested NSSAI) to the core network. The core network makes an overall decision based on the terminal's subscription data, roaming agreements, local configuration and other information, and returns to the terminal the NSSAI allowed by the current network (Allowed NSSAI). After receiving the Allowed NSSAI, the terminal can establish a Packet Data Unit (PDU) session in one of the network slices provided in the Allowed NSSAI to transmit data.
In R16, a secondary authentication procedure for network slices was introduced. That is, when a terminal registers with the network, in addition to the primary authentication procedure based on the terminal's permanent identifier, the network may decide, based on the network slice requested by the terminal and the terminal's subscription data, whether NSSAA needs to be performed for the requested network slice. This procedure may simply be called the secondary authentication procedure for network slices, or the second authentication procedure for short.
In practice, when a network slice requested by a terminal requires NSSAA, the network triggers the NSSAA procedure. If authentication of the network slice succeeds, the network slice can be used by the terminal, and the Single Network Slice Selection Assistance Information (S-NSSAI) corresponding to the network slice is added to the Allowed NSSAI. If authentication of the network slice fails, the network slice cannot be used by the terminal, and the S-NSSAI corresponding to the network slice is added to the rejected NSSAI (Rejected NSSAI).
As communication technology continues to evolve, R17 introduced the UE-to-Network relay architecture 200. Referring to FIG. 2, the UE-to-Network relay architecture 200 may include an RM UE 21, an RL UE 22, a base station 23, a core network 24 and a public safety application server (AS) 25. The RL UE 22 can connect to the base station 23 through the Uu interface. Here, the Uu interface is the data transmission interface between a UE and the base station, mainly used for the base station's broadcast and paging, Radio Resource Control (RRC) connection handling, and the decision and execution of handover and power control. In addition, the RL UE 22 can communicate with the core network 24 through the N1 interface, while the base station 23 accesses the core network 24 through the N2 interface. Specifically, corresponding to FIG. 1, the RL UE 22 can communicate with the AMF network element in the core network 24 through the N1 interface to transmit NAS-layer data.
It can be understood that the RL UE 22 may be within the coverage of the base station 23, while the RM UE 21 may be outside the coverage of the base station 23. The RM UE 21 may not connect directly to the base station 23, but instead connects directly to the RL UE 22 through the PC5 interface and accesses the core network 24 through the RL UE 22. Here, the PC5 interface is the data transmission interface between UEs: neighbouring UEs can establish a direct link over the PC5 interface at short range and transmit data over that direct link. The base station can connect to the AS 25 through the SGi interface. The SGi interface is used to connect to the external Internet and transmit user-plane data.
The core network 24 can provide the RM UE 21 and the RL UE 22 with communication connectivity, authentication, management, communication and the bearing of data services. Corresponding to the network architecture shown in FIG. 1, the core network is divided into user-plane functions and control-plane functions. The user-plane functions are mainly responsible for packet forwarding, QoS control and so on. The control-plane functions are mainly responsible for user registration and authentication, mobility management, and delivering packet forwarding policies or QoS control policies to the UPF network element. The control-plane functions mainly include the AMF network element and the SMF network element.
In the architecture 200, the RM UE 21 can access the network through the RL UE 22 to transmit data. If the network slice requested by a terminal requires NSSAA, the existing NSSAA procedure can be used for the RL UE 22, but it is not clear how the RM UE 21 is to be authenticated for use of that network slice.
On this basis, the embodiments of this application provide a network slice authentication method that can solve the problem in the related art that network slice authentication schemes are incomplete.
FIG. 3 is a schematic flowchart of a network slice authentication method provided by an embodiment of this application. As shown in FIG. 3, the network slice authentication method provided by the embodiments of this application may include steps 301 to 304.
Step 301: when an authentication request message is received, the first network device sends a first authentication message to the first terminal.
The first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by the second terminal.
Step 302: the first terminal receives the first authentication message sent by the first network device.
Step 303: the first terminal sends the first EAP message to the second terminal.
Step 304: the second terminal receives the first EAP message.
The first network device may be the AMF network element in the core network, which performs network registration, mobility management, tracking area update, terminal paging and so on for the first terminal and the second terminal.
In some embodiments, the second terminal may access the first network device through the first terminal. That is, the first terminal may provide a relay service between the second terminal and the first network device, forwarding data between them. It can be understood that the first terminal is the RL UE 22 in the UE-to-Network relay architecture 200 shown in FIG. 2, and the second terminal may be the RM UE 21 in the UE-to-Network relay architecture 200.
In some embodiments, the second terminal may determine, based on its current service, that it needs to use a target network slice. If the target network slice requires slice-granular authentication and authorization, that is, the target network slice is one that requires NSSAA, the second terminal may trigger the authentication procedure for the target network slice.
Specifically, the second terminal may send an authentication request message. The authentication request message is used to trigger the authentication procedure for the second terminal that requests to use the target network slice. That is, through the authentication request message, the second terminal triggers the network side to authenticate the target network slice it requests to use.
In some embodiments, the second terminal may send the authentication request message to the first terminal so that the first terminal forwards it to the first network device, thereby triggering the network side to authenticate the target network slice.
Specifically, the second terminal may send the authentication request message to the first terminal over the PC5 interface. Correspondingly, the first terminal may send the authentication request message to the first network device over the N1 interface; alternatively, the first terminal may send the authentication request message to the base station over the Uu interface, and the base station then sends it to the first network device over the N2 interface.
In some embodiments, the second terminal may, via the application layer, notify a first Authentication Authorization Accounting Server (AAA-S) to authenticate the target network slice it needs to use. The first AAA-S is the home AAA-S of the second terminal. On this basis, the home AAA-S corresponding to the second terminal may send the authentication request message to the first network device to trigger the network side to authenticate the target network slice.
It should be noted that the system architecture shown in FIG. 1 may also include a Network Slice-Specific Authentication and Authorization Function (NSSAAF) network element. The first AAA-S may connect to the NSSAAF network element and send the authentication request message to the first network device through the NSSAAF network element.
Since the first AAA-S is a server provided by a third-party vendor, the network side may also use an Authentication Authorization Accounting Proxy (AAA-P) network element to verify whether the data transmitted by the first AAA-S is trustworthy. The AAA-P network element sits between the first AAA-S and the NSSAAF network element and checks the data sent by the first AAA-S. It can be understood that the first AAA-S may send the authentication request message to the AAA-P network element; if the AAA-P network element's check of the authentication request message passes, the AAA-P network element forwards the authentication request message through the NSSAAF to the first network device in the core network.
In some embodiments, to ensure the security of the target network slice, the target network slice may require periodic authentication. On this basis, the first AAA-S may proactively send the authentication request message to the first network device at periodic intervals to trigger the authentication procedure for the target network slice.
That is, the authentication request message received by the first network device may come from the first terminal or from the first AAA-S.
In the embodiments of this application, the authentication request message may include at least one of the following: identification information of the second terminal, the S-NSSAI corresponding to the target network slice, and Home Public Land Mobile Network (HPLMN) identification information of the second terminal.
Here, the identification information of the second terminal may be one of an International Mobile Subscriber Identity (IMSI), a Globally Unique Temporary UE Identity (GUTI) and a Generic Public Subscription Identifier (GPSI).
It should be noted that an IMSI also carries the HPLMN identification information of the second terminal, whereas a GUTI and a GPSI do not contain the HPLMN identification information of the second terminal. Therefore, when an IMSI is used, the authentication request message need not carry the second terminal's HPLMN identification information separately.
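As an added example (not part of the patent text), the following Python builds the authentication request message described above and applies the rule just stated: an IMSI already encodes the HPLMN (its MCC and MNC prefix), while a GUTI or GPSI does not, so for those the HPLMN must be supplied explicitly. The SST-SD string form of the S-NSSAI, the sample identifiers and the MNC-length parameter are assumptions of the example, not values from the application.

```python
"""Authentication request message construction: HPLMN derived from an IMSI, explicit otherwise."""
from dataclasses import dataclass
from typing import Optional

# Identifier types the application allows for the second terminal (RM UE).
ID_TYPES = ("IMSI", "GUTI", "GPSI")


@dataclass(frozen=True)
class AuthRequest:
    ue_id_type: str
    ue_id: str
    s_nssai: str    # target slice; "SST-SD" string form is a constructed convention for this example
    hplmn_id: str   # MCC+MNC of the RM UE's home PLMN


def hplmn_from_imsi(imsi: str, mnc_length: int) -> str:
    """An IMSI begins with a 3-digit MCC followed by a 2- or 3-digit MNC; together they name the HPLMN.

    The MNC length is not encoded in the IMSI itself; here it is assumed to come from configuration.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[: 3 + mnc_length]


def build_auth_request(ue_id_type: str, ue_id: str, s_nssai: str,
                       hplmn_id: Optional[str] = None, mnc_length: int = 2) -> AuthRequest:
    """Assemble the message an RM UE (or its home AAA-S) sends to trigger NSSAA for a slice."""
    if ue_id_type not in ID_TYPES:
        raise ValueError(f"unsupported identifier type {ue_id_type!r}")
    if ue_id_type == "IMSI":
        derived = hplmn_from_imsi(ue_id, mnc_length)
        # A separately supplied HPLMN that disagrees with the IMSI is a malformed request, not a hint.
        if hplmn_id is not None and hplmn_id != derived:
            raise ValueError("HPLMN field contradicts the HPLMN encoded in the IMSI")
        hplmn_id = derived
    elif hplmn_id is None:
        # GUTI and GPSI do not carry the home PLMN, so the request must carry it explicitly.
        raise ValueError(f"{ue_id_type} does not carry the HPLMN; hplmn_id is required")
    return AuthRequest(ue_id_type, ue_id, s_nssai, hplmn_id)


if __name__ == "__main__":
    # Constructed sample values: MCC 460 with a 2-digit MNC "00".
    print(build_auth_request("IMSI", "460001234567890", "01-000001"))
    print(build_auth_request("GUTI", "guti-sample", "01-000001", hplmn_id="46000"))
```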
It can be understood that the first network device may, based on the received authentication request message, start the procedure for authenticating the target network slice requested by the second terminal. Here, the authentication procedure started by the first network device may be an EAP Protected Extensible Authentication Protocol (EAP-PEAP) procedure, an EAP Message Digest 5 (EAP-MD5) procedure, or an EAP Transport Layer Security (EAP-TLS) procedure; the embodiments of this application do not limit this.
On this basis, after starting the authentication procedure for the target network slice requested by the second terminal, the first network device may send the first authentication message to the first terminal.
In some embodiments, the first authentication message may include first indication information and a first EAP message. The first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice; the first indication information may indicate that the first EAP message is to be used by the second terminal.
That is, the first indication information may indicate that the first EAP message is directed to the second terminal. After receiving the first authentication message, the first terminal can parse it to obtain the first indication information and the first EAP message. Further, based on the first indication information in the first authentication message, the first terminal can send the first EAP message to the second terminal.
In some embodiments, the first indication information may include the identification information of the second terminal and/or the S-NSSAI of the target network slice. That is, the first network device uses the identification information of the second terminal and/or the S-NSSAI of the target network slice to indicate that the first EAP message is directed to the second terminal. The identification information of the second terminal is the same as in the above embodiments and is not repeated here.
In some embodiments, the first EAP message may include authentication-related information for the second terminal that requests to use the target network slice. For example, the first EAP message may include the encryption algorithm, certificate information of the first AAA-S (including the name and public key of the first AAA-S), random encryption information, and so on.
In this way, after receiving the first EAP message, the second terminal can authenticate the target network slice based on the authentication-related information in the first EAP message.
It can thus be seen that in the network slice authentication method provided by the embodiments of this application, the first network device can use the first indication information to indicate to the first terminal that the first EAP message is directed to the second terminal. The first terminal can then forward the first EAP message to the second terminal, so that the target network slice requested by the second terminal is authenticated, the security of the network slice is ensured, and the problem that network slice authentication schemes in the prior art are incomplete is solved.
It should be noted that the target network slice in the embodiments of this application is a network slice that requires NSSAA. In practice, a network slice that requires NSSAA is usually deployed in the terminal's home network and bound to the terminal's HPLMN. That is, authentication of the target network slice needs to be performed through the NSSAAF network element of the second terminal's home network and/or the home AAA-S of the second terminal.
However, the second terminal communicates via relay through the first terminal, and the second terminal's data transmission uses the first terminal's resources. Therefore, to authenticate the target network slice that the second terminal requests to use, the second terminal and the first terminal must have the same HPLMN. On this basis, the second terminal can use the home NSSAAF and/or home AAA-S of the first terminal to authenticate the target network slice.
In some embodiments, referring to the flowchart shown in FIG. 4, steps 305 to 307 may also be performed before step 301.
Step 305: the first terminal sends a discovery message; the discovery message includes the HPLMN identification information of the first terminal.
Step 306: the second terminal receives the discovery message sent by the first terminal.
Step 307: if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, the second terminal accesses the first network device through the first terminal; the first network device is the network device currently serving the first terminal.
In some embodiments, when the first terminal wishes to initiate proximity communication, it may broadcast a discovery message. The discovery message may carry the HPLMN identification information of the first terminal, to inform surrounding terminals that it can provide a relay service.
In one example, the second terminal may be a terminal without network coverage, or a low-cost and/or low-bandwidth terminal that cannot access the network directly.
The second terminal is located near the first terminal and can receive the discovery message sent by the first terminal. Further, the second terminal can determine, based on its current service, the target network slice to use. If the target network slice requires NSSAA, the second terminal can use the first terminal's HPLMN identification information carried in the discovery message to determine whether the first terminal and itself have the same HPLMN.
In some embodiments, the second terminal may also initiate proximity communication proactively. Specifically, when the second terminal wishes to use the target network slice for data transmission, it may, before step 305, proactively broadcast a discovery request message to request that surrounding terminals provide a relay service. The discovery request message may include the HPLMN of the second terminal and/or the S-NSSAI of the requested target network slice.
Further, after receiving the discovery request message from the second terminal, the first terminal may, based on that discovery request message, return a discovery response message to the second terminal (that is, the discovery message in step 305). The discovery response message carries the HPLMN identification information of the first terminal. In this way, after receiving the discovery message sent by the first terminal, the second terminal can determine from it whether the first terminal and itself have the same HPLMN.
In the embodiments of this application, when the first terminal and the second terminal have the same HPLMN, the second terminal selects the first terminal, establishes a proximity communication connection with it, accesses the first network device through the first terminal, and has the requested target network slice authenticated.
The reason the second terminal selects a first terminal with the same HPLMN as itself to authenticate the target network slice is that a target network slice requiring NSSAA is bound to the second terminal's home operator; therefore, only when the HPLMN identification information of the first terminal and the second terminal is the same can the target network slice be authenticated and used.
In some embodiments, the discovery message may also carry the NSSAI supported by the first terminal, or the Relay Service Code (RSC) corresponding to each S-NSSAI in that NSSAI. Here, the NSSAI supported by the first terminal includes the S-NSSAI corresponding to the target network slice.
In this way, the second terminal can determine whether to use the first terminal as a relay terminal based on the NSSAI carried in the discovery message, or the RSC corresponding to each S-NSSAI in that NSSAI, together with the HPLMN identification information.
Specifically, when the discovery message carries the S-NSSAI requested by the second terminal or the RSC corresponding to that S-NSSAI, and the HPLMN identification information carried in the discovery message is the same as the HPLMN identification information of the second terminal, the second terminal establishes a proximity communication connection with the first terminal.
In some embodiments, the NSSAI supported by the first terminal may be at least one of the NSSAI subscribed by the first terminal, the first terminal's Subscribed NSSAI, and the NSSAI configured for the first terminal by the network (Configured NSSAI). That is, the NSSAI supported by the first terminal includes not only the S-NSSAIs in the first terminal's Allowed NSSAI but may also include S-NSSAIs in its Rejected NSSAI. This is because the network slice that another terminal relaying through the first terminal wishes to use is not necessarily in the Allowed NSSAI. Therefore, the first terminal can carry the S-NSSAIs of all the network slices it supports in the discovery message and broadcast them.
It should be noted that steps 301 to 304 may be performed while the first terminal and the second terminal are establishing proximity communication, or after they have established it.
In summary, in the network slice authentication method provided by the embodiments of this application, the first terminal can carry HPLMN identification information in the discovery message to establish proximity communication with a neighbouring second terminal, and then forward, on behalf of that second terminal, the authentication-related information for the target network slice, so that the target network slice is authenticated and slice security is ensured.
In some embodiments, referring to FIG. 5, the network slice authentication method provided by the embodiments of this application may further include steps 308 to 312.
Step 308: the second terminal sends a second EAP message to the first terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In some embodiments, after receiving the first EAP message in step 304, the second terminal may verify the first AAA-S based on the authentication-related information carried in the first EAP message. After successful verification, the second terminal may generate the second EAP message based on the first EAP message.
Here, the second EAP message may carry the authentication-related information of the second terminal, used to verify the legitimacy of the second terminal's use of the target network slice. For example, the second EAP message may include information encrypted with the public key, certificate information of the second terminal, and so on.
Further, the second terminal may send the second EAP message to the first terminal over the PC5 interface.
Step 309: the first terminal receives the second EAP message.
Here, the first terminal may receive the second EAP message over the PC5 interface.
Step 310: the first terminal sends a second authentication message to the first network device; the second authentication message includes second indication information and the second EAP message; the second indication information is used to indicate that the second EAP message is associated with the second terminal.
In the embodiments of this application, after receiving the second EAP message, the first terminal can determine that the second EAP message is for verifying the second terminal that requests the target network slice. On this basis, the first terminal can generate the second indication information and use it to indicate that the second EAP message is directed to the second terminal.
Here, the second indication information may include the identification information of the second terminal and/or the S-NSSAI of the target network slice. That is, the first terminal uses the identification information of the second terminal and/or the S-NSSAI of the target network slice to indicate that the second EAP message is associated with the second terminal, that is, that the second EAP message is directed to the second terminal.
In this way, the first terminal can generate the second authentication message from the second indication information and the second EAP message, and send the second authentication message to the first network device.
Step 311: the first network device receives the second authentication message.
Step 312: the first network device sends the second authentication message to the first AAA-S.
In the embodiments of this application, after receiving the second authentication message, the first network device sends it to the home AAA-S corresponding to the second terminal, that is, the first AAA-S, so that the first AAA-S authenticates the target network slice requested by the second terminal based on the second EAP message.
Specifically, the first AAA-S may verify the second terminal's permission to use the target network slice based on the second EAP message, obtain an authentication result, and return the authentication result to the first network device. The first network device can then send the authentication result to the first terminal so that the first terminal can carry out the subsequent relay service.
It should be noted that steps 301 to 304 and steps 308 to 312 may be performed multiple times. That is, the first EAP message and the second EAP message may be exchanged repeatedly between the first terminal, the second terminal, the first network device and the first AAA-S until verification succeeds or a cut-off count is reached.
It can be understood that in the network slice authentication method provided by the embodiments of this application, the first terminal is responsible for forwarding EAP messages between the first network device and the second terminal, and uses indication information to indicate that the EAP messages relate to the second terminal, so that the target network slice requested by the second terminal is authenticated and network slice security is ensured.
In some embodiments, referring to FIG. 6, steps 313 to 321 may also be performed before the first authentication message is sent to the first terminal in step 301.
Step 313: based on the authentication request message, the first network device sends an authentication command to the first terminal; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal.
It can be understood that after starting the authentication procedure for the target network slice used by the second terminal, the first network device may send the authentication command to the first terminal.
Here, the EAP Identity Request message in the authentication command may be used to request the user identity information of the second terminal, so that the identity of the second terminal can be authenticated based on that information.
In the embodiments of this application, the authentication command also needs to carry the third indication information. The third indication information may include the identification information of the second terminal and/or the S-NSSAI of the target network slice. That is, the first network device uses the identification information of the second terminal and/or the S-NSSAI of the target network slice to indicate that the EAP Identity Request message is associated with the second terminal, that is, that the EAP Identity Request message is directed to the second terminal.
In other words, through the third indication information, the first network device informs the first terminal that the EAP Identity Request message in the authentication command is to be sent to the second terminal.
Step 314: the first terminal receives the authentication command sent by the first network device.
Specifically, the first terminal may receive the authentication command at the NAS layer and parse it to obtain the third indication information and the EAP Identity Request message.
Step 315: the first terminal sends the EAP Identity Request message to the second terminal.
Here, based on the third indication information, the first terminal may send the EAP Identity Request message to the second terminal over the PC5 interface.
Step 316: the second terminal receives the EAP Identity Request message sent by the first terminal.
Step 317: the second terminal sends an EAP Identity Response message to the first terminal.
In the embodiments of this application, after receiving the EAP Identity Request message, the second terminal may pass it to its own EAP protocol layer, which processes the EAP Identity Request message and produces the EAP Identity Response message.
Here, the EAP Identity Response message carries the identity verification information of the second terminal, so that the network side can verify the identity of the second terminal for the target network slice it requests.
Specifically, after obtaining the EAP Identity Response message, the second terminal may send it to the first terminal over the PC5 interface.
Step 318: the first terminal receives the EAP Identity Response message sent by the second terminal.
Step 319: the first terminal sends an authentication command response message to the first network device; the authentication command response message includes fourth indication information and the EAP Identity Response message; the fourth indication information is used to indicate that the EAP Identity Response message is associated with the second terminal.
It can be understood that the first terminal may forward the EAP Identity Response message to the first network device. At the same time, the first terminal may send the fourth indication information, using it to indicate that the EAP Identity Response message is associated with the second terminal, that is, that the EAP Identity Response message is directed to the second terminal.
Step 320: the first network device receives the authentication command response message sent by the first terminal.
Step 321: the first network device sends the authentication command response message to the first AAA-S.
Here, after receiving the authentication command response message, the first network device forwards it to the first AAA-S, which verifies the user identity information of the second terminal, thereby authenticating the target network slice and ensuring slice security.
In some embodiments, referring to the flowchart shown in FIG. 7, after step 304, that is, after the first network device has sent the first authentication message to the first terminal, steps 322 to 326 may also be performed.
Step 322: the first network device receives an authentication result message sent by the first AAA-S; the authentication result message includes the authentication result for the target network slice requested by the second terminal.
Specifically, the first AAA-S authenticates the legitimacy of the second terminal's use of the target network slice and obtains an authentication result. The first AAA-S can then notify the first network device of the authentication result for the target network slice requested by the second terminal.
In the embodiments of this application, the authentication result message carries the authentication result for the target network slice and also carries the identification information of the second terminal and/or the S-NSSAI of the target network slice, to indicate that the authentication result concerns the target network slice requested by the second terminal.
Step 323: the first network device sends the authentication result message to the first terminal.
It can be understood that the first network device may send the authentication result message to the first terminal to notify it of the authentication result for the target network slice requested by the second terminal.
Step 324: the first terminal receives the authentication result message sent by the first network device.
Step 325: if the authentication result indicates that the target network slice requested by the second terminal was authenticated successfully, the first terminal relays data within the target network slice for the second terminal.
In the embodiments of this application, after receiving the authentication result message, the first terminal can determine whether the target network slice requested by the second terminal was authenticated successfully.
If authentication succeeded, the first terminal can determine that the network side has allowed the second terminal to use the target network slice. The first terminal can then relay service data within the target network slice for the second terminal.
If authentication failed, the first terminal determines that the network side does not allow the second terminal to use the target network slice. The first terminal then refuses to relay service data within the target network slice for the second terminal.
Optionally, the network slice authentication method provided by the embodiments of this application may further include the following step:
Step 326: the first terminal sends the authentication result for the target network slice to the second terminal.
Here, after obtaining the authentication result message, the first terminal may, based on the identification information of the second terminal in the authentication result message, send the authentication result for the target network slice requested by the second terminal to the second terminal.
In this way, after receiving the authentication result for the target network slice, the second terminal can carry out subsequent service processing based on it. For example, if authentication of the target network slice requested by the second terminal failed, the second terminal stops transmitting service data through that target network slice; if authentication of the target network slice requested by the second terminal succeeded, the second terminal transmits the data of the target network slice through the first terminal.
In an embodiment of this application, referring to the flowchart shown in FIG. 8, the network slice authentication method provided by the embodiments of this application may include the following steps:
Step 801: the second terminal receives a discovery message sent by the first terminal; the discovery message includes the HPLMN identification information of the first terminal.
Step 802: if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, the second terminal accesses the first network device through the first terminal; the first network device is the network device that serves the first terminal.
It can be understood that the second terminal is located near the first terminal and can receive the discovery message sent by the first terminal. Further, the second terminal can determine, based on its current service, the target network slice to use. If the target network slice requires NSSAA, the second terminal can use the first terminal's HPLMN identification information carried in the discovery message to determine whether the first terminal and itself have the same HPLMN.
In some embodiments, the second terminal may also initiate proximity communication proactively.
Specifically, before step 801, the second terminal may also perform the following step:
sending a discovery request message; the discovery request message is used to request that surrounding terminals provide a relay service. The discovery request message may include the HPLMN of the second terminal and/or the S-NSSAI of the requested target network slice.
It can be understood that when the second terminal wishes to use the target network slice, it may initiate proximity communication proactively and use the relay service provided by other terminals to transmit data through the target network slice.
Correspondingly, after receiving the discovery request message from the second terminal, the first terminal may, based on that discovery request message, return a discovery response message to the second terminal (that is, the discovery message in step 801); the discovery response message carries the HPLMN identification information of the first terminal. In this way, after receiving the discovery message sent by the first terminal, the second terminal can determine from it whether the first terminal and itself have the same HPLMN.
When the first terminal and the second terminal have the same HPLMN, the second terminal selects the first terminal and establishes a proximity communication connection with it. The second terminal can then access the first network device through the first terminal to trigger the network side to authenticate the target network slice requested by the second terminal.
In some embodiments, the discovery message may also carry the NSSAI supported by the first terminal, or the Relay Service Code (RSC) corresponding to each S-NSSAI in that NSSAI. Here, the NSSAI supported by the first terminal includes the S-NSSAI corresponding to the target network slice.
In this way, the second terminal can determine whether to use the first terminal as a relay terminal based on the NSSAI carried in the discovery message, or the RSC corresponding to each S-NSSAI in that NSSAI, together with the HPLMN identification information.
Specifically, when the discovery message carries the S-NSSAI requested by the second terminal or the RSC corresponding to that S-NSSAI, and the HPLMN identification information carried in the discovery message is the same as the HPLMN identification information of the second terminal, the second terminal establishes a proximity communication connection with the first terminal.
In some embodiments, the NSSAI supported by the first terminal may be at least one of the S-NSSAIs subscribed by the first terminal, the first terminal's Subscribed NSSAI, and the NSSAI configured for the first terminal by the network (Configured NSSAI). That is, the NSSAI supported by the first terminal includes not only the S-NSSAIs in the first terminal's Allowed NSSAI but may also include S-NSSAIs in its Rejected NSSAI. This is because the network slice that another terminal relaying through the first terminal wishes to use is not necessarily in the Allowed NSSAI. Therefore, the first terminal can carry the S-NSSAIs of all the network slices it supports in the discovery message and broadcast them.
In summary, in the network slice authentication method provided by the embodiments of this application, the first terminal can carry HPLMN identification information in the discovery message to establish proximity communication with a neighbouring second terminal, and then forward, on behalf of that second terminal, the authentication-related information for the target network slice, so that the target network slice is authenticated and slice security is ensured.
The network slice authentication method provided by the embodiments of this application is described in detail below in connection with a practical application scenario.
Referring to the flowchart shown in FIG. 9, the network slice authentication method provided by the embodiments of this application may include the following steps:
Step 1: the RL UE sends a discovery message.
Here, the RL UE is the first terminal in the above embodiments and can provide a relay service for other terminals.
In the embodiments of this application, the discovery message includes the HPLMN identification information of the first terminal, that is, the HPLMN ID. In addition, the discovery message may include the NSSAI supported by the RL UE, or the RSC corresponding to each S-NSSAI in that NSSAI.
In the embodiments of this application, the NSSAI supported by the RL UE, or the S-NSSAIs associated with the RSCs, may include all the S-NSSAIs in the NSSAI subscribed by the RL UE, in the RL UE's Subscribed NSSAI, and in the Configured NSSAI that the network configured for the RL UE. Optionally, the NSSAI supported by the RL UE, or the S-NSSAIs associated with the RSCs, may include S-NSSAIs in the Rejected NSSAI.
Optionally, the NSSAI supported by the RL UE, or the S-NSSAIs associated with the RSCs, may be the S-NSSAIs subscribed by the RL UE. That is, the number of S-NSSAIs in the NSSAI supported by the RL UE, or associated with the RSCs, is greater than or equal to the number in the Allowed NSSAI. This is because the network slice requested by a UE relaying through the RL UE is not necessarily in the Allowed NSSAI.
Step 2: after receiving the discovery message, the RM UE checks whether the RL UE has the same HPLMN as itself; if the RL UE and the RM UE have the same HPLMN, the RM UE selects that RL UE.
Here, the RM UE is the second terminal in the above embodiments.
In the embodiments of this application, the RM UE determines, based on its current service, that it will use the target network slice. When the network slice to be used requires NSSAA, the second terminal can receive the discovery message so as to access the network through another UE and have the target network slice authenticated.
Step 3: the RM UE establishes a proximity communication connection with the RL UE.
Specifically, the RM UE establishes a proximity communication connection with the RL UE based on the discovery message. In this way, the RM UE can access the network through the RL UE and communicate with the network side through the AMF network element corresponding to the RL UE.
It should be noted that the subsequent steps 4 to 10 may take place during connection establishment or after the connection has been established.
Step 4: the NSSAA procedure for the target network slice is triggered at the RL-AMF.
Here, the RL-AMF is the first network device in the above embodiments. The RL-AMF may be the AMF network element currently serving the RL UE.
In the embodiments of this application, the RL-AMF is triggered to perform the NSSAA procedure for the target network slice; the trigger may come from the RL UE or from the RM-AAA-S.
Here, the RM-AAA-S is the first AAA-S in the above embodiments and is deployed in the RM UE's home network.
In one possible implementation, step 4 may be implemented by step 4a.
Step 4a: the RM UE sends an authentication request message to the RL UE, and the RL UE forwards the authentication request message to the RL-AMF to trigger the RL-AMF to authenticate the target network slice used by the RM UE.
Here, the authentication request message includes the S-NSSAI of the requested target network slice, the HPLMN ID of the RM UE, and the identification information of the RM UE.
In another possible implementation, step 4 may be implemented by step 4b.
Step 4b: the RM-AAA-S sends an authentication request message to the RL-AMF to trigger the RL-AMF to authenticate the target network slice used by the RM UE.
Here, the RM UE may trigger the RM-AAA-S to perform NSSAA via the application layer.
Step 5: the RL-AMF sends an authentication command (NSSAA command) to the RL UE.
The authentication command includes the EAP Identity Request message (EAP ID request) that needs to be sent to the RM UE.
In addition, the authentication command also contains the S-NSSAI of the target network slice and the identification information of the RM UE, to indicate to the RL UE that the EAP Identity Request message is to be sent to the RM UE.
Step 6: the RL UE sends the received EAP Identity Request message (EAP ID request) and the S-NSSAI of the target network slice to the RM UE.
Specifically, after the NAS layer of the RL UE receives the authentication command (NSSAA command), it passes the EAP Identity Request message (EAP ID request) and the S-NSSAI of the target network slice to its own PC5 layer, which sends the EAP Identity Request message (EAP ID request) and the S-NSSAI of the target network slice to the RM UE over the PC5 interface.
Step 7: after receiving the EAP Identity Request message (EAP ID request) and the S-NSSAI of the target network slice, the RM UE generates an EAP Identity Response message and sends the EAP Identity Response message, together with the S-NSSAI of the target network slice, to the RL UE.
Specifically, after receiving the EAP Identity Request message, the RM UE passes it to its own EAP protocol layer, which processes it and produces the EAP Identity Response message.
Step 8: the RL UE sends an authentication command response message to the RL-AMF.
Here, the authentication command response message includes the EAP Identity Response message, the S-NSSAI of the target network slice, and the identification information of the RM UE. By carrying the identification information of the RM UE in the authentication command response message, the RL UE indicates that the EAP Identity Response message is directed to the RM UE.
Step 9: EAP messages are exchanged between the RL-AMF, the RM-AAA-S, the RL UE and the RM UE to authenticate the legitimacy of the RM UE's use of the target network slice, and the RM-AAA-S notifies the RL-AMF of the authentication result for the RM UE's use of the target network slice.
Here, the EAP messages carry information relating to the authentication of the RM UE, such as certificate information and key information. The EAP messages here include the first EAP message and/or the second EAP message of the above embodiments.
It should be noted that during authentication, the NSSAAF network element of the RM UE also takes part in the authentication procedure; this is not shown in FIG. 9.
In the embodiments of this application, the RL UE is responsible for forwarding EAP messages between the RL-AMF and the RM UE, and the signalling between the AMF and the RL UE must always include the RM UE ID, the RM HPLMN and the S-NSSAI, to indicate that the EAP message is directed to the RM UE.
Step 10: the RL-AMF sends an authentication result message to the RL UE.
Here, the authentication result message includes the authentication result for the target network slice, and also includes the identification information of the RM UE and the HPLMN identification information of the RM UE, to indicate that the authentication result for the target network slice concerns the RM UE.
Further, after receiving the authentication result message, the RL UE can determine whether the network side allows the RM UE to use the target network slice. If the network side allows the RM UE to use the target network slice, the RL UE can relay service data within the target network slice for the RM UE.
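The relay behaviour of steps 5 to 10 above (and of steps 308 to 326 in the earlier embodiments) as an added Python model, not code from the application: the RL UE delivers each network-originated EAP payload to the RM UE named by the indication information, tags the RM UE's answer with the same indication on the way back, refuses an EAP answer for which no request is outstanding, and relays slice traffic only after a SUCCESS result for exactly that RM UE and S-NSSAI. The message kind names, the Python classes and the sample EAP payloads are constructed for the example.

```python
"""RL UE relay logic for the NSSAA of a remote UE (RM UE), modelled on steps 5-10 and 308-326."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# NAS-leg message kinds (RL-AMF <-> RL UE). The names are constructed for this example.
NSSAA_COMMAND = "NSSAA_COMMAND"                    # EAP ID request + indication (step 5)
NSSAA_COMMAND_RESPONSE = "NSSAA_COMMAND_RESPONSE"  # EAP ID response + indication (step 8)
AUTH_MESSAGE = "AUTH_MESSAGE"                      # first / second authentication message (steps 301, 310)
AUTH_RESULT = "AUTH_RESULT"                        # authentication result message (step 10)

# NAS kind the relay must use when returning the RM UE's answer to each network-originated kind.
RESPONSE_KIND = {NSSAA_COMMAND: NSSAA_COMMAND_RESPONSE, AUTH_MESSAGE: AUTH_MESSAGE}


@dataclass(frozen=True)
class NasMessage:
    """Message between RL-AMF and RL UE; rm_ue_id and s_nssai are the indication information."""
    kind: str
    rm_ue_id: str
    s_nssai: str
    eap: bytes = b""               # EAP payload, opaque to the relay
    result: Optional[str] = None   # "SUCCESS" or "FAILURE" when kind == AUTH_RESULT


@dataclass(frozen=True)
class Pc5Message:
    """Message between RL UE and RM UE; the S-NSSAI travels with every EAP payload (steps 6, 7)."""
    s_nssai: str
    eap: bytes = b""
    result: Optional[str] = None


class RelayUe:
    def __init__(self) -> None:
        self.pc5_peers: Set[str] = set()                    # RM UEs with an established PC5 link
        self.pending: Dict[Tuple[str, str], str] = {}       # (rm_ue_id, s_nssai) -> kind that opened it
        self.authorized: Set[Tuple[str, str]] = set()       # (rm_ue_id, s_nssai) pairs with SUCCESS
        self.pc5_outbox: List[Tuple[str, Pc5Message]] = []  # what the relay sent over PC5

    def connect_pc5(self, rm_ue_id: str) -> None:
        self.pc5_peers.add(rm_ue_id)

    def on_nas(self, msg: NasMessage) -> None:
        """Steps 5-6 / 301-303 / 323-326: deliver a network-originated message to the indicated RM UE."""
        if msg.rm_ue_id not in self.pc5_peers:
            raise LookupError(f"indication names {msg.rm_ue_id}, which has no PC5 link to this relay")
        key = (msg.rm_ue_id, msg.s_nssai)
        if msg.kind in RESPONSE_KIND:
            # Each network request opens exactly one exchange; further rounds simply re-open it.
            self.pending[key] = msg.kind
            self.pc5_outbox.append((msg.rm_ue_id, Pc5Message(msg.s_nssai, msg.eap)))
        elif msg.kind == AUTH_RESULT:
            self.pending.pop(key, None)
            if msg.result == "SUCCESS":
                self.authorized.add(key)       # step 325: relaying of this slice is now allowed
            else:
                self.authorized.discard(key)   # failure: refuse to relay this slice
            self.pc5_outbox.append((msg.rm_ue_id, Pc5Message(msg.s_nssai, result=msg.result)))
        else:
            raise ValueError(f"unexpected NAS message kind {msg.kind}")

    def on_pc5(self, rm_ue_id: str, msg: Pc5Message) -> NasMessage:
        """Steps 7-8 / 308-310: wrap the RM UE's EAP answer with indication information for the RL-AMF."""
        opened_by = self.pending.pop((rm_ue_id, msg.s_nssai), None)
        if opened_by is None:
            # No network-originated request is outstanding for this UE/slice pair; do not forward it.
            raise PermissionError(f"unsolicited EAP response from {rm_ue_id} for {msg.s_nssai}")
        return NasMessage(RESPONSE_KIND[opened_by], rm_ue_id, msg.s_nssai, msg.eap)

    def may_relay_user_data(self, rm_ue_id: str, s_nssai: str) -> bool:
        """Step 325 / step 10: relay slice traffic only after SUCCESS for exactly this UE and slice."""
        return (rm_ue_id, s_nssai) in self.authorized


if __name__ == "__main__":
    # Constructed run-through of steps 5-10 for one RM UE and one slice.
    relay = RelayUe()
    relay.connect_pc5("RM-1")
    relay.on_nas(NasMessage(NSSAA_COMMAND, "RM-1", "01-000001", b"EAP-Request/Identity"))
    print(relay.on_pc5("RM-1", Pc5Message("01-000001", b"EAP-Response/Identity")).kind)
    relay.on_nas(NasMessage(AUTH_RESULT, "RM-1", "01-000001", result="SUCCESS"))
    print(relay.may_relay_user_data("RM-1", "01-000001"))  # True
```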
An embodiment of this application provides a network slice authentication apparatus that can be applied to the first network device provided in the above embodiments. As shown in FIG. 10, the network slice authentication apparatus 100 provided by the embodiments of this application may include:
a first sending unit 1001, configured to send a first authentication message to a first terminal when an authentication request message is received; the authentication request message is used to trigger an authentication procedure for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal;
the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the first terminal and the second terminal have the same HPLMN.
In some embodiments, the authentication request message comes from the first terminal or from a first AAA-S; the first AAA-S is the home AAA-S of the second terminal.
In some embodiments, the authentication request message includes at least one of the following: the identification information of the second terminal, the single network slice selection assistance information corresponding to the target network slice, and the HPLMN identification information of the second terminal.
In some embodiments, the network slice authentication apparatus 100 may further include a first receiving unit.
The first receiving unit is configured to receive a second authentication message sent by the first terminal;
the first sending unit 1001 is further configured to send the second authentication message to a first AAA-S;
where the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the first sending unit 1001 is further configured to send an authentication command to the first terminal based on the authentication request message; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal;
the first receiving unit is further configured to receive an authentication command response message sent by the first terminal; the authentication command response message includes fourth indication information and an EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
In some embodiments, the first receiving unit is further configured to receive an authentication result message sent by a first AAA-S; the authentication result message includes the authentication result for the target network slice requested by the second terminal;
the first sending unit 1001 is configured to send the authentication result message to the first terminal.
An embodiment of this application further provides a network slice authentication apparatus that can be applied to the first terminal provided in the above embodiments. As shown in FIG. 11, the network slice authentication apparatus 110 provided by the embodiments of this application may include:
a second receiving unit 1101, configured to receive a first authentication message sent by a first network device; the first authentication message includes first indication information and a first EAP message; the first indication information indicates that the first EAP message is to be used by a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
a second sending unit 1102, configured to send the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
In some embodiments, the first terminal and the second terminal have the same HPLMN.
In some embodiments, the second sending unit 1102 is configured to send an authentication request message to the first network device; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
In some embodiments, the authentication request message includes at least one of the following: the identification information of the second terminal, the single network slice selection assistance information corresponding to the target network slice, and the HPLMN identification information of the second terminal.
In some embodiments, the second receiving unit 1101 is configured to receive a second EAP message sent by the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice;
the second sending unit 1102 is configured to send a second authentication message to the first network device;
where the second authentication message includes second indication information and the second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal.
In some embodiments, the second receiving unit 1101 is configured to receive an authentication command sent by the first network device; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal;
the second sending unit 1102 is configured to send the EAP Identity Request message to the second terminal.
In some embodiments, the second receiving unit 1101 is configured to receive an EAP Identity Response message sent by the second terminal;
the second sending unit 1102 is further configured to send an authentication command response message to the first network device; the authentication command response message includes fourth indication information and the EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
In some embodiments, the second receiving unit 1101 is further configured to receive an authentication result message sent by the first network device; the authentication result message includes the authentication result for the target network slice requested by the second terminal.
Here, the network slice authentication apparatus 110 may further include a processing unit, which may be configured to relay data within the target network slice for the second terminal if the authentication result indicates that the target network slice requested by the second terminal was authenticated successfully.
In some embodiments, the second sending unit 1102 is further configured to send a discovery message; the discovery message includes the HPLMN identification information of the first terminal.
An embodiment of this application further provides a network slice authentication apparatus that can be applied to the second terminal provided in the above embodiments. As shown in FIG. 12, the network slice authentication apparatus 120 provided by the embodiments of this application may include:
a third receiving unit 1201, configured to receive a first EAP message sent by a first terminal; the first EAP message is used to verify the legitimacy of the second terminal's request to use a target network slice; the second terminal accesses a first network device through the first terminal.
In some embodiments, the first terminal and the second terminal have the same HPLMN.
In some embodiments, the network slice authentication apparatus 120 may further include a third sending unit; the third sending unit is configured to send an authentication request message; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
In some embodiments, the third sending unit is configured to send the authentication request message to the first terminal over the PC5 interface; or to send an authentication request message to a first AAA-S via the application layer; the first AAA-S is the home AAA-S of the second terminal.
In some embodiments, the authentication request message includes at least one of the following: the identification information of the second terminal, the single network slice selection assistance information corresponding to the target network slice, and the HPLMN identification information of the second terminal.
In some embodiments, the third sending unit is further configured to send a second EAP message to the first terminal; the second EAP message is used to authenticate the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the third receiving unit 1201 is configured to receive an EAP Identity Request message sent by the first terminal;
the third sending unit is further configured to send an EAP Identity Response message to the first terminal.
In some embodiments, the third receiving unit 1201 is further configured to receive a discovery message sent by the first terminal; the discovery message includes the HPLMN identification information of the first terminal.
Here, referring to FIG. 12, the network slice authentication apparatus 120 provided by the embodiments of this application may further include a network access unit 1202, configured to access the first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal.
Based on the above embodiments, an embodiment of this application further provides a network slice authentication apparatus that can be applied to the second terminal provided in the above embodiments. As shown in FIG. 12, the network slice authentication apparatus 120 provided by the embodiments of this application may include:
a third receiving unit 1201, configured to receive a discovery message sent by a first terminal; the discovery message includes the HPLMN identification information of the first terminal;
a network access unit 1202, configured to access a first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal; the first network device is the network device that serves the first terminal.
It should be noted that the functional units in the above embodiments may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and is not sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this embodiment in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform all or part of the steps of the method of this embodiment. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Based on the foregoing embodiments, an embodiment of this application further provides a network device. As shown in FIG. 13, the network device provided by the embodiments of this application may include a memory 1301, a transceiver 1302, a processor 1303 and a bus system 1304.
Where:
the memory 1301 is used to store programs and instructions;
the transceiver 1302 is used to receive or send information under the control of the processor 1303;
the processor 1303 is used to execute the program in the memory 1301;
the bus system 1304 is used to connect the memory 1301, the transceiver 1302 and the processor 1303, so that the memory 1301, the transceiver 1302 and the processor 1303 can communicate;
the processor 1303 is used to call the program instructions in the memory 1301 and control the transceiver 1302 to perform the following steps:
when an authentication request message is received, sending a first authentication message to a first terminal; the authentication request message is used to trigger an authentication procedure for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal;
the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the processor 1303 may further be used to call the program instructions in the memory 1301 and control the transceiver 1302 to perform the following steps:
receiving a second authentication message sent by the first terminal; and
sending the second authentication message to a first AAA-S;
where the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the processor 1303 may further be used to call the program instructions in the memory 1301 and control the transceiver 1302 to perform the following steps:
based on the authentication request message, sending an authentication command to the first terminal; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal;
receiving an authentication command response message sent by the first terminal; the authentication command response message includes fourth indication information and an EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
In some embodiments, the processor 1303 may further be used to call the program instructions in the memory 1301 and control the transceiver 1302 to perform the following steps:
receiving an authentication result message sent by a first AAA-S; the authentication result message includes the authentication result for the target network slice requested by the second terminal;
sending the authentication result message to the first terminal.
An embodiment of this application further provides a terminal. As shown in FIG. 14, the terminal provided by the embodiments of this application may include a memory 1401, a transceiver 1402, a processor 1403 and a bus system 1404.
Where:
the memory 1401 is used to store programs and instructions;
the transceiver 1402 is used to receive or send information under the control of the processor 1403;
the processor 1403 is used to execute the program in the memory 1401;
the bus system 1404 is used to connect the memory 1401, the transceiver 1402 and the processor 1403, so that the memory 1401, the transceiver 1402 and the processor 1403 can communicate;
the processor 1403 is used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving a first authentication message sent by a first network device; the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use;
sending the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
sending an authentication request message to the first network device; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving a second EAP message sent by the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice;
sending a second authentication message to the first network device;
where the second authentication message includes second indication information and the second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving an authentication command sent by the first network device; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal;
sending the EAP Identity Request message to the second terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving an EAP Identity Response message sent by the second terminal;
sending an authentication command response message to the first network device; the authentication command response message includes fourth indication information and the EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving an authentication result message sent by the first network device; the authentication result message includes the authentication result for the target network slice requested by the second terminal;
if the authentication result indicates that the target network slice requested by the second terminal was authenticated successfully, relaying data within the target network slice for the second terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
sending a discovery message; the discovery message includes the HPLMN identification information of the first terminal.
In an embodiment of this application, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
receiving a first Extensible Authentication Protocol (EAP) message sent by a first terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use; the second terminal accesses a first network device through the first terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
sending an authentication request message; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
sending the authentication request message to the first terminal over the PC5 interface; or
sending an authentication request message to a first Authentication Authorization Accounting Server (AAA-S) via the application layer; the first AAA-S is the home AAA-S of the second terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
sending a second EAP message to the first terminal; the second EAP message is used to authenticate the legitimacy of the second terminal's use of the target network slice.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following steps:
receiving an EAP Identity Request message sent by the first terminal;
sending an EAP Identity Response message to the first terminal.
In some embodiments, the processor 1403 is further used to call the program instructions in the memory 1401 and control the transceiver 1402 to perform the following step:
receiving a discovery message sent by the first terminal; the discovery message includes the HPLMN identification information of the first terminal;
correspondingly, the processor 1403 is further used to call the program instructions in the memory 1401 to perform the following step:
if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, accessing the first network device through the first terminal.
In the embodiments provided by this application, the processor may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU) and a controller. It can be understood that for different devices, the electronic component used to implement the processor function may be something else; the embodiments of this application do not specifically limit this.
In practice, the memory may be volatile memory, such as RAM; or non-volatile memory, such as ROM, flash memory, a Hard Disk Drive (HDD) or a Solid-State Drive (SSD); or a combination of the above types of memory, and it provides instructions and data to the processor.
An embodiment of this application also provides a computer storage medium, specifically a computer-readable storage medium, on which computer instructions are stored. When the computer storage medium is located in a network device or a terminal, the computer instructions, when executed by a processor, implement any step of the network slice authentication method in the embodiments of this application.
The computer storage medium/memory may be a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); it may also be any terminal that includes one or any combination of the above memories, such as a mobile phone, a computer, a tablet device or a personal digital assistant.
It should be understood that references throughout the specification to "one embodiment", "an embodiment", "an embodiment of this application", "the foregoing embodiments" or "some embodiments" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of this application. Therefore, the appearances of "in one embodiment", "in an embodiment", "an embodiment of this application", "the foregoing embodiments" or "some embodiments" in various places throughout the specification do not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that in the various embodiments of this application, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application. The sequence numbers of the above embodiments of this application are for description only and do not represent the merits of the embodiments.
Unless otherwise specified, any step in the embodiments of this application performed by the detection device may be performed by the processor of the detection device. Unless otherwise specified, the embodiments of this application do not limit the order in which the detection device performs the following steps. In addition, the way data is processed in different embodiments may be the same method or different methods. It should also be noted that any step in the embodiments of this application may be performed by the detection device independently; that is, when the detection device performs any step in the above embodiments, it need not depend on the execution of other steps.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division of units is only a division by logical function, and other divisions are possible in actual implementation, for example: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units; some or all of the units may be selected as needed to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may all be integrated into one processing unit, or each unit may be a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
The methods disclosed in the several method embodiments provided in this application may be combined arbitrarily, where there is no conflict, to obtain new method embodiments.
The features disclosed in the several product embodiments provided in this application may be combined arbitrarily, where there is no conflict, to obtain new product embodiments.
The features disclosed in the several method or device embodiments provided in this application may be combined arbitrarily, where there is no conflict, to obtain new method or device embodiments.
A person of ordinary skill in the art can understand that all or part of the steps for implementing the above method embodiments may be completed by program instructions and related hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The aforementioned storage medium includes: a removable storage device, a Read Only Memory (ROM), a magnetic disk, an optical disc, or any other medium that can store program code.
Alternatively, if the above integrated units of this application are implemented in the form of software functional modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of this application in essence, or the part that contributes to the related art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a detection device, a network device, etc.) to perform all or part of the methods described in the embodiments of this application. The aforementioned storage medium includes: a removable storage device, a ROM, a magnetic disk, an optical disc, or any other medium that can store program code.
In the embodiments of this application, the descriptions of the same steps and the same content in different embodiments may be referred to mutually. In the embodiments of this application, the term "and" does not affect the order of steps.
The above are only embodiments of this application, but the scope of protection of this application is not limited to them. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application, and these should all be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.
Claims (32)
1. A network slice authentication method, applied to a first network device, the method comprising: when an authentication request message is received, sending a first authentication message to a first terminal; the authentication request message is used to trigger an authentication procedure for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal; the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
2. The method according to claim 1, wherein the first terminal and the second terminal have the same Home Public Land Mobile Network (HPLMN).
3. The method according to claim 1 or 2, wherein the authentication request message comes from the first terminal or from a first Authentication Authorization Accounting Server; the first Authentication Authorization Accounting Server is the Authentication Authorization Accounting Server corresponding to the home network of the second terminal.
4. The method according to any one of claims 1 to 3, wherein the authentication request message includes at least one of the following: identification information of the second terminal, Single Network Slice Selection Assistance Information corresponding to the target network slice, and HPLMN identification information of the second terminal.
5. The method according to any one of claims 1 to 4, further comprising: receiving a second authentication message sent by the first terminal; and sending the second authentication message to a first Authentication Authorization Accounting Server; wherein the second authentication message includes second indication information and a second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
6. The method according to any one of claims 1 to 5, wherein, before sending the first authentication message to the first terminal, the method further comprises: based on the authentication request message, sending an authentication command to the first terminal; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal; receiving an authentication command response message sent by the first terminal; the authentication command response message includes fourth indication information and an EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
7. The method according to any one of claims 1 to 6, wherein, after sending the first authentication message to the first terminal, the method further comprises: receiving an authentication result message sent by a first Authentication Authorization Accounting Server; the authentication result message includes the authentication result for the target network slice requested by the second terminal; sending the authentication result message to the first terminal.
8. A network slice authentication method, applied to a first terminal, the method comprising: receiving a first authentication message sent by a first network device; the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use; sending the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
9. The method according to claim 8, wherein the first terminal and the second terminal have the same Home Public Land Mobile Network (HPLMN).
10. The method according to claim 8 or 9, wherein, before receiving the first authentication message sent by the first network device, the method further comprises: sending an authentication request message to the first network device; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
11. The method according to claim 10, wherein the authentication request message includes at least one of the following: identification information of the second terminal, Single Network Slice Selection Assistance Information corresponding to the target network slice, and HPLMN identification information of the second terminal.
12. The method according to any one of claims 8 to 11, further comprising: receiving a second EAP message sent by the second terminal; the second EAP message is used to verify the legitimacy of the second terminal's use of the target network slice; sending a second authentication message to the first network device; wherein the second authentication message includes second indication information and the second EAP message; the second indication information indicates that the second EAP message is associated with the second terminal.
13. The method according to any one of claims 8 to 12, wherein, before receiving the first authentication message sent by the first network device, the method further comprises: receiving an authentication command sent by the first network device; the authentication command includes an EAP Identity Request message and third indication information; the third indication information indicates that the EAP Identity Request message is to be used by the second terminal; sending the EAP Identity Request message to the second terminal.
14. The method according to claim 13, wherein, after sending the EAP Identity Request message to the second terminal, the method further comprises: receiving an EAP Identity Response message sent by the second terminal; sending an authentication command response message to the first network device; the authentication command response message includes fourth indication information and the EAP Identity Response message; the fourth indication information indicates that the EAP Identity Response message is associated with the second terminal.
15. The method according to any one of claims 8 to 14, wherein, after sending the first EAP message to the second terminal, the method further comprises: receiving an authentication result message sent by the first network device; the authentication result message includes the authentication result for the target network slice requested by the second terminal; if the authentication result indicates that the target network slice requested by the second terminal was authenticated successfully, relaying data within the target network slice for the second terminal.
16. The method according to any one of claims 8 to 15, wherein, before receiving the first authentication message sent by the first network device, the method further comprises: sending a discovery message; the discovery message includes HPLMN identification information of the first terminal.
17. A network slice authentication method, applied to a second terminal, the method comprising: receiving a first Extensible Authentication Protocol (EAP) message sent by a first terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use; the second terminal accesses a first network device through the first terminal.
18. The method according to claim 17, wherein the first terminal and the second terminal have the same Home Public Land Mobile Network (HPLMN).
19. The method according to claim 17 or 18, wherein, before receiving the first EAP message sent by the first terminal, the method further comprises: sending an authentication request message; the authentication request message is used to trigger an authentication procedure for the second terminal that requests to use the target network slice.
20. The method according to claim 19, wherein sending the authentication request message comprises: sending the authentication request message to the first terminal through a PC5 interface; or sending an authentication request message to a first Authentication Authorization Accounting Server through the application layer; the first Authentication Authorization Accounting Server is the Authentication Authorization Accounting Server corresponding to the home network of the second terminal.
21. The method according to claim 19 or 20, wherein the authentication request message includes at least one of the following: identification information of the second terminal, Single Network Slice Selection Assistance Information corresponding to the target network slice, and HPLMN identification information of the second terminal.
22. The method according to any one of claims 17 to 21, further comprising: sending a second EAP message to the first terminal; the second EAP message is used to authenticate the legitimacy of the second terminal's use of the target network slice.
23. The method according to any one of claims 17 to 22, wherein, before receiving the first EAP message sent by the first terminal, the method further comprises: receiving an EAP Identity Request message sent by the first terminal; sending an EAP Identity Response message to the first terminal.
24. The method according to any one of claims 17 to 23, wherein, before receiving the first EAP message sent by the first terminal, the method further comprises: receiving a discovery message sent by the first terminal; the discovery message includes HPLMN identification information of the first terminal; if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, accessing the first network device through the first terminal.
25. A network slice authentication method, applied to a second terminal, the method comprising: receiving a discovery message sent by a first terminal; the discovery message includes Home Public Land Mobile Network (HPLMN) identification information of the first terminal; if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal, accessing a first network device through the first terminal; the first network device is the network device that serves the first terminal.
26. A network slice authentication apparatus, applied to a first network device, the apparatus comprising: a first sending unit, configured to send a first authentication message to a first terminal when an authentication request message is received; the authentication request message is used to trigger an authentication procedure for a second terminal that requests to use a target network slice; the second terminal accesses the first network device through the first terminal; the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information indicates that the first EAP message is to be used by the second terminal; the first EAP message is used to verify the legitimacy of the second terminal's use of the target network slice.
27. A network slice authentication apparatus, applied to a first terminal, the apparatus comprising: a second receiving unit, configured to receive a first authentication message sent by a first network device; the first authentication message includes first indication information and a first Extensible Authentication Protocol (EAP) message; the first indication information is used to indicate that the first EAP message is directed to a second terminal; the first EAP message is used to verify the legitimacy of the target network slice that the second terminal requests to use; a second sending unit, configured to send the first EAP message to the second terminal; the second terminal accesses the first network device through the first terminal.
28. A network slice authentication apparatus, applied to a second terminal, the apparatus comprising: a third receiving unit, configured to receive a first Extensible Authentication Protocol (EAP) message sent by a first terminal; the first EAP message is used to verify the legitimacy of the second terminal's request to use a target network slice; the second terminal accesses a first network device through the first terminal.
29. A network slice authentication apparatus, applied to a second terminal, the apparatus comprising: a third receiving unit, configured to receive a discovery message sent by a first terminal; the discovery message includes HPLMN identification information of the first terminal; a network access unit, configured to access a first network device through the first terminal if the HPLMN identification information of the first terminal is the same as the HPLMN identification information of the second terminal; the first network device is the network device that serves the first terminal.
30. A network device, the network device comprising: a memory, a transceiver, a processor and a bus system; wherein the memory is used to store programs and instructions; the transceiver is used to receive or send information under the control of the processor; the processor is used to execute the program in the memory; the bus system is used to connect the memory, the transceiver and the processor so that the memory, the transceiver and the processor can communicate; the processor is used to call the program instructions in the memory to perform the method according to any one of claims 1 to 7.
31. A terminal, the terminal comprising: a memory, a transceiver, a processor and a bus system; wherein the memory is used to store programs and instructions; the transceiver is used to receive or send information under the control of the processor; the processor is used to execute the program in the memory; the bus system is used to connect the memory, the transceiver and the processor so that the memory, the transceiver and the processor can communicate; the processor is used to call the program instructions in the memory to perform the method according to any one of claims 8 to 16 or 17 to 25.
32. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7; or the computer program, when executed by a processor, implements the steps of the method according to any one of claims 8 to 25.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202180096897.0A CN117158012A (zh) | 2021-04-16 | 2021-04-16 | Network slice authentication method and apparatus, device and storage medium |
PCT/CN2021/087685 WO2022217571A1 (zh) | 2021-04-16 | 2021-04-16 | Network slice authentication method and apparatus, device and storage medium |
EP21936450.2A EP4325916A4 (en) | 2021-04-16 | 2021-04-16 | Authentication method and apparatus for network slice, and device and storage medium |
US18/378,830 US20240056807A1 (en) | 2021-04-16 | 2023-10-11 | Network equipment and user equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022217571A1 (zh) | 2022-10-20 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109417687A (zh) | 2016-07-01 | 2019-03-01 | Gemalto M2M GmbH | Method for remote provisioning of user equipment in a cellular network |
CN109699031A (zh) | 2018-01-11 | 2019-04-30 | Huawei Technologies Co., Ltd. | Verification method and apparatus using a shared key, a public key and a private key |
WO2020035732A1 (en) | 2018-08-13 | 2020-02-20 | Lenovo (Singapore) Pte. Ltd. | Network slice authentication |
CN112512096A (zh) | 2017-05-09 | 2021-03-16 | Huawei Technologies Co., Ltd. | Slice-based communication method and device |
- 2021
  - 2021-04-16 EP EP21936450.2A patent/EP4325916A4/en active Pending
  - 2021-04-16 WO PCT/CN2021/087685 patent/WO2022217571A1/zh active Application Filing
  - 2021-04-16 CN CN202180096897.0A patent/CN117158012A/zh active Pending
- 2023
  - 2023-10-11 US US18/378,830 patent/US20240056807A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109417687A (zh) * | 2016-07-01 | 2019-03-01 | Gemalto M2M GmbH | Method for remote provisioning of user equipment in a cellular network |
CN112512096A (zh) * | 2017-05-09 | 2021-03-16 | Huawei Technologies Co., Ltd. | Slice-based communication method and device |
CN109699031A (zh) * | 2018-01-11 | 2019-04-30 | Huawei Technologies Co., Ltd. | Verification method and apparatus using a shared key, a public key and a private key |
WO2020035732A1 (en) * | 2018-08-13 | 2020-02-20 | Lenovo (Singapore) Pte. Ltd. | Network slice authentication |
Non-Patent Citations (2)
Title |
---|
CHINA MOBILE, OPPO, HUAWEI, HISILCON: "Remote provisioning of credentials for NSSAA or secondary authentication/authorisation", 3GPP DRAFT; S2-2102263, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. E-Meeting; 20210412 - 20210416, 6 April 2021 (2021-04-06), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051993647 * |
See also references of EP4325916A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN117158012A (zh) | 2023-12-01 |
US20240056807A1 (en) | 2024-02-15 |
EP4325916A1 (en) | 2024-02-21 |
EP4325916A4 (en) | 2024-05-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10743279B2 (en) | | Network registration and network slice selection system and method |
US12082102B2 (en) | | Multimedia priority service for wireless devices |
US20220369215A1 (en) | | Relay selection in cellular sliced networks |
US11533610B2 (en) | | Key generation method and related apparatus |
WO2020224622A1 (zh) | | Information configuration method and apparatus |
US20210385283A1 (en) | | Multimedia Priority Service |
WO2021136211A1 (zh) | | Method and apparatus for determining an authorization result |
EP3860176B1 (en) | | Method, apparatus, and system for obtaining capability information of terminal |
WO2021203891A1 (zh) | | Method, apparatus, device and storage medium for controlling network slice authentication |
US20230024999A1 (en) | | Communication system, method, and apparatus |
CN116723507B (zh) | | Terminal security method and apparatus for an edge network |
US20240129794A1 (en) | | Network Congestion Control |
US20240129793A1 (en) | | Network Overload Control |
WO2023087965A1 (zh) | | Communication method and apparatus |
US20230337002A1 (en) | | Security context generation method and apparatus, and computer-readable storage medium |
WO2019196963A1 (zh) | | Method and apparatus for accessing a network slice, storage medium, and electronic apparatus |
US20230300702A1 (en) | | Method, device, and system for core network device re-allocation in wireless network |
WO2022217571A1 (zh) | | Authentication method and apparatus for network slice, and device and storage medium |
CN117083894A (zh) | | Apparatus and method for coordinating re-authentication/re-authorization procedures for access to uncrewed aerial services |
JP2023531150A (ja) | | 5G multicast broadcast service handover |
CN114208240B (zh) | | Data transmission method, apparatus and system |
WO2024066924A1 (zh) | | User terminal policy configuration method, apparatus, medium and chip |
US20230336992A1 (en) | | Method and apparatus for authenticating user equipment in wireless communication system |
EP4443929A1 (en) | | Method and device for forming end-to-end security during provisioning of credentials to terminal by using control plane |
US20240179661A1 (en) | | Deregistration Method and Communication Apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21936450; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2021936450; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2021936450; Country of ref document: EP; Effective date: 20231116 |