WO2022227919A1 - Security configuration method and communication apparatus in a handover scenario - Google Patents
Original title: 切换场景下的安全配置方法和通信装置
- Publication number
- WO2022227919A1 (PCT application PCT/CN2022/081556)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user plane
- access network
- radio bearer
- network node
- data radio
- Prior art date
Classifications
- H04W36/0064: Hand-off or reselection arrangements; control or signalling for completing the hand-off; transmission or use of information for re-establishing the radio link, of control information between different access points
- H04W36/0038: Hand-off or reselection arrangements; control or signalling for completing the hand-off for data sessions of end-to-end connection, with transfer of context information, of security context information
- H04L63/20: Network architectures or network communication protocols for network security; managing network security; network security policies in general
- H04L41/0823: Configuration management of networks or network elements; configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
- H04L5/0053: Arrangements affording multiple use of the transmission path; allocation of signaling, i.e. of overhead other than pilot signals
- H04L9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
- H04W12/033: Security arrangements; protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
- H04W36/0069: Hand-off or reselection arrangements; transmission or use of information for re-establishing the radio link in case of dual connectivity, e.g. decoupled uplink/downlink
- H04W36/08: Hand-off or reselection arrangements; reselecting an access point
- H04W36/185: Hand-off or reselection arrangements; performing reselection for allowing seamless reselection, e.g. soft reselection, using make before break
Definitions
- the present application relates to the field of communication, and more particularly, to a security configuration method and communication device in a handover scenario.
- DAPS: dual active protocol stack (handover).
- DAPS handover is configured per bearer: the source base station may activate it for one or more of the terminal device's data radio bearers (DRBs) rather than for all of them.
- DRBs: data radio bearers.
- Until the radio access network (RAN) node indicates release of the source resources, the terminal device keeps exchanging data packets with both the source RAN node and the target RAN node, so the source RAN node and the target RAN node may transmit the same data packet.
- Because the same data packet may be sent over both legs, the security configuration procedure of the current system has a gap: if the two legs apply different user plane security configurations to the same bearer, the packet travels under the weaker protection on one of them, which is a data security risk.
- Embodiments of the present application provide a security configuration method and a communication device in a handover scenario, so as to improve communication security.
- A first aspect provides a security configuration method in a handover scenario. The method can be executed by an access network node or by a module (such as a chip) configured on or used for an access network node; the description below takes execution by the access network node as an example.
- The method includes: the target access network node receives a first message that instructs the terminal device to hand over from the source access network node to the target access network node, where the first message includes first information indicating that the same user plane security configuration as the data radio bearer of the source access network node is to be used; the target access network node sends a response message to the first message, where the response message includes second information indicating the user plane security configuration of a second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer of the target access network node is the same as that of the first data radio bearer of the source access network node.
- the second data radio bearer is a data radio bearer after the first data radio bearer is switched from the source access network node to the target access network node.
- Based on the first information, the target access network node determines that the user plane security configuration adopted for the DRB is the same as that of the corresponding DRB of the source RAN node. This reduces the security risk that arises when the target access network node and the source access network node transmit the same data packet over data radio bearers with different security configurations, and so improves the security of data transmission.
- The first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication indicates that the first data radio bearer uses dual active protocol stack handover.
- Through the dual active protocol stack handover indication, the source access network node not only indicates that the first data radio bearer uses dual active protocol stack handover, but also implicitly indicates that the user plane security configuration adopted for the DRB is the same as that of the DRB of the source access network node. This avoids adding new information overhead to the first message.
- Where the first message includes the user plane security configuration of the first data radio bearer, the method further includes: the target access network node determines, according to the dual active protocol stack handover indication, that the user plane security configuration of the second data radio bearer is the same as that of the first data radio bearer; and the target access network node configures, according to the user plane security configuration of the first data radio bearer, the user plane security of the second data radio bearer, or the user plane security of the data radio bearers in the protocol data unit (PDU) session corresponding to the second data radio bearer.
- the user plane security of the data radio bearer includes ciphering protection and/or integrity protection.
- The user plane security configuration of the first data radio bearer includes whether the user plane security of the first data radio bearer is configured in an enabled state or a disabled state; the enabled state may also be referred to as the activated state, and the disabled state may also be referred to as the deactivated (inactive) state.
- Specifically, the user plane security configuration of the first data radio bearer includes a ciphering protection enable indication or a ciphering protection disable indication, and/or an integrity protection enable indication or an integrity protection disable indication. Enabling may also be called activation, and not enabling may also be called deactivation.
- Thus the target access network node can determine, from the dual active protocol stack handover indication of the first data radio bearer, that the user plane security configuration adopted for the DRB is the same as that of the DRB of the source access network node. Without adding information overhead to the first message, the target access network node and the source access network node reach agreement, through the implicit meaning of the dual active protocol stack handover indication, on using the same user plane security configuration as the DRB of the source access network node.
- The first information includes a user plane security activation state, which indicates the user plane security activation state of the first data radio bearer.
- The user plane security activation state is either on (enabled) or off (disabled). The on state may include that ciphering protection is on and/or that integrity protection is on; the off state may include that ciphering protection is off and/or that integrity protection is off. Being on may also be called activated, and being off may also be called deactivated.
- The method further includes: the target access network node determines the user plane security configuration of the second data radio bearer according to the user plane security activation state.
- By including the user plane security activation state in the first message, the source access network node indicates the user plane security activation state of the first DRB at the source access network node, so that the target access network node determines the user plane security configuration of the second DRB from that state, and the user plane security configuration used by the target access network node for the second DRB is the same as the one used by the source access network node for the first DRB.
- Where the first message includes the user plane security configuration of the first data radio bearer, the method further includes: the target access network node compares the user plane security configuration of the second data radio bearer with that of the first data radio bearer. If they differ, the second information includes the user plane security configuration of the second data radio bearer; if they are the same, the second information indicates that the second data radio bearer uses the same user plane security configuration as the first data radio bearer.
- The first message includes a first user plane security policy, which is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
- The first user plane security policy may include user plane ciphering protection indication information and/or user plane integrity protection indication information.
- The user plane ciphering protection indication information takes one of three values, required, preferred, or not needed, meaning that enabling user plane ciphering protection is required, recommended, or not needed respectively.
- The user plane integrity protection indication information likewise takes one of three values, required, preferred, or not needed, for enabling user plane integrity protection.
- The first user plane security policy indicates that it is recommended (preferred) to use, that is, to enable, security protection.
- Based on the first information, the target access network node determines that the user plane security configuration adopted for the DRB is the same as that of the DRB of the source access network node.
- The second information either indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or includes the user plane security configuration of the second data radio bearer.
- Indicating the user plane security configuration of the second data radio bearer in either of these ways lets the terminal device, after obtaining the second information through the source access network node, determine the user plane security configuration of the second data radio bearer.
- The method further includes: after the target access network node receives a radio resource control (RRC) reconfiguration complete message from the terminal device, the target access network node updates the user plane security configuration of the second data radio bearer according to a second user plane security policy, where the second user plane security policy is the user plane security policy of the second data radio bearer of the target access network node or of the protocol data unit session corresponding to the second data radio bearer.
- RRC: radio resource control.
- In this way the target access network node can update the user plane security configuration of the second data radio bearer once the handover has completed, so that data security follows the latest policy.
- The method further includes: the target access network node sends the updated user plane security configuration of the second data radio bearer of the target access network node to the terminal device.
- The updated user plane security configuration is carried in a resource release message.
- The first message comes from the source access network node, and sending the response message by the target access network node includes the target access network node sending the response message to the source access network node; or the first message comes from a core network node, and sending the response message by the target access network node includes the target access network node sending the response message to the core network node.
- A second aspect provides a security configuration method in a handover scenario. The method can be executed by an access network node or by a module (such as a chip) configured on or used for an access network node; the description below takes execution by the access network node as an example.
- The method includes: a source access network node sends a first message that instructs a terminal device to hand over from the source access network node to a target access network node, where the first message includes first information indicating that the same user plane security configuration as the data radio bearer of the source access network node is to be used; the source access network node receives a response message to the first message, where the response message includes second information indicating the user plane security configuration of a second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer of the target access network node is the same as that of the first data radio bearer of the source access network node.
- the second data radio bearer is a data radio bearer after the first data radio bearer is switched from the source access network node to the target access network node.
- Through the first information, the source access network node notifies the target access network node to use the same user plane security configuration as the DRB of the source access network node, so that the target access network node can, based on the first message, use the same user plane security configuration as the DRB of the source access network node.
- The method further includes: the source access network node sends a second message to the terminal device, where the second message instructs the terminal device to hand over from the source access network node to the target access network node and includes the second information.
- The source access network node forwards the second information from the target access network node to the terminal device, so that the terminal device can determine from the second information the user plane security configuration of the DRB adopted by the target access network node; the terminal device and the target access network node thereby agree on the configuration, which ensures reliable data transmission.
- The first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication indicates that the first data radio bearer uses dual active protocol stack handover.
- Through the dual active protocol stack handover indication, the source access network node not only indicates that the first data radio bearer uses dual active protocol stack handover, but also implicitly indicates that the user plane security configuration adopted for the DRB is the same as that of the DRB of the source access network node. This avoids adding new information overhead to the first message.
- The first information includes a user plane security activation state, which indicates the user plane security activation state of the first data radio bearer.
- By including the user plane security activation state in the first message, the source access network node indicates the user plane security activation state of the first DRB at the source access network node, so that the target access network node determines the user plane security configuration of the second DRB from that state, and the user plane security configuration used by the target access network node for the second DRB is the same as the one used by the source access network node for the first DRB.
- The source access network node determines that the first message includes the first information.
- The first message includes the user plane security configuration of the first data radio bearer, and/or the first message includes the first user plane security policy, where the first user plane security policy is the user plane security policy of the first data radio bearer or of the protocol data unit session corresponding to the first data radio bearer.
- The first user plane security policy indicates that security protection is recommended (preferred).
- The method further includes: when the first user plane security policy indicates that security protection is recommended (preferred), the source access network node determines that the first message includes the first information, where the first user plane security policy is the user plane security policy of the first data radio bearer or of the protocol data unit session corresponding to the first data radio bearer. A "preferred" policy is the case that needs the first information: under "required" or "not needed" the target access network node has no latitude to configure the second data radio bearer differently, whereas under "preferred" it could otherwise make a different choice from the source access network node.
- With the solution provided in this application, the source access network node uses the first information to notify the target access network node to use the same DRB user plane security configuration as the source access network node.
- The second information either indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or includes the user plane security configuration of the second data radio bearer.
- The response message comes from the target access network node, and sending the first message by the source access network node includes the source access network node sending the first message to the target access network node; or the response message comes from a core network node, and sending the first message by the source access network node includes the source access network node sending the first message to the core network node.
- A third aspect provides a security configuration method in a handover scenario. The method can be executed by a terminal device or by a module (such as a chip) configured in or used for the terminal device; the description below takes execution by the terminal device as an example.
- The method includes: the terminal device receives a radio resource configuration message from the source access network device, where the radio resource configuration message includes second information indicating the user plane security configuration of the second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer is the same as that of the first data radio bearer of the source access network node; the terminal device receives a resource release message from the target access network node, where the resource release message includes third information indicating the updated user plane security configuration of the second data radio bearer of the target access network node.
- the second data radio bearer is a data radio bearer after the first data radio bearer is switched from the source access network node to the target access network node.
- During the handover of the terminal device, the target access network node and the source access network node use the same user plane security configuration for the DRB. This reduces the security risk that arises when the target access network node and the source access network node transmit the same data packet to the terminal device over data radio bearers with different security configurations, and improves the security of data transmission.
- The updated user plane security configuration is obtained through the resource release message, so that data security follows the latest policy.
- The second information either indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or includes the user plane security configuration of the second data radio bearer.
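As an added worked example (not code from the patent or from any vendor), the Python below models the exchange described in the first, second and third aspects for one DRB: the source node decides whether to pin its DRB's user plane security activation state in the handover request (only under a "preferred" policy), the target node derives the configuration of the post-handover DRB and answers with either a "same as source" indication or an explicit configuration, the terminal applies what the RRC reconfiguration carries, and the target re-evaluates under its own policy after the RRC reconfiguration complete message. The message and field names (FirstInfo, SecondInfo, activation_state and so on), the consistency check inside target_handle and the dual_leg_exposure helper are assumptions of this example; the policy values required/preferred/not needed and the decision rules follow the page's text.

```python
# Illustrative model (not the patent's code) of user plane (UP) security negotiation for one DRB at DAPS handover.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Policy(str, Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not needed"


@dataclass(frozen=True)
class UpPolicy:
    ciphering: Policy
    integrity: Policy


@dataclass(frozen=True)
class UpConfig:
    """Activation state of one DRB: True means the protection is on (activated)."""
    ciphering_on: bool
    integrity_on: bool


@dataclass(frozen=True)
class FirstInfo:
    """'First information' in the handover request (assumed layout)."""
    drb_id: int
    daps_handover: bool                   # DAPS handover indication for this DRB
    policy: UpPolicy                      # first UP security policy (DRB or PDU session)
    activation_state: Optional[UpConfig]  # source DRB state, present only when pinned


@dataclass(frozen=True)
class SecondInfo:
    """'Second information' in the response, forwarded to the UE by the source node."""
    drb_id: int
    same_as_source: bool
    config: Optional[UpConfig]            # explicit configuration when not 'same'


def config_from_policy(policy: UpPolicy, prefer_on: bool) -> UpConfig:
    """'required' -> on, 'not needed' -> off; only 'preferred' leaves the node a choice."""
    fixed = {Policy.REQUIRED: True, Policy.NOT_NEEDED: False}
    return UpConfig(fixed.get(policy.ciphering, prefer_on), fixed.get(policy.integrity, prefer_on))


def source_build_first_info(drb_id: int, daps: bool, cfg: UpConfig, policy: UpPolicy) -> FirstInfo:
    """Pin the source state only for a DAPS DRB under a 'preferred' policy, the only case
    in which the target could legitimately choose a different configuration."""
    pin = daps and Policy.PREFERRED in (policy.ciphering, policy.integrity)
    return FirstInfo(drb_id, daps, policy, cfg if pin else None)


def target_handle(first: FirstInfo, target_prefers_on: bool) -> Tuple[UpConfig, SecondInfo]:
    """Target chooses the second DRB's configuration and builds the second information."""
    own = config_from_policy(first.policy, target_prefers_on)
    pinned = first.activation_state
    if pinned is not None:
        # Added check: a pinned state may only differ from the policy where it is 'preferred'.
        for field, p in (("ciphering_on", first.policy.ciphering),
                         ("integrity_on", first.policy.integrity)):
            if p is not Policy.PREFERRED and getattr(pinned, field) != getattr(own, field):
                raise ValueError(f"pinned {field} contradicts policy '{p.value}'")
    chosen = pinned if pinned is not None else own
    same = pinned is not None and chosen == pinned   # comparison with the source DRB
    return chosen, SecondInfo(first.drb_id, same, None if same else chosen)


def ue_apply(second: SecondInfo, source_cfg: UpConfig) -> UpConfig:
    """UE side: derive the second DRB's configuration from the RRC reconfiguration."""
    return source_cfg if second.same_as_source else second.config


def target_post_handover_update(second_policy: UpPolicy, target_prefers_on: bool) -> UpConfig:
    """After RRC reconfiguration complete: re-evaluate under the target's own (second) policy."""
    return config_from_policy(second_policy, target_prefers_on)


def dual_leg_exposure(source_cfg: UpConfig, target_cfg: UpConfig) -> Set[str]:
    """Protections on for one DRB and off for the other while both legs carry the same packets."""
    exposed = set()
    if source_cfg.ciphering_on != target_cfg.ciphering_on:
        exposed.add("ciphering")
    if source_cfg.integrity_on != target_cfg.integrity_on:
        exposed.add("integrity")
    return exposed


def walkthrough(pin: bool, target_prefers_on: bool = False) -> Tuple[UpConfig, Set[str]]:
    """One DRB under a 'preferred' policy with both protections on at the source (constructed input)."""
    policy = UpPolicy(Policy.PREFERRED, Policy.PREFERRED)
    source_cfg = UpConfig(ciphering_on=True, integrity_on=True)
    first = (source_build_first_info(1, True, source_cfg, policy) if pin
             else FirstInfo(1, True, policy, None))      # no first information: the gap
    target_cfg, second = target_handle(first, target_prefers_on)
    return ue_apply(second, source_cfg), dual_leg_exposure(source_cfg, target_cfg)
```

walkthrough(pin=True) returns the source configuration with no exposed protection; walkthrough(pin=False) is the situation the page calls a gap: with a "preferred" policy and no first information, a target that prefers protection off forwards the same packets unciphered and unprotected while the source leg still protects them. The ValueError in target_handle is a check added here, not something the page describes: a pinned state that contradicts a "required" or "not needed" policy means the source node and the core network disagree and should not be accepted silently.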
- A fourth aspect provides a communication apparatus, which may include modules corresponding one-to-one to the methods/operations/steps/actions described in the first aspect. The modules may be implemented by hardware circuits, by software, or by a combination of hardware circuits and software.
- The apparatus includes: a transceiver unit for receiving a first message that instructs a terminal device to hand over from a source access network node to a target access network node, where the first message includes first information indicating that the same user plane security configuration as the data radio bearer of the source access network node is to be used; a processing unit for determining that the user plane security configuration of the second data radio bearer of the target access network node is the same as that of the first data radio bearer of the source access network node; and the transceiver unit is further used to send a response message to the first message, where the response message includes second information indicating the user plane security configuration of the second data radio bearer.
- the second data radio bearer is a data radio bearer after the first data radio bearer is switched from the source access network node to the target access network node.
- The first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication indicates that the first data radio bearer uses dual active protocol stack handover.
- Where the first message includes the user plane security configuration of the first data radio bearer, the processing unit is further configured to determine, according to the dual active protocol stack handover indication, that the user plane security configuration of the second data radio bearer is the same as that of the first data radio bearer, and to configure, according to the user plane security configuration of the first data radio bearer, the user plane security of the second data radio bearer or of the data radio bearers in the protocol data unit session corresponding to the second data radio bearer.
- The first information includes a user plane security activation state, which indicates the user plane security activation state of the first data radio bearer.
- The processing unit is further configured to determine the user plane security configuration of the second data radio bearer according to the user plane security activation state.
- Where the first message includes the user plane security configuration of the first data radio bearer, the processing unit is further configured to compare the user plane security configuration of the second data radio bearer with that of the first data radio bearer: if they differ, the second information includes the user plane security configuration of the second data radio bearer; if they are the same, the second information indicates that the second data radio bearer uses the same user plane security configuration as the first data radio bearer.
- the first message includes a first user plane security policy
- the first user plane security policy is the user plane security policy of the first data radio bearer
- or, the first user plane security policy is the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
- the first user plane security policy indicates that security protection is recommended to be used.
- the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
- the processing unit is further configured to, after the target access network node receives the radio resource control reconfiguration complete message from the terminal device, update the user plane security configuration of the second data radio bearer according to a second user plane security policy, wherein the second user plane security policy is the user plane security policy of the second data radio bearer of the target access network node, or the user plane security policy of the protocol data unit session corresponding to the second data radio bearer.
- the transceiver unit is further configured to send the updated user plane security configuration of the second data radio bearer of the target access network node to the terminal device.
- the updated user plane security configuration is carried in a resource release message.
- the first message comes from the source access network node, and the transceiver unit is specifically configured to send the response message to the source access network node; or, the first message comes from a core network node, and the transceiver unit is specifically configured to send the response message to the core network node.
- a fifth aspect provides a communication device.
- the device may include modules that correspond one-to-one to the methods/operations/steps/actions described in the second aspect.
- the modules may be hardware circuits, software, or a combination of hardware circuits and software.
- the apparatus includes: a processing unit configured to determine a first message, where the first message is used to instruct the terminal device to switch from the source access network node to the target access network node, wherein the first message includes first information, and the first information is used to indicate that the same user plane security configuration as that of the data radio bearer of the source access network node is used; a transceiver unit configured to send the first message; the transceiver unit is further configured to receive a response message to the first message, where the response message includes second information, and the second information is used to indicate the user plane security configuration of the second data radio bearer of the target access network node, wherein the user plane security configuration of the second data radio bearer of the target access network node is the same as the user plane security configuration of the first data radio bearer of the source access node.
- the second data radio bearer is a data radio bearer after the first data radio bearer is switched from the source access network node to the target access network node.
- the transceiver unit is further configured to send a second message to the terminal device, where the second message is used to instruct the terminal device to switch from the source access network node to the target access network node, and the second message includes the second information.
- the first information includes identification information of the first data radio bearer and a dual active protocol stack (DAPS) handover indication, where the DAPS handover indication is used to indicate that the first data radio bearer uses DAPS handover.
- the first information includes a user plane security activation status
- the user plane security activation status is used to indicate the user plane security activation status of the first data radio bearer, or the user plane security activation status of the protocol data unit session corresponding to the first data radio bearer.
- the processing unit is further configured to determine that the first message includes the first information when the source access network node determines that the data radio bearer uses dual active protocol stack handover.
- the first message includes the user plane security configuration of the first data radio bearer, and/or the first message includes the first user plane security policy
- the first user plane security policy is the user plane security policy of the first data radio bearer, or the user plane security policy of the first protocol data unit session corresponding to the first data radio bearer.
- the first user plane security policy indicates that security protection is recommended.
- the processing unit is further configured to, in the case that the first user plane security policy indicates that security protection is recommended (preferred), determine that the first message includes the first information, wherein the first user plane security policy is the user plane security policy of the first data radio bearer, or the user plane security policy of the first protocol data unit session corresponding to the first data radio bearer.
- the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node.
- the second information includes the user plane security configuration of the second data radio bearer.
- the response message comes from the target access network node, and the transceiver unit is specifically configured to send the first message to the target access network node; or, the response message comes from the core network node, and the transceiver unit is specifically configured to send the first message to the core network node.
- a sixth aspect provides a communication device.
- the device may include modules that correspond one-to-one to the methods/operations/steps/actions described in the third aspect.
- the modules may be hardware circuits, software, or a combination of hardware circuits and software.
- the apparatus includes: a transceiver unit configured to receive a radio resource control reconfiguration message from a source access network device, where the message includes second information, and the second information is used to indicate the user plane security configuration of the second data radio bearer of the target access network node, wherein the user plane security configuration of the second data radio bearer is the same as the user plane security configuration of the first data radio bearer of the source access node; and a processing unit configured to determine that the second data radio bearer and the first data radio bearer of the source access node have the same user plane security configuration.
- the transceiver unit is further configured to receive a resource release message from the target access network node, where the resource release message includes third information, and the third information is used to indicate the updated user plane security configuration of the data radio bearer of the target access network node.
- the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
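The exchange described by the fourth, fifth and sixth aspects above, as an added worked example in Python (this is not code from the patent or from any base-station implementation): the source node builds the first message and includes the first information when the DRB uses DAPS handover or when its user plane security policy is preferred; the target node mirrors the source DRB's user plane security configuration for a DAPS bearer, answers with second information that is either a "same as source" indication or the explicit configuration, and, once the RRC reconfiguration complete message has arrived, re-evaluates its own user plane security policy and carries any change as third information in the resource release message; the UE applies both. The security point it makes concrete is the reason for the mirroring: while both DAPS legs are active, source and target deliver the same user plane packets, so the DRB keeps one configuration until the source leg is released. The message and field names (`first_information`, `same_as_source`, `third_information`), the policy check in `handle_first_message`, and the sample inputs are assumptions made for this example, not terms from the patent or from 3GPP.

```python
"""UP security configuration of a DRB through a DAPS handover (Xn or N2 path).

Added example; not code from the patent or from any gNB. Message and field
names are assumptions that mirror the terms used in the text.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class UpSecurityConfig:
    """Which protections are activated on the DRB."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class Drb:
    drb_id: int
    daps: bool                 # handed over with a dual active protocol stack?
    config: UpSecurityConfig   # current UP security configuration at the source
    policy: dict               # PDU-session policy, e.g. {"ciphering": "required", "integrity": "preferred"}


def resolve_policy(policy: dict, local_choice: UpSecurityConfig) -> UpSecurityConfig:
    """required -> on, not needed -> off, preferred -> the node's own choice."""
    fixed = {"required": True, "not needed": False}
    return UpSecurityConfig(fixed.get(policy["ciphering"], local_choice.ciphering),
                            fixed.get(policy["integrity"], local_choice.integrity))


# ---- source access network node (fifth aspect) ---------------------------------
def build_first_message(drb: Drb) -> dict:
    """First information is included when the DRB uses DAPS or when its policy is
    'preferred', i.e. whenever the target could otherwise pick a different configuration."""
    msg = {"drb_id": drb.drb_id, "policy": drb.policy, "source_config": drb.config}
    if drb.daps or "preferred" in drb.policy.values():
        msg["first_information"] = {"drb_id": drb.drb_id, "daps": drb.daps,
                                    "activation_status": drb.config}
    return msg


# ---- target access network node (fourth aspect) --------------------------------
def handle_first_message(msg: dict, target_prefers: UpSecurityConfig) -> tuple[UpSecurityConfig, dict]:
    """Decide the second DRB's configuration and build the second information."""
    first_info = msg.get("first_information")
    if first_info and first_info["daps"]:
        # DAPS bearer: mirror the source configuration while both legs are active.
        cfg = first_info["activation_status"]
    else:
        cfg = resolve_policy(msg["policy"], target_prefers)
    # Added check (not in the text): a mirrored configuration must still satisfy
    # a 'required' / 'not needed' policy; refuse the handover request otherwise.
    if resolve_policy(msg["policy"], cfg) != cfg:
        raise ValueError(f"DRB {msg['drb_id']}: {cfg} violates policy {msg['policy']}")
    if cfg == msg["source_config"]:
        second_info = {"drb_id": msg["drb_id"], "same_as_source": True}
    else:
        second_info = {"drb_id": msg["drb_id"], "same_as_source": False, "config": cfg}
    return cfg, second_info


def build_release_message(drb_id: int, current: UpSecurityConfig, policy: dict,
                          target_prefers: UpSecurityConfig) -> dict:
    """After RRC reconfiguration complete: apply the target's own policy; if the result
    differs from the mirrored configuration, carry it as third information."""
    updated = resolve_policy(policy, target_prefers)
    release = {"drb_id": drb_id}
    if updated != current:
        release["third_information"] = {"updated_config": updated}
    return release


# ---- terminal device (sixth aspect) --------------------------------------------
def ue_apply_rrc_reconfiguration(source_cfg: UpSecurityConfig, second_info: dict) -> UpSecurityConfig:
    return source_cfg if second_info["same_as_source"] else second_info["config"]


def ue_apply_release(current: UpSecurityConfig, release: dict) -> UpSecurityConfig:
    third = release.get("third_information")
    return third["updated_config"] if third else current


def run_handover(drb: Drb, target_prefers: UpSecurityConfig) -> tuple[UpSecurityConfig, UpSecurityConfig]:
    """Whole exchange; returns (UE config while both legs are active, UE config after release)."""
    first = build_first_message(drb)                                       # source -> target (directly or via core)
    target_cfg, second_info = handle_first_message(first, target_prefers)   # target -> source response
    during = ue_apply_rrc_reconfiguration(drb.config, second_info)          # source -> UE RRC reconfiguration
    assert during == target_cfg, "UE and target PDCP must agree while both legs carry the same packets"
    release = build_release_message(drb.drb_id, target_cfg, drb.policy, target_prefers)  # after reconfig complete
    return during, ue_apply_release(during, release)


if __name__ == "__main__":
    # Constructed sample: integrity 'preferred', on at the source, target would rather run without it.
    drb = Drb(1, True, UpSecurityConfig(True, True), {"ciphering": "required", "integrity": "preferred"})
    print(run_handover(drb, UpSecurityConfig(True, False)))
```

For the DAPS bearer in the sample, the UE keeps ciphering and integrity on for the duration of the handover and only drops integrity protection when the target's resource release message arrives; a non-DAPS bearer with the same policy gets the target's configuration immediately in the second information.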
- a communication apparatus including a processor.
- the processor may implement the first aspect and the method in any possible implementation manner of the first aspect.
- the communication device further includes a memory, and the processor is coupled to the memory and can be configured to execute instructions in the memory, so as to implement the first aspect and the method in any possible implementation manner of the first aspect.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication interface may be a transceiver, a pin, a circuit, a bus, a module, or other types of communication interfaces, which are not limited.
- the communication device is a target access network node.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in the target access network node.
- the communication interface may be an input/output interface.
- a communication apparatus including a processor.
- the processor may implement the method in the second aspect and any possible implementation manner of the second aspect.
- the communication device further includes a memory, and the processor is coupled to the memory and can be configured to execute instructions in the memory, so as to implement the second aspect and the method in any possible implementation manner of the second aspect.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication interface may be a transceiver, a pin, a circuit, a bus, a module or other types of communication interfaces, which are not limited.
- the communication device is a source access network node.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in the source access network node.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- a communication apparatus including a processor.
- the processor may implement the third aspect and the method in any possible implementation manner of the third aspect.
- the communication device further includes a memory, and the processor is coupled to the memory and can be configured to execute instructions in the memory, so as to implement the third aspect and the method in any possible implementation manner of the third aspect.
- the communication device further includes a communication interface, and the processor is coupled to the communication interface.
- the communication interface may be a transceiver, a pin, a circuit, a bus, a module, or other types of communication interfaces, which are not limited.
- the communication apparatus is a terminal device.
- the communication interface may be a transceiver, or an input/output interface.
- the communication device is a chip configured in the terminal device.
- the communication interface may be an input/output interface.
- the transceiver may be a transceiver circuit.
- the input/output interface may be an input/output circuit.
- a processor comprising: an input circuit, an output circuit and a processing circuit.
- the processing circuit is configured to receive a signal through the input circuit and transmit a signal through the output circuit, so that the processor executes the method of any one of the first to third aspects and any of their possible implementations.
- the above-mentioned processor may be one or more chips
- the input circuit may be input pins
- the output circuit may be output pins
- the processing circuit may be transistors, gate circuits, flip-flops and various logic circuits, etc.
- the input signal received by the input circuit may be received and input by, for example, but not limited to, a receiver
- the signal output by the output circuit may be, for example, but not limited to, output to and transmitted by a transmitter
- the circuit can be the same circuit that acts as an input circuit and an output circuit at different times.
- the embodiments of the present application do not limit the specific implementation manners of the processor and various circuits.
- a computer program product comprising a computer program (also referred to as code, or instructions) which, when executed, causes the computer to execute the methods of the above-mentioned first to third aspects and any possible implementation of the first to third aspects.
- a computer-readable storage medium stores a computer program (also referred to as code, or instructions) which, when run on a computer, causes the computer to execute the method of the above-mentioned first aspect.
- a communication system including at least two of the foregoing terminal equipment, source access network node, target access network node or core network node.
- FIG. 1 is a schematic block diagram of a communication system provided by an embodiment of the present application.
- FIG. 1A is another schematic block diagram of a communication system provided by an embodiment of the present application.
- FIG. 2 is a schematic flowchart of user plane security activation provided by an embodiment of the present application
- FIG. 3 is a schematic diagram of DRB data packet transmission using DAPS handover provided by an embodiment of the present application
- FIG. 4 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- FIG. 5 is a schematic flowchart of a security configuration method in an Xn interface-based handover scenario provided by an embodiment of the present application
- FIG. 6 is another schematic flowchart of a security configuration method in an Xn interface-based handover scenario provided by an embodiment of the present application
- FIG. 7 is a schematic flowchart of a security configuration method in an N2 interface-based handover scenario provided by an embodiment of the present application.
- FIG. 8 is another schematic flowchart of a security configuration method in an N2 interface-based handover scenario provided by an embodiment of the present application.
- FIG. 9 is a schematic block diagram of an example of a communication device provided by an embodiment of the present application.
- FIG. 10 is a schematic structural diagram of an example of a terminal device provided by an embodiment of the present application.
- FIG. 11 is a schematic structural diagram of an example of an access network device provided by an embodiment of the present application.
- FIG. 12 is a schematic structural diagram of an example of a communication device provided by an embodiment of the present application.
- Communication between communication devices may include: communication between a network device and a terminal device, communication between a network device and a network device, and/or communication between a terminal device and a terminal device.
- the term “communication” may also be described as "transmission”, “information transmission”, or “signal transmission”, or the like. Transmission can include sending and/or receiving.
- the technical solution of the embodiments of the present application is described by taking the communication between the network device and the terminal device as an example, and those skilled in the art can also use the technical solution for communication between other scheduling entities and subordinate entities, such as between a macro base station and a micro base station.
- the scheduling entity may allocate radio resources, such as air interface resources, to the subordinate entities.
- Air interface resources include one or more of the following resources: time domain resources, frequency domain resources, code resources and space resources.
- the communication between the network device and the terminal device includes: the access network device sends a downlink signal to the terminal device, and/or the terminal device sends an uplink signal to the access network device.
- the signal can also be replaced with information or data, etc.
- the terminal device involved in the embodiments of the present application may also be referred to as a terminal.
- the terminal may be a device with wireless transceiving function. Terminals can be deployed on land, including indoors, outdoors, handheld, and/or vehicle; can also be deployed on water (such as ships, etc.); and can also be deployed in the air (such as aircraft, balloons, and satellites, etc.).
- the terminal equipment may be user equipment (user equipment, UE). UEs include handheld devices, in-vehicle devices, wearable devices, or computing devices with wireless communication capabilities. Exemplarily, the UE may be a mobile phone, a tablet computer, or a computer with a wireless transceiver function.
- the terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city, and/or a wireless terminal in a smart home, and so on.
- the access network (radio access network, RAN) node involved in the embodiments of the present application may be a RAN device, including a base station (BS), that is, a device deployed in the radio access network and capable of communicating wirelessly with terminal devices.
- the base station may have various forms, such as macro base station, micro base station, relay station or access point.
- the base station involved in the embodiments of the present application may be a next generation radio access network (NG-RAN) device in a 5G system, a base station in a long term evolution (LTE) system, or a base station in another system, without restriction.
- the NG-RAN equipment in the 5G system may also be called a transmission reception point (TRP) or a next generation Node B (gNB or gNodeB).
- the base station may be an integrated base station, or may be a base station separated into multiple network elements, which is not limited.
- the base station is a base station in which a centralized unit (centralized unit, CU) and a distributed unit (distributed unit, DU) are separated, that is, the base station includes a CU and a DU.
- FIG. 1 is a schematic diagram of a system architecture 100 suitable for an embodiment of the present application.
- as shown in FIG. 1, the 5G core network (5G core, 5GC, or next generation core, NGC) includes an access and mobility management function (AMF) node, a session management function (SMF) node, a user plane function (UPF) node, an authentication server function (AUSF) node, a policy control function (PCF) node, an application function (AF) node, a unified data management (UDM) node, a network slice selection function (NSSF) node and other functional units.
- the AMF node is mainly responsible for services such as mobility management and access management.
- the SMF node is mainly responsible for session management, terminal device address management and allocation, dynamic host configuration protocol functions, and user plane function selection and control.
- UPF is mainly responsible for external connection to the data network (DN) and data packet routing and forwarding on the user plane, packet filtering, and performing quality of service (QoS) control related functions.
- UDM is mainly responsible for storing the subscription data, credentials and subscription permanent identifier (SUPI) of the terminal devices subscribed to the network; the service interface provided is Nudm. These data can be used for authentication and authorization of terminal devices accessing the operator's network.
- AUSF is mainly responsible for the authentication function of terminal equipment.
- the PCF node is mainly responsible for providing a unified policy framework for network behavior management, providing policy rules for control plane functions, and acquiring registration information related to policy decisions.
- the service interface provided is Npcf. It should be noted that these functional units can work independently, or can be combined to implement certain control functions, such as access control and mobility management functions such as access authentication, security encryption, location registration, etc. to terminal equipment, and Session management functions such as establishment, release, and modification of user plane transmission paths.
- the functional units in 5GC can communicate through the next generation network (NG) interface.
- the UE can transmit control plane messages with the AMF node through the NG interface 1 (N1 for short).
- the RAN node can establish a user plane data transmission channel with the UPF through the NG interface 3 (N3 for short), the RAN node can establish a control plane signaling connection with the AMF node through the NG interface 2 (N2 for short), and the SMF node can control the UPF through the NG interface 4 (N4 for short).
- the UPF can exchange user plane data with the data network DN through the NG interface 6 (N6 for short), the AMF node can exchange information with the SMF node through the NG interface 11 (N11 for short), the SMF node can exchange information with the PCF node through the NG interface 7 (N7 for short), and the AMF node can exchange information with the AUSF through the NG interface 12 (N12 for short).
- FIG. 1 is only an exemplary architecture diagram, in addition to the functional units shown in FIG. 1 , the network architecture may further include other functional units.
- the 5G system architecture can also use service-oriented interfaces.
- the NSSF can select a set of network slice instances for the UE, and determine the allowed network slice selection assistance information (NSSAI), etc.
- the service interface provided by the NSSF is Nnssf.
- the network exposure function (NEF) can expose network capabilities and events, obtain external application information from the application function (AF), and store the information for external exposure in the unified data repository (UDR); the service interface provided by NEF is Nnef.
- the network repository function (NRF) can provide service registration, discovery and authorization, and maintain available network function (NF) instance information.
- the service interface provided by the NRF is the Nnrf interface.
- AUSF can provide 3GPP and non-3GPP unified access authentication services, and the service interface provided by AUSF is Nausf.
- the network slice specific authentication and authorization function (NSSAAF) can authenticate and authorize UEs for access to specific slices, preventing unauthorized UEs from using a slice's services or resources.
- the service interface provided by NSSAAF is Nnssaaf.
- two RAN nodes can communicate directly through the Xn interface; or, if two RAN nodes cannot communicate directly, they communicate through the AMF, that is, indirectly through the N2 interface.
- the terms access network (AN) and wireless access network RAN may not be distinguished.
- dual active protocol stack (DAPS) handover: a handover procedure that allows a terminal device, after receiving a radio resource control (RRC) message indicating handover, to maintain its connection with the source access network node until it has successfully accessed the target access network node, and only then release the source cell.
- DAPS bearer: a bearer whose radio protocol stack is located at both the source base station and the target base station during the DAPS handover, that is, a bearer that can use the resources of the source base station and of the target base station at the same time.
- User plane security policy including user plane encryption protection indication information and/or user plane integrity protection indication information.
- the user plane encryption protection indication information indicates one of three possible values: required, preferred (recommended), or not needed.
- the user plane integrity protection indication information likewise indicates one of three possible values: not needed, preferred, and required. Here, not needed indicates that user plane security does not need to be activated, preferred indicates that it can be activated or not, and required indicates that it must be activated.
- the three possible values can be indicated by 2 bits, for example, 00 indicates not needed, 01 indicates preferred (may or may not be activated), and 11 indicates required.
- the manner in which the user plane encryption protection indication information and the user plane integrity protection indication information are specifically used to indicate the three possible values is not limited in this embodiment of the present application.
- the UP security activation process includes but is not limited to the following steps:
- the UE sends a non-access stratum (NAS) message to the AMF through the NG-RAN; the NAS message contains an N1 session management (SM) container, and the container contains a PDU session establishment request carrying information such as the PDU session identifier (ID).
- the AMF generates a PDU session creation request message and sends it to the SMF according to the NAS message.
- in service-based form, the PDU session creation request message may be an Nsmf_PDUSession_CreateSMContext request message.
- the message contains the N1 SM container.
- the SMF sends a response message to the AMF.
- the response message may be an Nsmf_PDUSession_CreateSMContext response (Nsmf_PDUSession_CreateSMContext response) message.
- the SMF obtains the user plane security policy.
- the SMF can obtain the user plane security policy from the UDM, or it can obtain the user plane security policy from the local configuration.
- the user plane security policy includes the UP encryption protection policy and/or the UP integrity protection policy.
- the UP encryption protection policy can be required (Required), recommended (Preferred), or not required (not needed).
- the UP integrity protection policy can be required (Required), recommended (Preferred), or not required (not needed).
- the SMF sends the determined user plane security policy to the AMF.
- the SMF may send the determined user plane security policy to the AMF through Namf_Communication_N1N2 MessageTransfer (Namf_Communication_N1N2MessageTransfer).
- the AMF further sends the UP security policy to the NG-RAN.
- the AMF may send the UP security policy to the NG-RAN through an N2 PDU session request.
- NG-RAN activates user plane security according to the received UP security policy.
- for example, if the UP security policy indicates that both UP encryption protection and UP integrity protection are required, the NG-RAN enables both, and uses the UP encryption key, the UP integrity protection key and the UP security algorithm to encrypt and integrity-protect the UP data exchanged with the UE, as well as to decrypt and integrity-verify it.
- if the UP encryption protection policy in the UP security policy indicates required and the UP integrity protection policy indicates not needed, the NG-RAN enables UP encryption protection but does not enable UP integrity protection, and uses the UP encryption key and the UP security algorithm to encrypt or decrypt the UP data exchanged with the UE.
- if a policy indicates preferred, the NG-RAN may itself determine whether or not to enable UP encryption protection, or whether or not to enable UP integrity protection. In this case, the NG-RAN may send the determined UP activation result to the SMF.
- the NG-RAN sends an RRC connection reconfiguration message to the UE, and the message includes the UP security activation indication information.
- the UP security activation indication information includes UP encryption protection activation indication information and/or UP integrity protection activation indication information, the UP encryption protection activation indication information is used to indicate whether to enable UP encryption protection, and the UP integrity protection activation indication information is used to indicate whether Enable UP integrity protection.
- when the UP security activation indication information does not carry UP encryption protection activation indication information, this means that encryption is enabled; when encryption is not enabled, the UP security activation indication information carries UP encryption protection activation indication information that informs the UE not to enable encryption protection.
- the UP security activation indication information includes UP integrity protection activation indication information, and the UP integrity protection activation indication information indicates whether integrity protection is enabled or not.
- the UP integrity protection activation indication information may notify the UE to enable integrity protection by indicating enabled, or notify the UE not to enable integrity protection by indicating disabled.
- the NG-RAN may also indicate in other ways whether the UE enables security protection (encryption protection and/or integrity protection); for example, the RRC connection reconfiguration message may carry or not carry a certain information element (IE) to indicate whether the UE enables security protection, or may instruct the UE whether to enable security protection by setting different values of the IE. This application does not limit this.
- the RRC connection reconfiguration message sent by the NG-RAN includes a user plane security activation indication information corresponding to each DRB.
- the user plane security activation status of each DRB in a PDU session is the same, which can be enabled or disabled. Among them, turning on can also be called activation, not turning on can be called inactivation, etc.
- the UE activates UP security.
- the UE activates the UP security between the UE and the base station according to the UP security activation indication information carried in step 8, so as to perform security protection or de-security protection on the UP data transmitted between the UE and the base station.
- the specific activation of UP security may include configuring the packet data convergence protocol (PDCP) entity corresponding to the DRB.
- configuring the PDCP entity of the DRB includes configuring the PDCP entity with an encryption algorithm and a key, so that when the data packet passes through the PDCP entity, the PDCP entity can process the data packet securely.
- the UE sends an RRC connection reconfiguration complete (acknowledgement) message to the NG-RAN.
- the NG-RAN receives the RRC connection reconfiguration complete message from the UE.
- the security activation state of the user plane refers to the security activation state of the DRB. If the access network device determines to activate the security protection of the DRB, the security state of the DRB may be the on state (also called the activated state); if the access network device determines not to activate the security protection of the DRB, the security state of the DRB may be the off state (also called the inactive or deactivated state).
- the user plane security activation state may include encryption protection activation state and/or integrity protection activation state.
- the encryption protection activation state may be the on (activated) state or the off (not activated) state.
- the integrity protection activation state may likewise be the on state or the off state.
- the user plane security configuration may include enabling or not enabling the user plane security of the DRB.
- the UP security configuration of the DRB may also be called the UP security activation indication.
- the terminal device and/or the access network node can configure the PDCP entity corresponding to the DRB according to the user plane security configuration of that DRB, so that when a data packet passes through the PDCP entity, the PDCP entity can apply security processing to it.
- the source RAN node can activate DAPS handover for one or more DRBs. Whether the handover is Xn-based or N2-based, for a DRB with DAPS handover activated the terminal device keeps its connection with the source RAN node until it receives a resource release request from the target RAN node, and exchanges data packets with the source RAN node and the target RAN node simultaneously; the source RAN node and the target RAN node may therefore transmit the same data packets to the terminal device.
- the source RAN node assigns a PDCP sequence number (SN) to each data packet and forwards the data packet, with its SN, to the target RAN node.
- the target RAN node sends the data packet to the terminal device.
- the source RAN node configures the PDCP entity corresponding to the DRB according to the security activation state it has determined; a data packet is security-processed by that PDCP entity and then sent to the terminal device.
- the source RAN node, the target RAN node and the terminal device may each be configured with a physical (PHY) layer, a media access control (MAC) layer, a radio link control (RLC) layer and a PDCP layer.
- the PDCP layer of the source RAN node may be referred to as a master PDCP (master-PDCP, M-PDCP) layer
- the PDCP layer of the target RAN node may be referred to as a secondary PDCP (secondary-PDCP, S-PDCP).
- the PDCP layer of the terminal device can also be divided into M-PDCP for processing data packets from the source RAN node and S-PDCP for processing data packets from the target RAN node, but the present application is not limited to this.
- the UP security activation state of a DRB is determined independently by the target RAN node and the source RAN node, each according to the user plane security policy it obtained. When the user plane security policy indicates that protection is preferred, a RAN node may or may not enable UP security protection, so one RAN node may determine that encryption protection is enabled while the other determines that it is not. In the DAPS scenario the source RAN node and the target RAN node transmit the same data packet; an attacker who captures both copies can XOR the encrypted data packet with the unencrypted data packet to obtain the key stream used for the encrypted packet. This makes it easier for the attacker to obtain further keying information and thereby to attack other data packets.
- using the existing security mechanism in the DAPS mode has security risks.
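As an added illustration (not part of the patent text), the following Python script reproduces the risk described above: the source and target RAN nodes send the same PDCP SDU under the same COUNT, one leg ciphered and the other not, and an eavesdropper XORs the two copies. The ciphering function is a toy HMAC-based stand-in for NEA1/2/3 that takes the same inputs (key, COUNT, BEARER, DIRECTION); the keys, bearer identity and payload are constructed for the demo. It also shows the practitioner's caveat that the recovered key stream is bound to that input tuple, and the patent's remedy: when both legs use the same configuration, the XOR of the two copies is ks_src XOR ks_tgt, which exposes neither key stream.

```python
import hashlib
import hmac


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Toy stand-in for an NEA ciphering algorithm (assumption, not 3GPP code):
    expand (key, COUNT, BEARER, DIRECTION) into `length` keystream bytes with
    HMAC-SHA256.  Real NEA1/2/3 take exactly these inputs, so the dependency
    structure shown here is the real one."""
    out = b""
    block = 0
    while len(out) < length:
        msg = (count.to_bytes(4, "big") + bytes([bearer & 0x1F, direction & 1])
               + block.to_bytes(4, "big"))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pdcp_protect(key: bytes, count: int, bearer: int, direction: int,
                 sdu: bytes, ciphering_on: bool) -> bytes:
    """What a PDCP entity does to a downlink SDU: cipher it only if the DRB's
    UP security configuration enables ciphering."""
    if not ciphering_on:
        return sdu
    return xor(sdu, keystream(key, count, bearer, direction, len(sdu)))


DL = 1  # DIRECTION bit for downlink


def daps_transmit(sdu, count, bearer, key_src, src_cipher_on, key_tgt, tgt_cipher_on):
    """DAPS: the source assigns the PDCP SN (COUNT) and forwards the SDU to the
    target, so both nodes send the same SDU under the same COUNT on the same DRB.
    Returns the two copies an eavesdropper on the air interface observes."""
    from_src = pdcp_protect(key_src, count, bearer, DL, sdu, src_cipher_on)
    from_tgt = pdcp_protect(key_tgt, count, bearer, DL, sdu, tgt_cipher_on)
    return from_src, from_tgt


# Constructed demo values (not real keys or traffic).
KEY_SRC = bytes(range(16))        # source node's UP ciphering key
KEY_TGT = bytes(range(16, 32))    # target node's key (derived from KgNB* in reality)
SDU = b"constructed user-plane payload carried by DRB1/DRB2 during DAPS"
COUNT, BEARER = 0x2A, 3


def mismatched_config_leaks_keystream() -> bool:
    """Source ciphers, target does not: C XOR P gives the source's keystream."""
    from_src, from_tgt = daps_transmit(SDU, COUNT, BEARER, KEY_SRC, True, KEY_TGT, False)
    recovered = xor(from_src, from_tgt)
    return recovered == keystream(KEY_SRC, COUNT, BEARER, DL, len(SDU))


def recovered_keystream_reads_other_traffic() -> bool:
    """Caveat: the keystream is bound to (key, COUNT, BEARER, DIRECTION).  Anything
    else the source ciphers under the same tuple (e.g. COUNT reuse without
    re-keying) is exposed; packets under other COUNTs are not directly affected."""
    from_src, from_tgt = daps_transmit(SDU, COUNT, BEARER, KEY_SRC, True, KEY_TGT, False)
    recovered = xor(from_src, from_tgt)
    other = b"second SDU ciphered under the same COUNT"
    other_ct = pdcp_protect(KEY_SRC, COUNT, BEARER, DL, other, True)
    return xor(other_ct, recovered[: len(other)]) == other


def matched_config_does_not_leak() -> bool:
    """The patent's remedy: the target uses the same configuration as the source.
    With both legs ciphered (under different keys) the XOR of the two copies is
    ks_src XOR ks_tgt, which exposes neither keystream nor the SDU."""
    from_src, from_tgt = daps_transmit(SDU, COUNT, BEARER, KEY_SRC, True, KEY_TGT, True)
    mixed = xor(from_src, from_tgt)
    ks_src = keystream(KEY_SRC, COUNT, BEARER, DL, len(SDU))
    ks_tgt = keystream(KEY_TGT, COUNT, BEARER, DL, len(SDU))
    return (mixed not in (ks_src, ks_tgt)
            and xor(from_src, mixed) != SDU and xor(from_tgt, mixed) != SDU)


if __name__ == "__main__":
    print("mismatched configs leak keystream:", mismatched_config_leaks_keystream())
    print("leaked keystream reads same-COUNT traffic:", recovered_keystream_reads_other_traffic())
    print("matched configs leak nothing:", matched_config_does_not_leak())
```

Only the unciphered copy makes the attack trivial; with both legs ciphered the attacker still gets a related-keystream value, so the remedy relies on the two nodes holding different keys (KgNB and KgNB*), which the handover procedure already provides.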
- the present application proposes that the target RAN node adopts the same user plane security configuration for the DRB of the target RAN node as the user plane security configuration of the DRB of the source RAN node according to the instruction. It can reduce the potential security risks when the target RAN node and the source RAN node transmit the same data packet, and improve the security of data transmission.
- the present application can be applied to the scenario of two-way transmission of the same data, and the application scenario includes but is not limited to the data transmission mode of the dual-activation protocol stack.
- the embodiments of the present application are described by taking DAPS as an example, but the present application is not limited thereto.
- FIG. 4 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the target RAN node receives message A (that is, an example of the first message), where message A is used to instruct the terminal device to switch from the source RAN node to the target RAN node, and message A includes information A (that is, an example of the first information), which is used to indicate that the same UP security configuration of the DRB as at the source RAN node is to be used.
- the message A may be a handover request message for requesting handover of the terminal device from the source RAN node to the target RAN node.
- the application is not limited to this.
- the UP security configuration of the DRB refers to the security configuration of whether to enable UP security protection.
- the UP security protection may be UP encryption protection and/or UP integrity protection.
- the UP security configuration of the DRB may refer to whether to enable UP encryption protection and/or whether to enable UP integrity protection.
- for example, if the UP security configuration of the DRB at the source RAN node is that UP encryption protection is enabled, the information A instructs that the DRB, after being switched to the target RAN node, keeps the UP encryption protection state it had at the source RAN node, that is, the DRB at the target RAN node also enables UP encryption protection. For integrity protection the existing determination mechanism is still used; for example, the target RAN node can determine whether to enable integrity protection according to the UP integrity protection policy.
- the present application is not limited to this.
- the target RAN node can determine whether to accept the handover of the terminal device from the source RAN node to the target RAN node according to message A, and can determine, according to the information A in message A, to use the same UP security configuration as the UP security configuration of the DRB of the source RAN node.
- the target RAN node can determine, according to the information A, that some of the DRBs of the target RAN node, or all of them, use the same UP security configuration as the corresponding DRBs of the source RAN node. Specifically, this may include but is not limited to the following embodiments.
- (Embodiment 1) the information A includes a DAPS handover indication, and the DAPS handover indication is used to indicate that DRB1 of the source RAN node uses DAPS handover.
- the information A includes identification information of DRB1.
- the target RAN node determines that DRB2 of the target RAN node (that is, an example of the second data radio bearer) uses the same UP security configuration as DRB1 of the source RAN node (that is, an example of the first data radio bearer).
- DRB2 is the DRB after DRB1 is handed over to the target RAN node, or DRB2 is the DRB at the target RAN node after DAPS is activated for DRB1; DRB1 and DRB2 can carry the same data packets.
- DRB2 is the DRB corresponding to DRB1 in the target RAN node.
- the identification information of DRB1 in the source access network node is the same as the identification information of DRB2 in the target access network node.
- the target RAN node uses the UP security configuration that the source access network node applied to the one or more DRBs to configure the user plane security of those one or more DRBs between the target access network node and the UE.
- the message A also includes the UP security configuration of DRB1.
- the target RAN node configures the PDCP entity of DRB2 according to the UP security configuration of DRB1; in other words, it configures the security of the PDCP entity of DRB2.
- the target RAN node can determine, according to the DAPS handover indication, that the UP security configuration of DRB2 is the same as that of DRB1, and configure the security protection of DRB2 at the target RAN node according to the UP security configuration of DRB1 carried in message A, that is, configure the PDCP entity of DRB2 so that data packets passing through it are security-processed (for example, encrypted and/or integrity protected).
- if the UP security configuration of DRB1 enables security protection, the target RAN node enables the security protection of DRB2, that is, it configures the PDCP entity of DRB2 so that data packets passing through it are security-processed (for example, encrypted and/or integrity protected); if the UP security configuration of DRB1 does not enable security protection, the target RAN node does not enable UP security protection for DRB2, that is, data packets passing through the PDCP entity of DRB2 are not security-processed.
- the UP security configuration of the DRB may also be referred to as an UP security activation indication, and this application does not limit the name used to indicate the UP security configuration of the DRB.
- the embodiment of the present application takes the RAN node and the terminal device configuring the PDCP entity of DRB2 according to the UP security configuration as an example, but the present application is not limited to this; the configuration may be performed on other entities, for example on a NAS layer entity used for secure handling of data.
- the UP security configuration of the DRB1 is included in the UE context information in the message A or in the RRC context information in the UE context information.
- the UE context information may include UE security capabilities, access stratum (access stratum, AS) security information (eg, key KgNB*, security protection algorithm), a PDU session resource to-be-established list, and an RRC context.
- the key KgNB* is used to generate signaling plane security keys and/or user plane security keys.
- the RRC context may include UE radio related capabilities and RRC reconfiguration information. However, the present application is not limited to this.
- the message A further includes an UP security policy 1, where the UP security policy 1 is used to indicate the UP security policy of DRB1, or the UP security policy of the PDU session corresponding to DRB1.
- the message A includes a PDU session to be established list
- the PDU session to be established list includes PDU session information corresponding to the DRB1
- the UP security policy 1 is included in the PDU session information.
- the target RAN node determines, according to the DAPS handover indication, to use for DRB2 and/or one or more DRBs associated with DRB2 the same UP security configuration as the source RAN node uses for DRB1.
- one or more DRBs associated with DRB2 may be DRBs belonging to the same PDU session as DRB2. That is, DRB2 is associated with one or more DRBs through the identifier of the corresponding PDU session.
- the present application is not limited to this.
- the message A is from the source RAN node.
- the message A may be sent by the source RAN node to the target RAN node, or the message A may be sent by the AMF node to the target RAN node, in which case message A includes the transparent container received by the AMF node from the source RAN node.
- the transparent container may also be referred to as transparent information, that is, information that is transparently transmitted from the source RAN node to the target RAN node through the AMF node. This application does not limit this.
- (Embodiment 2) the information A includes the UP security activation state, which is the user plane security activation state of DRB1 of the source RAN node or of the PDU session corresponding to DRB1.
- the source RAN node obtains the UP security activation state of DRB1 (or of the PDU session corresponding to DRB1) as follows: if the state is stored locally, the source RAN node includes the stored state in message A; if it is not stored locally, the source RAN node determines the state from the local security configuration of DRB1 and includes the determined state in message A.
- the present application is not limited to this.
- the target RAN node determines that the DRB2 of the target RAN node uses the same UP security configuration as the UP security configuration of DRB1.
- when the target RAN node determines that message A includes the UP security activation state of a DRB or of a PDU session, it determines, according to that UP security activation state, that the DRB (or each DRB in the PDU session) uses the same UP security configuration as the source RAN node adopted for that DRB.
- the target RAN node after receiving the UP security activation status, determines the UP security configuration of the DRB2 according to the UP security activation status.
- the target RAN node determines to reuse the UP security configuration of the DRB received from the source RAN node.
- in other words, the target RAN node receives in message A the UP security activation state of DRB1 or of the PDU session corresponding to DRB1, and determines that DRB2 reuses the UP security configuration of DRB1 received from the source RAN node.
- the present application is not limited to this.
- the UE context information in the message A or the resource list for the PDU session to be established in the UE context includes the UP security activation state.
- the target RAN node determines the UP security configuration of DRB2 according to the UP security activation state, which can ensure that the UP security configuration adopted by the target RAN node for DRB2 is the same as the UP security configuration adopted by the source RAN node for DRB1.
- the target RAN node determines, according to the UP security activation state of DRB1 or of the PDU session corresponding to DRB1 in message A, that DRB2 and/or one or more DRBs associated with DRB2 use the same UP security configuration as the source RAN node uses for DRB1.
- one or more DRBs associated with DRB2 may be DRBs belonging to the same PDU session as DRB2. That is, DRB2 is associated with one or more DRBs through the identifier of the corresponding PDU session.
- the present application is not limited to this.
- the message A is from the source RAN node.
- the message A may be sent by the source RAN node to the target RAN node, or the message A may be sent by the AMF node to the target RAN node, in which case message A includes the transparent container received by the AMF node from the source RAN node.
- for example, when the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of the PDU session corresponding to DRB1 indicates that protection is preferred (for example, the encryption protection policy or the integrity protection policy indicates preferred), the source RAN node includes information A in message A.
- the target RAN node determines the UP security configuration of the DRB in the PDU session.
- Embodiment 1 and Embodiment 2 are only two examples provided by the embodiments of the present application, and the present application is not limited thereto, and may also include other embodiments.
- Information A can directly indicate that DRB2 of the target network device uses the same UP security configuration as DRB1, or indicate it indirectly, for example through the DAPS indication or the UP security activation state. It should be understood that any information in message A from which the target access network node determines a user plane security configuration for its DRB that is the same as the user plane security configuration of the DRB at the source access network node can be regarded as information indicating use of the same user plane security configuration of the data radio bearer as the source access network node; all such cases fall within the protection scope of the present application and are not listed one by one here.
- the target RAN node sends a response message to message A, where the response message includes information B (that is, an example of the second information), and information B is used to indicate the UP security configuration of DRB2 of the target access network node.
- the UP security configuration of the DRB2 is the same as the UP security configuration of the DRB1.
- the response message is used to confirm the acceptance of the handover of the terminal device from the source RAN node to the target RAN node.
- the information B indicates the UP security configuration of the DRB2 by the target RAN node, including but not limited to the following:
- (Mode 1) the information B indicates that the target RAN node uses the same UP security configuration for DRB2 as the source RAN node uses for DRB1.
- the target RAN node indicates to the terminal device through information B that the UP security configuration used by the target RAN node for DRB2 is the same as the UP security configuration of DRB1 of the source RAN node.
- in the existing mechanism, the target RAN node indicates the UP security configuration of a DRB as an offset or difference (Delta): the target RAN node compares the UP security configuration it has determined for DRB2 with the UP security configuration of DRB1 carried in message A, and if they differ, the target RAN node sends the determined UP security configuration of DRB2 to the source RAN node in the response message, and the source RAN node notifies the terminal device.
- if the comparison result is the same, the response message does not include the UP security configuration of DRB2; the RRC reconfiguration message carrying the handover command that the source RAN node sends to the terminal device then does not include it either, so the terminal device does not obtain the UP security configuration of DRB2 from the source RAN node.
- in this embodiment, since the target RAN node uses for DRB2 the same UP security configuration as the source RAN node uses for DRB1 according to the information A, there is no difference; the target RAN node can therefore use information B to indicate that the UP security configuration it adopts for DRB2 is the same as that adopted by the source RAN node for DRB1, and need not include the UP security configuration of DRB2.
- the target RAN node may also determine other configurations of DRB2, such as the security protection algorithm, in the Delta manner: if a configuration item of DRB2 is the same as the corresponding item of DRB1, information B need not include it; if it differs, the offset is calculated and information B may include the offset.
- the information B is a 1-bit indication whose state is "true" or "false": "true" means that the UP security configuration adopted by the target RAN node for DRB2 is the same as that adopted by the source RAN node for DRB1, and "false" means that it is different.
- the present application is not limited to this.
- (Mode 2) the information B includes the UP security configuration of DRB2.
- the target RAN node determines to use the same UP security configuration for DRB2 as the source RAN node uses for DRB1 according to the information A, and generates an UP security configuration of DRB2 that is the same as the UP security configuration of DRB1. Further, the target RAN node configures the PDCP entity of DRB2 according to the UP security configuration. The target RAN node indicates the UP security configuration of DRB2 through information B.
- the response message includes a transparent container to be sent to the terminal device, and the transparent container includes the information B.
- the source RAN node forwards the transparent container to the terminal device.
- the terminal device can determine, according to the transparent container, that the UP security configuration adopted by the target RAN node for DRB2 is the same as the UP security configuration adopted by the source RAN node, and configure the PDCP entity of the corresponding DRB.
- the response message may be sent by the target RAN node directly to the source RAN node, or it may be sent by the target RAN node to a core network node, in which case the core network node forwards the transparent container to the source RAN node.
- the present application is not limited to this.
- for a DRB3 in a PDU session that does not use DAPS handover, the target RAN node can determine whether to activate the security protection of the PDU session according to the UP security policy of the PDU session, and so determine the UP security configuration of DRB3.
- the UP security configuration of the DRB3 determined by the target RAN node according to the UP security policy may be the same as or different from that of the source RAN node, which is not limited in this application.
- the target RAN node transparently transmits the configuration of the DRB that does not use DAPS to the terminal device in message B.
- the target RAN node updates the user plane security configuration of DRB2 according to the UP security policy of DRB2 or the UP security policy of the PDU session corresponding to DRB2.
- the UP security policy may be the UP security policy carried in the message A, or may be from the SMF.
- for example, the UP security activation state of the PDU session corresponding to DRB1 is currently UP security activation state 1, and the target RAN node can determine UP security activation state 2 according to the user plane security policy in message A or the user plane security policy from the SMF.
- the target RAN node may then determine the updated UP security configuration of DRB2 according to UP security activation state 2.
- the target network device may send the updated UP security configuration of DRB2 to the terminal device.
- the updated UP security configuration of DRB2 may be carried in the RRC message sent by the target RAN node to the terminal device.
- for example, the target RAN node receives the user plane security policy from the SMF in the path switch request acknowledgement and updates its local user plane security policy (that is, the user plane security policy received from the source RAN node). If the current user plane confidentiality and integrity protection activation state of the UE is inconsistent with the user plane security policy received from the SMF, the target RAN node updates the UP security configuration of DRB2 according to the user plane security policy sent by the SMF. If the target RAN node determines that the user plane security policy in message A is the same as the user plane security policy from the SMF, then after the UE handover is completed the target RAN node updates the UP security configuration of DRB2 according to that policy (whether taken from the source RAN node or from the SMF, as they are identical) and notifies the terminal device through UP security configuration indication 3. Further, the target RAN node re-evaluates whether to update the security configuration of the DRB only when the user plane security policy indicates that encryption protection and/or integrity protection are preferred.
- the target RAN node may determine the UP security activation state 2 according to the user plane security policy in the message A or the user plane security policy from the SMF. In the case that the UP security activation state 2 is different from the UP security activation state 1, the target RAN node updates the UP security configuration of the DRB2, and can notify the terminal device through the UP security configuration indication 3.
- the present application is not limited to this.
- the updated UP security configuration of the DRB2 may be carried in a resource release message sent by the target RAN node to the terminal device.
- completion of the terminal device handover to the target RAN node, mentioned above, may include but is not limited to any of the following:
- after the target access network device receives an indication from the terminal device that the handover is complete; or
- after the target access network device sends an indication that the handover is successful; or
- after the target access network device receives an indication of the sequence number (SN) status transfer; or
- after the target access network device sends an indication instructing release of the UE context; or
- after the target access network device sends an indication of resource release to the terminal device.
- in this way, the UP security configuration adopted by the target RAN node for the DRB is the same as the user plane security configuration of the DRB at the source RAN node.
- the data security hidden danger when the target RAN node and the source RAN node transmit the same data packet can be reduced, and the security of data transmission can be improved.
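The target-side procedure of FIG. 4 (deciding the UP security configuration of DRB2 from information A, building information B in the 1-bit and Delta forms, and re-evaluating against the SMF policy once handover is complete) as one added Python example. This is the editor's illustration, not code from the patent or from any 3GPP implementation; the message field names (HandoverRequest, same_as_source, delta), the Policy values and the local choice a node makes for a "preferred" policy are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    """UP security policy values for one protection type (assumed names)."""
    REQUIRED = "required"
    PREFERRED = "preferred"
    NOT_NEEDED = "not_needed"


@dataclass(frozen=True)
class UpSecurityConfig:
    """UP security configuration / activation state of one DRB."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Policy
    integrity: Policy


def activation_from_policy(policy: UpSecurityPolicy, local_choice: bool) -> UpSecurityConfig:
    """Existing mechanism: REQUIRED -> on, NOT_NEEDED -> off, PREFERRED -> the
    node's own choice.  PREFERRED is where source and target can diverge."""
    def decide(p: Policy) -> bool:
        return {Policy.REQUIRED: True, Policy.NOT_NEEDED: False}.get(p, local_choice)
    return UpSecurityConfig(decide(policy.ciphering), decide(policy.integrity))


@dataclass
class HandoverRequest:
    """Message A.  Field names are this example's, not the patent's IE names."""
    drb_id: int
    policy: UpSecurityPolicy                                    # UP security policy 1
    daps: bool = False                                          # information A, embodiment 1
    source_config: Optional[UpSecurityConfig] = None            # UP security configuration of DRB1
    source_activation_state: Optional[UpSecurityConfig] = None  # information A, embodiment 2


class TargetRanNode:
    def __init__(self, prefers_protection_on: bool) -> None:
        self.local_choice = prefers_protection_on   # what this node picks for PREFERRED
        self.drb2_config: Dict[int, UpSecurityConfig] = {}

    def handle_handover_request(self, req: HandoverRequest) -> dict:
        """Decide the UP security configuration of DRB2 and build information B."""
        source = req.source_config or req.source_activation_state
        if req.daps and req.source_config is not None:      # embodiment 1: copy DRB1's configuration
            cfg = req.source_config
        elif req.source_activation_state is not None:       # embodiment 2: derive from the activation state
            cfg = req.source_activation_state
        else:                                               # no information A: existing mechanism
            cfg = activation_from_policy(req.policy, self.local_choice)
        self.drb2_config[req.drb_id] = cfg
        # Information B, mode 1: a 1-bit "same as source" indication ...
        same = source is not None and source == cfg
        info_b = {"drb_id": req.drb_id, "same_as_source": same}
        if not same:
            # ... otherwise the Delta manner: only the fields that differ from DRB1
            info_b["delta"] = {
                f: getattr(cfg, f)
                for f in ("ciphering", "integrity")
                if source is None or getattr(source, f) != getattr(cfg, f)
            }
        return info_b

    def handle_handover_complete(self, drb_id: int,
                                 smf_policy: UpSecurityPolicy) -> Optional[UpSecurityConfig]:
        """After RRC reconfiguration complete (source leg released), re-evaluate DRB2
        against the policy received from the SMF.  REQUIRED / NOT_NEEDED only
        change anything if the current state is inconsistent with them; PREFERRED
        lets this node apply its own choice.  Returns UP security configuration
        indication 3 when something changes, else None."""
        state1 = self.drb2_config[drb_id]
        state2 = activation_from_policy(smf_policy, self.local_choice)
        if state2 == state1:
            return None
        self.drb2_config[drb_id] = state2
        return state2


if __name__ == "__main__":
    preferred = UpSecurityPolicy(Policy.PREFERRED, Policy.PREFERRED)
    node = TargetRanNode(prefers_protection_on=False)
    src = UpSecurityConfig(ciphering=True, integrity=True)   # source chose "on" for PREFERRED
    print("legacy:", node.handle_handover_request(HandoverRequest(1, preferred)))
    print("DAPS  :", node.handle_handover_request(HandoverRequest(2, preferred, daps=True, source_config=src)))
    print("after handover:", node.handle_handover_complete(2, preferred))
```

With no information A the node with `prefers_protection_on=False` would switch protection off for a PREFERRED policy while the source had it on, which is exactly the mismatch of the risk analysis; with the DAPS indication it copies DRB1's configuration and only revisits the choice after the source leg is gone.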
- the communication method provided by the present application can be applied to, but is not limited to, the Xn interface-based handover procedure and the N2 interface-based handover procedure.
- the application of the communication method to the Xn-based handover procedure and to the N2-based handover procedure is described below respectively; it should be understood that the present application is not limited thereto.
- FIG. 5 is a schematic flowchart of a security configuration method in an Xn interface-based handover scenario provided by an embodiment of the present application.
- the source RAN node sends a handover request message (that is, an example of the first message) to the target RAN node.
- the target RAN node receives the handover request message from the source RAN node, and the handover request message is used to request the terminal device to be handed over from the source RAN node to the target RAN node.
- the handover request message includes information A, which is used to indicate that the same UP security configuration as that of the DRB of the source RAN node is to be used.
- the information A is a DAPS handover indication
- the DAPS handover indication is used to instruct DRB1 to use DAPS handover.
- the information A is the UP security activation state
- the UP security activation state is the UP security activation state of the DRB1 or the UP security activation state of the PDU session corresponding to the DRB1.
- when the source RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state. Alternatively, the handover request message includes the UP security activation state when the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of DRB1, or of the PDU session corresponding to DRB1, indicates that UP security protection is preferred.
- the source RAN node determines that DRB1 uses DAPS handover, and the encryption protection policy in the UP security policy of the DRB1 or the encryption protection policy in the UP security policy of the PDU session corresponding to DRB1 indicates that it is recommended to enable UP encryption protection.
- the handover request message includes the activation state of the UP encryption protection. For integrity protection, the existing determination mechanism is still used.
- the handover request message also includes information such as KgNB*, PDU session resource to-be-established list information, and RRC context, where the PDU session resource to-be-established list information may include the UP security policy corresponding to each PDU session.
- the target RAN node determines, according to the information A, that the UP security configuration of DRB2 of the target RAN node is the same as the UP security configuration used by the source RAN node for DRB1.
- the information A is a DAPS handover instruction
- the target RAN node determines, according to the DAPS handover instruction, that the target RAN node uses the same UP security configuration for DRB2 as the source RAN node for DRB1.
- the information A is the UP security activation state
- the target RAN node determines the UP security configuration adopted for DRB2 according to the UP security activation state. Because it is determined from the same UP security activation state, the UP security configuration of DRB2 is the same as the UP security configuration adopted by the source RAN node for DRB1.
- the target RAN node generates a handover command, and the handover command is used to indicate the UP security configuration adopted by the target RAN node for DRB2.
- the handover command may include information B, or a transparent container including information B, and information B may take mode 1 described in the embodiment of FIG. 4 (indicating that the target RAN node uses for DRB2 the same UP security configuration as the source RAN node uses for DRB1) or mode 2 (including the UP security configuration of DRB2); either way it indicates that the UP security configuration adopted by the target RAN node for DRB2 is the same as that adopted by the source RAN node for DRB1.
- the target RAN node sends a handover response confirmation message to the source RAN node, where the handover response confirmation message includes a handover command.
- the source RAN node receives the handover response acknowledgement message from the target RAN node.
- the source RAN node sends an RRC connection reconfiguration message to the terminal device, where the RRC connection reconfiguration message includes a handover command.
- the terminal device determines, according to the handover command, the UP security configuration adopted by the target RAN node for the DRB2.
- the DRB security configuration between the terminal device and the target RAN node can be determined according to the handover command. Further, the terminal equipment configures the DRB with the target RAN node.
- the terminal device sends an RRC reconfiguration complete message to the target RAN node.
- the target RAN node receives the RRC reconfiguration complete message from the terminal equipment.
- the target RAN determines whether to update the UP security configuration of the DRB2 according to the UP security policy.
- after the target RAN node receives the RRC reconfiguration complete message from the terminal device, it determines the user plane security activation state 2 according to the UP security policy of the PDU session corresponding to DRB2, which is carried in the handover request message or obtained from the SMF.
- in S509, the target RAN node sends the updated DRB2 security configuration (that is, the updated security activation indication), determined according to the user plane security activation state 2, to the terminal device.
- the target RAN sends the updated UP security configuration of DRB2 to the terminal device.
- the terminal device receives the updated DRB2 security configuration from the target RAN.
- the terminal device updates the UP security configuration of the DRB2 of the target RAN according to the updated security configuration of the DRB2 (that is, the updated security activation instruction).
- the PDCP entity corresponding to DRB2 is configured according to the updated security configuration of DRB2.
- FIG. 6 is another schematic flowchart of a security configuration method in an Xn interface-based handover scenario provided by an embodiment of the present application.
- the UE establishes a connection with the core network through a source RAN (Source-RAN, S-RAN) node, and transmits uplink and downlink data packets.
- the S-RAN node can determine to trigger the Xn handover procedure according to the UE's measurement report, and switch the UE to the target RAN (Target-RAN, T-RAN) node.
- the T-RAN node performs the UP security configuration of the DRB based on the method provided in this application, thereby improving the security of data transmission.
- the S-RAN node obtains mobility control information from the AMF node.
- the S-RAN node obtains mobility control information, such as roaming and access restriction information, from the AMF node.
- the S-RAN node configures the measurement process of the UE, and the UE may perform reporting according to the measurement configuration.
- the S-RAN node determines to handover the UE according to the measurement report and the radio resource management information.
- the S-RAN node sends a handover request message to the T-RAN node.
- the handover request message may include a target cell ID, a globally unique AMF identifier (GUAMI), UE context information, UE history information, and the like.
- the UE context information may include UE security capabilities, AS security information (such as KgNB*), a PDU session resource to-be-established list, and an RRC context.
- the PDU session resource to-be-established information may include the PDU session ID, single network slice selection assistance information (S-NSSAI), the PDU session type, the UP security policy of the PDU session, and a source DRB to quality of service (QoS) flow mapping list.
- the UP security policy includes an integrity protection security policy and a confidentiality protection security policy.
- the integrity protection security policy is used to indicate whether UP integrity protection must be turned on, is recommended to be turned on, or is not turned on, and the confidentiality protection security policy is used to indicate whether UP encryption protection must be turned on, is recommended to be turned on, or is not turned on.
- the UP security policy may also contain a maximum integrity protection data rate.
- the source DRB to QoS flow mapping list may include a DRB ID and a QoS flow ID (QFI).
- the mapping list from source DRB to QoS flow also includes the DRB ID, the QFI(s) and a DAPS handover indication.
- a DAPS handover indication instructing DRB1 to use DAPS handover is included.
- the handover request message includes an UP security activation state
- the UP security activation state is used to indicate the UP security activation state of the DRB1 or the UP security activation state of the PDU session corresponding to the DRB1.
- when the S-RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state, which is used to indicate the UP security activation state of DRB1 or the UP security activation state of the PDU session corresponding to DRB1.
- when the S-RAN node determines that DRB1 uses DAPS handover, and the UP security policy of DRB1 or the UP security policy of the PDU session corresponding to DRB1 indicates that UP security protection is recommended to be enabled, the handover request message includes the UP security activation state.
- the UP security activation state is specifically carried in the PDU session information corresponding to the DRB1 in the PDU session resource to-be-established list.
- the RRC context may include UE radio-related capabilities and RRC reconfiguration information, and the RRC reconfiguration information may include UP security configuration information of the DRB of the S-RAN node.
- the handover request message may also include other information, which is not limited in this application.
- the T-RAN node may perform admission control.
- if the T-RAN node receives slice information, it performs slice admission control. If the slice associated with a PDU session is a slice not supported by the T-RAN node, the T-RAN node rejects the PDU session.
- the T-RAN node performs handover preparation.
- the handover preparation includes that the T-RAN node uses the same UP security configuration for DRB2 as the S-RAN node uses for DRB1.
- the T-RAN node determines whether to accept the DAPS handover, and at the same time indicates the determination result to the S-RAN node. If the T-RAN node accepts the DAPS handover, the T-RAN node uses the same UP security configuration for DRB2 as the S-RAN node does for DRB1.
- the T-RAN node determines to use the same UP security configuration for DRB2 of the T-RAN node as that of the S-RAN node for DRB1 according to the DAPS handover instruction of DRB1.
- the T-RAN node may configure the DRB2 of the T-RAN node according to the user plane security configuration of the DRB1 included in the RRC context in the handover request message, for example, configure the PDCP entity corresponding to the DRB2.
- the UP security configuration includes whether to enable encryption protection and/or integrity protection of the DRB.
- the T-RAN node determines, according to the UP security activation state of DRB1 (or specifically of the PDU session corresponding to DRB1) included in the handover request message, to use the same UP security configuration for DRB2 as the S-RAN node uses for DRB1.
- the T-RAN node determines the UP security configuration adopted for DRB2 according to the UP security activation state of the DRB1 (or specifically the PDU session corresponding to the DRB1).
- the present application is not limited to this.
- the T-RAN node determines whether to activate the security protection of the PDU session according to the UP security policy of the PDU session, and determines the DRB user plane security configuration of the PDU session.
- the updated DRB user plane security configuration is included in a transparent container and sent to the UE.
- the T-RAN node sends a handover request determination message to the S-RAN node.
- the handover request determination message includes a transparent container, and the transparent container is sent to the UE through the S-RAN node as an RRC message.
- the T-RAN node can indicate through the transparent container, in manner 1 (that is, instructing the target RAN node to use the same UP security configuration for DRB2 as the source RAN node uses for DRB1) or manner 2 (including the UP security configuration of DRB2), that the UP security configuration adopted by the target RAN node for DRB2 is the same as the UP security configuration adopted by the source RAN node for DRB1.
- the S-RAN node sends an RRC connection reconfiguration message to the UE to trigger the UE to perform handover.
- the RRC reconfiguration message includes the transparent container from the T-RAN node and information for accessing the target cell (ie, the cell managed by the T-RAN).
- the information of the target cell includes the target cell ID, the cell-radio network temporary identifier (C-RNTI) of the target cell, the security algorithm identifier of the security algorithm selected by the T-RAN node, and the like.
- the UE determines, according to the transparent container from the T-RAN node, that the UP security configuration adopted by the T-RAN node for DRB2 is the same as the UP security configuration adopted by the S-RAN node for DRB1, and configures the UP security of DRB2 of the T-RAN node according to the transparent container.
- the S-RAN node continues to transmit downlink data packets until the handover success message sent by the T-RAN node is received (ie, in S613).
- the S-RAN node transmits the buffered data and the new data from the UPF.
- the S-RAN node sends an early status transfer message to the T-RAN node.
- the early status transfer message includes a downlink COUNT value, which is used to indicate the PDCP data network (DN) and the hyper frame number (HFN) of the first PDCP service data unit (SDU) sent by the S-RAN node to the T-RAN node.
- the S-RAN node continues to allocate the SN of the downlink data packet until the S-RAN node sends a sequence number (SN) status transfer message to the T-RAN node (ie, in S615).
- the S-RAN node sends an SN status transfer message to the T-RAN node.
- the SN status transmission message is used to transmit the uplink PDCP SN reception status and the downlink PDCP SN transmission status.
- the S-RAN node forwards the data of one or more DRBs not configured with DAPS to the T-RAN, and the T-RAN buffers the user data from the S-RAN.
- the UE sends an RRC reconfiguration complete message to the T-RAN node after separating and synchronizing from the source cell to the new cell.
- the UE sends an RRC reconfiguration complete (RRCReconfigurationComplete) message to the T-RAN node to complete the RRC handover procedure.
- the UE continues to maintain the connection with the S-RAN node cell until the RRC reconfiguration (RRCReconfiguration) message is received.
- the UE releases the source signaling radio bearer (SRB) resources and the security configuration of the source cell, and stops data transmission with the S-RAN node.
- the T-RAN node sends a handover success message to the S-RAN node, notifying the S-RAN node that the UE has successfully accessed the target cell.
- the S-RAN node sends an SN status transfer message to the T-RAN node.
- the T-RAN node sends a path switching request message to the AMF node.
- the T-RAN node triggers the 5GC to switch the downlink data path to the T-RAN node through the path switching request message.
- the path switching request message includes the user plane security policy sent from the S-RAN node.
- downlink path switching is performed between the 5GC and the T-RAN node.
- the AMF node sends a path switching request confirmation message to the T-RAN node.
- the path switching request confirmation message also includes the UP security policy.
- the T-RAN node sends a UE context release message to the S-RAN node.
- the T-RAN node sends a UE context release message to the S-RAN node according to the received path switch request determination message.
- the S-RAN node releases the radio resources and control plane resources associated with the UE context.
- the T-RAN node determines whether to update the UP security activation state of the DAPS-activated PDU session according to the UP security policy.
- the T-RAN node determines whether to update the UP security activation state of the PDU session corresponding to DRB2 according to the UP security policy of the PDU session corresponding to DRB1 received from the S-RAN node. If the UP security policy of the PDU session corresponding to DRB2 is received in S618, the T-RAN node determines, based on that UP security policy, whether to update the UP security activation state of the PDU session for which DAPS handover is activated.
- the T-RAN node may determine the UP security activation state 2 according to the UP security policy of the PDU session corresponding to DRB2. If it differs from the current UP security activation state 1 of the PDU session, the T-RAN node determines to update the UP security configuration of DRB2. The T-RAN node determines the UP security configuration used for DRB2 according to the UP security activation state 2, that is, the updated UP security configuration (if the current UP security configuration of DRB2 is UP security configuration 1, the updated UP security configuration of DRB2 can be UP security configuration 2). Optionally, the T-RAN node updates the UP security configuration of the other DRBs corresponding to the PDU session that are not activated for DAPS handover at the same time.
- the T-RAN node sends a resource release message to the terminal device, where the resource release message includes an UP security activation indication.
- the UP security activation indication (that is, the UP security configuration indication 3 described above) is used to indicate the updated security configuration of the DRB2.
- the UP security activation indication carried in the resource release message is only an example, and the UP security activation indication may also be carried in other RRC messages sent by the T-RAN node to the terminal device. This application does not limit this.
- the terminal device updates the UP security configuration of the DRB according to the UP security activation instruction.
- the UE receives the resource release request, releases the source SRB resources and the security configuration of the source cell, and updates the UP security configuration of the DRB according to the UP security activation indication.
- the T-RAN may trigger an intra-RAN handover procedure to enable the terminal device to update the DRB1 security configuration.
- FIG. 7 is a schematic flowchart of a security configuration method in an N2 interface-based handover scenario provided by an embodiment of the present application.
- the source RAN node sends a handover required (handover required) message to the AMF node.
- Information A is included in the handover required message.
- the handover required message includes a DAPS handover instruction instructing DRB1 to use DAPS handover.
- the information A is the DAPS handover indication or the UP security activation state.
- when the information A is the UP security activation state, in the case that the source RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state, which is used to indicate the UP security activation state of DRB1.
- the handover request message includes the UP security activation state.
- the source RAN determines to initiate an N2 handover and sends a handover required message to the AMF node.
- the message also includes a list of PDU session resources and a transparent container that the source RAN node needs to transparently transmit to the target RAN node through the AMF node.
- the PDU session resource establishment list includes the PDU session ID, the UP security policy corresponding to the PDU session, and the like. However, the present application is not limited to this.
- the information A is included in the PDU session resource list or the transparent container.
- the AMF node sends a handover request message to the target RAN node, where the handover request message includes information A.
- after the AMF node interacts with the core network node, it sends a handover request message to the target RAN node, and the handover request message includes the transparent container and the PDU session resource establishment list from the source RAN node.
- the target RAN node determines, according to the information A, that the UP security configuration of DRB2 is the same as the UP security configuration adopted by the source RAN node for DRB1.
- the information A is a DAPS handover instruction
- the target RAN node determines, according to the DAPS handover instruction, that the target RAN node uses the same UP security configuration for DRB2 as the source RAN node for DRB1.
- the information A is the UP security activation state
- the target RAN node determines that the UP security configuration of the DRB2 is the same as the UP security configuration of the DRB1 by the source RAN node according to the UP security activation state.
- the target RAN node sends a handover request confirmation message to the AMF node, where the handover request confirmation message includes a transparent transmission container.
- the transparent transmission container in the handover request determination message is the transparent container transparently transmitted from the target RAN node to the source RAN node.
- the transparent container is used to indicate the UP security configuration adopted by the target RAN node for DRB2.
- the transparent container can be implemented in manner 1 (that is, instructing the target RAN node to use the same UP security configuration for DRB2 as the source RAN node uses for DRB1) or manner 2 (including the UP security configuration of DRB2) as described in the embodiment of FIG. 4, indicating that the UP security configuration adopted by the target RAN node for DRB2 is the same as the UP security configuration adopted by the source RAN node for DRB1.
- the handover request determination message may further include a PDU session resource confirmation list, which is used to indicate the PDU session that accepts the handover.
- the AMF node sends a handover command to the source RAN node, where the handover command includes the transparent container from the target RAN node.
- the handover command may also include a PDU session resource handover list.
- S706 to S711 in the embodiment of FIG. 7 correspond to S504 to S509 in the embodiment of FIG. 5 in sequence.
- FIG. 8 is another schematic flowchart of a security configuration method in an N2 interface-based handover scenario provided by an embodiment of the present application.
- the UE establishes a connection with the core network through the S-RAN node, and transmits uplink and downlink data packets.
- the S-RAN node can determine to trigger the N2 handover process according to the UE's measurement report, switch the UE to the T-RAN node, and perform the UP security configuration of the DRB based on the method provided in this application, thereby improving the security of data transmission.
- the S-RAN node determines to initiate the handover process of N2.
- the S-RAN node sends a handover request 1 to a source AMF (S-AMF) node.
- the handover request 1 message includes a DAPS handover instruction instructing DRB1 to use DAPS handover.
- the information A is the DAPS handover indication or the information A includes the UP security activation state of the DRB1.
- the handover request message includes the UP security activation state, and the UP security activation state is used to indicate the UP security activation state of DRB1.
- the handover request message includes the UP security activation state.
- the source RAN node determines to initiate the N2 handover and sends a handover request 1 message to the S-AMF node, which contains the PDU session resource list and the transparent container that the source RAN node needs to transparently transmit to the target RAN node through the S-AMF node.
- the PDU session resource list includes the PDU session ID, the UP security policy corresponding to the PDU session, and the like.
- the transparent container may contain the RRC container, the PDU session resource information list, and the target cell identifier.
- the PDU session resource information list contains PDU session ID, QoS flow information list and DRB and QoS flow mapping list.
- the DRB and QoS flow mapping list may include the DRB ID, the associated QoS flow list, and optionally DAPS request information and the like, but the present application is not limited to this.
- the information A is included in the PDU session resource list or the transparent container.
- the S-AMF node performs an AMF node selection process to select a target AMF (target-AMF, T-AMF) node.
- in S804, if the S-AMF node executes S803, the S-AMF node sends a Namf_Communication_CreateUEContext Request to the T-AMF node.
- the Namf_Communication_CreateUEContext Request includes N2 information and UE context information.
- the N2 information includes the target cell identifier and the PDU session resource list.
- the UE context includes the subscription permanent identifier (SUPI), the allowed NSSAI corresponding to the access type, the PDU session identifier and the corresponding SMF information, as well as the S-NSSAI, the PCF identifier and the data network name (DNN).
- the T-AMF node sends an Nsmf_PDUSession_UpdateSMContext Request to the SMF node.
- the Nsmf_PDUSession_UpdateSMContext Request message includes the PDU session ID and the ID of the target cell or the ID of the T-RAN.
- the SMF node determines whether to allow N2 handover according to the ID of the target cell or the ID of the T-RAN.
- the SMF node detects the UPF node selection rule, and if the UE moves out of the service area of the UPF node, the SMF node selects a new intermediate UPF node;
- the SMF node sends an N4 session modification request message to the PDU session anchor UPF (UPF (PSA)) node.
- the SMF node executes the N4 session modification procedure, and sends an N4 session modification request message to the UPF (PSA) node of the PDU session.
- the UPF (PSA) node sends an N4 session modification response message to the SMF node.
- the SMF node sends an N4 session establishment request message to the target UPF (T-UPF) node.
- the SMF node and the newly selected T-UPF node perform the N4 session establishment process, that is, send an N4 session establishment request message to the T-UPF node.
- the T-UPF node sends an N4 session establishment response message to the SMF node.
- the SMF node sends an Nsmf_PDUSession_UpdateSMContext Response message to the T-AMF node.
- the message includes the N3UP address, uplink (UL) CN derivation identifier and QoS parameters; if the SMF node does not accept the PDU session handover, the message includes a non-acceptance reason value.
- the T-AMF node performs PDU switching response management.
- the T-AMF node manages the Nsmf_PDUSession_UpdateSMContext Response message sent by the relevant SMF node.
- when the T-AMF node has received the Nsmf_PDUSession_UpdateSMContext Response message from all SMF nodes, or the maximum waiting time of the T-AMF node expires, the T-AMF continues to perform the N2 handover process.
- the T-AMF node sends handover request 2 to the T-RAN node.
- the handover request 2 message includes N2 mobility management (MM) information, N2 SM information, a transparent container transparently transmitted from the S-RAN node to the target RAN node (the transparent container includes information A), a handover restriction list, and a list of PDU sessions that are not accepted.
- the T-RAN node determines that the UP security configuration of DRB2 of the T-RAN node is the same as the UP security configuration of the source RAN node to DRB1. For this step, reference may be made to the foregoing description of S703 in the embodiment of FIG. 7 , which is not repeated here for brevity.
- the T-RAN node sends a handover request confirmation message to the T-AMF node.
- the handover request confirmation message includes a transparent container from the T-RAN node to the S-RAN node, where the transparent container is used to indicate the UP security configuration adopted by the target RAN node for the DRB2.
- the transparent container is used to indicate the UP security configuration adopted by the target RAN node for the DRB2.
- the handover request confirmation message also includes the N2SM response list, the failed PDU session list, and the T-RAN node's SM N3 transmission information list.
- the T-AMF node sends an Nsmf_PDUSession_UpdateSMContext Request message to the SMF node.
- the message includes the PDU session identifier, the N2SM response, and the T-RAN SM N3 transmission information list.
- for each N2 SM response, the T-AMF node sends the N2 SM response to the SMF node; if there is no new intermediate UPF node, the SMF node stores the N3 tunnel information.
- the N4 session modification request message includes the T-RAN SM N3 forwarding information list and, optionally, an indication to allocate a downlink (DL) forwarding tunnel.
- the T-UPF node sends an N4 session modification response message to the SMF node.
- the N4 session modification response message contains the SM N3 forwarding information list.
- the SMF node sends an N4 session modification request message to the source UPF (S-UPF) node.
- the N4 session modification request message includes the T-RAN SM N3 forwarding information list or the T-UPF SM N3 forwarding information list, and the indication of the DL forwarding tunnel.
- the S-UPF node sends an N4 session modification response message to the SMF node.
- the N4 session modification response message contains the S-UPF SM N3 forwarding information list.
- the SMF node sends an Nsmf_PDUSession_UpdateSMContext Response message including N2 SM information to the T-AMF node.
- the T-AMF node sends a Namf_Communication_CreateUEContext Response message to the S-AMF node.
- the message includes N2 information, PDU session establishment failure list, and N2SM information.
- after receiving the handover confirmation message from the UE, the T-RAN node determines whether to update the UP security activation state of the DAPS-activated PDU session according to the UP security policy.
- the T-RAN node may determine the UP security activation state 2 according to the UP security policy of the PDU session corresponding to DRB2. If it differs from the current UP security activation state 1 of the PDU session, the T-RAN node determines to update the UP security configuration of DRB2. The T-RAN node determines the UP security configuration used for DRB2 according to the UP security activation state 2, that is, the updated UP security configuration (if the current UP security configuration of DRB1 is UP security configuration 1, the updated UP security configuration can be UP security configuration 2).
- the UP security activation indication is carried in the resource release message and sent to the terminal device, or the UP security activation indication may be carried in other RRC messages sent by the T-RAN node to the terminal device.
- the UP security activation indication is used to indicate the UP security configuration 2, that is, the updated security configuration of the DRB2.
- after receiving the UP security activation indication, the terminal device updates the UP security configuration of DRB2 according to the UP security activation indication.
- the T-RAN node may trigger an intra-RAN handover procedure to enable the terminal device to update the UP security configuration.
- the target RAN node adopts the same DRB user plane security configuration for the DRB as that of the source RAN node.
- the data security risk that arises when the target RAN node and the source RAN node transmit the same data packet can be reduced, and the security of data transmission can be improved.
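The decision logic described for the source and target RAN nodes in the FIG. 5 to FIG. 8 embodiments, modeled as an added example that is not part of the patent: the source RAN node builds the handover request with information A, the target RAN node mirrors the DRB1 configuration for DRB2 when DRB1 uses DAPS handover, and after the handover completes it re-evaluates DRB2 against the PDU session's UP security policy and emits the UP security activation indication only when the state changes. The data classes, function names and the rule for when the explicit activation state is carried (only when a PREFERRED policy makes the source's choice non-derivable) are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """Per-feature UP security policy of a PDU session (integrity or confidentiality)."""
    REQUIRED = "required"      # protection must be turned on
    PREFERRED = "preferred"    # protection recommended; the RAN node decides
    NOT_NEEDED = "not needed"  # protection is not turned on


@dataclass(frozen=True)
class UpSecurityPolicy:
    integrity: Policy
    confidentiality: Policy


@dataclass(frozen=True)
class UpActivationState:
    """UP security activation state of a DRB: which protections are actually on."""
    integrity_on: bool
    ciphering_on: bool


@dataclass
class HandoverRequest:
    """Only the handover request fields this decision needs (constructed model)."""
    session_policy: UpSecurityPolicy               # UP security policy of the PDU session
    drb1_config: UpActivationState                 # DRB1 UP security configuration in the RRC context
    daps_indication: bool                          # DAPS handover indication for DRB1 (information A)
    activation_state: Optional[UpActivationState]  # explicit UP security activation state (information A)


def state_from_policy(policy: UpSecurityPolicy, prefer_on: bool) -> UpActivationState:
    """The existing determination mechanism: REQUIRED -> on, NOT_NEEDED -> off,
    PREFERRED -> the local choice of the RAN node (prefer_on)."""
    def decide(p: Policy) -> bool:
        if p is Policy.REQUIRED:
            return True
        if p is Policy.NOT_NEEDED:
            return False
        return prefer_on
    return UpActivationState(decide(policy.integrity), decide(policy.confidentiality))


def build_handover_request(policy: UpSecurityPolicy, drb1_config: UpActivationState,
                           daps: bool) -> HandoverRequest:
    """Source RAN node: carry information A when DRB1 uses DAPS handover. The explicit
    activation state is carried only when a PREFERRED policy leaves the source's own
    choice underivable from the policy (assumed rule modeled on the embodiments)."""
    ambiguous = Policy.PREFERRED in (policy.integrity, policy.confidentiality)
    return HandoverRequest(policy, drb1_config, daps,
                           drb1_config if (daps and ambiguous) else None)


def target_initial_drb2_config(req: HandoverRequest, prefer_on: bool) -> UpActivationState:
    """Target RAN node at handover preparation: for a DAPS DRB, mirror the source's DRB1
    configuration so both nodes protect the same packets identically; otherwise apply
    the policy as usual."""
    if req.activation_state is not None:
        return req.activation_state
    if req.daps_indication:
        return req.drb1_config
    return state_from_policy(req.session_policy, prefer_on)


def target_post_handover_update(req: HandoverRequest, current: UpActivationState,
                                prefer_on: bool) -> Optional[UpActivationState]:
    """After RRCReconfigurationComplete and source release: derive activation state 2
    from the UP security policy and return the UP security activation indication to send
    to the UE, or None when DRB2 already matches the policy."""
    state2 = state_from_policy(req.session_policy, prefer_on)
    return None if state2 == current else state2


if __name__ == "__main__":
    # Constructed scenario: integrity PREFERRED (source chose off), ciphering REQUIRED.
    policy = UpSecurityPolicy(Policy.PREFERRED, Policy.REQUIRED)
    src = UpActivationState(integrity_on=False, ciphering_on=True)
    req = build_handover_request(policy, src, daps=True)
    drb2 = target_initial_drb2_config(req, prefer_on=True)
    print("DRB2 during DAPS handover:", drb2)              # mirrors DRB1: (False, True)
    print("post-handover indication:", target_post_handover_update(req, drb2, True))
```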
- each network element may include a hardware structure and/or a software module, and implement the above functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether one of the above functions is performed in the form of a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
- FIG. 9 is a schematic block diagram of a communication apparatus provided by an embodiment of the present application.
- the communication device 900 may include a transceiver unit 920 .
- the communication apparatus 900 may correspond to the terminal device in the above method embodiments, or a chip configured in (or used for) the terminal device, or another apparatus, module, circuit or unit capable of implementing the method of the terminal device.
- the communication apparatus 900 may correspond to the terminal device in the methods 400 to 800 according to the embodiments of the present application, and the communication apparatus 900 may include units for executing the methods performed by the terminal device in the methods 400 to 800 in FIGS. 4 to 8.
- each unit in the communication apparatus 900 and the above-mentioned other operations and/or functions are respectively to implement the corresponding processes of the methods 400 to 800 in FIG. 4 to FIG. 8 .
- the communication apparatus 900 may further include a processing unit 910, and the processing unit 910 may be configured to process instructions or data to implement corresponding operations.
- the transceiver unit 920 in the communication apparatus 900 may be an input/output interface or circuit of the chip, and the processing unit 910 in the communication apparatus 900 may be a processor in the chip.
- the communication device 900 may further include a storage unit 930, the storage unit 930 may be used to store instructions or data, and the processing unit 910 may execute the instructions or data stored in the storage unit, so as to enable the communication device to implement corresponding operations.
- the transceiver unit 920 in the communication apparatus 900 may be implemented through a communication interface (such as a transceiver or an input/output interface), for example, may correspond to the transceiver 1010 in the terminal device 1000 shown in FIG. 10 .
- the processing unit 910 in the communication apparatus 900 may be implemented by at least one processor, for example, may correspond to the processor 1020 in the terminal device 1000 shown in FIG. 10 .
- the processing unit 910 in the communication device 900 may also be implemented by at least one logic circuit.
- the storage unit 930 in the communication apparatus 900 may correspond to the memory in the terminal device 1000 shown in FIG. 10 .
- the communication apparatus 900 may correspond to the access network node in the above method embodiments, or to a chip configured in (or used for) the access network node, or to another apparatus, module, circuit or unit capable of implementing the method of the access network node.
- the communication apparatus 900 may correspond to a source RAN node or a target RAN node in the methods 400 to 800 according to the embodiments of the present application, and the communication apparatus 900 may include units for executing the methods performed by a source RAN node or a target RAN node in the methods 400 to 800 in FIGS. 4 to 8.
- each unit in the communication apparatus 900 and the above-mentioned other operations and/or functions are respectively to implement the corresponding processes of the methods 400 to 800 in FIG. 4 to FIG. 8 .
- the communication apparatus 900 may further include a processing unit 910, and the processing unit 910 may be configured to process instructions or data to implement corresponding operations.
- the transceiver unit 920 in the communication apparatus 900 may be an input/output interface or circuit of the chip.
- the processing unit 910 may be a processor in a chip.
- the communication device 900 may further include a storage unit 930, the storage unit 930 may be used to store instructions or data, and the processing unit 910 may execute the instructions or data stored in the storage unit, so as to enable the communication device to implement corresponding operations.
- the transceiver unit 920 in the communication device 900 may be implemented through a communication interface (such as a transceiver or an input/output interface), for example, it may correspond to the transceiver in the access network device 1100 shown in FIG. 11.
- the processing unit 910 in the communication apparatus 900 may be implemented by at least one processor, for example, may correspond to the processor 1120 in the access network device 1100 shown in FIG. 11, and the processing unit 910 in the communication apparatus 900 may also be implemented by at least one logic circuit.
- the communication device 900 may correspond to the AMF node in the above method embodiments, or to a chip configured in (or used for) the AMF node, or to another apparatus, module, circuit or unit capable of implementing the method of the AMF node.
- the communication apparatus 900 may correspond to the AMF node in the methods 400 to 800 according to the embodiments of the present application, and the communication apparatus 900 may include units for executing the methods performed by the AMF node in the methods 400 to 800 in FIGS. 4 to 8.
- each unit in the communication apparatus 900 and the above-mentioned other operations and/or functions are respectively to implement the corresponding processes of the methods 400 to 800 in FIG. 4 to FIG. 8.
- the communication apparatus 900 may further include a processing unit 910, and the processing unit 910 may be configured to process instructions or data to implement corresponding operations.
- the transceiver unit 920 in the communication device 900 may be an input/output interface or circuit of the chip, and the processing unit 910 in the communication device 900 may be a processor in the chip.
- the communication device 900 may further include a storage unit 930, the storage unit 930 may be used to store instructions or data, and the processing unit 910 may execute the instructions or data stored in the storage unit, so as to enable the communication device to implement corresponding operations.
- the transceiver unit 920 in the communication device 900 can be implemented through a communication interface (such as a transceiver or an input/output interface), for example, it can correspond to the transceiver 1210 in the AMF node 1200 shown in FIG. 12.
- the processing unit 910 in the communication device 900 may be implemented by at least one processor, for example, may correspond to the processor 1220 in the AMF node 1200 shown in FIG. 12, and the processing unit 910 in the communication device 900 may also be implemented by at least one logic circuit.
- FIG. 10 is a schematic structural diagram of a terminal device 1000 provided by an embodiment of the present application.
- the terminal device 1000 can be applied to the system shown in FIG. 1 to perform the functions of the terminal device in the foregoing method embodiments.
- the terminal device 1000 includes a processor 1020 and a transceiver 1010 .
- the terminal device 1000 further includes a memory.
- the processor 1020, the transceiver 1010 and the memory can communicate with each other through an internal connection path to transmit control and/or data signals.
- the memory is used for storing a computer program, and the processor 1020 is used for executing the computer program in the memory to control the transceiver 1010 to send and receive signals.
- the above-mentioned processor 1020 and the memory can be combined into a processing device, and the processor 1020 is configured to execute the program codes stored in the memory to realize the above-mentioned functions.
- the memory may also be integrated in the processor 1020 or independent of the processor 1020 .
- the processor 1020 may correspond to the processing unit in FIG. 9 .
- the transceiver 1010 described above may correspond to the transceiver unit in FIG. 9 .
- the transceiver 1010 may include a receiver (or receiving circuit) and a transmitter (or transmitting circuit). The receiver is used for receiving signals, and the transmitter is used for transmitting signals.
- the terminal device 1000 shown in FIG. 10 can implement the processes involving the terminal device in the method embodiments shown in FIG. 4 to FIG. 8 .
- the operations and/or functions of each module in the terminal device 1000 are respectively to implement the corresponding processes in the foregoing method embodiments.
- the above-mentioned processor 1020 may be used to perform the actions described in the foregoing method embodiments that are implemented inside the terminal device, and the transceiver 1010 may be used to perform the actions described in the foregoing method embodiments in which the terminal device sends to or receives from the network device.
- the above-mentioned terminal device 1000 may further include a power supply for providing power to various devices or circuits in the terminal device.
- the terminal device 1000 may also include input and output devices, such as one or more of an input unit, a display unit, an audio circuit, a camera, a sensor, etc.; the audio circuit may also include a speaker, a microphone, and the like.
- FIG. 11 is a schematic structural diagram of a network device provided by an embodiment of the present application.
- the network device 1100 may be applied to the system shown in FIG. 1 to perform the functions of an access network node (for example, a source RAN node or a target RAN node) in the foregoing method embodiments.
- the network device 1100 shown in FIG. 11 can implement various processes of the source RAN node or the target RAN node involved in the method embodiments shown in FIGS. 4 to 8 .
- the operations and/or functions of each module in the network device 1100 are respectively to implement the corresponding processes in the foregoing method embodiments.
- the network device 1100 shown in FIG. 11 may be an eNB or a gNB.
- the network device may include a central unit (CU), a distributed unit (DU), an active antenna unit (AAU), and the like; optionally, the CU may be further divided into a CU-CP and a CU-UP. This application does not limit the specific architecture of the network device.
- the network device 1100 shown in FIG. 11 may be a CU node or a CU-CP node.
- FIG. 12 is a schematic structural diagram of a communication device 1200 provided by an embodiment of the present application.
- the communication device 1200 may be applied to the system shown in FIG. 1 to perform the functions of the AMF node in the above method embodiments.
- the communication device 1200 may include a transceiver 1210 , a processor 1220 and a memory 1230 .
- the communication device 1200 shown in FIG. 12 can implement various processes of the AMF node involved in the method embodiments shown in FIG. 4 to FIG. 8 .
- the operations and/or functions of each module in the communication device 1200 are respectively to implement the corresponding processes in the foregoing method embodiments.
- An embodiment of the present application further provides a processing apparatus, including a processor and a (communication) interface; the processor is configured to execute the method in any of the above method embodiments.
- the above-mentioned processing device may be one or more chips.
- the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
- the present application further provides a computer program product, the computer program product including computer program code which, when executed by one or more processors, causes the apparatus including the processor(s) to perform the methods in the embodiments shown in FIGS. 4 to 8.
- the technical solutions provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- when implemented in software, the technical solutions may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- the computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a terminal device, a core network device, a machine learning device, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (for example, infrared, radio, or microwave).
- the computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media.
- the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, digital video discs (DVDs)), or semiconductor media, and the like.
- the present application further provides a computer-readable storage medium, where the computer-readable storage medium stores program code, and when the program code is executed by one or more processors, the apparatus including the processor(s) performs the method in the embodiments shown in FIG. 4 to FIG. 8.
- the present application further provides a system, which includes the aforementioned one or more network devices.
- the system may further include one or more of the aforementioned terminal devices.
- the disclosed system, apparatus and method may be implemented in other manners.
- the apparatus embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
- the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
Abstract
A security configuration method in a handover scenario and a communication apparatus. The method is used to improve communication security and includes: a target access network node receives a first message including first information, where the first message is used to indicate that a terminal device is handed over from a source access network node to the target access network node, and the first information is used to indicate use of the same user plane security configuration of the data radio bearer as the source access network node; the target access network node sends a response message to the first message, where the response message includes second information, and the second information is used to indicate a user plane security configuration of a second data radio bearer of the target access network node, where the user plane security configuration of the second data radio bearer of the target access network node is the same as the user plane security configuration of a first data radio bearer of the source access network node.
Description
This application claims priority to Chinese Patent Application No. 202110489097.7, filed with the China Patent Office on April 29, 2021 and entitled "Security configuration method in a handover scenario and communication apparatus", which is incorporated herein by reference in its entirety.
This application relates to the communications field, and more specifically, to a security configuration method in a handover scenario and a communication apparatus.
In a mobile communication system, to satisfy the reliability of data packet transmission during handover and an extremely low handover interruption latency, a handover procedure based on a dual active protocol stack (DAPS) has been proposed. In DAPS-based handover, the source base station may activate DAPS handover for only one or more of the data radio bearers (DRBs). For a DRB for which DAPS handover is activated, until the terminal device receives a resource release request indicated by the target radio access network (RAN) node, the terminal device continues to transmit data packets with both the source RAN node and the target RAN node, and the source RAN node and the target RAN node may transmit the same data packet. When the source RAN node and the target RAN node may transmit the same data packet, the security configuration mechanism in the current system has certain weaknesses, and data security is at risk.
Summary of the Invention
Embodiments of this application provide a security configuration method in a handover scenario and a communication apparatus, so as to improve communication security.
According to a first aspect, a security configuration method in a handover scenario is provided. The method may be performed by an access network node or by a module (such as a chip) configured in (or used for) an access network node. The following description takes the method being performed by an access network node as an example.
The method includes: a target access network node receives a first message, where the first message is used to indicate that a terminal device is handed over from a source access network node to the target access network node, the first message includes first information, and the first information is used to indicate use of the same user plane security configuration of the data radio bearer as the source access network node; and the target access network node sends a response message to the first message, where the response message includes second information, the second information is used to indicate a user plane security configuration of a second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer of the target access network node is the same as that of a first data radio bearer of the source access network node.
With reference to the first aspect, in some implementations of the first aspect, the second data radio bearer is the data radio bearer obtained after the first data radio bearer is handed over from the source access network node to the target access network node.
According to the foregoing solution, the target access network node determines, based on the first information, that the user plane security configuration used for the DRB is the same as the user plane security configuration of the DRB at the source RAN node. This can reduce the security risk caused by differing security configurations of the data radio bearer when the target access network node and the source access network node transmit the same data packet, and improve the security of data transmission.
With reference to the first aspect, in some implementations of the first aspect, the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication is used to indicate that the first data radio bearer uses dual active protocol stack handover.
According to the foregoing implementation, the source access network node may use the dual active protocol stack handover indication both to indicate that the first data radio bearer uses dual active protocol stack handover and to implicitly indicate that the user plane security configuration used for the DRB is the same as that of the DRB at the source access network node, which avoids adding new information overhead to the first message.
With reference to the first aspect, in some implementations of the first aspect, the first message includes the user plane security configuration of the first data radio bearer, and the method further includes: the target access network node determines, based on the dual active protocol stack handover indication, that the user plane security configuration of the second data radio bearer is the same as the user plane security configuration of the first data radio bearer; and the target access network node configures, based on the user plane security configuration of the first data radio bearer, the user plane security of the second data radio bearer, or the user plane security of the data radio bearers in the protocol data unit session corresponding to the second data radio bearer.
Optionally, the user plane security of a data radio bearer includes ciphering protection and/or integrity protection.
Optionally, the user plane security configuration of the first data radio bearer includes the user plane security of the first data radio bearer being configured to an enabled state or a not-enabled state, where the enabled state may also be called an activated state, and the not-enabled state may also be called a deactivated state.
Optionally, the user plane security configuration of the first data radio bearer includes a ciphering protection enabled indication or a ciphering protection not-enabled indication, and/or an integrity protection enabled indication or an integrity protection not-enabled indication. Enabled may also be called activated, and not enabled may also be called not activated.
According to the foregoing implementation, the target access network node may determine, specifically based on the dual active protocol stack handover indication of the first data radio bearer, that the user plane security configuration used for the DRB is the same as that of the DRB at the source access network node. Without adding new information overhead to the first message, the target access network node and the source access network node reach a common understanding that the dual active protocol stack handover indication implicitly indicates use of the same user plane security configuration of the data radio bearer as the source access network node.
With reference to the first aspect, in some implementations of the first aspect, the first information includes a user plane security activation state, where the user plane security activation state is used to indicate the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
Optionally, the user plane activation state includes the user plane security being in an enabled state or in a not-enabled state.
As a non-limiting example, the user plane activation state being the enabled state may include ciphering protection being enabled and/or integrity protection being enabled; the user plane security activation state being the not-enabled state may include ciphering protection being not enabled and/or integrity protection being not enabled. Enabled may also be called activated, and not enabled may also be called not activated.
With reference to the first aspect, in some implementations of the first aspect, the method further includes:
the target access network node determines the user plane security configuration of the second data radio bearer based on the user plane security activation state.
According to the foregoing implementation, by including the user plane security activation state in the first message, the source access network node indicates the user plane security activation state of the first DRB at the source access network node, so that the target access network node determines the user plane security configuration of the second DRB based on that activation state; the user plane security configuration used by the target access network node for the second DRB is thereby the same as that used by the source access network node for the first DRB.
With reference to the first aspect, in some implementations of the first aspect, the first message includes the user plane security configuration of the first data radio bearer, and the method further includes: the target access network node compares the user plane security configuration of the second data radio bearer with the user plane security configuration of the first data radio bearer; if the comparison result is that they differ, the second information includes the user plane security configuration of the second data radio bearer; if the comparison result is that they are the same, the second information indicates that the second data radio bearer uses the same user plane security configuration as the first data radio bearer.
With reference to the first aspect, in some implementations of the first aspect, the first message includes a first user plane security policy, where the first user plane security policy is the user plane security policy of the first data radio bearer, or the first user plane security policy is the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
Optionally, the first user plane security policy may include user plane ciphering protection indication information and/or user plane integrity protection indication information. The user plane ciphering protection indication information indicates one of three possible values: user plane ciphering protection is required, preferred, or not needed. The user plane integrity protection indication information indicates one of three possible values: user plane integrity protection is required, preferred, or not needed.
With reference to the first aspect, in some implementations of the first aspect, the first user plane security policy indicates that security protection is preferred (that is, enabling it is recommended).
According to the foregoing implementation, when the first user plane security policy indicates that security protection is preferred, the user plane security configuration of the DRB determined by the target access network node may differ from that determined by the source access network node; with the solution provided in this application, the target access network node determines, based on the first information, that the user plane security configuration used for the DRB is the same as that of the DRB at the source access network node.
With reference to the first aspect, in some implementations of the first aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
According to the foregoing implementation, the second information may indicate the user plane security configuration of the second data radio bearer in either manner, so that after obtaining the second information via the source access network node, the terminal device can determine the user plane security configuration of the second data radio bearer.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: after the target access network node receives a radio resource control (RRC) reconfiguration complete message from the terminal device, the target access network node updates the user plane security configuration of the second data radio bearer based on a second user plane security policy, where the second user plane security policy is the user plane security policy of the second data radio bearer of the target access network node or the user plane security policy of the protocol data unit session corresponding to the second data radio bearer.
According to the foregoing implementation, after the terminal device completes handover from the source access network node to the target access network node, the target access network node may update the user plane security configuration of the second data radio bearer, so that data security is ensured based on the latest policy.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the target access network node sends the updated user plane security configuration of the second data radio bearer of the target access network node to the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the updated user plane security configuration is carried in a resource release message.
With reference to the first aspect, in some implementations of the first aspect, the first message comes from the source access network node, and the target access network node sending the response message includes: the target access network node sends the response message to the source access network node; or the first message comes from a core network node, and the target access network node sending the response message includes: the target access network node sends the response message to the core network node.
According to a second aspect, a security configuration method in a handover scenario is provided. The method may be performed by an access network node or by a module (such as a chip) configured in (or used for) an access network node. The following description takes the method being performed by an access network node as an example.
The method includes: a source access network node sends a first message, where the first message is used to indicate that a terminal device is handed over from the source access network node to a target access network node, the first message includes first information, and the first information is used to indicate use of the same user plane security configuration of the data radio bearer as the source access network node; and the source access network node receives a response message to the first message, where the response message includes second information, the second information is used to indicate a user plane security configuration of a second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer of the target access network node is the same as that of a first data radio bearer of the source access network node.
With reference to the second aspect, in some implementations of the second aspect, the second data radio bearer is the data radio bearer obtained after the first data radio bearer is handed over from the source access network node to the target access network node.
According to the foregoing solution, the source access network node may use the first information to notify the target access network node to use the same user plane security configuration as the DRB at the source access network node, so that the target access network node can, based on the received first information, use the same user plane security configuration as the DRB at the source access network node. This can reduce the security risk caused by differing security configurations of the data radio bearer when the target access network node and the source access network node transmit the same data packet, and improve the security of data transmission.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the source access network node sends a second message to the terminal device, where the second message is used to indicate that the terminal device is handed over from the source access network node to the target access network node, and the second message includes the second information.
According to the foregoing implementation, the source access network node forwards the second information from the target access network node to the terminal device, so that the terminal device can determine, based on the second information, the user plane security configuration of the DRB used by the target access network node; the terminal device and the target access network node thereby reach a common understanding, which helps ensure the reliability of data transmission.
With reference to the second aspect, in some implementations of the second aspect, the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication is used to indicate that the first data radio bearer uses dual active protocol stack handover.
According to the foregoing implementation, the source access network node may use the dual active protocol stack handover indication both to indicate that the first data radio bearer uses dual active protocol stack handover and to implicitly indicate that the user plane security configuration used for the DRB is the same as that of the DRB at the source access network node, which avoids adding new information overhead to the first message.
With reference to the second aspect, in some implementations of the second aspect, the first information includes a user plane security activation state, where the user plane security activation state is used to indicate the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
According to the foregoing implementation, by including the user plane security activation state in the first message, the source access network node indicates the user plane security activation state of the first DRB at the source access network node, so that the target access network node determines the user plane security configuration of the second DRB based on that activation state; the user plane security configuration used by the target access network node for the second DRB is thereby the same as that used by the source access network node for the first DRB.
With reference to the second aspect, in some implementations of the second aspect, when it is determined that the data radio bearer uses dual active protocol stack handover, the source access network node determines that the first message includes the first information.
With reference to the second aspect, in some implementations of the second aspect, the first message includes the user plane security configuration of the first data radio bearer, and/or the first message includes the first user plane security policy, where the first user plane security policy is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
With reference to the second aspect, in some implementations of the second aspect, the first user plane security policy indicates that security protection is preferred. With reference to the second aspect, in some implementations of the second aspect, the method further includes: when the first user plane security policy indicates that security protection is preferred, the source access network node determines that the first message includes the first information, where the first user plane security policy is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
According to the foregoing implementation, when the first user plane security policy indicates that security protection is preferred, the user plane security configuration of the DRB determined by the target access network node may differ from that determined by the source access network node; with the solution provided in this application, the source access network node uses the first information to notify the target access network node to use the same user plane security configuration of the DRB as the source access network node.
With reference to the second aspect, in some implementations of the second aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
With reference to the second aspect, in some implementations of the second aspect, the response message comes from the target access network node, and the source access network node sending the first message includes: the source access network node sends the first message to the target access network node; or the response message comes from a core network node, and the source access network node sending the first message includes: the source access network node sends the first message to the core network node.
According to a third aspect, a security configuration method in a handover scenario is provided. The method may be performed by a terminal device or by a module (such as a chip) configured in (or used for) a terminal device. The following description takes the method being performed by a terminal device as an example.
The method includes: a terminal device receives a radio resource configuration message from a source access network device, where the radio resource configuration message includes second information, the second information is used to indicate a user plane security configuration of a second data radio bearer of a target access network node, and the user plane security configuration of the second data radio bearer is the same as that of a first data radio bearer of the source access network node; and the terminal device receives a resource release message from the target access network node, where the resource release message includes third information, and the third information is used to indicate the updated user plane security configuration of the second data radio bearer of the target access network node.
With reference to the third aspect, in some implementations of the third aspect, the second data radio bearer is the data radio bearer obtained after the first data radio bearer is handed over from the source access network node to the target access network node.
According to the foregoing solution, during the handover of the terminal device, the target access network node and the source access network node can use the same user plane security configuration for the DRB, which can reduce the security risk caused by differing security configurations of the data radio bearer when the target access network node and the source access network node transmit the same data packet to the terminal device, and improve the security of data transmission. Further, after completing the handover, the terminal device can obtain the updated user plane security configuration via the resource release message, so that data security is ensured based on the latest policy.
With reference to the third aspect, in some implementations of the third aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
According to a fourth aspect, a communication apparatus is provided. In one design, the apparatus may include modules corresponding one-to-one to the methods/operations/steps/actions described in the first aspect, and the modules may be implemented by hardware circuits, by software, or by hardware circuits combined with software. In one design, the apparatus includes: a transceiver unit, configured to receive a first message, where the first message is used to indicate that a terminal device is handed over from a source access network node to a target access network node, the first message includes first information, and the first information is used to indicate use of the same user plane security configuration of the data radio bearer as the source access network node; a processing unit, configured to determine that the user plane security configuration of a second data radio bearer of the target access network node is the same as that of a first data radio bearer of the source access network node; and the transceiver unit, configured to send, on behalf of the target access network node, a response message to the first message, where the response message includes second information, and the second information is used to indicate the user plane security configuration of the second data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the second data radio bearer is the data radio bearer obtained after the first data radio bearer is handed over from the source access network node to the target access network node.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication is used to indicate that the first data radio bearer uses dual active protocol stack handover.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first message includes the user plane security configuration of the first data radio bearer, and the processing unit is further configured to determine, based on the dual active protocol stack handover indication, that the user plane security configuration of the second data radio bearer is the same as that of the first data radio bearer; the processing unit is further configured to configure, based on the user plane security configuration of the first data radio bearer, the user plane security of the second data radio bearer, or the user plane security of the data radio bearers in the protocol data unit session corresponding to the second data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first information includes a user plane security activation state, where the user plane security activation state is used to indicate the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the processing unit is further configured to determine the user plane security configuration of the second data radio bearer based on the user plane security activation state.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first message includes the user plane security configuration of the first data radio bearer, and the processing unit is further configured to compare the user plane security configuration of the second data radio bearer with that of the first data radio bearer; if the comparison result is that they differ, the second information includes the user plane security configuration of the second data radio bearer; if the comparison result is that they are the same, the second information indicates that the second data radio bearer uses the same user plane security configuration as the first data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first message includes a first user plane security policy, where the first user plane security policy is the user plane security policy of the first data radio bearer, or the first user plane security policy is the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first user plane security policy indicates that security protection is preferred.
With reference to the fourth aspect, in some implementations of the fourth aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the processing unit is further configured to: after the target access network node receives a radio resource control reconfiguration complete message from the terminal device, update the user plane security configuration of the second data radio bearer based on a second user plane security policy, where the second user plane security policy is the user plane security policy of the second data radio bearer of the target access network node or the user plane security policy of the protocol data unit session corresponding to the second data radio bearer.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver unit is further configured to send the updated user plane security configuration of the second data radio bearer of the target access network node to the terminal device.
With reference to the fourth aspect, in some implementations of the fourth aspect, the updated user plane security configuration is carried in a resource release message.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first message comes from the source access network node, and the transceiver unit is specifically configured to send the response message to the source access network node; or the first message comes from a core network node, and the transceiver unit is specifically configured to send the response message to the core network node.
According to a fifth aspect, a communication apparatus is provided. In one design, the apparatus may include modules corresponding one-to-one to the methods/operations/steps/actions described in the second aspect, and the modules may be implemented by hardware circuits, by software, or by hardware circuits combined with software. In one design, the apparatus includes: a processing unit, configured to determine a first message, where the first message is used to indicate that a terminal device is handed over from a source access network node to a target access network node, the first message includes first information, and the first information is used to indicate use of the same user plane security configuration of the data radio bearer as the source access network node; and a transceiver unit, configured to send the first message, where the transceiver unit is further configured to receive a response message to the first message, the response message includes second information, the second information is used to indicate a user plane security configuration of a second data radio bearer of the target access network node, and the user plane security configuration of the second data radio bearer of the target access network node is the same as that of a first data radio bearer of the source access network node.
With reference to the fifth aspect, in some implementations of the fifth aspect, the second data radio bearer is the data radio bearer obtained after the first data radio bearer is handed over from the source access network node to the target access network node.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is further configured to send a second message to the terminal device, where the second message is used to indicate that the terminal device is handed over from the source access network node to the target access network node, and the second message includes the second information.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, where the dual active protocol stack handover indication is used to indicate that the first data radio bearer uses dual active protocol stack handover.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first information includes a user plane security activation state, where the user plane security activation state is used to indicate the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is further configured to: when it is determined that the data radio bearer uses dual active protocol stack handover, determine that the first message includes the first information.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first message includes the user plane security configuration of the first data radio bearer, and/or the first message includes the first user plane security policy, where the first user plane security policy is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
With reference to the fifth aspect, in some implementations of the fifth aspect, the first user plane security policy indicates that security protection is preferred.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is further configured to: when the first user plane security policy indicates that security protection is preferred, determine that the first message includes the first information, where the first user plane security policy is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
With reference to the fifth aspect, in some implementations of the fifth aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
With reference to the fifth aspect, in some implementations of the fifth aspect, the response message comes from the target access network node, and the transceiver unit is specifically configured to send the first message to the target access network node; or the response message comes from a core network node, and the transceiver unit is specifically configured to send the first message to the core network node.
According to a sixth aspect, a communication apparatus is provided. In one design, the apparatus may include modules corresponding one-to-one to the methods/operations/steps/actions described in the third aspect, and the modules may be implemented by hardware circuits, by software, or by hardware circuits combined with software. In one design, the apparatus includes: a transceiver unit, configured to receive a radio resource configuration message from a source access network device, where the radio resource configuration message includes second information, the second information is used to indicate a user plane security configuration of a second data radio bearer of a target access network node, and the user plane security configuration of the second data radio bearer is the same as that of a first data radio bearer of the source access network node; and a processing unit, configured to determine that the user plane security configuration of the second data radio bearer is the same as that of the first data radio bearer of the source access network node, where the transceiver unit is further configured to receive a resource release message from the target access network node, the resource release message includes third information, and the third information is used to indicate the updated user plane security configuration of the data radio bearer of the target access network node.
With reference to the sixth aspect, in some implementations of the sixth aspect, the second information indicates that the second data radio bearer of the target access network node uses the same user plane security configuration as the first data radio bearer of the source access network node, or the second information includes the user plane security configuration of the second data radio bearer.
According to a seventh aspect, a communication apparatus is provided, including a processor. The processor may implement the method in the first aspect and any possible implementation of the first aspect. Optionally, the communication apparatus further includes a memory, and the processor is coupled to the memory and may be configured to execute instructions in the memory to implement the method in the first aspect and any possible implementation of the first aspect. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface. In the embodiments of this application, the communication interface may be a transceiver, a pin, a circuit, a bus, a module, or another type of communication interface, without limitation.
In one implementation, the communication apparatus is a target access network node. When the communication apparatus is a target access network node, the communication interface may be a transceiver or an input/output interface.
In another implementation, the communication apparatus is a chip configured in a target access network node. When the communication apparatus is a chip configured in a target access network node, the communication interface may be an input/output interface.
According to an eighth aspect, a communication apparatus is provided, including a processor. The processor may implement the method in the second aspect and any possible implementation of the second aspect. Optionally, the communication apparatus further includes a memory, and the processor is coupled to the memory and may be configured to execute instructions in the memory to implement the method in the second aspect and any possible implementation of the second aspect. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface. In the embodiments of this application, the communication interface may be a transceiver, a pin, a circuit, a bus, a module, or another type of communication interface, without limitation.
In one implementation, the communication apparatus is a source access network node. When the communication apparatus is a source access network node, the communication interface may be a transceiver or an input/output interface.
In another implementation, the communication apparatus is a chip configured in a source access network node. When the communication apparatus is a chip configured in a source access network node, the communication interface may be an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
According to a ninth aspect, a communication apparatus is provided, including a processor. The processor may implement the method in the third aspect and any possible implementation of the third aspect. Optionally, the communication apparatus further includes a memory, and the processor is coupled to the memory and may be configured to execute instructions in the memory to implement the method in the third aspect and any possible implementation of the third aspect. Optionally, the communication apparatus further includes a communication interface, and the processor is coupled to the communication interface. In the embodiments of this application, the communication interface may be a transceiver, a pin, a circuit, a bus, a module, or another type of communication interface, without limitation.
In one implementation, the communication apparatus is a terminal device. When the communication apparatus is a terminal device, the communication interface may be a transceiver or an input/output interface.
In another implementation, the communication apparatus is a chip configured in a terminal device. When the communication apparatus is a chip configured in a terminal device, the communication interface may be an input/output interface.
Optionally, the transceiver may be a transceiver circuit. Optionally, the input/output interface may be an input/output circuit.
According to a tenth aspect, a processor is provided, including an input circuit, an output circuit, and a processing circuit. The processing circuit is configured to receive a signal via the input circuit and transmit a signal via the output circuit, so that the processor performs the method in any one of the first to third aspects and any possible implementation of the first to third aspects.
In a specific implementation process, the processor may be one or more chips, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example but not limited to, a receiver; the signal output by the output circuit may be, for example but not limited to, output to a transmitter and transmitted by the transmitter; and the input circuit and the output circuit may be the same circuit, which serves as the input circuit and the output circuit at different times. The embodiments of this application do not limit the specific implementations of the processor and the various circuits.
According to an eleventh aspect, a computer program product is provided. The computer program product includes a computer program (which may also be referred to as code or instructions) which, when run, causes a computer to perform the method in any one of the first to third aspects and any possible implementation of the first to third aspects.
According to a twelfth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program (which may also be referred to as code or instructions) which, when run on a computer, causes the computer to perform the method in any one of the first to third aspects and any possible implementation of the first to third aspects.
According to a thirteenth aspect, a communication system is provided, including at least two of the foregoing terminal device, source access network node, target access network node, and core network node.
FIG. 1 is a schematic block diagram of a communication system according to an embodiment of this application;
FIG. 1A is another schematic block diagram of a communication system according to an embodiment of this application;
FIG. 2 is a schematic flowchart of user plane security activation according to an embodiment of this application;
FIG. 3 is a schematic diagram of data packet transmission for a DRB using DAPS handover according to an embodiment of this application;
FIG. 4 is a schematic flowchart of a communication method according to an embodiment of this application;
FIG. 5 is a schematic flowchart of a security configuration method in an Xn-interface-based handover scenario according to an embodiment of this application;
FIG. 6 is another schematic flowchart of a security configuration method in an Xn-interface-based handover scenario according to an embodiment of this application;
FIG. 7 is a schematic flowchart of a security configuration method in an N2-interface-based handover scenario according to an embodiment of this application;
FIG. 8 is another schematic flowchart of a security configuration method in an N2-interface-based handover scenario according to an embodiment of this application;
FIG. 9 is a schematic block diagram of an example of a communication apparatus according to an embodiment of this application;
FIG. 10 is a schematic structural diagram of an example of a terminal device according to an embodiment of this application;
FIG. 11 is a schematic structural diagram of an example of an access network device according to an embodiment of this application;
FIG. 12 is a schematic structural diagram of an example of a communication device according to an embodiment of this application.
The technical solutions provided in the embodiments of this application may be applied to communication between communication devices. Communication between communication devices may include communication between a network device and a terminal device, communication between network devices, and/or communication between terminal devices. In the embodiments of this application, the term "communication" may also be described as "transmission", "information transmission", "signal transmission", or the like. Transmission may include sending and/or receiving. The technical solutions of the embodiments of this application are described by taking communication between a network device and a terminal device as an example; a person skilled in the art may also apply the technical solutions to communication between other scheduling entities and subordinate entities, for example communication between a macro base station and a micro base station, or communication between a first terminal device and a second terminal device. The scheduling entity may allocate radio resources, for example air interface resources, to the subordinate entity. Air interface resources include one or more of the following: time domain resources, frequency domain resources, code resources, and spatial resources.
In the embodiments of this application, communication between a network device and a terminal device includes: the access network device sends a downlink signal to the terminal device, and/or the terminal device sends an uplink signal to the access network device. Here, "signal" may also be replaced by "information", "data", or the like.
The terminal device in the embodiments of this application may also be referred to as a terminal. A terminal may be a device with a wireless transceiving function. A terminal may be deployed on land, including indoor, outdoor, handheld, and/or in-vehicle; on water (for example, on a ship); or in the air (for example, on an aircraft, a balloon, or a satellite). The terminal device may be user equipment (UE). UE includes handheld devices, in-vehicle devices, wearable devices, or computing devices with a wireless communication function. For example, UE may be a mobile phone, a tablet computer, or a computer with a wireless transceiving function. The terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in a smart city, and/or a wireless terminal in a smart home, and the like.
The radio access network (RAN) node in the embodiments of this application may be a RAN device, including a base station (BS), which may be a device deployed in the radio access network and capable of wireless communication with a terminal device. A base station may take many forms, such as a macro base station, a micro base station, a relay station, or an access point. The base station in the embodiments of this application may be a next generation RAN (NG-RAN) device in a 5G system, a base station in a long term evolution (LTE) system, or a base station in another system, without limitation. An NG-RAN device in a 5G system may also be referred to as a transmission reception point (TRP) or a next generation Node B (gNB or gNodeB). The base station may be an integrated base station or a base station split into multiple network elements, without limitation. For example, the base station may be a base station in which the centralized unit (CU) and the distributed unit (DU) are separated, that is, the base station includes a CU and a DU.
FIG. 1 is a schematic diagram of a system architecture 100 applicable to the embodiments of this application.
The 5G core network (5G core, 5GC, or new generation core, NGC) includes multiple functional units shown in FIG. 1, such as an access and mobility management function (AMF) node, a session management function (SMF) node, a user plane function (UPF) node, an authentication server function (AUSF) node, a policy control function (PCF) node, an application function (AF) node, a unified data management (UDM) node, and a network slice selection function (NSSF) node.
The AMF node is mainly responsible for services such as mobility management and access management. The SMF node is mainly responsible for session management, terminal device address management and allocation, the dynamic host configuration protocol function, and selection and control of the user plane function. The UPF is mainly responsible for the external connection to the data network (DN), user plane data packet routing and forwarding, packet filtering, and functions related to quality of service (QoS) control. The UDM is mainly responsible for storing the subscription data, credentials, and subscriber permanent identifier (SUPI) of subscribed terminal devices in the network; its service-based interface is Nudm. These data may be used for authentication and authorization of terminal devices accessing the operator network. The AUSF is mainly responsible for authenticating terminal devices. The PCF node is mainly responsible for providing a unified policy framework for network behavior management, providing policy rules for control plane functions, and obtaining registration information related to policy decisions; its service-based interface is Npcf. It should be noted that these functional units may work independently or be combined to implement certain control functions, such as access control and mobility management functions including access authentication, security encryption, and location registration of terminal devices, and session management functions such as establishing, releasing, and modifying user plane transmission paths.
As shown in FIG. 1, the functional units in the 5GC may communicate through next generation (NG) interfaces. For example, the UE may transmit control plane messages with the AMF node through NG interface 1 (N1 for short); the RAN node may establish a user plane data transmission channel with the UPF through NG interface 3 (N3); the RAN node may establish a control plane signaling connection with the AMF node through NG interface 2 (N2); the UPF may exchange information with the SMF node through NG interface 4 (N4); the UPF may exchange user plane data with the data network DN through NG interface 6 (N6); the AMF node may exchange information with the SMF node through NG interface 11 (N11); the SMF node may exchange information with the PCF node through NG interface 7 (N7); and the AMF node may exchange information with the AUSF through NG interface 12 (N12). It should be noted that FIG. 1 is only an example architecture diagram; in addition to the functional units shown in FIG. 1, the network architecture may include other functional units.
Further, the 5G system architecture may also use service-based interfaces. For example, as shown in FIG. 1A, the NSSF may select a set of network slice instances for the UE and determine the allowed slice selection assistance information (NSSAI); the service-based interface provided by the NSSF is Nnssf. The network exposure function (NEF) may expose network capabilities and events, obtain external application information from the application function (AF), and store information intended for external exposure in the unified data repository (UDR); the service-based interface provided by the NEF is Nnef. The network repository function (NRF) may provide service registration, discovery, and authorization and maintain information about available network function (NF) instances; the service-based interface provided by the NRF is Nnrf. The AUSF may provide unified access authentication services for 3GPP and non-3GPP access; the service-based interface provided by the AUSF is Nausf. The network slice specific authentication and authorization function (NSSAAF) may authenticate and authorize UE access to a specific slice, preventing unauthorized UEs from accessing slice services or resources; the service-based interface provided by the NSSAAF is Nnssaaf.
In a 5G system, two RAN nodes may interact directly, communicating through the Xn interface; or two RAN nodes may be unable to interact directly and communicate through the AMF, that is, interact indirectly through the N2 interface. In the radio access scenario, the terms access network (AN) and radio access network (RAN) may be used interchangeably.
The technologies and terms related to this application are introduced below.
1. DAPS handover
A handover procedure that allows a terminal device, after receiving a radio resource control (RRC) message indicating handover, to maintain its connection with the source access network node until it successfully accesses the target access network node and releases the source cell.
2. DAPS bearer
A DAPS bearer is a bearer whose radio protocols are located at both the source base station and the target base station during DAPS handover, so that it can use the resources of both the source base station and the target base station.
3. User plane security policy
A user plane security policy includes user plane ciphering protection indication information and/or user plane integrity protection indication information. The user plane ciphering protection indication information indicates one of three possible values: required, preferred, or not needed; the user plane integrity protection indication information indicates one of three possible values: not needed, preferred, or required. Here, not needed means that user plane security does not need to be activated, preferred means that user plane security may or may not be activated, and required means that user plane security must be activated. The three possible values may be indicated with 2 bits, for example 00 indicating not needed, 01 indicating preferred, and 11 indicating required. The specific manner in which the user plane ciphering protection indication information and the user plane integrity protection indication information indicate the three possible values is not limited in the embodiments of this application.
4. User plane (UP) security activation
Taking FIG. 2 as an example, the following briefly describes an example in which the RAN activates UP security during establishment of a protocol data unit (PDU) session. As shown in FIG. 2, the UP security activation procedure includes but is not limited to the following steps:
1. The UE sends a non-access stratum (NAS) message to the AMF via the NG-RAN. The NAS message contains an N1 session management (SM) container, the container contains a PDU session establishment request, and the request contains information such as the PDU session identifier (ID).
2. The AMF generates, based on the NAS message, a PDU session creation request message to be sent to the SMF. The service-based message corresponding to the PDU session creation request message may be an Nsmf_PDUSession_CreateSMContext request message. The message contains the N1 SM container.
3. If the SMF can process the received request, the SMF sends a response message to the AMF. The response message may be an Nsmf_PDUSession_CreateSMContext response message.
4. The SMF obtains the user plane security policy.
The SMF may obtain the user plane security policy from the UDM or from local configuration. The user plane security policy includes a UP ciphering protection policy and/or a UP integrity protection policy.
(1) The UP ciphering protection policy may be required, preferred, or not needed.
(2) The UP integrity protection policy may be required, preferred, or not needed.
5. The SMF sends the determined user plane security policy to the AMF.
The SMF may send the determined user plane security policy to the AMF via Namf_Communication_N1N2MessageTransfer.
6. The AMF further sends the UP security policy to the NG-RAN.
The AMF may send the UP security policy to the NG-RAN via an N2 PDU session request.
7. The NG-RAN activates user plane security according to the received UP security policy.
For example, if the received ciphering protection policy indicates required and the integrity protection policy indicates required, the NG-RAN enables UP ciphering protection and UP integrity protection, and uses the UP ciphering key, the UP integrity protection key, and the UP security algorithms to cipher and integrity-protect the UP data exchanged with the UE, and to decipher it and verify its integrity.
As another example, if the UP ciphering protection policy included in the UP security policy indicates required and the UP integrity protection policy indicates not needed, the NG-RAN enables UP ciphering protection but does not enable UP integrity protection, and uses the UP ciphering key and the UP security algorithm to cipher or decipher the UP data exchanged with the UE.
As a further example, when the UP ciphering protection policy or the UP integrity protection policy is preferred, the NG-RAN may decide to enable or not enable UP ciphering, or to enable or not enable UP integrity protection. In this case, the NG-RAN may send the determined UP activation result to the SMF.
8. The NG-RAN sends an RRC connection reconfiguration message to the UE, which contains UP security activation indication information.
The UP security activation indication information includes UP ciphering protection activation indication information and/or UP integrity protection activation indication information; the UP ciphering protection activation indication information indicates whether UP ciphering protection is enabled, and the UP integrity protection activation indication information indicates whether UP integrity protection is enabled.
For example, when the UP security activation indication information does not carry the UP ciphering protection activation indication information, this means that ciphering is enabled. When ciphering is not enabled, the UP security activation indication information carries the UP ciphering protection activation indication information, which informs the UE that ciphering protection is not enabled. For integrity protection, the UP security activation indication information includes the UP integrity protection activation indication information, which indicates whether integrity protection is enabled or not. For example, the UP integrity protection activation indication information may inform the UE to enable integrity protection by indicating enabled, or inform the UE not to enable integrity protection by indicating disabled.
Alternatively, the NG-RAN may indicate to the UE whether security protection (ciphering protection and/or integrity protection) is enabled in other ways; for example, whether a certain information element (IE) is carried in the RRC connection reconfiguration message may indicate whether security protection is enabled, or different values of the IE may indicate whether security protection is enabled. This is not limited in this application.
Currently, for each DRB of a PDU session, the RRC connection reconfiguration message sent by the NG-RAN includes one user plane security activation indication corresponding to that DRB. The user plane security activation state of every DRB in a PDU session is the same, and may be enabled or not enabled. Enabled may also be called activated, and not enabled may also be called not activated.
9. The UE activates UP security.
The UE activates UP security between the UE and the base station according to the UP security activation indication information carried in step 8, so as to apply security protection to, or remove it from, the UP data transmitted with the base station. Specifically, activating UP security may include configuring the packet data convergence protocol (PDCP) entity of the corresponding DRB.
For example, if ciphering is enabled, configuring the PDCP entity of the DRB includes configuring the PDCP entity with the ciphering algorithm and key, so that the PDCP entity can apply security processing to data packets passing through it.
10. The UE sends an RRC connection reconfiguration acknowledgement (ACK) message to the NG-RAN. Correspondingly, the NG-RAN receives the RRC connection reconfiguration acknowledgement message from the UE.
V. User plane security activation state
The user plane security activation state is the security activation state of a DRB. If the access network device decides to activate security protection for the DRB, the security state of the DRB may be enabled (also called activated); if the access network device decides not to activate security protection for the DRB, the security state of the DRB may be not enabled (also called deactivated or not activated). The user plane security activation state may include a ciphering protection activation state and/or an integrity protection activation state. For example, the ciphering protection activation state may be enabled or not enabled, and the integrity protection activation state may be enabled or not enabled.
VI. User plane security configuration
The user plane security configuration may specify whether a DRB enables user plane security or not. The UP security configuration of a DRB may also be called the UP security activation indication. The terminal device and/or the access network node may configure the PDCP entity corresponding to the DRB according to the user plane security configuration of that DRB, so that the PDCP entity can apply security processing to data packets passing through it.
Currently, in DAPS-based handover, the source RAN node may activate DAPS handover for one or more DRBs. Whether the handover is Xn-based or N2-based, for a DRB for which DAPS handover has been activated, the terminal device keeps its connection to the source RAN node until it receives a resource release request from the target RAN node; the terminal device exchanges data packets with the source RAN node and the target RAN node simultaneously, and the source RAN node and the target RAN node may transmit the same data packets to the terminal device. For example, as shown in FIG. 3, during the handover the source RAN node assigns the sequence number (SN) of a data packet and sends the packet carrying the SN to the target RAN node; the target RAN node configures the PDCP entity corresponding to the DRB according to the security activation state it has determined, and after the packet from the source RAN node has passed through that PDCP entity for security processing, the target RAN node sends it to the terminal device. At the same time, the source RAN node configures the PDCP entity corresponding to the DRB according to the security activation state it has determined, passes the packet through that PDCP entity for security processing, and sends it to the terminal device. The source RAN node, the target RAN node and the terminal device may each be configured with a physical (PHY) layer, a media access control (MAC) layer, a radio link control (RLC) layer and a PDCP layer. The PDCP layer of the source RAN node may be called the master PDCP (M-PDCP) layer, and the PDCP layer of the target RAN node may be called the secondary PDCP (S-PDCP) layer. Likewise, the PDCP layer of the terminal device may be divided into an M-PDCP that processes packets from the source RAN node and an S-PDCP that processes packets from the target RAN node, although this application is not limited thereto.
The UP security activation state of the DRB determined by the target RAN node and by the source RAN node is determined by each of the two RAN nodes separately, according to the user plane security policy it has obtained. However, when the user plane security policy indicates preferred, a RAN node may either enable or not enable UP security protection, so one RAN node may determine a security activation state of ciphering enabled while the other determines ciphering protection not enabled. In the DAPS scenario, when the source RAN node and the target RAN node transmit the same data packets, an attacker can XOR the packets received from the source and target RAN nodes, that is, XOR the ciphered packet with the unciphered packet, and obtain the keystream of the ciphered packet. This makes it easier for the attacker to obtain further key information and thereby the ciphertext of other data packets. Using the existing security mechanism in the DAPS mode therefore presents a security risk.
This application proposes that the target RAN node, according to an indication, applies to its DRB the same user plane security configuration as the source RAN node applies to its DRB. This reduces the security risk when the target RAN node and the source RAN node transmit the same data packets, and improves the security of data transmission.
It should be noted that this application is applicable to scenarios in which the same data is transmitted over two paths; such scenarios include, but are not limited to, the dual active protocol stack data transmission mode. The embodiments of this application are described using DAPS as an example, but this application is not limited thereto.
The communication method provided in the embodiments of this application is described in detail below with reference to the accompanying drawings.
FIG. 4 is a schematic flowchart of a communication method according to an embodiment of this application.
S410: The target RAN node receives message A (an example of the first message). Message A indicates that the terminal device is to be handed over from the source RAN node to the target RAN node, and includes information A (an example of the first information), which indicates that the same DRB UP security configuration as that of the source RAN node is to be used.
For example, message A may be a handover request message requesting that the terminal device be handed over from the source RAN node to the target RAN node. This application is not limited thereto.
Here, the UP security configuration of the DRB is the security configuration specifying whether UP security protection is enabled. Optionally, the UP security protection may be UP ciphering protection and/or UP integrity protection. The UP security configuration of the DRB may specify whether UP ciphering protection is enabled and/or whether UP integrity protection is enabled.
For example, the UP security configuration may be that UP ciphering protection is enabled, and information A indicates that the DRB handed over to the target RAN node keeps the UP ciphering protection state the DRB had at the source RAN node, i.e. if the DRB had UP ciphering protection enabled before the handover, the DRB also has UP ciphering protection enabled after the handover. For integrity protection the existing determination mechanism is still used; for example, the target RAN node may determine whether to enable integrity protection according to the UP integrity protection policy. This application is not limited thereto.
From message A the target RAN node can determine whether to accept the handover of the terminal device from the source RAN node to the target RAN node, and from information A in message A it can determine that the same UP security configuration as the DRB UP security configuration of the source RAN node is to be used. Based on information A, the target RAN node may determine that some of its DRBs use the same UP security configuration as the DRB UP security configuration of the source RAN node, or that all of its DRBs use the same UP security configuration as the DRB UP security configuration of the source RAN node, or the target RAN node. Specifically, this may include, but is not limited to, the following implementations.
Implementation 1: Information A includes a DAPS handover indication, which indicates that DRB1 of the source RAN node uses DAPS handover.
Optionally, information A includes the identification information of DRB1.
According to the DAPS handover indication, the target RAN node determines that its DRB2 (an example of the second data radio bearer) uses the same UP security configuration as DRB1 (an example of the first data radio bearer) of the source RAN node.
Here, DRB2 is the DRB that DRB1 becomes after being handed over to the target RAN node, or DRB2 is the DRB at the target RAN node after DAPS has been activated for DRB1; DRB1 and DRB2 may carry the same data packets. In other words, DRB2 is the DRB in the target RAN node that corresponds to DRB1.
As a non-limiting example, the identification information of DRB1 in the source access network node is the same as the identification information of DRB2 in the target access network node.
That is, when DAPS handover is activated for one or more DRBs of a PDU session, the target RAN node uses the UP security configuration that the source access network node applies to those one or more DRBs to configure the user plane security of those one or more DRBs between the target access network node and the UE.
Message A further includes the UP security configuration of DRB1. The target RAN node configures the PDCP entity of DRB2 according to the UP security configuration of DRB1; in other words, it configures the security of the PDCP entity of DRB2.
For example, after receiving message A, the target RAN node may determine from the DAPS indication that the UP security configuration of DRB2 is the same as that of DRB1, and configure the security protection of DRB2 at the target RAN node according to the UP security configuration of DRB1 in message A, i.e. configure the PDCP entity of DRB2 so that packets passing through the PDCP entity are security-protected (e.g. ciphered, integrity-protected, etc.). If the UP security configuration of DRB1 is UP security protection enabled, the target RAN node configures DRB2 with security protection enabled, i.e. configures the PDCP entity of DRB2 so that packets passing through it are security-protected (e.g. ciphered, integrity-protected, etc.); if the UP security configuration of DRB1 is security protection not enabled, the target RAN node configures DRB2 with UP security protection not enabled, i.e. packets passing through the PDCP entity of DRB2 are not security-protected.
It should be noted that the UP security configuration of a DRB may also be called the UP security activation indication; this application does not limit the name used for indicating the UP security configuration of a DRB.
It should be understood that the embodiments of this application are described using the example of the RAN node and the terminal device configuring the PDCP entity of DRB2 according to the UP security configuration, but this application is not limited thereto; the configuration may be applied to other entities, for example to a NAS layer entity used for security processing of data.
Optionally, the UP security configuration of DRB1 is contained in the UE context information in message A, or in the RRC context information within the UE context information.
The UE context information may include the UE security capability, access stratum (AS) security information (such as the key KgNB* and the security protection algorithms), the PDU session resources to be setup list, and the RRC context. The key KgNB* is used to derive the signalling plane security keys and/or the user plane security keys. The RRC context may include the UE radio capability and the RRC reconfiguration information. This application is not limited thereto.
Optionally, message A further includes UP security policy 1, which indicates the UP security policy of DRB1 or the UP security policy of the PDU session corresponding to DRB1.
Optionally, message A includes a PDU sessions to be setup list, which includes the PDU session information corresponding to DRB1, and UP security policy 1 is contained in that PDU session information.
In an optional implementation, the target RAN node determines, according to the DAPS handover indication, that DRB2 and/or one or more DRBs associated with DRB2 all use the same UP security configuration as the source RAN node applies to DRB1.
The one or more DRBs associated with DRB2 may be DRBs belonging to the same PDU session as DRB2, i.e. DRB2 is associated with the one or more DRBs through the identifier of the corresponding PDU session. This application is not limited thereto.
Optionally, message A comes from the source RAN node. Message A may be sent by the source RAN node to the target RAN node, or message A may be sent by the AMF node to the target RAN node and include a transparent container that the AMF node received from the source RAN node, the transparent container including the DAPS indication.
The transparent container may also be called transparent information, i.e. information that the source RAN node passes transparently through the AMF node to the target RAN node. This is not limited in this application.
Implementation 2: Information A includes a UP security activation state, which is the user plane security activation state of DRB1 of the source RAN node or the user plane security activation state of the PDU session corresponding to DRB1.
The source RAN node obtaining the UP security activation state of DRB1 (or of the PDU session corresponding to DRB1) includes obtaining it locally: if the source RAN node locally stores the UP security activation state of DRB1 (or of its PDU session), it includes the stored UP security activation state in message A. If it does not, the source RAN node may determine the UP security activation state from the local security configuration of DRB1 and include the determined UP security activation state in message A. This application is not limited thereto.
According to the UP security activation state, the target RAN node determines that its DRB2 uses the same UP security configuration as DRB1.
That is, when the target RAN node determines that message A includes the UP security activation state of a DRB or of a PDU session, the target RAN node determines, according to that UP security activation state, that the DRB, or the DRBs in the PDU session, use the same UP security configuration as the source RAN node applies to that DRB.
In one implementation, after receiving the UP security activation state, the target RAN node determines the UP security configuration of DRB2 from the UP security activation state.
In another implementation, after receiving the UP security activation state, the target RAN node decides to reuse the DRB UP security configuration received from the source RAN node.
For example, when the terminal device receives the UP security activation state of DRB1 or of its PDU session in message A, the terminal device determines that DRB2 reuses the UP security configuration of DRB1 received from the source RAN node. This application is not limited thereto.
Optionally, the UP security activation state is included in the UE context information in message A, or in the PDU session resources to be setup list within the UE context.
According to the above implementation, the target RAN node determines the UP security configuration of DRB2 from the UP security activation state, which ensures that the UP security configuration the target RAN node applies to DRB2 is the same as the UP security configuration the source RAN node applies to DRB1. In an optional implementation, the target RAN node determines, according to the UP security activation state of DRB1 or of its PDU session in message A, that DRB2 and/or one or more DRBs associated with DRB2 all use the same UP security configuration as the source RAN node applies to DRB1.
The one or more DRBs associated with DRB2 may be DRBs belonging to the same PDU session as DRB2, i.e. DRB2 is associated with the one or more DRBs through the identifier of the corresponding PDU session. This application is not limited thereto.
Optionally, message A comes from the source RAN node. Message A may be sent by the source RAN node to the target RAN node, or it may be sent by the AMF node to the target RAN node and include a transparent container that the AMF node received from the source RAN node, the transparent container including the UP security activation state indication.
In one implementation, if the source RAN node determines that DRB1 uses DAPS handover, message A includes information A.
In another implementation, if the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of the PDU session corresponding to DRB1 indicates preferred (for example, the ciphering protection security policy or the integrity protection security policy indicates preferred), the source RAN node decides to include information A in message A.
The target RAN node determines the UP security configuration of the DRBs in the PDU session according to information A.
It should be noted that Implementation 1 and Implementation 2 are only two examples provided by the embodiments of this application; this application is not limited thereto and may include other implementations. Information A may directly indicate that DRB2 of the target network device uses the same UP security configuration as DRB1, or indicate it indirectly, for example through a DAPS indication or a UP security activation state. It should be understood that as long as the user plane security configuration of the DRB in the target access network node, as determined by the target access network node from the information in message A, is the same as the user plane security configuration of the DRB of the source access network node, that information can be regarded as indicating that the same data radio bearer user plane security configuration as that of the source access network node is used. All such cases fall within the scope of protection of this application and are not enumerated here.
S420: The target RAN node sends a response message to message A. The response message includes information B (an example of the second information), which indicates the UP security configuration of DRB2 of the target access network node.
Here, the UP security configuration of DRB2 is the same as that of DRB1. The response message confirms acceptance of the handover of the terminal device from the source RAN node to the target RAN node. The ways in which information B indicates the UP security configuration the target RAN node applies to DRB2 include, but are not limited to, the following:
Way 1: Information B indicates that the target RAN node applies to DRB2 the same UP security configuration as DRB1 of the source RAN node.
Through information B, the target RAN node indicates to the terminal device that the UP security configuration it applies to DRB2 is the same as the UP security configuration of DRB1 of the source RAN node.
For example, the target RAN node notifies its UP security configuration for a DRB in a delta (offset or variable) manner. In this example, the target RAN node compares the UP security configuration it has determined for DRB2 with the UP security configuration of DRB1 in message A. If the comparison shows they differ, the target RAN node sends the determined UP security configuration information of DRB2 to the source RAN node in the response message, and the source RAN node informs the terminal device. If the comparison shows they are the same, the response message does not include the UP security configuration of DRB2, the RRC reconfiguration message containing the handover command that the source RAN node sends to the terminal device does not include the UP security configuration of DRB2 either, and when the terminal device does not obtain the UP security configuration of DRB2 from the source RAN node, it treats the UP security configuration of DRB2 as the same as that of DRB1. As another example, if the target RAN node decides that DRB2 reuses the UP security configuration of the source RAN node, it omits that UP security configuration to indicate to the UE that the UP security configuration of DRB1 is reused.
In this example, because the target RAN node has, according to information A, applied to DRB2 the same UP security configuration as the source RAN node applies to DRB1, there is no difference, so the target RAN node can indicate through information B that the UP security configuration it applies to DRB1 is the same as the UP security configuration applied by the source RAN node, without including the UP security configuration of DRB2.
Optionally, the target RAN node may also determine other configurations of DRB2, such as the security protection algorithm, in the delta manner. If a configuration of DRB2 is the same as the corresponding configuration of DRB1, information B may omit that configuration; if it differs, the offset is computed and information B may include the offset.
As another example, information B is a 1-bit indication: "1" means that the UP security configuration the target RAN node applies to DRB2 is the same as the UP security configuration the source RAN node applies to DRB1, and "0" means it is different. Alternatively, the indication states of information B include true and false: true means that the UP security configuration the target RAN node applies to DRB2 is the same as the one the source RAN node applies to DRB1, and false means it is different. This application is not limited thereto.
Way 2: Information B includes the UP security configuration of DRB2.
In S410, after the target RAN node determines from information A that it applies to DRB2 the same UP security configuration as the source RAN node applies to DRB1, it generates a UP security configuration of DRB2 identical to that of DRB1. Further, the target RAN node configures the PDCP entity of DRB2 according to that UP security configuration, and indicates the UP security configuration of DRB2 through information B.
The response message includes a transparent container to be sent to the terminal device, and the transparent container includes information B. After the transparent container has been delivered to the source RAN node in the response message, the source RAN node forwards it to the terminal device. From the transparent container the terminal device can determine that the UP security configuration the target RAN node applies to DRB2 is the same as the one applied by the source RAN node, and configures the PDCP entity of the corresponding DRB. When the handover procedure is Xn-based, the response message may be a message sent by the target RAN node to the source RAN node; when the handover procedure is N2-based, the response message may be a message sent by the target RAN node to a core network node (such as the AMF node), and the core network node forwards the transparent container to the source RAN node. This application is not limited thereto.
It should be noted that for a DRB3 for which DAPS is not activated, the target RAN node may determine whether to activate security protection for the PDU session according to the UP security policy of the PDU session, and determine the UP security configuration of DRB3 in the PDU session. The UP security configuration of DRB3 that the target RAN node determines from the UP security policy may be the same as or different from that of the source RAN node; this application does not limit this. The target RAN node includes the configuration of the DRBs for which DAPS is not activated in information B and passes it transparently to the terminal device.
Optionally, after the handover of the terminal device to the target RAN node is complete, the target RAN node updates the user plane security configuration of DRB2 according to the UP security policy of DRB2 or of the PDU session corresponding to DRB2. That UP security policy may be the UP security policy carried in message A, or one received from the SMF.
For example, if the current UP security activation state of the PDU session corresponding to DRB1 is UP security activation state 1, the target RAN node may determine UP security activation state 2 from the user plane security policy in message A or from the user plane security policy received from the SMF, and may determine the updated UP security configuration of DRB2 from UP security activation state 2. The target network device may send the updated UP security configuration of DRB2 to the terminal device; it may be carried in an RRC message sent by the target RAN node to the terminal device.
As another example, the target RAN node receives the user plane security policy from the SMF in the path switch request and updates its local user plane security policy (i.e. the one from the source RAN). If the UE's current user plane confidentiality and integrity protection activation state is inconsistent with the user plane security policy received from the SMF, the target RAN node updates the UP security configuration of DRB2 according to the policy sent by the SMF. When the target RAN node determines that the user plane security policy in message A is the same as the one from the SMF, the target RAN updates the UP security configuration of DRB2 after the UE handover is complete, according to either the policy received from the source RAN node or the policy received from the SMF, and may notify the terminal device through UP security configuration indication 3. Further, the target RAN re-evaluates whether to update the DRB security configuration only when the user plane security policy indicates ciphering protection and/or integrity protection as preferred.
As yet another example, the target RAN node may determine UP security activation state 2 from the user plane security policy in message A or from the SMF. If UP security activation state 2 differs from UP security activation state 1, the target RAN node updates the UP security configuration of DRB2 and may notify the terminal device through UP security configuration indication 3. This application is not limited thereto.
As a non-limiting example, the updated UP security configuration of DRB2 may be carried in a resource release message sent by the target RAN node to the terminal device.
Optionally, "after the handover of the terminal device to the target RAN node is complete" may include, but is not limited to:
after the target access network device receives an indication of handover completion from the terminal device; or,
after the target access network device sends an indication of handover success; or,
after the target access network device receives an indication of sequence number (SN) status transfer; or,
after the target access network device sends an indication of user context release; or,
after the target access network device sends an indication of resource release to the terminal device.
According to the above scheme, the UP security configuration the target RAN node applies to the DRB is the same as the user plane security configuration of the DRB of the source RAN node. This reduces the data security risk when the target RAN node and the source RAN node transmit the same data packets, and improves the security of data transmission.
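The target-RAN decision logic of S410 and S420, the post-handover re-evaluation of S507/S620, and a consistency check for the duplicated-path risk described in section VI, as an added Python model that is not code from the patent; the message field names, the `prefer_on` choice for a preferred policy and the class names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# UP security policy values as named on the page (required / preferred / not needed)
REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"
# 2-bit encoding given on the page: 00 not needed, 01 preferred, 11 required
_POLICY_BITS = {"00": NOT_NEEDED, "01": PREFERRED, "11": REQUIRED}


@dataclass(frozen=True)
class UpSecurityConfig:
    """UP security configuration (activation indication) of one DRB."""
    ciphering: bool
    integrity: bool


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: str
    integrity: str


@dataclass
class HandoverRequest:
    """Message A as seen by the target RAN node. Field names are assumptions."""
    drb_id: int
    daps_indication: bool = False                               # info A, implementation 1
    source_activation_state: Optional[UpSecurityConfig] = None  # info A, implementation 2
    source_config: Optional[UpSecurityConfig] = None            # DRB1 UP security config (RRC context)
    policy: Optional[UpSecurityPolicy] = None                   # UP security policy 1


def decode_policy_bits(ciph_bits: str, integ_bits: str) -> UpSecurityPolicy:
    """Decode the per-field 2-bit encoding described on the page; '10' is unassigned."""
    try:
        return UpSecurityPolicy(_POLICY_BITS[ciph_bits], _POLICY_BITS[integ_bits])
    except KeyError as exc:
        raise ValueError(f"unassigned policy code point {exc}") from None


def activation_from_policy(policy: UpSecurityPolicy, prefer_on: bool) -> UpSecurityConfig:
    """Existing mechanism: required -> on, not needed -> off, preferred -> the node's own choice."""
    def one(value: str) -> bool:
        if value == REQUIRED:
            return True
        if value == NOT_NEEDED:
            return False
        if value == PREFERRED:
            return prefer_on
        raise ValueError(f"unknown policy value {value!r}")
    return UpSecurityConfig(one(policy.ciphering), one(policy.integrity))


def target_decide_config(req: HandoverRequest, prefer_on: bool = False) -> UpSecurityConfig:
    """S410: when info A is present, DRB2 reuses DRB1's configuration; otherwise fall back to policy."""
    if req.source_activation_state is not None:       # implementation 2
        return req.source_activation_state
    if req.daps_indication:                           # implementation 1
        if req.source_config is None:
            raise ValueError("DAPS indication without DRB1 UP security configuration")
        return req.source_config
    if req.policy is None:
        raise ValueError("no info A and no UP security policy to decide from")
    return activation_from_policy(req.policy, prefer_on)


def build_info_b_delta(drb2: UpSecurityConfig, drb1: UpSecurityConfig) -> Optional[UpSecurityConfig]:
    """S420, way 1 (delta): omit DRB2's configuration when it equals DRB1's, include it when it differs."""
    return None if drb2 == drb1 else drb2


def ue_apply_info_b(info_b: Optional[UpSecurityConfig], drb1: UpSecurityConfig) -> UpSecurityConfig:
    """UE side of way 1: absence of a DRB2 configuration means 'same as DRB1'."""
    return drb1 if info_b is None else info_b


def post_handover_update(current: UpSecurityConfig, policy: UpSecurityPolicy,
                         prefer_on: bool = False) -> Optional[UpSecurityConfig]:
    """S507/S620: after handover completes, re-evaluate only under a 'preferred' policy and
    return the updated configuration (activation state 2) only when it differs from state 1."""
    if PREFERRED not in (policy.ciphering, policy.integrity):
        return None
    state2 = activation_from_policy(policy, prefer_on)
    return None if state2 == current else state2


def duplicated_path_mismatch(source: UpSecurityConfig, target: UpSecurityConfig) -> bool:
    """Consistency check for the risk the page describes: the same packet travels on both
    DAPS paths, so ciphering must be enabled on both or on neither."""
    return source.ciphering != target.ciphering
```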
The communication method provided in this application may be applied to, but not only to, Xn-interface-based handover procedures, and also to N2-based handover procedures. The application of the communication method to Xn-interface-based handover and to N2-based handover is described separately below; it should be understood that this application is not limited thereto.
An embodiment applying the communication method of this application to an Xn-interface-based handover procedure is described first. FIG. 5 is a schematic flowchart of a security configuration method in an Xn-interface-based handover scenario according to an embodiment of this application.
It should be noted that for the parts of the embodiment in FIG. 5 that are the same as or similar to the embodiment in FIG. 4, reference may be made to the description of the FIG. 4 embodiment above; for brevity they are not repeated here.
S501: The source RAN node sends a handover request message (an example of the first message) to the target RAN node.
Correspondingly, the target RAN node receives the handover request message from the source RAN node. The handover request message requests that the terminal device be handed over from the source RAN node to the target RAN node, and includes information A, which indicates that the same UP security configuration as the DRB UP security configuration of the source RAN node is to be used.
In one implementation, information A is a DAPS handover indication, which indicates that DRB1 uses DAPS handover.
In another implementation, information A is a UP security activation state, which is the UP security activation state of DRB1 or of the PDU session corresponding to DRB1.
Optionally, when the source RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state. Alternatively, when the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of DRB1, or of the PDU session corresponding to DRB1, indicates that UP security protection is preferred, the handover request message includes the UP security activation state.
Optionally, when the source RAN node determines that DRB1 uses DAPS handover and the ciphering protection policy in the UP security policy of DRB1, or in the UP security policy of the PDU session corresponding to DRB1, indicates that UP ciphering protection is preferred, the handover request message includes the activation state of UP ciphering protection. For integrity protection, the existing determination mechanism is still used.
Optionally, the handover request message further includes information such as KgNB*, the PDU session resources to be setup list and the RRC context, where the PDU session resources to be setup list may include the UP security policy corresponding to each PDU session.
S502: The target RAN node determines, according to information A, that the UP security configuration of its DRB2 is the same as the UP security configuration the source RAN node applies to DRB1.
In one implementation, information A is a DAPS handover indication, and the target RAN node determines from it that it applies to DRB2 the same UP security configuration as the source RAN node applies to DRB1.
In another implementation, information A is a UP security activation state, and the target RAN node determines from it the UP security configuration to apply to DRB2. Because the UP security configuration is determined from the same UP security activation state, the UP security configuration of DRB2 is the same as the one the source RAN node applies to DRB1.
The target RAN node generates a handover command indicating the UP security configuration it applies to DRB2. As a non-limiting example, the handover command may include information B, or a transparent container containing information B, and information B may indicate, in Way 1 (indicating that the target RAN node applies to DRB2 the same UP security configuration as DRB1 of the source RAN node) or Way 2 (including the UP security configuration of DRB2) described in the FIG. 4 embodiment, that the UP security configuration the target RAN node applies to DRB2 is the same as the one the source RAN node applies to DRB1.
S503: The target RAN node sends a handover response acknowledge message to the source RAN node; the message includes the handover command.
Correspondingly, the source RAN node receives the handover response acknowledge message from the target RAN node.
S504: The source RAN node sends an RRC connection reconfiguration message to the terminal device; the message includes the handover command.
S505: The terminal device determines, from the handover command, the UP security configuration the target RAN node applies to DRB2.
After receiving the handover command, the terminal device can determine from it the DRB security configuration between the terminal device and the target RAN node, and then configures the DRB between itself and the target RAN node.
S506: The terminal device sends an RRC reconfiguration complete message to the target RAN node.
Correspondingly, the target RAN node receives the RRC reconfiguration complete message from the terminal device.
S507: The target RAN determines, according to the UP security policy, whether to update the UP security configuration of DRB2.
After the target RAN node receives the RRC reconfiguration complete message from the terminal device, it determines user plane security activation state 2 according to the UP security policy of the PDU session corresponding to DRB2, carried in the handover request message or received from the SMF.
If user plane security activation state 2 differs from the current user plane security activation state 1 of the PDU session corresponding to DRB1, the target RAN node sends the updated security configuration of DRB2, i.e. the updated security activation indication, to the terminal device in S509 according to user plane security activation state 2.
S508: The target RAN sends the updated UP security configuration of DRB2 to the terminal device.
Correspondingly, the terminal device receives the updated security configuration of DRB2 from the target RAN.
S509: The terminal device updates the UP security configuration of DRB2 of the target RAN according to the updated security configuration of DRB2 (i.e. the updated security activation indication).
For example, it configures the PDCP entity corresponding to the DRB according to the updated security configuration of DRB2.
FIG. 6 is another schematic flowchart of a security configuration method in an Xn-interface-based handover scenario according to an embodiment of this application.
It should be noted that for the parts of the embodiment in FIG. 6 that are the same as or similar to the embodiments in FIG. 4 and FIG. 5, reference may be made to the descriptions of the FIG. 4 and FIG. 5 embodiments above; for brevity they are not repeated here.
In this embodiment, the UE establishes a connection with the core network through the source RAN (S-RAN) node and transmits uplink and downlink data packets. The S-RAN node may decide, based on the UE's measurement report, to trigger an Xn handover procedure to hand the UE over to the target RAN (T-RAN) node, and the T-RAN node performs the DRB UP security configuration based on the method provided in this application, thereby improving the security of data transmission.
S601: The S-RAN node obtains mobility control information from the AMF node.
While the UE establishes a connection with the core network element, or while the UE performs a location area update procedure with the core network element, the S-RAN node obtains mobility control information, such as roaming and access restriction information, from the AMF node.
S602: The S-RAN node configures the UE's measurement procedure, and the UE may report according to the measurement configuration.
S603: The S-RAN node decides to hand over the UE based on the measurement report and radio resource management information.
S604: The S-RAN node sends a handover request message to the T-RAN node.
The handover request message may include the target cell ID, the globally unique AMF identifier (GUAMI), UE context information, UE history information, and so on.
The UE context information may include the UE security capability, AS security information (such as KgNB*), the PDU session resources to be setup list, and the RRC context.
The PDU session resources to be setup information may include the PDU session ID, the single network slice selection assistance information (S-NSSAI), the PDU session type, the UP security policy of the PDU session, and the source DRB to quality of service (QoS) flow mapping list.
The UP security policy includes an integrity protection security policy and a confidentiality protection security policy. The integrity protection security policy indicates that UP integrity protection is required, preferred or not needed, and the confidentiality protection security policy indicates that UP ciphering protection is required, preferred or not needed. The UP security policy may further include the maximum integrity protected data rate.
The source DRB to QoS flow mapping list may include the DRB ID and the QoS flow ID (QFI). For the DRB(s) for which DAPS is to be activated, the source DRB to QoS flow mapping list further includes the DRB ID, the QFI(s) and a DAPS handover indication, including the DAPS handover indication indicating that DRB1 uses DAPS handover.
Optionally, the handover request message includes a UP security activation state, which indicates the UP security activation state of DRB1 or of the PDU session corresponding to DRB1.
For example, when the S-RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state, which indicates the UP security activation state of DRB1 or of the PDU session corresponding to DRB1. Alternatively, when the S-RAN node determines that DRB1 uses DAPS handover and the UP security policy of DRB1, or of the PDU session corresponding to DRB1, indicates that UP security protection is preferred, the handover request message includes the UP security activation state.
As a non-limiting example, the UP security activation state is carried in the PDU session information corresponding to DRB1 in the PDU session resources to be setup list.
The RRC context may include the UE radio capability and the RRC reconfiguration information, and the RRC reconfiguration information may contain the UP security configuration information of the DRBs of the S-RAN node.
It should be noted that only some of the information the handover request message may include is shown above; the handover request message may include other information, which this application does not limit.
S605: The T-RAN node may perform admission control.
If the T-RAN node receives slice information, it performs slice admission control; if the slice associated with a PDU session is not supported by the T-RAN node, the T-RAN node rejects that PDU session.
S606: The T-RAN node performs handover preparation, which includes the T-RAN node applying to DRB2 the same UP security configuration as the S-RAN node applies to DRB1.
If a DAPS handover indication was received in step S604, the T-RAN node determines whether to accept the DAPS handover and indicates the result to the S-RAN node. If the T-RAN node accepts the DAPS handover, it applies to DRB2 the same UP security configuration as the S-RAN node applies to DRB1.
In one implementation, the T-RAN node determines, according to the DAPS handover indication of DRB1, that it applies to its DRB2 the same UP security configuration as the S-RAN node applies to DRB1.
The T-RAN node may configure its DRB2, for example the PDCP entity corresponding to DRB2, according to the user plane security configuration of DRB1 contained in the RRC context of the handover request message. Optionally, the other DRBs in the PDU session corresponding to DRB1 also use the same UP security configuration as the DRBs in the S-RAN node; the UP security configuration includes whether ciphering protection and/or integrity protection of the DRB is enabled.
In another implementation, the T-RAN node determines, according to the UP security activation state of DRB1 (or specifically of the PDU session corresponding to DRB1) included in the handover request message, that it applies to its DRB2 the same UP security configuration as the S-RAN node.
For example, the T-RAN node determines the UP security configuration to apply to DRB2 from the UP security activation state of DRB1 (or specifically of the PDU session corresponding to DRB1). This application is not limited thereto.
For PDU sessions for which DAPS is not activated, the T-RAN node determines whether to activate security protection of the PDU session according to the UP security policy of the PDU session, determines the DRB user plane security configuration of the PDU session, and includes the updated DRB user plane security configuration in the transparent container sent to the UE.
S607: The T-RAN node sends a handover request acknowledge message to the S-RAN node.
The handover request acknowledge message contains a transparent container, which is sent to the UE as an RRC message through the S-RAN node.
Through the transparent container, the T-RAN node may indicate that the UP security configuration the target RAN node applies to DRB2 is the same as the one the source RAN node applies to DRB1; for example, the transparent container may indicate this in Way 1 (indicating that the target RAN node applies to DRB2 the same UP security configuration as DRB1 of the source RAN node) or Way 2 (including the UP security configuration of DRB2) described in the FIG. 4 embodiment.
S608: The S-RAN node sends an RRC connection reconfiguration message to the UE to trigger the UE to perform the handover.
The RRC reconfiguration message contains the transparent container from the T-RAN node and the information for accessing the target cell (i.e. the cell managed by the T-RAN). The target cell information includes the target cell ID, the cell radio network temporary identifier (C-RNTI) of the target cell, the security algorithm identifier of the security algorithm selected by the T-RAN node, and so on.
From the transparent container from the T-RAN node, the UE determines that the UP security configuration the T-RAN node applies to DRB2 is the same as the one the S-RAN node applies to DRB1, and configures the UP security configuration of DRB2 of the T-RAN node according to the transparent container.
For the DAPS-configured DRB(s) (including DRB1), the S-RAN node continues to transmit downlink data packets until it receives the handover success message sent by the T-RAN node (in S613).
S609: The S-RAN node forwards buffered data and new data from the UPF.
S610: For the one or more DAPS-configured DRBs, the S-RAN node sends an early status transfer message to the T-RAN node.
The early status transfer message contains a downlink count value, which indicates the PDCP data network (DN) and the hyper frame number (HFN) of the first PDCP service data unit (SDU) that the S-RAN node sends to the T-RAN node.
The S-RAN node continues to assign SNs to downlink data packets until it sends the sequence number (SN) status transfer message to the T-RAN node (in S615).
S611: For the one or more DRBs not configured with DAPS, the S-RAN node sends an SN status transfer message to the T-RAN node.
The SN status transfer message conveys the uplink PDCP SN receive status and the downlink PDCP SN transmit status.
S612: The S-RAN node forwards the data of the one or more DRBs not configured with DAPS to the T-RAN, and the T-RAN buffers the user data from the S-RAN.
S613: After detaching from the source cell and synchronizing to the new cell, the UE sends an RRC reconfiguration complete message to the T-RAN node.
The UE sends the RRC reconfiguration complete (RRCReconfigurationComplete) message to the T-RAN node to complete the RRC handover procedure.
For DAPS handover, the UE keeps its connection to the cell of the S-RAN node until it receives an RRC reconfiguration (RRCReconfiguration) message. Upon receiving the release request from the T-RAN node, the UE releases the source signalling radio bearer (SRB) resources and the security configuration of the source cell, and stops data transmission with the S-RAN node.
S614: For DAPS handover, the T-RAN node sends a handover success message to the S-RAN node, informing it that the UE has successfully accessed the target cell.
S615: For the one or more DRBs in DAPS handover, the S-RAN node sends an SN status transfer message to the T-RAN node.
S616: The T-RAN node sends a path switch request message to the AMF node.
With the path switch request message, the T-RAN node triggers the 5GC to switch the downlink data path to the T-RAN node. The path switch request message includes the user plane security policy sent from the S-RAN node.
S617: Downlink path switching is performed between the 5GC and the T-RAN node.
S618: The AMF node sends a path switch request acknowledge message to the T-RAN node.
If the user plane security policy sent by the T-RAN node in S616 differs from the UP security policy held locally by the SMF, the path switch request acknowledge further contains the UP security policy.
S619: The T-RAN node sends a UE context release message to the S-RAN node.
According to the received path switch request acknowledge message, the T-RAN node sends a UE context release message to the S-RAN node. The S-RAN node releases the radio resources and control plane resources associated with the UE context.
S620: The T-RAN node determines, according to the UP security policy, whether to update the UP security activation state of the PDU session for which DAPS is activated.
If the UP security policy of the PDU session corresponding to DRB2 was not received in S618, the T-RAN node determines whether to update the UP security activation state of the PDU session corresponding to DRB2 according to the UP security policy of the PDU session corresponding to DRB1 received from the S-RAN node. If the UP security policy of the PDU session corresponding to DRB2 was received in S618, the T-RAN node determines according to that UP security policy whether to update the UP security activation state of the PDU session for which DAPS handover is activated.
For a DRB performing DAPS handover, such as DRB2, the T-RAN node may determine UP security activation state 2 from the UP security policy of the PDU session corresponding to DRB2. If it differs from the current UP security activation state 1 of the PDU session, the T-RAN node decides to update the UP security configuration of DRB2. From UP security activation state 2 the T-RAN node determines the UP security configuration to apply to DRB2, i.e. the updated UP security configuration (if the current UP security configuration of DRB2 is UP security configuration 1, the updated UP security configuration of DRB2 may be UP security configuration 2). Optionally, the T-RAN node simultaneously updates the UP security configuration of the other DRBs of the PDU session for which DAPS handover is not activated.
S621: The T-RAN node sends a resource release message to the terminal device; the resource release message includes a UP security activation indication.
The UP security activation indication (i.e. UP security configuration indication 3 described above) indicates the updated security configuration of DRB2.
It should be noted that carrying the UP security activation indication in the resource release message is only an example; the UP security activation indication may also be carried in other RRC messages sent by the T-RAN node to the terminal device. This application does not limit this.
S622: The terminal device updates the UP security configuration of the DRB according to the UP security activation indication.
Upon receiving the resource release request, the UE releases the source SRB resources and the security configuration of the source cell, and the terminal device updates the UP security configuration of the DRB according to the UP security activation indication.
Optionally, as an alternative to carrying the UP security activation indication in the resource release message to notify the terminal device to update the UP security configuration, the T-RAN may trigger an intra-RAN handover procedure to make the terminal device update the security configuration of DRB1.
An embodiment applying the communication method of this application to an N2-interface-based handover procedure is described next. FIG. 7 is a schematic flowchart of a security configuration method in an N2-interface-based handover scenario according to an embodiment of this application.
It should be noted that for the parts of the embodiment in FIG. 7 that are the same as or similar to the embodiment in FIG. 4, reference may be made to the description of the FIG. 4 embodiment above; for brevity they are not repeated here.
S701: The source RAN node sends a handover required message to the AMF node. The handover required message includes information A.
The handover required message includes a DAPS handover indication indicating that DRB1 uses DAPS handover. Information A is the DAPS handover indication or a UP security activation state.
Optionally, when information A is a UP security activation state: if the source RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state, which indicates the UP security activation state of DRB1 or of the PDU session corresponding to DRB1; or, if the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of DRB1, or of the PDU session corresponding to DRB1, indicates that UP security protection is preferred, the handover request message includes the UP security activation state.
After deciding to initiate an N2 handover, the source RAN sends the handover required message to the AMF node. The message further contains a PDU session resource list and a transparent container that the source RAN node needs to pass transparently through the AMF node to the target RAN node. The PDU session resource setup list includes the PDU session ID, the UP security policy corresponding to the PDU session, and so on. This application is not limited thereto.
As a non-limiting example, information A is included in the PDU session resource list or in the transparent container.
S702: The AMF node sends a handover request message to the target RAN node; the handover request message includes information A.
After interacting with the core network nodes, the AMF node sends a handover request message to the target RAN node; the handover request message contains the transparent container from the source RAN node and the PDU session resource setup list.
S703: The target RAN node determines, according to information A, that the UP security configuration of DRB2 is the same as the UP security configuration the source RAN node applies to DRB1.
In one implementation, information A is a DAPS handover indication, and the target RAN node determines from it that it applies to DRB2 the same UP security configuration as the source RAN node applies to DRB1.
In another implementation, information A is a UP security activation state, and the target RAN node determines from it that the UP security configuration of DRB2 is the same as the UP security configuration the source RAN node applies to DRB1.
S704: The target RAN node sends a handover request acknowledge message to the AMF node; the message includes a transparent container.
The transparent container in the handover request acknowledge message is a transparent container passed from the target RAN node to the source RAN node; it indicates the UP security configuration the target RAN node applies to DRB2.
As a non-limiting example, the transparent container may indicate, in Way 1 (indicating that the target RAN node applies to DRB2 the same UP security configuration as DRB1 of the source RAN node) or Way 2 (including the UP security configuration of DRB2) described in the FIG. 4 embodiment, that the UP security configuration the target RAN node applies to DRB2 is the same as the one the source RAN node applies to DRB1.
The handover request acknowledge message may further include a PDU session resource admitted list indicating the PDU sessions accepted for handover.
S705: The AMF node sends a handover command to the source RAN node; the handover command includes the transparent container from the target RAN node.
The handover command may further include a PDU session resource handover list.
S706 to S711 of the FIG. 7 embodiment correspond in order to S504 to S509 of the FIG. 5 embodiment; for the specific implementation, reference may be made to the description of S505 to S508 of the FIG. 5 embodiment above, which for brevity is not repeated here.
FIG. 8 is another schematic flowchart of a security configuration method in an N2-interface-based handover scenario according to an embodiment of this application.
It should be noted that for the parts of the embodiment in FIG. 8 that are the same as or similar to the embodiments in FIG. 4 and FIG. 7, reference may be made to the descriptions of the FIG. 4 and FIG. 7 embodiments above; for brevity they are not repeated here.
In this embodiment, the UE establishes a connection with the core network through the S-RAN node and transmits uplink and downlink data packets. The S-RAN node may decide, based on the UE's measurement report, to trigger an N2 handover procedure to hand the UE over to the T-RAN node, and the DRB UP security configuration is performed based on the method provided in this application, thereby improving the security of data transmission.
S801: The S-RAN node decides to initiate an N2 handover procedure.
S802: The S-RAN node sends handover request 1 to the source AMF (S-AMF) node.
Handover request 1 includes a DAPS handover indication indicating that DRB1 uses DAPS handover. Information A is the DAPS handover indication, or information A includes the UP security activation state of DRB1.
Optionally, when information A includes a UP security activation state: if the source RAN node determines that DRB1 uses DAPS handover, the handover request message includes the UP security activation state, which indicates the UP security activation state of DRB1; or, if the source RAN node determines that DRB1 uses DAPS handover and the UP security policy of DRB1, or of the PDU session corresponding to DRB1, indicates that UP security protection is preferred, the handover request message includes the UP security activation state.
After deciding to initiate an N2 handover, the source RAN node sends handover request 1 to the S-AMF node. The message contains a PDU session resource list and a transparent container that the source RAN node needs to pass transparently through the S-AMF node to the target RAN node. The PDU session resource list includes the PDU session ID, the UP security policy corresponding to the PDU session, and so on. The transparent container may contain an RRC container, a PDU session resource information list and the target cell identifier. The PDU session resource information list contains the PDU session ID, a QoS flow information list and a DRB to QoS flow mapping list. The DRB to QoS flow mapping list may contain the DRB ID, the list of associated QoS flows and, optionally, DAPS request information. This application is not limited thereto.
As a non-limiting example, information A is included in the PDU session resource list or in the transparent container.
S803: If the S-AMF node cannot serve the UE, the S-AMF node performs an AMF node selection procedure and selects a target AMF (T-AMF) node.
S804: If the S-AMF node performed S803, the S-AMF node sends a Namf_Communication_CreateUEContext request to the T-AMF node.
The Namf_Communication_CreateUEContext Request contains N2 information and UE context information.
The N2 information contains the target cell identifier and the PDU session resource list. The UE context contains the subscription permanent identifier (SUPI), the allowed NSSAI for the access type, the PDU session identifiers with the corresponding SMF information and S-NSSAI, the PCF identifier and the data network name (DNN).
S805: The T-AMF node sends an Nsmf_PDUSession_UpdateSMContext request to the SMF node.
The Nsmf_PDUSession_UpdateSMContext Request message includes the PDU session ID and the target cell ID or the T-RAN ID.
S806: The SMF node determines, from the target cell ID or the T-RAN ID, whether the N2 handover is allowed. The SMF node checks the UPF node selection rules; if the UE has moved out of the service area of the UPF node, the SMF node selects a new intermediate UPF node.
S807: The SMF node sends an N4 session modification request message to the PDU session anchor UPF (UPF (PSA)) node.
If the SMF node has selected a new intermediate UPF node, the SMF node performs the N4 session modification procedure and sends an N4 session modification request message to the UPF (PSA) node of the PDU session.
S808: The UPF (PSA) node sends an N4 session modification response message to the SMF node.
S809: The SMF node sends an N4 session establishment request message to the target UPF (T-UPF) node.
The SMF node performs the N4 session establishment procedure with the newly selected T-UPF node, i.e. it sends an N4 session establishment request message to the T-UPF node.
S810: The T-UPF node sends an N4 session establishment response message to the SMF node.
S811: The SMF node sends an Nsmf_PDUSession_UpdateSMContext Response message to the T-AMF node.
If the SMF node accepts the PDU session handover, the message includes the N3 UP address, the uplink (UL) CN tunnel identifier and the QoS parameters; if the SMF node does not accept the PDU session handover, the message contains a cause value for the rejection.
S812: The T-AMF node performs PDU handover response supervision.
The T-AMF node supervises the Nsmf_PDUSession_UpdateSMContext Response messages sent by the relevant SMF nodes. When the T-AMF node has received the Nsmf_PDUSession_UpdateSMContext Response messages from all SMF nodes, or its maximum waiting time has expired, the T-AMF continues the N2 handover procedure.
S813: The T-AMF node sends handover request 2 to the T-RAN node.
Handover request 2 contains N2 mobility management (MM) information, N2 SM information, the transparent container passed from the S-RAN node to the target RAN node (which includes information A), a handover restriction list, and a list of PDU sessions not accepted.
The T-RAN node determines, according to information A, that the UP security configuration of its DRB2 is the same as the UP security configuration the source RAN node applies to DRB1. For this step, reference may be made to the description of S703 of the FIG. 7 embodiment above; for brevity it is not repeated here.
S814: The T-RAN node sends a handover request acknowledge message to the T-AMF node.
The handover request acknowledge message contains a transparent container from the T-RAN node to the S-RAN node, which indicates the UP security configuration the target RAN node applies to DRB2. For the specific indication methods, reference may be made to the descriptions above; for brevity they are not repeated here.
The handover request acknowledge message further includes an N2 SM response list, a list of failed PDU sessions, and the SM N3 transport information list of the T-RAN node.
S815: The T-AMF node sends an Nsmf_PDUSession_UpdateSMContext request message to the SMF node.
The message includes the PDU session identifier, the N2 SM response and the T-RAN SM N3 transport information list. For each N2 SM response, the T-AMF node sends the N2 SM response to the SMF node; if there is no new intermediate UPF node, the SMF node stores the N3 tunnel information.
S816: If the SMF node selected a new intermediate UPF node in S806, the SMF node sends an N4 session modification request message to that T-UPF node.
The N4 session modification request message contains the T-RAN SM N3 forwarding information list and, optionally, an indication to allocate a downlink (DL) forwarding tunnel.
S817: The T-UPF node sends an N4 session modification response message to the SMF node.
The N4 session modification response message contains the SM N3 forwarding information list.
S818: The SMF node sends an N4 session modification request message to the source UPF (S-UPF) node.
The N4 session modification request message contains the T-RAN SM N3 forwarding information list or the T-UPF SM N3 forwarding information list, and an indication of the DL forwarding tunnel.
S819: The S-UPF node sends an N4 session modification response message to the SMF node.
The N4 session modification response message contains the S-UPF SM N3 forwarding information list.
S820: The SMF node sends an Nsmf_PDUSession_UpdateSMContext response message containing N2 SM information to the T-AMF node.
S821: The T-AMF node sends a Namf_Communication_CreateUEContext response message to the S-AMF node.
The message contains N2 information, a list of PDU sessions that failed to be set up, and N2 SM information.
S822: N2 handover execution phase.
After receiving the handover confirm message from the UE, the T-RAN node determines, according to the UP security policy, whether to update the UP security activation state of the PDU session for which DAPS is activated.
For a DRB performing DAPS handover, such as DRB2, the T-RAN node may determine UP security activation state 2 from the UP security policy of the PDU session corresponding to DRB2. If it differs from the current UP security activation state 1 of the PDU session, the T-RAN node decides to update the UP security configuration of DRB2. From UP security activation state 2 the T-RAN node determines the UP security configuration to apply to DRB2, i.e. the updated UP security configuration (if the current UP security configuration of DRB1 is UP security configuration 1, the updated UP security configuration may be UP security configuration 2).
Optionally, the UP security activation indication is carried in a resource release message sent to the terminal device, or the UP security activation indication may be carried in another RRC message sent by the T-RAN node to the terminal device. The UP security activation indication indicates UP security configuration 2, i.e. the updated security configuration of DRB2.
After receiving the UP security activation indication, the terminal device updates the UP security configuration of DRB2 according to the UP security activation indication.
Optionally, as an alternative to carrying the UP security activation indication in the resource release message to notify the terminal device to update the UP security configuration, the T-RAN node may trigger an intra-RAN handover procedure to make the terminal device update the security configuration of DRB2.
According to the scheme provided in the embodiments of this application, the target RAN node applies to the DRB the same DRB user plane security configuration as the source RAN node. This reduces the data security risk when the target RAN node and the source RAN node transmit the same data packets, and improves the security of data transmission.
The methods provided in the embodiments of this application have been described in detail above with reference to FIG. 4 to FIG. 8. The apparatuses provided in the embodiments of this application are described in detail below with reference to FIG. 9 to FIG. 12. To implement the functions of the methods provided in the embodiments of this application, each network element may include a hardware structure and/or a software module, and implement the functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Whether a given function is performed by a hardware structure, a software module, or a hardware structure plus a software module depends on the specific application and design constraints of the technical solution.
FIG. 9 is a schematic block diagram of a communication apparatus according to an embodiment of this application. As shown in FIG. 9, the communication apparatus 900 may include a transceiver unit 920.
In one possible design, the communication apparatus 900 may correspond to the terminal device in the method embodiments above, or to a chip configured in (or used for) the terminal device, or to another apparatus, module, circuit or unit capable of implementing the method of the terminal device.
It should be understood that the communication apparatus 900 may correspond to the terminal device in methods 400 to 800 according to the embodiments of this application, and may include units for performing the methods performed by the terminal device in methods 400 to 800 of FIG. 4 to FIG. 8. The units of the communication apparatus 900 and the other operations and/or functions described above are intended to implement the corresponding flows of methods 400 to 800 in FIG. 4 to FIG. 8.
Optionally, the communication apparatus 900 may further include a processing unit 910, which may be used to process instructions or data to implement the corresponding operations.
It should also be understood that when the communication apparatus 900 is a chip configured in (or used for) the terminal device, the transceiver unit 920 of the communication apparatus 900 may be an input/output interface or circuit of the chip, and the processing unit 910 of the communication apparatus 900 may be a processor in the chip.
Optionally, the communication apparatus 900 may further include a storage unit 930 for storing instructions or data; the processing unit 910 may execute the instructions or data stored in the storage unit so that the communication apparatus implements the corresponding operations.
It should be understood that the transceiver unit 920 of the communication apparatus 900 may be implemented by a communication interface (such as a transceiver or an input/output interface), and may for example correspond to the transceiver 1010 of the terminal device 1000 shown in FIG. 10. The processing unit 910 of the communication apparatus 900 may be implemented by at least one processor, and may for example correspond to the processor 1020 of the terminal device 1000 shown in FIG. 10; the processing unit 910 may also be implemented by at least one logic circuit. The storage unit 930 of the communication apparatus 900 may correspond to the memory of the terminal device 1000 shown in FIG. 10.
It should also be understood that the specific processes by which the units perform the corresponding steps have been described in detail in the method embodiments above and, for brevity, are not repeated here.
In another possible design, the communication apparatus 900 may correspond to the access network node in the method embodiments above, or to a chip configured in (or used for) the access network node, or to another apparatus, module, circuit or unit capable of implementing the method of the access network node.
It should be understood that the communication apparatus 900 may correspond to the source RAN node or the target RAN node in methods 400 to 800 according to the embodiments of this application, and may include units for performing the methods performed by the source RAN node or the target RAN node in methods 400 to 800 of FIG. 4 to FIG. 8. The units of the communication apparatus 900 and the other operations and/or functions described above are intended to implement the corresponding flows of methods 400 to 800 in FIG. 4 to FIG. 8.
Optionally, the communication apparatus 900 may further include a processing unit 910, which may be used to process instructions or data to implement the corresponding operations.
It should also be understood that when the communication apparatus 900 is a chip configured in (or used for) the access network device, the transceiver unit 920 of the communication apparatus 900 may be an input/output interface or circuit of the chip, and the processing unit 910 of the communication apparatus 900 may be a processor in the chip.
Optionally, the communication apparatus 900 may further include a storage unit 930 for storing instructions or data; the processing unit 910 may execute the instructions or data stored in the storage unit so that the communication apparatus implements the corresponding operations.
It should be understood that when the communication apparatus 900 is an access network device, the transceiver unit 920 of the communication apparatus 900 may be implemented by a communication interface (such as a transceiver or an input/output interface), and may for example correspond to the transceiver 1110 of the access network device 1100 shown in FIG. 11. The processing unit 910 of the communication apparatus 900 may be implemented by at least one processor, and may for example correspond to the processor 1120 of the access network device 1100 shown in FIG. 11; the processing unit 910 may also be implemented by at least one logic circuit.
It should also be understood that the specific processes by which the units perform the corresponding steps have been described in detail in the method embodiments above and, for brevity, are not repeated here.
In another possible design, the communication apparatus 900 may correspond to the AMF node in the method embodiments above, or to a chip configured in (or used for) the AMF node, or to another apparatus, module, circuit or unit capable of implementing the method of the AMF node.
It should be understood that the communication apparatus 900 may correspond to the AMF node in methods 400 to 800 according to the embodiments of this application, and may include units for performing the methods performed by the AMF node in methods 400 to 800 of FIG. 4 to FIG. 8. The units of the communication apparatus 900 and the other operations and/or functions described above are intended to implement the corresponding flows of methods 400 to 800 in FIG. 4 to FIG. 8.
Optionally, the communication apparatus 900 may further include a processing unit 910, which may be used to process instructions or data to implement the corresponding operations.
It should also be understood that when the communication apparatus 900 is a chip configured in (or used for) the AMF node, the transceiver unit 920 of the communication apparatus 900 may be an input/output interface or circuit of the chip, and the processing unit 910 of the communication apparatus 900 may be a processor in the chip.
Optionally, the communication apparatus 900 may further include a storage unit 930 for storing instructions or data; the processing unit 910 may execute the instructions or data stored in the storage unit so that the communication apparatus implements the corresponding operations.
It should be understood that when the communication apparatus 900 is an AMF node, the transceiver unit 920 of the communication apparatus 900 may be implemented by a communication interface (such as a transceiver or an input/output interface), and may for example correspond to the transceiver 1210 of the AMF node 1200 shown in FIG. 12. The processing unit 910 of the communication apparatus 900 may be implemented by at least one processor, and may for example correspond to the processor 1220 of the AMF node 1200 shown in FIG. 12; the processing unit 910 may also be implemented by at least one logic circuit.
It should also be understood that the specific processes by which the units perform the corresponding steps have been described in detail in the method embodiments above and, for brevity, are not repeated here.
FIG. 10 is a schematic structural diagram of a terminal device 1000 according to an embodiment of this application. The terminal device 1000 may be applied in the system shown in FIG. 1 to perform the functions of the terminal device in the method embodiments above. As shown, the terminal device 1000 includes a processor 1020 and a transceiver 1010. Optionally, the terminal device 1000 further includes a memory. The processor 1020, the transceiver 1010 and the memory may communicate with each other through internal connection paths to pass control and/or data signals. The memory is used to store a computer program, and the processor 1020 is used to execute the computer program in the memory to control the transceiver 1010 to transmit and receive signals.
The processor 1020 and the memory may be combined into one processing apparatus, with the processor 1020 executing the program code stored in the memory to implement the functions above. In a specific implementation, the memory may be integrated into the processor 1020 or be independent of the processor 1020. The processor 1020 may correspond to the processing unit in FIG. 9.
The transceiver 1010 may correspond to the transceiver unit in FIG. 9. The transceiver 1010 may include a receiver (also called a receiving machine or receiving circuit) and a transmitter (also called a transmitting machine or transmitting circuit), where the receiver is used to receive signals and the transmitter is used to transmit signals.
It should be understood that the terminal device 1000 shown in FIG. 10 can implement the processes involving the terminal device in the method embodiments shown in FIG. 4 to FIG. 8. The operations and/or functions of the modules of the terminal device 1000 are intended to implement the corresponding flows of the method embodiments above. For details, refer to the descriptions in the method embodiments above; to avoid repetition, detailed description is omitted here where appropriate.
The processor 1020 may be used to perform the actions implemented internally by the terminal device as described in the method embodiments above, and the transceiver 1010 may be used to perform the actions of transmitting to or receiving from the network device described in the method embodiments above. For details, see the descriptions in the method embodiments above; they are not repeated here.
Optionally, the terminal device 1000 may further include a power supply for supplying power to the various components or circuits in the terminal device.
In addition, to make the functions of the terminal device more complete, the terminal device 1000 may further include input/output apparatuses, such as one or more of an input unit, a display unit, an audio circuit, a camera and sensors, and the audio circuit may further include a speaker, a microphone, and so on.
FIG. 11 is a schematic structural diagram of a network device according to an embodiment of this application. The network device 1100 may be applied in the system shown in FIG. 1 to perform the functions of the access network node (for example, the source RAN node or the target RAN node) in the method embodiments above.
It should be understood that the network device 1100 shown in FIG. 11 can implement the processes involving the source RAN node or the target RAN node in the method embodiments shown in FIG. 4 to FIG. 8. The operations and/or functions of the modules of the network device 1100 are intended to implement the corresponding flows of the method embodiments above. For details, refer to the descriptions in the method embodiments above; to avoid repetition, detailed description is omitted here where appropriate.
It should be understood that the network device 1100 shown in FIG. 11 may be an eNB or a gNB; optionally, the network device may be a network device comprising a central unit (CU), a distributed unit (DU) and an active antenna unit (AAU), and optionally the CU may be further divided into a CU-CP and a CU-UP. This application does not limit the specific architecture of the network device.
It should be understood that the network device 1100 shown in FIG. 11 may be a CU node or a CU-CP node.
FIG. 12 is a schematic structural diagram of a communication device 1200 according to an embodiment of this application. The network device 1200 may be applied in the system shown in FIG. 1 to perform the functions of the AMF node in the method embodiments above. The communication device 1200 may include a transceiver 1210, a processor 1220 and a memory 1230.
It should be understood that the communication device 1200 shown in FIG. 12 can implement the processes involving the AMF node in the method embodiments shown in FIG. 4 to FIG. 8. The operations and/or functions of the modules of the communication device 1200 are intended to implement the corresponding flows of the method embodiments above. For details, refer to the descriptions in the method embodiments above; to avoid repetition, detailed description is omitted here where appropriate.
An embodiment of this application further provides a processing apparatus including a processor and a (communication) interface, the processor being configured to perform the method in any of the method embodiments above.
It should be understood that the processing apparatus may be one or more chips. For example, the processing apparatus may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD) or another integrated chip.
According to the methods provided in the embodiments of this application, this application further provides a computer program product including computer program code which, when executed by one or more processors, causes an apparatus including the processor(s) to perform the methods in the embodiments shown in FIG. 4 to FIG. 8.
The technical solutions provided in the embodiments of this application may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented by software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of this application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, a terminal device, a core network device, a machine learning device or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired (for example coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (for example infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data centre integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a digital video disc (DVD)), a semiconductor medium, or the like.
According to the methods provided in the embodiments of this application, this application further provides a computer-readable storage medium storing program code which, when run by one or more processors, causes an apparatus including the processor(s) to perform the methods in the embodiments shown in FIG. 4 to FIG. 8.
According to the methods provided in the embodiments of this application, this application further provides a system including one or more of the network devices described above. The system may further include one or more of the terminal devices described above.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purposes of the solutions of the embodiments.
The foregoing are merely specific implementations of this application, but the scope of protection of this application is not limited thereto. Any person skilled in the art can readily conceive of variations or substitutions within the technical scope disclosed in this application, and all of these shall be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.
Claims (35)
- A security configuration method in a handover scenario, characterized in that it comprises: a target access network node receiving a first message, the first message indicating that a terminal device is to be handed over from a source access network node to the target access network node, wherein the first message includes first information indicating that the same data radio bearer user plane security configuration as that of the source access network node is to be used; and the target access network node sending a response message to the first message, the response message including second information indicating a user plane security configuration of a second data radio bearer of the target access network node, wherein the user plane security configuration of the second data radio bearer of the target access network node is the same as the user plane security configuration of a first data radio bearer of the source access network node.
- The method according to claim 1, characterized in that the second data radio bearer is the data radio bearer that the first data radio bearer becomes after being handed over from the source access network node to the target access network node.
- The method according to claim 1 or 2, characterized in that the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, the dual active protocol stack handover indication indicating that the first data radio bearer uses dual active protocol stack handover.
- The method according to claim 3, characterized in that the first message includes the user plane security configuration of the first data radio bearer, and the method further comprises: the target access network node determining, according to the dual active protocol stack handover indication, that the user plane security configuration of the second data radio bearer is the same as the user plane security configuration of the first data radio bearer; and the target access network node configuring, according to the user plane security configuration of the first data radio bearer, the user plane security of the second data radio bearer, or the user plane security of the data radio bearers in the protocol data unit session corresponding to the second data radio bearer.
- The method according to claim 1 or 2, characterized in that the first information includes a user plane security activation state, the user plane security activation state indicating the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
- The method according to claim 5, characterized in that the method further comprises: the target access network node determining the user plane security configuration of the second data radio bearer according to the user plane security activation state.
- The method according to claim 6, characterized in that the first message includes the user plane security configuration of the first data radio bearer, and the method further comprises: the target access network node comparing the user plane security configuration of the second data radio bearer with the user plane security configuration of the first data radio bearer; if the comparison result is different, the second information includes the user plane security configuration of the second data radio bearer; if the comparison result is the same, the second information indicates that the same user plane security configuration as the first data radio bearer is used for the second data radio bearer.
- The method according to any one of claims 1 to 7, characterized in that the first message includes a first user plane security policy, the first user plane security policy being the user plane security policy of the first data radio bearer, or the first user plane security policy being the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
- The method according to claim 8, characterized in that the first user plane security policy indicates that security protection is preferred.
- The method according to any one of claims 1 to 9, characterized in that the second information indicates that the same user plane security configuration as the first data radio bearer of the source access network node is used for the second data radio bearer of the target access network node, or the second information includes the user plane security configuration of the second data radio bearer.
- The method according to any one of claims 1 to 10, characterized in that the method further comprises: after the target access network node receives a radio resource control reconfiguration complete message from the terminal device, the target access network node updating the user plane security configuration of the second data radio bearer according to a second user plane security policy, wherein the second user plane security policy is the user plane security policy of the second data radio bearer of the target access network node or the user plane security policy of the protocol data unit session corresponding to the second data radio bearer.
- The method according to any one of claims 1 to 11, characterized in that the method further comprises: the target access network node sending the updated user plane security configuration of the second data radio bearer of the target access network node to the terminal device.
- The method according to claim 12, characterized in that the updated user plane security configuration is carried in a resource release message.
- The method according to any one of claims 1 to 13, characterized in that the first message comes from the source access network node and the target access network node sending the response message comprises: the target access network node sending the response message to the source access network node; or the first message comes from a core network node and the target access network node sending the response message comprises: the target access network node sending the response message to the core network node.
- A security configuration method in a handover scenario, characterized in that it comprises: a source access network node sending a first message, the first message indicating that a terminal device is to be handed over from the source access network node to a target access network node, wherein the first message includes first information indicating that the same data radio bearer user plane security configuration as that of the source access network node is to be used; and the source access network node receiving a response message to the first message, the response message including second information indicating a user plane security configuration of a second data radio bearer of the target access network node, wherein the user plane security configuration of the second data radio bearer of the target access network node is the same as the user plane security configuration of a first data radio bearer of the source access network node.
- The method according to claim 15, characterized in that the second data radio bearer is the data radio bearer that the first data radio bearer becomes after being handed over from the source access network node to the target access network node.
- The method according to claim 15 or 16, characterized in that the method further comprises: the source access network node sending a second message to the terminal device, the second message indicating that the terminal device is to be handed over from the source access network node to the target access network node, the second message including the second information.
- The method according to any one of claims 15 to 17, characterized in that the first information includes identification information of the first data radio bearer and a dual active protocol stack handover indication, the dual active protocol stack handover indication indicating that the first data radio bearer uses dual active protocol stack handover.
- The method according to any one of claims 15 to 17, characterized in that the first information includes a user plane security activation state, the user plane security activation state indicating the user plane security activation state of the first data radio bearer or the user plane security activation state of the protocol data unit session corresponding to the first data radio bearer.
- The method according to claim 19, characterized in that the method further comprises: when it is determined that the first data radio bearer uses dual active protocol stack handover, the source access network node determining that the first message includes the first information.
- The method according to any one of claims 15 to 20, characterized in that the first message includes the user plane security configuration of the first data radio bearer, and/or the first message includes the first user plane security policy, the first user plane security policy being the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
- The method according to claim 21, characterized in that the first user plane security policy indicates that security protection is preferred.
- The method according to any one of claims 15 to 22, characterized in that the method further comprises: when the first user plane security policy indicates that security protection is preferred, the source access network node determining that the first message includes the first information, wherein the first user plane security policy is the user plane security policy of the first data radio bearer or the user plane security policy of the protocol data unit session corresponding to the first data radio bearer.
- The method according to any one of claims 15 to 23, characterized in that the second information indicates that the same user plane security configuration as the first data radio bearer of the source access network node is used for the second data radio bearer of the target access network node, or the second information includes the user plane security configuration of the second data radio bearer.
- The method according to any one of claims 15 to 24, characterized in that the response message comes from the target access network node and the source access network node sending the first message comprises: the source access network node sending the first message to the target access network node; or the response message comes from a core network node and the source access network node sending the first message comprises: the source access network node sending the first message to the core network node.
- A security configuration method in a handover scenario, characterized in that it comprises: a terminal device receiving a radio resource configuration message from a source access network device, the radio resource configuration message including second information indicating a user plane security configuration of a second data radio bearer of the target access network node, wherein the user plane security configuration of the second data radio bearer is the same as the user plane security configuration of a first data radio bearer of the source access network node; and the terminal device receiving a resource release message from the target access network node, the resource release message including third information indicating an updated user plane security configuration of the second data radio bearer of the target access network node.
- The method according to claim 26, characterized in that the second information indicates that the same user plane security configuration as the first data radio bearer of the source access network node is used for the second data radio bearer of the target access network node, or the second information includes the user plane security configuration of the second data radio bearer.
- A communication apparatus, characterized in that it comprises a processor and a memory, the memory being coupled to the processor, the processor being configured to perform the method according to any one of claims 1 to 14.
- A communication apparatus, characterized in that it comprises a processor and a memory, the memory being coupled to the processor, the processor being configured to perform the method according to any one of claims 15 to 25.
- A communication apparatus, characterized in that it comprises a processor and a memory, the memory being coupled to the processor, the processor being configured to perform the method according to claim 26 or 27.
- The apparatus according to claim 30, characterized in that the communication apparatus is configured in a terminal device, or the communication apparatus is a terminal device.
- A computer-readable storage medium, characterized in that it includes a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 27.
- A chip, characterized in that it includes at least one processor and a communication interface, the processor using the communication interface to perform the method according to any one of claims 1 to 27.
- A computer program product, characterized in that the computer program product includes a computer program which, when run, causes a computer to perform the method according to any one of claims 1 to 27.
- A program product, characterized in that the program product includes a computer program stored in a readable storage medium, at least one processor of a communication apparatus being able to read the computer program from the readable storage medium, and the at least one processor executing the computer program so that the communication apparatus implements the method according to any one of claims 1 to 14, or the method according to any one of claims 15 to 25, or the method according to any one of claims 26 to 27.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22794396.6A EP4319046A4 (en) | 2021-04-29 | 2022-03-17 | SAFETY CONFIGURATION PROCEDURE AND COMMUNICATION DEVICE IN A SWITCHING SCENE |
US18/495,995 US20240056907A1 (en) | 2021-04-29 | 2023-10-27 | Security configuration method in handover scenario and communication apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110489097.7A CN115277035A (zh) | 2021-04-29 | 2021-04-29 | Security configuration method and communication apparatus in handover scenario |
CN202110489097.7 | 2021-04-29 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/495,995 Continuation US20240056907A1 (en) | 2021-04-29 | 2023-10-27 | Security configuration method in handover scenario and communication apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022227919A1 true WO2022227919A1 (zh) | 2022-11-03 |
Family
ID=83745392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/081556 WO2022227919A1 (zh) | 2021-04-29 | 2022-03-17 | Security configuration method and communication apparatus in handover scenario |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240056907A1 (zh) |
EP (1) | EP4319046A4 (zh) |
CN (1) | CN115277035A (zh) |
WO (1) | WO2022227919A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230319653A1 (en) * | 2022-03-29 | 2023-10-05 | T-Mobile Innovations Llc | Wireless data service delivery to a wireless ue based on a security policy for the wireless ue |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1937840A (zh) * | 2005-09-19 | 2007-03-28 | Huawei Technologies Co., Ltd. | Method and apparatus for obtaining security association information during mobile terminal handover |
CN109600339A (zh) * | 2017-09-30 | 2019-04-09 | Huawei Technologies Co., Ltd. | Communication method, apparatus and system |
CN110167018A (zh) * | 2018-02-11 | 2019-08-23 | Huawei Technologies Co., Ltd. | Security protection method, apparatus and access network device |
CN110831007A (zh) * | 2018-08-10 | 2020-02-21 | Huawei Technologies Co., Ltd. | User plane integrity protection method, apparatus and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10757754B2 (en) * | 2016-10-27 | 2020-08-25 | Qualcomm Incorporated | Techniques for securing PDCP control PDU |
2021
- 2021-04-29 CN CN202110489097.7A patent/CN115277035A/zh active Pending
2022
- 2022-03-17 EP EP22794396.6A patent/EP4319046A4/en active Pending
- 2022-03-17 WO PCT/CN2022/081556 patent/WO2022227919A1/zh active Application Filing
2023
- 2023-10-27 US US18/495,995 patent/US20240056907A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP4319046A4 |
Also Published As
Publication number | Publication date |
---|---|
EP4319046A4 (en) | 2024-09-04 |
CN115277035A (zh) | 2022-11-01 |
US20240056907A1 (en) | 2024-02-15 |
EP4319046A1 (en) | 2024-02-07 |
Similar Documents
Publication | Title |
---|---|
US20200120570A1 (en) | Method for performing handover in wireless communication system and apparatus therefor |
EP3735018B1 (en) | Security negotiation method and apparatus |
WO2019184832A1 (zh) | Key generation method and related apparatus |
KR101868713B1 (ko) | Controlled credential provisioning between user devices |
WO2019184651A1 (zh) | Communication method and apparatus |
US10812973B2 (en) | System and method for communicating with provisioned security protection |
KR20210066855A (ko) | 3GPP private LANs |
WO2020135850A1 (zh) | Communication method and apparatus |
WO2020253551A1 (zh) | Communication method and communication apparatus |
WO2018227638A1 (zh) | Communication method and apparatus |
WO2015113207A1 (zh) | Security key change method, base station and user equipment |
JP7286785B2 (ja) | Protocol data unit session establishment |
CN116233564A (zh) | Method and apparatus for transmitting multicast service |
US20220303763A1 (en) | Communication method, apparatus, and system |
WO2018166338A1 (zh) | Key update method and apparatus |
EP4016949A1 (en) | Communication method and device |
US20240056907A1 (en) | Security configuration method in handover scenario and communication apparatus |
WO2022199451A1 (zh) | Session switching method and apparatus |
CN110167019A (zh) | Communication method and apparatus |
WO2023020481A1 (zh) | Method and apparatus for transmitting data |
WO2021238813A1 (zh) | Key acquisition method and apparatus |
WO2022252964A1 (zh) | Service transfer method and apparatus |
AU2022305545A1 (en) | Communication mode switching method and related apparatus |
WO2021201729A1 (en) | Faster release or resume for ue in inactive state |
WO2023213209A1 (zh) | Key management method and communication apparatus |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22794396; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 2022794396; Country of ref document: EP |
ENP | Entry into the national phase | Ref document number: 2022794396; Country of ref document: EP; Effective date: 20231026 |
NENP | Non-entry into the national phase | Ref country code: DE |