WO2023061275A1 - Communication authorization method and apparatus, network element and storage medium - Google Patents


Info

Publication number
WO2023061275A1
Authority
WO
WIPO (PCT)
Prior art keywords
pin element
pin
communication
policy
data packet
Application number
PCT/CN2022/124026
Other languages
French (fr)
Chinese (zh)
Inventor
李欢
吴晓波
谢振华
Original Assignee
维沃移动通信有限公司

Classifications

    • H04W 12/08: Electricity; Electric communication technique; Wireless communication networks; Security arrangements, authentication, protecting privacy or anonymity; Access security
    • H04W 28/10: Electricity; Electric communication technique; Wireless communication networks; Network traffic management, network resource management; Traffic management, e.g. flow control or congestion control; Flow control between communication endpoints

Abstract

The present application relates to the technical field of communications, and provides a communication authorization method and apparatus, a network element, and a storage medium. The communication authorization method in the embodiments of the present application comprises: a first network element acquiring policy information, the policy information comprising a communication policy of a first PIN element; and the first network element performing authorization control, according to the policy information, on a data packet associated with the first PIN element.

Description

Communication authorization method, apparatus, network element and storage medium
Cross-reference to related applications
This application claims priority to Chinese patent application No. 202111188003.9, filed in China on October 12, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present application belongs to the field of communication technology, and in particular relates to a communication authorization method, apparatus, network element and storage medium.
Background
The 3rd Generation Partnership Project (3GPP) has introduced the concept of the Personal IoT Network (PIN). A PIN is a group consisting of at least one PIN element, where a PIN element is a terminal or a non-3GPP device. PIN elements in the same PIN can communicate with each other over a direct connection between them, or indirectly through a communication network.
Summary of the invention
Embodiments of the present application provide a communication authorization method, apparatus, network element and storage medium, so as to ensure the security of communication between devices.
In a first aspect, an embodiment of the present application provides a communication authorization method, including:
a first network element acquires policy information, the policy information including a communication policy of a first PIN element; and
the first network element performs authorization control, according to the policy information, on data packets associated with the first PIN element.
In this way, data packets associated with the PIN element are subjected to authorization control according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a second aspect, an embodiment of the present application provides a communication authorization method, including:
a second network element acquires a first communication policy of a first personal IoT network (PIN) element; and
the second network element sends policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
In this way, the second network element sends policy information to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a third aspect, an embodiment of the present application provides a communication authorization apparatus, including:
an acquisition module, configured to acquire policy information, the policy information including a communication policy of a first personal IoT network (PIN) element; and
a control module, configured to perform authorization control on data packets associated with the first PIN element according to the policy information.
In this way, data packets associated with the PIN element are subjected to authorization control according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a fourth aspect, an embodiment of the present application provides a communication authorization apparatus, including:
an acquisition module, configured to acquire a first communication policy of a first personal IoT network (PIN) element; and
a sending module, configured to send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
In this way, the communication authorization apparatus sends policy information to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a fifth aspect, an embodiment of the present application provides a network element, the network element being a first network element and including a memory, a processor, and a program or instructions stored in the memory and executable on the processor, where the program or instructions, when executed by the processor, implement the steps of the communication authorization method on the first network element side provided by the embodiments of the present application.
In this way, authorization control of data packets associated with the PIN element according to the policy information can be implemented, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a sixth aspect, an embodiment of the present application provides a network element, the network element being a first network element and including a processor and a communication interface, where the processor or the communication interface is configured to: acquire policy information, the policy information including a communication policy of a first PIN element; and perform authorization control on data packets associated with the first PIN element according to the policy information.
In this way, authorization control of data packets associated with the PIN element according to the policy information can be implemented, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a seventh aspect, an embodiment of the present application provides a network element, the network element being a second network element and including a memory, a processor, and a program or instructions stored in the memory and executable on the processor, where the program or instructions, when executed by the processor, implement the steps of the communication authorization method on the second network element side provided by the embodiments of the present application.
In this way, policy information can be sent to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In an eighth aspect, an embodiment of the present application provides a network element, the network element being a second network element and including a processor and a communication interface, where the processor or the communication interface is configured to: acquire a first communication policy of a first personal IoT network (PIN) element; and send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
In this way, policy information can be sent to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a ninth aspect, the embodiments of the present application provide a readable storage medium storing a program or instructions, where the program or instructions, when executed by a processor, implement the steps of the communication authorization method on the first network element side provided by the embodiments of the present application, or, when executed by a processor, implement the steps of the communication authorization method on the second network element side provided by the embodiments of the present application.
In this way, authorization control of data packets associated with the PIN element according to the policy information can be implemented, which prevents communication between devices that have no communication permission and ensures the security of communication between devices. Alternatively, policy information can be sent to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which likewise prevents communication between devices that have no communication permission and ensures the security of communication between devices.
In a tenth aspect, a computer program product is provided, the computer program product being stored in a storage medium and executed by at least one processor to implement the steps of the communication authorization method on the first network element side provided by the embodiments of the present application, or executed by at least one processor to implement the steps of the communication authorization method on the second network element side provided by the embodiments of the present application.
In an eleventh aspect, a communication device is provided, configured to execute the communication authorization method on the first network element side provided by the embodiments of the present application, or configured to execute the communication authorization method on the second network element side provided by the embodiments of the present application.
In this way, authorization control of data packets associated with the PIN element according to the policy information can be implemented, which prevents communication between devices that have no communication permission and ensures the security of communication between devices. Alternatively, policy information can be sent to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, which likewise prevents communication between devices that have no communication permission and ensures the security of communication between devices.
Brief description of the drawings
Fig. 1 is a block diagram of a wireless communication system to which an embodiment of the present application is applicable;
Fig. 2 is a flowchart of a communication authorization method provided by an embodiment of the present application;
Fig. 3 is a flowchart of another communication authorization method provided by an embodiment of the present application;
Fig. 4 is a schematic diagram of a communication authorization provided by an embodiment of the present application;
Fig. 5 is a schematic diagram of another communication authorization provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of another communication authorization provided by an embodiment of the present application;
Fig. 7 is a schematic diagram of another communication authorization provided by an embodiment of the present application;
Fig. 8 is a schematic diagram of another communication authorization provided by an embodiment of the present application;
Fig. 9 is a structural diagram of a communication authorization apparatus provided by an embodiment of the present application;
Fig. 10 is a structural diagram of another communication authorization apparatus provided by an embodiment of the present application;
Fig. 11 is a structural diagram of a communication device provided by an embodiment of the present application;
Fig. 12 is a structural diagram of a first network element provided by an embodiment of the present application;
Fig. 13 is a structural diagram of a second network element provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application will be described clearly below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application fall within the scope of protection of the present application.
The terms "first", "second" and the like in the specification and claims of the present application are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that terms so used are interchangeable where appropriate, so that the embodiments of the present application can be implemented in orders other than those illustrated or described here, and that the objects distinguished by "first" and "second" are usually of one category, without limiting the number of objects; for example, there may be one first object or several. In addition, "and/or" in the specification and claims denotes at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the associated objects.
Fig. 1 is a block diagram of a wireless communication system to which an embodiment of the present application is applicable. The wireless communication system includes a PIN, a radio access network (RAN) and a core network.
The PIN includes at least one PIN element, and a PIN element is a terminal or a non-3GPP device. A non-3GPP device is a device that does not use 3GPP-defined credentials, a device that does not support the 3GPP-defined Non-Access-Stratum (NAS) protocol, or a device that does not support 3GPP access technologies (such as 3G/4G/5G air-interface technologies) and supports only non-3GPP access technologies (such as Wireless Fidelity (WiFi), fixed network, Bluetooth and other access technologies).
In addition, a PIN may contain one or more PIN elements with gateway capability. The PIN elements in the PIN can communicate with each other; for example, they can communicate over a direct connection between them, or indirectly through a communication network. A PIN element in the PIN can also communicate with other devices outside the PIN. In that case, the communication data between the PIN element in the PIN and the device outside the PIN can be forwarded through the PIN element with gateway capability.
A terminal may also be called a terminal device or user equipment (UE). The terminal may be a mobile phone, a tablet personal computer, a laptop computer (also called a notebook computer), a personal digital assistant (PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device, vehicle user equipment (VUE), pedestrian user equipment (PUE), a smart home device (household equipment with wireless communication capability, such as a refrigerator, television, washing machine or furniture) or another terminal-side device; wearable devices include smart watches, smart wristbands, smart earphones, smart glasses, smart jewelry (smart bangles, smart bracelets, smart rings, smart necklaces, smart anklets, smart ankle chains, etc.), smart wrist straps, smart clothing, game consoles, etc. It should be noted that the embodiments of the present application do not limit the specific type of terminal.
It should be pointed out that the radio access network described in the embodiments of the present application is not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-A) systems and may also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency-Division Multiple Access (SC-FDMA) and other systems. The terms "system" and "network" are often used interchangeably in the embodiments of the present application; the described techniques may be used both for the systems and radio technologies mentioned above and for other systems and radio technologies, such as non-3GPP access systems (for example, wireless local area network (WLAN), fixed access systems, Bluetooth, etc.). The following description uses the New Radio (NR) system for purposes of example and uses NR terminology in most of what follows, but these techniques may also be applied beyond NR systems, for example to 6th generation (6G) communication systems.
The core network may include a session management function (SMF), an access and mobility management function (AMF), a user plane function (UPF), a policy control function (PCF) and unified data management (UDM). In the embodiments of the present application, the core network may further include an access policy function (Access Right Function, ARF). The ARF may exist independently, or may be co-located with or implemented by another core network element; for example, the PCF or the UDM may support the functions of the ARF described in the embodiments of the present application.
In the embodiments of the present application, a PIN element may also be called a PIN device. For example, a user's mobile phone, the printer at home and a sweeping robot are all PIN elements, and together they form a PIN. The phone can communicate with the printer to specify the files to print. The phone can also communicate with the sweeping robot to set up and run a cleaning plan.
The existing communication mechanism carries a risk: other devices outside the PIN, or other devices within the PIN, may also send print commands to the printer or cleaning commands to the sweeping robot. If an application program is used to control communication permissions, then when the application is attacked the communication permissions may be compromised, so that an unauthorized UE accesses a PIN element and disrupts the normal communication between the PIN elements in the PIN, for example by making the printer or the sweeping robot perform a task it should not. Therefore, the embodiments of the present application propose an authorization method for inter-device communication, which ensures that communication between devices can proceed only in an authorized state.
The communication authorization method, apparatus, network element and storage medium provided by the embodiments of the present application are described in detail below through several embodiments and their application scenarios, with reference to the accompanying drawings.
Refer to Fig. 2, which is a flowchart of a communication authorization method provided by an embodiment of the present application. As shown in Fig. 2, the method includes the following steps:
Step 201: a first network element acquires policy information, the policy information including a communication policy of a first PIN element.
In the embodiments of the present application, the first network element may be one of the following:
a UPF, the first PIN element, or a target PIN element;
where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
The first network element acquiring the policy information may mean that the first network element receives the policy information from a second network element; for example, the first network element receives the policy information from an AMF or an SMF.
The first PIN element may be one or more PIN elements in the PIN.
The communication policy of the first PIN element may include at least one of a bidirectional communication policy and a unidirectional communication policy of the first PIN element. The bidirectional communication policy includes description information of the PIN elements that may communicate with each other.
In the embodiments of the present application, the description information of a PIN element may include at least one of the following:
the Internet Protocol (IP) address of the PIN element;
the Medium Access Control (MAC) address of the PIN element;
the identifier of the PIN element;
the Virtual Local Area Network (VLAN) identifier used by data packets sent by the PIN element;
the User Datagram Protocol (UDP) port number used by data packets sent by the PIN element.
The identifier of a PIN element includes, but is not limited to, an external identifier, for example a Generic Public Subscription Identifier (GPSI), a Fully Qualified Domain Name (FQDN), an International Mobile Subscriber Identification Number (IMSI), a Subscription Permanent Identifier (SUPI), a Subscription Concealed Identifier (SUCI), a temporary user identifier, or an identifier that is unique within the PIN.
The unidirectional communication policy indicates to which PIN elements the first PIN element may send data packets, or from which PIN elements the first PIN element may receive data packets. Specifically, the unidirectional communication policy may include the description information of those PIN elements.
It should be noted that, in the embodiments of the present application, the communication policy of the first PIN element may also be called the access right or access policy of the first PIN element, that is, the policy controls the communication behaviour of PIN elements or other devices that access the first PIN element. The description information of a PIN element may also be called the indication information or the identification information of the PIN element.
Step 202: the first network element performs authorization control, according to the policy information, on data packets associated with the first PIN element.
A data packet associated with the first PIN element may be a data packet whose destination address indicates the first PIN element. A data packet whose destination address indicates the first PIN element may be one whose destination IP address is the IP address of the first PIN element, whose destination MAC address is the MAC address of the first PIN element, or whose packet header carries the identifier of the first PIN element to indicate that the destination of the packet is the first PIN element. Through the above steps, authorization control of data packets whose destination address indicates the first PIN element is achieved. Performing authorization control on the data packets associated with the first PIN element may mean sending, receiving or discarding those data packets according to the communication policy of the first PIN element.
In some implementations, a data packet associated with the first PIN element may also be a data packet whose source address indicates the first PIN element, that is, a packet whose source IP address is the IP address of the first PIN element, whose source MAC address is the MAC address of the first PIN element, or whose packet header carries the identifier of the first PIN element to indicate that the packet originates from the first PIN element. Through the above steps, authorization control of data packets whose source address indicates the first PIN element is achieved. Here, performing authorization control on a data packet associated with the first PIN element may mean determining whether the packet may be sent to the device indicated by its destination address. For example, if the destination address of the packet indicates a second PIN element, and the communication policy allows the first PIN element to communicate with the second PIN element, or allows the first PIN element to send data packets to the second PIN element, the packet is forwarded; otherwise, the packet is discarded.
Performing authorization control on the data packets associated with the first PIN element may thus mean sending, receiving or discarding those data packets according to the communication policy of the first PIN element, as determined by that policy.
本申请实施例通过上述步骤可以实现根据策略信息对PIN元素关联的数据包进行授权控制,从而避免了无通信权限的设备之间的通信,保证了设备间的通信安全,防止PIN元素遭到其他无通信权限设备的攻击。Through the above steps, the embodiment of the present application can realize the authorization control of the data packets associated with the PIN element according to the policy information, thereby avoiding the communication between devices without communication authority, ensuring the communication security between the devices, and preventing the PIN element from being attacked by others. Attacks on devices without communication permissions.
As a possible implementation, performing authorization control on the data packet associated with the first PIN element includes at least one of the following:
sending a first data packet associated with the first PIN element to the first PIN element;
discarding a second data packet associated with the first PIN element;
receiving a third data packet associated with the first PIN element.
Sending the first data packet associated with the first PIN element to the first PIN element may consist of forwarding the first data packet associated with the first PIN element to the first PIN element. For example, the first network element is a UPF, which forwards the first data packet associated with the first PIN element to the first PIN element. The first data packet may be forwarded to the first PIN element through the session channel of the first PIN element, or it may be forwarded to the PIN to which the first PIN element belongs, for example to the PIN element with gateway capability in the PIN to which the first PIN element belongs.
Discarding the second data packet associated with the first PIN element may consist of, upon receiving the second data packet, discarding it or not forwarding it to the first PIN element.
Receiving the third data packet associated with the first PIN element may consist of the first PIN element receiving the third data packet in accordance with the above communication policy.
In the case of sending the first data packet associated with the first PIN element to the first PIN element, the first network element may include a UPF or the above target PIN element;
in the case of discarding the second data packet associated with the first PIN element, the first network element may include a UPF, the first PIN element or the target PIN element;
in the case of receiving the third data packet associated with the first PIN element, the first network element may include a UPF, the first PIN element or the target PIN element.
In this implementation, the security of the PIN element can be improved by sending, discarding or receiving data packets as described above.
Optionally, sending the first data packet associated with the first PIN element to the first PIN element includes:
in the case where the communication policy of the first PIN element includes a communication policy that allows the first PIN element to receive data packets sent by a second PIN element, sending the first data packet associated with the first PIN element to the first PIN element, where the first data packet is a data packet sent by the second PIN element to the first PIN element.
The second PIN element may be one or more elements, and a corresponding communication policy may be configured according to the actual situation.
In this implementation, only data packets from PIN elements that the communication policy allows to send are sent to the first PIN element.
Optionally, discarding the second data packet associated with the first PIN element includes:
in the case where the communication policy of the first PIN element includes a communication policy that prohibits the first PIN element from receiving data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, where the second data packet is a data packet sent by the third PIN element to the first PIN element; or
in the case where the communication policy of the first PIN element does not include a communication policy that allows the first PIN element to receive data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, where the second data packet is a data packet sent by the third PIN element to the first PIN element.
The third PIN element may be one or more PIN elements.
In this implementation, data packets sent by PIN elements from which the communication policy prohibits the first PIN element from receiving are prevented from being sent to the first PIN element.
Optionally, receiving the third data packet associated with the first PIN element includes:
in the case where the communication policy of the first PIN element includes a communication policy that allows the first PIN element to receive data packets sent by the second PIN element, receiving the third data packet associated with the first PIN element that is sent by the second PIN element.
In this implementation, the first PIN element receives only data packets sent by PIN elements from which the communication policy allows the first PIN element to receive.
As a possible implementation, the first network element is a UPF, and the first network element acquiring policy information includes: the first network element receiving the policy information from an SMF.
The first network element may receive the policy information from the SMF through the N4 interface between the UPF and the SMF. The policy information may be an N4 rule, which the SMF determines according to the first communication policy of the first PIN element after receiving that first communication policy. The N4 rule may indicate the data packets that the UPF may send to the first PIN element, and/or the data packets that the UPF may not send to the first PIN element.
In this implementation, the UPF can perform authorization control on data packets associated with the first PIN element according to the communication policy of the first PIN element.
Optionally, the communication policy of the first PIN element includes:
Packet Detection Rules (PDR) and Forwarding Action Rules (FAR);
where, by way of example, the PDR includes at least one of the following:
first detection information for data packets that the first PIN element is allowed to receive;
second detection information for data packets that the first PIN element is prohibited from receiving;
and the FAR is used to indicate at least one of the following:
in the case where a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
in the case where a second data packet matching the second detection information is received, discarding the second data packet.
In the case where the communication policy allows the first PIN element to receive data packets of the second PIN element, the first detection information may include the description information of the second PIN element; in the case where the communication policy prohibits the first PIN element from receiving data packets of the third PIN element, the second detection information may include the description information of the third PIN element.
Receiving a first data packet matching the first detection information may consist of receiving a data packet sent by the PIN element corresponding to the first detection information, for example receiving a data packet of the second PIN element.
Receiving a second data packet matching the second detection information may consist of receiving a data packet sent by the PIN element corresponding to the second detection information, for example receiving a data packet of the third PIN element.
For example, the communication policy of the first PIN element states that the first PIN element can receive data packets from the second PIN element. The PDR included in the N4 rule includes detection information for data packets of the second PIN element. The detection information may include the description information of the second PIN element. The FAR associated with the PDR indicates that, when the UPF receives a data packet matching the detection information for data packets of the second PIN element, it forwards the data packet to the first PIN element. For example, the action of the FAR is indicated as forwarding, and the destination interface is indicated as the access side.
In addition, the PDR may also include detection information describing data packets other than those of the second PIN element, such as detection information for data packets of the third PIN element. That detection information may include the description information of the third PIN element. The FAR associated with this PDR indicates that, when the UPF receives a data packet matching the detection information for data packets of the third PIN element, it discards the data packet.
It should be noted that, when the communication policy includes only the above PDR, the first network element may send the data packets corresponding to the first detection information according to the first detection information, or discard the data packets corresponding to the second detection information according to the second detection information.
When the communication policy includes only the above FAR, the FAR includes at least one of the first detection information and the second detection information, so that the corresponding data packets are sent or discarded directly according to the FAR.
In this implementation, the UPF can perform authorization control on data packets associated with the first PIN element according to the communication policy of the first PIN element by means of the above PDR and FAR. Of course, in some implementations, the communication policy of the first PIN element obtained by the UPF is not limited to including the above PDR and FAR; for example, the communication policy of the first PIN element may be represented by other information, and the embodiments of the present application place no limitation on this.
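The following is an added illustration, not code from the patent or from any 3GPP implementation: it models the UPF-side authorization control described above, deriving PDR/FAR pairs from an allow list (second PIN elements) and a deny list (third PIN elements) expressed as description information, and applying default deny when no allowing rule matches; the source-address check of the earlier paragraph is modelled by `decide_outbound`. All class names, field names and sample addresses are constructed assumptions.

```python
"""Model of N4-style PDR/FAR authorization control for a PIN element.

Added example; names and sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    src_id: str                      # identifier of the sending PIN element
    dst_id: str                      # identifier of the destination PIN element
    vlan: Optional[int] = None
    udp_sport: Optional[int] = None


@dataclass(frozen=True)
class Description:
    """Description information of a PIN element; None means 'not specified'."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    identifier: Optional[str] = None
    vlan: Optional[int] = None
    udp_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field the description specifies must equal the packet's value;
        # an empty description matches nothing rather than everything.
        pairs = [(self.ip, pkt.src_ip), (self.mac, pkt.src_mac),
                 (self.identifier, pkt.src_id), (self.vlan, pkt.vlan),
                 (self.udp_port, pkt.udp_sport)]
        specified = [(w, h) for w, h in pairs if w is not None]
        return bool(specified) and all(w == h for w, h in specified)


@dataclass(frozen=True)
class PDR:
    precedence: int                  # lower value is evaluated first
    match: Description               # detection information
    far_id: str


@dataclass(frozen=True)
class FAR:
    far_id: str
    action: str                      # "FORW" or "DROP"
    destination_interface: Optional[str] = None   # e.g. "ACCESS"


def build_n4_rules(allowed: List[Description],
                   forbidden: List[Description]) -> Tuple[List[PDR], List[FAR]]:
    """Derive PDR/FAR pairs from the first PIN element's communication policy.

    Prohibitions (third PIN elements) get a higher precedence than permissions
    (second PIN elements), so an explicit prohibition wins if descriptions overlap.
    """
    fars = [FAR("far-drop", "DROP"), FAR("far-fwd", "FORW", "ACCESS")]
    pdrs = [PDR(100 + i, d, "far-drop") for i, d in enumerate(forbidden)]
    pdrs += [PDR(200 + i, d, "far-fwd") for i, d in enumerate(allowed)]
    return pdrs, fars


class UpfAuthorizer:
    """Applies the N4 rules to packets whose destination is the first PIN element."""

    def __init__(self, pdrs: List[PDR], fars: List[FAR]) -> None:
        self.pdrs = sorted(pdrs, key=lambda p: p.precedence)
        self.fars: Dict[str, FAR] = {f.far_id: f for f in fars}

    def decide(self, pkt: Packet) -> str:
        for pdr in self.pdrs:
            if pdr.match.matches(pkt):
                return self.fars[pdr.far_id].action
        return "DROP"                # no rule allowing receipt: drop


def decide_outbound(src_id: str, dst_id: str,
                    allowed_destinations: Dict[str, Set[str]]) -> str:
    """Source-address case: may this PIN element send to that destination?"""
    return "FORW" if dst_id in allowed_destinations.get(src_id, set()) else "DROP"


# Constructed sample policy: "pin-1" may receive from "pin-2" (identified by IP)
# and is prohibited from receiving from "pin-3" (identified by MAC).
ALLOWED = [Description(ip="10.0.0.2")]
FORBIDDEN = [Description(mac="02:00:00:00:00:03")]
AUTHORIZER = UpfAuthorizer(*build_n4_rules(ALLOWED, FORBIDDEN))

PKT_FROM_PIN2 = Packet("10.0.0.2", "02:00:00:00:00:02", "pin-2", "pin-1")
PKT_FROM_PIN3 = Packet("10.0.0.3", "02:00:00:00:00:03", "pin-3", "pin-1")
PKT_FROM_UNKNOWN = Packet("10.0.0.9", "02:00:00:00:00:09", "pin-9", "pin-1")

if __name__ == "__main__":
    for p in (PKT_FROM_PIN2, PKT_FROM_PIN3, PKT_FROM_UNKNOWN):
        print(f"{p.src_id} -> {p.dst_id}: {AUTHORIZER.decide(p)}")
```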
As a possible implementation, the first network element is the first PIN element or the target PIN element, and the first network element acquiring policy information includes: the first network element receiving the policy information from an AMF.
In this implementation, the first PIN element or the target PIN element can perform authorization control on data packets associated with the first PIN element according to the communication policy of the first PIN element.
In the embodiments of the present application, a first network element acquires policy information, the policy information including a communication policy of a first personal IoT network (PIN) element; and the first network element performs authorization control, according to the policy information, on data packets associated with the first PIN element. In this way, authorization control is applied to data packets associated with the PIN element according to the policy information, thereby avoiding communication between devices that have no communication permission and ensuring secure communication between devices.
Refer to FIG. 3, which is a flowchart of another communication authorization method provided in the embodiments of the present application. As shown in FIG. 3, the method includes the following steps:
Step 301: a second network element acquires a first communication policy of a first personal IoT network (PIN) element;
Step 302: the second network element sends policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
The second communication policy of the first PIN element is the communication policy of the first PIN element in the embodiment shown in FIG. 2.
The second communication policy of the first PIN element may be the same as the first communication policy of the first PIN element, or it may be a communication rule that the second network element generates according to the first communication policy of the first PIN element, or a communication policy that differs from the first communication policy in form and/or content.
In this embodiment, by sending the policy information to the first network element, the first network element is enabled to perform authorization control on data packets associated with the first PIN element according to the second communication policy of the first PIN element, so as to improve the security of the PIN element.
Optionally, the second communication policy of the first PIN element includes at least one of the following:
a communication policy that allows the first PIN element to receive data packets sent by a second PIN element;
a communication policy that prohibits the first PIN element from receiving data packets sent by a third PIN element.
For the second communication policy of the first PIN element, refer to the corresponding description of the embodiment shown in FIG. 2, which is not repeated here.
Optionally, the second network element acquiring the first communication policy of the first PIN element includes:
the second network element receiving the first communication policy of the first PIN element from a PIN element communication policy network element; or
the second network element receiving, from the PIN element communication policy network element, the communication policy of the PIN to which the first PIN element belongs, where the communication policy of the PIN includes the first communication policy of the first PIN element.
The PIN element communication policy network element may be a UDM or a PCF.
The communication policy of the PIN may include the first communication policies of one or more PIN elements, for example the first communication policies of one, several or all PIN elements in the PIN.
In this implementation, receiving the communication policy from the PIN element communication policy network element may consist of receiving a communication policy that the PIN element communication policy network element sends on its own initiative, or of requesting and obtaining the communication policy from the PIN element communication policy network element.
Optionally, the method further includes:
the second network element sending a communication policy request to the PIN element communication policy network element, where the communication policy request includes the description information of the first PIN element, or the communication policy request includes the description information of the PIN to which the first PIN element belongs.
The communication policy request may be a session management subscription data request message, or a subscription data management get request service (Nudm_SDM_Get request service). The PIN element communication policy network element may send the communication policy in a communication policy response, which may be a session management subscription data response message or an Nudm_SDM_Get service response.
Alternatively, the communication policy request may be a session management policy connection establishment request message, or a session management policy control create (Npcf_SMPolicyControl_Create) service request; the communication policy response may be a session management policy connection establishment response message, or a session management policy control create (Npcf_SMPolicyControl_Create) service response.
In this implementation, the communication policy is requested from the PIN element communication policy network element through the above communication policy request.
Optionally, the second network element is one of the following:
the SMF serving the first PIN element, the AMF serving the first PIN element, the first PIN element, or a target PIN element;
where the target PIN element is the PIN element with gateway capability in the PIN to which the first PIN element belongs.
In this implementation, the SMF serving the first PIN element, the AMF serving the first PIN element, the first PIN element, or the target PIN element can send the second communication policy of the first PIN element to the first network element.
Optionally, the second network element is the SMF serving the first PIN element, and the second network element acquiring the first communication policy of the first PIN element includes: the second network element acquiring the first communication policy of the first PIN element during the session establishment procedure of the first PIN element.
Acquiring the first communication policy of the first PIN element during the session establishment procedure of the first PIN element may consist of the SMF, upon receiving a PDU session establishment request initiated by the first PIN element, acquiring the first communication policy of the first PIN element from the PIN element communication policy network element.
Optionally, the second network element is the AMF serving the first PIN element, and the second network element acquiring the first communication policy of the first PIN element includes: the second network element acquiring the first communication policy of the first PIN element during the registration procedure or the session establishment procedure of the first PIN element.
Acquiring the first communication policy of the first PIN element during the registration procedure or the session establishment procedure of the first PIN element may consist of the AMF, upon receiving a registration request or a PDU session establishment request initiated by the first PIN element, acquiring the first communication policy of the first PIN element from the PIN element communication policy network element. Optionally, the AMF may acquire the first communication policy of the first PIN element from the PIN element communication policy network element through the SMF serving the first PIN element.
Optionally, the second network element is the SMF serving the first PIN element, and the second network element sending policy information to the first network element includes: the second network element sending the policy information to the first network element, where the first network element includes a UPF.
For the SMF sending the policy information to the UPF, refer to the corresponding description of the embodiment shown in FIG. 2, which is not repeated here.
Optionally, the second communication policy of the first PIN element includes:
a PDR and a FAR;
where the PDR includes at least one of the following:
first detection information for data packets that the first PIN element is allowed to receive;
second detection information for data packets that the first PIN element is prohibited from receiving;
and the FAR is used to indicate at least one of the following:
in the case where a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
in the case where a second data packet matching the second detection information is received, discarding the second data packet.
For the above PDR and FAR, refer to the corresponding description of the embodiment shown in FIG. 2, which is not repeated here.
Optionally, the second network element is the SMF serving the first PIN element, and the second network element sending policy information to the first network element includes: the second network element sending the policy information to the first network element through the AMF;
where the first network element includes a target PIN element, the target PIN element being the PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
The second network element sending the policy information to the first network element through the AMF may consist of the SMF sending the policy information to the AMF of the above target PIN element, and that AMF sending the policy information to the first network element. For example, the SMF sends a message transfer request message or a communication transfer request message (Namf_Communication_N1N2MessageTransfer service) to the AMF in order to send the second communication policy of the PIN element. Optionally, the message transfer request message or communication transfer request message (Namf_Communication_N1N2MessageTransfer service) includes a session management container (N1 SM container) that includes the second communication policy of the first PIN element.
Optionally, the second network element is the AMF serving the first PIN element, and the second network element sending policy information to the first network element includes: the second network element sending the policy information to the first network element;
where the first network element includes a target PIN element, the target PIN element being the PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
The second network element sending the policy information to the first network element may consist of the AMF, after receiving the first communication policy of the first PIN element from the PIN element communication policy network element or from the SMF, sending the second communication policy of the first PIN element to the first network element.
It should be noted that this embodiment is the implementation of the second network element corresponding to the embodiment shown in FIG. 2; for its specific implementation, refer to the relevant description of the embodiment shown in FIG. 2, which is not repeated here to avoid duplication.
In this embodiment, by sending the policy information to the first network element, the first network element is enabled to perform authorization control on data packets associated with the first PIN element according to the second communication policy of the first PIN element, so as to improve the security of the PIN element.
下面以多个实施例对本申请实施例提供的方法进行举例说明:The method provided by the embodiment of the present application is illustrated below with multiple embodiments:
实施例1:Example 1:
该实施例以服务于PIN元素的UPF对PIN元素的数据包进行授权控制进行举例说明,如图4所示,以第一PIN元素的会话为PDU会话为例,该方法实施例包括以下步骤:This embodiment uses the UPF serving the PIN element to perform authorization control on the data packet of the PIN element as an example. As shown in FIG. 4 , taking the session of the first PIN element as a PDU session as an example, the method embodiment includes the following steps:
Step 1. The PIN element access policy network element (for example, the UDM or the PCF) obtains the access policy of the PIN element.
The access policy of the PIN element may include at least one of the following:
a two-way communication policy, that is, the description information of the PIN elements/devices that may communicate with each other;
a one-way communication policy, that is, to which PIN elements a specific PIN element/device may send data, or from which PIN elements/devices a specific PIN element may receive data.
The description information of a PIN element/device may include at least one of the following:
the IP address of the PIN element/device;
the MAC address of the PIN element/device;
an identifier of the PIN element/device, including but not limited to an external identifier, a GPSI, an FQDN, an IMSI, a SUCI or SUPI, a temporary identifier, or an identifier unique within the PIN;
the VLAN identifier used by the data packets sent by the PIN element/device;
the UDP port number used by the data packets sent by the PIN element/device.
Step 2. The first PIN element sends a NAS message to the AMF, which includes a PDU session establishment request.
Optionally, the NAS message includes PDU session establishment parameters, for example a Data Network Name (DNN) and/or Network Slice Selection Assistance Information (NSSAI).
Step 3. The AMF receives the NAS message and forwards the PDU session establishment request contained in it to the SMF.
Optionally, the AMF may select the SMF according to the PDU session establishment parameters, or according to configuration information.
Step 4. The SMF obtains the communication policy (for example, the access policy) of the PIN element from the PIN element communication policy network element.
The SMF may obtain the PIN element communication policy of the PIN to which the PIN element belongs, or it may obtain only the part of that policy that relates to the first PIN element.
In one possible manner, the SMF is the SMF configured to serve the PIN element or the PIN to which the PIN element belongs. After obtaining the communication policy of the PIN element in step 1, the PIN element communication policy network element may send that communication policy to the SMF.
In another possible manner, the SMF sends a PIN element communication policy request message to the PIN element communication policy network element. The request message may include the identifier of the first PIN element or the identifier of the PIN to which the first PIN element belongs, and optionally a PIN element communication policy request indication. The SMF then receives from the PIN element communication policy network element a PIN element communication policy response message that includes the communication policy of the PIN element.
By way of example, the PIN element communication policy request message may be a session management subscription data request message or an Nudm_SDM_Get service request, and the PIN element communication policy response message may be a session management subscription data response message or an Nudm_SDM_Get service response.
Alternatively, by way of example, the PIN element communication policy request message may be a session management policy connection establishment request message or an Npcf_SMPolicyControl_Create service request, and the PIN element communication policy response message may be a session management policy connection establishment response message or an Npcf_SMPolicyControl_Create service response.
Step 5. The SMF sends N4 rules to the UPF serving the PDU session. The N4 rules indicate which data packets the UPF may send to the first PIN element, or which data packets the UPF must not send to the first PIN element.
The SMF determines the N4 rules according to the communication policy of the PIN element.
For example, the communication policy of the PIN element states that the first PIN element may receive data from the second PIN element. The N4 rules include a PDR and a FAR. The PDR includes detection information for the data packets of the second PIN element; this detection information may include the description information of the second PIN element, for which see the description information of a PIN element in step 1. The FAR associated with this PDR instructs the UPF, when it receives a data packet matching the detection information for the second PIN element's data packets, to forward that data packet to PIN element 1. For example, the action of the FAR is set to forwarding and the destination interface is set to the access side.
Optionally, a PDR may also include detection information describing data packets other than those of the second PIN element. For example, this detection information may include the description information of a third PIN element, again as described in step 1. The FAR associated with this PDR instructs the UPF, when it receives a data packet matching this detection information for packets other than those of the second PIN element, to discard that data packet.
Step 6a. The UPF receives a data packet of the second PIN element and forwards it according to the N4 rules.
Step 6b. The UPF receives a data packet of the third PIN element, or of another UE or device, and discards it according to the N4 rules.
In this embodiment, the data packets sent by the second PIN element to the first PIN element are forwarded according to the communication policy, while the data sent by the third PIN element to the first PIN element is discarded, so that authorization control is performed on the data packets associated with the PIN element according to the policy information. This prevents communication between devices that have no communication permission and secures the communication between devices.
Embodiment 2:
This embodiment takes as an example a PIN element with gateway capability performing authorization control on the data packets of the PIN element. As shown in FIG. 5, and taking the session of the first PIN element to be a PDU session, the method embodiment includes the following steps:
Step 1. The PIN element access policy network element (for example, the UDM or the PCF) obtains the access policy of the PIN element.
Step 2. The first PIN element sends a NAS message to the AMF, which includes a PDU session establishment request.
Step 3. The AMF receives the NAS message and forwards the PDU session establishment request contained in it to the SMF.
Step 4. The SMF obtains the communication policy (for example, the access policy) of the PIN element from the PIN element communication policy network element.
Steps 1 to 4 are as described in Embodiment 1 and are not repeated here.
Step 5. The SMF sends N4 rules to the UPF to establish the N4 session.
Steps 1 to 5 are optional.
Step 6. The SMF sends the communication policy (for example, the access policy) of the PIN element to the AMF serving the PIN element with gateway (GW) capability.
By way of example, the SMF sends the AMF a message transfer request message or an Namf_Communication_N1N2MessageTransfer service request that includes the access policy of the PIN element.
Optionally, the message transfer request message or the Namf_Communication_N1N2MessageTransfer service request includes an N1 SM container, which carries the access policy of the PIN element.
Step 7. The AMF sends the communication policy of the PIN element received in step 6 to the PIN element with gateway capability.
Step 8a. The PIN element with gateway capability receives a data packet of the second PIN element and forwards it according to the access policy of the PIN element.
Step 8b. The PIN element with gateway capability receives a data packet of the third PIN element, or of another UE or device, and discards it according to the access policy of the PIN element.
For the description and examples of the communication policy of the PIN element, refer to Embodiment 1.
In this embodiment, the data packets sent by the second PIN element to the first PIN element are forwarded according to the communication policy, while the data sent by the third PIN element to the first PIN element is discarded, so that authorization control is performed on the data packets associated with the PIN element according to the policy information. This prevents communication between devices that have no communication permission and secures the communication between devices.
Embodiment 3:
This embodiment takes as an example the first PIN element itself performing authorization control on the data packets of the PIN element. As shown in FIG. 6, and taking the session of the first PIN element to be a PDU session, the method embodiment includes the following steps:
Step 1. The PIN element access policy network element (for example, the UDM or the PCF) obtains the access policy of the PIN element.
Step 2. The first PIN element sends a NAS message to the AMF, which includes a PDU session establishment request.
Step 3. The AMF receives the NAS message and forwards the PDU session establishment request contained in it to the SMF.
Step 4. The SMF obtains the communication policy (for example, the access policy) of the PIN element from the PIN element communication policy network element.
Step 5. The SMF sends N4 rules to the UPF to establish the N4 session.
Steps 1 to 5 are as described in Embodiment 2 and are not repeated here. Steps 1 to 5 are optional.
Step 6. The SMF sends the communication policy (for example, the access policy) of the PIN element to the AMF, namely the AMF serving the first PIN element.
By way of example, the SMF sends the AMF a message transfer request message or an Namf_Communication_N1N2MessageTransfer service request that includes the access policy of the PIN element.
Optionally, the N1 SM container included in the message transfer request message or the Namf_Communication_N1N2MessageTransfer service request carries the access policy of the PIN element.
Step 7. The AMF sends the communication policy of the PIN element received in step 6 to the first PIN element.
Step 8a. The first PIN element receives a data packet of the second PIN element and accepts it according to the communication policy of the PIN element.
Step 8b. The first PIN element receives a data packet of the third PIN element, or of another UE or device, and discards it according to the communication policy of the PIN element.
For the description and examples of the communication policy of the PIN element, refer to Embodiment 1.
In this embodiment, the data packets sent by the second PIN element to the first PIN element are accepted according to the communication policy, while the data sent by the third PIN element to the first PIN element is discarded, so that authorization control is performed on the data packets associated with the PIN element according to the policy information. This prevents communication between devices that have no communication permission and secures the communication between devices.
Embodiment 4:
This embodiment takes as an example a PIN element with gateway capability performing authorization control on the data packets of the PIN element. As shown in FIG. 7, and taking the session of the first PIN element to be a PDU session, the method embodiment includes the following steps:
Step 1. The PIN element access policy network element (for example, the UDM or the PCF) obtains the access policy of the PIN element.
Step 2. The first PIN element sends a NAS message to the AMF, which includes a PDU session establishment request.
Step 3. The AMF receives the NAS message and forwards the PDU session establishment request contained in it to the SMF.
Steps 1 to 3 are as described in Embodiment 2 and are not repeated here. Steps 1 to 3 are optional.
Step 4. The AMF obtains the communication policy (for example, the access policy) of the PIN element from the PIN element communication policy network element.
This step follows the description of step 4 of Embodiment 1, with the SMF replaced by the AMF, the session management subscription data request message replaced by the subscription data request message, and the session management policy messages replaced by a mobility management policy request message or a UE/PIN element policy request message.
By way of example, the PIN element communication policy request message may be a subscription data request message or an Nudm_SDM_Get service request, and the PIN element communication policy response message may be a subscription data response message or an Nudm_SDM_Get service response.
Alternatively, by way of example, the PIN element communication policy request message may be a mobility management policy connection establishment request message, a mobility management policy connection modification request message, a UE/PIN element policy control establishment request message or a UE/PIN element policy control modification request message, such as an AM policy control establishment message (Npcf_AMPolicyControl_Create service), an AM policy control update message (Npcf_AMPolicyControl_Update service), a UE policy control establishment message (Npcf_UEPolicyControl_Create service) or a UE policy control update message (Npcf_UEPolicyControl_Update service). The PIN element access policy response message may be a mobility management policy connection establishment response message, a mobility management policy connection modification response message, a UE/PIN element policy control establishment response message or a UE/PIN element policy control modification response message, such as an Npcf_AMPolicyControl_Create service response, an Npcf_AMPolicyControl_Update service response, an Npcf_UEPolicyControl_Create service response or an Npcf_UEPolicyControl_Update service response.
This step may also be performed after step 6, or when the first PIN element registers with the AMF.
Step 5. The SMF sends N4 rules to the UPF to establish the N4 session.
Step 6. The SMF sends a session establishment response message to the AMF.
Step 7. The AMF sends the communication policy of the PIN element obtained in step 4 to the PIN element with gateway capability.
Step 8a. The PIN element with gateway capability receives a data packet of the second PIN element and forwards it according to the access policy of the PIN element.
Step 8b. The PIN element with gateway capability receives a data packet of the third PIN element, or of another UE or device, and discards it according to the access policy of the PIN element.
Steps 7 and 8 are as described in Embodiment 2 and are not repeated here.
For the description and examples of the communication policy of the PIN element, refer to Embodiment 1.
In this embodiment, the data packets sent by the second PIN element to the first PIN element are forwarded according to the communication policy, while the data sent by the third PIN element to the first PIN element is discarded, so that authorization control is performed on the data packets associated with the PIN element according to the policy information. This prevents communication between devices that have no communication permission and secures the communication between devices.
Embodiment 5:
This embodiment takes as an example the first PIN element itself performing authorization control on the data packets of the PIN element. As shown in FIG. 8, and taking the session of the first PIN element to be a PDU session, the method embodiment includes the following steps:
Step 1. The PIN element access policy network element (for example, the UDM or the PCF) obtains the access policy of the PIN element.
Step 2. The first PIN element sends a NAS message to the AMF, which includes a PDU session establishment request.
Step 3. The AMF receives the NAS message and forwards the PDU session establishment request contained in it to the SMF.
Step 4. The AMF obtains the communication policy (for example, the access policy) of the PIN element from the PIN element communication policy network element.
Step 5. The SMF sends N4 rules to the UPF to establish the N4 session.
Step 6. The SMF sends a session establishment response message to the AMF.
Steps 1 to 6 are as described in Embodiment 4 and are not repeated here.
Step 7. The AMF sends the communication policy of the PIN element obtained in step 4 to the first PIN element.
Step 8a. The first PIN element receives a data packet of the second PIN element and accepts it according to the communication policy of the PIN element.
Step 8b. The first PIN element receives a data packet of the third PIN element, or of another UE or device, and discards it according to the communication policy of the PIN element.
Steps 7 and 8 are as described in Embodiment 3 and are not repeated here.
For the description and examples of the communication policy of the PIN element, refer to Embodiment 1.
In this embodiment, the data packets sent by the second PIN element to the first PIN element are accepted according to the communication policy, while the data sent by the third PIN element to the first PIN element is discarded, so that authorization control is performed on the data packets associated with the PIN element according to the policy information. This prevents communication between devices that have no communication permission and secures the communication between devices.
It should be noted that Embodiments 1 to 5 above are all described by taking as an example data packets whose destination address indicates the first PIN element. In the embodiments of the present application, the data packets associated with the first PIN element may also include data packets whose source address indicates the first PIN element. For example, where the communication policy of the first PIN element permits the first PIN element to communicate with the second PIN element and prohibits the first PIN element from communicating with the third PIN element:
By way of example, the PIN element access policy states that the first PIN element may send data to the second PIN element. Optionally, the PIN element access policy states that the first PIN element is prohibited from sending data to the third PIN element. In Embodiment 1 above, steps 6a and 6b then become:
Step 6a. The UPF receives a data packet sent by the first PIN element whose destination address indicates the second PIN element, and forwards it to the second PIN element according to the N4 rules;
Step 6b. The UPF receives a data packet sent by the first PIN element whose destination address indicates the third PIN element, and discards it according to the N4 rules.
In Embodiment 2 above, steps 8a and 8b become:
Step 8a. The PIN element with gateway capability receives a data packet sent by the first PIN element whose destination address indicates the second PIN element, and forwards it to the second PIN element according to the communication policy of the PIN element;
Step 8b. The PIN element with gateway capability receives a data packet sent by the first PIN element whose destination address indicates the third PIN element, and discards it according to the access policy of the PIN element.
In Embodiment 3 above, steps 8a and 8b become:
Step 8a. When the first PIN element needs to send a data packet whose destination address indicates the second PIN element, it sends the data packet to the second PIN element according to the communication policy of the PIN element;
Step 8b. When the first PIN element needs to send a data packet whose destination address indicates the third PIN element, it discards the data packet according to the communication policy of the PIN element, or does not send the data packet whose destination address indicates the third PIN element.
In Embodiment 4 above, steps 8a and 8b become:
Step 8a. The PIN element with gateway capability receives a data packet sent by the first PIN element whose destination address indicates the second PIN element, and forwards it to the second PIN element according to the communication policy of the PIN element;
Step 8b. The PIN element with gateway capability receives a data packet sent by the first PIN element whose destination address indicates the third PIN element, and discards it according to the access policy of the PIN element.
In Embodiment 5 above, steps 8a and 8b become:
Step 8a. When the first PIN element needs to send a data packet whose destination address indicates the second PIN element, it sends the data packet to the second PIN element according to the communication policy of the PIN element;
Step 8b. When the first PIN element needs to send a data packet whose destination address indicates the third PIN element, it discards the data packet according to the communication policy of the PIN element, or does not send the data packet whose destination address indicates the third PIN element.
In this way, authorization control can be performed, according to the policy information, on data packets whose source address indicates the first PIN element, which prevents communication between devices that have no communication permission and secures the communication between devices.
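The N4 rule construction of Embodiment 1 (steps 5 to 6b) and the source-address variant just described, as an added example that is not part of the application: a small Python model in which the communication policy of a PIN element is compiled into an ordered list of PDRs, each with an associated FAR, and then applied to packets in both directions. The descriptor field names, the made-up addresses, the precedence values and the choice that an explicit prohibition overrides a conflicting allow entry are assumptions of this example; the 3GPP N4/PFCP encodings are not reproduced.

```python
# Added example, not from the application: compile a PIN element's communication
# policy into N4-style PDR/FAR rules and enforce them per packet. Addresses, field
# names and the rule shape are illustrative assumptions, not 3GPP encodings.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PinDescriptor:
    """Description information of a PIN element/device (step 1). Any subset of the
    fields may be set; a packet side matches when every set field equals the observed
    value. Subscription identifiers (GPSI, SUPI, ...) are assumed to have been resolved
    into these wire-visible attributes before the PDR is written."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    udp_port: Optional[int] = None

    def matches(self, observed: dict) -> bool:
        return all(observed.get(f) == getattr(self, f)
                   for f in ("ip", "mac", "vlan", "udp_port")
                   if getattr(self, f) is not None)


@dataclass(frozen=True)
class FAR:
    action: str                                   # "FORW" or "DROP"
    destination_interface: Optional[str] = None   # "access" (toward the PIN) or "core"


@dataclass(frozen=True)
class PDR:
    precedence: int                # lower value is evaluated first
    src: Optional[PinDescriptor]   # None is a wildcard
    dst: Optional[PinDescriptor]
    far: FAR


def compile_n4_rules(first, may_receive_from=(), may_send_to=(), two_way=(), forbidden=()):
    """Step 5: turn the policy of `first` into an ordered PDR list. Explicit prohibitions
    get the highest precedence so a conflicting allow entry cannot override them; two
    catch-all DROP rules at the lowest precedence cover the 'no allow entry for this
    peer' case, so anything to or from `first` that matched no allow rule is discarded."""
    to_first, from_first, drop = FAR("FORW", "access"), FAR("FORW", "core"), FAR("DROP")
    rules = []
    for peer in forbidden:
        rules += [PDR(5, peer, first, drop), PDR(5, first, peer, drop)]
    for peer in (*may_receive_from, *two_way):
        rules.append(PDR(10, peer, first, to_first))     # downlink: deliver to the element
    for peer in (*may_send_to, *two_way):
        rules.append(PDR(10, first, peer, from_first))   # uplink: forward toward the peer
    rules += [PDR(100, None, first, drop), PDR(100, first, None, drop)]
    return sorted(rules, key=lambda r: r.precedence)


def upf_handle(rules, pkt):
    """Steps 6a/6b: apply the first PDR whose detection information matches `pkt`,
    where pkt = {"src": {...}, "dst": {...}} holds the fields observed on the wire.
    A packet involving `first` on neither side matches nothing here (None)."""
    for rule in rules:
        if rule.src is not None and not rule.src.matches(pkt["src"]):
            continue
        if rule.dst is not None and not rule.dst.matches(pkt["dst"]):
            continue
        return rule.far
    return None


# Constructed sample PIN; the addresses are made up for this example.
FIRST = PinDescriptor(ip="10.0.0.1")
SECOND = PinDescriptor(ip="10.0.0.2")
THIRD = PinDescriptor(ip="10.0.0.3")
SENSOR = PinDescriptor(mac="02:00:00:00:00:44", vlan=100)   # two-way peer keyed by MAC+VLAN

RULES = compile_n4_rules(FIRST, may_receive_from=[SECOND], may_send_to=[SECOND],
                         two_way=[SENSOR], forbidden=[THIRD])


def decide(src: dict, dst: dict) -> str:
    """Verdict for one packet: 'FORW:<interface>', 'DROP' or 'NO_MATCH'."""
    far = upf_handle(RULES, {"src": src, "dst": dst})
    if far is None:
        return "NO_MATCH"
    return "DROP" if far.action == "DROP" else f"FORW:{far.destination_interface}"


if __name__ == "__main__":
    for src, dst in [({"ip": "10.0.0.2"}, {"ip": "10.0.0.1"}),    # step 6a: forwarded
                     ({"ip": "10.0.0.3"}, {"ip": "10.0.0.1"}),    # step 6b: dropped
                     ({"ip": "10.0.0.9"}, {"ip": "10.0.0.1"}),    # unknown device: dropped
                     ({"ip": "10.0.0.1"}, {"ip": "10.0.0.3"}),    # source-address case: dropped
                     ({"mac": "02:00:00:00:00:44", "vlan": 200}, {"ip": "10.0.0.1"})]:  # wrong VLAN
        print(src, "->", dst, decide(src, dst))
```

The two catch-all DROP rules are what makes the policy an allow-list: a device that the policy never mentions, or a peer whose MAC matches but whose VLAN does not, is discarded rather than falling through, which is the "policy does not include an allow entry" case the apparatus description below treats as a drop. The same evaluation loop is what the gateway-capable PIN element (Embodiments 2 and 4) or the first PIN element itself (Embodiments 3 and 5) would run locally, with the FAR replaced by a forward, accept or drop decision.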
Referring to FIG. 9, which is a structural diagram of a communication authorization apparatus provided by an embodiment of the present application, the communication authorization apparatus 900 includes:
an obtaining module 901, configured to obtain policy information, the policy information including a communication policy of a first personal IoT network (PIN) element;
a control module 902, configured to perform authorization control, according to the policy information, on the data packets associated with the first PIN element.
The communication authorization apparatus is included in the first network element; in other words, the first network element includes the communication authorization apparatus. For the first network element, refer to the corresponding description of the method embodiments above, which is not repeated here.
Optionally, performing authorization control on the data packets associated with the first PIN element includes at least one of the following:
sending, to the first PIN element, a first data packet associated with the first PIN element;
discarding a second data packet associated with the first PIN element;
receiving a third data packet associated with the first PIN element.
Optionally, sending the first data packet associated with the first PIN element to the first PIN element includes:
where the communication policy of the first PIN element includes a communication policy permitting the first PIN element to receive data packets sent by a second PIN element, sending to the first PIN element the first data packet associated with the first PIN element, the first data packet being a data packet sent by the second PIN element to the first PIN element.
Optionally, discarding the second data packet associated with the first PIN element includes:
where the communication policy of the first PIN element includes a communication policy prohibiting the first PIN element from receiving data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, the second data packet being a data packet sent by the third PIN element to the first PIN element; or
where the communication policy of the first PIN element does not include a communication policy permitting the first PIN element to receive data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, the second data packet being a data packet sent by the third PIN element to the first PIN element.
Optionally, receiving the third data packet associated with the first PIN element includes:
where the communication policy of the first PIN element includes a communication policy permitting the first PIN element to receive data packets sent by a second PIN element, receiving the third data packet associated with the first PIN element that is sent by the second PIN element.
Optionally, the first network element is one of the following:
a user plane function (UPF), the first PIN element, or a target PIN element;
where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
Optionally, the first network element is a user plane function (UPF), and the first network element obtaining the policy information includes the first network element receiving the policy information from a session management function (SMF).
Optionally, the first network element is the first PIN element or the target PIN element, and the first network element obtaining the policy information includes the first network element receiving the policy information from an access and mobility management function (AMF).
可选的,所述第一PIN元素的通信策略包括如下至少一项:Optionally, the communication policy of the first PIN element includes at least one of the following:
包检测规则PDR和转发行为规则FAR;Packet detection rule PDR and forwarding behavior rule FAR;
其中,所述PDR包括如下至少一项:Wherein, the PDR includes at least one of the following:
允许所述第一PIN元素接收的数据包的第一检测信息;Allow the first detection information of the data packet received by the first PIN element;
禁止所述第一PIN元素接收的数据包的第二检测信息;Forbid the second detection information of the data packet received by the first PIN element;
所述FAR用于指示如下至少一项:The FAR is used to indicate at least one of the following:
在接收到符合所述第一检测信息的第一数据包的情况下,向所述第一PIN元素转发所述第一数据包;Forwarding the first data packet to the first PIN element in case a first data packet conforming to the first detection information is received;
在接收到符合所述第二检测信息的第二数据包的情况下,丢弃所述第二数据包。In case of receiving a second data packet conforming to the second detection information, discarding the second data packet.
The communication authorization apparatus in the embodiment of the present application performs authorization control on data packets associated with a PIN element according to policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices.
The communication authorization apparatus in the embodiment of the present application may be an apparatus, an apparatus or electronic device having an operating system, or a component, integrated circuit, or chip in the first network element.
The communication authorization apparatus provided in the embodiment of the present application can implement each process implemented by the method embodiment of FIG. 2 and achieve the same technical effect; to avoid repetition, details are not repeated here.
Referring to FIG. 10, FIG. 10 is a structural diagram of a communication authorization apparatus provided by an embodiment of the present application. As shown in FIG. 10, the communication authorization apparatus 1000 includes:
an acquisition module 1001, configured to acquire a first communication policy of a first personal IoT network (PIN) element; and
a sending module 1002, configured to send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
The communication authorization apparatus above is included in a second network element (in other words, the second network element includes the communication authorization apparatus). For the first network element, refer to the corresponding description in the method embodiment above, which is not repeated here.
Optionally, the second communication policy of the first PIN element includes at least one of the following:
a communication policy that allows the first PIN element to receive data packets sent by a second PIN element;
a communication policy that prohibits the first PIN element from receiving data packets sent by a third PIN element.
Optionally, the acquiring the first communication policy of the first PIN element includes:
receiving the first communication policy of the first PIN element from a PIN element communication policy network element; or
receiving, from the PIN element communication policy network element, the communication policy of the PIN to which the first PIN element belongs, where the communication policy of the PIN includes the first communication policy of the first PIN element.
Optionally, the apparatus further includes:
a request module, configured to send a communication policy request to the PIN element communication policy network element, where the communication policy request includes description information of the first PIN element, or the communication policy request includes description information of the PIN to which the first PIN element belongs.
Optionally, the second network element includes one of the following:
a session management function (SMF) serving the first PIN element, an access and mobility management function (AMF) serving the first PIN element, the first PIN element, or a target PIN element;
where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
Optionally, the second network element is an SMF serving the first PIN element, and the acquiring the first communication policy of the first PIN element includes: acquiring the first communication policy of the first PIN element during a session establishment procedure of the first PIN element; or
the second network element is an AMF serving the first PIN element, and the acquiring the first communication policy of the first PIN element includes: acquiring the first communication policy of the first PIN element during a registration procedure or a session establishment procedure of the first PIN element.
Optionally, the second network element is an SMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element, where the first network element includes a user plane function (UPF).
Optionally, the second communication policy of the first PIN element includes at least one of the following:
a packet detection rule (PDR) and a forwarding action rule (FAR);
where the PDR includes at least one of the following:
first detection information of data packets that the first PIN element is allowed to receive;
second detection information of data packets that the first PIN element is prohibited from receiving;
and the FAR is used to indicate at least one of the following:
when a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
when a second data packet matching the second detection information is received, discarding the second data packet.
Optionally, the second network element is an SMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element via the AMF;
where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
Optionally, the second network element is an AMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element;
where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
The communication authorization apparatus in the embodiment of the present application sends policy information to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices.
The communication authorization apparatus in the embodiment of the present application may be an apparatus, an apparatus or electronic device having an operating system, or a component, integrated circuit, or chip in the second network element.
The communication authorization apparatus provided in the embodiment of the present application can implement each process implemented by the method embodiment of FIG. 3 and achieve the same technical effect; to avoid repetition, details are not repeated here.
Optionally, as shown in FIG. 11, an embodiment of the present application further provides a communication device 1100, including a processor 1101, a memory 1102, and a program or instructions stored in the memory 1102 and executable on the processor 1101. For example, when the communication device 1100 is the first network element, the program or instructions, when executed by the processor 1101, implement each process of the embodiment of the communication authorization method on the first network element side and achieve the same technical effect. When the communication device 1100 is the second network element, the program or instructions, when executed by the processor 1101, implement each process of the embodiment of the communication authorization method on the second network element side and achieve the same technical effect; to avoid repetition, details are not repeated here. The communication device is a terminal or a network-side device.
An embodiment of the present application further provides a communication device, including a processor and a communication interface, where the processor or the communication interface is configured to: acquire policy information, the policy information including a communication policy of a first PIN element; and perform authorization control on data packets associated with the first PIN element according to the policy information.
Alternatively, the communication interface is configured to: acquire a first communication policy of a first PIN element; and send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
In this embodiment, authorization control can thus be performed on data packets associated with a PIN element according to policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices. Alternatively, policy information can be sent to the first network element so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices.
This communication device embodiment corresponds to the method embodiments shown in FIG. 2 and FIG. 3 above; each implementation process and implementation manner of the method embodiments above is applicable to this communication device embodiment and achieves the same technical effect.
Specifically, FIG. 12 is a schematic diagram of the hardware structure of a first network element implementing an embodiment of the present application. It should be noted that in this embodiment the first network element is taken to be a PIN element, and the PIN element is taken to be a terminal, by way of example:
The first network element 1200 includes, but is not limited to, at least some of the following components: a radio frequency unit 1201, a network module 1202, an audio output unit 1203, an input unit 1204, a sensor 1205, a display unit 1206, a user input unit 1207, an interface unit 1208, a memory 1209, and a processor 1210.
Those skilled in the art will understand that the first network element 1200 may further include a power supply (such as a battery) that supplies power to the components; the power supply may be logically connected to the processor 1210 through a power management system, so that functions such as charging, discharging, and power consumption management are implemented through the power management system. The structure of the first network element shown in FIG. 12 does not constitute a limitation on the communication device; the first network element may include more or fewer components than shown, combine some components, or arrange the components differently, which is not repeated here.
It should be understood that in the embodiment of the present application, the input unit 1204 may include a graphics processing unit (GPU) 12041 and a microphone 12042; the graphics processing unit 12041 processes image data of still pictures or video obtained by an image capture apparatus (such as a camera) in a video capture mode or an image capture mode. The display unit 1206 may include a display panel 12061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 1207 includes a touch panel 12071 and other input devices 12072. The touch panel 12071 is also referred to as a touch screen. The touch panel 12071 may include two parts, a touch detection apparatus and a touch controller. The other input devices 12072 may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and on/off keys), a trackball, a mouse, and a joystick, which are not repeated here.
In the embodiment of the present application, the radio frequency unit 1201 receives downlink data from a network-side device and passes it to the processor 1210 for processing; in addition, it sends uplink data to the network-side device. Generally, the radio frequency unit 1201 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low-noise amplifier, a duplexer, and the like.
The memory 1209 may be used to store software programs or instructions and various data. The memory 1209 may mainly include a program or instruction storage area and a data storage area, where the program or instruction storage area may store an operating system, an application program or instructions required by at least one function (such as a sound playback function or an image playback function), and the like. In addition, the memory 1209 may include a high-speed random access memory and may also include a non-volatile memory, where the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), or a flash memory, for example at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The processor 1210 may include one or more processing units; optionally, the processor 1210 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs or instructions, and the like, and the modem processor, such as a baseband processor, mainly handles wireless communication. It can be understood that the modem processor may alternatively not be integrated into the processor 1210.
The radio frequency unit 1201 or the processor 1210 is configured to acquire policy information, the policy information including a communication policy of a first personal IoT network (PIN) element, and to perform authorization control on data packets associated with the first PIN element according to the policy information.
Optionally, the performing authorization control on data packets associated with the first PIN element includes at least one of the following:
sending a first data packet associated with the first PIN element to the first PIN element;
discarding a second data packet associated with the first PIN element;
receiving a third data packet associated with the first PIN element.
Optionally, the sending the first data packet associated with the first PIN element to the first PIN element includes:
when the communication policy of the first PIN element includes a communication policy that allows the first PIN element to receive data packets sent by a second PIN element, sending the first data packet associated with the first PIN element to the first PIN element, where the first data packet is a data packet sent by the second PIN element to the first PIN element.
Optionally, the discarding the second data packet associated with the first PIN element includes:
when the communication policy of the first PIN element includes a communication policy that prohibits the first PIN element from receiving data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, where the second data packet is a data packet sent by the third PIN element to the first PIN element; or
when the communication policy of the first PIN element does not include a communication policy that allows the first PIN element to receive data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, where the second data packet is a data packet sent by the third PIN element to the first PIN element.
Optionally, the receiving the third data packet associated with the first PIN element includes:
when the communication policy of the first PIN element includes a communication policy that allows the first PIN element to receive data packets sent by a second PIN element, receiving the third data packet associated with the first PIN element sent by the second PIN element.
Optionally, the first network element includes one of the following:
a user plane function (UPF), the first PIN element, or a target PIN element;
where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
Optionally, the first network element is a user plane function (UPF), and the acquiring policy information includes: receiving the policy information from a session management function (SMF).
Optionally, the first network element is the first PIN element or the target PIN element, and the acquiring policy information includes: receiving the policy information from an access and mobility management function (AMF).
Optionally, the communication policy of the first PIN element includes at least one of the following:
a packet detection rule (PDR) and a forwarding action rule (FAR);
where the PDR includes at least one of the following:
first detection information of data packets that the first PIN element is allowed to receive;
second detection information of data packets that the first PIN element is prohibited from receiving;
and the FAR is used to indicate at least one of the following:
when a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
when a second data packet matching the second detection information is received, discarding the second data packet.
The first network element above performs authorization control on data packets associated with the PIN element according to the policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices.
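The authorization control that the first network element performs, described for the method embodiment of FIG. 2 and restated for the first network element 1200 above (forward when an allowing policy for the sender exists, discard when a prohibiting policy exists, and discard when no allowing policy exists at all, with the policy expressed as a PDR carrying detection information and a FAR carrying the forward or drop action), is illustrated by the following added Python example. It is not code from the patent or from the applicant; the PIN element identifiers, the packet fields, the precedence ordering of rules and the extra port-based drop rule are assumptions constructed for the illustration.

```python
# Added example, not the patent's own code: a first network element (for instance
# a UPF, or a gateway-capable "target PIN element") enforcing a PIN element's
# communication policy given as packet detection rules (PDR) and forwarding
# action rules (FAR). Element ids, packet fields and rule precedence are
# constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FORWARD = "forward"   # FAR action: deliver the packet to the first PIN element
DROP = "drop"         # FAR action: discard the packet


@dataclass(frozen=True)
class Packet:
    src: str                    # sending PIN element id (constructed)
    dst: str                    # receiving PIN element id (constructed)
    proto: str = "udp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class DetectionInfo:
    """Detection information carried in a PDR; every field that is set must match."""
    src: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass(frozen=True)
class Rule:
    pdr: DetectionInfo
    far: str                    # FORWARD or DROP
    precedence: int = 100       # lower value is evaluated first (assumed ordering)


@dataclass
class CommunicationPolicy:
    """The communication policy of one PIN element, as received from the SMF or AMF."""
    pin_element: str
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, pkt: Packet) -> str:
        """Authorization control for one packet addressed to the policy's PIN element."""
        if pkt.dst != self.pin_element:
            raise ValueError("policy only covers packets addressed to %s" % self.pin_element)
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if rule.pdr.matches(pkt):
                return rule.far
        # No allowing policy covers this packet: discard it. This is the
        # "does not include a policy that allows" branch, i.e. default deny.
        return DROP


def sample_policy() -> CommunicationPolicy:
    """Constructed policy for 'pin-elem-1': allow packets from 'pin-elem-2'
    (first detection information), prohibit packets from 'pin-elem-3'
    (second detection information), and drop TCP port 23 from any sender."""
    return CommunicationPolicy("pin-elem-1", [
        Rule(DetectionInfo(src="pin-elem-2"), FORWARD, precedence=100),
        Rule(DetectionInfo(src="pin-elem-3"), DROP, precedence=100),
        Rule(DetectionInfo(proto="tcp", dst_port=23), DROP, precedence=10),
    ])


def enforce_sample() -> Dict[str, str]:
    """Run constructed packets through the sample policy and return the decisions."""
    policy = sample_policy()
    packets = {
        "from-2":        Packet("pin-elem-2", "pin-elem-1"),
        "from-3":        Packet("pin-elem-3", "pin-elem-1"),
        "from-4":        Packet("pin-elem-4", "pin-elem-1"),          # no rule at all
        "from-2-telnet": Packet("pin-elem-2", "pin-elem-1", "tcp", 23),
    }
    return {name: policy.authorize(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in enforce_sample().items():
        print(f"{name}: {decision}")
```

The packet from the fourth element is discarded although no rule names it, which is the default-deny reading of the "does not include a policy that allows" branch; the lower-precedence-value port rule is consulted before the per-sender allow, so an otherwise allowed sender is still dropped on that port.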
Specifically, the terminal in the embodiment of the present invention further includes instructions or a program stored in the memory 1209 and executable on the processor 1210; the processor 1210 invokes the instructions or program in the memory 1209 to perform the methods performed by the modules shown in FIG. 9 and achieves the same technical effect, which is not repeated here to avoid repetition.
Specifically, an embodiment of the present application further provides a second network element. In this embodiment, the second network element is taken to be a core network element by way of example: as shown in FIG. 13, the second network element 1300 includes a transceiver apparatus 1301.
The transceiver apparatus 1301 is configured to acquire a first communication policy of a first PIN element, and to send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
Optionally, the second communication policy of the first PIN element includes at least one of the following:
a communication policy that allows the first PIN element to receive data packets sent by a second PIN element;
a communication policy that prohibits the first PIN element from receiving data packets sent by a third PIN element.
Optionally, the acquiring the first communication policy of the first PIN element includes:
receiving the first communication policy of the first PIN element from a PIN element communication policy network element; or
receiving, from the PIN element communication policy network element, the communication policy of the PIN to which the first PIN element belongs, where the communication policy of the PIN includes the first communication policy of the first PIN element.
Optionally, the transceiver apparatus 1301 is further configured to:
send a communication policy request to the PIN element communication policy network element, where the communication policy request includes description information of the first PIN element, or the communication policy request includes description information of the PIN to which the first PIN element belongs.
Optionally, the second network element includes one of the following:
a session management function (SMF) serving the first PIN element, an access and mobility management function (AMF) serving the first PIN element, the first PIN element, or a target PIN element;
where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
Optionally, the second network element is an SMF serving the first PIN element, and the acquiring the first communication policy of the first PIN element includes: acquiring the first communication policy of the first PIN element during a session establishment procedure of the first PIN element; or
the second network element is an AMF serving the first PIN element, and the acquiring the first communication policy of the first PIN element includes: acquiring the first communication policy of the first PIN element during a registration procedure or a session establishment procedure of the first PIN element.
Optionally, the second network element is an SMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element, where the first network element includes a user plane function (UPF).
Optionally, the second communication policy of the first PIN element includes at least one of the following:
a packet detection rule (PDR) and a forwarding action rule (FAR);
where the PDR includes at least one of the following:
first detection information of data packets that the first PIN element is allowed to receive;
second detection information of data packets that the first PIN element is prohibited from receiving;
and the FAR is used to indicate at least one of the following:
when a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
when a second data packet matching the second detection information is received, discarding the second data packet.
Optionally, the second network element is an SMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element via the AMF;
where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
Optionally, the second network element is an AMF serving the first PIN element, and the sending policy information to the first network element includes: sending the policy information to the first network element;
where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
the first network element includes the first PIN element.
The second network element above sends policy information to the first network element, so that the first network element performs authorization control on data packets associated with the PIN element according to the policy information, thereby preventing communication between devices that have no communication permission and ensuring secure communication between devices.
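The second network element's side of the scheme, described for the communication authorization apparatus 1000 of FIG. 10 and restated for the second network element 1300 above (obtain the first communication policy, either directly or by picking the element's entry out of the whole PIN's policy; derive the second communication policy in PDR/FAR form; deliver it to the UPF directly from the SMF, to a PIN element via the AMF from the SMF, or directly from the AMF), is illustrated by the following added Python example. It is not code from the patent or from the applicant; the element identifiers, the dict layout of the PDR and FAR entries, and the choice that a sender listed as both allowed and prohibited is treated as prohibited are assumptions constructed for the illustration.

```python
# Added example, not the patent's own code: a second network element (the SMF or
# AMF serving the first PIN element) turning the first communication policy it
# obtained into the second communication policy (PDR/FAR) that the first network
# element enforces, and choosing how to deliver it. Element ids, the dict layout
# of the PDR/FAR entries and "prohibit wins on conflict" are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FirstCommunicationPolicy:
    """First communication policy of one PIN element as received from the
    PIN element communication policy network element (constructed layout)."""
    pin_element: str
    allowed_senders: Tuple[str, ...]      # second PIN element(s)
    prohibited_senders: Tuple[str, ...]   # third PIN element(s)


def element_policy_from_pin_policy(pin_policy: Dict[str, FirstCommunicationPolicy],
                                   pin_element: str) -> FirstCommunicationPolicy:
    """Second acquisition branch: the whole PIN's policy was received, so pick
    out the entry belonging to the first PIN element."""
    try:
        return pin_policy[pin_element]
    except KeyError:
        raise LookupError(f"PIN policy carries no entry for {pin_element}") from None


def derive_second_policy(first: FirstCommunicationPolicy) -> dict:
    """Build the PDR entries (first/second detection information) and the FAR
    entries (forward/drop) that express the first policy. A sender listed as both
    allowed and prohibited is emitted only as prohibited (assumption)."""
    prohibited = set(first.prohibited_senders)
    pdr: List[dict] = []
    far: List[dict] = []
    for sender in first.allowed_senders:
        if sender in prohibited:
            continue
        rule_id = f"pdr-allow-{sender}"
        pdr.append({"id": rule_id, "kind": "first_detection_info",
                    "match": {"src": sender, "dst": first.pin_element}})
        far.append({"pdr": rule_id, "action": "forward", "to": first.pin_element})
    for sender in first.prohibited_senders:
        rule_id = f"pdr-deny-{sender}"
        pdr.append({"id": rule_id, "kind": "second_detection_info",
                    "match": {"src": sender, "dst": first.pin_element}})
        far.append({"pdr": rule_id, "action": "drop"})
    return {"pin_element": first.pin_element, "pdr": pdr, "far": far}


def delivery_path(second_ne: str, first_ne: str) -> str:
    """Path the policy information takes, following the embodiments: SMF to UPF
    directly; SMF to a (target) PIN element via the AMF; AMF to a (target) PIN
    element directly. Any other pairing is not described, so it is rejected."""
    pin_side = ("PIN element", "target PIN element")
    if second_ne == "SMF" and first_ne == "UPF":
        return "SMF->UPF"
    if second_ne == "SMF" and first_ne in pin_side:
        return "SMF->AMF->" + first_ne
    if second_ne == "AMF" and first_ne in pin_side:
        return "AMF->" + first_ne
    raise ValueError(f"no delivery path described for {second_ne} -> {first_ne}")


def derive_sample() -> dict:
    """Constructed PIN-level policy for two elements; derive 'pin-elem-1' policy."""
    pin_policy = {
        "pin-elem-1": FirstCommunicationPolicy(
            "pin-elem-1",
            allowed_senders=("pin-elem-2", "pin-elem-5"),
            prohibited_senders=("pin-elem-3", "pin-elem-5")),   # elem-5 conflicts
        "pin-elem-2": FirstCommunicationPolicy("pin-elem-2", ("pin-elem-1",), ()),
    }
    first = element_policy_from_pin_policy(pin_policy, "pin-elem-1")
    return derive_second_policy(first)


if __name__ == "__main__":
    import json
    print(json.dumps(derive_sample(), indent=2))
    print(delivery_path("SMF", "target PIN element"))
```

The derived policy contains one forward FAR for the second PIN element and drop FARs for every prohibited sender; a sender that appears in both lists gets only the drop entry, so a contradictory first policy cannot silently widen what the first network element forwards.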
Specifically, the second network element in this embodiment of the present invention further includes instructions or a program stored in the memory 1302 and runnable on the processor 1303; the processor 1303 invokes the instructions or program in the memory 1302 to perform the method carried out by the modules shown in FIG. 10 and achieves the same technical effect. To avoid repetition, this is not described again here.
An embodiment of the present application further provides a readable storage medium storing a program or instructions which, when executed by a processor, implement the steps of the communication authorization method on the first network element side provided by the embodiments of the present application, or implement the steps of the communication authorization method on the second network element side provided by the embodiments of the present application.
Here the processor is the processor of the first network element or of the second network element described in the above embodiments. The readable storage medium includes a computer-readable storage medium such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
An embodiment of the present application further provides a system including a first network element and a second network element, where the first network element is configured to: obtain policy information, the policy information including a communication policy of a first personal IoT network (PIN) element; and perform authorization control on the data packets associated with the first PIN element according to the policy information;
and the second network element is configured to: obtain a first communication policy of the first personal IoT network (PIN) element; and send policy information to the first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
An embodiment of the present application further provides a chip including a processor and a communication interface coupled to the processor, the processor being configured to run a program or instructions to implement each process of the above communication authorization method embodiments and achieve the same technical effect. To avoid repetition, this is not described again here.
It should be understood that the chip mentioned in the embodiments of the present application may also be referred to as a system-level chip, a system chip, a chip system or a system-on-chip.
It should be noted that in this document the terms "comprise", "include" or any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises the element. In addition, it should be pointed out that the scope of the methods and apparatuses in the embodiments of the present application is not limited to performing the functions in the order shown or discussed; depending on the functions involved, they may also be performed substantially simultaneously or in the reverse order. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted or combined. Moreover, features described with reference to certain examples may be combined in other examples.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a computer software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific implementations described above, which are illustrative rather than restrictive. Guided by the present application, persons of ordinary skill in the art may devise many further forms without departing from the spirit of the present application and the scope protected by the claims, and all of these fall within the protection of the present application.

Claims (29)

  1. A communication authorization method, comprising:
    obtaining, by a first network element, policy information, the policy information including a communication policy of a first personal IoT network (PIN) element;
    performing, by the first network element, authorization control on data packets associated with the first PIN element according to the policy information.
  2. The method according to claim 1, wherein performing authorization control on the data packets associated with the first PIN element includes at least one of the following:
    sending a first data packet associated with the first PIN element to the first PIN element;
    discarding a second data packet associated with the first PIN element;
    receiving a third data packet associated with the first PIN element.
  3. The method according to claim 2, wherein sending the first data packet associated with the first PIN element to the first PIN element includes:
    where the communication policy of the first PIN element includes a communication policy allowing the first PIN element to receive data packets sent by a second PIN element, sending the first data packet associated with the first PIN element to the first PIN element, the first data packet being a data packet sent by the second PIN element to the first PIN element.
  4. The method according to claim 2, wherein discarding the second data packet associated with the first PIN element includes:
    where the communication policy of the first PIN element includes a communication policy prohibiting the first PIN element from receiving data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, the second data packet being a data packet sent by the third PIN element to the first PIN element; or
    where the communication policy of the first PIN element does not include a communication policy allowing the first PIN element to receive data packets sent by a third PIN element, discarding the second data packet associated with the first PIN element, the second data packet being a data packet sent by the third PIN element to the first PIN element.
  5. The method according to claim 2, wherein receiving the third data packet associated with the first PIN element includes:
    where the communication policy of the first PIN element includes a communication policy allowing the first PIN element to receive data packets sent by a second PIN element, receiving the third data packet associated with the first PIN element that is sent by the second PIN element.
  6. The method according to claim 1, wherein the first network element includes one of the following:
    a user plane function (UPF), the first PIN element, and a target PIN element;
    where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
  7. The method according to claim 6, wherein the first network element is the user plane function (UPF), and obtaining the policy information by the first network element includes: receiving, by the first network element, the policy information from a session management function (SMF).
  8. The method according to claim 6, wherein the first network element is the first PIN element or the target PIN element, and obtaining the policy information by the first network element includes: receiving, by the first network element, the policy information from an access and mobility management function (AMF).
  9. The method according to claim 7, wherein the communication policy of the first PIN element includes at least one of the following:
    a packet detection rule (PDR) and a forwarding action rule (FAR);
    where the PDR includes at least one of the following:
    first detection information of data packets that the first PIN element is allowed to receive;
    second detection information of data packets that the first PIN element is prohibited from receiving;
    and the FAR is used to indicate at least one of the following:
    where a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN element;
    where a second data packet matching the second detection information is received, discarding the second data packet.
  10. A communication authorization method, comprising:
    obtaining, by a second network element, a first communication policy of a first personal IoT network (PIN) element;
    sending, by the second network element, policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
  11. The method according to claim 10, wherein the second communication policy of the first PIN element includes at least one of the following:
    a communication policy allowing the first PIN element to receive data packets sent by a second PIN element;
    a communication policy prohibiting the first PIN element from receiving data packets sent by a third PIN element.
  12. The method according to claim 10 or 11, wherein obtaining the first communication policy of the first PIN element by the second network element includes:
    receiving, by the second network element, the first communication policy of the first PIN element from a PIN element communication policy network element; or
    receiving, by the second network element, a communication policy of the PIN to which the first PIN element belongs from the PIN element communication policy network element, the communication policy of the PIN including the first communication policy of the first PIN element.
  13. The method according to claim 12, wherein the method further comprises:
    sending, by the second network element, a communication policy request to the PIN element communication policy network element, the communication policy request including description information of the first PIN element, or the communication policy request including description information of the PIN to which the first PIN element belongs.
  14. The method according to claim 10 or 11, wherein the second network element includes one of the following:
    a session management function (SMF) serving the first PIN element, an access and mobility management function (AMF) serving the first PIN element, the first PIN element, and a target PIN element;
    where the target PIN element is a PIN element with gateway capability in the PIN to which the first PIN element belongs.
  15. The method according to claim 14, wherein the second network element is the SMF serving the first PIN element, and obtaining the first communication policy of the first PIN element by the second network element includes: obtaining, by the second network element, the first communication policy of the first PIN element during session establishment of the first PIN element; or
    the second network element is the AMF serving the first PIN element, and obtaining the first communication policy of the first PIN element by the second network element includes: obtaining, by the second network element, the first communication policy of the first PIN element during registration or session establishment of the first PIN element.
  16. The method according to claim 14, wherein the second network element is the SMF serving the first PIN element, and sending the policy information to the first network element by the second network element includes: sending, by the second network element, the policy information to the first network element, the first network element including a user plane function (UPF).
  17. The method according to claim 16, wherein the second communication policy of the first PIN element includes at least one of the following:
    a packet detection rule (PDR) and a forwarding action rule (FAR);
    where the PDR includes at least one of the following:
    first detection information of data packets that the first PIN element is allowed to receive;
    second detection information of data packets that the first PIN element is prohibited from receiving;
    and the FAR is used to indicate at least one of the following:
    where a first data packet matching the first detection information is received, forwarding the first data packet to the first PIN;
    where a second data packet matching the second detection information is received, discarding the second data packet.
  18. The method according to claim 14, wherein the second network element is the SMF serving the first PIN element, and sending the policy information to the first network element by the second network element includes: sending, by the second network element, the policy information to the first network element via the AMF;
    where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
    the first network element includes the first PIN element.
  19. The method according to claim 15, wherein the second network element is the AMF serving the first PIN element, and sending the policy information to the first network element by the second network element includes: sending, by the second network element, the policy information to the first network element;
    where the first network element includes a target PIN element, the target PIN element being a PIN element with gateway capability in the PIN to which the first PIN element belongs; or
    the first network element includes the first PIN element.
  20. A communication authorization apparatus, comprising:
    an obtaining module, configured to obtain policy information, the policy information including a communication policy of a first personal IoT network (PIN) element;
    a control module, configured to perform authorization control on data packets associated with the first PIN element according to the policy information.
  21. The apparatus according to claim 20, wherein performing authorization control on the data packets associated with the first PIN element includes at least one of the following:
    sending a first data packet associated with the first PIN element to the first PIN element;
    discarding a second data packet associated with the first PIN element;
    receiving a third data packet associated with the first PIN element.
  22. A communication authorization apparatus, comprising:
    an obtaining module, configured to obtain a first communication policy of a first personal IoT network (PIN) element;
    a sending module, configured to send policy information to a first network element, the policy information including a second communication policy of the first PIN element, where the second communication policy of the first PIN element is determined according to the first communication policy of the first PIN element.
  23. The apparatus according to claim 22, wherein the second communication policy of the first PIN element includes at least one of the following:
    a communication policy allowing the first PIN element to receive data packets sent by a second PIN element;
    a communication policy prohibiting the first PIN element from receiving data packets sent by a third PIN element.
  24. A network element, the network element being a first network element and comprising: a memory, a processor, and a program or instructions stored in the memory and runnable on the processor, where the program or instructions, when executed by the processor, implement the steps of the communication authorization method according to any one of claims 1 to 9.
  25. A network element, the network element being a second network element and comprising: a memory, a processor, and a program or instructions stored in the memory and runnable on the processor, where the program or instructions, when executed by the processor, implement the steps of the communication authorization method according to any one of claims 10 to 19.
  26. A readable storage medium storing a program or instructions, where the program or instructions, when executed by a processor, implement the steps of the communication authorization method according to any one of claims 1 to 9, or implement the steps of the communication authorization method according to any one of claims 10 to 19.
  27. A chip, comprising a processor and a communication interface, where the communication interface is coupled to the processor, and the processor is configured to run a program or instructions to implement the steps of the communication authorization method according to any one of claims 1 to 9, or to implement the steps of the communication authorization method according to any one of claims 10 to 19.
  28. A computer program product, where the program product is stored in a non-volatile storage medium and is executed by at least one processor to implement the steps of the communication authorization method according to any one of claims 1 to 9, or to implement the steps of the communication authorization method according to any one of claims 10 to 19.
  29. A communication device, configured to perform the communication authorization method according to any one of claims 1 to 9, or to perform the communication authorization method according to any one of claims 10 to 19.
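The two halves of the scheme, the second network element turning a PIN element's allow/prohibit communication policy into PDR/FAR form (claims 10, 11 and 17, and the SMF/AMF description above) and the first network element enforcing those rules on each packet (claims 2 to 4 and 9), are shown together in the following worked example. It is added here and is not the patent's or any vendor's code. The PIN element names, the IPv4 addresses used as detection information, the FAR identifiers and the precedence values are all constructed for the example; the choices that explicit prohibitions are evaluated before allow entries and that a trailing wildcard rule drops any sender not explicitly allowed (the second alternative of claim 4) are this example's design decisions, not something the patent specifies.

```python
"""Added example (not the patent's own code): derive PDR/FAR-style rules from a
PIN element's communication policy, then enforce them on packets at a UPF-like
first network element.  All names, addresses and rule identifiers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Literal, Tuple

Action = Literal["FORWARD", "DROP"]
FAR_FORWARD, FAR_DROP = 1, 2   # FAR identifiers chosen for this example


@dataclass(frozen=True)
class FirstPolicy:
    """First communication policy of a PIN element, as the second network element
    (SMF or AMF) obtains it from the PIN element communication policy network element."""
    pin_element: str
    allowed_senders: Tuple[str, ...] = ()
    prohibited_senders: Tuple[str, ...] = ()


@dataclass(frozen=True)
class PDR:
    """Packet detection rule: detection information (source/destination address,
    "*" = any) plus the FAR to apply.  A lower precedence value is evaluated first."""
    pdr_id: int
    precedence: int
    src_ip: str
    dst_ip: str
    far_id: int


@dataclass(frozen=True)
class FAR:
    """Forwarding action rule referenced by one or more PDRs."""
    far_id: int
    action: Action


@dataclass
class SecondPolicy:
    """Second communication policy in the PDR/FAR form the first network element enforces."""
    pdrs: List[PDR] = field(default_factory=list)
    fars: Dict[int, FAR] = field(default_factory=dict)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


def derive_second_policy(first: FirstPolicy, addresses: Dict[str, str]) -> SecondPolicy:
    """Second network element side.  Design choices of this example: prohibitions get
    the best precedence so a conflicting allow entry cannot override them, and a
    trailing wildcard PDR drops every sender that is not explicitly allowed."""
    dst = addresses[first.pin_element]
    policy = SecondPolicy(fars={FAR_FORWARD: FAR(FAR_FORWARD, "FORWARD"),
                                FAR_DROP: FAR(FAR_DROP, "DROP")})
    next_id = 1
    for sender in first.prohibited_senders:            # second detection information
        policy.pdrs.append(PDR(next_id, 10, addresses[sender], dst, FAR_DROP))
        next_id += 1
    for sender in first.allowed_senders:               # first detection information
        policy.pdrs.append(PDR(next_id, 20, addresses[sender], dst, FAR_FORWARD))
        next_id += 1
    policy.pdrs.append(PDR(next_id, 255, "*", dst, FAR_DROP))   # default deny
    return policy


def _matches(pdr: PDR, pkt: Packet) -> bool:
    return pdr.src_ip in ("*", pkt.src_ip) and pdr.dst_ip in ("*", pkt.dst_ip)


def authorize(policy: SecondPolicy, pkt: Packet) -> Action:
    """First network element (UPF) side: apply the FAR of the best-precedence matching
    PDR.  A packet no PDR covers is dropped, the fail-closed choice of this example."""
    for pdr in sorted(policy.pdrs, key=lambda p: p.precedence):
        if _matches(pdr, pkt):
            return policy.fars[pdr.far_id].action
    return "DROP"


# Constructed sample PIN: a smart lock may be driven by the phone and the hub, must
# never accept traffic from the guest tablet, and a camera is simply not listed.
ADDRESSES = {"lock": "10.0.0.10", "phone": "10.0.0.20", "hub": "10.0.0.30",
             "tablet": "10.0.0.40", "camera": "10.0.0.50"}
LOCK_POLICY = FirstPolicy("lock", allowed_senders=("phone", "hub"),
                          prohibited_senders=("tablet",))


def run_demo() -> Dict[str, Action]:
    """Derive the PDR/FAR policy once and authorize one packet from each other device."""
    policy = derive_second_policy(LOCK_POLICY, ADDRESSES)
    return {name: authorize(policy, Packet(ip, ADDRESSES["lock"]))
            for name, ip in ADDRESSES.items() if name != "lock"}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:>7} -> lock : {action}")
```

The unlisted camera is dropped by the wildcard rule rather than by an explicit prohibition, which is exactly the distinction claim 4 draws between its two alternatives; in a real UPF the detection information would be N4 match fields (IP, port, protocol) rather than a bare address pair, but the precedence-ordered lookup is the same.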
Application PCT/CN2022/124026, priority date 2021-10-12, filing date 2022-10-09: Communication authorization method and apparatus, network element and storage medium (WO2023061275A1, en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202111188003.9A (CN115967942A) | 2021-10-12 | 2021-10-12 | Communication authorization method, device, network element and storage medium
CN202111188003.9 | 2021-10-12 | |

Publications (1)

Publication Number | Publication Date
WO2023061275A1 | 2023-04-20

Family

ID=85898165

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2022/124026 (WO2023061275A1) | 2021-10-12 | 2022-10-09 | Communication authorization method and apparatus, network element and storage medium

Country Status (2)

Country | Link
CN (1) | CN115967942A
WO (1) | WO2023061275A1

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2018205756A1 * | 2017-05-09 | 2018-11-15 | 中国移动通信有限公司研究院 | Data packet flow distribution method, device and computer storage medium
CN109756430A * | 2017-11-07 | 2019-05-14 | 华为技术有限公司 | A kind of processing method and processing device of rule
CN112311691A * | 2019-07-26 | 2021-02-02 | 华为技术有限公司 | Policy control method, device and system
CN112839078A * | 2020-12-30 | 2021-05-25 | 奇点新源国际技术开发(北京)有限公司 | Data forwarding method and device for 5G private network environment and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
HUAWEI, HUAWEI DEVICES: "Addition of potential requirements on PIN and PIN Element identity and discovery of PIN Element identity", 3GPP Draft S1-212132, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG1, Electronic Meeting 2021-07-05 to 2021-07-12, 13 July 2021, XP052031351 *

Also Published As

Publication number Publication date
CN115967942A (en) 2023-04-14

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22880214; Country of ref document: EP; Kind code of ref document: A1