WO2023202503A1 - Communication method and apparatus - Google Patents


Info

Publication number: WO2023202503A1
Authority: WO (WIPO (PCT))
Prior art keywords: access network; terminal device; network element; information; mobility management
Application number: PCT/CN2023/088566
Other languages: French (fr), Chinese (zh)
Inventors: 赵鹏涛, 李岩
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023202503A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security
    • H04W 48/00 Access restriction; Network selection; Access point selection > H04W 48/02 Access restriction performed under specific conditions
    • H04W 76/00 Connection management > H04W 76/30 Connection release

Definitions

  • the present application relates to the field of communication technology, and in particular, to a communication method and device.
  • Access network equipment can provide network access functions for authorized user equipment in a specific area, but there is a risk that access network equipment may be controlled by a third party.
  • access network equipment is usually deployed inside the campus.
  • the security management capabilities of the equipment rooms inside the campus are weak, and third parties may gain control of the access network equipment in certain ways. If a third party controls the access network equipment, it can control the user plane and control plane of the mobile communication network, posing huge risks to communication security.
  • This application provides a communication method and device, which can improve the communication security of terminal equipment when the access network equipment is controlled.
  • a communication method includes: a mobility management network element determines that a first access network device is untrustworthy; and the mobility management network element sends first indication information to a terminal device connected to the first access network device, where the first indication information is used to indicate that the first access network device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device.
  • when the mobility management network element determines that the first access network device is untrustworthy, it can indicate to the terminal device under the first access network device that the first access network device is untrustworthy, or instruct it to disconnect from the first access network device, so that the terminal device can disconnect from the first access network device according to the instruction of the mobility management network element, thereby improving the communication security of the terminal device.
  • the method further includes: the mobility management network element determines that a second access network device is untrustworthy; the mobility management network element sends the identification of the second access network device to the terminal device.
  • the second access network device may include one or more access network devices.
  • the second access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device connected to the first access network device; an access network device physically adjacent to the terminal device; an access network device that the terminal device can access.
  • the mobility management network element can send the identification of the one or more access network devices to the terminal device so that, in subsequent cell access, the terminal device does not access the one or more access network devices, further improving the communication security of the terminal device.
  • the mobility management network element may also send the identification of the first access network device to the terminal device.
  • the method further includes: the mobility management network element sending timer information to the terminal device, the timer information being used to indicate the time for which the first access network device is untrustworthy.
  • the mobility management network element can also send timer information to the terminal device to indicate the time for which the first access network device is untrustworthy, so that the terminal device can determine that it may access the cell of the first access network device again after the time indicated by the timer information expires. This improves the communication security of the terminal device while ensuring effective utilization of the resources of the first access network device.
  • the mobility management network element sending the first indication information to the terminal device includes: the mobility management network element sends a deregistration request message to the terminal device, where the deregistration request message is used to request the terminal device to deregister from the currently connected network, and the deregistration request message includes the first indication information.
  • the mobility management network element can send the first indication information to the terminal device through the deregistration request message. That is to say, the mobility management network element can request the terminal device to deregister while sending it the first indication information. After the terminal device deregisters, the mobility management network element can delete the context of the terminal device, thereby saving resources of the mobility management network element.
  • the mobility management network element sending the deregistration request message to the terminal device includes: the mobility management network element determines whether there is an alternative access network device within the coverage of the first access network device; when there is an alternative access network device within the coverage of the first access network device, the mobility management network element sends the deregistration request message to the terminal device.
  • the mobility management network element can request the terminal device to deregister when there is no alternative access network device within the coverage of the first access network device. That is to say, when the terminal device has no other alternative access network device to access, the mobility management network element can trigger the terminal device to deregister, so that the context of the terminal device is no longer retained, thereby saving resources of the mobility management network element.
  • when the terminal device accesses the network through both 3rd generation partnership project (3GPP) technology and non-3GPP technology, the mobility management network element sending the first indication information to the terminal device includes: the mobility management network element sends the first indication information to the terminal device through a non-3GPP interworking function network element.
  • the mobility management network element can send the first indication information to the terminal device through the non-3GPP interworking function network element, so that the first indication information still reaches the terminal device when the first access network device, once controlled by a third party, does not forward it.
  • the method further includes: the mobility management network element sending configuration information to a third access network device, the configuration information being used to indicate not to hand over to the cell of the first access network device.
  • the mobility management network element can instruct the third access network device, through the configuration information, not to perform handover to the cell of the first access network device. Therefore, when the terminal device performs cell handover, the third access network device does not, according to the configuration information, switch the terminal device to the cell of the first access network device, thereby improving communication security.
  • before the mobility management network element sends the configuration information to the third access network device, the method further includes: the mobility management network element determines the third access network device, and the third access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device connected to the first access network device; an access network device adjacent to the terminal device; an access network device that the terminal device can access.
  • before the mobility management network element determines that the first access network device is untrustworthy, the method further includes: the mobility management network element receiving second indication information from a security policy control network element, the second indication information being used to indicate that the first access network device is untrustworthy.
  • the mobility management network element can determine that the first access network device is untrustworthy according to the instruction information of the security policy control network element.
  • the method further includes: the mobility management network element releases the connection with the first access network device; the mobility management network element triggers deactivation of the session of the terminal device.
  • the mobility management network element can release the connection with the first access network device and trigger deactivation of the session of the terminal device, to prevent the first access network device from controlling the user plane and data plane of the mobile access network, thereby improving communication security.
  • the method further includes: when the mobility management network element does not receive a confirmation message from the terminal device, the mobility management network element sends the identification of the first access network device, the identification of the terminal device and third indication information to the data management network element.
  • the confirmation message is used to indicate that the terminal device successfully received the first indication information.
  • the third indication information is used to indicate that the first access network device is not trustworthy, or is used to instruct the data management network element to indicate to the terminal device that the first access network device is not trustworthy.
  • when the mobility management network element does not receive the confirmation message from the terminal device, that is, when the terminal device has not received the first indication information from the mobility management network element, the mobility management network element can send the identifier of the first access network device and the identifier of the terminal device to the data management network element, and indicate to the data management network element that the first access network device is untrustworthy, or instruct it to indicate to the terminal device that the first access network device is untrustworthy. Based on this, the data management network element can indicate to the terminal device that the first access network device is untrustworthy after the terminal device reconnects to the network, so that the terminal device does not access the cell of the first access network device, improving the communication security of the terminal device.
  • a communication method includes: a terminal device receiving first indication information from a mobility management network element, the first indication information being used to indicate that the first access network device connected to the terminal device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device; after receiving the first indication information, the terminal device disconnects from the first access network device.
  • after the mobility management network element indicates to the terminal device that the first access network device is untrustworthy, or instructs it to disconnect from the first access network device, the terminal device disconnects from the first access network device, which prevents the first access network device from controlling the communication of the terminal device and improves the communication security of the terminal device.
  • the method further includes: the terminal device stores first policy information, the first policy information being used to indicate not to access the cell of the first access network device.
  • after receiving the first indication information, the terminal device saves the first policy information indicating not to access the cell of the first access network device. That is to say, when the terminal device subsequently performs cell access, according to the first policy information it does not access the cell of the first access network device, thereby improving the communication security of the terminal device.
  • the method further includes: the terminal device receiving timer information from the mobility management network element, the timer information being used to indicate the time for which the first access network device is untrustworthy; after the time indicated by the timer information expires, the terminal device deletes the first policy information.
  • the mobility management network element can also indicate to the terminal device the time when the first access network device is untrustworthy through timer information. In this case, when the time indicated by the timer information expires, the terminal device may delete the first policy information. That is to say, after the time indicated by the timer information expires, the terminal device can access the cell of the first access network device.
  • the method further includes: the terminal device receiving the identification of a second access network device from the mobility management network element; the terminal device storing second policy information, the second policy information being used to indicate not to access the cell of the second access network device.
  • the second access network device may include one or more access network devices.
  • the identification of the one or more access network devices can be sent to the terminal device so that the terminal device can save second policy information indicating not to access the cell of the second access network device. That is to say, when the terminal device subsequently performs cell access, according to the second policy information it does not access the cell of the second access network device, thereby improving the communication security of the terminal device.
  • the terminal device receiving the first indication information from the mobility management network element includes: the terminal device receives a deregistration request message from the mobility management network element, where the deregistration request message is used to request the terminal device to deregister from the currently connected network, and the deregistration request message includes the first indication information.
  • the mobility management network element can send the first indication information to the terminal device through the deregistration request message. That is to say, the mobility management network element can request the terminal device to deregister while sending it the first indication information. In this case, after the terminal device deregisters, the mobility management network element can delete the context of the terminal device, thereby saving resources of the mobility management network element.
  • in the case where the terminal device also accesses the network through non-3GPP technology, the terminal device receiving the first indication information from the mobility management network element includes: the terminal device receives the first indication information from the mobility management network element through a non-3GPP interworking function network element.
  • the mobility management network element can send the first indication information to the terminal device through the non-3GPP interworking function network element, to prevent the mobility management network element from being unable to deliver the first indication information to the terminal device after the first access network device is controlled by a third party.
  • the method further includes: the terminal device sending a confirmation message to the mobility management network element, the confirmation message being used to indicate that the terminal device successfully received the first indication information.
  • a communication method includes: a first device receiving second indication information from a security policy control network element, the second indication information being used to indicate that the first access network device is untrustworthy; the first device sends configuration information to a third access network device.
  • the configuration information includes an identification of the first access network device and a cell switching policy.
  • the cell switching policy is used to indicate not to switch the terminal device to the cell of the first access network device.
  • the first device can be any network device.
  • the first device can be a mobility management network element, or the first device can also be a network management device, which is not limited in this application.
  • after receiving the second indication information from the security policy control network element, the first device can determine, based on the second indication information, that the first access network device is untrustworthy. Based on this, the first device may send configuration information to the third access network device to instruct it not to switch the terminal device to the cell of the first access network device, so that the third access network device does not switch the terminal device to the cell of the first access network device, improving the communication security of the terminal device.
  • the method further includes: the first device determines the third access network device based on the first access network device, and the third access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device adjacent to the first access network device; an access network device connected to the first access network device; an access network device that the terminal device may access.
  • a communication method includes: a third access network device receives configuration information from the first device, the configuration information includes a cell switching policy, and the cell switching policy is used to indicate not to switch the terminal device to the cell of the first access network device; the third access network device determines, according to the cell switching policy, not to switch the terminal device to the cell of the first access network device.
  • according to the configuration information from the first device, the third access network device does not switch the terminal device to the cell of the first access network device, thereby improving communication security.
  • a communication method includes: a data management network element receiving the identification of the terminal device, the identification of the first access network device and third indication information from the mobility management network element, where the third indication information is used to indicate that the first access network device is not trustworthy, or is used to instruct the data management network element to notify the terminal device that the first access network device is not trustworthy; after receiving the third indication information, the data management network element sends fourth indication information to the terminal device, where the fourth indication information is used to indicate that the first access network device is untrustworthy.
  • the data management network element will send the fourth indication information to the terminal device after the terminal device accesses the network.
  • the data management network element can indicate to the terminal device that the first access network device is untrustworthy after the terminal device reconnects to the network, so that the terminal device does not access the cell of the first access network device, thereby improving the communication security of the terminal device.
  • a sixth aspect provides a communication device, which is used to perform any of the methods provided in the above first to fourth aspects.
  • the device may include units and/or modules for executing the methods provided in the first to fourth aspects, such as a processing module and/or a transceiver module (which may also be a communication module).
  • the device is a network device, for example, the device is a mobility management network element, a data management network element, or a first device.
  • the communication module may be a transceiver, or an input/output interface; the processing module may be a processor.
  • the device is a chip, chip system or circuit used in network equipment.
  • the communication module may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip, chip system or circuit etc.
  • the processing module may be a processor, a processing circuit or a logic circuit, etc.
  • the device is a chip, chip system or circuit in the mobile management network element.
  • the apparatus may comprise units and/or modules for performing the method provided in the first aspect, such as a processing unit and/or a communication unit.
  • the device is the first device, or a chip, chip system or circuit in the first device.
  • the device may include units and/or modules for performing the method provided in the third aspect, such as a processing module and/or a transceiver module.
  • the device is a third access network device, or a chip, chip system or circuit in the third access network device.
  • the device may include units and/or modules for performing the method provided in the fourth aspect, such as a processing module and/or a transceiver module.
  • the device is a data management network element, or a chip, chip system or circuit in the data management network element.
  • the device may include units and/or modules for performing the method provided in the fifth aspect, such as a processing module and/or a transceiver module.
  • the device is a terminal device.
  • the communication unit may be a transceiver, or an input/output interface;
  • the processing unit may be a processor.
  • the device is a terminal device or a chip, a chip system or a circuit in the terminal device (10).
  • the device may include units and/or modules for performing the method provided in the second aspect, such as a processing module and/or a transceiver module.
  • the above-mentioned transceiver may be a transceiver circuit.
  • the above input/output interface may be an input/output circuit.
  • a seventh aspect provides a communication device.
  • the device includes: a memory for storing a program; a processor for executing the program stored in the memory.
  • the processor is configured to execute any of the methods provided in the first to fifth aspects above.
  • this application provides a processor for executing the methods provided in the above aspects.
  • the process of sending the above information and obtaining/receiving the above information in the above method can be understood as the process of the processor outputting the above information, and the process of the processor receiving the input above information.
  • when outputting the above information, the processor outputs it to the transceiver for transmission by the transceiver. After the above information is output by the processor, it may also need to undergo other processing before reaching the transceiver.
  • the transceiver obtains/receives the above information and inputs it into the processor. Furthermore, after the transceiver receives the above information, the above information may need to undergo other processing before being input to the processor.
  • receiving the request message mentioned in the foregoing method can be understood as the processor receiving input information.
  • the above-mentioned processor may be a processor specifically designed to perform these methods, or may be a processor that executes computer instructions in a memory to perform these methods, such as a general-purpose processor.
  • the above-mentioned memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated on the same chip as the processor, or can be separately provided on different chips.
  • a ninth aspect provides a computer-readable storage medium that stores program code for device execution, where the program code includes execution of any of the methods provided in the above-mentioned first to fifth aspects.
  • a tenth aspect provides a computer program product containing instructions, which when the computer program product is run on a computer, causes the computer to execute any of the methods provided in the first to fifth aspects.
  • a chip in an eleventh aspect, includes a processor and a communication interface.
  • the processor reads instructions stored in the memory through the communication interface and executes any of the methods provided in the first to fifth aspects.
  • the chip may also include a memory, in which instructions are stored, and the processor is used to execute the instructions stored in the memory.
  • the processor is used to execute any of the methods provided in the first to fifth aspects above.
  • a communication system including one or more of the aforementioned mobility management network element, first device, and data management network element.
  • the communication system may also include the above-mentioned third access network device.
  • the communication system may also include the above-mentioned terminal device.
  • Figure 1 shows a schematic diagram of a network architecture.
  • Figure 2 shows another schematic diagram of network architecture.
  • Figure 3 is a schematic flow chart of a communication method 300 provided by an embodiment of the present application.
  • Figure 4 is a schematic flow chart of a communication method 400 provided by an embodiment of the present application.
  • Figure 5 is a schematic flow chart of a communication method 500 provided by an embodiment of the present application.
  • Figure 6 is a schematic flow chart of a communication method 600 provided by an embodiment of the present application.
  • Figure 7 is a schematic flow chart of a communication method 700 provided by an embodiment of the present application.
  • Figure 8 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • Figure 9 is a schematic block diagram of a communication device provided by another embodiment of the present application.
  • Figure 10 is a schematic block diagram of a communication device provided by yet another embodiment of the present application.
  • the technical solutions provided by this application can be applied to various communication systems, such as fifth generation (5G) or new radio (NR) systems, long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, etc.
  • the technical solution provided by this application can also be applied to future communication systems, such as the sixth generation mobile communication system.
  • the technical solution provided by this application can also be applied to device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-to-machine (M2M) communication, machine type communication (MTC), and Internet of things (IoT) communication systems or other communication systems.
  • the following describes, in conjunction with Figure 1 and Figure 2, the 5G system framework based on point-to-point interfaces and the 5G system framework based on service-based interfaces.
  • FIG. 1 shows a schematic architectural diagram of a 5G system 100 applicable to the embodiment of the present application.
  • Figure 1 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • the network architecture may include but is not limited to the following network elements (also known as functional network elements, functional entities, nodes, devices, etc.):
  • radio access network (RAN)
  • access and mobility management function (AMF)
  • session management function (SMF)
  • user plane function (UPF)
  • policy control function (PCF)
  • unified data management (UDM)
  • application function (AF) network element
  • data network (DN)
  • network slice selection function (NSSF)
  • authentication server function (AUSF)
  • binding support function (BSF) network element
  • unified data repository (UDR)
  • user equipment can be called terminal equipment, terminal device, access terminal, user unit, user station, mobile station (MS), mobile terminal (MT), remote station, remote terminal, mobile device, user terminal, terminal, wireless communications equipment, user agent or user device.
  • the terminal device may be a device that provides voice/data connectivity to the user, such as a handheld device, a vehicle-mounted device, etc. with wireless connectivity capabilities.
  • terminals can be: mobile phones, tablets, computers with wireless transceiver functions (such as laptops, handheld computers, etc.), mobile Internet devices (MID), virtual reality (VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical care, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, wireless terminals in smart homes, cellular phones, cordless telephones, session initiation protocol (SIP) telephones, wireless local loop (WLL) stations, personal digital assistants (PDA), handheld devices with wireless communication capabilities, computing devices or other processing equipment connected to a wireless modem, vehicle-mounted equipment, wearable devices, terminal equipment in a 5G network or terminal equipment in a future evolved public land mobile network (PLMN), etc.
  • the terminal device can also be a terminal device in an Internet of things (IoT) system.
  • Its main technical feature is to connect objects to the network through communication technology, thereby realizing an intelligent network of human-computer interconnection and object interconnection.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through narrowband (NB) technology, for example.
  • terminal equipment can also include smart printers, train detectors, etc. Its main functions include collecting data (some terminal equipment), receiving control information and downlink data from network equipment, and sending electromagnetic waves to transmit uplink data to network equipment.
  • the user equipment can be any device that can access the network. Terminal equipment and access network equipment can communicate with each other using some air interface technology.
  • the user equipment can be used to act as a base station.
  • user equipment may act as a scheduling entity that provides sidelink signals between user equipments in V2X or D2D, etc.
  • cell phones and cars use sidelink signals to communicate with each other.
  • Cell phones and smart home devices communicate between each other without having to relay communication signals through base stations.
  • Radio access network ((R)AN) equipment: used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment, its service requirements, etc.
  • (R)AN can manage wireless resources, provide access services to user equipment, and then complete the forwarding of control signals and user equipment data between user equipment and the core network.
  • (R)AN can also be understood as a base station in a traditional network.
  • the access network device in the embodiment of the present application may be any communication device with wireless transceiver functions used to communicate with user equipment.
  • the access network equipment includes, but is not limited to, an evolved Node B (eNB), a gNB in a 5G system such as NR, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in the 5G system, or a network node that constitutes a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU), etc.
  • gNB may include centralized units (CUs) and DUs.
  • the gNB may also include an active antenna unit (AAU).
  • CU implements some functions of gNB
  • DU implements some functions of gNB.
  • the CU is responsible for processing non-real-time protocols and services, and implements the radio resource control (RRC) and packet data convergence protocol (PDCP) layer functions.
  • the DU is responsible for processing physical layer protocols and real-time services, and implements the radio link control (RLC), media access control (MAC) and physical (PHY) layer functions.
  • the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
  • the CU can be classified as access network equipment in the radio access network (RAN), or as access network equipment in the core network (CN); this application does not limit this.
  • User plane function (UPF) network element: used to handle the user plane data of the user equipment, including its quality of service (QoS) processing. In future communication systems, the user plane network element may still be a UPF network element or may have another name, which is not limited in this application.
  • Access and mobility management function (AMF) network element: mainly used for mobility management and access management, and can be used to implement the functions of the MME other than session management, such as access authorization/authentication.
  • the access and mobility management equipment may still be an AMF, or may have other names, which are not limited in this application.
  • Session management function (SMF) network element: mainly used for session management, Internet protocol (IP) address allocation and management for user equipment, selection of a manageable user plane function, termination of the policy control and charging function interfaces, downlink data notification, etc.
  • in future communication systems, the session management network element may still be an SMF network element or may have another name, which is not limited in this application.
  • Policy control function (PCF) network element: in future communication systems, the policy control network element may still be a PCF network element or may have another name, which is not limited in this application.
  • Application function (AF) network element: used for application-influenced data routing, accessing the network exposure function network element, interacting with the policy framework for policy control, etc.
  • application network elements can still be AF network elements, or they can have other names, which are not limited in this application.
  • Data management network element: used to process UE identifiers, access authentication, registration, mobility management, etc.
  • in the 5G system 100, the data management network element may be a unified data management (UDM) network element and/or a unified data repository (UDR) network element.
  • Authentication server function (AUSF) network element: in future communication systems, the authentication server function network element may still be an AUSF network element or may have another name, which is not limited in this application.
  • Network data analytics function (NWDAF) network element: used to identify network slice instances and the load level information of network slice instances.
  • the network data analysis function enables NF consumers to subscribe or unsubscribe to periodic notifications and notify consumers when thresholds are exceeded.
  • network data analysis function network elements can still be NWDAF network elements, or they can have other names, which are not limited in this application.
  • Data network (DN): a network located outside the operator's network.
  • the operator's network can access multiple DNs.
  • a variety of services can be deployed on the DN, which can provide data and/or voice services for terminal devices.
  • DN is a private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • DN is the internal office network of a company.
  • the mobile phones or computers of employees of the company can be used as terminal devices.
  • the employees' mobile phones or computers can access information and data resources on the company's internal office network.
  • Nausf, Nnef, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • the meaning of these interface serial numbers can be found in the meaning defined in the 3GPP standard protocol, and is not limited here.
  • network elements can communicate with each other through the interfaces shown in the figure.
  • the UE and the AMF can interact through the N1 interface, and the interaction message can be called an N1 message (N1Message), for example.
  • N1Message N1 message
  • RAN and AMF can interact through the N2 interface, which can be used for sending non-access stratum (NAS) messages.
  • NAS non-access stratum
  • RAN and UPF can interact through the N3 interface, which can be used to transmit user plane data, etc.
  • SMF and UPF can interact through the N4 interface.
  • the N4 interface can be used to transmit information such as tunnel identification information of the N3 connection, data cache indication information, and downlink data notification messages.
  • UPF and DN can interact through the N6 interface, which can transmit user plane data, etc.
  • the relationship between the other interfaces and each network element is shown in Figure 1; for brevity, they are not described in detail here.
  • Figure 2 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • in Figure 2, the interfaces between network elements are point-to-point interfaces rather than service-oriented interfaces.
  • N7 The interface between PCF and SMF, used to deliver control policies at protocol data unit (PDU) session granularity and service data flow granularity.
  • N15 The interface between PCF and AMF, used to deliver UE policies and access control related policies.
  • N5 The interface between AF and PCF, used for issuing application service requests and reporting network events.
  • N4 The interface between SMF and UPF, used to transfer information between the control plane and the user plane, including delivery of forwarding rules, QoS control rules and traffic statistics rules to the user plane, and reporting of user plane information.
  • N11 The interface between SMF and AMF, used to transfer PDU session tunnel information between RAN and UPF, transfer control messages sent to UE, transfer radio resource control information sent to RAN, etc.
  • N2 The interface between AMF and RAN, used to transmit wireless bearer control information from the core network side to the RAN.
  • N1 The interface between AMF and UE, independent of access, is used to deliver QoS control rules to UE, etc.
  • N8 The interface between AMF and UDM, used for AMF to obtain access and mobility management-related subscription data and authentication data from UDM, and for AMF to register UE's current mobility management-related information with UDM.
  • N10 The interface between SMF and UDM, used for SMF to obtain session management-related subscription data from UDM, and for SMF to register UE current session-related information with UDM.
  • N35 The interface between UDM and UDR, used by UDM to obtain user subscription data information from UDR.
  • N36 The interface between PCF and UDR, used by the PCF to obtain policy-related subscription data and application-data-related information from the UDR.
  • N12 The interface between AMF and AUSF, used by the AMF to initiate the authentication procedure towards the AUSF; it may carry the SUCI as the subscription identifier.
  • N13 The interface between UDM and AUSF, used by AUSF to obtain the user authentication vector from UDM to perform the authentication process.
  • the above network elements or functions can be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • in the following description, the network device is the access and mobility management network element (AMF) and the base station is the radio access network (RAN), as an example.
  • Computer-readable media may include, but are not limited to: magnetic storage devices (e.g., hard disks, floppy disks, tapes, etc.), optical disks (e.g., compact discs (CD), digital versatile discs (DVD), etc.), smart cards and flash memory devices (e.g., erasable programmable read-only memory (EPROM), cards, sticks or key drives, etc.).
  • various storage media described herein may represent one or more devices and/or other machine-readable media for storing information.
  • machine-readable medium may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
  • the 5G network defined by the 3rd generation partnership project (3GPP) includes a 5G network architecture based on service-oriented interfaces and a 5G network architecture based on point-to-point interfaces.
  • the 5G network can be divided into three parts, namely the UE, the DN and the operator network.
  • the operator's network may include one or more of the network elements shown in Figure 1 except for the UE and DN, or may also include other network elements.
  • this application does not limit the 5G network structure; reference may be made to the description in current related technologies.
  • the traditional centralized anchor point deployment method in LTE is increasingly difficult to support the rapidly growing mobile service traffic model.
  • the increased traffic is ultimately concentrated at the gateway and core computer room, which places higher and higher requirements on backhaul network bandwidth, computer room throughput, and gateway specifications;
  • the long-distance backhaul network and complex transmission environment from the access network to the anchor gateway lead to large delays and jitter in user packet transmission.
  • edge computing: by moving user plane network elements and service processing capabilities down to the edge of the network, edge computing realizes local processing of distributed service traffic and avoids excessive traffic concentration, greatly reducing the specification requirements for core equipment rooms and centralized gateways. At the same time, edge computing shortens the backhaul distance and reduces the end-to-end transmission delay and jitter of user packets, making it possible to deploy ultra-low-latency services.
  • Campus edge computing refers to a technology that applies edge computing to smart campuses. By combining edge computing with smart campuses, rapid deployment can be achieved, local business closed-loop can be realized, and a more optimized network can save transmission and ensure user experience for campus users.
  • Security policy control function (SPCF) network element: mainly responsible for the collection and analysis of security events and security information, and can provide security policy control for control plane network elements (such as the AMF, SMF, etc.). In future communication systems, the security policy control network element may still be an SPCF or may have another name, which is not limited in this application.
  • the embodiments shown below do not specifically limit the structure of the execution body of the method provided by the embodiments of this application, as long as it can communicate according to the method provided by the embodiments of this application by running a program that records the code of that method.
  • the execution subject of the method provided by the embodiment of the present application can be the core network device and the terminal device, or a functional module in the core network device or the terminal device that can call the program and execute the program.
  • "indicating" in the embodiments of this application can include direct indicating and indirect indicating.
  • the information indicated by a piece of indication information is called to-be-indicated information.
  • the to-be-indicated information can be indicated directly, for example by sending the to-be-indicated information itself or an index of the to-be-indicated information.
  • the to-be-indicated information can also be indicated indirectly by indicating other information that has an association relationship with the to-be-indicated information. It is also possible to indicate only a part of the to-be-indicated information, while the other parts are known or agreed in advance.
  • specific information can also be indicated by means of a pre-agreed (for example, protocol-stipulated) arrangement order of the pieces of information, reducing the indication overhead to a certain extent.
  • the common parts of the pieces of information can also be identified and indicated uniformly, to reduce the overhead caused by indicating the same information separately.
  • preconfigured may include predefined, for example, protocol definitions.
  • pre-definition can be realized by pre-saving corresponding codes, tables or other methods that can be used to indicate relevant information in the device (for example, including each network element). This application does not limit its specific implementation method.
  • the “save” involved in the embodiments of this application may refer to saving in one or more memories.
  • the one or more memories may be provided separately, or may be integrated in an encoder or decoder, a processor, or a communication device.
  • the one or more memories may also be partially provided separately and partially integrated in the decoder, processor, or communication device.
  • the type of memory can be any form of storage medium, and this application is not limited thereto.
  • the "protocol" involved in the embodiments of this application may refer to standard protocols in the communication field, which may include, for example, 5G protocols, new radio (NR) protocols and related protocols applied in future communication systems; this application is not limited thereto.
  • Figure 3 shows an exemplary flowchart of the method 300 provided by the embodiment of the present application.
  • the method 300 is exemplarily described below in conjunction with each step.
  • the mobility management network element determines that the first access network device is untrustworthy.
  • the mobility management network element may determine this based on an indication from another network element. For example, it receives second indication information from the security policy control network element, where the second indication information indicates that the first access network device is untrustworthy; after receiving the second indication information, the mobility management network element determines accordingly that the first access network device is untrustworthy. Alternatively, the mobility management network element may determine on its own that the first access network device is untrustworthy; the specific implementation is not limited in this application.
  • "the first access network device is untrustworthy" can also be expressed as "the first access network device is controlled by a third party", "the first access network device is not secure", etc.
  • the mobility management network element sends the first indication information to the terminal device connected to the first access network device.
  • the terminal device receives the first indication information from the mobility management network element.
  • the mobility management network element after determining that the first access network device is untrustworthy, sends the first indication information to the terminal device connected to the first access network device. For example, after determining that the first access network device is untrustworthy, the mobility management network element queries the terminal device connected to the first access network device, and then sends the first indication information to the terminal device. It should be understood that multiple terminal devices may be connected to the first access network device. For convenience, one of the terminal devices is used as an example for description here.
  • the first indication information is used to indicate that the first access network device is untrustworthy, or to indicate that the connection with the first access network device should be disconnected. In addition to these examples, the first indication information may indicate other contents, for example that the first access network device is controlled by a third party, or that the first access network device is not secure, etc.; this is not limited by this application.
  • the mobility management network element may also determine the radio resource control connection state of the terminal device (including connected state, idle state, inactive state, etc.). When the terminal device is in the connected state and the terminal device is connected to the first access network device, the mobility management network element sends the first indication information to the terminal device.
  • the mobility management network element may also determine whether an alternative access network device exists within the coverage area of the first access network device. The alternative access network device may be an access network device connected to the first access network device, or another access network device that terminal devices within the coverage of the first access network device can use to access the network. When the first access network device has an alternative access network device, a terminal device that has disconnected from the first access network device can choose to access the alternative access network device as needed.
  • the mobility management network element may send a de-registration request message to the terminal device and carry the first indication information in the de-registration request message.
  • the de-registration request message is used to request the terminal device to de-register from the network.
  • the terminal device may send a de-registration acceptance message to the mobility management network element.
  • the mobility management network element triggers the network side to execute the de-registration process of the terminal device. In the de-registration process, the mobility management network element deletes the context of the terminal device.
  • if the first access network device has no alternative access network device, the mobility management network element can trigger the de-registration of the terminal device and delete the context of the terminal device during the de-registration process, saving resources of the mobility management network element. If the first access network device has an alternative access network device, the mobility management network element does not need to trigger de-registration, that is, it can retain the context of the terminal device; in this case, after the terminal device disconnects from the first access network device, it can quickly reconnect to the network through a redirection or mobility registration update procedure, improving the efficiency of the terminal device's network access and the user experience.
  • the mobility management network element when it sends the first indication information to the terminal device, it may or may not carry the identifier of the first access network device.
  • the first indication information may be used to indicate to the terminal device that the access network device currently connected to the terminal device is not trustworthy, or in other words, the first indication information Used to instruct the terminal device to disconnect from the currently connected access network device, etc.
  • when the terminal device accesses the network only through 3rd generation partnership project (3GPP) access technology, the mobility management network element sends the first indication information to the terminal device in a non-access stratum (NAS) message over the 3GPP access. When the terminal device accesses the network through both 3GPP and non-3GPP access technologies, the mobility management network element preferentially sends the first indication information through the non-3GPP access, that is, via the non-3GPP interworking function (N3IWF).
  • the reason is that, since the terminal device is connected to the first access network device, a NAS message sent over the 3GPP access has to be forwarded to the terminal device by the first access network device. As the first access network device is untrustworthy, it may not forward the NAS message, in which case the terminal device cannot receive the first indication information.
  • sending the first indication information through the non-3GPP access technology therefore avoids the situation in which the first indication information fails to reach the terminal device because the first access network device does not forward the NAS message.
  • the mobility management network element sends the identifier of the second access network device to the terminal device.
  • the terminal device receives the identification of the second access network device from the mobility management network element.
  • optionally, the mobility management network element also sends the identifier of the second access network device to the terminal device.
  • the second access network device may include one or more access network devices. That is, if the mobility management network element determines that, in addition to the first access network device, one or more other access network devices are untrustworthy, it can send the identifiers of those one or more access network devices to the terminal device.
  • the mobility management network element sends timer information to the terminal device.
  • the terminal device receives the timer information from the mobility management network element.
  • the mobility management network element may also send timer information to the terminal device, where the timer information is used to indicate the time when one or more access network devices are untrustworthy.
  • the timer information is used to indicate the time during which the first access network device is untrustworthy. That is, when the time indicated by the timer information expires, the first access network device can be considered trustworthy again, or to have regained security, or the terminal device can again access a cell of the first access network device.
  • if the mobility management network element also sends the identifier of the second access network device to the terminal device, the timer information may indicate the untrustworthy time of the first access network device and the second access network device, or of one or more access network devices among the first access network device and the second access network device, or of one or more access network devices in the second access network device.
  • alternatively, the mobility management network element can send multiple pieces of timer information to the terminal device, corresponding one-to-one to multiple access network devices among the first access network device and the second access network device, each indicating the untrustworthy time of the corresponding access network device.
  • the times indicated by the multiple pieces of timer information may be the same or different, and are not limited in this application.
  • the terminal device may send a confirmation message to the mobility management network element, where the confirmation message is used to indicate that the terminal device successfully received the first indication information.
  • the mobility management network element determines that the first indication information is sent successfully based on the confirmation message.
  • when the mobility management network element cannot determine that the first indication information was sent successfully (for example, no confirmation message is received), it may send indication information to the data management network element, together with the identifier of the terminal device and the identifier of the first access network device. The indication information indicates that the first access network device is untrustworthy, or that the terminal device failed to receive the information indicating that the first access network device is untrustworthy, or that the terminal device has not learned that the first access network device is untrustworthy.
  • the mobility management network element also sends the identification of the second access network device to the data management network element.
  • the data management network element receives and stores the identity of the terminal device, the identity of the first access network device, and optionally the identity of the second access network device. After the terminal device reconnects to the network, the data management network element sends indication information indicating that the first access network device and the second access network device are untrustworthy to the terminal device, so that when the terminal device subsequently accesses the network it does not access cells of the first access network device or the second access network device, thereby improving the communication security of the terminal device.
  • the terminal device disconnects the connection with the first access network device according to the first indication information.
  • the terminal device stores the first policy information.
  • the terminal device after receiving the first indication information, stores the first policy information.
  • the first policy information may be first instruction information or other information.
  • the first policy information may also have different names in different scenarios.
  • the first policy information may also be called configuration information, or indication information, etc., which is not limited in this application.
  • the first policy information is used for the terminal device not to access a cell of the first access network device, or in other words, the first policy information is used for the terminal device to access a cell of an access network device other than the first access network device.
  • the terminal device may select a cell for access based on the first policy information. For example, during the cell access process, the terminal device receives a system message broadcast by an access network device.
  • the system message includes the identifier of the access network device.
  • the terminal device determines whether the identifier of the access network device is the same as the identifier of the first access network device. If they are the same, the terminal device does not try to access the cell of that access network device; if they are different, the terminal device can try to access the cell of that access network device.
  • the terminal device deletes the first policy information after the time indicated by the timer information expires. That is to say, after the time indicated by the timer information expires, the terminal device may try to access the cell of the first access network device.
  • the terminal device may store the second policy information after receiving the identification of the second access network device.
  • the second policy information is used in a cell where the terminal device does not access the second access network device. It should be understood that the first policy information and the second policy information may be the same information element or different information elements, which is not limited in this application.
  • the first device sends configuration information to the third access network device, where the configuration information is used to indicate not to perform handover to the cell of the first access network device.
  • the third access network device may include one or more access network devices.
  • the first device may be any network device.
  • the first device may be a mobility management network element, or the first device may be a network management device.
  • the first device receives second indication information from the security policy control network element.
  • the second indication information is used to indicate that the first access network device is untrustworthy.
  • the first device can send the configuration information to the third access network device according to the second indication information.
  • the first device may first determine the third access network device.
  • the third access network device may be an access network device controlled or managed by the first device, or an access network device adjacent to the first access network device, or an access network device connected to the first access network device, or an access network device near the terminal device, or an access network device that the terminal device can access, which is not limited in this application.
  • the configuration information may be first indication information or other information. In different scenarios, the configuration information may also have other names. For example, the configuration information may also be called policy information, indication information, or cell access policy, etc., which is not limited in this application.
  • the third access network device can save the configuration information and perform cell handover based on the configuration information. For example, during the cell handover process, a terminal device on the third access network device measures the signal strength of candidate cells and reports the measurement report to the third access network device. After the third access network device receives the measurement report, if the identity of the access network device where a candidate cell is located is the same as the identity of the first access network device, the third access network device does not hand the terminal device over to that candidate cell, thereby improving the communication security of the terminal device.
  • the first device may also send timer information to the third access network device, where the timer information is used to indicate a time when the first access network device is untrustworthy.
  • after the time indicated by the timer information expires, the third access network device can delete the configuration information, or the third access network device can modify the configuration information so that the modified configuration information indicates that handover to the cell of the first access network device can be performed.
  • the above example is based on the configuration information being used to indicate not to perform handover to the cell of the first access network device. However, if the first device also determines that the second access network device is not trustworthy, the first device can also use the configuration information to instruct the third access network device not to perform handover to the cell of the second access network device.
  • the specific implementation method is similar to the above example and will not be described again here.
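The two uses of the untrusted-device list described above, the terminal device's cell selection against the first/second policy information and the third access network device's handover filtering against the configuration information, share the same underlying check: an identifier lookup against a list whose entries expire when their timer runs out. The following Python is an added illustration, not code from the patent or from any 3GPP implementation; the RAN identifiers, the signal-strength values and the shape of the system information and measurement report are constructed for the example.

```python
"""Added example: untrusted-RAN policy store with per-entry timers, used for
UE-side cell selection and RAN-side handover target filtering.
Identifiers and message shapes are constructed, not taken from any 3GPP spec."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UntrustedRanPolicy:
    # ran_id -> absolute expiry time in seconds, or None when no timer was given
    # (no timer means the entry stays until a new indication replaces it).
    entries: Dict[str, Optional[float]] = field(default_factory=dict)

    def add(self, ran_id: str, now: float, timer_seconds: Optional[float] = None) -> None:
        """Record that ran_id is untrusted; timer_seconds is the "untrustworthy time"."""
        self.entries[ran_id] = None if timer_seconds is None else now + timer_seconds

    def purge_expired(self, now: float) -> List[str]:
        """Delete entries whose timer has expired and return their identifiers."""
        expired = [r for r, exp in self.entries.items() if exp is not None and exp <= now]
        for r in expired:
            del self.entries[r]
        return expired

    def is_untrusted(self, ran_id: str, now: float) -> bool:
        self.purge_expired(now)
        return ran_id in self.entries


def ue_may_access_cell(policy: UntrustedRanPolicy, system_info: dict, now: float) -> bool:
    """UE side: system_info is a constructed stand-in for the broadcast system
    message carrying the access network device identifier ("ran_id")."""
    return not policy.is_untrusted(system_info["ran_id"], now)


def select_handover_target(policy: UntrustedRanPolicy,
                           measurement_report: List[Tuple[str, str, float]],
                           now: float) -> Optional[Tuple[str, str, float]]:
    """RAN side: measurement_report is a constructed list of
    (ran_id, cell_id, rsrp_dbm) candidates. The strongest candidate whose RAN
    is not on the untrusted list is chosen; None means no admissible target."""
    admissible = [m for m in measurement_report if not policy.is_untrusted(m[0], now)]
    if not admissible:
        return None
    return max(admissible, key=lambda m: m[2])


def build_sample_policy(now: float) -> UntrustedRanPolicy:
    """Constructed sample: RAN1 untrusted for 60 s, RAN2 untrusted with no timer."""
    policy = UntrustedRanPolicy()
    policy.add("RAN1", now, timer_seconds=60)
    policy.add("RAN2", now)
    return policy


if __name__ == "__main__":
    t0 = 0.0
    pol = build_sample_policy(t0)
    report = [("RAN1", "cell-a", -70.0), ("RAN3", "cell-c", -85.0), ("RAN2", "cell-b", -75.0)]
    print(ue_may_access_cell(pol, {"ran_id": "RAN1", "cell_id": "cell-a"}, t0))  # False
    print(select_handover_target(pol, report, t0))                               # RAN3 chosen
    print(select_handover_target(pol, report, t0 + 61))                          # RAN1 admissible again
```

The same store serves both roles because the patent's first/second policy information and the configuration information differ only in who holds the list; the timer semantics (delete or relax the entry once the untrustworthy time expires) are identical on both sides. In a real deployment the identifier compared would come from the cell identity the cell broadcasts, and a UE that received one timer per RAN would call `add` once per identifier.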
  • the mobility management network element may indicate to the terminal device connected to the first access network device that the first access network device is untrustworthy, or may instruct the terminal device to disconnect from the first access network device, so that the terminal device can disconnect from the first access network device according to the instruction of the mobility management network element, thereby improving the communication security of the terminal device.
  • Figure 4 shows an exemplary flow chart of the method 400 provided by the embodiment of the present application.
  • AMF1 in method 400 may correspond to the mobility management network element in method 300
  • RAN1 in method 400 may correspond to the first access network device in method 300
  • RAN2 in method 400 may correspond to
  • the method 400 UE may correspond to the terminal device in the method 300
  • the indication information #1 in the method 400 may correspond to the first indication information in the method 300.
  • the method 400 can be applied in the network architecture shown in Figure 1 or Figure 2.
  • in method 400, after AMF1 determines that RAN1 is not trustworthy, it indicates to the UE on RAN1 that RAN1 is not trustworthy (or indicates to disconnect from RAN1), but does not trigger the deregistration process of the UE. After the UE disconnects from RAN1 according to the instruction of AMF1, the UE can quickly re-access the network through the redirection process or the mobility registration process, which can improve the efficiency of the UE re-accessing the network and improve user experience.
  • the following is an exemplary description of the method 400 in combination with each step.
  • S401, AMF1 determines that RAN1 is not trustworthy.
  • after determining that RAN1 is untrustworthy, the SPCF notifies AMF1 that RAN1 is untrustworthy, where AMF1 is the AMF corresponding to RAN1.
  • AMF1 can also determine on its own that RAN1 is not trustworthy, which is not limited in this application.
  • S402, AMF1 determines that RAN1 has an alternative RAN.
  • AMF1 determines whether there is an alternative RAN in the coverage area of RAN1, where the alternative RAN may refer to a RAN connected to RAN1, or to a RAN through which UEs within the coverage area of RAN1 can access the network. The alternative RAN can be a 5G base station (gNB), a 4G base station (eNB), or a base station of another network system, which is not limited in this application.
  • for example, RAN1 is a base station of a private network (such as a campus network); if there is a public network base station that can cover the coverage area of RAN1, RAN1 has an alternative RAN. For another example, RAN1 is a base station of the public network; if there is a 4G base station that can cover the coverage area of RAN1, RAN1 has an alternative RAN.
  • AMF1 can combine PLMN ID, TAI, etc. to determine whether RAN1 has an alternative RAN.
  • the specific method is not limited in this application.
  • the AMF can also verify the RRC connection status (including connected state, idle state, inactive state, etc.) and the way the UE accesses the network (including 3GPP mode and non-3GPP mode), where the UE refers to the UE connected to the network.
  • one or more UEs may be connected to RAN1.
  • one of the UEs is taken as an example for description here.
  • when the UE is in the connected state and the UE is connected to RAN1, AMF1 notifies the UE that RAN1 is not trustworthy. The details are shown in S403.
  • S403, AMF1 sends indication information #1 to the UE.
  • the UE receives indication information #1 from AMF1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information #1 is used to instruct the UE to disconnect the current network connection, or the indication information #1 is used to instruct the UE to switch to another RAN, or the indication information #1 is used to instruct the UE to perform redirection.
  • the indication information #1 can be carried in a message of an existing process, such as a PDU session establishment response message or a deregistration request message. That is to say, AMF1 can reuse an existing message to indicate to the UE that RAN1 is not trustworthy, thereby saving signaling overhead; or, the indication information #1 can be carried in a message newly generated by AMF1, thereby eliminating the need to change the content of existing messages.
  • AMF1 may send the indication information #1 to the UE through the NAS message.
  • AMF1 may retain the UE's context if RAN1 has an alternative RAN. In other words, AMF1 does not trigger the de-registration of the UE. It should be noted that since RAN1 has an alternative RAN, if the UE disconnects from RAN1, the UE can reconnect to the alternative RAN. Since AMF1 retains the context of the UE, the UE can use the redirection or mobility registration update process to quickly access the alternative RAN, thereby improving the efficiency of UE access to the network and improving user experience.
  • AMF1 may also send the identification of RAN1 to the UE.
  • AMF1 may also send the identification of RAN2 to the UE. It should be understood that AMF1 can determine that RAN2 is untrustworthy based on instructions from other network elements, or can determine on its own that RAN2 is untrustworthy, which is not limited in this application.
  • the RAN2 may include one or more RANs. That is to say, if AMF1 determines that one or more RANs are untrustworthy, AMF1 may send the identifiers of the one or more RANs to the UE. For example, after the SPCF determines that multiple RANs are untrustworthy, it notifies AMF1 that the multiple RANs are untrustworthy. In this case, AMF1 can send the identifiers of the multiple untrusted RANs to the UE.
  • AMF1 sends a RAN ID list to the UE.
  • the RAN ID list includes the identification of one or more untrusted RANs.
  • the RAN ID list includes the identification of RAN1 and/or the identification of RAN2.
  • AMF1 can also send timer information to the UE.
  • the timer information can be used to indicate the time when RAN1 is untrustworthy, or the timer information can be used to indicate the time when one or more RANs in the RAN ID list are untrustworthy.
  • AMF1 may send multiple timers to the UE, and the multiple timer information may respectively correspond to multiple untrusted RANs.
  • S404 The UE sends an Ack (acknowledgement) message to AMF1.
  • AMF1 receives the Ack message from the UE.
  • after receiving the indication information #1 from AMF1, the UE replies with an Ack message to AMF1. After receiving the Ack message from the UE, AMF1 determines that the indication information #1 has been delivered to the UE, or that the UE has learned that RAN1 is untrustworthy.
  • S405, the UE determines that RAN1 is untrustworthy according to the indication information #1, and then the UE disconnects from RAN1.
  • S406, the UE stores policy information.
  • the UE stores policy information. This policy information is used for the UE not to access cells of untrusted RANs. Several possible implementation methods are illustrated below.
  • after the UE determines that RAN1 is untrustworthy, it stores policy information (denoted as policy information #1), and selects a cell for access based on the policy information #1 during the cell access process.
  • the policy information #1 is used for the UE not to access cells of RAN1.
  • the UE receives a system message broadcast by a certain RAN.
  • the system message includes the identifier of the RAN.
  • the UE determines whether the identifier of the RAN is the same as the identifier of RAN1. If they are the same, the UE does not attempt to access the cell of the RAN; if they are different, the UE may try to access the cell of the RAN.
  • the UE deletes policy information #1 after the time indicated by the timer information expires. That is to say, after the timer expires, the UE can try to access the cell of RAN1.
  • the UE receives a RAN ID list, and the RAN ID list includes the identity of RAN1 and/or the identity of RAN2.
  • the UE stores policy information (denoted as policy information #2), and selects a cell for access based on the policy information #2 during the cell access process.
  • the policy information #2 is used for the UE not to access cells of the RANs corresponding to the RAN ID list. For example, during the cell access process, the UE receives a system message broadcast by a certain RAN, and the identity of the RAN is included in the system message. The UE determines whether the identity of the RAN is included in the RAN ID list. If it is, the UE does not try to access the cell of the RAN; if it is not, the UE can try to access the cell of the RAN.
  • if the UE also receives timer information indicating the time when one or more RANs in the RAN ID list are untrustworthy, the UE deletes the corresponding RAN identifier from the RAN ID list after the time indicated by the timer information expires.
  • policy information #1 and policy information #2 may be two independent information elements or one information element, which is not limited in this application.
  • S407, AMF1 releases the N2 connection with RAN1, triggering PDU session deactivation.
  • after AMF1 determines that RAN1 is untrustworthy, it releases the N2 connection with RAN1 and triggers the deactivation of the PDU session corresponding to the UE.
  • the specific process is not limited in this application.
  • S407 can be executed after S401, which means that AMF1 can release the N2 connection with RAN1 after determining that RAN1 is untrustworthy; or, S407 can also be executed after S404, which is not limited in this application.
  • S408, AMF1 sends the identity of the UE and the identity of RAN1 to the UDM.
  • UDM receives the identity of the UE from AMF1 and the identity of RAN1.
  • if AMF1 determines that the UE has not received indication information #1 from AMF1, or in other words, AMF1 determines that the UE does not have information from which it can learn that RAN1 is untrustworthy, then AMF1 can send the identity of the UE and the identity of RAN1 to the UDM.
  • AMF1 can also send an indication message #2 to the UDM.
  • the indication message #2 is used to indicate that RAN1 is not trustworthy, or to indicate that the UE has not learned that RAN1 is untrustworthy, or to instruct the UDM to notify the UE that RAN1 is not trustworthy.
  • AMF1 may also send the identification of RAN2 to UDM.
  • S408 can also be described as: AMF1 sends a RAN ID list to UDM, and the RAN ID list includes the identifier of RAN1 and/or the identifier of RAN2.
  • S409, UDM saves the identity of the UE and the identity of RAN1.
  • after receiving the identity of the UE and the identity of RAN1 from AMF1, the UDM saves the identity of the UE and the identity of RAN1. Optionally, if the UDM also receives the identifier of RAN2 from AMF1, the UDM also saves the identifier of RAN2.
  • S409 can also be described as: If the UDM receives the RAN ID list from AMF1, the UDM saves the RAN ID list.
  • AMF1 may not send the identity of the UE and the identity of RAN1 to the UDM, but instead locally maintain the identity of the UE and the identity of RAN1 (or a RAN ID list).
  • the UE may reconnect to the network.
  • the following is an illustrative explanation combined with two examples.
  • Example 1: S410, the UE accesses the 4G network through the redirection process.
  • the eNB is an alternative RAN of RAN1.
  • after the UE disconnects from RAN1, it can access the 4G network through the eNB and the MME corresponding to the eNB.
  • the MME can obtain the context of the UE through AMF1.
  • S411, the UDM sends the identification of RAN1 and indication information #3 to the UE.
  • the UDM can send the identification of RAN1 and indication information #3 to the UE through the interworking process of the 4G and 5G networks, where the indication information #3 is used to indicate that RAN1 is not trustworthy.
  • if the UDM also receives and saves the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE. At this time, the indication information #3 is also used to indicate that RAN2 is untrustworthy.
  • S411 can also be described as: If the UDM receives and saves the RAN ID list in S409, the UDM sends the RAN ID list and indication information #3 to the UE.
  • the indication information #3 is used to indicate that the RAN corresponding to the RAN ID list is not trustworthy.
  • the UE can store policy information, which is used for the UE not to access cells of RAN1 (optionally also cells of RAN2). For the specific implementation process, please refer to S406; it will not be repeated here.
  • S411 may be performed by AMF1.
  • Example 2: S412, the UE reconnects to the 5G network through the mobility registration update process.
  • RAN3 is an alternative RAN to RAN1. After the UE disconnects from RAN1, it can reconnect to the 5G network through RAN3 and AMF2. AMF2 can obtain the context of the UE from AMF1. It should be understood that AMF2 may be the same as AMF1 or may be different from AMF1. If AMF2 is the same as AMF1, then AMF2 does not need to perform the steps of obtaining the UE's context from AMF1.
  • S413, UDM sends the identification of RAN1 and indication information #4 to the UE.
  • the indication information #4 is used to indicate that RAN1 is untrustworthy.
  • if the UDM also receives and saves the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE. At this time, the indication information #4 is also used to indicate that RAN2 is untrustworthy.
  • S413 can also be described as: If the UDM receives and saves the RAN ID list in S409, the UDM sends the RAN ID list and indication information #4 to the UE.
  • the indication information #4 is used to indicate that the RAN corresponding to the RAN ID list is not trustworthy.
  • FIG. 5 shows an exemplary flowchart of the method 500 provided by the embodiment of the present application.
  • AMF1 in method 500 may correspond to the mobility management network element in method 300
  • RAN1 in method 500 may correspond to the first access network device in method 300
  • RAN2 in method 500 may correspond to
  • the UE in method 500 may correspond to the terminal device in method 300
  • the indication information #1 in method 500 may correspond to the first indication information in method 300.
  • in method 500, after AMF1 determines that RAN1 is not trustworthy, it indicates to the UE on RAN1 that RAN1 is not trustworthy (or instructs it to disconnect from RAN1), and triggers the deregistration process of the UE. After the UE disconnects from RAN1, the UE can re-access the network through the initial registration process. In this way, AMF1 can release the context of the UE, thereby saving AMF1's resources.
  • the method 500 is exemplarily described below in conjunction with each step.
  • AMF1 determines that RAN1 is not trustworthy.
  • S502, AMF1 determines that RAN1 has no alternative RAN.
  • after AMF1 determines that RAN1 is untrustworthy, it determines whether there is an alternative RAN in the coverage area of RAN1.
  • AMF1 can also verify the RRC connection status of the UE (including connected state, idle state, inactive state, etc.) and the mode of the UE accessing the network (including 3GPP mode and non-3GPP mode).
  • when the UE is in the connected state and the UE is connected to RAN1, AMF1 notifies the UE that RAN1 is not trustworthy.
  • AMF1 may indicate to the UE that RAN1 is untrustworthy through a NAS message.
  • AMF1 may indicate to the UE that RAN1 is untrustworthy during the de-registration process. The details are shown in S503.
  • S503, AMF1 sends a deregistration request message to the UE.
  • the deregistration request message is used to request the terminal device to deregister from the network.
  • the deregistration request message includes indication information #1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information #1 is used to instruct the UE to disconnect from RAN1, or the indication information #1 is used to instruct the UE to switch to another RAN, or the indication information #1 is used to instruct the UE to perform redirection.
  • since RAN1 has no alternative RAN, if the UE disconnects from RAN1 there may be no other RAN (or none found in a short time) through which to access the network, and AMF1 can trigger the UE to deregister. During the de-registration process, AMF1 deletes the context of the UE, thereby saving AMF1's resources.
  • the deregistration request message may include the identity of RAN1.
  • the de-registration request message may also include a RAN ID list, which includes the identification of one or more untrusted RANs. For example, after the SPCF determines that multiple RANs are untrustworthy, it notifies AMF1 that the multiple RANs are untrustworthy. In this case, AMF1 can send the RAN ID list to the UE.
  • the de-registration request message may also include timer information, which may be used to indicate the time when RAN1 is untrustworthy, or the time when one or more RANs in the RAN ID list are untrustworthy.
  • a RAN may not be untrustworthy at all times. Therefore, when the time indicated by the timer information expires, the UE can determine that the RAN corresponding to the timer is trustworthy, or in other words, the UE can delete the identifier of the RAN corresponding to the timer information from the untrusted RAN ID list.
  • S504, the UE sends a deregistration accept message to AMF1.
  • after receiving the deregistration request message from AMF1, the UE sends a deregistration accept message to AMF1.
  • AMF1 triggers the network side to de-register the UE.
  • the specific process may refer to the existing protocol, which is not limited in this application.
  • the UE stores policy information.
  • S507, AMF1 sends the identity of the UE and the identity of RAN1 to the UDM.
  • S508, UDM stores the identity of the UE and the identity of RAN1.
  • S505 to S508 are similar to S405, S406, S408, and S409 in method 400, and will not be described again here for the sake of brevity.
  • the UE may reconnect to the network.
  • the following is an illustrative explanation combined with two examples.
  • Example 1: S509, the UE accesses the 4G network through the initial registration process.
  • the eNB is an alternative RAN of RAN1. After the UE disconnects from RAN1, it can access the 4G network through the eNB and the MME corresponding to the eNB. It should be understood that since the network side performs the de-registration process of the UE, in S509 the UE accesses the 4G network through the initial registration process.
  • S510, the UDM sends the identification of RAN1 and indication information #3 to the UE.
  • S510 is similar to S411 in method 400, and will not be described again here for the sake of brevity.
  • Example 2: S511, the UE re-accesses the 5G network through the initial registration process.
  • RAN3 is an alternative RAN to RAN1. After the UE disconnects from RAN1, it can reconnect to the 5G network through RAN3 and AMF2. It should be understood that since the network side performs the de-registration process of the UE, in S511 the UE accesses the 5G network through the initial registration process.
  • S512, the UDM sends the identification of RAN1 and indication information #4 to the UE.
  • S512 is similar to S511 in method 400, and will not be described again here for the sake of brevity.
  • FIG. 6 shows an exemplary flowchart of the method 600 provided by the embodiment of the present application.
  • AMF1 in method 600 may correspond to the mobility management network element in method 300
  • RAN1 in method 600 may correspond to the first access network device in method 300
  • RAN2 in method 600 may correspond to
  • the UE in the method 600 may correspond to the terminal device in the method 300
  • the N3IWF/TNGF in the method 600 may correspond to the non-3GPP interworking function network element in the method 300, and the indication information #1 in the method 600 may correspond to the first indication information in the method 300.
  • after AMF1 determines that RAN1 is untrustworthy, if AMF1 finds that the UE accesses the network through both 3GPP and non-3GPP access, AMF1 can send indication information #1 to the UE through the non-3GPP access to trigger the UE to disconnect from RAN1, thereby preventing the situation where indication information #1 cannot be delivered to the UE because RAN1 does not forward the NAS message.
  • the following is an exemplary description of the method 600 in combination with each step.
  • S601, AMF1 determines that RAN1 is not trustworthy.
  • S602, AMF1 determines whether the UE accesses the network through 3GPP or non-3GPP access.
  • after AMF1 determines that RAN1 is untrustworthy, it can verify the RRC connection status of the UE (including connected state, idle state, inactive state, etc.) and the method by which the UE accesses the network (including the 3GPP method and the non-3GPP method).
  • AMF1 notifies the UE that RAN1 is not trustworthy.
  • AMF1 can notify the UE that RAN1 is not trustworthy through N3IWF/TNGF. Details are shown in S603 to S605.
  • S603, AMF1 sends an N2 message to the non-3GPP interworking function (N3IWF) network element / trusted non-3GPP gateway function (TNGF) network element.
  • the N2 message includes indication information #1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information #1 is used to instruct the UE to disconnect from RAN1, or the indication information #1 is used to instruct the UE to switch to another RAN.
  • the N2 message may include the identity of RAN1.
  • the N2 message may also include a RAN ID list, which includes the identities of multiple untrusted RANs, including the identity of RAN1.
  • the N2 message may also include a timer, which is used to indicate the time when RAN1 is untrustworthy, or the timer is used to indicate the time when one or more RANs in the RAN ID list are untrustworthy. That is to say, when the timer expires, the UE can determine that the RAN corresponding to the timer has become trusted, or in other words, the UE can delete the identity of the RAN corresponding to the timer from the RAN ID list.
  • S604, the N3IWF/TNGF sends indication information #1 to the UE.
  • after receiving the N2 message from AMF1, the N3IWF/TNGF sends indication information #1 to the UE.
  • the N3IWF/TNGF can also send the RAN ID list and/or the timer to the UE, which is not limited in this application.
  • S605, the UE sends an Ack message to AMF1 through the N3IWF/TNGF.
  • the UE may send an Ack message to AMF1 through the N3IWF/TNGF.
  • S606, the UE disconnects from RAN1.
  • S606 is similar to S405 in method 400 and will not be described again here.
  • S607, the UE stores policy information.
  • the UE stores policy information. This policy information is used for the UE not to access a cell of an untrusted RAN, or this policy information is used for the UE not to access the network through 3GPP.
  • the UE does not attempt to access the network through 3GPP before receiving a new indication.
  • the UE selects a cell for access according to the policy information.
  • the specific implementation manner is similar to S406 in method 400. For the sake of simplicity, details will not be described here.
  • S608 to S609 are similar to S408 to S409 in method 400, and will not be described again here.
  • the specific process is similar to Example 1 (S410-S411) and Example 2 (S412-S413) in method 400 and will not be described again here.
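Methods 400, 500 and 600 differ only in what AMF1 decides after it learns that RAN1 is untrustworthy: with an alternative RAN it notifies the UE and retains the context (S402, S403), with none it carries the indication in a deregistration request and drops the context (S502, S503), and when the UE also has non-3GPP access it routes the NAS indication through the N3IWF/TNGF so that RAN1 cannot withhold it (S602, S603). A missing Ack (S404, S605) then triggers the UDM fallback (S408, S409). The Python below is an added illustration of that decision logic, not the patent's own method or any AMF implementation; the UE state fields, the message field names, the SUPI value and the rule that the non-3GPP path is preferred whenever it exists (the page does not rank the checks) are assumptions made for the example.

```python
"""Added example: AMF-side selection among the three procedures after a RAN is
judged untrustworthy, plus the UDM fallback when the UE never acknowledges.
Field names, state values and ordering of checks are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UeState:
    supi: str                 # constructed subscriber identifier
    rrc_state: str            # "connected" | "idle" | "inactive" (assumed encoding)
    access_types: List[str]   # subset of {"3gpp", "non-3gpp"}
    serving_ran: Optional[str]


@dataclass
class AmfDecision:
    procedure: str            # "notify_retain_context" | "deregister" | "notify_via_non3gpp" | "none"
    delivery: str             # "nas_via_ran" | "nas_via_n3iwf_tngf" | "none"
    retain_context: bool
    payload: Dict = field(default_factory=dict)


def choose_procedure(ue: UeState, untrusted_ran: str, ran_id_list: List[str],
                     timers: Dict[str, float], has_alternative_ran: bool) -> AmfDecision:
    """Pick the procedure of method 400, 500 or 600 for one UE.
    The page only describes notification for a connected UE on the untrusted RAN;
    other states get no action here (assumption)."""
    payload = {"indication": "ran_untrusted", "ran_id_list": list(ran_id_list),
               "timers": dict(timers)}
    if ue.rrc_state != "connected" or ue.serving_ran != untrusted_ran:
        return AmfDecision("none", "none", True)
    if "non-3gpp" in ue.access_types:
        # Method 600: bypass RAN1 so a non-forwarding RAN cannot swallow the NAS message.
        return AmfDecision("notify_via_non3gpp", "nas_via_n3iwf_tngf", True, payload)
    if has_alternative_ran:
        # Method 400: keep the UE context so redirection / mobility registration is quick.
        return AmfDecision("notify_retain_context", "nas_via_ran", True, payload)
    # Method 500: no alternative RAN, carry the indication in a deregistration request.
    return AmfDecision("deregister", "nas_via_ran", False,
                       {**payload, "message": "deregistration_request"})


def udm_record_after_delivery(ue: UeState, decision: AmfDecision,
                              ack_received: bool) -> Optional[Dict]:
    """S408: when no Ack arrives, hand the UE identity and the untrusted RAN list to
    the UDM so it can inform the UE on its next registration. Returns None when the
    Ack arrived or when nothing was sent."""
    if decision.procedure == "none" or ack_received:
        return None
    return {"supi": ue.supi, "ran_id_list": decision.payload["ran_id_list"],
            "indication": "ue_not_informed"}


def udm_on_reconnect(store: Dict[str, Dict], supi: str) -> Optional[Dict]:
    """S411 / S413: on reconnection the UDM returns the stored list with an
    untrusted indication for the UE, then forgets the record (assumed policy)."""
    rec = store.pop(supi, None)
    if rec is None:
        return None
    return {"indication": "ran_untrusted", "ran_id_list": rec["ran_id_list"]}


if __name__ == "__main__":
    ue = UeState("imsi-001010000000001", "connected", ["3gpp"], "RAN1")
    d = choose_procedure(ue, "RAN1", ["RAN1", "RAN2"], {"RAN1": 60.0}, has_alternative_ran=True)
    print(d.procedure, d.retain_context)
    rec = udm_record_after_delivery(ue, d, ack_received=False)
    store = {rec["supi"]: rec}
    print(udm_on_reconnect(store, ue.supi))
```

The decision function is deliberately pure: it takes the facts the page says AMF1 verifies (RRC state, access type, presence of an alternative RAN) and returns what to send and whether to keep the context, which makes the three branches easy to test in isolation and keeps the security-relevant choice (never rely on the suspect RAN to forward the notice when another path exists) explicit.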
  • Figure 7 shows an exemplary flow chart of the communication method 700 provided by the embodiment of the present application.
  • the SPCF in method 700 may correspond to the security policy control network element in method 300
  • the AMF1/network management device in method 700 may correspond to the first device in method 300
  • the RAN4 in method 700 may correspond to the third access network device in method 300.
  • method 700 after the AMF1/network management device determines that RAN1 is untrustworthy, it may instruct other RANs (such as RAN4 in Figure 7) not to switch the UE to the cell of RAN1 to improve communication security.
  • method 700 can be implemented independently or in combination with methods 400 to 600.
  • method 700 can be used as a parallel solution of method 400 and executed after S401 in method 400, which is not limited by this application. The following is an exemplary description of the method 700 in combination with each step.
  • SPCF sends indication information #3 to AMF1/network management device.
  • AMF1/network management device receives indication information #3 from SPCF.
  • the SPCF may send indication information #3 to the AMF1/network management device.
  • the indication information #3 is used to indicate that RAN1 is not trustworthy.
  • the network management device is, for example, an operation, administration and maintenance (OAM) device.
  • the following description will take OAM as the network management device as an example.
  • the AMF1/network management device in the embodiment of this application refers to the AMF1 or the network management device, and other similar places will not be repeatedly explained.
  • the indication information #3 may be used to indicate that the multiple RANs are untrustworthy.
  • SPCF can send a RAN ID list to AMF1/OAM.
  • the RAN ID list includes the identification of one or more untrusted RANs.
  • SPCF can also send a timer to AMF1/OAM, which is used to indicate the time when RAN1 is untrustworthy.
  • AMF1/OAM can store the identity of RAN1. If the OAM also receives a timer indicating the time during which RAN1 is untrustworthy, the OAM can delete the identity of RAN1 after the timer expires.
  • AMF1/OAM sends configuration information to RAN4.
  • AMF1/OAM can send configuration information to RAN4.
  • the configuration information includes the identity of RAN1 and the cell switching strategy.
  • the cell handover strategy instructs RAN4 not to hand the UE over to a cell of RAN1.
  • the configuration information may also include a RAN ID list and a timer, which are not limited in this application.
  • RAN4 can be any RAN, or a RAN connected to RAN1, or a RAN whose coverage overlaps with that of RAN1, or any RAN controlled by AMF1, or a RAN physically adjacent to RAN1, which is not limited by this application.
  • after receiving the configuration information, RAN4 performs cell handover according to the configuration information. For example, during the cell handover process, a UE served by RAN4 measures the signal strength of a candidate cell and reports the measurement report of the candidate cell to RAN4. After RAN4 receives the measurement report from the UE, if the identity of the RAN to which the candidate cell belongs is the same as the identity of RAN1 (or is included in the RAN ID list), RAN4 determines not to hand the UE over to the candidate cell; in other words, RAN4 does not use the candidate cell as the target cell.
  • method 700 can be implemented independently or in combination with methods 400 to 600, which is not limited in this application.
  • AMF1/OAM can determine that RAN1 is not trustworthy based on the indication information #3. Based on this, AMF1/OAM can send configuration information to RAN4 to instruct not to switch the UE to the cell of RAN1, so that RAN4 does not switch the terminal device to the cell of RAN1, thereby improving the communication security of the UE.
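The UE-side policy handling of S607 (an untrusted RAN list with an optional timer, then cell selection that avoids those RANs) and the RAN4-side handover check of method 700 (refusing a measured candidate cell whose RAN identity is RAN1 or is on the RAN ID list) operate on the same piece of state. The Python sketch below is an added illustration of both roles, not code from the patent or from the applicant; the class and function names, the constructed RAN and cell identities, the signal levels and the 3 dB handover hysteresis are all assumptions.

```python
"""Untrusted-RAN policy shared by the UE (S607 cell selection) and by a
neighbouring RAN (RAN4 handover decision in method 700).

Added illustration only, not the patent's code. RAN identities, cell
identities and signal levels are constructed; the hysteresis is assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cell:
    cell_id: str
    ran_id: str        # identity of the RAN that serves this cell
    rsrp_dbm: float    # signal strength measured and reported by the UE


class UntrustedRanPolicy:
    """Untrusted RAN identities, each with an optional expiry time.

    apply_indication() models receiving a RAN ID list plus optional timer
    (indication information #1 at the UE, configuration information at RAN4).
    Once a RAN's timer expires its identity is dropped and it counts as
    trusted again, as the description states for the UE and for OAM.
    """

    def __init__(self, now: Callable[[], float]):
        self._now = now                       # injectable clock for testing
        self._expiry: Dict[str, Optional[float]] = {}

    def apply_indication(self, ran_ids: Iterable[str],
                         timer_seconds: Optional[float] = None) -> None:
        expires = None if timer_seconds is None else self._now() + timer_seconds
        for ran_id in ran_ids:
            self._expiry[ran_id] = expires    # the newest indication wins

    def _purge_expired(self) -> None:
        now = self._now()
        for ran_id, expires in list(self._expiry.items()):
            if expires is not None and now >= expires:
                del self._expiry[ran_id]

    def is_untrusted(self, ran_id: str) -> bool:
        self._purge_expired()
        return ran_id in self._expiry

    def untrusted_ran_ids(self) -> List[str]:
        self._purge_expired()
        return sorted(self._expiry)


def select_cell(policy: UntrustedRanPolicy, candidates: Iterable[Cell],
                block_3gpp: bool = False) -> Optional[Cell]:
    """UE side (S607): strongest candidate not served by an untrusted RAN.
    With the 'do not access via 3GPP' policy set, no cell is selected."""
    if block_3gpp:
        return None
    allowed = [c for c in candidates if not policy.is_untrusted(c.ran_id)]
    return max(allowed, key=lambda c: c.rsrp_dbm, default=None)


def choose_handover_target(policy: UntrustedRanPolicy, serving: Cell,
                           report: Iterable[Cell],
                           hysteresis_db: float = 3.0) -> Optional[Cell]:
    """RAN4 side (method 700): drop any reported candidate whose RAN is on
    the untrusted list, then apply an assumed better-than-serving rule."""
    best: Optional[Cell] = None
    for cand in report:
        if policy.is_untrusted(cand.ran_id):
            continue                          # never hand over to RAN1
        if cand.rsrp_dbm < serving.rsrp_dbm + hysteresis_db:
            continue                          # not strong enough for handover
        if best is None or cand.rsrp_dbm > best.rsrp_dbm:
            best = cand
    return best


def demo() -> dict:
    """Constructed scenario covering both roles; returns the decisions."""
    clock = [1000.0]
    policy = UntrustedRanPolicy(lambda: clock[0])
    policy.apply_indication(["RAN1"], timer_seconds=600)   # untrusted 600 s
    policy.apply_indication(["RAN2"])                      # until told otherwise

    candidates = [Cell("c1", "RAN1", -70.0),   # strongest, but RAN1 untrusted
                  Cell("c2", "RAN3", -85.0),
                  Cell("c3", "RAN2", -75.0)]   # RAN2 untrusted
    first_pick = select_cell(policy, candidates)

    serving = Cell("s4", "RAN4", -80.0)
    report = [Cell("c1", "RAN1", -60.0), Cell("c2", "RAN3", -76.0)]
    ho_target = choose_handover_target(policy, serving, report)

    clock[0] += 601.0                          # RAN1 timer has expired
    later_pick = select_cell(policy, candidates)
    return {"first_pick": first_pick.cell_id if first_pick else None,
            "ho_target": ho_target.cell_id if ho_target else None,
            "later_pick": later_pick.cell_id if later_pick else None,
            "still_untrusted": policy.untrusted_ran_ids()}


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read from `time.time()` so that timer expiry can be exercised deterministically; in a real UE or RAN the same store would be fed by the indication message handler and consulted by the existing cell-selection and handover code paths.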
  • embodiments of the present application also provide corresponding devices, which include corresponding modules for executing each of the above method embodiments.
  • the module can be software, hardware, or a combination of software and hardware. It can be understood that the technical features described in the above method embodiments are also applicable to the following device embodiments. Therefore, content that is not described in detail can be referred to the above method embodiments. For the sake of brevity, they will not be described again here.
  • FIG. 8 is a schematic block diagram of the communication device 10 provided by the embodiment of the present application.
  • the device 10 includes a transceiver module 11 and a processing module 12 .
  • the transceiver module 11 can implement corresponding communication functions, and the processing module 12 is used to perform data processing, or in other words, the transceiver module 11 is used to perform operations related to receiving and sending, and the processing module 12 is used to perform other operations besides receiving and sending.
  • the transceiver module 11 may also be called a communication interface or communication unit.
  • the device 10 may also include a storage module 13, which may be used to store instructions and/or data, and the processing module 12 may read the instructions and/or data in the storage module, so that the device implements the actions of the device or network element in each of the foregoing method embodiments.
  • the device 10 may correspond to the mobility management network element in the above method embodiment (such as the mobility management network element in method 300, or AMF1 in methods 400 to 700), or a component of the mobility management network element (such as a chip).
  • the device 10 can implement the steps or processes performed by the mobility management network element in the above method embodiment, wherein the transceiver module 11 can be used to perform the operations related to sending and receiving of the mobility management network element in the above method embodiment, and the processing module 12 can be used to perform the operations related to processing of the mobility management network element in the above method embodiment.
  • the processing module 12 is used to determine that the first access network device is untrustworthy; the transceiver module 11 is used to send first indication information to a terminal device connected to the first access network device.
  • the first indication information is used to indicate that the first access network device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device.
  • the processing module 12 is also configured to determine that the second access network device is untrustworthy; the transceiver module 11 is also configured to send the identification of the second access network device to the terminal device.
  • the transceiver module 11 is also configured to send timer information to the terminal device, where the timer information is used to indicate the time when the first access network device is untrustworthy.
  • the transceiver module 11 is specifically configured to send a de-registration request message to the terminal device.
  • the de-registration request message is used to request the terminal device to de-register from the currently connected network.
  • the de-registration request message includes the first indication information.
  • when the terminal device accesses the network through both 3rd Generation Partnership Project (3GPP) technology and non-3GPP technology, the transceiver module 11 is specifically configured to send the first indication information to the terminal device through the non-3GPP interworking function network element.
  • the transceiver module 11 is also configured to send configuration information to the third access network device, where the configuration information is used to indicate not to perform handover to the cell of the first access network device.
  • the transceiver module 11 is also configured to receive second indication information from the security policy control network element, where the second indication information is used to indicate that the first access network device is untrustworthy.
  • the device 10 may correspond to the terminal device in the above method embodiment (such as the terminal device in method 300, or the UE in methods 400 to 600), or a component of the terminal device (such as a chip).
  • the device 10 can implement the steps or processes performed by the terminal device in the above method embodiment, wherein the transceiver module 11 can be used to perform the operations related to sending and receiving of the terminal device in the above method embodiment, and the processing module 12 can be used to perform the operations related to processing of the terminal device in the above method embodiment.
  • the transceiver module 11 is configured to receive first indication information from the mobility management network element.
  • the first indication information is used to indicate that the first access network device connected to the terminal device is untrustworthy, or is used to instruct the terminal device to disconnect from the first access network device.
  • the processing module 12 is configured to disconnect from the first access network device.
  • the processing module 12 is also configured to store first policy information, where the first policy information is used to indicate a cell in which the first access network device is not to be accessed.
  • the transceiver module 11 is also configured to receive timer information from the mobility management network element, where the timer information is used to indicate the time during which the first access network device is untrustworthy; the processing module 12 is also configured to delete the first policy information after the time indicated by the timer information expires.
  • the transceiver module 11 is also configured to receive the identity of the second access network device from the mobility management network element; the processing module 12 is also configured to store second policy information, where the second policy information is used to indicate not to access a cell of the second access network device.
  • the transceiver module 11 is specifically configured to receive a de-registration request message from the mobility management network element.
  • the de-registration request message is used to request the terminal device to de-register from the currently connected network.
  • the de-registration request message includes the first indication information.
  • the transceiver module 11 is specifically configured to receive the first indication information from the mobility management network element through the non-3GPP interworking function network element.
  • the device 10 here is embodied in the form of a functional module.
  • the module may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (for example, a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, merged logic, and/or other suitable components that support the described functionality.
  • the device 10 may specifically be the mobility management network element in the above embodiments, and may be used to execute the various processes and/or steps corresponding to the mobility management network element in the above method embodiments; alternatively, the apparatus 10 may specifically be the terminal device in the above embodiments, and may be used to execute the various processes and/or steps corresponding to the terminal device in the above method embodiments. To avoid duplication, they will not be described again here.
  • the apparatus 10 in each of the above solutions has the function of executing the corresponding steps of the above method performed by the equipment (such as a mobility management network element, a first device, a third access network device, a data management network element, a terminal device, etc.).
  • This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions; for example, the transceiver module can be replaced by a transceiver (the sending unit in the transceiver module can be replaced by a transmitter, and the receiving unit in the transceiver module can be replaced by a receiver).
  • other units, such as the processing module, can be replaced by a processor, so as to respectively perform the sending and receiving operations and the related processing operations in each method embodiment.
  • transceiver module 11 may also be a transceiver circuit (for example, it may include a receiving circuit and a transmitting circuit), and the processing module may be a processing circuit.
  • FIG. 9 is a schematic diagram of another communication device 20 according to an embodiment of the present application.
  • the device 20 includes a processor 21, which is used to execute computer programs or instructions stored in the memory 22, or read data/signaling stored in the memory 22, to perform the methods in each of the above method embodiments.
  • there are one or more processors 21.
  • the device 20 further includes a memory 22, which is used to store computer programs or instructions and/or data.
  • the memory 22 may be integrated with the processor 21 or may be provided separately.
  • the device 20 also includes a transceiver 23, which is used for receiving and/or transmitting signals.
  • the processor 21 is used to control the transceiver 23 to receive and/or transmit signals.
  • the device 20 is used to implement the operations performed by the mobility management network element in each of the above method embodiments.
  • the processor 21 is used to execute the computer program or instructions stored in the memory 22 to implement the related operations of the mobility management network element in each of the above method embodiments.
  • the processor 21 executes the computer program or instructions stored in the memory 22 to implement the method performed by the mobility management network element in Figure 3, or the method performed by AMF1 in Figures 4 to 7.
  • the device 20 is used to implement the operations performed by the terminal device in each of the above method embodiments.
  • the processor 21 is used to execute computer programs or instructions stored in the memory 22 to implement related operations of the terminal device in each of the above method embodiments.
  • the processor 21 executes the computer program or instructions stored in the memory 22 to implement the method performed by the terminal device in Figure 3, or the method performed by the UE in Figures 4 to 7.
  • processors mentioned in the embodiments of this application may be a central processing unit (CPU), or other general-purpose processor, digital signal processor (DSP), or application-specific integrated circuit (ASIC).
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the memory mentioned in the embodiments of the present application may be a volatile memory and/or a non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM).
  • RAM can be used as an external cache.
  • RAM includes the following forms: static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM) and direct rambus random access memory (direct rambus RAM, DR RAM).
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
  • memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • FIG. 10 is a schematic diagram of a chip system 30 provided by an embodiment of the present application.
  • the chip system 30 (or can also be called a processing system) includes a logic circuit 31 and an input/output interface 32.
  • the logic circuit 31 may be a processing circuit in the chip system 30 .
  • the logic circuit 31 can be coupled to the memory unit and call instructions in the memory unit, so that the chip system 30 can implement the methods and functions of various embodiments of the present application.
  • the input/output interface 32 can be an input/output circuit in the chip system 30, which outputs information processed by the chip system 30, or inputs data or signaling information to be processed into the chip system 30 for processing.
  • the logic circuit 31 can determine that the first access network device is untrustworthy, and then send the first indication information through the input/output interface 32.
  • the logic circuit 31 can receive the first indication information through the input/output interface 32; that is, the input/output interface 32 inputs the first indication information to the logic circuit 31 for processing, and the logic circuit 31 can disconnect from the first access network device according to the first indication information.
  • the chip system 30 is used to implement the operations performed by the mobility management network element (the mobility management network element in Figure 3, or AMF1 in Figures 4-7) in each of the above method embodiments.
  • the logic circuit 31 is used to implement the processing-related operations performed by the mobility management network element in the above method embodiment, such as the processing-related operations performed by the mobility management network element in the embodiment shown in Figure 3, or the processing-related operations performed by AMF1 in any of the embodiments shown in Figures 4 to 7;
  • the input/output interface 32 is used to implement the sending and/or receiving related operations performed by the mobility management network element in the above method embodiment, for example, the sending and/or receiving related operations performed by the mobility management network element in the embodiment shown in Figure 3, or the sending and/or receiving related operations performed by AMF1 in any of the embodiments shown in Figures 4 to 7.
  • the chip system 30 is used to implement the operations performed by the terminal device (the terminal device in Figure 3, or the UE in Figures 4 to 7) in each of the above method embodiments.
  • the logic circuit 31 is used to implement the processing-related operations performed by the terminal device in the above method embodiment, such as the processing-related operations performed by the terminal device in the embodiment shown in Figure 3, or the processing-related operations performed by the UE in any of the embodiments shown in Figures 4 to 7;
  • the input/output interface 32 is used to implement the sending and/or receiving related operations performed by the terminal device in the above method embodiments, such as the sending and/or receiving related operations performed by the terminal device in the embodiment shown in Figure 3, or the sending and/or receiving related operations performed by the UE in any of the embodiments shown in Figures 4 to 7.
  • Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the methods executed by the device in each of the above method embodiments are stored.
  • when the computer program is executed by a computer, the computer can implement the method executed by the mobility management network element in each of the above method embodiments.
  • when the computer program is executed by a computer, the computer can implement the method executed by the terminal device in each of the above method embodiments.
  • Embodiments of the present application also provide a computer program product, which includes instructions.
  • when the instructions are executed, the method performed by a device (such as a mobility management network element, a first device, a third access network device, a data management network element, a terminal device, etc.) in the above method embodiments is implemented.
  • Embodiments of the present application also provide a communication system, including one or more of the aforementioned network elements (such as a mobility management network element, a data management network element, a third access network device, a first device, etc.), and/or terminal equipment.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer may be a personal computer, a server, or a network device.
  • the computer instructions may be stored in, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless (such as infrared, radio, or microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • the available media may be magnetic media (such as floppy disks, hard disks, magnetic tapes), optical media (such as DVDs), or semiconductor media (such as solid state disks (SSD)), etc.
  • the aforementioned available media include, but are not limited to: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a communication method and apparatus. The method comprises: a mobility management network element sends first indication information to a terminal device connected to a first access network device after determining that the first access network device is untrusted, so as to indicate that the first access network device is untrusted, or instructs to disconnect from the first access network device. After receiving the first indication information, the terminal device is disconnected from the first access network device. The solution provided by the present application improves the communication security of a terminal device.

Description

Communication method and apparatus
This application claims priority to the Chinese patent application No. 202210429002.7, entitled "Communication method and apparatus", filed with the China Patent Office on April 22, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a communication method and apparatus.
Background
An access network device can provide network access to authorized user equipment in a specific area, but there is a risk that the access network device is controlled by a third party. For example, in a campus edge computing scenario, the access network device is usually deployed inside the campus, where the security management capability of the equipment room is weak, and a third party may gain control of the access network device by some means. Once a third party controls the access network device, it can control the user plane and the control plane of the mobile communication network, which poses a huge risk to communication security.
Therefore, how to improve the communication security of a terminal device after the access network device has been controlled is worth studying.
Summary
The present application provides a communication method and apparatus, which can improve the communication security of a terminal device when an access network device is controlled.
According to a first aspect, a communication method is provided. The method includes: a mobility management network element determines that a first access network device is untrustworthy; and the mobility management network element sends first indication information to a terminal device connected to the first access network device, where the first indication information is used to indicate that the first access network device is untrustworthy, or is used to instruct the terminal device to disconnect from the first access network device.
Based on the above solution, after the mobility management network element determines that the first access network device is untrustworthy, it can indicate to the terminal device under the first access network device that the first access network device is untrustworthy, or instruct it to disconnect from the first access network device, so that the terminal device can disconnect from the first access network device according to the indication of the mobility management network element, thereby improving the communication security of the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the mobility management network element determines that a second access network device is untrustworthy; and the mobility management network element sends the identity of the second access network device to the terminal device.
It should be understood that the second access network device may include one or more access network devices.
The second access network device is any one of the following: an access network device controlled by the mobility management network element; an access network device connected to the first access network device; an access network device physically adjacent to the terminal device; or an access network device that the terminal device can access.
Based on the above solution, if the mobility management network element determines that one or more access network devices are untrustworthy, it can send the identities of the one or more access network devices to the terminal device, so that the terminal device does not access the one or more access network devices in subsequent cell access procedures, further improving the communication security of the terminal device.
Optionally, the mobility management network element may also send the identity of the first access network device to the terminal device.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the mobility management network element sends timer information to the terminal device, where the timer information is used to indicate the time during which the first access network device is untrustworthy.
Based on the above solution, the mobility management network element can also send timer information to the terminal device to indicate the time during which the first access network device is untrustworthy, so that after the time indicated by the timer information expires, the terminal device can determine that it may access a cell of the first access network device. This improves the communication security of the terminal device while also ensuring effective use of the resources of the first access network device.
With reference to the first aspect, in some implementations of the first aspect, the mobility management network element sending the first indication information to the terminal device includes: the mobility management network element sends a de-registration request message to the terminal device, where the de-registration request message is used to request the terminal device to de-register from the currently connected network, and the de-registration request message includes the first indication information.
Based on the above solution, the mobility management network element can send the first indication information to the terminal device in a de-registration request message; that is, the mobility management network element can request the terminal device to de-register at the same time as it sends the first indication information. After the terminal device de-registers, the mobility management network element can delete the context of the first terminal device, thereby saving resources of the mobility management network element.
With reference to the first aspect, in some implementations of the first aspect, the mobility management network element sending the de-registration request message to the terminal device includes: the mobility management network element determines whether there is an alternative access network device within the coverage of the first access network device; and in the case where there is an alternative access network device within the coverage of the first access network device, the mobility management network element sends the de-registration request message to the terminal device.
Based on the above solution, the mobility management network element can request the terminal device to de-register when there is no alternative access network device within the coverage of the first access network device; that is, when the terminal device has no other alternative access network device to access, the mobility management network element can trigger the terminal device to de-register, so that the context of the terminal device is no longer retained, saving resources of the mobility management network element.
With reference to the first aspect, in some implementations of the first aspect, in the case where the terminal device accesses the network through both 3rd Generation Partnership Project (3GPP) technology and non-3GPP technology, the mobility management network element sending the first indication information to the terminal device includes: the mobility management network element sends the first indication information to the terminal device through a non-3GPP interworking function network element.
基于上述方案,在终端设备还通过非第三代合作伙伴计划技术接入网络的情况下,移动管理网元可以通过非第三代合作伙伴计划技术互通功能网元向终端设备发送第一指示信息,以防止第一接入网设备被第三方控制后,无法向终端设备转发该第一指示信息的情况。Based on the above solution, when the terminal device also accesses the network through non-3rd generation partner program technology, the mobile management network element can send the first instruction information to the terminal device through the non-3rd generation partner program technology interworking function network element , to prevent the first access network device from being unable to forward the first indication information to the terminal device after it is controlled by a third party.
结合第一方面,在第一方面的某些实现方式中,该方法还包括:该移动管理网元向第三接入网设备发送配置信息,该配置信息用于指示不向该第一接入网设备的小区进行切换。With reference to the first aspect, in some implementations of the first aspect, the method further includes: the mobility management network element sending configuration information to a third access network device, the configuration information being used to indicate not to provide access to the first access network device. Network equipment cell to switch.
基于上述方案,移动管理网元可以通过配置信息,指示第三接入网设备不向第一接入网设备的小区进行切换,因此,根据该配置信息,在终端设备进行小区切换的时候,第三接入网设备不将终端设备切换到第一接入网设备的小区,从而提高通信安全。Based on the above solution, the mobility management network element can instruct the third access network device not to perform handover to the cell of the first access network device through configuration information. Therefore, according to the configuration information, when the terminal device performs cell handover, the third access network device The third access network device does not switch the terminal device to the cell of the first access network device, thereby improving communication security.
可选地,该方法还包括:在移动管理网元向第三接入网设备发送配置信息之前,该方法还包括:移动管理网元确定第三接入网设备,该第三接入网设备为以下任一种设备:该移动管理网元控制的接入网设备;与该第一接入网设备连接的接入网设备;与该第一接入网设备连接的接入网设备;该终端设备相邻的接入网设备;该终端设备能够接入的接入网设备。Optionally, the method further includes: before the mobility management network element sends the configuration information to the third access network device, the method further includes: the mobility management network element determines the third access network device, and the third access network device It is any of the following equipment: access network equipment controlled by the mobility management network element; access network equipment connected to the first access network equipment; access network equipment connected to the first access network equipment; The access network equipment adjacent to the terminal equipment; the access network equipment that the terminal equipment can access.
With reference to the first aspect, in some implementations of the first aspect, before the mobility management network element determines that the first access network device is untrusted, the method further includes: the mobility management network element receives second indication information from a security policy control network element, where the second indication information is used to indicate that the first access network device is untrusted.
Based on the above solution, the mobility management network element can determine that the first access network device is untrusted according to the indication information from the security policy control network element.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the mobility management network element releases the connection with the first access network device; and the mobility management network element triggers deactivation of the session of the terminal device.
Based on the above solution, after determining that the first access network device is untrusted, the mobility management network element can release the connection with the first access network device and trigger deactivation of the terminal device's session, so as to prevent the first access network device from controlling the user plane and data plane of the mobile access network, thereby improving communication security.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: when the mobility management network element does not receive a confirmation message from the terminal device, the mobility management network element sends the identifier of the first access network device, the identifier of the terminal device and third indication information to a data management network element, where the confirmation message is used to indicate that the terminal device successfully received the first indication information, and the third indication information is used to indicate that the first access network device is untrusted, or to indicate that the terminal device is to be informed that the access network device is untrusted.
Based on the above solution, when the mobility management network element does not receive the confirmation message from the terminal device, in other words when the terminal device has not received the first indication information from the mobility management network element, the mobility management network element can send the identifier of the first access network device and the identifier of the terminal device to the data management network element, and indicate to the data management network element that the first access network device is untrusted, or indicate that the terminal device is to be informed that the first access network device is untrusted. On this basis, the data management network element can, after the terminal device re-accesses the network, indicate to the terminal device that the first access network device is untrusted, so that the terminal device does not access a cell of the first access network device, improving the communication security of the terminal device.
In a second aspect, a communication method is provided. The method includes: a terminal device receives first indication information from a mobility management network element, where the first indication information is used to indicate that a first access network device to which the terminal device is connected is untrusted, or to indicate that the connection with the first access network device is to be disconnected; and after receiving the first indication information, the terminal device disconnects from the first access network device.
Based on the above solution, after the mobility management network element indicates to the terminal device that the first access network device is untrusted, or indicates that the connection with the first access network device is to be disconnected, the terminal device disconnects from the first access network device, which prevents the first access network device from controlling the terminal device's communication and improves the communication security of the terminal device.
With reference to the second aspect, in some implementations of the second aspect, after the terminal device receives the first indication information, the method further includes: the terminal device stores first policy information, where the first policy information is used to indicate that cells of the first access network device are not to be accessed.
Based on the above solution, after receiving the first indication information, the terminal device stores first policy information indicating that cells of the first access network device are not to be accessed. That is, when the terminal device subsequently performs cell access, it does not access a cell of the first access device according to the first policy information, improving the communication security of the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device receives timer information from the mobility management network element, where the timer information is used to indicate the time for which the first access network device is untrusted; and after the time indicated by the timer information expires, the terminal device deletes the first policy information.
Based on the above solution, the mobility management network element can further use timer information to indicate to the terminal device the time for which the first access network device is untrusted. In that case, when the time indicated by the timer information expires, the terminal device can delete the first policy information; that is, after the time indicated by the timer information expires, the terminal device can access a cell of the first access network device. This solution both improves the communication security of the terminal device and reduces waste of the first access network device's resources.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device receives an identifier of a second access network device from the mobility management network element; and the terminal device stores second policy information, where the second policy information is used to indicate that cells of the second access network device are not to be accessed.
It should be understood that the second access network device may include one or more access network devices.
Based on the above solution, when the mobility management network element determines that one or more access network devices are untrusted, it can send the identifiers of those one or more access network devices to the terminal device, so that the terminal device stores second policy information indicating that cells of the second access network device are not to be accessed. That is, when the terminal device subsequently performs cell access, it does not access a cell of the second access network device according to the second policy information, improving the communication security of the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the terminal device receiving the first indication information from the mobility management network element includes: the terminal device receives a deregistration request message from the mobility management network element, where the deregistration request message is used to request the terminal device to deregister from the currently connected network, and the deregistration request message includes the first indication information.
Based on the above solution, the mobility management network element can send the first indication information to the terminal device in a deregistration request message; that is, the mobility management network element can request the terminal device to deregister at the same time as it sends the first indication information. In that case, after the terminal device deregisters, the mobility management network element can delete the context of the first terminal device, saving resources of the mobility management network element.
With reference to the second aspect, in some implementations of the second aspect, when the terminal device also accesses the network through non-3GPP technology, the terminal device receiving the first indication information from the mobility management network element includes: the terminal device receives the first indication information from the mobility management network element through a non-3GPP interworking function network element.
Based on the above solution, when the terminal device also accesses the network through non-3GPP technology, the mobility management network element can send the first indication information to the terminal device through the non-3GPP interworking function network element, which prevents the situation in which, once the first access network device has been taken over by a third party, the mobility management network element cannot forward the first indication information to the terminal device.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the terminal device sends a confirmation message to the mobility management network element, where the confirmation message is used to indicate that the terminal device successfully received the first indication information.
In a third aspect, a communication method is provided. The method includes: a first device receives second indication information from a security policy control network element, where the second indication information is used to indicate that a first access network device is untrusted; and the first device sends configuration information to a third access network device, where the configuration information includes an identifier of the first access network device and a cell handover policy, and the cell handover policy is used to indicate that a terminal device is not to be handed over to a cell of the first access network device.
It should be understood that the first device may be any network device; for example, the first device may be a mobility management network element, or the first device may be a network management device. This application does not limit this.
Based on the above solution, after receiving the second indication information from the security policy control network element, the first device can determine that the first access network device is untrusted according to the second indication information. On this basis, the first device can send configuration information to the third access network device indicating that the terminal device is not to be handed over to a cell of the first access network device, so that the third access network device does not hand the terminal device over to a cell of the first access network device, improving the communication security of the terminal device.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the first device determines the third access network device according to the first access network device, where the third access network device is any one of the following: an access network device controlled by the mobility management network element, an access network device adjacent to the first access network device, an access network device connected to the first access network device, or an access network device near the terminal device to which the terminal device may connect.
In a fourth aspect, a communication method is provided. The method includes: a third access network device receives configuration information from a first device, where the configuration information includes a cell handover policy, and the cell handover policy is used to indicate that a terminal device is not to be handed over to a cell of the first access network device; and the third access network device determines, according to the cell handover policy, not to hand over to a cell of the first access network device.
Based on the above solution, the third access network device can, according to the configuration information from the first device, refrain from handing over to a cell of the first access network device, improving communication security.
In a fifth aspect, a communication method is provided. The method includes: a data management network element receives, from a mobility management network element, an identifier of a terminal device, an identifier of a first access network device and third indication information, where the third indication information is used to indicate that the first access network device is untrusted, or the third indication information is used to indicate that the terminal device is to be notified that the access network device is untrusted; and after receiving the third indication information, the data management network element sends fourth indication information to the terminal device, where the fourth indication information is used to indicate that the first access network device is untrusted.
It should be understood that if the terminal device is not connected to the network when the data management network element receives the third indication information, the data management network element sends the fourth indication information to the terminal device after the terminal device accesses the network.
Based on the above solution, if the terminal device has not received the information from the mobility management network element indicating that the first access network device is untrusted, the data management network element can indicate to the terminal device that the first access network device is untrusted after the terminal device re-accesses the network, so that the terminal device does not access a cell of the first access network device, improving the communication security of the terminal device.
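The following Python model is an added illustration of the exchanges described in the first to fifth aspects above; it is not code from the patent. It walks through the first indication with timer information and second access network identifiers, the terminal device's stored policy information and cell selection, the deregistration variant, the fallback through the data management network element when no confirmation message arrives, and the third access network device's cell handover policy. All class, method and field names (and the `now` clock passed as a number of seconds) are assumptions made for this example.

```python
# Added example, not the patent's own code. Network-element roles follow the
# patent text; message field names and the "now" clock are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Indication:
    """First indication (AMF -> UE) or fourth indication (UDM -> UE)."""
    untrusted_ran_ids: tuple[str, ...]   # first AN device plus any "second" AN devices
    timer_s: Optional[float] = None      # how long the AN device stays untrusted
    deregister: bool = False             # carried inside a deregistration request


class TerminalDevice:
    """UE side: disconnect, store first/second policy information, honour the timer."""

    def __init__(self) -> None:
        self.serving_ran: Optional[str] = None
        self.registered = False
        # ran_id -> absolute expiry time, or None when no timer information was given
        self.policy: dict[str, Optional[float]] = {}

    def attach(self, ran_id: str) -> None:
        self.serving_ran, self.registered = ran_id, True

    def receive_indication(self, ind: Indication, now: float) -> bool:
        for rid in ind.untrusted_ran_ids:
            self.policy[rid] = None if ind.timer_s is None else now + ind.timer_s
        if self.serving_ran in ind.untrusted_ran_ids:
            self.serving_ran = None          # disconnect from the first AN device
        if ind.deregister:
            self.registered = False
        return True                          # confirmation message back to the AMF

    def purge_expired(self, now: float) -> None:
        """Delete policy information whose timer has expired."""
        self.policy = {r: e for r, e in self.policy.items() if e is None or e > now}

    def select_cell(self, candidates: list[str], now: float) -> Optional[str]:
        """Pick the first candidate cell not barred by stored policy information."""
        self.purge_expired(now)
        return next((r for r in candidates if r not in self.policy), None)


class DataManagement:
    """UDM side: hold the third indication until the UE accesses the network again."""

    def __init__(self) -> None:
        self.pending: dict[str, set[str]] = {}

    def store_third_indication(self, ue_id: str, ran_id: str) -> None:
        self.pending.setdefault(ue_id, set()).add(ran_id)

    def on_registration(self, ue_id: str) -> Optional[Indication]:
        rans = self.pending.pop(ue_id, None)
        return Indication(tuple(sorted(rans))) if rans else None


class MobilityManagement:
    """AMF side: send the first indication, fall back to the UDM without an ack."""

    def __init__(self, udm: DataManagement) -> None:
        self.udm = udm
        self.contexts: dict[str, TerminalDevice] = {}

    def register(self, ue_id: str, ue: TerminalDevice, ran_id: str, now: float) -> None:
        ue.attach(ran_id)
        self.contexts[ue_id] = ue
        fourth = self.udm.on_registration(ue_id)     # deferred fourth indication
        if fourth is not None:
            ue.receive_indication(fourth, now)

    def mark_untrusted(self, ue_id: str, first_ran: str, now: float, *,
                       timer_s: Optional[float] = None, second_rans: tuple[str, ...] = (),
                       reachable: bool = True, deregister: bool = False) -> bool:
        """reachable=False models a first AN device that no longer forwards NAS messages."""
        ue = self.contexts[ue_id]
        ind = Indication((first_ran, *second_rans), timer_s, deregister)
        acked = reachable and ue.receive_indication(ind, now)
        if not acked:
            # No confirmation message: hand UE id, AN id and third indication to the UDM.
            self.udm.store_third_indication(ue_id, first_ran)
        elif deregister:
            del self.contexts[ue_id]         # context released after deregistration
        return acked


class AccessNetworkDevice:
    """Third AN device: apply the cell handover policy from the configuration information."""

    def __init__(self) -> None:
        self.no_handover_to: set[str] = set()

    def configure(self, untrusted_ran_ids: set[str]) -> None:
        self.no_handover_to |= untrusted_ran_ids

    def handover_target(self, measurements: dict[str, float]) -> Optional[str]:
        """Best-measured neighbour that is not a cell of an untrusted AN device."""
        allowed = {r: m for r, m in measurements.items() if r not in self.no_handover_to}
        return max(allowed, key=allowed.get) if allowed else None
```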
In a sixth aspect, a communication apparatus is provided, which is configured to perform any of the methods provided in the first to fourth aspects above. Specifically, the apparatus may include units and/or modules for performing the methods provided in the first to fourth aspects, such as a processing module and/or a transceiver module (which may also be called a communication module). In one implementation, the apparatus is a network device; for example, the apparatus is a mobility management network element, a data management network element, or a first device. When the apparatus is a network device, the communication module may be a transceiver or an input/output interface, and the processing module may be a processor.
In one implementation, the apparatus is a chip, chip system or circuit for use in a network device. When the apparatus is a chip, chip system or circuit for use in a communication device, the communication module may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip, chip system or circuit, and the processing module may be a processor, processing circuit or logic circuit.
In one possible case, the apparatus is a chip, chip system or circuit in a mobility management network element. In that case, the apparatus may include units and/or modules for performing the method provided in the first aspect, such as a processing unit and/or a communication unit.
In another possible case, the apparatus is a first device, or a chip, chip system or circuit in a first device. In that case, the apparatus may include units and/or modules for performing the method provided in the third aspect, such as a processing module and/or a transceiver module.
In another possible case, the apparatus is a third access network device, or a chip, chip system or circuit in a third access network device. In that case, the apparatus may include units and/or modules for performing the method provided in the fourth aspect, such as a processing module and/or a transceiver module.
In another case, the apparatus is a data management network element, or a chip, chip system or circuit in a data management network element. In that case, the apparatus may include units and/or modules for performing the method provided in the fifth aspect, such as a processing module and/or a transceiver module.
In another implementation, the apparatus is a terminal device. When the apparatus is a terminal device, the communication unit may be a transceiver or an input/output interface, and the processing unit may be a processor.
In one possible case, the apparatus is a terminal device, or a chip, chip system or circuit in a terminal device (10). In that case, the apparatus may include units and/or modules for performing the method provided in the second aspect, such as a processing module and/or a transceiver module.
Optionally, the transceiver described above may be a transceiver circuit. Optionally, the input/output interface described above may be an input/output circuit.
In a seventh aspect, a communication apparatus is provided. The apparatus includes: a memory for storing a program; and a processor for executing the program stored in the memory, where, when the program stored in the memory is executed, the processor is configured to perform any of the methods provided in the first to fifth aspects above.
In an eighth aspect, this application provides a processor configured to perform the methods provided in the above aspects. In performing these methods, the processes of sending the above information and obtaining/receiving the above information in the above methods can be understood as the processor outputting the above information and the processor receiving the above information as input. When outputting the above information, the processor outputs it to a transceiver so that the transceiver can transmit it. After the above information is output by the processor, it may need to undergo further processing before reaching the transceiver. Similarly, when the processor receives the above information as input, the transceiver obtains/receives it and inputs it to the processor. Furthermore, after the transceiver receives the above information, it may need to undergo further processing before being input to the processor.
Based on the above principle, for example, receiving the request message mentioned in the foregoing methods can be understood as the processor receiving input information.
Unless otherwise specified, or unless it conflicts with their actual role or inherent logic in the relevant description, operations such as transmitting, sending and obtaining/receiving involving the processor can be understood more generally as output, receive and input operations of the processor, rather than the transmit, send and receive operations performed directly by radio frequency circuits and antennas.
In implementation, the processor may be a processor specifically designed to perform these methods, or a processor that performs these methods by executing computer instructions in a memory, for example a general-purpose processor. The memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated on the same chip as the processor or provided on a different chip. The embodiments of this application do not limit the type of memory or the way in which the memory and processor are arranged.
In a ninth aspect, a computer-readable storage medium is provided. The computer-readable medium stores program code for execution by a device, and the program code includes instructions for performing any of the methods provided in the first to fifth aspects above.
In a tenth aspect, a computer program product including instructions is provided; when the computer program product runs on a computer, it causes the computer to perform any of the methods provided in the first to fifth aspects above.
In an eleventh aspect, a chip is provided. The chip includes a processor and a communication interface; the processor reads, through the communication interface, instructions stored in a memory and performs any of the methods provided in the first to fifth aspects above.
Optionally, as an implementation, the chip may further include a memory in which instructions are stored, and the processor is configured to execute the instructions stored in the memory; when the instructions are executed, the processor is configured to perform any of the methods provided in the first to fifth aspects above.
In a twelfth aspect, a communication system is provided, including one or more of the aforementioned mobility management network element, first device and data management network element.
Optionally, the communication system may further include the third access network device described above.
Optionally, the communication system may further include the terminal device described above.
Description of the drawings
Figure 1 is a schematic diagram of a network architecture.
Figure 2 is a schematic diagram of another network architecture.
Figure 3 is a schematic flowchart of a communication method 300 provided by an embodiment of this application.
Figure 4 is a schematic flowchart of a communication method 400 provided by an embodiment of this application.
Figure 5 is a schematic flowchart of a communication method 500 provided by an embodiment of this application.
Figure 6 is a schematic flowchart of a communication method 600 provided by an embodiment of this application.
Figure 7 is a schematic flowchart of a communication method 700 provided by an embodiment of this application.
Figure 8 is a schematic block diagram of a communication apparatus provided by an embodiment of this application.
Figure 9 is a schematic block diagram of a communication apparatus provided by another embodiment of this application.
Figure 10 is a schematic block diagram of a communication apparatus provided by yet another embodiment of this application.
具体实施方式Detailed ways
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. The specific operations in the method embodiments may also be applied to the apparatus embodiments or the system embodiments. In the description of the present application, unless otherwise stated, "a plurality of" means two or more.
In the embodiments of the present application, unless otherwise stated or logically conflicting, the terms and/or descriptions in different embodiments are consistent and may be cross-referenced, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
It should be understood that the various numerals used in the present application serve only to distinguish items for ease of description and are not intended to limit the scope of the present application. The sequence numbers of the foregoing processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic.
The terms "first", "second", "third", "fourth" and other such labels (if any) in the specification, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments described here can be implemented in orders other than those illustrated or described here. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
The technical solutions provided by the present application can be applied to various communication systems, for example: fifth generation (5G) or new radio (NR) systems, long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, and so on. They can also be applied to future communication systems, such as sixth generation mobile communication systems, as well as to device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-to-machine (M2M) communication, machine type communication (MTC), internet of things (IoT) communication systems, or other communication systems.
The following describes, with reference to Figures 1 and 2, a 5G system to which the embodiments of the present application apply. It should be understood that the 5G system described here is only an example and does not limit the present application in any way.
It should also be understood that some network elements in a 5G system may communicate over service-based interfaces or over point-to-point interfaces. The 5G system framework based on point-to-point interfaces and the 5G system framework based on service-based interfaces are introduced below with reference to Figures 1 and 2 respectively.
As an example, Figure 1 is a schematic architecture diagram of a 5G system 100 to which the embodiments of the present application apply. Figure 1 is a schematic diagram of a 5G network architecture based on point-to-point interfaces. As shown in Figure 1, the network architecture may include, but is not limited to, the following network elements (also called functional network elements, functional entities, nodes, devices, etc.):
(radio) access network ((R)AN) device, access and mobility management function (AMF) network element, session management function (SMF) network element, user plane function (UPF) network element, policy control function (PCF) network element, unified data management (UDM) network element, AF network element, data network (DN), network slice selection function (NSSF), authentication server function (AUSF), unified data management (UDM), BSF network element, unified data repository (UDR), etc.
The network elements shown in Figure 1 are briefly introduced below:
1. User equipment (UE): may also be called a terminal device, terminal apparatus, access terminal, subscriber unit, subscriber station, mobile station (MS), mobile terminal (MT), remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus. A terminal device may be a device that provides voice/data connectivity to a user, for example a handheld device or a vehicle-mounted device with a wireless connection function. Examples of terminals currently include: mobile phones, tablets (pads), computers with wireless transceiver functions (such as laptops and palmtop computers), mobile internet devices (MID), virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, cellular phones, cordless phones, session initiation protocol (SIP) phones, wireless local loop (WLL) stations, personal digital assistants (PDA), handheld devices with wireless communication functions, computing devices or other processing devices connected to a wireless modem, vehicle-mounted devices, wearable devices, terminal devices in a 5G network, or terminal devices in a future evolved public land mobile network (PLMN), etc.
In addition, a terminal device may be a terminal device in an internet of things (IoT) system. IoT is an important part of the future development of information technology; its main technical feature is connecting things to the network through communication technology, forming an intelligent network of human-to-machine and machine-to-machine interconnection. IoT technology can achieve massive connections, deep coverage and terminal power saving through, for example, narrow band (NB) technology.
A terminal device may also be a smart printer, a train detector, etc., whose main functions include collecting data (for some terminal devices), receiving control information and downlink data from a network device, and transmitting electromagnetic waves to send uplink data to the network device.
It should be understood that user equipment may be any device that can access the network. A terminal device and an access network device may communicate with each other using some air interface technology.
Optionally, user equipment may act as a base station. For example, user equipment may act as a scheduling entity that provides sidelink signals between user equipments in V2X or D2D, etc. For instance, a cellular phone and a car communicate with each other using sidelink signals, and a cellular phone and a smart home device communicate with each other without relaying the signals through a base station.
2. (Radio) access network ((R)AN) device: provides network access for authorized user equipment in a specific area, and can use transmission tunnels of different quality of service according to the level of the user equipment, the service requirements, etc.
The (R)AN manages radio resources, provides access services to user equipment, and forwards control signalling and user equipment data between the user equipment and the core network; the (R)AN can also be understood as the base station of a traditional network.
For example, the access network device in the embodiments of the present application may be any communication device with wireless transceiver functions that is used to communicate with user equipment. The access network device includes, but is not limited to, an evolved Node B (eNB), a gNB in a 5G (for example NR) system, a transmission point (TRP or TP), one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, or a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or a distributed unit (DU).
In some deployments, a gNB may include a centralized unit (CU) and a DU. The gNB may further include an active antenna unit (AAU). The CU implements some functions of the gNB and the DU implements other functions of the gNB. For example, the CU handles non-real-time protocols and services and implements the functions of the radio resource control (RRC) and packet data convergence protocol (PDCP) layers, while the DU handles physical layer protocols and real-time services and implements the functions of the radio link control (RLC), media access control (MAC) and physical (PHY) layers. The AAU implements some physical layer processing, radio frequency processing and active antenna functions. Since RRC layer information eventually becomes PHY layer information, or is derived from PHY layer information, higher layer signalling such as RRC signalling can, under this architecture, also be regarded as sent by the DU, or by the DU together with the AAU. It should be understood that an access network device may be a device including one or more of a CU node, a DU node and an AAU node. In addition, the CU may be classified as an access network device in the radio access network (RAN) or as an access network device in the core network (CN); the present application does not limit this.
3. User plane function (UPF) network element: used for packet routing and forwarding, quality of service (QoS) handling of user plane data, etc.
In a 5G communication system, the user plane network element may be a user plane function (UPF) network element. In future communication systems, the user plane network element may still be a UPF network element or may have another name; the present application does not limit this.
4. Access and mobility management function (AMF) network element: mainly used for mobility management and access management, etc.; it may implement the MME functions other than session management, for example access authorization/authentication.
In future communication systems, the access and mobility management device may still be an AMF or may have another name; the present application does not limit this.
5. Session management function (SMF) network element: mainly used for session management, internet protocol (IP) address allocation and management for user equipment, selection of a manageable user plane function, termination of the policy control and charging function interface, downlink data notification, etc.
In future communication systems, the session management network element may still be an SMF network element or may have another name; the present application does not limit this.
6. Policy control function (PCF) network element: a unified policy framework for guiding network behaviour, which provides policy rule information to control plane function network elements (such as the AMF and the SMF).
In future communication systems, the policy control network element may still be a PCF network element or may have another name; the present application does not limit this.
7. Application function (AF): used for application-influenced data routing, for accessing the network exposure function network element, for interacting with the policy framework to perform policy control, etc.
In future communication systems, the application network element may still be an AF network element or may have another name; the present application does not limit this.
8. Data management network element: used for UE identification, access authentication, registration, mobility management, etc. The data management network element may refer to the unified data management (UDM) network element and/or the unified data repository (UDR) network element in the system 100.
9. Authentication server function (AUSF) network element: used for authentication services and for generating keys to implement mutual authentication with user equipment; it supports a unified authentication framework.
In future communication systems, the authentication server function network element may still be an AUSF network element or may have another name; the present application does not limit this.
10. Network data analytics function (NWDAF) network element: used to identify network slice instances and the load level information of network slice instances. The network data analytics function allows NF consumers to subscribe to or unsubscribe from periodic notifications, and notifies consumers when a threshold is exceeded.
In future communication systems, the network data analytics function network element may still be an NWDAF network element or may have another name; the present application does not limit this.
11. Data network (DN): a network located outside the operator's network. The operator's network can connect to multiple DNs, and various services can be deployed on a DN to provide data and/or voice services to terminal devices. For example, the DN may be the private network of a smart factory: the sensors installed in the factory workshop are terminal devices, and a control server for the sensors is deployed in the DN and provides services to them; a sensor communicates with the control server, obtains instructions from it, and sends the collected sensor data to it according to those instructions. As another example, the DN may be a company's internal office network: the employees' mobile phones or computers are terminal devices and can access the information and data resources on the internal office network.
In Figure 1, Nausf, Nnef, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4 and N6 are interface sequence numbers. The meanings of these interface sequence numbers are as defined in the 3GPP standards and are not limited here.
In the network architecture shown in Figure 1, the network elements can communicate with each other through the interfaces shown in the figure. As shown, the UE and the AMF can interact through the N1 interface, and the exchanged message may be called an N1 message (N1 Message). The RAN and the AMF can interact through the N2 interface, which may be used for sending non-access stratum (NAS) messages, etc. The RAN and the UPF can interact through the N3 interface, which may be used to transmit user plane data, etc. The SMF and the UPF can interact through the N4 interface, which may be used to transmit information such as the tunnel identifier of the N3 connection, data buffering indications and downlink data notification messages. The UPF and the DN can interact through the N6 interface, which may be used to transmit user plane data, etc. The relationships between the other interfaces and the network elements are as shown in Figure 1 and, for brevity, are not described one by one here.
Figure 2 is a schematic diagram of a 5G network architecture based on point-to-point interfaces; for the functions of its network elements, refer to the description of the corresponding network elements in Figure 1, which is not repeated here. The main difference between Figure 2 and Figure 1 is that the interfaces between the network elements in Figure 2 are point-to-point interfaces rather than service-based interfaces.
In the architecture shown in Figure 2, the names and functions of the interfaces between the network elements are as follows:
1) N7: the interface between the PCF and the SMF, used to deliver protocol data unit (PDU) session-level and service data flow-level control policies.
2) N15: the interface between the PCF and the AMF, used to deliver UE policies and access control related policies.
3) N5: the interface between the AF and the PCF, used for delivering application service requests and reporting network events.
4) N4: the interface between the SMF and the UPF, used to transfer information between the control plane and the user plane, including delivery from the control plane to the user plane of forwarding rules, QoS control rules, traffic statistics rules and the like, and reporting of information from the user plane.
5) N11: the interface between the SMF and the AMF, used to transfer PDU session tunnel information between the RAN and the UPF, control messages sent to the UE, radio resource control information sent to the RAN, etc.
6) N2: the interface between the AMF and the RAN, used to transfer radio bearer control information and the like from the core network side to the RAN.
7) N1: the interface between the AMF and the UE, independent of the access type, used to deliver QoS control rules and the like to the UE.
8) N8: the interface between the AMF and the UDM, used by the AMF to obtain access and mobility management related subscription data and authentication data from the UDM, and to register the UE's current mobility management related information with the UDM.
9) N10: the interface between the SMF and the UDM, used by the SMF to obtain session management related subscription data from the UDM, and to register the UE's current session related information with the UDM.
10) N35: the interface between the UDM and the UDR, used by the UDM to obtain user subscription data from the UDR.
11) N36: the interface between the PCF and the UDR, used by the PCF to obtain policy related subscription data and application data related information from the UDR.
12) N12: the interface between the AMF and the AUSF, used by the AMF to initiate the authentication procedure towards the AUSF; it may carry the SUCI as the subscription identifier.
13) N13: the interface between the UDM and the AUSF, used by the AUSF to obtain the user authentication vector from the UDM in order to perform the authentication procedure.
It should be understood that the above names are defined only to distinguish different functions and do not limit the present application in any way. The present application does not exclude the possibility that other names are used in 5G networks and in other future networks. For example, in a 6G network, some or all of the above network elements may keep the 5G terminology or may adopt other names. The interface names between the network elements in Figure 1 are only an example; in a specific implementation the interfaces may have other names, which the present application does not specifically limit. In addition, the names of the messages (or signalling) transmitted between the network elements are only examples and do not limit the functions of the messages themselves.
It should be understood that the above network elements or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). For ease of description, the remainder of the present application takes the access and mobility management network element AMF as the network device and the radio access network RAN as the base station by way of example.
It should be understood that the network architecture described above for the embodiments of the present application is only an example; the network architecture applicable to the embodiments is not limited to it, and any network architecture capable of implementing the functions of the above network elements is applicable to the embodiments of the present application.
The network architecture and service scenarios described in the embodiments of the present application are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. A person of ordinary skill in the art will appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
Various aspects or features of the embodiments of the present application may be implemented as a method, or as an apparatus or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used in the present application covers a computer program accessible from any computer-readable device, carrier or medium. For example, computer-readable media may include, but are not limited to: magnetic storage devices (for example, hard disks, floppy disks or magnetic tapes), optical discs (for example, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives). In addition, the various storage media described here may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
为了便于理解本申请实施例的技术方案,在以5G架构为基础介绍本申请实施例的方案之前,首先对本申请实施例可能涉及到的5G中的一些术语或概念,以及本申请可能涉及但上述网络架构未示出的网元进行简单描述。In order to facilitate understanding of the technical solutions of the embodiments of the present application, before introducing the solutions of the embodiments of the present application based on the 5G architecture, first of all, some terms or concepts in 5G that may be involved in the embodiments of the present application, as well as the above-mentioned terms that may be involved in this application Network elements that are not shown in the network architecture are briefly described.
1、5G架构。1. 5G architecture.
第三代合作伙伴计划(3rd generation partnership project,3GPP)中定义的演进分组系统(evolved packet system,EPS)包括基于服务化接口的5G网络架构中或基于点对点接口的5G网络架构中,5G网络可分为三部分,分别是UE、DN和运营商网络。The evolved packet system (EPS) defined in the 3rd generation partnership project (3GPP) includes a 5G network architecture based on service-oriented interfaces or a 5G network architecture based on point-to-point interfaces. The 5G network can It is divided into three parts, namely UE, DN and operator network.
其中,运营商网络可以包括图1中除UE和DN之外所示的网元中的一个或者多个,或者还可以包括其他的网元,本申请对于5G网络结构不做限定,可以参考目前相关技术中的介绍。Among them, the operator's network may include one or more of the network elements shown in Figure 1 except for the UE and DN, or may also include other network elements. This application does not limit the 5G network structure. You may refer to the current Introduction to related technologies.
2. Edge computing
The rapid development of mobile communications has driven the continuous emergence of new services. Beyond traditional mobile broadband and the Internet of Things, mobile communications have given rise to many new application fields such as augmented reality (AR), virtual reality (VR), the Internet of Vehicles, industrial control and IoT, which at the same time place higher demands on network bandwidth, latency and other performance and further increase the network load.
The traditional centralized anchor-point deployment of LTE is increasingly unable to support the rapidly growing mobile traffic model. On the one hand, in a network where anchor gateways are deployed centrally, the growing traffic ultimately converges at the gateways and the core equipment rooms, placing ever higher requirements on backhaul bandwidth, equipment-room throughput and gateway capacity; on the other hand, the long backhaul from the access network to the anchor gateway and the complex transmission environment introduce considerable delay and jitter into user packet transmission.
In this situation the industry proposed edge computing (EC). By moving user plane network elements and service processing capability down to the network edge, edge computing processes distributed service traffic locally and avoids excessive traffic concentration, which greatly lowers the capacity requirements on core equipment rooms and centralized gateways. At the same time, edge computing shortens the backhaul distance and reduces the end-to-end delay and jitter of user packets, making the deployment of ultra-low-latency services possible.
3. Campus edge computing
Campus edge computing is the application of edge computing to smart campuses. Combining the two allows rapid deployment and a local service loop on the campus, with a better-optimized network that saves transmission for campus users and guarantees their experience.
4. Security policy control function (SPCF)
The SPCF is mainly responsible for security events, information collection and analysis, and so on, and can provide security policy control for control plane network elements (for example the AMF and the SMF). In future communication systems the security policy control network element may still be the SPCF or may have another name; this application does not limit this.
The scenarios to which the embodiments of this application can be applied were described above with reference to Figures 1 and 2, together with the basic concepts involved. The communication method and apparatus provided by this application are described in detail below with reference to the accompanying drawings.
The embodiments shown below do not specifically limit the structure of the entity that executes the methods provided in the embodiments of this application, as long as it can communicate according to those methods by running a program that records their code. For example, the executing entity may be a core network device and a terminal device, or a functional module in a core network device or a terminal device that can call and execute a program.
To facilitate understanding of the embodiments of this application, the following points are explained.
First, in this application "used to indicate" may be understood as "enabling", and "enabling" includes direct enabling and indirect enabling. When a piece of information is described as being used to enable A, the information may enable A directly or indirectly; this does not mean the information necessarily carries A.
The information enabled by such information is called the information to be enabled. In a specific implementation there are many ways to enable it, for example but not limited to: enabling it directly, such as by sending the information to be enabled itself or an index of it; enabling it indirectly by enabling other information that has an association with it; or enabling only part of it while the remaining part is known or agreed in advance. Specific information can also be enabled by relying on an arrangement order of the pieces of information that is agreed in advance (for example specified in a protocol), which reduces the enabling overhead to some extent. Likewise, the common part of several pieces of information can be identified and enabled once, avoiding the overhead of enabling the same information separately.
Second, the terms "first" and "second" and the various numerical labels (for example "#1", "#2") in this application are only for convenience of description and for distinguishing objects, for example different messages; they do not limit the scope of the embodiments and do not describe a particular order or sequence. Objects so described are interchangeable where appropriate, so that solutions other than the embodiments of this application can be described.
Third, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Fourth, in this application "preconfigured" may include predefined, for example defined in a protocol. "Predefined" may be implemented by storing corresponding code, tables or other means of indicating the relevant information in the devices (including each network element) in advance; this application does not limit the specific implementation.
Fifth, "storing" in the embodiments of this application may mean storing in one or more memories. The one or more memories may be provided separately or integrated in an encoder, a decoder, a processor or a communication apparatus, or partly provided separately and partly integrated in a decoder, processor or communication apparatus. The memory may be any form of storage medium; this application does not limit this.
Sixth, a "protocol" in the embodiments of this application may be a standard protocol in the communication field, for example a 5G protocol, a new radio (NR) protocol or a related protocol applied in a future communication system; this application does not limit this.
Seventh, dashed boxes in the method flowcharts in the drawings of this application represent optional steps.
The communication method provided by the embodiments of this application is described in detail below using interaction between network elements as an example. It should be understood that the terms and steps in the embodiments of this application may be referred to across embodiments.
Figure 3 shows an exemplary flowchart of a method 300 provided by an embodiment of this application. Method 300 is described below step by step.
Optionally, S301: the mobility management network element determines that the first access network device is untrusted.
For example, the mobility management network element may determine this based on an indication from another network element: it receives second indication information from the security policy control network element indicating that the first access network device is untrusted, and determines accordingly. Alternatively, the mobility management network element may determine on its own that the first access network device is untrusted; the specific implementation is not limited in this application.
It should be understood that "the mobility management network element determines that the first access network device is untrusted" may equally be expressed as determining that the first access network device is controlled by a third party, or that it is insecure, and so on.
S302: the mobility management network element sends first indication information to a terminal device connected to the first access network device. Correspondingly, the terminal device receives the first indication information from the mobility management network element.
For example, after determining that the first access network device is untrusted, the mobility management network element looks up the terminal devices connected to the first access network device and sends the first indication information to them. Multiple terminal devices may be connected to the first access network device; for convenience, one of them is used as the example here.
The first indication information indicates that the first access network device is untrusted, or indicates that the connection to the first access network device is to be released. Besides these examples, the first indication information may indicate other content, for instance that the first access network device is controlled by a third party or that it is insecure; this application does not limit this.
Optionally, before sending the first indication information, the mobility management network element may also check the radio resource control connection state of the terminal device (connected, idle, inactive, and so on). When the terminal device is in the connected state and is connected to the first access network device, the mobility management network element sends the first indication information to it.
Optionally, before deciding to send the first indication information, the mobility management network element may also check whether there is an alternative access network device within the coverage of the first access network device. The alternative access network device here may be an access network device connected to the first access network device, or another access network device through which terminal devices within the coverage of the first access network device can access the network. Where such an alternative exists, a terminal device that has released its connection to the first access network device can, as needed, access the alternative access network device.
Optionally, when the mobility management network element determines that there is no alternative access network device for the first access network device, it may send a deregistration request message to the terminal device and carry the first indication information in that message. The deregistration request message requests the terminal device to deregister from the network. On receiving it, the terminal device may send a deregistration accept message to the mobility management network element, which then triggers the network side to execute the deregistration procedure for the terminal device; during that procedure the mobility management network element deletes the terminal device's context.
It should be noted that when there is no alternative access network device, a terminal device that releases its connection to the first access network device may have no other access network device through which to access the network (or may not find one for some time). The mobility management network element may then trigger deregistration of the terminal device and delete its context during the deregistration procedure, saving resources on the mobility management network element. When there is an alternative access network device, the mobility management network element need not trigger deregistration; that is, it can retain the terminal device's context. The terminal device can then, after releasing its connection to the first access network device, quickly re-access the network through a redirection or mobility registration update procedure, which improves access efficiency and user experience.
It should be understood that the first indication information sent to the terminal device may or may not carry the identifier of the first access network device. Where it does not, the first indication information may indicate to the terminal device that its currently connected access network device is untrusted, or that it should release the connection to its currently connected access network device, and so on.
Optionally, when the terminal device accesses the network only through 3rd generation partnership project (3GPP) technology, the mobility management network element may send the first indication information in a non-access stratum message (that is, over the 3GPP access). When the terminal device accesses the network through both 3GPP and non-3GPP technology, the mobility management network element sends the first indication information to the terminal device through the non-3GPP interworking function (N3IWF) network element. In other words, when the mobility management network element can reach the terminal device both by a non-access stratum message and by another path, it prefers the other path.
The reason is that, because the terminal device is connected to the first access network device, a non-access stratum message carrying the first indication information has to be forwarded to the terminal device by the first access network device. Since that device is untrusted, it may not forward the message, and the terminal device would then not receive the first indication information. Sending it over the non-3GPP path avoids the delivery failure that results when the first access network device does not forward non-access stratum messages.
Optionally, S303: the mobility management network element sends the identifier of a second access network device to the terminal device. Correspondingly, the terminal device receives the identifier of the second access network device from the mobility management network element.
For example, if the mobility management network element determines that a second access network device is also untrusted (whether on the indication of another network element or on its own), it may also send the identifier of the second access network device to the terminal device. The second access network device may be one or more access network devices: if the mobility management network element determines that one or more access network devices other than the first are untrusted, it can send their identifiers to the terminal device.
Optionally, S304: the mobility management network element sends timer information to the terminal device. Correspondingly, the terminal device receives the timer information from the mobility management network element.
For example, the mobility management network element may also send timer information indicating for how long one or more access network devices are to be regarded as untrusted.
In one possible implementation, the timer information indicates the time for which the first access network device is untrusted. When the indicated time expires, the first access network device can be regarded as trusted again, or as secure again, or its cells can be accessed again.
In another possible implementation, the mobility management network element also sends the identifier of the second access network device; the timer information may then indicate the untrusted time of both the first and the second access network device, or of one or more of them, or of one or more of the second access network devices.
In yet another possible implementation, the mobility management network element also sends the identifier of the second access network device and sends multiple pieces of timer information, each corresponding to one of the first and second access network devices and indicating that device's untrusted time. The times indicated may be the same or different; this application does not limit this.
Optionally, after receiving the first indication information, the terminal device may send a confirmation message to the mobility management network element indicating that it received the first indication information. The mobility management network element then determines from the confirmation message that the first indication information was delivered.
Optionally, if the mobility management network element receives no confirmation message from the terminal device, it determines that the first indication information was not delivered. In that case it may send the terminal device's identifier and the first access network device's identifier to the data management network element, optionally together with indication information indicating that the first access network device is untrusted, or that the terminal device failed to receive the information indicating this, or that the terminal device has not learned that the first access network device is untrusted. Optionally, the mobility management network element also sends the identifier of the second access network device to the data management network element. The data management network element receives and stores the terminal device's identifier, the first access network device's identifier and, optionally, the second access network device's identifier. After the terminal device re-accesses the network, the data management network element sends it indication information indicating that the first and second access network devices are untrusted, so that in subsequent cell access the terminal device does not access their cells, which improves its communication security.
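The network-side decisions of S301 to S304 and the fallback to the data management network element when no confirmation arrives, as an added Python example. This is not code from the patent or from the applicant: the message fields, the identifiers such as gNB-A, the neighbour table and the timer values are constructed assumptions, and plain dictionaries stand in for the non-access stratum and service-based-interface messages the text leaves unspecified.

```python
"""Added example, not part of the patent text: network-side handling of an
untrusted access network device, modelled on S301-S304 of method 300 and on
the fallback used when the terminal device sends no confirmation. Identifiers
(gNB-A and so on), field names, timer values and the neighbour table are
constructed for illustration and are not 3GPP message formats."""
from dataclasses import dataclass


@dataclass
class UeContext:
    ue_id: str
    rrc_state: str          # "connected", "idle" or "inactive"
    serving_ran: str        # access network device the UE is connected to
    non_3gpp_access: bool   # also registered over non-3GPP access, reachable via N3IWF


@dataclass
class NetworkView:
    neighbours: dict   # ran id -> devices that can serve that device's coverage area
    untrusted: dict    # ran id -> untrusted time in seconds, from the security policy control NE


def has_alternative(view, ran_id):
    """S302 check: at least one device covering the first device's area is still trusted."""
    return any(n not in view.untrusted for n in view.neighbours.get(ran_id, ()))


def build_first_indication(view, ue, first_ran):
    """Message the mobility management NE sends to one UE, or None when nothing is sent
    (S301 does not hold, or the UE is not a connected-state UE on the first device)."""
    if first_ran not in view.untrusted:
        return None
    if ue.rrc_state != "connected" or ue.serving_ran != first_ran:
        return None
    others = sorted(r for r in view.untrusted if r != first_ran)
    msg = {
        # first indication information: release the connection to the serving device
        "indication": "disconnect_from_serving_ran",
        # S303: identifiers of the other untrusted devices (second access network device)
        "untrusted_ran": [first_ran] + others,
        # S304: one timer per device, the "multiple timers" variant of the text
        "timers_s": {r: view.untrusted[r] for r in [first_ran] + others},
    }
    if has_alternative(view, first_ran):
        # backup coverage exists: keep the UE context so it can redirect or do a
        # mobility registration update quickly
        msg["carrier"] = "nas_indication"
        msg["delete_context"] = False
    else:
        # no backup coverage: carry the indication in a deregistration request and
        # delete the context during the deregistration procedure
        msg["carrier"] = "deregistration_request"
        msg["delete_context"] = True
    # the untrusted device may refuse to forward NAS, so prefer the N3IWF path when
    # the UE is also registered over non-3GPP access
    msg["path"] = "n3iwf" if ue.non_3gpp_access else "nas_via_first_ran"
    return msg


def notify_connected_ues(view, ues, first_ran):
    """S302 for all UEs: messages keyed by UE id; UEs that receive nothing are omitted."""
    out = {}
    for ue in ues:
        msg = build_first_indication(view, ue, first_ran)
        if msg is not None:
            out[ue.ue_id] = msg
    return out


def record_for_udm(msg, ue, first_ran):
    """No confirmation from the UE: the record handed to the data management NE so the
    UE can be warned when it re-accesses the network."""
    return {
        "ue_id": ue.ue_id,
        "first_ran": first_ran,
        "second_ran": [r for r in msg["untrusted_ran"] if r != first_ran],
        "reason": "ue_did_not_confirm_first_indication",
    }


# Constructed sample: gNB-A is reported untrusted for 600 s and gNB-C for 300 s.
SAMPLE_VIEW = NetworkView(
    neighbours={"gNB-A": {"gNB-B", "gNB-C"}, "gNB-C": {"gNB-A"}},
    untrusted={"gNB-A": 600, "gNB-C": 300},
)
SAMPLE_UES = [
    UeContext("ue-1", "connected", "gNB-A", non_3gpp_access=False),
    UeContext("ue-2", "connected", "gNB-A", non_3gpp_access=True),
    UeContext("ue-3", "idle", "gNB-A", non_3gpp_access=False),
    UeContext("ue-4", "connected", "gNB-B", non_3gpp_access=False),
]

if __name__ == "__main__":
    for ue_id, m in notify_connected_ues(SAMPLE_VIEW, SAMPLE_UES, "gNB-A").items():
        print(ue_id, m["carrier"], m["path"], m["untrusted_ran"])
```

In the sample, ue-1 and ue-2 are told to release gNB-A while ue-3 (idle) and ue-4 (on another device) get nothing; ue-2 is reached over the N3IWF path. A UE served by gNB-C, whose only neighbour is itself untrusted, receives the indication inside a deregistration request and loses its context.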
S305: after receiving the first indication information, the terminal device releases its connection to the first access network device.
For example, after receiving the first indication information, the terminal device releases the connection to the first access network device according to that information.
Optionally, S306: the terminal device stores first policy information.
For example, after receiving the first indication information, the terminal device stores first policy information.
The first policy information may be the first indication information itself or other information, and may have different names in different scenarios, for example configuration information or indication information; this application does not limit this. The first policy information is used so that the terminal device does not access cells of the first access network device, or equivalently so that it accesses only cells of access network devices other than the first. The terminal device selects a cell for access according to the first policy information. For example, during cell access the terminal device receives a system message broadcast by an access network device that includes that device's identifier; the terminal device compares it with the identifier of the first access network device and, if they match, does not attempt to access that device's cell, while if they differ it may attempt to access it.
Optionally, if the terminal device also receives timer information indicating the untrusted time of the first access network device, it deletes the first policy information when that time expires; that is, after expiry the terminal device may attempt to access cells of the first access network device.
Optionally, if the terminal device also receives the identifier of the second access network device from the mobility management network element, it may store second policy information after receiving it, used so that the terminal device does not access cells of the second access network device. The first and second policy information may be the same information element or different ones; this application does not limit this.
Optionally, a first device sends configuration information to a third access network device indicating that handover to cells of the first access network device is not to be performed. The third access network device may be one or more access network devices. The first device may be any network device, for example the mobility management network element or a network management device. As a specific example, the first device receives second indication information from the security policy control network element indicating that the first access network device is untrusted and, based on it, sends the configuration information to the third access network device.
Optionally, the first device may first determine the third access network device, which may be an access network device controlled or managed by the first device, an access network device adjacent to the first access network device, an access network device connected to the first access network device, an access network device near the terminal device, or an access network device the terminal device can access; this application does not limit this. The configuration information may be the first indication information or other information, and in different scenarios may have other names, for example policy information, indication information or cell access policy; this application does not limit this.
Correspondingly, after receiving the configuration information from the first device, the third access network device may store it and perform cell handover according to it. For example, during handover a terminal device served by the third access network device measures the signal strength of candidate cells and reports a measurement report to the third access network device. On receiving the report, if the identifier of the access network device to which a candidate cell belongs matches the identifier of the first access network device, the third access network device does not hand the terminal device over to that candidate cell, which improves the terminal device's communication security. Optionally, the first device may also send timer information to the third access network device indicating the untrusted time of the first access network device; when that time expires, the third access network device may delete the configuration information, or modify it so that it indicates that handover to cells of the first access network device is permitted.
应理解,上述示例是以该配置信息用于指示不向第一接入网设备的小区进行切换为例进行说明的,但如果第一设备还确定第二接入网设备不可信,则第一设备还可以通过该配置信息向第三接入网设备指示不向第二接入网设备的小区进行切换,具体实现方式与上述示例类似,这里不再赘述。It should be understood that the above example is based on the example that the configuration information is used to indicate not to perform handover to the cell of the first access network device. However, if the first device also determines that the second access network device is not trustworthy, the first device The device can also use the configuration information to instruct the third access network device not to perform handover to the cell of the second access network device. The specific implementation method is similar to the above example and will not be described again here.
基于上述方案,在移动管理网元确定第一接入网设备不可信后,可以向与该第一接入网设备连接的终端设备指示该第一接入网设备不可信,或者指示断开与第一接入网设备的连接,以便终端设备可以根据移动管理网元的指示,断开与第一接入网设备的连接,从而提高终端设备的通信安全。Based on the above solution, after the mobility management network element determines that the first access network device is untrustworthy, it may indicate to the terminal device connected to the first access network device that the first access network device is untrustworthy, or may instruct the terminal device to disconnect from the first access network device. The connection with the first access network device is such that the terminal device can disconnect from the first access network device according to the instructions of the mobility management network element, thereby improving communication security of the terminal device.
The communication method provided by the embodiments of this application is introduced below using the 5G system as a basis. It should be understood that the subsequent methods 400 to 700 may be applied to the network architecture shown in Figure 1 or Figure 2.
Figure 4 shows an exemplary flowchart of the method 400 provided by an embodiment of this application. In one implementation, AMF1 in method 400 may correspond to the mobility management network element in method 300, RAN1 in method 400 to the first access network device in method 300, RAN2 in method 400 to the second access network device in method 300, the UE in method 400 to the terminal device in method 300, and indication information #1 in method 400 to the first indication information in method 300. Method 400 may be applied to the network architecture shown in Figure 1 or Figure 2.
In method 400, after AMF1 determines that RAN1 is untrusted, it indicates to the UE on RAN1 that RAN1 is untrusted (or instructs it to disconnect from RAN1) but does not trigger the deregistration procedure for that UE. After the UE disconnects from RAN1 according to AMF1's indication, the UE can quickly re-access the network through a redirection procedure or a mobility registration procedure, which improves the efficiency with which the UE re-accesses the network and improves user experience. Method 400 is described below by way of example with reference to each step.
S401: AMF1 determines that RAN1 is untrusted.
It should be understood that this application does not limit the specific manner in which AMF1 determines that RAN1 is untrusted. In one possible implementation, after the SPCF determines that RAN1 is untrusted, it notifies AMF1 that RAN1 is untrusted, where AMF1 is the AMF corresponding to RAN1. In another possible implementation, AMF1 may determine on its own that RAN1 is untrusted; this application does not limit this.
Optionally, S402: AMF1 determines that RAN1 has an alternative RAN.
For example, after AMF1 determines that RAN1 is untrusted, it may judge whether there is an alternative RAN within the coverage of RAN1. Here the alternative RAN may refer to a RAN connected to RAN1, or to a RAN through which UEs within the coverage of RAN1 can access the network. The alternative RAN may be a 5G base station (gNB), a 4G base station (eNB), or a base station of another network system; this application does not limit this.
As a specific example, RAN1 is a base station in a private network (such as a campus network); if a public-network base station exists that can cover the coverage area of RAN1, RAN1 has an alternative RAN. As another example, RAN1 is a base station in a public network; if a 4G base station exists that can cover the coverage area of RAN1, RAN1 has an alternative RAN.
AMF1 may judge whether RAN1 has an alternative RAN using the PLMN ID, TAI, and so on; this application does not limit the specific method.
Optionally, the AMF may also verify the RRC connection state (connected, idle, inactive, etc.) and the way in which the UE accesses the network (3GPP access or non-3GPP access), where the UE refers to a UE connected to RAN1, that is, a UE accessing the network through RAN1. It should be understood that one or more UEs may be connected to RAN1; for convenience, one of them is used as an example here.
When the UE is in the connected state and is connected to RAN1, AMF1 notifies the UE that RAN1 is untrusted, as shown in S403.
S403: AMF1 sends indication information #1 to the UE. Correspondingly, the UE receives indication information #1 from AMF1.
For example, indication information #1 indicates that the RAN to which the UE is connected (that is, RAN1) is untrusted, or instructs the UE to disconnect the current network connection, or instructs the UE to switch to another RAN, or instructs the UE to perform redirection.
It should be understood that indication information #1 may be carried in a message of an existing procedure, such as a PDU session establishment response message or a deregistration request message. That is, AMF1 can reuse an existing message to indicate to the UE that RAN1 is untrusted, saving signalling overhead; alternatively, indication information #1 may be carried in a message newly generated by AMF1, so that the content of existing messages need not be changed.
It should be understood that when the UE is registered to the network only via 3GPP access, AMF1 may send indication information #1 to the UE in a NAS message.
It should also be understood that if RAN1 has an alternative RAN, AMF1 may retain the context of the UE; that is, AMF1 does not trigger deregistration of the UE. Note that because RAN1 has an alternative RAN, if the UE disconnects from RAN1 it can re-access the network via the alternative RAN, and because AMF1 retains the context of the UE, the UE can quickly access the alternative RAN through a redirection or mobility registration update procedure, which improves the efficiency of the UE's network access and improves user experience.
Optionally, AMF1 may also send the identifier of RAN1 to UE1.
Optionally, if AMF1 determines that RAN2 is untrusted, AMF1 may also send the identifier of RAN2 to the UE. It should be understood that AMF1 may determine that RAN2 is untrusted according to an indication from another network element, or may determine it on its own; this application does not limit this. RAN2 may include one or more RANs; that is, if AMF1 determines that one or more RANs are untrusted, AMF1 may send the identifiers of those one or more RANs to UE1. For example, after the SPCF determines that several RANs are untrusted, it notifies AMF1 that those RANs are untrusted, and in that case AMF1 may send the identifiers of those untrusted RANs to the UE.
It should be understood that the two optional schemes above may also be described as follows: AMF1 sends a RAN ID list to UE1, the RAN ID list including the identifiers of one or more untrusted RANs, namely the identifier of RAN1 and/or the identifier of RAN2.
Optionally, AMF1 may also send timer information to the UE. The timer information may indicate the time during which RAN1 is untrusted, or the time during which one or more RANs in the RAN ID list are untrusted. Accordingly, when the time indicated by the timer information expires, the UE may determine that the RAN corresponding to that timer information is trusted again; in other words, the UE may remove the identifier of that RAN from the untrusted RAN ID list, or the UE may access cells of that RAN. It should be understood that AMF1 may send multiple timers to the UE, the multiple pieces of timer information corresponding respectively to multiple untrusted RANs.
S404: The UE sends an Ack (acknowledgement) message to AMF1. Correspondingly, AMF1 receives the Ack message from the UE.
For example, after receiving indication information #1 from AMF1, the UE replies to AMF1 with an Ack message. After receiving the Ack message from the UE, AMF1 determines that indication information #1 has been delivered to the UE, that is, that the UE has learned that RAN1 is untrusted.
S405: The UE disconnects from RAN1.
For example, after receiving indication information #1 from AMF1, the UE determines according to indication information #1 that RAN1 is untrusted, and then disconnects from RAN1.
Optionally, S406: The UE stores policy information.
For example, the UE stores policy information, which is used so that the UE does not access cells of untrusted RANs. Several possible implementations are described below by way of example.
In one possible implementation, after the UE determines that RAN1 is untrusted, it stores policy information (denoted policy information #1) and selects a cell for access during the cell access procedure based on policy information #1, which is used so that the UE does not access cells of RAN1. For example, during cell access the UE receives a system message broadcast by some RAN, the system message including the identifier of that RAN; the UE judges whether that identifier is the same as the identifier of RAN1. If it is the same, the UE does not attempt to access that RAN's cell; if it is different, the UE may attempt to access that RAN's cell. Optionally, if the UE also receives timer information indicating the time during which RAN1 is untrusted, the UE deletes policy information #1 after the time indicated by the timer information expires; that is, after the timer expires, the UE may attempt to access cells of RAN1.
In another possible implementation, the UE receives a RAN ID list, which includes the identifier of RAN1 and/or the identifier of RAN2. In this case, the UE stores policy information (denoted policy information #2) and selects a cell for access during the cell access procedure based on policy information #2, which is used so that the UE does not access the RANs corresponding to the RAN ID list. For example, during cell access the UE receives a system message broadcast by some RAN, the system message including the identifier of that RAN; the UE judges whether that identifier is included in the RAN ID list. If it is, the UE does not attempt to access that RAN's cell; if it is not, the UE may attempt to access that RAN's cell. Optionally, if the UE also receives timer information indicating the time during which one or more RANs in the RAN ID list are untrusted, then after the time indicated by the timer information expires, the UE deletes the identifier of the RAN corresponding to that timer information from the RAN ID list.
It should be noted that policy information #1 and policy information #2 may be two independent information elements or a single information element; this application does not limit this.
Optionally, S407: AMF1 releases the N2 connection with RAN1 and triggers PDU session deactivation.
For example, after AMF1 determines that RAN1 is untrusted, it releases the N2 connection with RAN1 and triggers deactivation of the PDU session corresponding to the UE; this application does not limit the specific procedure.
It should be understood that S407 may be performed right after S401, that is, AMF1 may release the N2 connection with RAN1 as soon as it determines that RAN1 is untrusted; alternatively, S407 may be performed after S404; this application does not limit this.
Optionally, S408: AMF1 sends the identifier of the UE and the identifier of RAN1 to the UDM. Correspondingly, the UDM receives the identifier of the UE and the identifier of RAN1 from AMF1.
For example, if AMF1 does not receive an Ack message from the UE, AMF1 determines that the UE did not receive indication information #1 from AMF1, that is, that the UE was not able to learn that RAN1 is untrusted; AMF1 may then send the identifier of the UE and the identifier of RAN1 to the UDM. Optionally, AMF1 may also send indication information #2 to the UDM, where indication information #2 indicates that RAN1 is untrusted, or indicates that the UE has not learned that RAN1 is untrusted, or instructs the UDM to notify the UE that RAN1 is untrusted.
Optionally, if AMF1 also determines that RAN2 is untrusted, AMF1 may also send the identifier of RAN2 to the UDM.
Alternatively, S408 may also be described as follows: AMF1 sends a RAN ID list to the UDM, the RAN ID list including the identifier of RAN1 and/or the identifier of RAN2.
Optionally, S409: The UDM saves the identifier of the UE and the identifier of RAN1.
For example, after receiving the identifier of the UE and the identifier of RAN1 from AMF1, the UDM saves the identifier of the UE and the identifier of RAN1. Optionally, if the UDM also receives the identifier of RAN2 from AMF1, the UDM also saves the identifier of RAN2.
Alternatively, S409 may also be described as follows: if the UDM receives a RAN ID list from AMF1, the UDM saves that RAN ID list.
It should be understood that in one possible implementation, AMF1 may not send the identifier of UE1 and the identifier of RAN1 to the UDM, but instead maintain the identifier of UE1 and the identifier of RAN1 (or the RAN ID list) locally.
Optionally, after disconnecting from RAN1, the UE may re-access the network. This is described below by way of two examples.
Example 1: S410: The UE accesses the 4G network through a redirection procedure.
For example, an eNB is an alternative RAN of RAN1. After disconnecting from RAN1, the UE may access the 4G network through that eNB and the MME corresponding to that eNB. The MME may obtain the context of the UE through AMF1.
Optionally, S411: The UDM sends the identifier of RAN1 and indication information #3 to the UE.
For example, if the UDM saved the identifier of the UE and the identifier of RAN1 in S409, then after the UE re-accesses the network through the 4G base station, the UDM may send the identifier of RAN1 and indication information #3 to the UE through the interworking procedure between the 4G and 5G networks, where indication information #3 indicates that RAN1 is untrusted.
It should be understood that if the UDM also received and saved the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE, in which case indication information #3 also indicates that RAN2 is untrusted.
Alternatively, S411 may also be described as follows: if the UDM received and saved a RAN ID list in S409, the UDM sends the RAN ID list and indication information #3 to the UE, where indication information #3 indicates that the RANs corresponding to the RAN ID list are untrusted. It should be understood that after receiving the identifier of RAN1 and indication information #3 from the UDM, the UE may store policy information, which is used so that the UE does not access cells of RAN1 (and optionally RAN2). For the specific implementation, refer to S406; it is not repeated here.
It should be understood that if AMF1 maintains the identifier of the UE and the identifier of RAN1 (and optionally RAN2) locally, S411 may be performed by AMF1.
Example 2: S412: The UE re-accesses the 5G network through a mobility registration update procedure.
For example, RAN3 is an alternative RAN of RAN1. After disconnecting from RAN1, the UE may re-access the 5G network through RAN3 and AMF2. AMF2 may obtain the context of the UE from AMF1. It should be understood that AMF2 may be the same as AMF1 or different from AMF1; if AMF2 is the same as AMF1, AMF2 need not perform the step of obtaining the context of the UE from AMF1.
Optionally, S413: The UDM sends the identifier of RAN1 and indication information #4 to the UE, where indication information #4 indicates that RAN1 is untrusted.
It should be understood that if the UDM also received and saved the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE, in which case indication information #4 also indicates that RAN2 is untrusted.
Alternatively, S413 may also be described as follows: if the UDM received and saved a RAN ID list in S409, the UDM sends the RAN ID list and indication information #4 to the UE, where indication information #4 indicates that the RANs corresponding to the RAN ID list are untrusted.
Figure 5 shows an exemplary flowchart of the method 500 provided by an embodiment of this application. In one implementation, AMF1 in method 500 may correspond to the mobility management network element in method 300, RAN1 in method 500 to the first access network device in method 300, RAN2 in method 500 to the second access network device in method 300, the UE in method 500 to the terminal device in method 300, and indication information #1 in method 500 to the first indication information in method 300.
In method 500, after AMF1 determines that RAN1 is untrusted, it indicates to the UE on RAN1 that RAN1 is untrusted (or instructs it to disconnect from RAN1) and triggers the deregistration procedure for that UE. After the UE disconnects from RAN1, the UE can re-access the network through an initial registration procedure. In this way, AMF1 can release the context of the UE, saving the resources of AMF1. Method 500 is described below by way of example with reference to each step.
S501: AMF1 determines that RAN1 is untrusted.
It should be understood that this application does not limit the specific manner in which AMF1 determines that RAN1 is untrusted; for details, refer to S401 in method 400.
Optionally, S502: AMF1 determines that RAN1 has no alternative RAN.
For example, after AMF1 determines that RAN1 is untrusted, it judges whether there is an alternative RAN within the coverage of RAN1.
In addition, AMF1 may also verify the RRC connection state of the UE (connected, idle, inactive, etc.) and the way in which the UE accesses the network (3GPP access or non-3GPP access).
When the UE is in the connected state and is connected to RAN1, AMF1 notifies the UE that RAN1 is untrusted.
It should be understood that if the UE accesses the network only via 3GPP access, AMF1 may indicate to the UE in a NAS message that RAN1 is untrusted.
It should also be understood that if RAN1 has no alternative RAN, AMF1 may indicate to the UE that RAN1 is untrusted during the deregistration procedure, as shown in S503.
S503: AMF1 sends a deregistration request message to the UE.
For example, the deregistration request message requests the terminal device to deregister from the network.
The deregistration request message includes indication information #1, which indicates that the RAN to which the UE is connected (that is, RAN1) is untrusted, or instructs the UE to disconnect from RAN1, or instructs the UE to switch to another RAN, or instructs the UE to perform redirection.
It should be noted that when RAN1 has no alternative RAN, if the UE disconnects from RAN1 there may be no other RAN available for network access (or none may be found within a short time), so AMF1 may trigger deregistration of the UE; during the deregistration procedure AMF1 deletes the context of the UE, saving the resources of AMF1.
Optionally, the deregistration request message may include the identifier of RAN1.
Optionally, the deregistration request message may also include a RAN ID list, the RAN ID list including the identifiers of one or more untrusted RANs. For example, after the SPCF determines that several RANs are untrusted, it notifies AMF1 that those RANs are untrusted, and in that case AMF1 may send the RAN ID list to the UE.
Optionally, the deregistration request message may also include timer information, which may indicate the time during which RAN1 is untrusted, or the time during which one or more RANs in the RAN ID list are untrusted. Accordingly, when the time indicated by the timer information expires, the UE may determine that the RAN corresponding to the timer is trusted; in other words, the UE may delete the identifier of the RAN corresponding to that timer information from the untrusted RAN ID list.
S504: The UE sends a deregistration accept message to AMF1.
For example, after receiving the deregistration request message from AMF1, the UE sends a deregistration accept message to AMF1.
Further, AMF1 triggers deregistration of the UE on the network side; for the specific procedure, refer to existing protocols, which this application does not limit.
S505: The UE disconnects from RAN1.
Optionally, S506: The UE stores policy information.
Optionally, S507: AMF1 sends the identifier of the UE and the identifier of RAN1 to the UDM.
Optionally, S508: The UDM stores the identifier of the UE and the identifier of RAN1.
It should be understood that S505 to S508 are similar to S405, S406, S408 and S409 in method 400 and, for brevity, are not repeated here.
可选地,UE与RAN1断开连接之后,可能会重新接入网络。下面结合2个示例进行示例性说明。Optionally, after the UE disconnects from RAN1, it may reconnect to the network. The following is an illustrative explanation combined with 2 examples.
示例1:S509,UE通过初始注册流程接入4G网络。Example 1: S509, the UE accesses the 4G network through the initial registration process.
示例性地,eNB为RAN1的某一备选RAN,UE断开与RAN1的连接之后,可以通过该eNB和与该eNB对应的MME接入4G网络。应理解,由于网络侧执行了UE的去注册流程,因此在S509,UE通过初始注册流程接入到4G网络。For example, the eNB is an alternative RAN of RAN1. After the UE disconnects from the RAN1, it can access the 4G network through the eNB and the MME corresponding to the eNB. It should be understood that since the network side performs the de-registration process of the UE, in S509, the UE accesses the 4G network through the initial registration process.
S510,UDM向UE发送RAN1的标识和指示信息#3。S510. UDM sends the identification and indication information #3 of RAN1 to the UE.
应理解,S510与方法400中的S411类似,为了简洁,这里不再赘述。 It should be understood that S510 is similar to S411 in method 400, and will not be described again here for the sake of brevity.
示例2:S511,UE通过初始注册流程重新接入5G网络。Example 2: S511, the UE re-accesses the 5G network through the initial registration process.
示例性地,RAN3为RAN1的某一备选RAN,UE断开与RAN1的连接之后,可以通过RAN3与AMF2重新接入5G网络。应理解,由于网络侧执行了UE的去注册流程,因此在S511,UE通过初始注册流程接入到5G网络For example, RAN3 is an alternative RAN to RAN1. After the UE disconnects from RAN1, it can reconnect to the 5G network through RAN3 and AMF2. It should be understood that since the network side performs the de-registration process of the UE, in S511, the UE accesses the 5G network through the initial registration process.
S512,UDM向UE发送RAN1的标识和指示信息#4。S512: UDM sends the identification and indication information #4 of RAN1 to the UE.
应理解,S512与方法400中的S511类似,为了简洁,这里不再赘述。It should be understood that S512 is similar to S511 in method 400, and will not be described again here for the sake of brevity.
Figure 6 shows an exemplary flowchart of the method 600 provided by an embodiment of this application. In one implementation, AMF1 in method 600 may correspond to the mobility management network element in method 300, RAN1 in method 600 may correspond to the first access network device in method 300, RAN2 in method 600 may correspond to the second access network device in method 300, the UE in method 600 may correspond to the terminal device in method 300, the N3IWF/TNGF in method 600 may correspond to the non-3rd Generation Partnership Project technology interworking function network element in method 300, and indication information #1 in method 600 may correspond to the first indication information in method 300.
In method 600, after AMF1 determines that RAN1 is untrusted, if AMF1 finds that the UE accesses the network through both 3GPP and non-3GPP access, AMF1 may send indication information #1 to the UE over the non-3GPP path to trigger the UE to disconnect from RAN1. This prevents the situation in which indication information #1 cannot reach the UE because RAN1 does not forward the NAS message. Method 600 is described below step by step.
S601: AMF1 determines that RAN1 is untrusted.
It should be understood that this application does not limit the specific manner in which AMF1 determines that RAN1 is untrusted; for details, reference may be made to S401 in method 400, which is not repeated here.
Optionally, S602: AMF1 determines that the UE accesses the network through both 3GPP and non-3GPP access.
For example, after AMF1 determines that RAN1 is untrusted, it may check the RRC connection state of the UE (connected, idle, inactive, and so on) and the way the UE accesses the network (3GPP access and non-3GPP access).
If the UE is in the connected state and is connected to RAN1, AMF1 notifies the UE that RAN1 is untrusted.
If the UE accesses the network through both 3GPP and non-3GPP access at the same time, AMF1 may notify the UE that RAN1 is untrusted through the N3IWF/TNGF, as shown in S603 to S605.
S603: AMF1 sends an N2 message to the non-3GPP interworking function (N3IWF) network element or the trusted non-3GPP gateway function (TNGF) network element.
For example, the N2 message includes indication information #1, which is used to indicate that the RAN to which the UE is connected (that is, RAN1) is untrusted, or to instruct the UE to disconnect from RAN1, or to instruct the UE to switch to another RAN.
Optionally, the N2 message may include the identity of RAN1.
Optionally, the N2 message may further include a RAN ID list, which contains the identities of multiple untrusted RANs, including the identity of RAN1.
Optionally, the N2 message may further include a timer, which is used to indicate the time for which RAN1 is untrusted, or the time for which one or more RANs in the RAN ID list are untrusted. That is, when the timer expires, the UE may determine that the RAN corresponding to the timer has become trusted, or in other words, the UE may delete the identity of the RAN corresponding to the timer from the RAN ID list.
S604: The N3IWF/TNGF sends indication information #1 to the UE.
For example, after receiving the N2 message from AMF1, the N3IWF/TNGF sends indication information #1 to the UE.
Optionally, the N3IWF/TNGF may also send the RAN ID list and/or the timer to the UE; this application does not limit this.
S605: The UE sends an Ack message to AMF1 through the N3IWF/TNGF.
For example, after receiving indication information #1, the UE may send an Ack message to AMF1 through the N3IWF/TNGF.
S606: The UE disconnects from RAN1.
It should be understood that S606 is similar to S405 in method 400 and is not described again here.
S607: The UE stores policy information.
For example, the UE stores policy information. The policy information is used so that the UE does not access a cell of an untrusted RAN, or so that the UE does not access the network through 3GPP access.
In one implementation, according to the policy information, the UE does not attempt to access the network through 3GPP access until it receives a new indication.
In another implementation, the UE selects a cell for access according to the policy information; the specific implementation is similar to S406 in method 400 and, for brevity, is not described again here.
It should be understood that S608 to S609 are similar to S408 to S409 in method 400 and are not described again here.
It should also be understood that, after the UE disconnects from RAN1, it may access the 4G network through the redirection procedure, or re-access the 5G network through the mobility registration update procedure. The specific procedures are similar to example 1 (S410 to S411) and example 2 (S412 to S413) in method 400 and are not described again here.
Figure 7 shows an exemplary flowchart of the communication method 700 provided by an embodiment of this application. In one implementation, the SPCF in method 700 may correspond to the security policy control network element in method 300, the AMF1/network management device in method 700 may correspond to the first device in method 300, and RAN4 in method 700 may correspond to the third access network device in method 300.
In method 700, after the AMF1/network management device determines that RAN1 is untrusted, it may instruct other RANs (for example, RAN4 in Figure 7) not to hand the UE over to a cell of RAN1, so as to improve communication security. It should be understood that method 700 may be implemented independently or in combination with methods 400 to 600; for example, method 700 may serve as a parallel scheme to method 400 and be executed after S401 in method 400. This application does not limit this. Method 700 is described below step by step.
S701: The SPCF sends indication information #3 to the AMF1/network management device. Correspondingly, the AMF1/network management device receives indication information #3 from the SPCF.
For example, after determining that RAN1 is untrusted, the SPCF may send indication information #3 to the AMF1/network management device, where indication information #3 is used to indicate that RAN1 is untrusted. The network management device is, for example, an operation, administration and maintenance (OAM) device. For convenience, the following description takes the OAM as the network management device. It should be noted that "AMF1/network management device" in the embodiments of this application means AMF1 or the network management device; similar expressions elsewhere are not explained again.
Optionally, if the SPCF determines that multiple RANs are untrusted, indication information #3 may be used to indicate that these RANs are untrusted. In one implementation, the SPCF may send a RAN ID list to the AMF1/OAM, where the RAN ID list contains the identities of one or more untrusted RANs.
Optionally, the SPCF may also send a timer to the AMF1/OAM, where the timer is used to indicate the time for which RAN1 is untrusted.
After receiving indication information #3, the AMF1/OAM may save the identity of RAN1. If the OAM also receives a timer indicating the time for which RAN1 is untrusted, the OAM may delete the identity of RAN1 after the timer expires.
S702: The AMF1/OAM sends configuration information to RAN4.
For example, after receiving indication information #3 from the SPCF, the AMF1/OAM may send configuration information to RAN4. The configuration information includes the identity of RAN1 and a cell handover policy, and the cell handover policy is used so that the UE is not handed over to a cell of RAN1.
Optionally, the configuration information may further include a RAN ID list and a timer; this application does not limit this.
It should be understood that RAN4 may be any RAN, a RAN that has a connection with RAN1, a RAN whose coverage overlaps with that of RAN1, any RAN controlled by AMF1, or a RAN physically adjacent to RAN1; this application does not limit this.
After receiving the configuration information, RAN4 performs cell handover according to it. For example, during a cell handover procedure, a UE served by RAN4 measures the signal strength of candidate cells and reports the measurement report for the candidate cells to RAN4. After RAN4 receives the measurement report from the UE, if the identity of the RAN to which a candidate cell belongs is the same as the identity of RAN1 (or is included in the RAN ID list), RAN4 determines not to hand the UE over to that candidate cell, or in other words, RAN4 does not use that candidate cell as the target cell.
It should be understood that method 700 may be implemented independently or in combination with methods 400 to 600; this application does not limit this.
Based on the above solution, after receiving indication information #3 from the SPCF, the AMF1/OAM may determine from it that RAN1 is untrusted. On that basis, the AMF1/OAM may send configuration information to RAN4 indicating that the UE is not to be handed over to a cell of RAN1, so that RAN4 does not hand the terminal device over to a cell of RAN1, which improves the communication security of the UE.
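As an added example (not code from the patent or its applicant), the following Python models the untrusted-RAN policy that the UE stores in S506/S607 and that the AMF1/OAM configures into RAN4 in S702, including the timer that restores trust when it expires; the same filter serves the UE's cell selection and RAN4's handover target choice. The message field names, the clock in seconds, and the RAN and cell identities are constructed assumptions; the patent names the message content, not its encoding.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UntrustedRanIndication:
    """Content of the deregistration request (S503) / N2 message (S603).
    Field names are constructed; the patent does not fix an encoding."""
    ran_id: str                                             # identity of RAN1
    ran_id_list: List[str] = field(default_factory=list)    # further untrusted RAN identities
    timer_seconds: Optional[float] = None                   # None = untrusted until a new indication


@dataclass
class Cell:
    """A measured candidate cell: serving RAN and signal strength (constructed sample data)."""
    cell_id: str
    ran_id: str
    rsrp_dbm: float


class UntrustedRanPolicy:
    """Policy store held by the UE (S506/S607) or configured into RAN4 (S702).

    Maps an untrusted RAN identity to the absolute time at which it becomes
    trusted again, or None when it stays untrusted until a new indication."""

    def __init__(self) -> None:
        self._expiry: Dict[str, Optional[float]] = {}

    def apply(self, ind: UntrustedRanIndication, now: float) -> None:
        """Record RAN1 and every entry of the RAN ID list.
        Assumption: a timer, when present, covers all RANs carried in the same message."""
        until = None if ind.timer_seconds is None else now + ind.timer_seconds
        for rid in [ind.ran_id, *ind.ran_id_list]:
            self._expiry[rid] = until

    def refresh(self, now: float) -> List[str]:
        """Drop entries whose timer has expired (the UE deletes the policy,
        the OAM deletes the stored identity); returns what was dropped."""
        expired = [rid for rid, until in self._expiry.items()
                   if until is not None and until <= now]
        for rid in expired:
            del self._expiry[rid]
        return expired

    def is_untrusted(self, ran_id: str, now: float) -> bool:
        self.refresh(now)
        return ran_id in self._expiry

    def untrusted_ids(self, now: float) -> List[str]:
        self.refresh(now)
        return sorted(self._expiry)


def best_trusted_cell(policy: UntrustedRanPolicy, candidates: List[Cell],
                      now: float) -> Optional[Cell]:
    """Pick the strongest candidate whose RAN is not on the untrusted list.

    This is the UE's cell selection (S406-style) and RAN4's handover target
    choice after a measurement report (S702): a cell served by RAN1, or by any
    RAN on the RAN ID list, is never chosen even when it is the strongest."""
    allowed = [c for c in candidates if not policy.is_untrusted(c.ran_id, now)]
    if not allowed:
        return None                      # nothing acceptable: no handover / no 3GPP access
    return max(allowed, key=lambda c: c.rsrp_dbm)


def demo() -> List[Optional[str]]:
    """Scenario of methods 400-700 on constructed data: RAN1 and RAN2 are
    flagged untrusted for 600 s; the report lists one cell on each RAN."""
    policy = UntrustedRanPolicy()
    t0 = 1000.0
    policy.apply(UntrustedRanIndication(ran_id="RAN1", ran_id_list=["RAN2"],
                                        timer_seconds=600), now=t0)
    report = [
        Cell("cell-A", "RAN1", -80.0),   # strongest, but served by untrusted RAN1
        Cell("cell-B", "RAN2", -85.0),   # also on the RAN ID list
        Cell("cell-C", "RAN3", -95.0),   # weaker but trusted
    ]
    first = best_trusted_cell(policy, report, now=t0 + 1)     # timer running -> cell-C
    later = best_trusted_cell(policy, report, now=t0 + 601)   # timer expired -> cell-A
    return [c.cell_id if c else None for c in (first, later)]


if __name__ == "__main__":
    print(demo())   # ['cell-C', 'cell-A']
```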
Corresponding to the methods given in the above method embodiments, the embodiments of this application further provide corresponding apparatuses, each including modules for performing the corresponding steps of the above method embodiments. The modules may be software, hardware, or a combination of software and hardware. It can be understood that the technical features described in the above method embodiments also apply to the following apparatus embodiments; content not described in detail may be found in the method embodiments above and, for brevity, is not repeated here.
Figure 8 is a schematic block diagram of a communication apparatus 10 provided by an embodiment of this application. The apparatus 10 includes a transceiver module 11 and a processing module 12. The transceiver module 11 may implement the corresponding communication functions and the processing module 12 is used for data processing; in other words, the transceiver module 11 performs the operations related to receiving and sending, and the processing module 12 performs the operations other than receiving and sending. The transceiver module 11 may also be called a communication interface or a communication unit.
Optionally, the apparatus 10 may further include a storage module 13, which may be used to store instructions and/or data; the processing module 12 may read the instructions and/or data in the storage module so that the apparatus implements the actions of the device or network element in the foregoing method embodiments.
In a first design, the apparatus 10 may correspond to the mobility management network element in the above method embodiments (for example, the mobility management network element in method 300, or AMF1 in methods 400 to 700), or to a component (such as a chip) of the mobility management network element.
The apparatus 10 may implement the steps or procedures performed by the mobility management network element in the above method embodiments, where the transceiver module 11 may be used to perform the operations related to receiving and sending by the mobility management network element, and the processing module 12 may be used to perform the operations related to processing by the mobility management network element.
In one possible implementation, the processing module 12 is configured to determine that a first access network device is untrusted, and the transceiver module 11 is configured to send first indication information to a terminal device connected to the first access network device, where the first indication information is used to indicate that the first access network device is untrusted, or to instruct the terminal device to disconnect from the first access network device.
Optionally, the processing module 12 is further configured to determine that a second access network device is untrusted, and the transceiver module 11 is further configured to send the identity of the second access network device to the terminal device.
Optionally, the transceiver module 11 is further configured to send timer information to the terminal device, where the timer information is used to indicate the time for which the first access network device is untrusted.
Optionally, the transceiver module 11 is specifically configured to send a deregistration request message to the terminal device, where the deregistration request message is used to request the terminal device to deregister from the currently connected network and includes the first indication information.
Optionally, when the terminal device accesses the network through both 3rd Generation Partnership Project technology and non-3rd Generation Partnership Project technology, the transceiver module 11 is specifically configured to send the first indication information to the terminal device through the non-3rd Generation Partnership Project technology interworking function network element.
Optionally, the transceiver module 11 is further configured to send configuration information to a third access network device, where the configuration information is used to indicate that no handover is to be performed to a cell of the first access network device.
Optionally, the transceiver module 11 is further configured to receive second indication information from a security policy control network element, where the second indication information is used to indicate that the first access network device is untrusted.
In a second design, the apparatus 10 may correspond to the terminal device in the above method embodiments (for example, the terminal device in method 300, or the UE in methods 400 to 600), or to a component (such as a chip) of the terminal device.
The apparatus 10 may implement the steps or procedures performed by the terminal device in the above method embodiments, where the transceiver module 11 may be used to perform the operations related to receiving and sending by the terminal device, and the processing module 12 may be used to perform the operations related to processing by the terminal device.
In one possible implementation, the transceiver module 11 is configured to receive first indication information from a mobility management network element, where the first indication information is used to indicate that the first access network device to which the terminal device is connected is untrusted, or to instruct the terminal device to disconnect from the first access network device; and the processing module 12 is configured to disconnect from the first access network device.
Optionally, the processing module 12 is further configured to store first policy information, where the first policy information is used to indicate that cells of the first access network device are not to be accessed.
Optionally, the transceiver module 11 is further configured to receive timer information from the mobility management network element, where the timer information is used to indicate the time for which the first access network device is untrusted; and the processing module 12 is further configured to delete the first policy information after the time indicated by the timer information expires.
Optionally, the transceiver module 11 is further configured to receive the identity of a second access network device from the mobility management network element; and the processing module 12 is further configured to store second policy information, where the second policy information is used to indicate that cells of the second access network device are not to be accessed.
The transceiver module 11 is specifically configured to receive a deregistration request message from the mobility management network element, where the deregistration request message is used to request the terminal device to deregister from the currently connected network and includes the first indication information.
Optionally, when the terminal device also accesses the network through non-3rd Generation Partnership Project technology, the transceiver module 11 is specifically configured to receive the first indication information from the mobility management network element through the non-3rd Generation Partnership Project technology interworking function network element.
It should be understood that the specific process by which each module performs the corresponding steps above has been described in detail in the method embodiments and, for brevity, is not repeated here.
It should also be understood that the apparatus 10 here is embodied in the form of functional modules. The term "module" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example, a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components that support the described functions. In an optional example, a person skilled in the art can understand that the apparatus 10 may specifically be the mobility management network element in the above embodiments and may be used to perform the procedures and/or steps corresponding to the mobility management network element in the above method embodiments; alternatively, the apparatus 10 may specifically be the terminal device in the above embodiments and may be used to perform the procedures and/or steps corresponding to the terminal device in the above method embodiments. To avoid repetition, these are not described again here.
The apparatus 10 in each of the above schemes has the function of performing the corresponding steps performed by the devices in the above methods (such as the mobility management network element, the first device, the third access network device, the data management network element, the terminal device, and so on). The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions; for example, the transceiver module may be replaced by a transceiver (for example, the sending unit in the transceiver module may be replaced by a transmitter, and the receiving unit in the transceiver module by a receiver), and other units, such as the processing module, may be replaced by a processor, which respectively perform the receiving and sending operations and the related processing operations in each method embodiment.
In addition, the transceiver module 11 may also be a transceiver circuit (for example, including a receiving circuit and a sending circuit), and the processing module may be a processing circuit.
图9是本申请实施例提供另一种通信装置20的示意图。该装置20包括处理器21,处理器21用于执行存储器22存储的计算机程序或指令,或读取存储器22存储的数据/信令,以执行上文各方法实施例中的方法。可选地,处理器21为一个或多个。FIG. 9 is a schematic diagram of another communication device 20 according to an embodiment of the present application. The device 20 includes a processor 21, which is used to execute computer programs or instructions stored in the memory 22, or read data/signaling stored in the memory 22, to perform the methods in each of the above method embodiments. Optionally, there are one or more processors 21 .
可选地,如图9所示,该装置20还包括存储器22,存储器22用于存储计算机程序或指令和/或数据。该存储器22可以与处理器21集成在一起,或者也可以分离设置。可选地,存储器22为一个或多个。Optionally, as shown in Figure 9, the device 20 further includes a memory 22, which is used to store computer programs or instructions and/or data. The memory 22 may be integrated with the processor 21 or may be provided separately. Optionally, there are one or more memories 22 .
可选地,如图9所示,该装置20还包括收发器23,收发器23用于信号的接收和/或发送。例如,处理器21用于控制收发器23进行信号的接收和/或发送。Optionally, as shown in Figure 9, the device 20 also includes a transceiver 23, which is used for receiving and/or transmitting signals. For example, the processor 21 is used to control the transceiver 23 to receive and/or transmit signals.
作为一种方案,该装置20用于实现上文各个方法实施例中由移动管理网元执行的操作。As a solution, the device 20 is used to implement the operations performed by the mobility management network element in each of the above method embodiments.
例如,处理器21用于执行存储器22存储的计算机程序或指令,以实现上文各个方法实施例中移动管理网元的相关操作,例如,处理器21执行存储器22存储的计算机程序或执行,可以实现图3中的移动管理网元执行的方法,或者用于指示图4至图7中AMF1执行的方法。For example, the processor 21 is used to execute the computer program or instructions stored in the memory 22 to implement the related operations of the mobility management network element in each of the above method embodiments. For example, the processor 21 executes the computer program or instructions stored in the memory 22 to implement The method performed by the mobility management network element in Figure 3, or the method used to instruct the AMF1 in Figures 4 to 7.
作为另一种方案,该装置20用于实现上文各个方法实施例中由终端设备执行的操作。As another solution, the device 20 is used to implement the operations performed by the terminal device in each of the above method embodiments.
例如,处理器21用于执行存储器22存储的计算机程序或指令,以实现上文各个方法实施例中终端设备的相关操作。例如,处理器21执行存储器22存储的计算机程序或执行,可以实现图3中的终端设备执行的方法,或者用于指示图4至图7中UE执行的方法。For example, the processor 21 is used to execute computer programs or instructions stored in the memory 22 to implement related operations of the terminal device in each of the above method embodiments. For example, the processor 21 executes the computer program or execution stored in the memory 22, which may implement the method executed by the terminal device in FIG. 3, or be used to instruct the method executed by the UE in FIGS. 4 to 7.
It should be understood that the processor mentioned in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be volatile memory and/or non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM). For example, RAM may be used as an external cache. By way of example and not limitation, RAM includes forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
It should also be noted that the memories described here are intended to include, but are not limited to, these and any other suitable types of memory.
FIG. 10 is a schematic diagram of a chip system 30 provided by an embodiment of this application. The chip system 30 (which may also be called a processing system) includes a logic circuit 31 and an input/output interface 32.
The logic circuit 31 may be the processing circuit of the chip system 30. The logic circuit 31 may be coupled to a storage unit and invoke the instructions in the storage unit, so that the chip system 30 can implement the methods and functions of the embodiments of this application. The input/output interface 32 may be the input/output circuit of the chip system 30; it outputs the information processed by the chip system 30, or feeds data or signalling information to be processed into the chip system 30.
Specifically, for example, if the chip system 30 is installed in the mobility management network element, with the logic circuit 31 coupled to the input/output interface 32, the logic circuit 31 may determine that the first access network device is untrusted and then send the first indication information through the input/output interface 32. As another example, if the chip system 30 is installed in the terminal device, with the logic circuit 31 coupled to the input/output interface 32, the logic circuit 31 may receive the first indication information through the input/output interface 32; the input/output interface 32 passes the first indication information to the logic circuit 31 for processing, and the logic circuit 31 may disconnect from the first access network device according to the first indication information.
In one arrangement, the chip system 30 is used to implement the operations performed by the mobility management network element (the mobility management network element in FIG. 3, or AMF1 in FIG. 4 to FIG. 7) in the method embodiments above.
For example, the logic circuit 31 is configured to implement the processing-related operations performed by the mobility management network element in the method embodiments above, such as those performed by the mobility management network element in the embodiment shown in FIG. 3 or by AMF1 in any of the embodiments shown in FIG. 4 to FIG. 7; the input/output interface 32 is configured to implement the sending and/or receiving operations performed by the mobility management network element in the method embodiments above, such as those performed by the mobility management network element in the embodiment shown in FIG. 3 or by AMF1 in any of the embodiments shown in FIG. 4 to FIG. 7.
In another arrangement, the chip system 30 is used to implement the operations performed by the terminal device (the terminal device in FIG. 3, or the UE in FIG. 4 to FIG. 7) in the method embodiments above.
For example, the logic circuit 31 is configured to implement the processing-related operations performed by the terminal device in the method embodiments above, such as those performed by the terminal device in the embodiment shown in FIG. 3 or by the UE in any of the embodiments shown in FIG. 4 to FIG. 7; the input/output interface 32 is configured to implement the sending and/or receiving operations performed by the terminal device in the method embodiments above, such as those performed by the terminal device in the embodiment shown in FIG. 3 or by the UE in any of the embodiments shown in FIG. 4 to FIG. 7.
Embodiments of this application further provide a computer-readable storage medium storing computer instructions for implementing the methods performed by the devices in the method embodiments above.
For example, when the computer program is executed by a computer, the computer implements the method performed by the mobility management network element in the method embodiments above.
As another example, when the computer program is executed by a computer, the computer implements the method performed by the terminal device in the method embodiments above.
Embodiments of this application further provide a computer program product comprising instructions which, when executed by a computer, implement the method performed by a device (for example the mobility management network element, the first device, the third access network device, the data management network element or the terminal device) in the method embodiments above.
Embodiments of this application further provide a communication system comprising one or more of the aforementioned network elements (such as the mobility management network element, the data management network element, the third access network device or the first device) and/or the terminal device.
For the explanation of the relevant content and the beneficial effects of any of the apparatuses provided above, refer to the corresponding method embodiments provided above; they are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is merely a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination of them. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus; for example, a personal computer, a server or a network device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)). For example, the available media include but are not limited to a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The above are only specific embodiments of this application, but the protection scope of this application is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (17)

  1. A communication method, characterized by comprising:
    a mobility management network element determining that a first access network device is untrusted; and
    the mobility management network element sending first indication information to a terminal device connected to the first access network device, where the first indication information is used to indicate that the first access network device is untrusted, or to instruct the terminal device to disconnect from the first access network device.
  2. The method according to claim 1, characterized in that the method further comprises:
    the mobility management network element determining that a second access network device is untrusted; and
    the mobility management network element sending an identifier of the second access network device to the terminal device.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    the mobility management network element sending timer information to the terminal device, where the timer information indicates the period for which the first access network device is untrusted.
  4. The method according to any one of claims 1 to 3, characterized in that the mobility management network element sending the first indication information to the terminal device comprises:
    the mobility management network element sending a deregistration request message to the terminal device, where the deregistration request message requests the terminal device to deregister from the currently connected network and includes the first indication information.
  5. The method according to any one of claims 1 to 3, characterized in that, when the terminal device accesses the network through both 3rd Generation Partnership Project (3GPP) technology and non-3GPP technology, the mobility management network element sending the first indication information to the terminal device comprises:
    the mobility management network element sending the first indication information to the terminal device through a non-3GPP interworking function network element.
  6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
    the mobility management network element sending configuration information to a third access network device, where the configuration information indicates that handover to a cell of the first access network device is not to be performed.
  7. The method according to any one of claims 1 to 6, characterized in that, before the mobility management network element determines that the first access network device is untrusted, the method further comprises:
    the mobility management network element receiving second indication information from a security policy control network element, where the second indication information indicates that the first access network device is untrusted.
  8. A communication method, characterized by comprising:
    a terminal device receiving first indication information from a mobility management network element, where the first indication information indicates that a first access network device to which the terminal device is connected is untrusted, or instructs the terminal device to disconnect from the first access network device; and
    after receiving the first indication information, the terminal device disconnecting from the first access network device.
  9. The method according to claim 8, characterized in that, after the terminal device receives the first indication information, the method further comprises:
    the terminal device storing first policy information, where the first policy information indicates that cells of the first access network device are not to be accessed.
  10. The method according to claim 9, characterized in that the method further comprises:
    the terminal device receiving timer information from the mobility management network element, where the timer information indicates the period for which the first access network device is untrusted; and
    after the time indicated by the timer information expires, the terminal device deleting the first policy information.
  11. The method according to any one of claims 8 to 10, characterized in that the method further comprises:
    the terminal device receiving an identifier of a second access network device from the mobility management network element; and
    the terminal device storing second policy information, where the second policy information indicates that cells of the second access network device are not to be accessed.
  12. The method according to any one of claims 8 to 11, characterized in that the terminal device receiving the first indication information from the mobility management network element comprises:
    the terminal device receiving a deregistration request message from the mobility management network element, where the deregistration request message requests the terminal device to deregister from the currently connected network and includes the first indication information.
  13. The method according to any one of claims 8 to 11, characterized in that, when the terminal device also accesses the network through non-3GPP technology,
    the terminal device receiving the first indication information from the mobility management network element comprises:
    the terminal device receiving the first indication information from the mobility management network element through a non-3GPP interworking function network element.
  14. A communication apparatus, characterized in that the apparatus comprises one or more functional modules configured to perform the method according to any one of claims 1 to 7, or to perform the method according to any one of claims 8 to 13.
  15. A communication apparatus, characterized by comprising:
    a processor configured to execute a computer program stored in a memory, so that the apparatus performs the method according to any one of claims 1 to 7, or so that the apparatus performs the method according to any one of claims 8 to 13.
  16. A computer program product, characterized in that the computer program product comprises instructions for performing the method according to any one of claims 1 to 7, or instructions for performing the method according to any one of claims 8 to 13.
  17. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 7, or causes the computer to perform the method according to any one of claims 8 to 13.
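The signalling in claims 1 to 13, and the chip-system scenario described above (the mobility management network element's logic circuit decides that an access network device is untrusted and sends the first indication information; the terminal device disconnects on receiving it), as a worked exchange. This is an added illustration and not code from the patent or from Huawei: it simulates the AMF, a UE and a third access network device end to end. The message field names, the `via_n3iwf` flag standing in for routing through the non-3GPP interworking function, the seconds-based timer and the `gNB-n` identifiers are assumptions made for the example; the patent specifies no encodings.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FirstIndication:
    """'First indication information', carried in a deregistration request (claim 4).
    Field names and the timer unit are assumptions for this example."""
    untrusted_ran: str                    # first access network device (claim 1)
    action: str                           # "untrusted" or "disconnect" (claim 1)
    timer_s: Optional[float] = None       # period the node stays untrusted (claim 3)
    other_untrusted: tuple = ()           # ids of second access network devices (claim 2)
    deregistration_request: bool = True   # claim 4: piggybacked on deregistration
    via_n3iwf: bool = False               # claim 5: assumed routing flag for non-3GPP access


class AMF:
    """Mobility management network element."""
    def __init__(self) -> None:
        self.untrusted: set = set()

    def on_security_policy_indication(self, ran_id: str) -> None:
        """Claim 7: second indication information from the security policy control NF."""
        self.untrusted.add(ran_id)

    def first_indication(self, ue: "UE", timer_s: float) -> Optional[FirstIndication]:
        """Claims 1-5: notify only a UE that is actually connected to an untrusted node."""
        if ue.serving_ran not in self.untrusted:
            return None
        others = tuple(sorted(self.untrusted - {ue.serving_ran}))
        return FirstIndication(ue.serving_ran, "disconnect", timer_s, others,
                               via_n3iwf=ue.has_non3gpp_access)

    def handover_config(self) -> frozenset:
        """Claim 6: configuration information for a third RAN node: cells not to hand over to."""
        return frozenset(self.untrusted)


class UE:
    """Terminal device; 'barred' holds the first/second policy information (claims 9-11)."""
    def __init__(self, serving_ran: str, has_non3gpp_access: bool = False) -> None:
        self.serving_ran: Optional[str] = serving_ran
        self.has_non3gpp_access = has_non3gpp_access
        self.registered = True
        self.barred: dict = {}            # ran_id -> expiry time, or None for no timer

    def on_first_indication(self, msg: FirstIndication, now: float) -> None:
        if msg.untrusted_ran == self.serving_ran:
            self.serving_ran = None        # claim 8: drop the connection
        if msg.deregistration_request:
            self.registered = False        # claim 12: deregister from the network
        expiry = None if msg.timer_s is None else now + msg.timer_s
        self.barred[msg.untrusted_ran] = expiry            # claims 9/10
        for ran in msg.other_untrusted:
            self.barred.setdefault(ran, None)              # claim 11

    def _purge(self, now: float) -> None:
        for ran, exp in list(self.barred.items()):
            if exp is not None and now >= exp:             # claim 10: timer expired
                del self.barred[ran]

    def may_access(self, ran_id: str, now: float) -> bool:
        self._purge(now)
        return ran_id not in self.barred

    def select_cell(self, candidates: list, now: float) -> Optional[str]:
        """Cell selection honouring the stored policy; first allowed candidate wins."""
        ok = [c for c in candidates if self.may_access(c, now)]
        return ok[0] if ok else None


class RANNode:
    """Third access network device that filters handover targets (claim 6)."""
    def __init__(self, ran_id: str) -> None:
        self.ran_id = ran_id
        self.no_handover: frozenset = frozenset()

    def apply_config(self, cfg: frozenset) -> None:
        self.no_handover = cfg

    def handover_target(self, candidates: list) -> Optional[str]:
        ok = [c for c in candidates if c not in self.no_handover]
        return ok[0] if ok else None


def run_exchange() -> dict:
    """Constructed scenario: gNB-1 (serving) and gNB-2 are flagged untrusted; gNB-3 is a neighbour."""
    amf, ue, gnb3 = AMF(), UE("gNB-1", has_non3gpp_access=True), RANNode("gNB-3")
    amf.on_security_policy_indication("gNB-1")
    amf.on_security_policy_indication("gNB-2")
    msg = amf.first_indication(ue, timer_s=600)
    ue.on_first_indication(msg, now=0)
    gnb3.apply_config(amf.handover_config())
    return {
        "via_n3iwf": msg.via_n3iwf,
        "disconnected": ue.serving_ran is None and not ue.registered,
        "cell_t0": ue.select_cell(["gNB-1", "gNB-2", "gNB-3"], now=0),
        "cell_after_timer": ue.select_cell(["gNB-1", "gNB-2", "gNB-3"], now=601),
        "ho_target": gnb3.handover_target(["gNB-1", "gNB-2", "gNB-4"]),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The point the example makes explicit is the asymmetry between the two policy entries: the first access network device is barred only for the timer period and becomes selectable again once the timer expires, whereas a second access network device announced without a timer stays barred until a later indication replaces the entry. Neighbour handover is filtered at the third access network device independently of the UE's own policy, so the UE cannot be handed back into the untrusted cell even if its local policy has already been deleted.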
PCT/CN2023/088566 2022-04-22 2023-04-17 Communication method and apparatus WO2023202503A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210429002.7 2022-04-22
CN202210429002.7A CN116980897A (en) 2022-04-22 2022-04-22 Communication method and device

Publications (1)

Publication Number Publication Date
WO2023202503A1 (en) 2023-10-26

Family

ID=88419200

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/088566 WO2023202503A1 (en) 2022-04-22 2023-04-17 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN116980897A (en)
WO (1) WO2023202503A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110035787A1 (en) * 2008-04-11 2011-02-10 Telefonaktiebolaget Lm Ericsson (Publ) Access Through Non-3GPP Access Networks
US20210136582A1 (en) * 2018-06-30 2021-05-06 Nokia Solutions And Networks Oy Method and apparatus for handling authentication failure during security association establishment
WO2021096410A1 (en) * 2019-11-11 2021-05-20 Telefonaktiebolaget Lm Ericsson (Publ) Methods for trust information in communication network and related communication equipment and communication device
WO2021165446A1 (en) * 2020-02-21 2021-08-26 Telefonaktiebolaget Lm Ericsson (Publ) Determination of trust relationship of non-3gpp access networks in 5gc

Also Published As

Publication number Publication date
CN116980897A (en) 2023-10-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23791158

Country of ref document: EP

Kind code of ref document: A1