WO2023202503A1 - Communication method and device - Google Patents

Communication method and device

Info

Publication number
WO2023202503A1
Authority
WO
WIPO (PCT)
Prior art keywords
access network
terminal device
network element
information
mobility management
Application number
PCT/CN2023/088566
Other languages
English (en)
Chinese (zh)
Inventor
赵鹏涛
李岩
Original Assignee
华为技术有限公司
Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/08 Access security
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/60 Context-dependent security
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 48/00 Access restriction; Network selection; Access point selection › H04W 48/02 Access restriction performed under specific conditions
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 76/00 Connection management › H04W 76/30 Connection release

Definitions

  • the present application relates to the field of communication technology, and in particular, to a communication method and device.
  • Access network equipment can provide network access functions for authorized user equipment in a specific area, but there is a risk that access network equipment may be controlled by a third party.
  • access network equipment is usually deployed inside the campus.
  • the security management capabilities of the computer rooms inside the campus are weak, and third parties may control the access network equipment in certain ways. If a third party controls the access network equipment, it can control the user plane and control plane of the mobile communication network, thus posing huge risks to communication security.
  • This application provides a communication method and device, which can improve the communication security of terminal equipment when the access network equipment is controlled.
  • a communication method includes: a mobility management network element determines that a first access network device is untrustworthy; and the mobility management network element sends first indication information to a terminal device connected to the first access network device, the first indication information being used to indicate that the first access network device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device.
  • when the mobility management network element determines that the first access network device is untrustworthy, it can indicate to the terminal device under the first access network device that the first access network device is untrustworthy, or instruct it to disconnect from the first access network device, so that the terminal device can disconnect from the first access network device according to the instruction of the mobility management network element, thereby improving the communication security of the terminal device.
  • the method further includes: the mobility management network element determines that a second access network device is untrustworthy; the mobility management network element sends the identification of the second access network device to the terminal device.
  • the second access network device may include one or more access network devices.
  • the second access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device connected to the first access network device; an access network device physically adjacent to the terminal device; an access network device that the terminal device can access.
  • the mobility management network element can send the identification of the one or more access network devices to the terminal device, so that the terminal device does not access the one or more access network devices in subsequent cell access procedures, further improving the communication security of the terminal device.
  • the mobility management network element may also send the identification of the first access network device to the terminal device.
  • the method further includes: the mobility management network element sending timer information to the terminal device, the timer information being used to indicate the time during which the first access network device is untrustworthy.
  • the mobility management network element can also send timer information to the terminal device to indicate the time during which the first access network device is untrustworthy, so that the terminal device can determine that it may access the cell of the first access network device after the time indicated by the timer information expires. This improves the communication security of the terminal device while ensuring effective utilization of the resources of the first access network device.
  • the mobility management network element sends the first indication information to the terminal device, including: the mobility management network element sends a deregistration request message to the terminal device, the deregistration request message is used to request the terminal device to deregister from the currently connected network, and the deregistration request message includes the first indication information.
  • the mobility management network element can send the first indication information to the terminal device through the deregistration request message. That is to say, the mobility management network element can request the terminal device to deregister while sending the first indication information to it. After the terminal device is deregistered, the mobility management network element can delete the context of the terminal device, thereby saving resources of the mobility management network element.
  • the mobility management network element sends a deregistration request message to the terminal device, including: the mobility management network element determines whether there is an alternative access network device within the coverage of the first access network device; when there is an alternative access network device within the coverage of the first access network device, the mobility management network element sends the deregistration request message to the terminal device.
  • the mobility management network element can request the terminal device to deregister when there is no alternative access network device within the coverage of the first access network device. That is to say, when the terminal device has no other access network device to enter, the mobility management network element can trigger the terminal device to deregister, so that the context of the terminal device is no longer retained, thereby saving the resources of the mobility management network element.
  • when the terminal device accesses the network through both 3rd generation partnership project (3GPP) technology and non-3GPP technology, the mobility management network element sends the first indication information to the terminal device, including: the mobility management network element sends the first indication information to the terminal device through a non-3GPP interworking function network element.
  • the mobility management network element can send the first indication information to the terminal device through the non-3GPP interworking function network element, to prevent the first access network device from being unable to forward the first indication information to the terminal device after it is controlled by a third party.
  • the method further includes: the mobility management network element sending configuration information to a third access network device, the configuration information being used to indicate not to hand over to the cell of the first access network device.
  • the mobility management network element can, through the configuration information, instruct the third access network device not to perform handover to the cell of the first access network device. Therefore, according to the configuration information, when the terminal device performs cell handover, the third access network device does not hand the terminal device over to the cell of the first access network device, thereby improving communication security.
  • before the mobility management network element sends the configuration information to the third access network device, the method further includes: the mobility management network element determines the third access network device, and the third access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device connected to the first access network device; an access network device adjacent to the terminal device; an access network device that the terminal device can access.
  • before the mobility management network element determines that the first access network device is untrustworthy, the method further includes: the mobility management network element receiving second indication information from a security policy control network element, the second indication information being used to indicate that the first access network device is untrustworthy.
  • the mobility management network element can determine that the first access network device is untrustworthy according to the instruction information of the security policy control network element.
  • the method further includes: the mobility management network element releases the connection with the first access network device; the mobility management network element triggers deactivation of the session of the terminal device.
  • the mobility management network element can release the connection with the first access network device and trigger deactivation of the session of the terminal device, to prevent the first access network device from controlling the user plane and data plane of the mobile access network and thereby improve communication security.
  • the method further includes: when the mobility management network element does not receive a confirmation message from the terminal device, the mobility management network element sends the identification of the first access network device, the identification of the terminal device and third indication information to a data management network element.
  • the confirmation message is used to indicate that the terminal device successfully received the first indication information.
  • the third indication information is used to indicate that the first access network device is not trustworthy, or is used to instruct that the terminal device be informed that the first access network device is not trustworthy.
  • when the mobility management network element does not receive the confirmation message from the terminal device, or in other words, when the terminal device does not receive the first indication information from the mobility management network element, the mobility management network element can send the identification of the first access network device and the identification of the terminal device to the data management network element, and indicate to the data management network element that the first access network device is untrustworthy, or instruct it to inform the terminal device that the first access network device is untrustworthy. Based on this, the data management network element can indicate to the terminal device that the first access network device is untrustworthy after the terminal device reconnects to the network, so that the terminal device does not access the cell of the first access network device, which improves the communication security of the terminal device.
  • a communication method includes: a terminal device receiving first indication information from a mobility management network element, the first indication information being used to indicate that the first access network device connected to the terminal device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device; after receiving the first indication information, the terminal device disconnects from the first access network device.
  • after the mobility management network element indicates to the terminal device that the first access network device is untrustworthy, or instructs it to disconnect from the first access network device, the terminal device disconnects from the first access network device, preventing the first access network device from controlling the communication of the terminal device and improving the communication security of the terminal device.
  • the method further includes: the terminal device stores first policy information, the first policy information being used to indicate not to access the cell of the first access network device.
  • after receiving the first indication information, the terminal device saves the first policy information instructing it not to access the cell of the first access network device. That is to say, when the terminal device subsequently performs cell access, it will not access the cell of the first access network device according to the first policy information, thereby improving the communication security of the terminal device.
  • the method further includes: the terminal device receiving timer information from the mobility management network element, the timer information being used to indicate the time during which the first access network device is untrustworthy; after the time indicated by the timer information expires, the terminal device deletes the first policy information.
  • the mobility management network element can also indicate to the terminal device the time when the first access network device is untrustworthy through timer information. In this case, when the time indicated by the timer information expires, the terminal device may delete the first policy information. That is to say, after the time indicated by the timer information expires, the terminal device can access the cell of the first access network device.
  • the method further includes: the terminal device receiving the identification of a second access network device from the mobility management network element; the terminal device storing second policy information, the second policy information being used to indicate not to access the cell of the second access network device.
  • the second access network device may include one or more access network devices.
  • the identification of the one or more access network devices can be sent to the terminal device, so that the terminal device can save second policy information indicating not to access the cell of the second access network device. That is to say, when the terminal device subsequently performs cell access, it does not access the cell of the second access network device according to the second policy information, thereby improving the communication security of the terminal device.
  • the terminal device receives the first indication information from the mobility management network element, including: the terminal device receives a deregistration request message from the mobility management network element, the deregistration request message is used to request the terminal device to deregister from the currently connected network, and the deregistration request message includes the first indication information.
  • the mobility management network element can send the first indication information to the terminal device through the deregistration request message. That is to say, the mobility management network element can request the terminal device to deregister while sending the first indication information to it. In this case, after the terminal device deregisters, the mobility management network element can delete the context of the terminal device, thereby saving resources of the mobility management network element.
  • in the case where the terminal device also accesses the network through non-3GPP technology, the terminal device receives the first indication information from the mobility management network element, including: the terminal device receives the first indication information from the mobility management network element through a non-3GPP interworking function network element.
  • the mobility management network element can send the first indication information to the terminal device through the non-3GPP interworking function network element, to prevent the mobility management network element from being unable to forward the first indication information to the terminal device after the first access network device is controlled by a third party.
  • the method further includes: the terminal device sending a confirmation message to the mobility management network element, the confirmation message being used to indicate that the terminal device successfully received the first indication information.
  • a communication method includes: a first device receiving second indication information from a security policy control network element, the second indication information being used to indicate that the first access network device is untrustworthy; the first device sends configuration information to a third access network device.
  • the configuration information includes an identification of the first access network device and a cell switching policy.
  • the cell switching policy is used to indicate not to hand the terminal device over to the cell of the first access network device.
  • the first device can be any network device.
  • the first device can be a mobility management network element, or the first device can also be a network management device, which is not limited in this application.
  • after receiving the second indication information from the security policy control network element, the first device can determine that the first access network device is untrustworthy based on the second indication information. Based on this, the first device may send configuration information to the third access network device to instruct it not to hand the terminal device over to the cell of the first access network device, so that the third access network device does not hand the terminal device over to the cell of the first access network device, which improves the communication security of the terminal device.
  • the method further includes: the first device determines the third access network device based on the first access network device, and the third access network device is any of the following devices: an access network device controlled by the mobility management network element; an access network device adjacent to the first access network device; an access network device connected to the first access network device; an access network device that the terminal device can access.
  • a communication method includes: a third access network device receives configuration information from a first device, the configuration information includes a cell switching policy, and the cell switching policy is used to indicate not to hand the terminal device over to the cell of the first access network device; the third access network device determines, according to the cell switching policy, not to hand over to the cell of the first access network device.
  • according to the configuration information from the first device, the third access network device can refrain from handing over to the cell of the first access network device, thereby improving communication security.
  • a communication method includes: a data management network element receiving the identification of a terminal device, the identification of a first access network device and third indication information from a mobility management network element.
  • the third indication information is used to indicate that the first access network device is not trustworthy, or the third indication information is used to instruct that the terminal device be informed that the first access network device is not trustworthy; after receiving the third indication information, the data management network element sends fourth indication information to the terminal device, where the fourth indication information is used to indicate that the first access network device is untrustworthy.
  • the data management network element sends the fourth indication information to the terminal device after the terminal device accesses the network.
  • the data management network element can indicate to the terminal device, after the terminal device reconnects to the network, that the first access network device is untrustworthy, so that the terminal device does not access the cell of the first access network device, thereby improving the communication security of the terminal device.
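As an added illustration (not code from the patent, from 华为技术有限公司 or from any 3GPP implementation), the following Python model walks through the procedure of the first to fifth aspects: the mobility management network element configures the third access network devices with a cell switching policy, sends the first indication (optionally with second access network identifications, timer information and a deregistration request) to the terminal device, and hands the case to the data management network element when no confirmation arrives; the terminal device stores timer-bound first policy information and second policy information and filters cell selection accordingly. All class names, message fields and identifiers such as gnb-1 are assumptions made here; the patent specifies no encodings, APIs or timer values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class FirstIndication:
    """First indication information plus the items the page says may travel with it."""
    untrusted_an: str                     # identification of the first access network device
    second_ans: tuple = ()                # identifications of second access network devices
    timer: float | None = None            # seconds the first device stays untrustworthy (None: no timer)
    deregistration_request: bool = False  # True when carried inside a deregistration request message


@dataclass
class Ue:
    """Terminal device: disconnects on the indication and keeps first/second policy information."""
    serving_an: str | None
    registered: bool = True
    policies: dict = field(default_factory=dict)  # access network id -> expiry time (None: no timer)

    def receive_indication(self, ind: FirstIndication, now: float) -> dict:
        if self.serving_an == ind.untrusted_an:
            self.serving_an = None                    # disconnect from the first access network device
        expiry = None if ind.timer is None else now + ind.timer
        self.policies[ind.untrusted_an] = expiry      # first policy information (timer-bound)
        for an in ind.second_ans:
            self.policies.setdefault(an, None)        # second policy information (no timer on the page)
        if ind.deregistration_request:
            self.registered = False                   # the AMF may now delete the UE context
        return {"confirmation": True, "first_an": ind.untrusted_an}   # confirmation message

    def expire_policies(self, now: float) -> None:
        # After the time indicated by the timer information expires, the first policy is deleted
        for an, expiry in list(self.policies.items()):
            if expiry is not None and expiry <= now:
                del self.policies[an]

    def select_cell(self, candidates: list[str], now: float) -> str | None:
        # Cell access: skip every access network device a stored policy says not to access
        self.expire_policies(now)
        for an in candidates:
            if an not in self.policies:
                self.serving_an = an
                return an
        return None


@dataclass
class ThirdAn:
    """Third access network device: applies the cell switching policy from configuration information."""
    no_handover_to: set = field(default_factory=set)

    def configure(self, config: dict) -> None:
        if config["cell_switching_policy"] == "do_not_switch":
            self.no_handover_to.add(config["first_an"])

    def handover_target(self, measured: list[str]) -> str | None:
        # Pick the first measured neighbour the policy does not exclude
        return next((an for an in measured if an not in self.no_handover_to), None)


@dataclass
class Amf:
    """Mobility management network element; hands unconfirmed indications to the data management NE."""
    udm_records: list = field(default_factory=list)

    def handle_untrusted(self, first_an: str, ue_id: str, ue: Ue, third_ans: list[ThirdAn],
                         second_ans: tuple = (), timer: float | None = None,
                         deregister: bool = False, now: float = 0.0,
                         ue_reachable: bool = True) -> dict:
        # Configuration information: identification of the first AN device plus the cell switching policy
        config = {"first_an": first_an, "cell_switching_policy": "do_not_switch"}
        for an in third_ans:
            an.configure(config)
        ind = FirstIndication(first_an, second_ans, timer, deregister)
        # ue_reachable=False models the case where the first indication never reaches the UE
        ack = ue.receive_indication(ind, now) if ue_reachable else None
        if ack is None:
            # No confirmation message: send UE id, first AN id and third indication to the data management NE
            self.udm_records.append({"ue": ue_id, "first_an": first_an, "third_indication": "untrusted"})
        return {"config_sent": len(third_ans), "ack": ack is not None}


def udm_on_reconnect(records: list[dict], ue_id: str, ue: Ue, now: float) -> bool:
    """Data management NE: once the UE reconnects, deliver fourth indication information for each record."""
    sent = False
    for rec in records:
        if rec["ue"] == ue_id:
            ue.receive_indication(FirstIndication(rec["first_an"]), now)   # fourth indication, same content
            sent = True
    return sent
```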
  • a sixth aspect provides a communication device, which is used to perform any of the methods provided in the above first to fourth aspects.
  • the device may include units and/or modules for executing the methods provided in the first to fourth aspects, such as a processing module and/or a transceiver module (which may also be a communication module).
  • the device is a network device, for example, the device is a mobility management network element, a data management network element, or a first device.
  • the communication module may be a transceiver, or an input/output interface; the processing module may be a processor.
  • the device is a chip, chip system or circuit used in network equipment.
  • the communication module may be an input/output interface, interface circuit, output circuit, input circuit, pin or related circuit on the chip, chip system or circuit etc.
  • the processing module may be a processor, a processing circuit or a logic circuit, etc.
  • the device is a chip, chip system or circuit in the mobile management network element.
  • the apparatus may comprise units and/or modules for performing the method provided in the first aspect, such as a processing unit and/or a communication unit.
  • the device is the first device, or a chip, chip system or circuit in the first device.
  • the device may include units and/or modules for performing the method provided in the third aspect, such as a processing module and/or a transceiver module.
  • the device is a third access network device, or a chip, chip system or circuit in the third access network device.
  • the device may include units and/or modules for performing the method provided in the fourth aspect, such as a processing module and/or a transceiver module.
  • the device is a data management network element, or a chip, chip system or circuit in the data management network element.
  • the device may include units and/or modules for performing the method provided in the fifth aspect, such as a processing module and/or a transceiver module.
  • the device is a terminal device.
  • the communication unit may be a transceiver, or an input/output interface;
  • the processing unit may be a processor.
  • the device is a terminal device or a chip, a chip system or a circuit in the terminal device (10).
  • the device may include units and/or modules for performing the method provided in the second aspect, such as a processing module and/or a transceiver module.
  • the above-mentioned transceiver may be a transceiver circuit.
  • the above input/output interface may be an input/output circuit.
  • a seventh aspect provides a communication device.
  • the device includes: a memory for storing a program; a processor for executing the program stored in the memory.
  • the processor is configured to execute any of the methods provided in the above-mentioned first to fifth aspects.
  • this application provides a processor for executing the methods provided in the above aspects.
  • the process of sending the above information and obtaining/receiving the above information in the above method can be understood as the process of the processor outputting the above information, and the process of the processor receiving the input above information.
  • when outputting the above information, the processor outputs the above information to the transceiver for transmission by the transceiver. After the above information is output by the processor, it may also need to undergo other processing before reaching the transceiver.
  • the transceiver obtains/receives the above information and inputs it into the processor. Furthermore, after the transceiver receives the above information, the above information may need to undergo other processing before being input to the processor.
  • receiving the request message mentioned in the foregoing method can be understood as the processor receiving input information.
  • the above-mentioned processor may be a processor specifically designed to perform these methods, or may be a processor that executes computer instructions in a memory to perform these methods, such as a general-purpose processor.
  • the above-mentioned memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated on the same chip as the processor, or can be separately provided on different chips.
  • a ninth aspect provides a computer-readable storage medium that stores program code for device execution, where the program code includes execution of any of the methods provided in the above-mentioned first to fifth aspects.
  • a tenth aspect provides a computer program product containing instructions, which when the computer program product is run on a computer, causes the computer to execute any of the methods provided in the first to fifth aspects.
  • a chip in an eleventh aspect, includes a processor and a communication interface.
  • the processor reads instructions stored in the memory through the communication interface and executes any of the methods provided in the first to fifth aspects.
  • the chip may also include a memory, in which instructions are stored, and the processor is used to execute the instructions stored in the memory.
  • the processor is used to execute any of the methods provided in the above-mentioned first to fifth aspects.
  • a communication system including one or more of the aforementioned mobility management network element, first device, and data management network element.
  • the communication system may also include the above-mentioned third access network device.
  • the communication system may also include the above-mentioned terminal device.
  • Figure 1 shows a schematic diagram of a network architecture.
  • Figure 2 shows another schematic diagram of network architecture.
  • Figure 3 is a schematic flow chart of a communication method 300 provided by an embodiment of the present application.
  • Figure 4 is a schematic flow chart of a communication method 400 provided by an embodiment of the present application.
  • Figure 5 is a schematic flow chart of a communication method 500 provided by an embodiment of the present application.
  • Figure 6 is a schematic flow chart of a communication method 600 provided by an embodiment of the present application.
  • Figure 7 is a schematic flow chart of a communication method 700 provided by an embodiment of the present application.
  • Figure 8 is a schematic block diagram of a communication device provided by an embodiment of the present application.
  • Figure 9 is a schematic block diagram of a communication device provided by another embodiment of the present application.
  • Figure 10 is a schematic block diagram of a communication device provided by yet another embodiment of the present application.
  • the technical solutions provided by this application can be applied to various communication systems, such as fifth generation (5G) or new radio (NR) systems, long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, etc.
  • the technical solution provided by this application can also be applied to future communication systems, such as the sixth generation mobile communication system.
  • the technical solution provided by this application can also be applied to device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-to-machine (M2M) communication, machine type communication (MTC), Internet of things (IoT) communication systems or other communication systems.
  • the 5G system architecture based on point-to-point interfaces and the 5G system architecture based on service-based interfaces are described in conjunction with Figure 1 and Figure 2.
  • FIG. 1 shows a schematic architectural diagram of a 5G system 100 applicable to the embodiment of the present application.
  • Figure 1 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • the network architecture may include but is not limited to the following network elements (also known as functional network elements, functional entities, nodes, devices, etc.):
  • (R)AN: (radio) access network
  • AMF: access and mobility management function
  • SMF: session management function
  • UPF: user plane function
  • PCF: policy control function
  • UDM: unified data management
  • AF: application function network element
  • DN: data network
  • NSSF: network slice selection function
  • AUSF: authentication server function
  • BSF: binding support function network element
  • UDR: unified data repository
  • user equipment can also be called terminal equipment, terminal device, access terminal, user unit, user station, mobile station (MS), mobile terminal (MT), remote station, remote terminal, mobile device, user terminal, terminal, wireless communication equipment, user agent or user device.
  • the terminal device may be a device that provides voice/data connectivity to the user, such as a handheld device, a vehicle-mounted device, etc. with wireless connectivity capabilities.
  • terminals can be: mobile phones, tablets, computers with wireless transceiver functions (such as laptops, handheld computers, etc.), mobile Internet devices (MID), virtual reality (VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical care, wireless terminals in smart grids, wireless terminals in transportation safety, wireless terminals in smart cities, wireless terminals in smart homes, cellular phones, cordless telephones, session initiation protocol (SIP) telephones, wireless local loop (WLL) stations, personal digital assistants (PDA), handheld devices with wireless communication capabilities, computing devices or other processing equipment connected to wireless modems, vehicle-mounted equipment, wearable devices, terminal equipment in the 5G network or terminal equipment in the future evolved public land mobile network (PLMN), etc.
  • the terminal device can also be a terminal device in an Internet of things (IoT) system.
  • Its main technical feature is to connect objects to the network through communication technology, thereby realizing an intelligent network of human-computer interconnection and object interconnection.
  • IoT technology can achieve massive connections, deep coverage, and terminal power saving through narrowband (NB) technology, for example.
  • terminal equipment can also include smart printers, train detectors, etc. Its main functions include collecting data (for some terminal equipment), receiving control information and downlink data from network equipment, and sending electromagnetic waves to transmit uplink data to network equipment.
  • the user equipment can be any device that can access the network. Terminal equipment and access network equipment can communicate with each other using some air interface technology.
  • the user equipment can be used to act as a base station.
  • user equipment may act as a scheduling entity that provides sidelink signals between user equipments in V2X or D2D, etc.
  • cell phones and cars use sidelink signals to communicate with each other.
  • Cell phones and smart home devices communicate between each other without having to relay communication signals through base stations.
  • Radio access network ((R)AN) equipment is used to provide network access functions for authorized user equipment in a specific area, and can use transmission tunnels of different quality according to the level of the user equipment, business needs, etc.
  • (R)AN can manage wireless resources, provide access services to user equipment, and then complete the forwarding of control signals and user equipment data between user equipment and the core network.
  • (R)AN can also be understood as a base station in a traditional network.
  • the access network device in the embodiment of the present application may be any communication device with wireless transceiver functions used to communicate with user equipment.
  • the access network equipment includes but is not limited to an evolved Node B (eNB), or a gNB in a 5G system such as NR, or a transmission point (TRP or TP), or one antenna panel or a group of antenna panels (including multiple antenna panels) of a base station in the 5G system, or it can also be a network node that constitutes a gNB or a transmission point, such as a baseband unit (BBU) or a distributed unit (DU), etc.
  • gNB may include centralized units (CUs) and DUs.
  • the gNB may also include an active antenna unit (AAU).
  • CU implements some functions of gNB
  • DU implements some functions of gNB.
  • CU is responsible for processing non-real-time protocols and services, implementing radio resource control (RRC), and packet data convergence protocol (PDCP) layer functions.
  • DU is responsible for processing physical layer protocols and real-time services, and implementing the functions of the radio link control (RLC) layer, media access control (MAC) layer and physical (PHY) layer.
  • the access network device may be a device including one or more of a CU node, a DU node, and an AAU node.
  • the CU can be classified as access network equipment in the radio access network (RAN), or the CU can be classified as access network equipment in the core network (CN); this application does not limit this.
  • the user plane network element may be a user plane function (UPF) network element.
  • user plane network elements can still be UPF network elements, or they can have other names, which are not limited in this application.
  • Access and mobility management function (AMF) network element: mainly used for mobility management and access management, etc., and can be used to implement the functions of the MME other than session management, such as access authorization/authentication and other functions.
  • the access and mobility management equipment may still be an AMF, or may have other names, which are not limited in this application.
  • Session management function (SMF) network element: mainly used for session management, Internet protocol (IP) address allocation and management for user equipment, selection of a manageable user plane function, serving as the endpoint of the policy control and charging function interface, downlink data notification, etc.
  • the session management network element can still be an SMF network element, or it can also have other names, which is not limited in this application.
  • Policy control function (PCF) network element.
  • the policy control network element can still be a PCF network element, or it can also have other names, which is not limited in this application.
  • Application function (AF) network element: used for application-influenced data routing, accessing the network exposure function network element, interaction with the policy framework for policy control, etc.
  • application network elements can still be AF network elements, or they can have other names, which are not limited in this application.
  • Data management network element: used to process UE identification, access authentication, registration, mobility management, etc.
  • the data management network element may refer to a unified data management (UDM) network element in the system 100 and/or a unified data repository (UDR) network element.
  • Authentication server function (AUSF) network element.
  • the authentication server functional network element can still be an AUSF network element, or it can also have other names, which is not limited in this application.
  • Network data analytics function network element: used to identify network slice instances and the load level information of network slice instances.
  • the network data analytics function enables NF consumers to subscribe to or unsubscribe from periodic notifications, and notifies consumers when thresholds are exceeded.
  • network data analysis function network elements can still be NWDAF network elements, or they can have other names, which are not limited in this application.
  • Data network (DN).
  • DN is a network located outside the operator's network.
  • the operator's network can access multiple DNs.
  • a variety of services can be deployed on the DN, which can provide services such as data and/or voice for terminal devices.
  • DN is a private network of a smart factory.
  • the sensors installed in the workshop of the smart factory can be terminal devices.
  • the control server of the sensor is deployed in the DN, and the control server can provide services for the sensor.
  • the sensor can communicate with the control server, obtain instructions from the control server, and transmit the collected sensor data to the control server according to the instructions.
  • DN is the internal office network of a company.
  • the mobile phones or computers of employees of the company can be used as terminal devices.
  • the employees' mobile phones or computers can access information and data resources on the company's internal office network.
  • Nausf, Nnef, Npcf, Nudm, Naf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface serial numbers.
  • the meaning of these interface serial numbers can be found in the meaning defined in the 3GPP standard protocol, and is not limited here.
  • network elements can communicate with each other through the interfaces shown in the figure.
  • the UE and the AMF can interact through the N1 interface, and the interaction message can be called an N1 message (N1Message), for example.
  • RAN and AMF can interact through the N2 interface, which can be used for sending non-access stratum (NAS) messages.
  • RAN and UPF can interact through the N3 interface, which can be used to transmit user plane data, etc.
  • SMF and UPF can interact through the N4 interface.
  • the N4 interface can be used to transmit information such as tunnel identification information of the N3 connection, data cache indication information, and downlink data notification messages.
  • UPF and DN can interact through the N6 interface, which can transmit user plane data, etc.
  • the relationship between the other interfaces and each network element is shown in Figure 1. For the sake of simplicity, they will not be described in detail here.
  • Figure 2 is a schematic diagram of the 5G network architecture based on point-to-point interfaces.
  • the interface between each network element is a point-to-point interface, not a service-oriented interface.
  • N7: the interface between PCF and SMF, used to deliver protocol data unit (PDU) session granularity and service data flow granularity control policies.
  • N15: the interface between PCF and AMF, used to deliver UE policies and access control related policies.
  • N5: the interface between AF and PCF, used for issuing application service requests and reporting network events.
  • N4: the interface between SMF and UPF, used to transfer information between the control plane and the user plane, including delivery of forwarding rules, QoS control rules, traffic statistics rules, etc. for the user plane, and reporting of user plane information.
  • N11: the interface between SMF and AMF, used to transfer PDU session tunnel information between RAN and UPF, control messages sent to the UE, radio resource control information sent to the RAN, etc.
  • N2: the interface between AMF and RAN, used to transmit radio bearer control information from the core network side to the RAN.
  • N1: the interface between AMF and UE, independent of the access type, used to deliver QoS control rules to the UE, etc.
  • N8: the interface between AMF and UDM, used for the AMF to obtain access and mobility management related subscription data and authentication data from the UDM, and for the AMF to register the UE's current mobility management related information with the UDM.
  • N10: the interface between SMF and UDM, used for the SMF to obtain session management related subscription data from the UDM, and for the SMF to register the UE's current session related information with the UDM.
  • N35: the interface between UDM and UDR, used by the UDM to obtain user subscription data from the UDR.
  • N36: the interface between PCF and UDR, used for the PCF to obtain policy related subscription data and application data related information from the UDR.
  • N12: the interface between AMF and AUSF, used for the AMF to initiate the authentication process towards the AUSF, which can carry the SUCI as the subscription identifier.
  • N13: the interface between UDM and AUSF, used by the AUSF to obtain the user authentication vector from the UDM to perform the authentication process.
  • the above network elements or functions can be network elements in hardware devices, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (for example, a cloud platform).
  • the network device being the access and mobility management network element AMF and the base station being the radio access network RAN are taken as an example.
  • Computer-readable media may include, but are not limited to: magnetic storage devices (e.g., hard disks, floppy disks, tapes, etc.), optical disks (e.g., compact discs (CD), digital versatile discs (DVD), etc.), smart cards and flash memory devices (e.g., erasable programmable read-only memory (EPROM), cards, sticks or key drives, etc.).
  • various storage media described herein may represent one or more devices and/or other machine-readable media for storing information.
  • machine-readable medium may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
  • the evolved packet system (EPS) defined in the 3rd generation partnership project (3GPP) includes a 5G network architecture based on service-oriented interfaces or a 5G network architecture based on point-to-point interfaces.
  • the 5G network can be divided into three parts, namely UE, DN and operator network.
  • the operator's network may include one or more of the network elements shown in Figure 1 except for the UE and DN, or may also include other network elements.
  • This application does not limit the 5G network structure; reference may be made to the current introduction of related technologies.
  • the traditional centralized anchor point deployment method in LTE is increasingly difficult to support the rapidly growing mobile service traffic model.
  • the increased traffic is ultimately concentrated at the gateway and core computer room, which places higher and higher requirements on backhaul network bandwidth, computer room throughput, and gateway specifications;
  • the long-distance backhaul network and complex transmission environment from the access network to the anchor gateway lead to large delays and jitter in user packet transmission.
  • Edge computing: by moving user plane network elements and business processing capabilities down to the edge of the network, edge computing realizes local processing of distributed business traffic and avoids excessive concentration of traffic, thus greatly reducing the specification requirements for core computer rooms and centralized gateways. At the same time, edge computing also shortens the distance of the backhaul network and reduces the end-to-end transmission delay and jitter of user packets, making it possible to deploy ultra-low-latency services.
  • Campus edge computing refers to a technology that applies edge computing to smart campuses. By combining edge computing with smart campuses, rapid deployment can be achieved, a local business closed loop can be realized, and a more optimized network can save transmission resources and ensure user experience for campus users.
  • Security policy control function (SPCF) network element: the SPCF is mainly responsible for the collection and analysis of security events and security information, etc., and can provide security policy control for control plane function network elements (such as AMF, SMF, etc.). In future communication systems, the security policy control network element can still be the SPCF, or it can also have other names, which are not limited in this application.
  • the embodiments shown below do not specifically limit the specific structure of the execution body of the method provided by the embodiment of the present application, as long as it can communicate according to the method provided by the embodiment of the present application by running a program that records the code of the method provided by the embodiment of the present application.
  • the execution subject of the method provided by the embodiment of the present application can be the core network device and the terminal device, or a functional module in the core network device or the terminal device that can call the program and execute the program.
  • “used for indicating” can be understood as “enabling”, and “enabling” can include direct enabling and indirect enabling.
  • the information enabled by a certain piece of information is called the information to be enabled.
  • the information to be enabled can be directly enabled, for example by the information to be enabled itself or by an index of the information to be enabled, etc.
  • the information to be enabled can also be indirectly enabled by enabling other information, where there is an association relationship between the other information and the information to be enabled. It is also possible to enable only a part of the information to be enabled, while other parts of the information to be enabled are known or agreed in advance.
  • the enabling of specific information can also be achieved by means of a pre-agreed (for example, protocol stipulated) arrangement order of each piece of information, thereby reducing the enabling overhead to a certain extent.
  • the common parts of each information can also be identified and enabled uniformly to reduce the enabling overhead caused by enabling the same information individually.
  • “preconfigured” may include “predefined”, for example, defined by a protocol.
  • pre-definition can be realized by pre-saving corresponding codes, tables or other methods that can be used to indicate relevant information in the device (for example, including each network element). This application does not limit its specific implementation method.
  • the “save” involved in the embodiments of this application may refer to saving in one or more memories.
  • the one or more memories may be provided separately, or may be integrated in an encoder or decoder, a processor, or a communication device.
  • the one or more memories may also be partially provided separately and partially integrated in the decoder, processor, or communication device.
  • the type of memory can be any form of storage medium, and this application is not limited thereto.
  • the “protocol” involved in the embodiments of this application may refer to standard protocols in the communication field, which may include, for example, 5G protocols, new radio (NR) protocols, and related protocols applied in future communication systems, which are not limited in this application.
  • Figure 3 shows an exemplary flowchart of the method 300 provided by the embodiment of the present application.
  • the method 300 is exemplarily described below in conjunction with each step.
  • the mobility management network element determines that the first access network device is untrustworthy.
  • the mobility management network element may determine that the first access network device is untrustworthy based on instructions from other network elements. For example, the mobility management network element receives second indication information from the security policy control network element, and the second indication information is used to indicate that the first access network device is untrustworthy. After receiving the second indication information, the mobility management network element determines that the first access network device is not trustworthy according to the second indication information; or, the mobility management network element can also determine on its own that the first access network device is not trustworthy, and the specific implementation method is not limited in this application.
  • the mobility management network element determines that the first access network device is not trustworthy; it can also be said that the mobility management network element determines that the first access network device is controlled by a third party, or that the mobility management network element determines that the first access network device is not secure, etc.
  • the mobility management network element sends the first instruction information to the terminal device connected to the first access network device.
  • the terminal device receives the first indication information from the mobility management network element.
  • the mobility management network element after determining that the first access network device is untrustworthy, sends the first indication information to the terminal device connected to the first access network device. For example, after determining that the first access network device is untrustworthy, the mobility management network element queries the terminal device connected to the first access network device, and then sends the first indication information to the terminal device. It should be understood that multiple terminal devices may be connected to the first access network device. For convenience, one of the terminal devices is used as an example for description here.
  • the first indication information is used to indicate that the first access network device is not trustworthy, or the first indication information is used to indicate to disconnect from the first access network device. It should be understood that in addition to the above examples, the first indication information may also indicate other contents. For example, the first indication information is used to indicate that the first access network device is controlled by a third party, or the first indication information is used to indicate that the first access network device is unsafe, etc., which is not limited by this application.
  • the mobility management network element may also determine the radio resource control connection state of the terminal device (including connected state, idle state, inactive state, etc.). When the terminal device is in the connected state and the terminal device is connected to the first access network device, the mobility management network element sends the first indication information to the terminal device.
  • the mobility management network element may also determine whether there is an alternative access network device in the coverage area of the first access network device, where the alternative access network device may refer to an access network device connected to the first access network device, or to other access network devices that terminal devices within the coverage of the first access network device can use to access the network. It should be understood that when the first access network device has an alternative access network device, after the terminal device is disconnected from the first access network device, it can choose to access the alternative access network device as needed.
  • the mobility management network element may send a de-registration request message to the terminal device and carry the first indication information in the de-registration request message.
  • the de-registration request message is used to request the terminal device to de-register from the network.
  • the terminal device may send a de-registration acceptance message to the mobility management network element.
  • the mobility management network element triggers the network side to execute the de-registration process of the terminal device. In the de-registration process, the mobility management network element deletes the context of the terminal device.
  • the mobility management network element can trigger the de-registration of the terminal device. During the de-registration process, the mobility management network element deletes the context of the terminal device, thereby saving the resources of the mobility management network element. If the first access network device has an alternative access network device, the mobility management network element does not need to trigger the de-registration of the terminal device. That is to say, the mobility management network element can retain the context of the terminal device. In this case, after the terminal device disconnects from the first access network device, the redirection or mobility registration update process can be used to quickly reconnect to the network, thereby improving the efficiency of the terminal device's network access and improving user experience.
  • the mobility management network element when it sends the first indication information to the terminal device, it may or may not carry the identifier of the first access network device.
  • the first indication information may be used to indicate to the terminal device that the access network device currently connected to the terminal device is not trustworthy, or in other words, the first indication information is used to instruct the terminal device to disconnect from the currently connected access network device, etc.
  • the mobility management network element can send the first indication information to the terminal device through a non-access stratum message (i.e., through 3rd generation partnership project (3GPP) access technology); in the case where the terminal device accesses the network through both 3GPP access technology and non-3GPP access technology, the mobility management network element preferentially sends the first indication information to the terminal device through the non-3GPP access technology (i.e., through the non-3GPP interworking function, N3IWF).
  • since the terminal device is connected to the first access network device, when the mobility management network element sends the first indication information to the terminal device through a non-access stratum message, the non-access stratum message needs to be forwarded to the terminal device by the first access network device. Since the first access network device is not trustworthy, the first access network device may not forward the non-access stratum message, resulting in the terminal device being unable to successfully receive the first indication information.
  • when the mobility management network element sends the first indication information to the terminal device through non-3GPP access technology, it can avoid the situation where the first indication information cannot be successfully delivered to the terminal device because the first access network device does not forward the non-access stratum message.
  • the mobility management network element sends the identifier of the second access network device to the terminal device.
  • the terminal device receives the identification of the second access network device from the mobility management network element.
  • the mobility management network element may also send the identification of the second access network device to the terminal device.
  • the second access network device may include one or more access network devices. That is to say, if the mobility management network element determines that, in addition to the first access network device, there are one or more other access network devices that are not trustworthy, the mobility management network element can send the identifiers of the one or more access network devices to the terminal device.
  • the mobility management network element sends timer information to the terminal device.
  • the terminal device receives the timer information from the mobility management network element.
  • the mobility management network element may also send timer information to the terminal device, where the timer information is used to indicate the time when one or more access network devices are untrustworthy.
  • the timer information is used to indicate the time when the first access network device is untrustworthy. That is to say, when the time indicated by the timer information expires, it can be considered that the first access network device becomes trustworthy again, or that the first access network device regains security, or that the cell of the first access network device can be accessed.
  • if the mobility management network element also sends the identifier of the second access network device to the terminal device, the timer information can be used to indicate the time when the first access network device and the second access network device are untrustworthy, or the timer information can be used to indicate the time when one or more access network devices among the first access network device and the second access network device are untrustworthy, or the timer information is used to indicate the time when one or more access network devices in the second access network device are untrustworthy.
  • if the mobility management network element also sends the identifier of the second access network device to the terminal device, the mobility management network element can send multiple pieces of timer information to the terminal device, where the multiple pieces of timer information correspond one-to-one to multiple access network devices among the first access network device and the second access network device, and are used to indicate the untrustworthy times of the multiple access network devices respectively.
  • the times indicated by the multiple pieces of timer information may be the same or different, and are not limited in this application.
  • the terminal device may send a confirmation message to the mobility management network element, where the confirmation message is used to indicate that the terminal device successfully received the first indication information.
  • the mobility management network element determines that the first indication information is sent successfully based on the confirmation message.
  • the mobility management network element may send indication information to the data management network element, and may also send the identifier of the terminal device and the identifier of the first access network device; the indication information is used to indicate that the first access network device is not trustworthy, or the indication information is used to indicate that the terminal device failed to receive the information indicating that the first access network device is not trustworthy, or the indication information is used to indicate that the terminal device failed to learn that the first access network device is untrustworthy.
  • the mobility management network element also sends the identification of the second access network device to the data management network element.
  • the data management network element receives and stores the identity of the terminal device, the identity of the first access network device, and optionally the identity of the second access network device. After the terminal device reconnects to the network, the data management network element sends the terminal device indication information indicating that the first access network device and the second access network device are untrustworthy, so that in the subsequent network access process the terminal device does not access the cells of the first access network device and the second access network device, thereby improving communication security of the terminal device.
  • the terminal device disconnects the connection with the first access network device according to the first indication information.
  • the terminal device stores the first policy information.
  • the terminal device after receiving the first indication information, stores the first policy information.
  • the first policy information may be first instruction information or other information.
  • the first policy information may also have different names in different scenarios.
  • the first policy information may also be called configuration information, or indication information, etc., which is not limited in this application.
  • the first policy information is used so that the terminal device does not access a cell of the first access network device, or in other words, the first policy information is used so that the terminal device accesses a cell of an access network device other than the first access network device.
  • the terminal device may select a cell for access based on the first policy information. For example, during the cell access process, the terminal device receives a system message broadcast by an access network device.
  • the system message includes the identifier of the access network device.
  • the terminal device determines whether the identifier of the access network device is the same as the identifier of the first access network device. If they are the same, the terminal device does not try to access the cell of the access network device; if they are different, the terminal device can try to access the cell of the access network device.
  • the terminal device deletes the first policy information after the time indicated by the timer information expires. That is to say, after the time indicated by the timer information expires, the terminal device may try to access the cell of the first access network device.
  • the terminal device may store the second policy information after receiving the identification of the second access network device.
  • the second policy information is used so that the terminal device does not access a cell of the second access network device. It should be understood that the first policy information and the second policy information may be the same information element or different information elements, which is not limited in this application.
  • the first device sends configuration information to the third access network device, where the configuration information is used to indicate not to perform handover to the cell of the first access network device.
  • the third access network device may include one or more access network devices.
  • the first device may be any network device.
  • the first device may be a mobility management network element, or the first device may be a network management device.
  • the first device receives second indication information from the security policy control network element.
  • the second indication information is used to indicate that the first access network device is untrustworthy.
  • the first device can send the configuration information to the third access network device according to the second indication information.
  • the first device may first determine the third access network device.
  • the third access network device may be an access network device controlled or managed by the first device, or an access network device adjacent to the first access network device, or an access network device connected to the first access network device, or an access network device near the terminal device, or an access network device that the terminal device can access, which is not limited in this application.
  • the configuration information may be first indication information or other information. In different scenarios, the configuration information may also have other names. For example, the configuration information may also be called policy information, indication information, or cell access policy, etc., which is not limited in this application.
  • the third access network device can save the configuration information and perform cell switching based on the configuration information. For example, during the cell handover process, a terminal device on the third access network device measures the signal strength of the candidate cell, and then reports the measurement report to the third access network device. After the third access network device receives the measurement report, if the identity of the access network device where the candidate cell is located is the same as the identity of the first access network device, the third access network device does not switch the terminal device to the candidate cells, thereby improving the communication security of terminal equipment.
  • the first device may also send timer information to the third access network device, where the timer information is used to indicate a time when the first access network device is untrustworthy.
  • after the time indicated by the timer information expires, the third access network device can delete the configuration information, or the third access network device can modify the configuration information so that the modified configuration information indicates that handover can be performed to the cell of the first access network device.
  • the above example is based on the configuration information being used to indicate not to perform handover to the cell of the first access network device. However, if the first device also determines that the second access network device is not trustworthy, the first device can also use the configuration information to instruct the third access network device not to perform handover to the cell of the second access network device.
  • the specific implementation method is similar to the above example and will not be described again here.
  • the mobility management network element may indicate to the terminal device connected to the first access network device that the first access network device is untrustworthy, or may instruct the terminal device to disconnect from the first access network device, so that the terminal device can disconnect from the first access network device according to the instruction of the mobility management network element, thereby improving communication security of the terminal device.
  • Figure 4 shows an exemplary flow chart of the method 400 provided by the embodiment of the present application.
  • AMF1 in method 400 may correspond to the mobility management network element in method 300
  • RAN1 in method 400 may correspond to the first access network device in method 300
  • RAN2 in method 400 may correspond to
  • the method 400 UE may correspond to the terminal device in the method 300
  • the indication information #1 in the method 400 may correspond to the first indication information in the method 300.
  • the method 400 can be applied in the network architecture shown in Figure 1 or Figure 2.
  • in method 400, after AMF1 determines that RAN1 is not trustworthy, it indicates to the UE on RAN1 that RAN1 is not trustworthy (or indicates to disconnect from RAN1), but does not trigger the deregistration process of the UE. After the UE disconnects from RAN1 according to the instruction of AMF1, the UE can quickly re-access the network through the redirection process or the mobility registration process, which improves the efficiency of the UE re-accessing the network and improves user experience.
  • the following is an exemplary description of the method 400 in combination with each step.
  • AMF1 determines that RAN1 is not trustworthy.
  • after determining that RAN1 is untrustworthy, the SPCF notifies AMF1 that RAN1 is untrustworthy, where AMF1 is the AMF corresponding to RAN1.
  • AMF1 can also determine on its own that RAN1 is not trustworthy, which is not limited in this application.
  • S402, AMF1 determines that RAN1 has an alternative RAN.
  • AMF1 determines whether there is an alternative RAN in the coverage area of RAN1, where the alternative RAN may refer to a RAN connected to RAN1, or may refer to a RAN that the UE can access within the coverage area of RAN1. The alternative RAN can be a 5G base station (gNB), a 4G base station (eNB), or a base station under another network system, which is not limited in this application.
  • for example, RAN1 is a base station in a private network (such as a campus network); if there is a public network base station that can cover the coverage area of RAN1, RAN1 has an alternative RAN. For another example, RAN1 is a base station in the public network; if there is a 4G base station that can cover the coverage area of RAN1, RAN1 has an alternative RAN.
  • AMF1 can combine PLMN ID, TAI, etc. to determine whether RAN1 has an alternative RAN.
  • the specific method is not limited in this application.
  • the AMF can also verify the RRC connection status (including connected state, idle state, inactive state, etc.) and the way the UE accesses the network (including 3GPP mode and non-3GPP mode), where the UE refers to the UE connected to the network.
  • one or more UEs may be connected to RAN1.
  • one of the UEs is taken as an example for description here.
  • when the UE is in the connected state and the UE is connected to RAN1, AMF1 notifies the UE that RAN1 is not trustworthy. The details are shown in S403.
  • AMF1 sends indication information #1 to the UE.
  • the UE receives indication information #1 from AMF1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information #1 is used to instruct the UE to disconnect the current network connection, or the indication information #1 is used to instruct the UE to switch to another RAN, or the indication information #1 is used to instruct the UE to perform redirection.
  • the indication information #1 can be carried in a message of an existing process, such as a PDU session establishment response message or a deregistration request message. That is to say, AMF1 can reuse an existing message to indicate to the UE that RAN1 is not trustworthy, thereby saving signaling overhead; or, the indication information #1 can be carried in a message newly generated by AMF1, thereby eliminating the need to change the content of existing messages.
  • AMF1 may send the indication information #1 to the UE through the NAS message.
  • AMF1 may retain the UE's context if RAN1 has an alternative RAN. In other words, AMF1 does not trigger the UE to deregister. It should be noted that since RAN1 has an alternative RAN, if the UE disconnects from RAN1, the UE can reconnect to the alternative RAN. Since AMF1 retains the context of the UE, the UE can quickly access the alternative RAN through the redirection process or the mobility registration update process, thereby improving the efficiency of the UE accessing the network and improving user experience.
  • AMF1 may also send the identification of RAN1 to UE1.
  • AMF1 may also send the identification of RAN2 to the UE. It should be understood that AMF1 can determine that RAN2 is untrustworthy based on instructions from other network elements, or can determine on its own that RAN2 is untrustworthy, which is not limited in this application.
  • RAN2 may include one or more RANs. That is to say, if AMF1 determines that one or more RANs are untrustworthy, AMF1 may send the identifiers of the one or more RANs to the UE. For example, after the SPCF determines that multiple RANs are untrustworthy, it notifies AMF1 that the multiple RANs are untrustworthy. In this case, AMF1 can send the identifiers of the multiple untrusted RANs to the UE.
  • AMF1 sends a RAN ID list to UE1.
  • the RAN ID list includes the identification of one or more untrusted RANs.
  • the RAN ID list includes the identification of RAN1 and/or the identification of RAN2.
  • AMF1 can also send timer information to the UE.
  • the timer information can be used to indicate the time when RAN1 is untrustworthy, or the timer information can be used to indicate the time when one or more RANs in the RAN ID list are untrustworthy.
  • AMF1 may send multiple timers to the UE, and the multiple timer information may respectively correspond to multiple untrusted RANs.
  • S404 The UE sends an Ack (acknowledgement) message to AMF1.
  • AMF1 receives the Ack message from the UE.
  • after receiving the indication information #1 from AMF1, the UE replies with an Ack message to AMF1. After receiving the Ack message from the UE, AMF1 determines that the indication information #1 has been delivered to the UE, or that the UE has learned that RAN1 is untrustworthy.
  • the UE determines that RAN1 is untrustworthy according to the indication information #1, and then the UE disconnects from RAN1.
  • the UE stores policy information.
  • the UE stores policy information. This policy information is used for the UE not to access cells of untrusted RAN. Several possible implementation methods are illustrated below.
  • after the UE determines that RAN1 is untrustworthy, it stores policy information (recorded as policy information #1), and selects a cell for access based on policy information #1 during the cell access process.
  • policy information #1 is used so that the UE does not access cells of RAN1.
  • the UE receives a system message broadcast by a certain RAN.
  • the system message includes the identifier of the RAN.
  • the UE determines whether the identifier of the RAN is the same as the identifier of RAN1. If they are the same, the UE does not attempt to access the cell of the RAN; if they are different, the UE may try to access the cell of the RAN.
  • the UE deletes policy information #1 after the time indicated by the timer information expires. That is to say, after the timer expires, the UE can try to access the cell of RAN1.
  • the UE receives a RAN ID list, and the RAN ID list includes the identity of RAN1 and/or the identity of RAN2.
  • the UE stores policy information (denoted as policy information #2), and selects a cell for access based on the policy information #2 during the cell access process.
  • policy information #2 is used so that the UE does not access the cells of the RANs corresponding to the RAN ID list. For example, during the cell access process, the UE receives a system message broadcast by a certain RAN, and the identity of the RAN is included in the system message. The UE determines whether the identity of the RAN is included in the RAN ID list. If it is, the UE does not try to access the cell of the RAN; if it is not, the UE can try to access the cell of the RAN.
  • if the UE also receives timer information indicating the time when one or more RANs in the RAN ID list are untrustworthy, after the time indicated by the timer information expires, the UE deletes the corresponding RAN identifier from the RAN ID list.
  • policy information #1 and policy information #2 may be two independent information elements or one information element, which is not limited in this application.
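The untrusted-RAN policy described for the UE (policy information #1 and #2 in S406, with the RAN ID list and per-RAN timers) and the cell-switching configuration held by the third access network device are the same check seen from two sides. The following added example, written for this page and not the patent's own code, keeps a RAN ID list with optional timers, applies it to cell selection from broadcast system messages, and applies it to handover candidates from a measurement report; the RSRP field, the handover margin and the sample cell data are constructed assumptions.

```python
"""Untrusted-RAN policy store shared by the UE (policy information #1/#2) and
by a third access network device such as RAN4 (handover configuration).
Constructed example for this page; not the patent's own code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class UntrustedRanPolicy:
    """Maps a RAN identifier to the absolute time (seconds) at which it becomes
    trusted again. None means no timer was received: the RAN stays untrusted
    until a later indication replaces the entry."""
    entries: Dict[str, Optional[float]] = field(default_factory=dict)

    def apply_indication(self, ran_ids: Iterable[str],
                         timers: Optional[Dict[str, float]] = None,
                         now: float = 0.0) -> None:
        """Store a RAN ID list; `timers` carries optional per-RAN untrusted durations."""
        timers = timers or {}
        for ran_id in ran_ids:
            duration = timers.get(ran_id)
            self.entries[ran_id] = None if duration is None else now + duration

    def expire(self, now: float) -> List[str]:
        """Delete identifiers whose timer has elapsed; returns the RANs released."""
        released = [r for r, t in self.entries.items() if t is not None and now >= t]
        for ran_id in released:
            del self.entries[ran_id]
        return released

    def is_untrusted(self, ran_id: str, now: float) -> bool:
        self.expire(now)
        return ran_id in self.entries

    def _best_allowed(self, cells: List[dict], now: float) -> Optional[dict]:
        """Strongest cell (by constructed 'rsrp' field) whose RAN is not untrusted."""
        allowed = [c for c in cells if not self.is_untrusted(c["ran_id"], now)]
        return max(allowed, key=lambda c: c["rsrp"]) if allowed else None

    def select_cell(self, system_infos: List[dict], now: float) -> Optional[str]:
        """UE side: each system message carries the broadcasting RAN's identifier;
        cells of untrusted RANs are never attempted."""
        best = self._best_allowed(system_infos, now)
        return best["cell_id"] if best else None

    def handover_target(self, serving_rsrp: float, measurement_report: List[dict],
                        now: float, margin_db: float = 3.0) -> Optional[str]:
        """RAN4 side: a candidate on an untrusted RAN is skipped even if it is the
        strongest; the remaining best candidate must beat the serving cell by
        `margin_db` (assumed hysteresis) before a handover is decided."""
        best = self._best_allowed(measurement_report, now)
        if best is None or best["rsrp"] < serving_rsrp + margin_db:
            return None
        return best["cell_id"]


# Constructed sample: RAN1 untrusted for 600 s, RAN2 untrusted with no timer.
SAMPLE_CELLS = [
    {"ran_id": "RAN1", "cell_id": "cell-1", "rsrp": -70.0},
    {"ran_id": "RAN2", "cell_id": "cell-2", "rsrp": -75.0},
    {"ran_id": "RAN3", "cell_id": "cell-3", "rsrp": -90.0},
]


def build_sample_policy() -> UntrustedRanPolicy:
    policy = UntrustedRanPolicy()
    policy.apply_indication(["RAN1", "RAN2"], timers={"RAN1": 600.0}, now=0.0)
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    print("t=10  UE selects:", policy.select_cell(SAMPLE_CELLS, now=10.0))
    print("t=700 UE selects:", policy.select_cell(SAMPLE_CELLS, now=700.0))
    print("t=10  RAN4 handover:", policy.handover_target(-95.0, SAMPLE_CELLS, now=10.0))
```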
  • S407, AMF1 releases the N2 connection with RAN1, triggering PDU session deactivation.
  • after AMF1 determines that RAN1 is untrustworthy, it releases the N2 connection with RAN1 and triggers the deactivation of the PDU session corresponding to the UE.
  • the specific process is not limited in this application.
  • S407 can be executed after S401, which means that AMF1 can release the N2 connection with RAN1 after determining that RAN1 is untrustworthy; or, S407 can also be executed after S404, which is not limited in this application.
  • S408, AMF1 sends the identity of the UE and the identity of RAN1 to the UDM.
  • UDM receives the identity of the UE from AMF1 and the identity of RAN1.
  • if AMF1 determines that the UE has not received indication information #1 from AMF1, or in other words, AMF1 determines that the UE does not have information from which it can know that RAN1 is untrustworthy, then AMF1 can send the identity of the UE and the identity of RAN1 to the UDM.
  • AMF1 can also send an indication message #2 to UDM.
  • the indication message #2 is used to indicate that RAN1 is not trustworthy, or to indicate that the UE has not learned the information that RAN1 is untrustworthy, or to instruct the UDM to notify the UE that RAN1 is not trustworthy.
  • AMF1 may also send the identification of RAN2 to UDM.
  • S408 can also be described as: AMF1 sends a RAN ID list to UDM, and the RAN ID list includes the identifier of RAN1 and/or the identifier of RAN2.
  • S409, UDM saves the identity of the UE and the identity of RAN1.
  • after receiving the identity of the UE and the identity of RAN1 from AMF1, the UDM saves the identity of the UE and the identity of RAN1. Optionally, if the UDM also receives the identifier of RAN2 from AMF1, the UDM also saves the identifier of RAN2.
  • S409 can also be described as: If the UDM receives the RAN ID list from AMF1, the UDM saves the RAN ID list.
  • AMF1 may not send the identity of UE1 and the identity of RAN1 to the UDM, but locally maintain the identity of UE1 and the identity of RAN1 (or a RAN ID list).
  • the UE may reconnect to the network.
  • the following is an illustrative explanation combined with 2 examples.
  • Example 1 S410, the UE accesses the 4G network through the redirection process.
  • the eNB is an alternative RAN of RAN1.
  • after the UE disconnects from RAN1, it can access the 4G network through the eNB and the MME corresponding to the eNB.
  • the MME can obtain the context of the UE through AMF1.
  • S411, UDM sends the identification of RAN1 and indication information #3 to the UE.
  • the UDM can send the identification of RAN1 and indication information #3 to the UE through the interworking process of the 4G and 5G networks, where the indication information #3 is used to indicate that RAN1 is not trustworthy.
  • if the UDM also receives and saves the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE. In this case, the indication information #3 is also used to indicate that RAN2 is untrustworthy.
  • S411 can also be described as: If the UDM receives and saves the RAN ID list in S409, the UDM sends the RAN ID list and indication information #3 to the UE.
  • the indication information #3 is used to indicate that the RAN corresponding to the RAN ID list is not trustworthy.
  • the UE can store policy information, which is used so that the UE does not access cells of RAN1 (optionally also cells of RAN2). For the specific implementation process, refer to S406; it will not be repeated here.
  • S411 may be performed by AMF1.
  • Example 2 S412, the UE reconnects to the 5G network through the mobility registration update process.
  • RAN3 is an alternative RAN to RAN1. After the UE disconnects from RAN1, it can reconnect to the 5G network through RAN3 and AMF2. AMF2 can obtain the context of the UE from AMF1. It should be understood that AMF2 may be the same as AMF1 or may be different from AMF1. If AMF2 is the same as AMF1, then AMF2 does not need to perform the steps of obtaining the UE's context from AMF1.
  • S413, UDM sends the identification of RAN1 and indication information #4 to the UE.
  • the indication information #4 is used to indicate that RAN1 is untrustworthy.
  • if the UDM also receives and saves the identifier of RAN2 in S409, the UDM also sends the identifier of RAN2 to the UE. In this case, the indication information #4 is also used to indicate that RAN2 is untrustworthy.
  • S413 can also be described as: If the UDM receives and saves the RAN ID list in S409, the UDM sends the RAN ID list and indication information #4 to the UE.
  • the indication information #4 is used to indicate that the RAN corresponding to the RAN ID list is not trustworthy.
  • FIG. 5 shows an exemplary flowchart of the method 500 provided by the embodiment of the present application.
  • AMF1 in method 500 may correspond to the mobility management network element in method 300
  • RAN1 in method 500 may correspond to the first access network device in method 300
  • RAN2 in method 500 may correspond to
  • the UE in method 500 may correspond to the terminal device in method 300
  • the indication information #1 in method 500 may correspond to the first indication information in method 300.
  • method 500 after AMF1 determines that RAN1 is not trustworthy, it indicates to the UE on RAN1 that RAN1 is not trustworthy (or instructs to disconnect from RAN1), and triggers the deregistration process of the UE. After the UE disconnects from RAN1, the UE can re-access the network through the initial registration process. In this way, AMF1 can release the context of the UE, thereby saving AMF1's resources.
  • the method 500 is exemplarily described below in conjunction with each step.
  • AMF1 determines that RAN1 is not trustworthy.
  • S502 AMF1 determines that RAN1 has no alternative RAN.
  • after AMF1 determines that RAN1 is untrustworthy, it determines whether there is an alternative RAN in the coverage area of RAN1.
  • AMF1 can also verify the RRC connection status of the UE (including connected state, idle state, inactive state, etc.) and the mode of the UE accessing the network (including 3GPP mode and non-3GPP mode).
  • when the UE is in the connected state and the UE is connected to RAN1, AMF1 notifies the UE that RAN1 is not trustworthy.
  • AMF1 may indicate to the UE that RAN1 is untrustworthy through a NAS message.
  • AMF1 may indicate to the UE that RAN1 is untrustworthy during the de-registration process. The details are shown in S503.
  • AMF1 sends a deregistration request message to the UE.
  • the deregistration request message is used to request the terminal device to deregister from the network.
  • the deregistration request message includes indication information #1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information is used to indicate to disconnect from RAN1, or the The indication information #1 is used to instruct the UE to switch to another RAN, or the indication information #1 is used to instruct the UE to perform redirection.
  • RAN1 has no alternative RAN. If the UE disconnects from RAN1, there may not be (or may not be found in a short time) other RANs for accessing the network, and AMF1 can trigger the UE to deregister. During the de-registration process, AMF1 deletes the context of the UE, thereby saving AMF1's resources.
  • the deregistration request message may include the identity of RAN1.
  • the de-registration request message may also include a RAN ID list, which includes the identification of one or more untrusted RANs. For example, after the SPCF determines that multiple RANs are untrustworthy, it notifies AMF1 that the multiple RANs are untrustworthy. In this case, AMF1 can send the RAN ID list to the UE.
  • the de-registration request message may also include timer information, which may be used to indicate the time when RAN1 is untrustworthy, or the timer information may be used to indicate the time when one or more RANs in the RAN ID list are untrustworthy.
  • a RAN need not be untrustworthy at all times. Therefore, when the time indicated by the timer information expires, the UE can determine that the RAN corresponding to the timer is trustworthy, or in other words, the UE can delete the identifier of the RAN corresponding to the timer information from the untrusted RAN ID list.
  • S504 The UE sends a deregistration acceptance message to AMF1.
  • the UE after receiving the deregistration request message from AMF1, the UE sends a deregistration accept message to AMF1.
  • AMF1 triggers the network side to de-register the UE.
  • the specific process may refer to the existing protocol, which is not limited in this application.
  • the UE stores policy information.
  • S507, AMF1 sends the identity of the UE and the identity of RAN1 to the UDM.
  • S508, UDM stores the identity of the UE and the identity of RAN1.
  • S505 to S508 are similar to S405, S406, S408, and S409 in method 400, and will not be described again here for the sake of brevity.
  • the UE may reconnect to the network.
  • the following is an illustrative explanation combined with 2 examples.
  • Example 1 S509, the UE accesses the 4G network through the initial registration process.
  • the eNB is an alternative RAN of RAN1. After the UE disconnects from the RAN1, it can access the 4G network through the eNB and the MME corresponding to the eNB. It should be understood that since the network side performs the de-registration process of the UE, in S509, the UE accesses the 4G network through the initial registration process.
  • S510, UDM sends the identification of RAN1 and indication information #3 to the UE.
  • S510 is similar to S411 in method 400, and will not be described again here for the sake of brevity.
  • Example 2 S511, the UE re-accesses the 5G network through the initial registration process.
  • RAN3 is an alternative RAN to RAN1. After the UE disconnects from RAN1, it can reconnect to the 5G network through RAN3 and AMF2. It should be understood that since the network side performs the de-registration process of the UE, in S511, the UE accesses the 5G network through the initial registration process.
  • S512, UDM sends the identification of RAN1 and indication information #4 to the UE.
  • S512 is similar to S511 in method 400, and will not be described again here for the sake of brevity.
  • FIG. 6 shows an exemplary flowchart of the method 600 provided by the embodiment of the present application.
  • AMF1 in method 600 may correspond to the mobility management network element in method 300
  • RAN1 in method 600 may correspond to the first access network device in method 300
  • RAN2 in method 600 may correspond to
  • the UE in the method 600 may correspond to the terminal device in the method 300
  • the N3IWF/TNGF in method 600 may correspond to the non-3GPP interworking function network element in method 300, and the indication information #1 in method 600 may correspond to the first indication information in method 300.
  • in method 600, after AMF1 determines that RAN1 is untrustworthy, if AMF1 finds that the UE accesses the network through both 3GPP and non-3GPP access, AMF1 can send indication information #1 to the UE through the non-3GPP access to trigger the UE to disconnect from RAN1, thereby preventing the situation where indication information #1 cannot be delivered to the UE because RAN1 does not forward the NAS message.
  • the following is an exemplary description of the method 600 in combination with each step.
  • AMF1 determines that RAN1 is not trustworthy.
  • S602, AMF1 determines whether the UE accesses the network through 3GPP or non-3GPP access.
  • after AMF1 determines that RAN1 is untrustworthy, it can verify the RRC connection status of the UE (including connected state, idle state, inactive state, etc.) and the way the UE accesses the network (including 3GPP access and non-3GPP access).
  • AMF1 notifies the UE that RAN1 is not trustworthy.
  • AMF1 can notify the UE that RAN1 is not trustworthy through N3IWF/TNGF. Details are shown in S603 to S605.
  • S603, AMF1 sends an N2 message to the non-3GPP interworking function (N3IWF) network element or the trusted non-3GPP gateway function (TNGF) network element.
  • the N2 message includes indication information #1.
  • the indication information #1 is used to indicate that the RAN (i.e., RAN1) to which the UE is connected is not trustworthy, or the indication information is used to instruct the UE to disconnect from RAN1, or the indication information is used to instruct the UE to switch to another RAN.
  • the N2 message may include the identity of RAN1.
  • the N2 message may also include a RAN ID list, which includes the identities of multiple untrusted RANs, including the identity of RAN1.
  • the N2 message may also include a timer, which is used to indicate the time when RAN1 is untrustworthy, or the timer is used to indicate the time when one or more RANs in the RAN ID list are untrustworthy. That is to say, when the timer expires, the UE can determine that the RAN corresponding to the timer has become trusted, or in other words, the UE can delete the identity of the RAN corresponding to the timer from the RAN ID list.
  • S604, N3IWF/TNGF sends indication information #1 to the UE.
  • after receiving the N2 message from AMF1, N3IWF/TNGF sends indication information #1 to the UE.
  • N3IWF/TNGF can also send the RAN ID list and/or the timer to the UE, which is not limited in this application.
  • S605, the UE sends an Ack message to AMF1 through N3IWF/TNGF.
  • the UE may send an Ack message to AMF1 through N3IWF/TNGF.
  • S606 The UE disconnects from RAN1.
  • S606 is similar to S405 in method 400 and will not be described again here.
  • S607 The UE stores policy information.
  • the UE stores policy information. This policy information is used for the UE not to access a cell of an untrusted RAN, or this policy information is used for the UE not to access the network through 3GPP.
  • the UE does not attempt to access the network through 3GPP before receiving a new indication.
  • the UE selects a cell for access according to the policy information.
  • the specific implementation manner is similar to S406 in method 400. For the sake of simplicity, details will not be described here.
  • S608 to S609 are similar to S408 to S409 in method 400, and will not be described again here.
  • the specific process of the UE reconnecting to the network is similar to Example 1 (S410-S411) and Example 2 (S412-S413) in method 400, and will not be described again here.
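Methods 400, 500 and 600 differ only in how AMF1 chooses to deliver indication information #1 and whether it keeps the UE context: an alternative RAN exists (method 400, NAS indication, context retained), no alternative RAN (method 500, deregistration request), or the UE also has non-3GPP access (method 600, N2 message through N3IWF/TNGF), with S408 handing the UE identity and RAN ID list to the UDM when no Ack arrives. The following added example, written for this page and not the patent's own code, models that decision; the "same TAI" coverage test, the topology records and the UE contexts are constructed assumptions standing in for the PLMN ID/TAI check the text leaves open.

```python
"""AMF-side choice between method 400, 500 and 600 for a UE on an untrusted RAN,
plus the S408 record handed to the UDM when no Ack is received.
Constructed example for this page; not the patent's own code."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class RrcState(Enum):
    CONNECTED = "connected"
    IDLE = "idle"
    INACTIVE = "inactive"


class AccessType(Enum):
    THREE_GPP = "3gpp"
    NON_3GPP = "non-3gpp"


@dataclass(frozen=True)
class RanInfo:
    ran_id: str
    rat: str        # "gNB" or "eNB" (constructed)
    plmn_id: str    # constructed placeholder, not a real PLMN
    tai: str


@dataclass(frozen=True)
class UeContext:
    ue_id: str
    serving_ran: Optional[str]
    rrc_state: RrcState
    access_types: FrozenSet[AccessType]


@dataclass(frozen=True)
class AmfAction:
    method: int           # 400, 500 or 600 as numbered on this page
    message: str          # what carries indication information #1
    delivered_via: str    # RAN1 (NAS over 3GPP) or N3IWF/TNGF
    deregister: bool      # True only for method 500 (UE context deleted)


def has_alternative_ran(ran_id: str, topology: Dict[str, RanInfo]) -> bool:
    """S402/S502. Assumption: another RAN serving the same TAI covers RAN1's area.
    The page says AMF1 may combine PLMN ID, TAI, etc.; the exact rule is open."""
    target = topology[ran_id]
    return any(r.ran_id != ran_id and r.tai == target.tai for r in topology.values())


def handle_untrusted_ran(untrusted_ran: str, ue: UeContext,
                         topology: Dict[str, RanInfo]) -> Optional[AmfAction]:
    """Decide how AMF1 informs one UE that `untrusted_ran` is untrustworthy."""
    # Only a UE in connected state on the untrusted RAN needs the indication.
    if ue.serving_ran != untrusted_ran or ue.rrc_state is not RrcState.CONNECTED:
        return None
    if AccessType.NON_3GPP in ue.access_types:
        # Method 600: the N2 message goes over the non-3GPP leg so a RAN that
        # drops NAS messages cannot suppress it. Context retention assumed, since
        # the page reuses S405-S409 and the reconnection examples of method 400.
        return AmfAction(600, "N2 message carrying indication information #1",
                         "N3IWF/TNGF", deregister=False)
    if has_alternative_ran(untrusted_ran, topology):
        # Method 400: NAS indication; context kept for redirection / mobility
        # registration update towards the alternative RAN.
        return AmfAction(400, "NAS message carrying indication information #1",
                         untrusted_ran, deregister=False)
    # Method 500: no alternative RAN, so the deregistration request carries the
    # indication and AMF1 deletes the UE context.
    return AmfAction(500, "Deregistration Request carrying indication information #1",
                     untrusted_ran, deregister=True)


def record_for_udm(ue: UeContext, ran_id_list: List[str],
                   ack_received: bool) -> Optional[dict]:
    """S408: without an Ack, AMF1 hands the UE identity and RAN ID list to the UDM
    with indication information #2 so the UE learns of it after reconnecting."""
    if ack_received:
        return None
    return {"ue_id": ue.ue_id, "ran_id_list": list(ran_id_list),
            "indication": "#2: UE has not learned that the listed RANs are untrustworthy"}


# Constructed topology: RAN1 and eNB1 share tai-A, RAN9 is alone in tai-B.
TOPOLOGY = {
    "RAN1": RanInfo("RAN1", "gNB", "plmn-X", "tai-A"),
    "eNB1": RanInfo("eNB1", "eNB", "plmn-X", "tai-A"),
    "RAN9": RanInfo("RAN9", "gNB", "plmn-X", "tai-B"),
}


if __name__ == "__main__":
    ue = UeContext("ue-a", "RAN1", RrcState.CONNECTED, frozenset({AccessType.THREE_GPP}))
    print(handle_untrusted_ran("RAN1", ue, TOPOLOGY))
    print(record_for_udm(ue, ["RAN1"], ack_received=False))
```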
  • Figure 7 shows an exemplary flow chart of the communication method 700 provided by the embodiment of the present application.
  • the SPCF in method 700 may correspond to the security policy control network element in method 300
  • the AMF1/network management device in method 700 may correspond to the first device in method 300
  • the RAN4 in method 700 may correspond to the third access network device in method 300.
  • in method 700, after the AMF1/network management device determines that RAN1 is untrustworthy, it may instruct other RANs (such as RAN4 in Figure 7) not to hand the UE over to a cell of RAN1, so as to improve communication security.
  • method 700 can be implemented independently or in combination with methods 400 to 600.
  • for example, method 700 can be used as a parallel solution to method 400 and executed after S401 in method 400; this application does not limit this. The following is an exemplary description of method 700 step by step.
  • SPCF sends indication information #3 to the AMF1/network management device.
  • AMF1/network management device receives indication information #3 from SPCF.
  • the SPCF may send indication information #3 to the AMF1/network management device.
  • the indication information #3 is used to indicate that RAN1 is not trustworthy.
  • the network management device is, for example, an operation, administration and maintenance (OAM) device.
  • the following description will take OAM as the network management device as an example.
  • the AMF1/network management device in the embodiment of this application refers to the AMF1 or the network management device, and other similar places will not be repeatedly explained.
  • the indication information #3 may also be used to indicate that multiple RANs are untrustworthy.
  • SPCF can send a RAN ID list to AMF1/OAM.
  • the RAN ID list includes the identification of one or more untrusted RANs.
  • SPCF can also send a timer to AMF1/OAM, which is used to indicate the time when RAN1 is untrustworthy.
  • AMF1/OAM can save the identity of RAN1. If AMF1/OAM also receives a timer indicating the time for which RAN1 is untrustworthy, it can delete the identity of RAN1 after the timer expires.
  • AMF1/OAM sends configuration information to RAN4.
  • AMF1/OAM can send configuration information to RAN4.
  • the configuration information includes the identity of RAN1 and a cell switching strategy.
  • the cell switching strategy is used so that the UE is not switched to a cell of RAN1.
  • the configuration information may also include a RAN ID list and a timer, which are not limited in this application.
  • the RAN4 can be any RAN, or it can be a RAN connected to RAN1, or a RAN that has overlapping coverage with RAN1, or any RAN controlled by AMF1, or a RAN that is physically adjacent to RAN1. This application is not limited.
  • after receiving the configuration information, RAN4 performs cell handover according to the configuration information. For example, during the cell handover process, a UE on RAN4 measures the signal strength of a candidate cell and reports the measurement report of the candidate cell to RAN4. After RAN4 receives the measurement report from the UE, if the identity of the RAN where the candidate cell is located is the same as the identity of RAN1 (or is included in the RAN ID list), RAN4 determines not to hand the UE over to the candidate cell; in other words, RAN4 does not use the candidate cell as the target cell.
  • AMF1/OAM can determine that RAN1 is not trustworthy based on the indication information #3. Based on this, AMF1/OAM can send configuration information to RAN4 instructing it not to switch the UE to a cell of RAN1, so that RAN4 does not hand the terminal device over to a cell of RAN1, thereby improving the communication security of the UE.
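The UE-side handling above (S604 to S607: RAN ID list, timer, stored policy and cell selection) and the RAN4-side handover filter of method 700 both rest on one untrusted-RAN list with expiry. The following Python model is an added example, not code from the patent; the message dict layouts, the class names and the handover hysteresis margin are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cell:
    """A candidate cell as it appears in a measurement report (constructed values)."""
    cell_id: str
    ran_id: str        # identity of the RAN operating the cell
    rsrp_dbm: float    # measured signal strength


class UntrustedRanPolicy:
    """RAN ID list with an optional per-entry expiry (the 'timer' of the text).
    An entry without a timer stays until a later indication removes it."""

    def __init__(self) -> None:
        self._expires_at: Dict[str, Optional[float]] = {}

    def mark_untrusted(self, ran_id: str, now: float,
                       timer_s: Optional[float] = None) -> None:
        self._expires_at[ran_id] = None if timer_s is None else now + timer_s

    def purge_expired(self, now: float) -> List[str]:
        """Delete entries whose timer has expired and return their identities."""
        expired = [r for r, t in self._expires_at.items()
                   if t is not None and now >= t]
        for ran_id in expired:
            del self._expires_at[ran_id]
        return expired

    def is_untrusted(self, ran_id: str, now: float) -> bool:
        self.purge_expired(now)
        return ran_id in self._expires_at


class UEPolicyStore:
    """UE side (S604 to S607): act on indication information #1, then select cells."""

    def __init__(self, connected_ran: Optional[str]) -> None:
        self.connected_ran = connected_ran
        self.policy = UntrustedRanPolicy()
        self.allow_3gpp_access = True

    def handle_indication(self, indication: dict, now: float) -> bool:
        """Apply an indication; return True if the UE disconnected from its serving RAN.
        The dict layout is an assumption of this example, not a 3GPP encoding:
          untrusted_ran_ids  RAN ID list (a single RAN1 is a one-element list)
          timer_s            optional untrusted duration for every listed RAN
          no_3gpp_access     optional flag for the 'no access via 3GPP' policy
        """
        timer_s = indication.get("timer_s")
        for ran_id in indication.get("untrusted_ran_ids", []):
            self.policy.mark_untrusted(ran_id, now, timer_s)
        if indication.get("no_3gpp_access"):
            self.allow_3gpp_access = False
        # S606: drop the connection when the serving RAN is now untrusted.
        if self.connected_ran is not None and self.policy.is_untrusted(self.connected_ran, now):
            self.connected_ran = None
            return True
        return False

    def select_cell(self, candidates: List[Cell], now: float) -> Optional[Cell]:
        """Strongest candidate on a trusted RAN, or None when policy forbids 3GPP access."""
        if not self.allow_3gpp_access:
            return None
        allowed = [c for c in candidates if not self.policy.is_untrusted(c.ran_id, now)]
        return max(allowed, key=lambda c: c.rsrp_dbm, default=None)


class HandoverController:
    """RAN4 side (method 700): never pick a handover target on a configured untrusted RAN."""

    def __init__(self) -> None:
        self.policy = UntrustedRanPolicy()

    def apply_configuration(self, config: dict, now: float) -> None:
        """Configuration from AMF1/OAM: identity of RAN1 plus optional RAN ID list and timer."""
        for ran_id in {config["ran_id"], *config.get("ran_id_list", [])}:
            self.policy.mark_untrusted(ran_id, now, config.get("timer_s"))

    def choose_target(self, report: List[Cell], serving_rsrp_dbm: float, now: float,
                      hysteresis_db: float = 3.0) -> Optional[Cell]:
        """Strongest reported cell on a trusted RAN that beats the serving cell by the margin.
        The hysteresis margin is an assumption of this example, not from the text."""
        eligible = [c for c in report
                    if not self.policy.is_untrusted(c.ran_id, now)
                    and c.rsrp_dbm > serving_rsrp_dbm + hysteresis_db]
        return max(eligible, key=lambda c: c.rsrp_dbm, default=None)
```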
  • embodiments of the present application also provide corresponding devices, which include modules for executing the corresponding steps in each of the above method embodiments.
  • the module can be software, hardware, or a combination of software and hardware. It can be understood that the technical features described in the above method embodiments are also applicable to the following device embodiments. Therefore, content that is not described in detail can be referred to the above method embodiments. For the sake of brevity, they will not be described again here.
  • FIG. 8 is a schematic block diagram of the communication device 10 provided by the embodiment of the present application.
  • the device 10 includes a transceiver module 11 and a processing module 12 .
  • the transceiver module 11 can implement corresponding communication functions, and the processing module 12 is used to perform data processing, or in other words, the transceiver module 11 is used to perform operations related to receiving and sending, and the processing module 12 is used to perform other operations besides receiving and sending.
  • the transceiver module 11 may also be called a communication interface or communication unit.
  • the device 10 may also include a storage module 13, which may be used to store instructions and/or data, and the processing module 12 may read the instructions and/or data in the storage module, so that the device implements the actions of the device or network element in each of the foregoing method embodiments.
  • the device 10 may correspond to the mobility management network element in the above method embodiments (such as the mobility management network element in method 300, or AMF1 in methods 400 to 700), or to a component of the mobility management network element (such as a chip).
  • the device 10 can implement the steps or processes performed by the mobility management network element in the above method embodiments, wherein the transceiver module 11 can be used to perform the sending and receiving operations of the mobility management network element in the above method embodiments, and the processing module 12 can be used to perform the processing-related operations of the mobility management network element in the above method embodiments.
  • the processing module 12 is used to determine that the first access network device is untrustworthy; the transceiver module 11 is used to send first indication information to a terminal device connected to the first access network device.
  • the first indication information is used to indicate that the first access network device is untrustworthy, or to instruct the terminal device to disconnect from the first access network device.
  • the processing module 12 is also configured to determine that the second access network device is untrustworthy; the transceiver module 11 is also configured to send the identification of the second access network device to the terminal device.
  • the transceiver module 11 is also configured to send timer information to the terminal device, where the timer information is used to indicate the time when the first access network device is untrustworthy.
  • the transceiver module 11 is specifically configured to send a de-registration request message to the terminal device.
  • the de-registration request message is used to request the terminal device to de-register from the currently connected network.
  • the de-registration request message includes the first indication information.
  • when the terminal device accesses the network through both 3rd Generation Partnership Project (3GPP) technology and non-3GPP technology, the transceiver module 11 is specifically configured to send the first indication information to the terminal device through the non-3GPP interworking function network element.
  • the transceiver module 11 is also configured to send configuration information to the third access network device, where the configuration information is used to indicate not to perform handover to the cell of the first access network device.
  • the transceiver module 11 is also configured to receive second indication information from the security policy control network element, where the second indication information is used to indicate that the first access network device is untrustworthy.
  • the device 10 may correspond to the terminal equipment in the above method embodiment (such as the terminal equipment in method 300, or the UE in methods 400 to 600), or a component of the terminal equipment. (such as chips).
  • the device 10 can implement steps or processes corresponding to those performed by the terminal device in the above method embodiment, wherein the transceiver module 11 can be used to perform operations related to the transceiver of the terminal device in the above method embodiment, and the processing module 12 can be used to perform Operations related to processing of the terminal device in the above method embodiment.
  • the transceiver module 11 is configured to receive first indication information from the mobility management network element.
  • the first indication information is used to indicate that the first access network device connected to the terminal device is untrustworthy, or is used to instruct the terminal device to disconnect from the first access network device.
  • the processing module 12 is configured to disconnect from the first access network device.
  • the processing module 12 is also configured to store first policy information, where the first policy information is used to indicate that cells of the first access network device are not to be accessed.
  • the transceiver module 11 is also configured to receive timer information from the mobility management network element, where the timer information is used to indicate the time for which the first access network device is untrustworthy; the processing module 12 is also configured to delete the first policy information after the time indicated by the timer information expires.
  • the transceiver module 11 is also configured to receive the identity of the second access network device from the mobility management network element; the processing module 12 is also configured to store second policy information, where the second policy information is used to indicate that cells of the second access network device are not to be accessed.
  • the transceiver module 11 is specifically configured to receive a de-registration request message from the mobility management network element.
  • the de-registration request message is used to request the terminal device to de-register from the currently connected network.
  • the de-registration request message includes the first indication information.
  • the transceiver module 11 is specifically configured to receive the first indication information from the mobility management network element through the non-3GPP interworking function network element.
  • the device 10 here is embodied in the form of a functional module.
  • a module may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (for example, a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, merged logic, and/or other suitable components that support the described functionality.
  • the device 10 can specifically be the mobility management network element in the above embodiments, and can be used to execute the processes and/or steps corresponding to the mobility management network element in the above method embodiments; alternatively, the apparatus 10 can specifically be the terminal device in the above embodiments, and can be used to execute the processes and/or steps corresponding to the terminal device in the above method embodiments. To avoid duplication, they will not be described again here.
  • the apparatus 10 in each of the above solutions has the function of implementing the corresponding steps performed by the equipment (such as a mobility management network element, a first device, a third access network device, a data management network element, or a terminal device) in the above methods.
  • This function can be implemented by hardware, or it can be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions; for example, the transceiver module can be replaced by a transceiver (the sending unit in the transceiver module can be replaced by a transmitter, and the receiving unit in the transceiver module can be replaced by a receiver), and other units, such as the processing module, can be replaced by processors, so as to perform the sending and receiving operations and the related processing operations in each method embodiment respectively.
  • the transceiver module 11 may also be a transceiver circuit (for example, it may include a receiving circuit and a transmitting circuit), and the processing module may be a processing circuit.
  • FIG. 9 is a schematic diagram of another communication device 20 according to an embodiment of the present application.
  • the device 20 includes a processor 21, which is used to execute computer programs or instructions stored in the memory 22, or read data/signaling stored in the memory 22, to perform the methods in each of the above method embodiments.
  • there are one or more processors 21.
  • the device 20 further includes a memory 22, which is used to store computer programs or instructions and/or data.
  • the memory 22 may be integrated with the processor 21 or may be provided separately.
  • the device 20 also includes a transceiver 23, which is used for receiving and/or transmitting signals.
  • the processor 21 is used to control the transceiver 23 to receive and/or transmit signals.
  • the device 20 is used to implement the operations performed by the mobility management network element in each of the above method embodiments.
  • the processor 21 is used to execute the computer program or instructions stored in the memory 22 to implement the related operations of the mobility management network element in each of the above method embodiments.
  • the processor 21 executes the computer program or instructions stored in the memory 22 to implement the method performed by the mobility management network element in Figure 3, or the method performed by AMF1 in Figures 4 to 7.
  • the device 20 is used to implement the operations performed by the terminal device in each of the above method embodiments.
  • the processor 21 is used to execute computer programs or instructions stored in the memory 22 to implement related operations of the terminal device in each of the above method embodiments.
  • the processor 21 executes the computer program or instructions stored in the memory 22 to implement the method executed by the terminal device in FIG. 3, or the method executed by the UE in FIGS. 4 to 7.
  • processors mentioned in the embodiments of this application may be a central processing unit (CPU), or other general-purpose processor, digital signal processor (DSP), or application-specific integrated circuit (ASIC).
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the memory mentioned in the embodiments of the present application may be a volatile memory and/or a non-volatile memory.
  • the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM).
  • RAM can be used as an external cache.
  • RAM includes the following forms: static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synchlink DRAM, SLDRAM) and direct memory bus random access memory (direct rambus RAM, DR RAM).
  • the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component
  • memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.
  • FIG. 10 is a schematic diagram of a chip system 30 provided by an embodiment of the present application.
  • the chip system 30 (or can also be called a processing system) includes a logic circuit 31 and an input/output interface 32.
  • the logic circuit 31 may be a processing circuit in the chip system 30 .
  • the logic circuit 31 can be coupled to the memory unit and call instructions in the memory unit, so that the chip system 30 can implement the methods and functions of various embodiments of the present application.
  • the input/output interface 32 can be an input/output circuit in the chip system 30, which outputs information processed by the chip system 30, or inputs data or signaling information to be processed into the chip system 30 for processing.
  • the logic circuit 31 can determine that the first access network device is not trustworthy, and then send the first indication information through the input/output interface 32.
  • the logic circuit 31 can receive the first indication information through the input/output interface 32: the input/output interface 32 inputs the first indication information to the logic circuit 31 for processing, and the logic circuit 31 can disconnect from the first access network device according to the first indication information.
  • the chip system 30 is used to implement the operations performed by the mobility management network element (the mobility management network element in Figure 3, or AMF1 in Figures 4-7) in each of the above method embodiments.
  • the logic circuit 31 is used to implement the processing-related operations performed by the mobility management network element in the above method embodiments, such as the processing-related operations performed by the mobility management network element in the embodiment shown in Figure 3, or the processing-related operations performed by AMF1 in any of the embodiments shown in Figures 4 to 7;
  • the input/output interface 32 is used to implement the sending and/or receiving related operations performed by the mobility management network element in the above method embodiments, such as the sending and/or receiving related operations performed by the mobility management network element in the embodiment shown in Figure 3, or the sending and/or receiving related operations performed by AMF1 in any of the embodiments shown in Figures 4 to 7.
  • the chip system 30 is used to implement the operations performed by the terminal device (the terminal device in Figure 3, or the UE in Figures 4 to 7) in each of the above method embodiments.
  • the logic circuit 31 is used to implement the processing-related operations performed by the terminal device in the above method embodiments, such as the processing-related operations performed by the terminal device in the embodiment shown in Figure 3, or the processing-related operations performed by the UE in any of the embodiments shown in Figures 4 to 7;
  • the input/output interface 32 is used to implement the sending and/or receiving related operations performed by the terminal device in the above method embodiments, such as the sending and/or receiving related operations performed by the terminal device in the embodiment shown in Figure 3, or the sending and/or receiving related operations performed by the UE in any of the embodiments shown in FIGS. 4 to 7.
  • Embodiments of the present application also provide a computer-readable storage medium on which computer instructions for implementing the methods executed by the device in each of the above method embodiments are stored.
  • when the computer program is executed by a computer, the computer can implement the method executed by the mobility management network element in each of the above method embodiments.
  • when the computer program is executed by a computer, the computer can implement the method executed by the terminal device in each of the above method embodiments.
  • Embodiments of the present application also provide a computer program product, which includes instructions.
  • when the instructions are executed, the method executed by a device in the above method embodiments (such as a mobility management network element, a first device, a third access network device, a data management network element, or a terminal device) is implemented.
  • Embodiments of the present application also provide a communication system, including one or more of the aforementioned network elements (such as the mobility management network element, the data management network element, the third access network device, the first device, etc.), and/or the terminal device.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer may be a personal computer, a server, or a network device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless (such as infrared, radio, or microwave) means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the available media may be magnetic media (such as floppy disks, hard disks, magnetic tapes), optical media (such as DVDs), or semiconductor media (such as solid state disks (SSD)), etc.
  • the aforementioned available media include, but are not limited to: USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.

Abstract

The present application relates to a communication method and apparatus. The method comprises the following steps: after determining that a first access network device is not secure, a mobility management network element sends first indication information to a terminal device connected to the first access network device, so as to indicate that the first access network device is not secure, or to instruct the terminal device to disconnect from the first access network device. After receiving the first indication information, the terminal device disconnects from the first access network device. The solution provided by the present application improves the communication security of a terminal device.
PCT/CN2023/088566 2022-04-22 2023-04-17 Communication method and apparatus WO2023202503A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210429002.7A CN116980897A (zh) 2022-04-22 2022-04-22 Communication method and apparatus
CN202210429002.7 2022-04-22

Publications (1)

Publication Number Publication Date
WO2023202503A1 true WO2023202503A1 (fr) 2023-10-26

Family

ID=88419200

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/088566 WO2023202503A1 (fr) 2022-04-22 2023-04-17 Communication method and apparatus

Country Status (2)

Country Link
CN (1) CN116980897A (fr)
WO (1) WO2023202503A1 (fr)

Also Published As

Publication number Publication date
CN116980897A (zh) 2023-10-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23791158

Country of ref document: EP

Kind code of ref document: A1