WO2024012356A1 - Device data path management and control method, device, terminal, and network side device - Google Patents

Info

Publication number
WO2024012356A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
rule
data
relay
forwarding
Application number
PCT/CN2023/106235
Inventor
谢振华
Original Assignee
维沃移动通信有限公司
Application filed by 维沃移动通信有限公司
Publication of WO2024012356A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0893 Assignment of logical groups to network elements
    • H04L41/12 Discovery or management of network topologies
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/14 Routing performance; Theoretical aspects
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W40/00 Communication routing or communication path finding
    • H04W40/24 Connectivity information management, e.g. connectivity discovery or connectivity update

Definitions

  • This application belongs to the field of mobile communication technology, and specifically relates to a device data path management and control method, equipment, terminals and network side equipment.
  • Embodiments of the present application provide a device data path management and control method, device, terminal and network side device, which can solve the problem of security risks in the opened path.
  • a device data path management and control method is provided, which is applied to the first network function.
  • the method includes:
  • the first network function receives first information from the second network function, the first information including rule information and rule event information;
  • the first network function performs at least one of the following:
  • the relay rule information is used to indicate the rule by which the first device forwards data between the mobile network and the third device
  • the forwarding rule information is used to indicate the rule by which the third network function forwards data between the mobile network and the data network
  • the rule event information is used to indicate the valid or invalid condition of the rule information
  • the relay rule event information is used to indicate the valid or invalid condition of the relay rule information
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • a device data path management and control device including:
  • a first transmission module configured to receive first information from the second network function, where the first information includes rule information and rule event information;
  • a first execution module configured to execute at least one of the following according to the first information:
  • the relay rule information is used to indicate the rule by which the first device forwards data between the mobile network and the third device
  • the forwarding rule information is used to indicate the rule by which the third network function forwards data between the mobile network and the data network
  • the rule event information is used to indicate the valid or invalid condition of the rule information
  • the relay rule event information is used to indicate the valid or invalid condition of the relay rule information
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • a device data path management and control method applied to the first device, and the method includes:
  • the first device receives second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; termination of relay indication;
  • the first device performs at least one of the following:
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • a device data path management and control device including:
  • the second transmission module is configured to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; termination of relay indication;
  • a second execution module configured to execute at least one of the following according to the second information:
  • based on the termination relay indication, terminating the forwarding of data between the mobile network and the third device; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the device access management and control device.
  • a device data path management and control method is provided, which is applied to the second network function.
  • the method includes:
  • the second network function sends first information to the first network function, where the first information includes rule information and rule event information.
  • a device data path management and control device including:
  • the third execution module is used to obtain the first information
  • the third transmission module is configured to send first information to the first network function, where the first information includes rule information and rule event information.
  • the seventh aspect provides a device data path management and control method applied to a third device.
  • the method includes:
  • the third device sends third information to the first device or the second device, where the third information includes rule event information for data forwarding;
  • the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid;
  • the third device is a device that receives data from the mobile network side through the first device or sends data to the mobile network side.
  • a device data path management and control device including:
  • the fourth execution module is used to obtain the third information
  • a fourth transmission module configured to send the third information to the first device or the second device, where the third information includes rule event information for data forwarding;
  • the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid; the device access management and control device is a device that receives data from the mobile network side through the first device or sends data to the mobile network side.
  • a device data path management and control method is provided, applied to the second device, and the method includes:
  • the second device sends fourth information to the second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
  • a device data path management and control device including:
  • the fifth execution module is used to obtain the fourth information
  • the fifth transmission module is configured to send fourth information to the second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
  • in an eleventh aspect, a terminal is provided, which includes a processor and a memory.
  • the memory stores programs or instructions that can be run on the processor.
  • when the program or instructions are executed by the processor, the steps of the method described in the third, seventh or ninth aspect are implemented.
  • a terminal including a processor and a communication interface, wherein the communication interface is used to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication; and the processor is configured to perform at least one of the following according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating forwarding of data between the mobile network and the third device based on the termination relay indication.
  • in a thirteenth aspect, a network side device is provided, which includes a processor and a memory.
  • the memory stores programs or instructions that can be run on the processor.
  • when the program or instructions are executed by the processor, the steps of the method described in the first aspect or the fifth aspect are implemented.
  • a device data path management and control system including: a first device, a second device, a third device, a first network function and a second network function.
  • the first network function can be used to perform the steps of the device data path management and control method described in the first aspect, the first device can be used to perform the steps of the device data path management and control method described in the third aspect, and the second network function can be used to perform the steps of the device data path management and control method described in the fifth aspect.
  • the third device can be used to perform the steps of the device data path management and control method described in the seventh aspect
  • the second device can be used to perform the steps of the device data path management and control method described in the ninth aspect.
  • a readable storage medium is provided. Programs or instructions are stored on the readable storage medium. When the programs or instructions are executed by a processor, the steps of the method described in the first aspect, or the steps of the method described in the third aspect, or the steps of the method described in the fifth aspect, or the steps of the method described in the seventh aspect, or the steps of the method described in the ninth aspect are implemented.
  • in a sixteenth aspect, a chip is provided, which includes a processor and a communication interface.
  • the communication interface is coupled to the processor.
  • the processor is used to run programs or instructions to implement the method described in the first aspect.
  • a computer program/program product is provided, the computer program/program product is stored in a storage medium, and the computer program/program product is executed by at least one processor to implement the first aspect
  • the first information includes rule information and rule event information; and performing at least one of the following according to the first information: based on the rule information, sending relay rule information to the first device; based on the rule event information, sending relay rule event information to the first device; based on the rule information, configuring forwarding rule information to the third network function; based on the rule event information, configuring the forwarding rule information as valid or invalid, so that the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
  • Figure 1 is a schematic structural diagram of a wireless communication system applicable to the embodiment of the present application.
  • Figure 2 is a schematic structural diagram of a device data path management system provided by an embodiment of the present application.
  • Figure 3 is a schematic flow chart of a device data path management and control method provided by an embodiment of the present application.
  • Figure 4 is a schematic diagram of the signaling flow of a device data path management and control method provided by an embodiment of the present application
  • Figure 5 is a schematic structural diagram of a device data path management and control device provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application.
  • Figure 7 is a schematic structural diagram of another device data path management and control device provided by an embodiment of the present application.
  • Figure 8 is a schematic flow chart of another device data path management and control method provided by an embodiment of the present application.
  • Figure 9 is a schematic structural diagram of another device data path management and control device provided by an embodiment of the present application.
  • Figure 10 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application.
  • Figure 11 is a schematic structural diagram of another device data path management and control device provided by an embodiment of the present application.
  • Figure 12 is a schematic flow chart of another device data path management and control method provided by an embodiment of the present application.
  • Figure 13 is a schematic structural diagram of another device data path management and control device provided by an embodiment of the present application.
  • Figure 14 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • Figure 15 is a schematic structural diagram of a terminal that implements an embodiment of the present application.
  • Figure 16 is a schematic structural diagram of a network side device that implements an embodiment of the present application.
  • the terms "first", "second", etc. in the description and claims of this application are used to distinguish similar objects and are not used to describe a specific order or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances so that the embodiments of the present application can be practiced in sequences other than those illustrated or described herein, and that the objects distinguished by "first" and "second" are usually of one type, and the number of objects is not limited.
  • the first object can be one or multiple.
  • "and/or" means at least one of the connected objects, and the character "/" generally means that the related objects are in an "or" relationship.
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • CDMA Code Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • OFDMA Orthogonal Frequency Division Multiple Access
  • SC-FDMA Single-carrier Frequency Division Multiple Access
  • NR New Radio
  • FIG. 1 shows a block diagram of a wireless communication system to which embodiments of the present application are applicable.
  • the wireless communication system includes a terminal 11 and a network side device 12.
  • the terminal 11 may be a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (Laptop Computer, also called a notebook computer), a personal digital assistant (Personal Digital Assistant, PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (Mobile Internet Device, MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device, vehicle user equipment (Vehicle User Equipment, VUE), pedestrian user equipment (Pedestrian User Equipment, PUE), smart home equipment (home equipment with wireless communication functions, such as refrigerators, TVs, washing machines or furniture), a game console, a personal computer (PC), a teller machine or self-service machine, or another terminal-side device.
  • Wearable devices include: smart watches, smart bracelets, smart headphones, smart glasses, smart jewelry (smart bracelets, smart rings, smart necklaces, smart anklets, etc.), smart wristbands, smart clothing, etc.
  • the network side device 12 may include an access network device or a core network device, where the access network device 12 may also be called a radio access network device, a radio access network (Radio Access Network, RAN), a radio access network function or Wireless access network unit.
  • the access network device 12 may include a base station, a Wireless Local Area Network (WLAN) access point or a WiFi node, etc.
  • WLAN Wireless Local Area Network
  • the base station may be called a Node B, an evolved Node B (eNB), an access point, a Base Transceiver Station (BTS), a radio base station, a radio transceiver, a Basic Service Set (BSS), an Extended Service Set (ESS), a home Node B, a home evolved Node B, a transmitting receiving point (Transmitting Receiving Point, TRP) or some other appropriate term in the field; as long as the same technical effect is achieved, the base station is not limited to a specific technical term. It should be noted that in the embodiments of this application, only the base station in the NR system is taken as an example for introduction, and the specific type of base station is not limited.
  • TRP Transmitting Receiving Point
  • Core network equipment may include but is not limited to at least one of the following: core network nodes, core network functions, mobility management entity (Mobility Management Entity, MME), access and mobility management function (Access and Mobility Management Function, AMF), session management function (Session Management Function, SMF), user plane function (User Plane Function, UPF), policy control function (Policy Control Function, PCF), policy and charging rules function (Policy and Charging Rules Function, PCRF), edge application server discovery function (Edge Application Server Discovery Function, EASDF), unified data management (Unified Data Management, UDM), unified data repository (Unified Data Repository, UDR), home subscriber server (Home Subscriber Server, HSS), centralized network configuration (Centralized Network Configuration, CNC), network repository function (Network Repository Function, NRF), network exposure function (Network Exposure Function, NEF), local NEF (Local NEF, or L-NEF), binding support function (Binding Support Function, BSF), application function (Application Function, AF), etc.
  • MME mobility management entities
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • UPF User Plane Function
  • PCF Policy Control Function
  • the embodiment of the present application provides a device data path management and control method.
  • the execution subject of the method is the first network function.
  • the method can be executed by software or hardware installed on the first network function.
  • the method includes the following steps.
  • the first network function receives first information from the second network function, where the first information includes rule information and rule event information.
  • the device data path management and control system of the embodiment of the present application improves network security by managing and controlling the data path of the third device 203 (which may also be called an access device) accessing the mobile network.
  • the data network where the third device 203 is located may be a Personal IoT Network (PIN), and the third device 203 may be a Personal IoT Device (PIN Element, PINE); the data network also includes a first device 201 and a second device 202.
  • PIN Personal IoT Networks
  • PINE Personal IoT Device
  • the first device 201 is a personal Internet of Things device with a gateway function (PIN Element with Gateway Capability, PEGC) that is connected to the mobile network
  • the second device 202 is a personal Internet of Things device with a management function (PIN Element with Management Capability, PEMC) that is used for managing the third device.
  • the mobile network mainly includes: a first network function 211, a second network function 212 and a third network function 213, where the first network function 211 may be a session management function (Session Management Function, SMF) in the mobile network.
  • the second network function 212 may be a personal IoT management function (PINMF) connected to the network where the third device is located, and the second network function 212 may also be a network exposure function (NEF) or a policy control function (Policy Control Function, PCF).
  • the third network function 213 may be a user plane function (User Plane Function, UPF) used to perform routing and forwarding of user plane data packets.
  • the rule information is used to indicate the relevant data transmission rules of the data path for the third device to access the mobile network.
  • the rule information may include relay rule information and forwarding rule information.
  • the relay rule information is used to indicate the rule by which the first device forwards data between the mobile network and the third device, and the forwarding rule information is used to indicate the rule by which the third network function forwards data between the mobile network and the data network.
  • the rule information can be specifically expressed as routing information (Routing Information, Routing Info), the relay rule information can be specifically expressed as device and network routing information (Device to Network Routing Information, D2N Routing Info), and the forwarding rule information can be specifically expressed as inter-network routing information (Network Routing Information, Network Routing Info).
  • the relay rule information and the forwarding rule information include at least one of the following:
  • Uplink data filtering rules specifically expressed as uplink data filter (Uplink packet filter, UL packet filter);
  • Downlink data filtering rules, specifically expressed as downlink data filter (Downlink packet filter, DL packet filter);
  • the rule event information is used to indicate the valid or invalid condition of the rule information. Based on the rule event information, the relay rule event information corresponding to the relay rule information and the forwarding rule event information corresponding to the forwarding rule information can be determined respectively; the relay rule event information is used to indicate a valid or invalid condition of the relay rule information, and the forwarding rule event information is used to indicate a valid or invalid condition of the forwarding rule information.
  • the rule event information includes at least one of the following corresponding to the rule information:
  • Duration information (Duration), valid time information, invalid time information, violation access indication, and number of illegal accesses.
  • the relay rule event information includes at least one of the following corresponding to the relay rule information:
  • Duration information, valid time information, invalid time information.
  • the forwarding rule event information includes at least one of the following corresponding to the forwarding rule information:
  • Duration information, valid time information, invalid time information, violation access indication, and number of illegal accesses.
  • configuring the forwarding rule information as valid or invalid based on the rule event information may include:
  • Forwarding rule event information is determined based on the rule event information, and based on the forwarding rule event information, the forwarding rule information is configured as valid or invalid.
  • the content of the forwarding rule event information may be equal to the content of the rule event information, that is, the first network function may directly regard the rule event information as the forwarding rule event information to determine the valid or invalid conditions of the forwarding rule information.
  • in the following, the rule event information is used as an example to determine the valid or invalid conditions of the forwarding rule information.
  • the duration information may be used to indicate the validity period of the corresponding rule information, relay rule information or forwarding rule information.
  • the validity period is not necessarily exactly the period specified by the duration information, and may be longer or shorter than the period specified by the duration information.
  • the time range of the validity period may also be offset from the time range specified by the duration information. For example, the start time of the validity period is within the time range specified by the duration information, and the end time of the validity period is outside that time range.
  • There can be various ways to determine whether the validity period is still running. For example, a timer can be set: the validity period is valid as long as the timer has not expired, and has ended once the timer times out.
  • the valid time information may be used to indicate the valid time or time range of the corresponding rule information, relay rule information or forwarding rule information.
  • the invalid time information may be used to indicate the time or time range when the corresponding rule information, relay rule information or forwarding rule information is invalid.
  • the violation access indication is used to indicate that when data that does not match the rule information or the forwarding rule information is detected, the rule information or the forwarding rule information is invalid.
  • the number of illegal accesses is used to indicate that when data that does not match the rule information or forwarding rule information is detected and exceeds the number of illegal accesses, the rule information or the forwarding rule information is invalidated.
  • the third device may send a data forwarding request to the second network function through the second device and/or the third device.
  • the third device may send third information to the first device or the second device, and the third information may include rule event information for data forwarding; wherein the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
  • the second device sends fourth information to the second network function according to the third information, where the fourth information includes rule event information for data forwarding.
  • the second network function sends the first information to the first network function according to the fourth information.
  • rule event information can be determined in various ways.
  • in one implementation, the rule event information can be provided by the first device; in another implementation, the rule event information may be provided by the second device, or determined or adjusted based on the rule event information sent by the first device; in another implementation, the rule event information may also be determined by the second network function based on local policy and/or rule event information sent by the second device.
  • the first network function performs at least one of the following:
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • after the first device obtains the relay rule information and the relay rule event information from the mobile network side, that is, from the first network function, it may perform at least one of the following:
  • the relay rule information is valid or invalid.
  • validating or invalidating the relay rule information based on the relay rule event information includes at least one of the following:
  • if the validity period determined based on the duration information is valid, the first device enables the relay rule information;
  • the first device deactivates the relay rule information.
  • validating or invalidating the relay rule information based on the relay rule event information includes:
  • when the current time reaches the time or time range determined by the valid time information, the first device enables the relay rule information.
  • validating or invalidating the relay rule information based on the relay rule event information includes:
  • the first device deactivates the relay rule information.
  • the configuration of the forwarding rule information can be validated or invalidated based on the relevant information included in the rule event information.
  • validating or invalidating the configuration of the forwarding rule information based on the rule event information includes at least one of the following:
  • the first network function indicates to the third network function that the forwarding rule information is valid;
  • the first network function indicates to the third network function that the forwarding rule information is invalid, for example, instructs it to delete or invalidate the forwarding rule information.
  • validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
  • when the current time reaches the time or time range determined by the valid time information, the first network function indicates to the third network function that the forwarding rule information is valid.
  • validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
  • when the current time reaches the time or time range determined by the invalid time information, the first network function indicates to the third network function that the forwarding rule information is invalid.
  • validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
  • the first network function indicates to the third network function that the forwarding rule information is invalid.
  • validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
  • when it is detected that data that does not match the rule information exceeds the number of illegal accesses, the first network function indicates to the third network function that the forwarding rule information is invalid.
  • when the rule event information includes a violation access indication and/or a number of illegal accesses, and data that does not match the rule information is detected or data that does not match the rule information is detected to exceed the number of illegal accesses, the method also includes:
  • the first network function sends a termination relay indication to the first device, where the termination relay indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device.
  • after receiving the relay termination indication, the first device terminates forwarding data between the mobile network and the third device based on the relay termination indication.
  • this application implements a signaling process of a device data path management and control method:
  • A1. PINE sends third information to PEGC or PEMC, which may include:
  • PINE first establishes a direct connection with PEGC and sends a remote provisioning request (Remote Provisioning Request) carrying third information to PEGC.
  • the third information may include: a personal Internet of Things identifier (PIN Identifier, PIN ID), a PINE identifier (PINE ID) and rule event information.
  • the rule event information takes Duration as an example.
  • PEGC can directly send a Remote Provisioning Request to PEMC; PEGC can also first send a PEMC notification message (PEMC Notification) to PINMF.
  • PEMC Notification includes a PEGC identification (PEGC ID) and a Remote Provisioning Request, and then PINMF sends it to the PEMC.
  • PEMC sends a Remote Provisioning Request carrying fourth information to PINMF.
  • the fourth information may include PIN ID, PINE ID, PEMC identifier (PEMC ID), PEGC ID and Duration; the PEMC may adjust the Duration received in step A1.
  • A3-A4. PINMF sends the first information to SMF, which may include:
  • the PINMF sends a Remote Provisioning Request carrying the first information to the PCF through the N5 interaction protocol or NEF.
  • the first information may include: an optional Subscription Permanent Identifier (SUPI) or Generic Public Subscription Identifier (GPSI), a terminal address (UE address), an optional Data Network Name (DNN) or slice-related information (such as Single Network Slice Selection Assistance Information (S-NSSAI) or a Network Slice Instance (NSI) identifier), PIN ID, PINE ID, Device to Network Routing Information (D2N Routing Info), uplink packet filters (UL Packet filters), downlink packet filters (DL Packet filters) and Duration.
  • PINMF can determine Duration based on local policies.
  • the D2N Routing Info and DL Packet filters can be generated based on PINE.
  • PCF sends a Remote Provisioning Request carrying the first information to SMF.
  • A5. SMF interacts with UPF and configures forwarding rule information to UPF.
  • A6. SMF and PEGC perform Protocol Data Unit Session Modification (PDU Session Modification), and the second information is sent to PEGC through the N1 message.
  • the second information may include PIN ID, PINE ID, D2N Routing Info and Duration.
  • A7-A10. SMF sends feedback information to PCF;
  • PCF sends feedback information to PINMF;
  • PINMF sends feedback information to PEMC;
  • PEMC sends feedback information to PINE.
  • PINE can interact with the provision server through the mobile network, and the provision server can be managed by a 3rd party device or processor.
  • the embodiments of the present application receive first information from the second network function, where the first information includes rule information and rule event information, and perform at least one of the following based on the first information: sending relay rule information to the first device based on the rule information; sending relay rule event information to the first device based on the rule event information; configuring forwarding rule information to the third network function based on the rule information; validating or invalidating the configuration of the forwarding rule information based on the rule event information. In this way, the data path between the third device and the mobile network can be effectively controlled according to the rule event information, improving mobile network security.
  • the execution subject may be a device data path management and control device.
  • the device data path management and control device performing the device data path management and control method is used as an example to illustrate the device data path management and control device provided by the embodiments of this application.
  • the device data path management and control device includes: a first transmission module 501 and a first execution module 502.
  • the first transmission module 501 is configured to receive first information from a second network function, where the first information includes rule information and rule event information; the first execution module 502 is configured to perform at least the following based on the first information:
  • the relay rule information is used to indicate the rules for the first device to forward data between the mobile network and the third device;
  • the forwarding rule information is used to indicate the rules for the third network function to forward data between the mobile network and the data network;
  • the rule event information is used to indicate the valid or invalid condition of the rule information;
  • the relay rule event information is used to indicate the valid or invalid condition of the relay rule information;
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the rule event information includes at least one of the following corresponding to the forwarding rule information:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the relay rule event information includes at least one of the following corresponding to the relay rule information:
  • Duration information, valid time information, invalid time information.
  • the first execution module 502 is configured to perform at least one of the following:
  • the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is valid when the current time reaches the time or time range determined by the valid time information.
  • the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid when the current time reaches the time or time range determined by the invalid time information.
  • the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid when data that does not match the rule information is detected.
  • the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid if it detects that data that does not match the rule information exceeds the number of illegal accesses.
  • the first execution module 502 is also configured to send a termination relay indication to the first device, where the termination relay indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device.
  • the relay rule information and the forwarding rule information include at least one of the following:
  • the embodiments of the present application receive first information from the second network function, where the first information includes rule information and rule event information, and perform at least one of the following based on the first information: sending relay rule information to the first device based on the rule information; sending relay rule event information to the first device based on the rule event information; configuring forwarding rule information to the third network function based on the rule information; validating or invalidating the configuration of the forwarding rule information based on the rule event information. In this way, the data path between the third device and the mobile network can be effectively managed and controlled based on the rule event information, thereby improving the security of the mobile network.
  • the device data path management and control device in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or may be a component in the electronic device, such as an integrated circuit or chip.
  • the electronic device may be a terminal or other devices other than the terminal.
  • terminals may include but are not limited to the types of terminals 11 listed above, and other devices may be servers, network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in the embodiment of this application.
  • the device data path management and control device provided by the embodiment of the present application can implement each process implemented by the method embodiment of Figures 3 to 4, and achieve the same technical effect. To avoid duplication, the details will not be described here.
  • this embodiment of the present application provides a device data path management and control method.
  • the execution subject of the method is the first device.
  • the method can be executed by software or hardware installed on the first device.
  • the method includes the following steps.
  • the first device receives second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication;
  • the first device performs at least one of the following:
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the relay rule event information includes at least one of the following corresponding to the relay rule information:
  • Duration information; valid time information; invalid time information.
  • validating or invalidating the relay rule information based on the relay rule event information includes at least one of the following:
  • if the validity period determined based on the duration information is valid, the first device enables the relay rule information;
  • the first device deactivates the relay rule information.
  • validating or invalidating the relay rule information based on the relay rule event information includes:
  • when the current time reaches the time or time range determined by the valid time information, the first device enables the relay rule information.
  • validating or invalidating the relay rule information based on the relay rule event information includes:
  • the first device deactivates the relay rule information.
  • the relay rule information includes at least one of the following:
  • the method before the first device receives the second information from the mobile network side, the method further includes:
  • the rule event information is received from the third device.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the violation access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct the first device to terminate forwarding data between the mobile network and the third device when it detects that data that does not match the rule information exceeds the number of illegal accesses.
  • Steps S610-S620 can implement the method embodiment shown in Figure 3-4 and obtain the same technical effect, and the repeated parts will not be described again here.
  • the embodiments of the present application receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication; and perform at least one of the following according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the termination relay indication. In this way, the data path between the third device and the mobile network can be effectively controlled according to the rule event information, and the security of the mobile network can be improved.
  • the execution subject may be a device data path management and control device.
  • the device data path management and control device performing the device data path management and control method is used as an example to illustrate the device data path management and control device provided by the embodiments of this application.
  • the device data path management and control device includes: a second transmission module 701 and a second execution module 702.
  • the second transmission module 701 is used to receive second information from the mobile network side.
  • the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication; the second execution module 702 is configured to perform at least one of the following according to the second information:
  • based on the termination relay indication, terminate the forwarding of data between the mobile network and the third device; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the device access management and control device.
  • the relay rule event information includes at least one of the following:
  • Duration information; valid time information; invalid time information.
  • the second execution module 702 is configured to perform at least one of the following:
  • the relay rule information is deactivated.
  • the second execution module 702 is configured to enable the relay rule information when the current time reaches the time or time range determined by the valid time information.
  • the second execution module 702 is configured to disable the relay rule information when the current time reaches the time or time range determined by the relay invalidation time information.
  • the relay rule information includes at least one of the following:
  • the second transmission module 701 is also configured to send fourth information to the second device or the second network function, where the fourth information includes rule event information for data forwarding.
  • the rule event information is received from the third device.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the illegal access indication is used to instruct to terminate the forwarding of data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to indicate that when data that does not match the rule information is detected to exceed the number of illegal accesses, the forwarding of data between the mobile network and the third device is terminated.
  • the embodiments of the present application receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication; and perform at least one of the following according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the termination relay indication. In this way, the data path between the third device and the mobile network can be effectively controlled based on rule event information, thereby improving the security of the mobile network.
  • the device data path management and control device in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or may be a component in the electronic device, such as an integrated circuit or chip.
  • the electronic device may be a terminal or other devices other than the terminal.
  • terminals may include but are not limited to the types of terminals 11 listed above, and other devices may be servers, network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in the embodiment of this application.
  • the device data path management and control device provided by the embodiment of the present application can implement each process implemented by the method embodiment in Figure 6 and achieve the same technical effect. To avoid duplication, the details will not be described here.
  • this embodiment of the present application provides a device data path management and control method.
  • the method is executed by the second network function.
  • the method can be executed by software or hardware installed in the second network function.
  • the method includes the following steps.
  • the second network function sends first information to the first network function, where the first information includes rule information and rule event information.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the rule information includes at least one of the following:
  • the relay rule information indicates the rules for the first device to forward data between the mobile network and the third device
  • the forwarding rule information is used to indicate the rules for the third network function to forward data between the mobile network and the data network
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the relay rule information and the forwarding rule information include at least one of the following:
  • the rule event information is received from the first device or the second device.
  • Step S810 can implement the method embodiment shown in Figures 3-4 and obtain the same technical effect, and the repeated parts will not be described again here.
  • the embodiments of the present application send the first information to the first network function, where the first information includes rule information and rule event information, so that the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
  • the execution subject may be a device data path management and control device.
  • the device data path management and control device performing the device data path management and control method is used as an example to illustrate the device data path management and control device provided by the embodiments of this application.
  • the device data path management and control device includes: a third transmission module 901 and a third execution module 902.
  • the third execution module 902 is used to obtain the first information; the third transmission module 901 is used to send the first information to the first network function, where the first information includes rule information and rule event information.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the rule information includes at least one of the following:
  • the relay rule information indicates the rules for the first device to forward data between the mobile network and the third device
  • the forwarding rule information is used to indicate the rules for the third network function to forward data between the mobile network and the data network
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the relay rule information and the forwarding rule information include at least one of the following:
  • the rule event information is received from the first device or the second device.
  • the embodiments of the present application send the first information to the first network function, where the first information includes rule information and rule event information, so that the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
  • the device data path management and control device in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or may be a component in the electronic device, such as an integrated circuit or chip.
  • the electronic device may be a terminal or other devices other than the terminal.
  • terminals may include but are not limited to the types of terminals 11 listed above, and other devices may be servers, network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in the embodiment of this application.
  • the device data path management and control device provided by the embodiment of the present application can implement each process implemented by the method embodiment in Figure 8 and achieve the same technical effect. To avoid duplication, the details will not be described here.
  • an embodiment of the present application provides a device data path management and control method.
  • the execution subject of the method is a third device.
  • the method can be executed by software or hardware installed on the third device.
  • the method includes the following steps.
  • the third device sends third information to the first device or the second device, where the third information includes rule event information for data forwarding;
  • the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid;
  • the third device is a device that receives data from the mobile network side through the first device or sends data to the mobile network side.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the violation access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected to exceed the number of illegal accesses.
  • Step S1010 can implement the method embodiment shown in Figures 3-4 and obtain the same technical effect, and the repeated parts will not be described again here.
  • the embodiments of the present application send third information to the first device or the second device, where the third information includes rule event information for data forwarding, and the rule event information is used to indicate relevant information that determines whether the data forwarding is valid or invalid. In this way, the data path between the third device and the mobile network can be effectively controlled based on the rule event information, thereby improving the security of the mobile network.
  • the execution subject may be a device data path management and control device.
  • the device data path management and control device performing the device data path management and control method is used as an example to illustrate the device data path management and control device provided by the embodiments of this application.
  • the device data path management and control device includes: a fourth transmission module 1101 and a fourth execution module 1102.
  • the fourth execution module 1102 is used to obtain third information; the fourth transmission module 1101 is used to send the third information to the first device or the second device, where the third information includes rule event information for data forwarding; wherein the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid; the device access management and control device is a device that receives data from the mobile network side through the first device or sends data to the mobile network side.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the violation access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected to exceed the number of illegal accesses.
  • the embodiments of the present application send third information to the first device or the second device, where the third information includes rule event information for data forwarding, and the rule event information is used to indicate relevant information that determines whether the data forwarding is valid or invalid. In this way, the data path between the third device and the mobile network can be effectively controlled based on the rule event information, thereby improving the security of the mobile network.
  • the device data path management and control device in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or may be a component in the electronic device, such as an integrated circuit or chip.
  • the electronic device may be a terminal or other devices other than the terminal.
  • terminals may include but are not limited to the types of terminals 11 listed above, and other devices may be servers, network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in the embodiment of this application.
  • the device data path management and control device provided by the embodiment of the present application can implement each process implemented by the method embodiment in Figure 10 and achieve the same technical effect. To avoid duplication, the details will not be described here.
  • this embodiment of the present application provides a device data path management and control method.
  • the execution subject of the method is the second device.
  • the method can be executed by software or hardware installed on the second device.
  • the method also includes the following steps.
  • the second device sends fourth information to the second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the rule event information is received from the third device or the first device;
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the illegal access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected to exceed the number of illegal accesses.
  • Step S1210 can implement the method embodiment shown in Figures 3-4 and obtain the same technical effect, and the repeated parts will not be described again here.
  • the embodiments of the present application send fourth information to the second network function, where the fourth information includes rule event information for data forwarding, and the rule event information is used to indicate relevant information that determines whether the data forwarding is valid or invalid, so that the data path between the third device and the mobile network can be effectively controlled based on the rule event information, and the security of the mobile network can be improved.
  • the execution subject may be a device data path management and control device.
  • the device data path management and control device performing the device data path management and control method is used as an example to illustrate the device data path management and control device provided by the embodiments of this application.
  • the device data path management and control device includes: a fifth transmission module 1301 and a fifth execution module 1302.
  • the fifth execution module 1302 is used to obtain fourth information; the fifth transmission module 1301 is used to send the fourth information to the second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the rule event information is received from the third device or the first device;
  • the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  • the illegal access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct the first device to terminate forwarding data between the mobile network and the third device when the detected data that does not match the rule information exceeds the number of illegal accesses.
  • the embodiments of the present application send fourth information to the second network function.
  • the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid, so that the data path between the third device and the mobile network can be effectively controlled based on the rule event information, and the security of the mobile network can be improved.
  • the device data path management and control device in the embodiment of the present application may be an electronic device, such as an electronic device with an operating system, or may be a component in the electronic device, such as an integrated circuit or chip.
  • the electronic device may be a terminal or other devices other than the terminal.
  • the terminal may include, but is not limited to, the types of terminal 11 listed above.
  • Other devices may be servers, network attached storage (Network Attached Storage, NAS), etc., which are not specifically limited in the embodiments of this application.
  • the device data path management and control device provided by the embodiment of the present application can implement each process implemented by the method embodiment in Figure 12 and achieve the same technical effect. To avoid duplication, the details will not be described here.
  • this embodiment of the present application also provides a communication device 1400, which includes a processor 1401 and a memory 1402.
  • the memory 1402 stores programs or instructions that can be run on the processor 1401. For example, when the communication device 1400 is a terminal, the program or instruction, when executed by the processor 1401, implements each step of the above device data path management and control method embodiment and achieves the same technical effect.
  • when the communication device 1400 is a network-side device, the program or instruction, when executed by the processor 1401, implements each step of the above device data path management and control method embodiment and achieves the same technical effect. To avoid duplication, the details are not repeated here.
  • An embodiment of the present application also provides a terminal, including a processor and a communication interface.
  • the processor is configured to perform at least one of the following according to the second information: forwarding data between the mobile network and a third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the termination relay indication. The communication interface is used to receive the second information from the mobile network side.
  • the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication.
  • This terminal embodiment corresponds to the above-mentioned terminal-side method embodiment. Each implementation process and implementation manner of the above-mentioned method embodiment can be applied to this terminal embodiment, and can achieve the same technical effect.
  • FIG. 15 is a schematic diagram of the hardware structure of a terminal that implements an embodiment of the present application.
  • the terminal 1500 includes but is not limited to at least some of the following components: a radio frequency unit 1501, a network module 1502, an audio output unit 1503, an input unit 1504, a sensor 1505, a display unit 1506, a user input unit 1507, an interface unit 1508, a memory 1509, a processor 1510, etc.
  • the terminal 1500 may also include a power supply (such as a battery) that supplies power to various components.
  • the power supply may be logically connected to the processor 1510 through a power management system, so that functions such as charging management, discharging management and power consumption management are implemented through the power management system.
  • the terminal structure shown in FIG. 15 does not constitute a limitation on the terminal.
  • the terminal may include more or fewer components than shown in the figure, or some components may be combined or arranged differently, which will not be described again here.
  • the input unit 1504 may include a graphics processing unit (GPU) 15041 and a microphone 15042.
  • the GPU 15041 processes the image data of still pictures or videos obtained by an image capture device (such as a camera) in the video capture mode or the image capture mode.
  • the display unit 1506 may include a display panel 15061, which may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like.
  • the user input unit 1507 includes at least one of a touch panel 15071 and other input devices 15072.
  • the touch panel 15071 is also known as a touch screen.
  • the touch panel 15071 may include two parts: a touch detection device and a touch controller.
  • Other input devices 15072 may include but are not limited to physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, and joysticks, which will not be described again here.
  • the radio frequency unit 1501 can transmit it to the processor 1510 for processing; in addition, the radio frequency unit 1501 can send uplink data to the network side device.
  • the radio frequency unit 1501 includes, but is not limited to, an antenna, amplifier, transceiver, coupler, low noise amplifier, duplexer, etc.
  • Memory 1509 may be used to store software programs or instructions as well as various data.
  • the memory 1509 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, wherein the first storage area may store an operating system and an application program or instructions required for at least one function (such as a sound playback function, an image playback function, etc.).
  • memory 1509 may include volatile memory or nonvolatile memory, or memory 1509 may include both volatile and nonvolatile memory.
  • non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically removable memory.
  • Volatile memory can be random access memory (Random Access Memory, RAM), static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDRSDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (Synch link DRAM, SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DRRAM).
  • the processor 1510 may include one or more processing units; optionally, the processor 1510 integrates an application processor and a modem processor, where the application processor mainly handles operations related to the operating system, user interface, application programs, etc., and the modem processor, such as a baseband processor, mainly processes wireless communication signals. It can be understood that the above modem processor may not be integrated into the processor 1510.
  • the radio frequency unit 1501 is configured to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; and a relay termination indication.
  • Processor 1510 configured to perform at least one of the following according to the second information:
  • the relay rule event information includes at least one of the following:
  • Duration information; valid time information; invalid time information.
  • the processor 1510 is configured to perform at least one of the following:
  • the relay rule information is deactivated.
  • the processor 1510 is configured to enable the relay rule information when the current time reaches the time or time range determined by the valid time information.
  • the processor 1510 is configured to deactivate the relay rule information when the current time reaches the time or time range determined by the invalid time information.
  • the relay rule information includes at least one of the following:
  • the radio frequency unit 1501 is also configured to send fourth information to the second device or the second network function, where the fourth information includes rule event information for data forwarding.
  • the rule event information is received from the third device.
  • the rule event information includes at least one of the following:
  • Duration information, valid time information, invalid time information, illegal access indication, and number of illegal accesses.
  • the illegal access indication is used to instruct to terminate the forwarding of data between the mobile network and the third device when data that does not match the rule information is detected.
  • the number of illegal accesses is used to instruct to terminate the forwarding of data between the mobile network and the third device when the detected data that does not match the rule information exceeds the number of illegal accesses.
  • the embodiments of this application can effectively control the data path between the third device and the mobile network based on rule event information, thereby improving the security of the mobile network.
  • the embodiment of the present application also provides a network side device.
  • the network side device 1600 includes: a processor 1601, a network interface 1602, and a memory 1603.
  • the network interface 1602 is, for example, a common public radio interface (CPRI).
  • the network side device 1600 in this embodiment of the present invention also includes: instructions or programs stored in the memory 1603 and executable on the processor 1601.
  • the processor 1601 calls the instructions or programs in the memory 1603 to execute the methods performed by the modules shown in Figure 5 or Figure 9, and achieves the same technical effect. To avoid repetition, they will not be described in detail here.
  • Embodiments of the present application also provide a readable storage medium.
  • Programs or instructions are stored on the readable storage medium.
  • when the program or instructions are executed by a processor, each process of the above device data path management and control method embodiment is implemented, and the same technical effect can be achieved. To avoid repetition, the details are not repeated here.
  • the processor is the processor in the terminal described in the above embodiment.
  • the readable storage medium may be non-volatile or non-transient.
  • the readable storage medium may include computer-readable storage media, such as computer read-only memory ROM, random access memory RAM, magnetic disks or optical discs, etc.
  • An embodiment of the present application further provides a chip.
  • the chip includes a processor and a communication interface.
  • the communication interface is coupled to the processor.
  • the processor is used to run programs or instructions to implement each process of the above device data path management and control method embodiment, and can achieve the same technical effect. To avoid repetition, the details are not repeated here.
  • chips mentioned in the embodiments of this application may also be called a system-level chip, system chip, chip system or system-on-chip, etc.
  • Embodiments of the present application further provide a computer program/program product.
  • the computer program/program product is stored in a storage medium.
  • the computer program/program product is executed by at least one processor to implement each process of the above device data path management and control method embodiment, and can achieve the same technical effect. To avoid repetition, it will not be described again here.
  • Embodiments of the present application also provide a device data path management and control system, including: a first device, a second device, a third device, a first network function and a second network function.
  • the first device, the second device, the third device, the first network function and the second network function may be used to perform the steps of the device data path management and control method as described above.
  • the methods of the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, they can also be implemented by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, in essence or in the part that contributes to the related technologies, can be embodied in the form of a computer software product.
  • the computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disc), including several instructions to cause a terminal (which can be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in various embodiments of this application.
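The first-device behaviour described above (enable or deactivate the relay rule by valid/invalid time, stop relaying on an illegal access indication or once mismatches exceed the number of illegal accesses, or on a termination relay indication) can be modelled as follows. This is an added example, not code from the application: `RelayRule`, `RuleEvent` and `RelayEnforcer` are hypothetical names, matching on destination address and port is an assumption because the page does not list the fields of the rule information, and dropping traffic while no rule is active and treating duration as seconds counted from enabling are also assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RelayRule:
    """Relay rule information. Matching on destination address and port is an
    assumption; the page does not list the fields of the rule information."""
    allowed_dst: str
    allowed_port: int

    def matches(self, dst: str, port: int) -> bool:
        return dst == self.allowed_dst and port == self.allowed_port


@dataclass(frozen=True)
class RuleEvent:
    """Relay rule event information, one field per item named on the page."""
    valid_time: Optional[float] = None          # rule is enabled from this time
    invalid_time: Optional[float] = None        # rule is deactivated from this time
    duration: Optional[float] = None            # assumed: seconds of validity after enabling
    illegal_access_indication: bool = False     # terminate on any non-matching data
    illegal_access_count: Optional[int] = None  # terminate once mismatches exceed this


class RelayEnforcer:
    """Hypothetical enforcement point on the first (relay) device."""

    def __init__(self, rule: RelayRule, event: RuleEvent, installed_at: float = 0.0):
        self.rule = rule
        self.event = event
        self.installed_at = installed_at
        self.mismatches = 0
        self.terminated = False

    def rule_active(self, now: float) -> bool:
        ev = self.event
        start = ev.valid_time if ev.valid_time is not None else self.installed_at
        if now < start:
            return False
        if ev.invalid_time is not None and now >= ev.invalid_time:
            return False
        if ev.duration is not None and now >= start + ev.duration:
            return False
        return True

    def terminate_relay(self) -> None:
        """Termination relay indication received from the mobile network side."""
        self.terminated = True

    def handle(self, now: float, dst: str, port: int) -> str:
        """Return the verdict for one unit of data seen at time `now`."""
        if self.terminated:
            return "terminated"
        if not self.rule_active(now):
            return "drop-inactive"  # assumed fail-closed: no active rule, no relaying
        if self.rule.matches(dst, port):
            return "forward"
        self.mismatches += 1
        ev = self.event
        over_limit = (ev.illegal_access_count is not None
                      and self.mismatches > ev.illegal_access_count)
        if ev.illegal_access_indication or over_limit:
            self.terminated = True  # stop relaying for the third device
            return "terminated"
        return "drop-mismatch"


# Constructed sample traffic: (time, destination, port). The addresses are
# documentation-range values and do not come from the page.
SAMPLE_TRACE: List[Tuple[float, str, int]] = [
    (90, "192.0.2.10", 443),     # before the valid time
    (110, "192.0.2.10", 443),    # matches the rule
    (120, "198.51.100.7", 80),   # mismatch 1
    (130, "198.51.100.7", 80),   # mismatch 2
    (140, "192.0.2.10", 443),    # still relayed
    (150, "198.51.100.7", 80),   # mismatch 3 exceeds the count of 2
    (160, "192.0.2.10", 443),    # relaying already terminated
]


def run_sample_trace() -> List[str]:
    enforcer = RelayEnforcer(
        RelayRule("192.0.2.10", 443),
        RuleEvent(valid_time=100, invalid_time=200, illegal_access_count=2),
    )
    return [enforcer.handle(t, dst, port) for t, dst, port in SAMPLE_TRACE]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_TRACE, run_sample_trace()):
        print(packet, "->", verdict)
```

Once the enforcer reaches the terminated state, data that would match the rule is no longer relayed either, which is what closes the opened path to a device that keeps sending non-matching data.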

Abstract

The present application relates to the field of mobile communications, and discloses a device data path management and control method, a device, a terminal, and a network side device. The device data path management and control method in embodiments of the present application comprises: a first network function receives first information from a second network function, the first information comprising rule information and rule event information; and according to the first information, the first network function executes at least one of the following: on the basis of the rule information, sending relay rule information to a first device; on the basis of the rule event information, sending relay rule event information to the first device; on the basis of the rule information, configuring forwarding rule information for a third network function; and on the basis of the rule event information, validating or invalidating the configuration of the forwarding rule information.

Description

Device data path management and control method, device, terminal and network side device
Cross reference
The present invention claims priority to the Chinese patent application filed with the China Patent Office on July 13, 2022, with application number 202210821333.5 and the invention title "Device data path management and control method, device, terminal and network side device", the entire content of which is incorporated herein by reference.
Technical field
This application belongs to the field of mobile communication technology, and specifically relates to a device data path management and control method, a device, a terminal and a network side device.
Background
Related technologies support remote download for the Internet of Things (IoT). Taking credential download as an example, when an IoT access device needs to download a credential remotely, it has to request the mobile network to open a download path. However, the path opened by the mobile network carries security risks; for example, an attacked device may use the path to send information frequently in order to attack the mobile network.
Summary of the invention
Embodiments of the present application provide a device data path management and control method, a device, a terminal and a network side device, which can solve the problem that an opened path carries security risks.
In a first aspect, a device data path management and control method is provided, applied to a first network function. The method includes:
The first network function receives first information from a second network function, where the first information includes rule information and rule event information;
According to the first information, the first network function performs at least one of the following:
Sending relay rule information to a first device based on the rule information;
Sending relay rule event information to the first device based on the rule event information;
Configuring forwarding rule information for a third network function based on the rule information;
Validating or invalidating the configuration of the forwarding rule information based on the rule event information;
Wherein, the relay rule information is used to indicate the rule by which the first device forwards data between the mobile network and a third device, the forwarding rule information is used to indicate the rule by which the third network function forwards data between the mobile network and a data network, the rule event information is used to indicate the condition under which the rule information is valid or invalid, the relay rule event information is used to indicate the condition under which the relay rule information is valid or invalid, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
In a second aspect, a device data path management and control device is provided, including:
A first transmission module, configured to receive first information from a second network function, where the first information includes rule information and rule event information;
A first execution module, configured to perform at least one of the following according to the first information:
Sending relay rule information to a first device based on the rule information;
Sending relay rule event information to the first device based on the rule event information;
Configuring forwarding rule information for a third network function based on the rule information;
Validating or invalidating the configuration of the forwarding rule information based on the rule event information;
Wherein, the relay rule information is used to indicate the rule by which the first device forwards data between the mobile network and a third device, the forwarding rule information is used to indicate the rule by which the third network function forwards data between the mobile network and a data network, the rule event information is used to indicate the condition under which the rule information is valid or invalid, the relay rule event information is used to indicate the condition under which the relay rule information is valid or invalid, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
In a third aspect, a device data path management and control method is provided, applied to a first device. The method includes:
The first device receives second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication;
According to the second information, the first device performs at least one of the following:
Forwarding data between the mobile network and a third device based on the relay rule information;
Validating or invalidating the relay rule information based on the relay rule event information;
Terminating the forwarding of data between the mobile network and the third device based on the termination relay indication; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
In a fourth aspect, a device data path management and control device is provided, including:
A second transmission module, configured to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a termination relay indication;
A second execution module, configured to perform at least one of the following according to the second information:
Forwarding data between the mobile network and a third device based on the relay rule information;
Validating or invalidating the relay rule information based on the relay rule event information;
Terminating the forwarding of data between the mobile network and the third device based on the termination relay indication; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the device access management and control device.
In a fifth aspect, a device data path management and control method is provided, applied to a second network function. The method includes:
The second network function sends first information to a first network function, where the first information includes rule information and rule event information.
In a sixth aspect, a device data path management and control device is provided, including:
A third execution module, configured to obtain first information;
A third transmission module, configured to send the first information to a first network function, where the first information includes rule information and rule event information.
In a seventh aspect, a device data path management and control method is provided, applied to a third device. The method includes:
The third device sends third information to a first device or a second device, where the third information includes rule event information for data forwarding;
Wherein, the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid; the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
In an eighth aspect, a device data path management and control device is provided, including:
A fourth execution module, configured to obtain third information;
A fourth transmission module, configured to send the third information to a first device or a second device, where the third information includes rule event information for data forwarding;
Wherein, the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid; the device access management and control device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
In a ninth aspect, a device data path management and control method is provided, applied to a second device. The method includes:
The second device sends fourth information to a second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
In a tenth aspect, a device data path management and control device is provided, including:
A fifth execution module, configured to obtain fourth information;
A fifth transmission module, configured to send the fourth information to a second network function, where the fourth information includes rule event information for data forwarding; the rule event information is used to indicate relevant information for determining whether the data forwarding is valid or invalid.
第十一方面,提供了一种终端,该终端包括处理器和存储器,所述存储器存储可在所述处理器上运行的程序或指令,所述程序或指令被所述处理器执行时实现如第三方面、第七方面或第九方面所述的方法的步骤。In an eleventh aspect, a terminal is provided. The terminal includes a processor and a memory. The memory stores programs or instructions that can be run on the processor. When the program or instructions are executed by the processor, the following is implemented: The steps of the method described in the third, seventh or ninth aspect.
第十二方面,提供了一种终端,包括处理器及通信接口,其中,所述处理器用于根据所述第二信息执行以下至少一项:基于所述中继规则信息转发 所述移动网络与第三设备间的数据;基于所述中继规则事件信息,有效或无效所述中继规则信息;基于所述终止中继指示,终止转发移动网络与第三设备间的数据,所述通信接口用于从移动网络侧接收第二信息,所述第二信息包括以下至少一项:中继规则信息和中继规则事件信息;终止中继指示。In a twelfth aspect, a terminal is provided, including a processor and a communication interface, wherein the processor is configured to perform at least one of the following according to the second information: forwarding based on the relay rule information Data between the mobile network and the third device; Validating or invalidating the relay rule information based on the relay rule event information; Terminating forwarding of data between the mobile network and the third device based on the termination relay indication , the communication interface is used to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; and a termination relay indication.
In a thirteenth aspect, a network-side device is provided. The network-side device includes a processor and a memory, the memory stores programs or instructions that can be run on the processor, and the programs or instructions, when executed by the processor, implement the steps of the method described in the first aspect or the fifth aspect.
In a fourteenth aspect, a device data path management and control system is provided, including: a first device, a second device, a third device, a first network function and a second network function. The first network function can be used to perform the steps of the device data path management and control method described in the first aspect, the first device can be used to perform the steps of the device data path management and control method described in the third aspect, the second network function can be used to perform the steps of the device data path management and control method described in the fifth aspect, the third device can be used to perform the steps of the device data path management and control method described in the seventh aspect, and the second device can be used to perform the steps of the device data path management and control method described in the ninth aspect.
In a fifteenth aspect, a readable storage medium is provided. Programs or instructions are stored on the readable storage medium, and the programs or instructions, when executed by a processor, implement the steps of the method described in the first aspect, or the steps of the method described in the third aspect, or the steps of the method described in the fifth aspect, or the steps of the method described in the seventh aspect, or the steps of the method described in the ninth aspect.
In a sixteenth aspect, a chip is provided. The chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the steps of the method described in the first aspect, or the steps of the method described in the third aspect, or the steps of the method described in the fifth aspect, or the steps of the method described in the seventh aspect, or the steps of the method described in the ninth aspect.
In a seventeenth aspect, a computer program/program product is provided. The computer program/program product is stored in a storage medium and is executed by at least one processor to implement the steps of the method described in the first aspect, or the steps of the method described in the third aspect, or the steps of the method described in the fifth aspect, or the steps of the method described in the seventh aspect, or the steps of the method described in the ninth aspect.
In the embodiments of the present application, first information is received from the second network function, the first information including rule information and rule event information, and at least one of the following is performed according to the first information: sending relay rule information to the first device based on the rule information; sending relay rule event information to the first device based on the rule event information; configuring forwarding rule information to a third network function based on the rule information; validating or invalidating the configuration of the forwarding rule information based on the rule event information. In this way, the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
Description of the drawings
Figure 1 is a schematic structural diagram of a wireless communication system to which the embodiments of the present application are applicable;
Figure 2 is a schematic structural diagram of a device data path management system provided by an embodiment of the present application;
Figure 3 is a schematic flowchart of a device data path management and control method provided by an embodiment of the present application;
Figure 4 is a schematic diagram of the signaling flow of a device data path management and control method provided by an embodiment of the present application;
Figure 5 is a schematic structural diagram of a device data path management and control apparatus provided by an embodiment of the present application;
Figure 6 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application;
Figure 7 is a schematic structural diagram of another device data path management and control apparatus provided by an embodiment of the present application;
Figure 8 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of another device data path management and control apparatus provided by an embodiment of the present application;
Figure 10 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application;
Figure 11 is a schematic structural diagram of another device data path management and control apparatus provided by an embodiment of the present application;
Figure 12 is a schematic flowchart of another device data path management and control method provided by an embodiment of the present application;
Figure 13 is a schematic structural diagram of another device data path management and control apparatus provided by an embodiment of the present application;
Figure 14 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
Figure 15 is a schematic structural diagram of a terminal that implements an embodiment of the present application;
Figure 16 is a schematic structural diagram of a network-side device that implements an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application will be clearly described below with reference to the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art fall within the scope of protection of this application.
The terms "first", "second", etc. in the description and claims of this application are used to distinguish similar objects and are not used to describe a specific order or sequence. It is to be understood that the terms so used are interchangeable under appropriate circumstances, so that the embodiments of the present application can be practiced in sequences other than those illustrated or described herein. The objects distinguished by "first" and "second" are usually of one type, and the number of objects is not limited; for example, the first object can be one or multiple. In addition, "and/or" in the description and claims means at least one of the connected objects, and the character "/" generally means that the objects before and after it are in an "or" relationship.
It is worth pointing out that the technology described in the embodiments of this application is not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-A) systems, and can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency Division Multiple Access (SC-FDMA) and other systems. The terms "system" and "network" in the embodiments of this application are often used interchangeably, and the described technology can be used not only for the above-mentioned systems and radio technologies, but also for other systems and radio technologies. The following description describes a New Radio (NR) system for example purposes, and NR terminology is used in much of the following description, but these techniques can also be applied to applications other than NR system applications, such as 6th Generation (6G) communication systems.
Figure 1 shows a block diagram of a wireless communication system to which embodiments of the present application are applicable. The wireless communication system includes a terminal 11 and a network-side device 12. The terminal 11 may be a terminal-side device such as a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (Laptop Computer, also called a notebook computer), a personal digital assistant (Personal Digital Assistant, PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (Mobile Internet Device, MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device (Wearable Device), vehicle user equipment (Vehicle User Equipment, VUE), pedestrian user equipment (Pedestrian User Equipment, PUE), a smart home device (home equipment with wireless communication functions, such as a refrigerator, television, washing machine or furniture), a game console, a personal computer (PC), a teller machine or a self-service machine. Wearable devices include smart watches, smart bands, smart earphones, smart glasses, smart jewelry (smart bangles, smart bracelets, smart rings, smart necklaces, smart anklets, smart ankle chains, etc.), smart wristbands, smart clothing, etc. It should be noted that the embodiments of the present application do not limit the specific type of the terminal 11. The network-side device 12 may include an access network device or a core network device, where the access network device 12 may also be called a radio access network device, a radio access network (Radio Access Network, RAN), a radio access network function or a radio access network unit. The access network device 12 may include a base station, a Wireless Local Area Network (WLAN) access point, a WiFi node, etc. The base station may be called a Node B, an evolved Node B (eNB), an access point, a Base Transceiver Station (BTS), a radio base station, a radio transceiver, a Basic Service Set (BSS), an Extended Service Set (ESS), a home Node B, a home evolved Node B, a Transmitting Receiving Point (TRP) or some other appropriate term in the field. As long as the same technical effect is achieved, the base station is not limited to a specific technical term. It should be noted that the embodiments of this application use only the base station in the NR system as an example, and the specific type of base station is not limited. Core network equipment may include but is not limited to at least one of the following: core network nodes, core network functions, Mobility Management Entity (MME), Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Policy and Charging Rules Function (PCRF), Edge Application Server Discovery Function (EASDF), Unified Data Management (UDM), Unified Data Repository (UDR), Home Subscriber Server (HSS), Centralized network configuration (CNC), Network Repository Function (NRF), Network Exposure Function (NEF), Local NEF (L-NEF), Binding Support Function (BSF), Application Function (AF), etc. It should be noted that the embodiments of this application use only the core network equipment in the NR system as an example, and the specific type of the core network equipment is not limited.
The device data path management and control method, apparatus, terminal and network-side device provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings, through some embodiments and their application scenarios.
As shown in Figure 2 or Figure 3, an embodiment of the present application provides a device data path management and control method. The method is executed by the first network function; in other words, the method can be performed by software or hardware installed on the first network function. The method includes the following steps.
S310. The first network function receives first information from the second network function, where the first information includes rule information and rule event information.
The device data path management and control system of the embodiments of the present application improves network security by managing and controlling the data path through which the third device 203 (which may also be called an access device) accesses the mobile network. Taking the Internet of Things as an example, as shown in Figure 2, the data network where the third device 203 is located may be a Personal IoT Network (PIN), and the third device 203 may be a personal IoT device (PIN Element, PINE). The data network also includes a first device 201 and a second device 202. The first device 201 is a personal IoT device with gateway capability (PIN Element with Gateway Capability, PEGC) connected to the mobile network, and the second device 202 is a personal IoT device with management capability (PIN Element with Management Capability, PEMC) used to manage the third device. The mobile network mainly includes a first network function 211, a second network function 212 and a third network function 213. The first network function 211 may be a Session Management Function (SMF) in the mobile network. The second network function 212 may be a personal IoT management function (PIN Management Function, PINMF) connected to the network where the third device is located, and may also be a Network Exposure Function (NEF) or a Policy Control Function (PCF). The third network function 213 may be a User Plane Function (UPF) used to perform routing and forwarding of user plane data packets.
The rule information indicates the data transmission rules for the data path through which the third device accesses the mobile network. The rule information may include relay rule information and forwarding rule information. The relay rule information indicates the rules by which the first device forwards data between the mobile network and the third device, and the forwarding rule information indicates the rules by which the third network function forwards data between the mobile network and the data network. In one implementation, the rule information may take the form of routing information (Routing Information, Routing Info), the relay rule information may take the form of device-to-network routing information (Device to Network Routing Information, D2N Routing Info), and the forwarding rule information may take the form of network routing information (Network Routing Information, Network Routing Info).
Optionally, the relay rule information and the forwarding rule information include at least one of the following:
Uplink data filtering rules, specifically expressed as an uplink packet filter (UL packet filter);
Downlink data filtering rules, specifically expressed as a downlink packet filter (DL packet filter);
Uplink data forwarding rules;
Downlink data forwarding rules.
The rule event information indicates the conditions under which the rule information is valid or invalid. Based on the rule event information, the relay rule event information corresponding to the relay rule information and the forwarding rule event information corresponding to the forwarding rule information can be determined respectively. The relay rule event information indicates the conditions under which the relay rule information is valid or invalid, and the forwarding rule event information indicates the conditions under which the forwarding rule information is valid or invalid.
Optionally, the rule event information includes at least one of the following corresponding to the rule information:
Duration information (Duration), valid time information, invalid time information, an access violation indication, an access violation count.
Optionally, the relay rule event information includes at least one of the following corresponding to the relay rule information:
Duration information, valid time information, invalid time information.
The forwarding rule event information includes at least one of the following corresponding to the forwarding rule information:
Duration information, valid time information, invalid time information, an access violation indication, an access violation count.
In one implementation, validating or invalidating the configuration of the forwarding rule information based on the rule event information may include:
Determining forwarding rule event information based on the rule event information, and validating or invalidating the configuration of the forwarding rule information based on the forwarding rule event information.
The content of the forwarding rule event information may be the same as the content of the rule event information; that is, the first network function may directly treat the rule event information as the forwarding rule event information when determining the conditions under which the forwarding rule information is valid or invalid. For simplicity, the following embodiments all use the rule event information to determine the valid or invalid conditions of the forwarding rule information.
The duration information may be used to indicate the validity period of the corresponding rule information, relay rule information or forwarding rule information. The validity period is not necessarily the absolute period given by the duration information: it may be longer or shorter than the time range given by the duration information, or may deviate from that time range to some extent, for example with the start time of the validity period inside the time range given by the duration information and the end time outside it. There are various ways to determine whether the validity period is still in effect. For example, a timer can be set: while the timer has not expired the validity period is in effect, and once the timer expires the validity period has lapsed.
The valid time information may be used to indicate the time or time range at which the corresponding rule information, relay rule information or forwarding rule information is valid.
The invalid time information may be used to indicate the time or time range at which the corresponding rule information, relay rule information or forwarding rule information is invalid.
The access violation indication indicates that the rule information or forwarding rule information is to be invalidated when data that does not match the rule information or forwarding rule information is detected.
The access violation count indicates that the rule information or forwarding rule information is to be invalidated when the detected data that does not match the rule information or forwarding rule information exceeds the access violation count.
When the third device needs to access the mobile network, the third device may send a data forwarding request to the second network function through the second device and/or the third device. Specifically, the third device may send third information to the first device or the second device, and the third information may include rule event information for data forwarding, where the rule event information indicates the information used to determine whether the data forwarding is valid or has lapsed. The second device sends fourth information to the second network function according to the third information, where the fourth information includes the rule event information for data forwarding. The second network function sends the first information to the first network function according to the fourth information.
It should be understood that the rule event information can be determined in various ways. In one implementation, the rule event information may be provided by the first device. In another implementation, the rule event information may be provided by the second device, or determined or adjusted based on the rule event information sent by the first device. In another implementation, the rule event information may also be determined by the second network function based on local policy and/or the rule event information sent by the second device.
S320. According to the first information, the first network function performs at least one of the following:
Based on the rule information, sending relay rule information to the first device;
Based on the rule event information, sending relay rule event information to the first device;
Based on the rule information, configuring forwarding rule information to the third network function, so that the third network function forwards data between the mobile network and the third device;
Based on the rule event information, validating or invalidating the configuration of the forwarding rule information;
Here, the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
After the first device obtains the relay rule information and the relay rule event information from the mobile network side, that is, from the first network function, it may perform at least one of the following:
Forwarding data between the mobile network and the third device based on the relay rule information;
Validating or invalidating the relay rule information based on the relay rule event information.
In one implementation, when the relay rule event information includes duration information, validating or invalidating the relay rule information based on the relay rule event information includes at least one of the following:
When the validity period determined based on the duration information is in effect, the first device enables the relay rule information;
When the validity period determined based on the duration information has lapsed, the first device disables the relay rule information.
In another implementation, when the relay rule event information includes valid time information, validating or invalidating the relay rule information based on the relay rule event information includes:
When the current time reaches the time or time range determined by the valid time information, the first device enables the relay rule information.
In another implementation, when the relay rule event information includes relay invalid time information, validating or invalidating the relay rule information based on the relay rule event information includes:
When the current time reaches the time or time range determined by the relay invalid time information, the first device disables the relay rule information.
After the first network function configures the forwarding rule information to the third network function, it can validate or invalidate the configuration of the forwarding rule information based on the information included in the rule event information.
In one implementation, when the rule event information includes duration information, validating or invalidating the configuration of the forwarding rule information based on the rule event information includes at least one of the following:
When the validity period determined based on the duration information is in effect, the first network function indicates to the third network function that the forwarding rule information is valid;
When the validity period determined based on the duration information has lapsed, the first network function indicates to the third network function that the forwarding rule information is invalid, for example by instructing it to delete or to invalidate the forwarding rule information.
In another implementation, when the rule event information includes valid time information, validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
When the current time reaches the time or time range determined by the valid time information, the first network function indicates to the third network function that the forwarding rule information is valid.
In another implementation, when the rule event information includes invalid time information, validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
When the current time reaches the time or time range determined by the invalid time information, the first network function indicates to the third network function that the forwarding rule information is invalid.
In another implementation, when the rule event information includes an access violation indication, validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
When data that does not match the rule information is detected, the first network function indicates to the third network function that the forwarding rule information is invalid.
In another implementation, when the rule event information includes an access violation count, validating or invalidating the configuration of the forwarding rule information based on the rule event information includes:
When the detected data that does not match the rule information exceeds the access violation count, the first network function indicates to the third network function that the forwarding rule information is invalid.
可选的,在所述规则事件信息包括违规访问指示和/或违规访问次数的情况下,在检测到与所述规则信息不匹配的数据的情况下或者在检测到与所述规则信息不匹配的数据超过所述违规访问次数的情况下,所述方法还包括:Optionally, when the rule event information includes a violation access indication and/or a violation access count, when data that does not match the rule information is detected or when data that does not match the rule information is detected. In the case where the data exceeds the number of illegal accesses, the method also includes:
所述第一网络功能向第一设备发送终止中继指示,所述终止中继指示用于指示所述第一设备终止转发移动网络与所述第三设备间的数据。The first network function sends a termination relay indication to the first device, where the termination relay indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device.
所述第一设备在接收到所述终止中继指示后,基于所述终止中继指示,终止转发移动网络与第三设备间的数据。After receiving the relay termination indication, the first device terminates forwarding data between the mobile network and the third device based on the relay termination indication.
Based on the above embodiments, as shown in Figure 4, an embodiment of this application provides a signaling flow of the device data path management and control method:
A1. The PINE sends third information to the PEGC or the PEMC, which may specifically include:
The PINE first establishes a direct connection with the PEGC and sends to the PEGC a Remote Provisioning Request carrying the third information. The third information may include: a personal Internet of Things network identifier (PIN Identifier, PIN ID), a PINE identifier (PINE ID) and rule event information, where Duration is taken as an example of the rule event information;
The PEGC may send the Remote Provisioning Request directly to the PEMC; alternatively, the PEGC may first send a PEMC notification message (PEMC Notification) to the PINMF, where the PEMC Notification includes a PEGC identifier (PEGC ID) and the Remote Provisioning Request, and the PINMF then sends the PEMC Notification to the PEMC.
A2. The PEMC sends to the PINMF a Remote Provisioning Request carrying fourth information. The fourth information may include the PIN ID, the PINE ID, a PEMC identifier (PEMC ID), the PEGC ID and the Duration; the PEMC may adjust the Duration received in step A1.
A3-A4. The PINMF sends first information to the SMF, which may specifically include:
The PINMF sends to the PCF, through the N5 interaction protocol or the NEF, a Remote Provisioning Request carrying the first information. The first information may include: an optional Subscription Permanent Identifier (SUPI) or Generic Public Subscription Identifier (GPSI), a terminal address (UE address), an optional Data Network Name (DNN) or slice-related information (such as Single Network Slice Selection Assistance Information (S-NSSAI) or a network slice identifier (Network Slice Instance, NSI)), the PIN ID, the PINE ID, device-to-network routing information (Device to Network Routing Information, D2N Routing Info), uplink packet filters (UL Packet filters), downlink packet filters (DL Packet filters) and the Duration. The PINMF may determine the Duration based on local policy. The D2N Routing Info and DL Packet filters may be generated based on the PINE;
The PCF sends to the SMF the Remote Provisioning Request carrying the first information.
A5. The SMF interacts with the UPF and configures forwarding rule information to the UPF.
A6. The SMF and the PEGC perform Protocol Data Unit Session Modification (PDU Session Modification), and the SMF sends second information to the PEGC through an N1 message. The second information may include the PIN ID, the PINE ID, the D2N Routing Info and the Duration.
A7-A10. The SMF sends feedback information to the PCF, the PCF sends feedback information to the PINMF, the PINMF sends feedback information to the PEMC, and the PEMC sends feedback information to the PINE.
At this point, the PINE can interact with the provisioning server (provision server) through the mobile network. The provisioning server may be managed by a third-party (3rd party) device or processor.
A11. When the validity period based on the Duration expires, the SMF interacts with the UPF and indicates that the forwarding rule information is invalidated; correspondingly, the PEGC also invalidates the relay rule information.
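The validity conditions described above (valid time, invalid time, violation access indication, violation access count, and the Duration expiry of step A11) can be modelled as a small state machine on the first network function. This is an added example, not code from the patent application; the class and signal names, the filter shape (destination prefix and port), starting the Duration at the valid time (or at configuration time if none is given), dropping mismatching packets, and letting the count take precedence over the bare indication are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TNF, FIRST_DEVICE = "third_network_function", "first_device"  # assumed receiver labels


@dataclass
class RuleEventInfo:
    duration: Optional[float] = None       # validity period in seconds
    valid_time: Optional[float] = None     # time at which the rule becomes valid
    invalid_time: Optional[float] = None   # time at which the rule becomes invalid
    violation_indication: bool = False     # invalidate on a mismatching packet
    violation_count: Optional[int] = None  # invalidate once mismatches exceed this


@dataclass
class PacketFilter:
    dst_net: str    # assumed filter shape: allowed destination prefix and port
    dst_port: int

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return dst_port == self.dst_port and ip_address(dst_ip) in ip_network(self.dst_net)


@dataclass
class ForwardingRuleController:
    """Plays the first network function for one forwarding rule (hypothetical model)."""
    filters: List[PacketFilter]
    events: RuleEventInfo
    configured_at: float
    active: bool = False
    terminated: bool = False   # latched after a violation; the rule is not re-validated
    mismatches: int = 0
    signals: List[Tuple[str, str]] = field(default_factory=list)  # (receiver, indication)

    def __post_init__(self) -> None:
        self.tick(self.configured_at)

    def _set_active(self, active: bool) -> None:
        self.active = active
        self.signals.append((TNF, "rule_valid" if active else "rule_invalid"))

    def tick(self, now: float) -> None:
        """Apply the time-based conditions: valid time, invalid time, Duration."""
        ev = self.events
        if self.terminated:
            return
        start = self.configured_at if ev.valid_time is None else ev.valid_time
        expired = (ev.invalid_time is not None and now >= ev.invalid_time) or (
            ev.duration is not None and now >= start + ev.duration)
        want = now >= start and not expired
        if want != self.active:
            self._set_active(want)

    def on_packet(self, now: float, dst_ip: str, dst_port: int) -> bool:
        """Return True if the packet is forwarded; count and act on mismatches."""
        self.tick(now)
        if not self.active:
            return False
        if any(f.matches(dst_ip, dst_port) for f in self.filters):
            return True
        self.mismatches += 1
        ev = self.events
        if ev.violation_count is not None:
            tripped = self.mismatches > ev.violation_count  # "exceeds" the count
        else:
            tripped = ev.violation_indication
        if tripped:
            self.terminated = True
            self._set_active(False)
            self.signals.append((FIRST_DEVICE, "terminate_relay"))
        return False


def run(events: RuleEventInfo, packets, configured_at: float = 0.0):
    """Replay constructed (time, dst_ip, dst_port) packets against one rule."""
    ctl = ForwardingRuleController(
        [PacketFilter("203.0.113.10/32", 443)], events, configured_at)
    return [ctl.on_packet(*p) for p in packets], ctl.signals


if __name__ == "__main__":
    ok, bad = ("203.0.113.10", 443), ("198.51.100.7", 22)   # constructed traffic
    forwarded, signals = run(
        RuleEventInfo(duration=3600, violation_count=2),
        [(10, *ok), (20, *bad), (30, *bad), (40, *bad), (50, *ok)])
    print(forwarded)
    for receiver, indication in signals:
        print(receiver, indication)
```

The third mismatching packet is the first to exceed a count of 2, so that is where the rule is invalidated and the relay termination indication is issued; the matching packet that follows is no longer forwarded.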
As can be seen from the technical solutions of the above embodiments, in the embodiments of this application, first information is received from the second network function, the first information including rule information and rule event information; and at least one of the following is performed according to the first information: sending relay rule information to the first device based on the rule information; sending relay rule event information to the first device based on the rule event information; configuring forwarding rule information to the third network function based on the rule information; validating or invalidating the configuration of the forwarding rule information based on the rule event information. The data path between the third device and the mobile network can thereby be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control method provided by the embodiments of this application may be executed by a device data path management and control apparatus. In the embodiments of this application, the apparatus executing the device data path management and control method is taken as an example to describe the device data path management and control apparatus provided by the embodiments of this application.
As shown in Figure 5, the device data path management and control apparatus includes: a first transmission module 501 and a first execution module 502.
The first transmission module 501 is configured to receive first information from a second network function, where the first information includes rule information and rule event information; the first execution module 502 is configured to perform at least one of the following according to the first information:
Sending relay rule information to the first device based on the rule information;
Sending relay rule event information to the first device based on the rule event information;
Configuring forwarding rule information to the third network function based on the rule information;
Validating or invalidating the configuration of the forwarding rule information based on the rule event information;
Here, the relay rule information is used to indicate the rules by which the first device forwards data between the mobile network and the third device, the forwarding rule information is used to indicate the rules by which the third network function forwards data between the mobile network and the data network, the rule event information is used to indicate the conditions under which the rule information is valid or invalid, the relay rule event information is used to indicate the conditions under which the relay rule information is valid or invalid, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
Optionally, the rule event information includes at least one of the following corresponding to the forwarding rule information:
Duration information, valid time information, invalid time information, a violation access indication, a violation access count.
Optionally, the relay rule event information includes at least one of the following corresponding to the relay rule information:
Duration information, valid time information, invalid time information.
Optionally, in a case where the rule event information includes duration information, the first execution module 502 is configured to perform at least one of the following:
While the validity period determined based on the duration information is in effect, indicating to the third network function that the forwarding rule information is valid;
When the validity period determined based on the duration information has expired, indicating to the third network function that the forwarding rule information is invalidated.
Optionally, in a case where the rule event information includes valid time information, the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is valid when the current time reaches the time or time range determined by the valid time information.
Optionally, in a case where the rule event information includes invalid time information, the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid when the current time reaches the time or time range determined by the invalid time information.
Optionally, in a case where the rule event information includes a violation access indication, the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid when data that does not match the rule information is detected.
Optionally, in a case where the rule event information includes a violation access count, the first execution module 502 is configured to indicate to the third network function that the forwarding rule information is invalid when it is detected that the data that does not match the rule information exceeds the violation access count.
Optionally, in a case where the rule event information includes the violation access indication and/or the violation access count, the first execution module 502 is further configured to send a relay termination indication to the first device, where the relay termination indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device.
Optionally, the relay rule information and the forwarding rule information include at least one of the following:
Uplink data filtering rules;
Downlink data filtering rules;
Uplink data forwarding rules;
Downlink data forwarding rules.
As can be seen from the technical solutions of the above embodiments, in the embodiments of this application, first information is received from the second network function, the first information including rule information and rule event information; and at least one of the following is performed according to the first information: sending relay rule information to the first device based on the rule information; sending relay rule event information to the first device based on the rule event information; configuring forwarding rule information to the third network function based on the rule information; validating or invalidating the configuration of the forwarding rule information based on the rule event information. The data path between the third device and the mobile network can thereby be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control apparatus in the embodiments of this application may be an electronic device, such as an electronic device with an operating system, or may be a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal, or may be a device other than a terminal. By way of example, the terminal may include but is not limited to the types of terminal 11 listed above, and the other device may be a server, a Network Attached Storage (NAS) device, or the like, which is not specifically limited in the embodiments of this application.
The device data path management and control apparatus provided by the embodiments of this application can implement each process implemented by the method embodiments of Figures 3 to 4 and achieve the same technical effect. To avoid repetition, details are not described here again.
As shown in Figure 6, an embodiment of this application provides a device data path management and control method. The method is executed by the first device; in other words, the method may be executed by software or hardware installed on the first device. The method includes the following steps.
S610. The first device receives second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a relay termination indication;
S620. According to the second information, the first device performs at least one of the following:
Forwarding data between the mobile network and the third device based on the relay rule information;
Validating or invalidating the relay rule information based on the relay rule event information;
Terminating the forwarding of data between the mobile network and the third device based on the relay termination indication; where the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
Optionally, the relay rule event information includes at least one of the following corresponding to the relay rule information:
Duration information; valid time information; invalid time information.
Optionally, in a case where the relay rule event information includes duration information, the validating or invalidating the relay rule information based on the relay rule event information includes at least one of the following:
While the validity period determined based on the duration information is in effect, the first device enables the relay rule information;
When the validity period determined based on the duration information has expired, the first device deactivates the relay rule information.
Optionally, in a case where the relay rule event information includes valid time information, the validating or invalidating the relay rule information based on the relay rule event information includes:
When the current time reaches the time or time range determined by the valid time information, the first device enables the relay rule information.
Optionally, in a case where the relay rule event information includes relay invalid time information, the validating or invalidating the relay rule information based on the relay rule event information includes:
When the current time reaches the time or time range determined by the relay invalid time information, the first device deactivates the relay rule information.
Optionally, the relay rule information includes at least one of the following:
Uplink data filtering rules;
Downlink data filtering rules;
Uplink data forwarding rules;
Downlink data forwarding rules.
Optionally, before the first device receives the second information from the mobile network side, the method further includes:
Sending fourth information to the second device or the second network function, where the fourth information includes rule event information for data forwarding.
Optionally, the rule event information is received from the third device.
Optionally, the rule event information includes at least one of the following:
Duration information, valid time information, invalid time information, a violation access indication, a violation access count.
Optionally, the violation access indication is used to indicate that, when data that does not match the rule information is detected, the first device is instructed to terminate forwarding data between the mobile network and the third device.
Optionally, the violation access count is used to indicate that, when it is detected that the data that does not match the rule information exceeds the violation access count, the first device is instructed to terminate forwarding data between the mobile network and the third device.
Steps S610-S620 can implement the method embodiments shown in Figures 3-4 and achieve the same technical effect; the repeated parts are not described here again.
As can be seen from the technical solutions of the above embodiments, in the embodiments of this application, second information is received from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a relay termination indication; and at least one of the following is performed according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the relay termination indication. The data path between the third device and the mobile network can thereby be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control method provided by the embodiments of this application may be executed by a device data path management and control apparatus. In the embodiments of this application, the apparatus executing the device data path management and control method is taken as an example to describe the device data path management and control apparatus provided by the embodiments of this application.
As shown in Figure 7, the device data path management and control apparatus includes: a second transmission module 701 and a second execution module 702.
The second transmission module 701 is configured to receive second information from the mobile network side, where the second information includes at least one of the following: relay rule information and relay rule event information; a relay termination indication; the second execution module 702 is configured to perform at least one of the following according to the second information:
Forwarding data between the mobile network and the third device based on the relay rule information;
Validating or invalidating the relay rule information based on the relay rule event information;
Terminating the forwarding of data between the mobile network and the third device based on the relay termination indication; where the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the device access management and control apparatus.
Optionally, the relay rule event information includes at least one of the following corresponding to the relay rule information:
Duration information; valid time information; invalid time information.
Optionally, in a case where the relay rule event information includes duration information, the second execution module 702 is configured to perform at least one of the following:
While the validity period determined based on the duration information is in effect, enabling the relay rule information;
When the validity period determined based on the duration information has expired, deactivating the relay rule information.
Optionally, in a case where the relay rule event information includes valid time information, the second execution module 702 is configured to enable the relay rule information when the current time reaches the time or time range determined by the valid time information.
Optionally, in a case where the relay rule event information includes relay invalid time information, the second execution module 702 is configured to deactivate the relay rule information when the current time reaches the time or time range determined by the relay invalid time information.
Optionally, the relay rule information includes at least one of the following:
Uplink data filtering rules;
Downlink data filtering rules;
Uplink data forwarding rules;
Downlink data forwarding rules.
Optionally, before the first device receives the second information from the mobile network side, the second transmission module 701 is further configured to send fourth information to the second device or the second network function, where the fourth information includes rule event information for data forwarding.
Optionally, the rule event information is received from the third device.
Optionally, the rule event information includes at least one of the following:
Duration information, valid time information, invalid time information, a violation access indication, a violation access count.
Optionally, the violation access indication is used to indicate that, when data that does not match the rule information is detected, forwarding of data between the mobile network and the third device is terminated.
Optionally, the violation access count is used to indicate that, when it is detected that the data that does not match the rule information exceeds the violation access count, forwarding of data between the mobile network and the third device is terminated.
As can be seen from the technical solutions of the above embodiments, in the embodiments of this application, second information is received from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a relay termination indication; and at least one of the following is performed according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the relay termination indication. The data path between the third device and the mobile network can thereby be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control apparatus in the embodiments of this application may be an electronic device, such as an electronic device with an operating system, or may be a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal, or may be a device other than a terminal. By way of example, the terminal may include but is not limited to the types of terminal 11 listed above, and the other device may be a server, a Network Attached Storage (NAS) device, or the like, which is not specifically limited in the embodiments of this application.
The device data path management and control apparatus provided by the embodiments of this application can implement each process implemented by the method embodiment of Figure 6 and achieve the same technical effect. To avoid repetition, details are not described here again.
As shown in Figure 8, an embodiment of this application provides a device data path management and control method. The method is executed by the second network function; in other words, the method may be executed by software or hardware installed on the second network function. The method includes the following steps.
S810. The second network function sends first information to the first network function, where the first information includes rule information and rule event information.
Optionally, the rule event information includes at least one of the following:
Duration information, valid time information, invalid time information, a violation access indication, a violation access count.
Optionally, the rule information includes at least one of the following:
Relay rule information, forwarding rule information;
Here, the relay rule information indicates the rules by which the first device forwards data between the mobile network and the third device, the forwarding rule information is used to indicate the rules by which the third network function forwards data between the mobile network and the data network, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
Optionally, the relay rule information and the forwarding rule information include at least one of the following:
Uplink data filtering rules;
Downlink data filtering rules;
Uplink data forwarding rules;
Downlink data forwarding rules.
Optionally, the rule event information is received from the first device or the second device.
Step S810 can implement the method embodiments shown in Figures 3-4 and achieve the same technical effect; the repeated parts are not described here again.
As can be seen from the technical solutions of the above embodiments, in the embodiments of this application, first information is sent to the first network function, the first information including rule information and rule event information, so that the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control method provided by the embodiments of the present application may be executed by a device data path management and control apparatus. In the embodiments of the present application, the apparatus is described by taking the case in which the device data path management and control apparatus executes the device data path management and control method as an example.
As shown in Figure 9, the device data path management and control apparatus includes a third transmission module 901 and a third execution module 902.
The third execution module 902 is configured to obtain first information; the third transmission module 901 is configured to send the first information to the first network function, the first information including rule information and rule event information.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the rule information includes at least one of the following:
relay rule information and forwarding rule information;
Here, the relay rule information indicates the rules by which the first device forwards data between the mobile network and the third device, and the forwarding rule information indicates the rules by which the third network function forwards data between the mobile network and the data network. The third device is a device that receives data from the mobile network side, or sends data to the mobile network side, through the first device.
Optionally, the relay rule information and the forwarding rule information include at least one of the following:
uplink data filtering rules;
downlink data filtering rules;
uplink data forwarding rules;
downlink data forwarding rules.
Optionally, the rule event information is received from the first device or the second device.
As can be seen from the technical solution of the above embodiment, the embodiment of the present application sends first information to the first network function, the first information including rule information and rule event information, so that the data path between the third device and the mobile network can be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or a component of an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (NAS), or the like; the embodiments of the present application impose no specific limitation.
The device data path management and control apparatus provided by the embodiments of the present application can implement each process implemented by the method embodiment of Figure 8 and achieve the same technical effect; to avoid repetition, details are not described again here.
As shown in Figure 10, an embodiment of the present application provides a device data path management and control method. The method is executed by the third device; in other words, it can be executed by software or hardware installed on the third device. The method includes the following steps.
S1010. The third device sends third information to the first device or the second device, the third information including rule event information for data forwarding;
Here, the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid; the third device is a device that receives data from the mobile network side, or sends data to the mobile network side, through the first device.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the violating access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
Optionally, the violating access count is used to instruct the first device to terminate forwarding data between the mobile network and the third device when the detected data that does not match the rule information exceeds the violating access count.
Step S1010 can implement the method embodiments shown in Figures 3-4 and achieve the same technical effect; the repeated parts are not described again here.
As can be seen from the technical solution of the above embodiment, the embodiment of the present application sends third information to the first device or the second device, the third information including rule event information for data forwarding, where the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid. The data path between the third device and the mobile network can therefore be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control method provided by the embodiments of the present application may be executed by a device data path management and control apparatus. In the embodiments of the present application, the apparatus is described by taking the case in which the device data path management and control apparatus executes the device data path management and control method as an example.
As shown in Figure 11, the device data path management and control apparatus includes a fourth transmission module 1101 and a fourth execution module 1102.
The fourth execution module 1102 is configured to obtain third information; the fourth transmission module 1101 is configured to send the third information to the first device or the second device, the third information including rule event information for data forwarding. Here, the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid; the device access management and control apparatus is a device that receives data from the mobile network side, or sends data to the mobile network side, through the first device.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the violating access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
Optionally, the violating access count is used to instruct the first device to terminate forwarding data between the mobile network and the third device when the detected data that does not match the rule information exceeds the violating access count.
As can be seen from the technical solution of the above embodiment, the embodiment of the present application sends third information to the first device or the second device, the third information including rule event information for data forwarding, where the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid. The data path between the third device and the mobile network can therefore be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or a component of an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (NAS), or the like; the embodiments of the present application impose no specific limitation.
The device data path management and control apparatus provided by the embodiments of the present application can implement each process implemented by the method embodiment of Figure 10 and achieve the same technical effect; to avoid repetition, details are not described again here.
As shown in Figure 12, an embodiment of the present application provides a device data path management and control method. The method is executed by the second device; in other words, it can be executed by software or hardware installed on the second device. The method further includes the following steps.
S1210. The second device sends fourth information to the second network function, the fourth information including rule event information for data forwarding; the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the rule event information is received from the third device or the first device;
Here, the third device is a device that receives data from the mobile network side, or sends data to the mobile network side, through the first device.
Optionally, the violating access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
Optionally, the violating access count is used to instruct the first device to terminate forwarding data between the mobile network and the third device when the detected data that does not match the rule information exceeds the violating access count.
Step S1210 can implement the method embodiments shown in Figures 3-4 and achieve the same technical effect; the repeated parts are not described again here.
As can be seen from the technical solution of the above embodiment, the embodiment of the present application sends fourth information to the second network function, the fourth information including rule event information for data forwarding, and the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid. The data path between the third device and the mobile network can therefore be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control method provided by the embodiments of the present application may be executed by a device data path management and control apparatus. In the embodiments of the present application, the apparatus is described by taking the case in which the device data path management and control apparatus executes the device data path management and control method as an example.
As shown in Figure 13, the device data path management and control apparatus includes a fifth transmission module 1301 and a fifth execution module 1302.
The fifth execution module 1302 is configured to obtain fourth information; the fifth transmission module 1301 is configured to send the fourth information to the second network function, the fourth information including rule event information for data forwarding; the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the rule event information is received from the third device or the first device;
Here, the third device is a device that receives data from the mobile network side, or sends data to the mobile network side, through the first device.
Optionally, the violating access indication is used to instruct the first device to terminate forwarding data between the mobile network and the third device when data that does not match the rule information is detected.
Optionally, the violating access count is used to instruct the first device to terminate forwarding data between the mobile network and the third device when the detected data that does not match the rule information exceeds the violating access count.
As can be seen from the technical solution of the above embodiment, the embodiment of the present application sends fourth information to the second network function, the fourth information including rule event information for data forwarding, and the rule event information indicates information relevant to determining whether the data forwarding is valid or invalid. The data path between the third device and the mobile network can therefore be effectively managed and controlled according to the rule event information, improving the security of the mobile network.
The device data path management and control apparatus in the embodiments of the present application may be an electronic device, for example an electronic device with an operating system, or a component of an electronic device, for example an integrated circuit or a chip. The electronic device may be a terminal or a device other than a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, and the other device may be a server, network attached storage (NAS), or the like; the embodiments of the present application impose no specific limitation.
The device data path management and control apparatus provided by the embodiments of the present application can implement each process implemented by the method embodiment of Figure 12 and achieve the same technical effect; to avoid repetition, details are not described again here.
Optionally, as shown in Figure 14, an embodiment of the present application further provides a communication device 1400 that includes a processor 1401 and a memory 1402, the memory 1402 storing programs or instructions that can run on the processor 1401. For example, when the communication device 1400 is a terminal, the programs or instructions, when executed by the processor 1401, implement the steps of the above device data path management and control method embodiments and achieve the same technical effect. When the communication device 1400 is a network side device, the programs or instructions, when executed by the processor 1401, implement the steps of the above device data path management and control method embodiments and achieve the same technical effect; to avoid repetition, details are not described again here.
An embodiment of the present application further provides a terminal that includes a processor and a communication interface. The processor is configured to perform at least one of the following according to the second information: forwarding data between the mobile network and the third device based on the relay rule information; validating or invalidating the relay rule information based on the relay rule event information; terminating the forwarding of data between the mobile network and the third device based on the relay termination indication. The communication interface is configured to receive the second information from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a relay termination indication. This terminal embodiment corresponds to the terminal-side method embodiments above; each implementation process and implementation manner of those method embodiments is applicable to this terminal embodiment and achieves the same technical effect. Specifically, Figure 15 is a schematic diagram of the hardware structure of a terminal that implements an embodiment of the present application.
The terminal 1500 includes, but is not limited to, at least some of the following components: a radio frequency unit 1501, a network module 1502, an audio output unit 1503, an input unit 1504, a sensor 1505, a display unit 1506, a user input unit 1507, an interface unit 1508, a memory 1509, and a processor 1510.
Those skilled in the art will understand that the terminal 1500 may further include a power supply (such as a battery) that supplies power to the components. The power supply may be logically connected to the processor 1510 through a power management system, so that functions such as charging management, discharging management, and power consumption management are implemented through the power management system. The terminal structure shown in Figure 15 does not limit the terminal; the terminal may include more or fewer components than shown, combine certain components, or arrange the components differently, which is not described further here.
It should be understood that, in the embodiments of the present application, the input unit 1504 may include a graphics processing unit (GPU) 15041 and a microphone 15042. The GPU 15041 processes image data of still pictures or video obtained by an image capture device (such as a camera) in video capture mode or image capture mode. The display unit 1506 may include a display panel 15061, which may be configured in the form of a liquid crystal display, an organic light-emitting diode, or the like. The user input unit 1507 includes at least one of a touch panel 15071 and other input devices 15072. The touch panel 15071 is also called a touch screen and may include two parts: a touch detection device and a touch controller. The other input devices 15072 may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, and a joystick, which are not described further here.
In the embodiments of the present application, after receiving downlink data from the network side device, the radio frequency unit 1501 may pass it to the processor 1510 for processing; in addition, the radio frequency unit 1501 may send uplink data to the network side device. Generally, the radio frequency unit 1501 includes, but is not limited to, an antenna, an amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.
The memory 1509 may be used to store software programs or instructions as well as various data. The memory 1509 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, where the first storage area may store an operating system and the application programs or instructions required for at least one function (such as a sound playback function or an image playback function). In addition, the memory 1509 may include volatile memory or non-volatile memory, or it may include both. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory may be random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synch link dynamic random access memory (SLDRAM), or direct Rambus random access memory (DRRAM). The memory 1509 in the embodiments of the present application includes, but is not limited to, these and any other suitable types of memory.
The processor 1510 may include one or more processing units. Optionally, the processor 1510 integrates an application processor and a modem processor, where the application processor mainly handles operations involving the operating system, the user interface, application programs, and the like, and the modem processor, such as a baseband processor, mainly processes wireless communication signals. It can be understood that the modem processor may also not be integrated into the processor 1510.
Here, the radio frequency unit 1501 is configured to receive second information from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a relay termination indication.
The processor 1510 is configured to perform at least one of the following according to the second information:
forwarding data between the mobile network and the third device based on the relay rule information;
validating or invalidating the relay rule information based on the relay rule event information;
terminating the forwarding of data between the mobile network and the third device based on the relay termination indication.
Optionally, the relay rule event information includes at least one of the following, corresponding to the relay rule information:
duration information; valid time information; invalid time information.
Optionally, when the relay rule event information includes duration information, the processor 1510 is configured to perform at least one of the following:
enabling the relay rule information while the validity period determined from the duration information is in effect;
disabling the relay rule information once the validity period determined from the duration information has expired.
Optionally, when the relay rule event information includes valid time information, the processor 1510 is configured to enable the relay rule information when the current time reaches the time or time range determined by the valid time information.
Optionally, when the relay rule event information includes relay invalid time information, the processor 1510 is configured to disable the relay rule information when the current time reaches the time or time range determined by the relay invalid time information.
Optionally, the relay rule information includes at least one of the following:
uplink data filtering rules;
downlink data filtering rules;
uplink data forwarding rules;
downlink data forwarding rules.
Optionally, before the first device receives the second information from the mobile network side, the radio frequency unit 1501 is further configured to send fourth information to the second device or the second network function, the fourth information including rule event information for data forwarding.
Optionally, the rule event information is received from the third device.
Optionally, the rule event information includes at least one of the following:
duration information, valid time information, invalid time information, a violating access indication, and a violating access count.
Optionally, the violating access indication is used to indicate that forwarding of data between the mobile network and the third device is terminated when data that does not match the rule information is detected.
Optionally, the violating access count is used to indicate that forwarding of data between the mobile network and the third device is terminated when the detected data that does not match the rule information exceeds the violating access count.
The embodiments of the present application can effectively manage and control the data path between the third device and the mobile network according to the rule event information, improving the security of the mobile network.
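The following sketch models how a relaying first device could combine the relay rule information with the rule event information described above. It is an added example, not code from the application: the class names, the rule format (direction, network-side prefix, port), the choice to start the duration at the valid time or at receipt, and the fail-closed handling of inactive rules are all assumptions.

```python
"""Added illustration, not from the application: a relay (the "first device")
applying relay rule information together with rule event information.
All names and the rule format are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class FilterRule:
    """One uplink or downlink data filtering rule (constructed format)."""
    direction: str   # "uplink" (third device -> network) or "downlink"
    peer_net: str    # permitted network-side prefix
    port: int        # permitted network-side port

    def matches(self, direction: str, peer_ip: str, port: int) -> bool:
        return (direction == self.direction
                and port == self.port
                and ip_address(peer_ip) in ip_network(self.peer_net))


@dataclass
class RuleEvent:
    """Rule event information; each field is optional ("at least one of")."""
    valid_from: Optional[float] = None     # valid time information
    invalid_from: Optional[float] = None   # invalid time information
    duration: Optional[float] = None       # duration information, in seconds
    violation_indication: bool = False     # terminate on the first mismatch
    violation_count: Optional[int] = None  # terminate once this is exceeded


class Relay:
    def __init__(self, rules: List[FilterRule], event: RuleEvent,
                 received_at: float) -> None:
        self.rules = list(rules)
        self.event = event
        self.received_at = received_at  # when the rule information arrived
        self.violations = 0
        self.terminated = False

    def rules_active(self, now: float) -> bool:
        """Enable or disable the relay rules from the time-based event fields."""
        ev = self.event
        if ev.valid_from is not None and now < ev.valid_from:
            return False
        if ev.invalid_from is not None and now >= ev.invalid_from:
            return False
        if ev.duration is not None:
            # Assumption: the validity period starts at the valid time if one
            # is given, otherwise when the rule information was received.
            start = ev.valid_from if ev.valid_from is not None else self.received_at
            if now >= start + ev.duration:
                return False
        return True

    def handle(self, now: float, direction: str, peer_ip: str, port: int) -> str:
        """Return the decision for one packet seen at time `now`."""
        if self.terminated:
            return "terminated"
        if not self.rules_active(now):
            # Assumption: with no active relay rule, nothing is forwarded.
            return "drop-inactive"
        if any(r.matches(direction, peer_ip, port) for r in self.rules):
            return "forward"
        self.violations += 1
        ev = self.event
        # Assumption: when a count is present it governs; the bare indication
        # terminates on the first mismatch.
        if ev.violation_count is not None:
            over = self.violations > ev.violation_count
        else:
            over = ev.violation_indication
        if over:
            self.terminated = True
            return "terminated"
        return "drop-violation"


def demo() -> List[str]:
    """Run constructed traffic through a relay and return the decisions."""
    rules = [FilterRule("uplink", "203.0.113.0/24", 443),
             FilterRule("downlink", "203.0.113.0/24", 443)]
    event = RuleEvent(valid_from=100.0, duration=60.0, violation_count=2)
    relay = Relay(rules, event, received_at=90.0)
    packets = [  # (time, direction, network-side address, port), constructed
        (95.0, "uplink", "203.0.113.10", 443),   # before the valid time
        (100.0, "uplink", "203.0.113.10", 443),  # matches the uplink rule
        (110.0, "uplink", "198.51.100.7", 22),   # mismatch 1
        (111.0, "uplink", "198.51.100.7", 22),   # mismatch 2
        (112.0, "uplink", "198.51.100.7", 22),   # mismatch 3 exceeds count 2
        (113.0, "uplink", "203.0.113.10", 443),  # relay already terminated
    ]
    return [relay.handle(*p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Termination is sticky in this model: once the count is exceeded, traffic that would match a rule is no longer forwarded until new rule information is installed.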
Specifically, an embodiment of this application further provides a network-side device. As shown in Figure 16, the network-side device 1600 includes a processor 1601, a network interface 1602, and a memory 1603. The network interface 1602 is, for example, a common public radio interface (CPRI).
Specifically, the network-side device 1600 of this embodiment of the present invention further includes instructions or programs stored in the memory 1603 and executable on the processor 1601. The processor 1601 calls the instructions or programs in the memory 1603 to execute the methods performed by the modules shown in Figure 5 or Figure 9, and achieves the same technical effect. To avoid repetition, details are not described here again.
An embodiment of this application further provides a readable storage medium storing a program or instructions. When the program or instructions are executed by a processor, each process of the above device data path management and control method embodiments is implemented, and the same technical effect can be achieved. To avoid repetition, details are not described here again.
The processor is the processor in the terminal described in the above embodiments. The readable storage medium may be non-volatile or non-transitory, and may include a computer-readable storage medium such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
An embodiment of this application further provides a chip. The chip includes a processor and a communication interface coupled to the processor. The processor is configured to run programs or instructions to implement each process of the above device data path management and control method embodiments, and the same technical effect can be achieved. To avoid repetition, details are not described here again.
It should be understood that the chip mentioned in the embodiments of this application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.
An embodiment of this application further provides a computer program/program product stored in a storage medium. The computer program/program product is executed by at least one processor to implement each process of the above device data path management and control method embodiments, and the same technical effect can be achieved. To avoid repetition, details are not described here again.
An embodiment of this application further provides a device data path management and control system, including a first device, a second device, a third device, a first network function, and a second network function, which may be used to perform the steps of the device data path management and control method described above.
It should be noted that, in this document, the terms "comprise", "include", and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes that element. In addition, the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed; it may also include performing functions in a substantially simultaneous manner or in the reverse order, depending on the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Furthermore, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the related art, can be embodied in the form of a computer software product. The computer software product is stored in a storage medium (such as a ROM/RAM, magnetic disk, or optical disc) and includes several instructions that cause a terminal (which may be a mobile phone, computer, server, air conditioner, network device, or the like) to execute the methods described in the embodiments of this application.
The embodiments of this application have been described above with reference to the accompanying drawings, but this application is not limited to the specific implementations described, which are merely illustrative and not restrictive. Inspired by this application, those of ordinary skill in the art can devise many other forms without departing from the purpose of this application and the scope protected by the claims, all of which fall within the protection of this application.

Claims (43)

  1. A device data path management and control method, comprising:
    a first network function receiving first information from a second network function, the first information including rule information and rule event information;
    according to the first information, the first network function performing at least one of the following:
    sending relay rule information to a first device based on the rule information;
    sending relay rule event information to the first device based on the rule event information;
    configuring forwarding rule information to a third network function based on the rule information;
    validating or invalidating the configuration of the forwarding rule information based on the rule event information;
    wherein the relay rule information is used to indicate rules for the first device to forward data between the mobile network and a third device, the forwarding rule information is used to indicate rules for the third network function to forward data between the mobile network and a data network, the rule event information is used to indicate conditions under which the rule information is valid or invalid, the relay rule event information is used to indicate conditions under which the relay rule information is valid or invalid, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  2. The method according to claim 1, wherein the rule event information includes at least one of the following corresponding to the forwarding rule information:
    duration information, valid time information, invalid time information, a violation access indication, and a number of violating accesses.
  3. The method according to claim 1, wherein the relay rule event information includes at least one of the following corresponding to the relay rule information:
    duration information, valid time information, and invalid time information.
  4. The method according to claim 2, wherein, in the case where the rule event information includes duration information, the validating or invalidating of the configuration of the forwarding rule information based on the rule event information includes at least one of the following:
    in the case where the validity period determined based on the duration information is in effect, the first network function indicates to the third network function that the forwarding rule information is valid;
    in the case where the validity period determined based on the duration information has expired, the first network function indicates to the third network function that the forwarding rule information is invalid.
  5. The method according to claim 2, wherein, in the case where the rule event information includes valid time information, the validating or invalidating of the configuration of the forwarding rule information based on the rule event information includes:
    in the case where the current time reaches the time or time range determined by the valid time information, the first network function indicates to the third network function that the forwarding rule information is valid.
  6. The method according to claim 2, wherein, in the case where the rule event information includes invalid time information, the validating or invalidating of the configuration of the forwarding rule information based on the rule event information includes:
    in the case where the current time reaches the time or time range determined by the invalid time information, the first network function indicates to the third network function that the forwarding rule information is invalid.
  7. The method according to claim 2, wherein, in the case where the rule event information includes a violation access indication, the validating or invalidating of the configuration of the forwarding rule information based on the rule event information includes:
    in the case where data that does not match the rule information is detected, the first network function indicates to the third network function that the forwarding rule information is invalid.
  8. The method according to claim 2, wherein, in the case where the rule event information includes a number of violating accesses, the validating or invalidating of the configuration of the forwarding rule information based on the rule event information includes:
    in the case where the detected data that does not match the rule information exceeds the number of violating accesses, the first network function indicates to the third network function that the forwarding rule information is invalid.
  9. The method according to claim 2, 7 or 8, wherein, in the case where the rule event information includes a violation access indication and/or a number of violating accesses, the method further comprises:
    the first network function sending a termination relay indication to the first device, the termination relay indication being used to instruct the first device to terminate forwarding data between the mobile network and the third device.
  10. The method according to claim 1, wherein the relay rule information and the forwarding rule information include at least one of the following:
    uplink data filtering rules;
    downlink data filtering rules;
    uplink data forwarding rules;
    downlink data forwarding rules.
  11. A device data path management and control apparatus, comprising:
    a first transmission module, configured to receive first information from a second network function, the first information including rule information and rule event information;
    a first execution module, configured to perform at least one of the following according to the first information:
    sending relay rule information to a first device based on the rule information;
    sending relay rule event information to the first device based on the rule event information;
    configuring forwarding rule information to a third network function based on the rule information;
    validating or invalidating the configuration of the forwarding rule information based on the rule event information;
    wherein the relay rule information is used to indicate rules for the first device to forward data between the mobile network and a third device, the forwarding rule information is used to indicate rules for the third network function to forward data between the mobile network and a data network, the rule event information is used to indicate conditions under which the rule information is valid or invalid, the relay rule event information is used to indicate conditions under which the relay rule information is valid or invalid, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  12. A device data path management and control method, comprising:
    a first device receiving second information from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a termination relay indication;
    according to the second information, the first device performing at least one of the following:
    forwarding data between the mobile network and a third device based on the relay rule information;
    validating or invalidating the relay rule information based on the relay rule event information;
    terminating the forwarding of data between the mobile network and the third device based on the termination relay indication; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  13. The method according to claim 12, wherein the relay rule event information includes at least one of the following corresponding to the relay rule information:
    duration information; valid time information; invalid time information.
  14. The method according to claim 13, wherein, in the case where the relay rule event information includes duration information, the validating or invalidating of the relay rule information based on the relay rule event information includes at least one of the following:
    in the case where the validity period determined based on the duration information is in effect, the first device enables the relay rule information;
    in the case where the validity period determined based on the duration information has expired, the first device disables the relay rule information.
  15. The method according to claim 13, wherein, in the case where the relay rule event information includes valid time information, the validating or invalidating of the relay rule information based on the relay rule event information includes:
    in the case where the current time reaches the time or time range determined by the valid time information, the first device enables the relay rule information.
  16. The method according to claim 13, wherein, in the case where the relay rule event information includes relay invalid time information, the validating or invalidating of the relay rule information based on the relay rule event information includes:
    in the case where the current time reaches the time or time range determined by the relay invalid time information, the first device disables the relay rule information.
  17. The method according to claim 12, wherein the relay rule information includes at least one of the following:
    uplink data filtering rules;
    downlink data filtering rules;
    uplink data forwarding rules;
    downlink data forwarding rules.
  18. The method according to claim 12, wherein, before the first device receives the second information from the mobile network side, the method further comprises:
    sending fourth information to a second device or a second network function, the fourth information including rule event information for data forwarding.
  19. The method according to claim 18, wherein the rule event information is received from the third device.
  20. The method according to claim 18, wherein the rule event information includes at least one of the following:
    duration information, valid time information, invalid time information, a violation access indication, and a number of violating accesses.
  21. The method according to claim 20, wherein the violation access indication is used to indicate that, in the case where data that does not match the rule information is detected, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  22. The method according to claim 20, wherein the number of violating accesses is used to indicate that, in the case where the detected data that does not match the rule information exceeds the number of violating accesses, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  23. A device data path management and control apparatus, comprising:
    a second transmission module, configured to receive second information from the mobile network side, the second information including at least one of the following: relay rule information and relay rule event information; a termination relay indication;
    a second execution module, configured to perform at least one of the following according to the second information:
    forwarding data between the mobile network and a third device based on the relay rule information;
    validating or invalidating the relay rule information based on the relay rule event information;
    terminating the forwarding of data between the mobile network and the third device based on the termination relay indication; wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the device access management and control apparatus.
  24. A device data path management and control method, comprising:
    a second network function sending first information to a first network function, the first information including rule information and rule event information.
  25. The method according to claim 24, wherein the rule event information includes at least one of the following:
    duration information, valid time information, invalid time information, a violation access indication, and a number of violating accesses.
  26. The method according to claim 24 or 25, wherein the rule information includes at least one of the following:
    relay rule information and forwarding rule information;
    wherein the relay rule information indicates rules for a first device to forward data between the mobile network and a third device, the forwarding rule information is used to indicate rules for a third network function to forward data between the mobile network and a data network, and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  27. The method according to claim 26, wherein the relay rule information and the forwarding rule information include at least one of the following:
    uplink data filtering rules;
    downlink data filtering rules;
    uplink data forwarding rules;
    downlink data forwarding rules.
  28. The method according to claim 24, wherein the rule event information is received from a first device or a second device.
  29. A device data path management and control apparatus, comprising:
    a third execution module, configured to obtain first information;
    a third transmission module, configured to send the first information to a first network function, the first information including rule information and rule event information.
  30. A device data path management and control method, comprising:
    a third device sending third information to a first device or a second device, the third information including rule event information for data forwarding;
    wherein the rule event information is used to indicate information relevant to determining whether the data forwarding is valid or invalid; and the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  31. The method according to claim 30, wherein the rule event information includes at least one of the following:
    duration information, valid time information, invalid time information, a violation access indication, and a number of violating accesses.
  32. The method according to claim 31, wherein the violation access indication is used to indicate that, in the case where data that does not match the rule information is detected, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  33. The method according to claim 31, wherein the number of violating accesses is used to indicate that, in the case where the detected data that does not match the rule information exceeds the number of violating accesses, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  34. A device data path management and control apparatus, comprising:
    a fourth execution module, configured to obtain third information;
    a fourth transmission module, configured to send the third information to a first device or a second device, the third information including rule event information for data forwarding;
    wherein the rule event information is used to indicate information relevant to determining whether the data forwarding is valid or invalid; and the device access management and control apparatus is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  35. A device data path management and control method, comprising:
    a second device sending fourth information to a second network function, the fourth information including rule event information for data forwarding; the rule event information being used to indicate information relevant to determining whether the data forwarding is valid or invalid.
  36. The method according to claim 35, wherein the rule event information includes at least one of the following:
    duration information, valid time information, invalid time information, a violation access indication, and a number of violating accesses.
  37. The method according to claim 35, wherein the rule event information is received from a third device or a first device;
    wherein the third device is a device that receives data from the mobile network side or sends data to the mobile network side through the first device.
  38. The method according to claim 36, wherein the violation access indication is used to indicate that, in the case where data that does not match the rule information is detected, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  39. The method according to claim 36, wherein the number of violating accesses is used to indicate that, in the case where the detected data that does not match the rule information exceeds the number of violating accesses, the first device is instructed to terminate forwarding data between the mobile network and the third device.
  40. A device data path management and control apparatus, comprising:
    a fifth execution module, configured to obtain fourth information;
    a fifth transmission module, configured to send the fourth information to a second network function, the fourth information including rule event information for data forwarding; the rule event information being used to indicate information relevant to determining whether the data forwarding is valid or invalid.
  41. A terminal, comprising a processor and a memory, the memory storing programs or instructions executable on the processor, wherein the programs or instructions, when executed by the processor, implement the steps of the device data path management and control method according to any one of claims 12 to 22, or the device data path management and control method according to any one of claims 30 to 33, or the device data path management and control method according to any one of claims 35 to 39.
  42. A network-side device, comprising a processor and a memory, the memory storing programs or instructions executable on the processor, wherein the programs or instructions, when executed by the processor, implement the steps of the device data path management and control method according to any one of claims 1 to 10, or the device data path management and control method according to any one of claims 24 to 28.
  43. A readable storage medium storing programs or instructions, wherein the programs or instructions, when executed by a processor, implement the steps of the device data path management and control method according to any one of claims 1 to 10, or the device data path management and control method according to any one of claims 12 to 22, or the device data path management and control method according to any one of claims 24 to 28, or the device data path management and control method according to any one of claims 30 to 33, or the device data path management and control method according to any one of claims 35 to 39.
PCT/CN2023/106235 2022-07-13 2023-07-07 Device data path management and control method, device, terminal, and network side device WO2024012356A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210821333.5A CN117440466A (en) 2022-07-13 2022-07-13 Equipment data path management and control method, equipment, terminal and network side equipment
CN202210821333.5 2022-07-13

Publications (1)

Publication Number Publication Date
WO2024012356A1 (en) 2024-01-18

Family

ID=89535593

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/106235 WO2024012356A1 (en) 2022-07-13 2023-07-07 Device data path management and control method, device, terminal, and network side device

Country Status (2)

Country Link
CN (1) CN117440466A (en)
WO (1) WO2024012356A1 (en)

Also Published As

Publication number Publication date
CN117440466A (en) 2024-01-23

Similar Documents

Publication Publication Date Title
KR101745221B1 (en) Automatic sanitization of data on a mobile device in a network environment
WO2024007975A1 (en) Call capability monitoring method and apparatus, and terminal and readable storage medium
WO2024012356A1 (en) Device data path management and control method, device, terminal, and network side device
CN106454839A (en) Network access method and apparatus of intelligent terminal
WO2024022182A1 (en) Information query method and apparatus, terminal, and network side device
WO2024061091A1 (en) Network communication method and apparatus, and network-side device, terminal and medium
WO2023179595A1 (en) Session channel establishment method and apparatus for non-3gpp device, and device
WO2024022210A1 (en) Pegc registration methods, apparatus, and communication device
WO2024022161A1 (en) Pin device registration method and apparatus, and communication device
WO2023207984A1 (en) Behavior processing method and apparatus, and terminal, network-side device and medium
WO2024017181A1 (en) Device authorization method and apparatus, and network-side device
WO2024061144A1 (en) Method and apparatus for configuring network routing, and network-side device and terminal
WO2023143450A1 (en) Method for configuring data processing rule, and terminal and network-side device
WO2023143423A1 (en) Information acquisition, storage and reporting method and device, terminal, and network function
WO2023143416A1 (en) Information processing method, terminal, and network function
WO2023143453A1 (en) Direct-connectivity air interface configuration method, and terminal and network-side device
WO2023185877A1 (en) Routing processing method, terminal and network side device
WO2023143436A1 (en) Data forwarding method and apparatus, and terminal device and network device
WO2024017191A1 (en) Interaction method and apparatus, and device and storage medium
WO2024061256A1 (en) Forwarding rule configuration method and apparatus, terminal, and network side device
WO2023143411A1 (en) Device authentication methods, apparatus and communication device
WO2023143420A1 (en) Device management method and apparatus
WO2024012279A1 (en) Information transmission method and apparatus, and device
WO2023143414A1 (en) Data transmission method and apparatus, configuration method and apparatus, and terminal and network-side device
WO2024067331A1 (en) Device switching method in personal internet of things network, and communication method and device

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23838848

Country of ref document: EP

Kind code of ref document: A1