WO2024093783A1 - Operation execution method and apparatus, terminal and network function - Google Patents

Publication number
WO2024093783A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
network function
indication information
message
information
Application number
PCT/CN2023/126764
Inventor
谢振华
Original Assignee
维沃移动通信有限公司
Application filed by 维沃移动通信有限公司
Publication of WO2024093783A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009: Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/06: Authentication
    • H04W12/08: Access security

Definitions

  • the present application belongs to the field of communication technology, and specifically relates to an operation execution method, device, terminal and network function.
  • the Internet of Things is a network covering multiple devices based on the computer Internet, using sensor networks, radio frequency identification technology, wireless data communication and other technologies.
  • devices can communicate with each other. Its essence is to use radio frequency automatic identification (RFID) technology to achieve mutual communication between devices through wireless data links and computer Internet.
  • the Internet of Things device generally refers to the terminal device used in certain specific scenarios or specific services, such as smart home devices, smart utilities, e-health and smart wearable devices.
  • the embodiments of the present application provide an operation execution method, apparatus, terminal, and network function to implement authentication-related operations on a device in a PIN, thereby improving the security of accessing the PIN.
  • an operation execution method comprising:
  • the first terminal sends a first non-access stratum NAS message and/or first indication information to the network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • the first terminal receives fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
  • an operation execution method comprising:
  • the first network function sends fifth indication information to the first terminal
  • the first network function receives a first non-access stratum NAS message and/or first indication information sent by the first terminal, wherein the first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • in response to the first non-access stratum NAS message and/or the first indication information, the first network function performs at least one of the following:
  • the fifth indication information is used to indicate at least one of the following:
  • an operation execution method including:
  • the third network function performs a second operation
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends protocol data unit (PDU) session configuration information to the first network function.
  • an operation execution method comprising:
  • the second terminal sends configuration information to the first terminal in the personal Internet of Things (PIN).
  • an operation execution method including:
  • the fifth network function sends fourth indication information to the third network function, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends protocol data unit (PDU) session configuration information to the first network function.
  • an operation execution device including:
  • a first sending module configured to send a first non-access stratum NAS message and/or first indication information to a network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • the first receiving module is configured to receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
  • an operation execution device including:
  • a second sending module used to send fifth indication information to the first terminal
  • a second receiving module configured to receive a first non-access stratum NAS message and/or first indication information sent by the first terminal, wherein the first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • a first processing module configured to, in response to the first non-access stratum NAS message and/or the first indication information, perform at least one of the following:
  • the fifth indication information is used to indicate at least one of the following:
  • the first operation is allowed or not allowed to be performed through a user plane of the mobile network.
  • an operation execution device including:
  • a second processing module used for performing a second operation
  • the second operation includes at least one of the following:
  • an operation execution device comprising:
  • the third sending module is used to send configuration information to the first terminal in the personal Internet of Things (PIN).
  • an operation execution device comprising:
  • a fourth sending module configured to send fourth indication information to the third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends protocol data unit (PDU) session configuration information to the first network function.
  • a terminal which includes a processor and a memory, wherein the memory stores a program or instruction that can be executed on the processor, and when the program or instruction is executed by the processor, the steps of the method described in the first aspect or the fourth aspect are implemented.
  • a network function including a processor and a memory, wherein the memory stores programs or instructions that can be run on the processor, and when the programs or instructions are executed by the processor, the steps of the method described in the second aspect, the third aspect, or the fifth aspect are implemented.
  • an operation execution system including at least two of: a first terminal, a second terminal, a first network function, a second network function, a third network function, a fourth network function, and a fifth network function, wherein the first terminal can be used to execute the steps of the operation execution method as described in the first aspect above, the second terminal can be used to execute the steps of the operation execution method as described in the fourth aspect above, and the first network function can be used to execute the steps of the operation execution method as described in the fourth aspect above.
  • the third network function can be used to execute the steps of the operation execution method described in the third aspect
  • the fifth network function can be used to execute the steps of the operation execution method described in the fifth aspect
  • the second network function and the fifth network function can be used to cooperate with at least one of the first terminal, the second terminal, the first network function, the third network function and the fifth network function to execute the steps of the operation execution method described in any one of claims 1-46.
  • a readable storage medium on which a program or instruction is stored, wherein, when the program or instruction is executed by a processor, the steps of the method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect are implemented.
  • a chip comprising a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect.
  • a computer program/program product is provided, wherein the computer program/program product is stored in a storage medium, and the computer program/program product is executed by at least one processor to implement the steps of the method described in the first aspect or the second aspect or the third aspect or the fourth aspect or the fifth aspect.
  • an embodiment of the present application provides an operation execution determination device, which is used to execute the steps of the operation execution method described in the first aspect or the second aspect or the third aspect or the fourth aspect or the fifth aspect.
  • the first terminal can send a first non-access stratum NAS message and/or first indication information to the network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization; and/or the first terminal receives fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
  • the first terminal can instruct the network side to perform at least one of the authentication, certification, and authorization operations by sending a first non-access stratum NAS message, by sending first indication information, or by sending both a first NAS message and first indication information; it can also receive the fifth indication information sent by the network side. Therefore, the operation execution method of the embodiment of the present application can be used to perform at least one of the authentication, certification, and authorization operations on the device in the PIN, that is, the present application clarifies the authentication, certification, and authorization operations in the PIN, thereby improving the security of accessing the PIN.
  • FIG. 1 is a block diagram of a wireless communication system to which an embodiment of the present application can be applied;
  • FIG. 2 is a flow chart of an operation execution method in an embodiment of the present application.
  • FIG. 3 is a flow chart of another operation execution method in an embodiment of the present application.
  • FIG. 4 is a flow chart of another operation execution method in an embodiment of the present application.
  • FIG. 5 is a flow chart of another operation execution method in an embodiment of the present application.
  • FIG. 6 is a flow chart of another operation execution method in an embodiment of the present application.
  • FIG. 7 is a flow chart of implementation mode 1 of the operation execution method of the embodiment of the present application.
  • FIG. 8 is a flow chart of implementation mode 2 of the operation execution method of an embodiment of the present application.
  • FIG. 9 is a flow chart of an operation execution device in an embodiment of the present application.
  • FIG. 10 is a flow chart of another operation execution device in an embodiment of the present application.
  • FIG. 11 is a flow chart of another operation execution device in an embodiment of the present application.
  • FIG. 12 is a flow chart of another operation execution device in an embodiment of the present application.
  • FIG. 13 is a flow chart of another operation execution device in an embodiment of the present application.
  • FIG. 14 is a block diagram of a communication device in an embodiment of the present application.
  • FIG. 15 is a block diagram of a terminal in an embodiment of the present application.
  • FIG. 16 is a structural block diagram of a network function in an embodiment of the present application.
  • FIG. 17 is a structural block diagram of another network function in an embodiment of the present application.
  • the terms “first”, “second”, etc. in the specification and claims of the present application are used to distinguish similar objects, and are not used to describe a specific order or sequence. It should be understood that the terms used in this way are interchangeable under appropriate circumstances, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here. The objects distinguished by “first” and “second” are generally of the same type, and the number of objects is not limited.
  • for example, the first object can be one or more.
  • “and/or” in the specification and claims represents at least one of the connected objects, and the character “/” generally indicates that the associated objects are in an “or” relationship.
  • LTE Long Term Evolution
  • LTE-A Long Term Evolution-Advanced
  • CDMA Code Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • OFDMA Orthogonal Frequency Division Multiple Access
  • SC-FDMA Single-carrier Frequency Division Multiple Access
  • NR new radio
  • FIG1 shows a block diagram of a wireless communication system applicable to the embodiment of the present application.
  • the wireless communication system includes a terminal 11 and a network function 12.
  • the terminal 11 may be a terminal-side device such as a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (also called a notebook computer), a personal digital assistant (PDA), a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device, vehicle-mounted equipment (VUE), a pedestrian terminal (PUE), a smart home device (home equipment with a wireless communication function, such as a refrigerator, TV, washing machine or furniture), a game console, a personal computer (PC), a teller machine or a self-service machine. Wearable devices include smart watches, smart bracelets, smart headsets, smart glasses, smart jewelry (smart bracelets, smart rings, smart necklaces, smart anklets, etc.), smart wristbands, smart clothing, etc.
  • the network function 12 may include an access network device or a core network device, wherein the access network device 12 may also be referred to as a radio access network device, a radio access network (RAN), a radio access network function or a radio access network unit.
  • the access network device 12 may include a base station, a WLAN access point or a WiFi node, etc.
  • the base station may be referred to as a node B, an evolved node B (eNB), an access point, a base transceiver station (BTS), a radio base station, a radio transceiver, a basic service set (BSS), an extended service set (ESS), a home B node, a home evolved B node, a transmitting and receiving point (TRP) or some other suitable term in the field. As long as the same technical effect is achieved, the base station is not limited to a specific technical vocabulary. It should be noted that in the embodiment of the present application, only the base station in the NR system is used as an example for introduction, and the specific type of the base station is not limited.
  • the core network equipment may include but is not limited to at least one of the following: core network nodes, core network functions, mobility management entity (Mobility Management Entity, MME), access mobility management function (Access and Mobility Management Function, AMF), session management function (Session Management Function, SMF), user plane function (User Plane Function, UPF), policy control function (Policy Control Function, PCF), policy and charging rules function unit (Policy and Charging Rules Function, PCRF), edge application service discovery function (Edge Application Server Discovery ...
  • the method may include the following steps 201 and/or 202:
  • Step 201 A first terminal sends a first non-access stratum NAS message and/or first indication information to a network side.
  • the first terminal can send a first non-access stratum NAS message and/or first indication information to the first network function
  • the first terminal can be, for example, a terminal with gateway capability, i.e., a gateway terminal (PIN Element with Gateway Capability, PEGC);
  • the first network function can be, for example, a session management function (Session Management Function, SMF) or an access and mobility management function (Access and Mobility Management Function, AMF).
  • the first non-access stratum NAS message is used to indicate the first operation
  • the first indication information is used to indicate the first operation.
  • the first terminal can send a first non-access stratum NAS message to the network side (such as the above-mentioned first network function) to instruct the network side to perform the first operation (that is, trigger the network side to perform the first operation through a NAS message); or it can send first indication information to the network side to instruct the network side to perform the first operation (that is, instruct the network side device to perform the first operation through indication information); or it can send both a first NAS message and first indication information to the network side to instruct the network side to perform the first operation (that is, instruct the network side to perform the first operation through a NAS message and indication information). Here, the first NAS message and the first indication information can be independent, or the first indication information can be carried in the first NAS message.
  • the first operation includes at least one of the following:
  • Step 202 The first terminal receives fifth indication information sent by the network side.
  • the fifth indication information is used to indicate at least one of the following:
  • the method further includes:
  • the first terminal interacts with the network side to establish a PDU session
  • step 202 “the first terminal receives the fifth indication information sent by the network side” includes:
  • the first terminal receives a PDU session establishment/modification confirmation message sent by the network side, and the PDU session establishment/modification confirmation message carries the fifth indication information.
  • the network side may carry the fifth indication information in a PDU session confirmation message and send it to the first terminal.
  • step 202 “the first terminal receives fifth indication information sent by the network side” includes:
  • the first terminal receives the fifth indication information sent by the network side in response to the first non-access stratum NAS message and/or the first indication information.
  • the network side can carry the fifth indication information in the PDU session establishment confirmation/modification confirmation message and send it to the first terminal to inform the first terminal whether it allows the first operation; or, after receiving the first non-access stratum NAS message and/or the first indication information sent by the first terminal, the network side can send the fifth indication information to the first terminal to inform the first terminal whether it allows the first operation.
  • the first terminal can send a first non-access stratum NAS message and/or first indication information to the network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization; and/or, the first terminal receives fifth indication information sent by the network side, wherein the fifth indication information is used for at least one of the following:
  • the first terminal can instruct the network side to perform at least one of the authentication, certification, and authorization operations by sending a first non-access stratum NAS message, by sending first indication information, or by sending both a first NAS message and first indication information; it can also receive the fifth indication information sent by the network side. Therefore, the operation execution method of the embodiment of the present application can be used to perform at least one of the authentication, certification, and authorization operations on the device in the PIN, thereby improving the security of accessing the PIN.
  • the first terminal may also meet the following conditions 1 or 2:
  • the first terminal can also have the function of a personal Internet of Things device (PIN Element, PINE) and gateway capabilities, that is, PEGC and PINE can be combined into one device.
  • the first terminal may not have the PINE capability.
  • the first terminal only has the gateway capability, that is, PEGC and PINE are independently configured.
  • the method further includes:
  • the first terminal interacts with the network side to establish a protocol data unit (PDU) session.
  • the first terminal formed by combining PEGC and PINE can also establish a PDU session with the network side before sending the first non-access stratum NAS message and/or the first indication information to the network side.
  • before the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side, if a PDU session is established, the first terminal can subsequently use the PDU session modification process to send the first non-access stratum NAS message to the network side.
  • the first non-access stratum NAS message is a PDU session modification request. That is, in the aforementioned situation 1, the first terminal can send the PDU session modification request as the first NAS message to the network side to trigger the network side to perform the first operation.
  • the first indication information includes at least one of the following items A-1 to A-3:
  • Item A-1 an instruction for instructing to perform the first operation
  • Item A-2 information of the first terminal
  • Item A-3 Information about a second network function, wherein the second network function is used to perform the first operation.
  • the information of the first terminal may include at least one of an identifier, an IP address, and a MAC address.
  • the above-mentioned item A-1 indicates that the first terminal can explicitly instruct the network side to perform the first operation
  • the above item A-2 indicates that the first terminal can implicitly instruct the network side to perform the first operation through the information of the first terminal.
  • when the network side receives first indication information from the first terminal that includes the above-mentioned indication for instructing to perform the first operation, it can determine from the explicit indication content that the first operation needs to be performed on the first terminal; when the network side receives first indication information from the first terminal that includes the above-mentioned information of the first terminal, it can also determine from the implicit indication content that the first operation needs to be performed on the first terminal.
  • the second network function may be, for example, an external data network authentication and authorization center (AAA), that is, the first terminal may also inform the network side which network function performs the first operation.
  • the first terminal sends a first non-access stratum NAS message and/or first indication information to the network side, including:
  • when or after a connection is established between the first terminal and the first device, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side.
  • the first device may be a PINE.
  • the first terminal may instruct the network side to perform the first operation.
  • when or after the connection is established between the first terminal and the first device, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side, including:
  • the first terminal receives the first message sent by the first device, or receives the sixth message sent by the second terminal;
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side in response to the first message or the sixth message;
  • the first message is used to indicate at least one of the following:
  • the sixth message is used to instruct the first terminal or the first device to communicate with the second network function
  • the second network function is used to perform the first operation.
  • when the first message is used to indicate establishment of a connection between the first device and the first terminal, the first message may be a connection request sent by the first device to the first terminal, or may be a connection request sent by the first terminal to the first device.
  • when the first terminal receives the first message sent by the first device, this can trigger the first terminal to send the above-mentioned first non-access stratum NAS message and/or first indication information to the network side device, so that the network side performs the first operation on the first device; or, when the first terminal receives the above-mentioned sixth message sent by the second terminal, this can trigger the first terminal to send the above-mentioned first non-access stratum NAS message and/or first indication information to the network side device, so that the network side performs the first operation on the first device.
  • the first non-access stratum NAS message is a PDU session modification request or a PDU session establishment request. That is, in the aforementioned situation 2, the first terminal can send the PDU session modification request or the PDU session establishment request as the first NAS message to the network side to trigger the network side to perform the first operation.
  • the first indication information includes at least one of the following items B-1 to B-4:
  • Item B-1 an instruction for instructing to perform the first operation
  • Item B-2 information about the first device
  • Item B-3 information of the first terminal
  • Item B-4 Information about a second network function, wherein the second network function is used to perform the first operation.
  • the information of the first terminal may include at least one of an identifier, an IP address, and a MAC address; the information of the first device may include at least one of an identifier, an IP address, and a MAC address.
  • the above item B-1 indicates that the first terminal can explicitly instruct the network side to perform the first operation
  • Item B-2 above indicates that the first terminal may implicitly instruct the network side to perform the first operation through information of the first device;
  • the above item B-3 indicates that the first terminal can implicitly instruct the network side to perform the first operation through the information of the first terminal.
  • when the network side receives first indication information from the first terminal that includes the above-mentioned indication for instructing to perform the first operation, it can determine from the explicit indication content that the first operation needs to be performed on the device (i.e., the first device) that sends the above-mentioned first message to the first terminal; when the network side receives first indication information from the first terminal that includes the information of the above-mentioned first device, it can also determine from the implicit indication content that the first operation needs to be performed on the first device; when the network side receives first indication information from the first terminal that includes the information of the above-mentioned first terminal, it can also determine from the implicit indication content that the first operation needs to be performed on the device (i.e., the first device) that sends the above-mentioned first message to the first terminal.
  • the second network function may be, for example, an external data network authentication and authorization center (AAA), that is, the first terminal may also inform the network side which network function performs the first operation.
  • the method further includes:
  • the first terminal receives second indication information sent by the network side, wherein the second indication information is used to indicate a result of the first operation;
  • the first terminal performs at least one of the following items C-1 to C-3 according to the second indication information:
  • Item C-1 allowing or rejecting the first message sent by the first device to be received by the first terminal;
  • Item C-2 Allow or deny processing of data of the first device
  • Item C-3 allowing, retaining or releasing the connection between the first terminal and the first device
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • after the network side receives the first non-access stratum NAS message and/or the first indication information, it performs the first operation on the first device as indicated by the first non-access stratum NAS message and/or the first indication information, and then returns the result of executing the first operation to the first terminal.
  • the first terminal can execute at least one of the above items C-1 to C-3 according to the result of executing the first operation.
  • the method further comprises:
  • the first terminal executes at least one of the following items G-1 to G-7 according to the fifth indication information:
  • Item G-1 Execute or stop executing the first operation
  • Item G-2 sending or stopping sending sixth indication information to the second network function, where the sixth indication information is used to instruct the second network function to perform the first operation;
  • Item G-3 sending or stopping sending a fourth message to the second network function, where the fourth message is a message related to performing the first operation;
  • Item G-4 receiving or stopping receiving a fifth message from the second network function, where the fifth message is a message related to performing the first operation;
  • Item G-5 allowing or rejecting the first message sent by the first device and received by the first terminal;
  • Item G-6 Allow or deny processing of data on the first device
  • Item G-7 allowing, retaining or releasing the connection between the first terminal and the first device
  • the first message is used to indicate at least one of the following:
  • establish a connection between the first device and the first terminal, access the first terminal, access the PIN where the first terminal is located, communicate with the network side, and communicate with the second network function.
  • the above-mentioned item G-1 indicates: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the first terminal performs the first operation; when the fifth indication information does not allow the first operation, or does not allow the first operation to be performed through the control plane of the network side, or does not allow the first operation to be performed through the user plane of the network side, the first terminal stops performing the first operation.
  • the above G-2 item indicates that: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the first terminal sends the sixth indication information to the second network function; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the first terminal stops sending the sixth indication information to the second network function;
  • the above-mentioned item G-3 indicates that: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the first terminal sends the fourth message to the second network function; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the first terminal stops sending the fourth message to the second network function;
  • the above-mentioned item G-4 indicates: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the first terminal receives the fifth message from the second network function; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the first terminal stops receiving the fifth message from the second network function;
  • the above G-5 item indicates: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the first message sent by the first device and received by the first terminal is allowed; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the first message sent by the first device and received by the first terminal is rejected;
  • the above-mentioned item G-6 indicates that: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the processing of the data of the first device is allowed; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the processing of the data of the first device is rejected;
  • the above-mentioned item G-7 indicates: when the fifth indication information indicates that the first operation is allowed, or the first operation is allowed to be performed through the control plane of the network side, or the first operation is allowed to be performed through the user plane of the network side, the connection between the first terminal and the first device is allowed or retained; when the fifth indication information indicates that the first operation is not allowed, or the first operation is not allowed to be performed through the control plane of the network side, or the first operation is not allowed to be performed through the user plane of the network side, the connection between the first terminal and the first device is released.
  • the first terminal receiving the second indication information sent by the network side includes:
  • the first terminal receives a second NAS message sent by the network side, wherein the second NAS message carries the second indication information.
  • the network side may carry the second indication information used to indicate the result of executing the first operation in the second NAS message, and send the message to the first terminal.
  • the second indication information satisfies at least one of the following items D-1 to D-2:
  • Item D-1 indicating the result of the first operation by an identifier or a name of the second NAS message
  • Item D-2 indicating the result of the first operation through a cause value.
  • the above item D-1 means that different identifiers or names of the second NAS message indicate different results of the first operation.
  • the indicating a result of the first operation by using an identifier or a name of the second NAS message includes at least one of the following:
  • the failure of the first operation is indicated by a PDU session modification reject message or a PDU session establishment reject message.
  • if the second NAS message sent by the network side to the first terminal is a PDU session modification confirmation message or a PDU session establishment confirmation message, it indicates that the first operation is executed successfully; if the second NAS message sent by the network side to the first terminal is a PDU session modification rejection message or a PDU session establishment rejection message, it indicates that the first operation fails.
  • when the network side successfully executes the first operation, it returns a PDU session modification confirmation message or a PDU session establishment confirmation message to the first terminal; when the network side fails to execute the first operation, it returns a PDU session modification rejection message or a PDU session establishment rejection message to the first terminal.
  • the above-mentioned item D-2 means that different results of the first operation are explicitly indicated by the cause value.
  • the result of the first operation indicated by the cause value includes at least one of the following indications:
  • a failure cause value and/or a failure indication, used to indicate that the first operation failed;
  • the second NAS message does not include the failure cause value and/or the failure indication, which indicates that the first operation is successful;
  • the second NAS message does not include the success cause value and/or the success indication, which indicates that the first operation fails.
  • if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, it indicates that the first operation has failed; if the second NAS message sent by the network side does not include a failure cause value and/or a failure indication, it indicates that the first operation has been successfully executed.
  • if the second NAS message sent by the network side includes a success cause value and/or a success indication, it indicates that the first operation is executed successfully; if the second NAS message sent by the network side does not include a success cause value and/or a success indication, it indicates that the first operation fails.
  • if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, it indicates that the first operation has failed to execute; if the second NAS message sent by the network side includes a success cause value and/or a success indication, it indicates that the first operation has been executed successfully.
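The following added example (not part of the application) sketches how a first terminal could turn a second NAS message into a result under items D-1 and D-2 and then apply items C-1 to C-3. The message labels, the `SecondNasMessage` fields, the fail-closed handling of inconclusive or contradictory messages, and the mapping of success to allow/retain and failure to reject/deny/release are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


class CauseConvention(Enum):
    """The three cause-value conventions described for item D-2."""
    FAILURE_MARKED = "failure marker present => failure, absent => success"
    SUCCESS_MARKED = "success marker present => success, absent => failure"
    BOTH_MARKED = "failure marker => failure, success marker => success"


# Constructed labels for the second NAS message types named in the text.
CONFIRM = {"PDU_SESSION_MODIFICATION_CONFIRM", "PDU_SESSION_ESTABLISHMENT_CONFIRM"}
REJECT = {"PDU_SESSION_MODIFICATION_REJECT", "PDU_SESSION_ESTABLISHMENT_REJECT"}


@dataclass(frozen=True)
class SecondNasMessage:
    name: str
    failure_marker: bool = False  # failure cause value and/or failure indication
    success_marker: bool = False  # success cause value and/or success indication


def result_from_name(msg: SecondNasMessage) -> Optional[Result]:
    """Item D-1: the identifier or name of the message carries the result."""
    if msg.name in REJECT:
        return Result.FAILURE
    if msg.name in CONFIRM:
        return Result.SUCCESS
    return None  # this message type says nothing about the result


def result_from_cause(msg: SecondNasMessage,
                      convention: CauseConvention) -> Optional[Result]:
    """Item D-2: the cause value carries the result under one convention."""
    if convention is CauseConvention.FAILURE_MARKED:
        return Result.FAILURE if msg.failure_marker else Result.SUCCESS
    if convention is CauseConvention.SUCCESS_MARKED:
        return Result.SUCCESS if msg.success_marker else Result.FAILURE
    # BOTH_MARKED: exactly one marker must be present to be conclusive.
    if msg.failure_marker != msg.success_marker:
        return Result.FAILURE if msg.failure_marker else Result.SUCCESS
    return None


def interpret(msg: SecondNasMessage,
              convention: Optional[CauseConvention] = None) -> Result:
    """Combine D-1 and D-2.

    Assumption of this example: the terminal fails closed, so any failure
    verdict, an inconclusive cause check, or no verdict at all is a failure.
    """
    name_verdict = result_from_name(msg)
    cause_verdict = None
    if convention is not None:
        cause_verdict = result_from_cause(msg, convention)
        if cause_verdict is None:
            return Result.FAILURE  # expected marker missing or contradictory
    verdicts = [v for v in (name_verdict, cause_verdict) if v is not None]
    if not verdicts or Result.FAILURE in verdicts:
        return Result.FAILURE
    return Result.SUCCESS


def terminal_actions(result: Result) -> dict:
    """Items C-1 to C-3, with the success/failure mapping assumed here."""
    ok = result is Result.SUCCESS
    return {
        "C-1 first message": "allow" if ok else "reject",
        "C-2 device data": "allow" if ok else "deny",
        "C-3 connection": "retain" if ok else "release",
    }


if __name__ == "__main__":
    # Constructed sample: a confirmation message that still carries a failure marker.
    sample = SecondNasMessage("PDU_SESSION_MODIFICATION_CONFIRM", failure_marker=True)
    outcome = interpret(sample, CauseConvention.FAILURE_MARKED)
    print(outcome, terminal_actions(outcome))
```

Of the three conventions, the one that marks only failures reads a message with no marker as success, so it is the only one that does not fail closed when a field is missing.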
  • the method further comprises at least one of the following:
  • the first terminal receives a second message from the network side, and sends the second message to the first device;
  • the first terminal receives a third message from the first device, and sends the third message to the network side;
  • the second message and the third message are messages involved in executing the first operation, that is, the second message and the third message are messages that the first device and the network side need to interact with when executing the first operation.
  • the first terminal can also forward interaction messages for the first device and the network side.
  • the network side may send a second message to the first terminal for requesting the identification information of the first device, so that the first terminal sends the second message to the first device, and the first device returns a third message carrying the identification information of the first device to the first terminal, and the first terminal returns the third message to the network side.
  • the second message is an extensible authentication protocol (EAP) message
  • the third message is an EAP message
  • step 201 can be as described in the following method 1, method 2 or method 3:
  • the method further includes:
  • the first terminal receives the rule information sent by the network side
  • the first terminal sends a first non-access stratum NAS message and/or first indication information to the network side, including:
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information.
  • the first terminal can send the first non-access stratum NAS message and/or the first indication information according to the rule information sent by the network side (i.e., by the third network function, such as the Policy Control Function (PCF)).
  • rule information is used to indicate at least one of the following items E-1 to E-2:
  • Item E-1 the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • Item E-2 At least one first target device requires the first operation or does not require the first operation.
  • the target PIN is one of the PINs created by the second terminal;
  • the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  • the above item E-1 indicates that the rule information can indicate whether the first operation needs to be performed for the PIN, that is, whether the first operation needs to be performed is indicated with the PIN as the granularity.
  • the above-mentioned item E-2 indicates that the rule information may also indicate whether the first operation needs to be performed for each PINE, that is, indicating whether the first operation needs to be performed with PINE as the granularity.
  • the second terminal for example, the management terminal (PIN Element with Management Capability, PEMC)
  • the fifth network function for example, the application function (Application Function, AF)
  • the third network function for example, PCF
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information, including at least one of the following:
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side;
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side:
  • Item H-1 the first non-access stratum NAS message and/or the first indication information is related to the target PIN;
  • Item H-2 The connection between the first terminal and the first device is related to the target PIN;
  • Item H-3 the first message sent by the first device and received by the first terminal is related to the target PIN;
  • Item H-4 The first device is associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side;
  • when the rule information indicates that the first device does not need the first operation, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side.
  • the method further includes:
  • the first terminal receives configuration information sent by the second terminal;
  • the first terminal sends a first non-access stratum NAS message and/or first indication information to the network side, including:
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the configuration information.
  • the first terminal can send the first non-access stratum NAS message and/or the first indication information according to the configuration information sent by the second terminal (for example, PEMC).
  • the configuration information is used to indicate at least one of the following items F-1 to F-2:
  • Item F-1 the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • Item F-2 At least one second target device requires the first operation or does not require the first operation.
  • the target PIN is one of the PINs created by the second terminal;
  • the second target device is a device that needs to access the personal Internet of Things PIN or mobile network through the first terminal.
  • the above item F-1 indicates that the configuration information can indicate whether the first operation needs to be performed for the PIN, that is, whether the first operation needs to be performed is indicated with the PIN as the granularity.
  • the above item F-2 indicates that the configuration information may also indicate whether the first operation needs to be performed for each PINE, that is, indicating whether the first operation needs to be performed with PINE as the granularity.
  • the second terminal may indicate to the first terminal whether the first operation needs to be applied to the PIN and/or whether a PIN needs the first operation.
  • when the configuration information indicates that the first device requires the first operation, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side;
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side:
  • Item L-1 the first non-access stratum NAS message and/or the first indication information is related to the target PIN;
  • Item L-2 The connection between the first terminal and the first device is related to the target PIN;
  • Item L-3 the first message sent by the first device and received by the first terminal is related to the target PIN;
  • Item L-4 The first device is associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side;
  • when the configuration information indicates that the first device does not need the first operation, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side.
  • the method further includes:
  • the first terminal receives the PIN rule information sent by the network side;
  • the first terminal receives configuration information sent by the second terminal;
  • the first terminal sends a first non-access stratum NAS message and/or first indication information to the network side, including:
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information and the configuration information.
  • the first terminal can send the first non-access stratum NAS message and/or the first indication information according to the rule information sent by the network side and the configuration information sent by the second terminal.
  • the content indicated by the rule information can refer to the aforementioned method 1
  • the content indicated by the configuration information can refer to the aforementioned method 2. That is, both the rule information and the configuration information can perform the aforementioned PIN granularity indication and PINE granularity indication.
  • the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information and the configuration information, including:
  • the first non-access stratum NAS message and/or the first indication information is sent to the network side.
  • the specific method of sending the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information is the same as the aforementioned method 1; when the one with a higher priority between the rule information and the configuration information is the configuration information, the specific method of sending the first non-access stratum NAS message and/or the first indication information to the network side according to the configuration information is the same as the aforementioned method 2 and is not repeated here.
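The following added example (not part of the application) shows one way a first terminal could decide whether to send the first NAS message under methods 1 to 3, using the PIN-granularity and PINE-granularity indications of items E-1/E-2 and F-1/F-2. The `Policy` class, the identifiers, the choice that a per-device entry overrides a per-PIN entry, the fall-through to the lower-priority source when the higher one is silent, and the default of sending when nothing applies are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Policy:
    """Rule information (items E-1, E-2) or configuration information (F-1, F-2)."""
    pin_requires: Dict[str, bool] = field(default_factory=dict)     # PIN granularity
    device_requires: Dict[str, bool] = field(default_factory=dict)  # PINE granularity

    def decision(self, pin_id: Optional[str], device_id: str) -> Optional[bool]:
        # Assumption: the per-device entry is more specific and wins over
        # the per-PIN entry when both are present.
        if device_id in self.device_requires:
            return self.device_requires[device_id]
        if pin_id is not None and pin_id in self.pin_requires:
            return self.pin_requires[pin_id]
        return None  # this source says nothing about this device or PIN


def should_send_first_nas(pin_id: Optional[str],
                          device_id: str,
                          rule: Optional[Policy] = None,
                          config: Optional[Policy] = None,
                          higher: str = "rule",
                          default: bool = True) -> bool:
    """Method 1: rule only. Method 2: config only. Method 3: both, by priority.

    pin_id is the target PIN that the device, its connection or its first
    message relates to (items H-1 to H-4 / L-1 to L-4), or None if unrelated.
    """
    sources = {"rule": rule, "config": config}
    if higher not in sources:
        raise ValueError("higher must be 'rule' or 'config'")
    order = [higher] + [name for name in sources if name != higher]
    for name in order:
        policy = sources[name]
        if policy is None:
            continue
        verdict = policy.decision(pin_id, device_id)
        if verdict is not None:
            return verdict
    # Assumption: with no applicable indication, trigger the first operation
    # rather than admit the device without it.
    return default


if __name__ == "__main__":
    # Constructed sample policies and identifiers.
    rule = Policy(pin_requires={"pin-home": True}, device_requires={"pine-lamp": False})
    config = Policy(device_requires={"pine-lamp": True})
    for prio in ("rule", "config"):
        send = should_send_first_nas("pin-home", "pine-lamp", rule, config, higher=prio)
        print(f"priority={prio}: send first NAS message = {send}")
```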
  • the method further comprises:
  • the first terminal sends information of the first device to the network side.
  • the first terminal can also send information of the first device to the network side (for example, the first network function).
  • the information of the first device may include address information of the first device (e.g., an IP address).
  • an embodiment of the present application provides an operation execution method. As shown in FIG. 3, the method may include the following steps 301 and/or 302 and 303:
  • Step 301 The first network function sends fifth indication information to the first terminal.
  • the fifth indication information is used to indicate at least one of the following:
  • the method further includes:
  • the first network function interacts with the first terminal to establish a PDU session
  • Step 301 “the first network function sends fifth indication information to the first terminal” includes:
  • the first network function sends a PDU session establishment/modification confirmation message to the first terminal, and the PDU session establishment/modification confirmation message carries the fifth indication information.
  • the first network function may carry the fifth indication information in a PDU session establishment/modification confirmation message and send it to the first terminal.
  • Step 302 The first network function receives a first non-access stratum NAS message and/or first indication information sent by the first terminal.
  • the first non-access stratum NAS message is used to indicate the first operation
  • the first indication information is used to indicate the first operation
  • the first operation includes at least one of authentication, certification, and authorization.
  • the first terminal can send a first non-access stratum NAS message and/or first indication information to the first network function
  • the first terminal can be, for example, a terminal with gateway capability, i.e., a gateway terminal (PIN Element with Gateway Capability, PEGC);
  • the first network function can be, for example, a session management function (Session Management Function, SMF) or an access and mobility management function (Access and Mobility Management Function, AMF).
  • the first terminal can send a first non-access stratum NAS message to the network side (such as the above-mentioned first network function) to instruct the network side to perform the first operation (that is, trigger the network side to perform the first operation through a NAS message); or, it can send first indication information to the network side to instruct the network side to perform the first operation (that is, instruct the network side device to perform the first operation through indication information); or, it can also send a first NAS message and first indication information to the network side to instruct the network side to perform the first operation (that is, instruct the network side to perform the first operation through a NAS message and indication information), where the first NAS message and the first indication information can be independent, or the first indication information can be carried in the first NAS message.
  • the first operation includes at least one of the following:
  • Step 303 The first network function performs at least one of the following in response to the first non-access stratum NAS message and/or the first indication information:
  • the first network function can establish/modify the PDU session after receiving the PDU sent by the first terminal.
  • the fifth indication information is carried in the PDU session establishment/modification confirmation message and sent to the first terminal to inform the first terminal whether it allows the first operation; or after the first network function receives the first non-access stratum NAS message and/or the first indication information sent by the first terminal, the fifth indication information is sent to the first terminal to inform the first terminal whether it allows the first operation.
  • the first network function is capable of receiving a first non-access stratum NAS message and/or first indication information sent by the first terminal, and, in response to the first non-access stratum NAS message and/or the first indication information, sending fifth indication information to the first terminal and/or instructing the second network function and the first terminal to perform a first operation; and/or, the first network function sends the fifth indication information to the first terminal; wherein the first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, the first operation includes at least one of authentication, certification, and authorization, and the fifth indication information is used to indicate at least one of the following:
  • the first terminal can instruct the network side to perform at least one of the authentication, certification, and authorization operations by sending a first non-access stratum NAS message, or instruct the network side to perform at least one of the authentication, certification, and authorization operations by sending first indication information, or instruct the network side to perform at least one of the authentication, certification, and authorization operations by sending a first NAS message and first indication information; and can also receive the fifth indication information sent by the network side. Therefore, the operation execution method of the embodiment of the present application can be used to perform at least one of the authentication, certification, and authorization operations on the device in the PIN, thereby improving the security of accessing the PIN.
  • the method further includes:
  • the first network function receives third indication information sent by the second network function, wherein the third indication information is used to indicate a result of the first operation;
  • the first network function sends second indication information to the first terminal according to the third indication information, where the second indication information is used to indicate a result of the first operation.
  • the second network function is used to perform the first operation. After the second network function performs the first operation, it can return third indication information indicating the result of the first operation to the first network function, and then the first network function returns second indication information indicating the result of the first operation to the first terminal based on the third indication information.
  • the first terminal may also meet the following conditions 1 or 2:
  • the first terminal can also have the function of a personal Internet of Things device (PIN Element, PINE) and gateway capabilities, that is, PEGC and PINE can be combined into one device.
  • the first terminal may not have the PINE capability.
  • the first terminal only has the gateway capability, that is, PEGC and PINE are independently configured.
  • the method further includes:
  • the first network function interacts with the first terminal to establish a protocol data unit (PDU) session.
  • the first terminal formed by combining PEGC and PINE can also establish a PDU session with the network side before sending the first non-access stratum NAS message and/or the first indication information to the network side.
  • before the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side, if a PDU session has been established, the first terminal can subsequently use the modification procedure of that PDU session to send the first non-access stratum NAS message to the network side.
  • the first non-access stratum NAS message is a PDU session modification request. That is, in the aforementioned situation 1, the first terminal can send the PDU session modification request as the first NAS message to the network side to trigger the network side to perform the first operation.
  • the first indication information includes at least one of the following items A-1 to A-3:
  • Item A-1 an instruction for instructing to perform the first operation
  • Item A-2 information of the first terminal
  • Item A-3 Information about a second network function, wherein the second network function is used to perform the first operation.
  • the first indication information includes at least one of the following items B-1 to B-4:
  • Item B-1 an instruction for instructing to perform the first operation
  • Item B-2 information about the first device
  • Item B-3 information of the first terminal
  • Item B-4 Information about a second network function, wherein the second network function is used to perform the first operation.
  • the first non-access stratum NAS message is a PDU session modification request or a PDU session establishment request. That is, in the aforementioned situation 2, the first terminal can send the PDU session modification request or the PDU session establishment request as the first NAS message to the network side to trigger the network side to perform the first operation.
  • the first network function sending second indication information to the first terminal according to the third indication information includes:
  • the first network function sends a second NAS message to the first terminal according to the third indication information, wherein the second NAS message carries the second indication information.
  • the first network function may carry the second indication information used to indicate the result of executing the first operation in the second NAS message, and send the message to the first terminal.
  • the second indication information satisfies at least one of the following items D-1 to D-2:
  • Item D-1 indicating the result of the first operation by an identifier or a name of the second NAS message
  • Item D-2 indicating the result of the first operation by a cause value.
  • the above item D-1 means that different identifiers or names of the second NAS message indicate different results of the first operation.
  • the indicating a result of the first operation by using an identifier or a name of the second NAS message includes at least one of the following:
  • the failure of the first operation is indicated by a PDU session modification reject message or a PDU session establishment reject message.
  • If the second NAS message sent by the network side to the first terminal is a PDU session modification confirmation message or a PDU session establishment confirmation message, it indicates that the first operation is executed successfully; if the second NAS message sent by the network side to the first terminal is a PDU session modification rejection message or a PDU session establishment rejection message, it indicates that the first operation fails.
  • When the network side successfully executes the first operation, it returns a PDU session modification confirmation message or a PDU session establishment confirmation message to the first terminal; when the network side fails to execute the first operation, it returns a PDU session modification rejection message or a PDU session establishment rejection message to the first terminal.
  • the above-mentioned item D-2 means that different cause values indicate different results of the first operation.
  • the result of the first operation indicated by the reason value includes at least one of the following indications:
  • failure reason value and/or a failure indication used to indicate that the first operation failed
  • the second NAS message does not include the failure cause value and/or the failure indication, indicating that the first operation is successful
  • if the second NAS message does not include the success cause value and/or the success indication, it indicates that the first operation fails.
  • If the second NAS message sent by the network side includes a failure cause value and/or a failure indication, it indicates that the first operation has failed; if the second NAS message sent by the network side does not include a failure cause value and/or a failure indication, it indicates that the first operation has been successfully executed.
  • If the second NAS message sent by the network side includes a success reason value and/or a success indication, it indicates that the first operation is executed successfully; if the second NAS message sent by the network side does not include a success reason value and/or a success indication, it indicates that the first operation fails.
  • If the second NAS message sent by the network side includes a failure reason value and/or a failure indication, it indicates that the first operation has failed to execute; if the second NAS message sent by the network side includes a success reason value and/or a success indication, it indicates that the first operation has been executed successfully.
  • the method further comprises at least one of the following:
  • the first network function receives a second message forwarded by the first terminal for the first device
  • the first network function sends a third message to the first terminal, so that the first terminal forwards the third message to the first device;
  • the second message and the third message are messages involved in executing the first operation, that is, the second message and the third message are messages that the first device and the network side need to interact with when executing the first operation.
  • the first terminal can also forward the interaction message for the first device and the first network function.
  • the first network function may send a second message for requesting the identification information of the first device to the first terminal, so that the first terminal sends the second message to the first device, so that the first device returns a third message carrying the identification information of the first device to the first terminal, and the first terminal returns the third message to the first network function.
  • the first network function instructs the second network function to perform the first operation, including:
  • the first network function sends identification information of the first device to the second network function to instruct the second network function to perform the first operation.
  • the first network function instructs the second network function and the first terminal to perform the first operation in response to the first non-access layer NAS message, including at least one of the following items V-1 to V-5:
  • Item V-1 the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access layer NAS message;
  • Item V-2 the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access layer NAS message and the first association information between the PDU session related information and the PIN instance or session;
  • Item V-3 the first network function instructs the second network function and the first terminal to perform the first operation based on the PIN instance or session related information in the first non-access layer NAS message;
  • Item V-4 the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information and the PIN service indication information in the first non-access layer NAS message;
  • Item V-5 the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum NAS message, and the second association information between the PDU session related information and the PIN service.
  • the above-mentioned V-1 item indicates that if the PDU session related information in the first non-access layer NAS message is specific information, the first network function instructs the second network function and the first terminal to perform the first operation, otherwise the second network function and the first terminal are not instructed to perform the first operation.
  • the PDU session related information may include at least one of the PDU session identifier, the data network name (Data Network Name, DNN), and the network slice selection auxiliary information (Single Network Slice Selection Assistance Information, S-NSSAI).
  • the above-mentioned V-2 item indicates: if there is a PIN instance or session corresponding to the PDU session related information in the first non-access layer NAS message in the first association information, the first network function instructs the second network function and the first terminal to perform the first operation, otherwise the second network function and the first terminal are not instructed to perform the first operation.
  • the PDU session related information may include at least one of the PDU session identifier, DNN, and S-NSSAI.
  • the first network function instructs the second network function and the first terminal to perform the first operation.
  • the above item V-3 indicates that: if the first non-access layer NAS message includes PIN instance or session related information, the first network function instructs the second network function and the first terminal to perform the first operation, otherwise the second network function and the first terminal are not instructed to perform the first operation.
  • the PIN instance or session related information may include a PIN instance or a session identifier.
  • the above item V-4 indicates that: if the first non-access stratum NAS message contains indication information indicating that the PDU session related information is related to the PIN service (that is, it is related to the PIN service, rather than other services such as telephone service and video service), the first network function instructs the second network function and the first terminal to perform the first operation, otherwise the second network function and the first terminal are not instructed to perform the first operation.
  • the PDU session related information may include at least one of the PDU session identifier, DNN, and S-NSSAI.
  • the above-mentioned item V-5 indicates that: if the second association information indicates that the PDU session-related information in the first non-access layer NAS message is related to the PIN service (referring to the PIN service, not other services such as telephone service and video service), the first network function instructs the second network function and the first terminal to perform the first operation, otherwise the second network function and the first terminal are not instructed to perform the first operation.
  • the PDU session-related information may include at least one of the PDU session identifier, DNN, and S-NSSAI. For example, when there is a PIN service corresponding to the PDU session identifier in the first NAS message in the second association information, the first network function instructs the second network function and the first terminal to perform the first operation.
  • the first network function may also instruct the second network function and the first terminal to perform the first operation according to the information of the sending device of the received first NAS message. For example, when the first NAS message is sent by a device with gateway capabilities (that is, when the first terminal is a terminal with gateway capabilities), the first network function instructs the second network function and the first terminal to perform the first operation; when the first NAS message is not sent by a device with gateway capabilities (that is, when the first terminal is not a terminal with gateway capabilities), the first network function does not instruct the second network function and the first terminal to perform the first operation.
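The decision in items V-1 to V-5, together with the gateway-capability condition, written out as an added Python example (it is not code from the application). The class and field names, the `(dnn, s_nssai)` lookup key, the sample values and the choice to treat gateway capability as a precondition are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FirstNas:
    """Fields of the first NAS message that items V-1 to V-5 look at (hypothetical layout)."""
    session_id: int
    dnn: str
    s_nssai: str
    pin_id: Optional[str] = None           # PIN instance or session identifier (V-3)
    pin_service_indication: bool = False   # PIN service indication information (V-4)
    sender_is_gateway: bool = True         # sending device has gateway capabilities


@dataclass
class SmfContext:
    """State of the first network function; the association information is
    learned from the third network function (PCF or UDM)."""
    specific_sessions: set = field(default_factory=set)     # V-1: "specific" PDU session info
    first_association: dict = field(default_factory=dict)   # V-2: session info -> PIN instance
    second_association: set = field(default_factory=set)    # V-5: session info tied to PIN service


@dataclass(frozen=True)
class Decision:
    instruct: bool     # instruct the second network function and the first terminal?
    matched: tuple     # which enabled items fired


def matching_items(msg: FirstNas, ctx: SmfContext) -> tuple:
    """Evaluate every item independently and return the ones that hold."""
    key = (msg.dnn, msg.s_nssai)
    checks = (
        ("V-1", key in ctx.specific_sessions),
        ("V-2", key in ctx.first_association),
        ("V-3", msg.pin_id is not None),
        ("V-4", msg.pin_service_indication),
        ("V-5", key in ctx.second_association),
    )
    return tuple(name for name, hit in checks if hit)


def decide(msg: FirstNas, ctx: SmfContext,
           enabled=frozenset({"V-2", "V-5"})) -> Decision:
    """The text allows "at least one of" the items, so the set in use is configurable.
    If nothing enabled matches, the first operation is not instructed."""
    if not msg.sender_is_gateway:
        return Decision(False, ())
    matched = tuple(i for i in matching_items(msg, ctx) if i in enabled)
    return Decision(bool(matched), matched)


def sample_context() -> SmfContext:
    # Constructed sample data, not values from the application.
    key = ("pin.example", "sst1")
    return SmfContext(specific_sessions={key},
                      first_association={key: "pin-42"},
                      second_association={key})


if __name__ == "__main__":
    ctx = sample_context()
    for m in (FirstNas(5, "pin.example", "sst1", pin_id="pin-42"),
              FirstNas(6, "ims", "sst1"),
              FirstNas(7, "internet", "sst1", pin_service_indication=True)):
        print(m.session_id, matching_items(m, ctx), decide(m, ctx))
```

Session 7 matches only item V-4, which rests on a field carried in the NAS message itself; with the default `enabled` set, which relies on the association information learned from the PCF or UDM, it does not trigger the first operation.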
  • the method further comprises:
  • the first network function learns at least one of the following from the third network function:
  • the second association information.
  • the third network function may be PCF or UDM.
  • the method further comprises:
  • the first network function receives information about the first device sent by the first terminal;
  • the first device is a device that needs to access the PIN or the network where the first network function is located through the first terminal.
  • the first terminal can also send information of the first device to the network side (for example, the first network function).
  • the information of the first device may include address information of the first device (e.g., IP address).
  • the method further comprises:
  • the first network function uses the message filtering rule to configure a fourth network function.
  • the fourth network function may be, for example, a user plane function (User Plane Function, UPF).
  • the embodiment of the present application further provides an operation execution method, as shown in FIG4 , the method includes the following step 401:
  • Step 401 The third network function performs a second operation.
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends data protocol unit PDU session configuration information to the first network function.
  • the third network function may be, for example, PCF or UDM.
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  • the PDU session configuration information includes at least one of the following:
  • the second association information between the PDU session related information and the PIN service.
  • After the first terminal receives the rule information, it can send the first non-access stratum NAS message and/or the first indication information to the first network function according to the rule information.
  • the specific sending method can be found in the above description and will not be repeated here.
  • After the first network function receives the PDU session configuration information, it can instruct the second network function and the first terminal to perform the first operation according to the PDU session configuration information (i.e., the first association information and/or the second association information).
  • the method further includes:
  • the third network function acquires fourth indication information, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
  • the third network function performs the second operation, including:
  • the third network function performs the second operation according to the fourth indication information.
  • the third network function acquires the fourth indication information, including:
  • the third network function receives the fourth indication information sent by the fifth network function.
  • the fifth network function may be AF.
  • the second terminal for example, the management terminal (PIN Element with Management Capability, PEMC)
  • the fifth network function for example, the application function (Application Function, AF)
  • the fifth network function sends the above-mentioned fourth indication information to the third network function, thereby triggering the third network function to perform the above-mentioned second operation.
  • the embodiment of the present application further provides an operation execution method, as shown in FIG5 , the method may include the following step 501:
  • Step 501 The second terminal sends configuration information to the first terminal in the personal Internet of Things PIN.
  • the second terminal may be, for example, PEMC
  • the first terminal may be, for example, PEGC
  • the configuration information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one second target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the second target device is a device that needs to access the personal Internet of Things PIN or mobile network through the first terminal.
  • the first terminal can send a first non-access layer NAS message and/or a first indication information to the first network function according to the configuration information.
  • the specific sending method can be found in the above description and will not be repeated here.
  • the embodiment of the present application further provides an operation execution method, as shown in FIG6 , the method may include the following step 601:
  • Step 601 The fifth network function sends fourth indication information to the third network function.
  • the fifth network function may be AF.
  • the fourth indication information is used to instruct the third network function to perform a second operation
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends data protocol unit PDU session configuration information to the first network function.
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  • the PDU session configuration information includes at least one of the following:
  • the second association information between the PDU session related information and the PIN service.
  • After the first terminal receives the rule information, it can send the first non-access stratum NAS message and/or the first indication information to the first network function according to the rule information.
  • the specific sending method can be found in the above description and will not be repeated here.
  • After the first network function receives the PDU session configuration information, it can instruct the second network function and the first terminal to perform the first operation according to the PDU session configuration information (i.e., the first association information and/or the second association information).
  • Implementation method 1 as shown in FIG. 7 , it includes the following steps 71 to 716 (the first operation mentioned above includes authentication and/or authorization for illustration).
  • Step 71 The PEMC creates a PIN, can notify the AF that a PIN has been created, and can indicate whether access to the PIN requires 5G core network-assisted authentication and/or authorization.
  • PEMC can ask PINE for device information (for example, PEMC asks PINE for device information when PINE accesses the PIN) to learn whether PINE has a credential, so that, when a PINE that has a credential is added to a PIN, it is indicated to the AF that the PINE needs authentication and/or authorization assisted by the 5G core network.
  • the credential is the authentication information.
  • Step 72 AF may notify PCF directly or through NEF whether the PIN requires authentication and/or authorization assisted by the 5G core network.
  • Step 73 After the PCF learns whether the PIN requires authentication and/or authorization assisted by the 5G core network, it generates rule information and sends the rule information to each PEGC in the PIN through the AMF.
  • the rule information is used to indicate whether access to the PIN requires authentication and/or authorization assisted by the 5G core network.
  • Step 74 The first PINE connects to the PEGC to access the PIN (e.g., the first PINE sends a connection request to the PEGC).
  • Step 75 If the rule information obtained by PEGC indicates that the PIN requires authentication and/or authorization assisted by the 5G core network, configuration information is obtained from PEMC, wherein the configuration information is used to indicate whether at least one PINE requires authentication and/or authorization assisted by the 5G core network.
  • Step 76 If the configuration information indicates that the first PINE requires authentication and/or authorization assisted by the 5G core network, the PEGC sends a first NAS message to the SMF, wherein the first NAS message carries an indication for indicating authentication and/or authorization; if the configuration information indicates that the first PINE does not require authentication and/or authorization assisted by the core network, the PEGC does not send the first NAS message to the SMF.
  • the first NAS message can be a PDU session modification request (PDU Session Modification Request) or a PDU session establishment request (PDU Session Establishment Request).
  • Step 77 If the SMF receives the first NAS message, it determines, based on the relevant information of the first NAS message, whether the first PINE needs to be authenticated and/or authorized, and executes the following step 78 when it determines that the first PINE needs to be authenticated and/or authorized;
  • the relevant information of the first NAS message includes at least one of the following:
  • PDU session related information in the first NAS message (e.g., PDU session identifier, DNN, S-NSSAI)
  • PIN instance or session related information (e.g., PIN identifier)
  • the PDU session related information and the PIN service indication information in the first NAS message (i.e., indicating that the PDU session related information in the first NAS message is related to the PIN service)
  • Step 78 SMF sends a first EAP message to PEGC, so that PEGC forwards the first EAP message to PINE, wherein the first EAP message is used to request the ID of PINE; the first EAP message may be an EAP identity in an EAP request (EAP Request);
  • Step 79 PINE sends a second EAP message to PEGC, so that PEGC forwards the second EAP message to SMF, wherein the second EAP message carries the ID of PINE; the second EAP message may be an EAP identity in an EAP response (EAP Response);
  • Step 710 SMF sends a second EAP message to the external data network authentication authority (AAA).
  • Step 711 AAA and PINE exchange EAP messages (such as EAP Request, EAP Response) through SMF, UPF, and PEGC to complete the authentication and/or authorization process.
  • Step 712 If the authentication and/or authorization is successful, AAA (e.g., through UPF) sends an EAP success (EAP-Success) message to SMF.
  • Step 713 If SMF receives the EAP-Success message, SMF sends a PDU session establishment acknowledgment (PDU Session Establishment Ack) or a PDU session modification acknowledgment (PDU Session Modification Ack) to PEGC, otherwise it sends a PDU session establishment reject (PDU Session Establishment Reject) or a PDU session modification reject (PDU Session Modification Reject).
  • PDU Session Establishment Ack or PDU Session Modification Ack may also carry at least one of the indication of successful authentication and/or authorization and the reason value of successful authentication and/or authorization;
  • PDU Session Establishment Reject or PDU Session Modification Reject may also carry at least one of the indication of authentication and/or authorization failure and the reason value of authentication and/or authorization failure.
  • Step 714 If the PEGC receives a PDU Session Establishment Ack or a PDU Session Modification Ack, the PEGC allows the first PINE to connect to access the PIN, otherwise the PEGC rejects the connection of the first PINE.
  • Step 715 If PEGC receives PDU Session Establishment Ack or PDU Session Modification Ack, PEGC can also send the IP address of the first PINE to SMF.
  • Step 716 SMF can authorize the communication configuration of the PIN (including message filtering rules) based on the received IP address of the first PINE, such as accepting the message filtering rules related to the first PINE (i.e., accepting the message filtering rules containing the IP address of the PINE).
  • SMF may be replaced by AMF
  • UPF may be replaced by authentication service function (AUSF); or UPF or AUSF may not be involved in this implementation.
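Implementation method 1 from the PEGC's and SMF's side, together with the result indication of items D-1 and D-2, as an added Python example that is not part of the application. The EAP exchange with the AAA is reduced to a lookup in a constructed credential set, and the class names, device identifiers, IP addresses and the handling of unlisted or contradictory cases are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ACKS = {"PDU Session Establishment Ack", "PDU Session Modification Ack"}


@dataclass
class SecondNas:
    name: str                     # D-1: the message name itself carries the result
    cause: Optional[str] = None   # D-2: optional cause value (constructed: "success"/"failure")


def first_operation_succeeded(msg: SecondNas) -> bool:
    """PEGC-side reading of the second NAS message (steps 713 and 714)."""
    # Only an Ack counts as success. A Reject, an unknown message name, or an
    # Ack carrying a failure cause is read as failure (last case: assumption).
    return msg.name in ACKS and msg.cause != "failure"


@dataclass
class Pine:
    pine_id: str
    ip: str


@dataclass
class Smf:
    aaa_credentials: set                       # constructed stand-in for the external AAA
    pine_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle_first_nas(self, request: str, pine: Pine) -> SecondNas:
        # Steps 78 and 79: EAP identity request and response relayed by the PEGC.
        self.log.append("EAP Request/Identity: SMF -> PEGC -> PINE")
        self.log.append(f"EAP Response/Identity({pine.pine_id}): PINE -> PEGC -> SMF")
        # Steps 710 to 712: the AAA runs the EAP exchange; here reduced to a lookup.
        eap_success = pine.pine_id in self.aaa_credentials
        kind = "Establishment" if "Establishment" in request else "Modification"
        # Step 713: Ack only when EAP-Success was received, otherwise Reject.
        if eap_success:
            return SecondNas(f"PDU Session {kind} Ack", "success")
        return SecondNas(f"PDU Session {kind} Reject", "failure")

    def accept_filter_rule(self, rule: dict) -> bool:
        # Step 716: accept only message filtering rules containing a reported PINE IP.
        return rule.get("ip") in self.pine_ips


@dataclass
class Pegc:
    pin_requires_core_auth: bool   # rule information from the PCF (step 73)
    pine_config: dict              # configuration information from the PEMC (step 75)
    session_established: bool = True
    admitted: set = field(default_factory=set)

    def connect(self, pine: Pine, smf: Smf) -> str:
        # Steps 75 and 76: decide whether the first NAS message is sent at all.
        # A PINE missing from the configuration is treated as requiring the
        # first operation (assumption; the text does not cover this case).
        needs_auth = (self.pin_requires_core_auth
                      and self.pine_config.get(pine.pine_id, True))
        if not needs_auth:
            return "local-policy"  # no first NAS message; admission is outside these steps
        request = ("PDU Session Modification Request" if self.session_established
                   else "PDU Session Establishment Request")
        reply = smf.handle_first_nas(request, pine)
        if not first_operation_succeeded(reply):   # step 714
            return "rejected"
        self.admitted.add(pine.pine_id)
        smf.pine_ips.add(pine.ip)                  # step 715: report the PINE's IP address
        return "admitted"


def demo():
    # Constructed devices: only "pine-lamp" holds a credential known to the AAA.
    smf = Smf(aaa_credentials={"pine-lamp"})
    pegc = Pegc(True, {"pine-lamp": True, "pine-toy": True, "pine-sensor": False})
    pines = [Pine("pine-lamp", "10.0.0.11"), Pine("pine-toy", "10.0.0.12"),
             Pine("pine-sensor", "10.0.0.13")]
    return {p.pine_id: pegc.connect(p, smf) for p in pines}, smf


if __name__ == "__main__":
    results, smf = demo()
    print(results)
    print(smf.accept_filter_rule({"ip": "10.0.0.11"}), smf.accept_filter_rule({"ip": "10.0.0.12"}))
```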
  • Implementation method 2 includes the following steps 81 to 811.
  • Step 81 PEGC establishes a PDU Session and initiates a PDU session establishment request (PDU Session Establishment Request).
  • Step 82 SMF returns a PDU Session Establishment Ack message, carrying the fifth indication information, and the first operation includes at least one of authentication, certification, and authorization.
  • the fifth indication information is used to indicate at least one of the following:
  • Step 83 The first PINE connects to the PEGC to access the PIN (e.g., the first PINE sends a connection request to the PEGC).
  • Step 84 PEMC creates a PIN and can notify AF that a PIN has been created.
  • PEMC can send a Communication Request message to PEGC to indicate that one or more PINEs of PEGC need to perform the first operation.
  • If the fifth indication information in the aforementioned step 82 indicates that the first operation is not allowed, or an operation is not allowed to be performed through the control plane of the mobile network where the SMF is located, or the first operation is not allowed to be performed through the user plane of the mobile network where the SMF is located, the subsequent steps are not executed; otherwise, the subsequent steps are executed.
  • Step 85 PEGC sends a PDU Session Modification Request to SMF, which may carry at least one of the first indication information, the first PINE information, the PEGC information, and the AAA information.
  • the first indication information is used to indicate the first operation.
  • Step 86 If the SMF allows the first operation, or allows the AAA in step 85 to perform the first operation, or allows the PEGC or the first PINE in step 85 to perform the first operation, or allows the PEGC or the first PINE in step 85 and the AAA to perform the first operation, it returns a PDU Session Modification Ack message; otherwise, it returns a PDU Session Modification Reject message, which may carry indication information for indicating that the first operation is not allowed.
  • Step 87 If the first operation is allowed, the PEGC may send a first EAP message to the first PINE to request the ID of the first PINE; the first EAP message may be an EAP identity in an EAP request (EAP Request);
  • Step 88 PINE sends a second EAP message to PEGC, carrying the ID of the first PINE; the second EAP message can be the EAP identity (EAP Identity) in the EAP response (EAP Response).
  • Step 89 PEGC sends the ID of the first PINE to the external data network authentication authority (AAA) through the user of the 5G system.
  • Step 810 AAA and PINE exchange EAP messages (such as EAP Request and EAP Response) through PEGC to perform the first operation.
  • Step 811 If the first operation is successful, AAA sends an EAP-Success message to PEGC, otherwise it sends an EAP failure (EAP-Failure) message. If PEGC receives EAP-Success, it allows the first PINE to connect to access the PIN, otherwise PEGC rejects the connection of the first PINE.
  • SMF may be replaced by AMF
  • UPF may be replaced by authentication service function (AUSF); or UPF or AUSF may not be involved in this implementation.
  • Implementation Mode 1 and Implementation Mode 2 are only two implementation modes of the embodiment of the present application, that is, the specific implementation mode of the operation execution method of the embodiment of the present application is not limited thereto, and can also be various possible combinations of the aforementioned contents.
  • the operation execution method provided in the embodiment of the present application can be executed by an operation execution device.
  • the operation execution device provided in the embodiment of the present application is described by taking the operation execution method executed by the operation execution device as an example.
  • an embodiment of the present application provides an operation execution device, which is applied to a first terminal.
  • the operation execution device 90 includes the following modules:
  • a first sending module 901 is configured to send a first non-access stratum NAS message and/or first indication information to a network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • the first receiving module 902 is configured to receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
  • the device further comprises:
  • the first establishing module is used to interact with the network side to establish a protocol data unit PDU session before the first sending module 901 sends the first non-access layer NAS message and/or the first indication information to the network side.
  • the first non-access layer NAS message is a PDU session modification request.
  • the first indication information includes at least one of the following:
  • the first sending module 901 includes:
  • the first sending submodule is used to send the first non-access stratum NAS message and/or the first indication information to the network side when or after the connection between the first terminal and the first device is established.
  • the first sending submodule is specifically used for:
  • the first message is used to indicate at least one of the following:
  • the sixth message is used to instruct the first terminal or the first device to communicate with the second network function
  • the second network function is used to perform the first operation.
  • the first indication information includes at least one of the following:
  • the device further comprises:
  • a third receiving module is configured to receive second indication information sent by the network side after the first sending module 901 sends the first non-access stratum NAS message and/or the first indication information to the network side, wherein the second indication information is used to indicate a result of the first operation;
  • the third processing module is configured to perform at least one of the following according to the second indication information:
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the device further comprises:
  • the fourth processing module is configured to perform at least one of the following according to the fifth indication information:
  • the first message is used to indicate at least one of the following:
  • Establish a connection between the first device and the first terminal, access the first terminal, access the PIN where the first terminal is located, communicate with the network side, and communicate with the second network function.
  • the first receiving module 902 is specifically configured to:
  • a second NAS message sent by the network side is received, wherein the second NAS message carries the second indication information.
  • the second indication information satisfies at least one of the following:
  • the result of the first operation is indicated by a cause value.
  • the indicating a result of the first operation by using an identifier or a name of the second NAS message includes at least one of the following:
  • the failure of the first operation is indicated by a PDU session modification reject message or a PDU session establishment reject message.
  • the result of the first operation indicated by the cause value includes at least one of the following indications:
  • a failure cause value and/or a failure indication is used to indicate that the first operation failed;
  • if the second NAS message does not include the failure cause value and/or the failure indication, this indicates that the first operation is successful;
  • if the second NAS message does not include the success cause value and/or the success indication, this indicates that the first operation failed.
  • the device further comprises at least one of the following modules:
  • a first forwarding module configured to receive a second message from the network side, and send the second message to the first device
  • a second forwarding module configured to receive a third message from the first device, and send the third message to the network side;
  • the second message and the third message are respectively messages involved in executing the first operation.
  • the second message is an Extensible Authentication Protocol (EAP) message
  • the third message is an EAP message.
  • the first non-access layer NAS message is a PDU session modification request or a PDU session establishment request.
  • the device further comprises:
  • a fourth receiving module used to receive the rule information sent by the network side
  • the first sending module includes:
  • the second sending submodule is used to send the first non-access layer NAS message and/or the first indication information to the network side according to the rule information.
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation.
  • the second sending submodule is specifically configured to perform at least one of the following:
  • the first non-access stratum NAS message and/or the first indication information are related to the target PIN;
  • connection between the first terminal and the first device is associated with the target PIN
  • the first message sent by the first device and received by the first terminal is related to the target PIN;
  • the first device being associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the device further comprises:
  • a fifth receiving module configured to receive configuration information sent by the second terminal
  • the first sending module 901 includes:
  • the third sending submodule is used for the first terminal to send the first non-access layer NAS message and/or the first indication information to the network side according to the configuration information.
  • the configuration information is used to indicate at least one of the following:
  • the first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
  • At least one second target device requires the first operation or does not require the first operation.
  • the third sending submodule is specifically configured to perform at least one of the following:
  • the first non-access stratum NAS message and/or the first indication information are related to the target PIN;
  • connection between the first terminal and the first device is associated with the target PIN
  • the first message sent by the first device and received by the first terminal is related to the target PIN;
  • the first device being associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the device further comprises:
  • a fifth sending module is used to send information of the first device to the network side when the second indication information indicates that the first operation is successful.
  • the first terminal is a terminal with gateway capability.
  • the operation execution device in the embodiment of the present application can be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a terminal; for example, the terminal may include but is not limited to the types of the terminal 11 listed above, and the embodiment of the present application does not make any specific limitation.
  • the operation execution device provided in the embodiment of the present application can implement each process implemented by the method embodiment of Figure 2 and achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • an embodiment of the present application provides an operation execution device, which is applied to a first network function.
  • the operation execution device 100 includes the following modules:
  • the second sending module 1001 is used to send fifth indication information to the first terminal
  • the second receiving module 1002 is configured to receive a first non-access stratum NAS message and/or first indication information sent by the first terminal, wherein the first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • the first processing module 1003 is configured to, in response to the first non-access stratum NAS message and/or the first indication information, perform at least one of the following:
  • the fifth indication information is used to indicate at least one of the following:
  • the first operation is allowed or not allowed to be performed through a user plane of the mobile network.
  • the device further comprises:
  • a sixth receiving module configured to receive third indication information sent by the second network function when the first network function instructs the second network function and the first terminal to perform the first operation, wherein the third indication information is used to indicate a result of the first operation;
  • the sixth sending module is used to send second indication information to the first terminal according to the third indication information, where the second indication information is used to indicate a result of the first operation.
  • the device further comprises:
  • the second establishing module is used to interact with the first terminal to establish a protocol data unit PDU session before the first network function receives the first non-access layer NAS message and/or the first indication information sent by the first terminal.
  • the first non-access layer NAS message is a PDU session modification request.
  • the first indication information includes at least one of the following:
  • the first indication information includes at least one of the following:
  • the first device needs to access the personal IoT PIN through the first terminal or a device in the network where the first network function is located;
  • the first non-access layer NAS message is a PDU session modification request or a PDU session establishment request.
  • the sixth sending module is specifically configured to:
  • a second NAS message is sent to the first terminal, wherein the second NAS message carries the second indication information.
  • the second indication information satisfies at least one of the following:
  • the result of the first operation is indicated by a cause value.
  • the indicating a result of the first operation by using an identifier or a name of the second NAS message includes at least one of the following:
  • the failure of the first operation is indicated by a PDU session modification reject message or a PDU session establishment reject message.
  • the result of the first operation indicated by the cause value includes at least one of the following indications:
  • a failure cause value and/or a failure indication is used to indicate that the first operation failed;
  • if the second NAS message does not include the failure cause value and/or the failure indication, this indicates that the first operation is successful;
  • if the second NAS message does not include the success cause value and/or the success indication, this indicates that the first operation failed.
  • when the first processing module instructs the second network function and the first terminal to perform the first operation in response to the first non-access layer NAS message, the first processing module is specifically configured to perform at least one of the following:
  • the second network function and the first terminal are instructed to perform the first operation.
  • the device further comprises:
  • the fifth processing module is configured to obtain at least one of the following from the third network function:
  • the second associated information.
  • the device further comprises:
  • a seventh receiving module configured to receive information about the first device sent by the first terminal when the second indication information indicates that the first operation is successful
  • the first device is a device that needs to access the PIN or the network where the first network function is located through the first terminal.
  • the device further comprises:
  • a configuration module used to configure a fourth network function with a message filtering rule when the first network function learns the message filtering rule and the message filtering rule is related to the first device.
  • the operation execution device in the embodiment of the present application can be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a network function.
  • the network function can include but is not limited to the types of network functions 12 listed above, and the embodiment of the present application does not specifically limit this.
  • the operation execution device provided in the embodiment of the present application can implement each process implemented by the method embodiment of Figure 3 and achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • an embodiment of the present application provides an operation execution device, which is applied to a third network function.
  • the operation execution device 110 includes the following modules:
  • the second processing module 1101 is used to perform a second operation
  • the second operation includes at least one of the following:
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  • the PDU session configuration information includes at least one of the following:
  • the second association information between the PDU session related information and the PIN service.
  • the device further comprises:
  • a sixth processing module configured to obtain fourth indication information before the second processing module 1101 performs the second operation, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
  • the second processing module 1101 is specifically used for:
  • the second operation is performed according to the fourth indication information.
  • the sixth processing module is specifically configured to:
  • the third network function receives the fourth indication information sent by the fifth network function.
  • the operation execution device in the embodiment of the present application can be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a network function, and illustratively, the network function can include but is not limited to the types of network functions 12 listed above, which are not specifically limited in the embodiment of the present application.
  • the operation execution device provided in the embodiment of the present application can implement each process implemented by the method embodiment of Figure 4 and achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • an embodiment of the present application provides an operation execution device, which is applied to a second terminal.
  • the operation execution device 120 includes the following modules:
  • the third sending module 1201 is used to send configuration information to the first terminal in the personal Internet of Things PIN.
  • the configuration information is sent to the first terminal in the personal Internet of Things PIN created by the second terminal.
  • the configuration information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one second target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the second target device is a device that needs to access the personal Internet of Things PIN or mobile network through the first terminal.
  • the operation execution device in the embodiment of the present application can be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a terminal, and illustratively, the terminal can include but is not limited to the types of the terminal 11 listed above, and the embodiment of the present application does not specifically limit it.
  • the operation execution device provided in the embodiment of the present application can implement each process implemented by the method embodiment of Figure 5 and achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • an embodiment of the present application provides an operation execution device, which is applied to the fifth network function.
  • the operation execution device 130 includes the following modules:
  • the fourth sending module 1301 is configured to send fourth indication information to the third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
  • the second operation includes at least one of the following:
  • the third network function sends rule information to the first terminal
  • the third network function sends protocol data unit PDU session configuration information to the first network function.
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  • the PDU session configuration information includes at least one of the following:
  • the second association information between the PDU session related information and the PIN service.
  • the operation execution device in the embodiment of the present application can be an electronic device, such as an electronic device with an operating system, or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a network function, and illustratively, the network function can include but is not limited to the types of network functions 12 listed above, which are not specifically limited in the embodiment of the present application.
  • the operation execution device provided in the embodiment of the present application can implement each process implemented by the method embodiment of Figure 6 and achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • the embodiment of the present application further provides a communication device 1400, including a processor 1401 and a memory 1402, the memory 1402 stores a program or instruction that can be run on the processor 1401, for example, when the communication device 1400 is a terminal, the program or instruction is executed by the processor 1401 to implement the various steps of the above-mentioned operation execution method embodiment, and can achieve the same technical effect.
  • when the communication device 1400 is a network function, the program or instruction is executed by the processor 1401 to implement the various steps of the above-mentioned operation execution method embodiment and can achieve the same technical effect; to avoid repetition, it will not be repeated here.
  • the embodiment of the present application also provides a terminal, as shown in FIG14 , which is a schematic diagram of the hardware structure of a terminal for implementing the embodiment of the present application.
  • the terminal 1400 includes but is not limited to at least some of the following components: a radio frequency unit 1401, a network module 1402, an audio output unit 1403, an input unit 1404, a sensor 1405, a display unit 1406, a user input unit 1407, an interface unit 1408, a memory 1409, and a processor 1410.
  • the terminal 1400 may also include a power source (such as a battery) for supplying power to each component, and the power source may be logically connected to the processor 1410 through a power management system, so as to implement functions such as charging, discharging, and power consumption management through the power management system.
  • the terminal structure shown in FIG14 does not constitute a limitation on the terminal, and the terminal may include more or fewer components than shown in the figure, or combine certain components, or arrange components differently, which will not be described in detail here.
  • the input unit 1404 may include a graphics processing unit (GPU) 14041 and a microphone 14042, and the graphics processor 14041 processes the image data of a static picture or video obtained by an image capture device (such as a camera) in a video capture mode or an image capture mode.
  • the display unit 1406 may include a display panel 14061, and the display panel 14061 may be configured in the form of a liquid crystal display, an organic light emitting diode, etc.
  • the user input unit 1407 includes at least one of a touch panel 14071 and other input devices 14072.
  • the touch panel 14071 is also called a touch screen.
  • the touch panel 14071 may include two parts: a touch detection device and a touch controller.
  • Other input devices 14072 may include, but are not limited to, a physical keyboard, function keys (such as volume control buttons, power buttons, etc.), trackballs, mice, and joysticks, which will not be repeated here.
  • the RF unit 1401 can transmit the data to the processor 1410 for processing; in addition, the RF unit 1401 can send uplink data to the network function.
  • the RF unit 1401 includes but is not limited to an antenna, an amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, etc.
  • the memory 1409 can be used to store software programs or instructions and various data.
  • the memory 1409 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, wherein the first storage area may store an operating system, an application program or instruction required for at least one function (such as a sound playback function, an image playback function, etc.), etc.
  • the memory 1409 may include a volatile memory or a non-volatile memory, or the memory 1409 may include both volatile and non-volatile memories.
  • the non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), or a flash memory.
  • the volatile memory may be a random access memory (RAM), a static random access memory (SRAM), a dynamic random access memory (DRAM), a synchronous dynamic random access memory (SDRAM), a double data rate synchronous dynamic random access memory (DDRSDRAM), an enhanced synchronous dynamic random access memory (ESDRAM), a synchronous link dynamic random access memory (SLDRAM) and a direct memory bus random access memory (DRRAM).
  • the memory 1409 in the embodiment of the present application includes but is not limited to these and any other suitable types of memory.
  • the processor 1410 may include one or more processing units; optionally, the processor 1410 integrates an application processor and a modem processor, wherein the application processor mainly processes operations related to an operating system, a user interface, and application programs, and the modem processor mainly processes wireless communication signals, such as a baseband processor. It is understandable that the modem processor may not be integrated into the processor 1410.
  • the radio frequency unit 1401 is used to send a first non-access layer NAS message and/or first indication information to the network side, wherein the first non-access layer NAS message is used to indicate a first operation, and the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
  • the radio frequency unit 1401 is further used to: receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
  • the processor 1410 is used to: interact with the network side to establish a protocol data unit PDU session.
  • the first non-access layer NAS message is a PDU session modification request.
  • the first indication information includes at least one of the following:
  • the radio frequency unit 1401 sends a first non-access layer NAS message and/or first indication information to the network side, specifically used for:
  • the first non-access layer NAS message and/or the first indication information is sent to the network side.
  • when or after the connection is established between the first terminal and the first device, the radio frequency unit 1401, in sending the first non-access layer NAS message and/or the first indication information to the network side, is specifically used for:
  • the first message is used to indicate at least one of the following:
  • the sixth message is used to instruct the first terminal or the first device to communicate with the second network function
  • the second network function is used to perform the first operation.
  • the first indication information includes at least one of the following:
  • after sending the first non-access layer NAS message and/or the first indication information to the network side, the radio frequency unit 1401 is further configured to:
  • the processor 1410 is further configured to: perform at least one of the following according to the second indication information:
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • processor 1410 is further configured to:
  • the first message is used to indicate at least one of the following:
  • Establish a connection between the first device and the first terminal, access the first terminal, access the PIN where the first terminal is located, communicate with the network side, and communicate with the second network function.
  • the radio frequency unit 1401 receives the second indication information sent by the network side, specifically configured to:
  • a second NAS message sent by the network side is received, wherein the second NAS message carries the second indication information.
  • the second indication information satisfies at least one of the following:
  • the result of the first operation is indicated by a cause value.
  • the indicating a result of the first operation by using an identifier or a name of the second NAS message includes at least one of the following:
  • the failure of the first operation is indicated by a PDU session modification reject message or a PDU session establishment reject message.
  • the result of the first operation indicated by the cause value includes at least one of the following indications:
  • a failure cause value and/or a failure indication is used to indicate that the first operation failed;
  • if the second NAS message does not include the failure cause value and/or the failure indication, this indicates that the first operation is successful;
  • if the second NAS message does not include the success cause value and/or the success indication, this indicates that the first operation failed.
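The result-indication rules listed above (and earlier for the receiving module of the terminal-side device) can be read as a small decision procedure. The sketch below is an added example, not code from the patent: the class, field and cause-string names are assumptions, the sample messages are constructed, and it shows where the two absence-based rules disagree.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


class Convention(Enum):
    """The two absence-based rules the text lists as alternatives."""
    NO_FAILURE_MEANS_SUCCESS = "no failure cause/indication -> success"
    NO_SUCCESS_MEANS_FAILURE = "no success cause/indication -> failure"


# Message names that, per the text, indicate failure by themselves.
REJECT_NAMES = frozenset({
    "PDU SESSION MODIFICATION REJECT",
    "PDU SESSION ESTABLISHMENT REJECT",
})


@dataclass(frozen=True)
class SecondNasMessage:
    """Hypothetical decoded view of the second NAS message."""
    name: str
    failure_cause: Optional[str] = None  # constructed label, not a 3GPP code
    success_cause: Optional[str] = None  # constructed label, not a 3GPP code


def interpret(msg: SecondNasMessage, convention: Convention) -> Result:
    """Return the result of the first operation carried by msg."""
    # 1. Result indicated by the identifier or name of the message.
    if msg.name.strip().upper() in REJECT_NAMES:
        return Result.FAILURE
    # 2. Result indicated by an explicit failure cause or indication.
    #    A message carrying both kinds of cause is treated as a failure.
    if msg.failure_cause is not None:
        return Result.FAILURE
    # 3. Result inferred from what the message does not contain.
    if convention is Convention.NO_FAILURE_MEANS_SUCCESS:
        return Result.SUCCESS
    return Result.SUCCESS if msg.success_cause is not None else Result.FAILURE


def should_send_first_device_info(msg: SecondNasMessage,
                                  convention: Convention) -> bool:
    """The terminal sends first-device information only on success."""
    return interpret(msg, convention) is Result.SUCCESS


def disagreements(messages: List[SecondNasMessage]) -> List[int]:
    """Indexes of messages on which the two conventions differ."""
    a = Convention.NO_FAILURE_MEANS_SUCCESS
    b = Convention.NO_SUCCESS_MEANS_FAILURE
    return [i for i, m in enumerate(messages)
            if interpret(m, a) is not interpret(m, b)]


# Constructed sample messages (not captured traffic).
SAMPLES = [
    SecondNasMessage("PDU SESSION MODIFICATION REJECT",
                     failure_cause="first-operation-failed"),
    SecondNasMessage("PDU SESSION MODIFICATION COMMAND",
                     success_cause="first-operation-ok"),
    SecondNasMessage("PDU SESSION MODIFICATION COMMAND"),  # no cause at all
    SecondNasMessage("PDU SESSION ESTABLISHMENT ACCEPT",
                     failure_cause="first-operation-failed",
                     success_cause="first-operation-ok"),
]

if __name__ == "__main__":
    for conv in Convention:
        print(conv.name, [interpret(m, conv).value for m in SAMPLES])
    print("conventions differ on sample indexes:", disagreements(SAMPLES))
```

The message with no cause at all is the only sample on which the two rules differ: the first treats it as success, the second as failure, so only the second fails closed when an indication is missing.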
  • the radio frequency unit 1401 is further configured to perform at least one of the following:
  • the second message and the third message are respectively messages involved in executing the first operation.
  • the second message is an Extensible Authentication Protocol (EAP) message
  • the third message is an EAP message.
  • the first non-access layer NAS message is a PDU session modification request or a PDU session establishment request.
  • the radio frequency unit 1401 is further used to: receive rule information sent by the network side;
  • the radio frequency unit 1401 sends a first non-access layer NAS message and/or a first indication information to the network side, specifically used for:
  • the first non-access layer NAS message and/or the first indication information are sent to the network side.
  • rule information is used to indicate at least one of the following:
  • the first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
  • At least one first target device requires the first operation or does not require the first operation.
  • the radio frequency unit 1401 sends the first non-access layer NAS message and/or the first indication information to the network side according to the rule information, specifically configured to perform at least one of the following:
  • the first non-access stratum NAS message and/or the first indication information are related to the target PIN;
  • connection between the first terminal and the first device is associated with the target PIN
  • the first message sent by the first device and received by the first terminal is related to the target PIN;
  • the first device being associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the radio frequency unit 1401 is further configured to:
  • the first terminal receives configuration information sent by the second terminal;
  • the radio frequency unit 1401 sends a first non-access layer NAS message and/or first indication information to the network side, specifically used for:
  • the first non-access stratum NAS message and/or the first indication information are sent to the network side.
  • the configuration information is used to indicate at least one of the following:
  • the first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
  • At least one second target device requires the first operation or does not require the first operation.
  • the radio frequency unit 1401 sends the first non-access layer NAS message and/or the first indication information to the network side according to the configuration information, specifically configured to perform at least one of the following:
  • the first non-access stratum NAS message and/or the first indication information are related to the target PIN;
  • connection between the first terminal and the first device is associated with the target PIN
  • the first message sent by the first device and received by the first terminal is related to the target PIN;
  • the first device being associated with the target PIN
  • the first message is used to indicate at least one of the following:
  • the second network function is used to perform the first operation.
  • the radio frequency unit 1401 is further used to: send information of the first device to the network side when the second indication information indicates that the first operation is successful.
  • the first terminal is a terminal with gateway capability.
  • the radio frequency unit 1401 is used to send configuration information to the first terminal in the personal Internet of Things PIN.
  • the configuration information is used to indicate at least one of the following:
  • the first operation needs to be applied to the target PIN or the first operation does not need to be applied to the target PIN;
  • At least one second target device requires the first operation or does not require the first operation
  • the first operation includes at least one of authentication, certification, and authorization
  • the second target device is a device that needs to access the personal Internet of Things PIN or mobile network through the first terminal.
  • the network function 1500 includes: an antenna 151, a radio frequency device 152, a baseband device 153, a processor 154, and a memory 155.
  • the antenna 151 is connected to the radio frequency device 152.
  • the radio frequency device 152 receives information through the antenna 151 and sends the received information to the baseband device 153 for processing.
  • the baseband device 153 processes the information to be sent and sends it to the radio frequency device 152.
  • the radio frequency device 152 processes the received information and sends it out through the antenna 151.
  • the method for executing the network function in the above embodiment may be implemented in the baseband device 153, which includes a baseband processor.
  • the baseband device 153 may include, for example, at least one baseband board on which a plurality of chips are arranged, as shown in FIG. 15, wherein one of the chips is, for example, a baseband processor, which is connected to the memory 155 through a bus interface to call a program in the memory 155 and execute the network function operations shown in the above method embodiment.
  • the network function may also include a network interface 156, which may be, for example, a common public radio interface (CPRI).
  • the network function 1500 of the embodiment of the present invention further includes: instructions or programs stored in the memory 155 and executable on the processor 154, and the processor 154 calls the instructions or programs in the memory 155 to execute the method shown in FIG.
  • the same technical effect is achieved by the method, so it will not be described here to avoid repetition.
  • the embodiment of the present application also provides a network function.
  • the network function 1600 includes: a processor 1601, a network interface 1602, and a memory 1603.
  • the network interface 1602 is, for example, a common public radio interface (CPRI).
  • the network function 1600 of the embodiment of the present invention also includes: instructions or programs stored in the memory 1603 and executable on the processor 1601.
  • the processor 1601 calls the instructions or programs in the memory 1603 to execute the method shown in Figure 3 or Figure 4 or Figure 6, and achieves the same technical effect. To avoid repetition, it will not be repeated here.
  • An embodiment of the present application also provides a readable storage medium, on which a program or instruction is stored.
  • each process of the above-mentioned operation execution method embodiment is implemented, and the same technical effect can be achieved. To avoid repetition, it will not be repeated here.
  • the processor is the processor in the terminal described in the above embodiment.
  • the readable storage medium may be non-volatile or non-transitory.
  • the readable storage medium may include a computer-readable storage medium, such as a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
  • An embodiment of the present application further provides a chip, which includes a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement the various processes of the operation execution method embodiment described in any one of the first to fifth aspects above, and can achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • the chip mentioned in the embodiments of the present application can also be called a system-level chip, a system chip, a chip system or a system-on-chip, etc.
  • An embodiment of the present application further provides a computer program/program product, which is stored in a storage medium.
  • the computer program/program product is executed by at least one processor to implement the various processes of the operation execution method embodiment described in any one of the first to fifth aspects above, and can achieve the same technical effect. To avoid repetition, it will not be repeated here.
  • An embodiment of the present application also provides an operation execution system, including: a terminal and a network function, wherein the terminal can be used to execute the steps of the operation execution method described in the first aspect or the fourth aspect above, and the network function can be used to execute the steps of the operation execution method described in the second aspect or the third aspect or the fifth aspect above.
  • the technical solution of the present application can be embodied in the form of a computer software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), and includes a number of instructions for a terminal (which can be a mobile phone, computer, server, air conditioner, or network function, etc.) to execute the methods described in each embodiment of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application belongs to the technical field of communication. Disclosed are an operation execution method and apparatus, a terminal and a network function. The operation execution method in the embodiments of the present application comprises at least one of the following: a first terminal sending a first non-access stratum (NAS) message and/or first indication information to a network side, wherein the first NAS message is used for indicating a first operation, the first indication information is used for indicating the first operation, and the first operation comprises at least one of authentication, certification and authorization; and the first terminal receiving fifth indication information, which is sent by the network side, wherein the fifth indication information is used for indicating at least one of the following: allowing or not allowing the first operation, allowing or not allowing the first operation to be executed by means of a control plane of the network side, and allowing or not allowing the first operation to be executed by means of a user plane of the network side.

Description

Operation execution method, apparatus, terminal and network function
Cross-Reference to Related Applications
This application claims priority to the Chinese patent application No. 202211395204.0, filed with the Chinese Patent Office on November 4, 2022 and entitled "Operation Execution Method, Apparatus, Terminal and Network Function", the entire contents of which are incorporated herein by reference.
Technical Field
The present application belongs to the field of communication technology, and specifically relates to an operation execution method, apparatus, terminal and network function.
Background
The Internet of Things builds on the computer Internet, using technologies such as sensor networks, radio frequency identification and wireless data communication to construct a network covering many kinds of devices. In this network, devices can communicate with each other. In essence, it uses radio frequency identification (RFID) technology to let devices communicate with one another over wireless data links and the computer Internet.
With the development of technology, the Personal IoT Network (PIN) has gradually emerged on the basis of the Internet of Things: a personal area network is built around the terminal, which promotes close integration of the terminal with the operator network, promotes good coordination between the terminal and IoT devices, and improves the user's overall operating experience and quality of use. IoT devices generally refer to terminal devices used in certain specific scenarios or for specific services, for example smart home devices, smart utilities, e-health devices and smart wearable devices.
However, no authentication-related operation method has yet been specified for devices in a PIN, which reduces the security with which these devices access the PIN.
Summary of the Invention
Embodiments of the present application provide an operation execution method, apparatus, terminal and network function to implement authentication-related operations for devices in a PIN, thereby improving the security of accessing the PIN.
In a first aspect, an operation execution method is provided, comprising:
a first terminal sends a first non-access stratum (NAS) message and/or first indication information to a network side, wherein the first NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
the first terminal receives fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the network side;
allowing or not allowing the first operation to be performed through the user plane of the network side.
In a second aspect, an operation execution method is provided, comprising:
a first network function sends fifth indication information to a first terminal;
and/or,
the first network function receives a first non-access stratum (NAS) message and/or first indication information sent by the first terminal, wherein the first NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
in response to the first NAS message and/or the first indication information, the first network function performs at least one of the following:
sending the fifth indication information to the first terminal;
instructing a second network function and the first terminal to perform the first operation;
wherein the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the mobile network where the first network function is located;
allowing or not allowing the first operation to be performed through the user plane of the mobile network where the first network function is located.
In a third aspect, an operation execution method is provided, comprising:
a third network function performs a second operation;
wherein the second operation includes at least one of the following:
the third network function sends rule information to a first terminal;
the third network function sends data protocol unit (PDU) session configuration information to a first network function.
In a fourth aspect, an operation execution method is provided, comprising:
a second terminal sends configuration information to a first terminal in a Personal IoT Network (PIN).
In a fifth aspect, an operation execution method is provided, comprising:
a fifth network function sends fourth indication information to a third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
wherein the second operation includes at least one of the following:
the third network function sends rule information to a first terminal;
the third network function sends data protocol unit (PDU) session configuration information to a first network function.
In a sixth aspect, an operation execution apparatus is provided, comprising:
a first sending module, configured to send a first non-access stratum (NAS) message and/or first indication information to a network side, wherein the first NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
a first receiving module, configured to receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the network side;
allowing or not allowing the first operation to be performed through the user plane of the network side.
In a seventh aspect, an operation execution apparatus is provided, comprising:
a second sending module, configured to send fifth indication information to a first terminal;
and/or,
a second receiving module, configured to receive a first non-access stratum (NAS) message and/or first indication information sent by the first terminal, wherein the first NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
a first processing module, configured to perform, in response to the first NAS message and/or the first indication information, at least one of the following:
sending the fifth indication information to the first terminal;
instructing a second network function and the first terminal to perform the first operation;
wherein the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of a mobile network;
allowing or not allowing the first operation to be performed through the user plane of the mobile network.
In an eighth aspect, an operation execution apparatus is provided, comprising:
a second processing module, configured to perform a second operation;
wherein the second operation includes at least one of the following:
sending rule information of a Personal IoT Network (PIN) to a first terminal;
sending data protocol unit (PDU) session configuration information to a first network function.
In a ninth aspect, an operation execution apparatus is provided, comprising:
a third sending module, configured to send configuration information to a first terminal in a Personal IoT Network (PIN).
In a tenth aspect, an operation execution apparatus is provided, comprising:
a fourth sending module, configured to send fourth indication information to a third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
wherein the second operation includes at least one of the following:
the third network function sends rule information to a first terminal;
the third network function sends data protocol unit (PDU) session configuration information to a first network function.
In an eleventh aspect, a terminal is provided, comprising a processor and a memory, wherein the memory stores a program or instructions executable on the processor, and the program or instructions, when executed by the processor, implement the steps of the method described in the first aspect or the fourth aspect.
In a twelfth aspect, a network function is provided, comprising a processor and a memory, wherein the memory stores a program or instructions executable on the processor, and the program or instructions, when executed by the processor, implement the steps of the method described in the second aspect, the third aspect, or the fifth aspect.
In a thirteenth aspect, an operation execution system is provided, comprising at least two of: a first terminal, a second terminal, a first network function, a second network function, a third network function, a fourth network function, and a fifth network function, wherein the first terminal can be used to execute the steps of the operation execution method described in the first aspect above, the second terminal can be used to execute the steps of the operation execution method described in the fourth aspect above, the first network function can be used to execute the steps of the operation execution method described in the second aspect above, the third network function can be used to execute the steps of the operation execution method described in the third aspect above, the fifth network function can be used to execute the steps of the operation execution method described in the fifth aspect above, and the second network function and the fifth network function can be used to cooperate with at least one of the first terminal, the second terminal, the first network function, the third network function, and the fifth network function to execute the steps of the operation execution method described in any one of claims 1-46.
In a fourteenth aspect, a readable storage medium is provided, on which a program or instructions are stored, and the program or instructions, when executed by a processor, implement the steps of the method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect.
In a fifteenth aspect, a chip is provided, comprising a processor and a communication interface, wherein the communication interface is coupled to the processor, and the processor is used to run a program or instructions to implement the method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect.
In a sixteenth aspect, a computer program/program product is provided, wherein the computer program/program product is stored in a storage medium and is executed by at least one processor to implement the steps of the method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect.
In a seventeenth aspect, an embodiment of the present application provides an operation execution determination apparatus, which is used to execute the steps of the operation execution method described in the first aspect, the second aspect, the third aspect, the fourth aspect, or the fifth aspect.
In the embodiments of the present application, the first terminal can send a first non-access stratum (NAS) message and/or first indication information to the network side, wherein the first NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization; and/or the first terminal receives fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the network side;
allowing or not allowing the first operation to be performed through the user plane of the network side.
It can be seen that the first terminal can instruct the network side to perform at least one of authentication, certification, and authorization by sending the first NAS message, or by sending the first indication information, or by sending both the first NAS message and the first indication information; it can also receive the above fifth indication information sent by the network side. Therefore, the operation execution method of the embodiments of the present application can be used to perform at least one of authentication, certification, and authorization on devices in a PIN; that is, the present application specifies the authentication, certification, and authorization operations in a PIN, thereby improving the security of accessing the PIN.
Brief Description of the Drawings
FIG. 1 is a block diagram of a wireless communication system to which an embodiment of the present application can be applied;
FIG. 2 is a flow chart of an operation execution method in an embodiment of the present application;
FIG. 3 is a flow chart of another operation execution method in an embodiment of the present application;
FIG. 4 is a flow chart of another operation execution method in an embodiment of the present application;
FIG. 5 is a flow chart of another operation execution method in an embodiment of the present application;
FIG. 6 is a flow chart of another operation execution method in an embodiment of the present application;
FIG. 7 is a flow chart of implementation mode 1 of the operation execution method of an embodiment of the present application;
FIG. 8 is a flow chart of implementation mode 2 of the operation execution method of an embodiment of the present application;
FIG. 9 is a flow chart of an operation execution apparatus in an embodiment of the present application;
FIG. 10 is a flow chart of another operation execution apparatus in an embodiment of the present application;
FIG. 11 is a flow chart of another operation execution apparatus in an embodiment of the present application;
FIG. 12 is a flow chart of another operation execution apparatus in an embodiment of the present application;
FIG. 13 is a flow chart of another operation execution apparatus in an embodiment of the present application;
FIG. 14 is a structural block diagram of a communication device in an embodiment of the present application;
FIG. 15 is a structural block diagram of a terminal in an embodiment of the present application;
FIG. 16 is a structural block diagram of a network function in an embodiment of the present application;
FIG. 17 is a structural block diagram of another network function in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are some, rather than all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application fall within the scope of protection of the present application.
The terms "first", "second", etc. in the specification and claims of the present application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that terms used in this way are interchangeable where appropriate, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here. The objects distinguished by "first" and "second" are generally of one type, and the number of objects is not limited; for example, the first object can be one or more. In addition, "and/or" in the specification and claims denotes at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.
It is worth noting that the technology described in the embodiments of the present application is not limited to Long Term Evolution (LTE)/LTE-Advanced (LTE-A) systems, and can also be used in other wireless communication systems, such as Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency Division Multiple Access (OFDMA), Single-carrier Frequency Division Multiple Access (SC-FDMA) and other systems. The terms "system" and "network" in the embodiments of the present application are often used interchangeably, and the described technology can be used for the systems and radio technologies mentioned above as well as for other systems and radio technologies. The following description describes a New Radio (NR) system for example purposes and uses NR terminology in most of the description, but these technologies can also be applied to applications other than NR system applications, such as 6th Generation (6G) communication systems.
FIG. 1 shows a block diagram of a wireless communication system to which an embodiment of the present application can be applied. The wireless communication system includes a terminal 11 and a network function 12. The terminal 11 may be a terminal-side device such as a mobile phone, a tablet computer (Tablet Personal Computer), a laptop computer (Laptop Computer, also called a notebook computer), a personal digital assistant (PDA), a palmtop computer, a netbook, an ultra-mobile personal computer (UMPC), a mobile Internet device (MID), an augmented reality (AR)/virtual reality (VR) device, a robot, a wearable device (Wearable Device), vehicle-mounted equipment (VUE), a pedestrian terminal (PUE), a smart home device (a home device with a wireless communication function, such as a refrigerator, television, washing machine or furniture), a game console, a personal computer (PC), a teller machine or a self-service machine. Wearable devices include smart watches, smart bands, smart headphones, smart glasses, smart jewelry (smart bangles, smart bracelets, smart rings, smart necklaces, smart ankle bangles, smart ankle chains, etc.), smart wristbands, smart clothing, and the like. It should be noted that the specific type of the terminal 11 is not limited in the embodiments of the present application. The network function 12 may include an access network device or a core network device, wherein the access network device 12 may also be referred to as a radio access network device, a radio access network (RAN), a radio access network function or a radio access network unit. The access network device 12 may include a base station, a WLAN access point, a WiFi node, or the like. The base station may be referred to as a Node B, an evolved Node B (eNB), an access point, a base transceiver station (BTS), a radio base station, a radio transceiver, a basic service set (BSS), an extended service set (ESS), a home Node B, a home evolved Node B, a transmitting receiving point (TRP) or some other suitable term in the field; as long as the same technical effect is achieved, the base station is not limited to a specific technical term. It should be noted that the embodiments of the present application use only the base station in the NR system as an example, and the specific type of the base station is not limited.
The core network device may include, but is not limited to, at least one of the following: a core network node, a core network function, a mobility management entity (MME), an access and mobility management function (AMF), a session management function (SMF), a user plane function (UPF), a policy control function (PCF), a policy and charging rules function (PCRF), an edge application server discovery function (EASDF), unified data management (UDM), a unified data repository (UDR), a home subscriber server (HSS), centralized network configuration (CNC), a network repository function (NRF), a network exposure function (NEF), a local NEF (L-NEF), a binding support function (BSF), an application function (AF), etc. It should be noted that the embodiments of the present application use only the core network device in an NR system as an example and do not limit the specific type of the core network device.
The operation execution method provided by the embodiments of the present application is described in detail below through some embodiments and their application scenarios, with reference to the accompanying drawings.
In a first aspect, FIG. 2 is a flowchart of an operation execution method provided by an embodiment of the present application. The method may include the following step 201 and/or step 202:
Step 201: A first terminal sends a first non-access stratum (NAS) message and/or first indication information to a network side.
Here, the first terminal may send the first NAS message and/or the first indication information to a first network function. The first terminal may be, for example, a terminal with gateway capability, that is, a gateway terminal (PIN Element with Gateway Capability, PEGC); the first network function may be, for example, a session management function (SMF) or an access and mobility management function (AMF).
The first NAS message is used to indicate a first operation, and the first indication information is used to indicate the first operation. Thus, in the embodiments of the present application, the first terminal may send the first NAS message to the network side (for example, the first network function above) to instruct the network side to perform the first operation (that is, a NAS message triggers the network side to perform the first operation); or it may send the first indication information to the network side to instruct the network side to perform the first operation (that is, a piece of indication information instructs the network-side device to perform the first operation); or it may send both the first NAS message and the first indication information to the network side to instruct the network side to perform the first operation (that is, a NAS message together with a piece of indication information instructs the network side to perform the first operation). Here, the first NAS message and the first indication information may be independent of each other, or the first indication information may be carried in the first NAS message.
In addition, the first operation includes at least one of the following:
authentication (鉴权), authentication (认证), authorization.
Step 202: The first terminal receives fifth indication information sent by the network side.
The fifth indication information is used to indicate at least one of the following:
whether the first operation is allowed or not allowed;
whether performing the first operation through the control plane of the network side is allowed or not allowed;
whether performing the first operation through the user plane of the network side is allowed or not allowed.
Optionally, before step 201 or 202 above, the method further includes:
the first terminal interacts with the network side to establish a PDU session;
Step 202 above, "the first terminal receives the fifth indication information sent by the network side", includes:
the first terminal receives a PDU session establishment/modification confirmation message sent by the network side, the PDU session establishment/modification confirmation message carrying the fifth indication information.
That is, the network side may carry the fifth indication information in a PDU session confirmation message and send it to the first terminal.
Optionally, step 202 above, "the first terminal receives the fifth indication information sent by the network side", includes:
the first terminal receives the fifth indication information that the network side sends in response to the first NAS message and/or the first indication information.
Thus, after receiving a PDU session establishment/modification request message sent by the first terminal, the network side may carry the fifth indication information in the PDU session establishment confirmation/modification confirmation message sent to the first terminal, to inform the first terminal whether the first operation is allowed; alternatively, after receiving the first NAS message and/or the first indication information sent by the first terminal, the network side may send the fifth indication information to the first terminal, to inform the first terminal whether the first operation is allowed.
As steps 201 to 202 above show, in the embodiments of the present application the first terminal can send a first NAS message and/or first indication information to the network side, where the first NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication (鉴权), authentication (认证) and authorization; and/or the first terminal receives fifth indication information sent by the network side, where the fifth indication information is used to indicate at least one of the following:
whether the first operation is allowed or not allowed;
whether performing the first operation through the control plane of the network side is allowed or not allowed;
whether performing the first operation through the user plane of the network side is allowed or not allowed.
It can be seen that the first terminal can instruct the network side to perform at least one of authentication (鉴权), authentication (认证) and authorization by sending the first NAS message, by sending the first indication information, or by sending both the first NAS message and the first indication information; it can also receive the fifth indication information sent by the network side. Therefore, the operation execution method of the embodiments of the present application can be used to perform at least one of these operations on a device in the PIN, thereby improving the security of access to the PIN.
It should be noted that the first terminal may also fall under Case 1 or Case 2 below:
Case 1: The first terminal may also have the function of a personal Internet of Things device (PIN Element, PINE) in addition to gateway capability; that is, the PEGC and the PINE may be combined into one device.
Case 2: The first terminal may lack the PINE capability, for example the first terminal has only gateway capability; that is, the PEGC and the PINE are separate devices.
Optionally, in Case 1 above, before step 201 "the first terminal sends the first NAS message and/or the first indication information to the network side", the method further includes:
the first terminal interacts with the network side to establish a protocol data unit (PDU) session.
That is, a first terminal in which the PEGC and the PINE are combined may also establish a PDU session with the network side before sending the first NAS message and/or the first indication information to the network side.
If a PDU session is established before the first terminal sends the first NAS message and/or the first indication information to the network side, the first terminal can subsequently use the PDU session modification procedure to send the first NAS message to the network side.
Optionally, the first NAS message is a PDU session modification request. That is, in Case 1 above, the first terminal may send a PDU modification request to the network side as the first NAS message, to trigger the network side to perform the first operation.
Optionally, the first indication information includes at least one of the following items A-1 to A-3:
Item A-1: an indication used to instruct that the first operation be performed;
Item A-2: information of the first terminal;
Item A-3: information of a second network function, wherein the second network function is used to perform the first operation.
The information of the first terminal may include at least one of an identifier, an IP address and a MAC address.
Item A-1 above means that the first terminal may explicitly instruct the network side to perform the first operation;
Item A-2 above means that the first terminal may implicitly instruct the network side to perform the first operation through the information of the first terminal.
For example, when the first indication information that the network side receives from the first terminal includes the indication used to instruct that the first operation be performed, the network side can determine from this explicit indication that the first operation needs to be performed on the first terminal; when the first indication information that the network side receives from the first terminal includes the information of the first terminal, the network side can likewise determine from this implicit indication that the first operation needs to be performed on the first terminal.
In item A-3 above, the second network function may be, for example, an external data network authentication and authorization center (AAA); that is, the first terminal may also inform the network side which network function is to perform the first operation.
Optionally, in Case 2 above, the first terminal sending the first NAS message and/or the first indication information to the network side includes:
when or after a connection is established between the first terminal and a first device, the first terminal sends the first NAS message and/or the first indication information to the network side.
Here, the first device may be a PINE.
That is, when or after the connection is established between the first terminal and the first device, the first terminal may instruct the network side to perform the first operation.
Optionally, the first terminal sending the first NAS message and/or the first indication information to the network side when or after the connection is established between the first terminal and the first device includes:
the first terminal receives a first message sent by the first device, or receives a sixth message sent by a second terminal;
the first terminal, in response to the first message or the sixth message, sends the first NAS message and/or the first indication information to the network side;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, joining the personal Internet of Things network (PIN) in which the first terminal is located, communicating with the network side, and communicating with a second network function;
the sixth message is used to instruct the first terminal or the first device to communicate with the second network function;
the second network function is used to perform the first operation.
When the first message is used to indicate establishing the connection between the first device and the first terminal, the first message may be a connection request sent by the first device to the first terminal, or a connection request sent by the first terminal to the first device.
Thus, receiving the first message sent by the first device can trigger the first terminal to send the first NAS message and/or the first indication information to the network-side device, so that the network side performs the first operation on the first device; alternatively, receiving the sixth message sent by the second terminal can trigger the first terminal to send the first NAS message and/or the first indication information to the network-side device, so that the network side performs the first operation on the first device.
Optionally, the first NAS message is a PDU session modification request or a PDU session establishment request. That is, in Case 2 above, the first terminal may send a PDU modification request or a PDU session establishment request to the network side as the first NAS message, to trigger the network side to perform the first operation.
Optionally, the first indication information includes at least one of the following items B-1 to B-4:
Item B-1: an indication used to instruct that the first operation be performed;
Item B-2: information of the first device;
Item B-3: information of the first terminal;
Item B-4: information of a second network function, wherein the second network function is used to perform the first operation.
The information of the first terminal may include at least one of an identifier, an IP address and a MAC address; the information of the first device may include at least one of an identifier, an IP address and a MAC address.
Item B-1 above means that the first terminal may explicitly instruct the network side to perform the first operation;
Item B-2 above means that the first terminal may implicitly instruct the network side to perform the first operation through the information of the first device;
Item B-3 above means that the first terminal may implicitly instruct the network side to perform the first operation through the information of the first terminal.
For example, when the first indication information that the network side receives from the first terminal includes the indication used to instruct that the first operation be performed, the network side can determine from this explicit indication that the first operation needs to be performed on the device that sent the first message to the first terminal (that is, the first device); when the first indication information includes the information of the first device, the network side can likewise determine from this implicit indication that the first operation needs to be performed on the first device; when the first indication information includes the information of the first terminal, the network side can likewise determine from this implicit indication that the first operation needs to be performed on the device that sent the first message to the first terminal (that is, the first device).
In item B-4 above, the second network function may be, for example, an external data network authentication and authorization center (AAA); that is, the first terminal may also inform the network side which network function is to perform the first operation.
Optionally, after the first terminal sends the first NAS message and/or the first indication information to the network side, the method further includes:
the first terminal receives second indication information sent by the network side, wherein the second indication information is used to indicate a result of the first operation;
the first terminal performs, according to the second indication information, at least one of the following items C-1 to C-3:
Item C-1: allowing or rejecting the first message that was sent by the first device and received by the first terminal;
Item C-2: allowing or rejecting processing of data of the first device;
Item C-3: allowing, retaining or releasing the connection between the first terminal and the first device;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, joining the PIN in which the first terminal is located, communicating with the network side, and communicating with a second network function;
the second network function is used to perform the first operation.
After receiving the first NAS message and/or the first indication information, the network side performs the first operation on the first device as indicated by the first NAS message and/or the first indication information, and returns the result of performing the first operation to the first terminal. The first terminal can then perform at least one of items C-1 to C-3 above according to that result.
Optionally, the method further includes:
the first terminal performs, according to the fifth indication information, at least one of the following items G-1 to G-:
Item G-1: performing or stopping performing the first operation;
Item G-2: sending or stopping sending sixth indication information to the second network function, where the sixth indication information is used to instruct the second network function to perform the first operation;
Item G-3: sending or stopping sending a fourth message to the second network function, where the fourth message is a message involved in performing the first operation;
Item G-4: receiving or stopping receiving a fifth message from the second network function, where the fifth message is a message involved in performing the first operation;
Item G-5: allowing or rejecting the first message that was sent by the first device and received by the first terminal;
Item G-6: allowing or rejecting processing of data of the first device;
Item G-7: allowing, retaining or releasing the connection between the first terminal and the first device;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, joining the PIN in which the first terminal is located, communicating with the network side, and communicating with the second network function.
Item G-1 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the first terminal performs the first operation; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the first terminal stops performing the first operation.
Item G-2 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the first terminal sends the sixth indication information to the second network function; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the first terminal stops sending the sixth indication information to the second network function;
Item G-3 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the first terminal sends the fourth message to the second network function; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the first terminal stops sending the fourth message to the second network function;
Item G-4 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the first terminal receives the fifth message from the second network function; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the first terminal stops receiving the fifth message from the second network function;
Item G-5 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the first message sent by the first device and received by the first terminal is allowed; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the first message sent by the first device and received by the first terminal is rejected;
Item G-6 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, processing of the data of the first device is allowed; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, processing of the data of the first device is rejected;
Item G-7 above means: when the fifth indication information indicates that the first operation is allowed, or that performing the first operation through the control plane of the network side is allowed, or that performing the first operation through the user plane of the network side is allowed, the connection between the first terminal and the first device is allowed or retained; when the fifth indication information indicates that the first operation is not allowed, or that performing the first operation through the control plane of the network side is not allowed, or that performing the first operation through the user plane of the network side is not allowed, the connection between the first terminal and the first device is released.
Optionally, the first terminal receiving the second indication information sent by the network side includes:
The first terminal receives a second NAS message sent by the network side, where the second NAS message carries the second indication information.
That is, the network side may carry the second indication information, which indicates the result of performing the first operation, in the second NAS message and send it to the first terminal.
Optionally, the second indication information satisfies at least one of the following items D-1 to D-2:
Item D-1: the result of the first operation is indicated by the identifier or name of the second NAS message;
Item D-2: the result of the first operation is indicated by a cause value.
Item D-1 above means that different identifiers or names of the second NAS message indicate different results of the first operation.
Optionally, indicating the result of the first operation by the identifier or name of the second NAS message includes at least one of the following:
indicating that the first operation succeeded by a PDU session modification confirmation message or a PDU session establishment confirmation message;
indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject message.
That is, if the second NAS message sent by the network side to the first terminal is a PDU session modification confirmation message or a PDU session establishment confirmation message, the first operation was performed successfully; if the second NAS message sent by the network side to the first terminal is a PDU session modification reject message or a PDU session establishment reject message, the first operation failed.
In other words, when the network side performs the first operation successfully, it returns a PDU session modification confirmation message or a PDU session establishment confirmation message to the first terminal; when the network side fails to perform the first operation, it returns a PDU session modification reject message or a PDU session establishment reject message to the first terminal.
Item D-2 above means that different results of the first operation are indicated explicitly by the cause value.
Optionally, indicating the result of the first operation by a cause value includes at least one of the following indications:
a failure cause value and/or a failure indication, used to indicate that the first operation failed;
a success cause value and/or a success indication, used to indicate that the first operation succeeded;
where the second NAS message does not include the failure cause value and/or the failure indication, indicating that the first operation succeeded;
where the second NAS message does not include the success cause value and/or the success indication, indicating that the first operation failed.
That is, if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, the first operation failed; if the second NAS message sent by the network side does not include a failure cause value and/or a failure indication, the first operation succeeded.
Alternatively, if the second NAS message sent by the network side includes a success cause value and/or a success indication, the first operation succeeded; if the second NAS message sent by the network side does not include a success cause value and/or a success indication, the first operation failed.
Alternatively, if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, the first operation failed; if the second NAS message sent by the network side includes a success cause value and/or a success indication, the first operation succeeded.
Optionally, the method further includes at least one of the following:
the first terminal receives a second message from the network side and sends the second message to the first device;
the first terminal receives a third message from the first device and sends the third message to the network side;
where the second message and the third message are each messages involved in performing the first operation, that is, messages that the first device and the network side need to exchange when the first operation is performed.
It follows that, while the network side performs the first operation, the first terminal can also forward the messages exchanged between the first device and the network side.
For example, if the network side needs to request the identification information of the first device during the first process, the network side may send the first terminal a second message requesting the identification information of the first device. The first terminal sends the second message to the first device, the first device returns to the first terminal a third message carrying its identification information, and the first terminal returns that third message to the network side.
Optionally, the second message is an Extensible Authentication Protocol (EAP) message, and the third message is an EAP message.
In addition, step 201 above may be implemented as described in Mode 1, Mode 2 or Mode 3 below:
Mode 1: Optionally, the method further includes:
the first terminal receives rule information sent by the network side;
the first terminal sending the first non-access stratum (NAS) message and/or the first indication information to the network side includes:
the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information.
It follows that the first terminal can send the first non-access stratum NAS message and/or the first indication information according to the rule information sent by the network side (that is, by the third network function, for example a Policy Control Function (PCF)).
Optionally, the rule information is used to indicate at least one of the following items E-1 to E-2:
Item E-1: the first operation needs to be applied to the target PIN, or the first operation does not need to be applied to the target PIN;
Item E-2: at least one first target device requires the first operation or does not require the first operation.
Here, the target PIN is one of the PINs created by the second terminal; the first target device is a device that needs to access, through the first terminal, the personal IoT network (PIN) or the mobile network where the third network function is located.
Item E-1 above means that the rule information can indicate per PIN whether the first operation needs to be performed, that is, the indication is given at PIN granularity.
Item E-2 above means that the rule information can also indicate per PINE whether the first operation needs to be performed, that is, the indication is given at PINE granularity.
After the second terminal (for example, a PIN Element with Management Capability (PEMC)) creates a PIN, it can notify the fifth network function (for example, an Application Function (AF)) that it has created a PIN, and indicate whether the first operation needs to be applied to that PIN and/or whether a PINE requires the first operation. The fifth network function then notifies the third network function (for example, the PCF) whether the first operation needs to be applied to that PIN and/or whether a PINE requires the first operation, and the third network function generates the rule information indicating item E-1 and/or item E-2 above.
Optionally, the first terminal sending the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information includes at least one of the following:
when the rule information indicates that the first device requires the first operation, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side;
when the rule information indicates that the first operation needs to be applied to the target PIN, and at least one of the following conditions H-1 to H-4 is met, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side:
Item H-1: the first non-access stratum NAS message and/or the first indication information is related to the target PIN;
Item H-2: the connection between the first terminal and the first device is related to the target PIN;
Item H-3: the first message sent by the first device and received by the first terminal is related to the target PIN;
Item H-4: the first device is related to the target PIN;
where the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, and communicating with the second network function;
the second network function is used to perform the first operation.
It can be understood that, when the rule information indicates that the first operation does not need to be applied to the target PIN, or when the above conditions H-1 to H-4 are not met, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side;
when the rule information indicates that the first device does not require the first operation, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side.
Mode 2: Optionally, the method further includes:
the first terminal receives configuration information sent by the second terminal;
the first terminal sending the first non-access stratum NAS message and/or the first indication information to the network side includes:
the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the configuration information.
It follows that the first terminal can send the first non-access stratum NAS message and/or the first indication information according to the configuration information sent by the second terminal (for example, the PEMC).
Optionally, the configuration information is used to indicate at least one of the following items F-1 to F-2:
Item F-1: the first operation needs to be applied to the target PIN, or the first operation does not need to be applied to the target PIN;
Item F-2: at least one second target device requires the first operation or does not require the first operation.
Here, the target PIN is one of the PINs created by the second terminal; the second target device is a device that needs to access the personal IoT network (PIN) or the mobile network through the first terminal.
Item F-1 above means that the configuration information can indicate per PIN whether the first operation needs to be performed, that is, the indication is given at PIN granularity.
Item F-2 above means that the configuration information can also indicate per PINE whether the first operation needs to be performed, that is, the indication is given at PINE granularity.
After creating a PIN, the second terminal may indicate to the first terminal whether the first operation needs to be applied to that PIN and/or whether a PINE requires the first operation.
Optionally, when the configuration information indicates that the first device requires the first operation, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side;
when the configuration information indicates that the first operation needs to be applied to the target PIN, and at least one of the following conditions L-1 to L-4 is met, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side:
Item L-1: the first non-access stratum NAS message and/or the first indication information is related to the target PIN;
Item L-2: the connection between the first terminal and the first device is related to the target PIN;
Item L-3: the first message sent by the first device and received by the first terminal is related to the target PIN;
Item L-4: the first device is related to the target PIN;
where the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, and communicating with the second network function;
the second network function is used to perform the first operation.
It can be understood that, when the configuration information indicates that the first operation does not need to be applied to the target PIN, or when the above conditions L-1 to L-4 are not met, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side;
when the configuration information indicates that the first device does not require the first operation, the first terminal does not send the first non-access stratum NAS message and/or the first indication information to the network side.
Mode 3: Optionally, the method further includes:
the first terminal receives rule information of the PIN sent by the network side;
the first terminal receives configuration information sent by the second terminal;
the first terminal sending the first non-access stratum NAS message and/or the first indication information to the network side includes:
the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information and the configuration information.
It follows that the first terminal can send the first non-access stratum NAS message and/or the first indication information according to both the rule information sent by the network side and the configuration information sent by the second terminal.
For what the rule information indicates, see Mode 1 above; for what the configuration information indicates, see Mode 2 above. That is, both the rule information and the configuration information can carry the PIN-granularity indication and the PINE-granularity indication described earlier.
Optionally, the first terminal sending the first non-access stratum NAS message and/or the first indication information to the network side according to the rule information and the configuration information includes:
sending the first non-access stratum NAS message and/or the first indication information to the network side according to whichever of the rule information and the configuration information has the higher, predetermined priority.
Here, when the rule information has the higher priority, the first non-access stratum NAS message and/or the first indication information is sent to the network side according to the rule information in the same way as in Mode 1; when the configuration information has the higher priority, the first non-access stratum NAS message and/or the first indication information is sent to the network side according to the configuration information in the same way as in Mode 2. The details are not repeated here.
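The decision the first terminal makes in Modes 1 to 3 can be sketched as follows; this is an added Python example, not part of the patent text. The `Policy` and `Context` structures and all identifiers are hypothetical, and two points the text leaves open are settled by assumption: an explicit per-device indication overrides the per-PIN one, and nothing is sent when neither rule nor configuration information is available.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Source(Enum):
    RULE = "rule information from the network side (Mode 1)"
    CONFIG = "configuration information from the second terminal (Mode 2)"


@dataclass(frozen=True)
class Policy:
    """Hypothetical container for items E-1/E-2 (rule) or F-1/F-2 (config)."""
    pin_requires: Dict[str, bool] = field(default_factory=dict)     # PIN granularity
    device_requires: Dict[str, bool] = field(default_factory=dict)  # PINE granularity


@dataclass(frozen=True)
class Context:
    """What the first terminal knows about the first device at decision time."""
    device_id: str
    nas_pin: Optional[str] = None            # H-1 / L-1: PIN the NAS message relates to
    connection_pin: Optional[str] = None     # H-2 / L-2: PIN the connection relates to
    first_message_pin: Optional[str] = None  # H-3 / L-3: PIN the first message relates to
    device_pin: Optional[str] = None         # H-4 / L-4: PIN the device relates to

    def related_pins(self) -> Set[str]:
        pins = (self.nas_pin, self.connection_pin,
                self.first_message_pin, self.device_pin)
        return {p for p in pins if p is not None}


def evaluate(policy: Policy, ctx: Context) -> Tuple[bool, str]:
    """Apply one policy (Mode 1 or Mode 2) and return (send?, reason)."""
    per_device = policy.device_requires.get(ctx.device_id)
    # Assumption: a per-device indication wins over a per-PIN indication.
    if per_device is True:
        return True, "device requires the first operation"
    if per_device is False:
        return False, "device does not require the first operation"
    # PIN granularity: the target PIN must require the operation AND at least
    # one of the four relations (H-1..H-4 / L-1..L-4) must point at that PIN.
    for pin in sorted(ctx.related_pins()):
        if policy.pin_requires.get(pin) is True:
            return True, f"target PIN {pin} requires the first operation"
    return False, "no indication requires the first operation"


def should_send(ctx: Context,
                rule: Optional[Policy] = None,
                config: Optional[Policy] = None,
                higher_priority: Source = Source.RULE) -> Tuple[bool, str]:
    """Decide whether to send the first NAS message / first indication information."""
    if rule is not None and config is not None:
        # Mode 3: only the predetermined higher-priority source is consulted.
        src = higher_priority
        chosen = rule if src is Source.RULE else config
    elif rule is not None:
        src, chosen = Source.RULE, rule        # Mode 1
    elif config is not None:
        src, chosen = Source.CONFIG, config    # Mode 2
    else:
        # Assumption: with no policy at all, the terminal does not trigger.
        return False, "no rule or configuration information received"
    send, why = evaluate(chosen, ctx)
    return send, f"{src.name}: {why}"


# Constructed sample policies (identifiers are made up for illustration).
RULE = Policy(pin_requires={"pin-home": True, "pin-guest": False},
              device_requires={"pine-lock": True})
CONFIG = Policy(pin_requires={"pin-home": False},
                device_requires={"pine-bulb": False})

if __name__ == "__main__":
    cam = Context("pine-cam", connection_pin="pin-home")
    for prio in (Source.RULE, Source.CONFIG):
        print(prio.name, should_send(cam, RULE, CONFIG, higher_priority=prio))
```

With both sources present, the same device on the same PIN gets opposite outcomes depending on which source has priority, so the priority setting itself determines whether authentication is triggered.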
Optionally, the method further includes:
when the second indication information indicates that the first operation succeeded, the first terminal sends information of the first device to the network side.
It follows that, when the network side performs the first operation successfully, the first terminal can also send the information of the first device to the network side (for example, to the first network function).
The information of the first device may include address information of the first device (for example, an IP address).
In a second aspect, an embodiment of the present application provides an operation execution method. As shown in FIG. 3, the method may include the following steps 301 and/or 302 and 303:
Step 301: The first network function sends fifth indication information to the first terminal.
The fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the mobile network where the first network function is located;
allowing or not allowing the first operation to be performed through the user plane of the mobile network where the first network function is located.
Optionally, before step 301, the method further includes:
the first network function interacts with the first terminal to establish a PDU session;
step 301, "the first network function sends fifth indication information to the first terminal", includes:
the first network function sends a PDU session establishment/modification confirmation message to the first terminal, and the PDU session establishment/modification confirmation message carries the fifth indication information.
That is, the first network function may carry the fifth indication information in a PDU session establishment/modification confirmation message and send it to the first terminal.
Step 302: The first network function receives a first non-access stratum NAS message and/or first indication information sent by the first terminal.
The first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization.
Here, the first terminal can send the first non-access stratum NAS message and/or the first indication information to the first network function. The first terminal may be, for example, a terminal with gateway capability, that is, a gateway terminal (PIN Element with Gateway Capability, PEGC); the first network function may be, for example, a Session Management Function (SMF) or an Access and Mobility Management Function (AMF).
In addition, the first non-access stratum NAS message is used to indicate the first operation, and the first indication information is used to indicate the first operation. It follows that, in the embodiments of the present application, the first terminal can send the first non-access stratum NAS message to the network side (for example, the first network function above) to instruct the network side to perform the first operation (that is, a NAS message triggers the network side to perform the first operation); or it can send the first indication information to the network side to instruct the network side to perform the first operation (that is, a piece of indication information instructs the network-side device to perform the first operation); or it can send both the first NAS message and the first indication information to the network side to instruct the network side to perform the first operation (that is, a NAS message together with a piece of indication information instructs the network side to perform the first operation). Here, the first NAS message and the first indication information may be independent of each other, or the first indication information may be carried in the first NAS message.
In addition, the first operation includes at least one of the following:
Authentication, certification (attestation/identification), and authorization.
Step 303: In response to the first non-access stratum NAS message and/or the first indication information, the first network function performs at least one of the following:
sending fifth indication information to the first terminal;
instructing a second network function and the first terminal to perform the first operation.
As can be seen from the foregoing, the first network function may, after receiving the PDU session establishment/modification request message sent by the first terminal, carry the fifth indication information in the PDU session establishment/modification confirmation message sent to the first terminal, to inform the first terminal whether it allows the first operation; it may also send the fifth indication information to the first terminal after receiving the first non-access stratum NAS message and/or the first indication information sent by the first terminal, to inform the first terminal whether it allows the first operation.
It can be seen from steps 301 to 302 above that, in the embodiments of the present application, the first network function can receive the first non-access stratum NAS message and/or the first indication information sent by the first terminal and, in response to the first non-access stratum NAS message and/or the first indication information, send fifth indication information to the first terminal and/or instruct the second network function and the first terminal to perform the first operation; and/or the first network function sends fifth indication information to the first terminal. Here, the first non-access stratum NAS message is used to indicate the first operation, the first indication information is used to indicate the first operation, the first operation includes at least one of authentication, certification, and authorization, and the fifth indication information is used to indicate at least one of the following:
allowing or not allowing the first operation;
allowing or not allowing the first operation to be performed through the control plane of the mobile network where the first network function is located;
allowing or not allowing the first operation to be performed through the user plane of the mobile network where the first network function is located.
It can thus be seen that the first terminal can instruct the network side to perform at least one of authentication, certification, and authorization by sending the first non-access stratum NAS message, or by sending the first indication information, or by sending both the first NAS message and the first indication information; it can also receive the fifth indication information sent by the network side. Therefore, the operation execution method of the embodiments of the present application can be used to perform at least one of authentication, certification, and authorization on the devices in a PIN, thereby improving the security of access to the PIN.
Optionally, when the first network function instructs the second network function and the first terminal to perform the first operation, the method further includes:
the first network function receives third indication information sent by the second network function, where the third indication information is used to indicate the result of the first operation;
the first network function sends second indication information to the first terminal according to the third indication information, where the second indication information is used to indicate the result of the first operation.
Here the second network function is used to perform the first operation. After the second network function has performed the first operation, it can return to the first network function the third indication information indicating the result of the first operation, and the first network function then returns to the first terminal, according to the third indication information, the second indication information indicating the result of the first operation.
It should be noted that the first terminal may also fall under Case 1 or Case 2 below:
Case 1: The first terminal also has the function of a personal Internet of Things device (PIN Element, PINE) as well as gateway capability, that is, the PEGC and the PINE can be combined into one device.
Case 2: The first terminal does not have the PINE capability; for example, the first terminal has only gateway capability, that is, the PEGC and the PINE are separate devices.
可选地,在上述情况一中,在上述步骤302所述第一网络功能接收第一终端发送的第一非接入层NAS消息和/或第一指示信息之前,所述方法还包括: Optionally, in the above situation 1, before the first network function receives the first non-access layer NAS message and/or the first indication information sent by the first terminal in the above step 302, the method further includes:
所述第一网络功能与所述第一终端交互以建立协议数据单元PDU会话。The first network function interacts with the first terminal to establish a protocol data unit (PDU) session.
即PEGC与PINE合并设置而成的第一终端,在向网络侧发送第一非接入层NAS消息和/或第一指示信息之前,还可以与网络侧建立PDU会话。That is, the first terminal formed by combining PEGC and PINE can also establish a PDU session with the network side before sending the first non-access layer NAS message and/or the first indication information to the network side.
其中,第一终端向网络侧发送第一非接入层NAS消息和/或第一指示信息之前,若建立PDU会话,则后续第一终端可以利用后续PDU会话的修改流程来向网络侧发送第一非接入层NAS消息。Among them, before the first terminal sends the first non-access layer NAS message and/or the first indication information to the network side, if a PDU session is established, the first terminal can subsequently use the modification process of the subsequent PDU session to send the first non-access layer NAS message to the network side.
可选地,所述第一非接入层NAS消息为PDU会话修改请求。即在前述情况一中,第一终端可以将PDU修改请求作为第一NAS消息,发送给网络侧,以触发网络侧执行第一操作。Optionally, the first non-access layer NAS message is a PDU session modification request. That is, in the aforementioned situation 1, the first terminal can send the PDU modification request as the first NAS message to the network side to trigger the network side to perform the first operation.
Optionally, the first indication information includes at least one of the following items A-1 to A-3:
Item A-1: an indication used to instruct that the first operation be performed;
Item A-2: information of the first terminal;
Item A-3: information of a second network function, wherein the second network function is used to perform the first operation.
For explanations of items A-1 to A-3, see the description above; they are not repeated here.
Optionally, in Case 2 above, the first indication information includes at least one of the following items B-1 to B-4:
Item B-1: an indication used to instruct that the first operation be performed;
Item B-2: information of the first device;
Item B-3: information of the first terminal;
Item B-4: information of a second network function, wherein the second network function is used to perform the first operation.
For explanations of items B-1 to B-4, see the description above; they are not repeated here.
Optionally, the first NAS message is a PDU session modification request or a PDU session establishment request. That is, in Case 2 above, the first terminal can send a PDU modification request or a PDU session establishment request to the network side as the first NAS message, to trigger the network side to perform the first operation.
Optionally, the first network function sending second indication information to the first terminal according to the third indication information includes:
The first network function sends a second NAS message to the first terminal according to the third indication information, wherein the second NAS message carries the second indication information.
That is, the first network function may carry the second indication information, which indicates the result of performing the first operation, in the second NAS message and send it to the first terminal.
Optionally, the second indication information satisfies at least one of the following items D-1 to D-2:
Item D-1: the result of the first operation is indicated by the identifier or name of the second NAS message;
Item D-2: the result of the first operation is indicated by a cause value.
Item D-1 above means that different identifiers or names of the second NAS message indicate different results of the first operation.
Optionally, indicating the result of the first operation by the identifier or name of the second NAS message includes at least one of the following:
indicating that the first operation succeeded by a PDU session modification confirmation message or a PDU session establishment confirmation message;
indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject message.
That is, if the second NAS message sent by the network side to the first terminal is a PDU session modification confirmation message or a PDU session establishment confirmation message, the first operation succeeded; if the second NAS message sent by the network side to the first terminal is a PDU session modification reject message or a PDU session establishment reject message, the first operation failed.
That is, when the network side performs the first operation successfully, it returns a PDU session modification confirmation message or a PDU session establishment confirmation message to the first terminal; when the network side fails to perform the first operation, it returns a PDU session modification reject message or a PDU session establishment reject message to the first terminal.
Item D-2 above means that different results of the first operation are explicitly indicated by a cause value.
Optionally, indicating the result of the first operation by a cause value includes at least one of the following indications:
a failure cause value and/or a failure indication, used to indicate that the first operation failed;
a success cause value and/or a success indication, used to indicate that the first operation succeeded;
where the second NAS message does not include the failure cause value and/or failure indication, indicating that the first operation succeeded;
where the second NAS message does not include the success cause value and/or success indication, indicating that the first operation failed.
That is, if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, the first operation failed; if the second NAS message sent by the network side does not include a failure cause value and/or a failure indication, the first operation succeeded.
Alternatively, if the second NAS message sent by the network side includes a success cause value and/or a success indication, the first operation succeeded; if the second NAS message sent by the network side does not include a success cause value and/or a success indication, the first operation failed.
Alternatively, if the second NAS message sent by the network side includes a failure cause value and/or a failure indication, the first operation failed; if the second NAS message sent by the network side includes a success cause value and/or a success indication, the first operation succeeded.
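The following Python sketch is an added example, not code from the application: it shows how a terminal could read the result of the first operation from the second NAS message under items D-1 and D-2, and why both sides must agree on the cause-value convention, since a message with no marker reads as success under one convention and as failure under another. The message names, the marker fields, and the rule that contradictory input is treated as failure are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    UNDETERMINED = "undetermined"


class CauseConvention(Enum):
    FAILURE_MARKED = 1  # failure carries a marker; no marker means success
    SUCCESS_MARKED = 2  # success carries a marker; no marker means failure
    BOTH_MARKED = 3     # each outcome carries its own marker


# Hypothetical names standing in for the confirmation and reject messages.
SUCCESS_NAMES = {"PDU_SESSION_MODIFICATION_CONFIRM",
                 "PDU_SESSION_ESTABLISHMENT_CONFIRM"}
FAILURE_NAMES = {"PDU_SESSION_MODIFICATION_REJECT",
                 "PDU_SESSION_ESTABLISHMENT_REJECT"}


@dataclass(frozen=True)
class SecondNasMessage:
    name: str
    failure_marker: bool = False  # failure cause value and/or failure indication
    success_marker: bool = False  # success cause value and/or success indication


def result_by_name(msg: SecondNasMessage) -> Result:
    """Item D-1: the message identifier or name carries the result."""
    if msg.name in SUCCESS_NAMES:
        return Result.SUCCESS
    if msg.name in FAILURE_NAMES:
        return Result.FAILURE
    return Result.UNDETERMINED


def result_by_cause(msg: SecondNasMessage, convention: CauseConvention) -> Result:
    """Item D-2: a cause value or indication carries the result."""
    if msg.failure_marker:
        # Also covers a message carrying both markers: treated as failure
        # (assumption), because the result gates access to the PIN.
        return Result.FAILURE
    if msg.success_marker:
        return Result.SUCCESS
    # No marker at all: only the agreed convention can decide.
    if convention is CauseConvention.FAILURE_MARKED:
        return Result.SUCCESS
    if convention is CauseConvention.SUCCESS_MARKED:
        return Result.FAILURE
    return Result.UNDETERMINED


def first_operation_result(msg: SecondNasMessage, use_name: bool,
                           convention: Optional[CauseConvention]) -> Result:
    """Combine whichever of D-1 and D-2 are in use.

    Assumption: any failure verdict wins, and an unreadable item leaves the
    overall result undetermined rather than successful.
    """
    verdicts = []
    if use_name:
        verdicts.append(result_by_name(msg))
    if convention is not None:
        verdicts.append(result_by_cause(msg, convention))
    if Result.FAILURE in verdicts:
        return Result.FAILURE
    if not verdicts or Result.UNDETERMINED in verdicts:
        return Result.UNDETERMINED
    return Result.SUCCESS


# Constructed sample: a confirmation message that carries no cause marker.
BARE_CONFIRM = SecondNasMessage("PDU_SESSION_MODIFICATION_CONFIRM")
```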
Optionally, the method further includes at least one of the following:
The first network function receives a second message forwarded by the first terminal on behalf of the first device;
The first network function sends a third message to the first terminal, so that the first terminal forwards the third message to the first device;
wherein the second message and the third message are each messages involved in performing the first operation; that is, they are messages that the first device and the network side need to exchange when the first operation is performed.
It follows that, while the first network function performs the first operation, the first terminal can also forward the exchanged messages between the first device and the first network function.
For example, if the first network function needs to request the identification information of the first device during execution of the first process, the first network function may send to the first terminal a second message requesting the identification information of the first device, so that the first terminal sends the second message to the first device; the first device then returns to the first terminal a third message carrying the identification information of the first device, and the first terminal returns the third message to the first network function.
Optionally, in step 303 above, the first network function instructing the second network function to perform the first operation includes:
The first network function sends identification information of the first device to the second network function, to instruct the second network function to perform the first operation.
Optionally, the first network function instructing, in response to the first NAS message, the second network function and the first terminal to perform the first operation includes at least one of the following items V-1 to V-5:
Item V-1: the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first NAS message;
Item V-2: the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first NAS message and first association information between PDU session related information and a PIN instance or session;
Item V-3: the first network function instructs the second network function and the first terminal to perform the first operation based on the PIN instance or session related information in the first NAS message;
Item V-4: the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information and the PIN service indication information in the first NAS message;
Item V-5: the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first NAS message and second association information between PDU session related information and the PIN service.
Item V-1 above means that if the PDU session related information in the first NAS message is specific information, the first network function instructs the second network function and the first terminal to perform the first operation; otherwise it does not. Here, the PDU session related information may include at least one of a PDU session identifier, a data network name (DNN), and single network slice selection assistance information (S-NSSAI). For example, when the PDU session identifier in the first NAS message is the same as the specific identifier, the first network function instructs the second network function and the first terminal to perform the first operation.
Item V-2 above means that if the first association information contains a PIN instance or session corresponding to the PDU session related information in the first NAS message, the first network function instructs the second network function and the first terminal to perform the first operation; otherwise it does not. Here, the PDU session related information may include at least one of a PDU session identifier, a DNN, and an S-NSSAI. For example, when the first association information contains a PIN instance or session corresponding to the PDU session identifier in the first NAS message, the first network function instructs the second network function and the first terminal to perform the first operation.
Item V-3 above means that if the first NAS message includes PIN instance or session related information, the first network function instructs the second network function and the first terminal to perform the first operation; otherwise it does not. Here, the PIN instance or session related information may include a PIN instance or session identifier.
Item V-4 above means that if the first NAS message contains indication information indicating that the PDU session related information is related to the PIN service (that is, related to the PIN service rather than to other services such as telephone service or video service), the first network function instructs the second network function and the first terminal to perform the first operation; otherwise it does not. Here, the PDU session related information may include at least one of a PDU session identifier, a DNN, and an S-NSSAI.
Item V-5 above means that if the second association information indicates that the PDU session related information in the first NAS message is related to the PIN service (that is, related to the PIN service rather than to other services such as telephone service or video service), the first network function instructs the second network function and the first terminal to perform the first operation; otherwise it does not. Here, the PDU session related information may include at least one of a PDU session identifier, a DNN, and an S-NSSAI. For example, when the second association information contains a PIN service corresponding to the PDU session identifier in the first NAS message, the first network function instructs the second network function and the first terminal to perform the first operation.
It can be understood that the first network function may also instruct the second network function and the first terminal to perform the first operation according to information about the device that sent the received first NAS message. For example, when the first NAS message is sent by a device with gateway capability (that is, when the first terminal is a terminal with gateway capability), the first network function instructs the second network function and the first terminal to perform the first operation; when the first NAS message is not sent by a device with gateway capability (that is, when the first terminal is not a terminal with gateway capability), the first network function does not instruct the second network function and the first terminal to perform the first operation.
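The following Python sketch is an added example, not code from the application: it models the decision the first network function makes on a received first NAS message, reporting which of items V-1 to V-5 and the sender check would cause it to start the first operation. The field names, the sample DNN, S-NSSAI and PIN identifier, the treatment of unset pattern fields as wildcards, and the rule that any enabled item firing is sufficient are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class PduInfo:
    """PDU session related information: any subset of the three fields."""
    session_id: Optional[int] = None
    dnn: Optional[str] = None
    s_nssai: Optional[str] = None

    def matches(self, other: "PduInfo") -> bool:
        """True if every field set in this pattern equals the one in `other`."""
        pairs = [(self.session_id, other.session_id),
                 (self.dnn, other.dnn),
                 (self.s_nssai, other.s_nssai)]
        constrained = [(p, o) for p, o in pairs if p is not None]
        # A pattern with no field set matches nothing, so an empty policy
        # entry cannot switch the check on for every session.
        return bool(constrained) and all(p == o for p, o in constrained)


@dataclass(frozen=True)
class FirstNasMessage:
    pdu: PduInfo
    pin_id: Optional[str] = None           # PIN instance or session identifier
    pin_service_indication: bool = False   # "this PDU info relates to the PIN service"
    sender_has_gateway_capability: bool = False


@dataclass(frozen=True)
class Policy:
    specific_pdu: Tuple[PduInfo, ...] = ()                   # V-1: specific information
    first_association: Tuple[Tuple[PduInfo, str], ...] = ()  # V-2: PDU info -> PIN instance
    second_association: Tuple[PduInfo, ...] = ()             # V-5: PDU info tied to PIN service


ALL_ITEMS: FrozenSet[str] = frozenset({"V-1", "V-2", "V-3", "V-4", "V-5", "SENDER"})


def fired_items(msg: FirstNasMessage, policy: Policy) -> Set[str]:
    """Return the items whose condition the message satisfies."""
    fired: Set[str] = set()
    if any(p.matches(msg.pdu) for p in policy.specific_pdu):
        fired.add("V-1")
    if any(p.matches(msg.pdu) for p, _pin in policy.first_association):
        fired.add("V-2")
    if msg.pin_id:
        fired.add("V-3")
    # V-4 needs both the indication and some PDU session information.
    if msg.pin_service_indication and msg.pdu != PduInfo():
        fired.add("V-4")
    if any(p.matches(msg.pdu) for p in policy.second_association):
        fired.add("V-5")
    if msg.sender_has_gateway_capability:
        fired.add("SENDER")
    return fired


def should_trigger(msg: FirstNasMessage, policy: Policy,
                   enabled: Iterable[str]) -> bool:
    """Start the first operation if any enabled item fires (assumption)."""
    return bool(fired_items(msg, policy) & set(enabled))


# Constructed sample policy; the values are placeholders, not from the page.
SAMPLE_POLICY = Policy(
    specific_pdu=(PduInfo(dnn="pin.example"),),
    first_association=((PduInfo(session_id=5), "pin-A"),),
    second_association=(PduInfo(s_nssai="01-000001"),),
)
```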
Optionally, the method further includes:
The first network function learns at least one of the following from a third network function:
the first association information;
the second association information.
Here, the third network function may be a PCF or a UDM.
Optionally, the method further includes:
When the second indication information indicates that the first operation succeeded, the first network function receives information of the first device sent by the first terminal;
wherein the first device is a device that needs to access the PIN, or the network where the first network function is located, through the first terminal.
It follows that, when the network side performs the first operation successfully, the first terminal can also send the information of the first device to the network side (for example, to the first network function).
The information of the first device may include address information of the first device (for example, an IP address).
Optionally, the method further includes:
When the first network function learns a packet filtering rule and the packet filtering rule is related to the first device, the first network function uses the packet filtering rule to configure a fourth network function.
Here, the fourth network function may be, for example, a User Plane Function (UPF).
In a third aspect, an embodiment of the present application further provides an operation execution method. As shown in FIG. 4, the method includes the following step 401:
Step 401: A third network function performs a second operation.
The second operation includes at least one of the following:
The third network function sends rule information to a first terminal;
The third network function sends protocol data unit (PDU) session configuration information to a first network function.
Here, the third network function may be, for example, a PCF or a UDM.
Optionally, the rule information is used to indicate at least one of the following:
a first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the first target device is a device that needs to access the personal Internet of Things network (PIN), or the mobile network where the third network function is located, through the first terminal.
Optionally, the PDU session configuration information includes at least one of the following:
first association information between PDU session related information and a PIN instance or session;
second association information between PDU session related information and the PIN service.
After receiving the rule information, the first terminal can send a first NAS message and/or first indication information to the first network function according to the rule information; for the specific manner of sending, see the description above, which is not repeated here.
After receiving the PDU session configuration information, the first network function can instruct the second network function and the first terminal to perform the first operation according to the PDU session configuration information (that is, the first association information and/or the second association information); for the specific implementation, see the description above, which is not repeated here.
Optionally, before the third network function performs the second operation, the method further includes:
The third network function learns fourth indication information, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
The third network function performing the second operation includes:
The third network function performs the second operation according to the fourth indication information.
Optionally, the third network function learning the fourth indication information includes:
The third network function receives the fourth indication information sent by a fifth network function.
Here, the fifth network function may be an AF.
After a second terminal (for example, a management terminal, PIN Element with Management Capability, PEMC) creates a PIN, it can notify the fifth network function (for example, an Application Function, AF) that it has created a PIN and indicate that the first operation needs to be applied to that PIN; the fifth network function then sends the fourth indication information to the third network function, which triggers the third network function to perform the second operation.
In a fourth aspect, an embodiment of the present application further provides an operation execution method. As shown in FIG. 5, the method may include the following step 501:
Step 501: A second terminal sends configuration information to a first terminal in a personal Internet of Things network (PIN).
Here, the second terminal may be, for example, a PEMC, and the first terminal may be, for example, a PEGC.
Optionally, the configuration information is used to indicate at least one of the following:
a first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one second target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the second target device is a device that needs to access the PIN or a mobile network through the first terminal.
In addition, after receiving the configuration information, the first terminal can send a first NAS message and/or first indication information to the first network function according to the configuration information; for the specific manner of sending, see the description above, which is not repeated here.
In a fifth aspect, an embodiment of the present application further provides an operation execution method. As shown in FIG. 6, the method may include the following step 601:
Step 601: A fifth network function sends fourth indication information to a third network function.
Here, the fifth network function may be an AF.
The fourth indication information is used to instruct the third network function to perform a second operation;
The second operation includes at least one of the following:
The third network function sends rule information to a first terminal;
The third network function sends protocol data unit (PDU) session configuration information to a first network function.
Optionally, the rule information is used to indicate at least one of the following:
a first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the first target device is a device that needs to access the personal Internet of Things network (PIN), or the mobile network where the third network function is located, through the first terminal.
Optionally, the PDU session configuration information includes at least one of the following:
first association information between PDU session related information and a PIN instance or session;
second association information between PDU session related information and the PIN service.
After receiving the rule information, the first terminal can send a first NAS message and/or first indication information to the first network function according to the rule information; for the specific manner of sending, see the description above, which is not repeated here.
After receiving the PDU session configuration information, the first network function can instruct the second network function and the first terminal to perform the first operation according to the PDU session configuration information (that is, the first association information and/or the second association information); for the specific implementation, see the description above, which is not repeated here.
In summary, specific implementations of the operation execution method of the embodiments of the present application may be as described in Implementation 1 or Implementation 2 below.
Implementation 1: As shown in FIG. 7, it includes the following steps 71 to 716 (described taking as an example the case where the first operation described above includes authentication and/or authorization).
Step 71: The PEMC creates a PIN, may notify the AF that a PIN has been created, and may indicate whether accessing the PIN requires authentication and/or authorization assisted by the 5G core network.
The PEMC may ask a PINE for device information (for example, when the PINE accesses the PIN) to learn whether the PINE has a credential, so that, when a PINE that has a credential is added to a PIN, the PEMC indicates to the AF that this PINE requires authentication and/or authorization assisted by the 5G core network. Here, the credential is the authentication information.
Step 72: The AF may notify the PCF, directly or through the NEF, whether the PIN requires authentication and/or authorization assisted by the 5G core network.
Step 73: After learning whether the PIN requires authentication and/or authorization assisted by the 5G core network, the PCF generates rule information and sends the rule information through the AMF to each PEGC in the PIN.
The rule information is used to indicate whether accessing the PIN requires authentication and/or authorization assisted by the 5G core network.
Step 74: A first PINE connects to the PEGC to access the PIN (for example, the first PINE sends a connection request to the PEGC).
Step 75: If the rule information obtained by the PEGC indicates that the PIN requires authentication and/or authorization assisted by the 5G core network, the PEGC obtains configuration information from the PEMC, wherein the configuration information is used to indicate whether at least one PINE requires authentication and/or authorization assisted by the 5G core network.
Step 76: If the configuration information indicates that the first PINE requires authentication and/or authorization assisted by the 5G core network, the PEGC sends a first NAS message to the SMF, wherein the first NAS message carries an indication used to instruct that authentication and/or authorization be performed; if the configuration information indicates that the first PINE does not require authentication and/or authorization assisted by the core network, the PEGC does not send the first NAS message to the SMF.
The first NAS message may be a PDU Session Modification Request or a PDU Session Establishment Request.
Step 77: If the SMF receives the first NAS message, it determines, according to the relevant information of the first NAS message, whether the first PINE needs to be authenticated and/or authorized, and, on determining whether the first PINE needs to be authenticated and/or authorized, executes the following step 78;
The relevant information of the first NAS message includes at least one of the following:
PDU session related information in the first NAS message (for example, PDU session identifier, DNN, S-NSSAI);
first association information between PDU session related information and a PIN instance or session;
PIN instance or session related information in the first NAS message (for example, a PIN identifier);
PDU session related information and PIN service indication information in the first NAS message (that is, an indication that the PDU session related information in the first NAS message is related to the PIN service);
second association information between PDU session related information and the PIN service;
information of the device that sent the first NAS message.
Step 78: The SMF sends a first EAP message to the PEGC, and the PEGC forwards the first EAP message to the PINE, wherein the first EAP message is used to request the ID of the PINE; the first EAP message may be an EAP Identity in an EAP Request;
步骤79:PINE向PEGC发送第二EAP消息,从而由PEGC将第一EAP消息转发给SMF,其中,第二EAP消息携带有PINE的ID;第二EAP消息可以为EAP响应(EAP Response)中的EAP标识(EAP Identity);Step 79: PINE sends a second EAP message to PEGC, so that PEGC forwards the first EAP message to SMF, wherein the second EAP message carries the ID of PINE; the second EAP message may be an EAP identity in an EAP response (EAP Response);
步骤710:SMF向外部数据网络认证授权中心(AAA)发送第二EAP消息。Step 710: SMF sends a second EAP message to the external data network authentication authority (AAA).
步骤711:AAA与PINE间通过SMF、UPF、以及PEGC交互EAP消息(例如EAP Request、EAP Response)完成认证和/或授权过程。Step 711: AAA and PINE exchange EAP messages (such as EAP Request, EAP Response) through SMF, UPF, and PEGC to complete the authentication and/or authorization process.
步骤712:如果认证和/或授权成功,AAA(例如通过UPF)向SMF发送EAP成功(EAP-Success消息)。Step 712: If the authentication and/or authorization is successful, AAA (eg, through UPF) sends an EAP success (EAP-Success message) to SMF.
步骤713:如果SMF收到EAP-Success消息,则SMF向PEGC发送PDU会话建立确认(PDU Session Establishment Ack)或PDU会话修改确认(PDU Session Modification Ack),否则发送PDU会话建立拒绝(PDU Session Establishment Reject)或PDU会话修改拒绝(PDU Session Modification Reject)。Step 713: If SMF receives the EAP-Success message, SMF sends a PDU session establishment acknowledgment (PDU Session Establishment Ack) or a PDU session modification acknowledgment (PDU Session Modification Ack) to PEGC, otherwise it sends a PDU session establishment reject (PDU Session Establishment Reject) or a PDU session modification reject (PDU Session Modification Reject).
其中,上述PDU Session Establishment Ack或PDU Session Modification Ack中还可以携带认证和/或授权成功的指示、认证和/或授权成功的原因值中的至少一项;Wherein, the above-mentioned PDU Session Establishment Ack or PDU Session Modification Ack may also carry at least one of the indication of successful authentication and/or authorization and the reason value of successful authentication and/or authorization;
上述PDU Session Establishment Reject或PDU Session Modification Reject中还可以携带认证和/或授权失败的指示、认证和/或授权失败的原因值中的至少一项。The above-mentioned PDU Session Establishment Reject or PDU Session Modification Reject may also carry at least one of the indication of authentication and/or authorization failure and the reason value of authentication and/or authorization failure.
步骤714:如果PEGC收到PDU Session Establishment Ack或PDU Session Modification Ack,则PEGC允许第一PINE连接以访问该PIN,否则PEGC拒绝第一PINE的连接。Step 714: If the PEGC receives a PDU Session Establishment Ack or a PDU Session Modification Ack, the PEGC allows the first PINE to connect to access the PIN, otherwise the PEGC rejects the connection of the first PINE.
步骤715:如果PEGC收到PDU Session Establishment Ack或PDU Session Modification Ack,则PEGC还可以发送第一PINE的IP地址给SMF。Step 715: If PEGC receives PDU Session Establishment Ack or PDU Session Modification Ack, PEGC can also send the IP address of the first PINE to SMF.
步骤716:SMF可以基于收到的第一PINE的IP地址对PIN的通信配置(包含报文过滤规则)进行授权,比如接受与第一PINE相关的报文过滤规则(即接受含该PINE IP地址的报文过滤规则)。Step 716: SMF can authorize the communication configuration of the PIN (including message filtering rules) based on the received IP address of the first PINE, such as accepting the message filtering rules related to the first PINE (i.e., accepting the message filtering rules containing the IP address of the PINE).
其中,在该实施方式中,SMF也可以用AMF代替,UPF也可以用认证服务功能(AUSF)代替;或者改实施方式中也可以不涉及UPF或AUSF。In this implementation, SMF may be replaced by AMF, and UPF may be replaced by authentication service function (AUSF); or UPF or AUSF may not be involved in this implementation.
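The PEGC's gating decisions in steps 73 to 76 and 713 to 714 can be modelled as below; this is an added example, not code from the application. The class and PINE names are hypothetical, and three behaviours are assumptions the text does not state: a PINE missing from the configuration information is treated as requiring the core-assisted check, a reply that matches no outstanding request never admits a PINE, and a PINE that needs no core-assisted check is left to local policy.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Nas(Enum):
    """NAS replies the SMF can send to the PEGC in step 713."""
    ESTABLISHMENT_ACK = "PDU Session Establishment Ack"
    MODIFICATION_ACK = "PDU Session Modification Ack"
    ESTABLISHMENT_REJECT = "PDU Session Establishment Reject"
    MODIFICATION_REJECT = "PDU Session Modification Reject"


class Decision(Enum):
    SEND_FIRST_NAS = "send first NAS message to SMF"       # step 76
    NO_CORE_AUTH = "no first NAS message; local policy"    # assumption
    ADMIT = "allow the PINE to connect"                    # step 714
    REJECT = "reject the PINE's connection"                # step 714


ACKS = frozenset({Nas.ESTABLISHMENT_ACK, Nas.MODIFICATION_ACK})


@dataclass
class PegcGate:
    # Rule information from the PCF via the AMF (step 73).
    pin_requires_core_auth: bool
    # Configuration information from the PEMC (step 75): PINE id -> required?
    pine_requires_core_auth: Dict[str, bool]
    pending: Set[str] = field(default_factory=set)
    admitted: Set[str] = field(default_factory=set)

    def on_connect(self, pine_id: str) -> Decision:
        """Steps 74 to 76: decide whether the first NAS message is sent."""
        if not self.pin_requires_core_auth:
            return Decision.NO_CORE_AUTH
        # Assumption: an unlisted PINE is treated as requiring the check,
        # so a gap in the configuration cannot be used to skip it.
        if self.pine_requires_core_auth.get(pine_id, True):
            self.pending.add(pine_id)
            return Decision.SEND_FIRST_NAS
        return Decision.NO_CORE_AUTH

    def on_nas_reply(self, pine_id: str, reply: Optional[Nas]) -> Decision:
        """Step 714: admit only on an Ack that answers a pending request."""
        if pine_id not in self.pending:
            # Assumption: unsolicited or replayed replies never admit.
            return Decision.REJECT
        self.pending.discard(pine_id)
        if reply in ACKS:
            self.admitted.add(pine_id)
            return Decision.ADMIT
        # Reject messages and a missing reply (None, e.g. timeout) fail closed.
        return Decision.REJECT


def run_constructed_scenario() -> dict:
    """Constructed sample: one PIN, three PINEs, labelled ids."""
    gate = PegcGate(
        pin_requires_core_auth=True,
        pine_requires_core_auth={"pine-camera": True, "pine-lamp": False},
    )
    return {
        "camera_connect": gate.on_connect("pine-camera"),
        "lamp_connect": gate.on_connect("pine-lamp"),
        "unlisted_connect": gate.on_connect("pine-unlisted"),
        "camera_ack": gate.on_nas_reply("pine-camera", Nas.MODIFICATION_ACK),
        "unlisted_reject": gate.on_nas_reply("pine-unlisted", Nas.MODIFICATION_REJECT),
        "lamp_unsolicited_ack": gate.on_nas_reply("pine-lamp", Nas.ESTABLISHMENT_ACK),
        "camera_replayed_ack": gate.on_nas_reply("pine-camera", Nas.MODIFICATION_ACK),
        "admitted": sorted(gate.admitted),
    }


if __name__ == "__main__":
    for step, outcome in run_constructed_scenario().items():
        print(step, "->", outcome)
```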
Implementation 2: as shown in FIG. 8, includes the following steps 81 to 811.
Step 81: The PEGC establishes a PDU session by initiating a PDU Session Establishment Request.
Step 82: The SMF returns a PDU Session Establishment Ack message carrying fifth indication information; the first operation includes at least one of authentication, certification, and authorization.
The fifth indication information indicates at least one of the following:
the first operation is allowed or not allowed;
performing the first operation through the control plane of the mobile network where the SMF is located is allowed or not allowed;
performing the first operation through the user plane of the mobile network where the SMF is located is allowed or not allowed.
Step 83: The first PINE connects to the PEGC to access the PIN (e.g., the first PINE sends a connection request to the PEGC).
Step 84: The PEMC creates a PIN and may notify the AF that a PIN has been created. The PEMC may send a Communication Request message to the PEGC, indicating to the PEGC that one or more PINEs need to perform the first operation.
If the fifth indication information in step 82 indicates that the first operation is not allowed, or that performing an operation through the control plane of the mobile network where the SMF is located is not allowed, or that performing the first operation through the user plane of the mobile network where the SMF is located is not allowed, the subsequent steps are not performed; otherwise the subsequent steps are performed.
Step 85: The PEGC sends a PDU Session Modification Request to the SMF, which may carry at least one of first indication information, information about the first PINE, information about the PEGC, and information about the AAA. The first indication information indicates that the first operation is to be performed.
Step 86: If the SMF allows the first operation, or allows the AAA in step 85 to perform the first operation, or allows the PEGC or the first PINE in step 85 to perform the first operation, or allows the PEGC or the first PINE in step 85 to perform the first operation with the AAA, it returns a PDU Session Modification Ack message; otherwise it returns a PDU Session Modification Reject message, which may carry indication information indicating that the first operation is not allowed.
Step 87: If the first operation is allowed, the PEGC may send a first EAP message to the first PINE to request the ID of the first PINE; the first EAP message may be the EAP Identity in an EAP Request.
Step 88: The PINE sends a second EAP message to the PEGC, carrying the ID of the first PINE; the second EAP message may be the EAP Identity in an EAP Response.
Step 89: The PEGC sends the ID of the first PINE to the external data network authentication and authorization center (AAA) through the user plane of the 5G system.
Step 810: The AAA and the PINE exchange EAP messages (e.g., EAP Request, EAP Response) through the PEGC to perform the first operation.
Step 811: If the first operation succeeds, the AAA sends an EAP-Success message to the PEGC; otherwise it sends an EAP-Failure message. If the PEGC receives EAP-Success, it allows the first PINE to connect in order to access the PIN; otherwise the PEGC rejects the connection of the first PINE.
In this implementation, the SMF may be replaced by the AMF, and the UPF may be replaced by the authentication server function (AUSF); alternatively, this implementation may not involve the UPF or the AUSF at all.
It should be noted that FIG. 7 and FIG. 8 show only the main content or messages related to each step; for details, see the detailed description of each step above.
In addition, Implementation 1 and Implementation 2 above are only two implementations of the embodiments of the present application; the specific implementation of the operation execution method of the embodiments of the present application is not limited to them and may be any possible combination of the foregoing content.
The operation execution method provided in the embodiments of the present application may be performed by an operation execution apparatus. The embodiments of the present application describe the operation execution apparatus by taking as an example the case in which the operation execution apparatus performs the operation execution method.
In a sixth aspect, an embodiment of the present application provides an operation execution apparatus applied to a first terminal. As shown in FIG. 9, the operation execution apparatus 90 includes the following modules:
a first sending module 901, configured to send a first non-access stratum (NAS) message and/or first indication information to the network side, where the first NAS message indicates a first operation, the first indication information indicates the first operation, and the first operation includes at least one of authentication, certification, and authorization;
a first receiving module 902, configured to receive fifth indication information sent by the network side, where the fifth indication information indicates at least one of the following:
the first operation is allowed or not allowed;
performing the first operation through the control plane of the network side is allowed or not allowed;
performing the first operation through the user plane of the network side is allowed or not allowed.
Optionally, the apparatus further includes:
a first establishing module, configured to interact with the network side to establish a protocol data unit (PDU) session before the first sending module 901 sends the first NAS message and/or the first indication information to the network side.
Optionally, the first NAS message is a PDU session modification request.
Optionally, the first indication information includes at least one of the following:
an indication to perform the first operation;
information about the first terminal;
information about a second network function, where the second network function is used to perform the first operation.
Optionally, the first sending module 901 includes:
a first sending submodule, configured so that the first terminal sends the first NAS message and/or the first indication information to the network side when or after a connection is established between the first terminal and a first device.
Optionally, the first sending submodule is specifically configured to:
receive a first message sent by the first device, or receive a sixth message sent by a second terminal;
in response to the first message or the sixth message, send the first NAS message and/or the first indication information to the network side;
where the first message indicates at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the personal IoT network (PIN) where the first terminal is located, communicating with the network side, communicating with the second network function;
the sixth message instructs the first terminal or the first device to communicate with the second network function;
the second network function is used to perform the first operation.
Optionally, the first indication information includes at least one of the following:
an indication to perform the first operation;
information about the first device;
information about the first terminal;
information about a second network function, where the second network function is used to perform the first operation.
Optionally, the apparatus further includes:
a third receiving module, configured to receive second indication information sent by the network side after the first sending module 901 sends the first NAS message and/or the first indication information to the network side, where the second indication information indicates the result of the first operation;
a third processing module, configured to perform at least one of the following according to the second indication information:
allow or reject the first message, sent by the first device, that the first terminal received;
allow or refuse processing of the first device's data;
allow, retain, or release the connection between the first terminal and the first device;
where the first message indicates at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, communicating with the second network function;
the second network function is used to perform the first operation.
Optionally, the apparatus further includes:
a fourth processing module, configured to perform at least one of the following according to the fifth indication information:
perform or stop performing the first operation;
send or stop sending sixth indication information to the second network function, where the sixth indication information instructs the second network function to perform the first operation;
send or stop sending a fourth message to the second network function, where the fourth message is a message involved in performing the first operation;
receive or stop receiving a fifth message from the second network function, where the fifth message is a message involved in performing the first operation;
allow or reject the first message, sent by the first device, that the first terminal received;
allow or refuse processing of the first device's data;
allow, retain, or release the connection between the first terminal and the first device;
where the first message indicates at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, communicating with the second network function.
Optionally, the first receiving module 902 is specifically configured to:
receive a second NAS message sent by the network side, where the second NAS message carries the second indication information.
Optionally, the second indication information satisfies at least one of the following:
the result of the first operation is indicated by the identifier or name of the second NAS message;
the result of the first operation is indicated by a cause value.
Optionally, indicating the result of the first operation by the identifier or name of the second NAS message includes at least one of the following:
indicating that the first operation succeeded by a PDU session modification acknowledgment message or a PDU session establishment acknowledgment message;
indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject message.
Optionally, indicating the result of the first operation by a cause value includes at least one of the following indications:
a failure cause value and/or a failure indication, indicating that the first operation failed;
a success cause value and/or a success indication, indicating that the first operation succeeded;
where the second NAS message does not include the failure cause value and/or failure indication, this indicates that the first operation succeeded;
where the second NAS message does not include the success cause value and/or success indication, this indicates that the first operation failed.
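The two absence rules above give opposite readings of a second NAS message that carries no cause value, so a receiver has to know which convention is in force. The decoder below is an added example, not code from the application; the `Convention` setting, the field names, and the cause strings are hypothetical, and treating an unknown message name or conflicting signals as failure is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Result(Enum):
    SUCCESS = "first operation succeeded"
    FAILURE = "first operation failed"


class Convention(Enum):
    """Which absence rule applies (assumed to be agreed out of band)."""
    FAILURE_SIGNALLED = 1  # no failure cause/indication present => success
    SUCCESS_SIGNALLED = 2  # no success cause/indication present => failure


@dataclass(frozen=True)
class SecondNas:
    name: str
    success_cause: Optional[str] = None  # success cause value or indication
    failure_cause: Optional[str] = None  # failure cause value or indication


ACK_NAMES = frozenset({"PDU Session Modification Ack",
                       "PDU Session Establishment Ack"})
REJECT_NAMES = frozenset({"PDU Session Modification Reject",
                          "PDU Session Establishment Reject"})


def result_by_name(msg: SecondNas) -> Optional[Result]:
    """Result carried by the message name; None if the name is unknown."""
    if msg.name in ACK_NAMES:
        return Result.SUCCESS
    if msg.name in REJECT_NAMES:
        return Result.FAILURE
    return None


def result_by_cause(msg: SecondNas, convention: Convention) -> Result:
    """Result carried by cause values, including the absence rules."""
    if convention is Convention.FAILURE_SIGNALLED:
        return Result.FAILURE if msg.failure_cause is not None else Result.SUCCESS
    return Result.SUCCESS if msg.success_cause is not None else Result.FAILURE


def decide(msg: SecondNas, convention: Convention) -> Result:
    """Report success only when the name and the cause reading agree."""
    by_name = result_by_name(msg)
    if by_name is None:
        return Result.FAILURE  # assumption: unknown message never admits
    if msg.success_cause is not None and msg.failure_cause is not None:
        return Result.FAILURE  # assumption: contradictory causes fail closed
    by_cause = result_by_cause(msg, convention)
    if by_name is Result.SUCCESS and by_cause is Result.SUCCESS:
        return Result.SUCCESS
    return Result.FAILURE


def classify_constructed_samples(convention: Convention) -> List[Result]:
    """Constructed messages; the cause strings are placeholders."""
    samples = [
        SecondNas("PDU Session Modification Ack"),
        SecondNas("PDU Session Modification Ack", success_cause="auth-ok"),
        SecondNas("PDU Session Modification Ack", failure_cause="auth-failed"),
        SecondNas("PDU Session Establishment Reject", failure_cause="auth-failed"),
        SecondNas("PDU Session Release Command"),
    ]
    return [decide(m, convention) for m in samples]


if __name__ == "__main__":
    for conv in Convention:
        print(conv.name, [r.name for r in classify_constructed_samples(conv)])
```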
Optionally, the apparatus further includes at least one of the following modules:
a first forwarding module, configured to receive a second message from the network side and send the second message to the first device;
a second forwarding module, configured to receive a third message from the first device and send the third message to the network side;
where the second message and the third message are each messages involved in performing the first operation.
Optionally, the second message is an Extensible Authentication Protocol (EAP) message, and the third message is an EAP message.
Optionally, the first NAS message is a PDU session modification request or a PDU session establishment request.
Optionally, the apparatus further includes:
a fourth receiving module, configured to receive rule information sent by the network side;
the first sending module includes:
a second sending submodule, configured to send the first NAS message and/or the first indication information to the network side according to the rule information.
Optionally, the rule information indicates at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation.
Optionally, the second sending submodule is specifically configured to perform at least one of the following:
where the rule information indicates that the first device requires the first operation, send the first NAS message and/or the first indication information to the network side;
where the rule information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, send the first NAS message and/or the first indication information to the network side:
the first NAS message and/or the first indication information is related to the target PIN;
the connection between the first terminal and the first device is related to the target PIN;
the first message, sent by the first device, that the first terminal received is related to the target PIN;
the first device is related to the target PIN;
where the first message indicates at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, communicating with the second network function;
the second network function is used to perform the first operation.
Optionally, the apparatus further includes:
a fifth receiving module, configured to receive configuration information sent by the second terminal;
the first sending module 901 includes:
a third sending submodule, configured so that the first terminal sends the first NAS message and/or the first indication information to the network side according to the configuration information.
Optionally, the configuration information indicates at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one second target device requires the first operation or does not require the first operation.
Optionally, the third sending submodule is specifically configured to perform at least one of the following:
where the configuration information indicates that the first device requires the first operation, send the first NAS message and/or the first indication information to the network side;
where the configuration information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, send the first NAS message and/or the first indication information to the network side:
the first NAS message and/or the first indication information is related to the target PIN;
the connection between the first terminal and the first device is related to the target PIN;
the first message, sent by the first device, that the first terminal received is related to the target PIN;
the first device is related to the target PIN;
where the first message indicates at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, communicating with the second network function;
the second network function is used to perform the first operation.
Optionally, the apparatus further includes:
a fifth sending module, configured to send information about the first device to the network side where the second indication information indicates that the first operation succeeded.
Optionally, the first terminal is a terminal with gateway capability.
The operation execution apparatus in the embodiments of the present application may be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal; for example, the terminal may include, but is not limited to, the types of terminal 11 listed above, which is not specifically limited in the embodiments of the present application.
The operation execution apparatus provided in the embodiments of the present application can implement each process implemented by the method embodiment of FIG. 2 and achieve the same technical effect; to avoid repetition, details are not repeated here.
In a seventh aspect, an embodiment of the present application provides an operation execution apparatus applied to a first network function. As shown in FIG. 10, the operation execution apparatus 100 includes the following modules:
a second sending module 1001, configured to send fifth indication information to a first terminal;
and/or,
a second receiving module 1002, configured to receive a first non-access stratum (NAS) message and/or first indication information sent by the first terminal, where the first NAS message indicates the first operation, the first indication information indicates the first operation, and the first operation includes at least one of authentication, certification, and authorization;
a first processing module 1003, configured to perform at least one of the following in response to the first NAS message and/or the first indication information:
send fifth indication information to the first terminal;
instruct a second network function and the first terminal to perform the first operation;
where the fifth indication information indicates at least one of the following:
the first operation is allowed or not allowed;
performing the first operation through the control plane of the mobile network is allowed or not allowed;
performing the first operation through the user plane of the mobile network is allowed or not allowed.
Optionally, the apparatus further includes:
a sixth receiving module, configured to receive third indication information sent by the second network function where the first network function instructs the second network function and the first terminal to perform the first operation, where the third indication information indicates the result of the first operation;
a sixth sending module, configured to send second indication information to the first terminal according to the third indication information, where the second indication information indicates the result of the first operation.
Optionally, the apparatus further includes:
a second establishing module, configured to interact with the first terminal to establish a protocol data unit (PDU) session before the first network function receives the first NAS message and/or the first indication information sent by the first terminal.
Optionally, the first NAS message is a PDU session modification request.
Optionally, the first indication information includes at least one of the following:
an indication to perform the first operation;
information about the first terminal;
information about the second network function.
可选地,所述第一指示信息包括如下中至少一项:Optionally, the first indication information includes at least one of the following:
用于指示进行所述第一操作的指示;an instruction for instructing to perform the first operation;
第一设备的信息,其中,所述第一设备为需要通过所述第一终端访问个人物联网PIN 或所述第一网络功能所在网络的设备;Information of the first device, wherein the first device needs to access the personal IoT PIN through the first terminal or a device in the network where the first network function is located;
所述第一终端的信息;information of the first terminal;
所述第二网络功能的信息。information of the second network function.
可选地,所述第一非接入层NAS消息为PDU会话修改请求或PDU会话建立请求。Optionally, the first non-access layer NAS message is a PDU session modification request or a PDU session establishment request.
可选地,所述第六发送模块具体用于:Optionally, the sixth sending module is specifically configured to:
根据所述第三指示信息,向所述第一终端发送第二NAS消息,其中,所述第二NAS消息中携带有所述第二指示信息。According to the third indication information, a second NAS message is sent to the first terminal, wherein the second NAS message carries the second indication information.
Optionally, the second indication information satisfies at least one of the following:
the result of the first operation is indicated by the identifier or name of the second NAS message;
the result of the first operation is indicated by a cause value.
Optionally, indicating the result of the first operation by the identifier or name of the second NAS message includes at least one of the following:
indicating that the first operation succeeded by a PDU session modification confirmation or a PDU session establishment confirmation;
indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject.
Optionally, indicating the result of the first operation by a cause value includes at least one of the following indications:
a failure cause value and/or a failure indication, used to indicate that the first operation failed;
a success cause value and/or a success indication, used to indicate that the first operation succeeded;
where the second NAS message does not include the failure cause value and/or the failure indication, this indicates that the first operation succeeded;
where the second NAS message does not include the success cause value and/or the success indication, this indicates that the first operation failed.
Optionally, when the first processing module, in response to the first non-access stratum (NAS) message, instructs the second network function and the first terminal to perform the first operation, it is specifically configured to perform at least one of the following:
instructing the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum (NAS) message;
instructing the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum (NAS) message and first association information between the PDU session related information and a PIN instance or session;
instructing the second network function and the first terminal to perform the first operation based on the PIN instance or session related information in the first non-access stratum (NAS) message;
instructing the second network function and the first terminal to perform the first operation based on the PDU session related information and the PIN service indication information in the first non-access stratum (NAS) message;
instructing the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum (NAS) message and second association information between the PDU session related information and a PIN service.
Optionally, the device further comprises:
a fifth processing module, configured to obtain at least one of the following from a third network function:
the first association information;
the second association information.
Optionally, the device further comprises:
a seventh receiving module, configured to receive information of a first device sent by the first terminal when the second indication information indicates that the first operation succeeded;
wherein the first device is a device that needs to access the PIN, or the network where the first network function is located, through the first terminal.
Optionally, the device further comprises:
a configuration module, configured such that, when the first network function learns a packet filtering rule and the packet filtering rule relates to the first device, the first network function uses the packet filtering rule to configure a fourth network function.
The operation execution device in the embodiments of the present application may be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a network function. By way of example, the network function may include, but is not limited to, the types of network function 12 listed above, which the embodiments of the present application do not specifically limit.
The operation execution device provided in the embodiments of the present application can implement each process implemented by the method embodiment of FIG. 3 and achieve the same technical effect. To avoid repetition, details are not repeated here.
In an eighth aspect, an embodiment of the present application provides an operation execution device applied to a third network function. As shown in FIG. 11, the operation execution device 110 includes the following modules:
a second processing module 1101, configured to perform a second operation;
wherein the second operation includes at least one of the following:
sending rule information of a personal IoT network (PIN) to a first terminal;
sending data protocol unit (PDU) session configuration information to a first network function.
Optionally, the rule information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the first target device is a device that needs to access the personal IoT network (PIN), or the mobile network where the third network function is located, through the first terminal.
Optionally, the PDU session configuration information includes at least one of the following:
first association information between PDU session related information and a PIN instance or session;
second association information between PDU session related information and a PIN service.
Optionally, the device further comprises:
a sixth processing module, configured to obtain fourth indication information before the second processing module 1101 performs the second operation, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
the second processing module 1101 is specifically configured to:
perform the second operation according to the fourth indication information.
Optionally, the sixth processing module is specifically configured such that:
the third network function receives the fourth indication information sent by a fifth network function.
The operation execution device in the embodiments of the present application may be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a network function. By way of example, the network function may include, but is not limited to, the types of network function 12 listed above, which the embodiments of the present application do not specifically limit.
The operation execution device provided in the embodiments of the present application can implement each process implemented by the method embodiment of FIG. 4 and achieve the same technical effect. To avoid repetition, details are not repeated here.
In a ninth aspect, an embodiment of the present application provides an operation execution device applied to a second terminal. As shown in FIG. 12, the operation execution device 120 includes the following modules:
a third sending module 1201, configured to send configuration information to a first terminal in a personal IoT network (PIN).
[...] send configuration information to the first terminal in the personal IoT network (PIN) created by the second terminal device.
Optionally, the configuration information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one second target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the second target device is a device that needs to access the personal IoT network (PIN) or the mobile network through the first terminal.
The operation execution device in the embodiments of the present application may be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a terminal. By way of example, the terminal may include, but is not limited to, the types of terminal 11 listed above, which the embodiments of the present application do not specifically limit.
The operation execution device provided in the embodiments of the present application can implement each process implemented by the method embodiment of FIG. 5 and achieve the same technical effect. To avoid repetition, details are not repeated here.
In a tenth aspect, an embodiment of the present application provides an operation execution device applied to a fifth network function. As shown in FIG. 13, the operation execution device 130 includes the following modules:
a fourth sending module 1301, configured to send fourth indication information to a third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
wherein the second operation includes at least one of the following:
the third network function sends rule information to a first terminal;
the third network function sends data protocol unit (PDU) session configuration information to a first network function.
Optionally, the rule information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the first target device is a device that needs to access the personal IoT network (PIN), or the mobile network where the third network function is located, through the first terminal.
Optionally, the PDU session configuration information includes at least one of the following:
first association information between PDU session related information and a PIN instance or session;
second association information between PDU session related information and a PIN service.
The operation execution method in the embodiments of the present application may be an electronic device, such as an electronic device with an operating system, or a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a network function. By way of example, the network function may include, but is not limited to, the types of network function 12 listed above, which the embodiments of the present application do not specifically limit.
The operation execution device provided in the embodiments of the present application can implement each process implemented by the method embodiment of FIG. 6 and achieve the same technical effect. To avoid repetition, details are not repeated here.
Optionally, as shown in FIG. 14, an embodiment of the present application further provides a communication device 1400, including a processor 1401 and a memory 1402, where the memory 1402 stores a program or instructions executable on the processor 1401. For example, when the communication device 1400 is a terminal, the program or instructions, when executed by the processor 1401, implement the steps of the above operation execution method embodiments and achieve the same technical effect. When the communication device 1400 is a network function, the program or instructions, when executed by the processor 1401, implement the steps of the above operation execution method embodiments and achieve the same technical effect. To avoid repetition, details are not repeated here.
An embodiment of the present application further provides a terminal. FIG. 14 is a schematic diagram of the hardware structure of a terminal implementing an embodiment of the present application.
The terminal 1400 includes, but is not limited to, at least some of the following components: a radio frequency unit 1401, a network module 1402, an audio output unit 1403, an input unit 1404, a sensor 1405, a display unit 1406, a user input unit 1407, an interface unit 1408, a memory 1409, and a processor 1410.
Those skilled in the art will appreciate that the terminal 1400 may also include a power source (such as a battery) that supplies power to each component. The power source may be logically connected to the processor 1410 through a power management system, so that charging, discharging, and power consumption management are handled through the power management system. The terminal structure shown in FIG. 14 does not limit the terminal; the terminal may include more or fewer components than shown, combine certain components, or arrange the components differently, which is not described further here.
It should be understood that, in the embodiments of the present application, the input unit 1404 may include a graphics processing unit (GPU) 14041 and a microphone 14042. The graphics processor 14041 processes image data of still pictures or video obtained by an image capture device (such as a camera) in a video capture mode or an image capture mode. The display unit 1406 may include a display panel 14061, which may be configured as a liquid crystal display, an organic light-emitting diode display, or the like. The user input unit 1407 includes at least one of a touch panel 14071 and other input devices 14072. The touch panel 14071 is also called a touch screen and may include two parts: a touch detection device and a touch controller. The other input devices 14072 may include, but are not limited to, a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, and a joystick, which are not described further here.
In the embodiments of the present application, after receiving downlink data from the network function, the radio frequency unit 1401 may pass it to the processor 1410 for processing; in addition, the radio frequency unit 1401 may send uplink data to the network function. Generally, the radio frequency unit 1401 includes, but is not limited to, an antenna, an amplifier, a transceiver, a coupler, a low-noise amplifier, a duplexer, and the like.
The memory 1409 may be used to store software programs or instructions and various data. The memory 1409 may mainly include a first storage area for storing programs or instructions and a second storage area for storing data, where the first storage area may store an operating system and the application programs or instructions required for at least one function (such as a sound playback function or an image playback function). In addition, the memory 1409 may include volatile memory or non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), or flash memory. The volatile memory may be random access memory (RAM), static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synch link DRAM (SLDRAM), or direct Rambus RAM (DRRAM). The memory 1409 in the embodiments of the present application includes, but is not limited to, these and any other suitable types of memory.
The processor 1410 may include one or more processing units. Optionally, the processor 1410 integrates an application processor and a modem processor, where the application processor mainly handles operations involving the operating system, user interface, and application programs, and the modem processor, such as a baseband processor, mainly handles wireless communication signals. It can be understood that the modem processor may also not be integrated into the processor 1410.
In a first aspect, when the terminal 1400 serves as the first terminal, the radio frequency unit 1401 is configured to send a first non-access stratum (NAS) message and/or first indication information to the network side, wherein the first non-access stratum (NAS) message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
the radio frequency unit 1401 is further configured to receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
the first operation is allowed or not allowed;
performing the first operation through the control plane of the network side is allowed or not allowed;
performing the first operation through the user plane of the network side is allowed or not allowed.
Optionally, before the radio frequency unit 1401 sends the first non-access stratum (NAS) message and/or the first indication information to the network side, the processor 1410 is configured to interact with the network side to establish a protocol data unit (PDU) session.
Optionally, the first non-access stratum (NAS) message is a PDU session modification request.
Optionally, the first indication information includes at least one of the following:
an indication for instructing that the first operation be performed;
information of the first terminal;
information of a second network function, wherein the second network function is used to perform the first operation.
Optionally, when sending the first non-access stratum (NAS) message and/or the first indication information to the network side, the radio frequency unit 1401 is specifically configured to:
send the first non-access stratum (NAS) message and/or the first indication information to the network side when or after a connection is established between the first terminal and a first device.
Optionally, when sending the first non-access stratum (NAS) message and/or the first indication information to the network side when or after the connection is established between the first terminal and the first device, the radio frequency unit 1401 is specifically configured to:
receive a first message sent by the first device, or receive a sixth message sent by a second terminal;
in response to the first message or the sixth message, send the first non-access stratum (NAS) message and/or the first indication information to the network side;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the personal IoT network (PIN) where the first terminal is located, communicating with the network side, and communicating with the second network function;
the sixth message is used to instruct the first terminal or the first device to communicate with the second network function;
the second network function is used to perform the first operation.
Optionally, the first indication information includes at least one of the following:
an indication for instructing that the first operation be performed;
information of the first device;
information of the first terminal;
information of a second network function, wherein the second network function is used to perform the first operation.
Optionally, after sending the first non-access stratum (NAS) message and/or the first indication information to the network side, the radio frequency unit 1401 is further configured to:
receive second indication information sent by the network side, wherein the second indication information is used to indicate a result of the first operation;
the processor 1410 is further configured to perform at least one of the following according to the second indication information:
allow or reject the first message sent by the first device and received by the first terminal;
allow or refuse processing of data of the first device;
allow, retain, or release the connection between the first terminal and the first device;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, and communicating with the second network function;
the second network function is used to perform the first operation.
Optionally, the processor 1410 is further configured to:
perform at least one of the following according to the fifth indication information:
perform or stop performing the first operation;
send or stop sending sixth indication information to the second network function, where the sixth indication information is used to instruct the second network function to perform the first operation;
send or stop sending a fourth message to the second network function, where the fourth message is a message involved in performing the first operation;
receive or stop receiving a fifth message from the second network function, where the fifth message is a message involved in performing the first operation;
allow or reject the first message sent by the first device and received by the first terminal;
allow or refuse processing of data of the first device;
allow, retain, or release the connection between the first terminal and the first device;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, and communicating with the second network function.
Optionally, when receiving the second indication information sent by the network side, the radio frequency unit 1401 is specifically configured to:
receive a second NAS message sent by the network side, wherein the second NAS message carries the second indication information.
Optionally, the second indication information satisfies at least one of the following:
the result of the first operation is indicated by the identifier or name of the second NAS message;
the result of the first operation is indicated by a cause value.
Optionally, indicating the result of the first operation by the identifier or name of the second NAS message includes at least one of the following:
indicating that the first operation succeeded by a PDU session modification confirmation message or a PDU session establishment confirmation message;
indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject message.
Optionally, indicating the result of the first operation by a cause value includes at least one of the following indications:
a failure cause value and/or a failure indication, used to indicate that the first operation failed;
a success cause value and/or a success indication, used to indicate that the first operation succeeded;
where the second NAS message does not include the failure cause value and/or the failure indication, this indicates that the first operation succeeded;
where the second NAS message does not include the success cause value and/or the success indication, this indicates that the first operation failed.
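The result conventions listed above can be sketched as terminal-side logic; this is an added example, not code from the application. The message identifiers, the `SecondNasMessage` fields, the cause strings, and the choice to release the connection on any ambiguous or contradictory message are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    UNDETERMINED = "undetermined"


class Convention(Enum):
    BY_MESSAGE_NAME = 1               # confirmation vs. reject message
    EXPLICIT_CAUSE = 2                # a success or failure cause is present
    ABSENT_FAILURE_MEANS_SUCCESS = 3  # no failure cause => success
    ABSENT_SUCCESS_MEANS_FAILURE = 4  # no success cause => failure


# Constructed identifiers for the message names used in the text above.
CONFIRM_NAMES = {"PDU_SESSION_MODIFICATION_CONFIRMATION",
                 "PDU_SESSION_ESTABLISHMENT_CONFIRMATION"}
REJECT_NAMES = {"PDU_SESSION_MODIFICATION_REJECT",
                "PDU_SESSION_ESTABLISHMENT_REJECT"}


@dataclass(frozen=True)
class SecondNasMessage:
    """Hypothetical decoded view of the second NAS message."""
    name: str
    success_cause: Optional[str] = None
    failure_cause: Optional[str] = None


def _by_name(msg: SecondNasMessage) -> Optional[Result]:
    if msg.name in CONFIRM_NAMES:
        return Result.SUCCESS
    if msg.name in REJECT_NAMES:
        return Result.FAILURE
    return None  # no opinion on other message names


def _explicit_cause(msg: SecondNasMessage) -> Optional[Result]:
    has_ok = msg.success_cause is not None
    has_fail = msg.failure_cause is not None
    if has_ok and has_fail:
        return Result.UNDETERMINED  # contradictory message
    if has_fail:
        return Result.FAILURE
    if has_ok:
        return Result.SUCCESS
    return None  # no cause present, no opinion


def _absent_failure(msg: SecondNasMessage) -> Result:
    return Result.FAILURE if msg.failure_cause is not None else Result.SUCCESS


def _absent_success(msg: SecondNasMessage) -> Result:
    return Result.SUCCESS if msg.success_cause is not None else Result.FAILURE


_RULES = {
    Convention.BY_MESSAGE_NAME: _by_name,
    Convention.EXPLICIT_CAUSE: _explicit_cause,
    Convention.ABSENT_FAILURE_MEANS_SUCCESS: _absent_failure,
    Convention.ABSENT_SUCCESS_MEANS_FAILURE: _absent_success,
}


def interpret(msg: SecondNasMessage,
              conventions: Iterable[Convention]) -> Result:
    """Apply every enabled convention; accept a result only if all agree."""
    opinions = {_RULES[c](msg) for c in conventions}
    opinions.discard(None)
    if len(opinions) == 1:
        return opinions.pop()
    return Result.UNDETERMINED  # conflict, or nothing could decide


def connection_action(result: Result) -> str:
    """Assumed policy: keep the first device's connection only on SUCCESS."""
    return "retain" if result is Result.SUCCESS else "release"
```

A reject message that carries no cause value reads as success under the absent-failure convention alone and as failure by message name, so the terminal and the network side have to agree on which conventions are in force.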
Optionally, the radio frequency unit 1401 is further configured to perform at least one of the following:
receiving a second message from the network side, and sending the second message to the first device;
receiving a third message from the first device, and sending the third message to the network side;
wherein the second message and the third message are each a message involved in performing the first operation.
Optionally, the second message is an Extensible Authentication Protocol (EAP) message, and the third message is an EAP message.
Optionally, the first non-access stratum (NAS) message is a PDU session modification request or a PDU session establishment request.
Optionally, the radio frequency unit 1401 is further configured to: receive rule information sent by the network side;
when sending the first non-access stratum (NAS) message and/or the first indication information to the network side, the radio frequency unit 1401 is specifically configured to:
send the first NAS message and/or the first indication information to the network side according to the rule information.
Optionally, the rule information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one first target device requires the first operation or does not require the first operation.
Optionally, when sending the first NAS message and/or the first indication information to the network side according to the rule information, the radio frequency unit 1401 is specifically configured to perform at least one of the following:
when the rule information indicates that the first device requires the first operation, sending the first NAS message and/or the first indication information to the network side;
when the rule information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, sending the first NAS message and/or the first indication information to the network side:
the first NAS message and/or the first indication information is related to the target PIN;
the connection between the first terminal and the first device is related to the target PIN;
the first message sent by the first device and received by the first terminal is related to the target PIN;
the first device is related to the target PIN;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN in which the first terminal is located, communicating with the network side, and communicating with a second network function;
the second network function is used to perform the first operation.
Optionally, the radio frequency unit 1401 is further configured such that:
the first terminal receives configuration information sent by the second terminal;
when sending the first non-access stratum (NAS) message and/or the first indication information to the network side, the radio frequency unit 1401 is specifically configured to:
send the first NAS message and/or the first indication information to the network side according to the configuration information.
Optionally, the configuration information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one second target device requires the first operation or does not require the first operation.
Optionally, when sending the first NAS message and/or the first indication information to the network side according to the configuration information, the radio frequency unit 1401 is specifically configured to perform at least one of the following:
when the configuration information indicates that the first device requires the first operation, sending the first NAS message and/or the first indication information to the network side;
when the configuration information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, sending the first NAS message and/or the first indication information to the network side:
the first NAS message and/or the first indication information is related to the target PIN;
the connection between the first terminal and the first device is related to the target PIN;
the first message sent by the first device and received by the first terminal is related to the target PIN;
the first device is related to the target PIN;
wherein the first message is used to indicate at least one of the following:
establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN in which the first terminal is located, communicating with the network side, and communicating with a second network function;
the second network function is used to perform the first operation.
Optionally, the radio frequency unit 1401 is further configured to: send information of the first device to the network side when the second indication information indicates that the first operation succeeded.
Optionally, the first terminal is a terminal with gateway capability.
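The send rule and the result handling described above for the first terminal, as an added Python example that is not taken from the application or from any 3GPP specification. All class, function and message-name identifiers and the cause values are hypothetical; the treatment of conflicting signals (any failure signal wins) and the "hold" state are assumptions of this example, and `fail_closed` selects between the two absence conventions the text lists.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


# Message kinds named in the text; these string identifiers are constructed.
CONFIRM_NAMES = {"PDU_SESSION_MODIFICATION_CONFIRM", "PDU_SESSION_ESTABLISHMENT_CONFIRM"}
REJECT_NAMES = {"PDU_SESSION_MODIFICATION_REJECT", "PDU_SESSION_ESTABLISHMENT_REJECT"}


@dataclass
class Policy:
    """Rule information (from the network side) or configuration information
    (from the second terminal); both carry the same two kinds of statement."""
    target_pin: Optional[str] = None        # PIN the statement refers to
    pin_requires_op: bool = False           # first operation applies to target_pin
    devices_requiring_op: Set[str] = field(default_factory=set)


@dataclass
class FirstMessage:
    """Request from a first device (connect, access the PIN, reach the network)."""
    device_id: str
    pin_id: Optional[str] = None            # PIN the message relates to, if any


@dataclass
class SecondNasMessage:
    """Reply from the network side carrying the second indication information."""
    name: str
    success_cause: Optional[int] = None     # constructed values, not 3GPP codes
    failure_cause: Optional[int] = None


def must_request_first_operation(policy, msg, connection_pin=None, device_pin=None):
    """True if the first terminal has to send the first NAS message/indication."""
    if msg.device_id in policy.devices_requiring_op:
        return True
    if policy.pin_requires_op and policy.target_pin is not None:
        # One relation to the target PIN is enough ("at least one condition").
        return policy.target_pin in (msg.pin_id, connection_pin, device_pin)
    return False


def interpret_result(reply, fail_closed=True):
    """Map the second NAS message to a result of the first operation."""
    # Assumption of this example: any explicit failure signal wins a conflict.
    if reply.name in REJECT_NAMES or reply.failure_cause is not None:
        return Result.FAILURE
    if reply.name in CONFIRM_NAMES or reply.success_cause is not None:
        return Result.SUCCESS
    # No explicit signal at all. fail_closed=True follows "no success cause
    # means failure"; fail_closed=False follows "no failure cause means success".
    return Result.FAILURE if fail_closed else Result.SUCCESS


def gateway_action(policy, msg, reply, connection_pin=None, fail_closed=True):
    """Decision for the first device's message and its connection."""
    if not must_request_first_operation(policy, msg, connection_pin):
        return "allow"                  # policy does not demand the first operation
    if reply is None:
        return "hold"                   # assumption: keep the link, process no data yet
    if interpret_result(reply, fail_closed) is Result.SUCCESS:
        return "allow"
    return "reject_and_release"


if __name__ == "__main__":
    # Constructed sample policy and messages.
    rule = Policy(target_pin="pin-1", pin_requires_op=True, devices_requiring_op={"dev-A"})
    ambiguous = SecondNasMessage("OTHER_NAS_MESSAGE")
    for closed in (True, False):
        print(closed, gateway_action(rule, FirstMessage("dev-A"), ambiguous, fail_closed=closed))
```

The two absence conventions give opposite answers for a reply that carries neither indication, so a gateway terminal and the network side have to agree on one; treating a missing success indication as failure keeps an unauthenticated device off the PIN when the reply is ambiguous.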
In a second aspect, when the terminal 1400 acts as the second terminal, the radio frequency unit 1401 is configured to send configuration information to the first terminal in a personal IoT network (PIN).
Optionally, the configuration information is used to indicate at least one of the following:
the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
at least one second target device requires the first operation or does not require the first operation;
wherein the first operation includes at least one of authentication, certification, and authorization;
the second target device is a device that needs to access the personal IoT network (PIN) or the mobile network through the first terminal.
An embodiment of the present application also provides a network function. As shown in FIG. 15, the network function 1500 includes: an antenna 151, a radio frequency device 152, a baseband device 153, a processor 154, and a memory 155. The antenna 151 is connected to the radio frequency device 152. In the uplink direction, the radio frequency device 152 receives information through the antenna 151 and sends the received information to the baseband device 153 for processing. In the downlink direction, the baseband device 153 processes the information to be sent and sends it to the radio frequency device 152, which processes the received information and sends it out through the antenna 151.
The method performed by the network function in the above embodiments may be implemented in the baseband device 153, which includes a baseband processor.
The baseband device 153 may include, for example, at least one baseband board on which a plurality of chips are arranged, as shown in FIG. 15. One of the chips is, for example, a baseband processor, which is connected to the memory 155 through a bus interface to call a program in the memory 155 and perform the network function operations shown in the above method embodiments.
The network function may also include a network interface 156, which is, for example, a common public radio interface (CPRI).
Specifically, the network function 1500 of this embodiment of the present invention further includes instructions or programs stored in the memory 155 and executable on the processor 154. The processor 154 calls the instructions or programs in the memory 155 to execute the method shown in FIG. 6 and achieves the same technical effect; to avoid repetition, it is not described again here.
An embodiment of the present application also provides a network function. As shown in FIG. 16, the network function 1600 includes: a processor 1601, a network interface 1602, and a memory 1603. The network interface 1602 is, for example, a common public radio interface (CPRI).
Specifically, the network function 1600 of this embodiment of the present invention further includes instructions or programs stored in the memory 1603 and executable on the processor 1601. The processor 1601 calls the instructions or programs in the memory 1603 to execute the method shown in FIG. 3, FIG. 4 or FIG. 6 and achieves the same technical effect; to avoid repetition, it is not described again here.
An embodiment of the present application also provides a readable storage medium on which a program or instructions are stored. When the program or instructions are executed by a processor, each process of the above operation execution method embodiments is implemented and the same technical effect can be achieved; to avoid repetition, it is not described again here.
The processor is the processor in the terminal described in the above embodiments. The readable storage medium may be non-volatile or non-transitory. The readable storage medium may include a computer-readable storage medium, such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
An embodiment of the present application further provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement each process of the operation execution method embodiments described in any one of the first to fifth aspects above, achieving the same technical effect; to avoid repetition, it is not described again here.
It should be understood that the chip mentioned in the embodiments of the present application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.
An embodiment of the present application further provides a computer program/program product, which is stored in a storage medium and is executed by at least one processor to implement each process of the operation execution method embodiments described in any one of the first to fifth aspects above, achieving the same technical effect; to avoid repetition, it is not described again here.
An embodiment of the present application also provides an operation execution system, including a terminal and a network function. The terminal can be used to perform the steps of the operation execution method described in the first aspect or the fourth aspect above, and the network function can be used to perform the steps of the operation execution method described in the second aspect, the third aspect, or the fifth aspect above.
It should be noted that, in this document, the terms "comprise", "include" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes the element. In addition, the scope of the methods and apparatuses in the embodiments of the present application is not limited to performing functions in the order shown or discussed; it may also include performing functions in a substantially simultaneous manner or in the reverse order, depending on the functions involved. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Features described with reference to certain examples may also be combined in other examples.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the related art, can be embodied in the form of a computer software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disk) and includes a number of instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network function, or the like) to execute the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described, which are merely illustrative and not restrictive. Guided by the present application, those of ordinary skill in the art can devise many other forms without departing from the purpose of the present application and the scope protected by the claims, all of which fall within the protection of the present application.

Claims (60)

  1. An operation execution method, comprising at least one of the following:
    a first terminal sending a first non-access stratum (NAS) message and/or first indication information to a network side, wherein the first NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
    the first terminal receiving fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
    allowing or not allowing the first operation;
    allowing or not allowing the first operation to be performed through the control plane of the network side;
    allowing or not allowing the first operation to be performed through the user plane of the network side.
  2. The method according to claim 1, wherein, before the first terminal sends the first NAS message and/or the first indication information to the network side, the method further comprises:
    the first terminal interacting with the network side to establish a protocol data unit (PDU) session.
  3. The method according to claim 2, wherein the first NAS message is a PDU session modification request.
  4. The method according to any one of claims 1 to 3, wherein the first indication information includes at least one of the following:
    an indication used to instruct that the first operation be performed;
    information of the first terminal;
    information of a second network function, wherein the second network function is used to perform the first operation.
  5. The method according to claim 1 or 2, wherein the first terminal sending the first NAS message and/or the first indication information to the network side comprises:
    when or after a connection is established between the first terminal and a first device, the first terminal sending the first NAS message and/or the first indication information to the network side.
  6. The method according to claim 5, wherein, when or after the connection is established between the first terminal and the first device, the first terminal sending the first NAS message and/or the first indication information to the network side comprises:
    the first terminal receiving a first message sent by the first device, or receiving a sixth message sent by a second terminal;
    the first terminal sending, in response to the first message or the sixth message, the first NAS message and/or the first indication information to the network side;
    wherein the first message is used to indicate at least one of the following:
    establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the personal IoT network (PIN) in which the first terminal is located, communicating with the network side, and communicating with a second network function;
    the sixth message is used to instruct the first terminal or the first device to communicate with the second network function;
    the second network function is used to perform the first operation.
  7. The method according to claim 5 or 6, wherein the first indication information includes at least one of the following:
    an indication used to instruct that the first operation be performed;
    information of the first device;
    information of the first terminal;
    information of a second network function, wherein the second network function is used to perform the first operation.
  8. The method according to any one of claims 5 to 7, wherein, after the first terminal sends the first NAS message and/or the first indication information to the network side, the method further comprises:
    the first terminal receiving second indication information sent by the network side, wherein the second indication information is used to indicate a result of the first operation;
    the first terminal performing, according to the second indication information, at least one of the following:
    allowing or rejecting a first message sent by the first device and received by the first terminal;
    allowing or rejecting processing of data of the first device;
    allowing, retaining or releasing the connection between the first terminal and the first device;
    wherein the first message is used to indicate at least one of the following:
    establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN in which the first terminal is located, communicating with the network side, and communicating with a second network function;
    the second network function is used to perform the first operation.
  9. The method according to any one of claims 1 and 5 to 8, wherein the method further comprises:
    the first terminal performing, according to the fifth indication information, at least one of the following:
    performing or stopping performing the first operation;
    sending or stopping sending sixth indication information to a second network function, wherein the sixth indication information is used to instruct the second network function to perform the first operation;
    sending or stopping sending a fourth message to the second network function, wherein the fourth message is a message involved in performing the first operation;
    receiving or stopping receiving a fifth message from the second network function, wherein the fifth message is a message involved in performing the first operation;
    allowing or rejecting a first message sent by a first device and received by the first terminal;
    allowing or rejecting processing of data of the first device;
    allowing, retaining or releasing the connection between the first terminal and the first device;
    wherein the first message is used to indicate at least one of the following:
    establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN in which the first terminal is located, communicating with the network side, and communicating with the second network function.
  10. The method according to claim 8, wherein the first terminal receiving the second indication information sent by the network side comprises:
    the first terminal receiving a second NAS message sent by the network side, wherein the second NAS message carries the second indication information.
  11. The method according to claim 10, wherein the second indication information satisfies at least one of the following:
    the result of the first operation is indicated by an identifier or a name of the second NAS message;
    the result of the first operation is indicated by a cause value.
  12. The method according to claim 11, wherein indicating the result of the first operation by the identifier or name of the second NAS message comprises at least one of the following:
    indicating that the first operation succeeded by a PDU session modification confirmation message or a PDU session establishment confirmation message;
    indicating that the first operation failed by a PDU session modification reject message or a PDU session establishment reject message.
  13. The method according to claim 11, wherein indicating the result of the first operation by the cause value comprises at least one of the following indications:
    a failure cause value and/or a failure indication, used to indicate that the first operation failed;
    a success cause value and/or a success indication, used to indicate that the first operation succeeded;
    where the second NAS message does not include the failure cause value and/or the failure indication, indicating that the first operation succeeded;
    where the second NAS message does not include the success cause value and/or the success indication, indicating that the first operation failed.
  14. The method according to any one of claims 5 to 13, wherein the method further comprises at least one of the following:
    the first terminal receiving a second message from the network side, and sending the second message to the first device;
    the first terminal receiving a third message from the first device, and sending the third message to the network side;
    wherein the second message and the third message are each a message involved in performing the first operation.
  15. The method according to claim 14, wherein the second message is an Extensible Authentication Protocol (EAP) message, and the third message is an EAP message.
  16. The method according to any one of claims 5 to 15, wherein the first NAS message is a PDU session modification request or a PDU session establishment request.
  17. The method according to any one of claims 1 to 16, wherein the method further comprises:
    the first terminal receiving rule information sent by the network side;
    wherein the first terminal sending the first NAS message and/or the first indication information to the network side comprises:
    the first terminal sending, according to the rule information, the first NAS message and/or the first indication information to the network side.
  18. The method according to claim 17, wherein the rule information is used to indicate at least one of the following:
    the first operation needs to be applied to a target PIN, or the first operation does not need to be applied to the target PIN;
    at least one first target device requires the first operation or does not require the first operation.
  19. The method according to claim 18, wherein the first terminal sending, according to the rule information, the first NAS message and/or the first indication information to the network side comprises at least one of the following:
    when the rule information indicates that the first device requires the first operation, the first terminal sending the first NAS message and/or the first indication information to the network side;
    when the rule information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, the first terminal sending the first NAS message and/or the first indication information to the network side:
    the first NAS message and/or the first indication information is related to the target PIN;
    the connection between the first terminal and the first device is related to the target PIN;
    the first message sent by the first device and received by the first terminal is related to the target PIN;
    the first device is related to the target PIN;
    wherein the first message is used to indicate at least one of the following:
    establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN in which the first terminal is located, communicating with the network side, and communicating with a second network function;
    the second network function is used to perform the first operation.
  20. 根据权利要求1-19中任一项所述的方法,其中,所述方法还包括:The method according to any one of claims 1 to 19, wherein the method further comprises:
    所述第一终端接收第二终端发送的配置信息;The first terminal receives configuration information sent by the second terminal;
    所述第一终端向网络侧发送第一非接入层NAS消息和/或第一指示信息,包括:The first terminal sends a first non-access layer NAS message and/or first indication information to the network side, including:
    所述第一终端根据所述配置信息,向所述网络侧发送所述第一非接入层NAS消息和/或所述第一指示信息。The first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side according to the configuration information.
  21. 根据权利要求20所述的方法,其中,所述配置信息用于指示以下至少一项:The method according to claim 20, wherein the configuration information is used to indicate at least one of the following:
    所述第一操作需要应用于目标PIN或所述第一操作不需要应用于所述目标PIN;The first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
    至少一个第二目标设备需要所述第一操作或不需要所述第一操作。At least one second target device requires the first operation or does not require the first operation.
  22. The method according to claim 21, wherein the first terminal sending the first non-access stratum NAS message and/or the first indication information to the network side according to the configuration information includes at least one of the following:
    when the configuration information indicates that the first device needs the first operation, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side;
    when the configuration information indicates that the first operation needs to be applied to the target PIN and at least one of the following conditions is met, the first terminal sends the first non-access stratum NAS message and/or the first indication information to the network side:
    the first non-access stratum NAS message and/or the first indication information are related to the target PIN;
    the connection between the first terminal and the first device is associated with the target PIN;
    the first message sent by the first device and received by the first terminal is related to the target PIN;
    the first device is associated with the target PIN;
    wherein the first message is used to indicate at least one of the following:
    establishing a connection between the first device and the first terminal, accessing the first terminal, accessing the PIN where the first terminal is located, communicating with the network side, and communicating with the second network function;
    the second network function is used to perform the first operation.
  23. The method according to any one of claims 8 to 22, wherein the method further comprises:
    when the second indication information indicates that the first operation is successful, the first terminal sends information of the first device to the network side.
  24. The method according to any one of claims 1 to 23, wherein the first terminal is a terminal with gateway capability.
  25. An operation execution method, comprising:
    a first network function sends fifth indication information to a first terminal;
    and/or,
    the first network function receives a first non-access stratum NAS message and/or first indication information sent by the first terminal, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
    in response to the first non-access stratum NAS message and/or the first indication information, the first network function performs at least one of the following:
    sending the fifth indication information to the first terminal;
    instructing a second network function and the first terminal to perform the first operation;
    wherein the fifth indication information is used to indicate at least one of the following:
    allowing or not allowing the first operation;
    allowing or not allowing the first operation to be performed through a control plane of the mobile network where the first network function is located;
    allowing or not allowing the first operation to be performed through a user plane of the mobile network where the first network function is located.
  26. The method according to claim 25, wherein, when the first network function instructs the second network function and the first terminal to perform the first operation, the method further comprises:
    the first network function receives third indication information sent by the second network function, wherein the third indication information is used to indicate a result of the first operation;
    the first network function sends second indication information to the first terminal according to the third indication information, where the second indication information is used to indicate a result of the first operation.
  27. The method according to claim 25 or 26, wherein, before the first network function receives the first non-access stratum NAS message and/or the first indication information sent by the first terminal, the method further comprises:
    the first network function interacts with the first terminal to establish a protocol data unit (PDU) session.
  28. The method according to claim 27, wherein the first non-access stratum NAS message is a PDU session modification request.
  29. The method according to any one of claims 25 to 28, wherein the first indication information includes at least one of the following:
    an indication used to instruct that the first operation be performed;
    information of the first terminal;
    information of the second network function.
  30. The method according to claim 25 or 26, wherein the first indication information includes at least one of the following:
    an indication used to instruct that the first operation be performed;
    information of a first device, wherein the first device is a device that needs to access a personal Internet of Things PIN or the network where the first network function is located through the first terminal;
    information of the first terminal;
    information of the second network function.
  31. The method according to any one of claims 25, 26, and 30, wherein the first non-access stratum NAS message is a PDU session modification request or a PDU session establishment request.
  32. The method according to any one of claims 26 to 31, wherein the first network function sending second indication information to the first terminal according to the third indication information comprises:
    the first network function sends a second NAS message to the first terminal according to the third indication information, wherein the second NAS message carries the second indication information.
  33. The method according to claim 26 or 32, wherein the second indication information satisfies at least one of the following:
    indicating the result of the first operation by an identifier or a name of the second NAS message;
    indicating the result of the first operation by a cause value.
  34. The method according to claim 33, wherein indicating the result of the first operation by the identifier or name of the second NAS message comprises at least one of the following:
    indicating that the result of the first operation is successful through a PDU session modification confirmation or a PDU session establishment confirmation;
    indicating that the first operation failed through a PDU session modification reject message or a PDU session establishment reject.
  35. The method according to claim 33, wherein indicating the result of the first operation by the cause value includes at least one of the following indications:
    a failure cause value and/or a failure indication, used to indicate that the first operation failed;
    a success cause value and/or a success indication, used to indicate that the first operation is successful;
    in a case where the second NAS message does not include the failure cause value and/or the failure indication, indicating that the first operation is successful;
    in a case where the second NAS message does not include the success cause value and/or the success indication, indicating that the first operation failed.
  36. The method according to any one of claims 25 to 35, wherein the first network function instructing the second network function and the first terminal to perform the first operation in response to the first non-access stratum NAS message includes at least one of the following:
    the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum NAS message;
    the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum NAS message and the first association information between the PDU session related information and the PIN instance or session;
    the first network function instructs the second network function and the first terminal to perform the first operation based on the PIN instance or session related information in the first non-access stratum NAS message;
    the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information and the PIN service indication information in the first non-access stratum NAS message;
    the first network function instructs the second network function and the first terminal to perform the first operation based on the PDU session related information in the first non-access stratum NAS message and the second association information between the PDU session related information and the PIN service.
  37. The method according to claim 36, wherein the method further comprises:
    the first network function learns at least one of the following from a third network function:
    the first association information;
    the second association information.
  38. The method according to any one of claims 25 to 37, wherein the method further comprises:
    when the second indication information indicates that the first operation is successful, the first network function receives information of the first device sent by the first terminal;
    wherein the first device is a device that needs to access the PIN or the network where the first network function is located through the first terminal.
  39. The method according to claim 38, wherein the method further comprises:
    when the first network function learns a packet filtering rule and the packet filtering rule is related to the first device, the first network function uses the packet filtering rule to configure a fourth network function.
  40. An operation execution method, comprising:
    a third network function performs a second operation;
    wherein the second operation includes at least one of the following:
    the third network function sends rule information to a first terminal;
    the third network function sends data protocol unit PDU session configuration information to a first network function.
  41. The method according to claim 40, wherein the rule information is used to indicate at least one of the following:
    a first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
    at least one first target device requires the first operation or does not require the first operation;
    wherein the first operation includes at least one of authentication, certification, and authorization;
    the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  42. The method according to claim 40 or 41, wherein the PDU session configuration information includes at least one of the following:
    first association information between PDU session related information and a PIN instance or session;
    second association information between the PDU session related information and a PIN service.
  43. The method according to any one of claims 40 to 42, wherein, before the third network function performs the second operation, the method further comprises:
    the third network function learns fourth indication information, wherein the fourth indication information is used to instruct the third network function to perform the second operation;
    the third network function performing the second operation includes:
    the third network function performs the second operation according to the fourth indication information.
  44. The method according to claim 43, wherein the third network function learning the fourth indication information comprises:
    the third network function receives the fourth indication information sent by a fifth network function.
  45. An operation execution method, comprising:
    a second terminal sends configuration information to a first terminal in a personal Internet of Things PIN.
  46. The method according to claim 45, wherein the configuration information is used to indicate at least one of the following:
    a first operation needs to be applied to a target PIN or the first operation does not need to be applied to the target PIN;
    at least one second target device requires the first operation or does not require the first operation;
    wherein the first operation includes at least one of authentication, certification, and authorization;
    the second target device is a device that needs to access the personal Internet of Things PIN or a mobile network through the first terminal.
  47. An operation execution method, comprising:
    a fifth network function sends fourth indication information to a third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
    wherein the second operation includes at least one of the following:
    the third network function sends rule information to a first terminal;
    the third network function sends data protocol unit PDU session configuration information to a first network function.
  48. The method according to claim 47, wherein the rule information is used to indicate at least one of the following:
    a first operation needs to be applied to a target personal Internet of Things PIN or the first operation does not need to be applied to the target personal Internet of Things PIN;
    at least one first target device requires the first operation or does not require the first operation;
    wherein the first operation includes at least one of authentication, certification, and authorization;
    the first target device is a device that needs to access the personal Internet of Things PIN or the mobile network where the third network function is located through the first terminal.
  49. The method according to claim 47 or 48, wherein the PDU session configuration information includes at least one of the following:
    first association information between PDU session related information and a PIN instance or session;
    second association information between the PDU session related information and a PIN service.
  50. An operation execution device, comprising at least one of the following modules:
    a first sending module, configured to send a first non-access stratum NAS message and/or first indication information to a network side, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
    a first receiving module, configured to receive fifth indication information sent by the network side, wherein the fifth indication information is used to indicate at least one of the following:
    allowing or not allowing the first operation;
    allowing or not allowing the first operation to be performed through the control plane of the network side;
    allowing or not allowing the first operation to be performed through the user plane of the network side.
  51. An operation execution device, comprising:
    a second sending module, configured to send fifth indication information to a first terminal;
    and/or,
    a second receiving module, configured to receive a first non-access stratum NAS message and/or first indication information sent by the first terminal, wherein the first non-access stratum NAS message is used to indicate a first operation, the first indication information is used to indicate the first operation, and the first operation includes at least one of authentication, certification, and authorization;
    a first processing module, configured to, in response to the first non-access stratum NAS message and/or the first indication information, perform at least one of the following:
    sending the fifth indication information to the first terminal;
    instructing a second network function and the first terminal to perform the first operation;
    wherein the fifth indication information is used to indicate at least one of the following:
    allowing or not allowing the first operation;
    allowing or not allowing the first operation to be performed through a control plane of the mobile network;
    allowing or not allowing the first operation to be performed through a user plane of the mobile network.
  52. An operation execution device, comprising:
    a second processing module, configured to perform a second operation;
    wherein the second operation includes at least one of the following:
    sending rule information of a personal Internet of Things PIN to a first terminal;
    sending data protocol unit PDU session configuration information to a first network function.
  53. An operation execution device, comprising:
    a third sending module, configured to send configuration information to a first terminal in a personal Internet of Things PIN.
  54. An operation execution device, comprising:
    a fourth sending module, configured to send fourth indication information to a third network function, wherein the fourth indication information is used to instruct the third network function to perform a second operation;
    wherein the second operation includes at least one of the following:
    the third network function sends rule information to a first terminal;
    the third network function sends data protocol unit PDU session configuration information to a first network function.
  55. A terminal, comprising a processor and a memory, wherein the memory stores a program or instruction that can be run on the processor, and when the program or instruction is executed by the processor, the steps of the operation execution method according to any one of claims 1 to 24 are implemented, or the steps of the operation execution method according to any one of claims 45 to 46 are implemented.
  56. A network function, comprising a processor and a memory, wherein the memory stores a program or instruction that can be run on the processor, and when the program or instruction is executed by the processor, the steps of the operation execution method according to any one of claims 25 to 39 are implemented, or the steps of the operation execution method according to any one of claims 40 to 44 are implemented, or the steps of the operation execution method according to any one of claims 47 to 49 are implemented.
  57. A readable storage medium, wherein the readable storage medium stores a program or instruction, and when the program or instruction is executed by a processor, it implements the operation execution method according to any one of claims 1 to 24, or implements the steps of the operation execution method according to any one of claims 25 to 39, or implements the steps of the operation execution method according to any one of claims 40 to 44, or implements the steps of the operation execution method according to any one of claims 45 to 46, or implements the steps of the operation execution method according to any one of claims 47 to 49.
  58. A chip, wherein the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run a program or instruction to implement the operation execution method according to any one of claims 1 to 24, or to implement the steps of the operation execution method according to any one of claims 25 to 39, or to implement the steps of the operation execution method according to any one of claims 40 to 44, or to implement the steps of the operation execution method according to any one of claims 45 to 46, or to implement the steps of the operation execution method according to any one of claims 47 to 49.
  59. A computer program product, wherein the program product is stored in a non-volatile storage medium, and the program product is executed by at least one processor to implement the operation execution method according to any one of claims 1 to 24, or to implement the steps of the operation execution method according to any one of claims 25 to 39, or to implement the steps of the operation execution method according to any one of claims 40 to 44, or to implement the steps of the operation execution method according to any one of claims 45 to 46, or to implement the steps of the operation execution method according to any one of claims 47 to 49.
  60. An operation execution device, wherein the device is used to execute the operation execution method according to any one of claims 1 to 24, or to execute the steps of the operation execution method according to any one of claims 25 to 39, or to execute the steps of the operation execution method according to any one of claims 40 to 44, or to execute the steps of the operation execution method according to any one of claims 45 to 46, or to execute the steps of the operation execution method according to any one of claims 47 to 49.
PCT/CN2023/126764 2022-11-04 2023-10-26 Operation execution method and apparatus, terminal and network function WO2024093783A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211395204.0 2022-11-04
CN202211395204.0A CN118042452A (en) 2022-11-04 2022-11-04 Operation execution method, device, terminal and network function

Publications (1)

Publication Number Publication Date
WO2024093783A1 (en) 2024-05-10

Family

ID=90929697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/126764 WO2024093783A1 (en) 2022-11-04 2023-10-26 Operation execution method and apparatus, terminal and network function

Country Status (2)

Country Link
CN (1) CN118042452A (en)
WO (1) WO2024093783A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210368341A1 (en) * 2020-08-10 2021-11-25 Ching-Yu LIAO Secure access for 5g iot devices and services
WO2022147582A2 (en) * 2021-05-07 2022-07-07 Futurewei Technologies, Inc. Methods and apparatus for provisioning, authentication, authorization, and user equipment (ue) key generation and distribution in an on-demand network
CN115250470A (en) * 2021-04-08 2022-10-28 英特尔公司 Arrangement in a gateway device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architecture enhancements for Personal IoT Network (PIN) (Release 18)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 23.700-88, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V1.1.0, 21 October 2022 (2022-10-21), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 165, XP052211639 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on personal IoT networks security aspects (Release 18)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 33.882, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V0.3.0, 24 October 2022 (2022-10-24), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, pages 1 - 17, XP052211756 *
ZHENHUA XIE, VIVO: "Consolidated solution.", 3GPP DRAFT; S2-2209009; TYPE PCR; FS_PIN, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. 3GPP SA 2, no. Online; 20221010 - 20221017, 30 September 2022 (2022-09-30), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP052208771 *

Also Published As

Publication number Publication date
CN118042452A (en) 2024-05-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23884715

Country of ref document: EP

Kind code of ref document: A1