WO2024098937A1 - Communication method, communication apparatus, and storage medium - Google Patents

Info

Publication number
WO2024098937A1
Authority
WO
WIPO (PCT)
Prior art keywords
relay
service
user equipment
user
ranging
Application number
PCT/CN2023/117772
Other languages
French (fr)
Chinese (zh)
Inventor
雷骜
吴义壮
李�赫
郭龙华
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2024098937A1

Definitions

  • the present application relates to the field of communication technology, and in particular to a communication method, a communication device, and a storage medium.
  • Proximity-based services (ProSe) communication, also known as short-range service communication, is a typical service scenario in device-to-device (D2D) communication, which allows direct communication between user equipment (UE).
  • D2D device-to-device
  • UE user equipment
  • a UE-to-UE relay communication connection can be established through a relay device to achieve ProSe communication between the source UE and the target UE.
  • the present application provides a communication method, a communication device, and a storage medium, which can provide better security control for user equipment using sidelink communication services.
  • the present application provides a communication method, the method comprising: a first user device obtains a security policy, wherein the security policy is used to indicate whether to use end-to-end security protection for a sidelink communication service, and the end-to-end security protection is implemented between the two user devices corresponding to the sidelink communication service; the first user device determines to perform a first operation according to the security policy, wherein the first operation is used to establish the sidelink communication service between the first user device and a second user device.
  • the first user device is a user device that needs to use the sidelink communication service;
  • the sidelink communication service is a communication service between two user devices based on the sidelink, for example, it can be a ProSe communication service or a ranging and positioning service;
  • the security policy is used to indicate whether to use end-to-end security protection for the sidelink communication service.
  • the first user device determines the first operation to be performed based on the security policy it obtains, and the first operation is used to establish a sidelink communication service between the first user device (i.e., the source UE) and the second user device (i.e., the target UE).
  • the first user device determines the first operation according to the security policy: when the security policy indicates that end-to-end security protection is used for the sidelink communication service, the first operation is an operation that supports end-to-end security protection between the first user device and the second user device; when the security policy indicates that end-to-end security protection is not used for the sidelink communication service, the first operation is an operation that does not support end-to-end security protection between the first user device and the second user device; when the security policy indicates that end-to-end security protection is preferentially used for the sidelink communication service, the first operation is an operation that preferentially supports end-to-end security protection between the first user device and the second user device.
  • the first user device will perform different operations according to the indications of different security policies, and different operations have different levels of support for end-to-end security protection (support, non-support or priority support), thereby achieving better and more flexible security control for the first user device.
  • the above-mentioned security policy indicates the use of end-to-end security protection for the sidelink communication service
  • the first operation includes: the first user device receives a message from at least one relay device, wherein the message of the at least one relay device includes a relay service identifier of a layer 2 relay service; the first user device establishes a link with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user device includes the relay service identifier of the layer 2 relay service, and the link is used to send service data of the sidelink communication service between the first user device and the second user device.
  • the sidelink communication service specifically refers to the ProSe communication service (or ProSe relay communication service).
  • the ProSe relay communication service can be implemented based on a layer 2 relay mechanism or a layer 3 relay mechanism.
  • the former can support end-to-end security protection for the two UEs corresponding to the ProSe relay communication service, while the latter does not support end-to-end security protection for the two UEs corresponding to the ProSe relay communication service.
  • the first user device determines that the first operation to be executed needs to support end-to-end security protection in the ProSe relay communication service between the first user device and the second user device, that is, the first user device determines to implement the ProSe relay communication service based on the layer 2 relay mechanism, and thereby executes the operation corresponding to the layer 2 relay mechanism, which includes: the first user equipment establishes a connection with the second user equipment through the layer 2 relay device, and then implements the ProSe relay communication service between the first user equipment and the second user equipment based on that connection.
  • the security policy indicates that end-to-end security protection should not be used for the sidelink communication service
  • the first operation includes: the first user device receives a message from at least one relay device, wherein the message of the at least one relay device includes a relay service identifier of a layer 3 relay service; the first user device establishes a relay link with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user device includes the relay service identifier of the layer 3 relay service, and the relay link is used to send service data of the sidelink communication service between the first user device and the second user device.
  • the sidelink communication service specifically refers to the ProSe communication service (or the ProSe relay communication service).
  • the ProSe relay communication service can be implemented based on the layer 2 relay mechanism or the layer 3 relay mechanism.
  • the former can support end-to-end security protection for the two UEs corresponding to the ProSe relay communication service, and the latter does not support end-to-end security protection for the two UEs corresponding to the ProSe relay communication service.
  • the first operation determined to be executed by the first user device does not need to support end-to-end security protection in the ProSe relay communication service between the first user device and the second user device, that is, the first user device determines to implement the ProSe relay communication service based on the layer 3 relay mechanism, thereby executing the corresponding operation of the layer 3 relay mechanism, including: the first user device establishes a relay connection with the second user device through the layer 3 relay device, and then implements the ProSe relay communication service between the first user device and the second user device based on the relay connection.
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service, so that the function of configuring the relay service identifier on the first user equipment can be implemented through the security policy.
  • when the security policy only includes a relay service identifier of a layer 2 relay service, the security policy indicates that the relay service identifier of the layer 2 relay service is used to discover the relay device required in the ProSe relay communication service, thereby indirectly indicating that end-to-end security protection is to be used for the ProSe relay communication service; when the security policy only includes a relay service identifier of a layer 3 relay service, the security policy indicates that the relay service identifier of the layer 3 relay service is used to discover the relay device required in the ProSe relay communication service, thereby indirectly indicating that end-to-end security protection is not used for the ProSe relay communication service.
  • the security policy includes priority information, which is used to indicate that the relay service identifier of the layer 2 relay service needs to be used first, or the priority information is used to indicate that the relay service identifier of the layer 3 relay service needs to be used first.
  • the security policy includes priority information, so that whether to use end-to-end security protection for the sidelink communication service can be indicated according to the priority information.
  • the security policy indirectly indicates that end-to-end security protection should be used first for the sidelink communication service.
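The following is an added example, not code from the patent or from any 3GPP implementation, modelling how the first user device reads the relay service identifiers and priority information carried in the security policy and then selects a relay from the discovery messages it received. The RSC values, relay names and the assumption that a policy carrying both identifiers without priority information is malformed are all constructed here.

```python
"""Interpreting a sidelink security policy and selecting a relay accordingly.

Added example written for this page; it is not code from the patent or from
any 3GPP implementation.  Relay service identifiers (RSCs) and relay
discovery messages below are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class E2E(Enum):
    """Indication the security policy carries about end-to-end protection."""
    USE = "use"                          # only the layer-2 mechanism is acceptable
    NOT_USE = "not_use"                  # only the layer-3 mechanism is acceptable
    PREFER_USE = "prefer_use"            # try layer 2 first, layer 3 otherwise
    PREFER_NOT_USE = "prefer_not_use"    # try layer 3 first, layer 2 otherwise


@dataclass(frozen=True)
class SecurityPolicy:
    """Policy as received from the core network or read from local storage."""
    l2_rsc: Optional[int] = None     # RSC of the layer-2 relay service, if configured
    l3_rsc: Optional[int] = None     # RSC of the layer-3 relay service, if configured
    priority: Optional[str] = None   # "L2" or "L3": which RSC must be used first


@dataclass(frozen=True)
class RelayMessage:
    """Discovery message received from a candidate relay device (constructed)."""
    relay_id: str
    rsc: int


def interpret(policy: SecurityPolicy) -> E2E:
    """Derive the end-to-end indication from which RSCs the policy carries.

    Only an L2 RSC -> e2e protection is to be used.
    Only an L3 RSC -> e2e protection is not used.
    Both RSCs      -> the priority information decides which is tried first.
    """
    if policy.l2_rsc is not None and policy.l3_rsc is None:
        return E2E.USE
    if policy.l3_rsc is not None and policy.l2_rsc is None:
        return E2E.NOT_USE
    if policy.l2_rsc is not None and policy.l3_rsc is not None:
        if policy.priority == "L2":
            return E2E.PREFER_USE
        if policy.priority == "L3":
            return E2E.PREFER_NOT_USE
        # Assumption: both RSCs without priority information is a malformed policy.
        raise ValueError("policy carries both RSCs but no priority information")
    raise ValueError("policy carries no relay service identifier")


def select_relay(policy: SecurityPolicy,
                 messages: list[RelayMessage]) -> Optional[tuple[str, str]]:
    """Choose the relay the first UE connects to and the mechanism it implies.

    Returns (relay_id, "L2" | "L3"), or None when no discovered relay
    advertises an RSC the policy permits.  A relay advertising only the
    other mechanism's RSC is ignored, so a USE policy is never satisfied
    by a layer-3 relay that offers no end-to-end protection.
    """
    order = {
        E2E.USE: ["L2"],
        E2E.NOT_USE: ["L3"],
        E2E.PREFER_USE: ["L2", "L3"],
        E2E.PREFER_NOT_USE: ["L3", "L2"],
    }[interpret(policy)]
    rsc_of = {"L2": policy.l2_rsc, "L3": policy.l3_rsc}
    for mechanism in order:
        wanted = rsc_of[mechanism]
        for msg in messages:
            if msg.rsc == wanted:
                return msg.relay_id, mechanism
    return None


# Constructed sample: two discovered relays, one per mechanism.
DISCOVERED = [
    RelayMessage("relay-A", rsc=0x10),   # advertises the layer-3 service
    RelayMessage("relay-B", rsc=0x20),   # advertises the layer-2 service
]
L2_ONLY = SecurityPolicy(l2_rsc=0x20)
L3_ONLY = SecurityPolicy(l3_rsc=0x10)
PREFER_L2 = SecurityPolicy(l2_rsc=0x20, l3_rsc=0x10, priority="L2")
```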
  • the security policy indicates the use of end-to-end security protection for the sidelink communication service
  • the first operation includes: the first user device sends a first ranging request to the second user device through a link with the second user device, wherein the first ranging request indicates measuring the distance and/or angle between the second user device and the auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user device and the second user device.
  • the sidelink communication service specifically refers to the ranging and positioning service (or indirect sidelink positioning service).
  • the indirect sidelink positioning service is based on the auxiliary device to realize the ranging/positioning between the source UE and the target UE. It can have different implementation schemes, including the first indirect ranging scheme and the second indirect ranging scheme.
  • the first indirect ranging scheme requires the source UE to send a ranging request to the target UE through the connection between it and the target UE, and then the source UE receives the ranging result between the auxiliary device and the target UE sent by the target UE.
  • the second indirect ranging scheme requires the source UE to send a ranging request to the auxiliary device, and then the source UE receives the ranging result between the auxiliary device and the target UE sent by the auxiliary device. Because the ranging result is returned by the auxiliary device rather than by the target UE, this scheme does not support end-to-end security protection between the first user equipment and the second user equipment.
  • the first user equipment determines that the first operation to be executed needs to support end-to-end security protection in the indirect ranging and positioning service between the first user equipment and the second user equipment, that is, the first user equipment determines to use the first indirect ranging scheme to implement the indirect ranging and positioning service between it and the second user equipment, and then determines to execute the relevant actions of the source UE in the first indirect ranging scheme, including: the first user equipment sends a first ranging request to the second user equipment through the link between the first user equipment and the second user equipment to instruct the second user equipment to measure the distance and/or angle between the second user equipment and the auxiliary device, and then the first user equipment receives the ranging result between the second user equipment and the auxiliary device sent by the second user equipment through the above link, so that the distance and/or angle between the first user equipment and the second user equipment can be determined.
  • before the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment, the method also includes: the first user equipment determines whether a link can be established with the second user equipment; when the first user equipment determines that a link can be established with the second user equipment, the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment.
  • the first indirect ranging scheme requires that a link can be established between the first user device and the second user device. Therefore, before the first user device sends the first ranging request to the second user device through the link with the second user device, the first user device needs to determine whether it can establish a link with the second user device. In the case where the first user device determines that a link can be established with the second user device, the first user device sends the first ranging request to the second user device through that link. In the case where the first user device determines that it is unable to establish a link with the second user device, the first indirect ranging scheme cannot be continued, and the first indirect ranging scheme fails.
  • the security policy indicates that end-to-end security protection is not used for the sidelink communication service
  • the first operation includes: the first user device sends a second ranging request to the auxiliary device through a direct link with the auxiliary device, wherein the second ranging request indicates measuring the distance and/or angle between the second user device and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the first user device and the second user device.
  • the sidelink communication service specifically refers to the ranging and positioning service (or indirect sidelink positioning service). If the security policy obtained by the first user device indicates that end-to-end security protection is not used for the sidelink communication service, the first user device determines that the first operation to be performed does not need to support end-to-end security protection in the indirect ranging and positioning service between the first user device and the second user device, that is, the first user device determines to use the second indirect ranging scheme to implement the indirect ranging and positioning service between it and the second user device, and then determines to perform the relevant actions of the source UE in the second indirect ranging scheme, including: the first user device sends a second ranging request to the auxiliary device through the direct link with the auxiliary device to instruct the auxiliary device to measure the distance and/or angle between the second user device and the auxiliary device, and then the first user device receives the ranging result between the second user device and the auxiliary device sent by the auxiliary device through the above-mentioned direct link, so that the distance and/
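The following is an added example, not code from the patent, modelling the source UE's choice between the two indirect ranging schemes described above, including the failure of the first scheme when no link with the target UE can be established. The peer objects and measured values are constructed stand-ins; the fallback from scheme 1 to scheme 2 under a "preferentially use" policy is an assumption of this example, not something the page specifies.

```python
"""Choosing between the two indirect ranging schemes under a security policy.

Added example written for this page; it is not code from the patent.  The
Peer objects and their measurements are constructed stand-ins for the
target UE (second user device) and the auxiliary device.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class E2E(Enum):
    USE = "use"           # end-to-end protection required: scheme 1 only
    NOT_USE = "not_use"   # end-to-end protection not used: scheme 2 only
    PREFER = "prefer"     # scheme 1 when possible (assumption: else scheme 2)


@dataclass(frozen=True)
class Measurement:
    """Distance and/or angle between the second UE and the auxiliary device."""
    distance_m: Optional[float]
    angle_deg: Optional[float]


@dataclass(frozen=True)
class Peer:
    """Constructed stand-in for the target UE or the auxiliary device."""
    name: str
    link_possible: bool        # can the first UE establish a link with it?
    measurement: Measurement   # what it reports when asked to measure


@dataclass(frozen=True)
class Outcome:
    scheme: int                # 1 or 2
    ok: bool
    e2e_protected: bool        # True only for a successful scheme 1
    result: Optional[Measurement]
    reason: str = ""


def first_indirect_ranging(target: Peer) -> Outcome:
    """Scheme 1: request and result travel over the first UE - second UE link."""
    if not target.link_possible:
        # The failure mode the page describes: no link, so scheme 1 fails.
        return Outcome(1, False, False, None, "no link with target UE")
    # The target measures its own distance/angle to the auxiliary device
    # and returns the result over the same link.
    return Outcome(1, True, True, target.measurement)


def second_indirect_ranging(auxiliary: Peer) -> Outcome:
    """Scheme 2: request goes over the direct link to the auxiliary device,
    which measures and returns the result itself (no e2e protection)."""
    if not auxiliary.link_possible:
        return Outcome(2, False, False, None, "no direct link with auxiliary device")
    return Outcome(2, True, False, auxiliary.measurement)


def indirect_ranging(policy: E2E, target: Peer, auxiliary: Peer) -> Outcome:
    """Run the scheme the security policy selects for the source UE."""
    if policy is E2E.USE:
        # No fallback: a failed scheme 1 stays failed rather than downgrading.
        return first_indirect_ranging(target)
    if policy is E2E.NOT_USE:
        return second_indirect_ranging(auxiliary)
    attempt = first_indirect_ranging(target)
    return attempt if attempt.ok else second_indirect_ranging(auxiliary)


# Constructed sample peers.
TARGET_REACHABLE = Peer("target-UE", True, Measurement(12.5, 30.0))
TARGET_UNREACHABLE = Peer("target-UE", False, Measurement(12.5, 30.0))
AUXILIARY = Peer("auxiliary", True, Measurement(12.5, 30.0))
```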
  • the first user equipment obtains the security policy, which may include: the first user equipment receives the security policy from a core network element.
  • the first user equipment can obtain the security policy from the core network element, that is, the security policy is not directly configured on the first user equipment.
  • the first user equipment can obtain the security policy from the core network element when, or before, the sidelink communication service needs to be executed. The first user equipment can also store the obtained security policy locally, so that in future it obtains the security policy directly from local storage and no longer needs to obtain it from the core network element.
  • the core network element is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  • the security policy is determined by the above-mentioned core network element according to the user information of the first user device, wherein the user information includes one or more of the user identifier, user group identifier, geographic location, and network location of the first user device.
  • the core network element may determine a security policy for the first user equipment according to one or more user information related to the first user equipment.
  • the user information may be from the first user equipment, or from the core network element or other equipment.
  • before the first user equipment receives the security policy from the core network element, the method further includes: the first user equipment sends the above user information to the core network element.
  • the first user equipment may actively send user information to the core network element so that the core network element may determine a security policy for the first user equipment according to the user information.
  • the first user equipment obtains a security policy, including: the first user equipment obtains the security policy stored in the first user equipment.
  • the security policy may be pre-stored on the first user device, may be directly pre-configured on the first user device, or may be previously obtained from a core network element and stored locally.
  • the first user device may directly obtain the security policy locally to determine subsequent operations.
  • the present application provides another communication method, which includes: a first network device receives a request message sent by a first user device, wherein the request message includes first user information of the first user device; the first network device determines a security policy based on the first user information, wherein the security policy is used to indicate whether to use end-to-end security protection for the sidelink communication service, and the end-to-end security protection is implemented between the two user devices corresponding to the sidelink communication service; the first network device sends the security policy to the first user device.
  • the first network device is responsible for sending a security policy to the user device, and the security policy is used to indicate whether to use end-to-end security protection for the sidelink communication service.
  • when the first network device receives a request message from the first user device, it can determine the corresponding security policy for the first user device based on the first user information carried in the request message, and then send it to the first user device, so that the first user device can determine the operation it adopts when establishing the sidelink communication service based on the security policy, realizing flexible network-side control of the end-to-end security of the user device.
  • the sidelink communication service is a proximity service communication service based on a relay device, or the sidelink communication service is a ranging and positioning service based on an auxiliary device.
  • the sidelink communication service can be a ProSe relay communication service or an indirect ranging and positioning service.
  • the sidelink communication service is a proximity service communication service based on a relay device
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the security policy sent by the first network device to the first user device may include one or more of the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service. Therefore, the first network device can implement the function of configuring the relay service identifier on the first user device through the security policy. It is also possible to indirectly indicate whether to use end-to-end security protection for the sidelink communication service based on the type of relay service identifier carried in the security policy.
  • when the security policy only includes the relay service identifier of the layer 2 relay service, the security policy indicates that the relay service identifier of the layer 2 relay service is used to discover the relay device required in the ProSe relay communication service, thereby indirectly indicating that end-to-end security protection is to be used for the ProSe relay communication service; when the security policy only includes the relay service identifier of the layer 3 relay service, the security policy indicates that the relay service identifier of the layer 3 relay service is used to discover the relay device required in the ProSe relay communication service, thereby indirectly indicating that end-to-end security protection is not used for the ProSe relay communication service.
  • the sidelink communication service is a proximity service communication service based on a relay device
  • the security policy includes priority information, wherein the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used first, or the priority information is used to indicate that the relay service identifier of the layer 3 relay service needs to be used first.
  • the security policy includes priority information, so that the first user device can be told, based on the priority information in the security policy, whether to use end-to-end security protection for the sidelink communication service it is about to perform.
  • the security policy indirectly indicates that end-to-end security protection should be used first for the sidelink communication service.
  • the security policy indirectly indicates that end-to-end security protection should not be used first for the sidelink communication service, that is, the layer 3 relay mechanism that does not support end-to-end security should be used first to establish the ProSe relay communication service.
  • the first network device is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
  • the first user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user device.
  • the first user equipment may send one or more types of user information to the first network equipment, so that the first network equipment determines a security policy for the first user equipment based on the above information.
  • the first network device determines a security policy based on first user information, including: the first network device obtains second user information, wherein the second user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user device; the first network device determines the security policy based on the first user information and the second user information.
  • in addition to receiving the first user information uploaded by the first user device, the first network device can also obtain the second user information, and then determine the security policy for the first user device based on the first user information and the second user information.
  • the information used to determine the security policy can have two parts, one part comes from the first user device, and the other part comes from other devices (the first network device or the second network device).
  • the second user information is obtained by the first network device from the second network device, wherein the second network device is one or more of an application server, an application function network element, a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  • the present application provides a communication device, comprising a unit or module for executing any implementation scheme in the first aspect.
  • the present application provides a communication device, comprising a unit or module for executing any implementation scheme in the second aspect above.
  • the present application embodiment provides a communication device, including a processor and a memory; the processor and the memory may be connected to each other via a bus or may be integrated together.
  • the processor is used to read the program code stored in the memory so that the device executes the method of any one of the embodiments of the first aspect or the second aspect above.
  • an embodiment of the present application provides a chip or a chip system, comprising: a processor for executing a method of any embodiment of the first aspect or the second aspect above.
  • an embodiment of the present application provides a computer-readable storage medium; the computer-readable storage medium is used to store an implementation code of the method of any embodiment of the first aspect or the second aspect above.
  • an embodiment of the present application provides a computer program (product), which includes program instructions.
  • when the computer program product is executed, it is used to execute the method of any one of the embodiments of the first aspect or the second aspect above.
  • FIG1 is a schematic diagram of the architecture of a 5G mobile communication system provided in an embodiment of the present application.
  • FIG2 is a schematic diagram of a scenario of UE-to-UE relay communication provided in an embodiment of the present application.
  • FIG3 is a schematic diagram of a process for establishing ProSe communication provided in an embodiment of the present application.
  • FIG4 is a schematic diagram of a protocol stack of a layer 2 relay mechanism provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of a protocol stack of a layer 3 relay mechanism provided in an embodiment of the present application.
  • FIG6 is a schematic diagram of a ranging scenario provided in an embodiment of the present application.
  • FIG7 is a schematic diagram of a sidelink positioning scenario provided in an embodiment of the present application.
  • FIG8 is a schematic diagram of a flow chart of a first indirect ranging solution provided in an embodiment of the present application.
  • FIG9 is a schematic diagram of a flow chart of a second indirect ranging solution provided in an embodiment of the present application.
  • FIG10 is a flow chart of a communication method provided in an embodiment of the present application.
  • FIG11 is a flow chart of another communication method provided in an embodiment of the present application.
  • FIG12 is a schematic diagram of a flow chart of a security policy acquisition method provided in an embodiment of the present application.
  • FIG13 is a flow chart of another security policy acquisition method provided in an embodiment of the present application.
  • FIG14 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application.
  • FIG15 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • FIG16 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • the user equipment (UE) in the embodiments of the present application may refer to a mobile phone, a smart terminal, a vehicle-mounted terminal, a vehicle-mounted device, a drone, a wearable device, a multimedia device or a streaming media device, etc. It may also refer to an access network device, such as a base station, a relay station, an access point, a vehicle-mounted device, or a network side device, etc.
  • the embodiments of the present application do not specifically limit this.
  • 5GS 5G system
  • FIG 1 is a schematic diagram of the 5GS architecture.
  • the 5GS defined by the 3rd Generation Partnership Project (3GPP) includes: an access network (AN) and a core network (CN), and may also include terminals.
  • 3GPP 3rd Generation Partnership Project
  • the above-mentioned terminal may be a terminal with a transceiver function, or a chip or chip system that can be set in the terminal.
  • the terminal may also be called a user equipment (UE), an access terminal, a subscriber unit, a user station, a mobile station (MS), a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device, etc.
  • the terminal in the embodiment of the present application may be a mobile phone, a cellular phone, a smart phone, a tablet computer, a wireless data card, a personal digital assistant (PDA), a wireless modem, a handheld device, a laptop computer, a machine type communication (MTC) terminal, a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (A
  • the terminal of the present application may also be a vehicle-mounted module, a vehicle-mounted module group, a vehicle-mounted component, a vehicle-mounted chip or a vehicle-mounted unit built into a vehicle as one or more components or units.
  • AN is used to implement access-related functions, and can provide network access functions for authorized users in a specific area, and can determine transmission links of different qualities to transmit user data according to the user level, business requirements, etc.
  • AN forwards control signals and user data between the terminal and CN.
  • AN can include: access network equipment, also known as radio access network (RAN) equipment.
  • RAN radio access network
  • CN is mainly responsible for maintaining the subscription data of the mobile network and providing terminals with session management, mobility management, policy management, and security authentication functions.
  • CN mainly includes the following: user plane function (UPF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), network slice selection function (NSSF), network exposure function (NEF), network repository function (NRF), policy control function (PCF), unified data management (UDM), unified data repository (UDR), and application function (AF).
  • UPF user plane function
  • AUSF authentication server function
  • AMF access and mobility management function
  • SMF session management function
  • NSSF network slice selection function
  • NEF network exposure function
  • NRF network repository function
  • PCF policy control function
  • UDM unified data management
  • UDR application function
  • AF application function
  • the UE accesses the 5G network through the RAN device, and the UE communicates with the AMF through the N1 interface (referred to as N1); the RAN communicates with the AMF through the N2 interface (referred to as N2); the RAN communicates with the UPF through the N3 interface (referred to as N3); the SMF communicates with the UPF through the N4 interface (referred to as N4), and the UPF accesses the data network (DN) through the N6 interface (referred to as N6).
  • the control plane functions such as AUSF, AMF, SMF, NSSF, NEF, NRF, PCF, UDM, UDR or AF shown in Figure 1 interact using service-oriented interfaces.
  • the service-oriented interface provided by AUSF includes Nausf; the service-oriented interface provided by AMF includes Namf; the service-oriented interface provided by SMF includes Nsmf; the service-oriented interface provided by NSSF includes Nnssf; the service-oriented interface provided by NEF includes Nnef; the service-oriented interface provided by NRF includes Nnrf; the service-oriented interface provided by PCF includes Npcf; the service-oriented interface provided by UDM includes Nudm; the service-oriented interface provided by UDR includes Nudr; the service-oriented interface provided by AF includes Naf.
  • the RAN device may be a device that provides access to the UE.
  • the RAN device may include an access network device of a next-generation mobile communication system, such as a 6G base station; in a next-generation system the network device may also have other names, all of which fall within the protection scope of the embodiments of the present application, and the present application does not restrict this.
  • the RAN device may also include 5G access network devices, such as a gNB in a new radio (NR) system, one antenna panel or a group of antenna panels (including multiple antenna panels) of a 5G base station, a network node constituting a gNB, a transmission and reception point (TRP) or transmission point (TP), a transmission measurement function (TMF), a baseband unit (BBU), a centralized unit (CU) or a distributed unit (DU), an RSU with base station function, a wired access gateway, or a 5G core network.
  • RAN equipment may also include access points (APs) in wireless fidelity (WiFi) systems, wireless relay nodes, wireless backhaul nodes, various forms of macro base stations, micro base stations (also called small cells), relay stations, access points, wearable devices, vehicle-mounted devices, and so on.
  • UPF is mainly responsible for user data processing (including forwarding, receiving, billing, etc.).
  • UPF can receive user data from the data network (DN) and forward the user data to the UE through the access network equipment.
  • UPF can also receive user data from the UE through the access network equipment and forward the user data to the DN.
  • DN refers to the network that provides data transmission services to users, for example an Internet protocol (IP) multimedia service (IMS) network.
  • DN can be a network external to the operator or a network controlled by the operator, and is used to provide business services to the UE.
  • the UPF that is directly connected to the DN through N6 is also called the protocol data unit (PDU) session anchor (PSA).
  • AUSF is mainly used to perform security authentication of UE.
  • AMF is mainly used for mobility management in mobile networks, such as user location update, user network registration, user switching, etc.
  • SMF is mainly used for session management in mobile networks, such as session establishment, modification, and release; its specific functions include allocating Internet Protocol (IP) addresses to users and selecting the UPFs that provide data packet forwarding.
  • PCF mainly supports providing a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is responsible for obtaining user subscription information related to policy decisions.
  • PCF can provide policies to AMF, SMF, etc., such as quality of service (QoS) policy and slice selection policy.
  • PCF can provide a UE with proximity services (ProSe) capability with the policy for ProSe service use, and can provide a UE with ranging/positioning capability with the policy for ranging/positioning service use.
  • NSSF is mainly used to select network slices for UE.
  • NEF is mainly used to support the exposure of capabilities and events.
  • NEF can expose some capabilities of the 5G network to third-party applications through an application programming interface (API): third-party applications obtain those capabilities by calling the API provided by NEF through an AF, so that they can control certain behaviors of the 5G network and the UE.
  • UDM is mainly used to store user data, such as subscription data and authentication/authorization data.
  • UDR is mainly used to store structured data, which may include subscription data and policy data, structured data for external exposure, and application-related data.
  • AF mainly supports interaction with CN to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side.
  • in this application, UPF may also be written as UPF network element, AMF as AMF network element, SMF as SMF network element, PCF as PCF network element, and so on, without limitation.
  • Device-to-device (D2D) communication allows UEs to communicate directly with each other, for example through the PC5 interface (the link over which UEs connect directly through the PC5 interface is also called the sidelink (SL)), carrying both data-plane and control-plane information. In this way, users can share spectrum resources with other users of the cell under the control of the cellular network, effectively improving spectrum utilization.
  • D2D communication includes: one-to-many communication and one-to-one communication.
  • One-to-many communication usually corresponds to multicast and broadcast communication, and one-to-one communication usually corresponds to unicast communication. In one-to-one communication, if the sending UE and the receiving UE are in a close range, they can communicate directly after discovering each other.
  • Proximity-based services (ProSe) communication:
  • ProSe communication, also known as short-range service communication, is a typical service scenario in D2D communication.
  • ProSe communication can include proximity service direct communication (ProSe direct communication), proximity service UE-to-UE relay communication (ProSe U2U relay communication), and proximity service UE-to-network relay communication (ProSe U2N relay communication).
  • in ProSe U2U relay communication, when the source UE needs to exchange data with the target UE through ProSe communication but cannot establish a ProSe direct communication link to the target UE, for reasons such as excessive distance or weak signal strength, the source UE can establish a UE-to-UE relay communication connection (U2U relay connection) with the target UE with the assistance of a UE-to-UE relay (relay UE), thereby realizing ProSe U2U relay communication.
  • ProSe U2U relay communication is hereinafter referred to as ProSe relay communication.
  • FIG. 3 is a schematic diagram of a process for establishing ProSe communication provided by the present application, including the following steps:
  • S301 ProSe UE obtains ProSe parameters.
  • ProSe parameters are parameters used to implement ProSe communication.
  • ProSe parameters may include ProSe policy.
  • ProSe policy may be used to indicate the mechanism (referred to as the access mechanism) by which the source UE accesses the target UE through the relay UE; the access mechanism may include at least one of a layer 2 (L2) relay mechanism and a layer 3 (L3) relay mechanism.
  • the layer 2 relay mechanism may also be referred to as the layer 2 relay service, and the layer 3 relay mechanism as the layer 3 relay service.
  • FIG4 is a schematic diagram of the protocol stack of the layer 2 relay mechanism, wherein the protocol layers involved include: Internet protocol (internet protocol, IP) protocol layer, service data adaptation protocol (service data adaptation protocol, SDAP) layer, packet data convergence protocol
  • the layer 2 relay mechanism is a mechanism by which the source UE accesses the target UE through a layer 2 relay device.
  • in the layer 2 relay mechanism, security between the source UE and the target UE is end-to-end (E2E): it is established between the PDCP layer of the source UE and the PDCP layer of the target UE.
  • the relay device decides how to forward the source UE's information to the target UE based on the adaptation (ADAPT) layer, and does not parse the PDCP layer (which is responsible for ciphering the upper-layer information, etc.). The relay device therefore transparently forwards the PDCP layer and everything above it between the source UE and the target UE, such as the control plane signaling for the unicast connection between the source UE and the target UE or the user plane data of the PC5 unicast link. Note that in the layer 2 relay mechanism the source UE and the relay UE establish a direct link, the relay UE and the target UE establish a direct link, and the source UE and the target UE also establish a direct link.
  • Figure 5 is a schematic diagram of the protocol stack of the layer 3 relay mechanism.
  • the layer 3 relay mechanism is a mechanism for the source UE to access the target UE through the layer 3 relay device.
  • the security between the source UE and the target UE is established in segments, including the security from the PDCP layer of the source UE to the PDCP layer of the relay device, and the security from the PDCP layer of the relay device to the PDCP layer of the target UE.
  • the relay device needs to parse the PDCP layer to determine how to forward control plane signaling and user plane data to the target UE.
  • in the layer 3 relay mechanism, the source UE and the relay UE establish a direct link, and the relay UE and the target UE establish a direct link, but the source UE and the target UE only have a relayed link, not a direct one. Both relay mechanisms therefore require direct links between the source UE and the relay UE and between the relay UE and the target UE; compared with the layer 3 relay mechanism, the layer 2 relay mechanism additionally requires the direct link between the source UE and the target UE.
  • as a result, implementing the ProSe relay communication service with the layer 2 relay mechanism requires more direct links to be established: overall link establishment is slower, the time from triggering the ProSe relay communication service to establishing the ProSe relay communication is longer, efficiency is lower, and more user equipment resources are occupied.
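  • The security contrast drawn above (end-to-end protection between the two PDCP endpoints in the layer 2 mechanism, versus per-hop protection that terminates at the relay in the layer 3 mechanism) is easy to see in a small simulation. The following is an added example, not code from the patent or from 3GPP: `protect`/`unprotect` are a toy stand-in for PDCP ciphering and integrity protection built from SHA-256 and HMAC, and the keys, messages and the `select_mechanism` policy check are constructed for the illustration. It shows what a relay can read or alter under each mechanism, and why a policy that requires end-to-end security must rule out the layer 3 mechanism.

```python
"""Toy model of the security difference between the layer 2 and layer 3 relay
mechanisms. Added example, not code from the patent or from 3GPP; the
'protect'/'unprotect' functions are a stand-in for PDCP ciphering and
integrity protection, and all keys and messages are constructed."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key, nonce, n):
    """Counter-mode keystream built from SHA-256 (toy cipher, not a PDCP algorithm)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def protect(key, plaintext):
    """Cipher and integrity-protect a PDU: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(key, pdu):
    """Verify the tag, then decipher; raises ValueError on any modification."""
    nonce, ct, tag = pdu[:NONCE_LEN], pdu[NONCE_LEN:-TAG_LEN], pdu[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("PDCP integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed keys. Layer 2: source and target share one key and the relay has
# none. Layer 3: each hop has its own key and the relay holds both.
K_E2E = b"constructed-source-target-key-L2"
K_HOP1 = b"constructed-source-relay-key-L3-"
K_HOP2 = b"constructed-relay-target-key-L3-"


def select_mechanism(e2e_required, offered):
    """Apply the security policy to the access mechanisms a relay offers: the
    layer 3 mechanism terminates security at the relay, so it is acceptable only
    when the policy does not require end-to-end protection."""
    for mechanism in offered:
        if mechanism == "L2" or not e2e_required:
            return mechanism
    return None


def relay_message(mechanism, message, relay_misbehaves=False):
    """Carry one PC5 PDU from source to target through the relay.
    Returns (plaintext the target accepts, what the relay could read)."""
    if mechanism == "L2":
        pdu = protect(K_E2E, message)
        # Relay forwards on adaptation-layer information only: PDCP payload is opaque.
        relay_view = ("opaque", len(pdu))
        if relay_misbehaves:
            # Flipping one ciphertext bit is all the relay can do; the target detects it.
            i = NONCE_LEN
            pdu = pdu[:i] + bytes([pdu[i] ^ 0x01]) + pdu[i + 1:]
        return unprotect(K_E2E, pdu), relay_view
    if mechanism == "L3":
        hop1 = protect(K_HOP1, message)
        # Relay terminates hop-1 security, so it reads the plaintext ...
        plaintext = unprotect(K_HOP1, hop1)
        relay_view = ("plaintext", plaintext)
        if relay_misbehaves:
            # ... and can rewrite it before re-protecting for hop 2; the target cannot tell.
            plaintext += b" (rewritten by relay)"
        hop2 = protect(K_HOP2, plaintext)
        return unprotect(K_HOP2, hop2), relay_view
    raise ValueError("unknown access mechanism: %r" % mechanism)
```

  • In the layer 2 case the relay sees only ciphertext and any modification fails the target's integrity check; in the layer 3 case the relay is a legitimate endpoint of each hop, so it reads and can rewrite the payload without the target noticing. That is the property the end-to-end security policy in the claims is meant to control.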
  • in the layer 2 relay mechanism, the source UE can be called the source UE of the 5G ProSe layer 2 relay mechanism, the ProSe layer 2 source UE, or the layer 2 source UE, and the relay device can be called the relay UE of the 5G ProSe layer 2 relay mechanism, the ProSe layer 2 relay UE, or the layer 2 relay UE.
  • in the layer 3 relay mechanism, the source UE can be called the source UE of the 5G ProSe layer 3 relay mechanism, the ProSe layer 3 source UE, or the layer 3 source UE, and the relay device can be called the relay UE of the 5G ProSe layer 3 relay mechanism, the ProSe layer 3 relay UE, or the layer 3 relay UE.
  • the ProSe policy may be used to indicate a mechanism for establishing a PC5 connection (referred to as a PC5 connection mechanism) and the above-mentioned access mechanism.
  • the ProSe policy may include a relay service code (RSC), which may be used to indicate a PC5 connection mechanism and an access mechanism.
  • the relay service code may also be referred to as a relay service identifier.
  • the ProSe parameters obtained by the ProSe UE may have different sources.
  • the ProSe UE may obtain the ProSe parameters from the PCF, which are recorded as ProSe parameters 1.
  • the ProSe UE may send a 5G ProSe policy configuration request message to the AMF; the message may include information indicating the UE-to-UE relay communication capability of 5G ProSe, for example that the ProSe UE has the relay communication capability as a layer 2 source UE or target UE and/or as a layer 3 source UE or target UE.
  • having the relay communication capability as a layer 2 source UE or target UE means that the UE supports using the layer 2 relay mechanism to communicate with another ProSe UE through a relay UE.
  • having the relay communication capability as a layer 3 source UE or target UE means that the UE supports using the layer 3 relay mechanism to communicate with another ProSe UE through a relay UE.
  • the information may also indicate that the ProSe UE has the relay communication capability as a layer 2 relay UE and/or as a layer 3 relay UE.
  • having the relay communication capability as a layer 2 relay UE means that the UE supports using the layer 2 relay mechanism to relay communication between a source UE and a target UE.
  • having the relay communication capability as a layer 3 relay UE means that the UE supports using the layer 3 relay mechanism to relay communication between a source UE and a target UE.
  • the AMF can obtain the ProSe subscription information of the ProSe UE from the UDM and determine from it whether the ProSe UE has the UE-to-UE relay communication capability of 5G ProSe. The AMF can then forward the 5G ProSe policy configuration request message to the PCF, so that the PCF delivers the ProSe policy to the ProSe UE through the UE configuration update (UCU) procedure.
  • the ProSe UE can obtain the ProSe parameters from the ProSe application server, which are recorded as ProSe parameters 2.
  • the ProSe UE can also obtain ProSe parameters from its universal integrated circuit card (UICC), recorded as ProSe parameters 3.
  • the ProSe UE can also obtain ProSe parameters from its mobile equipment (ME), recorded as ProSe parameters 4.
  • ProSe parameters from different sources may have different priorities.
  • the use priorities of ProSe parameters are from high to low: ProSe parameter 1, ProSe parameter 2, ProSe parameter 3, and ProSe parameter 4.
  • the ProSe UE may determine which ProSe parameter to use according to the use priorities of the ProSe parameters from high to low, and record it as the target ProSe parameter. In this case, the ProSe UE can determine which PC5 connection mechanism and access mechanism to use based on the target ProSe parameters.
  • S302 ProSe UE performs ProSe discovery.
  • ProSe discovery is used for mutual discovery between source UE and relay UE, or between relay UE and target UE.
  • TS 23.304 defines two discovery models for ProSe discovery: Model A and Model B.
  • in Model A, the interacting UEs are the announcing UE and the monitoring UE.
  • the announcing UE actively broadcasts a discovery announcement for specific ProSe services (such as video chat, AR, VR).
  • the monitoring UE actively monitors for announcements of specific ProSe services. After receiving the announcement broadcast by the announcing UE, the monitoring UE can determine whether the ProSe service indicated in it meets its own needs, and thereby whether to continue with the subsequent procedure.
  • in the relay discovery scenario, the announcing UE may be a relay UE and the monitoring UE may be a source UE.
  • the relay UE may broadcast a discovery announcement message, which may include the RSCs supported by the relay UE.
  • the source UE may determine whether an RSC included in the discovery announcement message is the RSC it requires for ProSe communication (assume RSC1 is required). If the message carries RSC1, the source UE determines that the relay supports the RSC it needs and continues the subsequent steps with that relay device; if the message carries only RSC2, the source UE determines that RSC2 is not the RSC it needs and does not proceed with that relay device.
  • in Model B, the interacting UEs are the discoverer UE and the discoveree UE. After obtaining the ProSe parameters, the discoverer UE can actively broadcast a discovery request for a specific ProSe service, and the discoveree UE can actively listen for such discovery requests. After receiving the discovery request broadcast by the discoverer UE, the discoveree UE determines whether it supports the ProSe service indicated in the request: if it does, it responds to the discovery request, otherwise it does not respond. If the discoverer UE receives a response from a discoveree UE, it can continue with the subsequent steps; otherwise the process ends.
  • in the relay discovery scenario, the discoveree UE may be a relay UE, and the discoverer UE may be a source UE or a target UE.
  • the source UE or the target UE may broadcast a discovery request message that includes the RSC(s) it requires for ProSe communication, assumed here to be RSC1 or RSC4.
  • the relay UE determines whether it supports RSC1 or RSC4. If it does, it sends a discovery response message to the source UE or target UE indicating that it supports RSC1 or RSC4; otherwise it does not respond.
  • if the source UE or the target UE receives the discovery response message, it may continue to execute the subsequent steps; otherwise, the process ends.
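  • The source-UE side of steps S301 and S302 can be written out as a small decision procedure: pick the ProSe parameters to use by source priority (PCF, then ProSe application server, UICC, ME), take the RSC from that policy, and run relay discovery under Model A (relays announce, the source monitors) or Model B (the source requests, relays that support the RSC respond, the rest stay silent). The following is an added example, not code from the patent or from 3GPP; the parameter sets, RSC values and relay identifiers are constructed, and the shape of the announcement, request and response messages is an assumption made for the illustration.

```python
"""Toy source-UE logic for step S301 (choosing the ProSe parameters to use by
source priority) and step S302 (relay discovery by relay service code under
Model A and Model B). Added example, not code from the patent or 3GPP; the
parameter sets, RSC values, relay identifiers and message layouts are constructed."""

# Priority from high to low, as the text lists it: PCF, ProSe application
# server, UICC, ME.
SOURCE_PRIORITY = ("PCF", "ProSe application server", "UICC", "ME")


def select_prose_parameters(available):
    """available: {source: parameters-dict or None}. Returns the highest-priority
    parameter set that is present, tagged with its source, or None."""
    for source in SOURCE_PRIORITY:
        params = available.get(source)
        if params is not None:
            return source, params
    return None


def model_a_monitor(required_rsc, announcements):
    """Model A: relays announce the RSCs they support; the monitoring source UE
    keeps only the relays whose announcement carries the RSC it needs."""
    return [a["relay_id"] for a in announcements if required_rsc in a["rsc"]]


def model_b_discoveree(relay_id, supported_rsc, request):
    """Model B, relay side: answer only if at least one requested RSC is
    supported; otherwise stay silent (return None)."""
    matched = [r for r in request["rsc"] if r in supported_rsc]
    if not matched:
        return None
    return {"relay_id": relay_id, "rsc": matched}


def model_b_discoverer(required_rscs, relays):
    """Model B, discoverer side: broadcast the request, collect responses, and
    return the ids of the relays that answered."""
    request = {"rsc": list(required_rscs)}
    responses = [model_b_discoveree(rid, rsc, request) for rid, rsc in relays.items()]
    return [r["relay_id"] for r in responses if r is not None]


def find_relay(available_params, relays, model):
    """End-to-end source-UE decision: pick parameters, read the RSC from the
    policy, run discovery, return (parameter source, candidate relay ids)."""
    chosen = select_prose_parameters(available_params)
    if chosen is None:
        return None
    source, params = chosen
    rsc = params["rsc"]
    if model == "A":
        announcements = [{"relay_id": rid, "rsc": sorted(s)} for rid, s in relays.items()]
        candidates = model_a_monitor(rsc, announcements)
    elif model == "B":
        candidates = model_b_discoverer([rsc], relays)
    else:
        raise ValueError("unknown discovery model: %r" % model)
    return source, candidates


# Constructed inputs: the PCF-delivered policy outranks the UICC and ME copies,
# and three nearby relays each support a different set of RSCs.
AVAILABLE = {
    "PCF": {"rsc": "RSC1", "access": "L2"},
    "ProSe application server": None,
    "UICC": {"rsc": "RSC2", "access": "L3"},
    "ME": {"rsc": "RSC2", "access": "L3"},
}
RELAYS = {"relay-A": {"RSC1", "RSC2"}, "relay-B": {"RSC2"}, "relay-C": {"RSC4"}}

if __name__ == "__main__":
    print(find_relay(AVAILABLE, RELAYS, "A"))
    print(find_relay(AVAILABLE, RELAYS, "B"))
```

  • With these inputs the PCF policy wins, so the source UE looks for RSC1 and, under either model, keeps only relay-A; a relay that supports none of the requested RSCs never answers a Model B request, which is the "process ends" branch above.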
  • the source UE establishes a UE-to-UE relay connection with the target UE via the relay UE.
  • in the layer 2 relay mechanism, the source UE establishes a PC5 connection with the relay UE through the PC5 connection mechanism, the relay UE establishes a PC5 connection with the target UE through the PC5 connection mechanism, and then the source UE establishes a PC5 connection with the target UE through the PC5 connection mechanism.
  • for the specific implementation principle, refer to the relevant introduction in step S301, which is not repeated here.
  • in the layer 3 relay mechanism, the source UE establishes a PC5 connection with the relay UE, and the relay UE establishes a PC5 connection with the target UE, through the PC5 connection mechanism; no PC5 connection is established between the source UE and the target UE.
  • the source UE then performs ProSe U2U relay communication with the target UE through the relay UE.
  • the source UE uses the aforementioned access mechanism to perform ProSe U2U relay communication with the target UE through the relay UE.
  • for the specific implementation principle, refer to the previous introduction, which is not repeated here.
  • the ranging service and the sidelink positioning service are two services commonly used between UEs.
  • the ranging service can be used to determine the angle and/or distance between two UEs.
  • UE1 can receive a ranging service request from a core network element (network function, NF), an application server (application server, AS), an application function (application function, AF) or a third-party UE (3rd party UE or 3rd UE), which indicates that the distance and/or angle (or direction) between UE1 and UE2 needs to be measured and calculated, and then UE1 (as the source UE) performs the ranging service with UE2 (as the target UE) based on the request, thereby obtaining the corresponding ranging result.
  • UE1 in addition to the ranging service request sent by other nodes to trigger UE1 to perform the ranging service, UE1 can also actively generate/trigger the ranging demand and then perform the ranging service with UE2.
  • the sidelink positioning service can be used to calculate the location of the target UE.
  • the sidelink specifically refers to a link between UEs that does not pass through the network but connects the UEs directly through the PC5 interface.
  • the sidelink positioning service is implemented on the sidelink. Taking Figure 7 as an example, assume that UE1 is the source UE and UE2 is the target UE: UE1 performs the ranging service on UE2 to obtain the corresponding ranging result, which may include measurement data and/or calculation results (angle and/or distance calculation results) derived from the measurement data.
  • the location management function (LMF) obtains the location of UE1 and the ranging result between UE1 and UE2, and then calculates the location of UE2. The sidelink positioning service therefore depends on the result of the ranging service.
  • the ranging service and the sidelink positioning service are collectively referred to as the ranging positioning service.
  • the ranging positioning service mentioned below may refer to the ranging service, the sidelink positioning service, or both.
  • the ranging positioning service may include direct ranging positioning and indirect ranging positioning.
  • Direct ranging positioning refers to the ranging positioning service that can be performed directly between the source UE and the target UE without the help of auxiliary equipment.
  • the source UE in the ranging positioning service scenario is the party that needs to measure the distance and/or angle of the target UE relative to itself, and the target UE is the party being measured in the ranging positioning service.
  • the source UE needs to measure the distance, angle (direction) and/or position of the target UE.
  • Indirect ranging and positioning refers to the ranging and positioning service that requires the use of auxiliary equipment to perform ranging and/or positioning between the source UE and the target UE.
  • the auxiliary equipment is responsible for providing auxiliary ranging functions in the indirect ranging service between the source UE and the target UE.
  • the ranging result between the source UE and the target UE can be determined based on the ranging result between the source UE and the auxiliary equipment and the ranging result between the auxiliary equipment and the target UE.
  • when the source UE cannot perform direct ranging and positioning on the target UE, only indirect ranging and positioning can be used to obtain the ranging result between the source UE and the target UE and realize the ranging positioning service.
  • two indirect ranging schemes are described below: a first indirect ranging scheme (Scheme 1) and a second indirect ranging scheme (Scheme 2).
  • FIG8 is a schematic diagram of the process of the first indirect ranging solution provided by the present application, which may include the following steps:
  • the UE needs to go through the registration, authorization, policy acquisition and other processes related to the ranging and positioning service before it can have the ability and right to implement the ranging and positioning service.
  • the UE can obtain, from the PCF, the authorization for the ranging and positioning service (it can be authorized as a source UE or a target UE), the policy used by the ranging and positioning service, etc.
  • both UE1 and UE2 can obtain the authorization of the ranging and positioning service and the policy of the ranging and positioning service from the PCF, thereby having the ranging and positioning service function.
  • UE1 is authorized as the source UE and UE2 is authorized as the target UE.
  • UE1 can discover UE2 through the discovery process and then establish a link with UE2.
  • the discovery model adopted can be, for example, Model A or Model B (see the previous introduction), without specific limitation.
  • the link between UE1 and UE2 can be a direct link, such as a PC5 direct link, or a U2U relay communication link implemented through a relay device.
  • the discovery and selection of the above-mentioned relay device are not specifically limited here, and please refer to the relevant introduction in the previous article.
  • UE1 also discovers one or more auxiliary devices through the discovery process, then selects an auxiliary device from the one or more auxiliary devices, and establishes a PC5 connection with the selected auxiliary device (called the target auxiliary device), so that the ranging service can be performed between UE1 and the target auxiliary device.
  • UE2 also establishes a PC5 connection with the target auxiliary device, so that the ranging service can be performed between UE2 and the target auxiliary device.
  • the PC5 link established between UE2 and the target auxiliary device can be a direct link or a link established through UE-to-UE relay (for details, please refer to the description in 3. Proximity-based services (ProSe) communication above).
  • the auxiliary device is a device that can provide an auxiliary ranging function in the indirect ranging and positioning service between UE1 and UE2.
  • the embodiment of the present application does not specifically limit the method of discovering and selecting the auxiliary device.
  • UE1 may discover one or more auxiliary devices by executing the discovery process, and it can select a target auxiliary device from them, and send the information of the target auxiliary device to UE2 through the link between UE1 and UE2.
  • the target auxiliary device can be the device that is first discovered by UE1 among the one or more auxiliary devices, or the target auxiliary device can be the device with the best signal strength between UE1 and UE2 among the one or more auxiliary devices.
  • UE1 and UE2 respectively establish PC5 connections with the target auxiliary device, and then the indirect ranging service between UE1 and UE2 can be realized through the target auxiliary device.
  • S803 UE1 sends a ranging request to UE2.
  • before step S803, UE1 has discovered UE2 through the discovery process and established a PC5 connection with UE2. Therefore, in step S803, UE1 can send a ranging request to UE2 through that PC5 connection; the ranging request instructs UE2 to perform the ranging service with the auxiliary device in order to obtain the ranging result between UE2 and the auxiliary device.
  • S804 UE1 and the auxiliary device perform a ranging service.
  • UE1 can perform a ranging service on the auxiliary device, so that UE1 can obtain corresponding measurement data.
  • UE1 performs calculations based on the measurement data, and then obtains the ranging calculation results between UE1 and the auxiliary device (including the calculation results of the distance and/or angle between UE1 and the auxiliary device).
  • the measurement data is not the measurement result of the angle or distance, but the data generated in the ranging service process, which is used for distance or angle calculation, and further calculation is required based on the measurement data to obtain the final angle or distance measurement result.
  • for example, a ranging service between UE1 and an auxiliary device may proceed as follows.
  • UE1 sends ranging information to the auxiliary device at a first moment; the auxiliary device determines that it received the ranging information at a second moment, and then sends a feedback message to UE1 at a third moment.
  • the feedback message carries the timestamp of the third moment.
  • UE1 determines that it received the feedback message at a fourth moment, and the distance between UE1 and the auxiliary device can then be calculated from the measurement data at the first, second, third and fourth moments. The ranging process in this example is only illustrative and does not constitute a specific limitation; other specific ranging methods may be used.
  • S805 UE2 and the auxiliary device perform ranging service.
  • UE2 can perform a ranging service with the auxiliary device, so that UE2 obtains a corresponding ranging result, which may include measurement data and/or a ranging calculation result calculated from the measurement data.
  • UE2 may calculate the distance and/or angle between UE2 and the auxiliary device from the measurement data it obtains, or UE2 may not perform any calculation itself after obtaining the measurement data.
  • step S804 can be performed before step S805, step S804 can also be performed in parallel with step S805, and step S804 can also be performed after step S805.
  • S806 UE2 sends the ranging result between UE2 and the auxiliary device to UE1.
  • UE2 sends the above ranging result through the link between UE2 and UE1, rather than sending the above ranging result to UE1 through the auxiliary device.
  • the ranging result between UE2 and the auxiliary device may include at least one of the following: measurement data between UE2 and the auxiliary device, and a ranging calculation result (ie, an angle and/or distance calculation result) calculated based on the measurement data between UE2 and the auxiliary device.
  • UE2 can directly send the measurement data obtained in step S805 to UE1 through the link established between UE1 and UE2, and then UE1 calculates the angle and/or distance between UE2 and the auxiliary device based on the above measurement data.
  • UE2 can also calculate the angle and/or distance between UE2 and the auxiliary device based on the measurement data it obtains, and then send the calculation result to UE1 through the link between UE1 and UE2, so that UE1 does not need to perform the above calculation again.
  • step S804 may be executed before step S806; step S804 may be executed in parallel with step S806; step S804 may be executed after step S806, that is, UE1 may start the ranging service between UE1 and the auxiliary device only after receiving the ranging result between UE2 and the auxiliary device.
  • In step S804 UE1 obtains the ranging result between UE1 and the auxiliary device by performing the ranging service with the auxiliary device, and in step S806 UE1 receives the ranging result between UE2 and the auxiliary device. Based on these two ranging results, UE1 can calculate the ranging result between UE1 and UE2.
  • FIG. 9 is a schematic diagram of the process of the second indirect ranging solution provided by the present application, which may include the following steps:
  • the source UE can discover one or more auxiliary devices through the discovery process, and then select an auxiliary device from the one or more auxiliary devices, and subsequently use the selected auxiliary device to implement the indirect ranging and positioning service between the source UE and the target UE.
  • the auxiliary device is a device that can provide an assisted ranging function in the indirect ranging and positioning service between the source UE and the target UE.
  • the auxiliary device can establish a PC5 connection with the source UE and with the target UE respectively, and then implement assisted ranging over these connections.
  • the second indirect ranging scheme there may be a direct link or no direct link between the source UE and the target UE, and there may be a connection established based on a relay device (referred to as UE-to-UE relay connection) or no UE-to-UE relay connection between the source UE and the target UE.
  • in the second scheme the source UE and the target UE do not exchange the indirect-ranging related information (ranging requests, ranging results, etc.) with each other at all, neither over a direct link nor over a link established through a UE-to-UE relay.
  • the embodiments of the present application do not specifically limit the method for discovering and selecting auxiliary devices.
  • S902-S903 The source UE establishes a PC5 connection with the auxiliary device, and sends a ranging request to the auxiliary device through the PC5 connection.
  • the ranging request is used to instruct the auxiliary device to perform a ranging service on the target UE.
  • S904 After receiving the ranging request, the auxiliary device may choose to authenticate the source UE to determine whether the source UE is authorized to perform the ranging service. If the auxiliary device determines that the source UE is authorized, it responds to the ranging request and the subsequent steps continue. If the auxiliary device determines that the source UE is not authorized, the subsequent steps are not executed.
  • step S904 is an optional step, that is, the auxiliary device may authenticate the source UE and then execute the subsequent ranging service, or the auxiliary device may directly execute the subsequent steps without authenticating the source UE.
  • S905 The auxiliary device performs a ranging service with the target UE.
  • the auxiliary device based on the PC5 connection established between the auxiliary device and the target UE, performs a ranging service on the target UE, so that the auxiliary device can obtain a ranging result between the auxiliary device and the target UE.
  • the ranging result may include measurement data and/or a ranging calculation result calculated based on the measurement data.
  • the auxiliary device may perform calculations based on the obtained measurement data to obtain a ranging calculation result of the distance and/or angle between the auxiliary device and the target UE. After obtaining the measurement data, the auxiliary device may not perform calculations.
  • S906 The source UE and the auxiliary device perform a ranging service.
  • the source UE can perform a ranging service on the auxiliary device, so that the source UE can obtain corresponding measurement data.
  • the source UE performs calculations based on the measurement data, and then obtains the ranging calculation results between the source UE and the auxiliary device (including the calculation results of the distance and/or angle between the source UE and the auxiliary device).
  • step S906 can be executed before step S905, in parallel with step S905, or after step S905.
  • S907 The auxiliary device sends the ranging result between the auxiliary device and the target UE to the source UE.
  • the ranging result between the auxiliary device and the target UE may include at least one of the following: measurement data between the auxiliary device and the target UE, and a ranging calculation result (including angle and/or distance calculation results) calculated based on the measurement data between the target UE and the auxiliary device.
  • the auxiliary device can send the above-mentioned measurement data obtained by it directly to the source UE through the link between the source UE and the auxiliary device, and then the source UE calculates the angle and/or distance between the auxiliary device and the target UE based on the above-mentioned measurement data.
  • the auxiliary device can also calculate the angle and/or distance between the auxiliary device and the target UE based on the measurement data obtained by it, and then send the calculation result to the source UE through the link between the source UE and the auxiliary device, so that the source UE does not need to perform the above-mentioned calculation again.
  • step S905 may be executed before step S907; step S905 may also be executed in parallel with step S907; step S905 may also be executed after step S907, that is, the source UE may start to execute the ranging service between the source UE and the auxiliary device after receiving the ranging result between the auxiliary device and the target UE, so as to obtain the ranging result between the source UE and the auxiliary device.
  • S908 The source UE calculates the ranging result between the source UE and the target UE.
  • the source UE can obtain the ranging result between the source UE and the auxiliary device by performing the ranging service with the auxiliary device, and in step S907, the source UE receives the ranging result between the auxiliary device and the target UE sent by the auxiliary device. Then, in step S908, the source UE can calculate the ranging result between the source UE and the target UE based on the above two ranging results.
  • in both indirect ranging schemes the source UE needs to obtain the ranging result between the source UE and the auxiliary device (recorded as the first ranging result) as well as the ranging result between the auxiliary device and the target UE (recorded as the second ranging result).
  • the ranging result between the source UE and the target UE can be calculated by combining the first ranging result and the second ranging result.
  • the target UE can receive a ranging request from the source UE, and then actively perform a ranging service on the auxiliary device according to the ranging request of the source UE, so that the target UE obtains a second ranging result. Then, the target UE can directly send the second ranging result to the source UE based on the connection between the target UE and the source UE without passing through the auxiliary device, and the auxiliary device will not obtain the second ranging result at this time.
  • the ranging result is location-related information, which is usually privacy-sensitive information.
  • because the indirect ranging scheme requires the assistance of an auxiliary device, there may be a risk of privacy leakage at the auxiliary device for the source UE and the target UE. Because the auxiliary device in scheme one does not obtain the second ranging result, there is no leakage of privacy data at the auxiliary device in the indirect ranging service scenario of scheme one, and end-to-end security can be guaranteed for the indirect ranging service between the source UE and the target UE.
  • the source UE since there is no connection established between the source UE and the target UE (cannot be established or has not been established), the source UE chooses to send a ranging request to the auxiliary device to instruct the auxiliary device to perform a ranging service on the target UE.
  • the source UE can also choose to use scheme 2 to send the above-mentioned ranging request to the auxiliary device.
  • the auxiliary device actively performs a ranging service on the target UE based on the ranging request sent by the source UE, so that the auxiliary device can obtain a second ranging result.
  • the auxiliary device sends the second ranging result to the source UE over the connection between itself and the source UE. It can be understood that because the auxiliary device in scheme 2 obtains the second ranging result, there is a risk of privacy data leakage at the auxiliary device in the indirect ranging service scenario of scheme 2, so end-to-end security cannot be guaranteed for the indirect ranging service between the source UE and the target UE.
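The calculation performed on the source UE side in both schemes (the final step of FIG. 8 and step S908 of FIG. 9), carried through as an added example; this is not code from the patent. It assumes the timestamp exchange described for step S804, timestamps in nanoseconds, and that the two angle results have been converted to one common reference frame so that their difference is the angle at the auxiliary device between the two UEs (the page does not fix how angles are combined). The function names, the constructed timestamps and the plausibility check on the peer-reported turnaround are the editor's own.

```python
"""Two-way ranging and combination of two ranging results (added example)."""
import math

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


def two_way_distance(t1_ns: float, t2_ns: float, t3_ns: float, t4_ns: float) -> float:
    """Distance from the four moments of the S804 exchange.

    t1: UE1 sends the ranging message      (UE1 clock)
    t2: auxiliary device receives it       (auxiliary clock)
    t3: auxiliary device sends feedback    (auxiliary clock, carried in the feedback)
    t4: UE1 receives the feedback          (UE1 clock)

    The responder's turnaround (t3 - t2) is subtracted from the round trip
    (t4 - t1), so the two clocks need not be synchronised: only differences of
    each device's own timestamps are used. t2 and t3 are reported by the peer
    and are attacker-controlled; an inflated turnaround makes the distance look
    shorter, so values that imply a negative time of flight are rejected.
    """
    round_trip = t4_ns - t1_ns
    turnaround = t3_ns - t2_ns
    if turnaround < 0 or round_trip < turnaround:
        raise ValueError("implausible timestamps: turnaround exceeds round trip")
    time_of_flight_ns = (round_trip - turnaround) / 2.0
    return C_M_PER_NS * time_of_flight_ns


def combine(d_src_aux_m: float, bearing_src_deg: float,
            d_tgt_aux_m: float, bearing_tgt_deg: float) -> float:
    """Distance between source UE and target UE from the first ranging result
    (source UE to auxiliary device) and the second ranging result (target UE to
    auxiliary device). Assumption: both bearings are in one common frame, so
    their difference is the angle at the auxiliary device; law of cosines.
    """
    delta = math.radians(bearing_tgt_deg - bearing_src_deg)
    return math.sqrt(d_src_aux_m ** 2 + d_tgt_aux_m ** 2
                     - 2.0 * d_src_aux_m * d_tgt_aux_m * math.cos(delta))


if __name__ == "__main__":
    # Constructed timestamps: 10 ns one-way flight, 200 ns turnaround at the
    # auxiliary device, auxiliary clock offset by 90 ns from UE1's clock.
    d1 = two_way_distance(t1_ns=0, t2_ns=100, t3_ns=300, t4_ns=220)
    # Second ranging result as received (scheme 1: from the target UE directly;
    # scheme 2: from the auxiliary device). Constructed values.
    d2, bearing2 = 4.0, 90.0
    print(f"source-aux {d1:.3f} m, source-target {combine(d1, 0.0, d2, bearing2):.3f} m")
```

In scheme 1 only the source UE ever calls `combine()` with both results; in scheme 2 the auxiliary device already holds the second result before it reaches the source UE, which is exactly the privacy difference the text describes.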
  • FIG. 10 is a flow chart of a communication method provided in an embodiment of the present application, which is used in a ProSe service scenario and may include the following steps:
  • S1001 A first user device obtains a security policy.
  • the first user equipment is a user equipment with ProSe function.
  • an application for providing/requiring the use of ProSe function may be installed on the first user equipment, and the first user equipment completes the authorization, parameter/policy acquisition and other processes related to ProSe to the PCF, so that the first user equipment has ProSe function.
  • the security policy is used to indicate whether to use end-to-end security protection for the sidelink communication service (rendered "side chain" elsewhere in this translation).
  • the sidelink communication service is a communication service implemented over the sidelink, that is, the PC5 interface between user equipments.
  • here the sidelink communication service refers to the ProSe communication service based on a relay device, that is, the ProSe relay communication service.
  • end-to-end security protection for a service such as ProSe relay communication is implemented between the two user devices corresponding to the ProSe communication service, that is, between the source UE and the target UE of the same ProSe communication service, and not hop-by-hop through the relay device.
  • ProSe relay communication can be implemented based on a layer 2 relay mechanism or a layer 3 relay mechanism.
  • because the layer 2 relay device in the layer 2 relay mechanism does not process the PDCP layer (which performs ciphering and integrity protection of the upper-layer information), it transparently forwards the PDCP PDUs of the source UE and the target UE together with the upper-layer information they carry. The security association between the source UE and the target UE can therefore be established end-to-end between the PDCP layer of the source UE and the PDCP layer of the target UE, so the layer 2 relay mechanism supports end-to-end security protection for the ProSe relay communication service.
  • because the layer 3 relay device in the layer 3 relay mechanism must terminate and process the PDCP layer, security is applied separately on each PC5 hop and the relay device has access to the plaintext of the upper-layer information; no end-to-end security association can be established between the source UE and the target UE, so the layer 3 relay mechanism does not support end-to-end security protection in the ProSe relay communication service.
  • the security policy is used to indicate whether to use end-to-end security protection for the side chain communication service, and can be further used to indicate whether to use the layer 2 relay mechanism to establish ProSe relay communication (or to indicate whether to use the layer 3 relay mechanism to establish ProSe relay communication).
  • the first user equipment may determine to use a layer 2 relay mechanism to implement ProSe relay communication between the first user equipment itself and other user equipments according to the security policy.
  • the first user device can determine to use the layer 3 relay mechanism to implement ProSe relay communication between the first user device itself and other user devices according to the security policy. If the security policy indicates that end-to-end security protection is used preferentially for ProSe relay communication, the first user device can determine to use the layer 2 relay mechanism preferentially to implement ProSe relay communication between the first user device itself and other user devices according to the security policy, and if it is determined that the layer 2 relay mechanism cannot be used, the layer 3 relay mechanism is used to implement ProSe relay communication between the first user device itself and other user devices. It should be noted that the embodiment of the present application does not specifically limit the situation where the layer 2 relay mechanism cannot be used. For example, the first user device does not find any layer 2 relay device within a certain period of time, so the first user device determines that the layer 2 relay mechanism cannot be used, and then tries the layer 3 relay mechanism.
  • the first user device can determine, based on the security policy, to use the layer 3 relay mechanism to implement ProSe relay communication between the first user device itself and other user devices. If it is determined that the layer 3 relay mechanism cannot be used, the layer 2 relay mechanism is used to implement ProSe relay communication between the first user device and other user devices. It should be noted that the embodiment of the present application does not specifically limit the situation where the layer 3 relay mechanism cannot be used. For example, the first user device does not find any layer 3 relay device within a certain period of time, so the first user device determines that the layer 3 relay mechanism cannot be used, and then tries the layer 2 relay mechanism.
  • the security policy acquired by the first user equipment is stored on the first user equipment.
  • a user device may consist of a mobile equipment (ME) and a universal integrated circuit card (UICC), and the security policy may be pre-configured in the mobile equipment or pre-configured on the UICC card.
  • ME mobile equipment
  • UICC universal integrated circuit card
  • UICC is a general term for smart cards with defined physical characteristics. It is a component of user equipment and is mainly used to store user information, authentication keys, short messages, payment methods and other information. It can be used by the network to identify the customer identity, store information, register with the network, etc.
  • a variety of logical modules/applications (applications) can be included in the UICC, such as the subscriber identity module (SIM), the universal subscriber identity module (USIM), the IP multimedia service identity module (ISIM), etc.
  • SIM subscriber identity module
  • USIM universal subscriber identity module
  • ISIM IP multimedia service identity module
  • the logical modules/applications in the UICC can exist alone or in multiple at the same time.
  • the above security policy is pre-configured in the UICC, and can be pre-configured in any of the above logical modules/applications.
  • the security policy may come from a core network element, which may be one or more of a policy control function (PCF), a direct discovery name management function (DDNMF), an access and mobility management function (AMF), or a data management element (unified data management (UDM) / unified data repository (UDR)).
  • PCF policy control function
  • DDNMF direct discovery name management function
  • AMF access and mobility management function
  • UDM/UDR unified data management / unified data repository
  • the first user device may actively send a request message to the core network element, and the request message may carry user information, and then receive the security policy sent by the core network element.
  • the above user information may include one or more of a user identifier corresponding to the first user equipment (for example, a subscription permanent identifier (SUPI)), a user group identifier, a geographic location, and a network location.
  • SUPI subscription permanent identifier
  • step S1001 can be executed before step S1002, can be executed in parallel with step S1002, or can be executed between step S1002 and step S1003, that is, after the first user equipment triggers the relay communication demand, the first user equipment obtains the security policy.
  • S1002 The first user equipment triggers a ProSe relay communication requirement.
  • the embodiment of the present application does not specifically limit how the first user equipment triggers the ProSe relay communication requirement.
  • the first user equipment may receive a request from other devices, thereby triggering a ProSe relay communication requirement.
  • the other devices may be a network function (NF), an application server (AS), an application function (AF) or a third UE, etc., which are not specifically limited.
  • the above request may be a request that explicitly indicates to perform ProSe relay communication with the second user equipment (ie, the target UE), so the first user equipment may directly trigger the ProSe relay communication requirement according to the received request.
  • the above request may also be a request to instruct to perform ProSe communication with the second user equipment (it does not specify whether it is ProSe direct communication or ProSe relay communication), so the first user equipment may first choose to perform ProSe direct communication with the second user equipment based on the instruction of the request.
  • the first user equipment finds that the conditions for ProSe direct communication with the target UE are not met, for example, the target UE is outside the signal range of the source UE, or the communication quality between the source UE and the target UE is not good enough, etc.
  • the first user equipment determines that it cannot perform ProSe direct communication with the target UE, thereby triggering the need to perform ProSe communication with the target UE through the relay device, that is, triggering the ProSe relay communication demand.
  • the first user equipment may also trigger the ProSe relay communication requirement by itself.
  • the user performs a certain specific operation on the first user device (for example, the user clicks a video chat button on an APP related to the ProSe service installed on the first user device), thereby triggering the ProSe communication demand/relay communication demand of the first user device.
  • the first user device may also trigger the ProSe relay communication demand after selecting to perform ProSe direct communication but failing.
  • S1003 The first user equipment determines to perform a first operation according to the security policy, where the first operation is used to establish a ProSe relay communication service between the first user equipment and the second user equipment.
  • the security policy is used to indicate whether to perform end-to-end security protection on the ProSe relay communication service.
  • the first user equipment determines whether to use end-to-end security protection for the ProSe relay communication service to be executed by itself according to the security policy.
  • if the security policy indicates that end-to-end security protection is to be used for ProSe relay communication, and the first user equipment determines to perform a first operation according to the security policy, then the first operation needs to support end-to-end security protection between the first user equipment and the second user equipment.
  • the first operation at this time includes: receiving a message from at least one relay device; then, the first user equipment establishes a connection with a first relay device among the at least one relay device, wherein the first relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of the relay device, please refer to the relevant introduction in the previous text), and the message from the first relay device received by the first user equipment includes a relay service identifier of the layer 2 relay service, and the above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment.
  • the messages of at least one relay device received by the first user device include the relay service identifier of the layer 2 relay service, or the messages of at least one relay device received by the first user device include the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, that is, the first user device can choose to only receive messages from the layer 2 relay device, or it can accept messages from both the layer 2 relay device and the layer 3 relay device, but it will only select the layer 2 relay device to establish the ProSe relay communication between the first user device and the second user device.
  • the first user equipment determines to use end-to-end security protection for ProSe relay communication according to the security policy, it means to use the layer 2 relay mechanism to establish ProSe relay communication with the second user equipment, thereby determining to perform actions corresponding to the establishment of the layer 2 relay service, including: using the relay service code of the layer 2 relay service, discovering the layer 2 relay device, establishing a connection with the layer 2 relay device, etc.
  • the first user equipment will only select a relay device from the layer 2 relay devices, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then based on the U2U relay connection, the ProSe relay communication service between the first user equipment and the second user equipment is implemented, and end-to-end security protection between the first user equipment and the second user equipment can be implemented.
  • if the security policy indicates that end-to-end security protection is not to be used for ProSe relay communication, the first user equipment determines to perform a first operation according to the security policy, and the first operation does not need to support end-to-end security protection between the first user equipment and the second user equipment.
  • the first operation includes: receiving a message from at least one relay device; then, the first user device establishes a connection with a first relay device among the at least one relay device, wherein the first relay device is a relay device among the at least one device and can be selected by the first user device according to certain conditions, and the message from the first relay device received by the first user device includes a relay service identifier of a layer 3 relay service; the above link is used to send service data of a ProSe relay communication service between the first user device and the second user device.
  • the layer 3 relay mechanism can be used to establish ProSe relay communication with the second user equipment, thereby determining to perform actions corresponding to the establishment of the layer 3 relay service, including: using the relay service code of the layer 3 relay service, discovering the layer 3 relay device, establishing a connection with the layer 3 relay device, etc.
  • the first user equipment will only select a relay device from the layer 3 relay devices, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then based on the U2U relay connection, the ProSe relay communication service between the first user equipment and the second user equipment is realized, but the end-to-end security protection between the first user equipment and the second user equipment cannot be realized.
  • the messages of at least one relay device received by the first user equipment all include the relay service identifier of the layer 3 relay service, or the messages of at least one relay device received by the first user equipment include the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, that is, the first user equipment can choose to only receive messages from the layer 3 relay device, or it can accept messages from both the layer 2 relay device and the layer 3 relay device, but it will only select the layer 3 relay device to establish the ProSe relay communication between the first user equipment and the second user equipment.
  • if the security policy indicates that end-to-end security protection is to be used preferentially, the first operation at this time includes: receiving a message from at least one relay device; then, the first user equipment establishes a relay connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes the relay service identifier of the layer 2 relay service, and the first relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of relay devices, please refer to the relevant introduction above).
  • further, if the first user equipment determines that it is impossible to establish a link with the relay device corresponding to the relay service identifier of any layer 2 relay service, the first user equipment establishes a connection with a second relay device among the at least one relay device, wherein the message of the second relay device received by the first user equipment includes the relay service identifier of the layer 3 relay service, and the second relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of relay devices, please refer to the relevant introduction above).
  • the above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment.
  • the first user equipment determines, according to the security policy, that it is necessary to give priority to end-to-end security protection for ProSe relay communication, it means that it is necessary to give priority to using the layer 2 relay mechanism to establish ProSe relay communication with the second user equipment, thereby determining to first perform actions corresponding to the establishment of the layer 2 relay service, including: using the relay service code of the layer 2 relay service, discovering the layer 2 relay device, establishing a connection with the layer 2 relay device, etc.
  • the first user equipment determines to use the layer 3 relay mechanism to establish ProSe relay communication with the second user equipment, thereby determining to perform actions corresponding to the establishment of the layer 3 relay service, including: using the relay service code of the layer 3 relay service, discovering the layer 3 relay device, establishing a connection with the layer 3 relay device, etc.
  • the first user equipment preferentially selects a relay device from the layer 2 relay devices, and selects a layer 3 relay device when the layer 2 relay device cannot be selected, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then implementing the ProSe relay communication service between the first user equipment and the second user equipment based on the U2U relay connection.
  • This method can preferentially implement end-to-end security protection between the first user equipment and the second user equipment, but also ensures the link between the first user equipment and the second user equipment when end-to-end security protection cannot be performed, so as to implement the ProSe relay communication service between the first user equipment and the second user equipment.
  • if the security policy indicates that end-to-end security protection is preferably not used, the first operation at this time includes: receiving a message from at least one relay device; then, the first user equipment establishes a relay connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes the relay service identifier of the layer 3 relay service, and the first relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of relay devices, please refer to the relevant introduction above).
  • further, if the first user equipment determines that it is impossible to establish a link with the relay device corresponding to the relay service identifier of any layer 3 relay service, the first user equipment establishes a connection with a second relay device among the at least one relay device, wherein the message of the second relay device received by the first user equipment includes the relay service identifier of the layer 2 relay service, and the second relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of relay devices, please refer to the relevant introduction above).
  • the above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment.
  • when the first user equipment determines according to the security policy that it is preferred not to use end-to-end security protection for ProSe relay communication, this means that the layer 3 relay mechanism is preferred for establishing ProSe relay communication with the second user equipment, so the first user equipment first performs the actions corresponding to the establishment of the layer 3 relay service.
  • if the first user equipment determines that it is impossible to use the layer 3 relay mechanism to establish ProSe relay communication with the second user equipment, the first user equipment determines to use the layer 2 relay mechanism to establish ProSe relay communication with the second user equipment, and therefore performs the actions corresponding to the establishment of the layer 2 relay service.
  • the first user equipment preferentially selects a relay device from the layer 3 relay devices, and then selects the layer 2 relay device when the layer 3 relay device cannot be selected, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then implementing the ProSe relay communication service between the first user equipment and the second user equipment based on the U2U relay connection.
  • this method gives priority to the use of the layer 3 relay mechanism, which may be due to considerations such as service startup efficiency and resource occupation, but also turns to the use of the layer 2 relay mechanism when the layer 3 relay mechanism cannot be used to implement the ProSe relay communication service between the first user equipment and the second user equipment.
  • the security policy may be explicit indication information.
  • the security policy may be explicit indication information, indicating that end-to-end security protection must be used for the ProSe relay communication service, or indicating that a layer 2 relay mechanism must be used in the ProSe relay communication service, or indicating that a relay service identifier of a layer 2 relay service must be used to discover the relay device required in the ProSe relay communication service.
  • the security policy may be explicit indication information, indicating not to use end-to-end security protection for the ProSe relay communication service, or indicating not to use the layer 2 relay mechanism in the ProSe relay communication service, or indicating that the layer 3 relay mechanism must be used in the ProSe relay communication service, or indicating that the relay service identifier of the layer 3 relay service must be used to discover the relay device required in the ProSe relay communication service.
  • the security policy may be explicit indication information, indicating that end-to-end security protection is given priority for the ProSe relay communication service, or indicating that the layer 2 relay mechanism is given priority in the ProSe relay communication service, or indicating that the relay service identifier of the layer 2 relay service is given priority to discover the relay device required in the ProSe relay communication service.
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the relay service identifier of a layer 2 relay service may be a relay service code of a layer 2 relay service, used to indicate a layer 2 relay mechanism.
  • the relay service identifier of a layer 3 relay service may be a relay service code of a layer 3 relay service, used to indicate a layer 3 relay mechanism.
  • the security policy indicates that the ProSe relay communication service is end-to-end securely protected, that is, the layer 2 relay mechanism is used to establish the ProSe relay communication, and the layer 2 relay service identifier is used to discover the layer 2 relay device.
  • the security policy indicates that the ProSe relay communication service is not end-to-end securely protected, that is, the layer 3 relay mechanism is used to establish the ProSe relay communication, and the layer 3 relay service identifier is used to discover the layer 3 relay device.
  • the security policy includes priority information.
  • the security policy at this time is to indicate that the ProSe relay communication service is to be end-to-end securely protected, that is, it is to use the layer 2 relay mechanism to establish the ProSe relay communication.
  • the security policy at this time is to indicate that the ProSe relay communication service is not to be end-to-end securely protected, that is, it is to use the layer 3 relay mechanism to establish the ProSe relay communication.
  • the security policy at this time is to indicate that no end-to-end security protection is performed on the ProSe relay communication service, that is, it is necessary to use the layer 3 relay mechanism to establish the ProSe relay communication.
  • the security policy at this time is to indicate that end-to-end security protection is performed on the ProSe relay communication service, that is, it is necessary to use the layer 2 relay mechanism to establish the ProSe relay communication.
  • when the security policy includes priority information, the security policy may also include a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the specific form of the priority information in the security policy is not limited in the embodiments of the present application.
  • the priority information may be the order between the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, and the relay service identifier in the previous order needs to be used first.
  • the priority information may be clear indication information indicating that the relay service identifier of the layer 2 relay service or the relay service identifier of the layer 3 relay service needs to be used first.
  • FIG. 11 is a flow chart of another communication method provided in an embodiment of the present application, which is used in a ranging and positioning service scenario and may include the following steps:
  • S1101 A first user equipment obtains a security policy.
  • the first user equipment is a user equipment with ranging and positioning service functions.
  • an application for providing ranging and positioning service functions may be installed on the first user equipment, and the first user equipment completes authorization, parameter/policy acquisition and other processes related to ranging and positioning services to the PCF, so that the first user equipment has the ranging and positioning service functions.
  • the above security policy is used to indicate whether to use end-to-end security protection for the side chain communication service.
  • the side chain communication service refers to the ranging and positioning service based on the auxiliary device, that is, the indirect ranging and positioning service.
  • the end-to-end security protection for such services as indirect ranging and positioning is implemented between the two user devices corresponding to the indirect ranging and positioning service, that is, the end-to-end security protection is implemented between the source UE and the target UE in the same ranging and positioning service.
  • the indirect ranging and positioning service can be implemented through Scheme 1 and Scheme 2 (see the previous introduction for details).
  • since the auxiliary device in Scheme 1 will not obtain the ranging result between the auxiliary device and the target UE (privacy-sensitive information for the source UE and the target UE), there is no risk of privacy leakage by the auxiliary device, so Scheme 1 supports end-to-end security protection for indirect ranging and positioning services. Since the auxiliary device in Scheme 2 will obtain the ranging result between the auxiliary device and the target UE, the ranging result may be leaked at the auxiliary device, and there is a security risk of privacy leakage, so Scheme 2 does not support end-to-end security protection for indirect ranging and positioning services.
  • the security policy is used to indicate whether to use end-to-end security protection for the indirect ranging positioning service, and can be further used to indicate whether to use Scheme 1 or Scheme 2 for the indirect ranging positioning service. If the security policy obtained by the first user device indicates that end-to-end security protection is used for the indirect ranging positioning service, the first user device can determine according to the security policy to use Scheme 1 to implement the indirect ranging positioning service between the first user device and other user devices. If the security policy indicates that end-to-end security protection is not used for the indirect ranging positioning service, the first user device can determine according to the security policy to use Scheme 2 to implement the indirect ranging positioning service between the first user device and other user devices.
  • the first user device can determine according to the security policy to use Scheme 1 preferentially to implement the indirect ranging positioning service between the first user device and other user devices, and if it is determined that Scheme 1 cannot implement the indirect ranging positioning service, Scheme 2 is used to implement it.
  • the security policy acquired by the first user equipment is stored on the first user equipment.
  • the specific content of this embodiment can be found in the relevant introduction in step S1001, which will not be repeated here.
  • the security policy may be from a core network element, and the core network element may be one or more of a policy management element, a direct communication discovery name management element, an access management element, or a data management element.
  • step S1101 can be executed before step S1102, can be executed in parallel with step S1102, or can be executed between step S1102 and step S1103.
  • S1102 The first user equipment triggers an indirect ranging and positioning service demand.
  • the embodiment of the present application does not specifically limit how the first user equipment triggers the indirect ranging and positioning service demand.
  • the first user equipment may receive a request from other equipment, thereby triggering an indirect ranging and positioning service requirement.
  • the other equipment may be an NF, an AS, an AF or a third-party UE, etc., without specific limitation.
  • the request may be a request explicitly instructing to perform an indirect ranging and positioning service with the second user equipment (i.e., the target UE), so the first user equipment may directly trigger the indirect ranging and positioning service demand according to the received request.
  • the above request may also be an indication of the need to perform ranging and positioning services with the second user equipment (it does not specify whether it is direct ranging or indirect ranging), so the first user equipment can first choose to perform direct ranging and positioning services with the second user equipment based on the indication of the request.
  • the first user equipment finds that the conditions for direct ranging and positioning services with the target UE are not met, for example, the target UE is outside the signal range of the source UE, the communication quality between the source UE and the target UE is not good enough, or the source UE and the target UE cannot establish a PC5 link.
  • the first user equipment determines that it cannot perform direct ranging and positioning with the target UE, thereby triggering the service demand for indirect ranging and positioning with the target UE through the auxiliary device, that is, triggering the indirect ranging and positioning service demand.
  • the first user equipment may also trigger the indirect ranging and positioning service demand by itself.
  • the user performs a certain specific operation on the first user device (for example, the user clicks the ranging button on an APP related to the ranging and positioning service installed on the first user device), thereby triggering the ranging and positioning service demand/indirect ranging and positioning service demand of the first user device.
  • the first user device may also have tried to perform direct ranging and positioning and failed, after which the demand for the indirect ranging and positioning service is triggered.
  • S1103 The first user equipment determines to execute a first operation according to the security policy, where the first operation is used to establish an indirect ranging and positioning service between the first user equipment and the second user equipment.
  • the security policy is used to indicate whether to use end-to-end security protection for the indirect ranging positioning service.
  • the first user equipment determines whether to use end-to-end security protection for the indirect ranging positioning service to be executed by itself according to the security policy.
  • the first operation at this time includes: the first user device sends a first ranging request to the second user device through a link with the second user device, wherein the first ranging request indicates the measurement of the distance and/or angle between the second user device and the auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user device and the second user device.
  • the link between the first user device and the second user device includes a PC5 direct link and/or a link through a U2U relay.
  • if the first user equipment determines according to the security policy to use end-to-end security protection for the indirect ranging positioning service, it means that the first user equipment will use Scheme 1 to implement the indirect ranging positioning service between it and the second user equipment, so it determines to perform the actions corresponding to the source UE in Scheme 1 (see the embodiment of FIG. 8 for details), including at least one of the following: establishing a link with the target UE (i.e., the second user equipment), sending a first ranging request to the target UE through the above link, receiving the ranging result between the target UE and the auxiliary device sent by the target UE, and so on.
  • the first user equipment will send a first ranging request to the second user equipment through the link between it and the second user equipment to instruct the second user equipment to perform the ranging service on the auxiliary device, and the first user equipment can then receive the ranging result between the second user equipment and the auxiliary device sent by the second user equipment through the above link, and then determine the ranging result between the first user equipment and the second user equipment, and complete the indirect ranging positioning service between the first user equipment and the second user equipment.
  • the ranging result is not sent via the auxiliary device, thereby avoiding the risk of privacy leakage and realizing end-to-end security protection between the first user equipment and the second user equipment.
  • the first operation at this time includes: the first user equipment sends a second ranging request to the auxiliary device through a direct link with the auxiliary device, wherein the second ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
  • if the first user equipment determines according to the security policy not to use end-to-end security protection for the indirect ranging positioning service, it means that the first user equipment will use Scheme 2 (see the embodiment of FIG. 9 for details) to implement the indirect ranging positioning service between it and the second user equipment, thereby determining to perform the actions corresponding to the source UE in Scheme 2, including at least one of the following: establishing a link with the auxiliary device, sending a second ranging request to the auxiliary device through the above link, receiving the ranging result between the target UE and the auxiliary device sent by the auxiliary device, etc.
  • the first user equipment will send the second ranging request to the auxiliary device through the link between it and the auxiliary device to instruct the auxiliary device to perform the ranging service on the second user equipment, instead of instructing the second user equipment to perform the ranging service on the auxiliary device; accordingly, the first user equipment can receive the ranging result between the auxiliary device and the second user equipment sent by the auxiliary device through the above link, and then determine the ranging result between the first user equipment and the second user equipment, and complete the indirect ranging positioning service between the first user equipment and the second user equipment. It can be understood that the ranging result between the auxiliary device and the second user device needs to be sent to the first user device via the auxiliary device. For the first user device and the second user device that perform indirect ranging services, there will be a risk of privacy leakage at the auxiliary device, and end-to-end security protection between the first user device and the second user device cannot be achieved.
  • the first operation includes: the first user equipment sends a first ranging request to the second user equipment through a link with the second user equipment, wherein the first ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary equipment, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
  • if Scheme 1 fails, the first user equipment then uses Scheme 2 to send a second ranging request to the auxiliary equipment, and the second ranging request indicates measuring the distance and/or angle between the auxiliary equipment and the second user equipment, thereby realizing the indirect ranging positioning service between the first user equipment and the second user equipment.
  • if the first user equipment determines according to the security policy to give priority to end-to-end security protection for the indirect ranging positioning service, it means that the first user equipment should give priority to using Scheme 1 to implement the indirect ranging positioning service between it and the second user equipment, so the first user equipment determines to give priority to executing the actions corresponding to the source UE in Scheme 1 (see the above introduction).
  • if the first user equipment determines that Scheme 1 fails to execute, the first user equipment then executes the actions corresponding to the source UE in Scheme 2 (see the above introduction) to implement the indirect ranging positioning service between the first user equipment and the second user equipment.
  • this method chooses to use Scheme 1 first to achieve end-to-end security protection between the first user equipment and the second user equipment as far as possible, and when end-to-end security protection between the first user equipment and the second user equipment cannot be achieved, the indirect ranging positioning service between the first user equipment and the second user equipment can still be achieved through Scheme 2.
  • before the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment, it first needs to determine whether it can establish a link with the second user equipment; when the first user equipment determines that it can establish such a link, it then sends the first ranging request to the second user equipment through the link between the first user equipment and the second user equipment.
  • because the source UE in Scheme 1 needs to send a ranging request to the target UE, and the target UE needs to send the ranging result between the target UE and the auxiliary device to the source UE, Scheme 1 requires a link to be established between the source UE and the target UE. Therefore, after the first user equipment determines according to the security policy to use end-to-end security protection for the indirect ranging positioning service between it and the second user equipment, the first user equipment needs to first determine whether a link can be established between the first user equipment and the second user equipment.
  • a link can be established between the first user equipment and the second user equipment, and there may be the following situations: a link has been established between the first user equipment and the second user equipment; a link has not been established between the first user equipment and the second user equipment but the link establishment condition is met. If a link is not established between the first user equipment and the second user equipment but the link establishment condition is met, the first user equipment establishes a link with the second user equipment.
  • the link between the first user equipment and the second user equipment can be a direct link (such as a PC5 link) or a U2U relay link based on a relay device, which is not specifically limited in the embodiments of the present application.
  • if the first user equipment determines that a link can be established between it and the second user equipment, the first user equipment determines that Scheme 1 can be used for the indirect ranging and positioning service, and then sends a first ranging request to the second user equipment through the link between the first user equipment and the second user equipment. If a link cannot be established between the first user equipment and the second user equipment, the first user equipment determines that Scheme 1 cannot be used, that is, the first user equipment fails to use Scheme 1 for the indirect ranging and positioning service.
  • the security policy may be explicit indication information.
  • the security policy may be explicit indication information, the specific content of which indicates the use of end-to-end security protection for the indirect ranging positioning service, or indicates that in the indirect ranging positioning service a ranging request is sent to the target UE to obtain the ranging result between the auxiliary device and the target UE.
  • the security policy may be explicit indication information, the specific content of which indicates not to use end-to-end security protection for the indirect ranging positioning service, or indicates that in the indirect ranging positioning service a ranging request is sent to the auxiliary device to obtain the ranging result between the auxiliary device and the target UE.
  • the security policy may be explicit indication information, the specific content of which indicates that end-to-end security protection is preferentially used for the indirect ranging and positioning service, or indicates that in the indirect ranging and positioning service a ranging request is preferentially sent to the target UE to obtain the ranging result between the auxiliary device and the target UE.
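As an added illustration (not the patent's own code), the following Python models the two policy-driven decisions described above: choosing between a layer 2 and a layer 3 relay for the ProSe relay communication service, and choosing between Scheme 1 and Scheme 2 for the indirect ranging and positioning service. The E2E enumeration, the relay service code strings and the Relay record are assumed representations constructed for the example.

```python
"""Policy-driven selection of a sidelink relay and an indirect-ranging scheme.

Added example, not the patent's code. Assumed representation: the security
policy carries an explicit E2E indication plus the relay service codes
(RSCs) identifying the layer 2 and layer 3 relay services; relay discovery
results are reduced to (relay_id, rsc) pairs.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class E2E(Enum):
    """Explicit indication carried in the security policy."""
    REQUIRED = "required"          # E2E protection must be used
    PREFERRED = "preferred"        # try E2E first, fall back if impossible
    NOT_REQUIRED = "not_required"  # do not use E2E protection
    PREFER_NOT = "prefer_not"      # no-E2E first (option D), E2E as fallback


@dataclass(frozen=True)
class SecurityPolicy:
    e2e: E2E
    # Constructed placeholder RSC values, not real code points.
    l2_rsc: str = "RSC-L2"
    l3_rsc: str = "RSC-L3"


@dataclass(frozen=True)
class Relay:
    relay_id: str
    rsc: str  # RSC announced in the relay's discovery message


class PolicyViolation(Exception):
    """The policy cannot be satisfied with the relays/links available."""


def select_relay(policy: SecurityPolicy, discovered: list[Relay]) -> Relay:
    """Pick the relay to connect to for a ProSe U2U relay service.

    A layer 2 relay (l2_rsc) gives end-to-end protection between the two
    UEs; a layer 3 relay (l3_rsc) does not. The policy fixes the order in
    which the two kinds are tried; an empty order step falls through.
    """
    l2 = [r for r in discovered if r.rsc == policy.l2_rsc]
    l3 = [r for r in discovered if r.rsc == policy.l3_rsc]
    order = {
        E2E.REQUIRED: [l2],
        E2E.NOT_REQUIRED: [l3],
        E2E.PREFERRED: [l2, l3],
        E2E.PREFER_NOT: [l3, l2],
    }[policy.e2e]
    for candidates in order:
        if candidates:
            # A real UE would rank candidates by link quality etc.;
            # the first acceptable one suffices for the example.
            return candidates[0]
    raise PolicyViolation(f"no relay acceptable under policy {policy.e2e.value}")


def select_ranging_scheme(policy: SecurityPolicy, link_to_target_possible: bool) -> int:
    """Return 1 for Scheme 1 (ranging request sent to the target UE, result
    never passes through the auxiliary device) or 2 for Scheme 2 (request
    sent to the auxiliary device, which therefore sees the result).

    Scheme 1 needs a PC5 or U2U-relay link with the target UE, so the link
    check from the text decides whether Scheme 1 is usable.
    """
    if policy.e2e is E2E.REQUIRED:
        if not link_to_target_possible:
            raise PolicyViolation("E2E required but no link to the target UE")
        return 1
    if policy.e2e is E2E.PREFERRED:
        return 1 if link_to_target_possible else 2
    # NOT_REQUIRED, and (assumption: option D applied to ranging) PREFER_NOT:
    # Scheme 2 only needs the link to the auxiliary device.
    return 2


if __name__ == "__main__":
    # Constructed discovery result: one relay of each kind in range.
    found = [Relay("relay-a", "RSC-L2"), Relay("relay-b", "RSC-L3")]
    for e2e in E2E:
        pol = SecurityPolicy(e2e)
        print(e2e.value, "->", select_relay(pol, found).relay_id,
              "ranging scheme:", select_ranging_scheme(pol, True))
```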
  • the communication method provided in this embodiment performs security control on the user equipment based on the security policy.
  • the security policy is used to indicate whether to use end-to-end security protection for the side chain communication service;
  • the side chain communication service is a communication service between two user equipments based on the side chain, for example, it can be a ProSe communication service or a ranging and positioning service.
  • the user equipment can obtain the security policy from the local storage or from the core network element.
  • the first user device determines the first operation to be performed based on the security policy it obtains: if the security policy indicates that end-to-end security protection is used for the side chain communication service, the first operation is an operation that can support end-to-end security protection between the first user device and the second user device; if the security policy indicates that end-to-end security protection is not used for the side chain communication service, the first operation is an operation that does not support end-to-end security protection between the first user device and the second user device; if the security policy indicates that end-to-end security protection is used preferentially for the side chain communication service, the first operation is an operation that preferentially supports end-to-end security protection between the first user device and the second user device.
  • the following is an example of how the UE obtains a security policy from a core network element, described in conjunction with FIG. 12 and FIG. 13.
  • FIG. 12 is a flowchart of a security policy acquisition method provided in an embodiment of the present application, which may include the following steps:
  • S1201 AS/AF configures E2E security requirements to the core network.
  • the AS and AF are application servers and application functions, respectively.
  • AS/AF corresponds to a specific side chain communication service.
  • the side chain communication service can be a ProSe communication service (including a ProSe relay communication service) or a ranging and positioning service (including an indirect ranging and positioning service).
  • the above AS/AF can be an application server/application function network element of the APP of the side chain communication service, or it can be an application server/application function network element deployed by the network operator specifically serving the side chain communication service.
  • AS/AF can formulate corresponding E2E security requirements for side chain communication services as needed, and then configure the E2E security requirements to the core network.
  • E2E security requirements can be formulated in a variety of different ways.
  • the AS/AF may formulate a unified E2E security requirement for the same type of sidelink communication service.
  • the sidelink communication service may be a ProSe communication service or a ranging and positioning service.
  • the unified E2E security requirement refers to the E2E security requirement that all UEs uniformly follow when using the sidelink communication service.
  • E2E security requirements may include the following options (in actual applications, only two of the options may be provided, and the content of each option is only for example):
  • Option A E2E security must be guaranteed.
  • Option B Prioritize E2E security (or try to ensure E2E security as much as possible).
  • Option C E2E security is not guaranteed.
  • the AS/AF can select one of the three options as the unified E2E security requirement of the ProSe communication service. If option A is selected, it means that all ProSe communication services must ensure E2E security, that is, any two UEs must ensure E2E security between them when performing ProSe communication services. If option B is selected, it means that all ProSe communication services try to ensure E2E security, that is, any two UEs try to ensure E2E security between them when performing ProSe communication services, but if E2E security cannot be guaranteed according to real-time communication conditions (for example, the ProSe communication method that ensures E2E security cannot be performed), it is acceptable not to ensure E2E security of the ProSe communication service. If option C is selected, it means that all ProSe communication services do not need to ensure E2E security, that is, any two UEs do not need to ensure E2E security between them when performing ProSe communication services.
  • the AS/AF may formulate different E2E security requirements for the same type of side chain communication service. Different E2E security requirements may be formulated for different users/user groups under the same type of side chain communication service, and different E2E security requirements may also be formulated for different geographic locations/network locations. When executing such side chain communication services, the UE needs to follow the corresponding E2E security requirements. It should be noted that in addition to specifying corresponding security policies based on granularities such as users, user groups, geographic locations, and network locations, there may be other ways of specifying them, which are not specifically limited in this application.
  • the E2E security requirement specified by AS/AF for a user group of the ProSe application is option A. Therefore, for any user in the user group, the UE corresponding to the user needs to follow option A when executing the side chain communication service, that is, E2E security must be guaranteed when executing the side chain communication service.
  • the E2E security requirement specified by the AS/AF for a specific geographic location is option B. Therefore, for the UE in the specific geographic location, it needs to follow option B when executing the side chain communication service, that is, it is required to ensure E2E security as much as possible when executing the side chain communication service.
  • the AS/AF may configure external service parameters to the core network, where the external service parameters include the above-mentioned E2E security requirements.
  • E2E security requirements can be specified based on a variety of considerations (for example, security, resource occupancy, efficiency, etc.). Taking the ProSe relay communication service as an example, if the security requirements are particularly high, then option A can be selected, that is, E2E security must be guaranteed. For another example, if the security requirements are not particularly strict, and it is expected to ensure E2E security, but a solution that does not ensure E2E security is also acceptable, then option B can be selected, that is, E2E security is prioritized. For another example, if the security requirements are not particularly strict, but the service implementation speed and resource occupancy are more important, then option C can be selected, that is, E2E security is not guaranteed.
  • the ProSe relay communication solution that does not guarantee E2E security is implemented based on the layer 3 relay mechanism. Compared with the layer 2 relay mechanism, it occupies less resources, and the time from triggering the ProSe service requirements to establishing the ProSe relay communication will be shorter and more efficient.
  • an option D may also be set: prefer not to guarantee E2E security (higher efficiency). Therefore, if efficiency is a priority, option D may be selected, which prioritizes the startup efficiency of the ProSe relay communication service at the cost of E2E security.
  • the layer 3 relay mechanism is used first to implement the ProSe relay communication service, and when the layer 3 relay mechanism fails, the layer 2 relay mechanism is used to implement the ProSe relay communication service.
  • S1202 The NEF sends the E2E security requirements from the AS/AF to the UDR for storage.
  • the UDR may store the E2E security requirements in application-specific data.
  • E2E security requirements formulated by AS/AF are described in terms of external service parameters (such as external user ID, external user group ID, and geographic location information).
  • AS/AF specifies corresponding E2E security requirements for different external user IDs/external user group IDs/geographic locations.
  • when the NEF receives the E2E security requirement from the AS/AF, it can replace the external service parameters in the E2E security requirement with the corresponding internal service parameters in the network. For example, the NEF can determine the corresponding SUPI according to the external user identity, determine the corresponding internal group identity according to the external group identity, and determine the corresponding network-internal location information (such as a tracking area (TA) or registration area (RA)) according to the geographical location, thereby replacing all of these external service parameters in the security policy with the corresponding internal service parameters. After completing the replacement, the NEF sends the E2E security requirements to the UDR for storage.
  • the NEF may determine corresponding internal service parameters according to the E2E security requirements sent by the AS/AF, and then send the E2E security requirements and the internal service parameters together to the UDR for storage.
  • the E2E security requirements can also be configured by default on the core network elements (PCF, 5GDDNMF or UDR) instead of coming from AS/AF.
  • S1203 The UE sends a policy request to the core network.
  • the above policy request indicates that the policy of the side chain communication service is to be obtained.
  • the UE obtains the policy of the side chain communication service from the PCF.
  • the side chain communication service can be a ProSe communication service, that is, the UE requests the core network element to obtain the ProSe policy to be used by the ProSe communication service; the side chain communication service can also be a ranging and positioning service, that is, the UE requests the core network element to obtain the policy to be used by the ranging and positioning service.
  • the policy request may indicate all policies (including security policies) to be used for obtaining the side chain communication service, or the policy request may indicate only the security policy to be used for obtaining the side chain communication service.
  • the policy request sent by the UE is passed to the PCF via the AMF.
  • the PCF determines a security policy for the UE and sends the security policy to the UE.
  • the security policy is used to indicate whether to use end-to-end security protection for the side chain communication service.
  • the PCF can determine the policy used by the side chain communication service for the UE according to the data stored in the UDR (including determining the corresponding security policy for the UE according to the E2E security requirements stored in the UDR), and then send these policies together to the UE. It should be understood that the security policy determined by the PCF is delivered to the UE via the AMF.
  • the PCF may determine a corresponding security policy for the UE according to the E2E security requirements stored in the UDR, and then send the security policy to the UE.
  • the PCF obtains the E2E security requirements from the UDR in the above manner to determine the security policy; if the E2E security requirements are configured on the PCF, the PCF can directly determine the security policy based on the locally stored E2E security requirements.
  • the security policy determined by the PCF for the UE must be able to instruct the UE to (must) use end-to-end security protection for the ProSe relay communication service.
  • the specific content of the security policy may be clear indication information, including at least one of the following: (must) use end-to-end security protection for the ProSe relay communication service; (must) use the layer 2 relay mechanism in the ProSe relay communication service; (must) use the relay service identifier of the layer 2 relay service to discover the relay device required in the ProSe relay communication service.
  • the security policy may not be clear indication information.
  • the security policy may include the relay service identifier of the layer 2 relay service but not the relay service identifier of the layer 3 relay service. Therefore, the security policy can also play the same indication role, indicating the use of end-to-end security protection for the ProSe relay communication service.
  • the security policy determined by the PCF for the UE must be able to instruct the UE to give priority to end-to-end security protection for the ProSe relay communication service.
  • the specific content of the security policy may be clear indication information, including at least one of the following: giving priority to end-to-end security protection in the ProSe relay communication service; giving priority to the layer 2 relay mechanism in the ProSe relay communication service; giving priority to the relay service identifier of the layer 2 relay service to discover the relay device required in the ProSe relay communication service.
  • the security policy may not be clear indication information, and the security policy may include priority information, which is used to indicate that the relay service identifier of the layer 2 relay service is used first, so the security policy can also play the same indication role, indicating that end-to-end security protection is used first for the ProSe relay communication service. It should be noted that when the security policy contains the above-mentioned priority information, the security policy may also include the relay service identifier of the layer 2 relay service and/or the relay service identifier of the layer 3 relay service, so the PCF can also configure the above-mentioned relay service identifiers to the UE by sending the security policy to the UE.
  • the security policy determined by the PCF for the UE must be able to instruct the UE not to use end-to-end security protection for the ProSe relay communication service, or to indicate that end-to-end security protection is not used for the side chain communication service.
  • the specific content of the security policy may be clear indication information, including at least one of the following: not using end-to-end security protection for the ProSe relay communication service; not using the layer 2 relay mechanism in the ProSe relay communication service; using the layer 3 relay mechanism in the ProSe relay communication service; using the relay service identifier of the layer 3 relay service to discover the relay device required in the ProSe relay communication service.
  • the security policy may not be clear indication information.
  • the security policy may include the relay service identifier of the layer 3 relay service but not the relay service identifier of the layer 2 relay service. Therefore, the security policy may also play the same indication role, indicating that end-to-end security protection is not used for the ProSe relay communication service.
  • the security policy determined by the PCF for the UE must be able to instruct the UE not to use end-to-end security protection for the ProSe relay communication service.
  • the specific content of the security policy may be clear indication information, including at least one of the following: not to use end-to-end security protection in the ProSe relay communication service; to give priority to the use of the layer 3 relay mechanism in the ProSe relay communication service; to give priority to the use of the relay service identifier of the layer 3 relay service to discover the relay device required in the ProSe relay communication service.
  • the security policy may not be clear indication information.
  • the security policy may include priority information, and the priority information is used to indicate that the relay service identifier of the layer 3 relay service is used first. Therefore, the security policy can also play the same indication role, indicating that end-to-end security protection is not used first for the ProSe relay communication service.
  • the security policy determined by the PCF for the UE must be able to instruct the UE to (must) use end-to-end security protection for the indirect ranging and positioning service.
  • the specific content of the security policy can be clear instruction information, which can include at least one of the following: (must) use end-to-end security protection for the indirect ranging and positioning service; (must) use scheme 1 in the indirect ranging and positioning service; send a ranging request to the target UE in the indirect ranging and positioning service to obtain the ranging result between the auxiliary device and the target UE.
  • the security policy determined by the PCF for the UE must be able to instruct the UE to give priority to end-to-end security protection for the indirect ranging positioning service.
  • the specific content of the security policy can be clear instruction information, which can include at least one of the following: give priority to end-to-end security protection for the indirect ranging positioning service; give priority to scheme 1 in the indirect ranging positioning service; give priority to sending a ranging request to the target UE in the indirect ranging positioning service to obtain the ranging result between the auxiliary device and the target UE.
  • the security policy determined by the PCF for the UE must be able to instruct the UE not to use end-to-end security protection for the indirect ranging positioning service.
  • the specific content of the security policy can be clear instruction information, which can include at least one of the following: not using end-to-end security protection for the indirect ranging positioning service; not using scheme 1 in the indirect ranging positioning service; using scheme 2 in the indirect ranging positioning service; sending a ranging request to the auxiliary device in the indirect ranging positioning service to obtain the ranging result between the auxiliary device and the target UE.
  • the PCF may determine a security policy based on the first user information carried in the policy request of the UE, wherein the first user information may include one or more of the following information: user identifier (such as SUPI), user group identifier (such as an internal group identifier), geographic location, network location, etc.
  • the policy request sent by the UE carries SUPI information, and the PCF determines the security policy based on whether the E2E security requirement corresponding to the user identified by the SUPI is stored locally. If yes, the PCF determines the security policy based on the E2E security requirement and then sends the security policy to the UE.
  • the PCF obtains the second user information, and then determines the security policy according to the second user information and the first user information carried in the policy request.
  • the second user information may include one or more of the following information: user identification (such as SUPI), user group identification (such as internal group identification), geographic location, network location, etc.
  • the second user information is obtained from the second network device, and the second network device may be one or more of an application server, an application function network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
  • the policy request sent by the UE carries SUPI and user group identification information.
  • the PCF determines whether the user data stored in the UDR includes the SUPI. If so, it continues to determine the security policy for it.
  • the PCF finds that the E2E security requirement corresponding to the user group identifier is stored in the UDR, so it determines the security policy based on the E2E security requirement, and then sends the security policy to the UE.
  • the policy request sent by the UE carries SUPI.
  • when the AMF forwards the policy request to the PCF, it also obtains the UE's location information (such as TA or RA information) and sends it to the PCF.
  • PCF determines whether the user data stored in the UDR includes the SUPI. If so, it continues to determine the security policy for it.
  • PCF finds that the E2E security requirements corresponding to the location information are stored in the UDR, so it determines the security policy based on the E2E security requirements, and then sends the security policy to the UE.
  • the UE can store the security policy locally after receiving it, so that the security policy can be used when the UE triggers the side chain communication service demand later. If the current UE has triggered the side chain communication service demand, it can determine to perform corresponding operations according to the security policy after receiving the security policy from the core network element. For the specific content of the UE performing the corresponding operation according to the determination, please refer to the relevant introduction in Figure 10 and/or Figure 11, which will not be repeated here.
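  • As an added illustration (not code from the patent), the following Python model walks through the network-side flow described above: the NEF replacing external service parameters with internal ones before storage in the UDR, and the PCF matching the first user information (SUPI and group identifier from the policy request, TA supplied by the AMF) against the stored E2E security requirements to derive a security policy expressed through relay service identifiers and priority information. The relay service identifiers, the translation tables and the precedence user > group > TA are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class E2ELevel(Enum):
    """The four E2E security requirement levels described for the PCF's security policy."""
    MUST_USE = "must use E2E security protection"
    PREFER_USE = "give priority to E2E security protection"
    PREFER_NOT = "give priority to not using E2E security protection"
    MUST_NOT = "do not use E2E security protection"


# Constructed relay service identifiers; placeholders, not 3GPP-assigned values.
L2_RSC = "RSC-L2-0001"   # relay service identifier of the layer 2 relay service
L3_RSC = "RSC-L3-0001"   # relay service identifier of the layer 3 relay service

# Constructed NEF translation tables (external service parameter -> internal parameter).
EXT_USER_TO_SUPI: Dict[str, str] = {
    "alice@app.example": "imsi-001010000000001",
    "bob@app.example": "imsi-001010000000002",
}
EXT_GROUP_TO_INTERNAL: Dict[str, str] = {"fleet-A": "grp-0001"}
GEO_TO_TA: Dict[str, str] = {"downtown": "TA-0101", "harbour": "TA-0102"}


@dataclass(frozen=True)
class E2ERequirement:
    """One stored requirement: the internal parameter it is keyed on and its level."""
    key: str          # "supi", "group" or "ta"
    value: str
    level: E2ELevel


@dataclass(frozen=True)
class SecurityPolicy:
    """Policy sent to the UE: the configured RSCs plus optional priority information."""
    relay_service_ids: tuple
    priority_rsc: Optional[str]
    level: E2ELevel


def nef_translate(ext_req: dict) -> E2ERequirement:
    """NEF step as modelled here: swap the AS/AF's external parameter for the
    corresponding internal one (SUPI, internal group id, TA) before storing in the UDR."""
    level = ext_req["level"]
    if "external_user_id" in ext_req:
        return E2ERequirement("supi", EXT_USER_TO_SUPI[ext_req["external_user_id"]], level)
    if "external_group_id" in ext_req:
        return E2ERequirement("group", EXT_GROUP_TO_INTERNAL[ext_req["external_group_id"]], level)
    if "geo_location" in ext_req:
        return E2ERequirement("ta", GEO_TO_TA[ext_req["geo_location"]], level)
    raise ValueError("no recognised external service parameter in requirement")


def policy_from_level(level: E2ELevel) -> SecurityPolicy:
    """Encode the level the way the text describes a policy without clear indication:
    only the L2 RSC means E2E is mandatory, only the L3 RSC means E2E is not used, and
    both RSCs plus priority information means one of the two 'give priority' options."""
    if level is E2ELevel.MUST_USE:
        return SecurityPolicy((L2_RSC,), None, level)
    if level is E2ELevel.MUST_NOT:
        return SecurityPolicy((L3_RSC,), None, level)
    if level is E2ELevel.PREFER_USE:
        return SecurityPolicy((L2_RSC, L3_RSC), L2_RSC, level)
    return SecurityPolicy((L2_RSC, L3_RSC), L3_RSC, level)


def pcf_determine_policy(udr: List[E2ERequirement], supi: str,
                         group: Optional[str] = None,
                         ta: Optional[str] = None) -> Optional[SecurityPolicy]:
    """PCF side as modelled here: match the first user information (SUPI and group from
    the policy request, TA supplied by the AMF) against the UDR data. The precedence
    user > group > TA is an assumption of this example; the text fixes no order."""
    stored = {(r.key, r.value): r.level for r in udr}
    for key, value in (("supi", supi), ("group", group), ("ta", ta)):
        if value is not None and (key, value) in stored:
            return policy_from_level(stored[(key, value)])
    return None    # no requirement matches; the text leaves this case to the PCF's defaults


if __name__ == "__main__":
    # Constructed AS/AF requirements, stored in the UDR after NEF translation.
    udr = [nef_translate({"external_user_id": "alice@app.example", "level": E2ELevel.MUST_USE}),
           nef_translate({"external_group_id": "fleet-A", "level": E2ELevel.PREFER_NOT}),
           nef_translate({"geo_location": "harbour", "level": E2ELevel.MUST_NOT})]
    print(pcf_determine_policy(udr, "imsi-001010000000002", "grp-0001", "TA-0102"))
```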
  • FIG. 13 is a flowchart of another security policy acquisition method provided in an embodiment of the present application, which may include the following steps:
  • S1301 The UE registers with the PCF to obtain authorization for the side chain communication service.
  • the side chain communication service is a ProSe communication service (including a ProSe relay communication service) or a ranging and positioning service (including an indirect ranging and positioning service).
  • the UE obtains authorization for the ranging and positioning service from the PCF, and can be authorized as one or more of the source UE, auxiliary UE, and target UE in the ranging and positioning service; or the UE obtains authorization for the ProSe service from the PCF, and can be authorized as one or more of the source UE, relay UE, and target UE in the ProSe service.
  • S1302 The UE requests the DDNMF network element to obtain discovery parameters.
  • when the UE wants to perform a discovery process, it can send a discovery request to the DDNMF to obtain the discovery parameters to be used in the discovery process.
  • the discovery request carries the first user information
  • the first user information includes one or more of the following information: user identification (such as SUPI), user group identification (such as internal group identification), geographic location, network location, etc.
  • DDNMF requests PCF to obtain E2E security requirements corresponding to the UE.
  • the DDNMF may send a request message to the PCF to request to obtain the E2E security requirements corresponding to the UE, and then determine the security policy for the UE according to the E2E security requirements corresponding to the UE.
  • the request message includes part or all of the first user information described in step S1302.
  • after obtaining the discovery request sent by the UE, the DDNMF obtains the first user information corresponding to the UE from the core network. Specifically, the DDNMF may use the SUPI information of the UE to obtain the first user information corresponding to the UE from the AMF or UDR.
  • the PCF determines the E2E security requirements corresponding to the UE, and sends the E2E security requirements corresponding to the UE to the DDNMF.
  • the E2E security requirements are configured on the PCF, so the PCF can determine the security requirements corresponding to the UE according to the locally stored E2E security requirements.
  • the E2E security requirements are stored on the UDR, so the PCF can determine the E2E security requirements corresponding to the UE based on the data stored in the UDR (including the E2E security requirements).
  • the E2E security requirements stored on the UDR can be configured by default or configured by AS/AF. For details, please refer to the relevant introduction in steps S1201 to S1202 in Figure 12, which will not be repeated here.
  • DDNMF determines security policies and discovery parameters for the UE.
  • a security policy can be determined for the UE according to the E2E security requirements.
  • the PCF may further determine the security policy required by the UE, and then send the security policy to the DDNMF. At this time, the DDNMF only needs to determine the discovery parameters.
  • DDNMF sends security policy and discovery parameters to the UE.
  • the UE can execute the corresponding discovery process according to the discovery parameters. If the current UE has not triggered the side chain communication service demand, the UE can store the security policy locally after receiving it, so that the UE can use the security policy when it triggers the side chain communication service demand later. If the current UE has triggered the side chain communication service demand, it can determine to perform corresponding operations according to the security policy after receiving the security policy from the core network element. For the specific content of the UE determining to perform corresponding operations, please refer to the relevant introduction in Figure 10 and/or Figure 11, which will not be repeated here.
  • the method for obtaining the security policy in Figure 12 relies on the process of the UE obtaining the policy from the PCF.
  • the method for obtaining the security policy in Figure 13 relies on the process of UE obtaining discovery parameters from DDNMF, that is, the security policy can be obtained at different times, and the embodiment of the present application does not make specific limitations.
  • the security policy acquisition method of Figure 12 can rely on the process of the user device obtaining the policy of the side chain communication service from the PCF, that is, when the user device requests the policy used by the side chain communication service from the PCF, the PCF can determine the security policy for the user device, and then send the security policy and the other policies used by the side chain communication service to the user device, thereby delivering the security policy together with the other policies of the side chain communication service.
  • the security policy acquisition method of Figure 13 can rely on the process of the user device obtaining discovery parameters from the DDNMF, that is, the user device will send a discovery request to the DDNMF to obtain the discovery parameters during the execution of the discovery process.
  • the DDNMF can carry the security policy in the reply message of the discovery request, thereby realizing the issuance of the security policy to the user device.
  • the user device can also directly request the security policy from the core network element, so that the user device receives the corresponding security policy from the core network element.
  • the security policy corresponding to the user equipment can be pre-configured on the core network element, or it can be generated by the core network element according to the E2E security requirements configured by the AS/AF.
  • the above core network element can refer to one or more of PCF, DDNMF, AMF, UDM, and UDR.
  • the AS/AF can configure unified E2E security requirements for the same type of side-link communication service, or it can configure more refined E2E security requirements within the same type of side-link communication service. For example, it can formulate corresponding E2E security requirements at granularities such as users, user groups, geographic locations, and network locations.
  • the core network element can determine a security policy for the user device based on one or more user information, wherein the above user information can all come from the user device, can all come from the core network element, or can be partly from the user device and partly from the core network element, which is not specifically limited in the embodiments of the present application.
  • the present application divides the functional modules of the communication device according to the above method embodiment.
  • each functional module can be divided according to each function, or two or more functions can be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules. It should be noted that the division of modules in the present application is schematic and is only a logical function division. There may be other division methods in actual implementation.
  • the communication device of the embodiment of the present application will be described in detail below with reference to Figures 14 to 16 as examples.
  • Figure 14 is a structural diagram of a communication device 1400 provided in an embodiment of the present application, including an acquisition module 1401 and a processing module 1402.
  • the acquisition module 1401 is used to acquire a security policy, wherein the security policy is used to indicate whether to use end-to-end security protection for the side chain communication service, and the end-to-end security protection is implemented between two user devices (or apparatuses) corresponding to the side chain communication service.
  • the processing module 1402 is used to determine to execute a first operation according to a security policy, wherein the first operation is used to establish a side chain communication service between the communication device 1400 and a second user equipment.
  • the above security policy indicates the use of end-to-end security protection for the side chain communication service
  • the first operation includes: the communication device 1400 receives a message from at least one relay device, wherein the message of the at least one relay device includes a relay service identifier of a layer 2 relay service; the communication device 1400 establishes a relay link with a first relay device among the at least one relay device, wherein the message of the first relay device received by the communication device 1400 includes the relay service identifier of the layer 2 relay service, and the relay link is used to send service data of the side chain communication service between the communication device 1400 and the second user device.
  • the security policy indicates that end-to-end security protection is not used for the side chain communication service
  • the first operation includes: the communication device 1400 receives a message from at least one relay device, wherein the message of the at least one relay device includes a relay service identifier of a layer 3 relay service; the communication device 1400 establishes a relay connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the communication device 1400 includes a relay service identifier of a layer 3 relay service, and the relay link is used to send service data of the side chain communication service between the communication device 1400 and the second user device.
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the security policy includes priority information, where the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used preferentially.
  • the security policy indicates the use of end-to-end security protection for the side chain communication service
  • the first operation includes: the communication device 1400 sends a first ranging request to the second user equipment through a link with the second user equipment, wherein the first ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the communication device 1400 and the second user equipment.
  • before the communication device 1400 sends the first ranging request to the second user equipment through the link with the second user equipment, the processing module 1402 is further used to determine whether the communication device 1400 can establish a link with the second user equipment; when the communication device 1400 determines that a link can be established with the second user equipment, the processing module 1402 is further used to send the first ranging request to the second user equipment through the link with the second user equipment.
  • the security policy indicates that end-to-end security protection is not used for the side chain communication service
  • the first operation includes: the communication device 1400 sends a second ranging request to the auxiliary device through a direct link with the auxiliary device, wherein the second ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the communication device 1400 and the second user equipment.
  • the communication device 1400 acquires the security policy, which may include: the communication device 1400 receives the security policy from a core network element.
  • the core network element is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  • the security policy is determined by the core network element according to the user information of the communication device 1400, wherein the user information includes one or more of the user identification, user group identification, geographic location, and network location of the communication device 1400.
  • before the communication device 1400 receives the security policy from the core network element, the method further includes: the communication device 1400 sends the above user information to the core network element.
  • the communication device 1400 acquires the security policy, including: the communication device 1400 acquires the security policy stored in the communication device 1400.
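  • As an added illustration (not code from the patent), the following Python model shows the user-equipment side of the first operation described for the communication device 1400: reading the E2E indication out of a security policy (clear indication, priority information, or the set of configured relay service identifiers), selecting a relay device from received discovery messages accordingly, and choosing whether the ranging request goes to the target UE (scheme 1) or the auxiliary device (scheme 2). The identifiers are constructed placeholders; the fallback to scheme 2 when E2E is only preferred and no link to the target can be established, and sending nothing when E2E is mandatory but no link is possible, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RSC:
    """A relay service identifier together with the relay layer it belongs to."""
    code: str
    layer: int     # 2 -> layer 2 relay service (E2E security), 3 -> layer 3 relay service


# Constructed identifiers; placeholders, not 3GPP-assigned values.
L2_RSC = RSC("RSC-L2-0001", 2)
L3_RSC = RSC("RSC-L3-0001", 3)

# Indication values a policy can carry as clear indication information.
E2E_MUST, E2E_PREFER, E2E_PREFER_NOT, E2E_NOT = "must", "prefer", "prefer_not", "not"


@dataclass(frozen=True)
class SecurityPolicy:
    relay_service_ids: Tuple[RSC, ...]   # RSCs configured by the core network element
    priority_rsc: Optional[RSC] = None   # priority information, when present
    explicit: Optional[str] = None       # clear indication, when present (E2E_* above)


@dataclass(frozen=True)
class RelayMessage:
    """A discovery message received from a candidate relay device."""
    relay_id: str
    rsc: RSC


def e2e_indication(policy: SecurityPolicy) -> Optional[str]:
    """Read the policy the way the text describes: a clear indication wins; otherwise
    priority information or the set of configured RSCs carries the same meaning."""
    if policy.explicit is not None:
        return policy.explicit
    if policy.priority_rsc is not None:
        return E2E_PREFER if policy.priority_rsc.layer == 2 else E2E_PREFER_NOT
    layers = {r.layer for r in policy.relay_service_ids}
    if layers == {2}:
        return E2E_MUST
    if layers == {3}:
        return E2E_NOT
    return None   # both RSCs and no priority information: the policy does not decide


def select_relay(policy: SecurityPolicy,
                 messages: List[RelayMessage]) -> Optional[RelayMessage]:
    """ProSe relay case of the first operation: only relays announcing a configured RSC
    are acceptable; with priority information the prioritised RSC is tried first and the
    other RSC is used only when no such relay was discovered."""
    allowed = {r.code for r in policy.relay_service_ids}
    candidates = [m for m in messages if m.rsc.code in allowed]
    if policy.priority_rsc is not None:
        preferred = [m for m in candidates if m.rsc.code == policy.priority_rsc.code]
        if preferred:
            return preferred[0]
    return candidates[0] if candidates else None


def ranging_request_target(policy: SecurityPolicy,
                           link_to_target_possible: bool) -> Optional[str]:
    """Indirect ranging case: with E2E protection the first ranging request goes to the
    target UE over a link with it (scheme 1), after checking that the link can be set up;
    without it the second ranging request goes to the auxiliary device (scheme 2)."""
    ind = e2e_indication(policy)
    if ind == E2E_MUST:
        return "target_ue" if link_to_target_possible else None   # assumption: no fallback
    if ind == E2E_PREFER:
        return "target_ue" if link_to_target_possible else "auxiliary_device"  # assumption
    if ind in (E2E_PREFER_NOT, E2E_NOT):
        return "auxiliary_device"
    return None


if __name__ == "__main__":
    # Constructed discovery messages from two relay devices.
    msgs = [RelayMessage("relay-1", L3_RSC), RelayMessage("relay-2", L2_RSC)]
    prefer_e2e = SecurityPolicy((L2_RSC, L3_RSC), priority_rsc=L2_RSC)
    print(e2e_indication(prefer_e2e), select_relay(prefer_e2e, msgs))
```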
  • the above-mentioned communication device 1400 can correspond to the first user equipment in Figures 10, 11, 12 and/or 13, and is specifically used to implement any embodiment of the communication method of Figures 10 and/or 11. Please refer to the above description for details and no further details will be given here.
  • FIG 15 is a structural diagram of another communication device 1500 provided in an embodiment of the present application, including a transceiver module 1501 and a processing module 1502.
  • the transceiver module 1501 is used to receive a request message sent by a first user equipment, wherein the request message includes first user information of the first user equipment.
  • the processing module 1502 is used to determine a security policy based on the first user information, wherein the security policy is used to indicate whether to use end-to-end security protection for the side chain communication service, and the end-to-end security protection is implemented between the two user devices corresponding to the side chain communication service; the communication device 1500 sends the security policy to the first user device.
  • the side chain communication service is a proximity service communication service based on a relay device, or the side chain communication service is a ranging and positioning service based on an auxiliary device.
  • the side chain communication service is a proximity service communication service based on a relay device
  • the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  • the side chain communication service is a proximity service communication service based on a relay device
  • the security policy includes priority information, wherein the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used first, or the priority information is used to indicate that the relay service identifier of the layer 3 relay service needs to be used first.
  • the communication device 1500 is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  • the first user information includes one or more of a user identifier, a user group identifier, a geographical location, and a network location of the first user device.
  • the processing module 1502 is also used to obtain second user information, wherein the second user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user device; the processing module 1502 is also used to determine the security policy based on the first user information and the second user information.
  • the second user information is obtained by the communication device 1500 from a second network device, wherein the second network device is one or more of an application server, an application function network element, a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  • the above-mentioned communication device 1500 can correspond to the core network element in Figures 10 and/or 11, and can also correspond to the first network device in Figures 12 and/or 13. It is specifically used to implement any embodiment of the method on the first network device side of Figures 12 and/or 13. Please refer to the above description for details; no further details will be given here.
  • FIG 16 is a structural diagram of another communication device 1600 provided in an embodiment of the present application.
  • the communication device 1600 includes a processor 1601, a memory 1602 and a communication interface 1603.
  • the communication device 1600 is specifically used to implement any embodiment of the communication method of Figure 10 or Figure 11, or to implement any embodiment of the first network device side in the security policy acquisition method of Figure 12 or Figure 13.
  • the processor 1601, the memory 1602 and the communication interface 1603 can be connected to each other through an internal bus 1604, and communication can also be achieved through other means such as wireless transmission.
  • the connection through the bus 1604 is taken as an example.
  • the bus 1604 can be a peripheral component interconnect standard (PCI) bus, an extended industry standard architecture (EISA) bus, a unified bus (Ubus or UB), a computer express link (CXL) bus, a cache coherent interconnect for accelerators (CCIX) bus, etc.
  • the bus 1604 can be divided into an address bus, a data bus, a control bus, etc.
  • FIG. 16 shows only one thick line, but this does not mean that there is only one bus or one type of bus.
  • the processor 1601 may be composed of at least one general-purpose processor, such as a central processing unit (CPU), or a combination of a CPU and a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the processor 1601 executes various types of digital storage instructions, such as software or firmware programs stored in the memory 1602, which enables the communication device 1600 to provide a variety of services.
  • the memory 1602 is used to store program codes, and the execution is controlled by the processor 1601.
  • the memory 1602 may include a volatile memory, such as a random access memory (RAM); the memory 1602 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 1602 may also include a combination of the above types.
  • the memory 1602 may store program codes, specifically including program codes for executing any embodiment of the communication method of FIG. 10 or FIG. 11, and may also include program codes for implementing any embodiment of the first network device side in the security policy acquisition method of FIG. 12 or FIG. 13, which will not be described in detail here.
  • the communication interface 1603 may be a wired interface (e.g., an Ethernet interface) or a wireless interface (e.g., a cellular network interface or a wireless LAN interface), or may be an internal interface (e.g., a high-speed serial computer expansion bus (peripheral component interconnect express, PCIe) bus interface).
  • the wired interface or the wireless interface is used to communicate with other devices or modules.
  • this embodiment can be implemented by a general physical server, for example, an ARM server or an X86 server, or it can be implemented by a virtual machine based on a general physical server combined with NFV technology.
  • a virtual machine refers to a complete computer system with complete hardware system functions and running in a completely isolated environment simulated by software, which is not specifically limited in this application.
  • the communication device 1600 shown in FIG. 16 can also be a server cluster composed of at least one server, which is not specifically limited in this application.
  • the communication device 1600 can also be a host, a laptop, a desktop computer, a smart phone, and other devices, which are not specifically limited.
  • FIG. 16 is only a possible implementation of the embodiment of the present application.
  • the communication device 1600 may also include more or fewer components, and the present application does not make specific limitations.
  • An embodiment of the present application further provides a computer-readable storage medium, in which instructions are stored.
  • when the instructions in the computer-readable storage medium are executed on a processor, the method of any embodiment of FIG. 10 or FIG. 11 is implemented.
  • An embodiment of the present application also provides a computer-readable storage medium, in which instructions are stored.
  • when the instructions in the computer-readable storage medium are executed on a processor, the method of any embodiment of FIG. 12 or FIG. 13 is implemented.
  • the embodiment of the present application further provides a computer program product.
  • when the computer program product runs on a processor, the method of any embodiment of FIG. 10 or FIG. 11 is implemented.
  • the embodiment of the present application also provides a computer program product.
  • when the computer program product runs on a processor, the method of any embodiment of FIG. 12 or FIG. 13 is implemented.
  • An embodiment of the present application also provides a chip or a chip system, including: a processor, used to execute the method in any of the aforementioned embodiments (such as Figures 10, 11, 12, and 13).
  • the storage medium can be a disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM), etc.

Abstract

Disclosed in the present application are a communication method, a communication apparatus, and a storage medium. The method comprises: a first user equipment acquiring a security policy, wherein the security policy is used for indicating whether to use end-to-end security protection for a sidelink communication service, and the end-to-end security protection is implemented between two user equipments corresponding to the sidelink communication service; and then, the first user equipment determining, according to the security policy, to execute a first operation, wherein the first operation is used for establishing a sidelink communication service between the first user equipment and a second user equipment. In the embodiments of the present application, on the basis of a security policy, a user equipment, which uses a sidelink communication service, can be provided with better security control.

Description

Communication method, communication apparatus, and storage medium
This application claims priority to the Chinese patent application filed with the China Patent Office on November 7, 2022, with application number 202211383863.2 and entitled "Communication method, communication apparatus, and storage medium", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communication technology, and in particular to a communication method, a communication apparatus, and a storage medium.
Background Art
Proximity-based services (ProSe) communication, also known as short-range service communication, is a typical service scenario in end-to-end (D2D) communication, in which user equipments (UEs) communicate with each other directly. When the source UE and the target UE cannot carry out ProSe communication over a direct link between them, a UE-to-UE relay communication connection can be established through a relay device, so that ProSe communication between the source UE and the target UE is achieved.
At present, there are several different implementation schemes for UE-to-UE relay communication, including layer 2-based relay communication and layer 3-based relay communication. These schemes differ in their security, so how to provide better security control for user equipment has become an urgent problem to be solved.
Summary of the Invention
The present application provides a communication method, a communication apparatus, and a storage medium, which can provide better security control for user equipment that uses a sidelink communication service.
In a first aspect, the present application provides a communication method, comprising: a first user equipment obtains a security policy, wherein the security policy is used to indicate whether end-to-end security protection is used for a sidelink communication service, and the end-to-end security protection is implemented between the two user equipments corresponding to the sidelink communication service; and the first user equipment determines, according to the security policy, to perform a first operation, wherein the first operation is used to establish the sidelink communication service between the first user equipment and a second user equipment.
In this solution, security control over the first user equipment is performed on the basis of the security policy. The first user equipment is a user equipment that needs to use a sidelink communication service; the sidelink communication service is a communication service between two user equipments that is carried over a sidelink, for example a ProSe communication service or a ranging and positioning service; and the security policy indicates whether end-to-end security protection is used for the sidelink communication service. The first user equipment determines the first operation to be performed according to the security policy it has obtained, and the first operation is used to establish the sidelink communication service between the first user equipment (i.e. the source UE) and the second user equipment (i.e. the target UE).
When the security policy indicates that end-to-end security protection is used for the sidelink communication service, the first user equipment determines according to the security policy that the first operation to be performed is an operation that supports end-to-end security protection between the first user equipment and the second user equipment; when the security policy indicates that end-to-end security protection is not used for the sidelink communication service, the first operation is an operation that does not support end-to-end security protection between the first user equipment and the second user equipment; and when the security policy indicates that end-to-end security protection is preferentially used for the sidelink communication service, the first operation is an operation that preferentially supports end-to-end security protection between the first user equipment and the second user equipment.
In other words, the first user equipment performs different operations according to the indication of different security policies, and the different operations provide different degrees of support for end-to-end security protection (supported, not supported, or preferentially supported), so that better and more flexible security control is achieved for the first user equipment.
Based on the first aspect, in a possible implementation, the security policy indicates that end-to-end security protection is used for the sidelink communication service, and the first operation includes: the first user equipment receives messages from at least one relay device, wherein each message from the at least one relay device includes a relay service identifier of a layer 2 relay service; and the first user equipment establishes a connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes the relay service identifier of the layer 2 relay service, and the connection is used to send service data of the sidelink communication service between the first user equipment and the second user equipment.
In this solution, the sidelink communication service specifically refers to a ProSe communication service (that is, a ProSe relay communication service). A ProSe relay communication service can be implemented on the basis of either a layer 2 relay mechanism or a layer 3 relay mechanism; the former can provide end-to-end security protection for the two UEs corresponding to the ProSe relay communication service, while the latter cannot. If the security policy obtained by the first user equipment indicates that end-to-end security protection is used for the sidelink communication service, the first operation that the first user equipment determines to perform needs to support end-to-end security protection in the ProSe relay communication service between the first user equipment and the second user equipment, that is, the first user equipment determines to implement the ProSe relay communication service on the basis of the layer 2 relay mechanism and therefore performs the operations corresponding to the layer 2 relay mechanism, including: the first user equipment establishes a connection with the second user equipment through a layer 2 relay device, and then implements the ProSe relay communication service between the first user equipment and the second user equipment over that connection.
Based on the first aspect, in a possible implementation, the security policy indicates that end-to-end security protection is not used for the sidelink communication service, and the first operation includes: the first user equipment receives messages from at least one relay device, wherein each message from the at least one relay device includes a relay service identifier of a layer 3 relay service; and the first user equipment establishes a relay connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes the relay service identifier of the layer 3 relay service, and the relay connection is used to send service data of the sidelink communication service between the first user equipment and the second user equipment.
In this solution, the sidelink communication service specifically refers to a ProSe communication service (that is, a ProSe relay communication service). A ProSe relay communication service can be implemented on the basis of either a layer 2 relay mechanism or a layer 3 relay mechanism; the former can provide end-to-end security protection for the two UEs corresponding to the ProSe relay communication service, while the latter cannot. If the security policy obtained by the first user equipment indicates that end-to-end security protection is not used for the sidelink communication service, the first operation that the first user equipment determines to perform does not need to support end-to-end security protection in the ProSe relay communication service between the first user equipment and the second user equipment, that is, the first user equipment determines to implement the ProSe relay communication service on the basis of the layer 3 relay mechanism and therefore performs the operations corresponding to the layer 3 relay mechanism, including: the first user equipment establishes a relay connection with the second user equipment through a layer 3 relay device, and then implements the ProSe relay communication service between the first user equipment and the second user equipment over that relay connection.
Based on the first aspect, in a possible implementation, the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
In this solution, the security policy includes the relay service identifier of the layer 2 relay service and/or the relay service identifier of the layer 3 relay service, so that the relay service identifier can be configured on the first user equipment by means of the security policy. In addition, whether end-to-end security protection is to be used for the sidelink communication service can be indicated indirectly by the type of relay service identifier carried in the security policy. For example, assuming that the security policy includes only relay service identifiers: when it includes only the relay service identifier of the layer 2 relay service, the security policy indicates that the relay service identifier of the layer 2 relay service is to be used to discover the relay device required for the ProSe relay communication service, and thereby indirectly indicates that end-to-end security protection is to be used for the ProSe relay communication service; when it includes only the relay service identifier of the layer 3 relay service, the security policy indicates that the relay service identifier of the layer 3 relay service is to be used to discover the relay device required for the ProSe relay communication service, and thereby indirectly indicates that end-to-end security protection is not used for the ProSe relay communication service.
Based on the first aspect, in a possible implementation, the security policy includes priority information, which indicates either that the relay service identifier of the layer 2 relay service is to be used preferentially, or that the relay service identifier of the layer 3 relay mechanism is to be used preferentially.
In this solution, the security policy includes priority information, so that whether end-to-end security protection is to be used for the sidelink communication service can be indicated by the priority information. When the priority information indicates that the relay service identifier of the layer 2 relay service is to be used preferentially, the security policy indirectly indicates that end-to-end security protection is to be used preferentially for the sidelink communication service.
Based on the first aspect, in a possible implementation, the security policy indicates that end-to-end security protection is used for the sidelink communication service, and the first operation includes: the first user equipment sends a first ranging request to the second user equipment over a link with the second user equipment, wherein the first ranging request instructs measurement of the distance and/or angle between the second user equipment and an auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
In this solution, the sidelink communication service specifically refers to a ranging and positioning service (that is, an indirect sidelink positioning service). It should be understood that an indirect sidelink positioning service uses an auxiliary device to achieve ranging/positioning between the source UE and the target UE, and can be implemented in different ways, including a first indirect ranging scheme and a second indirect ranging scheme; see the detailed embodiments in the specification for details. In the first indirect ranging scheme, the source UE sends a ranging request to the target UE over the connection between them, and then receives from the target UE the ranging result between the auxiliary device and the target UE; since the ranging result is not sent via the auxiliary device, this scheme can support end-to-end security protection between the first user equipment and the second user equipment. In the second indirect ranging scheme, the source UE sends a ranging request to the auxiliary UE, and then receives from the auxiliary device the ranging result between the auxiliary device and the target UE; since the ranging result is sent via the auxiliary device, this scheme does not support end-to-end security protection between the first user equipment and the second user equipment. If the security policy obtained by the first user equipment indicates that end-to-end security protection is used for the sidelink communication service, the first operation that the first user equipment determines to perform needs to support end-to-end security protection in the indirect ranging and positioning service between the first user equipment and the second user equipment, that is, the first user equipment determines to use the first indirect ranging scheme for the indirect ranging and positioning service between it and the second user equipment, and therefore determines to perform the actions of the source UE in the first indirect ranging scheme, including: the first user equipment sends a first ranging request to the second user equipment over the link between them, instructing the second user equipment to measure the distance and/or angle between the second user equipment and the auxiliary device; the first user equipment then receives, over that link, the ranging result between the second user equipment and the auxiliary device sent by the second user equipment, from which the distance and/or angle between the first user equipment and the second user equipment can be determined.
Based on the first aspect, in a possible implementation, before the first user equipment sends the first ranging request to the second user equipment over the link with the second user equipment, the method further includes: the first user equipment determines whether a link can be established with the second user equipment; and when the first user equipment determines that a link can be established with the second user equipment, the first user equipment sends the first ranging request to the second user equipment over the link with the second user equipment.
It can be understood that, because in the first indirect ranging scheme the first user equipment and the second user equipment exchange the ranging request and the ranging result over the link between them, and the ranging result is not sent via the auxiliary device, the first indirect ranging scheme requires that a link can be established between the first user equipment and the second user equipment. Therefore, before sending the first ranging request to the second user equipment over that link, the first user equipment needs to determine whether it can establish a link with the second user equipment. If the first user equipment determines that a link can be established with the second user equipment, it sends the first ranging request to the second user equipment over the link with the second user equipment. If the first user equipment determines that a link cannot be established with the second user equipment, the first indirect ranging scheme cannot proceed and its execution fails.
Based on the first aspect, in a possible implementation, the security policy indicates that end-to-end security protection is not used for the sidelink communication service, and the first operation includes: the first user equipment sends a second ranging request to the auxiliary device over a direct link with the auxiliary device, wherein the second ranging request instructs measurement of the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
In this solution, the sidelink communication service specifically refers to a ranging and positioning service (that is, an indirect sidelink positioning service). If the security policy obtained by the first user equipment indicates that end-to-end security protection is not used for the sidelink communication service, the first operation that the first user equipment determines to perform does not need to support end-to-end security protection in the indirect ranging and positioning service between the first user equipment and the second user equipment, that is, the first user equipment determines to use the second indirect ranging scheme for the indirect ranging and positioning service between it and the second user equipment, and therefore determines to perform the actions of the source UE in the second indirect ranging scheme, including: the first user equipment sends a second ranging request to the auxiliary device over the direct link with the auxiliary device, instructing the auxiliary device to measure the distance and/or angle between the second user equipment and the auxiliary device; the first user equipment then receives, over that direct link, the ranging result between the second user equipment and the auxiliary device sent by the auxiliary device, from which the distance and/or angle between the first user equipment and the second user equipment can be determined.
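The two policy-driven choices described above, relay selection by layer 2 or layer 3 relay service identifier in the ProSe relay case and the choice between the first and second indirect ranging scheme, as an added Python example that is not part of the patent; the policy encoding (explicit indicator, relay service identifier lists, priority information), the field names and all identifier values are assumptions.

```python
# Added worked example (not code from the patent): how the first UE (source UE)
# turns the security policy into a concrete first operation.
#
# Assumptions, not from the patent: a security policy is a dict that may carry
# an explicit "e2e" indicator ("use" / "not_use" / "prefer"), lists of layer 2
# and layer 3 relay service identifiers ("l2_rsc" / "l3_rsc"), and optional
# "priority" information ("l2" or "l3"); a relay discovery message is a dict
# with "relay_id" and the "rsc" the relay announces. All identifier values are
# constructed placeholders.
from enum import Enum
from typing import Optional


class E2E(Enum):
    USE = "use"          # use end-to-end protection: layer 2 relay / scheme 1
    NOT_USE = "not_use"  # do not use it: layer 3 relay / scheme 2
    PREFER = "prefer"    # prefer it, fall back if it cannot be provided


# Constructed security policies (placeholder identifiers).
POLICY_EXPLICIT = {"e2e": "use", "l2_rsc": ["RSC-L2-A"], "l3_rsc": ["RSC-L3-A"]}
POLICY_L3_ONLY = {"l3_rsc": ["RSC-L3-A"]}  # indirectly: no e2e protection
POLICY_PRIO_L2 = {"l2_rsc": ["RSC-L2-A"], "l3_rsc": ["RSC-L3-A"], "priority": "l2"}

# Constructed discovery messages received from nearby relay devices.
DISCOVERY = [
    {"relay_id": "relay-1", "rsc": "RSC-L3-A"},
    {"relay_id": "relay-2", "rsc": "RSC-L2-A"},
    {"relay_id": "relay-3", "rsc": "RSC-UNKNOWN"},  # not configured by the policy
]


def derive_e2e(policy: dict) -> E2E:
    """Read the e2e indication: explicit indicator first, then priority
    information, then the type of relay service identifiers carried."""
    if "e2e" in policy:
        return E2E(policy["e2e"])
    priority = policy.get("priority")
    if priority == "l2":
        return E2E.PREFER
    if priority == "l3":
        # Assumption: the text only maps layer 2 priority; layer 3 priority is
        # treated here as "do not use e2e".
        return E2E.NOT_USE
    has_l2 = bool(policy.get("l2_rsc"))
    has_l3 = bool(policy.get("l3_rsc"))
    if has_l2 and not has_l3:
        return E2E.USE
    if has_l3 and not has_l2:
        return E2E.NOT_USE
    raise ValueError("security policy carries no usable e2e indication")


def relay_layer(policy: dict, rsc: str) -> Optional[int]:
    """Classify an announced relay service identifier as layer 2 or layer 3
    using the identifiers configured by the policy; unknown codes are ignored."""
    if rsc in policy.get("l2_rsc", []):
        return 2
    if rsc in policy.get("l3_rsc", []):
        return 3
    return None


def select_relay(policy: dict, messages: list) -> Optional[dict]:
    """ProSe relay case: pick the relay device the first UE connects to.
    Returns {"relay_id", "layer"} or None when no acceptable relay was found
    (e.g. e2e required but only layer 3 relays are announcing)."""
    mode = derive_e2e(policy)
    candidates = {2: [], 3: []}
    for msg in messages:
        layer = relay_layer(policy, msg["rsc"])
        if layer is not None:
            candidates[layer].append(msg["relay_id"])
    order = {E2E.USE: [2], E2E.NOT_USE: [3], E2E.PREFER: [2, 3]}[mode]
    for layer in order:
        if candidates[layer]:
            return {"relay_id": candidates[layer][0], "layer": layer}
    return None


def select_ranging_scheme(policy: dict, can_link_target: bool) -> Optional[int]:
    """Indirect ranging case: 1 = request sent to the target UE over a direct
    link (e2e-capable), 2 = request sent to the auxiliary device, None = the
    e2e-required scheme cannot run because no link to the target exists."""
    mode = derive_e2e(policy)
    if mode is E2E.NOT_USE:
        return 2
    if can_link_target:
        return 1
    # Assumption: "prefer" falls back to scheme 2 when scheme 1 is impossible.
    return 2 if mode is E2E.PREFER else None
```

The None results are the failure cases the text describes: no relay of the required layer announcing, or the first indirect ranging scheme with no link to the target UE.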
Based on the first aspect, in a possible implementation, the first user equipment obtaining the security policy may include: the first user equipment receives the security policy from a core network element.
In this solution, the first user equipment can obtain the security policy from a core network element, that is, the security policy is not configured directly on the first user equipment. The first user equipment can obtain the security policy from the core network element when, or before, it needs to carry out a sidelink communication service, and it can also store the obtained security policy locally, so that when it is needed in future the security policy can be used directly from local storage without being obtained from the core network element again.
Based on the first aspect, in a possible implementation, the core network element is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
Based on the first aspect, in a possible implementation, the security policy is determined by the core network element according to user information of the first user equipment, wherein the user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user equipment.
In other words, the core network element can determine the security policy for the first user equipment according to one or more items of user information related to the first user equipment. This user information may come from the first user equipment, or from the core network element itself or other devices.
Based on the first aspect, in a possible implementation, before the first user equipment receives the security policy from the core network element, the method further includes: the first user equipment sends the above user information to the core network element.
In other words, the first user equipment can actively send its user information to the core network element so that the core network element can determine the security policy for it according to that user information.
Based on the first aspect, in a possible implementation, the first user equipment obtaining the security policy includes: the first user equipment obtains the security policy stored in the first user equipment.
In other words, the security policy may be stored in advance on the first user equipment: it may be pre-configured directly on the first user equipment, or it may have been obtained earlier from a core network element and stored locally. When the first user equipment needs to carry out a sidelink communication service, it can obtain the security policy directly from local storage to determine its subsequent operation.
In a second aspect, the present application provides another communication method, comprising: a first network device receives a request message sent by a first user equipment, wherein the request message includes first user information of the first user equipment; the first network device determines a security policy according to the first user information, wherein the security policy is used to indicate whether end-to-end security protection is used for a sidelink communication service, and the end-to-end security protection is implemented between the two user equipments corresponding to the sidelink communication service; and the first network device sends the security policy to the first user equipment.
In this solution, the first network device is responsible for sending the security policy to the user equipment, and the security policy indicates whether end-to-end security protection is used for the sidelink communication service. When the first network device receives a request message from the first user equipment, it can determine the corresponding security policy for the first user equipment according to the first user information carried in the request message and then send it to the first user equipment, so that the first user equipment can determine, according to the security policy, the operation it uses when establishing the sidelink communication service; this achieves flexible network-side control over the end-to-end security of the user equipment.
Based on the second aspect, in a possible implementation, the sidelink communication service is a proximity service communication service based on a relay device, or the sidelink communication service is a ranging and positioning service based on an auxiliary device.
In other words, the sidelink communication service may be a ProSe relay communication service or an indirect ranging and positioning service.
Based on the second aspect, in a possible implementation, the sidelink communication service is a proximity service communication service based on a relay device, and the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
In other words, when the sidelink communication service is a ProSe relay communication service, the security policy sent by the first network device to the first user equipment may include one or both of the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, so the first network device can configure the relay service identifier on the first user equipment by means of the security policy. Whether end-to-end security protection is to be used for the sidelink communication service can also be indicated indirectly by the type of relay service identifier carried in the security policy. For example, assuming that the security policy includes only relay service identifiers: when it includes only the relay service identifier of the layer 2 relay service, the security policy indicates that the relay service identifier of the layer 2 relay service is to be used to discover the relay device required for the ProSe relay communication service, and thereby indirectly indicates that end-to-end security protection is to be used for the ProSe relay communication service; when it includes only the relay service identifier of the layer 3 relay service, the security policy indicates that the relay service identifier of the layer 3 relay service is to be used to discover the relay device required for the ProSe relay communication service, and thereby indirectly indicates that end-to-end security protection is not used for the ProSe relay communication service.
基于第二方面,在可能的实施方案中,侧链通信业务为基于中继设备的临近服务通信业务,所述安全策略包括优先级信息,其中,优先级信息用于指示层二中继业务的中继服务标识需要被优先使用,或者,优先级信息用于指示层三中继业务的中继服务标识需要被优先使用。Based on the second aspect, in a possible implementation scheme, the side chain communication service is a proximity service communication service based on a relay device, and the security policy includes priority information, wherein the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used first, or the priority information is used to indicate that the relay service identifier of the layer 3 relay service needs to be used first.
在本方案中,安全策略包括优先级信息,从而可以根据安全策略中的优先级信息来指示第一用户设备是否要对它所要执行侧链通信业务使用端到端的安全保护。在上述优先级信息指示层二中继业务的中继服务标识需要被优先使用的情况下,该安全策略即间接指示了要对侧链通信业务优先使用端到端的安全保护。在上述优先级信息指示层三中继业务的中继服务标识需要被优先使用的情况下,该安全策略即间接指示了对侧链通信业务不优先使用端到端的安全保护,即优先使用不支持端到端安全的层三中继机制来建立ProSe中继通信业务。In the present solution, the security policy includes priority information, so that the first user device can be indicated whether to use end-to-end security protection for the side-link communication service it is to perform based on the priority information in the security policy. When the above priority information indicates that the relay service identifier of the layer 2 relay service needs to be used first, the security policy indirectly indicates that end-to-end security protection should be used first for the side-link communication service. When the above priority information indicates that the relay service identifier of the layer 3 relay service needs to be used first, the security policy indirectly indicates that end-to-end security protection should not be used first for the side-link communication service, that is, the layer 3 relay mechanism that does not support end-to-end security should be used first to establish the ProSe relay communication service.
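The two preceding implementations (relay service identifiers as an indirect indication, and priority information) can be combined into one policy-evaluation routine on the user equipment. The following is an added example, not code from the patent; the SecurityPolicy structure, its field names, the ordering used when no priority information is present, and the sample identifier values are assumptions made for this example.

```python
"""Added example (not part of the patent text): how a first user equipment
could act on the security policy described above.  The policy carries relay
service identifiers for the layer 2 relay service (end-to-end protection)
and/or the layer 3 relay service (hop-by-hop protection), optionally with
priority information.  Structure, field names and sample identifier values
are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LAYER2 = "layer2"   # end-to-end security between the two UEs
LAYER3 = "layer3"   # security terminates at the relay (hop by hop)


@dataclass
class SecurityPolicy:
    l2_relay_ids: List[str] = field(default_factory=list)  # layer 2 relay service identifiers
    l3_relay_ids: List[str] = field(default_factory=list)  # layer 3 relay service identifiers
    preferred_layer: Optional[str] = None                   # priority information, if present


def resolve_relay_policy(policy: SecurityPolicy) -> List[Tuple[str, bool, List[str]]]:
    """Return the relay mechanisms the UE may use, most preferred first, as
    (layer, end_to_end_protection, identifiers to use for relay discovery).

    Without priority information the order is the field order, layer 2
    first (an assumption of this example); with priority information the
    preferred layer comes first."""
    candidates: List[Tuple[str, bool, List[str]]] = []
    if policy.l2_relay_ids:
        candidates.append((LAYER2, True, list(policy.l2_relay_ids)))
    if policy.l3_relay_ids:
        candidates.append((LAYER3, False, list(policy.l3_relay_ids)))
    if not candidates:
        raise ValueError("security policy carries no relay service identifier")

    pref = policy.preferred_layer
    if pref is not None:
        if pref not in (LAYER2, LAYER3):
            raise ValueError(f"unknown priority value {pref!r}")
        if pref not in [c[0] for c in candidates]:
            # Priority names a layer for which no identifier was configured:
            # treat the policy as inconsistent rather than silently falling back.
            raise ValueError(f"priority prefers {pref} but no {pref} identifier is present")
        # Stable sort: the preferred layer moves to the front, the other keeps its place.
        candidates.sort(key=lambda c: c[0] != pref)
    return candidates


def uses_e2e_protection(policy: SecurityPolicy) -> bool:
    """The indirect indication described above: end-to-end protection is used
    when the mechanism the UE tries first is the layer 2 relay service."""
    return resolve_relay_policy(policy)[0][1]


def discovery_identifiers(policy: SecurityPolicy) -> List[str]:
    """Relay service identifiers the UE uses for its first discovery attempt."""
    return resolve_relay_policy(policy)[0][2]


if __name__ == "__main__":
    # Constructed sample policies; the identifier strings are placeholders.
    for p in (SecurityPolicy(l2_relay_ids=["RSC-L2-A"]),
              SecurityPolicy(l3_relay_ids=["RSC-L3-A"]),
              SecurityPolicy(["RSC-L2-A"], ["RSC-L3-A", "RSC-L3-B"], LAYER3)):
        print(uses_e2e_protection(p), discovery_identifiers(p))
```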
Based on the second aspect, in a possible implementation, the first network device is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
Based on the second aspect, in a possible implementation, the first user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user equipment.
That is, the first user equipment may send one or more kinds of user information to the first network device, so that the first network device determines the security policy for the first user equipment based on that information.
Based on the second aspect, in a possible implementation, the first network device determining the security policy according to the first user information includes: the first network device obtains second user information, where the second user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user equipment; and the first network device determines the security policy according to the first user information and the second user information.
In this solution, in addition to receiving the first user information uploaded by the first user equipment, the first network device can also obtain second user information and then determine the security policy for the first user equipment based on both the first user information and the second user information. In other words, the information used to determine the security policy can consist of two parts: one from the first user equipment and the other from another device (the first network device itself or a second network device).
Based on the second aspect, in a possible implementation, the second user information is obtained by the first network device from a second network device, where the second network device is one or more of an application server, an application function network element, a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
In a third aspect, the present application provides a communication apparatus, which includes units or modules for executing any implementation of the first aspect above.
In a fourth aspect, the present application provides a communication apparatus, which includes units or modules for executing any implementation of the second aspect above.
In a fifth aspect, an embodiment of the present application provides a communication apparatus including a processor and a memory; the processor and the memory may be connected to each other via a bus or may be integrated together. The processor is configured to read program code stored in the memory so that the apparatus executes the method of any implementation of the first aspect or the second aspect above.
In a sixth aspect, an embodiment of the present application provides a chip or chip system, including a processor configured to execute the method of any implementation of the first aspect or the second aspect above.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, which is used to store implementation code for the method of any implementation of the first aspect or the second aspect above.
In an eighth aspect, an embodiment of the present application provides a computer program (product), which includes program instructions; when the computer program product is executed, it is used to execute the method of any implementation of the first aspect or the second aspect above.
BRIEF DESCRIPTION OF THE DRAWINGS
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of the architecture of a 5G mobile communication system provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of a UE-to-UE relay communication scenario provided in an embodiment of the present application;
FIG. 3 is a schematic flow chart of establishing ProSe communication provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of the protocol stack of a layer 2 relay mechanism provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of the protocol stack of a layer 3 relay mechanism provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a ranging scenario provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of a sidelink positioning scenario provided in an embodiment of the present application;
FIG. 8 is a schematic flow chart of a first indirect ranging solution provided in an embodiment of the present application;
FIG. 9 is a schematic flow chart of a second indirect ranging solution provided in an embodiment of the present application;
FIG. 10 is a schematic flow chart of a communication method provided in an embodiment of the present application;
FIG. 11 is a schematic flow chart of another communication method provided in an embodiment of the present application;
FIG. 12 is a schematic flow chart of a security policy acquisition method provided in an embodiment of the present application;
FIG. 13 is a schematic flow chart of another security policy acquisition method provided in an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a communication apparatus provided in an embodiment of the present application;
FIG. 15 is a schematic structural diagram of another communication apparatus provided in an embodiment of the present application;
FIG. 16 is a schematic structural diagram of another communication apparatus provided in an embodiment of the present application.
DETAILED DESCRIPTION OF EMBODIMENTS
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
It should be noted that the terms used in the embodiments of the present application are for the purpose of describing specific embodiments only and are not intended to limit the present application. The singular forms "a", "said" and "the" used in the embodiments of the present application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to any or all possible combinations of one or more of the associated listed items.
It should also be noted that the user equipment (UE) in the embodiments of the present application may refer to a mobile phone, a smart terminal, a vehicle-mounted terminal, a vehicle-mounted device, a drone, a wearable device, a multimedia device or a streaming media device, etc., and may also refer to an access network device, such as a base station, a relay station, an access point, a vehicle-mounted device or a network side device; the embodiments of the present application do not specifically limit this.
To facilitate understanding of the technical solutions of the embodiments of the present application, some of the technical terms and application scenarios involved in the embodiments are first introduced below.
1. Fifth generation (5G) mobile communication system (5G system, 5GS for short):
Refer to FIG. 1, which is a schematic diagram of the 5GS architecture. The 5GS defined by the 3rd Generation Partnership Project (3GPP) includes an access network (AN) and a core network (CN), and may also include terminals.
The terminal may be a terminal with a transceiver function, or a chip or chip system that can be set in such a terminal. The terminal may also be called user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station (MS), a mobile terminal, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus, etc. The terminal in the embodiments of the present application may be a mobile phone, a cellular phone, a smart phone, a tablet (Pad), a wireless data card, a personal digital assistant (PDA), a wireless modem, a handset, a laptop computer, a machine type communication (MTC) terminal, a computer with a wireless transceiver function, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self driving, an uncrewed aerial vehicle, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a vehicle-mounted terminal, a vehicle-mounted device, a road side unit (RSU) with terminal functions, a wearable device, a multimedia device, a streaming media device, etc. The terminal of the present application may also be a vehicle-mounted module, vehicle-mounted module group, vehicle-mounted component, vehicle-mounted chip or vehicle-mounted unit built into a vehicle as one or more components or units.
The AN implements access-related functions: it can provide network access for authorized users in a specific area, and can determine transmission links of different quality for transmitting user data according to the user level, service requirements, and so on. The AN forwards control signaling and user data between the terminal and the CN. The AN may include access network devices, also called radio access network (RAN) devices. The CN is mainly responsible for maintaining the subscription data of the mobile network and provides the terminal with functions such as session management, mobility management, policy management and security authentication. The CN mainly includes the following: user plane function (UPF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), network slice selection function (NSSF), network exposure function (NEF), network repository function (NRF), policy control function (PCF), unified data management (UDM), unified data repository (UDR), and application function (AF).
As shown in FIG. 1, the UE accesses the 5G network through a RAN device; the UE communicates with the AMF through the N1 interface (N1 for short); the RAN communicates with the AMF through the N2 interface (N2); the RAN communicates with the UPF through the N3 interface (N3); the SMF communicates with the UPF through the N4 interface (N4); and the UPF accesses the data network (DN) through the N6 interface (N6). In addition, the control plane functions shown in FIG. 1, such as the AUSF, AMF, SMF, NSSF, NEF, NRF, PCF, UDM, UDR and AF, interact through service-based interfaces. For example, the service-based interface provided by the AUSF includes Nausf; by the AMF, Namf; by the SMF, Nsmf; by the NSSF, Nnssf; by the NEF, Nnef; by the NRF, Nnrf; by the PCF, Npcf; by the UDM, Nudm; by the UDR, Nudr; and by the AF, Naf.
A RAN device may be a device that provides access for the UE. For example, a RAN device may include an access network device of a next-generation mobile communication system such as 6G, for example a 6G base station; in a next-generation mobile communication system the network device may also be named differently, and all such devices fall within the protection scope of the embodiments of the present application, which does not limit this in any way. Alternatively, a RAN device may include 5G devices, such as a gNB in a new radio (NR) system, or one antenna panel or a group of antenna panels (including multiple antenna panels) of a 5G base station, or a network node that forms a gNB, a transmission and reception point (TRP) or transmission point (TP), or a transmission measurement function (TMF), such as a baseband unit (BBU), a centralized unit (CU) or distributed unit (DU), an RSU with base station functions, a wired access gateway, or the 5G core network. Alternatively, a RAN device may also include an access point (AP) in a wireless fidelity (WiFi) system, a wireless relay node, a wireless backhaul node, macro base stations and micro base stations (also called small cells) of various forms, relay stations, access points, wearable devices, vehicle-mounted devices, and so on.
The UPF is mainly responsible for user data processing (including forwarding, receiving, charging, etc.). For example, the UPF can receive user data from the data network (DN) and forward it to the UE through the access network device; the UPF can also receive user data from the UE through the access network device and forward it to the DN. The DN refers to an operator network that provides data transmission services to users, for example the Internet protocol (IP), IP multimedia service (IMS), the Internet, etc. The DN may be a network external to the operator or a network controlled by the operator, and is used to provide services to the UE. In a protocol data unit (PDU) session, the UPF directly connected to the DN through N6 is also called the PDU session anchor (PSA).
The AUSF is mainly used to perform security authentication of the UE.
The AMF is mainly used for mobility management in the mobile network, such as user location update, user registration with the network, and user handover.
The SMF is mainly used for session management in the mobile network, such as session establishment, modification and release. Specific functions include allocating Internet protocol (IP) addresses to users and selecting the UPF that provides the packet forwarding function.
The PCF mainly provides a unified policy framework to control network behavior, provides policy rules to control plane network functions, and is responsible for obtaining the user subscription information relevant to policy decisions. The PCF can provide policies to the AMF, SMF, etc., such as quality of service (QoS) policies and slice selection policies. In some embodiments, the PCF can provide a UE with proximity services (ProSe) capability with the policy used by the ProSe service, and can provide a UE with ranging/positioning service capability with the policy used by the ranging/positioning service.
The NSSF is mainly used to select network slices for the UE.
The NEF mainly supports the exposure of capabilities and events. For example, the NEF can expose some capabilities of the 5G network to third-party applications through an application program interface (API); a third-party application obtains these capabilities by calling the API provided by the NEF through the AF, so that the third-party application can control certain behavior of the 5G network and the UE.
The UDM is mainly used to store user data, such as subscription data and authentication/authorization data.
The UDR is mainly used to store structured data, which may include subscription data and policy data, structured data exposed externally, and application-related data.
The AF mainly supports interaction with the CN to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side.
It can be understood that the functions mentioned in the embodiments of the present application may also be referred to as functional network elements or functional entities; for example, the UPF may be referred to as the UPF network element, the AMF as the AMF network element, the SMF as the SMF network element, the PCF as the PCF network element, and so on, without limitation.
2. Short-range communication:
With the rapid development of mobile communications, the widespread use of new service types such as video chat, virtual reality (VR) and augmented reality (AR) data services has increased users' demand for bandwidth. Short-range communication, for example device-to-device (D2D) communication, is one solution to this.
D2D communication allows UEs to communicate with each other directly, for example over the PC5 interface (the link over which UEs connect directly through the PC5 interface is also called the sidelink (SL)), carrying information of both the user plane and the control plane. In this way, users can share spectrum resources with other users in the cell under the control of the cell network, effectively improving spectrum utilization. D2D communication includes one-to-many communication and one-to-one communication. One-to-many communication usually corresponds to multicast and broadcast communication, and one-to-one communication usually corresponds to unicast communication. In one-to-one communication, if the sending UE and the receiving UE are within close range, they can communicate directly after discovering each other.
3. Proximity-based services (ProSe) communication:
ProSe communication, also called short-range service communication, is a typical service scenario in D2D communication. ProSe communication can include proximity service direct communication (ProSe direct communication for short), proximity service UE-to-UE relay communication (ProSe U2U relay communication for short), and proximity service UE-to-network relay communication (ProSe U2N relay communication for short). Taking the ProSe U2U relay communication scenario as an example, as shown in FIG. 2, when a source UE needs to transmit data to a target UE through ProSe communication, and the source UE cannot establish a ProSe direct communication link to the target UE because the distance is too great or the signal strength is too weak, the source UE can establish a UE-to-UE relay communication connection (U2U relay connection for short) with the target UE with the assistance of a UE-to-UE relay (the relay UE), thereby realizing ProSe U2U relay communication. For ease of description, ProSe U2U relay communication is hereinafter referred to as ProSe relay communication.
Refer to FIG. 3, which is a schematic flow chart of establishing ProSe communication provided by the present application, including the following steps:
S301: The ProSe UE obtains ProSe parameters.
ProSe parameters are parameters used to implement ProSe communication. They may include a ProSe policy. The ProSe policy may be used to indicate the mechanism by which the source UE accesses the target UE through the relay UE (the access mechanism for short), and the access mechanism may include at least one of the following: the layer 2 (also written layer two or L2) relay mechanism (L2 relay) and the layer 3 (also written layer three or L3) relay mechanism (L3 relay). It should be understood that in the embodiments of the present application, the layer 2 relay mechanism may also be called the layer 2 relay service, and the layer 3 relay mechanism may also be called the layer 3 relay service.
如图4所示,图4为层2的中继机制的协议栈的示意图,其中涉及的协议层包括:因特网协议(internet protocol,IP)协议层、业务数据适配协议(service data adaptation protocol,SDAP)层、分组数据汇聚协 议(packet data convergence protocol,PDCP)层、适配层(adaptation layer,Adapt)、无线链路层控制协议(radio link control,RLC)层、媒体介入控制层(media access control,MAC)层和物理层(physical layer,PHY)层。层2的中继机制是源UE通过层2的中继设备接入目标UE的机制。此时,源UE和目标UE之间的安全为端到端(end-to-end,E2E)的建立在源UE的PDCP层和目标UE的PDCP层之间。中继设备基于ADAPT层中的信息确定如何将源UE的信息转发给目标UE,而不会解析PDCP层(负责对上层信息进行加密等功能),因此中继设备透传源UE和目标UE的PDCP层及PDCP层的上层信息,如源UE与目标UE的单播连接建立控制面信令或PC5单播的用户面数据等。需要额外说明的是,在层2的中继机制中,源UE和中继UE可以建立直连链接,中继UE和目标UE可以建立直连链接,源UE和目标UE可建立直连链接。As shown in FIG4 , FIG4 is a schematic diagram of the protocol stack of the layer 2 relay mechanism, wherein the protocol layers involved include: Internet protocol (internet protocol, IP) protocol layer, service data adaptation protocol (service data adaptation protocol, SDAP) layer, packet data convergence protocol The relay mechanism of layer 2 is a mechanism for the source UE to access the target UE through the relay device of layer 2. At this time, the security between the source UE and the target UE is end-to-end (E2E) and is established between the PDCP layer of the source UE and the PDCP layer of the target UE. The relay device determines how to forward the information of the source UE to the target UE based on the information in the ADAPT layer, and will not parse the PDCP layer (responsible for encrypting the upper layer information, etc.). Therefore, the relay device transparently transmits the PDCP layer of the source UE and the target UE and the upper layer information of the PDCP layer, such as the control plane signaling for the unicast connection between the source UE and the target UE or the user plane data of PC5 unicast. It should be additionally explained that, in the layer 2 relay mechanism, the source UE and the relay UE can establish a direct link, the relay UE and the target UE can establish a direct link, and the source UE and the target UE can establish a direct link.
As shown in Figure 5, a schematic diagram of the protocol stack of the layer 3 relay mechanism, the layer 3 relay mechanism is a mechanism by which the source UE accesses the target UE through a layer 3 relay device. In this case, security between the source UE and the target UE is established in segments (hop by hop): security from the PDCP layer of the source UE to the PDCP layer of the relay device, and security from the PDCP layer of the relay device to the PDCP layer of the target UE. The relay device needs to parse the PDCP layer to determine how to forward control-plane signalling and user-plane data to the target UE, which means the relay UE terminates the security of each hop and handles the forwarded signalling and data in the clear. It should additionally be noted that in the layer 3 relay mechanism, the source UE and the relay UE can establish a direct link, and the relay UE and the target UE can establish a direct link, but the source UE and the target UE can only establish a link, not a direct link. It can be seen that both the layer 2 and the layer 3 relay mechanisms require direct links between the source UE and the relay UE and between the relay UE and the target UE, but, compared with the layer 3 relay mechanism, the layer 2 relay mechanism additionally needs to establish a direct link between the source UE and the target UE. Therefore, compared with implementing the ProSe relay communication service with the layer 3 relay mechanism, implementing it with the layer 2 relay mechanism requires more direct links to be established: overall link establishment is slower, the time from triggering the ProSe relay communication service to ProSe relay communication being established is longer, efficiency is lower, and more user equipment resources are occupied. It should be noted that in the layer 2 relay mechanism, the source UE may be called the source UE of the 5G ProSe layer 2 relay mechanism, the ProSe layer 2 source UE, or the layer 2 source UE. Similarly, in the layer 3 relay mechanism, the source UE may be called the source UE of the 5G ProSe layer 3 relay mechanism, the ProSe layer 3 source UE, or the layer 3 source UE. Likewise, in the layer 2 relay mechanism, the relay device (relay UE) may be called the relay UE of the 5G ProSe layer 2 relay mechanism, the ProSe layer 2 relay UE, or the layer 2 relay UE, and in the layer 3 relay mechanism the relay device (relay UE) may be called the relay UE of the 5G ProSe layer 3 relay mechanism, the ProSe layer 3 relay UE, or the layer 3 relay UE.
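The security difference between the two relay mechanisms, as an added example that is not part of the patent: a toy Python model of the two stacks. The "PDCP protection" here is a stand-in built from HMAC-SHA256 (a keystream plus an authentication tag), not the real PDCP ciphering and integrity algorithms; the adaptation-layer header format, the key names and the message contents are assumptions. A layer 2 relay forwards on the ADAPT header and only ever holds the protected PDCP PDU, so a relay that modifies the PDU is caught by the target UE's integrity check; a layer 3 relay terminates the per-hop security and therefore handles the cleartext.

```python
"""Layer 2 vs layer 3 UE-to-UE relay, modelled as a toy stack (added example).

The PDCP protection is a toy encrypt-then-MAC built from HMAC-SHA256; keys,
identifiers and the adaptation-layer header format are assumptions.
"""
import hashlib
import hmac
import os


class SecurityViolation(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in for the PDCP ciphering algorithm.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pdcp_protect(key: bytes, plaintext: bytes) -> bytes:
    """Toy PDCP PDU layout: nonce (12) || ciphertext || tag (16)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def pdcp_unprotect(key: bytes, pdu: bytes) -> bytes:
    nonce, ct, tag = pdu[:12], pdu[12:-16], pdu[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise SecurityViolation("PDCP integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def adapt_encap(dst_ue: str, pdcp_pdu: bytes) -> bytes:
    """Assumed adaptation-layer header: 8-byte destination UE id, then the PDCP PDU."""
    return dst_ue.encode().ljust(8, b"\0") + pdcp_pdu


def adapt_decap(frame: bytes):
    return frame[:8].rstrip(b"\0").decode(), frame[8:]


def layer2_relay(frame: bytes, relay_view: list) -> bytes:
    """Layer 2 relay: routes on the ADAPT header only and never parses PDCP."""
    dst, pdcp_pdu = adapt_decap(frame)
    relay_view.append(pdcp_pdu)        # everything the relay ever sees: protected bytes
    return adapt_encap(dst, pdcp_pdu)  # same PDU re-encapsulated toward the target


def layer3_relay(pdu_from_src: bytes, k_src_relay: bytes, k_relay_dst: bytes,
                 relay_view: list) -> bytes:
    """Layer 3 relay: per-hop security, so it decrypts, inspects and re-protects."""
    plaintext = pdcp_unprotect(k_src_relay, pdu_from_src)
    relay_view.append(plaintext)       # the relay holds cleartext at this point
    return pdcp_protect(k_relay_dst, plaintext)


def run_layer2(message: bytes):
    """Returns (what the target UE decrypts, whether the relay saw the cleartext)."""
    k_e2e = os.urandom(32)             # shared only between source UE and target UE
    seen = []
    frame = adapt_encap("TARGET", pdcp_protect(k_e2e, message))
    _, pdu = adapt_decap(layer2_relay(frame, seen))
    return pdcp_unprotect(k_e2e, pdu), (message in seen)


def run_layer3(message: bytes):
    k_hop1, k_hop2 = os.urandom(32), os.urandom(32)  # one key per hop
    seen = []
    pdu = layer3_relay(pdcp_protect(k_hop1, message), k_hop1, k_hop2, seen)
    return pdcp_unprotect(k_hop2, pdu), (message in seen)


def run_layer2_tampering(message: bytes) -> bool:
    """A misbehaving layer 2 relay flips one ciphertext byte; True if the target rejects it."""
    k_e2e = os.urandom(32)
    _, pdu = adapt_decap(adapt_encap("TARGET", pdcp_protect(k_e2e, message)))
    tampered = pdu[:12] + bytes([pdu[12] ^ 0x01]) + pdu[13:]
    try:
        pdcp_unprotect(k_e2e, tampered)
        return False
    except SecurityViolation:
        return True


if __name__ == "__main__":
    print("L2:", run_layer2(b"unicast user data"))
    print("L3:", run_layer3(b"unicast user data"))
    print("L2 tamper detected:", run_layer2_tampering(b"unicast user data"))
```

The point for a reviewer of a relay deployment: with layer 3 relaying, the trust placed in the relay UE is the same as the trust placed in either endpoint, since it can read and rewrite every forwarded message; with layer 2 relaying, a compromised relay can at most drop or delay traffic, and any modification fails the end-to-end integrity check.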
The ProSe policy may be used to indicate the mechanism for establishing a PC5 connection (referred to as the PC5 connection mechanism) and the access mechanism described above. For example, the ProSe policy may include a relay service code (RSC), and the RSC may be used to indicate the PC5 connection mechanism and the access mechanism. The relay service code may also be called a relay service identifier.
Optionally, the ProSe parameters obtained by the ProSe UE may come from different sources. For example, the ProSe UE may obtain ProSe parameters from the PCF; these are denoted ProSe parameters 1. For the ProSe policy, the ProSe UE may send a 5G ProSe provisioning request message to the AMF, and this message may include information indicating the UE's 5G ProSe UE-to-UE relay communication capability (ability), for example that the ProSe UE has relay communication capability as a layer 2 source UE or target UE, and/or that the ProSe UE has relay communication capability as a layer 3 source UE or target UE. Having relay communication capability as a layer 2 source UE or target UE means that the UE supports using the layer 2 relay mechanism to communicate with another ProSe UE through a relay UE. Having relay communication capability as a layer 3 source UE or target UE means that the UE supports using the layer 3 relay mechanism to communicate with another ProSe UE through a relay UE.
As another example, the ProSe UE has relay communication capability as a layer 2 relay UE, and/or as a layer 3 relay UE. Having relay communication capability as a layer 2 relay UE means that the UE supports relaying communication between a source UE and a target UE using the layer 2 relay mechanism; having relay communication capability as a layer 3 relay UE means that the UE supports relaying communication between a source UE and a target UE using the layer 3 relay mechanism. The AMF may obtain the ProSe subscription information of the ProSe UE from the UDM and, based on that subscription information, determine whether the ProSe UE has 5G ProSe UE-to-UE relay communication capability; the capability the UE claims is thus checked against its subscription rather than taken on trust. The AMF can then send the 5G ProSe provisioning request message to the PCF, so that the PCF sends the ProSe policy to the ProSe UE through the UE configuration update (UCU) procedure.
The ProSe UE may obtain ProSe parameters from the ProSe application server; these are denoted ProSe parameters 2.
The ProSe UE may also obtain ProSe parameters from its universal integrated circuit card (UICC); these are denoted ProSe parameters 3.
The ProSe UE may further obtain ProSe parameters from its mobile equipment (ME); these are denoted ProSe parameters 4.
Optionally, ProSe parameters from different sources may have different priorities. For example, the usage priority of the ProSe parameters, from high to low, is: ProSe parameters 1, ProSe parameters 2, ProSe parameters 3, ProSe parameters 4. The ProSe UE may decide which set of ProSe parameters to use by going through them in order of priority from high to low; the chosen set is denoted the target ProSe parameters. When ProSe communication is needed, the ProSe UE can determine which PC5 connection mechanism and access mechanism to use according to the target ProSe parameters.
S302: The ProSe UE performs ProSe discovery.
ProSe discovery is used for mutual discovery between the source UE and the relay UE, or between the relay UE and the target UE. TS 23.304 defines two discovery models for ProSe discovery: Model A and Model B.
In Model A, the interacting UEs are the announcing UE and the monitoring UE. After obtaining the ProSe parameters, the announcing UE can actively broadcast a discovery announcement for a specific ProSe service (such as video chat, AR or VR). After obtaining the ProSe parameters, the monitoring UE can actively monitor for announcements of a specific ProSe service. In this way, after receiving the announcement broadcast by the announcing UE, the monitoring UE can determine whether the specific ProSe service indicated in it meets its own needs, and thereby decide whether to continue with the subsequent procedure.
In Model A, in the ProSe discovery scenario the announcing UE may be the relay UE and the monitoring UE may be the source UE. The relay UE may broadcast a discovery announcing message that includes the RSC(s) supported by the relay UE. After receiving the discovery announcing message, the source UE can determine whether the RSC included in it is the RSC required for its ProSe communication (assume the required one is RSC1). If the announcement carries RSC1, the source UE determines that RSC1 is the RSC needed for the ProSe communication it wants to implement and continues with the subsequent steps for that relay device. If the announcement carries RSC2, the source UE determines that RSC2 is not the RSC needed for the ProSe communication and does not perform the subsequent steps for that relay device.
In Model B, the interacting UEs are the discoverer UE and the discoveree UE. After obtaining the ProSe parameters, the discoverer UE can actively broadcast a discovery request for a specific ProSe service. After obtaining the ProSe parameters, the discoveree UE can actively monitor for discovery requests for a specific ProSe service. In this way, after receiving the discovery request broadcast by the discoverer UE, the discoveree UE can determine whether it supports the specific ProSe service indicated in the request. If the discoveree UE supports the ProSe service indicated in the discovery request, it responds to the discoverer UE's request; otherwise, it does not respond. If the discoverer UE receives a response from the discoveree UE, it can continue with the subsequent steps; otherwise, the procedure ends.
In Model B, the discoveree UE may be the relay UE, and the discoverer UE may be the source UE or the target UE. The source UE or target UE may broadcast a discovery request message that includes the RSC required for the ProSe communication, say RSC1 or RSC4. After receiving the discovery request message, the relay UE can determine whether it supports RSC1 or RSC4. If the relay UE determines that it supports RSC1 or RSC4, it responds to the source UE or target UE with a discovery response message indicating that it supports RSC1 or RSC4; otherwise, the relay UE does not respond. For the source UE or target UE, if it receives the discovery response message it can continue with the subsequent steps; otherwise, the procedure ends.
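ProSe parameter selection by source priority (S301) and RSC-based relay discovery in Model A and Model B (S302), as an added example that is not from the patent. The source names, the priority order (PCF first, ME last, as stated above), the RSC values and the dictionary-shaped messages are assumptions; real discovery messages are PC5 discovery PDUs, not Python dictionaries.

```python
"""ProSe parameter selection and RSC-matched relay discovery (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Usage priority from the text, highest first: PCF, application server, UICC, ME.
SOURCE_PRIORITY = ("PCF", "APP_SERVER", "UICC", "ME")


@dataclass(frozen=True)
class ProSeParams:
    source: str      # which of SOURCE_PRIORITY provided this set
    rsc: int         # relay service code the UE will require from a relay
    access: str      # access mechanism the RSC implies, "L2" or "L3" (assumed encoding)


def select_target_params(available: Dict[str, ProSeParams]) -> ProSeParams:
    """Walk the sources from highest to lowest priority; first one present wins."""
    for src in SOURCE_PRIORITY:
        if src in available:
            return available[src]
    raise LookupError("UE holds no ProSe parameters from any source")


@dataclass(frozen=True)
class RelayUE:
    name: str
    supported_rscs: FrozenSet[int]

    def announce(self) -> dict:
        """Model A: the relay UE is the announcing UE and advertises its RSCs."""
        return {"type": "discovery_announcing", "relay": self.name,
                "rsc": sorted(self.supported_rscs)}

    def on_discovery_request(self, req: dict) -> Optional[dict]:
        """Model B: the relay UE is the discoveree; it answers only if an RSC matches."""
        matched = set(req["rsc"]) & self.supported_rscs
        if not matched:
            return None            # no response at all, per the text
        return {"type": "discovery_response", "relay": self.name, "rsc": sorted(matched)}


def model_a_select(params: ProSeParams, announcements: List[dict]) -> List[str]:
    """Monitoring (source) UE keeps only relays whose announcement carries the needed RSC."""
    return [a["relay"] for a in announcements
            if a.get("type") == "discovery_announcing" and params.rsc in a["rsc"]]


def model_b_select(params: ProSeParams, relays: List[RelayUE]) -> List[str]:
    """Discoverer (source or target) UE broadcasts its RSC and collects responders."""
    req = {"type": "discovery_request", "rsc": [params.rsc]}
    responders = []
    for relay in relays:
        resp = relay.on_discovery_request(req)
        # Re-check the RSC in the response rather than trusting any reply blindly.
        if resp is not None and params.rsc in resp["rsc"]:
            responders.append(resp["relay"])
    return responders


if __name__ == "__main__":
    held = {"ME": ProSeParams("ME", 4, "L3"), "PCF": ProSeParams("PCF", 1, "L2")}
    target = select_target_params(held)      # PCF wins over ME
    relays = [RelayUE("R1", frozenset({1, 3})), RelayUE("R2", frozenset({2})),
              RelayUE("R3", frozenset({1, 4}))]
    print("target params:", target)
    print("Model A candidates:", model_a_select(target, [r.announce() for r in relays]))
    print("Model B candidates:", model_b_select(target, relays))
```

Both models end with the same candidate list for the same RSC; the difference is who transmits first and how much a passive listener learns, since in Model A a relay UE announces its RSCs to anyone in range, whereas in Model B it discloses only the RSCs that matched a request.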
S303: The source UE establishes a UE-to-UE relay connection with the target UE through the relay UE.
In the layer 2 relay mechanism, the source UE can establish a PC5 connection with the relay UE through the PC5 connection mechanism, the relay UE can establish a PC5 connection with the target UE through the PC5 connection mechanism, and then the source UE can establish a PC5 connection with the target UE through the PC5 connection mechanism. For the specific implementation principle, refer to the description of step S301, which is not repeated here. In the layer 3 relay mechanism, the source UE can establish a PC5 connection with the relay UE through the PC5 connection mechanism, and the relay UE can establish a PC5 connection with the target UE through the PC5 connection mechanism.
S304: The source UE performs ProSe U2U relay communication with the target UE through the relay UE.
Specifically, the source UE can use the access mechanism described above to perform ProSe U2U relay communication with the target UE through the relay UE. For the specific implementation principle, refer to the description above, which is not repeated here.
4. Ranging services and SL positioning services:
Ranging services and sidelink (SL) positioning services are two services commonly used between UEs.
A ranging service can be used to determine the angle and/or distance between two UEs. Taking Figure 6 as an example, UE1 can receive a ranging service request from a core network function (NF), an application server (AS), an application function (AF) or a third-party UE (3rd party UE or 3rd UE); the request indicates that the distance and/or angle (direction) between UE1 and UE2 needs to be measured and calculated. UE1 (as the source UE) then performs the ranging service with UE2 (as the target UE) based on the request and obtains the corresponding ranging result. It is understood that, besides being triggered to perform the ranging service by a request sent by another node, UE1 can also generate/trigger a ranging need itself and then perform the ranging service with UE2.
A sidelink positioning service can be used to calculate the position of the target UE. Here, sidelink refers specifically to a link between UEs that does not go through the network but is a direct connection over the PC5 interface between the UEs; the sidelink positioning service is implemented on the sidelink. Taking Figure 7 as an example, assume UE1 is the source UE and UE2 is the target UE. UE1 performs the ranging service on UE2 and obtains the corresponding ranging result, which may include measurement data and/or a calculation result (angle and/or position) computed from the measurement data. The location management function (LMF) obtains the position of UE1 and the ranging result between UE1 and UE2, and can then calculate the position of UE2. It is understood that the sidelink positioning service depends on the result of the ranging service.
It should be noted that in the embodiments of the present application, the ranging service and the sidelink positioning service are collectively referred to as the ranging and positioning service. The ranging and positioning service mentioned below may refer to the ranging service, to the sidelink positioning service, or to both. The ranging and positioning service may include two scenarios: direct ranging and positioning, and indirect ranging and positioning.
Direct ranging and positioning refers to a ranging and positioning service that can be performed directly between the source UE and the target UE without the help of an auxiliary device. In the ranging and positioning service scenario, the source UE is the party that needs to measure the distance and/or angle of the target UE relative to itself, and the target UE is the party being measured; the source UE needs to measure the distance, angle (direction) and/or position of the target UE.
Indirect ranging and positioning refers to a ranging and positioning service that requires an auxiliary device to perform ranging and/or positioning between the source UE and the target UE. The auxiliary device provides an assisted ranging function in the indirect ranging service between the source UE and the target UE, and the ranging result between the source UE and the target UE can be determined from the ranging result between the source UE and the auxiliary device together with the ranging result between the auxiliary device and the target UE. For example, when a ranging and positioning service is needed between the source UE and the target UE, if the target UE is outside the signal coverage of the source UE or the communication signal between the two is poor, the source UE cannot perform direct ranging and positioning on the target UE; in that case only indirect ranging and positioning can be used to obtain the ranging result between the source UE and the target UE and implement the ranging and positioning service.
There can be several different schemes for the indirect ranging and positioning service, including a first indirect ranging scheme (Scheme 1 for short) and a second indirect ranging scheme (Scheme 2 for short), which are introduced in turn below.
Referring to Figure 8, which is a schematic flow chart of the first indirect ranging scheme provided by the present application, the scheme may include the following steps:
S801: Authorization and acquisition of the ranging and positioning service policy.
It should be understood that a UE has to go through the registration, authorization, policy acquisition and other procedures related to the ranging and positioning service before it has the capability and the right to implement that service. Specifically, the UE can obtain from the PCF the authorization for the ranging and positioning service (it can be authorized as a source UE or as a target UE), the policy used by the ranging and positioning service, and so on. For example, as shown in Figure 8, both UE1 and UE2 can obtain the authorization and the policy for the ranging and positioning service from the PCF and thereby gain the ranging and positioning service function; here it is assumed that UE1 is authorized as the source UE and UE2 as the target UE.
S802: Device discovery.
Specifically, UE1 can discover UE2 through the discovery procedure and then establish a link with UE2. The discovery model used may be, for example, Model A or Model B (see the description above) and is not specifically limited. The link between UE1 and UE2 may be a direct link, such as a PC5 direct link, or a U2U relay communication link implemented through a relay device. The discovery and selection of such a relay device are not specifically limited here; refer to the related description above.
UE1 also discovers one or more auxiliary devices through the discovery procedure, selects one of them, and establishes a PC5 connection with the selected auxiliary device (called the target auxiliary device), so that the ranging service can be performed between UE1 and the target auxiliary device. UE2 also establishes a PC5 connection with the target auxiliary device, so that the ranging service can be performed between UE2 and the target auxiliary device. It should additionally be noted that the PC5 link established between UE2 and the target auxiliary device may be a direct link or a link established through a UE-to-UE relay (for details refer to the description in 3. Proximity-based services (ProSe) communication above).
Here, an auxiliary device is a device that can provide an assisted ranging function in the indirect ranging and positioning service between UE1 and UE2. The embodiments of the present application do not specifically limit how the auxiliary device is discovered and selected.
For example, UE1 may discover one or more auxiliary devices by executing the discovery procedure; it can select a target auxiliary device from among them and send the information of the target auxiliary device to UE2 over the link between UE1 and UE2. The target auxiliary device may be the one among the discovered auxiliary devices that UE1 discovered first, or the one with the best signal strength to both UE1 and UE2. UE1 and UE2 each establish a PC5 connection with the target auxiliary device, and the indirect ranging service between UE1 and UE2 can then be implemented through that target auxiliary device.
S803: UE1 sends a ranging request to UE2.
As described in step S802, UE1 discovers UE2 through the discovery procedure and establishes a PC5 connection with UE2. So, in step S803, UE1 can send a ranging request to UE2 over that PC5 connection; the ranging request instructs UE2 to perform the ranging service with the auxiliary device in order to obtain the ranging result between UE2 and the auxiliary device.
S804: UE1 and the auxiliary device perform the ranging service.
Specifically, based on the PC5 connection established between UE1 and the auxiliary device, UE1 can perform the ranging service on the auxiliary device and thereby obtain the corresponding measurement data. UE1 performs calculations on that measurement data and obtains the ranging calculation result between UE1 and the auxiliary device (the calculated distance and/or angle between UE1 and the auxiliary device).
It should be noted that the measurement data is not the angle or distance measurement result itself but the data generated during the ranging service, which is used for distance or angle calculation; further calculation on the measurement data is needed to obtain the final angle or distance. For example, when the ranging service is performed between UE1 and the auxiliary device, UE1 can send ranging information to the auxiliary device at a first time instant, the auxiliary device determines that it received the ranging information at a second time instant, then the auxiliary device sends a feedback message to UE1 at a third time instant, the feedback message carrying the timestamp of the third time instant; UE1 determines that it received the feedback message at a fourth time instant, and can then calculate the distance between UE1 and the auxiliary device from the measurement data consisting of the first, second, third and fourth time instants. It should be understood that the ranging process in this example is only illustrative and not limiting; other specific ranging methods are possible.
S805: UE2 and the auxiliary device perform the ranging service.
Specifically, based on the PC5 connection established between UE2 and the auxiliary device, UE2 can perform the ranging service on the auxiliary device and obtain the corresponding ranging result, which may include the measurement data and/or the ranging calculation result computed from the measurement data. That is, UE2 may calculate the distance and/or angle between UE2 and the auxiliary device from the measurement data it obtains, or it may leave the calculation to another party after obtaining the measurement data.
It should be noted that, because the ranging service between UE2 and the auxiliary device and the ranging service between UE1 and the auxiliary device can be performed separately, the execution order of step S804 and step S805 is not limited. For example, step S804 may be performed before step S805, in parallel with step S805, or after step S805.
S806: UE2 sends the ranging result between UE2 and the auxiliary device to UE1.
It should be noted that UE2 sends this ranging result over the link between UE2 and UE1, not to UE1 via the auxiliary device.
The ranging result between UE2 and the auxiliary device may include at least one of the following: the measurement data between UE2 and the auxiliary device, and the ranging calculation result (the calculated angle and/or distance) computed from that measurement data.
For example, UE2 can send the measurement data obtained in step S805 directly to UE1 over the link established between UE1 and UE2, and UE1 then calculates the angle and/or distance between UE2 and the auxiliary device from that measurement data. As another example, UE2 can itself calculate the angle and/or distance between UE2 and the auxiliary device from the measurement data it obtained and send the calculated result to UE1 over the link between UE1 and UE2, so that UE1 does not need to perform that calculation.
It should be noted that the execution order of step S804 and step S806 is not limited. For example, step S804 may be performed before step S806, in parallel with step S806, or after step S806, that is, UE1 may start the ranging service with the auxiliary device only after receiving the ranging result between UE2 and the auxiliary device.
S807: UE1 calculates the ranging result between UE1 and UE2.
Specifically, in step S804 UE1 obtains the ranging result between UE1 and the auxiliary device by performing the ranging service with the auxiliary device, and in step S806 UE1 receives the ranging result between UE2 and the auxiliary device. From these two ranging results, UE1 can calculate the ranging result between UE1 and UE2.
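Steps S804 to S807 worked through in code, as an added example that is not from the patent: a two-way ranging distance computed from the four time instants described under S804, and the composition of the UE1-to-auxiliary-device and UE2-to-auxiliary-device results into the UE1-to-UE2 result of S807. The code assumes that both UEs express their angle as a bearing in one shared reference frame, that the auxiliary device's receive instant (or equivalently its turnaround time) is reported to UE1 along with the third time instant, and that the sample geometry and timestamps are constructed for illustration.

```python
"""Two-way ranging and indirect-ranging composition, scheme 1 (added example)."""
import math
from dataclasses import dataclass

C = 299_792_458.0  # propagation speed, m/s


@dataclass(frozen=True)
class RangingResult:
    distance_m: float
    bearing_rad: float  # direction to the peer, in a frame shared by both UEs (assumed)


def two_way_distance(t1: float, t2: float, t3: float, t4: float) -> float:
    """Distance from the four instants of S804: t1 send, t2 peer receive,
    t3 peer reply, t4 reply received. Round trip minus turnaround, halved."""
    round_trip = t4 - t1
    turnaround = t3 - t2
    if turnaround < 0 or round_trip <= turnaround:
        raise ValueError("inconsistent timestamps")
    return C * (round_trip - turnaround) / 2.0


def compose_indirect(ue1_to_aux: RangingResult, ue2_to_aux: RangingResult) -> RangingResult:
    """S807: UE1->UE2 = (UE1->aux) - (UE2->aux) as 2-D vectors in the shared frame."""
    ax = ue1_to_aux.distance_m * math.cos(ue1_to_aux.bearing_rad)
    ay = ue1_to_aux.distance_m * math.sin(ue1_to_aux.bearing_rad)
    bx = ue2_to_aux.distance_m * math.cos(ue2_to_aux.bearing_rad)
    by = ue2_to_aux.distance_m * math.sin(ue2_to_aux.bearing_rad)
    dx, dy = ax - bx, ay - by
    return RangingResult(math.hypot(dx, dy), math.atan2(dy, dx))


def distance_bounds_without_bearings(d1: float, d2: float):
    """If UE2 reports only a distance (no angle), UE1 can bound but not fix UE1->UE2."""
    return abs(d1 - d2), d1 + d2


def indirect_ranging_demo() -> RangingResult:
    # Constructed geometry: UE1 at (0, 0), auxiliary device at (30, 40), UE2 at (60, 0).
    # UE1 measures the aux device at 50 m, bearing atan2(40, 30);
    # UE2 measures it at 50 m, bearing atan2(40, -30).  Expected UE1->UE2: 60 m, bearing 0.
    tof = 50.0 / C                                  # constructed one-way time of flight
    d1 = two_way_distance(0.0, tof, tof + 4e-7, 2 * tof + 4e-7)   # S804, UE1 <-> aux
    d2 = two_way_distance(0.0, tof, tof + 6e-7, 2 * tof + 6e-7)   # S805, UE2 <-> aux
    ue1_aux = RangingResult(d1, math.atan2(40, 30))
    ue2_aux = RangingResult(d2, math.atan2(40, -30))               # received in S806
    return compose_indirect(ue1_aux, ue2_aux)


if __name__ == "__main__":
    r = indirect_ranging_demo()
    print(f"UE1->UE2: {r.distance_m:.3f} m at {math.degrees(r.bearing_rad):.2f} deg")
    print("bounds with distances only:", distance_bounds_without_bearings(50.0, 50.0))
```

The turnaround term is why the text lists four instants rather than two: without t2 and t3 the auxiliary device's processing delay would be counted as distance, and a device that lies about its turnaround can shift the computed range at will, which is one reason the ranging result UE1 accepts in S806 should come over its own link with UE2 rather than through the auxiliary device.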
Please refer to FIG. 9, which is a schematic flow chart of the second indirect ranging solution provided by the present application; it may include the following steps:
S901: Auxiliary device discovery.
Specifically, the source UE may discover one or more auxiliary devices through a discovery procedure and select one of them; the selected auxiliary device is subsequently used to implement the indirect ranging and positioning service between the source UE and the target UE. An auxiliary device is a device that can provide an assisted ranging function in the indirect ranging and positioning service between the source UE and the target UE. The auxiliary device may establish PC5 connections with the source UE and with the target UE respectively, and assisted ranging is then implemented over those connections.
It should be noted that in the second indirect ranging scheme there may or may not be a direct link between the source UE and the target UE, and there may or may not be a connection established through a relay device (referred to as a UE-to-UE relay connection) between them. In the second indirect ranging scheme, the source UE and the target UE interact neither over a direct link (for example, to exchange indirect-ranging information such as ranging requests and ranging results) nor over a link established through a UE-to-UE relay. The embodiments of the present application do not specifically limit how auxiliary devices are discovered and selected.
It should also be noted that UE authorization and policy acquisition steps likewise precede this step; see S801 for details, which are not repeated here.
S902-S903: The source UE establishes a PC5 connection with the auxiliary device and sends a ranging request to the auxiliary device over that PC5 connection.
The ranging request instructs the auxiliary device to perform a ranging service on the target UE.
S904: Authentication procedure.
Specifically, after receiving the ranging request from the source UE, the auxiliary device may choose to authenticate it in order to determine whether the source UE is authorized to perform the ranging service. If the auxiliary device determines that the source UE is authorized, it responds to the ranging request and the subsequent steps continue. If it determines that the source UE is not authorized, the subsequent steps are not executed.
It should be noted that step S904 is optional: the auxiliary device may authenticate the source UE and execute the subsequent ranging service only after authentication succeeds, or it may execute the subsequent steps directly without authenticating the source UE.
S905: The auxiliary device performs a ranging service with the target UE.
Specifically, over the PC5 connection established between the auxiliary device and the target UE, the auxiliary device performs a ranging service on the target UE and thereby obtains a ranging result between the auxiliary device and the target UE. The ranging result may include measurement data and/or a ranging calculation result computed from the measurement data. In other words, the auxiliary device may compute, from the measurement data it obtains, a ranging calculation result giving the distance and/or angle between the auxiliary device and the target UE; alternatively, it may obtain the measurement data without performing any calculation.
S906: The source UE performs a ranging service with the auxiliary device.
Specifically, over the PC5 connection established between the source UE and the auxiliary device, the source UE may perform a ranging service on the auxiliary device and thereby obtain the corresponding measurement data. From that measurement data the source UE computes the ranging calculation result between the source UE and the auxiliary device (including the distance and/or angle between them).
It should be noted that, because the ranging service between the source UE and the auxiliary device and the ranging service between the auxiliary device and the target UE can be performed independently, the execution order of steps S905 and S906 is not limited. For example, step S906 may be executed before step S905, in parallel with step S905, or after step S905.
S907: The auxiliary device sends the ranging result between the auxiliary device and the target UE to the source UE.
The ranging result between the auxiliary device and the target UE may include at least one of the following: the measurement data between the auxiliary device and the target UE, and a ranging calculation result (including angle and/or distance) computed from that measurement data.
For example, the auxiliary device may send the measurement data it obtained directly to the source UE over the link between the source UE and the auxiliary device, and the source UE then calculates the angle and/or distance between the auxiliary device and the target UE from that measurement data. As another example, the auxiliary device may itself calculate the angle and/or distance between the auxiliary device and the target UE from the measurement data it obtained and then send the calculation result to the source UE over the same link, so that the source UE does not need to perform that calculation.
It should be noted that the execution order of steps S907 and S906 is not limited. For example, step S906 may be executed before step S907, in parallel with step S907, or after step S907; in the last case the source UE starts the ranging service between the source UE and the auxiliary device, to obtain the ranging result between them, only after receiving the ranging result between the auxiliary device and the target UE.
S908: The source UE calculates the ranging result between the source UE and the target UE.
Specifically, in step S906 the source UE obtains the ranging result between the source UE and the auxiliary device by performing the ranging service with the auxiliary device, and in step S907 the source UE receives from the auxiliary device the ranging result between the auxiliary device and the target UE. In step S908 the source UE then calculates the ranging result between the source UE and the target UE from these two ranging results.
As the foregoing shows, in the indirect ranging and positioning scenario between the source UE and the target UE, the source UE needs both the ranging result between the source UE and the auxiliary device (denoted the first ranging result) and the ranging result between the auxiliary device and the target UE (denoted the second ranging result); only by combining the first and second ranging results can it calculate the ranging result between the source UE and the target UE.
In scheme one above, since a connection exists between the target UE and the source UE, the target UE can receive the ranging request from the source UE and, in response, actively perform the ranging service on the auxiliary device, so that the target UE obtains the second ranging result. The target UE can then send the second ranging result directly to the source UE over the connection between them, without passing through the auxiliary device, so the auxiliary device never obtains the second ranging result. It will be understood that a ranging result is location-related information, which is usually privacy-sensitive; because an indirect ranging scheme relies on an auxiliary device, there is a potential risk for UE1 and UE2 of privacy leakage at the auxiliary device. Since the auxiliary device in scheme one does not obtain the second ranging result, this privacy leakage problem does not arise in the indirect ranging service scenario of scheme one, and end-to-end security can be guaranteed in the indirect ranging service between the source UE and the target UE.
In scheme two above, since no connection is established between the source UE and the target UE (it cannot be established or has not yet been established), the source UE chooses to send the ranging request to the auxiliary device, instructing it to perform the ranging service on the target UE. Alternatively, even if a connection exists between the source UE and the target UE, the source UE may still choose scheme two and send the ranging request to the auxiliary device. Based on the ranging request from the source UE, the auxiliary device actively performs the ranging service on the target UE and thereby obtains the second ranging result, which it then sends to the source UE over the connection between them. It will be understood that, because the auxiliary device in scheme two obtains the second ranging result, there is a risk of privacy data leakage at the auxiliary device in the indirect ranging service scenario of scheme two, so end-to-end security cannot be guaranteed in the indirect ranging service between the source UE and the target UE.
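The following Python model is an added illustration of the two indirect ranging schemes just compared; it is not code from the patent or from its applicant. It assumes a 2-D plane with a common angular reference for all devices, combines the first and second ranging results by vector addition (the patent does not prescribe a combination rule), and records which ranging results each node stores, so that the difference in what the auxiliary device learns under scheme one versus scheme two becomes visible. Device positions are constructed sample values.

```python
"""Added example: privacy exposure at the auxiliary device in the two
indirect ranging schemes. Positions, the vector-addition combination rule
and the per-node 'observed' log are assumptions made for this example."""
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RangingResult:
    """Distance in metres and bearing in degrees (common reference frame, assumed)."""
    distance: float
    angle_deg: float


@dataclass
class Device:
    name: str
    x: float
    y: float
    observed: list = field(default_factory=list)  # (peer, result) pairs this node holds

    def measure(self, other: "Device") -> RangingResult:
        """Ranging service performed by self on other. Modelling assumption:
        only the node that runs the ranging service stores the resulting
        distance/angle; the responding node only replies to ranging signals."""
        dx, dy = other.x - self.x, other.y - self.y
        result = RangingResult(math.hypot(dx, dy), math.degrees(math.atan2(dy, dx)) % 360)
        self.observed.append((other.name, result))
        return result


def reverse(r: RangingResult) -> RangingResult:
    """The same leg seen from the other endpoint (aux->target from target->aux)."""
    return RangingResult(r.distance, (r.angle_deg + 180) % 360)


def combine(first: RangingResult, second: RangingResult) -> RangingResult:
    """source->aux plus aux->target, added as 2-D vectors, gives source->target."""
    a1, a2 = math.radians(first.angle_deg), math.radians(second.angle_deg)
    x = first.distance * math.cos(a1) + second.distance * math.cos(a2)
    y = first.distance * math.sin(a1) + second.distance * math.sin(a2)
    return RangingResult(math.hypot(x, y), math.degrees(math.atan2(y, x)) % 360)


def scheme_one(source: Device, aux: Device, target: Device) -> RangingResult:
    """Scheme one: the target ranges the auxiliary device itself and returns
    the second result to the source over their direct link, bypassing aux."""
    first = source.measure(aux)                     # first ranging result
    second = target.measure(aux)                    # second result, held by target
    source.observed.append((target.name, second))   # delivered directly to source
    return combine(first, reverse(second))


def scheme_two(source: Device, aux: Device, target: Device) -> RangingResult:
    """Scheme two: aux ranges the target on the source's request and forwards
    the second result, so aux now holds location data about the target."""
    first = source.measure(aux)
    second = aux.measure(target)                    # second result, held by aux
    source.observed.append((aux.name, second))      # forwarded over aux<->source link
    return combine(first, second)


def aux_holds(aux: Device) -> list:
    """Peers whose ranging results the auxiliary device has stored."""
    return [peer for peer, _ in aux.observed]


def demo(scheme) -> tuple:
    """Run one scheme on constructed positions; returns (result, aux-held peers)."""
    source, aux, target = Device("source", 0, 0), Device("aux", 3, 4), Device("target", 6, 4)
    return scheme(source, aux, target), aux_holds(aux)


if __name__ == "__main__":
    for name, scheme in (("scheme one", scheme_one), ("scheme two", scheme_two)):
        result, held = demo(scheme)
        print(f"{name}: source->target {result.distance:.3f} m @ {result.angle_deg:.2f} deg; "
              f"aux holds results about {held or 'nobody'}")
```

On the constructed positions both schemes yield the same source-to-target result (the true distance from (0,0) to (6,4)), but only under scheme two does the auxiliary device end up holding a ranging result about the target, which is exactly the leakage point the text describes.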
Based on the above, the first embodiment of the communication method provided by the present application is introduced below.
Please refer to FIG. 10, which is a schematic flow chart of a communication method provided in an embodiment of the present application, applied to a ProSe service scenario; it may include the following steps:
S1001: A first user equipment obtains a security policy.
The first user equipment is a user equipment with the ProSe function. For example, an application that provides or requires the ProSe function may be installed on the first user equipment, and the first user equipment has completed the ProSe-related authorization and parameter/policy acquisition procedures with the PCF, so that the first user equipment has the ProSe function.
The security policy indicates whether end-to-end security protection is used for the sidelink communication service. A sidelink communication service is a communication service implemented over a sidelink. In this embodiment, the sidelink communication service refers to the ProSe communication service based on a relay device, that is, the ProSe relay communication service. End-to-end security protection for ProSe relay communication is implemented between the two user equipments corresponding to the ProSe communication service, that is, between the source UE and the target UE of the same ProSe communication service. As described above, ProSe relay communication can be implemented using either a layer 2 relay mechanism or a layer 3 relay mechanism. A layer 2 relay device does not parse the PDCP layer (which is responsible for, among other things, encrypting upper-layer information); it transparently forwards the PDCP layer of the source UE and the target UE together with the information above the PDCP layer. Security between the source UE and the target UE can therefore be established end to end between the PDCP layer of the source UE and the PDCP layer of the target UE, which supports end-to-end security protection for the ProSe relay communication service. A layer 3 relay device, by contrast, needs to parse the PDCP layer, so end-to-end security cannot be established between the source UE and the target UE and end-to-end security protection cannot be supported in the ProSe relay communication service.
Therefore, in the ProSe relay communication scenario, the security policy, which indicates whether end-to-end security protection is used for the sidelink communication service, can further be used to indicate whether the layer 2 relay mechanism is used to establish ProSe relay communication (or, equivalently, whether the layer 3 relay mechanism is used).
If the security policy obtained by the first user equipment indicates that end-to-end security protection is used for ProSe relay communication, the first user equipment may determine, according to that policy, to use the layer 2 relay mechanism to implement ProSe relay communication between itself and other user equipments.
If the security policy indicates that end-to-end security protection is not used for ProSe relay communication, the first user equipment may determine, according to that policy, to use the layer 3 relay mechanism to implement ProSe relay communication between itself and other user equipments. If the security policy indicates that end-to-end security protection is preferentially used for ProSe relay communication, the first user equipment may determine, according to that policy, to use the layer 2 relay mechanism preferentially and, if it determines that the layer 2 relay mechanism cannot be used, to fall back to the layer 3 relay mechanism to implement ProSe relay communication between itself and other user equipments. It should be noted that the embodiments of the present application do not specifically limit the circumstances in which the layer 2 relay mechanism cannot be used; for example, if the first user equipment does not discover any layer 2 relay device within a certain period of time, it determines that the layer 2 relay mechanism cannot be used and tries the layer 3 relay mechanism instead.
If the security policy indicates that end-to-end security protection is preferentially not used for ProSe relay communication (possibly for reasons of efficiency, resource usage and the like), the first user equipment may determine, according to that policy, to use the layer 3 relay mechanism preferentially and, if it determines that the layer 3 relay mechanism cannot be used, to fall back to the layer 2 relay mechanism to implement ProSe relay communication between itself and other user equipments. It should be noted that the embodiments of the present application do not specifically limit the circumstances in which the layer 3 relay mechanism cannot be used; for example, if the first user equipment does not discover any layer 3 relay device within a certain period of time, it determines that the layer 3 relay mechanism cannot be used and tries the layer 2 relay mechanism instead.
In a possible embodiment, the security policy obtained by the first user equipment is stored on the first user equipment.
For example, a user equipment may consist of a mobile equipment (ME) and a universal integrated circuit card (UICC), and the security policy may be pre-configured in the mobile equipment or on the UICC.
It should be understood that UICC is the general term for a smart card with defined physical characteristics. It is a component of the user equipment, used mainly to store user information, authentication keys, short messages, payment methods and other information, and it allows the network to identify the subscriber, store information, register with the network and so on. A UICC may contain several logical modules/applications, such as the subscriber identity module (SIM), the universal subscriber identity module (USIM) and the IP multimedia service identity module (ISIM); these may exist singly or several at the same time. When the security policy is pre-configured in the UICC, it may be pre-configured in any of these logical modules/applications.
In another possible embodiment, the security policy may come from a core network element, which may be one or more of a policy management network element (PCF), a direct discovery name management function (DDNMF), an access management network element (AMF) or a data management network element (UDM/UDR). For example, the first user equipment may actively send a request message, which may carry user information, to the core network element, and then receive the security policy sent by the core network element. Optionally, the user information may include one or more of a user identifier corresponding to the first user equipment (for example, a Subscription Permanent Identifier, SUPI), a user group identifier, a geographic location and a network location.
How the first user equipment obtains the security policy from the core network element, and how the core network element determines the corresponding security policy for the first user equipment, are described in detail with reference to FIG. 12 and FIG. 13 below and are not repeated here.
It should be noted that the embodiments of the present application do not specifically restrict the execution order of step S1001, as long as it is executed before step S1003. For example, step S1001 may be executed before step S1002, in parallel with step S1002, or between steps S1002 and S1003, that is, the first user equipment may obtain the security policy only after it has triggered the relay communication requirement.
S1002: The first user equipment triggers a ProSe relay communication requirement.
It should be noted that the embodiments of the present application do not specifically limit how the first user equipment triggers the ProSe relay communication requirement.
In some possible embodiments, the first user equipment may receive a request from another device and thereby trigger the ProSe relay communication requirement. The other device may be an NF, an AS, an AF, a third UE or the like, without specific limitation.
The request may explicitly indicate ProSe relay communication with the second user equipment (that is, the target UE), in which case the first user equipment can directly trigger the ProSe relay communication requirement according to the received request.
The request may also indicate ProSe communication with the second user equipment without specifying whether it is ProSe direct communication or ProSe relay communication, in which case the first user equipment may, based on that indication, first choose ProSe direct communication with the second user equipment. However, the first user equipment may find that the conditions for ProSe direct communication with the target UE are not met, for example because the target UE is outside the signal range of the source UE or because the communication quality between the source UE and the target UE is not good enough. The first user equipment then determines that it cannot perform ProSe direct communication with the target UE, which triggers the need to communicate with the target UE through a relay device, that is, the ProSe relay communication requirement.
In other possible embodiments, the first user equipment may also trigger the ProSe relay communication requirement by itself.
For example, the user performs a specific operation on the first user equipment (for instance, tapping the video chat button in a ProSe-related app installed on the first user equipment), which triggers the ProSe communication requirement or relay communication requirement of the first user equipment. It should be understood that if what is triggered is a ProSe communication requirement, the first user equipment may also trigger the ProSe relay communication requirement after choosing ProSe direct communication and failing.
S1003:第一用户设备根据安全策略确定执行第一操作,第一操作用于建立第一用户设备与第二用户设备之间的ProSe中继通信业务。S1003: The first user equipment determines to perform a first operation according to a security policy, where the first operation is used to establish a ProSe relay communication service between the first user equipment and the second user equipment.
由前述步骤S1001中的介绍可知,安全策略用于指示是否对ProSe中继通信业务进行端到端的安全保护。第一用户设备根据该安全策略,即确定是否要对自身所要执行的ProSe中继通信业务使用端到端的安全保护。As described in step S1001, the security policy is used to indicate whether to perform end-to-end security protection on the ProSe relay communication service. The first user equipment determines whether to use end-to-end security protection for the ProSe relay communication service to be executed by itself according to the security policy.
若安全策略指示对ProSe中继通信要使用端到端的安全保护,第一用户设备根据该安全策略确定执行第一操作,则该第一操作需要支持在第一用户设备和第二用户设备之间实现端到端的安全保护,此时的第一操作包括:接收来自至少一个中继设备的消息;然后,第一用户设备与所述至少一个中继设备中的第一中继设备建立连接,其中,该第一中继设备为所述至少一个中继设备中的一个中继设备,可以由第一用户设备根据一定条件进行选择(关于中继设备的选择请参见前文相关介绍),第一用户设备接收到的第一中继设备的消息中包括层二中继业务的中继服务标识,上述链接用于发送第一用户设备与第二用户设备之间的ProSe中继通信业务的业务数据。需要说明的是,第一用户设备接收的至少一个中继设备的消息都包括层二中继业务的中继服务标识,或者,第一用户设备接收的至少一个中继设备的消息包括层二中继业务的中继服务标识和层三中继业务的中继服务标识,即第一用户设备可以选择只接收层二中继设备的消息,也可以是层二中继设备和层三中继设备的消息都接受,但是它只会选择层二中继设备来建立第一用户设备与第二用户设备之间的ProSe中继通信。If the security policy indicates that end-to-end security protection is to be used for ProSe relay communication, and the first user equipment determines to perform a first operation according to the security policy, then the first operation needs to support end-to-end security protection between the first user equipment and the second user equipment. The first operation at this time includes: receiving a message from at least one relay device; then, the first user equipment establishes a connection with a first relay device among the at least one relay device, wherein the first relay device is one of the at least one relay device and can be selected by the first user equipment according to certain conditions (for the selection of the relay device, please refer to the relevant introduction in the previous text), and the message from the first relay device received by the first user equipment includes a relay service identifier of the layer 2 relay service, and the above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment. 
It should be noted that the messages of at least one relay device received by the first user device include the relay service identifier of the layer 2 relay service, or the messages of at least one relay device received by the first user device include the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, that is, the first user device can choose to only receive messages from the layer 2 relay device, or it can accept messages from both the layer 2 relay device and the layer 3 relay device, but it will only select the layer 2 relay device to establish the ProSe relay communication between the first user device and the second user device.
也就是说,当第一用户设备根据安全策略确定要对ProSe中继通信使用端到端的安全保护时,就表示要使用层二中继机制与第二用户设备建立ProSe中继通信,从而确定要执行与层2中继业务建立相对应的动作,包括:使用层2中继业务的中继服务代码、发现层2中继设备、与层2中继设备建立连接,等等。也就是说,第一用户设备只会从层2的中继设备中去选择中继设备,从而建立起第一用户设备到第二用户设备之间的U2U中继连接,进而基于该U2U中继连接实现第一用户设备与第二用户设备之间的ProSe中继通信业务,并且能够实现第一用户设备与第二用户设备之间的端到端的安全保护。That is, when the first user equipment determines to use end-to-end security protection for ProSe relay communication according to the security policy, it means to use the layer 2 relay mechanism to establish ProSe relay communication with the second user equipment, thereby determining to perform actions corresponding to the establishment of the layer 2 relay service, including: using the relay service code of the layer 2 relay service, discovering the layer 2 relay device, establishing a connection with the layer 2 relay device, etc. In other words, the first user equipment will only select a relay device from the layer 2 relay devices, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then based on the U2U relay connection, the ProSe relay communication service between the first user equipment and the second user equipment is implemented, and end-to-end security protection between the first user equipment and the second user equipment can be implemented.
若安全策略指示不对ProSe中继通信使用端到端的安全保护,则第一用户设备根据该安全策略确定执行第一操作,则该第一操作不需要支持在第一用户设备和第二用户设备之间实施端到端的安全保护,此时 第一操作的包括:接收来自至少一个中继设备的消息;然后,第一用户设备与所述至少一个中继设备中的第一中继设备建立连接,其中,该第一中继设备为所述至少一个设备中的一个中继设备,可以由第一用户设备根据一定条件进行选择,第一用户设备接收到的第一中继设备的消息中包括层三中继业务的中继服务标识;上述链接用于发送第一用户设备与第二用户设备之间的ProSe中继通信业务的业务数据。If the security policy indicates that end-to-end security protection is not used for ProSe relay communication, the first user equipment determines to perform a first operation according to the security policy, and the first operation does not need to support end-to-end security protection between the first user equipment and the second user equipment. The first operation includes: receiving a message from at least one relay device; then, the first user device establishes a connection with a first relay device among the at least one relay device, wherein the first relay device is a relay device among the at least one device and can be selected by the first user device according to certain conditions, and the message from the first relay device received by the first user device includes a relay service identifier of a layer 3 relay service; the above link is used to send service data of a ProSe relay communication service between the first user device and the second user device.
That is, when the first user equipment determines according to the security policy that end-to-end security protection need not be used for ProSe relay communication, the layer 3 relay mechanism may be used to establish ProSe relay communication with the second user equipment, so the first user equipment determines to perform the actions corresponding to establishing a layer 3 relay service, including: using the relay service code of the layer 3 relay service, discovering layer 3 relay devices, establishing a connection with a layer 3 relay device, and so on. In other words, the first user equipment selects a relay device only from the layer 3 relay devices, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then implements the ProSe relay communication service between them over that U2U relay connection; end-to-end security protection between the first user equipment and the second user equipment cannot be provided in this case. It should be noted that the messages of the at least one relay device received by the first user equipment may all include the relay service identifier of a layer 3 relay service, or they may include both the relay service identifier of a layer 2 relay service and the relay service identifier of a layer 3 relay service; that is, the first user equipment may choose to receive only messages from layer 3 relay devices, or it may accept messages from both layer 2 and layer 3 relay devices, but it will only select a layer 3 relay device to establish the ProSe relay communication between the first user equipment and the second user equipment.
If the security policy indicates that end-to-end security protection is preferentially used for ProSe relay communication, the first user equipment determines to perform the first operation according to the security policy, and the first operation needs to preferentially support end-to-end security protection between the first user equipment and the second user equipment. In this case the first operation includes: receiving a message from at least one relay device; then the first user equipment establishes a relay connection with a first relay device among the at least one relay device, where the message of the first relay device received by the first user equipment includes the relay service identifier of a layer 2 relay service, and the first relay device is one of the at least one relay device and may be selected by the first user equipment according to certain conditions (see the earlier description of relay device selection). Further, if the first user equipment determines that it cannot establish a link with any relay device corresponding to the relay service identifier of a layer 2 relay service, the first user equipment establishes a connection with a second relay device among the at least one relay device, where the message of the second relay device received by the first user equipment includes the relay service identifier of a layer 3 relay service, and the second relay device is one of the at least one relay device and may be selected by the first user equipment according to certain conditions (see the earlier description of relay device selection). The above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment.
That is, when the first user equipment determines according to the security policy that end-to-end security protection is to be used preferentially for ProSe relay communication, the layer 2 relay mechanism is to be used preferentially to establish ProSe relay communication with the second user equipment, so the first user equipment determines to first perform the actions corresponding to establishing a layer 2 relay service, including: using the relay service code of the layer 2 relay service, discovering layer 2 relay devices, establishing a connection with a layer 2 relay device, and so on. When the first user equipment determines that it cannot use the layer 2 relay mechanism to establish ProSe relay communication with the second user equipment, it determines to use the layer 3 relay mechanism instead, and therefore performs the actions corresponding to establishing a layer 3 relay service, including: using the relay service code of the layer 3 relay service, discovering layer 3 relay devices, establishing a connection with a layer 3 relay device, and so on. In other words, the first user equipment preferentially selects a relay device from the layer 2 relay devices, and selects a layer 3 relay device only when no layer 2 relay device can be selected, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then implementing the ProSe relay communication service between them over that U2U relay connection. This method gives priority to end-to-end security protection between the first user equipment and the second user equipment, but still guarantees a link between them when end-to-end security protection cannot be provided, so that the ProSe relay communication service between the first user equipment and the second user equipment can be implemented.
If the security policy indicates that end-to-end security protection is preferentially not used for ProSe relay communication, the first user equipment determines to perform the first operation according to the security policy, and the first operation needs to preferentially support not using end-to-end security protection between the first user equipment and the second user equipment. In this case the first operation includes: receiving a message from at least one relay device; then the first user equipment establishes a relay connection with a first relay device among the at least one relay device, where the message of the first relay device received by the first user equipment includes the relay service identifier of a layer 3 relay service, and the first relay device is one of the at least one relay device and may be selected by the first user equipment according to certain conditions (see the earlier description of relay device selection). Further, if the first user equipment determines that it cannot establish a link with any relay device corresponding to the relay service identifier of a layer 3 relay service, the first user equipment establishes a connection with a second relay device among the at least one relay device, where the message of the second relay device received by the first user equipment includes the relay service identifier of a layer 2 relay service, and the second relay device is one of the at least one relay device and may be selected by the first user equipment according to certain conditions (see the earlier description of relay device selection). The above link is used to send service data of the ProSe relay communication service between the first user equipment and the second user equipment.
That is, when the first user equipment determines according to the security policy that end-to-end security protection is preferentially not to be used for ProSe relay communication, the layer 3 relay mechanism is to be used preferentially to establish ProSe relay communication with the second user equipment, so the first user equipment determines to first perform the actions corresponding to establishing a layer 3 relay service. When the first user equipment determines that it cannot use the layer 3 relay mechanism to establish ProSe relay communication with the second user equipment, it determines to use the layer 2 relay mechanism instead, and therefore performs the actions corresponding to establishing a layer 2 relay service. In other words, the first user equipment preferentially selects a relay device from the layer 3 relay devices, and selects a layer 2 relay device only when no layer 3 relay device can be selected, thereby establishing a U2U relay connection between the first user equipment and the second user equipment, and then implementing the ProSe relay communication service between them over that U2U relay connection. It should be understood that this method gives priority to the layer 3 relay mechanism, possibly for reasons such as service start-up efficiency or resource usage, but still falls back to the layer 2 relay mechanism when the layer 3 relay mechanism cannot be used, so that the ProSe relay communication service between the first user equipment and the second user equipment can be implemented.
The form of the security policy is described below.
In a possible embodiment, the security policy may be explicit indication information.
For example, the security policy may be explicit indication information indicating that end-to-end security protection must be used for the ProSe relay communication service, or that the layer 2 relay mechanism must be used in the ProSe relay communication service, or that the relay service identifier of a layer 2 relay service must be used to discover the relay device required for the ProSe relay communication service.
As another example, the security policy may be explicit indication information indicating that end-to-end security protection is not used for the ProSe relay communication service, or that the layer 2 relay mechanism is not used in the ProSe relay communication service, or that the layer 3 relay mechanism must be used in the ProSe relay communication service, or that the relay service identifier of a layer 3 relay service must be used to discover the relay device required for the ProSe relay communication service.
As another example, the security policy may be explicit indication information indicating that end-to-end security protection is used preferentially for the ProSe relay communication service, or that the layer 2 relay mechanism is used preferentially in the ProSe relay communication service, or that the relay service identifier of a layer 2 relay service is used preferentially to discover the relay device required for the ProSe relay communication service.
In another possible embodiment, the security policy includes the relay service identifier of a layer 2 relay service and/or the relay service identifier of a layer 3 relay service.
For example, the relay service identifier of a layer 2 relay service may be the relay service code of the layer 2 relay service, used to indicate the layer 2 relay mechanism; the relay service identifier of a layer 3 relay service may be the relay service code of the layer 3 relay service, used to indicate the layer 3 relay mechanism.
Where the security policy includes only the relay service identifier of a layer 2 relay service, the security policy indicates that end-to-end security protection is applied to the ProSe relay communication service, that is, the layer 2 relay mechanism is used to establish the ProSe relay communication and the layer 2 relay service identifier is used to discover layer 2 relay devices. Where the security policy includes only the relay service identifier of a layer 3 relay service, the security policy indicates that end-to-end security protection is not applied to the ProSe relay communication service, that is, the layer 3 relay mechanism is used to establish the ProSe relay communication and the layer 3 relay service identifier is used to discover layer 3 relay devices.
In another possible embodiment, the security policy includes priority information.
If the priority information indicates that the relay service identifier of the layer 2 relay service is to be used first, and the first user equipment has not yet used the layer 2 relay service to establish the ProSe relay communication it intends to implement (that is, the ProSe relay communication between the first user equipment and the second user equipment), then the security policy at this point indicates that end-to-end security protection is applied to the ProSe relay communication service, that is, the layer 2 relay mechanism is used to establish the ProSe relay communication. If the priority information indicates that the relay service identifier of the layer 2 relay service is to be used first, and the first user equipment has failed to implement the ProSe relay communication using the layer 2 relay service, then the security policy at this point indicates that end-to-end security protection is not applied to the ProSe relay communication service, that is, the layer 3 relay mechanism is used to establish the ProSe relay communication.
If the priority information indicates that the relay service identifier of the layer 3 relay service is to be used first, and the first user equipment has not yet used the layer 3 relay service to establish the ProSe relay communication it intends to implement (that is, the ProSe relay communication between the first user equipment and the second user equipment), then the security policy at this point indicates that end-to-end security protection is not applied to the ProSe relay communication service, that is, the layer 3 relay mechanism is used to establish the ProSe relay communication. If the priority information indicates that the relay service identifier of the layer 3 relay service is to be used first, and the first user equipment has failed to implement the ProSe relay communication using the layer 3 relay service, then the security policy at this point indicates that end-to-end security protection is applied to the ProSe relay communication service, that is, the layer 2 relay mechanism is used to establish the ProSe relay communication.
It should be noted that, when the security policy includes priority information, the security policy may also include the relay service identifier of a layer 2 relay service and/or the relay service identifier of a layer 3 relay service.
It should also be noted that the specific form of the priority information in the security policy is not limited in the embodiments of the present application. For example, the priority information may be an ordering between the relay service identifier of the layer 2 relay service and the relay service identifier of the layer 3 relay service, where the identifier that comes first is to be used first. As another example, the priority information may be explicit indication information indicating that the relay service identifier of the layer 2 relay service or the relay service identifier of the layer 3 relay service is to be used first.
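The relay selection described in this first embodiment, worked through as an added example (not code from the patent or from any 3GPP implementation): a policy in any of the three forms above (explicit indication, relay service code allow-lists, priority ordering) is reduced to an ordered list of relay layers, and the UE picks the first reachable relay whose discovery message matches. All names (`SecurityPolicy`, `RelayMessage`, `select_relay`) and the relay service codes are assumptions; the discovery messages are constructed.

```python
"""Relay selection driven by a sidelink security policy (added example).

Layer 2 relays preserve end-to-end (UE-to-UE) protection, layer 3 relays do not,
as the text above explains. Class names, the "RSC-L2-*"/"RSC-L3-*" relay service
codes and the sample discovery messages are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class E2E(Enum):
    """Explicit-indication form of the policy."""
    REQUIRED = "required"            # must use end-to-end protection -> L2 only
    FORBIDDEN = "forbidden"          # no end-to-end protection       -> L3 only
    PREFERRED = "preferred"          # L2 first, fall back to L3
    NOT_PREFERRED = "not_preferred"  # L3 first, fall back to L2


@dataclass
class SecurityPolicy:
    """Explicit indication, or RSC allow-lists with an optional priority order."""
    indication: Optional[E2E] = None
    l2_codes: Set[str] = field(default_factory=set)
    l3_codes: Set[str] = field(default_factory=set)
    priority: List[str] = field(default_factory=list)  # e.g. ["L2", "L3"]

    def layer_order(self) -> List[str]:
        """Ordered list of relay layers to try, derived from the policy form."""
        if self.indication is not None:
            return {
                E2E.REQUIRED: ["L2"],
                E2E.FORBIDDEN: ["L3"],
                E2E.PREFERRED: ["L2", "L3"],
                E2E.NOT_PREFERRED: ["L3", "L2"],
            }[self.indication]
        if self.priority:
            return list(self.priority)
        # RSCs only: a single layer present means that layer is mandatory.
        # Both present without a priority: L2 first (assumption, page is silent).
        layers = []
        if self.l2_codes:
            layers.append("L2")
        if self.l3_codes:
            layers.append("L3")
        return layers


@dataclass
class RelayMessage:
    """A discovery message received from a candidate relay (constructed)."""
    relay_id: str
    relay_service_code: str
    layer: str               # "L2" or "L3", as indicated by the RSC
    reachable: bool = True   # whether a link to this relay can be established


def select_relay(policy: SecurityPolicy, messages: List[RelayMessage]) -> Optional[RelayMessage]:
    """Return the first relay satisfying the policy, or None.

    Layers are tried in policy order; within a layer only reachable relays whose
    RSC is on the allow-list (when the policy carries one) are eligible. None is
    the 'L2 required but only L3 relays available' failure case from the text.
    """
    allowed = {"L2": policy.l2_codes, "L3": policy.l3_codes}
    for layer in policy.layer_order():
        for msg in messages:
            if msg.layer != layer or not msg.reachable:
                continue
            if allowed[layer] and msg.relay_service_code not in allowed[layer]:
                continue
            return msg
    return None


def e2e_protected(policy: SecurityPolicy, messages: List[RelayMessage]) -> Optional[bool]:
    """True if the chosen relay preserves end-to-end protection (L2), None if no relay."""
    chosen = select_relay(policy, messages)
    return None if chosen is None else chosen.layer == "L2"


# Constructed discovery messages: one L3 relay, one unreachable L2 relay, one L2 relay.
SAMPLE_MESSAGES = [
    RelayMessage("relay-a", "RSC-L3-1", "L3"),
    RelayMessage("relay-b", "RSC-L2-1", "L2", reachable=False),
    RelayMessage("relay-c", "RSC-L2-2", "L2"),
]

if __name__ == "__main__":
    for ind in E2E:
        chosen = select_relay(SecurityPolicy(indication=ind), SAMPLE_MESSAGES)
        print(ind.value, "->", chosen.relay_id if chosen else None)
```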
The second embodiment of the communication method provided by the present application is described below.
Refer to FIG. 11, which is a flow chart of another communication method provided in an embodiment of the present application, used in a ranging and positioning service scenario; it may include the following steps:
S1101: The first user equipment obtains a security policy.
The first user equipment is a user equipment with ranging and positioning service functions. For example, an application providing ranging and positioning service functions may be installed on the first user equipment, and the first user equipment has completed the authorization, parameter/policy acquisition and other procedures related to the ranging and positioning service with the PCF, so that the first user equipment is capable of the ranging and positioning service.
The above security policy is used to indicate whether end-to-end security protection is used for the sidelink communication service.
In this embodiment, the sidelink communication service refers to the ranging and positioning service based on an assistant device, that is, the indirect ranging and positioning service. It should be understood that end-to-end security protection for an indirect ranging and positioning service is implemented between the two user equipments corresponding to that service, that is, between the source UE and the target UE of the same ranging and positioning service. As described earlier, the indirect ranging and positioning service can be implemented through Scheme 1 or Scheme 2 (see the earlier description for details). Because the assistant device in Scheme 1 does not obtain the ranging result between the assistant device and the target UE (which is privacy-sensitive information for the source UE and the target UE), there is no risk of the assistant device leaking that information, so Scheme 1 supports end-to-end security protection for the indirect ranging and positioning service. Because the assistant device in Scheme 2 does obtain the ranging result between the assistant device and the target UE, the ranging result may be leaked at the assistant device, which is a privacy risk, so Scheme 2 does not support end-to-end security protection for the indirect ranging and positioning service.
Therefore, in the indirect ranging and positioning scenario, the security policy indicates whether end-to-end security protection is used for the indirect ranging and positioning service, and can further indicate whether Scheme 1 or Scheme 2 is used for that service. If the security policy obtained by the first user equipment indicates that end-to-end security protection is used for the indirect ranging and positioning service, the first user equipment may determine, according to the security policy, to use Scheme 1 to implement the indirect ranging and positioning service between itself and other user equipments. If the security policy indicates that end-to-end security protection is not used for the indirect ranging and positioning service, the first user equipment may determine, according to the security policy, to use Scheme 2 to implement that service. If the security policy indicates that end-to-end security protection is used preferentially for the indirect ranging and positioning service, the first user equipment may determine, according to the security policy, to use Scheme 1 preferentially, and to use Scheme 2 only when it determines that Scheme 1 cannot implement the indirect ranging and positioning service.
In a possible embodiment, the security policy obtained by the first user equipment is stored on the first user equipment. For the details of this embodiment, refer to the description of step S1001, which is not repeated here.
In another possible embodiment, the security policy may come from a core network element, which may be one or more of a policy management element, a direct communication discovery name management element, an access management element, or a data management element. For the details of this embodiment, also refer to the description of step S1001, which is not repeated here.
It should be noted that the embodiment of the present application does not impose a specific restriction on the execution order of step S1101, as long as it is executed before step S1103. For example, step S1101 may be executed before step S1102, in parallel with step S1102, or between step S1102 and step S1103.
S1102: The first user equipment triggers an indirect ranging and positioning service demand.
It should be noted that the embodiment of the present application does not specifically limit how the first user equipment triggers the indirect ranging and positioning service demand.
In some possible embodiments, the first user equipment may receive a request from another device and thereby trigger the indirect ranging and positioning service demand. The other device may be an NF, AS, AF or 3rd UE, etc., without specific limitation.
The request may explicitly instruct the first user equipment to perform an indirect ranging and positioning service with the second user equipment (that is, the target UE), in which case the first user equipment directly triggers the indirect ranging and positioning service demand according to the received request.
The request may also indicate a demand to perform a ranging and positioning service with the second user equipment without specifying whether it is direct or indirect; in that case the first user equipment, following the indication of the request, may first choose to perform direct ranging and positioning with the second user equipment. However, the first user equipment may find that the conditions for direct ranging and positioning with the target UE are not met, for example because the target UE is outside the signal range of the source UE, the communication quality between the source UE and the target UE is not good enough, or the source UE and the target UE cannot establish a PC5 link. The first user equipment then determines that it cannot perform direct ranging and positioning with the target UE, which triggers the demand for indirect ranging and positioning with the target UE through an assistant device, that is, the indirect ranging and positioning service demand.
In some other possible embodiments, the first user equipment may itself trigger the indirect ranging and positioning service demand.
For example, the user performs a specific operation on the first user equipment (for instance, the user taps the ranging button in an app related to the ranging and positioning service installed on the first user equipment), which triggers the ranging and positioning service demand or the indirect ranging and positioning service demand of the first user equipment. It should be understood that, if what is triggered is a ranging and positioning service demand, the first user equipment may also have attempted direct ranging and positioning, failed, and then triggered the indirect ranging and positioning service demand.
S1103: The first user equipment determines, according to the security policy, to perform a first operation, where the first operation is used to establish an indirect ranging and positioning service between the first user equipment and the second user equipment.
As described in step S1101, the security policy indicates whether end-to-end security protection is used for the indirect ranging and positioning service. According to the security policy, the first user equipment determines whether to use end-to-end security protection for the indirect ranging and positioning service it is about to perform.
If the security policy indicates that end-to-end security protection is used for the indirect ranging and positioning service, the first user equipment determines to perform the first operation according to the security policy, and the first operation needs to support end-to-end security protection between the first user equipment and the second user equipment. In this case the first operation includes: the first user equipment sends a first ranging request to the second user equipment through the link between them, where the first ranging request instructs measurement of the distance and/or angle between the second user equipment and the assistant device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment. It should be noted that the link between the first user equipment and the second user equipment includes a PC5 direct link and/or a link through a U2U relay.
That is, when the first user equipment determines according to the security policy that end-to-end security protection is to be used for the indirect ranging and positioning service, the first user equipment uses Scheme 1 to implement the indirect ranging and positioning service with the second user equipment, and therefore performs the actions corresponding to the source UE in Scheme 1 (see the embodiment of FIG. 8 for details), including at least one of: establishing a link with the target UE (that is, the second user equipment), sending the first ranging request to the target UE through that link, receiving the ranging result between the target UE and the assistant device sent by the target UE, and so on. In other words, the first user equipment sends the first ranging request to the second user equipment through the link between them to instruct the second user equipment to perform ranging against the assistant device; the first user equipment can then receive, through that link, the ranging result between the second user equipment and the assistant device sent by the second user equipment, and from it determine the ranging result between the first user equipment and the second user equipment, completing the indirect ranging and positioning service between them.
It can be understood that in this case the ranging result is not sent via the assistant device, which avoids the risk of privacy leakage and achieves end-to-end security protection between the first user equipment and the second user equipment.
If the security policy indicates that end-to-end security protection is not used for the indirect ranging and positioning service, the first user equipment determines to perform the first operation according to the security policy, and the first operation does not need to support end-to-end security protection between the first user equipment and the second user equipment. In this case the first operation includes: the first user equipment sends a second ranging request to the assistant device through a direct link with the assistant device, where the second ranging request instructs measurement of the distance and/or angle between the second user equipment and the assistant device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
That is, when the first user equipment determines according to the security policy that end-to-end security protection is not to be used for the indirect ranging and positioning service, the first user equipment uses Scheme 2 (see the embodiment of FIG. 9 for details) to implement the indirect ranging and positioning service with the second user equipment, and therefore performs the actions corresponding to the source UE in Scheme 2, including at least one of: establishing a link with the assistant device, sending the second ranging request to the assistant device through that link, receiving the ranging result between the target UE and the assistant device sent by the assistant UE, and so on. In other words, the first user equipment sends the second ranging request to the assistant device through the link between them to instruct the assistant device to perform ranging against the second user equipment, rather than instructing the second user equipment to perform ranging against the assistant device; accordingly, the first user equipment can receive, through that link, the ranging result between the assistant device and the second user equipment sent by the assistant device, and from it determine the ranging result between the first user equipment and the second user equipment, completing the indirect ranging and positioning service between them.
It can be understood that the ranging result between the assistant device and the second user equipment must be sent to the first user equipment via the assistant device, so for the first user equipment and the second user equipment performing the indirect ranging service there is a risk of privacy leakage at the assistant device, and end-to-end security protection between the first user equipment and the second user equipment cannot be achieved.
若安全策略指示优先对间接测距定位业务使用端到端的安全保护,第一用户设备根据该安全策略确定执行第一操作,则该第一操作需要优先支持在第一用户设备和第二用户设备之间实现端到端的安全保护,此时的第一操作包括:第一用户设备通过与第二用户设备的链接向第二用户设备发送第一测距请求,其中,所述第一测距请求指示测量第二用户设备与辅助设备的距离和/或角度,第一测距请求的测距结果用于确定第一用户设备与第二用户设备的距离和/或角度,进一步的,如果第一用户设备执行方案一失败(例如,第一用户设备与第二用户设备之间无法建立链接,导致第一用户设备无法向第二用户设备发送第一测距请求),则第一用户设备再使用方案二,向辅助设备发送第二测距请求,所述第二测距请求指示测量辅助设备与第二用户设备之间的距离和/或角度,进而实现第一用户设备与第二用户设备之间的间接测距定位业务。If the security policy indicates that end-to-end security protection is preferentially used for the indirect ranging positioning service, and the first user equipment determines to perform the first operation according to the security policy, then the first operation needs to preferentially support end-to-end security protection between the first user equipment and the second user equipment. At this time, the first operation includes: the first user equipment sends a first ranging request to the second user equipment through a link with the second user equipment, wherein the first ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary equipment, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment. Further, if the first user equipment fails to execute solution one (for example, a link cannot be established between the first user equipment and the second user equipment, resulting in the first user equipment being unable to send the first ranging request to the second user equipment), the first user equipment uses solution two again to send a second ranging request to the auxiliary equipment, and the second ranging request indicates measuring the distance and/or angle between the auxiliary equipment and the second user equipment, thereby realizing the indirect ranging positioning service between the first user equipment and the second user equipment.
也就是说,当第一用户设备根据安全策略确定要优先对间接测距定位业务使用端到端的安全保护时,就表示第一用户设备要优先使用方案一来实现其与第二用户设备之间的间接测距定位业务,从而第一用户设备确定要优先执行方案一中的源UE对应的动作(参见前文介绍)。而在第一用户设备确定方案一执行失败时,第一用户设备再执行方案二中的源UE对应的动作(参见前文介绍),以实现第一用户设备与第二用 户设备之间的间接测距定位业务。可以理解,此种方法选择优先使用方案一,以尽量实现第一用户设备与第二用户设备之间的端到端的安全保护,而在无法实现第一用户设备与第二用户设备之间的端到端的安全保护的情况下,仍可以通过方案二实现第一用户设备与第二用户设备之间的间接测距定位业务。That is to say, when the first user equipment determines to give priority to end-to-end security protection for the indirect ranging positioning service according to the security policy, it means that the first user equipment should give priority to using solution one to implement the indirect ranging positioning service between it and the second user equipment, so that the first user equipment determines to give priority to executing the action corresponding to the source UE in solution one (see the above introduction). When the first user equipment determines that solution one fails to execute, the first user equipment then executes the action corresponding to the source UE in solution two (see the above introduction) to implement the indirect ranging positioning service between the first user equipment and the second user equipment. It can be understood that this method chooses to use scheme 1 first to achieve end-to-end security protection between the first user equipment and the second user equipment as much as possible, and when end-to-end security protection between the first user equipment and the second user equipment cannot be achieved, the indirect ranging positioning service between the first user equipment and the second user equipment can still be achieved through scheme 2.
在可能的实施例中,在第一用户设备通过与第二用户设备的链接向第二用户设备发送第一测距请求之前,第一用户设备需要先确定其是否可以与第二用户设备之间建立链接;在第一用户设备确定可以与第二用户设备建立链接的情况下,第一用户设备再通过与第二用户设备之间的链接向第二用户设备发送第一测距请求。In a possible embodiment, before the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment, the first user equipment needs to first determine whether it can establish a link with the second user equipment; when the first user equipment determines that it can establish a link with the second user equipment, the first user equipment then sends the first ranging request to the second user equipment through the link between the first user equipment and the second user equipment.
可以理解的是,由于方案一中的源UE需要向目标UE发送测距请求,并且目标UE需要向源UE发送目标UE与辅助设备之间的测距结果,因此,方案一要求源UE和目标UE之间建立链接。于是,在第一用户设备根据安全策略确定对其与第二用户设备之间的间接测距定位业务使用端到端的安全保护之后,第一用户设备需要先确定第一用户设备与第二用户设备之间是否可以建立链接。第一用户设备与第二用户设备之间可以建立链接,可以有以下几种情况:第一用户设备与第二用户设备之间已经建立有链接;第一用户设备与第二用户设备之间还未建立链接但满足链接建立条件。若第一用户设备与第二用户设备之间未建立链接但满足链接建立条件,则第一用户设备与第二用户设备建立链接。其中,第一用户设备与第二用户设备之间的链接,可以是直连链接(例如PC5链接),也可以是基于中继设备实现的U2U中继链接,本申请实施例不做具体限定。It can be understood that since the source UE in scheme one needs to send a ranging request to the target UE, and the target UE needs to send the ranging result between the target UE and the auxiliary device to the source UE, scheme one requires a link to be established between the source UE and the target UE. Therefore, after the first user equipment determines to use end-to-end security protection for the indirect ranging positioning service between it and the second user equipment according to the security policy, the first user equipment needs to first determine whether a link can be established between the first user equipment and the second user equipment. A link can be established between the first user equipment and the second user equipment, and there may be the following situations: a link has been established between the first user equipment and the second user equipment; a link has not been established between the first user equipment and the second user equipment but the link establishment condition is met. If a link is not established between the first user equipment and the second user equipment but the link establishment condition is met, the first user equipment establishes a link with the second user equipment. Among them, the link between the first user equipment and the second user equipment can be a direct link (such as a PC5 link) or a U2U relay link based on a relay device, which is not specifically limited in the embodiments of the present application.
如果第一用户设备确定其与第二用户设备之间可以建立链接,则第一用户设备确定可以使用方案一进行间接测距定位业务,进而通过第一用户设备与第二用户设备之间的链接,向第二用户设备发送第一测距请求。如果第一用户设备与第二用户设备之间无法建立链接,则第一用户设备确定无法继续使用方案一,即第一用户设备使用方案一进行间接测距定位业务失败。If the first user equipment determines that a link can be established between it and the second user equipment, the first user equipment determines that solution one can be used for indirect ranging and positioning services, and then sends a first ranging request to the second user equipment through the link between the first user equipment and the second user equipment. If a link cannot be established between the first user equipment and the second user equipment, the first user equipment determines that solution one cannot be used any more, that is, the first user equipment fails to use solution one for indirect ranging and positioning services.
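Added example, not code from the application: the first user equipment's choice between scheme one and scheme two under the three policy indications described above, including the link check and the fallback, modelled in Python. The enum names, the link-state values and the representation of the path the ranging result takes are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class E2EPolicy(Enum):
    """Security policy indication for the indirect ranging and positioning service (assumed names)."""
    REQUIRED = "use_e2e"        # end-to-end security protection is used
    NOT_USED = "no_e2e"         # end-to-end security protection is not used
    PREFERRED = "prefer_e2e"    # end-to-end security protection is used preferentially


class LinkState(Enum):
    """Whether the first UE has, or can get, a link to the second UE (assumed values)."""
    ESTABLISHED = "established"            # a link to the second UE already exists
    CAN_ESTABLISH = "can_establish"        # no link yet, but the establishment conditions are met
    CANNOT_ESTABLISH = "cannot_establish"  # neither a direct (PC5) nor a U2U relay link is possible


@dataclass(frozen=True)
class FirstOperation:
    scheme: int                  # 1: request goes to the second UE; 2: request goes to the auxiliary device
    request: str                 # name of the ranging request the first UE sends
    sent_to: str                 # peer that receives the request
    result_path: Tuple[str, ...] # nodes the ranging result passes through on its way to the first UE

    @property
    def e2e_protected(self) -> bool:
        """End-to-end protection holds only when the result is not relayed via the auxiliary device."""
        return "auxiliary" not in self.result_path


# Scheme one: first ranging request to the second UE; the result comes straight back over that link.
SCHEME_ONE = FirstOperation(1, "first_ranging_request", "second_ue", ("second_ue", "first_ue"))
# Scheme two: second ranging request to the auxiliary device; the result is sent by the auxiliary device.
SCHEME_TWO = FirstOperation(2, "second_ranging_request", "auxiliary", ("auxiliary", "first_ue"))


def link_usable(state: LinkState) -> bool:
    """Scheme one needs a link with the second UE: one that exists, or one that can be set up now."""
    return state in (LinkState.ESTABLISHED, LinkState.CAN_ESTABLISH)


def choose_first_operation(policy: E2EPolicy, link: LinkState) -> Optional[FirstOperation]:
    """Return the first operation the first UE performs, or None when the policy leaves no option."""
    if policy is E2EPolicy.NOT_USED:
        return SCHEME_TWO                 # policy says no E2E protection: use the auxiliary device
    if link_usable(link):
        return SCHEME_ONE                 # E2E protection possible: send the request to the second UE
    if policy is E2EPolicy.PREFERRED:
        return SCHEME_TWO                 # scheme one failed (no link); the policy allows the fallback
    return None                           # REQUIRED and scheme one failed: no fallback is permitted


def policy_satisfied(policy: E2EPolicy, op: Optional[FirstOperation]) -> bool:
    """Self-check for the UE: the selected operation must respect the policy it was derived from."""
    if op is None:
        return policy is E2EPolicy.REQUIRED   # only the mandatory policy may leave the service unserved
    if policy is E2EPolicy.REQUIRED:
        return op.e2e_protected
    if policy is E2EPolicy.NOT_USED:
        return op is SCHEME_TWO
    return True                                # PREFERRED accepts either scheme
```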
The form of the security policy is described below.
In a possible embodiment, the security policy may be explicit indication information.
For example, the security policy may be explicit indication information whose content indicates that end-to-end security protection is used for the indirect ranging and positioning service, or indicates that, in the indirect ranging and positioning service, the ranging request is sent to the target UE in order to obtain the ranging result between the auxiliary device and the target UE.
As another example, the security policy may be explicit indication information whose content indicates that end-to-end security protection is not used for the indirect ranging and positioning service, or indicates that, in the indirect ranging and positioning service, the ranging request is sent to the auxiliary device in order to obtain the ranging result between the auxiliary device and the target UE.
As another example, the security policy may be explicit indication information whose content indicates that end-to-end security protection is preferentially used for the indirect ranging and positioning service, or indicates that, in the indirect ranging and positioning service, the ranging request is preferentially sent to the auxiliary device in order to obtain the ranging result between the auxiliary device and the target UE.
In summary, the communication method provided in this embodiment performs security control on the user equipment based on a security policy. The security policy indicates whether end-to-end security protection is used for the sidelink communication service; the sidelink communication service is a communication service between two user equipments implemented over the sidelink, and may for example be a ProSe communication service or a ranging and positioning service. The user equipment may obtain the security policy from local storage or from a core network element.
The operations performed by the user equipment differ depending on the security policy, which is reflected in different levels of support for end-to-end security protection (support, no support, preferential support, and so on) and provides a better and more flexible security control mechanism for the user equipment. For example, the first user equipment determines the first operation to be performed according to the security policy it obtained: if the security policy indicates that end-to-end security protection is used for the sidelink communication service, the first operation is one that supports end-to-end security protection between the first user equipment and the second user equipment; if the security policy indicates that end-to-end security protection is not used for the sidelink communication service, the first operation is one that does not support end-to-end security protection between them; if the security policy indicates that end-to-end security protection is preferentially used for the sidelink communication service, the first operation is one that preferentially supports end-to-end security protection between them.
The following describes, with reference to FIG. 12 and FIG. 13, examples of how the UE obtains the security policy from a core network element.
Refer to FIG. 12, which is a schematic flowchart of a security policy acquisition method provided in an embodiment of this application; it may include the following steps:
S1201: The AS/AF configures E2E security requirements to the core network.
Here the AS and AF are the application server (APP server) and application function, respectively. The AS/AF corresponds to a specific sidelink communication service; for example, the sidelink communication service may be a ProSe communication service (including a ProSe relay communication service) or a ranging and positioning service (including an indirect ranging and positioning service). The AS/AF may be the application server/application function network element of the application that provides the sidelink communication service, or an application server/application function network element deployed by the network operator specifically to serve that sidelink communication service.
Specifically, the AS/AF can formulate E2E security requirements for the sidelink communication service as needed and then configure them to the core network. E2E security requirements can be formulated in several different ways.
In a possible embodiment, the AS/AF formulates a unified E2E security requirement for a given type of sidelink communication service. The type may be a ProSe communication service or a ranging and positioning service. A unified E2E security requirement is one that all UEs follow uniformly when using that type of sidelink communication service.
For example, the E2E security requirement may include the following options (in practice only two of them may be offered; the content of each option is only an example):
Option A: E2E security must be guaranteed.
Option B: E2E security is guaranteed preferentially (that is, as far as possible).
Option C: E2E security is not guaranteed.
Taking the ProSe communication service as an example of a type of sidelink communication service, the AS/AF can select one of the three options above as the unified E2E security requirement for the ProSe communication service. If option A is selected, all ProSe communication services must guarantee E2E security, that is, any two UEs performing a ProSe communication service must guarantee E2E security between them. If option B is selected, all ProSe communication services guarantee E2E security as far as possible, that is, any two UEs performing a ProSe communication service try to guarantee E2E security between them, but if E2E security cannot be guaranteed under the current communication conditions (for example, the ProSe communication method that guarantees E2E security cannot be executed), it is acceptable not to guarantee E2E security for the ProSe communication service. If option C is selected, no ProSe communication service needs to guarantee E2E security, that is, any two UEs performing a ProSe communication service do not need to guarantee E2E security between them.
In another possible embodiment, the AS/AF formulates different E2E security requirements for the same type of sidelink communication service. Different E2E security requirements may be formulated for different users or user groups within the same type of sidelink communication service, or for different geographic locations or network locations; when performing that type of sidelink communication service, the UE needs to follow the applicable E2E security requirement. It should be noted that, in addition to specifying the security policy at the granularity of user, user group, geographic location or network location, other ways of specifying it are possible, and this application does not specifically limit them.
For example, if the E2E security requirement specified by the AS/AF for a certain user group of the ProSe application is option A, then for any user in that group, the UE corresponding to the user needs to follow option A when performing the sidelink communication service, that is, E2E security must be guaranteed.
As another example, if the E2E security requirement specified by the AS/AF for a particular geographic location is option B, then a UE located in that geographic location needs to follow option B when performing the sidelink communication service, that is, E2E security is guaranteed as far as possible.
In a possible embodiment, the AS/AF may configure external service parameters to the core network, and the external service parameters include the E2E security requirement described above.
It should be noted that the E2E security requirement can be specified on the basis of several considerations (for example, security, resource usage and efficiency). Taking the ProSe relay communication service as an example, if the security requirements are particularly high, option A can be selected, that is, E2E security must be guaranteed. If the security requirements are not particularly strict, E2E security is desired, but a solution without E2E security is also acceptable, option B can be selected, that is, E2E security is prioritized. If the security requirements are not particularly strict and service setup speed and resource usage matter more, option C can be selected, that is, E2E security is not guaranteed. It should be understood that the ProSe relay communication solution that does not guarantee E2E security is implemented through the layer-3 relay mechanism; compared with the layer-2 relay mechanism it uses fewer resources, and the time from triggering the ProSe service requirement to establishing the ProSe relay communication is shorter, so it is more efficient.
In a possible embodiment, an option D may also be provided: preferentially do not guarantee E2E security (higher efficiency). If efficiency is the priority, option D can be selected; it prioritizes the setup efficiency of the ProSe relay communication service at the expense of E2E security. The security policy specified according to option D requires that the layer-3 relay mechanism be used first to implement the ProSe relay communication service, and that the layer-2 relay mechanism be used only when the layer-3 relay mechanism fails.
S1202: The NEF sends the E2E security requirement from the AS/AF to the UDR for storage.
Specifically, the UDR may store the E2E security requirement in application-specific data.
It should be noted that, from the point of view of the core network elements, the E2E security requirement formulated by the AS/AF is described in terms of external service parameters (such as an external user identifier, an external user group identifier or geographic location information); for example, the AS/AF specifies E2E security requirements for different external user identifiers, external user group identifiers or geographic locations.
Therefore, in a possible embodiment, when the NEF receives the E2E security requirement from the AS/AF, it can replace the external service parameters in the E2E security requirement with the corresponding internal service parameters of the network. For example, the NEF can determine the corresponding SUPI from the external user identifier, the corresponding internal group identifier from the external group identifier, and the corresponding internal network location information (for example, a tracking area (TA) or a registration area (RA)) from the geographic location, thereby replacing all of these external service parameters in the security policy with the corresponding internal service parameters. After completing the replacement, the NEF sends the E2E security requirement to the UDR for storage.
In another possible embodiment, the NEF may determine the corresponding internal service parameters from the E2E security requirement sent by the AS/AF and then send the E2E security requirement together with the internal service parameters to the UDR for storage.
In a possible embodiment, the E2E security requirement may also be configured by default on a core network element (PCF, 5GDDNMF or UDR) rather than coming from the AS/AF.
S1203: The UE sends a policy request to the core network.
The policy request indicates that the policy for the sidelink communication service is to be obtained. In this embodiment the UE obtains the policy for the sidelink communication service from the PCF. The sidelink communication service may be a ProSe communication service, in which case the UE requests the core network element for the ProSe policy to be used by the ProSe communication service; it may also be a ranging and positioning service, in which case the UE requests the core network element for the policy to be used by the ranging and positioning service.
Optionally, the policy request may indicate that all policies to be used by the sidelink communication service (including the security policy) are to be obtained, or it may indicate that only the security policy to be used by the sidelink communication service is to be obtained.
It should be understood that the policy request sent by the UE is forwarded to the PCF via the AMF.
S1204-S1205: The PCF determines the security policy for the UE and sends it to the UE.
The security policy indicates whether end-to-end security protection is used for the sidelink communication service.
When the policy request sent by the UE indicates that all policies to be used by the sidelink communication service (including the security policy) are to be obtained, the PCF can determine the policies used by the sidelink communication service for the UE from the data stored in the UDR (including determining the corresponding security policy for the UE from the E2E security requirement stored in the UDR) and then send these policies to the UE together. It should be understood that the security policy determined by the PCF is delivered to the UE via the AMF.
When the policy request sent by the UE indicates only that the security policy is to be obtained, the PCF can determine the corresponding security policy for the UE from the E2E security requirement stored in the UDR and then send the security policy to the UE.
It should be understood that if the E2E security requirement is stored on the UDR, the PCF obtains it from the UDR in the manner described above in order to determine the security policy; if the E2E security requirement is configured on the PCF, the PCF can determine the security policy directly from the locally stored E2E security requirement.
Taking the case where the sidelink communication service is a ProSe relay communication service as an example, if the PCF determines from the data stored in the UDR that the E2E security requirement corresponding to the UE is option A of step S1201, the security policy the PCF determines for the UE must be able to instruct the UE to (mandatorily) use end-to-end security protection for the ProSe relay communication service. In this case the content of the security policy may be explicit indication information, including at least one of the following: (mandatorily) use end-to-end security protection for the ProSe relay communication service; (mandatorily) use the layer-2 relay mechanism in the ProSe relay communication service; (mandatorily) use the relay service identifier of the layer-2 relay service to discover the relay device required for the ProSe relay communication service. The security policy may also be non-explicit: it may include the relay service identifier of the layer-2 relay service but not that of the layer-3 relay service, in which case the security policy serves the same indicating purpose, indicating that end-to-end security protection is used for the ProSe relay communication service.
If the E2E security requirement corresponding to the UE is determined to be option B of step S1201, the security policy the PCF determines for the UE must be able to instruct the UE to preferentially use end-to-end security protection for the ProSe relay communication service. In this case the content of the security policy may be explicit indication information, including at least one of the following: preferentially use end-to-end security protection in the ProSe relay communication service; preferentially use the layer-2 relay mechanism in the ProSe relay communication service; preferentially use the relay service identifier of the layer-2 relay service to discover the relay device required for the ProSe relay communication service. The security policy may also be non-explicit: it may include priority information indicating that the relay service identifier of the layer-2 relay service is to be used first, in which case the security policy serves the same indicating purpose, indicating that end-to-end security protection is preferentially used for the ProSe relay communication service. It should be noted that when the security policy contains such priority information, it may also include the relay service identifier of the layer-2 relay service and/or that of the layer-3 relay service, so that by sending the security policy to the UE the PCF also configures those relay service identifiers on the UE.
If the PCF determines from the data stored in the UDR that the E2E security requirement corresponding to the UE is option C of step S1201, the security policy the PCF determines for the UE must be able to instruct the UE not to use end-to-end security protection for the ProSe relay communication service, or, put differently, indicate that end-to-end security protection is not used for the sidelink communication service. In this case the content of the security policy may be explicit indication information, including at least one of the following: do not use end-to-end security protection for the ProSe relay communication service; do not use the layer-2 relay mechanism in the ProSe relay communication service; use the layer-3 relay mechanism in the ProSe relay communication service; use the relay service identifier of the layer-3 relay service to discover the relay device required for the ProSe relay communication service. The security policy may also be non-explicit: it may include the relay service identifier of the layer-3 relay service but not that of the layer-2 relay service, in which case the security policy serves the same indicating purpose, indicating that end-to-end security protection is not used for the ProSe relay communication service.
If the E2E security requirement corresponding to the UE is determined to be option D of step S1201, the security policy the PCF determines for the UE must be able to instruct the UE to preferentially not use end-to-end security protection for the ProSe relay communication service. In this case the content of the security policy may be explicit indication information, including at least one of the following: preferentially do not use end-to-end security protection in the ProSe relay communication service; preferentially use the layer-3 relay mechanism in the ProSe relay communication service; preferentially use the relay service identifier of the layer-3 relay service to discover the relay device required for the ProSe relay communication service. The security policy may also be non-explicit: it may include priority information indicating that the relay service identifier of the layer-3 relay service is to be used first, in which case the security policy serves the same indicating purpose, indicating that end-to-end security protection is preferentially not used for the ProSe relay communication service.
再以侧链通信业务是间接测距定位业务为例,如果PCF根据UDR中存储的数据确定UE对应的安全需求为步骤S1201中的选项A,则PCF为UE确定的安全策略要能够指示UE对间接测距定位业务(必须)使用端到端的安全保护。此时,该安全策略的具体内容可以是明确的指示信息,可以包括如下至少一项:对间接测距定位业务(必须)使用端到端的安全保护;在间接测距定位业务中(必须)使用方案一;在间接测距定位业务中向目标UE发送测距请求,以获取辅助设备与目标UE之间的测距结果。Taking the side chain communication service as an indirect ranging and positioning service as an example, if the PCF determines that the security requirement corresponding to the UE is option A in step S1201 based on the data stored in the UDR, the security policy determined by the PCF for the UE must be able to instruct the UE to (must) use end-to-end security protection for the indirect ranging and positioning service. At this time, the specific content of the security policy can be clear instruction information, which can include at least one of the following: (must) use end-to-end security protection for the indirect ranging and positioning service; (must) use scheme 1 in the indirect ranging and positioning service; send a ranging request to the target UE in the indirect ranging and positioning service to obtain the ranging result between the auxiliary device and the target UE.
如果PCF根据UDR中存储的数据确定UE对应的安全需求为步骤S1201中的选项B,则PCF为UE确定的安全策略要能够指示UE对间接测距定位业务优先使用端到端的安全保护。此时,该安全策略的具体内容可以是明确的指示信息,可以包括如下至少一项:对间接测距定位业务优先使用端到端的安全保护;在间接测距定位业务中优先使用方案一;在间接测距定位业务中优先向目标UE发送测距请求,以获取辅助设备与目标UE之间的测距结果。If the PCF determines that the security requirement corresponding to the UE is option B in step S1201 based on the data stored in the UDR, the security policy determined by the PCF for the UE must be able to instruct the UE to give priority to end-to-end security protection for the indirect ranging positioning service. At this time, the specific content of the security policy can be clear instruction information, which can include at least one of the following: give priority to end-to-end security protection for the indirect ranging positioning service; give priority to scheme 1 in the indirect ranging positioning service; give priority to sending a ranging request to the target UE in the indirect ranging positioning service to obtain the ranging result between the auxiliary device and the target UE.
如果PCF根据UDR中存储的数据确定UE对应的安全需求为步骤S1201中的选项C,则PCF为UE确定的安全策略要能够指示UE对间接测距定位业务不使用端到端的安全保护。此时,该安全策略的具体内容可以是明确的指示信息,可以包括如下至少一项:对间接测距定位业务不使用端到端的安全保护;在间接测距定位业务中不使用方案一;在间接测距定位业务中使用方案二;在间接测距定位业务中向辅助设备发送测距请求以获取辅助设备与目标UE之间的测距结果。If the PCF determines that the security requirement corresponding to the UE is option C in step S1201 based on the data stored in the UDR, the security policy determined by the PCF for the UE must be able to instruct the UE not to use end-to-end security protection for the indirect ranging positioning service. At this time, the specific content of the security policy can be clear instruction information, which can include at least one of the following: not using end-to-end security protection for the indirect ranging positioning service; not using solution one in the indirect ranging positioning service; using solution two in the indirect ranging positioning service; sending a ranging request to the auxiliary device in the indirect ranging positioning service to obtain the ranging result between the auxiliary device and the target UE.
需要说明的是,上述两个示例中的明确的指示信息的具体内容,仅作为示例不构成限定,在实际应用中可以适当调整,只要能够表达同样的意思即可。It should be noted that the specific content of the explicit indication information in the above two examples is only for example and does not constitute a limitation, and can be appropriately adjusted in actual applications as long as the same meaning can be expressed.
In a possible embodiment, the PCF may determine the security policy based on the first user information carried in the policy request of the UE, where the first user information may include one or more of the following: a user identifier (such as the SUPI), a user group identifier (such as an internal group identifier), a geographic location, a network location, and so on.
For example, the policy request sent by the UE carries the SUPI, and the PCF checks whether it locally stores an E2E security requirement for the user identified by that SUPI; if so, it determines the security policy from that E2E security requirement and then sends the security policy to the UE.
In a possible embodiment, the PCF obtains second user information and then determines the security policy from the second user information together with the first user information carried in the policy request. The second user information may include one or more of the following: a user identifier (such as the SUPI), a user group identifier (such as an internal group identifier), a geographic location, a network location, and so on. The second user information is obtained from a second network device, which may be one or more of an application server, an application function network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
For example, the policy request sent by the UE carries the SUPI and a user group identifier. The PCF checks whether the user data stored in the UDR includes that SUPI and, if so, continues to determine a security policy for the UE; the PCF finds that the UDR stores an E2E security requirement corresponding to the user group identifier, so it determines the security policy from that E2E security requirement and then sends the security policy to the UE.
As another example, the policy request sent by the UE carries the SUPI; when the AMF forwards the policy request to the PCF it also obtains the UE's location information (for example TA or RA information) and sends it to the PCF. The PCF checks whether the user data stored in the UDR includes that SUPI and, if so, continues to determine a security policy for the UE; the PCF finds that the UDR stores an E2E security requirement corresponding to that location information, so it determines the security policy from that E2E security requirement and then sends the security policy to the UE.
Optionally, if the UE has not yet triggered a need for a sidelink communication service, the UE may store the security policy locally after receiving it, so that the policy can be used when the UE later triggers such a need. If the UE has already triggered a need for a sidelink communication service, then after receiving the security policy from the core network element it may determine, according to that policy, which operation to perform. For the details of the UE performing the corresponding operation according to this determination, refer to the related description of FIG. 10 and/or FIG. 11, which is not repeated here.
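The policy determination of step S1204 and the user-information lookups above, as an added illustration that is not the patent's own code: a small model of a PCF that resolves a UE's E2E security requirement (options A to D of step S1201) from constructed UDR data keyed by SUPI, group or tracking area, and then builds the policy content described above. The relay service identifiers, the SUPIs and the precedence among granularities are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Added illustration, not the patent's own code. Models how the PCF turns a UE's
# E2E security requirement (options A to D of step S1201) into the security
# policy content described above. Relay service identifiers are placeholders.

RSC_L2 = "RSC-L2-placeholder"   # relay service identifier of the layer 2 relay service
RSC_L3 = "RSC-L3-placeholder"   # relay service identifier of the layer 3 relay service


class E2EReq(Enum):
    MUST_USE = "A"        # must use end-to-end protection
    PREFER_USE = "B"      # preferentially use it
    NOT_USE = "C"         # do not use it
    PREFER_NOT_USE = "D"  # preferentially do not use it


@dataclass
class SecurityPolicy:
    service: str                      # "prose_relay" or "indirect_ranging"
    indications: list = field(default_factory=list)  # explicit indication information
    priority: Optional[str] = None    # "L2" or "L3": which relay service ID to prefer
    rsc_l2: Optional[str] = None
    rsc_l3: Optional[str] = None


# Constructed UDR content: users the operator authorized for sidelink services,
# and E2E requirements at several granularities (user, group, tracking area,
# default for the service type). SUPIs use the test PLMN and are constructed.
AUTHORIZED_SUPIS = {"imsi-001010000000001", "imsi-001010000000002", "imsi-001010000000003"}
UDR = {
    ("prose_relay", "supi", "imsi-001010000000001"): E2EReq.MUST_USE,
    ("prose_relay", "group", "group-7"): E2EReq.PREFER_USE,
    ("prose_relay", "ta", "TA-42"): E2EReq.NOT_USE,
    ("prose_relay", "default", None): E2EReq.PREFER_NOT_USE,
    ("indirect_ranging", "default", None): E2EReq.PREFER_USE,
}


def lookup_requirement(service, user_info):
    """Most specific match wins: user, then group, then location, then default.
    (This precedence is an assumption; the text does not fix one.)"""
    for kind in ("supi", "group", "ta"):
        value = user_info.get(kind)
        if value is not None and (service, kind, value) in UDR:
            return UDR[(service, kind, value)]
    return UDR[(service, "default", None)]


def build_policy(service, req):
    """Step S1204: derive the policy content from the requirement."""
    p = SecurityPolicy(service=service)
    if service == "prose_relay":
        if req is E2EReq.MUST_USE:
            p.indications = ["use E2E protection", "use L2 relay mechanism"]
            p.rsc_l2 = RSC_L2            # only the L2 identifier is configured
        elif req is E2EReq.PREFER_USE:
            p.priority = "L2"            # priority information instead of an indication
            p.rsc_l2, p.rsc_l3 = RSC_L2, RSC_L3
        elif req is E2EReq.NOT_USE:
            p.indications = ["no E2E protection", "use L3 relay mechanism"]
            p.rsc_l3 = RSC_L3            # L3 identifier only carries the same meaning
        else:
            p.priority = "L3"
            p.rsc_l2, p.rsc_l3 = RSC_L2, RSC_L3
    else:
        p.indications = {
            E2EReq.MUST_USE: ["use E2E protection", "use scheme 1",
                              "send ranging request to target UE"],
            E2EReq.PREFER_USE: ["prefer E2E protection", "prefer scheme 1"],
            E2EReq.NOT_USE: ["no E2E protection", "use scheme 2",
                             "send ranging request to auxiliary device"],
            # option D for ranging is filled in by analogy; the text shows A to C
            E2EReq.PREFER_NOT_USE: ["prefer no E2E protection", "prefer scheme 2"],
        }[req]
    return p


def determine_policy(service, first_user_info, second_user_info=None):
    """PCF entry point. first_user_info comes from the UE's policy request,
    second_user_info from another NF (for example TA/RA information from the AMF).
    Returns None when the UDR holds no user data for the SUPI."""
    if first_user_info.get("supi") not in AUTHORIZED_SUPIS:
        return None
    info = {**(second_user_info or {}), **first_user_info}
    return build_policy(service, lookup_requirement(service, info))
```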
Refer to FIG. 13, which is a schematic flowchart of another security policy acquisition method provided in an embodiment of the present application, and which may include the following steps:
S1301: The UE registers with the PCF to obtain authorization for the sidelink communication service.
Here the sidelink communication service is a ProSe communication service (including a ProSe relay communication service) or a ranging and positioning service (including an indirect ranging and positioning service). For example, the UE obtains authorization for the ranging and positioning service from the PCF and may be authorized as one or more of the source UE, auxiliary UE, and target UE in the ranging and positioning service; or the UE obtains authorization for the ProSe service from the PCF and may be authorized as one or more of the source UE, relay UE, and target UE in the ProSe service.
S1302: The UE requests discovery parameters from the DDNMF network element.
It should be understood that when the UE is to perform a discovery procedure, it may send a discovery request to the DDNMF to obtain the discovery parameters needed in that procedure.
In a possible embodiment, the above discovery request carries first user information, which includes one or more of the following: a user identifier (such as the SUPI), a user group identifier (such as an internal group identifier), a geographic location, a network location, and so on.
S1303: The DDNMF requests the E2E security requirement corresponding to the UE from the PCF.
Specifically, after receiving the above discovery request from the UE, the DDNMF may send a request message to the PCF requesting the E2E security requirement corresponding to that UE, so that a security policy can then be determined for the UE from that E2E security requirement. The request message contains some or all of the first user information described in step S1302.
In another possible embodiment, after receiving the discovery request sent by the UE, the DDNMF obtains the first user information corresponding to the UE from the core network. Specifically, the DDNMF may use the UE's SUPI to obtain the first user information corresponding to the UE from the AMF or the UDR.
S1304-S1305: The PCF determines the E2E security requirement corresponding to the UE and sends it to the DDNMF.
In a possible embodiment, the E2E security requirements are configured on the PCF, so the PCF can determine the security requirement corresponding to the UE from the locally stored E2E security requirements.
In a possible embodiment, the E2E security requirements are stored in the UDR, so the PCF can determine the E2E security requirement corresponding to the UE from the data stored in the UDR (including the E2E security requirements). It should be noted that the E2E security requirements stored in the UDR may be configured by default or configured by the AS/AF; for details, refer to the related description of steps S1201 to S1202 in FIG. 12, which is not repeated here.
S1306: The DDNMF determines the security policy and the discovery parameters for the UE.
Specifically, after the DDNMF obtains the E2E security requirement corresponding to the UE from the PCF, it can determine a security policy for the UE from that requirement. For how the security policy is determined from the E2E security requirement, refer to the related description of step S1204, which is not repeated here.
In a possible embodiment, after determining the E2E security requirement corresponding to the UE, the PCF may further determine the security policy the UE needs and then send that security policy to the DDNMF, in which case the DDNMF only needs to determine the discovery parameters.
S1307: The DDNMF sends the security policy and the discovery parameters to the UE.
It can be understood that after the UE receives the discovery parameters, it can perform the corresponding discovery procedure according to them. If the UE has not yet triggered a need for a sidelink communication service, the UE may store the security policy locally after receiving it, so that the policy can be used when the UE later triggers such a need. If the UE has already triggered a need for a sidelink communication service, then after receiving the security policy from the core network element it may determine, according to that policy, which operation to perform. For the details of the UE performing the corresponding operation according to this determination, refer to the related description of FIG. 10 and/or FIG. 11, which is not repeated here.
It should be noted that the method of obtaining the security policy in FIG. 12 relies on the procedure in which the UE obtains policies from the PCF, while the method in FIG. 13 relies on the procedure in which the UE obtains discovery parameters from the DDNMF; that is, the security policy may be obtained at different points in time, and the embodiments of the present application do not specifically limit this.
In summary, there are several ways for the user equipment to obtain the security policy from a core network element, of which FIG. 12 and FIG. 13 above show two by way of example. The security policy acquisition method of FIG. 12 may rely on the procedure in which the user equipment obtains policies for the sidelink communication service from the PCF: when the user equipment requests the policies used by the sidelink communication service from the PCF, the PCF can determine the security policy for the user equipment and then send the security policy together with the other sidelink communication policies to the user equipment, thereby delivering the security policy along with the other sidelink communication policies. The security policy acquisition method of FIG. 13 may rely on the procedure in which the user equipment obtains discovery parameters from the DDNMF: during the discovery procedure the user equipment sends a discovery request to the DDNMF to obtain discovery parameters, and the DDNMF can carry the security policy in the reply to that discovery request, thereby delivering the security policy to the user equipment. Of course, the user equipment may also request the security policy directly from a core network element, so that it receives the corresponding security policy from that core network element.
The security policy corresponding to the user equipment may be preconfigured on the core network element, or it may be generated by the core network element from the E2E security requirements configured by the AS/AF. The core network element here may be one or more of the PCF, DDNMF, AMF, UDM, and UDR. Optionally, the AS/AF may configure a uniform E2E security requirement for one type of sidelink communication service, or may configure finer-grained E2E security requirements within one type of sidelink communication service, for example at the granularity of user, user group, geographic location, or network location. The core network element may determine the security policy for the user equipment from one or more items of user information, which may all come from the user equipment, may all come from core network elements, or may come partly from the user equipment and partly from core network elements; the embodiments of the present application do not specifically limit this.
The following describes the communication apparatus provided in the embodiments of the present application.
The present application divides the communication apparatus into functional modules according to the above method embodiments; for example, each functional module may correspond to one function, or two or more functions may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the present application is schematic and is only a division by logical function; other divisions are possible in actual implementation. The communication apparatus of the embodiments of the present application is described in detail below with reference to FIG. 14 to FIG. 16.
Refer to FIG. 14, which is a schematic structural diagram of a communication apparatus 1400 provided in an embodiment of the present application, comprising an acquisition module 1401 and a processing module 1402.
The acquisition module 1401 is configured to obtain a security policy, where the security policy indicates whether end-to-end security protection is used for the sidelink communication service, and the end-to-end security protection is implemented between the two user equipments (or apparatuses) corresponding to the sidelink communication service.
The processing module 1402 is configured to determine, according to the security policy, to perform a first operation, where the first operation is used to establish a sidelink communication service between the communication apparatus 1400 and a second user equipment.
In a possible embodiment, the security policy indicates that end-to-end security protection is used for the sidelink communication service, and the first operation includes: the communication apparatus 1400 receives messages from at least one relay device, each of which includes the relay service identifier of the layer 2 relay service; the communication apparatus 1400 establishes a connection with a first relay device among the at least one relay device, where the message of the first relay device received by the communication apparatus 1400 includes the relay service identifier of the layer 2 relay service, and the connection is used to send service data of the sidelink communication service between the communication apparatus 1400 and the second user equipment.
In a possible embodiment, the security policy indicates that end-to-end security protection is not used for the sidelink communication service, and the first operation includes: the communication apparatus 1400 receives messages from at least one relay device, each of which includes the relay service identifier of the layer 3 relay service; the communication apparatus 1400 establishes a relay connection with a first relay device among the at least one relay device, where the message of the first relay device received by the communication apparatus 1400 includes the relay service identifier of the layer 3 relay service, and the relay connection is used to send service data of the sidelink communication service between the communication apparatus 1400 and the second user equipment.
In a possible embodiment, the security policy includes the relay service identifier of the layer 2 relay service and/or the relay service identifier of the layer 3 relay service.
In a possible embodiment, the security policy includes priority information indicating that the relay service identifier of the layer 2 relay service is to be used preferentially.
In a possible embodiment, the security policy indicates that end-to-end security protection is used for the sidelink communication service, and the first operation includes: the communication apparatus 1400 sends a first ranging request to the second user equipment over a link with the second user equipment, where the first ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the communication apparatus 1400 and the second user equipment.
In a possible embodiment, before the communication apparatus 1400 sends the first ranging request to the second user equipment over the link with the second user equipment, the processing module 1402 is further configured to determine whether the communication apparatus 1400 can establish a link with the second user equipment; when the communication apparatus 1400 determines that a link can be established with the second user equipment, the processing module 1402 is further configured to send the first ranging request to the second user equipment over that link.
In a possible embodiment, the security policy indicates that end-to-end security protection is not used for the sidelink communication service, and the first operation includes: the communication apparatus 1400 sends a second ranging request to the auxiliary device over a direct link with the auxiliary device, where the second ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the communication apparatus 1400 and the second user equipment.
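The first operation on the user-equipment side for both service types, as an added illustration that is not the patent's own code: relay selection from received discovery messages according to the relay service identifiers and priority information carried in the policy, and the choice between sending the ranging request to the target UE (scheme 1, after the link check above) or to the auxiliary device (scheme 2). Relay service identifiers, relay names and the policy encoding are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration, not the patent's own code. Models the "first operation" of
# the first user equipment under each kind of security policy: which relay to
# connect to for a ProSe relay service, and where to send the ranging request for
# an indirect ranging service. Relay service identifiers are placeholders.

RSC_L2 = "RSC-L2-placeholder"   # relay service identifier of the layer 2 relay service
RSC_L3 = "RSC-L3-placeholder"   # relay service identifier of the layer 3 relay service


@dataclass
class Policy:
    e2e: str                         # "must", "prefer", "not" or "prefer_not"
    rsc_l2: Optional[str] = RSC_L2   # identifiers configured by the security policy
    rsc_l3: Optional[str] = RSC_L3   # (None means the policy did not hand one out)


@dataclass
class RelayMessage:
    """Discovery message received from a relay device (constructed)."""
    relay_id: str
    rsc: str


def select_relay(policy, messages):
    """Return (relay_id, "L2"/"L3") for the first acceptable relay, or None.
    Messages whose identifier matches neither configured identifier are ignored,
    so a relay cannot be chosen merely by announcing an arbitrary identifier."""
    l2 = [m for m in messages if policy.rsc_l2 is not None and m.rsc == policy.rsc_l2]
    l3 = [m for m in messages if policy.rsc_l3 is not None and m.rsc == policy.rsc_l3]
    order = {
        "must": [("L2", l2)],                  # E2E required: L3 relays never qualify
        "prefer": [("L2", l2), ("L3", l3)],    # priority information: L2 first
        "not": [("L3", l3)],                   # no E2E: the L2 mechanism is not used
        "prefer_not": [("L3", l3), ("L2", l2)],
    }[policy.e2e]
    for kind, candidates in order:
        if candidates:
            return candidates[0].relay_id, kind
    return None


def choose_ranging_target(policy, can_link_target_ue):
    """Indirect ranging: scheme 1 sends the ranging request to the target UE over
    a link with it (end-to-end protected); scheme 2 sends it to the auxiliary
    device over a direct link. can_link_target_ue is the check the first UE
    performs before scheme 1. Returns "target_ue", "auxiliary_device" or None."""
    if policy.e2e == "must":
        return "target_ue" if can_link_target_ue else None   # no fallback allowed
    if policy.e2e == "prefer":
        return "target_ue" if can_link_target_ue else "auxiliary_device"
    return "auxiliary_device"
```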
In a possible embodiment, the communication apparatus 1400 obtaining the security policy may include: the communication apparatus 1400 receiving the security policy from a core network element.
In a possible embodiment, the core network element is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
In a possible embodiment, the security policy is determined by the core network element according to user information of the communication apparatus 1400, where the user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the communication apparatus 1400.
In a possible embodiment, before the communication apparatus 1400 receives the security policy from the core network element, the method further includes: the communication apparatus 1400 sending the above user information to the core network element.
In a possible embodiment, the communication apparatus 1400 obtaining the security policy includes: the communication apparatus 1400 retrieving the security policy stored in the communication apparatus 1400.
It should be noted that the communication apparatus 1400 may correspond to the first user equipment in FIG. 10, FIG. 11, FIG. 12 and/or FIG. 13, and is specifically configured to implement any embodiment of the communication method of FIG. 10 and/or FIG. 11; refer to the above description for details, which are not repeated here.
Refer to FIG. 15, which is a schematic structural diagram of another communication apparatus 1500 provided in an embodiment of the present application, comprising a transceiver module 1501 and a processing module 1502.
The transceiver module 1501 is configured to receive a request message sent by a first user equipment, where the request message includes first user information of the first user equipment.
The processing module 1502 is configured to determine a security policy according to the first user information, where the security policy indicates whether end-to-end security protection is used for the sidelink communication service, and the end-to-end security protection is implemented between the two user equipments corresponding to the sidelink communication service; the communication apparatus 1500 sends the security policy to the first user equipment.
In a possible embodiment, the sidelink communication service is a proximity-based services communication service based on a relay device, or the sidelink communication service is a ranging and positioning service based on an auxiliary device.
In a possible embodiment, the sidelink communication service is a proximity-based services communication service based on a relay device, and the security policy includes the relay service identifier of the layer 2 relay service and/or the relay service identifier of the layer 3 relay service.
In a possible embodiment, the sidelink communication service is a proximity-based services communication service based on a relay device, and the security policy includes priority information, where the priority information indicates either that the relay service identifier of the layer 2 relay service is to be used preferentially or that the relay service identifier of the layer 3 relay service is to be used preferentially.
In a possible embodiment, the communication apparatus 1500 is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
In a possible embodiment, the first user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user equipment.
In a possible embodiment, the processing module 1502 is further configured to obtain second user information, where the second user information includes one or more of a user identifier, a user group identifier, a geographic location, and a network location of the first user equipment; the processing module 1502 is further configured to determine the security policy according to the first user information and the second user information.
In a possible embodiment, the second user information is obtained by the communication apparatus 1500 from a second network device, where the second network device is one or more of an application server, an application function network element, a policy management network element, a direct communication discovery name management network element, an access management network element, or a data management network element.
It should be noted that the communication apparatus 1500 may correspond to the core network element in FIG. 10 and/or FIG. 11, and may also correspond to the first network device in FIG. 12 and/or FIG. 13; it is specifically configured to implement any embodiment of the method on the first network device side in FIG. 12 and/or FIG. 13; refer to the above description for details, which are not repeated here.
Refer to FIG. 16, which is a schematic structural diagram of another communication device 1600 provided in an embodiment of the present application.
The communication device 1600 includes a processor 1601, a memory 1602 and a communication interface 1603. The communication device 1600 is specifically configured to implement any embodiment of the communication method of FIG. 10 or FIG. 11, or any embodiment on the first network device side of the security policy acquisition method of FIG. 12 or FIG. 13. The processor 1601, the memory 1602 and the communication interface 1603 may be connected to each other through an internal bus 1604, or may communicate by other means such as wireless transmission. The embodiment of the present application takes connection through the bus 1604 as an example. The bus 1604 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, a unified bus (Ubus or UB), a compute express link (CXL) bus, a cache coherent interconnect for accelerators (CCIX) bus, or the like. The bus 1604 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 16, but this does not mean that there is only one bus or one type of bus.
The processor 1601 may consist of at least one general-purpose processor, such as a central processing unit (CPU), or a combination of a CPU and a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 1601 executes various types of digitally stored instructions, such as software or firmware programs stored in the memory 1602, which enables the communication device 1600 to provide a variety of services.
The memory 1602 is configured to store program code, whose execution is controlled by the processor 1601. The memory 1602 may include volatile memory, such as random access memory (RAM); the memory 1602 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 1602 may also include a combination of the above types. The memory 1602 may store program code, specifically program code for executing any embodiment of the communication method of FIG. 10 or FIG. 11, or program code for implementing any embodiment on the first network device side of the security policy acquisition method of FIG. 12 or FIG. 13, which is not described again here.
The communication interface 1603 may be a wired interface (for example, an Ethernet interface) or a wireless interface (for example, a cellular network interface or a wireless local area network interface), or may be an internal interface (for example, a peripheral component interconnect express (PCIe) bus interface). The wired interface or the wireless interface is used to communicate with other devices or modules.
It should be noted that this embodiment may be implemented by a general-purpose physical server, for example, an ARM server or an x86 server, or by a virtual machine running on a general-purpose physical server in combination with NFV technology; a virtual machine is a complete computer system, simulated by software, that has the functions of a complete hardware system and runs in a fully isolated environment. This is not specifically limited in the present application. It should be understood that the communication device 1600 shown in FIG. 16 may also be a server cluster composed of at least one server, which is not specifically limited in the present application. The communication device 1600 may also be a host, a laptop, a desktop computer, a smartphone or another such device, which is not specifically limited.
It should also be noted that FIG. 16 is only one possible implementation of the embodiment of the present application; in practical applications, the communication device 1600 may include more or fewer components, and the present application does not specifically limit this. For content not shown or described in the embodiments of the present application, refer to the relevant description in the embodiments of the communication method of FIG. 10 or FIG. 11 and the embodiments of the security policy acquisition method of FIG. 12 or FIG. 13, which are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a processor, implement the method of any embodiment of FIG. 10 or FIG. 11.
An embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a processor, implement the method of any embodiment of FIG. 12 or FIG. 13.
An embodiment of the present application further provides a computer program product which, when run on a processor, implements the method of any embodiment of FIG. 10 or FIG. 11.
An embodiment of the present application further provides a computer program product which, when run on a processor, implements the method of any embodiment of FIG. 12 or FIG. 13.
An embodiment of the present application further provides a chip or chip system, including a processor configured to execute the method in any of the foregoing embodiments (as in FIG. 10, FIG. 11, FIG. 12 and FIG. 13).
A person of ordinary skill in the art can understand that all or part of the procedures in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is only a preferred embodiment of the present application and certainly cannot be used to limit the scope of the rights of the present application. A person of ordinary skill in the art can understand that all or part of the procedures implementing the above embodiments, and equivalent changes made according to the claims of the present application, still fall within the scope covered by the invention.

Claims (27)

  1. A communication method, characterized in that the method comprises:
    a first user equipment obtains a security policy, wherein the security policy is used to indicate whether end-to-end security protection is used for a sidelink communication service, and the end-to-end security protection is implemented between the two user equipments corresponding to the sidelink communication service;
    the first user equipment determines to perform a first operation according to the security policy, wherein the first operation is used to establish the sidelink communication service between the first user equipment and a second user equipment.
  2. The method according to claim 1, characterized in that the security policy indicates that the end-to-end security protection is used for the sidelink communication service, and the first operation comprises:
    the first user equipment receives a message from at least one relay device;
    the first user equipment establishes a connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes a relay service identifier of a layer 2 relay service, and the link is used to send service data of the sidelink communication service between the first user equipment and the second user equipment.
  3. The method according to claim 1, characterized in that the security policy indicates that the end-to-end security protection is not used for the sidelink communication service, and the first operation comprises:
    the first user equipment receives a message from at least one relay device;
    the first user equipment establishes a connection with a first relay device among the at least one relay device, wherein the message of the first relay device received by the first user equipment includes a relay service identifier of a layer 3 relay service, and the link is used to send service data of the sidelink communication service between the first user equipment and the second user equipment.
  4. The method according to any one of claims 1 to 3, characterized in that the security policy includes the relay service identifier of the layer 2 relay service and/or the relay service identifier of the layer 3 relay service.
  5. The method according to claims 1 to 4, characterized in that the security policy includes priority information, and the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used preferentially.
  6. The method according to claim 1, characterized in that the security policy indicates that the end-to-end security protection is used for the sidelink communication service, and the first operation comprises:
    the first user equipment sends a first ranging request to the second user equipment through a link with the second user equipment, wherein the first ranging request indicates measuring the distance and/or angle between the second user equipment and an auxiliary device, and the ranging result of the first ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
  7. The method according to claim 6, characterized in that before the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment, the method further comprises:
    the first user equipment determines whether a link can be established with the second user equipment;
    in a case where the first user equipment determines that a link can be established with the second user equipment, the first user equipment sends the first ranging request to the second user equipment through the link with the second user equipment.
  8. The method according to claim 1, characterized in that the security policy indicates that the end-to-end security protection is not used for the sidelink communication service, and the first operation comprises:
    the first user equipment sends a second ranging request to an auxiliary device through a direct link with the auxiliary device, wherein the second ranging request indicates measuring the distance and/or angle between the second user equipment and the auxiliary device, and the ranging result of the second ranging request is used to determine the distance and/or angle between the first user equipment and the second user equipment.
  9. The method according to any one of claims 1 to 8, characterized in that the first user equipment obtaining the security policy comprises:
    the first user equipment receives the security policy from a core network element.
  10. The method according to claim 9, characterized in that the core network element is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  11. The method according to claim 9 or 10, characterized in that the security policy is determined by the core network element according to user information of the first user equipment, wherein the user information includes one or more of a user identifier, a user group identifier, a geographical location and a network location of the first user equipment.
  12. The method according to claim 11, characterized in that before the first user equipment receives the security policy from the core network element, the method further comprises:
    the first user equipment sends the user information to the core network element.
  13. The method according to any one of claims 1 to 8, characterized in that the first user equipment obtaining the security policy comprises:
    the first user equipment obtains the security policy stored in the first user equipment.
  14. A communication method, characterized in that the method comprises:
    a first network device receives a request message sent by a first user equipment, wherein the request message includes first user information of the first user equipment;
    the first network device determines a security policy according to the first user information, wherein the security policy is used to indicate whether end-to-end security protection is used for a sidelink communication service, and the end-to-end security protection is implemented between the two user equipments corresponding to the sidelink communication service;
    the first network device sends the security policy to the first user equipment.
  15. The method according to claim 14, characterized in that the sidelink communication service is a proximity service communication service based on a relay device, or the sidelink communication service is a ranging and positioning service based on an auxiliary device.
  16. The method according to claim 14, characterized in that the sidelink communication service is a proximity service communication service based on a relay device, and the security policy includes a relay service identifier of a layer 2 relay service and/or a relay service identifier of a layer 3 relay service.
  17. The method according to claim 14 or 16, characterized in that the sidelink communication service is a proximity service communication service based on a relay device, and the security policy includes priority information, wherein the priority information is used to indicate that the relay service identifier of the layer 2 relay service needs to be used preferentially, or the priority information is used to indicate that the relay service identifier of the layer 3 relay service needs to be used preferentially.
  18. The method according to any one of claims 14 to 17, characterized in that the first network device is one or more of a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  19. The method according to any one of claims 14 to 18, characterized in that the first user information includes one or more of a user identifier, a user group identifier, a geographical location and a network location of the first user equipment.
  20. The method according to any one of claims 14 to 19, characterized in that the first network device determining the security policy according to the first user information comprises:
    the first network device obtains second user information, wherein the second user information includes one or more of a user identifier, a user group identifier, a geographical location and a network location of the first user equipment;
    the first network device determines the security policy according to the first user information and the second user information.
  21. The method according to claim 20, characterized in that the second user information is obtained by the first network device from a second network device, wherein the second network device is one or more of an application server, an application function network element, a policy management network element, a direct communication discovery name management network element, an access management network element or a data management network element.
  22. A communication device, characterized in that it comprises a unit or module for executing the method according to any one of claims 1 to 13.
  23. A communication device, characterized in that it comprises a unit or module for executing the method according to any one of claims 14 to 21.
  24. A communication device, characterized in that it comprises a processor and a memory;
    the memory is configured to store computer-executable instructions;
    the processor is configured to execute the computer-executable instructions so that the method according to any one of claims 1 to 13 is executed, or so that the method according to any one of claims 14 to 21 is executed.
  25. A chip, characterized in that it comprises a processor, so that the method according to any one of claims 1 to 13 is executed, or so that the method according to any one of claims 14 to 21 is executed.
  26. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store a computer program, and when the computer program is executed, the method according to any one of claims 1 to 13 is executed, or the method according to any one of claims 14 to 21 is executed.
  27. A computer program product, characterized in that the computer program product comprises a computer program or computer code, and when the computer program or the computer code runs on a computer, the method according to any one of claims 1 to 13 is executed, or the method according to any one of claims 14 to 21 is executed.
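As an added example (not code from the patent or its applicant), the following Python models the two decisions the claims describe: the network element deriving a security policy from first user information (claims 14 and 19), and the first user equipment selecting a relay, or a ranging target, according to that policy (claims 2 to 8). The group table, relay service codes and relay identifiers are constructed, and the ordering applied to the priority information is an assumed reading of claims 4, 5 and 17.

```python
# Added worked example, not code from the patent. Models the policy derivation
# on the network side and the policy-driven relay/ranging decisions on the UE
# side. Group names, relay service codes and relay IDs are constructed values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    e2e_protection: bool            # use end-to-end protection between the two UEs?
    l2_rsc: Optional[str] = None    # relay service identifier of the layer-2 relay service
    l3_rsc: Optional[str] = None    # relay service identifier of the layer-3 relay service
    prefer_l2: bool = True          # priority information (claims 5 and 17)


@dataclass(frozen=True)
class RelayMessage:
    relay_id: str
    rsc: str                        # relay service identifier carried in the relay's message


# Constructed stand-in for whatever data the network element consults when it
# maps a user group identifier to a policy (the patent does not fix this table).
GROUP_REQUIRES_E2E = {"secure-ops": True, "public": False}
L2_RSC, L3_RSC = "RSC-L2-EXAMPLE", "RSC-L3-EXAMPLE"   # constructed identifiers


def determine_policy(first_user_info: dict) -> SecurityPolicy:
    """Network side (claim 14): map first user information to a security policy."""
    group = first_user_info.get("user_group_id", "public")
    e2e = GROUP_REQUIRES_E2E.get(group, False)   # unknown group: no E2E requirement assumed
    # Assumption: when E2E is required the layer-2 identifier is marked as the
    # one to use preferentially; otherwise the layer-3 identifier is preferred.
    return SecurityPolicy(e2e_protection=e2e, l2_rsc=L2_RSC, l3_rsc=L3_RSC, prefer_l2=e2e)


def acceptable_rscs(policy: SecurityPolicy) -> List[str]:
    """Relay service identifiers the UE may accept, most preferred first."""
    if policy.e2e_protection:
        # Claim 2: E2E protection is only satisfied by a layer-2 relay, so a relay
        # advertising the layer-3 identifier is never accepted in this branch.
        return [policy.l2_rsc] if policy.l2_rsc else []
    # Claim 3 with the priority information of claim 17 (assumed reading: both
    # identifiers may be present and the priority information orders them).
    ordered = [policy.l2_rsc, policy.l3_rsc] if policy.prefer_l2 else [policy.l3_rsc, policy.l2_rsc]
    return [r for r in ordered if r]


def select_relay(policy: SecurityPolicy, messages: List[RelayMessage]) -> Optional[RelayMessage]:
    """UE side (claims 2-3): pick the first relay whose message carries an acceptable identifier."""
    by_rsc: Dict[str, RelayMessage] = {}
    for m in messages:
        by_rsc.setdefault(m.rsc, m)          # first message seen per identifier wins
    for rsc in acceptable_rscs(policy):
        if rsc in by_rsc:
            return by_rsc[rsc]
    return None   # no relay satisfies the policy: do not silently downgrade


def choose_ranging_target(policy: SecurityPolicy, can_link_peer: bool) -> Optional[Tuple[str, str]]:
    """UE side (claims 6-8): where the ranging request about the second UE is sent.

    Returns (target, request) or None when the E2E branch cannot proceed.
    """
    if policy.e2e_protection:
        # Claims 6-7: the first ranging request goes over a link with the second
        # UE, but only after the UE has determined such a link can be established.
        return ("second_ue", "first_ranging_request") if can_link_peer else None
    # Claim 8: without E2E protection the second ranging request goes to the
    # auxiliary device over a direct link.
    return ("auxiliary_device", "second_ranging_request")


if __name__ == "__main__":
    # Constructed discovery messages: relay-A is a layer-3 relay, relay-B a layer-2 relay.
    seen = [RelayMessage("relay-A", L3_RSC), RelayMessage("relay-B", L2_RSC)]
    for group in ("secure-ops", "public"):
        pol = determine_policy({"user_id": "ue-1", "user_group_id": group})
        chosen = select_relay(pol, seen)
        print(group, "e2e" if pol.e2e_protection else "no-e2e",
              chosen.relay_id if chosen else None, choose_ranging_target(pol, True))
```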
PCT/CN2023/117772 2022-11-07 2023-09-08 Communication method, communication apparatus, and storage medium WO2024098937A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211383863.2A CN117998361A (en) 2022-11-07 2022-11-07 Communication method, communication device, and storage medium
CN202211383863.2 2022-11-07

Publications (1)

Publication Number Publication Date
WO2024098937A1 true WO2024098937A1 (en) 2024-05-16

Family

ID=90887694

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/117772 WO2024098937A1 (en) 2022-11-07 2023-09-08 Communication method, communication apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN117998361A (en)
WO (1) WO2024098937A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111417092A (en) * 2019-01-04 2020-07-14 华硕电脑股份有限公司 Method and apparatus for supporting single one-to-one side link communication link vehicle networking services
CN113630738A (en) * 2020-04-21 2021-11-09 华为技术有限公司 Sidelink communication method and device
WO2022014870A1 (en) * 2020-07-15 2022-01-20 엘지전자 주식회사 Relay communication
WO2022042437A1 (en) * 2020-08-23 2022-03-03 Qualcomm Incorporated Layer 2 relay initial configuration
US20220303862A1 (en) * 2020-10-22 2022-09-22 Apple Inc. Layer 2 ue to ue data forwarding

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QUALCOMM INCORPORATED, AT&T, ERICSSON, SAMSUNG: "Solution to support end-to-end security for Layer-3 UE-to-Network Relay", 3GPP DRAFT; S2-2004282, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting ;20200601 - 20200612, 22 May 2020 (2020-05-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051890412 *

Also Published As

Publication number Publication date
CN117998361A (en) 2024-05-07
