CN111226452A - Business strategy creating method and device - Google Patents
- Publication number: CN111226452A (application number CN201880066694.5A)
- Authority: CN (China)
- Prior art keywords: service, network element, key, policy, identifier
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W72/00—Local resource management
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W8/00—Network data management > H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
Abstract
A method and an apparatus for creating a service policy are provided. The method comprises the following steps: an SMF network element obtains a service identifier and a service policy installation authentication parameter from a terminal device and sends them to a service policy authentication network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update. The SMF network element then sends a temporary label and key indication information to the terminal device, where the temporary label identifies the data messages corresponding to the service identifier, the key indication information indicates a service policy execution key, and the service policy execution key is used to verify the temporary label. The temporary label and the key indication information are generated by the SMF network element or by the service policy authentication network element after the service policy authentication network element has successfully authenticated the service policy installation authentication parameter against the service identifier.
Description
The present application relates to the field of wireless communications technologies, and in particular, to a method and an apparatus for creating a service policy.
In a future 5G network architecture, an application (APP) on a terminal device may actively initiate a service policy creation procedure towards the network. Once the procedure has completed, a data plane device in the network (such as a gateway) applies the corresponding detection, charging and control policies to the APP's service flow according to that service policy.
However, while the terminal device initiates the service policy installation procedure, an APP on the terminal device may steal the service policy of another APP, and the service policy is then misused. For example, a first service of application A on the terminal device corresponds to service policy A, and a second service of application B corresponds to service policy B. If application B obtains the service identifier of application A's first service in an illegitimate way and presents that service identifier to the network side for policy installation during policy creation, the network side creates service policy A, the policy that belongs to the first service's identifier, for application B's second service and charges according to the charging policy associated with service policy A, so that the service policy is misused.
In summary, how to prevent the service policy from being misused while the terminal device initiates the service policy creation procedure is an urgent problem to be solved.
Disclosure of Invention
The embodiments of the present application aim to provide a method and an apparatus for creating a service policy, which solve the problem that a service policy is misused while a terminal device initiates a service policy creation procedure.
The embodiment of the application provides a method for creating a service policy, which comprises the following steps:
an SMF network element obtains a service identifier and a service policy installation authentication parameter from a terminal device and sends them to a service policy authentication network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the SMF network element sends a label and key indication information to the terminal device, where the label identifies the data messages of the service corresponding to the service identifier, the key indication information indicates a service policy execution key, and the service policy execution key is used to verify the label; the label and the key indication information are generated by the SMF network element or by the service policy authentication network element after the service policy authentication network element has successfully authenticated the service policy installation authentication parameter against the service identifier.
According to this method, before the terminal device sends data messages of the service corresponding to the service identifier, it must first send the service identifier and the service policy installation authentication parameter to the SMF network element; only after the SMF network element determines that the service identifier and the service policy installation authentication parameter sent by the terminal device have been successfully authenticated does the SMF network element send the label and the key indication information to the terminal device, so that the terminal device can send its data messages according to the label and the key indication information. Because authentication is required while the terminal device initiates the service policy creation procedure, the service policy corresponding to the service identifier sent by the terminal device cannot be used by other terminal devices that have, for example, stolen the identifier, which improves the security of the service policy.
In an optional embodiment, the method further comprises:
the SMF network element receives, from the service policy authentication network element, a service policy corresponding to the service identifier; the service policy is used to control the data messages of the service corresponding to the service identifier.
In an optional embodiment, the method further comprises:
the SMF network element sends the service policy, the label and the key indication information to a UPF network element.
In this way the UPF network element can identify the data messages sent by the terminal device according to the label and the key indication information, and, once a data message has been identified, control it according to the service policy.
In an optional implementation, the key indication information is sent to the SMF network element by the service policy authentication network element after it has successfully authenticated the service policy installation authentication parameter against the service identifier; or the key indication information is allocated by the SMF network element to the service corresponding to the service identifier.
In an optional implementation, the key indication information is a key parameter from which the service policy execution key is generated; or the key indication information is the service policy execution key itself.
In an optional implementation manner, the tag is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or, the label is allocated to the service corresponding to the service identifier by the SMF network element.
In an optional embodiment, the method further comprises:
and the SMF network element sends service variable indication information to the terminal equipment, wherein the service variable indication information indicates a service variable used for checking the label.
In an optional implementation, the service variable indication information is sent encrypted with the service policy execution key.
An embodiment of the present application further provides a method for creating a service policy, comprising:
a Session Management Function (SMF) network element obtains a service identifier and a service policy installation authentication parameter from a User Plane Function (UPF) network element and sends them to a service policy authentication network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the SMF network element sends a service policy, a label and key indication information corresponding to the service identifier to the UPF network element, where the service policy is used to control the data messages of the service corresponding to the service identifier, the label identifies those data messages, the key indication information indicates a service policy execution key, and the service policy execution key is used to verify the label.
In an optional implementation, before the SMF network element sends the service policy corresponding to the service identifier to the UPF network element, the method further includes: the SMF network element receives the service policy from the service policy authentication network element.
In an optional implementation, the key indication information is sent to the SMF network element by the service policy authentication network element after it has successfully authenticated the service policy installation authentication parameter against the service identifier; or the key indication information is allocated by the SMF network element to the service corresponding to the service identifier.
In an optional implementation, the key indication information is a key parameter from which the service policy execution key is generated; or the key indication information is the service policy execution key itself.
In an optional implementation manner, the tag is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or, the label is allocated to the service corresponding to the service identifier by the SMF network element.
An embodiment of the present application provides a service policy creating device comprising a memory, a communication interface and a processor, where the memory stores instructions; the processor is configured to execute the instructions stored in the memory and to control the communication interface to receive and transmit signals, and when the processor executes those instructions the service policy creating device performs the method of any one of the possible designs of the above aspects.
An embodiment of the present application provides a service policy creating apparatus, configured to implement the steps of the SMF network element in any one of the foregoing methods, where the service policy creating apparatus includes corresponding functional modules, for example, includes a processing unit, a receiving unit, and a sending unit, which are respectively used to implement the steps in the foregoing methods.
The embodiment of the application provides a method for creating a service policy, which comprises the following steps:
the terminal device sends a service identifier and a service policy installation authentication parameter to a Session Management Function (SMF) network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the terminal device receives a label and key indication information from the SMF network element, where the key indication information indicates a service policy execution key; the label and the key indication information are generated by the SMF network element or by the service policy authentication network element after the service policy authentication network element has successfully authenticated the service policy installation authentication parameter against the service identifier;
the terminal device sends a data message of the service corresponding to the service identifier, where the data message carries the label and a check parameter, and the check parameter is generated by the terminal device from the label using the service policy execution key.
According to this method, before the terminal device sends data messages of the service corresponding to the service identifier, it must first send the service identifier and the service policy installation authentication parameter to the SMF network element; only after the SMF network element determines that the service identifier and the service policy installation authentication parameter sent by the terminal device have been successfully authenticated can the terminal device receive the label and the key indication information from the SMF network element, and only then can it send its data messages according to the label and the key indication information. Because authentication is required while the terminal device initiates the service policy creation procedure, the service policy corresponding to the service identifier sent by the terminal device cannot be used by other terminal devices that have, for example, stolen the identifier, which improves the security of the service policy.
In an optional implementation, the key indication information is sent to the SMF network element by the service policy authentication network element after it has successfully authenticated the service policy installation authentication parameter against the service identifier; or the key indication information is allocated by the SMF network element to the service corresponding to the service identifier.
In an optional implementation manner, before the terminal device sends the service identifier and the service policy installation authentication parameter to the session management function SMF network element, the method further includes:
the terminal device obtains, from an application server, the service identifier and a service policy installation derived key corresponding to the service identifier;
the terminal device determines the service policy installation authentication parameter from the service identifier and the service policy installation derived key.
In an optional embodiment, the method further comprises:
and the terminal equipment receives service variable indication information from the SMF network element, wherein the service variable indication information indicates a service variable used for checking the label.
The embodiment of the present application further provides a method for creating a service policy, including:
the terminal device sends a service identifier and a service policy installation authentication parameter to a User Plane Function (UPF) network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the terminal device receives a label and key indication information from the UPF network element, where the key indication information indicates a service policy execution key;
the terminal device sends a data message of the service corresponding to the service identifier, where the data message carries the label and a check parameter, and the check parameter is generated by the terminal device from the label using the service policy execution key.
In an optional implementation manner, the tag and the key indication information are sent to the UPF network element after the session management function SMF network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
In an optional implementation manner, before the terminal device sends the service identifier and the service policy installation authentication parameter to the UPF network element, the method further includes:
the terminal device obtains, from an application server, the service identifier and a service policy installation derived key corresponding to the service identifier;
the terminal device determines the service policy installation authentication parameter from the service identifier and the service policy installation derived key.
An embodiment of the present application provides a service policy creating device comprising a memory, a transceiver and a processor, where the memory stores instructions; the processor is configured to execute the instructions stored in the memory and to control the transceiver to receive and transmit signals, and when the processor executes those instructions the service policy creating device performs the steps performed by the terminal device in the method above.
The embodiment of the present application provides a service policy creating apparatus, configured to implement the steps of the terminal device in the foregoing method, where the service policy creating apparatus includes corresponding functional modules, for example, including a processing unit, a receiving unit, and a sending unit, which are respectively used to implement the steps of the terminal device in the foregoing method.
The embodiment of the application provides a method for creating a service policy, which comprises the following steps:
the method comprises the steps that a service strategy authentication network element receives a service identifier and a service strategy installation authentication parameter sent by a Session Management Function (SMF) network element; the service identification and the service strategy installation authentication parameter are used for initiating service strategy creation or service strategy updating; the service identifier and the service strategy installation authentication parameter are sent to the SMF network element by the terminal;
the service policy authentication network element authenticates the service policy installation authentication parameter against the service identifier and, after the authentication passes, sends the service policy corresponding to the service identifier to the SMF network element and also sends to the SMF network element at least one of a service policy, a label and key indication information corresponding to the service identifier; the label identifies the data messages of the service corresponding to the service identifier, the key indication information indicates a service policy execution key, and the service policy execution key is used to verify the label; the service policy is used to control the data messages of the service corresponding to the service identifier.
According to the method provided by the embodiment of the application, before the terminal equipment sends the data message of the service corresponding to the service identifier, the terminal equipment needs to send the service identifier and the service policy installation authentication parameter to the SMF network element, after the service policy authentication network element successfully authenticates the service identifier and the service policy installation authentication parameter sent by the terminal equipment, the terminal equipment can receive the label and the key indication information sent by the SMF network element, and the terminal equipment can send the data message according to the label and the key indication information. Because the authentication is needed in the process of initiating the service policy creating flow by the terminal device, the service policy corresponding to the service identifier sent by the terminal device can be prevented from being sent by other terminal devices under the conditions of being stolen and the like, and the security of the service policy can be provided.
In an optional implementation manner, the authenticating, by the service policy authentication network element, the service policy installation authentication parameter according to the service identifier includes:
the service policy authentication network element determines a service policy installation key corresponding to the service identifier according to the service identifier;
the service policy authentication network element generates a service policy installation derived key from the service policy installation key, and authenticates the service policy installation authentication parameter using the service policy installation derived key.
In an optional implementation manner, the authenticating, by the service policy authentication network element, the service policy installation authentication parameter according to the service identifier includes:
and the service policy authentication network element authenticates the service policy installation authentication parameters through the AUSF network element according to the service identifier.
An embodiment of the present application provides a service policy creating device comprising a memory, a communication interface and a processor, where the memory stores instructions; the processor is configured to execute the instructions stored in the memory and to control the communication interface to receive and transmit signals, and when the processor executes those instructions the service policy creating device performs the steps of the service policy authentication network element in the method above.
The embodiment of the present application provides a service policy creating device, which is used for implementing the steps of the service policy authentication network element in the above method, and includes corresponding functional modules, for example, including a processing unit, a receiving unit, a sending unit, and the like, which are respectively used for implementing the steps of the service policy authentication network element in the above method.
Embodiments of the present application provide a computer-readable storage medium, in which computer-readable instructions are stored, and when the computer-readable instructions are read and executed by a computer, the computer is enabled to execute any one of the methods described above.
The embodiment of the application provides a computer program product, which when read and executed by a computer, causes the computer to execute any one of the methods.
The embodiment of the application provides a chip, wherein the chip is connected with a memory and is used for reading and executing a software program stored in the memory so as to realize any one of the methods.
Fig. 1 is a schematic diagram of a system architecture suitable for embodiments of the present application;
Fig. 2 is a schematic diagram of the key relationships provided in an embodiment of the present application;
Fig. 3 is a schematic flow chart of a service policy creation method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a service policy creation method provided in an embodiment of the present application;
Fig. 4a is a schematic diagram of another service policy creation method provided in an embodiment of the present application;
Fig. 4b is a schematic diagram of another service policy creation method provided in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a service policy creating apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a service policy creating device according to an embodiment of the present application.
Embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 shows an example of a system architecture suitable for an embodiment of the present application. In the architecture of Fig. 1, a terminal device 101 communicates with a core network via an access network element 102; the types of the terminal device, the access network and the core network are not limited in the present invention. A terminal device may be a User Equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device or a user agent. An access terminal may be a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal in a future 5G network, and so on. For convenience of description, Fig. 1 shows only one terminal; in an actual network multiple terminals may coexist, which is not described further here.
An Access Network (AN) element 102, which may also be called a Radio Access Network (RAN) element and is referred to below as the access network element or AN, is mainly responsible for providing the wireless connection for the terminal device 101 and for ensuring reliable transmission of its uplink and downlink data. The access network element 102 may be a gNB (next generation Node B) in a 5G system, a Base Transceiver Station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) system, a NodeB (NB) in a Wideband Code Division Multiple Access (WCDMA) system, an evolved base station (eNB or eNodeB) in a Long Term Evolution (LTE) system, or the like.
The core network may be a GPRS (General Packet Radio Service) packet-switched network, an EPC (Evolved Packet Core) network, a subsequent evolution of the EPC network, a future 5G (5th Generation) network, or another network. Fig. 1 describes the functional network elements that may be involved in this embodiment, taking a 5G core network as an example.
A Session Management Function (SMF) network element 103 may be configured to perform a part of functions of a Mobility Management Entity (MME) in the LTE system, and is mainly responsible for establishing a Session, managing the Session, and the like for the terminal device 101. A suitable User Plane Function (UPF) network element may be selected for the terminal device 101 according to the location information of the terminal device 101.
The UPF network element 104 is a functional network element of the user plane of the terminal device 101, and has main functions including packet routing and forwarding, Quality of Service (QoS) processing of user plane data, and the like.
The Access and Mobility Management (AMF) network element 105 mainly functions include a termination point of a radio Access network control plane, a termination point of a non-Access signaling, Mobility Management, lawful interception, Access authorization or authentication, and the like.
A Policy Control Function (PCF) network element 106 is mainly responsible for the functions of establishing, releasing, and changing a user plane transmission path.
An Authentication Server Function (AUSF) network element 107, whose main functions include user Authentication, etc.
It is understood that the scheme described in the embodiment of the present application may also be applied to an EPC-type core network. The EPC includes functional entities or Network elements such as an MME (Mobility Management Entity), a PCRF, an SGW (Serving Gateway), a PGW (Packet Data Network Gateway), an SCEF (Service Capability Exposure Function), and the like. The MME is responsible for mobility management and connection management of the UE, and selects gateways such as SGW and PGW for the UE. The SGW is connected to the E-UTRAN access network, and the PGW is connected to the AS. The PGW takes charge of the function of a policy enforcement entity in the EPC network, detects the service flow according to the charging and control policy indicated by the PCRF, and enforces the control policy matched with the service flow. The SCEF is used AS an external capability open interface of the core network and is connected with the AS, and the AS signs a service strategy to the core network through the SCEF. And the PCRF manages the service strategy signed or signed by the user and the AS. In actual deployment, the SGW and the PGW may be deployed in a merged manner, that is, the same gateway supports the functions of the SGW and the PGW at the same time. The SGW or the PGW may also perform separation of a Control Plane function and a User Plane function, where a PGW-C (Control Plane) is responsible for interacting with the PCRF to obtain charging and Control policies of the User, and pushing the policies to a PGW-U (User Plane), and the PGW-U is responsible for detecting a service flow, matching the policies, and executing the policies. 
In the 4G system, the service policy authentication network element described in this embodiment may be implemented by a PCRF; in a CU (Control plane/User plane) separated architecture, the session management function described in this embodiment may be implemented by a PGW-C, and the user plane function network element described in this embodiment may be implemented by a PGW-U.
In the embodiments of the present application, a plurality of keys are involved, and the relationship between these keys is described below with reference to fig. 2. In fig. 2, the service policy root key is a key configured for the terminal device by the network side, and may also be referred to as an authentication key.
The service subscription key is generated from the service policy root key, for example by performing a hash operation on the OTT identifier and the service policy root key. The service subscription authentication parameter is generated from the service subscription key.
The service policy installation key is generated from the service policy root key.
The service policy installation derived key is generated from the service policy installation key.
The service policy installation authentication parameter is generated from the service policy installation derived key.
The service policy execution key is generated from the service policy installation key, and may also be generated in other ways.
The specific generation method and the use method of the above keys will be described later, and will not be described again here.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items. The character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
With reference to the foregoing description, fig. 3 is a schematic flow chart of a service policy creation method provided in the embodiment of the present application. Referring to fig. 3, the method includes:
Step 301: the terminal device sends a service identifier and a service policy installation authentication parameter to the SMF network element; the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy update.
In this embodiment of the application, the granularity of the data packets identified by the service identifier may be service granularity, for example, the data packets belong to a certain service provided by an APP, and the APP may be a WeChat program or a pay-for-all program. The granularity of the data packets identified by the service identifier may also be user granularity, for example, the data packets of a user or a group of users accessing a service.
The service identifier may correspond to a service policy (e.g., a Policy Control and Charging (PCC) rule), and the network side may apply the corresponding detection, charging, and control policy to a data packet according to the service identifier carried in the data packet, using the service policy corresponding to that service identifier. Of course, when the service identifier identifies data packets at user granularity, the service identifier identifies the data packets of one user or a group of users at the user level, and the network side may likewise apply the detection, charging, and control policies of the corresponding service policy to the data packets of that user or group of users according to the service identifier in the data packet.
Step 302: the SMF network element acquires the service identifier and the service policy installation authentication parameter from the terminal device and sends the service identifier and the service policy installation authentication parameter to the service policy authentication network element.
In the embodiment of the present application, the function of the service policy authentication network element may be implemented by a PCF network element, may also be implemented by an AUSF network element, and may also be implemented by any other network element, which is not limited in the embodiment of the present invention. When the function of the service policy authentication network element is realized by PCF or AUSF, the service policy authentication network element is a logic function inside the PCF or AUSF network element. It should be noted that, the service policy authentication network element in each embodiment of the present application may further perform a function of service policy authorization, such as authorizing or issuing a service policy corresponding to the service identifier according to the service identifier; the service policy authentication network element can simultaneously support the functions of service policy authentication and service policy authorization, and can also support only one of the functions of service policy authentication and service policy authorization.
Step 303: the service policy authentication network element receives the service identifier and the service policy installation authentication parameter sent by the SMF network element.
The service identifier and the service policy installation authentication parameter are sent to the SMF network element by the terminal device.
Step 304: the service policy authentication network element authenticates the service policy installation authentication parameter according to the service identifier, and after the authentication is passed sends at least one of a service policy, a temporary label, and key indication information corresponding to the service identifier to the SMF network element.
When the service policy authentication network element does not send the temporary label or the key indication information to the SMF network element, the SMF network element may generate the temporary label or the key indication information.
The temporary label is used for identifying a data message of a service corresponding to the service identifier, and the service policy execution key indicated by the key indication information is used for verifying the data message, such as verifying the temporary label in the data message; the service policy is used for controlling the data message of the service corresponding to the service identifier.
The "temporary label" may also be referred to as "label" or other name, and the name is not limited in the embodiments of the present application.
Step 305: the SMF network element sends the temporary label and the key indication information to the terminal device.
The key indication information is used for indicating a service policy execution key; the temporary label is used for identifying the data message of the service corresponding to the service identifier, and the service policy execution key is used for verifying the temporary label; the temporary label and the key indication information are generated by the SMF network element or the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
Step 306: the terminal device receives the temporary label and the key indication information from the SMF network element and sends a data message of the service corresponding to the service identifier, where the data message includes the temporary label and a check parameter, and the check parameter is generated by the terminal device from the temporary label using the service policy execution key.
Before step 301, the terminal device further needs to obtain a service identifier and the service policy installation derived key corresponding to the service identifier from an Application Server (AS), which is the application server providing the service corresponding to the service identifier.
The following describes how the application server determines the service policy installation derived key.
Specifically, the application server may obtain a service policy root key assigned by the network operator providing services for the terminal device; for the specific content of this process, reference may be made to the description in the prior art, which is not repeated here. After the application server obtains the service policy root key, it may generate a service subscription key according to the service policy root key. For example, the application server performs a hash (HASH) operation on an Over The Top (OTT) identifier (OTT refers to an application service provided by the application server to the user through the Internet, and one OTT may include a plurality of services), a random number generated by the application server, and the service policy root key, and uses the hash result as the service subscription key.
After the application server generates the service subscription key, the service subscription authentication parameter can be determined according to the service subscription key and the OTT identifier. For example, the application server performs a hash operation on the service subscription key and the OTT identifier, and uses the hash result as the service subscription authentication parameter.
After the application server obtains these parameters, it may send a service policy subscription message to a Network Exposure Function (NEF) network element, where the service policy subscription message includes the requested service policy, the OTT identifier, the random number, and the like. Optionally, the service policy subscription message may further include a service identifier and the service subscription authentication parameter. As described above, the service subscription authentication parameter is determined according to the service subscription key, which is determined according to the service policy root key. The service identifier may be pre-configured in the application server for the service policy authentication network element.
After receiving the service policy subscription message sent by the application server, the NEF network element forwards it to the service policy authentication network element. After receiving the service policy subscription message, the service policy authentication network element may generate a service policy installation key according to the service policy root key. For example, the service policy authentication network element may perform a hash calculation on the service policy root key, the service identifier (when the service policy subscription message includes the service identifier), and the like to obtain the service policy installation key; of course, the service policy authentication network element may also generate the service policy installation key in other ways, which are not listed one by one here. Further, the service policy authentication network element may store the service policy installation key and establish a correspondence between the service identifier and the service policy installation key.
Optionally, before generating the service policy installation key, the service policy authentication network element may also verify the received service subscription authentication parameter, and generate the service policy installation key only after the verification is confirmed to pass. The specific verification process may be as follows: the service policy authentication network element generates a service subscription key according to the received OTT identifier, the random number, and the service policy root key. The algorithm used by the service policy authentication network element to generate the service subscription key is the same as the algorithm used by the application server, and is agreed with the application server in advance.
The service policy authentication network element then generates an expected service subscription authentication parameter from the service subscription key, using the algorithm agreed with the application server in advance. If the service policy authentication network element determines that the expected service subscription authentication parameter is the same as the received service subscription authentication parameter, the service subscription authentication parameter is determined to pass the verification; if the expected service subscription authentication parameter differs from the received one, the service subscription authentication parameter is determined not to pass the verification.
It should be noted that, in the above-mentioned verification process, when the service policy authentication network element is a PCF network element, the service policy authentication network element may independently verify the service subscription authentication parameter, or may forward the service policy subscription message to the AUSF network element, and the AUSF network element verifies the service subscription authentication parameter. When the service policy authentication network element verifies the service subscription authentication parameter through the AUSF network element, the AUSF network element returns a verification result to the service policy authentication network element, and the service policy authentication network element can determine whether the service subscription authentication parameter passes the verification according to the verification result returned by the AUSF network element. After determining that the service subscription authentication parameter passes the verification, the AUSF network element may also generate a service policy installation key, and establish a corresponding relationship between the service identifier and the service policy installation key. Optionally, the AUSF network element may further send the service policy installation key to the service policy authentication network element.
After the service policy authentication network element generates the service policy installation key, it can authorize the service policy requested by the application server. Optionally, when the service policy subscription message does not include a service identifier, the service policy authentication network element may further allocate a service identifier to the service policy requested by the application server.
After the service policy authentication network element authorizes the service policy requested by the application server, it sends a policy subscription response message to the application server, where the policy subscription response message indicates information such as the authorization result of the service policy requested by the application server. Optionally, the policy subscription response message may further include the service identifier.
After receiving the policy subscription response message, the application server may generate a service policy installation key by using the same method as the service policy authentication network element according to the service subscription key, the service identifier, and the like.
After the application server generates the service policy installation key, when receiving a service request (e.g., a service registration request) sent by the terminal device, the application server may send a service identifier of the requested service to the terminal device, and a service policy installation derivative key corresponding to the service identifier. It should be noted that before sending the service request, the terminal device needs to attach to the network and establish a Transmission Control Protocol (TCP) connection with the application server, and the like, which is not described herein again.
After the terminal device obtains the service identifier and the corresponding service policy installation derived key from the application server, it may determine the service policy installation authentication parameter according to the service identifier and the service policy installation derived key. Specifically, the terminal device may perform a hash calculation on the service identifier and the service policy installation derived key, and use the result of the hash calculation as the service policy installation authentication parameter; of course, the service policy installation authentication parameter may also be generated in other ways, which are not listed one by one here.
After the terminal equipment determines the service identifier and the service policy installation authentication parameter, the terminal equipment can send the service identifier and the service policy installation authentication parameter to the SMF network element through the service policy request message. The service policy request message may be a service policy creation request message, a service policy enabling request message, or a service policy update request message, which is not limited in the embodiment of the present application.
It should be noted that the terminal device may bear the service policy request message through a Non-access stratum (NAS) message, and details of the specific process are not described again.
Correspondingly, in step 302, the SMF network element may obtain a service identifier and a service policy installation authentication parameter through a service policy request message sent by the terminal device, and send the service identifier and the service policy installation authentication parameter to the service policy authentication network element.
In step 304, after receiving the service identifier, the service policy authentication network element determines a service policy installation key corresponding to the service identifier according to the service identifier, and then generates a service policy installation derived key according to the service policy installation key and the service identifier, where the manner in which the service policy authentication network element generates the service policy installation derived key is the same as the manner in which the terminal device generates the service policy installation derived key, and is not described herein again.
After the service policy authentication network element generates the service policy installation derived key, the same method as the terminal equipment is adopted to generate expected service policy installation authentication parameters according to the service policy installation derived key, if the expected service policy installation authentication parameters are determined to be the same as the service policy installation authentication parameters received from the SMF network element, the service policy installation authentication parameters can be determined to pass the authentication, otherwise, the service policy installation authentication parameters are determined not to pass the authentication.
It should be noted that, in the above authentication process, when the service policy authentication network element is a PCF network element, the service policy authentication network element may authenticate the service policy installation authentication parameter independently, or may forward the service policy subscription message to the AUSF network element, so that the service policy installation authentication parameter is authenticated by the AUSF network element according to the service identifier. When the service policy authentication network element authenticates the service policy installation authentication parameter through the AUSF network element, the AUSF network element returns an authentication result to the service policy authentication network element, and the service policy authentication network element can determine whether the service policy installation authentication parameter passes the authentication according to the authentication result returned by the AUSF network element.
After the service policy authentication network element determines that the service policy installation authentication parameter passes the authentication, it allocates a service policy to the service corresponding to the service identifier. Optionally, the service policy authentication network element may further allocate a temporary label to the service corresponding to the service identifier, so that the data packets of that service can be identified by the temporary label; the service policy authentication network element may further generate a service policy execution key for the service corresponding to the service identifier, for example by performing a hash calculation on the service policy installation key and a key parameter and using the result as the service policy execution key. The key parameter may be a random number or the like, which is not limited in this embodiment of the present application and may be agreed according to the actual situation.
It should be noted that, when the service policy authentication network element is a PCF network element and authenticates the service policy installation authentication parameter through the AUSF network element, the service policy execution key and the temporary label may also be allocated by the AUSF network element and sent to the service policy authentication network element.
After the service policy authentication network element allocates the service policy, the service policy may be sent to the SMF network element, and at least one of the temporary label and the key indication information may also be sent. The key indication information may be a key parameter for generating the service policy enforcement key, or may be a key for enforcing the service policy.
In step 305, when the service policy authentication network element does not send the key indication information to the SMF network element, the key indication information may also be allocated by the SMF network element for the service corresponding to the service identifier.
Correspondingly, the temporary label may be sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or, the temporary label may also be allocated by the SMF network element to the service corresponding to the service identifier.
The SMF network element may further send the service policy, the temporary label, and the key indication information to the UPF network element, and the UPF network element may execute the key according to the service policy indicated by the key indication information, check the check parameter in the data packet sent by the terminal device, may also determine the data packet of the service corresponding to the service identifier according to the temporary label, and control the data packet of the service corresponding to the service identifier according to the service policy.
In step 306, before the terminal device sends the data packet of the service corresponding to the service identifier, the service policy enforcement key may be determined according to the key indication information, for example, when the key indication information is the service policy enforcement key, the terminal device may directly use the key indication information as the service policy enforcement key; when the key indication information is a key parameter, the terminal device may generate a service policy enforcement key according to the key parameter, and the method for generating the service policy enforcement key may be a method agreed in advance with the SMF network element or the service policy authentication network element, which is not described herein again.
After the terminal device determines the service policy execution key, it may generate a check parameter according to the service policy execution key, the service variable, and the temporary label. For example, the terminal device may perform a hash calculation on the service policy execution key, the service variable, and the temporary label, and use the calculation result as the check parameter. The service variable may be the 5-tuple of the data packet, or a part of the 5-tuple. The service variable may be agreed in advance, or may be indicated by service variable indication information sent by the SMF network element to the terminal device; for example, the service variable indication information may indicate that the service variable consists of the source Internet Protocol (IP) address, the source port number, and the destination IP address in the 5-tuple of the data packet. Further, the service variable indication information may be encrypted by the SMF network element with the service policy execution key before being sent to the terminal device.
The terminal device encapsulates the check parameter and the temporary label in the data message, for example outside the header of the IP packet or inside the IP packet, and sends the data message to the UPF network element.
After receiving the data packet, the UPF network element verifies the check parameter according to the service policy execution key indicated by the key indication information sent by the SMF network element. Specifically, the UPF network element may generate an expected check parameter, in the same way as the terminal device, from the service policy execution key indicated by the key indication information, the temporary label in the data packet, and the service variable of the data packet; if the expected check parameter is the same as the check parameter in the data packet, the verification succeeds, otherwise it fails.
After the UPF network element successfully verifies the check parameter, it performs service control on the data message, or processes the data message, according to the service policy corresponding to the temporary label, removes the temporary label and the check parameter encapsulated in the data message, and sends the data message with these parameters removed to the application server.
The foregoing process is described below by way of a specific example.
Fig. 4 is a schematic diagram of a data message transmission flow provided in the embodiment of the present application.
Step 401: the terminal equipment sends a service request to the application server, and the service request is used for requesting service registration.
Step 402: after receiving the service request, the application server sends a service request response to the terminal device.
The service request response includes the service identifier of the service the terminal device requested to register and the service policy installation derived key corresponding to the service identifier.
Step 403: after receiving the service request response, the terminal device determines the service policy installation authentication parameter according to the service identifier and the service policy installation derived key in the service request response.
Step 404: the terminal device sends a service policy request message to the SMF network element.
The service policy request message includes a service identifier and a service policy installation authentication parameter, and the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy update.
Step 405: after receiving the service policy request message, the SMF network element sends the service identifier and the service policy installation authentication parameter in the service policy request message to the service policy authentication network element.
Step 406: after receiving the service identifier and the service policy installation authentication parameter, the service policy authentication network element authenticates the service policy installation authentication parameter according to the service identifier, and allocates a service policy to the service corresponding to the service identifier after the authentication is passed.
Correspondingly, when the service policy authentication network element determines that authentication of the service policy installation authentication parameter fails, it sends a rejection message to the SMF network element, the rejection message rejecting the request of the terminal device. The SMF network element forwards the received rejection message to the terminal device.
Step 407: the service policy authentication network element sends the service policy to the SMF network element.
Optionally, the service policy authentication network element may further send at least one of the temporary label and the key indication information to the SMF network element.
Step 408: after receiving the service policy, the SMF network element sends the service policy, the temporary label, and the key indication information to the UPF network element.
The temporary label may be sent to the SMF network element by the service policy authentication network element, or may be allocated to the service corresponding to the service identifier by the SMF network element; the key indication information may be sent to the SMF network element by the service policy authentication network element, or may be allocated to the service corresponding to the service identifier by the SMF network element.
Step 409: the SMF network element sends the temporary label and the key indication information to the terminal device.
Step 410: the terminal device generates a check parameter according to the service policy execution key, the service variable, and the temporary label.
Step 411: the terminal device encapsulates the check parameter and the temporary label in a data message, for example outside the header of the IP packet or inside the IP packet, and sends the data message to the UPF network element.
Step 412: after receiving the data message, the UPF network element verifies the check parameter according to the service policy execution key indicated by the key indication information sent by the SMF network element; after the check parameter is successfully verified, it performs service control on the data message, or processes the data message, according to the service policy corresponding to the temporary label, removes the temporary label and the check parameter encapsulated in the data message, and sends the data message with these parameters removed to the application server.
When the service variable is an IP quintuple, the UPF can also record the relationship between the service variable in the uplink data message and the service strategy. And after the downlink data message is sent to the UPF, the UPF reverses the service variable in the downlink data message, obtains the service strategy according to the reversed service variable, and executes service control on the downlink data message according to the service strategy.
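The fig. 2 key hierarchy and the flow of steps 301-306 / 401-412, modelled end to end in Python as an added example (not code from the patent or from any 3GPP implementation): the subscription check at the service policy authentication network element, the installation authentication, the temporary label and check parameter on the user plane, the two failure cases a UPF must reject, and the downlink lookup by reversed 5-tuple. Assumptions: the text's "hash operation" is taken to be HMAC-SHA256 over labelled inputs, the key indication information is taken to be the execution key itself (one of the two options the text allows), the SMF and NEF hops are collapsed, and all identifiers and addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

# The text only says "hash operation"; this model fixes it as HMAC-SHA256 over a
# label and the operands joined with "|" (an assumption, not the patent's choice).
def derive(key, label, *operands):
    return hmac.new(key, b"|".join((label,) + operands), hashlib.sha256).digest()

# Key hierarchy of fig. 2; each function is named after the term used in the text.
def service_subscription_key(root_key, ott_id, nonce):
    return derive(root_key, b"subscribe", ott_id, nonce)
def service_subscription_auth_param(sub_key, ott_id):
    return derive(sub_key, b"subscribe-auth", ott_id)
def service_policy_installation_key(root_key, service_id):
    return derive(root_key, b"install", service_id)
def service_policy_installation_derived_key(install_key, service_id):
    return derive(install_key, b"install-derive", service_id)
def service_policy_installation_auth_param(derived_key, service_id):
    return derive(derived_key, b"install-auth", service_id)
def service_policy_execution_key(install_key, key_param):
    return derive(install_key, b"execute", key_param)
def check_param(exec_key, service_variable, temp_label):
    return derive(exec_key, b"check", service_variable, temp_label)

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int

def service_variable(p):
    # The text's example service variable: source IP, source port and destination IP.
    return f"{p.src_ip}|{p.src_port}|{p.dst_ip}".encode()

class PolicyAuthNE:  # service policy authentication network element, e.g. a PCF
    def __init__(self, root_key):
        self.root_key = root_key
        self.install_keys = {}  # service_id -> service policy installation key
    def subscribe(self, ott_id, nonce, sub_auth, service_id):
        # Verify the AS's subscription authentication parameter before creating the key.
        sub_key = service_subscription_key(self.root_key, ott_id, nonce)
        if not hmac.compare_digest(service_subscription_auth_param(sub_key, ott_id), sub_auth):
            return False
        self.install_keys[service_id] = service_policy_installation_key(self.root_key, service_id)
        return True
    def authenticate(self, service_id, install_auth):
        # Step 304 / 406: returns (policy, temporary label, execution key) or None.
        install_key = self.install_keys.get(service_id)
        if install_key is None:
            return None
        derived = service_policy_installation_derived_key(install_key, service_id)
        if not hmac.compare_digest(service_policy_installation_auth_param(derived, service_id), install_auth):
            return None
        # The key indication information passed on is the execution key itself (one of the
        # two options in the text); the random key parameter never leaves this element.
        exec_key = service_policy_execution_key(install_key, secrets.token_bytes(16))
        return f"policy-for-{service_id.decode()}", secrets.token_bytes(4), exec_key

class UPF:  # user plane function: verifies labels, records flows, maps downlink traffic
    def __init__(self):
        self.rules = {}  # temporary label -> (policy, execution key), installed in step 408
        self.flows = {}  # uplink 5-tuple -> policy, for the downlink lookup
    def install(self, policy, temp_label, exec_key):
        self.rules[temp_label] = (policy, exec_key)
    def uplink(self, temp_label, chk, pkt):
        # Step 412: verify the check parameter; return the policy to apply, or None.
        if temp_label not in self.rules:
            return None
        policy, exec_key = self.rules[temp_label]
        if not hmac.compare_digest(check_param(exec_key, service_variable(pkt), temp_label), chk):
            return None
        self.flows[pkt] = policy  # label and check parameter are stripped before forwarding
        return policy
    def downlink(self, pkt):
        # Reverse source and destination to find the matching uplink flow's policy.
        return self.flows.get(Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))

def run_flow():
    root_key = secrets.token_bytes(32)  # operator-configured root key of fig. 2
    ott_id, service_id, nonce = b"ott-example", b"svc-1", secrets.token_bytes(16)
    ne, upf = PolicyAuthNE(root_key), UPF()
    # Subscription: the AS proves knowledge of the root key (the NEF hop is not modelled).
    sub_auth = service_subscription_auth_param(service_subscription_key(root_key, ott_id, nonce), ott_id)
    subscribed = ne.subscribe(ott_id, nonce, sub_auth, service_id)
    # Steps 401-409: the terminal holds only the derived key; the SMF relays the result to the UPF.
    derived = service_policy_installation_derived_key(service_policy_installation_key(root_key, service_id), service_id)
    policy, temp_label, exec_key = ne.authenticate(service_id, service_policy_installation_auth_param(derived, service_id))
    upf.install(policy, temp_label, exec_key)
    # Steps 410-412 on constructed addresses, then two rejects: a flipped label bit, a reused check value.
    pkt = Packet("10.0.0.2", 40000, "203.0.113.10", 443, 6)
    chk = check_param(exec_key, service_variable(pkt), temp_label)
    accepted = upf.uplink(temp_label, chk, pkt)
    bad_label = upf.uplink(bytes([temp_label[0] ^ 1]) + temp_label[1:], chk, pkt)
    replayed = upf.uplink(temp_label, chk, Packet("10.0.0.2", 40001, "203.0.113.10", 443, 6))
    down = upf.downlink(Packet("203.0.113.10", 443, "10.0.0.2", 40000, 6))  # reversed reply
    return subscribed, accepted == policy, bad_label is None, replayed is None, down == policy
```

The terminal never holds the root key or the installation key, only the derived key, so a leaked derived key cannot be used to forge subscriptions or execution keys for other services.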
In another possible embodiment, the terminal device may further send the service identifier and the service policy installation authentication parameter to the SMF network element through the user plane function network element, and the specific flow is shown in fig. 4 a.
Step M01: the terminal device sends a service request to the application server; the service request is used to request service registration.
Step M02: after receiving the service request, the application server sends a service request response to the terminal device.
The service request response includes the service identifier of the service the terminal device requested to register and the service policy installation derived key corresponding to that service identifier.
Step M03: after receiving the service request response, the terminal device determines the service policy installation authentication parameter from the service identifier in the service request response and the service policy installation derived key.
Step M04: the terminal device sends a service policy request message to a user plane network element (e.g., UPF) over the user plane.
The service policy request message includes the service identifier and the service policy installation authentication parameter, which are used to initiate service policy creation or service policy update.
Step M05: after receiving the service policy request of the UE, the user plane network element (e.g., UPF) sends the service policy request message to the SMF.
Step M06: after receiving the service policy request message, the SMF network element sends the service identifier and the service policy installation authentication parameter carried in it to a service policy authentication network element (e.g., PCF).
Step M07: after receiving the service identifier and the service policy installation authentication parameter, the service policy authentication network element authenticates the service policy installation authentication parameter according to the service identifier and, once the authentication passes, allocates a service policy to the service corresponding to the service identifier.
Correspondingly, when the service policy authentication network element determines that authentication of the service policy installation authentication parameter fails, it sends a rejection message to the SMF network element; the rejection message is used to reject the request of the terminal device. The SMF network element forwards the received rejection message to the terminal device.
Step M08: the service policy authentication network element sends the service policy to the SMF network element.
Optionally, the service policy authentication network element may further send at least one of the temporary label and the key indication information to the SMF network element.
Step M09: after receiving the service policy, the SMF network element sends the service policy, the temporary label and the key indication information to the UPF network element.
The temporary label may be sent to the SMF network element by the service policy authentication network element, or may be allocated to the service corresponding to the service identifier by the SMF network element; the key indication information may likewise be sent to the SMF network element by the service policy authentication network element, or allocated to the service corresponding to the service identifier by the SMF network element.
Step M10: the UPF network element sends the temporary label and the key indication information to the terminal device.
Step M11: the terminal device generates a verification parameter from the service policy execution key, the service variable and the temporary label.
Step M12: the terminal device encapsulates the verification parameter and the temporary label in a data packet and sends the data packet to the UPF network element.
Step M13: after receiving the data packet, the UPF network element verifies the verification parameter with the service policy execution key indicated by the key indication information sent by the SMF network element. Once the verification parameter is verified successfully, the UPF network element performs service control on the data packet, or processes it, according to the service policy corresponding to the temporary label, removes the temporary label and the verification parameter encapsulated in the data packet, and sends the stripped data packet to the application server.
When the service variable is an IP five-tuple, the UPF may also record the association between the service variable of the uplink data packet and the service policy. When a downlink data packet arrives at the UPF, the UPF reverses the service variable of the downlink data packet, obtains the service policy according to the reversed service variable, and performs service control on the downlink data packet according to that service policy.
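The installation authentication of steps M02, M03 and M07 (and the equivalent step in fig. 4), as an added example that is not part of the patent: the application server hands the terminal a service policy installation derived key, the terminal computes the authentication parameter from it, and the PCF role recomputes the parameter from its own installation key. The patent fixes no algorithm, so HMAC-SHA256 for derivation and authentication, the 16-byte nonce with a replay check, and all key and identifier values are assumptions of this example.

```python
import hmac
import hashlib
import os
import secrets

# Added example, not the patent's own code. The patent names a service policy
# installation key, a derived key and an authentication parameter but fixes no
# algorithm; HMAC-SHA256 for both derivation and authentication, a 16-byte
# freshness nonce and the message formats below are assumptions of this example.


def derive_install_key(install_key: bytes, service_id: str) -> bytes:
    """Service policy installation derived key, bound to one service identifier."""
    return hmac.new(install_key, b"policy-install|" + service_id.encode(),
                    hashlib.sha256).digest()


def make_auth_param(derived_key: bytes, service_id: str, nonce: bytes) -> bytes:
    """Service policy installation authentication parameter (terminal, step M03)."""
    msg = b"policy-request|" + service_id.encode() + b"|" + nonce
    return hmac.new(derived_key, msg, hashlib.sha256).digest()


class ApplicationServer:
    """Holds the per-service installation keys shared with the PCF role."""

    def __init__(self, install_keys: dict):
        self.install_keys = install_keys

    def service_request_response(self, service_id: str) -> dict:
        # Step M02: hand the terminal the derived key, never the installation key.
        derived = derive_install_key(self.install_keys[service_id], service_id)
        return {"service_id": service_id, "derived_key": derived}


class Terminal:
    def build_policy_request(self, response: dict) -> dict:
        # Steps M03/M04: the request carries only the identifier, nonce and parameter.
        nonce = os.urandom(16)
        param = make_auth_param(response["derived_key"], response["service_id"], nonce)
        return {"service_id": response["service_id"], "nonce": nonce, "auth_param": param}


class PolicyAuthenticationNE:
    """Service policy authentication network element (PCF role), step M07."""

    def __init__(self, install_keys: dict, policies: dict):
        self.install_keys = install_keys
        self.policies = policies
        self.seen_nonces = set()  # replay check: an assumption of this example

    def handle(self, request: dict) -> dict:
        sid = request["service_id"]
        if sid not in self.install_keys:
            return {"result": "reject", "reason": "unknown service identifier"}
        if request["nonce"] in self.seen_nonces:
            return {"result": "reject", "reason": "replayed request"}
        derived = derive_install_key(self.install_keys[sid], sid)
        expected = make_auth_param(derived, sid, request["nonce"])
        # Constant-time comparison so a wrong parameter leaks nothing via timing.
        if not hmac.compare_digest(expected, request["auth_param"]):
            return {"result": "reject", "reason": "authentication parameter mismatch"}
        self.seen_nonces.add(request["nonce"])
        # Step M08: policy plus (optionally) temporary label and key indication.
        return {
            "result": "accept",
            "service_policy": self.policies[sid],
            "temporary_label": secrets.token_bytes(4),
            "key_indication": secrets.token_bytes(32),  # assumed: the execution key itself
        }


INSTALL_KEYS = {"video-svc-17": secrets.token_bytes(32)}    # constructed sample
POLICIES = {"video-svc-17": "PCC rule: uplink QoS class 3"}  # constructed sample


def run_policy_install_flow(service_id: str, tamper: bool = False) -> dict:
    """Run M01..M08 end to end; with tamper=True the terminal sends a wrong parameter."""
    app_server = ApplicationServer(INSTALL_KEYS)
    terminal = Terminal()
    pcf = PolicyAuthenticationNE(INSTALL_KEYS, POLICIES)
    response = app_server.service_request_response(service_id)
    request = terminal.build_policy_request(response)
    if tamper:
        request["auth_param"] = bytes(32)
    # Steps M04..M06 (UPF and SMF forward the request unchanged) are elided.
    return pcf.handle(request)


if __name__ == "__main__":
    print(run_policy_install_flow("video-svc-17")["result"])      # accept
    print(run_policy_install_flow("video-svc-17", tamper=True))   # reject
```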
It should be noted that the method of identifying a service policy by a temporary label in the above embodiments may be replaced by a method of identifying the service policy by a service tag; the temporary label then need not be allocated or transmitted in the above method flow, which saves system and transmission overhead. The method flow using a service tag is not described again.
In the embodiments shown in fig. 4 and fig. 4a, the terminal device initiates service policy creation or service policy update; it will be apparent to those skilled in the art that, in a possible embodiment, service policy creation may also be initiated by the application server. Based on this consideration, fig. 4b shows another method for implementing service policy creation or service policy update.
Step N01: the terminal device sends a service request to the application server.
Step N02: after the application server receives the service request, it determines a service identifier according to the service request and initiates service policy creation or service policy update. Specifically, the application server sends a service policy request to a service policy authentication network element (e.g., PCF). The service policy request message includes a user identifier (e.g., the UE IP address), the service identifier and, optionally, the service policy installation authentication parameter corresponding to the service identifier. It should be noted that, in the present application, the user identifier is any identifier capable of uniquely identifying or addressing a user; its specific format and type are not limited. The service policy installation authentication parameter is used by the service policy authentication network element to authenticate the service policy request; the name of this parameter is not limited.
Step N03: after receiving the service policy request message, the service policy authentication network element allocates a service policy (for example, a PCC rule) to the service corresponding to the service identifier. The service policy comprises the processing policy for the uplink and downlink data packets of that service. Optionally, when the service request sent by the application server includes the service policy installation authentication parameter corresponding to the service identifier, the service policy authentication network element may also authenticate that parameter according to the service identifier and allocate the service policy only after the authentication passes; if the authentication does not pass, it sends a rejection message to the application server, which is used to reject the request of the application server.
Step N04: the service policy authentication network element sends a service policy request message to the SMF network element. The service policy request message carries the user identifier, the service policy and the service identifier. It should be noted that the user identifier sent by the service policy authentication network element to the SMF network element in this step and the user identifier sent by the application server to the PCF in step N02 may be different types of identifier for the same user; for example, the application server may send the PCF the IP address of the terminal device used by the user, while the PCF sends the SMF network element the user's International Mobile Subscriber Identity (IMSI).
Optionally, the service policy authentication network element may further send at least one of the temporary label and the key indication information to the SMF network element.
Step N05: after receiving the service policy, the SMF network element sends the service identifier, the key indication information and optionally a temporary label to the terminal device. When the terminal device does not receive a temporary label, it encapsulates the service identifier in the uplink data packet to identify the service the packet belongs to; when it does receive a temporary label, it may encapsulate either the service identifier or the temporary label in the data packet, as agreed with the core network, to identify the service. It should be noted that the temporary label may be allocated to the service corresponding to the service identifier by the SMF network element, or obtained by the SMF network element from another core network element such as a PCF network element or an AUSF network element; likewise, the key indication information may be allocated by the SMF network element for the service corresponding to the service identifier, or obtained by the SMF network element from another core network element such as a PCF network element or an AUSF network element.
Optionally, the SMF network element may further send service variable indication information to the terminal device.
Step N06: after receiving the service policy, the SMF further sends to the UPF network element at least one of the data packet processing rule (PCC rule) generated from the service policy, the service identifier and the temporary label, together with the key indication information. Steps N05 and N06 may be performed in either order. Optionally, the SMF network element may further send service variable indication information to the UPF network element. The data packet processing rule is generated by the SMF from the service policy: the SMF generates the data packet processing rule according to the received service policy and sends it to the UPF.
Step N07: the SMF network element sends a service policy request response message to the service policy authentication network element. Optionally, the service policy request response message carries at least one of the service identifier and the temporary label, together with the key indication information.
Step N08: the service policy authentication network element sends a service policy request response message to the application server. Optionally, the service policy request response message carries at least one of the service identifier and the temporary label, together with the key indication information. When the application server sends a downlink packet to the terminal, it encapsulates the service identifier or the temporary label in the data packet, for example outside the header of the IP packet or inside the IP packet. When the service policy request response message also includes the key indication information, the application server generates the verification parameter from the key indication information, the service identifier or temporary label and, optionally, the service variable; when sending the downlink packet to the terminal, it encapsulates the verification parameter together with the service identifier or temporary label in the data packet (again outside the header of the IP packet or inside the IP packet) and sends the data packet to the UPF network element. When the UPF subsequently receives a downlink packet sent by the application server to the terminal, the UPF performs service control on the data packet, or processes it, according to the service policy (specifically, the data packet processing rule generated from the service policy) corresponding to the service identifier or the temporary label.
When the downlink packet also carries a verification parameter, the UPF network element first verifies the verification parameter with the service policy execution key indicated by the key indication information sent by the SMF network element, and only after the verification parameter is verified successfully does it perform service control on the data packet, or process it, according to the service policy corresponding to the service identifier or the temporary label.
Step N09: the terminal device encapsulates the service identifier or the temporary label in the data packet, for example outside the header of the IP packet or inside the IP packet, and sends the encapsulated data packet to the UPF network element. Optionally, for security, when the terminal device obtained the key indication information in step N05, it further encapsulates a verification parameter in the data packet sent to the UPF, for example outside the header of the IP packet or inside the IP packet; the terminal device generates the verification parameter from the key indication information, the service identifier or temporary label and, optionally, the service variable.
Step N10: after the UPF network element receives an uplink data packet sent by the terminal device, if a verification parameter is present it verifies the verification parameter with the service policy execution key indicated by the key indication information sent by the SMF network element. After the verification parameter is verified successfully, the UPF performs service control on the data packet, or processes it, according to the data packet processing rule corresponding to the service identifier or the temporary label, removes the temporary label and the verification parameter encapsulated in the data packet, and sends the stripped data packet to the application server.
After the verification succeeds, the UPF may further record the association between the service variable (e.g., the IP five-tuple) of the uplink data packet and the service identifier or temporary label. When a downlink data packet arrives at the UPF, the UPF reverses the service variable of the downlink data packet, obtains the service identifier or the temporary label according to the reversed service variable, obtains the service policy according to that service identifier or temporary label, and performs service control on the downlink data packet using that service policy.
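The user-plane enforcement of steps M11 to M13 (fig. 4a) and N08 to N10 (fig. 4b), as an added example that is not part of the patent: the terminal attaches a label and a verification parameter bound to the IP five-tuple, the UPF verifies it with the execution key received from the SMF, strips both fields, records the uplink five-tuple, and then handles downlink packets either by verifying a tag added by the application server or by reversing the five-tuple. The patent fixes no algorithm, so the HMAC-SHA256 tag truncated to 8 bytes, carrying the label as a packet field rather than in a real IP header, and all addresses, labels and keys are assumptions of this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the patent's own code. The verification parameter is an
# HMAC-SHA256 tag over the temporary label (or service identifier) and the IP
# five-tuple, truncated to 8 bytes; all sample values are constructed.

FiveTuple = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, proto, src_port, dst_port)


def reverse_five_tuple(ft: FiveTuple) -> FiveTuple:
    """Swap source and destination so a downlink flow maps onto its uplink entry."""
    return (ft[1], ft[0], ft[2], ft[4], ft[3])


def verification_param(exec_key: bytes, label: bytes, ft: FiveTuple) -> bytes:
    msg = label + b"|" + "|".join(str(x) for x in ft).encode()
    return hmac.new(exec_key, msg, hashlib.sha256).digest()[:8]


@dataclass
class DataPacket:
    five_tuple: FiveTuple
    payload: bytes
    label: Optional[bytes] = None   # temporary label or service identifier
    check: Optional[bytes] = None   # verification parameter


class Endpoint:
    """Terminal (uplink) or application server (downlink, fig. 4b) attaching label and tag."""

    def __init__(self, label: bytes, exec_key: bytes):
        self.label, self.exec_key = label, exec_key

    def send(self, ft: FiveTuple, payload: bytes) -> DataPacket:
        return DataPacket(ft, payload, self.label, verification_param(self.exec_key, self.label, ft))


class UPF:
    def __init__(self):
        self.rules = {}       # label -> (execution key, processing rule), installed by the SMF
        self.flow_table = {}  # uplink five-tuple -> label, learned only after a good check

    def install(self, label: bytes, exec_key: bytes, rule: str) -> None:
        self.rules[label] = (exec_key, rule)

    def _verify(self, pkt: DataPacket) -> Optional[str]:
        entry = self.rules.get(pkt.label)
        if entry is None or pkt.check is None:
            return None                      # unknown label or no tag at all
        exec_key, rule = entry
        expected = verification_param(exec_key, pkt.label, pkt.five_tuple)
        return rule if hmac.compare_digest(expected, pkt.check) else None

    def handle_uplink(self, pkt: DataPacket):
        """Verify, apply the rule, record the flow, strip label and tag (M13 / N10)."""
        rule = self._verify(pkt)
        if rule is None:
            return "drop", None
        self.flow_table[pkt.five_tuple] = pkt.label
        return rule, DataPacket(pkt.five_tuple, pkt.payload)

    def handle_downlink(self, pkt: DataPacket):
        """Tagged downlink (N08) is verified; untagged downlink is matched by reversed five-tuple."""
        if pkt.label is not None:
            rule = self._verify(pkt)
            return ("drop", None) if rule is None else (rule, DataPacket(pkt.five_tuple, pkt.payload))
        label = self.flow_table.get(reverse_five_tuple(pkt.five_tuple))
        if label is None:
            return "no-policy", pkt
        return self.rules[label][1], pkt


UE_FT: FiveTuple = ("10.0.0.7", "203.0.113.5", 6, 51000, 443)  # constructed uplink flow
TEMP_LABEL = b"\x00\x00\x00\x2a"                                # constructed temporary label
EXEC_KEY = secrets.token_bytes(32)                              # service policy execution key


def demo() -> dict:
    """Exercise a good uplink packet, a forged tag, and both downlink paths."""
    upf = UPF()
    upf.install(TEMP_LABEL, EXEC_KEY, "PCC rule: video QoS")
    ue = Endpoint(TEMP_LABEL, EXEC_KEY)
    app_server = Endpoint(TEMP_LABEL, EXEC_KEY)
    good = ue.send(UE_FT, b"GET /stream")
    forged = DataPacket(UE_FT, b"GET /stream", TEMP_LABEL, b"\x00" * 8)
    rule_up, forwarded = upf.handle_uplink(good)
    rule_forged, _ = upf.handle_uplink(forged)
    dl_plain = DataPacket(reverse_five_tuple(UE_FT), b"200 OK")       # fig. 4a path
    dl_tagged = app_server.send(reverse_five_tuple(UE_FT), b"200 OK")  # fig. 4b path
    return {
        "uplink": rule_up,
        "stripped": forwarded.label is None and forwarded.check is None,
        "forged": rule_forged,
        "downlink_plain": upf.handle_downlink(dl_plain)[0],
        "downlink_tagged": upf.handle_downlink(dl_tagged)[0],
    }


if __name__ == "__main__":
    print(demo())
```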
It should be noted that, in the method flow shown in fig. 4b, the application server may also initiate service policy creation or service policy update through an Application Function (AF) network element; that is, in step N02 the application server sends the service policy request message to the service policy authentication network element through the AF, and in step N08 the service policy authentication network element sends the service policy request response message to the AF. After the AF receives at least one of the service identifier and the temporary label, together with the key indication information, it further needs to send this information to the application server so that the application server can generate the verification parameters and encapsulate them in downlink data packets. It should further be noted that the AF may interact with the service policy authentication network element through a Network Exposure Function (NEF), or may interact with it directly.
As shown in fig. 5, a schematic structural diagram of a service policy creating device is provided for an embodiment of the present application. The service policy creating device may be configured to perform the actions of the SMF network element in the foregoing method embodiments, and the service policy creating device 500 includes:
a receiving unit 501, configured to obtain a service identifier and a service policy installation authentication parameter from a terminal device and send them to a service policy authentication network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
a sending unit 502, configured to send a temporary label and key indication information to the terminal device, where the temporary label is used to identify the data packets of the service corresponding to the service identifier, the key indication information is used to indicate a service policy execution key, and the service policy execution key is used to verify the temporary label; the temporary label and the key indication information are generated by the device or by the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
In an optional implementation manner, the receiving unit 501 is further configured to:
receive a service policy corresponding to the service identifier, sent by the service policy authentication network element; the service policy is used to control the data packets of the service corresponding to the service identifier.
In an optional implementation manner, the sending unit 502 is further configured to:
send the service policy, the temporary label and the key indication information to a UPF network element.
In an optional implementation manner, the key indication information is sent to the device after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the device.
In an optional implementation manner, the key indication information is a key parameter from which the service policy execution key is generated; or the key indication information is the service policy execution key itself.
In an optional implementation manner, the temporary label is sent to the device after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the temporary label is allocated to the service corresponding to the service identifier by the device.
In an optional implementation manner, the sending unit 502 is further configured to:
send service variable indication information to the terminal device, where the service variable indication information indicates the service variable used to verify the temporary label.
In an optional implementation manner, the service variable indication information is sent encrypted with the service policy execution key.
As shown in fig. 6, a schematic structural diagram of a service policy creating apparatus is provided for an embodiment of the present application. The service policy creating apparatus may be configured to perform the actions of the terminal device in the foregoing method embodiments, and the service policy creating apparatus 600 includes:
a transceiver 601, configured to send a service identifier and a service policy installation authentication parameter to a session management function (SMF) network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the transceiver 601 is further configured to receive a temporary label and key indication information from the SMF network element, where the key indication information is used to indicate a service policy execution key; the temporary label and the key indication information are generated by the SMF network element or by the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier;
a processing unit 602, configured to generate a verification parameter after verifying the temporary label according to the service policy execution key;
the transceiver 601 is further configured to send a data packet of the service corresponding to the service identifier, where the data packet includes the temporary label and the verification parameter.
In an optional implementation manner, the key indication information is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the SMF network element.
In an optional implementation manner, before sending the service identifier and the service policy installation authentication parameter to the SMF network element, the transceiver 601 is further configured to:
obtain the service identifier and the service policy installation derived key corresponding to the service identifier from an application server;
and the processing unit 602 is configured to determine the service policy installation authentication parameter from the service identifier and the service policy installation derived key.
In an optional implementation manner, the transceiver 601 is further configured to:
receive service variable indication information from the SMF network element, where the service variable indication information indicates the service variable used to verify the temporary label.
As shown in fig. 7, a schematic structural diagram of a service policy creating device is provided for an embodiment of the present application. The service policy creating device may be configured to perform the actions of the service policy authentication network element in the foregoing method embodiments, and the service policy creating device 700 includes:
a transceiver unit 701, configured to receive a service identifier and a service policy installation authentication parameter sent by an SMF network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update, and were sent to the SMF network element by the terminal device;
a processing unit 702, configured to authenticate the service policy installation authentication parameter according to the service identifier;
the transceiver unit 701 is further configured to send, to the SMF network element, the service policy corresponding to the service identifier after the authentication passes, and to send, to the SMF network element, at least one of the service policy, the temporary label and the key indication information corresponding to the service identifier; the temporary label is used to identify the data packets of the service corresponding to the service identifier, the service policy execution key is used to verify the temporary label, and the service policy is used to control the data packets of the service corresponding to the service identifier.
In an optional implementation manner, the processing unit 702 is specifically configured to:
determine the service policy installation key corresponding to the service identifier according to the service identifier;
and generate a service policy installation derived key from the service policy installation key, and authenticate the service policy installation authentication parameter with that derived key.
In an optional implementation manner, the processing unit 702 is specifically configured to:
authenticate the service policy installation authentication parameter through the AUSF network element according to the service identifier.
As shown in fig. 8, a schematic structural diagram of a service policy creating device is provided for the embodiment of the present application, and the service policy creating device may be configured to execute actions of an SMF network element in the foregoing method embodiments.
The service policy creation apparatus 800 includes: a processor 801, a communication interface 802, a memory 803; the processor 801, the communication interface 802, and the memory 803 are connected to each other by a bus 804.
The processor 801 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor 801 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The memory 803 may include a volatile memory (volatile memory), such as a random-access memory (RAM); the memory may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a Hard Disk Drive (HDD) or a solid-state drive (SSD); the memory 803 may also comprise a combination of memories of the kind described above.
The communication interface 802 may be a wired communication access port, a wireless communication interface, or a combination thereof, where the wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a Wireless Local Area Network (WLAN) interface.
The bus 804 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 8, but that does not indicate only one bus or one type of bus.
The memory 803 may be used to store program instructions; the processor 801 invokes and executes the program instructions stored in the memory 803 to perform the method steps performed by the SMF in the methods described above in figs. 3, 4a and 4b. Taking the method embodiment of fig. 4 as an example, the following steps are performed:
obtaining a service identifier and a service policy installation authentication parameter from a terminal device through the communication interface 802, and sending the service identifier and the service policy installation authentication parameter to a service policy authentication network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
sending a temporary label and key indication information to the terminal device through the communication interface 802, where the temporary label is used to identify the data packets of the service corresponding to the service identifier, the key indication information is used to indicate a service policy execution key, and the service policy execution key is used to verify the temporary label; the temporary label and the key indication information are generated by the device or by the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
In an optional implementation, the processor 801 is further configured to:
receive, through the communication interface 802, the service policy corresponding to the service identifier sent by the service policy authentication network element; the service policy is used to control the data packets of the service corresponding to the service identifier.
In an optional implementation, the processor 801 is further configured to:
send the service policy, the temporary label and the key indication information to a UPF network element through the communication interface 802.
In an optional implementation manner, the key indication information is sent to the device after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the device.
In an optional implementation manner, the key indication information is a key parameter from which the service policy execution key is generated; or the key indication information is the service policy execution key itself.
In an optional implementation manner, the temporary label is sent to the device after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the temporary label is allocated to the service corresponding to the service identifier by the device.
In an optional implementation, the processor 801 is further configured to:
send service variable indication information to the terminal device through the communication interface 802, where the service variable indication information indicates the service variable used to verify the temporary label.
In an optional implementation manner, the service variable indication information is sent encrypted with the service policy execution key.
As shown in fig. 9, a schematic structural diagram of a service policy creation apparatus is provided for the embodiment of the present application, and the service policy creation apparatus may be configured to execute actions of a terminal device in the foregoing method embodiments.
The service policy creating apparatus 900 includes: a processor 901, a transceiver 902 and a memory 903, connected to each other through a bus 904. The memory 903 may be used to store program instructions, and the processor 901 invokes and executes the program instructions stored in the memory 903 to perform the method steps performed by the terminal in the methods described in fig. 3, fig. 4a and fig. 4b. For details of the other modules, refer to the description of the corresponding modules in fig. 8, which is not repeated here.
The transceiver 902 may be a wired communication access port, a wireless communication interface, or a combination thereof, where the wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a Wireless Local Area Network (WLAN) interface, a Radio Frequency (RF) interface, or the like, and the RF interface may communicate with a network device. The RF interface may use any communication standard or protocol, including but not limited to the Global System for Mobile communication (GSM) system, the General Packet Radio Service (GPRS) system, the Code Division Multiple Access (CDMA) system, the Wideband Code Division Multiple Access (WCDMA) system, the Long Term Evolution (LTE) system, the New Radio (NR) system, etc.
Taking the method embodiment of fig. 4 as an example, the following steps are performed:
the transceiver 902 is configured to send a service identifier and a service policy installation authentication parameter to a session management function (SMF) network element; the service identifier and the service policy installation authentication parameter are used to initiate service policy creation or service policy update;
the transceiver 902 is further configured to receive a temporary label and key indication information from the SMF network element, where the key indication information is used to indicate a service policy execution key; the temporary label and the key indication information are generated by the SMF network element or by the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier;
the processor 901 is configured to generate a verification parameter after verifying the temporary label according to the service policy execution key;
the transceiver 902 is further configured to send a data packet of the service corresponding to the service identifier, where the data packet includes the temporary label and the verification parameter.
In an optional implementation manner, the key indication information is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the SMF network element.
In an optional implementation manner, before sending the service identifier and the service policy installation authentication parameter to the session management function SMF network element, the transceiver 902 is further configured to:
acquire the service identifier and a service policy installation derived key corresponding to the service identifier from an application server;
and the processor 901 is configured to determine the service policy installation authentication parameter according to the service identifier and the service policy installation derived key.
In an optional embodiment, the transceiver 902 is further configured to:
receive service variable indication information from the SMF network element, where the service variable indication information indicates a service variable used for checking the temporary label.
Fig. 10 shows a schematic structural diagram of a service policy creation apparatus according to an embodiment of this application; the apparatus may be configured to perform the actions of the service policy authentication network element in the foregoing method embodiments.
The service policy creation apparatus 1000 includes a processor 1001, a communication interface 1002 and a memory 1003, which are connected to each other through a bus 1004. The memory 1003 may be configured to store program instructions, and the processor 1001 calls and executes the program instructions stored in the memory 1003 to perform the method steps of the service policy authentication network element in the methods described in fig. 3, fig. 4a and fig. 4b. For details of the above modules, refer to the description of the corresponding modules in fig. 8, which is not repeated here. Taking the method described in fig. 4 as an example:
a communication interface 1002, configured to receive a service identifier and a service policy installation authentication parameter sent by a session management function SMF network element; the service identification and the service strategy installation authentication parameter are used for initiating service strategy creation or service strategy updating; the service identifier and the service strategy installation authentication parameter are sent to the SMF network element by the terminal;
a processor 1001, configured to authenticate the service policy installation authentication parameter according to the service identifier;
the communication interface 1002 is configured to send, after the authentication is passed, the service policy corresponding to the service identifier to the SMF network element, and send, to the SMF network element, at least one of the service policy, the temporary tag, and the key indication information corresponding to the service identifier; the temporary label is used for identifying the data message of the service corresponding to the service identification, and the service strategy execution key is used for verifying the temporary label; the service policy is used for controlling the data message of the service corresponding to the service identifier.
In an optional implementation manner, the processor 1001 is specifically configured to:
determine a service policy installation key corresponding to the service identifier according to the service identifier;
and generate a service policy installation derived key according to the service policy installation key, and authenticate the service policy installation authentication parameter according to the service policy installation derived key.
In an optional implementation manner, the processor 1001 is specifically configured to:
authenticate the service policy installation authentication parameter through the AUSF network element according to the service identifier.
The embodiment of the present application further provides a computer-readable storage medium, which is used for storing computer software instructions executed by the processor 801, and the computer software instructions include a program executed by the processor 801.
An embodiment of the present application further provides a computer-readable storage medium, configured to store computer software instructions executed by the processor 901, where the computer software instructions include a program executed by the processor 901.
An embodiment of the present application further provides a computer-readable storage medium, which is used for storing computer software instructions executed by the processor 1001 and includes a program executed by the processor 1001.
It should be noted that the UPF described in the embodiments of the present invention can also be implemented by the apparatus shown in fig. 10. When the apparatus shown in fig. 10 implements the function of the UPF described in the above method embodiments, the program instructions stored in the memory 1003 are instructions for executing the UPF function, and when the processor 1001 calls and executes the program instructions stored in the memory 1003, the apparatus 1000 executes the method steps performed by the UPF in the methods described in fig. 3, fig. 4a and fig. 4b.
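The following Python sketch is an added example, not code from the patent, that plays through the exchange described for the terminal apparatus 900, the authentication apparatus 1000 and the UPF: the terminal derives its installation authentication parameter from the installation derived key, the authentication network element recomputes that key and checks the parameter before issuing a temporary label and a key parameter, and the UPF verifies the check parameter on each data message before applying the policy. HMAC-SHA256 as both MAC and key derivation, the field sizes, the message layout and all identifiers, keys and policy values are assumptions, since the page fixes none of them.

```python
import hashlib
import hmac
import secrets

# Constructed for illustration: the patent fixes no MAC, key derivation, field size or
# encoding, so HMAC-SHA256 and the byte layouts used here are assumptions.
LABEL_LEN = 4   # assumed size of the temporary label
CHECK_LEN = 8   # assumed size of the check parameter carried in each data message


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; used both as MAC and as key derivation."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class PolicyAuthNE:
    """Service policy authentication network element: holds each service's installation key."""

    def __init__(self) -> None:
        self.install_keys = {}   # service identifier -> service policy installation key
        self.policies = {}       # service identifier -> service policy

    def provision(self, service_id: bytes, policy: dict) -> None:
        self.install_keys[service_id] = secrets.token_bytes(32)
        self.policies[service_id] = policy

    def derived_key(self, service_id: bytes) -> bytes:
        """Installation derived key, given to the application server and on to the terminal."""
        return mac(self.install_keys[service_id], b"install", service_id)

    def authenticate(self, service_id: bytes, auth_param: bytes):
        """Recompute the derived key from the installation key and verify the parameter."""
        if service_id not in self.install_keys:
            return None
        expected = mac(self.derived_key(service_id), b"auth", service_id)
        if not hmac.compare_digest(expected, auth_param):
            return None                                   # authentication failed
        temp_label = secrets.token_bytes(LABEL_LEN)        # temporary label for this service
        key_param = secrets.token_bytes(32)                # key indication info as a key parameter
        return self.policies[service_id], temp_label, key_param


# ---- terminal side ------------------------------------------------------------------------
def install_auth_param(derived_key: bytes, service_id: bytes) -> bytes:
    """Service policy installation authentication parameter computed by the terminal."""
    return mac(derived_key, b"auth", service_id)


def exec_key(key_param: bytes, service_id: bytes) -> bytes:
    """Service policy execution key derived from the key parameter (assumed derivation)."""
    return mac(key_param, b"exec", service_id)


def check_param(exec_k: bytes, temp_label: bytes, service_var: bytes) -> bytes:
    """Check parameter bound to the temporary label and the service variable."""
    return mac(exec_k, temp_label, service_var)[:CHECK_LEN]


def build_packet(temp_label: bytes, exec_k: bytes, service_var: bytes, payload: bytes) -> bytes:
    """Data message layout (assumed): label || check parameter || payload."""
    return temp_label + check_param(exec_k, temp_label, service_var) + payload


# ---- UPF side -----------------------------------------------------------------------------
class UPF:
    """Applies a data message processing rule only after the check parameter verifies."""

    def __init__(self) -> None:
        self.rules = {}   # temporary label -> (execution key, service variable, policy)

    def install(self, temp_label: bytes, exec_k: bytes, service_var: bytes, policy: dict) -> None:
        self.rules[temp_label] = (exec_k, service_var, policy)

    def process(self, packet: bytes):
        label = packet[:LABEL_LEN]
        check = packet[LABEL_LEN:LABEL_LEN + CHECK_LEN]
        payload = packet[LABEL_LEN + CHECK_LEN:]
        rule = self.rules.get(label)
        if rule is None:
            return "default", payload                     # unknown label: no service policy applies
        exec_k, service_var, policy = rule
        if not hmac.compare_digest(check_param(exec_k, label, service_var), check):
            return "drop", None                           # label not proven by the execution key
        return policy["action"], payload


def run_flow(service_id: bytes = b"svc-0001", service_var: bytes = b"\x00\x00\x00\x07"):
    """Whole exchange; the SMF is modelled as a relay that also derives the execution key."""
    auth_ne, upf = PolicyAuthNE(), UPF()
    auth_ne.provision(service_id, {"action": "priority-queue"})
    dk = auth_ne.derived_key(service_id)                        # application server -> terminal
    result = auth_ne.authenticate(service_id, install_auth_param(dk, service_id))  # via SMF
    if result is None:
        return None
    policy, temp_label, key_param = result
    k_exec = exec_key(key_param, service_id)                    # same key at SMF and terminal
    upf.install(temp_label, k_exec, service_var, policy)        # SMF -> UPF
    good = upf.process(build_packet(temp_label, k_exec, service_var, b"hello"))
    forged = upf.process(temp_label + bytes(CHECK_LEN) + b"hello")
    other_label = bytes(b ^ 0xFF for b in temp_label)
    unknown = upf.process(other_label + bytes(CHECK_LEN) + b"hello")
    bad_auth = auth_ne.authenticate(service_id, bytes(32))
    return good, forged, unknown, bad_auth
```

The four results of `run_flow()` show the UPF applying the policy only to a message whose check parameter verifies, dropping a message that carries the label without a valid check parameter, falling back to default handling for an unknown label, and the authentication network element refusing a wrong installation authentication parameter.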
Fig. 11 shows a schematic structural diagram of a service policy creation apparatus according to an embodiment of this application; the apparatus may be configured to perform the functions and actions of an application server or an application function network element in the foregoing method embodiments.
The service policy creation apparatus 1100 includes a processor 1101, a communication interface 1102 and a memory 1103, which are connected to each other through a bus 1104. The memory 1103 may be used for storing program instructions, and the processor 1101 calls and executes the program instructions stored in the memory 1103 to perform the method steps of the application server or the application function network element in the method described in fig. 4b. For details of the above modules, refer to the description of the corresponding modules in fig. 8, which is not repeated here. Taking the method described in fig. 4b as an example:
a communication interface 1102, configured to communicate with a terminal through a UPF network element, and further configured to communicate with a service policy authentication network element;
the processor 1101 is configured to determine a service identifier according to a service request sent by a terminal, initiate service policy creation or service policy update to a service policy authentication network element, and process a service policy request response message sent by the service policy authentication network element.
Embodiments of the present application also provide a computer-readable storage medium for storing computer software instructions executed by the processor 1101.
It should be noted that, in the embodiment of the present application, a plurality of message names, network element names, parameter names, and the like are referred to, and those skilled in the art should understand that the names themselves do not limit the present solution, for example, in a specific implementation, the "service identifier" may also be referred to as a "policy identifier" or an "identifier", and the "temporary label" may also be referred to as a "policy label" or a "service label" or a "label", and the like. The embodiments of the present invention are not limited to the above-described embodiments, and any embodiments may be included in the present invention as long as the embodiments have the functions described in the embodiments.
It should also be apparent to one of ordinary skill in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
Claims (58)
1. A service policy creation method, characterized by comprising the following steps: a session management function (SMF) network element acquires a service identifier and a service policy installation authentication parameter from a terminal device and sends the service identifier and the service policy installation authentication parameter to a service policy authentication network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating; the SMF network element sends a label and key indication information to the terminal device, where the label is used for identifying a data message of a service corresponding to the service identifier, the key indication information is used for indicating a service policy execution key, and the service policy execution key is used for verifying the label; the label and the key indication information are generated by the SMF network element or the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
2. The method of claim 1, further comprising: the SMF network element receives a service policy corresponding to the service identifier sent by the service policy authentication network element, where the service policy is used for processing the data message of the service corresponding to the service identifier.
3. The method of claim 1 or 2, wherein after the SMF network element determines the label and the key indication information, the method further comprises: the SMF network element sends the service policy, the label and the key indication information to a user plane function (UPF) network element.
4. The method according to any one of claims 1 to 3, wherein the key indication information is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the SMF network element.
5. The method according to any one of claims 1 to 4, wherein the key indication information is a key parameter for generating the service policy execution key; or the key indication information is the service policy execution key.
6. The method according to any one of claims 1 to 5, wherein the label is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the label is allocated to the service corresponding to the service identifier by the SMF network element.
7. The method of any one of claims 1 to 6, further comprising: the SMF network element sends service variable indication information to the terminal device, where the service variable indication information indicates a service variable used for checking the label.
8. The method of claim 7, wherein the service variable indication information is sent after being encrypted with the service policy execution key.
9. A service policy creation method, characterized by comprising the following steps: the terminal device sends a service identifier and a service policy installation authentication parameter to a session management function (SMF) network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating; the terminal device receives a label and key indication information from the SMF network element, where the key indication information is used for indicating a service policy execution key, and the label and the key indication information are generated by the SMF network element or the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; and the terminal device sends a data message of the service corresponding to the service identifier, where the data message comprises the label and a check parameter, and the check parameter is generated after the terminal device computes over the label using the service policy execution key.
10. The method of claim 9, wherein the key indication information is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the SMF network element.
11. The method according to claim 9 or 10, wherein before the terminal device sends the service identifier and the service policy installation authentication parameter to the PCF network element through the SMF network element, the method further comprises: the terminal device acquires the service identifier and a service policy installation derived key corresponding to the service identifier from an application server; and the terminal device determines the service policy installation authentication parameter according to the service identifier and the service policy installation derived key.
12. The method according to any one of claims 9 to 11, further comprising: the terminal device receives service variable indication information from the SMF network element, where the service variable indication information indicates a service variable used for checking the label; and the check parameter is generated after the terminal device checks the label according to the service policy execution key and the service variable.
13. A service policy creation method, characterized by comprising the following steps: a service policy authentication network element receives a service identifier and a service policy installation authentication parameter sent by a session management function (SMF) network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating, and the service identifier and the service policy installation authentication parameter are sent to the SMF network element by the terminal; the service policy authentication network element authenticates the service policy installation authentication parameter according to the service identifier and, after the authentication is passed, sends a service policy corresponding to the service identifier to the SMF network element and sends at least one of a service policy, a label and key indication information corresponding to the service identifier to the SMF network element; the label is used for identifying the data message of the service corresponding to the service identifier, and the service policy execution key is used for verifying the label; the service policy is used for processing the data message of the service corresponding to the service identifier.
14. The method of claim 13, wherein the authenticating the service policy installation authentication parameter by the service policy authentication network element according to the service identifier comprises: the service policy authentication network element determines a service policy installation key corresponding to the service identifier according to the service identifier; and the service policy authentication network element generates a service policy installation derived key according to the service policy installation key, and authenticates the service policy installation authentication parameter according to the service policy installation derived key.
15. The method of claim 13, wherein the authenticating the service policy installation authentication parameter by the service policy authentication network element according to the service identifier comprises: the service policy authentication network element authenticates the service policy installation authentication parameter through the AUSF network element according to the service identifier.
16. A service policy creation apparatus, comprising: a receiving unit, configured to obtain a service identifier and a service policy installation authentication parameter from a terminal device, and send the service identifier and the service policy installation authentication parameter to a service policy authentication network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating; and a sending unit, configured to send a label and key indication information to the terminal device, where the label is used to identify a data message of a service corresponding to the service identifier, the key indication information is used to indicate a service policy execution key, and the service policy execution key is used to verify the label; the label and the key indication information are generated by the apparatus or the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier.
17. The apparatus of claim 16, wherein the receiving unit is further configured to: receive a service policy corresponding to the service identifier and sent by the service policy authentication network element, where the service policy is used for processing the data message of the service corresponding to the service identifier.
18. The apparatus according to claim 16 or 17, wherein the sending unit is further configured to: send the service policy, the label and the key indication information to a user plane function (UPF) network element.
19. The apparatus according to any one of claims 16 to 18, wherein the key indication information is sent to the apparatus after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the apparatus.
20. The apparatus according to any one of claims 16 to 19, wherein the key indication information is a key parameter for generating the service policy execution key; or the key indication information is the service policy execution key.
21. The apparatus according to any one of claims 16 to 20, wherein the label is sent to the apparatus after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the label is allocated to the service corresponding to the service identifier by the apparatus.
22. The apparatus according to any one of claims 16 to 21, wherein the sending unit is further configured to: send service variable indication information to the terminal device, where the service variable indication information indicates the service variable used for checking the label.
23. The apparatus of claim 22, wherein the service variable indication information is sent after being encrypted with the service policy execution key.
24. A service policy creation apparatus, comprising: a transceiver unit, configured to send a service identifier and a service policy installation authentication parameter to an SMF network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating; the transceiver unit is further configured to receive a label and key indication information from the SMF network element, where the key indication information is used to indicate a service policy execution key, and the label and the key indication information are generated by the SMF network element or the service policy authentication network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; a processing unit, configured to generate a check parameter after verifying the label according to the service policy execution key; and the transceiver unit is further configured to send a data message of a service corresponding to the service identifier, where the data message comprises the label and the check parameter.
25. The apparatus of claim 24, wherein the key indication information is sent to the SMF network element after the service policy authentication network element successfully authenticates the service policy installation authentication parameter according to the service identifier; or the key indication information is allocated to the service corresponding to the service identifier by the SMF network element.
26. The apparatus according to claim 24 or 25, wherein before sending the service identifier and the service policy installation authentication parameter to the session management function SMF network element, the transceiver unit is further configured to: acquire the service identifier and a service policy installation derived key corresponding to the service identifier from an application server; and the processing unit is configured to determine the service policy installation authentication parameter according to the service identifier and the service policy installation derived key.
27. The apparatus according to any one of claims 24 to 26, wherein the transceiver unit is further configured to: receive service variable indication information from the SMF network element, where the service variable indication information indicates a service variable used for checking the label.
28. A service policy creation apparatus, comprising: a transceiver unit, configured to receive a service identifier and a service policy installation authentication parameter sent by an SMF network element, where the service identifier and the service policy installation authentication parameter are used for initiating service policy creation or service policy updating, and the service identifier and the service policy installation authentication parameter are sent to the SMF network element by the terminal; a processing unit, configured to authenticate the service policy installation authentication parameter according to the service identifier; and the transceiver unit is further configured to send, after the authentication is passed, the service policy corresponding to the service identifier to the SMF network element, and send, to the SMF network element, at least one of the service policy, the label and the key indication information corresponding to the service identifier; the label is used for identifying the data message of the service corresponding to the service identifier, and the service policy execution key is used for verifying the label; the service policy is used for processing the data message of the service corresponding to the service identifier.
29. The apparatus according to claim 28, wherein the processing unit is specifically configured to: determine a service policy installation key corresponding to the service identifier according to the service identifier; and generate a service policy installation derived key according to the service policy installation key, and authenticate the service policy installation authentication parameter according to the service policy installation derived key.
30. The apparatus according to claim 28, wherein the processing unit is specifically configured to: authenticate the service policy installation authentication parameter through the AUSF network element according to the service identifier.
- A business strategy creation method is characterized by comprising the following steps:an Application Function (AF) network element sends a first message to a core network, wherein the first message comprises a user identifier and a service identifier, the service identifier is used for enabling the core network to determine a service strategy corresponding to the service identifier, and a data message of a terminal device corresponding to the user identifier is processed by using the service strategy, and the data message is a data message of a service corresponding to the service identifier;and the AF network element receives a response message of the first message sent by the core network.
- The method as claimed in claim 31, wherein the first message further includes a service policy installation authentication parameter, and the service policy installation authentication parameter is used to enable the core network to authenticate the first message according to the service policy installation authentication parameter before determining the service policy corresponding to the service identifier.
- A business strategy creation method is characterized by comprising the following steps:a service policy authentication network element receives a first message, wherein the first message comprises a first user identifier and a service identifier;the service policy authentication network element sends the service identifier, the service policy and the second user identifier to the SMF network element; the service policy is a service policy corresponding to the service identifier, the service policy is used for processing a data message of the terminal device corresponding to the first user identifier, and the data message is a data message of a service corresponding to the service identifier; the second subscriber identity and the first subscriber identity identify the same subscriber.
- The method of claim 33, wherein the service policy authentication network element further sends a tag corresponding to the service identifier to an SMF network element, and wherein the tag is used to determine the service policy corresponding to the service identifier when the data packet contains the tag.
- The method according to claim 33 or 34, wherein the service policy authentication network element further sends key indication information to the SMF network element, the key indication information is used to indicate a service policy enforcement key, and the service policy enforcement key is used to verify the data packet before processing the data packet according to the service policy.
- The method as claimed in any one of claims 33 to 35, wherein the first message further includes a service policy installation authentication parameter, and after the service policy authentication network element authenticates the first message according to the service policy installation authentication parameter, the service policy authentication network element determines the service policy corresponding to the service identifier.
- The method according to any of claims 33-36, wherein said first message is from an application function, AF, network element or a network exposure function, NEF, network element; and the service policy authentication network element also sends a response message to the first message to the AF network element or the NEF network element.
- The method according to any of claims 33-37, wherein the second subscriber identity is the same as the first subscriber identity.
- A business strategy creation method is characterized by comprising the following steps: a session management function SMF network element receives a service identifier, a service policy and a second user identifier sent by a service policy authentication network element, wherein the service policy is used for processing a data message of a terminal device corresponding to the second user identifier, and the data message is a data message of a service corresponding to the service identifier; the SMF network element sends a data message processing rule generated from the service policy, together with the service identifier or a label corresponding to the service identifier, to a User Plane Function (UPF) network element, and when the data message contains the service identifier or the label, the service identifier or the label is used for enabling the UPF network element to determine the data message processing rule corresponding to the service identifier or the label; and the SMF network element sends the service identifier to the terminal equipment corresponding to the second user identifier.
- The method of claim 39, wherein the SMF network element further sends the label to the terminal device.
- The method according to claim 39 or 40, wherein the SMF network element further sends key indication information to the UPF network element, the key indication information is used to indicate a service policy enforcement key, and the service policy enforcement key is used to enable the UPF network element to verify the data packet before processing the data packet according to the data packet processing rule.
- The method according to any of claims 39-41, wherein said SMF network element further sends said key indication information to said terminal device.
- The method of any of claims 40-42, wherein the label or key indication information is assigned by the SMF network element or obtained by the SMF network element from a core network element.
- The method according to any of claims 41 to 43, wherein said key indication information is a key parameter for generating said service policy enforcement key; or, the key indication information is the service policy enforcement key itself.
- The method of any one of claims 39 to 44, further comprising: the SMF network element sends service variable indication information to the terminal equipment and the UPF network element, wherein the service variable indication information is used for indicating a service variable used for verifying the data message.
- A business strategy creation method is characterized by comprising the following steps: the terminal equipment receives a service identifier sent by the SMF network element; the terminal equipment sends a data message of a service corresponding to the service identifier, wherein the data message comprises the service identifier or a label corresponding to the service identifier; and the service identifier or the label is used for enabling a user plane function UPF network element to determine a data message processing rule corresponding to the service identifier or the label and to control the data message according to the data message processing rule.
- The method of claim 46, wherein the tag is sent to the terminal device by the SMF network element.
- The method of claim 46 or 47, further comprising: the terminal equipment receives key indication information sent by the SMF network element, wherein the key indication information is used for indicating a service policy execution key; the data message sent by the terminal equipment also comprises a check parameter, and the check parameter is generated after the terminal equipment calculates over the service identifier or the label using the service policy execution key.
- The method of claim 48, further comprising: the terminal equipment receives service variable indicating information from the SMF network element, wherein the service variable indicating information indicates a service variable used for checking the data message; and the check parameter is generated after the terminal equipment calculates over the service identifier or the label according to the service policy execution key and the service variable.
- A business strategy creation apparatus comprising a memory, a communication interface, and a processor coupled to the memory and the communication interface; the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other network devices under control of the processor; wherein the processor, when executing the instructions, performs the method of the application function AF network element as described in claims 31-32 above.
- A business strategy creation apparatus comprising a memory, a communication interface, and a processor coupled to the memory and the communication interface; the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other network devices under control of the processor; wherein the processor when executing the instructions performs the method of the service policy authentication network element as claimed in any of the preceding claims 33-38.
- A business strategy creation apparatus comprising a memory, a communication interface, and a processor coupled to the memory and the communication interface; the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other network devices under control of the processor; wherein the processor, when executing the instructions, performs the method of the session management function, SMF, network element as recited in claims 33-38 above.
- A business strategy creation apparatus comprising a memory, a communication interface, and a processor coupled to the memory and the communication interface; the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other network devices under control of the processor; wherein the processor, when executing the instructions, performs the method of the terminal device as recited in claims 33-38 above.
- A core network for implementing policy control, comprising a Session Management Function (SMF) network element, a User Plane Function (UPF) network element, and a service policy authentication network element, wherein the service policy authentication network element is configured to receive a first message sent by an AF or an NEF, where the first message includes a first user identifier and a service identifier; and to send the service identifier, a service policy corresponding to the service identifier and a second user identifier to the SMF network element, wherein the second user identifier and the first user identifier are used for identifying the same user; the SMF network element is configured to send a data packet processing rule, and the service identifier or a tag corresponding to the service identifier, to the UPF network element, where the data packet processing rule is generated from the service policy; the SMF network element is further configured to send the service identifier to a terminal device corresponding to the second user identifier; and the UPF network element is used for processing the data message sent by the terminal equipment according to the data message processing rule, wherein the data message comprises the service identifier or the label corresponding to the service identifier.
- The core network of claim 54, wherein the SMF network element is further configured to send the tag to the terminal device.
- The core network according to claim 54 or 55, wherein the SMF network element is also used for sending key indication information to the UPF network element, and the key indication information is used for indicating a service policy execution key; the SMF network element is also used for sending the key indication information to the terminal equipment; and the UPF network element is also used for verifying the data message according to the service policy execution key before controlling the data message according to the data message processing rule.
- The core network of any one of claims 54 to 56, wherein the first message further includes a service policy installation authentication parameter, the service policy authentication network element is further configured to authenticate the first message according to the service policy installation authentication parameter, and after the authentication is passed, the service policy authentication network element determines a service policy corresponding to the service identifier.
- The core network of any of claims 54-56, wherein the SMF network element is further configured to send service variable indication information to the terminal device and the UPF network element, and the service variable indication information is used to indicate a service variable used for checking the data packet.
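The terminal-side check parameter of claims 48-49 and the UPF-side verification of claims 41 and 56, simulated end to end as an added example that is not code from the patent. HMAC-SHA256 for both key derivation and the check parameter, a per-packet counter as the service variable, and every identifier and key value are assumptions; the claims fix none of them.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the claims' identifiers (not values from the patent).
SERVICE_ID = b"svc-video-42"                       # service identifier
TAG = b"tmp-label-7f3a"                            # temporary label assigned by the SMF
KEY_PARAMETER = bytes.fromhex("00112233445566778899aabbccddeeff")  # key indication information (claim 45: a key parameter)


def derive_execution_key(key_parameter: bytes, service_id: bytes) -> bytes:
    """Derive the service policy execution key from the key parameter.
    HMAC-SHA256 used as a KDF is an assumption; the claims do not fix the derivation."""
    return hmac.new(key_parameter, b"policy-exec-key|" + service_id, hashlib.sha256).digest()


def compute_check_parameter(exec_key: bytes, tag: bytes, service_variable: bytes) -> bytes:
    """Check parameter (claim 49): MAC over the label and the service variable, truncated to 16 bytes."""
    return hmac.new(exec_key, tag + service_variable, hashlib.sha256).digest()[:16]


@dataclass
class DataMessage:
    tag: bytes               # label identifying the data packet's service
    service_variable: bytes  # here: 4-byte big-endian counter (assumed encoding)
    check: bytes             # check parameter
    payload: bytes


def terminal_send(exec_key: bytes, tag: bytes, counter: int, payload: bytes) -> DataMessage:
    """Terminal side (claims 46-49): attach the label, the service variable and the check parameter."""
    variable = counter.to_bytes(4, "big")
    return DataMessage(tag, variable, compute_check_parameter(exec_key, tag, variable), payload)


class UPF:
    """User plane function holding the SMF-installed rules (tag -> processing rule) and execution key."""

    def __init__(self, rules: dict, exec_key: bytes):
        self.rules = rules
        self.exec_key = exec_key
        self.last_counter = {}  # per-tag highest service variable seen, to reject replays

    def process(self, msg: DataMessage) -> str:
        rule = self.rules.get(msg.tag)
        if rule is None:
            return "drop: unknown label"
        # Claim 41/56: verify the packet before applying the processing rule.
        expected = compute_check_parameter(self.exec_key, msg.tag, msg.service_variable)
        if not hmac.compare_digest(expected, msg.check):
            return "drop: check parameter mismatch"
        counter = int.from_bytes(msg.service_variable, "big")
        if counter <= self.last_counter.get(msg.tag, 0):
            return "drop: replayed service variable"
        self.last_counter[msg.tag] = counter
        return f"apply {rule}"
```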
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2017/105728 WO2019071472A1 (en) | 2017-10-11 | 2017-10-11 | Service policy creation method and apparatus |
CNPCT/CN2017/105728 | 2017-10-11 | ||
PCT/CN2018/076836 WO2019071901A1 (en) | 2017-10-11 | 2018-02-14 | Service strategy creation method and apparatus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111226452A true CN111226452A (en) | 2020-06-02 |
CN111226452B CN111226452B (en) | 2021-10-19 |
Family ID: 66100165
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201880066694.5A Active CN111226452B (en) | 2017-10-11 | 2018-02-14 | Business strategy creating method and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111226452B (en) |
WO (2) | WO2019071472A1 (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105471611A (en) * | 2014-09-05 | 2016-04-06 | 中兴通讯股份有限公司 | Processing method, device and system for providing user service |
CN106937351B (en) * | 2015-12-29 | 2020-04-17 | 中国移动通信集团公司 | Session realization method and core network element |
WO2017171365A2 (en) * | 2016-03-31 | 2017-10-05 | 엘지전자(주) | Method for transmitting or receiving signal in wireless communication system supporting band of 6ghz or lower, and device therefor |
US10277515B2 (en) * | 2016-04-04 | 2019-04-30 | Qualcomm Incorporated | Quality of service (QOS) management in wireless networks |
- 2017-10-11 WO PCT/CN2017/105728 (WO2019071472A1), application filing
- 2018-02-14 CN CN201880066694.5A (CN111226452B), active
- 2018-02-14 WO PCT/CN2018/076836 (WO2019071901A1), application filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101227309A (en) * | 2008-01-30 | 2008-07-23 | 中兴通讯股份有限公司 | Next generation network multicast business admitting control method |
CN102726077A (en) * | 2011-12-31 | 2012-10-10 | 华为技术有限公司 | Method and device for processing message in PCC architecture |
US20140092884A1 (en) * | 2012-09-28 | 2014-04-03 | Juniper Networks, Inc. | Methods and apparatus for a common control protocol for wired and wireless nodes |
CN106559917A (en) * | 2015-09-30 | 2017-04-05 | 中国移动通信集团公司 | The initial adherence method of user equipment and system |
CN107018542A (en) * | 2017-03-27 | 2017-08-04 | 中兴通讯股份有限公司 | The processing method of status information, device and storage medium in network system |
Non-Patent Citations (2)
Title |
---|
3RD GENERATION PARTNERSHIP PROJECT: "Technical Specification Group Services and System Aspects;Procedures for the 5G System", 《3GPP TS 23.502 V0.2.0 (RELEASE 15)》 * |
3RD GENERATION PARTNERSHIP PROJECT: "Technical Specification Group Services and System Aspects;System Architecture for the 5G System", 《3GPP TS 23.501 V1.4.0 (RELEASE 15)》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220182804A1 (en) * | 2019-08-28 | 2022-06-09 | Huawei Technologies Co., Ltd. | Communication processing method, and communication processing apparatus and system |
CN114285908A (en) * | 2021-12-09 | 2022-04-05 | 中国联合网络通信集团有限公司 | Network element adaptation method, device, equipment and computer readable storage medium |
CN114285908B (en) * | 2021-12-09 | 2023-10-31 | 中国联合网络通信集团有限公司 | Network element adaptation method, device, equipment and computer readable storage medium |
CN114423029A (en) * | 2022-02-08 | 2022-04-29 | 深圳艾灵网络有限公司 | Method, device and storage medium for adjusting service quality parameters |
CN114423029B (en) * | 2022-02-08 | 2023-12-19 | 深圳艾灵网络有限公司 | Quality of service parameter adjustment method, equipment and storage medium |
WO2024114708A1 (en) * | 2022-12-02 | 2024-06-06 | 大唐移动通信设备有限公司 | Information transmission method and apparatus, and information processing method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
WO2019071901A1 (en) | 2019-04-18 |
WO2019071472A1 (en) | 2019-04-18 |
CN111226452B (en) | 2021-10-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |