WO2022165745A1 - Data configuration method and apparatus, system, and storage medium - Google Patents
- Publication number
- WO2022165745A1 (application no. PCT/CN2021/075493)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security gateway
- information
- local security
- data
- sub
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W8/08—Mobility data transfer
Definitions
- the present application relates to the field of communication technologies, and in particular, to a data configuration method, apparatus, system, and storage medium.
- the data network access identifier (DNAI) change in the multi-access edge computing (MEC) scenario mainly includes the following processes: the process in which the application function (AF) influences service routing, the uplink classifier (ULCL) insertion process, and the AF device notification process.
- the connection and path adjustment of the MEC server are mainly realized through the process in which the AF device influences service routing.
- the AF device provides, through the policy control function (PCF) network element, the session management function (SMF) device with the DNAI available to the related application (that is, the access network entity where the MEC server is located), and the SMF device reacts when the user equipment (UE) moves or when the corresponding data flow is detected.
- a data configuration method, device, system and storage medium are proposed.
- the embodiments of the present application provide a data configuration method, device, system, and storage medium.
- an embodiment of the present application provides a data configuration method for use in a network device, the method comprising:
- the address information of the local security gateway is received, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is the PSA after the UE has changed its DNAI.
- the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the first information sent by the network device to the local security gateway includes routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server, so as to realize the establishment of the path between the local security gateway and the MEC server.
- the method further includes:
- First response information corresponding to the first information fed back by the local security gateway is received, where the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed, and the first response information includes uplink tunnel information of the local security gateway.
- the network device receives the first response information corresponding to the first information fed back by the local security gateway, so that the network device determines that the establishment of the connection between the local security gateway and the MEC server is completed, and obtains the uplink tunnel information of the local security gateway from the first response information.
- the method further includes:
- the network device sends update information including the downlink tunnel information of the first PSA to the local security gateway, which is used to configure the downlink tunnel between the local security gateway and the first PSA, thereby realizing, during the ULCL insertion process, the establishment of the path from the first PSA to the local security gateway.
- Second response information corresponding to the update information fed back by the local security gateway is received, where the second response information is used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
- the network device receives the second response information corresponding to the update information fed back by the local security gateway, so that the network device determines that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
- the network device includes a centralized security gateway that establishes a communication connection with the local security gateway.
- the local security gateway is selected upon receiving the first DNAI change notification from the SMF device.
- the centralized security gateway subscribes to the DNAI change notification event at the SMF device, so as to select the local security gateway when receiving the first DNAI change notification from the SMF device, thus realizing the function of the centralized security gateway as a proxy network element.
- the first DNAI change notification includes the changed DNAI and the security association (SA) of the path to be changed, and the method further includes:
- an AF notification is sent to the AF device corresponding to the queried application, and the AF notification is used to indicate the DNAI change;
- the centralized security gateway undertakes the function of interacting with the AF device and performing the connection configuration of the MEC server.
- the method further includes:
- after receiving the first response information corresponding to the first information fed back by the local security gateway, the centralized security gateway feeds back the fourth response information corresponding to the first DNAI change notification to the SMF device, and cooperates with the SMF device to construct the path from the local security gateway to the MEC server.
- before the update information is sent to the local security gateway, the method further includes:
- a second DNAI change notification from the SMF device is received, where the second DNAI change notification includes downlink tunnel information of the first PSA.
- after receiving the second DNAI change notification from the SMF device, the centralized security gateway sends the update information to the local security gateway to configure the downlink tunnel between the local security gateway and the first PSA.
- after receiving the second response information corresponding to the update information fed back by the local security gateway, the centralized security gateway feeds back the fifth response information corresponding to the second DNAI change notification to the SMF device, and cooperates with the SMF device to construct the path between the local security gateway and the first PSA.
- the centralized security gateway establishes an IKE SA with the UE, and the method further includes:
- the third response information corresponding to the context information of the sub-SA fed back by the local security gateway is received, and the third response information is used to indicate that the establishment of the sub-SA is completed.
- the first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA;
- the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
- the second sub-SA establishment request includes the second data characteristic, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
- in the process in which the centralized security gateway, as a proxy for the local security gateway, establishes a sub-SA for user plane data transmission with the UE, the information exchange of the first sub-SA establishment request, the first sub-SA establishment response, the second sub-SA establishment request and the second sub-SA establishment response enables the local security gateway and the UE to respectively determine the data flow characteristic information, such as the above-mentioned first data characteristic, second data characteristic and third data characteristic, so as to realize the establishment of the sub-SA between the local security gateway and the UE.
- the third response information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.
- the method further includes:
- the network device includes an SMF device that establishes a communication connection with the local security gateway.
- the data configuration method provided by the embodiment of the present application is applied to the distributed security gateway scenario, and the ULCL insertion in the distributed security gateway scenario, together with the relevant configuration of the security gateway in that process, is realized through the information exchange process between the local security gateway and the SMF device.
- the method further includes:
- the first notification information sent by the local security gateway is received, where the first notification information is used to indicate that the establishment of the Internet Key Exchange (IKE) SA between the UE and the local security gateway is completed.
- the SMF device receives the first notification information sent by the local security gateway, so that the SMF device determines that the establishment of the IKE SA between the UE and the local security gateway is complete.
- the method further includes:
- the second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes the data packet detection rules and forwarding action rules corresponding to the data flow feature information.
- the SMF device instructs the local security gateway to establish a sub-SA for user plane transmission with the UE by providing service detection rules to the local security gateway, thereby saving the NAS signaling overhead sent to the UE and ensuring local security.
- the method further includes:
- the second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes the data packet detection rules and forwarding action rules corresponding to the data flow feature information.
- the SMF device receives the second notification information fed back by the local security gateway, so that the SMF device determines that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and determines the packet detection rules and forwarding action rules corresponding to the data flow characteristic information.
- the method further includes:
- a NAS message is sent to the UE through the AMF device, and the NAS message includes the address of the local security gateway.
- the NAS message is enhanced: the SMF device sends the NAS message to the UE through the AMF device, and the NAS message includes the address of the local security gateway, so that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is initiated by the UE, which saves the signaling interaction between the SMF device and the local security gateway.
- the SMF device can control the local security gateway and notify the UE, through the NAS message, of the service detection rules for the service data packets that need to be transmitted from the local security gateway, so that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is initiated by the UE, which further saves the signaling interaction between the SMF device and the local security gateway.
- the address information of the local security gateway is sent, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the user equipment UE, and the first PSA is the PSA after the UE has a DNAI change.
- the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the method further includes:
- the first response information corresponding to the first information is fed back, and the first response information includes uplink tunnel information of the local security gateway.
- the method further includes:
- Update information is received, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
- the method further includes:
- when the local security gateway establishes a communication connection with the centralized security gateway, the method further includes:
- the third response information corresponding to the context information of the sub-SA is fed back to the centralized security gateway.
- the first sub-SA establishment request includes the first data feature of the data to be encrypted and transmitted and the corresponding first SA.
- the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.
- when the local security gateway establishes a communication connection with the session management function (SMF) device, the method further includes:
- the corresponding data flow feature information is generated, and a sub-SA for user plane data transmission between the UE and the local security gateway is established;
- the second notification information is fed back to the SMF device, where the second notification information includes the data packet detection rule and the forwarding action rule corresponding to the data flow characteristic information.
- the method further includes:
- second notification information is fed back to the SMF device, where the second notification information includes data packet detection rules and forwarding action rules corresponding to data flow feature information.
- an embodiment of the present application provides a data configuration method, which is used in a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway, and the method includes:
- the network device sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;
- after receiving the first information, the local security gateway sends the address information of the local security gateway;
- the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is the PSA after the UE's DNAI change;
- the network device receives the address information of the local security gateway.
- embodiments of the present application provide a data configuration apparatus for use in a network device, the apparatus comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to implement, when executing the instructions, the data configuration method provided by the first aspect or any one of the possible implementations of the first aspect.
- embodiments of the present application provide a data configuration apparatus for use in a local security gateway, the apparatus comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to implement, when executing the instructions, the data configuration method provided by the second aspect or any one of the possible implementations of the second aspect.
- an embodiment of the present application provides a data configuration apparatus, the apparatus including at least one unit, and the at least one unit is configured to implement the data configuration method provided by the first aspect or any one of the possible implementations of the first aspect.
- an embodiment of the present application provides a data configuration apparatus, the apparatus including at least one unit, and the at least one unit is configured to implement the data configuration method provided by the second aspect or any one of the possible implementations of the second aspect.
- embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, wherein when the computer-readable codes are stored in an electronic device, the processor in the electronic device executes the data configuration method provided by the first aspect or any one of the possible implementations of the first aspect.
- embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, wherein when the computer-readable codes are stored in an electronic device, the processor in the electronic device executes the data configuration method provided by the second aspect or any one of the possible implementations of the second aspect.
- embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the data configuration method provided by the first aspect or any one of the possible implementations of the first aspect is implemented.
- embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the data configuration method provided by the second aspect or any one of the possible implementations of the second aspect is implemented.
- an embodiment of the present application provides a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway:
- the network device includes the data configuration apparatus according to the fourth aspect, and the local security gateway includes the data configuration apparatus according to the fifth aspect; or, the network device includes the data configuration apparatus according to the sixth aspect, and the local security gateway includes the data configuration apparatus according to the seventh aspect.
- FIG. 1 shows a schematic structural diagram of an IPSec protocol system.
- FIG. 2 shows a schematic diagram of a gateway architecture deploying a security gateway between a UPF device and a DN.
- FIG. 3 shows a flowchart of a process of AF influencing service routing in the related art.
- FIG. 4 shows a flowchart of a ULCL insertion process in the related art.
- FIG. 5 shows a flowchart of an AF device notification process in the related art.
- FIG. 6 shows a schematic structural diagram of a data configuration system provided by an exemplary embodiment of the present application.
- FIG. 7 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.
- FIG. 8 shows a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of the present application.
- FIG. 9 shows a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of the present application.
- FIG. 10 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.
- FIG. 11 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 12 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 13 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 14 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 15 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 16 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 17 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.
- FIG. 18 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
- FIG. 19 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
- FIG. 20 shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application.
- FIG. 21 shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application.
- “/” may indicate that the objects associated before and after it are in an “or” relationship; for example, A/B may indicate A or B. “and/or” may be used to describe three kinds of relationship between the associated objects; for example, A and/or B can mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B can be singular or plural.
- words such as “first” and “second” may be used to distinguish technical features with the same or similar functions. The words “first”, “second” and the like do not limit the quantity or the order of execution, and do not necessarily indicate a difference.
- words such as “exemplary” or “for example” are used to represent examples, illustrations or explanations, and any embodiment or design solution described as “exemplary” or “for example” should not be construed as preferred or advantageous over other embodiments or designs.
- the use of words such as “exemplary” or “such as” is intended to present the relevant concepts in a specific manner to facilitate understanding.
- technical features distinguished by “first”, “second”, “third”, “A”, “B”, “C”, “D” and the like carry no implication of order or magnitude.
- the 5th generation mobile network (5G) includes an access network and a core network.
- the access network is used to implement functions related to wireless access.
- the core network includes but is not limited to the following logical network elements: radio access network ((R)AN), access and mobility management function (AMF) device, session management function (SMF) device, user plane function (UPF) device, policy control function (PCF) device, and unified data management (UDM) device.
- base station (radio access network, RAN) equipment provides wireless access for the UE, including but not limited to eNodeB, WiFi AP, WiMAX BS, etc.
- the AMF device is used for mobility management in the mobile network, such as user location update, user registration network, user handover, etc.
- the SMF device is used for session management in the mobile network, such as session establishment, modification, and release. Specific functions include assigning IP addresses to users and selecting UPF devices that provide packet forwarding functions.
- the PCF device is responsible for providing policies, such as QoS policies, slice selection policies, and the like, to the AMF device and the SMF device.
- the UDM device is used to store user data, such as subscription information and authentication/authorization information.
- the AF device is responsible for providing services to the 3GPP network, such as affecting service routing, interacting with the PCF device for policy control, and the like.
- the UPF device is used to process user packets, such as forwarding and accounting.
- a data network (DN) is a network used to provide users with data transmission services, such as the IP multimedia service (IMS), the Internet, and so on.
- the UE accesses the DN by establishing a session (PDU session) along the path from the UE through the RAN and the UPF device to the DN.
- Internet Protocol Security (IPSec): the two communicating parties perform encryption and data source authentication at the IP layer to ensure the confidentiality, data integrity, data source authentication and anti-replay of data packets during network transmission.
- the security services provided by IPSec include: (1) data source authentication: peer identity authentication and non-repudiation; (2) integrity protection: ensuring that data is not tampered with during transmission; (3) confidentiality: for transmission; (4) replay protection: refusing to accept old or duplicate messages.
- SA: Security Association
- SAD: Security Association Database
- SPI: Security Parameter Index
- Security policy (SP): configured by the user, it decides what kind of protection to provide for IP data packets and in what way to implement the protection.
- SP attributes include protected data flow (ACL), security proposal (encapsulation mode, security protocol, encryption and authentication algorithm), key configuration method, local/peer IP address of the secure tunnel, IKE peer, etc.
- Security policy database (SPD): usually an ordered structure that uses access control lists to describe data flow characteristics. The interfaces that define how data flows are mapped to security services are implementation-dependent. When an IP packet is received or is about to be sent, the first thing to do is to look up the SPD to decide what to do with it. There are three possible processing methods: drop, bypass IPSec, and apply IPSec.
- IPSec provides security services based on policy rules defined by SPD, and these rules are added by administrators or applications. There are three processing methods when data packets pass through IPSec entities: IPSec protection, discarding or bypassing. The judgment basis for the protocol to make processing decisions is called Selectors, which includes the IP of the data packet and the header information of the next layer. Selectors are defined for each policy in SPD.
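The ordered SPD walk with its three outcomes, and the SPI-keyed SAD that a protect decision resolves against, as an added example that is not part of the patent; the entry layout, field names and all sample addresses and policies are constructed for illustration:

```python
"""Added example, not from the patent: an ordered IPSec SPD walked on packet
selectors, with PROTECT entries resolved against an SPI-keyed SAD.

Entry layout, field names and all sample addresses/policies below are
constructed for illustration and are not a real implementation's format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    DISCARD = "discard"   # drop the packet
    BYPASS = "bypass"     # forward without IPSec
    PROTECT = "protect"   # apply IPSec using the referenced SA


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number, e.g. 6 = TCP, 17 = UDP
    dport: int


@dataclass(frozen=True)
class Selector:
    """Selector fields: IP header plus next-layer header information."""
    src: str                                  # CIDR prefix
    dst: str                                  # CIDR prefix
    proto: Optional[int] = None               # None matches any protocol
    dport: Tuple[int, int] = (0, 65535)       # inclusive port range

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and self.dport[0] <= pkt.dport <= self.dport[1]
        )


@dataclass(frozen=True)
class SecurityAssociation:
    """One SAD entry, identified by its SPI; key_id is a placeholder label."""
    spi: int
    protocol: str   # "ESP" or "AH"
    mode: str       # "tunnel" or "transport"
    peer: str       # tunnel endpoint (e.g. the local security gateway)
    key_id: str


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: Action
    spi: Optional[int] = None   # SA to use; only meaningful for PROTECT


# Constructed SAD: SPI -> SA. 0x2002 is deliberately absent to show fail-closed.
SAD: Dict[int, SecurityAssociation] = {
    0x1001: SecurityAssociation(0x1001, "ESP", "tunnel", "198.51.100.1", "key-placeholder-1"),
}

# Constructed, ordered SPD. Order matters: the first matching entry wins.
SPD: List[Policy] = [
    Policy(Selector("10.0.0.0/8", "10.0.0.53/32", 17, (53, 53)), Action.BYPASS),
    Policy(Selector("0.0.0.0/0", "0.0.0.0/0", 6, (23, 23)), Action.DISCARD),
    Policy(Selector("10.0.0.0/8", "192.0.2.10/32"), Action.PROTECT, spi=0x1001),
    Policy(Selector("10.0.0.0/8", "203.0.113.5/32"), Action.PROTECT, spi=0x2002),
]


def lookup(pkt: Packet, spd: List[Policy] = SPD,
           sad: Dict[int, SecurityAssociation] = SAD
           ) -> Tuple[Action, Optional[SecurityAssociation]]:
    """Outbound decision: first-match walk of the SPD, then SAD resolution.

    Two fail-closed rules: a PROTECT policy whose SA is missing from the SAD
    discards rather than sending in the clear, and a packet matching no
    policy at all is discarded (the RFC 4301 default).
    """
    for pol in spd:
        if pol.selector.matches(pkt):
            if pol.action is Action.PROTECT:
                sa = sad.get(pol.spi) if pol.spi is not None else None
                return (Action.PROTECT, sa) if sa else (Action.DISCARD, None)
            return pol.action, None
    return Action.DISCARD, None


def inbound_sa(spi: int, sad: Dict[int, SecurityAssociation] = SAD
               ) -> Optional[SecurityAssociation]:
    """Inbound: an ESP/AH packet carries its SPI; resolve it against the SAD."""
    return sad.get(spi)


if __name__ == "__main__":
    print(lookup(Packet("10.1.2.3", "192.0.2.10", 6, 443)))
    print(lookup(Packet("10.1.2.3", "192.0.2.10", 6, 23)))
```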
- The IPSec protocol suite consists of two security processing protocols and a key exchange protocol.
- The IPSec protocol system 10 includes an Authentication Header (AH) protocol 11, an Encapsulating Security Payload (ESP) protocol 12 and an IKE protocol 13.
- The AH protocol 11 provides data-origin authentication, data integrity verification and anti-replay protection; it does not encrypt data.
- The ESP protocol 12 provides data-origin authentication, data integrity verification, anti-replay protection and data encryption.
- The AH protocol 11 and the ESP protocol 12 can be used alone or nested. These combinations can be used between two hosts, between two security gateways (firewalls or routers), or between a host and a security gateway.
- The IKE protocol 13 is used for key management: it defines how the communicating entities authenticate each other, negotiate cryptographic algorithms and generate shared session keys. It also negotiates the identifier (the SPI) by which both sides refer to the resulting SA. The IKE protocol 13 stores the outcome of the negotiation in the SA, which the AH protocol 11 and the ESP protocol 12 then use.
- IPSec encapsulation modes are transport mode and tunnel mode. In transport mode no new IP header is generated: the AH or ESP header is inserted after the original IP header and before the transport-layer header. It is usually used between two hosts, i.e. in scenarios where the endpoint of the data transmission is also the encryption endpoint. In tunnel mode the AH or ESP header is inserted before the original IP header, and a new IP header is generated and placed in front of the AH or ESP header. It is usually used when one private network communicates with another private network across a public network.
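The SPD/SAD handling and the anti-replay service described above, as an added illustration that is not code from the patent: an ordered SPD with selectors and the three outcomes (discard, bypass, protect), a SAD keyed by (SPI, destination, protocol) as in RFC 4301, and the 64-bit sliding anti-replay window of RFC 4303. The addresses, SPI values, policy entries and packets are constructed sample data, and the packet dicts are a stand-in for real IP/ESP headers.

```python
"""Toy model of IPsec inbound processing: ordered SPD lookup, SAD lookup
keyed by (SPI, destination, protocol) and the RFC 4303 sliding anti-replay
window.  Added illustration, not code from the patent; all addresses,
SPIs and sequence numbers are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"


@dataclass
class Selector:
    """Selector fields of an SPD entry (RFC 4301 section 4.4.1)."""
    src: str                      # CIDR prefix
    dst: str                      # CIDR prefix
    proto: Optional[int] = None   # next-layer protocol number, None = any
    dport: Optional[int] = None   # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class SPDEntry:
    selector: Selector
    action: str
    sa_key: Optional[tuple] = None   # (SPI, dst, protocol) of the SA for PROTECT entries


def spd_lookup(spd: list, pkt: dict) -> SPDEntry:
    """The SPD is ordered: the first matching entry wins; no match means discard."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    return SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)


@dataclass
class SA:
    spi: int
    dst: str
    proto: str                 # "ESP" or "AH"
    window_size: int = 64
    highest_seq: int = 0       # right edge of the anti-replay window
    window: int = 0            # bitmap, bit i = (highest_seq - i) already received

    def check_replay(self, seq: int) -> bool:
        """RFC 4303 section 3.4.3: accept a sequence number once, within the window."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.highest_seq:             # new right edge: slide the window
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                       # too old: left of the window
        if self.window & (1 << offset):
            return False                       # already seen: replay
        self.window |= 1 << offset
        return True


def inbound(spd: list, sad: dict, pkt: dict) -> str:
    """Decide what happens to one inbound packet (plaintext or IPsec-protected)."""
    if "spi" not in pkt:                           # arrived without IPsec
        entry = spd_lookup(spd, pkt)
        # traffic the policy says must be protected is dropped if it arrives in clear
        return DISCARD if entry.action == PROTECT else entry.action
    sa = sad.get((pkt["spi"], pkt["dst"], pkt["ipsec_proto"]))
    if sa is None:
        return "discard:no-sa"
    if not sa.check_replay(pkt["seq"]):
        return "discard:replay"
    entry = spd_lookup(spd, pkt["inner"])          # decapsulated packet must match this SA's policy
    if entry.action != PROTECT or entry.sa_key != (sa.spi, sa.dst, sa.proto):
        return "discard:policy"
    return "protect:ok"


SPD = [   # constructed sample policy, most specific first
    SPDEntry(Selector("10.0.0.0/8", "10.0.0.0/8"), BYPASS),
    SPDEntry(Selector("10.0.0.0/8", "203.0.113.0/24", proto=6, dport=443),
             PROTECT, sa_key=(0x1001, "203.0.113.1", "ESP")),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD),
]


def make_sad() -> dict:
    sa = SA(spi=0x1001, dst="203.0.113.1", proto="ESP")
    return {(sa.spi, sa.dst, sa.proto): sa}


def run_sample() -> list:
    """Constructed packets: plaintext bypass, plaintext that should have been ESP,
    a valid ESP packet, its replay, and ESP with an SPI that has no SA."""
    sad = make_sad()
    inner = {"src": "10.1.1.5", "dst": "203.0.113.1", "proto": 6, "dport": 443}
    esp = {"spi": 0x1001, "dst": "203.0.113.1", "ipsec_proto": "ESP", "seq": 5, "inner": inner}
    pkts = [{"src": "10.1.1.5", "dst": "10.2.0.9", "proto": 17},
            dict(inner), dict(esp), dict(esp), {**esp, "spi": 0x2002}]
    return [inbound(SPD, sad, p) for p in pkts]
```

`run_sample()` returns `['bypass', 'discard', 'protect:ok', 'discard:replay', 'discard:no-sa']`: the second packet is dropped because the policy requires ESP for that flow and it arrived in clear, and the fourth is the replayed copy of the third. Note that the replay window is per SA, so a gateway that manages many UE SAs (as in the scenarios below) keeps one window per SPI.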
- A solution that does not change the current network architecture is to deploy a security gateway between the UPF device and the DN.
- The gateway architecture is shown in FIG. 2.
- A new security gateway 20 is placed on the interface between the UPF device and the DN. Communication between the UE 22 and the security gateway 20 is encrypted end to end at the IP layer, with the encryption key derived from the key negotiated between the UE 22 and the security gateway 20 using the IPSec protocol suite.
- The encryption policy is negotiated between the security gateway 20 and the UE 22.
- The DNAI (Data Network Access Identifier) change in the MEC scenario is implemented mainly by the following three processes.
- The flowchart of the process by which the AF influences service routing is shown in FIG. 3.
- In this process the AF device informs the SMF device, through the PCF device, of the DNAI that supports the MEC service, the corresponding location area, and the service flow.
- Step 301 the AF device generates an AF request, which includes an AF service identifier and an AF notification receiving method (if AF notifications are to be received).
- The AF request may also include the AF device identifier, the corresponding DNAI list, the application identifier of the corresponding service, and traffic filtering information.
- The traffic filtering information is used to identify the application's service flow.
- The AF request may also include N6 routing information, which the SMF device uses to establish the port information of the N6 connection with the UPF device.
- Step 302 the AF device sends the generated AF request to a Network Exposure Function (NEF) device.
- Step 303a the NEF device stores the information in the AF request in a Unified Data Repository (UDR) device.
- Step 303b the NEF device notifies the AF device of the storage/update/deletion of the information.
- Step 304 if the PCF device has subscribed to the notification of the AF request, the UDR device will notify the PCF device of the modification of the corresponding AF request.
- Step 305 the PCF device decides to modify the current PDU session according to the information in the AF request, generates a Policy and Charging Control rule (PCC rule) according to the AF request, and interacts with the SMF device.
- The PCC rule may also carry the subscription to AF notification events.
- Step 306 the SMF device receives the PCC rule sent by the PCF device, and adjusts the current PDU session according to the PCC rule.
- the flowchart of the ULCL insertion process is shown in FIG. 4 .
- The SMF device executes the rules delivered in the preceding process and inserts the ULCL when it detects the corresponding service flow or a change of the UE's area.
- the SMF needs to adjust the forwarding rules of PSA1, PSA2, and ULCL respectively to ensure that the corresponding uplink and downlink data packets are transmitted from the correct user plane network element.
- the ULCL insertion process includes but is not limited to the following steps:
- Step 401 the UE establishes a PDU session with PSA1.
- The SMF device stores locally the uplink port information of PSA1 for this session (the tunnel endpoint to which the RAN device sends uplink data) and the downlink port information of the RAN device (the tunnel endpoint to which PSA1 sends downlink data).
- Step 402 the SMF device selects and configures the PSA2, including configuring the N6 port of the PSA2, and acquiring the uplink port of the PSA2.
- Step 403 the SMF device selects and configures the ULCL/Branching Point (BP).
- The BP is the IPv6 counterpart of the ULCL, used with IPv6 multi-homing, and can also be written BP (IPv6).
- Selecting and configuring the ULCL/BP includes: configuring the uplink tunnels from the ULCL to PSA1 and PSA2 according to the uplink port information of PSA1 and PSA2, and configuring the downlink tunnel from the ULCL to the RAN according to the downlink port information of the RAN; obtaining the downlink port information that the ULCL allocates for PSA1 and PSA2 and the uplink port information it allocates for the RAN; and configuring the forwarding rules associated with each of these ports.
- Step 404 the SMF device updates the downlink data forwarding rule of PSA1.
- the downlink tunnel from PSA1 to ULCL is configured according to the downlink port information of ULCL for PSA1.
- Step 405 the SMF device updates the forwarding rule of PSA2.
- the downlink tunnel of PSA2 is configured according to the downlink port information of ULCL for PSA2.
- Step 406 the SMF device updates the forwarding rules of the RAN uplink data.
- an uplink tunnel from the RAN to the ULCL is established according to the uplink port information used by the ULCL for the RAN.
- Step 407 the SMF device notifies the UE of the new IP prefix of PSA2 (an IPv6 prefix, also written IP-prefix (IPv6)).
- Step 408 the SMF device updates the IP prefix of PSA1 (likewise an IPv6 prefix).
- Steps 407 and 408 belong to the IPv6 multi-homing address mechanism: once the BP is inserted the routing path has changed, so the UE is informed of the PSA2 prefix and the PSA1 prefix is updated accordingly.
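The forwarding state that steps 401 to 406 leave behind, as an added example that is not code from the patent: a small model of the RAN, ULCL, PSA1 and PSA2 forwarding tables, built in the order the steps give, with a trace function that follows an uplink or downlink packet through the tunnels. The tunnel endpoints (IP, TEID) are constructed sample values, and the PFCP messages that would carry these rules to the UPFs are abstracted to plain assignments.

```python
"""Forwarding state the SMF installs when it inserts a ULCL and a local
PSA2 into an existing PDU session (steps 401-406 above).  Added example,
not code from the patent: tunnel endpoints are constructed sample values,
and the N3/N9 GTP-U tunnels and the PFCP messages that carry the rules
are abstracted to (IP, TEID) pairs and plain attribute assignments.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Tunnel:
    ip: str
    teid: int


@dataclass
class Node:
    name: str
    uplink_default: Optional[Tunnel] = None     # where unclassified uplink traffic goes
    uplink_filters: list = field(default_factory=list)  # (dst prefix, tunnel): ULCL traffic filters
    downlink_next: Optional[Tunnel] = None      # None at the RAN: deliver to the UE
    is_psa: bool = False                        # has an N6 interface to the DN

    def uplink_next(self, dst: str) -> Tunnel:
        for prefix, tunnel in self.uplink_filters:   # first matching filter wins
            if ip_address(dst) in ip_network(prefix):
                return tunnel
        return self.uplink_default


class Net:
    """Nodes plus a map of which node terminates each tunnel endpoint."""
    def __init__(self):
        self.nodes, self.owner, self.ports = {}, {}, {}

    def alloc(self, node: str, ip: str, teid: int) -> Tunnel:
        tunnel = Tunnel(ip, teid)
        self.owner[tunnel] = node
        return tunnel


def build_session() -> Net:
    """Step 401: PDU session between the RAN and PSA1, before any ULCL."""
    net = Net()
    net.nodes["RAN"], net.nodes["PSA1"] = Node("RAN"), Node("PSA1", is_psa=True)
    net.ports["psa1_ul"] = net.alloc("PSA1", "192.0.2.10", 0x1001)   # RAN sends uplink here
    net.ports["ran_dl"] = net.alloc("RAN", "192.0.2.1", 0x2001)      # PSA1 sends downlink here
    net.nodes["RAN"].uplink_default = net.ports["psa1_ul"]
    net.nodes["PSA1"].downlink_next = net.ports["ran_dl"]
    return net


def insert_ulcl(net: Net, mec_prefix: str) -> Net:
    """Steps 402-406 in the order given; the RAN is switched last so that no
    uplink packet reaches a ULCL whose tunnels are not yet configured."""
    ran, psa1 = net.nodes["RAN"], net.nodes["PSA1"]
    # 402: select PSA2, configure its N6 side, obtain its uplink port
    psa2 = net.nodes["PSA2"] = Node("PSA2", is_psa=True)
    psa2_ul = net.alloc("PSA2", "192.0.2.20", 0x1002)
    # 403: configure the ULCL: uplink tunnels to PSA1/PSA2 (selected by traffic
    # filter), downlink tunnel to the RAN, and its own receive ports
    ulcl = net.nodes["ULCL"] = Node("ULCL")
    ulcl.uplink_default = net.ports["psa1_ul"]
    ulcl.uplink_filters = [(mec_prefix, psa2_ul)]
    ulcl.downlink_next = net.ports["ran_dl"]
    ulcl_dl_psa1 = net.alloc("ULCL", "192.0.2.5", 0x3001)
    ulcl_dl_psa2 = net.alloc("ULCL", "192.0.2.5", 0x3002)
    ulcl_ul_ran = net.alloc("ULCL", "192.0.2.5", 0x3003)
    # 404 / 405: both PSAs now send downlink traffic to the ULCL
    psa1.downlink_next = ulcl_dl_psa1
    psa2.downlink_next = ulcl_dl_psa2
    # 406: finally re-point the RAN uplink tunnel at the ULCL
    ran.uplink_default = ulcl_ul_ran
    return net


def trace_uplink(net: Net, dst: str) -> list:
    """Follow an uplink packet from the RAN until a PSA puts it on N6."""
    node, path = net.nodes["RAN"], ["RAN"]
    while not node.is_psa:
        node = net.nodes[net.owner[node.uplink_next(dst)]]
        path.append(node.name)
    return path


def trace_downlink(net: Net, from_psa: str) -> list:
    """Follow a downlink packet from a PSA until the RAN delivers it to the UE."""
    node, path = net.nodes[from_psa], [from_psa]
    while node.downlink_next is not None:
        node = net.nodes[net.owner[node.downlink_next]]
        path.append(node.name)
    return path
```

After `insert_ulcl(net, "203.0.113.0/24")`, uplink traffic to the constructed MEC prefix follows RAN, ULCL, PSA2 while everything else still reaches PSA1, and downlink from either PSA is routed through the ULCL to the RAN downlink port allocated in step 401. The ordering matters: steps 404 to 406 only repoint existing tunnels, so they must come after the ULCL's own ports exist.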
- The AF notification is one of an early notification and a late notification.
- The AF device notification process includes, but is not limited to, the following steps:
- Step 501 the SMF device is triggered by the condition of the AF notification that the AF device subscribed to.
- If the AF device subscribed to the early notification through the NEF device, step 502a is performed; if it subscribed to the late notification through the NEF device, step 504a is performed.
- Step 502a if the AF device subscribed to the early notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.
- Step 502b the NEF device sends a service impact notification to the AF device.
- In this case step 502c is not executed; step 502c applies instead when the SMF device notifies the AF device directly rather than via the NEF device.
- Step 502c the SMF device notifies the AF device of the target DNAI of the current PDU session.
- That is, the SMF device notifies the AF device directly, without going through the NEF device.
- Step 502d the AF device sends reply information to the NEF device.
- The AF device replies to the NEF device either immediately or after it has redeployed the application at the target DNAI.
- The reply carries the N6 routing information corresponding to the target DNAI.
- Step 502e the NEF device notifies the SMF device of the application redeployment information.
- After receiving the reply from the AF device, the NEF device sends a matching notification to the SMF device carrying the application redeployment information, which includes the N6 routing information of the target DNAI to which the application was redeployed.
- Step 502f the AF device sends reply information to the SMF device.
- The AF device replies to the SMF device directly, either immediately or after it has redeployed the application at the target DNAI.
- The reply carries detailed N6 routing information towards the target DNAI.
- Step 503 the SMF device performs the DNAI change, i.e. adds, modifies or removes the UPF device.
- Before step 503 the SMF device may wait for the reply from the AF device, and proceed to step 503 only after receiving it.
- Step 504a if the AF device subscribed to the late notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.
- Before this step the SMF device may already be waiting for the reply from the AF device; it activates the new user plane transmission path only after receiving that reply.
- Step 504b the NEF device sends a service impact notification to the AF device.
- In this case step 504c is not executed; step 504c applies instead when the SMF device notifies the AF device directly rather than via the NEF device.
- Step 504c the SMF device notifies the AF device of the target DNAI of the current PDU session.
- That is, the SMF device notifies the AF device directly, without going through the NEF device.
- Step 504d after the AF device receives the notification from the NEF device or the SMF device, it checks whether it can serve the target DNAI.
- If it cannot serve the target DNAI itself, the AF device selects a target AF device for the target DNAI and performs AF device migration.
- Step 504e the AF device sends reply information to the NEF device.
- The AF device replies to the NEF device either immediately or after it has redeployed the application at the target DNAI.
- The reply carries the N6 routing information corresponding to the target DNAI. If the AF device has changed, the reply also carries an AF device switching indication, which includes the target AF device identifier and the address at which the target AF device is to be notified.
- Step 504f the NEF device notifies the SMF device of the application redeployment information.
- After receiving the reply from the AF device, the NEF device sends a matching notification to the SMF device carrying the application redeployment information, which includes the N6 routing information of the target DNAI to which the application was redeployed.
- Step 504g the AF device sends reply information to the SMF device.
- The AF device replies to the SMF device directly, either immediately or after it has redeployed the application at the target DNAI.
- The reply carries detailed N6 routing information towards the target DNAI. If the AF device has changed, the reply also carries an AF device switching indication, which includes the target AF device identifier and the address at which the target AF device is to be notified.
- The connection and path adjustment of the MEC server are realized mainly by the AF-influence-on-traffic-routing procedures described above.
- The SMF device triggers the insertion of a new PSA/ULCL because of UE movement or detection of the corresponding data flow.
- The SMF device notifies the AF device of the DNAI change, obtains from the AF device's reply the N6 configuration options and the routing rules required by the new PSA/ULCL, and then configures the new PSA/ULCL.
- The embodiment of the present application provides a data configuration method.
- An information exchange procedure between the local security gateway and the network device is designed, and the relevant configuration is carried out within the ULCL insertion process, so that after the local security gateway is introduced the subsequent ULCL insertion process can still complete normally, which ensures the reliability of data transmission.
- FIG. 6 shows a schematic structural diagram of a data configuration system 60 provided by an exemplary embodiment of the present application.
- the data configuration system 60 includes a local security gateway 62 , a MEC server 64 and a PSA 66 .
- the local security gateway 62 is a security gateway established between the interface of the UPF device and the DN.
- The MEC server 64 includes an edge application server (EAS).
- PSA 66 is a UPF device.
- PSA 66 includes a first PSA and a second PSA: the first PSA is the updated PSA, i.e. the "new PSA", and the second PSA is the PSA before the update, i.e. the "old PSA".
- The local security gateway 62 is configured to receive first information, which is used to obtain the address information of the local security gateway 62, and to send that address information; the address information of the local security gateway 62 is the routing destination address information configured for the first PSA and used for transmitting data from the UE, where the first PSA is the PSA after the UE has undergone a DNAI change.
- FIG. 7 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application; the method is used in the data configuration system shown in FIG. 6.
- the method includes the following steps.
- Step 701 The network device sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway.
- The network device may be a centralized security gateway or a core network element, such as an SMF device.
- The network device sends the first information to the local security gateway, and the first information instructs the local security gateway to feed back its address information.
- Step 702 after receiving the first information, the local security gateway sends its address information.
- The address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE.
- The local security gateway receives the first information from the network device and, after receiving it, sends its address information to the network device.
- The address information is configured for the first PSA, i.e. the PSA after the UE has undergone the DNAI change: it is the routing destination address, on the local security gateway, for the data from the UE.
- After receiving the first information, the local security gateway sends the network device first response information corresponding to the first information, and the first response information includes the address information of the local security gateway.
- The address information of the local security gateway identifies the local security gateway.
- the first information includes routing path information of the MEC server, where the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the local security gateway establishes a connection between the local security gateway and the MEC server according to the first information.
- the local security gateway feeds back first response information corresponding to the first information. That is, the local security gateway sends the first response information to the network device, and the first response information is also called feedback completion information.
- the first response information is used to indicate the connection establishment situation between the local security gateway and the MEC server.
- the first response information includes address information of the local security gateway.
- the first response information further includes uplink tunnel information of the local security gateway.
- the uplink tunnel information of the local security gateway is information of the uplink tunnel used by the local security gateway to receive uplink data.
- Step 703 the network device receives the address information of the local security gateway.
- the network device receives the address information of the local security gateway sent by the local security gateway.
- the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.
- the embodiment of the present application provides a data configuration method.
- After the network device has sent the local security gateway the first information for obtaining its address information, it receives the address information of the local security gateway.
- That address information is configured for the first PSA, i.e. the PSA after the UE's DNAI change, and provides the routing destination address for transmitting data from the UE. In other words, an information exchange procedure between the local security gateway and the network device is designed for the DNAI change; it performs the relevant configuration within the ULCL insertion process, so that after the local security gateway is introduced the subsequent ULCL insertion process can still complete normally and the reliability of data transmission is ensured.
- The application scenarios involved in the embodiments of the present application include two: a centralized security gateway scenario and a distributed security gateway scenario.
- In both, interaction with the local security gateway is added to the ULCL insertion process, so that the ULCL insertion process can exchange information with the local security gateway.
- the two application scenarios are described below.
- FIG. 8 shows a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of the present application.
- the centralized security gateway scenario includes IKE gateway 801 , IPSec gateway 802 , UE 803 , gNB 804 , UPF device 805 , application server 806 , AMF device 807 , SMF device 808 , NEF device 809 , AF device 810 , and PCF device 811 .
- The IKE gateway 801 is the centralized security gateway, i.e. a gateway deployed centrally.
- The IPSec gateway 802 is a distributed security gateway, i.e. a local security gateway: a gateway deployed in a distributed manner for user plane data transmission. It supports the transport mode of IPSec encapsulation.
- the IKE gateway 801 is configured to establish a connection with the SMF device 808 by subscribing to the PCF device 811 .
- the IKE gateway 801 is further configured to directly communicate with the SMF device 808 in the form of notification and response after the connection is established with the SMF device 808 .
- the IKE gateway 801 is also used to select, configure and manage the IPSec gateway 802 .
- The IKE gateway 801 also controls the distribution of keys and certificates to the IPSec gateway 802 and the establishment of its SAs. That is, the sub-SA of the IPSec gateway 802 is established by the IKE gateway 801, which configures the local security context and the N6 forwarding rules.
- When establishing a sub-SA, the IKE gateway 801 is configured to set the IP addresses of other network elements; the target IP address can additionally be carried during sub-SA establishment.
- The IKE gateway 801 is also used to configure user plane SAs for other IP addresses.
- The IPSec gateway 802 establishes the user plane SA with the UE 803 and encrypts and integrity-protects the data.
- a user plane forwarding channel exists between the UPF device 805 and the IKE gateway 801 , and the UPF device 805 is configured to forward the user plane IPSec signaling of the UE 803 to the IKE gateway 801 through the user plane forwarding channel.
- the IPSec gateway 802 and the UPF device 805 are connected through the N6 tunnel, the downlink data packets are encrypted by the IPSec gateway 802 and then sent to the UE 803 , and the uplink data packets are decrypted by the IPSec gateway 802 and then sent to the application server 806 .
- The application server 806 is a MEC server, i.e. an EAS.
- FIG. 9 shows a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of the present application.
- the distributed security gateway scenario includes IPSec gateway 901 , UE 902 , gNB 903 , UPF device 904 , application server 905 , AMF device 906 , SMF device 907 , NEF device 908 , and AF device 909 .
- the IPSec gateway 901 is a distributed security gateway, that is, a local security gateway, and the local security gateway is a gateway deployed in a distributed manner for user plane data transmission.
- Each UPF device (or group of UPF devices) has its own independent IPSec gateway 901.
- The SMF device can obtain the address of the IPSec gateway 901 and configure it. That is, each UPF device 904 (or group of them) is deployed together with a specific IPSec gateway 901 and is associated with it, and each IPSec gateway 901 has complete IKE and user plane functions. Whenever the UE 902 changes UPF device 904 or establishes a connection with a new UPF device 904, it must establish a new SA (both the IKE SA and the user plane SA) with the corresponding IPSec gateway 901.
- The IPSec gateway 901 is controlled and configured by the SMF device 907 and supports both tunnel mode and transport mode of IPSec encapsulation.
- the IPSec gateway 901 and the UPF device 904 are connected through the N6 tunnel, the downlink data packets are encrypted by the IPSec gateway 901 and sent to the UE 902, and the uplink data packets are decrypted by the IPSec gateway 901 and then sent to the application server 905.
- The UPF device 904 is a PSA.
- The application server 905 is a MEC server, i.e. an EAS.
- FIG. 10 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the centralized security gateway scenario shown in FIG. 8 .
- the method includes the following steps.
- Step 1001 The centralized security gateway sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway.
- the centralized security gateway establishes a communication connection with the local security gateway, and the centralized security gateway sends the first information to the local security gateway.
- the first information includes routing path information of the MEC server, where the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the centralized security gateway is an IKE gateway
- the local security gateway is an IPSec gateway.
- Step 1002 after receiving the first information from the centralized security gateway, the local security gateway feeds back its address information; the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE.
- The first PSA is the PSA after the UE has undergone the DNAI change.
- After receiving the first information from the centralized security gateway, the local security gateway obtains its address information and feeds it back to the centralized security gateway.
- the first information includes routing path information of the MEC server.
- After receiving the first information from the centralized security gateway, the local security gateway establishes a connection with the MEC server. Once that connection is established, the local security gateway feeds back to the centralized security gateway the first response information corresponding to the first information.
- The first response information includes the uplink tunnel information of the local security gateway.
- The connection between the local security gateway and the MEC server may be established before the centralized security gateway sends the first information, or it may be configured on the basis of the first information sent by the centralized security gateway.
- This embodiment of the present application does not limit this.
- The description here only takes the case in which the first information includes the routing path information of the MEC server as an example.
- Step 1003 the centralized security gateway receives the address information of the local security gateway.
- the centralized security gateway receives the address information of the local security gateway sent by the local security gateway.
- the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.
- the embodiments of the present application provide a data configuration method.
- After the centralized security gateway has sent the local security gateway the first information for obtaining its address information, it receives the address information of the local security gateway.
- That address information is configured for the first PSA, i.e. the PSA after the UE's DNAI change, and provides the routing destination address for transmitting data from the UE. In other words, an information exchange procedure between the local security gateway and the centralized security gateway is designed for the DNAI change; it performs the relevant configuration within the ULCL insertion process, so that after the local security gateway is introduced the subsequent ULCL insertion process can still complete normally and the reliability of data transmission is ensured.
- FIG. 11 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the centralized security gateway scenario shown in FIG. 8 .
- the method includes the following steps.
- Step 1100 the centralized security gateway establishes an IKE SA with the UE using the IKEv2 protocol.
- The centralized security gateway also establishes a communication connection with the local security gateway.
- the centralized security gateway is an IKE gateway
- the local security gateway is an IPSec gateway.
- Step 1101 the AF device subscribes to the DNAI change notification event at the SMF device via the PCF device, with the centralized security gateway acting as proxy.
- The AF device sends its AF request to the centralized security gateway; the IKE gateway collects the AF requests, maps each AF request to the corresponding SA according to a preset mapping relationship, and provides the mapped SA to the SMF device.
- Step 1102 the SMF device triggers a DNAI change notification event, and selects the updated first PSA.
- the SMF device triggers the DNAI change notification event, and selects the local UPF device in the corresponding area as the updated first PSA.
- Step 1103 the SMF device sends the first DNAI change notification to the centralized security gateway.
- the SMF device sends a first DNAI change notification to the centralized security gateway, where the first DNAI change notification is used to indicate a DNAI change notification event.
- the first DNAI change notification includes the changed DNAI and the SA of the path to be changed.
- Step 1104 the centralized security gateway selects the local security gateway.
- the centralized security gateway selects the local security gateway when receiving the first DNAI change notification.
- the centralized security gateway receives the DNAI change notification sent by the SMF device, and the DNAI change notification includes the changed DNAI and the corresponding SA.
- From the changed DNAI and the SA of the path to be changed, the centralized security gateway looks up the application whose path is to be changed.
- That is, the centralized security gateway maps the supplied DNAI and SA to an application identifier, the identifier of the application whose path is to be changed, and selects the local security gateway according to the DNAI and that application identifier.
- Step 1105 the centralized security gateway sends an AF notification to the corresponding AF device according to the queried application.
- the centralized security gateway sends an AF notification to the corresponding AF device according to the queried application, and the AF notification is used to indicate DNAI changes.
- the centralized security gateway determines the corresponding AF transaction identifier according to the queried application identifier, and feeds back the AF notification to the AF device corresponding to the AF transaction identifier.
- Step 1106 the AF device feeds back the routing path information of the MEC server to the centralized security gateway.
- After receiving the AF notification, the AF device selects the corresponding MEC server for adjustment and feeds back the routing path information of that MEC server to the centralized security gateway.
- the adjustment includes service activation, user information transfer, and the like.
- Step 1107 the centralized security gateway sends the first information to the local security gateway.
- the first information is used to obtain address information of the local security gateway.
- The centralized security gateway receives the routing path information of the MEC server fed back by the AF device. It then sends the first information to the local security gateway; the first information includes the routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server.
- Step 1108 the local security gateway feeds back first response information corresponding to the first information to the centralized security gateway.
- the first response information includes address information of the local security gateway.
- the local security gateway feeds back the first response information corresponding to the first information to the centralized security gateway.
- After receiving the first information sent by the centralized security gateway, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, that is, after the configuration of the local security gateway is completed, the local security gateway feeds back first response information corresponding to the first information to the centralized security gateway.
- the first response information further includes uplink tunnel information of the local security gateway.
- Step 1109 the centralized security gateway feeds back fourth response information corresponding to the first DNAI change notification to the SMF device.
- After receiving the first response information, the centralized security gateway feeds back the fourth response information corresponding to the first DNAI change notification to the SMF device.
- After receiving the first response information corresponding to the first information fed back by the local security gateway, the centralized security gateway feeds back fourth response information corresponding to the first DNAI change notification to the SMF device, where the fourth response message includes uplink tunnel information of the local security gateway.
- the first response information and the fourth response message are both used to indicate that the connection establishment between the local security gateway and the MEC server is completed.
- Step 1110 the SMF device establishes an N4 session with the selected first PSA.
- the SMF device initiates the N4 session establishment process to the selected first PSA, configures the N4 context, and sends the N4 first information to the first PSA.
- the N4 first information includes the uplink tunnel information of the local security gateway, which is used to establish an uplink tunnel from the first PSA to the local security gateway. After receiving the N4 first information, the first PSA sends the downlink tunnel information of the first PSA to the SMF device.
- Step 1111 the SMF device sends a second DNAI change notification to the centralized security gateway, where the second DNAI change notification includes downlink tunnel information of the first PSA.
- the SMF device sends the downlink tunnel information of the first PSA to the centralized security gateway through the second DNAI change notification.
- Step 1112 the centralized security gateway sends update information to the local security gateway.
- the centralized security gateway sends update information to the local security gateway, the update information is used to instruct the PSA to be updated from the second PSA to the first PSA.
- the update information includes the updated downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.
- the downlink tunnel information of the first PSA is information of the downlink tunnel used by the first PSA to receive downlink data.
- Step 1113 the local security gateway feeds back the second response information corresponding to the update information to the centralized security gateway.
- After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the local security gateway feeds back second response information corresponding to the update information.
- the second response information is used to indicate the establishment of the downlink tunnel between the local security gateway and the first PSA.
- After receiving the update information sent by the centralized security gateway, the local security gateway establishes a downlink tunnel between the local security gateway and the first PSA. After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.
- Step 1114 the centralized security gateway feeds back fifth response information corresponding to the second DNAI change notification to the SMF device.
- the centralized security gateway receives the second response information corresponding to the update information fed back by the local security gateway, and feeds back the fifth response information corresponding to the second DNAI change notification to the SMF device, where the second response information and the fifth response information are both used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
- the centralized security gateway feeds back the fifth response information to the SMF device, notifying the SMF device that the connection between the first PSA, the local security gateway and the MEC server has been established.
- Step 1115 the SMF device selects and configures the ULCL.
- the SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.
- Step 1116 the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification process.
- Step 1117 the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification process.
- Step 1118 the SMF device sends a third DNAI change notification to the centralized security gateway, where the third DNAI change notification is used to indicate that the ULCL insertion is completed.
- Step 1119 the centralized security gateway sends a first sub-SA establishment request to the local security gateway.
- the centralized security gateway sends the first sub-SA establishment request to the local security gateway.
- the first sub-SA establishment request includes a first data feature of the data to be encrypted and transmitted and a corresponding first SA, and the first SA includes an encryption algorithm and a security parameter index (security parameter index, SPI).
- the first data feature is TS1
- the first SA is SA1.
- Step 1120 the local security gateway feeds back the first sub-SA establishment response to the centralized security gateway.
- After receiving the first sub-SA establishment request sent by the centralized security gateway, the local security gateway feeds back a first sub-SA establishment response to the centralized security gateway.
- the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway. This random number is used to generate the key.
- the second data feature is TS1*
- the second SA is SA1*
- the key generation material of the local security gateway is Ke1
- the random number of the local security gateway is N1.
- Step 1121 the centralized security gateway sends a second sub-SA establishment request to the UE.
- the centralized security gateway initiates a procedure for establishing a sub-SA to the UE, so that the UE and the local security gateway establish a sub-SA for user plane data transmission through the transmission mode.
- the centralized security gateway sends a second sub-SA establishment request to the UE.
- the second sub-SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway.
- Step 1122 the UE feeds back the second sub-SA establishment response to the centralized security gateway.
- the UE feeds back the second sub-SA establishment response to the centralized security gateway.
- the second sub-SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.
- the confirmed third data feature and the corresponding third SA are the TS2 and the corresponding SA2 confirmed by the UE.
- the key generation material of the UE and the random number of the UE are Ke2 and N2 on the UE side.
- the first data feature, the second data feature, and the third data feature are all bidirectional data flow feature information, that is, they include filtering rules not only for outgoing data packets but also for incoming data packets.
- the packet filtering rules may change along the way because the local security gateway and the UE each need to confirm them.
- Step 1123 the centralized security gateway sends the context information of the sub-SA to the local security gateway.
- the centralized security gateway sends the context information of the sub-SA to the local security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the UE and the local security gateway.
- the context information of the sub-SA includes SPI, bidirectional data flow characteristic information, encryption algorithm, encryption key or encryption material, and random number used to generate the encryption key.
- the context information of the sub-SA further includes a security certificate and authentication information for verifying the user's identity.
- Step 1124 the local security gateway feeds back the third response information corresponding to the context information of the sub-SA to the centralized security gateway.
- the local security gateway receives the context information of the sub-SA sent by the centralized security gateway; after the establishment of the sub-SA is completed, it feeds back the third response information corresponding to the context information of the sub-SA to the centralized security gateway.
- the centralized security gateway receives third response information corresponding to the context information of the sub-SA fed back by the local security gateway, and the third response message is used to indicate that the establishment of the sub-SA is completed.
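The proxied sub-SA negotiation of steps 1119 to 1124, as an added Python simulation that is not part of the patent: the centralized security gateway hands the proposal (TS1, SA1) to the local security gateway, relays what it accepted (TS1*, SA1*, Ke1, N1) to the UE, checks that the UE's confirmation (TS2, SA2, Ke2, N2) only narrows the accepted proposal and keeps the SPI, and then delivers the assembled context to the local security gateway, after which both endpoints derive the same key. The message fields, the narrowing rule and the HMAC-based key derivation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TrafficSelector:
    """Bidirectional data flow feature: one rule filters outgoing and incoming packets."""
    proto: str
    ue_net: str   # UE-side address range
    mec_net: str  # MEC-side address range
    port_lo: int
    port_hi: int

    def covers(self, other):
        """True if `other` only narrows this selector (a confirmation may never widen)."""
        a, b = ipaddress.ip_network(self.mec_net), ipaddress.ip_network(other.mec_net)
        return (self.proto == other.proto and self.ue_net == other.ue_net
                and b.subnet_of(a)
                and self.port_lo <= other.port_lo <= other.port_hi <= self.port_hi)


@dataclass(frozen=True)
class SA:
    spi: int      # security parameter index
    enc_alg: str  # encryption algorithm


@dataclass(frozen=True)
class SubSAContext:
    """Context sent to the local security gateway in step 1123 (assumed field set)."""
    spi: int
    ts: TrafficSelector
    enc_alg: str
    ke_ue: bytes   # Ke2
    ke_lsg: bytes  # Ke1
    n_ue: bytes    # N2
    n_lsg: bytes   # N1


def derive_key(ctx):
    """Assumed KDF: HMAC-SHA256 binding both key materials, both nonces, SPI and algorithm."""
    info = ctx.n_ue + ctx.n_lsg + ctx.spi.to_bytes(4, "big") + ctx.enc_alg.encode()
    return hmac.new(ctx.ke_ue + ctx.ke_lsg, info, hashlib.sha256).digest()


class LocalSecurityGateway:
    def __init__(self, served_mec_net):
        self.served_mec_net = served_mec_net
        self.ke, self.nonce, self.ctx = os.urandom(32), os.urandom(16), None  # Ke1, N1

    def on_sub_sa_request(self, ts1, sa1):
        """Step 1120: accept, narrowed to the MEC prefix this gateway actually serves."""
        ts1_star = replace(ts1, mec_net=self.served_mec_net)
        if not ts1.covers(ts1_star):
            raise ValueError("local gateway cannot narrow outside the proposal")
        return ts1_star, sa1, self.ke, self.nonce

    def on_context(self, ctx):
        """Step 1124: install the sub-SA; True stands for the third response (done)."""
        self.ctx = ctx
        return True


class UE:
    def __init__(self, app_ports):
        self.app_ports = app_ports
        self.ke, self.nonce, self.ctx = os.urandom(32), os.urandom(16), None  # Ke2, N2

    def on_sub_sa_request(self, ts, sa, ke_lsg, n_lsg):
        """Step 1122: confirm, narrowing the port range to the application's ports."""
        lo, hi = self.app_ports
        ts2 = replace(ts, port_lo=max(lo, ts.port_lo), port_hi=min(hi, ts.port_hi))
        self.ctx = SubSAContext(sa.spi, ts2, sa.enc_alg, self.ke, ke_lsg, self.nonce, n_lsg)
        return ts2, sa, self.ke, self.nonce


class CentralizedSecurityGateway:
    def establish_sub_sa(self, lsg, ue, ts1, sa1):
        ts1_star, sa1_star, ke1, n1 = lsg.on_sub_sa_request(ts1, sa1)          # 1119/1120
        ts2, sa2, ke2, n2 = ue.on_sub_sa_request(ts1_star, sa1_star, ke1, n1)  # 1121/1122
        # The UE may only narrow what the local gateway accepted and must keep the SPI.
        if not ts1_star.covers(ts2) or sa2.spi != sa1_star.spi:
            raise ValueError("UE confirmation is not a subset of the accepted proposal")
        ctx = SubSAContext(sa2.spi, ts2, sa2.enc_alg, ke2, ke1, n2, n1)
        if not lsg.on_context(ctx):                                             # 1123/1124
            raise RuntimeError("sub-SA establishment failed")
        return ctx


def demo():
    """One negotiation over constructed sample values; returns context and both endpoint keys."""
    lsg = LocalSecurityGateway("10.20.7.0/24")
    ue = UE((8000, 8080))
    ts1 = TrafficSelector("tcp", "10.0.0.5/32", "10.20.0.0/16", 0, 65535)  # TS1
    sa1 = SA(spi=0x1A2B3C4D, enc_alg="AES-GCM-256")                         # SA1
    ctx = CentralizedSecurityGateway().establish_sub_sa(lsg, ue, ts1, sa1)
    return ctx, derive_key(ue.ctx), derive_key(lsg.ctx)
```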
- Step 1125 the centralized security gateway sends the third notification information to the SMF device, and the third notification information includes the packet detection rule (Packet Detection Rule, PDR) and the forwarding action rule (Forwarding action rule, FAR) corresponding to the data flow feature information.
- the third notification information includes data packet detection rules and forwarding action rules corresponding to data flow feature information.
- the data flow characteristic information is the data flow characteristic information of the local security gateway. That is, the data packet detection rules and the forwarding action rules are the data packet detection rules and the forwarding action rules of the local security gateway.
- the local security gateway sends the data packet detection rules and forwarding action rules corresponding to the data flow feature information to the centralized security gateway, and after receiving them, the centralized security gateway sends notification information that includes the data packet detection rules and forwarding action rules to the SMF device.
- Step 1126 the SMF device updates the first information of the ULCL according to the third notification information.
- After receiving the third notification information sent by the centralized security gateway, the SMF device updates the first information of the ULCL according to the packet detection rules and forwarding action rules in the third notification information, so that the data packets protected by the sub-SA of the local security gateway are forwarded through the local security gateway.
- the centralized security gateway is the IKE gateway
- the local security gateway is the IPSec gateway 2.
- the data configuration method applied in the centralized security gateway scenario includes but is not limited to the following steps:
- Step 120 the IKE gateway establishes an IKE SA with the UE through the IKEv2 protocol
- Step 121 the AMF/SMF/PCF device executes the above-mentioned ULCL/BP insertion process
- Step 122 the above-mentioned DNAI change process is performed between the IKE gateway and the AMF/SMF/PCF device;
- Step 123a the IKE gateway distributes the key to the IPSec gateway 2;
- Step 123b the IKE gateway initiates the establishment process of the sub-SA to the UE, so that the UE and the IPSec gateway 2 establish the sub-SA for user plane data transmission through the transmission mode;
- Step 124 the IKE gateway notifies the application server of the DNAI change or routing rules.
- an embodiment of the present application provides a data configuration method, which is applied in a centralized security gateway scenario.
- the centralized security gateway, as a proxy network element, takes over the functions of interacting with the AF device and configuring the connection to the MEC server.
- the centralized IKE gateway also takes part in the DNAI change and ULCL insertion process, and cooperates with the SMF device to build a path from the ULCL to the first PSA to the local security gateway to the MEC server.
- the centralized security gateway acts as a proxy for the local security gateway and the UE to establish a sub-SA for user plane data transmission, and sends the corresponding security context and other information to the local security gateway, so that in the centralized security gateway scenario, when the SMF device triggers the DNAI change, the insertion of the ULCL is completed and the transmission mode SA path between the UE and the local security gateway is established.
- the security gateway is divided into a centralized security gateway and a local security gateway, and the message transmission between the two gateways is designed to enhance the function of the centralized security gateway, and realize the ULCL insertion process of the security gateway in the MEC scenario.
- from the UE's perspective, the relevant configuration is almost unchanged.
- the centralized security gateway needs to report the data packet detection rules and forwarding action rules on the sub-SA of the local security gateway to the SMF device, and reconfigure the ULCL to ensure that the corresponding data packets are forwarded normally through the local security gateway.
- FIG. 13 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the distributed security gateway scenario shown in FIG. 9 .
- the method includes the following steps.
- Step 1301 the SMF device sends first information to the local security gateway, where the first information is used to acquire address information of the local security gateway.
- a communication connection is established between the SMF device and the local security gateway, and the SMF device sends the first information to the local security gateway.
- the first information includes routing path information of the MEC server, where the routing path information is used to configure the connection between the local security gateway and the MEC server.
- Step 1302 after receiving the first information sent by the SMF device, the local security gateway feeds back address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE.
- the first PSA is the PSA after the UE undergoes DNAI changes.
- After receiving the first information sent by the SMF device, the local security gateway acquires address information of the local security gateway, and feeds back the address information of the local security gateway to the SMF device.
- the first information includes routing path information of the MEC server.
- After receiving the first information sent by the SMF device, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the SMF device.
- the first response information includes uplink tunnel information of the local security gateway.
- the connection between the local security gateway and the MEC server can be established before the SMF device sends the first information to the local security gateway, or it can be configured through the first information sent by the SMF device to the local security gateway.
- This embodiment of the present application does not limit this.
- only the first information includes routing path information of the MEC server as an example for description.
- Step 1303 the SMF device receives the address information of the local security gateway.
- the SMF device receives the address information of the local security gateway sent by the local security gateway.
- the address information of the local security gateway is the routing destination address information configured for the first PSA and used for transmitting data from the UE, and the first PSA is the PSA after the DNAI changes of the UE.
- the embodiment of the present application provides a data configuration method.
- after the SMF device sends the first information for obtaining the address information of the local security gateway to the local security gateway, it receives the address information of the local security gateway.
- the address information of the gateway is configured for the first PSA, that is, the PSA after the DNAI change of the UE, and provides the routing destination address information for transmitting data from the UE; that is, an information exchange process between the local security gateway and the SMF device is designed for the DNAI change, which realizes the relevant configuration in the ULCL insertion process, so that the subsequent ULCL insertion can be completed normally after the introduction of the local security gateway and the reliability of data transmission is ensured.
- FIG. 14 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.
- the method is used in the distributed security gateway scenario shown in FIG. 9 , and the SMF device establishes a communication connection with the local security gateway.
- the method includes the following steps.
- Step 1400 the SMF device performs the discovery of the MEC server and the selection process of the first PSA and the ULCL.
- the SMF device triggers and executes the discovery of the MEC server and the selection process of the first PSA and ULCL.
- the SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.
- the SMF device selects the first PSA. Since the PSA is associated with the local security gateway in the distributed security gateway scenario, when the first PSA is selected, the local security gateway corresponding to the first PSA can also be determined.
- Step 1401 the SMF device sends an AF notification to the AF device.
- the SMF device sends an AF notification to the AF device, and the AF notification is used to indicate DNAI changes.
- the AF device feeds back the AF notification response after receiving the AF notification.
- the SMF device sends an AF notification to the AF device, and obtains the routing path information of the MEC server from the AF device.
- the MEC server is EAS.
- the routing path information of the MEC server includes port information used by the MEC server to establish an N6 connection.
- Step 1402 the SMF device sends the first information to the local security gateway.
- the first information is used to obtain address information of the local security gateway.
- the first information includes routing path information of the MEC server.
- the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the SMF device sends the routing path information of the MEC server to the local security gateway through the first information, so as to configure the connection between the local security gateway and the MEC server.
- Step 1403 the local security gateway feeds back the first response information corresponding to the first information to the SMF device.
- the first response information includes address information of the local security gateway.
- After receiving the first information sent by the SMF device, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the SMF device.
- the first response information includes uplink tunnel information of the local security gateway.
- Step 1404 the SMF device establishes an N4 session with the first PSA.
- the SMF device initiates an N4 session establishment process to the first PSA, that is, the SMF device sends the upstream tunnel information of the local security gateway to the first PSA, and obtains the downlink tunnel information for receiving downlink data from the local security gateway from the first PSA.
- Step 1405 the SMF device sends update information to the local security gateway, where the update information includes the updated downlink tunnel information of the first PSA.
- the downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.
- Step 1406 the local security gateway feeds back the second response information corresponding to the update information to the SMF device.
- After receiving the update information sent by the SMF device, the local security gateway establishes a downlink tunnel between the local security gateway and the first PSA. After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.
- Step 1407 the SMF device selects and configures the ULCL.
- the SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.
- Step 1408 the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification process.
- Step 1409 the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification process.
- the embodiments of the present application provide a data configuration method, which is applied to a distributed security gateway scenario, through the information exchange between the local security gateway and core network elements such as SMF devices and AF devices.
- the process implements establishing a path from the ULCL to the first PSA to the local security gateway to the MEC server during the ULCL insertion process.
- the SMF device can control the local security gateway, and configure the context related to its connection establishment, so that in the scenario of the distributed security gateway, the corresponding data path is configured while ULCL insertion is performed.
- FIG. 15 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- the method is used in the distributed security gateway scenario shown in FIG. 9 , where the SMF device and the local security gateway establish a communication connection.
- the method includes the following steps.
- Step 1500 the SMF device performs the process of MEC server discovery and ULCL/BP insertion.
- Step 1501 the SMF device sends an N1 message to the AMF device, where the N1 message includes the address of the local security gateway.
- the SMF device queries the address of the local security gateway after inserting the ULCL/BP, and encapsulates the address of the local security gateway in an N1 message and sends it to the AMF device.
- Step 1502 the AMF device sends a NAS message to the UE, where the NAS message includes the address of the local security gateway.
- After receiving the N1 message sent by the SMF device, the AMF device sends the enhanced NAS message to the UE.
- the NAS message includes the address of the local security gateway.
- the NAS message is used to instruct the UE to establish an IKE SA with the local security gateway.
- Step 1503 the UE establishes an IKE SA with the local security gateway.
- the UE receives an enhanced NAS message sent by the AMF device, where the enhanced NAS message includes the address of the local security gateway. After the UE receives the enhanced NAS message, the UE initiates the IKE SA establishment process with the local security gateway.
- Step 1504 the local security gateway sends first notification information to the SMF device, where the first notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed.
- the SMF device receives the first notification information sent by the local security gateway.
- Step 1505 the SMF device sends a user plane SA establishment request to the local security gateway.
- the SMF device sends a user plane SA establishment request to the local security gateway, and the user plane SA establishment request includes service detection rules.
- the service detection rule includes a data packet detection rule that needs to be encrypted and decrypted through the local security gateway
- the sending form of the service detection rule may be in the form of PDR, or may be in the form of data flow characteristic information. Both PDR and data flow feature information here are bidirectional.
- Step 1506 the local security gateway generates corresponding data flow feature information according to the service detection rule, and establishes a sub-SA between the UE and the local security gateway for user plane data transmission.
- the local security gateway receives the user plane SA establishment request sent by the SMF device, where the user plane SA establishment request includes service detection rules; according to the service detection rules, the corresponding data flow feature information is generated, and a sub-SA for user plane data transmission is established between the UE and the local security gateway.
- Step 1507 the local security gateway feeds back second notification information to the SMF device, where the second notification information is used to indicate that the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is completed.
- the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.
- Step 1508 the SMF device updates the routing and forwarding rules to the ULCL.
- the SMF device updates the routing and forwarding rules to the ULCL according to the packet detection rules and forwarding action rules fed back by the local security gateway.
- the embodiments of the present application provide a data configuration method, which is applied to a distributed security gateway scenario, realizes the configuration of the SA after inserting the ULCL and establishing the relevant data transmission tunnel, and establishes the SA between the UE and the local security gateway after the ULCL insertion procedure is completed.
- the SMF device can control the local security gateway and send it the detection rules for the data packets that need to be transmitted through the local security gateway.
- the embodiment of the present application further enhances the NAS message, and the SMF device can notify the UE through the NAS message, instructing the UE to establish an IKE SA with the local security gateway.
- the SMF device instructs the local security gateway and the UE to establish a sub-SA for user plane transmission, thereby saving the NAS signaling overhead sent to the UE and ensuring the efficiency of establishing the sub-SA between the local security gateway and the UE; this efficiency depends on the number of service detection rules delivered to the local security gateway.
- FIG. 16 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
- the method is used in the distributed security gateway scenario shown in FIG. 9 , where the SMF device and the local security gateway establish a communication connection.
- the method includes the following steps.
- Step 1600 the SMF device performs the process of MEC server discovery and ULCL/BP insertion.
- Step 1601 the SMF device sends an N1 message to the AMF device, where the N1 message includes the address of the local security gateway.
- the SMF device queries the address of the local security gateway after inserting the ULCL/BP, and encapsulates the address of the local security gateway in an N1 message and sends it to the AMF device.
- Step 1602 the AMF device sends a NAS message to the UE, where the NAS message includes the address of the local security gateway and the service detection rule of the local security gateway.
- After receiving the N1 message sent by the SMF device, the AMF device sends the enhanced NAS message to the UE, where the NAS message includes the address of the local security gateway.
- the NAS message is used to instruct the UE to establish an IKE SA with the local security gateway.
- the service detection rules of the local security gateway are service detection rules of service data packets that need to be transmitted from the local security gateway.
- the detection rule of the service data packet may be in the form of PDR, or may be in the form of data flow characteristic information.
- Step 1603 the UE establishes an IKE SA with the local security gateway.
- the UE receives an enhanced NAS message sent by the AMF device, where the enhanced NAS message includes the address of the local security gateway. After the UE receives the enhanced NAS message, the UE initiates the IKE SA establishment process with the local security gateway.
- Step 1604 the UE establishes a sub-SA for user plane data transmission with the local security gateway according to the service detection rule issued by the AMF device.
- Step 1605 the local security gateway feeds back notification information to the SMF device, where the notification information is used to indicate that the IKE SA and the sub-SA for user plane data transmission are established.
- the notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed, and the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed.
- the notification information includes first notification information and second notification information.
- the first notification information is used to indicate that the establishment of the IKE SA between the UE and the local security gateway is completed.
- the second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed.
- the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.
- the SMF device receives notification information fed back by the local security gateway.
- Step 1606 the SMF device updates the routing and forwarding rules to the ULCL.
- the SMF device updates the routing and forwarding rules to the ULCL according to the packet detection rules and forwarding action rules fed back by the local security gateway.
- the embodiments of the present application provide a data configuration method applied in the distributed security gateway scenario, which configures the SA after the ULCL is inserted and the related data transmission tunnel is established.
- the SMF device sends a NAS message to the UE through the AMF device, where the NAS message includes the address of the local security gateway and the service detection rules of the local security gateway, so that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is initiated by the UE, which saves energy;
- the signaling interaction between the SMF device and the local security gateway is also implemented.
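As an added example (not code from the patent or from any 3GPP specification), the following Python shows how one service detection rule given as data flow feature information can be mapped to the IKEv2 traffic selectors the UE negotiates for the sub-SA and to the PDR/FAR pair the SMF then installs on the ULCL, together with a check that the selectors the local security gateway actually accepted still cover the flow the ULCL will divert. The rule fields, the wildcard convention, the SDF filter text and the GTP-U tunnel fields are assumptions; only the traffic selector shape (RFC 7296 section 3.13) and the PDR/FAR vocabulary are taken from the standards.

```python
# Added example; not code from the patent. It turns one service detection rule
# (data flow feature information) into the IKEv2 traffic selectors of the
# sub-SA and into the packet detection rule (PDR) / forwarding action rule (FAR)
# that the SMF installs on the ULCL once the sub-SA is up. The rule fields, the
# wildcard convention, the SDF filter text and the GTP-U tunnel fields are
# assumptions for illustration.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ServiceDetectionRule:
    """UE address, MEC server prefix, IP protocol and server port;
    protocol 0 or server_port 0 means 'any' (assumed wildcard convention)."""
    ue_addr: str
    server_prefix: str
    protocol: int
    server_port: int


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE selector as carried in TSi/TSr (RFC 7296 section 3.13)."""
    start_addr: str
    end_addr: str
    start_port: int
    end_port: int
    protocol: int


def to_traffic_selectors(rule):
    """TSi describes the UE side of the sub-SA, TSr the MEC server side."""
    ue = ipaddress.ip_address(rule.ue_addr)
    srv = ipaddress.ip_network(rule.server_prefix, strict=False)
    lo, hi = (rule.server_port, rule.server_port) if rule.server_port else (0, 65535)
    tsi = TrafficSelector(str(ue), str(ue), 0, 65535, rule.protocol)
    tsr = TrafficSelector(str(srv[0]), str(srv[-1]), lo, hi, rule.protocol)
    return tsi, tsr


@dataclass(frozen=True)
class PDR:
    pdr_id: int
    precedence: int
    source_interface: str   # "access": uplink packets arriving from the UE
    ue_ip: str
    sdf_filter: str         # assumed IPFilterRule-style text
    far_id: int


@dataclass(frozen=True)
class FAR:
    far_id: int
    apply_action: str
    destination_interface: str
    outer_header_creation: dict   # GTP-U tunnel towards the local security gateway


def build_ulcl_rules(rule, uplink_tunnel, pdr_id=1, far_id=1, precedence=10):
    """PDR/FAR pair for the ULCL; uplink_tunnel is the local security gateway's
    uplink tunnel information, assumed to be a GTP-U endpoint {'ipv4', 'teid'}."""
    tsi, tsr = to_traffic_selectors(rule)
    proto = str(rule.protocol) if rule.protocol else "ip"
    port = f" {tsr.start_port}-{tsr.end_port}" if rule.server_port else ""
    sdf = f"permit in {proto} from {tsi.start_addr} to {tsr.start_addr}-{tsr.end_addr}{port}"
    far = FAR(far_id, "FORW", "core",
              {"ipv4": uplink_tunnel["ipv4"], "teid": uplink_tunnel["teid"]})
    pdr = PDR(pdr_id, precedence, "access", rule.ue_addr, sdf, far_id)
    return pdr, far


def accepted_covers(tsi, tsr, rule):
    """The responder may narrow TSi/TSr (RFC 7296 section 2.9). Before the SMF
    points the ULCL at the sub-SA, check that the selectors the local security
    gateway accepted still cover the whole flow the PDR will divert; otherwise
    packets outside the accepted selectors would not be protected by the sub-SA."""
    def in_range(addr, ts):
        return ipaddress.ip_address(ts.start_addr) <= addr <= ipaddress.ip_address(ts.end_addr)
    ue = ipaddress.ip_address(rule.ue_addr)
    srv = ipaddress.ip_network(rule.server_prefix, strict=False)
    lo, hi = (rule.server_port, rule.server_port) if rule.server_port else (0, 65535)
    proto_ok = all(ts.protocol in (0, rule.protocol) for ts in (tsi, tsr))
    return (proto_ok and in_range(ue, tsi)
            and in_range(srv[0], tsr) and in_range(srv[-1], tsr)
            and tsr.start_port <= lo and hi <= tsr.end_port)
```

The order matters: the SMF should derive the PDR from the selectors the local security gateway reports back in the second notification information, not from the rule it originally issued, because the gateway may have narrowed them; `accepted_covers` is the check that makes that narrowing visible before the ULCL is updated.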
- the local security gateway is IPSec gateway 2
- the data configuration method applied in the distributed security gateway scenario includes but is not limited to the following steps:
- Step 171 the AMF/SMF/PCF device executes the ULCL/BP insertion process
- Step 172 the AMF/SMF/PCF device performs session modification (address of IPSec gateway 2);
- Step 173 establish IKE SA and IPSec SA between UE and IPSec gateway 2;
- Step 174 the IPSec gateway 2 notifies the application server 2 of DNAI changes or routing rules.
- FIG. 18 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
- the data configuration apparatus can be implemented as a whole or a part of the network device through software, hardware or a combination of the two.
- the data configuration apparatus may include: a sending unit 1810 and a receiving unit 1820 .
- a sending unit 1810 configured to send first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;
- the receiving unit 1820 is configured to receive the address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the user equipment UE, and the first PSA is the PSA after the DNAI of the UE changes.
- the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the device further includes:
- the receiving unit 1820 is further configured to receive first response information corresponding to the first information fed back by the local security gateway, where the first response information is used to indicate that the connection establishment between the local security gateway and the MEC server is completed, and the first response information includes the uplink tunnel information of the local security gateway.
- the device further includes:
- the sending unit 1810 is further configured to send update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
- the device further includes:
- the receiving unit 1820 is further configured to receive second response information corresponding to the update information fed back by the local security gateway, where the second response information is used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
- the network device includes a centralized security gateway that establishes a communication connection with the local security gateway.
- the device further includes:
- the sending unit 1810 is further configured to subscribe to the DNAI change notification event at the SMF device;
- the processing unit is further configured to select the local security gateway when the first DNAI change notification from the SMF device is received.
- the first DNAI change notification includes the changed DNAI and the security association SA of the path to be changed, and the apparatus further includes:
- the processing unit is further configured to query the application of the path to be changed according to the changed DNAI and the SA of the path to be changed;
- the sending unit 1810 is further configured to send an AF notification to the corresponding application function AF device according to the queried application, where the AF notification is used to indicate DNAI changes;
- the receiving unit 1820 is further configured to receive the routing path information of the MEC server fed back by the AF device.
- the device further includes:
- the sending unit 1810 is further configured to feed back the fourth response information corresponding to the first DNAI change notification to the SMF device after receiving the first response information corresponding to the first information fed back by the local security gateway;
- both the first response information and the fourth response information include the uplink tunnel information of the local security gateway, and both are used to indicate that the connection establishment between the local security gateway and the MEC server is completed.
- the device further includes:
- the receiving unit 1820 is further configured to receive a second DNAI change notification from the SMF device, where the second DNAI change notification includes downlink tunnel information of the first PSA.
- the device further includes:
- the sending unit 1810 is further configured to, after receiving the second response information corresponding to the update information fed back by the local security gateway, feed back the fifth response information corresponding to the second DNAI change notification to the SMF device;
- the second response information and the fifth response information are both used to indicate that the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
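An added example, not the patent's own code, that models the centralized security gateway's side of the two DNAI change notifications described above as an explicit state machine: the fourth and fifth response information go to the SMF only after the corresponding confirmation from the local security gateway, and a notification that arrives out of order is rejected instead of being acted on. Message names follow the text; field names, the application lookup table, and the addresses and TEIDs are constructed assumptions.

```python
# Added example; not code from the patent. It models the centralized security
# gateway's part in the two DNAI change notifications as a state machine, so
# that the SMF receives the fourth and fifth response information only after
# the local security gateway has confirmed the uplink and downlink tunnel
# respectively. Message and field names, the application lookup table and the
# tunnel values are assumptions for illustration.
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    WAIT_AF = auto()          # AF notification sent, waiting for MEC routing path info
    WAIT_UPLINK = auto()      # first information sent, waiting for first response
    UPLINK_READY = auto()     # fourth response sent to the SMF
    WAIT_DOWNLINK = auto()    # update information sent, waiting for second response
    DONE = auto()             # fifth response sent to the SMF


class ProtocolError(Exception):
    pass


@dataclass
class CentralizedSecurityGateway:
    apps_by_path: dict        # (dnai, sa_id) -> application; assumed lookup table
    local_gw_by_dnai: dict    # dnai -> local security gateway address; assumed
    state: State = State.IDLE
    ctx: dict = field(default_factory=dict)

    def _expect(self, *states):
        if self.state not in states:
            raise ProtocolError(f"message not allowed in state {self.state.name}")

    def on_first_dnai_change(self, notification):
        """From the SMF: the changed DNAI plus the SA of the path to be changed."""
        self._expect(State.IDLE)
        app = self.apps_by_path.get((notification["dnai"], notification["sa_id"]))
        if app is None:
            raise ProtocolError("no application found for the path to be changed")
        self.ctx = {"dnai": notification["dnai"], "app": app,
                    "local_gw": self.local_gw_by_dnai[notification["dnai"]]}
        self.state = State.WAIT_AF
        return {"to": "AF", "af_notification": {"app": app, "dnai": notification["dnai"]}}

    def on_af_reply(self, routing_path_info):
        """From the AF: routing path information of the MEC server."""
        self._expect(State.WAIT_AF)
        self.state = State.WAIT_UPLINK
        return {"to": self.ctx["local_gw"],
                "first_information": {"routing_path": routing_path_info}}

    def on_first_response(self, response):
        """From the local security gateway: MEC connection done, uplink tunnel info."""
        self._expect(State.WAIT_UPLINK)
        if not response.get("mec_connected"):
            raise ProtocolError("local security gateway did not confirm the MEC connection")
        self.ctx["uplink_tunnel"] = response["uplink_tunnel"]
        self.state = State.UPLINK_READY
        return {"to": "SMF", "fourth_response": {"uplink_tunnel": response["uplink_tunnel"]}}

    def on_second_dnai_change(self, notification):
        """From the SMF: downlink tunnel information of the first PSA."""
        self._expect(State.UPLINK_READY)
        self.state = State.WAIT_DOWNLINK
        return {"to": self.ctx["local_gw"],
                "update_information": {"downlink_tunnel": notification["downlink_tunnel"]}}

    def on_second_response(self, response):
        """From the local security gateway: downlink tunnel established."""
        self._expect(State.WAIT_DOWNLINK)
        if not response.get("downlink_established"):
            raise ProtocolError("local security gateway did not confirm the downlink tunnel")
        self.state = State.DONE
        return {"to": "SMF", "fifth_response": {"downlink_established": True}}


def run_dnai_change():
    """Drive the happy path with constructed messages and return what was sent."""
    gw = CentralizedSecurityGateway(
        apps_by_path={("dnai-edge-2", "sa-0x1001"): "app-video"},
        local_gw_by_dnai={"dnai-edge-2": "198.51.100.20"})
    sent = [gw.on_first_dnai_change({"dnai": "dnai-edge-2", "sa_id": "sa-0x1001"}),
            gw.on_af_reply({"n6_route": "10.60.0.0/16 via 10.60.0.1"}),
            gw.on_first_response({"mec_connected": True,
                                  "uplink_tunnel": {"ipv4": "198.51.100.20", "teid": 0x1001}}),
            gw.on_second_dnai_change({"downlink_tunnel": {"ipv4": "203.0.113.9", "teid": 0x2002}}),
            gw.on_second_response({"downlink_established": True})]
    return gw, sent
```

The `_expect` guard is the practical point: a second DNAI change notification that arrives before the uplink tunnel has been confirmed, or a first response that does not actually report the MEC connection as established, must not result in tunnel information being forwarded to the SMF.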
- the centralized security gateway establishes an IKE SA with the UE, and the apparatus further includes:
- the receiving unit 1820 is further configured to, after sending the first sub-SA establishment request to the local security gateway, receive the first sub-SA establishment response fed back by the local security gateway;
- the receiving unit 1820 is further configured to, after the second sub-SA establishment request is sent to the UE, receive the second sub-SA establishment response fed back by the UE;
- the sending unit 1810 is further configured to send the context information of the sub-SA to the local security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the UE and the local security gateway;
- the receiving unit 1820 is further configured to receive third response information corresponding to the context information of the sub-SA fed back by the local security gateway, where the third response message is used to indicate that the establishment of the sub-SA is completed.
- the first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA;
- the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
- the second sub-SA establishment request includes the second data characteristic, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
- the second sub-SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.
- the third response information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information, and the device further includes:
- the sending unit 1810 is further configured to send third notification information to the SMF device, where the third notification information includes data packet detection rules and forwarding action rules.
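The patent describes the sub-SA exchange in terms of key generation material, random numbers and context information without saying what they contain or how keys are derived. The following Python is an added example, not the patent's code, of one consistent way to fill that in: the key generation material is a Diffie-Hellman public value in the RFC 3526 group 14 MODP group, the random number is an IKEv2 nonce, keys are derived with prf+ (RFC 7296 section 2.13) as in CREATE_CHILD_SA with PFS (section 2.17), and the context information pushed to the local security gateway carries a per-sub-SA seed derived from the IKE SA key SK_d rather than SK_d itself. All of those choices, the message layouts and the local-gateway-as-initiator ordering are assumptions.

```python
# Added example; not the patent's own code. It shows one way in which the UE
# and the local security gateway both obtain the same sub-SA (IPsec child SA)
# keys when the centralized security gateway only relays "key generation
# material" and "random numbers" and then pushes "context information" to the
# local security gateway. Assumptions (the patent does not specify them): the
# key generation material is a Diffie-Hellman public value in the RFC 3526
# group 14 MODP group, the random number is an IKEv2 nonce, keys come from prf+
# (RFC 7296 section 2.13) as in CREATE_CHILD_SA with PFS (section 2.17), and
# the context carries a per-sub-SA seed derived from the IKE SA key SK_d rather
# than SK_d itself, so the local gateway never sees SK_d.
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime, transcribed here; verify against the RFC before reuse.
MODP_2048 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_sa_keys(seed, g_ir, ni, nr, enc_len=32, integ_len=32):
    """KEYMAT = prf+(seed, g^ir | Ni | Nr); initiator-direction keys are taken first."""
    k = prf_plus(seed, g_ir + ni + nr, 2 * (enc_len + integ_len))
    a, b, c = enc_len, enc_len + integ_len, 2 * enc_len + integ_len
    return {"sk_ei": k[:a], "sk_ai": k[a:b], "sk_er": k[b:c], "sk_ar": k[c:]}


class SubSaEndpoint:
    """UE or local security gateway: holds a DH private value and a nonce."""

    def __init__(self):
        self.priv = secrets.randbelow(MODP_2048 - 2) + 1
        self.nonce = secrets.token_bytes(32)
        self.key_material = pow(GENERATOR, self.priv, MODP_2048).to_bytes(256, "big")

    def shared_secret(self, peer_material: bytes) -> bytes:
        peer = int.from_bytes(peer_material, "big")
        if not 1 < peer < MODP_2048 - 1:          # reject degenerate public values
            raise ValueError("invalid DH public value")
        return pow(peer, self.priv, MODP_2048).to_bytes(256, "big")


def establish_sub_sa(sk_d: bytes, spi: bytes):
    """Replays the four messages of the text; the local security gateway is
    treated as the initiator side of the sub-SA (an assumption both ends share)."""
    local_gw, ue = SubSaEndpoint(), SubSaEndpoint()
    # first sub-SA establishment request/response: centralized gateway <-> local gateway
    first_resp = {"material": local_gw.key_material, "nonce": local_gw.nonce}
    # second sub-SA establishment request/response: centralized gateway <-> UE,
    # the request carrying the local gateway's material and nonce
    second_resp = {"material": ue.key_material, "nonce": ue.nonce}
    # context information pushed to the local gateway: the UE's public values
    # and a per-SA seed derived from SK_d (never SK_d itself)
    seed = prf(sk_d, first_resp["nonce"] + second_resp["nonce"] + spi)
    context = {"peer_material": second_resp["material"], "ni": first_resp["nonce"],
               "nr": second_resp["nonce"], "seed": seed}
    gw_keys = child_sa_keys(context["seed"], local_gw.shared_secret(context["peer_material"]),
                            context["ni"], context["nr"])
    # the UE shares SK_d with the centralized gateway and recomputes the seed itself
    ue_seed = prf(sk_d, first_resp["nonce"] + second_resp["nonce"] + spi)
    ue_keys = child_sa_keys(ue_seed, ue.shared_secret(first_resp["material"]),
                            first_resp["nonce"], second_resp["nonce"])
    return ue_keys, gw_keys, context
```

With this split the centralized security gateway sees both public values and both nonces but never the DH shared secret, and the local security gateway receives a seed that is bound to this sub-SA's nonces and SPI rather than the IKE SA's SK_d; compromising one side's store therefore does not expose the other SA. Both ends must agree on which party counts as initiator for the KEYMAT ordering, which is why the context carries the nonces in a fixed `ni`/`nr` order.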
- the network device includes an SMF device that has established a communication connection with the local security gateway.
- the device further includes:
- the receiving unit 1820 is further configured to receive the first notification information sent by the local security gateway, where the first notification information is used to indicate that the establishment of the Internet Key Exchange Protocol IKE SA between the UE and the local security gateway is completed.
- the device further includes:
- the sending unit 1810 is further configured to send a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes a service detection rule;
- the receiving unit 1820 is further configured to receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes the data packet detection rules and forwarding action rules corresponding to the data flow feature information.
- the device further includes:
- the sending unit 1810 is further configured to send a NAS message to the UE through the AMF device after inserting the ULCL or BP, where the NAS message includes the address of the local security gateway.
- the NAS message includes service detection rules for service data packets that need to be transmitted from the local security gateway.
- FIG. 19 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
- the data configuration device can be implemented as all or a part of the local security gateway through software, hardware or a combination of the two.
- the data configuration apparatus may include: a receiving unit 1910 and a sending unit 1920 .
- a receiving unit 1910 configured to receive first information, where the first information is used to obtain address information of the local security gateway;
- the sending unit 1920 is configured to send the address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE, and the first PSA is the PSA after the DNAI of the UE changes.
- the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
- the device further includes:
- the sending unit 1920 is further configured to feed back first response information corresponding to the first information after the connection between the local security gateway and the MEC server is established, where the first response information includes uplink tunnel information of the local security gateway.
- the device further includes:
- the receiving unit 1910 is further configured to receive update information, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
- the device further includes:
- the sending unit 1920 is further configured to feed back second response information corresponding to the update information after the establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
- the local security gateway establishes a communication connection with the centralized security gateway
- the apparatus further includes:
- the sending unit 1920 is further configured to, after receiving the first sub-SA establishment request sent by the centralized security gateway, feed back the first sub-SA establishment response to the centralized security gateway;
- the receiving unit 1910 is further configured to receive the context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the user equipment UE and the local security gateway;
- the sending unit 1920 is further configured to feed back the third response information corresponding to the context information of the sub-SA to the centralized security gateway after the sub-SA is established.
- the first sub-SA establishment request includes the first data characteristic of the data to be encrypted and transmitted and the corresponding first SA
- the first sub-SA establishment response includes the second data characteristic accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.
- the local security gateway establishes a communication connection with the session management function SMF device, and the apparatus further includes:
- the sending unit 1920 is further configured to send the first notification information to the SMF device after the establishment of the IKE SA between the UE and the local security gateway is completed.
- the device further includes:
- the receiving unit 1910 is further configured to receive a user plane SA establishment request sent by the SMF device, where the user plane SA establishment request includes a service detection rule;
- a processing unit configured to generate corresponding data flow feature information according to the service detection rule, and establish a sub-SA for user plane data transmission between the UE and the local security gateway;
- the sending unit 1920 is further configured to feed back second notification information to the SMF device after the establishment of the sub-SA is completed, where the second notification information includes a data packet detection rule and a forwarding action rule corresponding to the data flow feature information.
- FIG. 20 shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application, where the network device may be the above-mentioned centralized security gateway or SMF device.
- the network device includes: a processor 201 , a receiver 202 , a transmitter 203 , a memory 204 and a bus 205 .
- the processor 201 includes one or more processing cores, and the processor 201 executes various functional applications and information processing by running software programs and modules.
- the receiver 202 and the transmitter 203 may be implemented as a communication component, which may be a communication chip; the communication chip may include a receiving module, a transmitting module and a modulation and demodulation module, for modulating and/or demodulating information and receiving or transmitting that information via wireless signals.
- the memory 204 is connected to the processor 201 through the bus 205 .
- the memory 204 stores program instructions and data necessary for the network device.
- the processor 201 is configured to execute program instructions and data in the memory 204 to implement the functions of each step performed by the network device in each method embodiment of the present application.
- by running at least one program instruction in the memory 204, the processor 201 controls the receiver 202 to implement the receiving function on the network device side in the above steps, and controls the transmitter 203 to implement the sending function on the network device side in the above steps.
- the memory 204 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
- Figure 20 only shows a simplified design of the network device.
- the network device may include any number of transmitters, receivers, processors, controllers, memories, communication units, etc., and all network devices that can implement the present application are within the protection scope of the present application.
- FIG. 21 shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application.
- the local security gateway includes: a processor 211 , a receiver 212 , a transmitter 213 , a memory 214 and a bus 215 .
- the processor 211 includes one or more processing cores, and the processor 211 executes various functional applications and information processing by running software programs and modules.
- the receiver 212 and the transmitter 213 may be implemented as a communication component, which may be a communication chip; the communication chip may include a receiving module, a transmitting module and a modulation and demodulation module, for modulating and/or demodulating information and receiving or transmitting that information via wireless signals.
- the memory 214 is connected to the processor 211 through the bus 215 .
- the memory 214 stores necessary program instructions and data for the local security gateway.
- the processor 211 is configured to execute program instructions and data in the memory 214 to implement the functions of each step performed by the local security gateway in each method embodiment of the present application.
- by running at least one program instruction in the memory 214, the processor 211 controls the receiver 212 to implement the receiving function on the local security gateway side in the above steps, and controls the transmitter 213 to implement the sending function on the local security gateway side in the above steps.
- the memory 214 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
- Figure 21 only shows a simplified design of the local security gateway.
- the local security gateway may include any number of transmitters, receivers, processors, controllers, memories, communication units, etc., and all local security gateways that can implement the present application are within the protection scope of the present application.
- An embodiment of the present application provides a data configuration apparatus, the apparatus including: a processor; and a memory for storing instructions executable by the processor; wherein the processor, when executing the instructions, is configured to implement the above method executed by a network device.
- An embodiment of the present application provides a data configuration apparatus, the apparatus including: a processor; and a memory for storing instructions executable by the processor; wherein the processor, when executing the instructions, is configured to implement the above method executed by the local security gateway.
- Embodiments of the present application provide a computer program product, including computer-readable code or a non-volatile computer-readable storage medium carrying computer-readable code; when the computer-readable code is executed in a processor of an electronic device, the processor in the electronic device executes the above method executed by the network device.
- Embodiments of the present application provide a computer program product, including computer-readable code or a non-volatile computer-readable storage medium carrying computer-readable code; when the computer-readable code is executed in a processor of an electronic device, the processor in the electronic device executes the above method executed by the local security gateway.
- An embodiment of the present application provides a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway.
- the network device includes a data configuration device as shown in FIG. 18 .
- the local security gateway includes the data configuration apparatus shown in FIG. 19; or, the network device includes the network device shown in FIG. 20 and the local security gateway includes the local security gateway shown in FIG. 21.
- Embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the foregoing method executed by a network device is implemented.
- Embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, implement the above method executed by the local security gateway.
- a computer-readable storage medium may be a tangible device that can hold and store instructions for use by the instruction execution device.
- the computer-readable storage medium may be, for example, but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
- Computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital video disc (DVD), memory sticks, floppy disks, mechanically encoded devices such as punch cards or raised structures in grooves on which instructions are stored, and any suitable combination of the foregoing.
- Computer readable program instructions or code described herein may be downloaded to various computing/processing devices from a computer readable storage medium, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network, and/or a wireless network.
- the network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers.
- a network adapter card or network interface in each computing/processing device receives computer-readable program instructions from a network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in each computing/processing device .
- the computer program instructions used to perform the operations of the present application may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk or C++ and conventional procedural programming languages such as the "C" language or similar programming languages.
- the computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
- electronic circuits such as programmable logic circuits, field-programmable gate arrays (FPGA) or programmable logic arrays (PLA) may be personalized by utilizing state information of the computer-readable program instructions, and the electronic circuit can execute the computer-readable program instructions to implement various aspects of the present application.
- these computer-readable program instructions may be provided to the processor of a general purpose computer, special purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
- these computer-readable program instructions may also be stored in a computer-readable storage medium; these instructions cause a computer, programmable data processing apparatus and/or other equipment to operate in a specific manner, so that the computer-readable medium on which the instructions are stored comprises an article of manufacture including instructions for implementing various aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
- the computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other equipment to cause a series of operational steps to be performed on that computer, apparatus or equipment so as to produce a computer-implemented process, such that the instructions executing on the computer, other programmable data processing apparatus or other equipment implement the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
- each block in the flowcharts or block diagrams may represent a module, segment or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
- the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
- each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented in hardware that performs the corresponding functions or actions (for example, circuits or application-specific integrated circuits (ASIC)), or by a combination of hardware and software, such as firmware.
Abstract
The present application relates to the technical field of communications, and in particular, to a data configuration method and apparatus, a system, and a storage medium. The method is used in a network device. The method comprises: sending first information to a local security gateway, the first information being used for acquiring address information of the local security gateway; and receiving the address information of the local security gateway, the address information of the local security gateway being routing destination address information configured for a first PSA and used for transmitting data from a UE, the first PSA being a PSA after a DNAI in the UE changes. According to embodiments of the present application, in the change process of a DNAI, an information exchange process of a local security gateway and a network device is designed, and related configuration in a ULCL insertion process is implemented, so that the subsequent ULCL insertion process can be completed normally after the local security gateway is introduced, thereby ensuring the reliability of data transmission.
Description
The present application relates to the field of communication technologies, and in particular, to a data configuration method, apparatus, system, and storage medium.
In the related art, a Data Network Access Identifier (DNAI) change in a Multi-access Edge Computing (MEC) scenario mainly includes the following processes: the process by which an Application Function (AF) influences service routing, the Uplink Classifier (ULCL) insertion process, and the AF device notification process.
Based on the methods in the related art, in the MEC scenario, the connection and path adjustment of the MEC server are mainly realized by the procedure in which the AF device influences service routing. First, the AF device provides, through a Policy Control Function (PCF) device, the Session Management Function (SMF) device with the DNAI available to the relevant application (that is, the access network entity where the MEC server is located). When the User Equipment (UE) moves or the SMF device detects the corresponding data flow, the SMF device triggers the insertion procedure for a new PDU Session Anchor (PSA)/ULCL. After selecting the corresponding PSA/ULCL, the SMF device notifies the AF device of the DNAI change, obtains the N6 configuration options and related routing rules required by the PSA/ULCL from the AF device's reply, and then configures the new PSA/ULCL.
In the scenario in the related art, after an additional security gateway is added, the device that establishes connections with the MEC server and with the updated PSA needs to be changed to the security gateway, which causes the problem that the subsequent ULCL insertion procedure cannot be completed normally.
SUMMARY OF THE INVENTION
In view of this, a data configuration method, apparatus, system, and storage medium are proposed. The embodiments of the present application provide a data configuration method, apparatus, system, and storage medium. By designing an information exchange procedure between the local security gateway and the network device within the DNAI change procedure, the related configuration in the ULCL insertion procedure is realized, so that the subsequent ULCL insertion procedure can be completed normally after the local security gateway is introduced, which ensures the reliability of data transmission.
In a first aspect, an embodiment of the present application provides a data configuration method for use in a network device, the method comprising:
sending first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;
receiving the address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for a first PSA and used to transmit data from the UE, and the first PSA is the PSA after the DNAI of the UE changes.
In this implementation manner, a data configuration method is provided. After the network device sends to the local security gateway the first information used to obtain the address information of the local security gateway, it receives the address information of the local security gateway. This address information is configured for the first PSA, that is, the PSA after the DNAI of the UE changes, and provides the routing destination address information used to transmit data from the UE. In other words, within the DNAI change procedure, an information exchange procedure between the local security gateway and the network device is designed, and the related configuration in the ULCL insertion procedure is realized, so that the subsequent ULCL insertion procedure can be completed normally after the local security gateway is introduced, which ensures the reliability of data transmission.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
In this implementation manner, the first information sent by the network device to the local security gateway includes the routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server, so that the path from the local security gateway to the MEC server can be established.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the method further includes:
receiving first response information corresponding to the first information fed back by the local security gateway, where the first response information is used to indicate that establishment of the connection between the local security gateway and the MEC server is completed, and the first response information includes uplink tunnel information of the local security gateway.
In this implementation manner, after the connection between the local security gateway and the MEC server is established, the network device receives the first response information corresponding to the first information fed back by the local security gateway, so that the network device determines that establishment of the connection between the local security gateway and the MEC server is completed and obtains the uplink tunnel information of the local security gateway from the first response information.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the method further includes:
sending update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
In this implementation manner, the network device sends to the local security gateway the update information including the downlink tunnel information of the first PSA, which is used to configure the downlink tunnel between the local security gateway and the first PSA, thereby establishing the path from the first PSA to the local security gateway during the ULCL insertion procedure.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:
receiving second response information corresponding to the update information fed back by the local security gateway, where the second response information is used to indicate that establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
In this implementation manner, the network device receives the second response information corresponding to the update information fed back by the local security gateway, so that the network device determines that establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
With reference to the first aspect or any one of the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner of the first aspect, the network device includes a centralized security gateway that has a communication connection established with the local security gateway.
In this implementation manner, the security gateway is split into a centralized security gateway and a local security gateway, and the message transmission between these two gateways is designed. This enhances the function of the centralized security gateway and realizes the security gateway configuration in the ULCL insertion procedure in the MEC scenario, with almost no change to the UE.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, before the centralized security gateway sends the first information to the local security gateway, the method further includes:
subscribing to the DNAI change notification event at the SMF device;
upon receiving a first DNAI change notification from the SMF device, selecting the local security gateway.
In this implementation manner, the centralized security gateway subscribes to the DNAI change notification event at the SMF device, so that it selects the local security gateway upon receiving the first DNAI change notification from the SMF device, thereby realizing the function of the centralized security gateway as a proxy network element.
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the first DNAI change notification includes the changed DNAI and the security association (SA) of the path to be changed, and the method further includes:
querying the application of the path to be changed according to the changed DNAI and the SA of the path to be changed;
sending, according to the queried application, an AF notification to the corresponding AF device, where the AF notification is used to indicate the DNAI change;
receiving the routing path information of the MEC server fed back by the AF device.
In this implementation manner, the centralized security gateway, acting as a proxy network element, undertakes the functions of interacting with the AF device and performing the MEC server connection configuration.
With reference to the sixth possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the method further includes:
after receiving the first response information corresponding to the first information fed back by the local security gateway, feeding back to the SMF device fourth response information corresponding to the first DNAI change notification;
where both the first response information and the fourth response information include the uplink tunnel information of the local security gateway, and both are used to indicate that establishment of the connection between the local security gateway and the MEC server is completed.
In this implementation manner, after receiving the first response information corresponding to the first information fed back by the local security gateway, the centralized security gateway feeds back to the SMF device the fourth response information corresponding to the first DNAI change notification, and cooperates with the SMF device to construct the path from the local security gateway to the MEC server.
With reference to the sixth possible implementation manner of the first aspect, in a ninth possible implementation manner of the first aspect, before sending the update information to the local security gateway, the method further includes:
receiving a second DNAI change notification from the SMF device, where the second DNAI change notification includes the downlink tunnel information of the first PSA.
In this implementation manner, after receiving the second DNAI change notification from the SMF device, the centralized security gateway sends the update information to the local security gateway to configure the downlink tunnel between the local security gateway and the first PSA.
With reference to the ninth possible implementation manner of the first aspect, in a tenth possible implementation manner of the first aspect, the method further includes:
after receiving the second response information corresponding to the update information fed back by the local security gateway, feeding back to the SMF device fifth response information corresponding to the second DNAI change notification;
where both the second response information and the fifth response information are used to indicate that establishment of the downlink tunnel between the local security gateway and the first PSA is completed.
In this implementation manner, after receiving the second response information corresponding to the update information fed back by the local security gateway, the centralized security gateway feeds back to the SMF device the fifth response information corresponding to the second DNAI change notification, and cooperates with the SMF device to construct the path between the local security gateway and the first PSA.
With reference to any one of the sixth to tenth possible implementation manners of the first aspect, in an eleventh possible implementation manner of the first aspect, the centralized security gateway has an IKE SA established with the UE, and the method further includes:
after sending a first sub-SA establishment request to the local security gateway, receiving a first sub-SA establishment response fed back by the local security gateway;
after sending a second sub-SA establishment request to the UE, receiving a second sub-SA establishment response fed back by the UE;
sending context information of the sub-SA to the local security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the UE and the local security gateway;
receiving third response information corresponding to the context information of the sub-SA fed back by the local security gateway, where the third response information is used to indicate that establishment of the sub-SA is completed.
In this implementation manner, the centralized security gateway, acting on behalf of the local security gateway, establishes with the UE the sub-SA for user plane data transmission and sends the context information of the corresponding sub-SA to the local security gateway, so that in the centralized security gateway scenario the sub-SA for transmitting user plane data between the UE and the local security gateway is established.
With reference to the eleventh possible implementation manner of the first aspect, in a twelfth possible implementation manner of the first aspect,
the first sub-SA establishment request includes a first data feature of the data to be transmitted with encryption and a corresponding first SA;
the first sub-SA establishment response includes a second data feature accepted by the local security gateway, a corresponding second SA, key generation material of the local security gateway, and a random number of the local security gateway;
the second sub-SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
the second sub-SA establishment response includes a confirmed third data feature, a corresponding third SA, key generation material of the UE, and a random number of the UE.
In this implementation manner, while the centralized security gateway establishes, on behalf of the local security gateway, the sub-SA for user plane data transmission with the UE, the information exchange consisting of the first sub-SA establishment request, the first sub-SA establishment response, the second sub-SA establishment request, and the second sub-SA establishment response lets the local security gateway and the UE each determine the data flow feature information (such as the first, second, and third data features above), so that the sub-SA between the local security gateway and the UE is established.
With reference to the eleventh possible implementation manner of the first aspect, in a thirteenth possible implementation manner of the first aspect, the third response information includes a packet detection rule and a forwarding action rule corresponding to the data flow feature information, and the method further includes:
sending third notification information to the SMF device, where the third notification information includes the packet detection rule and the forwarding action rule.
In this implementation manner, because transport mode is used, neither the destination IP address of an uplink packet nor the source IP address of a downlink packet is the address of the local security gateway. The centralized security gateway therefore needs to report to the SMF device the packet detection rule and forwarding action rule for the sub-SA of the local security gateway, and the ULCL is reconfigured accordingly, so that the corresponding packets are forwarded normally through the local security gateway.
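The centralized security gateway procedure of the sixth to thirteenth implementation manners, as an added message-level simulation that is not part of the application: the AF, UE and local security gateway (LSG) are stubs, the SMF side appears only as the two notifications it triggers, the LSG is assumed already selected, and every address, tunnel id, key material value, nonce and the application lookup table are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class LocalSecurityGateway:
    address: str                         # routing destination for the first PSA
    state: dict = field(default_factory=dict)

    def on_first_information(self, mec_route):
        # Configure the LSG <-> MEC server connection, then answer with the
        # LSG address and its uplink tunnel (the first response information).
        self.state["mec_route"] = mec_route
        return {"address": self.address,
                "uplink_tunnel": {"ip": self.address, "teid": 0x1001}}

    def on_update_information(self, downlink_tunnel):
        # Second response information: downlink tunnel LSG <-> first PSA ready.
        self.state["downlink_tunnel"] = downlink_tunnel
        return {"downlink_tunnel_ready": True}

    def on_first_sub_sa_request(self, feature, sa):
        # The LSG may narrow the offered data feature before accepting it.
        accepted = dict(feature, proto="TCP")
        return {"feature": accepted, "sa": sa,
                "keymat": "lsg-keymat", "nonce": "lsg-nonce"}

    def on_sub_sa_context(self, ctx):
        # Third response information. Transport mode leaves the MEC server
        # address in the packets, so a PDR/FAR pair is reported for the ULCL.
        self.state["sub_sa"] = ctx
        return {"sub_sa_ready": True, "pdr": {"match": ctx["feature"]},
                "far": {"forward_to": self.address}}


class UE:
    def on_second_sub_sa_request(self, feature, sa, keymat, nonce):
        # Confirms the data feature and contributes its own keymat and nonce.
        return {"feature": feature, "sa": sa,
                "keymat": "ue-keymat", "nonce": "ue-nonce"}


class AF:
    def on_af_notification(self, app, dnai):
        # Replies with the MEC server routing path for the changed DNAI.
        return {"app": app, "mec_server": "10.0.2.5", "dnai": dnai}


class CentralizedSecurityGateway:
    def __init__(self, lsg, ue, af):
        self.lsg, self.ue, self.af = lsg, ue, af   # lsg: the selected LSG
        self.transcript = []                        # (sender, receiver, message)
        self.path_apps = {("dnai-B", "sa-1"): "video-app"}  # constructed lookup
        self.ike_sa_with_ue = True                  # IKE SA already in place

    def send(self, to, msg, handler, **kw):
        self.transcript.append(("CSG", to, msg))
        return handler(**kw)

    def on_first_dnai_change(self, dnai, sa):
        # Seventh and eighth implementation manners (triggered by the SMF).
        app = self.path_apps[(dnai, sa)]
        route = self.send("AF", "af_notification", self.af.on_af_notification,
                          app=app, dnai=dnai)
        resp = self.send("LSG", "first_information",
                         self.lsg.on_first_information, mec_route=route)
        self.transcript.append(("CSG", "SMF", "fourth_response"))
        return {"psa_route_target": resp["address"],
                "uplink_tunnel": resp["uplink_tunnel"]}

    def on_second_dnai_change(self, psa_downlink_tunnel):
        # Ninth and tenth implementation manners (triggered by the SMF).
        self.send("LSG", "update_information", self.lsg.on_update_information,
                  downlink_tunnel=psa_downlink_tunnel)
        self.transcript.append(("CSG", "SMF", "fifth_response"))

    def establish_sub_sa(self, feature, sa):
        # Eleventh to thirteenth implementation manners.
        assert self.ike_sa_with_ue
        r1 = self.send("LSG", "first_sub_sa_request",
                       self.lsg.on_first_sub_sa_request, feature=feature, sa=sa)
        r2 = self.send("UE", "second_sub_sa_request",
                       self.ue.on_second_sub_sa_request, **r1)
        ctx = {"feature": r2["feature"], "sa": r2["sa"],
               "keymat": (r1["keymat"], r2["keymat"]),
               "nonces": (r1["nonce"], r2["nonce"])}
        r3 = self.send("LSG", "sub_sa_context", self.lsg.on_sub_sa_context, ctx=ctx)
        self.transcript.append(("CSG", "SMF", "third_notification"))
        return {"pdr": r3["pdr"], "far": r3["far"]}


def run_procedure():
    """Drive the whole exchange in the order the SMF would trigger it."""
    csg = CentralizedSecurityGateway(LocalSecurityGateway("192.0.2.10"), UE(), AF())
    csg.on_first_dnai_change(dnai="dnai-B", sa="sa-1")
    csg.on_second_dnai_change({"ip": "192.0.2.20", "teid": 0x2002})
    rules = csg.establish_sub_sa(feature={"dst": "10.0.2.5", "dport": 443}, sa="sa-1")
    return csg, rules
```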
With reference to the first aspect or any one of the first to fourth possible implementation manners of the first aspect, in a fourteenth possible implementation manner of the first aspect, the network device includes an SMF device that has a communication connection established with the local security gateway.
In this implementation manner, the data configuration method provided by the embodiment of the present application is applied to the distributed security gateway scenario, and the configuration of the security gateway in the ULCL insertion procedure in this scenario is realized through the information exchange procedure between the local security gateway and the SMF device.
With reference to the fourteenth possible implementation manner of the first aspect, in a fifteenth possible implementation manner of the first aspect, the method further includes:
receiving first notification information sent by the local security gateway, where the first notification information is used to indicate that Internet Key Exchange (IKE) establishment between the UE and the local security gateway is completed.
In this implementation manner, the SMF device receives the first notification information sent by the local security gateway, so that the SMF device determines that establishment of the IKE SA between the UE and the local security gateway is completed.
With reference to the fifteenth possible implementation manner of the first aspect, in a sixteenth possible implementation manner of the first aspect, the method further includes:
sending a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes a service detection rule;
receiving second notification information fed back by the local security gateway, where the second notification information is used to indicate that establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes the packet detection rule and forwarding action rule corresponding to the data flow feature information.
In this implementation manner, by providing the service detection rule to the local security gateway, the SMF device instructs the local security gateway to establish with the UE the sub-SA for user plane transmission, which saves the NAS signaling overhead that would otherwise be sent to the UE and ensures the efficiency of sub-SA establishment between the local security gateway and the UE.
With reference to the fifteenth possible implementation manner of the first aspect, in a seventeenth possible implementation manner of the first aspect, the method further includes:
receiving second notification information fed back by the local security gateway, where the second notification information is used to indicate that establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and the second notification information includes the packet detection rule and forwarding action rule corresponding to the data flow feature information.
In this implementation manner, the SMF device receives the second notification information fed back by the local security gateway, so that the SMF device determines that establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is completed, and determines the packet detection rule and forwarding action rule corresponding to the data flow feature information.
With reference to the fifteenth possible implementation manner of the first aspect, in an eighteenth possible implementation manner of the first aspect, the method further includes:
after the ULCL or branch point (BP) is inserted, sending a NAS message to the UE through the AMF device, where the NAS message includes the address of the local security gateway.
In this implementation manner, the NAS message is enhanced: the SMF device sends the NAS message, which includes the address of the local security gateway, to the UE through the AMF device, so that establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is initiated by the UE, which saves the signaling interaction between the SMF device and the local security gateway.
With reference to the fifteenth possible implementation manner of the first aspect, in a nineteenth possible implementation manner of the first aspect, the NAS message includes a service detection rule for the service data packets that need to be transmitted through the local security gateway.
In this implementation manner, the SMF device can control the local security gateway and notify the UE, through the NAS message, of the service detection rule for the service data packets that need to be transmitted through the local security gateway, so that establishment of the sub-SA for user plane data transmission between the UE and the local security gateway is initiated by the UE, which further saves the signaling interaction between the SMF device and the local security gateway.
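As an added example that is not the application's own code, the data-plane side of the transport-mode point made for the thirteenth implementation manner and of the packet detection rule and forwarding action rule reported in the sixteenth and seventeenth: a small ULCL / first-PSA classifier that derives the data flow feature from the SMF's service detection rule and steers matching packets into the local security gateway tunnels, leaving everything else on the default path. All addresses, ports, prefixes and tunnel names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int            # server-side port: dst port for UL, src port for DL
    direction: str       # "UL" (from the UE) or "DL" (towards the UE)


def flow_feature_from_rule(rule):
    """Data flow feature information derived from an SMF service detection
    rule, as the local security gateway does before building the sub-SA."""
    return {"server": ip_network(rule["server"]), "proto": rule["proto"],
            "port": rule["port"]}


def build_rules(feature, lsg_address, psa_to_lsg_tunnel):
    """PDR/FAR pairs as reported in the second notification information.
    The UL pair is installed at the ULCL, the DL pair at the first PSA."""
    return [
        ({"dir": "UL", "feature": feature},
         {"action": "FORWARD", "next_hop": lsg_address, "tunnel": "lsg-uplink"}),
        ({"dir": "DL", "feature": feature},
         {"action": "FORWARD", "next_hop": lsg_address,
          "tunnel": psa_to_lsg_tunnel}),
    ]


def matches(pdr, pkt):
    f = pdr["feature"]
    if pdr["dir"] != pkt.direction or f["proto"] != pkt.proto:
        return False
    if f["port"] != pkt.port:
        return False
    # Transport mode: the packet still carries the MEC server address, not
    # the gateway address, so the rule must match the server side of the flow.
    peer = pkt.dst if pkt.direction == "UL" else pkt.src
    return ip_address(peer) in f["server"]


def select_far(pkt, rules, default_far):
    """First matching PDR wins; otherwise the pre-existing default FAR."""
    for pdr, far in rules:
        if matches(pdr, pkt):
            return far
    return default_far


def steer(packets, rules, default_far):
    """Map each packet to the tunnel the ULCL / first PSA sends it into."""
    return {p: select_far(p, rules, default_far)["tunnel"] for p in packets}


def demo():
    rule = {"server": "10.0.2.0/24", "proto": "TCP", "port": 443}  # from SMF
    rules = build_rules(flow_feature_from_rule(rule), "192.0.2.10", "psa-downlink")
    default = {"action": "FORWARD", "next_hop": "central-psa", "tunnel": "n6-default"}
    pkts = [
        Packet("10.10.0.7", "10.0.2.5", "TCP", 443, "UL"),     # MEC app: to the LSG
        Packet("10.10.0.7", "203.0.113.9", "TCP", 443, "UL"),  # not MEC: default
        Packet("10.0.2.5", "10.10.0.7", "TCP", 443, "DL"),     # MEC reply: PSA->LSG
        Packet("10.10.0.7", "10.0.2.5", "UDP", 443, "UL"),     # wrong proto: default
    ]
    return steer(pkts, rules, default)
```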
In a second aspect, an embodiment of the present application provides a data configuration method for use in a local security gateway, the method comprising:
receiving first information, where the first information is used to obtain address information of the local security gateway;
sending the address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for a first PSA and used to transmit data from a user equipment (UE), and the first PSA is the PSA after the DNAI of the UE changes.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the method further includes:
after establishment of the connection between the local security gateway and the MEC server is completed, feeding back first response information corresponding to the first information, where the first response information includes uplink tunnel information of the local security gateway.
With reference to the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the method further includes:
receiving update information, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
With reference to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the method further includes:
after establishment of the downlink tunnel between the local security gateway and the first PSA is completed, feeding back second response information corresponding to the update information.
With reference to the second aspect or any one of the first to fourth possible implementation manners of the second aspect, in a fifth possible implementation manner of the second aspect, the local security gateway has a communication connection established with a centralized security gateway, and the method further includes:
after receiving a first sub-SA establishment request sent by the centralized security gateway, feeding back a first sub-SA establishment response to the centralized security gateway;
receiving context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA for transmitting user plane data between the user equipment (UE) and the local security gateway;
after establishment of the sub-SA is completed, feeding back to the centralized security gateway third response information corresponding to the context information of the sub-SA.
With reference to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the first sub-SA establishment request includes a first data feature of the data to be transmitted with encryption and a corresponding first SA, and the first sub-SA establishment response includes a second data feature accepted by the local security gateway, a corresponding second SA, key generation material of the local security gateway, and a random number of the local security gateway.
结合第二方面和第一种至第四种可能的实现方式中的任意一种可能的实现方式,在第二方面的第七可能的实现方式中,本地安全网关与会话管理功能SMF设备建立有通信连接,方法还包括:In combination with the second aspect and any one of the first to fourth possible implementations, in a seventh possible implementation of the second aspect, the local security gateway and the session management function SMF device establish a communication connection, the method further includes:
在UE与本地安全网关之间的IKE SA建立完成后,向SMF设备发送第一通知信息。After the establishment of the IKE SA between the UE and the local security gateway is completed, the first notification information is sent to the SMF device.
结合第二方面的第七可能的实现方式,在第二方面的第八种可能的实现方式中,该方法还包括:With reference to the seventh possible implementation manner of the second aspect, in the eighth possible implementation manner of the second aspect, the method further includes:
接收SMF设备发送的用户面SA建立请求,用户面SA建立请求包括业务检测规则;Receive a user plane SA establishment request sent by the SMF device, and the user plane SA establishment request includes a service detection rule;
根据业务检测规则,生成对应的数据流特征信息,建立UE与本地安全网关之间用于用户面数据传输的子SA;According to the service detection rule, the corresponding data flow feature information is generated, and a sub-SA for user plane data transmission between the UE and the local security gateway is established;
在子SA建立完成后向SMF设备反馈第二通知信息,第二通知信息包括数据流特征信息对应的数据包检测规则和转发动作规则。After the establishment of the sub-SA is completed, the second notification information is fed back to the SMF device, where the second notification information includes the data packet detection rule and the forwarding action rule corresponding to the data flow characteristic information.
结合第二方面的第七可能的实现方式,在第二方面的第九种可能的实现方式中,该方法还包括:With reference to the seventh possible implementation manner of the second aspect, in the ninth possible implementation manner of the second aspect, the method further includes:
在UE与本地安全网关之间用于用户面数据传输的子SA建立完成后,向SMF设备反馈第二通知信息,第二通知信息包括数据流特征信息对应的数据包检测规则和转发动作规则。After the establishment of the sub-SA between the UE and the local security gateway for user plane data transmission is completed, second notification information is fed back to the SMF device, where the second notification information includes data packet detection rules and forwarding action rules corresponding to data flow feature information.
第三方面,本申请的实施例提供了一种数据配置方法,用于数据配置系统中,数据配置系统包括本地安全网关和与本地安全网关建立有通信连接的网络设备,该方法包括:In a third aspect, an embodiment of the present application provides a data configuration method, which is used in a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway, and the method includes:
网络设备向本地安全网关发送第一信息,第一信息用于获取本地安全网关的地址信息;The network device sends first information to the local security gateway, where the first information is used to obtain address information of the local security gateway;
本地安全网关接收到第一信息后,发送本地安全网关的地址信息,本地安全网关的地址信息是为第一PSA配置的用于传输来自UE的数据的路由目的地址信息,第一PSA为UE发生DNAI变化后的PSA;After receiving the first information, the local security gateway sends the address information of the local security gateway. The address information of the local security gateway is the routing destination address information configured for the first PSA and used to transmit data from the UE. The first PSA occurs for the UE. PSA after DNAI changes;
网络设备接收本地安全网关的地址信息。The network device receives the address information of the local security gateway.
第四方面,本申请的实施例提供了一种数据配置装置,用于网络设备中,该装置包括:处理器;用于存储处理器可执行指令的存储器;其中,处理器被配置为执行指令时实现上述第一方面或第一方面中的任意一种可能的实现方式所提供的数据配置方法。In a fourth aspect, embodiments of the present application provide a data configuration apparatus for use in a network device, the apparatus comprising: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to execute the instructions When implementing the data configuration method provided by the first aspect or any one of the possible implementation manners of the first aspect.
第五方面,本申请的实施例提供了一种数据配置装置,用于本地安全网关中,该装置包括:处理器;用于存储处理器可执行指令的存储器;其中,处理器被配置为执行指令时实现上述第二方面或第二方面中的任意一种可能的实现方式所提供的数据配置方法。In a fifth aspect, embodiments of the present application provide a data configuration apparatus for use in a local security gateway, the apparatus comprising: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to execute The data configuration method provided by the second aspect or any one of the possible implementation manners of the second aspect is implemented when the instruction is executed.
第六方面,本申请的实施例提供了一种数据配置装置,该装置包括至少一个单元,至少一个单元用于实现上述第一方面或第一方面中的任意一种可能的实现方式所提供的数据配置方法。In a sixth aspect, an embodiment of the present application provides a data configuration apparatus, the apparatus includes at least one unit, and the at least one unit is configured to implement the first aspect or any one of the possible implementations of the first aspect. Data configuration method.
第七方面,本申请的实施例提供了一种数据配置装置,该装置包括至少一个单元,至少一个单元用于实现上述第二方面或第二方面中的任意一种可能的实现方式所提供的数据配置方法。In a seventh aspect, an embodiment of the present application provides a data configuration apparatus, the apparatus includes at least one unit, and the at least one unit is configured to implement the second aspect or any one of the possible implementations of the second aspect. Data configuration method.
第八方面,本申请的实施例提供了一种计算机程序产品,包括计算机可读代码,或者承载有计算机可读代码的非易失性计算机可读存储介质,当计算机可读代码在电子设备中运行时,电子设备中的处理器执行上述第一方面或第一方面中的任意一种可 能的实现方式所提供的数据配置方法。In an eighth aspect, embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are stored in an electronic device When running, the processor in the electronic device executes the data configuration method provided by the first aspect or any one of the possible implementation manners of the first aspect.
第九方面,本申请的实施例提供了一种计算机程序产品,包括计算机可读代码,或者承载有计算机可读代码的非易失性计算机可读存储介质,当计算机可读代码在电子设备中运行时,电子设备中的处理器执行上述第二方面或第二方面中的任意一种可能的实现方式所提供的数据配置方法。In a ninth aspect, embodiments of the present application provide a computer program product, comprising computer-readable codes, or a non-volatile computer-readable storage medium carrying computer-readable codes, when the computer-readable codes are stored in an electronic device When running, the processor in the electronic device executes the data configuration method provided by the second aspect or any one of the possible implementation manners of the second aspect.
第十方面,本申请的实施例提供了一种非易失性计算机可读存储介质,其上存储有计算机程序指令,计算机程序指令被处理器执行时实现上述第一方面或第一方面中的任意一种可能的实现方式所提供的数据配置方法。In a tenth aspect, embodiments of the present application provide a non-volatile computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the first aspect or the first aspect is implemented. The data configuration method provided by any possible implementation.
第十一方面,本申请的实施例提供了一种非易失性计算机可读存储介质,其上存储有计算机程序指令,计算机程序指令被处理器执行时实现上述第二方面或第二方面中的任意一种可能的实现方式所提供的数据配置方法。In an eleventh aspect, embodiments of the present application provide a non-volatile computer-readable storage medium, on which computer program instructions are stored, and when the computer program instructions are executed by a processor, the second aspect or the second aspect is implemented The data configuration method provided by any of the possible implementations.
第十二方面,本申请的实施例提供了一种数据配置系统,该数据配置系统包括本地安全网关和与本地安全网关建立有通信连接的网络设备:In a twelfth aspect, an embodiment of the present application provides a data configuration system, where the data configuration system includes a local security gateway and a network device that establishes a communication connection with the local security gateway:
该网络设备包括如上述第四方面的数据配置装置,该本地安全网关包括如上述第五方面的数据配置装置;或者,该网络设备包括如上述第六方面的数据配置装置,该本地安全网关包括如上述第七方面的数据配置装置。The network device includes the data configuration device according to the fourth aspect, the local security gateway includes the data configuration device according to the fifth aspect; or, the network device includes the data configuration device according to the sixth aspect, and the local security gateway includes The data configuration apparatus according to the above seventh aspect.
FIG. 1 shows a schematic structural diagram of the IPSec protocol suite.
FIG. 2 shows a schematic diagram of a gateway architecture in which a security gateway is deployed between a UPF device and a DN.
FIG. 3 shows a flowchart of the procedure by which an AF influences service routing in the related art.
FIG. 4 shows a flowchart of the ULCL insertion procedure in the related art.
FIG. 5 shows a flowchart of the AF device notification procedure in the related art.
FIG. 6 shows a schematic structural diagram of a data configuration system provided by an exemplary embodiment of the present application.
FIG. 7 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.
FIG. 8 shows a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of the present application.
FIG. 9 shows a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of the present application.
FIG. 10 shows a flowchart of a data configuration method provided by an exemplary embodiment of the present application.
FIG. 11 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 12 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 13 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 14 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 15 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 16 shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 17 shows a schematic diagram of the principle of a data configuration method provided by another exemplary embodiment of the present application.
FIG. 18 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
FIG. 19 shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application.
FIG. 20 shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application.
FIG. 21 shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application.
Various exemplary embodiments, features and aspects of the present application are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.
In the embodiments of the present application, "/" may indicate an "or" relationship between the objects it connects; for example, A/B may mean A or B. "And/or" may describe three relationships between associated objects; for example, A and/or B may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. To simplify the description of the technical solutions, the words "first", "second" and the like may be used in the embodiments to distinguish technical features with the same or similar functions. These words do not limit quantity or execution order, and features labelled "first" and "second" are not necessarily different. In the embodiments, words such as "exemplary" or "for example" indicate an example, instance or illustration; any embodiment or design described as "exemplary" or "for example" should not be construed as preferred over, or more advantageous than, other embodiments or designs. Such words are intended to present the relevant concepts in a concrete way to aid understanding.
In the embodiments of the present application, for a given kind of technical feature, "first", "second", "third", "A", "B", "C", "D" and the like distinguish individual technical features of that kind; there is no order of precedence or magnitude among the features so labelled.
In addition, to better explain the present application, numerous specific details are given in the following detailed description. Those skilled in the art will understand that the application can also be practiced without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the essence of the application.
First, some terms used in the embodiments of the present application are introduced.
1. 5th Generation Mobile Networks (5G) system architecture: includes an access network and a core network.
The access network implements functions related to wireless access. The core network includes, but is not limited to, the following logical network elements: the radio access network ((R)AN), the access and mobility management function (AMF) device, the session management function (SMF) device, the user plane function (UPF) device, the policy control function (PCF) device, and the unified data management (UDM) device.
User equipment (UE) is a network terminal device, such as a mobile phone or an Internet of Things terminal. A base station (radio access network, RAN) device provides wireless access to the UE and includes, but is not limited to, an eNodeB, a WiFi AP, a WiMAX BS and the like. The AMF device is responsible for mobility management in the mobile network, such as user location updates, user registration with the network and user handover. The SMF device is responsible for session management in the mobile network, such as session establishment, modification and release; its specific functions include assigning IP addresses to users and selecting the UPF device that provides packet forwarding. The PCF device is responsible for providing policies, such as QoS policies and slice selection policies, to the AMF device and the SMF device. The UDM device stores user data, such as subscription information and authentication/authorization information. The AF device is responsible for providing services to the 3GPP network, such as influencing service routing and interacting with the PCF device for policy control. The UPF device is responsible for processing user packets, such as forwarding and charging. A data network (DN) is a network that provides data transmission services to users, such as the IP Multimedia Subsystem (IMS) or the Internet. The UE accesses the DN by establishing a session (PDU session) from the UE through the RAN and the UPF device to the DN.
2. Internet Protocol Security (IPSec) protocol: implements security protection at the IP layer, protecting sensitive data transmitted over an insecure network. The two communicating parties perform encryption and data origin authentication at the IP layer to provide confidentiality, data integrity, data origin authentication and anti-replay for packets in transit.
The security services provided by IPSec include: (1) data origin authentication: authentication of the peer's identity, with non-repudiation; (2) integrity protection: ensuring that data is not tampered with in transit; (3) confidentiality: encrypting sensitive user data in transit; (4) replay protection: rejecting old or duplicate packets.
Security association (SA): an agreement negotiated between two communicating entities that creates a one-way logical connection for security purposes. All traffic passing through the same SA receives the same security service; the SA determines the IPSec protocol used to protect the packets, the keys, and the lifetime of the keys. SAs are the foundation of IPSec. An SA is unidirectional (inbound and outbound) and protocol-specific: each security protocol (AH and ESP) requires its own SA.
Security association database (SAD): a storage structure holding all state data associated with SAs.
Security parameter index (SPI): a 32-bit value used to look up an SA. The SPI, the destination IP address and the security protocol number together form a triplet that uniquely identifies a particular SA.
Security policy (SP): configured by the user; determines what protection is applied to IP packets and how it is applied. SP attributes include the protected traffic (ACL), the security proposal (encapsulation mode, security protocol, encryption and authentication algorithms), the key configuration method, the local/peer IP addresses of the secure tunnel, the IKE peer, and so on.
Security policy database (SPD): usually an ordered structure that describes traffic characteristics with access control lists. The interface for defining traffic and security services is implementation-dependent. When an IP packet is received or is about to be sent, the SPD is consulted first to decide how to handle it. There are three possible treatments: discard, bypass IPSec, and apply IPSec.
How IPSec works: IPSec provides security services according to the policy rules defined in the SPD, which are added by administrators or applications. A packet passing through an IPSec entity is handled in one of three ways: protected by IPSec, discarded, or bypassed. The information on which the protocol bases this decision is called the selectors, which include the packet's IP header and next-layer header fields. Every policy in the SPD defines its selectors.
3. IPSec protocol suite: includes two security processing protocols and one key exchange protocol.
As shown in FIG. 1, the IPSec protocol suite 10 includes the Authentication Header (AH) protocol 11, the Encapsulating Security Payload (ESP) protocol 12 and the IKE protocol 13. AH protocol 11 provides data origin authentication, data integrity verification, anti-replay protection and similar functions; it does not support data encryption. ESP protocol 12 provides data origin authentication, data integrity verification, anti-replay protection, data encryption and similar functions. AH protocol 11 and ESP protocol 12 can be used alone or nested. Through these combinations, IPSec can be used between two hosts, between two security gateways (firewalls and routers), or between a host and a security gateway. IKE protocol 13 is responsible for key management and defines how communicating entities authenticate each other, negotiate encryption algorithms and generate shared session keys; here the Digital Object Unique Identifier (DOI) uniformly assigns identifiers to the protocols that negotiate SAs through IKE protocol 13. IKE protocol 13 keeps the results of key negotiation in the SA for later use by AH protocol 11 and ESP protocol 12.
IPSec encapsulation modes include transport mode and tunnel mode. In transport mode no new IP header is generated: the AH or ESP header is inserted after the IP header of the original packet but before any transport-layer protocol, and this mode is typically used for host-to-host IPSec scenarios (where the data transmission endpoint is also the encryption endpoint). In tunnel mode, the AH or ESP header is inserted before the original IP header, and a new IP header is generated and placed before the AH or ESP header; this mode is typically used when private networks communicate with each other over a public network.
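The SPD/SAD processing path and the two encapsulation modes described above, as an added example that is not part of the patent text: packet selectors are matched against an ordered SPD, a PROTECT verdict names an SA that is located in the SAD by the (SPI, destination IP, security protocol) triplet, and the packet is then laid out in transport or tunnel mode. All addresses, SPIs, key identifiers and policies are constructed sample values.

```python
"""Minimal model of IPSec outbound processing: SPD selectors -> SAD triplet lookup
-> header layout for transport/tunnel mode. Constructed example, not patent code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ESP, AH = 50, 51          # IP protocol numbers of the two security protocols


@dataclass(frozen=True)
class Selector:
    """Selector fields the SPD matches on: IP header plus next-layer header."""
    src: str
    dst: str
    proto: Optional[int] = None   # None matches any next-layer protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str
    sa_ref: Optional[tuple] = None   # (spi, dst_ip, sec_proto) when PROTECT


@dataclass(frozen=True)
class SA:
    spi: int            # 32-bit security parameter index
    dst: str            # destination address of the protected packets
    sec_proto: int      # ESP or AH: one SA per security protocol
    mode: str           # "tunnel" or "transport"
    direction: str      # "outbound" or "inbound": SAs are unidirectional
    key_id: str         # stand-in for the negotiated keys (lifetime omitted)


class SAD:
    """Keyed by the (SPI, destination IP, security protocol) triplet."""
    def __init__(self):
        self._entries = {}

    def add(self, sa: SA):
        assert 0 <= sa.spi < 2 ** 32, "SPI must fit in 32 bits"
        self._entries[(sa.spi, sa.dst, sa.sec_proto)] = sa

    def lookup(self, spi, dst, sec_proto) -> Optional[SA]:
        return self._entries.get((spi, dst, sec_proto))


class SPD:
    """Ordered list: the first matching policy wins; no match means DISCARD."""
    def __init__(self, policies):
        self._policies = list(policies)

    def decide(self, pkt: dict) -> Policy:
        for p in self._policies:
            if p.selector.matches(pkt):
                return p
        return Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)


def encapsulate(pkt: dict, sa: SA) -> list:
    """Header order for the two encapsulation modes (payload stays last)."""
    sec_hdr = "ESP" if sa.sec_proto == ESP else "AH"
    if sa.mode == "transport":     # original IP header, then AH/ESP, then L4
        return ["IP(orig)", sec_hdr, "L4+payload"]
    return ["IP(new->%s)" % sa.dst, sec_hdr, "IP(orig)", "L4+payload"]


def process_outbound(pkt: dict, spd: SPD, sad: SAD):
    """Return (verdict, header layout or None), consulting the SPD then the SAD."""
    policy = spd.decide(pkt)
    if policy.action != PROTECT:
        return policy.action, None
    sa = sad.lookup(*policy.sa_ref)
    if sa is None or sa.direction != "outbound":
        # policy demands protection but no usable SA exists: drop, never bypass
        return DISCARD, None
    return PROTECT, encapsulate(pkt, sa)


# Constructed sample configuration: UE subnet 10.0.0.0/24, gateway 198.51.100.1.
sample_sad = SAD()
sample_sad.add(SA(0x1001, "198.51.100.1", ESP, "tunnel", "outbound", "k-out"))
sample_sad.add(SA(0x1002, "10.0.0.5", ESP, "tunnel", "inbound", "k-in"))
sample_spd = SPD([
    Policy(Selector("10.0.0.0/24", "192.0.2.0/24", proto=6, dport=22), DISCARD),
    Policy(Selector("10.0.0.0/24", "192.0.2.0/24"), PROTECT, (0x1001, "198.51.100.1", ESP)),
    Policy(Selector("10.0.0.0/24", "10.0.0.0/24"), BYPASS),
])
```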
4. End-to-end encryption through an IPSec gateway
There is currently a requirement for encrypted transmission from the UE to the CN. One solution that does not require changes to the current network architecture is to deploy a security gateway between the UPF device and the DN; the gateway architecture is shown in FIG. 2. A new security gateway 20 is placed on the interface between the UPF device and the DN, and communication between UE 22 and security gateway 20 implements E2E encryption at the IP layer. The encryption key is derived from the key negotiated between UE 22 and security gateway 20 using the IPsec protocol, and the encryption policy is negotiated and managed by security gateway 20 and UE 22.
In the related art, the data network access identifier (DNAI) change in the MEC scenario is implemented mainly by the following three procedures.
In one possible implementation, the flow of the procedure by which the AF influences service routing is shown in FIG. 3: the AF device notifies the SMF device, through the PCF, of information such as the DNAI that supports the MEC service, the corresponding location area and the service flow.
Step 301: The AF device generates an AF request, where the AF request includes an AF service identifier and an AF notification receiving method (if AF notifications are to be received). The AF request may also include an AF device identifier, the corresponding DNAI list, and the application identifier and traffic filtering information of the corresponding service, where the traffic filtering information is used to identify the application's service flow. The AF request may also include N6 routing information, which is port information used to establish the N6 connection with the UPF device.
Step 302: The AF device sends the generated AF request to the network exposure function (NEF) device.
Step 303a: The NEF device stores the information in the AF request in the unified data repository (UDR) device.
Step 303b: The NEF device notifies the AF device of the storage/update/deletion of the information.
Step 304: If the PCF device has subscribed to notifications of AF requests, the UDR device notifies the PCF device of the corresponding AF request modification.
Step 305: The PCF device decides, according to the information in the AF request, to modify the current PDU session, generates a policy and charging control rule (PCC rule) according to the AF request, and interacts with the SMF device. This interaction may include the subscribed events for AF notifications.
Step 306: The SMF device receives the PCC rule sent by the PCF device and adjusts the current PDU session according to the PCC rule.
In one possible implementation, the flow of the ULCL insertion procedure is shown in FIG. 4. When the area changes or the corresponding service flow is detected, the SMF decides to execute the rules delivered by the procedure of FIG. 1 and inserts the ULCL. In this procedure, the SMF needs to adjust the forwarding rules of PSA1, PSA2 and the ULCL respectively, to ensure that the corresponding uplink and downlink packets are transmitted by the correct user plane network element. The ULCL insertion procedure includes, but is not limited to, the following steps:
Step 401: The UE establishes a PDU session with PSA1. At this time the SMF device locally stores the uplink port information that PSA1 uses for this session to connect with the RAN device, and the downlink port information that the RAN device uses to connect with PSA1.
Step 402: The SMF device selects and configures PSA2, including configuring the N6 port of PSA2 and obtaining the uplink port of PSA2.
Step 403: The SMF device selects and configures the ULCL/branching point (BP). The BP is the branching point used for IPv6 and may also be written BP(IPv6). Selecting and configuring the ULCL/BP includes: configuring the uplink tunnels from the ULCL to PSA1 and PSA2 according to the uplink port information of PSA1 and PSA2, and configuring the downlink tunnel from the ULCL to the RAN according to the downlink port information of the RAN; obtaining the downlink port information the ULCL uses for PSA1 and PSA2 and the uplink port information the ULCL uses for the RAN; and configuring the forwarding rules associated with each port.
Step 404: The SMF device updates the downlink data forwarding rule of PSA1. Optionally, the downlink tunnel from PSA1 to the ULCL is configured according to the downlink port information the ULCL uses for PSA1.
Step 405: The SMF device updates the forwarding rule of PSA2. Optionally, the downlink tunnel of PSA2 is configured according to the downlink port information the ULCL uses for PSA2.
Step 406: The SMF device updates the forwarding rule for RAN uplink data. Optionally, the uplink tunnel from the RAN to the ULCL is established according to the uplink port information the ULCL uses for the RAN.
Step 407: The SMF device notifies the UE of the new IP prefix list (IP-prefix) of PSA2, which may also be written IPv6 prefix or IP-prefix(IPv6).
Step 408: The SMF device updates the IP prefix list of PSA1, which may also be written IPv6 prefix or IP-prefix(IPv6).
Steps 407 and 408 above are the IPv6 address transfer mechanism updating the respective IPv6 addresses. After the BP is inserted the routing path changes, and the BP's information is added to the IPv6 addresses of PSA1 and PSA2.
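The forwarding-rule changes of steps 403 to 406, as an added example that is not part of the patent text: each user plane node holds packet detection rules paired with forwarding action rules (the PDR/FAR pairs the claims above refer to), the ULCL steers uplink packets matching the MEC traffic filter to PSA2 and all other uplink traffic to PSA1, and both PSAs send downlink traffic back through the ULCL to the RAN. Node names, tunnel identifiers and the MEC prefix are constructed sample values.

```python
"""Toy model of the user plane forwarding rules installed during ULCL insertion.
Constructed example; rule contents are illustrative, not taken from any spec."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PDR:
    """Packet detection rule: which packets match, by interface and destination."""
    source_interface: str          # "access" (uplink) or "core" (downlink)
    dst_prefix: str = "0.0.0.0/0"  # traffic filter, e.g. from the AF request
    precedence: int = 100          # lower value is evaluated first


@dataclass(frozen=True)
class FAR:
    """Forwarding action rule: where a matched packet is sent next."""
    next_hop: str                    # node name, or "N6" for the data network
    tunnel_id: Optional[str] = None  # tunnel endpoint toward next_hop, if any


class UserPlaneNode:
    def __init__(self, name: str):
        self.name = name
        self.rules = []            # list of (PDR, FAR), kept sorted by precedence

    def install(self, pdr: PDR, far: FAR):
        self.rules.append((pdr, far))
        self.rules.sort(key=lambda r: r[0].precedence)

    def forward(self, pkt: dict) -> Optional[FAR]:
        for pdr, far in self.rules:
            if (pdr.source_interface == pkt["iface"]
                    and ip_address(pkt["dst"]) in ip_network(pdr.dst_prefix)):
                return far
        return None                # no matching PDR: the packet is dropped


def build_ulcl_topology(mec_prefix: str) -> dict:
    """Install the rules of steps 403-406 on RAN, ULCL, PSA1 and PSA2."""
    ran, ulcl, psa1, psa2 = (UserPlaneNode(n) for n in ("RAN", "ULCL", "PSA1", "PSA2"))
    # step 406: RAN uplink now goes to the ULCL instead of directly to PSA1
    ran.install(PDR("access"), FAR("ULCL", "teid-ran-ulcl"))
    # step 403: ULCL uplink tunnels to PSA1/PSA2, downlink tunnel to the RAN;
    # the MEC filter has higher precedence so it is checked before the catch-all
    ulcl.install(PDR("access", mec_prefix, precedence=10), FAR("PSA2", "teid-ulcl-psa2"))
    ulcl.install(PDR("access", precedence=100), FAR("PSA1", "teid-ulcl-psa1"))
    ulcl.install(PDR("core"), FAR("RAN", "teid-ulcl-ran"))
    # steps 404/405: each PSA forwards uplink to N6 and downlink back to the ULCL
    for psa, teid in ((psa1, "teid-psa1-ulcl"), (psa2, "teid-psa2-ulcl")):
        psa.install(PDR("access"), FAR("N6"))
        psa.install(PDR("core"), FAR("ULCL", teid))
    return {n.name: n for n in (ran, ulcl, psa1, psa2)}


def trace(nodes: dict, start: str, pkt: dict, max_hops: int = 8) -> list:
    """Follow FARs hop by hop; the path ends at N6, at the RAN, or in DROP."""
    path, node = [start], start
    for _ in range(max_hops):
        far = nodes[node].forward(pkt)
        if far is None:
            path.append("DROP")
            return path
        path.append(far.next_hop)
        if far.next_hop in ("N6", "RAN"):
            return path
        node = far.next_hop
    return path
```

A packet whose destination lies in the MEC prefix takes RAN, ULCL, PSA2, N6, while any other uplink packet takes RAN, ULCL, PSA1, N6; downlink from either PSA returns through the ULCL to the RAN.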
In one possible implementation, the flow of the AF device notification procedure is shown in FIG. 5. The notification is one of an early notification and a late notification. The AF device notification procedure includes, but is not limited to, the following steps:
Step 501: the SMF device is triggered by the condition of the AF notification to which the AF device subscribed.
Note that if the AF device subscribed to early notification through the NEF device, step 502a is performed; if the AF device subscribed to late notification through the NEF device, step 504a is performed.
Step 502a: if the AF device subscribed to early notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.
Step 502b: the NEF device sends a service impact notification to the AF device.
After receiving the early notification, the NEF device performs message mapping, selects the corresponding AF transaction identifier (transaction ID) and so on, and sends this to the subscribed AF device in a service impact notification. Note that in this case step 502c is not performed.
Step 502c: the SMF device notifies the AF device of the target DNAI of the current PDU session.
If the AF device subscribed to direct early notification, the SMF device notifies the AF device of the target DNAI of the current PDU session directly.
Step 502d: the AF device sends a reply to the NEF device.
The AF device replies to the NEF device either immediately or after the application has been redeployed at the target DNAI. The reply carries the N6 routing information corresponding to the target DNAI.
Step 502e: the NEF device notifies the SMF device of the application redeployment information.
After receiving the reply from the AF device, the NEF device triggers the matching notification message to inform the SMF device of the application redeployment information, which includes the N6 routing information of the target DNAI at which the application was redeployed.
Step 502f: the AF device sends a reply to the SMF device.
The AF device replies to the SMF device directly, either immediately or after the application has been redeployed at the target DNAI. The reply carries the detailed N6 routing information for the target DNAI.
Step 503: the SMF device performs the DNAI change, or the addition/modification/removal of the UPF device.
If the AF's subscription with the SMF device includes the "AF acknowledgment to be expected" indication, the SMF device may keep waiting for the AF device's reply before step 503 and perform step 503 only after receiving that reply.
Step 504a: if the AF device subscribed to late notification through the NEF device, the SMF device notifies the NEF device of the target DNAI of the current PDU session.
If the AF device's subscription with the SMF device includes the wait-for-AF-reply indication, the SMF device may keep waiting for the AF's reply and activate the new user-plane transmission path only after receiving the AF device's reply.
Step 504b: the NEF device sends a service impact notification to the AF device.
After receiving the late notification, the NEF device performs message mapping, selects the corresponding AF transaction identifier and so on, and sends this to the subscribed AF device in a service impact notification. Note that in this case step 504c is not performed.
Step 504c: the SMF device notifies the AF device of the target DNAI of the current PDU session.
If the AF device subscribed to direct late notification, the SMF device notifies the AF device of the target DNAI of the current PDU session directly.
Step 504d: after receiving the notification from the NEF device or the SMF device, the AF device checks whether it can itself serve the target DNAI.
If the AF device needs to be replaced, the AF device selects a target AF device for the target DNAI and performs AF device migration.
Step 504e: the AF device sends a reply to the NEF device.
The AF device replies to the NEF device either immediately or after the application has been redeployed at the target DNAI. The reply carries the N6 routing information corresponding to the target DNAI. If the AF device has changed, the reply also includes an AF device switch indication containing the target AF device identifier, and notifies the target address of the target AF device.
Step 504f: the NEF device notifies the SMF device of the application redeployment information.
After receiving the reply from the AF device, the NEF device triggers the matching notification message to inform the SMF device of the application redeployment information, which includes the N6 routing information of the target DNAI at which the application was redeployed.
Step 504g: the AF device sends a reply to the SMF device.
The AF device replies to the SMF device directly, either immediately or after the application has been redeployed at the target DNAI. The reply carries the detailed N6 routing information for the target DNAI. If the AF device has changed, the reply also includes an AF device switch indication containing the target AF device identifier, and notifies the target address of the target AF device.
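As an added illustration of the FIG. 5 procedure (not part of this application), the following Python model runs both branches: notification through the NEF with mapping to the AF transaction identifier versus direct notification, early versus late, and the effect of the "AF acknowledgment to be expected" indication, which turns a missing AF reply into a block on step 503 (early) or on activation of the new user-plane path (late). The `Subscription`, `AFDevice` and `WaitingForAF` names, the transcript format and all identifiers are assumptions made for the example; the AF's `reply_now` flag stands in for "reply immediately or only after application redeployment", and the AF switch in step 504d is modelled with a constructed fallback table.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subscription:
    af_id: str
    notification: str      # "early" or "late"
    via_nef: bool          # subscribed through the NEF, or directly with the SMF
    ack_expected: bool     # the "AF acknowledgment to be expected" indication
    transaction_id: str    # AF transaction identifier the NEF maps the event back to


@dataclass
class AFDevice:
    af_id: str
    n6_routing: dict                              # DNAI -> N6 routing info this AF can supply
    fallback: dict = field(default_factory=dict)  # DNAI -> (target AF id, target address)
    reply_now: bool = True                        # False: reply only after redeployment, i.e. pending

    def on_notification(self, kind: str, target_dnai: str) -> Optional[dict]:
        """Steps 502d/502f and 504d-504g: reply with N6 routing info for the target DNAI,
        or (late notification) with an AF switch indication if this AF cannot serve it."""
        if not self.reply_now:
            return None
        if target_dnai in self.n6_routing:
            return {"target_dnai": target_dnai, "n6_routing": self.n6_routing[target_dnai]}
        if kind == "late" and target_dnai in self.fallback:
            target_af, target_address = self.fallback[target_dnai]
            return {"target_dnai": target_dnai, "af_switch": True,
                    "target_af": target_af, "target_address": target_address}
        return None


class WaitingForAF(Exception):
    """Raised where the SMF must keep waiting for the AF reply before proceeding."""


def notify_via_nef(sub, af, kind, target_dnai, transcript) -> Optional[dict]:
    """Steps 502a-502e / 504a-504f: the NEF maps the SMF event to the AF transaction id,
    relays the service impact notification, and hands the reply back as redeployment info."""
    transcript.append(("SMF", "NEF", f"{kind} notification", {"target_dnai": target_dnai}))
    transcript.append(("NEF", af.af_id, "service impact notification",
                       {"transaction_id": sub.transaction_id, "target_dnai": target_dnai}))
    reply = af.on_notification(kind, target_dnai)
    if reply is None:
        return None
    transcript.append((af.af_id, "NEF", "reply", reply))
    redeploy = {"transaction_id": sub.transaction_id, **reply}
    transcript.append(("NEF", "SMF", "application redeployment information", redeploy))
    return redeploy


def notify_direct(sub, af, kind, target_dnai, transcript) -> Optional[dict]:
    """Steps 502c/502f or 504c/504g: no NEF in the path."""
    transcript.append(("SMF", af.af_id, f"{kind} notification", {"target_dnai": target_dnai}))
    reply = af.on_notification(kind, target_dnai)
    if reply is not None:
        transcript.append((af.af_id, "SMF", "reply", reply))
    return reply


def smf_dnai_change(sub: Subscription, af: AFDevice, target_dnai: str):
    """Run the FIG. 5 procedure for one subscription; returns (transcript, AF reply)."""
    transcript, kind = [], sub.notification
    notify = notify_via_nef if sub.via_nef else notify_direct
    if kind == "early":
        reply = notify(sub, af, kind, target_dnai, transcript)
        if sub.ack_expected and reply is None:
            raise WaitingForAF(f"step 503 blocked until {sub.af_id} replies")
        transcript.append(("SMF", "SMF", "step 503: DNAI change / UPF add, modify or remove", reply or {}))
    else:
        transcript.append(("SMF", "SMF", "step 503: new user-plane path prepared, not active", {}))
        reply = notify(sub, af, kind, target_dnai, transcript)
        if sub.ack_expected and reply is None:
            raise WaitingForAF(f"user-plane activation blocked until {sub.af_id} replies")
        transcript.append(("SMF", "SMF", "activate new user-plane path", reply or {}))
    return transcript, reply


if __name__ == "__main__":
    af = AFDevice("AF-1", {"dnai-edge-2": {"n6_route": "edge-2-gw"}},
                  fallback={"dnai-edge-3": ("AF-2", "af2.example")})
    for step in smf_dnai_change(Subscription("AF-1", "late", False, True, "txn-43"), af, "dnai-edge-3")[0]:
        print(step)
```

Without the acknowledgment indication the SMF proceeds to step 503 (or activates the path) with an empty reply and the N6 routing information arrives later; with it, the same missing reply stops the procedure, which is the behaviour an operator relies on when the AF needs to redeploy the application before traffic is switched.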
With the methods of the related art, in the MEC scenario the connection and path adjustment of the MEC server are mainly realized by the procedures for AF influence on traffic routing: the AF device first provides the SMF device, through the PCF device, with the DNAI at which the relevant application is available (i.e., the access network entity where the MEC server is located); when the UE moves or the SMF device detects the corresponding data flow, the SMF device triggers the new PSA/ULCL insertion procedure; after selecting the corresponding PSA/ULCL, it notifies the AF device of the DNAI change, obtains from the AF device's reply the N6 configuration options and associated routing rules required by the PSA/ULCL, and then configures the new PSA/ULCL.
In the related-art scenario, once an additional security gateway is added, the device that must establish connections with the MEC server and with the updated PSA becomes the security gateway, so the existing AF-influence-on-traffic-routing procedures cannot complete normally. The related art has not yet provided a reasonable and effective solution for this.
Embodiments of this application provide a data configuration method that designs, within the DNAI change procedure, an information exchange between the local security gateway and the network device, thereby carrying out the configuration required by the ULCL insertion procedure so that the subsequent ULCL insertion procedure can complete normally after the local security gateway is introduced, which ensures the reliability of data transmission.
Refer to FIG. 6, a schematic structural diagram of a data configuration system 60 provided by an exemplary embodiment of this application. The data configuration system 60 includes a local security gateway 62, a MEC server 64 and a PSA 66.
The local security gateway 62 is a security gateway established on the interface between the UPF device and the DN.
The MEC server 64 includes an Edge Application Server (EAS).
The PSA 66 is a UPF device. In the embodiments of this application the PSA 66 comprises a first PSA and a second PSA: the first PSA is the updated PSA, the "new PSA", and the second PSA is the PSA before the update, the "old PSA".
In the embodiments of this application, the local security gateway 62 is configured to receive first information, which is used to obtain the address information of the local security gateway 62; the local security gateway 62 is further configured to send its address information, which is the routing destination address information configured for the first PSA for transmitting data from the UE, the first PSA being the PSA after the UE's DNAI change.
The data configuration method provided by the embodiments of this application is introduced below with several illustrative examples.
Refer to FIG. 7, a flowchart of a data configuration method provided by an exemplary embodiment of this application; the method is used in the data configuration system shown in FIG. 1. The method includes the following steps.
Step 701: the network device sends first information to the local security gateway; the first information is used to obtain the address information of the local security gateway.
Optionally, the network device may be a centralized security gateway or a core network element such as an SMF device; the embodiments of this application do not limit this. The centralized security gateway and the SMF device are described in the embodiments below and are not introduced here.
The network device sends the first information to the local security gateway; the first information instructs the local security gateway to return its address information.
Step 702: after receiving the first information, the local security gateway sends its address information, which is the routing destination address information configured for the first PSA for transmitting data from the UE, the first PSA being the PSA after the UE's DNAI change.
The local security gateway receives the first information sent by the network device and, after receiving it, sends its address information to the network device.
The address information of the local security gateway is configured for the first PSA, i.e., the PSA after the UE's DNAI change; it is used for transmitting data from the UE and is the routing destination address information of the local security gateway corresponding to that data.
After receiving the first information, the local security gateway sends to the network device first response information corresponding to the first information; the first response information includes the address information of the local security gateway.
The address information of the local security gateway identifies the local security gateway.
Optionally, the first information includes routing path information of the MEC server, used to configure the connection between the local security gateway and the MEC server. The local security gateway establishes the connection with the MEC server according to the first information.
Optionally, once the connection between the local security gateway and the MEC server has been established, the local security gateway returns the first response information corresponding to the first information; that is, the local security gateway sends the first response information, also called completion feedback information, to the network device. The first response information indicates the status of connection establishment between the local security gateway and the MEC server.
The first response information includes the address information of the local security gateway. Optionally, it further includes the uplink tunnel information of the local security gateway, i.e., information on the uplink tunnel over which the local security gateway receives uplink data.
Step 703: the network device receives the address information of the local security gateway.
The network device receives the address information sent by the local security gateway. That address information is the routing destination address information configured for the first PSA for transmitting data from the UE, the first PSA being the PSA after the UE's DNAI change.
In summary, the embodiments of this application provide a data configuration method: after the network device sends the local security gateway first information for obtaining the local security gateway's address information, it receives that address information, which is configured for the first PSA (the PSA after the UE's DNAI change) and provides the routing destination address information for transmitting data from the UE. That is, within the DNAI change procedure an information exchange between the local security gateway and the network device is designed that carries out the configuration required by the ULCL insertion procedure, so that the subsequent ULCL insertion procedure can complete normally after the local security gateway is introduced, which ensures the reliability of data transmission.
The application scenarios involved in the embodiments of this application may include a centralized security gateway scenario and a distributed security gateway scenario. Interaction with the local security gateway is added to the ULCL insertion procedure, so that the procedure can interact normally with the local security gateway and thereby establish an SA between the UE and the local security gateway. The two scenarios are introduced in turn below.
Refer to FIG. 8, a schematic structural diagram of a centralized security gateway scenario provided by an exemplary embodiment of this application. The scenario includes an IKE gateway 801, an IPSec gateway 802, a UE 803, a gNB 804, a UPF device 805, an application server 806, an AMF device 807, an SMF device 808, an NEF device 809, an AF device 810 and a PCF device 811.
The IKE gateway 801 is the centralized security gateway, a gateway deployed centrally. The IPSec gateway 802 is the distributed security gateway, i.e., the local security gateway, a gateway deployed in a distributed manner for user-plane data transmission; of the IPsec encapsulation modes, it supports transport mode.
The IKE gateway 801 establishes a connection with the SMF device 808 by subscribing through the PCF device 811, and once that connection is established it communicates directly with the SMF device 808 in the form of notifications and responses.
The IKE gateway 801 also selects, configures and manages the IPSec gateway 802. Optionally, the IKE gateway 801 also controls the distribution of keys and certificates to the IPSec gateway 802 and the establishment of SAs: the child SAs of the IPSec gateway 802 are established by the IKE gateway 801 on its behalf, and the IKE gateway 801 configures the local security context and the N6 forwarding rules.
Optionally, when establishing a child SA the IKE gateway 801 configures the IP addresses of other network elements; a target IP address may additionally be carried in child SA establishment. The IKE gateway 801 also configures user-plane child SAs for other IP addresses.
The IPSec gateway 802 establishes the user-plane child SA with the UE 803 and performs the encryption and integrity protection of the data.
A user-plane forwarding channel exists between the UPF device 805 and the IKE gateway 801; through it the UPF device 805 forwards the UE 803's user-plane IPSec signaling to the IKE gateway 801.
The IPSec gateway 802 and the UPF device 805 are connected through an N6 tunnel: downlink packets are encrypted by the IPSec gateway 802 before being sent to the UE 803, and uplink packets are decrypted by the IPSec gateway 802 before being sent to the application server 806. The application server 806 is the MEC server, i.e., the EAS.
Refer to FIG. 9, a schematic structural diagram of a distributed security gateway scenario provided by an exemplary embodiment of this application. The scenario includes an IPSec gateway 901, a UE 902, a gNB 903, a UPF device 904, an application server 905, an AMF device 906, an SMF device 907, an NEF device 908 and an AF device 909.
The IPSec gateway 901 is the distributed security gateway, i.e., the local security gateway, a gateway deployed in a distributed manner for user-plane data transmission.
In the distributed security gateway scenario there is no centralized security gateway: each UPF device (or group of UPF devices) has its own independent IPSec gateway 901 behind it, and the SMF device can obtain the address of the IPSec gateway 901 and configure it. That is, each UPF device 904 (or group) is co-deployed with a specific IPSec gateway 901, the UPF device 904 and the IPSec gateway 901 are associated, and every IPSec gateway 901 has full IKE and user-plane functionality. Each time the UE 902 changes UPF device 904 or establishes a connection with a new UPF device 904, it must establish new SAs (both the IKE SA and the user-plane child SA) with the corresponding IPSec gateway 901.
In the distributed security gateway scenario the IPSec gateway 901 is controlled and configured by the SMF device 907 and supports both tunnel mode and transport mode among the IPsec encapsulation modes.
The IPSec gateway 901 and the UPF device 904 are connected through an N6 tunnel: downlink packets are encrypted by the IPSec gateway 901 before being sent to the UE 902, and uplink packets are decrypted by the IPSec gateway 901 before being sent to the application server 905. The UPF device 904 is the PSA, and the application server 905 is the MEC server, i.e., the EAS.
Refer to FIG. 10, a flowchart of a data configuration method provided by another exemplary embodiment of this application; the method is used in the centralized security gateway scenario shown in FIG. 8. The method includes the following steps.
Step 1001: the centralized security gateway sends first information to the local security gateway; the first information is used to obtain the address information of the local security gateway.
A communication connection exists between the centralized security gateway and the local security gateway, over which the centralized security gateway sends the first information.
Optionally, the first information includes routing path information of the MEC server, used to configure the connection between the local security gateway and the MEC server.
Optionally, the centralized security gateway is an IKE gateway and the local security gateway is an IPSec gateway.
The centralized security gateway, the distributed security gateway, the first information and the routing path information are described in the embodiments above and are not repeated here.
Step 1002: after receiving the first information sent by the centralized security gateway, the local security gateway returns its address information, which is the routing destination address information configured for the first PSA for transmitting data from the UE.
The first PSA is the PSA after the UE's DNAI change.
After receiving the first information from the centralized security gateway, the local security gateway obtains its own address information and returns it to the centralized security gateway.
Optionally, the first information includes routing path information of the MEC server. After receiving the first information from the centralized security gateway, the local security gateway establishes a connection with the MEC server, and once that connection is established it returns to the centralized security gateway the first response information corresponding to the first information; the first response information includes the uplink tunnel information of the local security gateway.
Note that the connection between the local security gateway and the MEC server may already have been established before the centralized security gateway sends the first information, or may be configured by the first information that the centralized security gateway sends; the embodiments of this application do not limit this. For convenience, the description below uses only the case where the first information includes the routing path information of the MEC server as an example.
Also note that the first response information and the uplink tunnel information are described in the embodiments above and are not repeated here.
Step 1003: the centralized security gateway receives the address information of the local security gateway.
Correspondingly, the centralized security gateway receives the address information sent by the local security gateway; that address information is the routing destination address information configured for the first PSA for transmitting data from the UE, the first PSA being the PSA after the UE's DNAI change.
In summary, the embodiments of this application provide a data configuration method: after the centralized security gateway sends the local security gateway first information for obtaining the local security gateway's address information, it receives that address information, which is configured for the first PSA (the PSA after the UE's DNAI change) and provides the routing destination address information for transmitting data from the UE. That is, within the DNAI change procedure an information exchange between the local security gateway and the centralized security gateway is designed that carries out the configuration required by the ULCL insertion procedure, so that the subsequent ULCL insertion procedure can complete normally after the local security gateway is introduced, which ensures the reliability of data transmission.
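The exchange in steps 701 to 703 and its centralized variant in steps 1001 to 1003 are the same two-message protocol with a different sender, so one sketch serves both. The following Python model is added here as an illustration and is not this application's own code. It assumes a request identifier for correlating the first response with the first information, a check on the receiving side that the reply belongs to an outstanding request and names the gateway that was asked, and it uses the gateway's reported MEC connection status to decide whether the first PSA may be pointed at it (if not, the old PSA is kept); connection setup toward the MEC server is reduced to a reachability lookup, and the message field names, addresses and TEIDs are constructed.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional

_request_ids = count(1)
_teids = count(0x5001)


@dataclass(frozen=True)
class FirstInformation:
    """Step 701/1001 message. The request id used to correlate the reply is an assumption."""
    request_id: int
    mec_route: tuple            # MEC server routing path info: (MEC server address, N6 next hop)


@dataclass(frozen=True)
class FirstResponse:
    """Step 702/1002 message: the gateway's address plus, optionally, uplink tunnel info."""
    request_id: int
    gateway_address: str            # routing destination the first PSA will use for UE data
    mec_connected: bool             # connection establishment status toward the MEC server
    uplink_tunnel: Optional[tuple]  # (gateway address, TEID) the gateway receives uplink data on


class LocalSecurityGateway:
    def __init__(self, address: str, reachable_next_hops: set):
        self.address = address
        self.reachable = reachable_next_hops     # stand-in for real connection setup
        self.mec_connections = {}

    def on_first_information(self, info: FirstInformation) -> FirstResponse:
        mec_server, next_hop = info.mec_route
        connected = next_hop in self.reachable
        if connected:
            self.mec_connections[mec_server] = next_hop
        tunnel = (self.address, next(_teids)) if connected else None
        return FirstResponse(info.request_id, self.address, connected, tunnel)


class NetworkDevice:
    """The SMF (FIG. 7) or the centralized IKE gateway (FIG. 10): sends first information
    and turns the first response into the first PSA's N6 routing configuration."""

    def __init__(self, name: str):
        self.name = name
        self.pending = {}           # request id -> gateway that was asked
        self.psa_n6_rules = {}      # first PSA id -> rule

    def request_address(self, gw: LocalSecurityGateway, mec_route: tuple) -> FirstResponse:
        info = FirstInformation(next(_request_ids), mec_route)
        self.pending[info.request_id] = gw
        return self.accept(gw.on_first_information(info))    # steps 701-703 / 1001-1003

    def accept(self, resp: FirstResponse) -> FirstResponse:
        """Only a reply to an outstanding request, from the gateway it was sent to, counts."""
        gw = self.pending.pop(resp.request_id, None)
        if gw is None or resp.gateway_address != gw.address:
            raise ValueError("first response does not match an outstanding first information")
        return resp

    def configure_first_psa(self, first_psa: str, ue_prefix: str, resp: FirstResponse) -> dict:
        """Point the new PSA's N6 route for the UE's data at the local security gateway,
        but only if the gateway reports its MEC connection as established."""
        if not resp.mec_connected:
            raise RuntimeError(f"{first_psa}: {resp.gateway_address} has no MEC path; keep the old PSA")
        rule = {"match_src": ue_prefix, "n6_destination": resp.gateway_address,
                "uplink_tunnel": resp.uplink_tunnel}
        self.psa_n6_rules[first_psa] = rule
        return rule


if __name__ == "__main__":
    gw = LocalSecurityGateway("2001:db8:6::1", {"n6-edge-1"})
    smf = NetworkDevice("SMF")
    resp = smf.request_address(gw, ("2001:db8:7::10", "n6-edge-1"))
    print(smf.configure_first_psa("PSA-new", "2001:db8:2::/64", resp))
```

The same `NetworkDevice` instance can be named "IKE gateway" for the FIG. 10 case without changing the code, which is the point of the two figures: the local security gateway's behaviour does not depend on who sends the first information.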
请参考图11,其示出了本申请另一个示例性实施例提供的数据配置方法的流程图,该方法用于图8所示的集中式安全网关场景中。该方法包括以下几个步骤。Please refer to FIG. 11 , which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application, and the method is used in the centralized security gateway scenario shown in FIG. 8 . The method includes the following steps.
步骤1100,集中式安全网关通过IKEv2协议与UE建立IKE SA。Step 1100, the centralized security gateway establishes an IKE SA with the UE through the IKEv2 protocol.
可选地,在会话建立过程中集中式安全网关通过IKEv2协议与UE建立IKE SA。Optionally, during the session establishment process, the centralized security gateway establishes an IKE SA with the UE through the IKEv2 protocol.
集中式安全网关与本地安全网关建立有通信连接。可选地,集中式安全网关为IKE网关,本地安全网关为IPSec网关。The centralized security gateway establishes a communication connection with the local security gateway. Optionally, the centralized security gateway is an IKE gateway, and the local security gateway is an IPSec gateway.
步骤1101,AF设备通过集中式安全网关代理,经过PCF设备向SMF设备订阅DNAI变化通知事件。Step 1101, the AF device subscribes the DNAI change notification event to the SMF device through the centralized security gateway proxy through the PCF device.
AF设备向集中式安全网关发送AF请求,IKE网关对AF请求进行汇总,根据预设映射关系将每个AF请求映射为对应的SA,将映射后的SA提供给SMF设备。The AF device sends an AF request to the centralized security gateway, and the IKE gateway summarizes the AF request, maps each AF request to a corresponding SA according to a preset mapping relationship, and provides the mapped SA to the SMF device.
步骤1102,SMF设备触发DNAI变化通知事件,选择更新后的第一PSA。Step 1102, the SMF device triggers a DNAI change notification event, and selects the updated first PSA.
SMF设备触发DNAI变化通知事件,选择对应区域的本地UPF设备作为更新后的第一PSA。The SMF device triggers the DNAI change notification event, and selects the local UPF device in the corresponding area as the updated first PSA.
步骤1103,SMF设备向集中式安全网关发送第一DNAI变化通知。Step 1103, the SMF device sends the first DNAI change notification to the centralized security gateway.
SMF设备向集中式安全网关发送第一DNAI变化通知,第一DNAI变化通知用于指示DNAI变化通知事件。第一DNAI变化通知包括变化的DNAI和待改变路径的SA。The SMF device sends a first DNAI change notification to the centralized security gateway, where the first DNAI change notification is used to indicate a DNAI change notification event. The first DNAI change notification includes the changed DNAI and the SA of the path to be changed.
Step 1104: the centralized security gateway selects the local security gateway.
The centralized security gateway selects the local security gateway upon receiving the first DNAI change notification.
The centralized security gateway receives the DNAI change notification sent by the SMF device; the notification carries the changed DNAI and the corresponding SA. From the changed DNAI and the SA of the path to be changed, the centralized security gateway looks up the application whose path is to be changed. Optionally, it maps the received DNAI and SA to an application identifier, that is, the identifier of the application whose path is to be changed, and selects the local security gateway according to the DNAI and the application identifier.
Step 1105: the centralized security gateway sends an AF notification to the AF device corresponding to the application found.
The AF notification indicates the DNAI change.
Optionally, the centralized security gateway determines the AF transaction identifier corresponding to the application identifier found and returns the AF notification to the AF device that corresponds to that AF transaction identifier.
Step 1106: the AF device returns the routing path information of the MEC server to the centralized security gateway.
After receiving the AF notification, the AF device selects the corresponding MEC server and adjusts it (the adjustment includes service activation, transfer of user information, and the like), then returns the routing path information of the MEC server to the centralized security gateway.
Step 1107: the centralized security gateway sends first information to the local security gateway.
The first information is used to obtain the address information of the local security gateway.
Optionally, the centralized security gateway receives the routing path information of the MEC server returned by the AF device and, once it has this information, sends the first information to the local security gateway. The first information carries the routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server.
For a description of the first information and the routing path information, refer to the relevant descriptions in the foregoing embodiments; they are not repeated here.
Step 1108: the local security gateway returns first response information corresponding to the first information to the centralized security gateway.
The first response information carries the address information of the local security gateway.
The local security gateway returns the first response information once its configuration is complete.
After receiving the first information from the centralized security gateway, the local security gateway establishes the connection between itself and the MEC server. Once that connection is established, that is, once the local security gateway is configured, the local security gateway returns the first response information corresponding to the first information to the centralized security gateway. The first response information also carries the uplink tunnel information of the local security gateway.
For a description of the first response information, the address information of the local security gateway and the uplink tunnel information, refer to the foregoing embodiments; they are not repeated here.
Step 1109: the centralized security gateway returns fourth response information corresponding to the first DNAI change notification to the SMF device.
The centralized security gateway returns the fourth response information after it has received the first response information.
After receiving the first response information corresponding to the first information from the local security gateway, the centralized security gateway returns to the SMF device the fourth response information corresponding to the first DNAI change notification; the fourth response information carries the uplink tunnel information of the local security gateway. Both the first response information and the fourth response information indicate that the connection between the local security gateway and the MEC server has been established.
Step 1110: the SMF device establishes an N4 session with the selected first PSA.
The SMF device initiates the N4 session establishment procedure towards the selected first PSA, configures the N4 context, and sends N4 first information to the first PSA. The N4 first information carries the uplink tunnel information of the local security gateway, which is used to establish the uplink tunnel from the first PSA to the local security gateway. After receiving the N4 first information, the first PSA sends its downlink tunnel information to the SMF device.
Step 1111: the SMF device sends a second DNAI change notification to the centralized security gateway; the second DNAI change notification carries the downlink tunnel information of the first PSA.
That is, the SMF device delivers the downlink tunnel information of the first PSA to the centralized security gateway by means of the second DNAI change notification.
Step 1112: the centralized security gateway sends update information to the local security gateway.
The update information instructs the local security gateway that the PSA is updated from the second PSA to the first PSA.
The update information carries the downlink tunnel information of the updated first PSA, which is used to configure the downlink tunnel between the local security gateway and the first PSA. The downlink tunnel information of the first PSA describes the downlink tunnel on which the first PSA receives downlink data.
Step 1113: the local security gateway returns second response information corresponding to the update information to the centralized security gateway.
Once the downlink tunnel between the local security gateway and the first PSA has been established, the local security gateway returns the second response information corresponding to the update information. The second response information indicates the state of establishment of the downlink tunnel between the local security gateway and the first PSA.
Optionally, after receiving the update information from the centralized security gateway, the local security gateway establishes the downlink tunnel to the first PSA and, once that tunnel is established, returns the second response information corresponding to the update information.
For a description of the second response information, refer to the foregoing embodiments; it is not repeated here.
Step 1114: the centralized security gateway returns fifth response information corresponding to the second DNAI change notification to the SMF device.
The centralized security gateway receives the second response information corresponding to the update information from the local security gateway and returns to the SMF device the fifth response information corresponding to the second DNAI change notification. Both the second response information and the fifth response information indicate that the downlink tunnel between the local security gateway and the first PSA has been established.
With the fifth response information, the centralized security gateway notifies the SMF device that the connections among the first PSA, the local security gateway and the MEC server have all been established.
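The message exchange of steps 1103 to 1114, modelled from the point of view of the centralized security gateway, as an added example that is not part of the patent application and not the applicant's code. The class and field names, the (DNAI, SA) to application mapping, the AF transaction identifiers, the addresses and the (IP, TEID) tunnel descriptors are all constructed for illustration; the page does not specify any of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelInfo:
    """Tunnel endpoint as the text describes it: an address plus a tunnel identifier.
    Assumption: a GTP-U style (IP, TEID) pair."""
    ip: str
    teid: int


class LocalSecurityGateway:
    """Local (IPSec) security gateway side of steps 1107/1108 and 1112/1113."""

    def __init__(self, name, address, uplink):
        self.name, self.address, self.uplink = name, address, uplink
        self.mec_route = None      # filled by the first information
        self.psa_downlink = None   # filled by the update information

    def on_first_information(self, msg):
        assert msg["type"] == "first_information"
        # Configure the LSG <-> MEC connection (modelled as storing the route), then answer
        # with the LSG address and the uplink tunnel the first PSA will send into.
        self.mec_route = msg["mec_route"]
        return {"type": "first_response", "address": self.address, "uplink_tunnel": self.uplink}

    def on_update_information(self, msg):
        assert msg["type"] == "update_information"
        # The PSA moved from the second to the first PSA: build the downlink tunnel LSG -> first PSA.
        self.psa_downlink = msg["psa_downlink_tunnel"]
        return {"type": "second_response", "downlink_tunnel_established": True}


class AFDevice:
    """AF side of steps 1105/1106: answers an AF notification with the MEC server's route."""

    def __init__(self, routes_by_txn):
        self.routes_by_txn = routes_by_txn   # AF transaction id -> MEC routing path information

    def on_af_notification(self, msg):
        return {"type": "af_response", "mec_route": self.routes_by_txn[msg["af_transaction_id"]]}


class CentralizedSecurityGateway:
    """IKE gateway acting as proxy between the SMF, the AF device and the local security gateway."""

    def __init__(self, app_by_dnai_sa, af_txn_by_app, lsg_by_dnai_app, af):
        self.app_by_dnai_sa = app_by_dnai_sa     # (DNAI, SA) -> application id        (step 1104)
        self.af_txn_by_app = af_txn_by_app       # application id -> AF transaction id  (step 1105)
        self.lsg_by_dnai_app = lsg_by_dnai_app   # (DNAI, application id) -> LocalSecurityGateway
        self.af = af
        self.selected_lsg = None                 # carried from the first to the second notification

    def on_dnai_change_notification(self, msg):
        if msg["type"] == "first_dnai_change_notification":
            app = self.app_by_dnai_sa[(msg["dnai"], msg["sa"])]
            self.selected_lsg = self.lsg_by_dnai_app[(msg["dnai"], app)]
            af_resp = self.af.on_af_notification(
                {"type": "af_notification", "af_transaction_id": self.af_txn_by_app[app], "dnai": msg["dnai"]})
            first_resp = self.selected_lsg.on_first_information(
                {"type": "first_information", "mec_route": af_resp["mec_route"]})
            return {"type": "fourth_response", "lsg_address": first_resp["address"],
                    "lsg_uplink_tunnel": first_resp["uplink_tunnel"]}
        if msg["type"] == "second_dnai_change_notification":
            if self.selected_lsg is None:
                raise RuntimeError("second notification before a local security gateway was selected")
            second_resp = self.selected_lsg.on_update_information(
                {"type": "update_information", "psa_downlink_tunnel": msg["psa_downlink_tunnel"]})
            return {"type": "fifth_response", "path_established": second_resp["downlink_tunnel_established"]}
        raise ValueError("unexpected message type: %s" % msg["type"])


def run_dnai_change_flow():
    """SMF side of steps 1103, 1109, 1111 and 1114, with constructed identifiers."""
    lsg = LocalSecurityGateway("IPSec-GW-2", "10.20.0.5", TunnelInfo("10.20.0.5", 0x1001))
    af = AFDevice({"af-txn-7": {"eas": "mec-app.example", "n6_port": "ge-0/0/3"}})
    csg = CentralizedSecurityGateway(
        app_by_dnai_sa={("DNAI-A", "SA1"): "app-1"},
        af_txn_by_app={"app-1": "af-txn-7"},
        lsg_by_dnai_app={("DNAI-A", "app-1"): lsg},
        af=af)
    fourth = csg.on_dnai_change_notification(
        {"type": "first_dnai_change_notification", "dnai": "DNAI-A", "sa": "SA1"})
    # Step 1110 (not modelled): the SMF hands fourth["lsg_uplink_tunnel"] to the first PSA over N4
    # and learns the PSA's downlink tunnel, which it reports in the second notification.
    psa_downlink = TunnelInfo("10.30.0.9", 0x2002)
    fifth = csg.on_dnai_change_notification(
        {"type": "second_dnai_change_notification", "psa_downlink_tunnel": psa_downlink})
    return fourth, fifth, lsg


if __name__ == "__main__":
    print(run_dnai_change_flow())
```

The proxy keeps state between the two notifications: the local security gateway selected in step 1104 must be the one that receives the update information in step 1112. In a real implementation that state is keyed by the UE or PDU session so that concurrent DNAI changes for different UEs cannot be cross-wired; the model above handles one flow at a time and rejects a second notification that arrives before a gateway was selected.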
Step 1115: the SMF device selects and configures the ULCL.
The SMF device selects and configures the ULCL, establishes an N4 context for it, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.
Step 1116: the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification procedure.
Step 1117: the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification procedure.
Step 1118: the SMF device sends a third DNAI change notification to the centralized security gateway; the third DNAI change notification indicates that the ULCL insertion is complete.
Step 1119: the centralized security gateway sends a first sub-SA establishment request to the local security gateway.
Optionally, the first sub-SA establishment request carries a first data feature describing the data to be transmitted with encryption, and the corresponding first SA; the first SA includes the encryption algorithm and a security parameter index (SPI).
For example, the first data feature is TS1 and the first SA is SA1.
Step 1120: the local security gateway returns a first sub-SA establishment response to the centralized security gateway.
After receiving the first sub-SA establishment request from the centralized security gateway, the local security gateway returns the first sub-SA establishment response.
Optionally, the first sub-SA establishment response carries the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number (nonce) of the local security gateway; the nonce is used in generating the key.
For example, the second data feature is TS1*, the second SA is SA1*, the key generation material of the local security gateway is Ke1, and its nonce is N1.
Step 1121: the centralized security gateway sends a second sub-SA establishment request to the UE.
The centralized security gateway initiates the sub-SA establishment procedure towards the UE so that the UE and the local security gateway establish, in transport mode, a sub-SA for user plane data transmission.
Optionally, the second sub-SA establishment request carries the second data feature, the second SA, the key generation material of the local security gateway and the nonce of the local security gateway.
Step 1122: the UE returns a second sub-SA establishment response to the centralized security gateway.
Optionally, the second sub-SA establishment response carries the third data feature confirmed by the UE, the corresponding third SA, the key generation material of the UE and the nonce of the UE.
For example, the confirmed third data feature and the corresponding third SA are TS2 and SA2 as confirmed by the UE, and the key generation material and nonce of the UE are Ke2 and N2 on the UE side.
Note that the first, second and third data features are all bidirectional data flow feature information: each contains both the filtering rules for outgoing packets and the filtering rules for incoming packets. Because the local security gateway and the UE each confirm them in turn, the data features may change from one step to the next.
Step 1123: the centralized security gateway sends the context information of the sub-SA to the local security gateway.
The context information of the sub-SA is used to configure, on the local security gateway, the sub-SA that carries user plane data between the UE and the local security gateway.
The context information of the sub-SA includes the SPI, the bidirectional data flow feature information, the encryption algorithm, and the encryption key or the encryption material together with the nonce used to generate the encryption key. Optionally, it further includes a security certificate and authentication information for verifying the user's identity.
Step 1124: the local security gateway returns third response information corresponding to the context information of the sub-SA to the centralized security gateway.
The local security gateway receives the context information of the sub-SA from the centralized security gateway and, once the sub-SA has been established, returns the third response information corresponding to the context information. The centralized security gateway receives the third response information, which indicates that the sub-SA establishment is complete.
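The proxied sub-SA establishment of steps 1119 to 1123 (TS1 to TS1* to TS2, SA1/SA1*/SA2, Ke1/N1 and Ke2/N2, then the context pushed to the local security gateway), as an added example that is not part of the patent application and not the applicant's code. The page does not say how the keys are derived from the key generation material and the nonces; the example assumes the IKEv2 construction (prf+ from RFC 7296 section 2.13 and KEYMAT = prf+(SK_d, g^ir | Ni | Nr) from section 2.17), a toy Diffie-Hellman group over the Mersenne prime 2^127 - 1 purely so that the code is self-contained, selectors written as "proto/port" strings, and that the "encryption material" in the context is the IKE SA's SK_d. All of those are assumptions made here.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group used only to make the example self-contained (assumption):
# the Mersenne prime 2^127 - 1 with generator 3. A real IKEv2 deployment negotiates a
# MODP or ECP group (RFC 7296, RFC 3526); do not reuse this group in practice.
P = (1 << 127) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the IKEv2 PRFs."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 7296 section 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_keys(sk_d: bytes, shared: int, n_i: bytes, n_r: bytes, key_len: int = 32):
    """KEYMAT = prf+(SK_d, g^ir | Ni | Nr) (RFC 7296 section 2.17, with a fresh DH exchange).
    The first half protects initiator-to-responder traffic, the second half the reverse."""
    keymat = prf_plus(sk_d, shared.to_bytes(16, "big") + n_i + n_r, 2 * key_len)
    return keymat[:key_len], keymat[key_len:]


class Endpoint:
    """A sub-SA endpoint (the UE or the local security gateway). Only the endpoint itself holds
    its DH private value; the centralized gateway only relays Ke, the nonce and the SPI."""

    def __init__(self, name: str, allowed_ts):
        self.name = name
        self.allowed_ts = frozenset(allowed_ts)   # local policy: selectors this side will protect
        self._priv = secrets.randbelow(P - 2) + 2
        self.ke = pow(G, self._priv, P)           # key generation material (Ke1 / Ke2)
        self.nonce = secrets.token_bytes(16)      # N1 / N2
        self.spi = secrets.randbits(32)           # inbound SPI chosen by this side

    def shared_secret(self, peer_ke: int) -> int:
        return pow(peer_ke, self._priv, P)

    def narrow(self, proposed_ts) -> frozenset:
        """Keep only the proposed selectors that local policy allows (TS1 -> TS1* -> TS2)."""
        return frozenset(proposed_ts) & self.allowed_ts


def establish_sub_sa(sk_d: bytes, ue: Endpoint, lsg: Endpoint, ts1, alg: str = "AES-GCM-16-256"):
    """Steps 1119 to 1123 as seen by the centralized security gateway. Returns the sub-SA context
    it pushes to the LSG plus the keys each endpoint derives on its own."""
    # Steps 1119/1120: CSG -> LSG (TS1, SA1); LSG -> CSG (TS1*, SA1*, Ke1, N1).
    ts1_star = lsg.narrow(ts1)
    sa1_star = {"alg": alg, "spi": lsg.spi}
    # Steps 1121/1122: CSG -> UE (TS1*, SA1*, Ke1, N1); UE -> CSG (TS2, SA2, Ke2, N2).
    ts2 = ue.narrow(ts1_star)
    if not ts2:
        raise ValueError("UE and local security gateway agree on no traffic selector")
    sa2 = {"alg": alg, "spi": ue.spi}
    # Step 1123: sub-SA context for the LSG. SK_d of the IKE SA between CSG and UE is handed
    # over as the "encryption material" (assumption about what that field contains).
    context = {"ts": ts2, "alg": alg, "spi_lsg_in": sa1_star["spi"], "spi_ue_in": sa2["spi"],
               "ke_ue": ue.ke, "nonces": (lsg.nonce, ue.nonce), "sk_d": sk_d}
    # Each endpoint derives KEYMAT locally. The LSG is the initiator (the CSG opened the
    # exchange on its behalf), so the nonces go in the order (N1, N2).
    lsg_keys = child_keys(context["sk_d"], lsg.shared_secret(context["ke_ue"]), *context["nonces"])
    ue_keys = child_keys(sk_d, ue.shared_secret(lsg.ke), lsg.nonce, ue.nonce)
    return context, lsg_keys, ue_keys


def demo():
    """Constructed policies: only the selector both sides accept survives the double confirmation."""
    sk_d = hashlib.sha256(b"constructed IKE SA derivation key for the example").digest()
    ue = Endpoint("UE", {"tcp/443", "udp/5000"})
    lsg = Endpoint("IPSec-GW-2", {"tcp/443", "tcp/80"})
    return establish_sub_sa(sk_d, ue, lsg, {"tcp/443", "tcp/80", "udp/5000"})
```

Two points a practitioner will want to check against a real implementation. First, the centralized gateway never learns g^ir here, because the DH private values stay on the UE and the local security gateway; it can only compute the traffic keys if it is also given one of them. Second, whatever the "encryption key or encryption material" in the context turns out to be (SK_d in this model), it crosses the link between the two gateways, and the page only states that such a connection exists; that link needs confidentiality and integrity protection of its own, or the local sub-SA is only as strong as that hop.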
Step 1125: the centralized security gateway sends third notification information to the SMF device; the third notification information carries the packet detection rule (PDR) and forwarding action rule (FAR) corresponding to the data flow feature information.
Because the sub-SA between the UE and the local security gateway is established in transport mode, once the sub-SA is established the centralized security gateway must forward to the SMF device the third notification information that originates from the local security gateway; it carries the packet detection rule and forwarding action rule corresponding to the data flow feature information.
The data flow feature information here is that of the local security gateway, so the packet detection rule and forwarding action rule are those of the local security gateway.
Optionally, the local security gateway sends the packet detection rule and forwarding action rule corresponding to the data flow feature information to the centralized security gateway, which then sends the third notification information carrying those rules to the SMF device.
Step 1126: the SMF device updates the first information of the ULCL according to the third notification information.
After receiving the third notification information from the centralized security gateway, the SMF device updates the first information of the ULCL according to the packet detection rule and forwarding action rule it carries, so that every packet protected by the sub-SA of the local security gateway is forwarded through the local security gateway.
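The ULCL reconfiguration of steps 1125 and 1126, as an added example that is not part of the patent application and not the applicant's code. It shows why the transport-mode sub-SA needs its own PDR/FAR pair: the outer IP header of the protected packets reads UE to MEC server, so the ULCL cannot steer them by destination address and instead matches ESP plus the SPI. PFCP-style field names (precedence, source interface, SDF filter, outer header creation), the UE and MEC addresses, the SPIs and the (IP, TEID) tunnels are constructed for the example; the page does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ESP = 50   # IP protocol number of ESP


@dataclass(frozen=True)
class SDFFilter:
    """Packet filter of a PDR: source and destination CIDR, IP protocol and, for ESP, the SPI.
    In transport mode the SPI is the only field that distinguishes the sub-SA's packets."""
    src: str
    dst: str
    proto: Optional[int] = None
    spi: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return self.spi is None or pkt.get("spi") == self.spi


@dataclass(frozen=True)
class PDR:
    pdr_id: int
    precedence: int          # PFCP semantics: the lower the value, the higher the priority
    source_interface: str    # "access" (from the RAN over N3) or "core"
    sdf: SDFFilter
    far_id: int


@dataclass(frozen=True)
class FAR:
    far_id: int
    destination_interface: str
    outer_header: Optional[tuple]   # (IP, TEID) of the tunnel to encapsulate into, or None


class ULCL:
    def __init__(self):
        self.pdrs: List[PDR] = []
        self.fars: Dict[int, FAR] = {}

    def install(self, pdrs, fars):
        self.fars.update({f.far_id: f for f in fars})
        self.pdrs = sorted(self.pdrs + list(pdrs), key=lambda p: p.precedence)

    def classify(self, pkt: dict) -> FAR:
        for pdr in self.pdrs:
            if pdr.source_interface == pkt["iface"] and pdr.sdf.matches(pkt):
                return self.fars[pdr.far_id]
        raise LookupError("no PDR matches; a real UPF drops or buffers the packet")


def rules_for_sub_sa(ue_cidr, mec_cidr, spi_lsg_in, spi_ue_in, psa1_tunnel, base_id=100):
    """Third notification information of step 1125: the PDR/FAR pairs that steer the
    transport-mode sub-SA. Uplink ESP carries the LSG's inbound SPI, downlink ESP the UE's."""
    up_far = FAR(base_id, "core", psa1_tunnel)      # ULCL -> first PSA -> local security gateway
    down_far = FAR(base_id + 1, "access", None)     # first PSA -> ULCL -> RAN (N3 tunnel implied)
    up_pdr = PDR(base_id, 10, "access", SDFFilter(ue_cidr, mec_cidr, ESP, spi_lsg_in), up_far.far_id)
    down_pdr = PDR(base_id + 1, 10, "core", SDFFilter(mec_cidr, ue_cidr, ESP, spi_ue_in), down_far.far_id)
    return [up_pdr, down_pdr], [up_far, down_far]


def build_ulcl(ue_ip="10.45.0.7", mec_ip="203.0.113.10", spi_lsg_in=0x1A2B3C4D, spi_ue_in=0x5E6F7081):
    ue_cidr, mec_cidr = ue_ip + "/32", mec_ip + "/32"
    ulcl = ULCL()
    # Step 1115 baseline: everything else goes through the second (central) PSA in both directions.
    ulcl.install([PDR(1, 255, "access", SDFFilter(ue_cidr, "0.0.0.0/0"), 1),
                  PDR(2, 255, "core", SDFFilter("0.0.0.0/0", ue_cidr), 2)],
                 [FAR(1, "core", ("10.40.0.2", 0x3003)), FAR(2, "access", None)])
    # Step 1126: add the sub-SA rules reported through the centralized security gateway.
    pdrs, fars = rules_for_sub_sa(ue_cidr, mec_cidr, spi_lsg_in, spi_ue_in, ("10.30.0.9", 0x2002))
    ulcl.install(pdrs, fars)
    return ulcl
```

The sub-SA rules sit at a better precedence than the catch-all rules, so only ESP packets carrying the negotiated SPIs are diverted to the first PSA; an ESP packet with any other SPI, or plain traffic to the same MEC address, still follows the baseline path to the second PSA, which is what keeps an unrelated IPsec flow of the same UE from being pulled into the local security gateway.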
In an illustrative example shown in Figure 12, the centralized security gateway is an IKE gateway and the local security gateway is IPSec gateway 2. The data configuration method applied in the centralized security gateway scenario includes, but is not limited to, the following steps:
Step 120: the IKE gateway establishes an IKE SA with the UE using the IKEv2 protocol;
Step 121: the AMF/SMF/PCF devices execute the ULCL/BP insertion procedure described above;
Step 122: the DNAI change procedure described above is executed between the IKE gateway and the AMF/SMF/PCF devices;
Step 123a: the IKE gateway distributes the key to IPSec gateway 2;
Step 123b: the IKE gateway initiates the sub-SA establishment procedure towards the UE, so that the UE and IPSec gateway 2 establish, in transport mode, a sub-SA for user plane data transmission;
Step 124: the IKE gateway notifies application server 2 of the DNAI change or the routing rules.
In summary, the embodiments of this application provide a data configuration method for the centralized security gateway scenario. The centralized security gateway acts as a proxy network element: it interacts with the AF device and configures the connection to the MEC server. During the DNAI change and ULCL insertion procedure, the centralized IKE gateway also cooperates with the SMF device to build the path from the ULCL to the first PSA, to the local security gateway and on to the MEC server. Once that path is established, the centralized security gateway, acting on behalf of the local security gateway, establishes with the UE a sub-SA for user plane data transmission and sends the corresponding security context and related information to the local security gateway. In the centralized security gateway scenario this completes the ULCL insertion and sets up the transport-mode SA path between the UE and the local security gateway when the SMF device triggers a DNAI change.
The embodiments of this application split the security gateway into a centralized security gateway and a local security gateway, design the message exchange between the two gateways and extend the functions of the centralized security gateway, so that the security-gateway-related configuration in the ULCL insertion procedure of the MEC scenario is achieved with almost no change to the UE.
Moreover, because transport mode is used, neither the destination IP address of uplink packets nor the source IP address of downlink packets is the local security gateway. The centralized security gateway therefore has to report to the SMF device the packet detection rule and forwarding action rule of the sub-SA of the local security gateway, and the ULCL has to be reconfigured, so that the corresponding packets are correctly forwarded through the local security gateway.
Refer to Figure 13, which shows a flowchart of a data configuration method provided by another exemplary embodiment of this application. The method is used in the distributed security gateway scenario shown in Figure 9 and includes the following steps.
Step 1301: the SMF device sends first information to the local security gateway; the first information is used to obtain the address information of the local security gateway.
A communication connection exists between the SMF device and the local security gateway, over which the SMF device sends the first information.
Optionally, the first information carries the routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server.
For a description of the SMF device, the distributed security gateway, the first information and the routing path information, refer to the foregoing embodiments; they are not repeated here.
Step 1302: after receiving the first information from the SMF device, the local security gateway returns its address information. The address information of the local security gateway is the routing destination address information configured for the first PSA for transmitting data from the UE.
The first PSA is the PSA after the DNAI change of the UE.
After receiving the first information from the SMF device, the local security gateway obtains its address information and returns it to the SMF device.
Optionally, the first information carries the routing path information of the MEC server. After receiving the first information, the local security gateway establishes the connection between itself and the MEC server and, once that connection is established, returns to the SMF device the first response information corresponding to the first information. The first response information carries the uplink tunnel information of the local security gateway.
Note that the connection between the local security gateway and the MEC server may already have been established before the SMF device sends the first information, or it may be configured by means of the first information sent by the SMF device; the embodiments of this application do not limit this. For convenience, the description below takes the case in which the first information carries the routing path information of the MEC server as an example.
Also note that for a description of the first response information and the uplink tunnel information, refer to the foregoing embodiments; they are not repeated here.
Step 1303: the SMF device receives the address information of the local security gateway.
Correspondingly, the SMF device receives the address information sent by the local security gateway. The address information of the local security gateway is the routing destination address information configured for the first PSA for transmitting data from the UE, the first PSA being the PSA after the DNAI change of the UE.
In summary, the embodiments of this application provide a data configuration method in which the SMF device sends to the local security gateway first information for obtaining the address information of the local security gateway and then receives that address information. The address information is configured for the first PSA, that is, the PSA after the DNAI change of the UE, and provides the routing destination address information for transmitting data from the UE. In other words, an information exchange between the local security gateway and the SMF device is designed into the DNAI change procedure, which performs the configuration required by the ULCL insertion procedure, so that after a local security gateway is introduced the subsequent ULCL insertion procedure still completes normally and data transmission remains reliable.
Refer to Figure 14, which shows a flowchart of a data configuration method provided by an exemplary embodiment of this application. The method is used in the distributed security gateway scenario shown in Figure 9, in which a communication connection exists between the SMF device and the local security gateway. The method includes the following steps.
Step 1400: the SMF device performs MEC server discovery and the selection of the first PSA and the ULCL.
Optionally, the SMF device triggers MEC server discovery and the selection of the first PSA and the ULCL because the UE has moved or because it has detected the corresponding UE service. The SMF device selects and configures the ULCL, establishes an N4 context for it, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets. For the details, refer by analogy to the foregoing embodiments; they are not repeated here.
The SMF device selects the first PSA. Because in the distributed security gateway scenario each PSA is associated with a local security gateway, selecting the first PSA also determines the local security gateway that corresponds to it.
Step 1401: the SMF device sends an AF notification to the AF device.
The AF notification indicates the DNAI change. After receiving the AF notification, the AF device returns an AF notification response.
The SMF device sends the AF notification to the AF device and obtains the routing path information of the MEC server from the AF device. Here the MEC server is an EAS.
The routing path information of the MEC server includes the port information the MEC server uses to establish the N6 connection.
Step 1402: the SMF device sends first information to the local security gateway.
The first information is used to obtain the address information of the local security gateway.
Optionally, the first information carries the routing path information of the MEC server, which is used to configure the connection between the local security gateway and the MEC server: the SMF device delivers the routing path information of the MEC server to the local security gateway by means of the first information.
步骤1403,本地安全网关向SMF设备反馈第一信息对应的第一响应信息。Step 1403, the local security gateway feeds back the first response information corresponding to the first information to the SMF device.
其中,该第一响应信息包括本地安全网关的地址信息。Wherein, the first response information includes address information of the local security gateway.
可选地,本地安全网关接收到SMF设备发送的第一信息后,建立本地安全网关与MEC服务器之间的连接。在本地安全网关与MEC服务器之间的连接建立完成后,本地安全网关向SMF设备反馈第一信息对应的第一响应信息。其中,第一响应信息包括本地安全网关的上行隧道信息。Optionally, after receiving the first information sent by the SMF device, the local security gateway establishes a connection between the local security gateway and the MEC server. After the connection between the local security gateway and the MEC server is established, the local security gateway feeds back first response information corresponding to the first information to the SMF device. The first response information includes uplink tunnel information of the local security gateway.
需要说明的是,SMF设备向本地安全网关发送第一信息、本地安全网关向SMF设备反馈第一信息对应的第一响应信息的过程的相关细节,可参考上述实施例中的相关描述,在此不再赘述。It should be noted that the relevant details of the process in which the SMF device sends the first information to the local security gateway and the local security gateway feeds back the first response information corresponding to the first information to the SMF device can refer to the relevant descriptions in the above embodiments, here No longer.
步骤1404,SMF设备与第一PSA建立N4会话。Step 1404, the SMF device establishes an N4 session with the first PSA.
SMF设备向第一PSA发起N4会话建立流程,即SMF设备向第一PSA发送本地安全网关的上行隧道信息,并从第一PSA获取其用于从本地安全网关接收下行数据的下行隧道信息。The SMF device initiates an N4 session establishment process to the first PSA, that is, the SMF device sends the upstream tunnel information of the local security gateway to the first PSA, and obtains the downlink tunnel information for receiving downlink data from the local security gateway from the first PSA.
步骤1405,SMF设备向本地安全网关发送更新信息,更新信息包括更新后的第一PSA的下行隧道信息。Step 1405, the SMF device sends update information to the local security gateway, where the update information includes the updated downlink tunnel information of the first PSA.
其中,下行隧道信息用于配置本地安全网关与第一PSA之间的下行隧道。The downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.
步骤1406,本地安全网关向SMF设备反馈更新信息对应的第二响应信息。Step 1406, the local security gateway feeds back the second response information corresponding to the update information to the SMF device.
本地安全网关接收到SMF设备发送的更新信息后,建立本地安全网关与第一PSA之间的下行隧道。在本地安全网关与第一PSA之间的下行隧道建立完成后,反馈更新信息对应的第二响应信息。After receiving the update information sent by the SMF device, the local security gateway establishes a downlink tunnel between the local security gateway and the first PSA. After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.
需要说明的是,SMF设备向本地安全网关发送更新信息、本地安全网关向SMF设备反馈更新信息对应的第二响应信息的过程的相关细节,可参考上述实施例中的相关描述,在此不再赘述。It should be noted that the relevant details of the process in which the SMF device sends the update information to the local security gateway and the local security gateway feeds back the second response information corresponding to the update information to the SMF device can refer to the relevant descriptions in the above embodiments, which are not repeated here. Repeat.
步骤1407,SMF设备选取并配置ULCL。 Step 1407, the SMF device selects and configures the ULCL.
SMF设备选取并配置ULCL,为ULCL建立N4上下文,并配置ULCL与RAN的 N3连接、ULCL到第一PSA的上行隧道、ULCL到第二PSA的上行隧道以及上行数据包的转发规则。The SMF device selects and configures the ULCL, establishes an N4 context for the ULCL, and configures the N3 connection between the ULCL and the RAN, the uplink tunnel from the ULCL to the first PSA, the uplink tunnel from the ULCL to the second PSA, and the forwarding rules for uplink data packets.
步骤1408,SMF设备通过N4会话修改流程,配置第二PSA到ULCL的下行隧道。Step 1408, the SMF device configures the downlink tunnel from the second PSA to the ULCL through the N4 session modification process.
步骤1409,SMF设备通过N4会话修改流程,配置第一PSA到ULCL的下行隧道。Step 1409, the SMF device configures the downlink tunnel from the first PSA to the ULCL through the N4 session modification process.
综上所述,本申请实施例提供了一种数据配置方法,该数据配置方法应用于分布式安全网关场景下,通过本地安全网关与SMF设备、AF设备等核心网网元之间的信息交互过程,实现了在ULCL插入过程中建立ULCL到第一PSA到本地安全网关到MEC服务器的通路。其中SMF设备可对本地安全网关进行控制,对其连接建立相关上下文进行配置,从而使得在分布式安全网关的场景下,进行ULCL插入的同时配置好对应的数据通路。To sum up, the embodiments of the present application provide a data configuration method, which is applied to a distributed security gateway scenario, through the information exchange between the local security gateway and core network elements such as SMF devices and AF devices. The process implements establishing a path from the ULCL to the first PSA to the local security gateway to the MEC server during the ULCL insertion process. The SMF device can control the local security gateway, and configure the context related to its connection establishment, so that in the scenario of the distributed security gateway, the corresponding data path is configured while ULCL insertion is performed.
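As an added illustration (not part of the patent text, and not code from the applicant), the following Python model walks through the FIG. 14 message sequence of steps 1401 to 1409 and then checks that both directions of the ULCL -> first PSA -> local security gateway -> MEC server path are fully configured. It makes explicit the ordering dependency the steps imply: the gateway can only be given the first PSA's downlink tunnel (step 1405) after the N4 session with the first PSA has allocated it (step 1404). All node names, addresses, ports and TEIDs are constructed for the example; no real N4, N6 or AF signalling is performed.

```python
# Added example (not from the patent): a model of the FIG. 14 flow.
# All addresses, ports and TEIDs below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    """A GTP-U style tunnel endpoint: IP of the receiving node and its TEID."""
    ip: str
    teid: int


@dataclass
class LocalSecurityGateway:
    addr: str
    mec_route: Optional[Tuple[str, int]] = None   # N6 connection to the MEC server
    uplink: Optional[Tunnel] = None               # where PSA1 sends uplink data
    downlink_to_psa1: Optional[Tunnel] = None     # where the gateway sends downlink data

    def on_first_information(self, mec_route: Tuple[str, int]) -> dict:
        # Steps 1402/1403: connect to the MEC server, then return the first
        # response carrying the gateway address and its uplink tunnel info.
        self.mec_route = mec_route
        self.uplink = Tunnel(self.addr, 0x1001)
        return {"address": self.addr, "uplink_tunnel": self.uplink}

    def on_update_information(self, psa1_downlink: Tunnel) -> dict:
        # Steps 1405/1406: build the downlink tunnel towards PSA1 and acknowledge.
        self.downlink_to_psa1 = psa1_downlink
        return {"downlink_tunnel_established": True}


@dataclass
class PSA:
    name: str
    addr: str
    uplink_next_hop: Optional[Tunnel] = None      # PSA1 only: next hop is the gateway
    downlink_from_gateway: Optional[Tunnel] = None
    downlink_to_ulcl: Optional[Tunnel] = None

    def n4_session_establish(self, gateway_uplink: Tunnel) -> Tunnel:
        # Step 1404: learn the gateway's uplink tunnel and allocate the tunnel
        # on which this PSA receives downlink data from the gateway.
        self.uplink_next_hop = gateway_uplink
        self.downlink_from_gateway = Tunnel(self.addr, 0x2001)
        return self.downlink_from_gateway


@dataclass
class ULCL:
    addr: str
    uplink_to_psa1: Optional[Tunnel] = None
    uplink_to_psa2: Optional[Tunnel] = None
    downlink_from_psa: Optional[Tunnel] = None


class SMF:
    def __init__(self, gateway, psa1, psa2, ulcl, mec_route):
        self.gw, self.psa1, self.psa2, self.ulcl = gateway, psa1, psa2, ulcl
        self.mec_route = mec_route   # what the AF returns for the EAS (step 1401)
        self.log: List[str] = []

    def insert_ulcl(self) -> dict:
        self.log.append("1401 AF notification sent, MEC route received")
        first_resp = self.gw.on_first_information(self.mec_route)
        self.log.append("1402/1403 first information / first response")
        psa1_dl = self.psa1.n4_session_establish(first_resp["uplink_tunnel"])
        self.log.append("1404 N4 session with PSA1")
        self.gw.on_update_information(psa1_dl)   # needs psa1_dl from step 1404
        self.log.append("1405/1406 update information / second response")
        self.ulcl.uplink_to_psa1 = Tunnel(self.psa1.addr, 0x3001)
        self.ulcl.uplink_to_psa2 = Tunnel(self.psa2.addr, 0x3002)
        self.ulcl.downlink_from_psa = Tunnel(self.ulcl.addr, 0x4001)
        self.log.append("1407 ULCL selected and configured")
        self.psa2.downlink_to_ulcl = self.ulcl.downlink_from_psa
        self.log.append("1408 PSA2 downlink tunnel to ULCL")
        self.psa1.downlink_to_ulcl = self.ulcl.downlink_from_psa
        self.log.append("1409 PSA1 downlink tunnel to ULCL")
        return verify_path(self.ulcl, self.psa1, self.gw)


def verify_path(ulcl: ULCL, psa1: PSA, gw: LocalSecurityGateway) -> dict:
    """Check both directions of ULCL -> PSA1 -> gateway -> MEC are configured
    and that the tunnel endpoints recorded on each side agree."""
    uplink_ok = (
        ulcl.uplink_to_psa1 is not None
        and ulcl.uplink_to_psa1.ip == psa1.addr
        and psa1.uplink_next_hop == gw.uplink
        and gw.mec_route is not None
    )
    downlink_ok = (
        gw.downlink_to_psa1 is not None
        and gw.downlink_to_psa1 == psa1.downlink_from_gateway
        and psa1.downlink_to_ulcl is not None
        and psa1.downlink_to_ulcl.ip == ulcl.addr
    )
    return {"uplink": uplink_ok, "downlink": downlink_ok}


def build_scenario() -> SMF:
    gw = LocalSecurityGateway(addr="10.1.0.5")
    psa1 = PSA(name="PSA1", addr="10.1.0.10")
    psa2 = PSA(name="PSA2", addr="10.9.0.10")
    ulcl = ULCL(addr="10.1.0.20")
    return SMF(gw, psa1, psa2, ulcl, mec_route=("10.1.0.50", 8443))


if __name__ == "__main__":
    smf = build_scenario()
    print(smf.insert_ulcl())
    print("\n".join(smf.log))
```

The `verify_path` check is the practitioner's control here: a gateway that was never sent the update information (or was sent it before the N4 session allocated the first PSA's downlink TEID) reports the downlink half of the path as unconfigured, which is exactly the state in which downlink traffic from the MEC server would be dropped at the gateway.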
Please refer to FIG. 15, which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application. The method is used in the distributed security gateway scenario shown in FIG. 9, in which the SMF device and the local security gateway have established a communication connection. The method includes the following steps.
Step 1500, the SMF device performs the MEC server discovery and ULCL/BP insertion procedure.
It should be noted that, for the MEC server discovery and ULCL/BP insertion procedure performed by the SMF device, reference may be made to the relevant descriptions in the foregoing embodiments; the details are not repeated here.
Step 1501, the SMF device sends an N1 message to the AMF device; the N1 message includes the address of the local security gateway.
After inserting the ULCL/BP, the SMF device queries the address of the local security gateway, encapsulates that address in an N1 message, and sends the N1 message to the AMF device.
Step 1502, the AMF device sends a NAS message to the UE; the NAS message includes the address of the local security gateway.
After receiving the N1 message sent by the SMF device, the AMF device sends an enhanced NAS message to the UE; the NAS message includes the address of the local security gateway. The NAS message instructs the UE to establish an IKE SA with the local security gateway.
Step 1503, the UE establishes an IKE SA with the local security gateway.
The UE receives the enhanced NAS message sent by the AMF device, which includes the address of the local security gateway. After receiving the enhanced NAS message, the UE initiates the IKE SA establishment procedure with the local security gateway.
Step 1504, the local security gateway sends first notification information to the SMF device; the first notification information indicates that the IKE SA between the UE and the local security gateway has been established.
The SMF device receives the first notification information sent by the local security gateway.
Step 1505, the SMF device sends a user plane SA establishment request to the local security gateway.
The SMF device sends a user plane SA establishment request to the local security gateway; the user plane SA establishment request includes service detection rules. Optionally, the service detection rules include the packet detection rules for the packets that need to be encrypted and decrypted by the local security gateway.
The service detection rules may be sent in the form of PDRs or in the form of data flow feature information. Both the PDRs and the data flow feature information here are bidirectional.
Step 1506, the local security gateway generates the corresponding data flow feature information according to the service detection rules and establishes, between the UE and the local security gateway, a child SA for user plane data transmission.
The local security gateway receives the user plane SA establishment request sent by the SMF device, which includes the service detection rules; according to the service detection rules, it generates the corresponding data flow feature information and establishes the child SA between the UE and the local security gateway for user plane data transmission.
Step 1507, the local security gateway returns second notification information to the SMF device; the second notification information indicates that the child SA between the UE and the local security gateway for user plane data transmission has been established.
Optionally, the second notification information includes the packet detection rules and forwarding action rules corresponding to the data flow feature information.
Step 1508, the SMF device updates the routing and forwarding rules on the ULCL.
The SMF device updates the routing and forwarding rules on the ULCL according to the packet detection rules and forwarding action rules returned by the local security gateway.
Optionally, in transport mode, the SMF device updates the routing and forwarding rules on the ULCL according to the packet detection rules and forwarding action rules returned by the local security gateway.
In summary, the embodiments of the present application provide a data configuration method applied in the distributed security gateway scenario. It configures the SA after the ULCL has been inserted and the related data transmission tunnels have been established, and it establishes the SA between the UE and the local security gateway after the ULCL insertion procedure has completed. The SMF device can control the local security gateway and send it the packet detection rules and forwarding action rules for the packets that need to be sent via the local security gateway. The embodiments of the present application also enhance the NAS message, so that the SMF device can notify the UE through the NAS message and instruct the UE to establish an IKE SA with the local security gateway. In addition, by providing the service detection rules to the local security gateway, the SMF device instructs the local security gateway to establish with the UE the child SA used for user plane transmission, which saves the NAS signalling overhead that would otherwise be sent to the UE and ensures that the child SA between the local security gateway and the UE is established efficiently.
Please refer to FIG. 16, which shows a flowchart of a data configuration method provided by another exemplary embodiment of the present application. The method is used in the distributed security gateway scenario shown in FIG. 9, in which the SMF device and the local security gateway have established a communication connection. The method includes the following steps.
Step 1600, the SMF device performs the MEC server discovery and ULCL/BP insertion procedure.
It should be noted that, for the MEC server discovery and ULCL/BP insertion procedure performed by the SMF device, reference may be made to the relevant descriptions in the foregoing embodiments; the details are not repeated here.
Step 1601, the SMF device sends an N1 message to the AMF device; the N1 message includes the address of the local security gateway.
After inserting the ULCL/BP, the SMF device queries the address of the local security gateway, encapsulates that address in an N1 message, and sends the N1 message to the AMF device.
Step 1602, the AMF device sends a NAS message to the UE; the NAS message includes the address of the local security gateway and the service detection rules of the local security gateway.
After receiving the N1 message sent by the SMF device, the AMF device sends an enhanced NAS message to the UE; the NAS message includes the address of the local security gateway. The NAS message instructs the UE to establish an IKE SA with the security gateway.
The service detection rules of the local security gateway are the service detection rules for the service data packets that need to be transmitted via the local security gateway. The detection rules for the service data packets may be in the form of PDRs or in the form of data flow feature information.
Step 1603, the UE establishes an IKE SA with the local security gateway.
The UE receives the enhanced NAS message sent by the AMF device, which includes the address of the local security gateway. After receiving the enhanced NAS message, the UE initiates the IKE SA establishment procedure with the local security gateway.
Step 1604, the UE establishes, according to the service detection rules delivered by the AMF device, the child SA with the local security gateway for user plane data transmission.
Step 1605, the local security gateway returns notification information to the SMF device; the notification information indicates that the IKE SA and the child SA for user plane data transmission have been established.
The notification information indicates that the IKE SA between the UE and the local security gateway has been established and that the child SA between the UE and the local security gateway for user plane data transmission has been established.
Optionally, the notification information includes first notification information and second notification information. The first notification information indicates that the IKE SA between the UE and the local security gateway has been established. The second notification information indicates that the child SA between the UE and the local security gateway for user plane data transmission has been established.
Optionally, the second notification information includes the packet detection rules and forwarding action rules corresponding to the data flow feature information.
Correspondingly, the SMF device receives the notification information returned by the local security gateway.
Step 1606, the SMF device updates the routing and forwarding rules on the ULCL.
The SMF device updates the routing and forwarding rules on the ULCL according to the packet detection rules and forwarding action rules returned by the local security gateway.
Optionally, in transport mode, the SMF device updates the routing and forwarding rules on the ULCL according to the packet detection rules and forwarding action rules returned by the local security gateway.
In summary, the embodiments of the present application provide a data configuration method applied in the distributed security gateway scenario, which configures the SA after the ULCL has been inserted and the related data transmission tunnels have been established. The SMF device sends a NAS message to the UE through the AMF device; the NAS message includes the address of the local security gateway and the service detection rules of the local security gateway, so that the establishment of the child SA between the UE and the local security gateway for user plane data transmission is initiated by the UE, which saves the signalling interaction between the SMF device and the local security gateway.
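As an added illustration covering both the FIG. 15 flow (the SMF hands the service detection rules to the local security gateway, which initiates the child SA) and the FIG. 16 flow (the UE receives the rules in the NAS message and initiates the child SA), the Python below is not part of the patent and not the applicant's code. It shows one way a bidirectional PDR-form service detection rule can be turned into the "data flow feature information" of an IKEv2 Child SA, namely the initiator and responder traffic selectors (TSi/TSr of RFC 7296), with the initiator side chosen per figure, and then how the packet detection rule returned to the SMF for the ULCL update differs between IPsec transport mode and tunnel mode. The mode handling rests on standard ESP behaviour, not on the patent text: in transport mode the original IP addresses stay visible but the transport ports are encrypted, so the ULCL can only match on addresses plus protocol ESP; in tunnel mode the outer header is addressed to the gateway, so the ULCL matches on the gateway address and the SPI. The `PDR`, `ULCLRule` and `matches` names, the addresses, ports and SPIs are all constructed for the example.

```python
# Added example (not from the patent): PDR -> Child SA traffic selectors,
# and the ULCL detection rule for ESP-protected traffic. Constructed values.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ESP = 50  # IP protocol number of ESP; ports are inside the encrypted payload


@dataclass(frozen=True)
class PDR:
    """Bidirectional service detection rule in PDR form (constructed shape)."""
    ue_ip: str
    remote_net: str              # CIDR of the MEC/EAS side
    proto: int                   # transport protocol of the service, e.g. 6 = TCP
    remote_ports: Tuple[int, int]


@dataclass(frozen=True)
class TrafficSelector:
    """IKEv2 traffic selector: address range, protocol, port range."""
    start_ip: str
    end_ip: str
    proto: int
    start_port: int
    end_port: int


def ts_from_net(net: str, proto: int, ports: Tuple[int, int]) -> TrafficSelector:
    n = ipaddress.ip_network(net, strict=False)
    return TrafficSelector(str(n[0]), str(n[-1]), proto, ports[0], ports[1])


def child_sa_selectors(pdr: PDR, initiator_is_ue: bool) -> Tuple[TrafficSelector, TrafficSelector]:
    """Data flow feature information for the Child SA: (TSi, TSr).
    FIG. 16: the UE initiates, so TSi is the UE side.
    FIG. 15: the local security gateway initiates, so the sides swap."""
    ue_ts = ts_from_net(pdr.ue_ip + "/32", pdr.proto, (0, 65535))
    remote_ts = ts_from_net(pdr.remote_net, pdr.proto, pdr.remote_ports)
    return (ue_ts, remote_ts) if initiator_is_ue else (remote_ts, ue_ts)


@dataclass(frozen=True)
class ULCLRule:
    """Packet detection rule plus forwarding action for the ULCL (constructed shape)."""
    match_src: str
    match_dst: str
    match_proto: int
    match_spi: Optional[int]
    action: str


def ulcl_rule(pdr: PDR, gw_addr: str, mode: str, spi: int, psa1_tunnel: str) -> ULCLRule:
    """What the ULCL can match on once the flow is protected by the Child SA."""
    if mode == "transport":
        # Original IP header survives; service ports are inside ESP, so the
        # PDR sent back to the SMF can only carry addresses and protocol ESP.
        return ULCLRule(pdr.ue_ip, pdr.remote_net, ESP, None, f"forward:{psa1_tunnel}")
    if mode == "tunnel":
        # Outer header is UE -> gateway; steer on the gateway address and SPI.
        return ULCLRule(pdr.ue_ip, gw_addr + "/32", ESP, spi, f"forward:{psa1_tunnel}")
    raise ValueError(f"unknown IPsec mode: {mode}")


def matches(rule: ULCLRule, src: str, dst: str, proto: int, spi: Optional[int] = None) -> bool:
    """Classify one uplink packet header against a ULCL rule."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule.match_src, strict=False)
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.match_dst, strict=False)
    spi_ok = rule.match_spi is None or rule.match_spi == spi
    return in_src and in_dst and proto == rule.match_proto and spi_ok


if __name__ == "__main__":
    pdr = PDR(ue_ip="10.20.30.40", remote_net="10.1.0.0/24", proto=6, remote_ports=(8443, 8443))
    print("FIG. 16 (UE initiates):", child_sa_selectors(pdr, initiator_is_ue=True))
    print("FIG. 15 (gateway initiates):", child_sa_selectors(pdr, initiator_is_ue=False))
    for mode in ("transport", "tunnel"):
        rule = ulcl_rule(pdr, "10.1.0.5", mode, spi=0xABCD, psa1_tunnel="psa1")
        print(mode, rule)
```

The check a practitioner wants from this model is that the rule pushed to the ULCL after the child SA exists no longer matches the plaintext 5-tuple of the service: a TCP packet from the UE to the EAS that somehow bypasses the SA does not hit the ESP rule, and in tunnel mode a packet carrying a different SPI is not steered onto the first PSA either. That is why the optional step in the text ties the ULCL rule update to the detection and forwarding rules the gateway reports back rather than to the original service PDR.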
In an illustrative example, as shown in FIG. 17, the local security gateway is IPSec gateway 2, and the data configuration method applied in the distributed security gateway scenario includes, but is not limited to, the following steps:
Step 171, the AMF/SMF/PCF devices perform the ULCL/BP insertion procedure;
Step 172, the AMF/SMF/PCF devices perform session modification (carrying the address of IPSec gateway 2);
Step 173, the IKE SA and the IPSec SA between the UE and IPSec gateway 2 are established;
Step 174, IPSec gateway 2 notifies application server 2 of the DNAI change or of the routing rules.
Please refer to FIG. 18, which shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application. The data configuration apparatus may be implemented, by software, by hardware, or by a combination of the two, as all or part of a network device. The data configuration apparatus may include a sending unit 1810 and a receiving unit 1820.
The sending unit 1810 is configured to send first information to the local security gateway, where the first information is used to obtain the address information of the local security gateway;
The receiving unit 1820 is configured to receive the address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA for transmitting data from the user equipment (UE), and the first PSA is the PSA after the DNAI change of the UE.
In one possible implementation, the first information includes the routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
In another possible implementation, the apparatus further includes:
The receiving unit 1820 is further configured to receive first response information corresponding to the first information returned by the local security gateway, where the first response information indicates that the connection between the local security gateway and the MEC server has been established and includes the uplink tunnel information of the local security gateway.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to send update information to the local security gateway, where the update information includes the downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.
In another possible implementation, the apparatus further includes:
The receiving unit 1820 is further configured to receive second response information corresponding to the update information returned by the local security gateway, where the second response information indicates that the downlink tunnel between the local security gateway and the first PSA has been established.
In another possible implementation, the network device includes a centralized security gateway that has established a communication connection with the local security gateway.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to subscribe to the DNAI change notification event with the SMF device;
A processing unit is further configured to select the local security gateway when the first DNAI change notification from the SMF device is received.
In another possible implementation, the first DNAI change notification includes the changed DNAI and the security association (SA) of the path to be changed, and the apparatus further includes:
The processing unit is further configured to query, according to the changed DNAI and the SA of the path to be changed, the application of the path to be changed;
The sending unit 1810 is further configured to send, according to the queried application, an AF notification to the corresponding application function (AF) device, where the AF notification indicates the DNAI change;
The receiving unit 1820 is further configured to receive the routing path information of the MEC server returned by the AF device.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to, after receiving the first response information corresponding to the first information returned by the local security gateway, return to the SMF device fourth response information corresponding to the first DNAI change notification;
Both the first response information and the fourth response information include the uplink tunnel information of the local security gateway, and both indicate that the connection between the local security gateway and the MEC server has been established.
In another possible implementation, the apparatus further includes:
The receiving unit 1820 is further configured to receive a second DNAI change notification from the SMF device, where the second DNAI change notification includes the downlink tunnel information of the first PSA.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to, after receiving the second response information corresponding to the update information returned by the local security gateway, return to the SMF device fifth response information corresponding to the second DNAI change notification;
Both the second response information and the fifth response information indicate that the downlink tunnel between the local security gateway and the first PSA has been established.
In another possible implementation, the centralized security gateway has established an IKE SA with the UE, and the apparatus further includes:
The receiving unit 1820 is further configured to, after a first child SA establishment request has been sent to the local security gateway, receive the first child SA establishment response returned by the local security gateway;
The receiving unit 1820 is further configured to, after a second child SA establishment request has been sent to the UE, receive the second child SA establishment response returned by the UE; the context information of the child SA is then sent to the local security gateway, where the context information of the child SA is used to configure the child SA between the UE and the local security gateway for transmitting user plane data;
The receiving unit 1820 is further configured to receive third response information corresponding to the context information of the child SA returned by the local security gateway, where the third response information indicates that the child SA has been established.
In another possible implementation,
the first child SA establishment request includes the first data feature of the data to be transmitted in encrypted form and the corresponding first SA;
the first child SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number (nonce) of the local security gateway;
the second child SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway, and the random number of the local security gateway;
the second child SA establishment response includes the confirmed third data feature, the corresponding third SA, the key generation material of the UE, and the random number of the UE.
In another possible implementation, the third response information includes the packet detection rules and forwarding action rules corresponding to the data flow feature information, and the apparatus further includes:
The sending unit 1810 is further configured to send third notification information to the SMF device, where the third notification information includes the packet detection rules and the forwarding action rules.
In another possible implementation, the network device includes an SMF device that has established a communication connection with the local security gateway.
In another possible implementation, the apparatus further includes:
The receiving unit 1820 is further configured to receive first notification information sent by the local security gateway, where the first notification information indicates that the Internet Key Exchange (IKE) SA between the UE and the local security gateway has been established.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to send a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes the service detection rules;
The receiving unit 1820 is further configured to receive second notification information returned by the local security gateway, where the second notification information indicates that the child SA between the UE and the local security gateway for user plane data transmission has been established, and the second notification information includes the packet detection rules and forwarding action rules corresponding to the data flow feature information.
In another possible implementation, the apparatus further includes:
The receiving unit 1820 is further configured to receive second notification information returned by the local security gateway, where the second notification information indicates that the child SA between the UE and the local security gateway for user plane data transmission has been established, and the second notification information includes the packet detection rules and forwarding action rules corresponding to the data flow feature information.
In another possible implementation, the apparatus further includes:
The sending unit 1810 is further configured to, after the ULCL or BP has been inserted, send a NAS message to the UE through the AMF device, where the NAS message includes the address of the local security gateway.
In another possible implementation, the NAS message includes the service detection rules for the service data packets that need to be transmitted via the local security gateway.
It should be noted that, when the apparatus provided in the foregoing embodiments implements its functions, the division into the units described above is only an example. In practical applications, the above functions may be allocated to different units as required; that is, the internal structure of the device may be divided into different units to complete all or part of the functions described above.
As for the apparatus in the foregoing embodiments, the specific manner in which each unit performs its operations has been described in detail in the embodiments of the method; the related details can be found in the method embodiments above and are not elaborated here.
Refer to FIG. 19, which shows a block diagram of a data configuration apparatus provided by an exemplary embodiment of the present application. The data configuration apparatus may be implemented, by software, hardware or a combination of both, as all or part of the local security gateway. The data configuration apparatus may include a receiving unit 1910 and a sending unit 1920.
The receiving unit 1910 is configured to receive first information, where the first information is used to obtain the address information of the local security gateway.
The sending unit 1920 is configured to send the address information of the local security gateway, where the address information of the local security gateway is the routing destination address information configured for the first PSA for transmitting data from the UE, and the first PSA is the PSA after the DNAI change of the UE.
In a possible implementation, the first information includes routing path information of the MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
In another possible implementation, the apparatus further includes:
The sending unit 1920 is further configured to, after the connection between the local security gateway and the MEC server is established, feed back first response information corresponding to the first information, where the first response information includes the uplink tunnel information of the local security gateway.
In another possible implementation, the apparatus further includes:
The receiving unit 1910 is further configured to receive update information, where the update information includes the downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure the downlink tunnel between the local security gateway and the first PSA.
In another possible implementation, the apparatus further includes:
The sending unit 1920 is further configured to, after the downlink tunnel between the local security gateway and the first PSA is established, feed back second response information corresponding to the update information.
In another possible implementation, the local security gateway has a communication connection with the centralized security gateway, and the apparatus further includes:
The sending unit 1920 is further configured to, after receiving the first sub-SA establishment request sent by the centralized security gateway, feed back a first sub-SA establishment response to the centralized security gateway;
The receiving unit 1910 is further configured to receive the sub-SA context information sent by the centralized security gateway, where the sub-SA context information is used to configure the sub-SA for transmitting user plane data between the user equipment UE and the local security gateway;
The sending unit 1920 is further configured to, after the sub-SA is established, feed back third response information corresponding to the sub-SA context information to the centralized security gateway.
In another possible implementation, the first sub-SA establishment request includes the first data feature of the data to be transmitted in encrypted form and the corresponding first SA, and the first sub-SA establishment response includes the second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway and the random number of the local security gateway.
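The brokered sub-SA exchange described above (and spelled out in claims 12 and 13 below), as an added example that is not part of the patent: a Python model in which the centralized security gateway relays each side's key generation material and random number, and the UE and the local security gateway end up with the same user-plane key while the broker only ever sees public values. The message field layout, the sub-SA context contents, the toy Diffie-Hellman group and the traffic-selector narrowing are assumptions.

```python
"""Added example (not from the patent): brokered sub-SA set-up between a UE and
a local security gateway, with the centralized security gateway relaying the
key generation material and random numbers. Toy model; field layouts are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy Diffie-Hellman group (Mersenne prime 2^127 - 1, generator 5).
# Illustrative only; a real IKE deployment uses a standardised MODP/ECP group.
P = (1 << 127) - 1
G = 5


@dataclass
class SubSAEndpoint:
    """UE or local security gateway: holds its own DH secret and random number."""
    name: str
    served_features: frozenset      # data features (traffic selectors) it serves
    supported_sa: frozenset         # SA proposals (cipher suites) it supports
    priv: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    @property
    def key_material(self) -> int:
        """Public DH value: the 'key generation material' carried in the messages."""
        return pow(G, self.priv, P)

    def accept(self, feature: frozenset, proposals: tuple) -> tuple:
        """Narrow the proposed data feature and pick the first supported SA."""
        narrowed = feature & self.served_features
        chosen = next((sa for sa in proposals if sa in self.supported_sa), None)
        if not narrowed or chosen is None:
            raise ValueError(f"{self.name} rejected the sub-SA proposal")
        return narrowed, chosen

    def derive_keymat(self, peer_material: int, n_local: bytes, n_ue: bytes, sa: str) -> bytes:
        """IKEv2-style KEYMAT = prf(g^ir | N_local | N_ue, SA); identical at both ends."""
        shared = pow(peer_material, self.priv, P).to_bytes(16, "big")
        return hmac.new(shared + n_local + n_ue, sa.encode(), hashlib.sha256).digest()


def broker_sub_sa(local: SubSAEndpoint, ue: SubSAEndpoint,
                  first_feature: frozenset, first_sa: tuple) -> dict:
    """Run the exchange of claims 12-13 in order; return what each side ends up
    with plus the transcript seen by the centralized gateway (the broker)."""
    transcript = []
    # 1) First sub-SA establishment request (centralized GW -> local GW):
    #    first data feature + first SA (modelled as a list of proposals, assumption).
    transcript.append({"msg": "first_request", "feature": first_feature, "sa": first_sa})
    #    First sub-SA establishment response (local GW -> centralized GW):
    #    accepted second data feature, second SA, local key material, local nonce.
    second_feature, second_sa = local.accept(first_feature, first_sa)
    first_response = {"msg": "first_response", "feature": second_feature, "sa": second_sa,
                      "key_material": local.key_material, "nonce": local.nonce}
    transcript.append(first_response)
    # 2) Second sub-SA establishment request (centralized GW -> UE) relays the
    #    local gateway's values; the UE answers with the confirmed third data
    #    feature, third SA, its own key material and nonce.
    third_feature, third_sa = ue.accept(second_feature, (second_sa,))
    second_response = {"msg": "second_response", "feature": third_feature, "sa": third_sa,
                       "key_material": ue.key_material, "nonce": ue.nonce}
    transcript.append(second_response)
    # 3) Sub-SA context (centralized GW -> local GW). The patent does not list its
    #    fields; assumed here to carry the confirmed feature/SA and the UE's values.
    context = {"msg": "context", "feature": third_feature, "sa": third_sa,
               "ue_key_material": ue.key_material, "ue_nonce": ue.nonce}
    transcript.append(context)
    # Each end derives KEYMAT from the other's public value; the broker only ever
    # relayed public values, so it cannot compute the user-plane key itself.
    k_local = local.derive_keymat(context["ue_key_material"], local.nonce,
                                  context["ue_nonce"], third_sa)
    k_ue = ue.derive_keymat(first_response["key_material"], first_response["nonce"],
                            ue.nonce, third_sa)
    return {"feature": third_feature, "sa": third_sa, "local_key": k_local,
            "ue_key": k_ue, "transcript": transcript}


def demo() -> dict:
    """Constructed sample: the UE serves fewer selectors than the gateway accepts."""
    local = SubSAEndpoint("local-sgw",
                          frozenset({"10.1.0.0/16:any", "10.2.0.0/16:443", "10.9.0.0/16:any"}),
                          frozenset({"ESP-AES-GCM-256", "ESP-AES-CBC-128-SHA256"}))
    ue = SubSAEndpoint("ue",
                       frozenset({"10.1.0.0/16:any", "10.3.0.0/24:8080"}),
                       frozenset({"ESP-AES-GCM-256"}))
    proposed = frozenset({"10.1.0.0/16:any", "10.2.0.0/16:443", "10.3.0.0/24:8080"})
    return broker_sub_sa(local, ue, proposed, ("ESP-AES-GCM-256", "ESP-AES-CBC-128-SHA256"))


if __name__ == "__main__":
    result = demo()
    print("confirmed feature:", sorted(result["feature"]), "SA:", result["sa"])
    print("keys match:", result["local_key"] == result["ue_key"])
```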
In another possible implementation, the local security gateway has a communication connection with the session management function SMF device, and the apparatus further includes:
The sending unit 1920 is further configured to, after the IKE SA between the UE and the local security gateway is established, send first notification information to the SMF device.
In another possible implementation, the apparatus further includes:
The receiving unit 1910 is further configured to receive a user plane SA establishment request sent by the SMF device, where the user plane SA establishment request includes a service detection rule;
a processing unit, configured to generate the corresponding data flow feature information according to the service detection rule and to establish the sub-SA for user plane data transmission between the UE and the local security gateway;
The sending unit 1920 is further configured to, after the sub-SA is established, feed back second notification information to the SMF device, where the second notification information includes the packet detection rule and the forwarding action rule corresponding to the data flow feature information.
In another possible implementation, the apparatus further includes:
The sending unit 1920 is further configured to, after the sub-SA for user plane data transmission between the UE and the local security gateway is established, feed back second notification information to the SMF device, where the second notification information includes the packet detection rule and the forwarding action rule corresponding to the data flow feature information.
It should be noted that, when the apparatus provided in the above embodiment implements its functions, the division into the above units is only an example; in practice, the above functions may be allocated to different units as needed, that is, the internal structure of the device may be divided into different units to complete all or part of the functions described above.
For the apparatus in the above embodiment, the specific manner in which each unit performs its operations has been described in detail in the method embodiments; refer to the method embodiments above for details, which are not repeated here.
Refer to FIG. 20, which shows a schematic structural diagram of a network device provided by an exemplary embodiment of the present application; the network device may be the centralized security gateway or the SMF device described above. The network device includes a processor 201, a receiver 202, a transmitter 203, a memory 204 and a bus 205.
The processor 201 includes one or more processing cores, and executes various functional applications and information processing by running software programs and modules.
The receiver 202 and the transmitter 203 may be implemented as one communication component, which may be a communication chip; the communication chip may include a receiving module, a transmitting module, a modulation and demodulation module and the like, used to modulate and/or demodulate information and to receive or send that information over wireless signals.
The memory 204 is connected to the processor 201 through the bus 205, and stores the program instructions and data the network device needs.
The processor 201 is configured to execute the program instructions and data in the memory 204 to implement the functions of the steps performed by the network device in the method embodiments of the present application.
By running at least one program instruction in the memory 204, the processor 201 controls the receiver 202 to implement the receiving functions on the network device side in the above steps, and controls the transmitter 203 to implement the sending functions on the network device side in the above steps.
In addition, the memory 204 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
It will be appreciated that FIG. 20 shows only a simplified design of the network device. In other embodiments, the network device may include any number of transmitters, receivers, processors, controllers, memories, communication units and the like, and every network device capable of implementing the present application falls within its protection scope.
Refer to FIG. 21, which shows a schematic structural diagram of a local security gateway provided by an exemplary embodiment of the present application. The local security gateway includes a processor 211, a receiver 212, a transmitter 213, a memory 214 and a bus 215.
The processor 211 includes one or more processing cores, and executes various functional applications and information processing by running software programs and modules.
The receiver 212 and the transmitter 213 may be implemented as one communication component, which may be a communication chip; the communication chip may include a receiving module, a transmitting module, a modulation and demodulation module and the like, used to modulate and/or demodulate information and to receive or send that information over wireless signals.
The memory 214 is connected to the processor 211 through the bus 215, and stores the program instructions and data the local security gateway needs.
The processor 211 is configured to execute the program instructions and data in the memory 214 to implement the functions of the steps performed by the local security gateway in the method embodiments of the present application.
By running at least one program instruction in the memory 214, the processor 211 controls the receiver 212 to implement the receiving functions on the local security gateway side in the above steps, and controls the transmitter 213 to implement the sending functions on the local security gateway side in the above steps.
In addition, the memory 214 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
It will be appreciated that FIG. 21 shows only a simplified design of the local security gateway. In other embodiments, the local security gateway may include any number of transmitters, receivers, processors, controllers, memories, communication units and the like, and every local security gateway capable of implementing the present application falls within its protection scope.
An embodiment of the present application provides a data configuration apparatus, including a processor and a memory for storing instructions executable by the processor, where the processor, when executing the instructions, implements the method performed by the network device described above.
An embodiment of the present application provides a data configuration apparatus, including a processor and a memory for storing instructions executable by the processor, where the processor, when executing the instructions, implements the method performed by the local security gateway described above.
An embodiment of the present application provides a computer program product including computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, where, when the computer-readable code runs in the processor of an electronic device, the processor of the electronic device executes the method performed by the network device described above.
An embodiment of the present application provides a computer program product including computer-readable code, or a non-volatile computer-readable storage medium carrying computer-readable code, where, when the computer-readable code runs in the processor of an electronic device, the processor of the electronic device executes the method performed by the local security gateway described above.
An embodiment of the present application provides a data configuration system including a local security gateway and a network device that has a communication connection with the local security gateway, where the network device includes the data configuration apparatus shown in FIG. 18 and the local security gateway includes the data configuration apparatus shown in FIG. 19; or the network device is the network device shown in FIG. 20 and the local security gateway is the local security gateway shown in FIG. 21.
An embodiment of the present application provides a non-volatile computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the method performed by the network device described above.
An embodiment of the present application provides a non-volatile computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the method performed by the local security gateway described above.
A computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of these. More specific examples (a non-exhaustive list) of computer-readable storage media include: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital video disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or raised structures in a groove with instructions recorded on it, and any suitable combination of the foregoing.
The computer-readable program instructions or code described here may be downloaded to the respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical fibre transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
The computer program instructions for carrying out the operations of the present application may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk and C++ and conventional procedural programming languages such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry such as programmable logic circuits, field-programmable gate arrays (FPGA) or programmable logic arrays (PLA) may be personalised using state information of the computer-readable program instructions, and this electronic circuitry may execute the computer-readable program instructions in order to implement aspects of the present application.
Aspects of the present application are described here with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It will be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus and/or other devices to function in a particular manner, such that the computer-readable medium having the instructions stored in it comprises an article of manufacture including instructions which implement aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer-implemented process, such that the instructions which execute on the computer, other programmable apparatus or other device implement the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of apparatus, systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowcharts or block diagrams may represent a module, a program segment or a portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending on the functionality involved.
It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by hardware that performs the corresponding functions or actions (for example a circuit or an ASIC (Application Specific Integrated Circuit)), or by a combination of hardware and software, such as firmware.
Although the present application has been described here in conjunction with the various embodiments, those skilled in the art can understand and implement other variations of the disclosed embodiments by studying the drawings, the disclosure and the appended claims when practising the claimed application. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The embodiments of the present application have been described above; the foregoing description is exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used here was chosen to best explain the principles of the embodiments, their practical application or improvement over the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed here.
Claims (36)
- A data configuration method, for use in a network device, the method comprising: sending first information to a local security gateway, where the first information is used to obtain address information of the local security gateway; and receiving the address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for a first protocol data unit session anchor PSA for transmitting data from a user equipment UE, and the first PSA is the PSA after a data network access identifier DNAI change of the UE.
- The method according to claim 1, wherein the first information includes routing path information of a multi-access edge computing MEC server, and the routing path information is used to configure the connection between the local security gateway and the MEC server.
- The method according to claim 2, further comprising: receiving first response information corresponding to the first information fed back by the local security gateway, where the first response information indicates that the connection between the local security gateway and the MEC server has been established, and the first response information includes uplink tunnel information of the local security gateway.
- The method according to claim 1, further comprising: sending update information to the local security gateway, where the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
- The method according to claim 4, further comprising: receiving second response information corresponding to the update information fed back by the local security gateway, where the second response information indicates that the downlink tunnel between the local security gateway and the first PSA has been established.
- The method according to any one of claims 1 to 5, wherein the network device includes a centralized security gateway that has a communication connection with the local security gateway.
- The method according to claim 6, wherein before sending the first information to the local security gateway, the method further comprises: subscribing to a DNAI change notification event with a session management function SMF device; and selecting the local security gateway upon receiving a first DNAI change notification from the SMF device.
- The method according to claim 7, wherein the first DNAI change notification includes the changed DNAI and the security association SA of the path to be changed, and the method further comprises: querying, according to the changed DNAI and the SA of the path to be changed, the application whose path is to be changed; sending, according to the queried application, an AF notification to the corresponding application function AF device, where the AF notification indicates the DNAI change; and receiving the routing path information of the MEC server fed back by the AF device.
- The method according to claim 7, further comprising: after receiving the first response information corresponding to the first information fed back by the local security gateway, feeding back fourth response information corresponding to the first DNAI change notification to the SMF device; where both the first response information and the fourth response information include the uplink tunnel information of the local security gateway, and both indicate that the connection between the local security gateway and the MEC server has been established.
- The method according to claim 7, wherein before sending the update information to the local security gateway, the method further comprises: receiving a second DNAI change notification from the SMF device, where the second DNAI change notification includes the downlink tunnel information of the first PSA.
- The method according to claim 10, further comprising: after receiving the second response information corresponding to the update information fed back by the local security gateway, feeding back fifth response information corresponding to the second DNAI change notification to the SMF device; where both the second response information and the fifth response information indicate that the downlink tunnel between the local security gateway and the first PSA has been established.
- The method according to any one of claims 7 to 11, wherein the centralized security gateway has an IKE SA established with the UE, and the method further comprises: after sending a first sub-SA establishment request to the local security gateway, receiving a first sub-SA establishment response fed back by the local security gateway; after sending a second sub-SA establishment request to the UE, receiving a second sub-SA establishment response fed back by the UE; sending sub-SA context information to the local security gateway, where the sub-SA context information is used to configure a sub-SA between the UE and the local security gateway for transmitting user plane data; and receiving third response information corresponding to the sub-SA context information fed back by the local security gateway, where the third response information indicates that the sub-SA has been established.
- The method according to claim 12, wherein: the first sub-SA establishment request includes a first data feature of the data to be transmitted in encrypted form and a corresponding first SA; the first sub-SA establishment response includes a second data feature accepted by the local security gateway, a corresponding second SA, key generation material of the local security gateway and a random number of the local security gateway; the second sub-SA establishment request includes the second data feature, the second SA, the key generation material of the local security gateway and the random number of the local security gateway; and the second sub-SA establishment response includes a confirmed third data feature, a corresponding third SA, key generation material of the UE and a random number of the UE.
- 根据权利要求12所述的方法,其特征在于,所述第三响应信息包括数据流特征信息对应的数据包检测规则和转发动作规则,所述方法还包括:The method according to claim 12, wherein the third response information includes a data packet detection rule and a forwarding action rule corresponding to the data flow characteristic information, and the method further comprises:向所述SMF设备发送第三通知信息,所述第三通知信息包括所述数据包检测规则和转发动作规则。Send third notification information to the SMF device, where the third notification information includes the data packet detection rule and the forwarding action rule.
- 根据权利要求1至5任一所述的方法,其特征在于,所述网络设备包括与所述本地安全网关建立有通信连接的SMF设备。The method according to any one of claims 1 to 5, wherein the network device comprises an SMF device that has established a communication connection with the local security gateway.
- 根据权利要求15所述的方法,其特征在于,所述方法还包括:The method of claim 15, wherein the method further comprises:接收所述本地安全网关发送的第一通知信息,所述第一通知信息用于指示UE与所述本地安全网关之间的因特网密钥交换协议IKE SA建立完成。Receive the first notification information sent by the local security gateway, where the first notification information is used to indicate that the establishment of the Internet Key Exchange Protocol IKE SA between the UE and the local security gateway is completed.
- 根据权利要求16所述的方法,其特征在于,所述方法还包括:The method of claim 16, wherein the method further comprises:向所述本地安全网关发送用户面SA建立请求,所述用户面SA建立请求包括业务检测规则;sending a user plane SA establishment request to the local security gateway, where the user plane SA establishment request includes a service detection rule;接收所述本地安全网关反馈的第二通知信息,所述第二通知信息用于指示所述UE与所述本地安全网关之间用于用户面数据传输的子SA建立完成,所述第二通知信息包括所述数据流特征信息对应的数据包检测规则和转发动作规则。Receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is complete, and the second notification information The information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information.
- 根据权利要求16所述的方法,其特征在于,所述方法还包括:The method of claim 16, wherein the method further comprises:接收所述本地安全网关反馈的第二通知信息,所述第二通知信息用于指示所述UE与所述本地安全网关之间用于用户面数据传输的子SA建立完成,所述第二通知信息包括所述数据流特征信息对应的数据包检测规则和转发动作规则。Receive second notification information fed back by the local security gateway, where the second notification information is used to indicate that the establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is complete, and the second notification information The information includes data packet detection rules and forwarding action rules corresponding to the data flow feature information.
- 根据权利要求16所述的方法,其特征在于,所述方法还包括:The method of claim 16, wherein the method further comprises:在插入上行分类器ULCL或分支点BP后,通过AMF设备向所述UE发送NAS消息,所述NAS消息包括所述本地安全网关的地址。After inserting the uplink classifier ULCL or the branch point BP, a NAS message is sent to the UE through the AMF device, and the NAS message includes the address of the local security gateway.
- 根据权利要求16所述的方法,其特征在于,所述NAS消息包括需要从所述本地安全网关进行传输的业务数据包的业务检测规则。The method of claim 16, wherein the NAS message includes a service detection rule for a service data packet that needs to be transmitted from the local security gateway.
- 一种数据配置方法,其特征在于,用于本地安全网关中,所述方法包括:A data configuration method, characterized in that it is used in a local security gateway, the method comprising:接收第一信息,所述第一信息用于获取所述本地安全网关的地址信息;receiving first information, where the first information is used to obtain address information of the local security gateway;发送所述本地安全网关的地址信息,所述本地安全网关的地址信息是为第一PSA配置的用于传输来自用户设备UE的数据的路由目的地址信息,所述第一PSA为所述UE发生DNAI变化后的PSA。Sending address information of the local security gateway, where the address information of the local security gateway is routing destination address information configured for a first PSA for transmitting data from a user equipment UE, and the first PSA occurs for the UE PSA after DNAI changes.
- 根据权利要求21所述的方法,其特征在于,所述第一信息包括MEC服务器 的路由路径信息,所述路由路径信息用于配置所述本地安全网关与所述MEC服务器之间的连接。The method according to claim 21, wherein the first information comprises routing path information of an MEC server, and the routing path information is used to configure a connection between the local security gateway and the MEC server.
- 根据权利要求22所述的方法,其特征在于,所述方法还包括:The method of claim 22, wherein the method further comprises:在所述本地安全网关与所述MEC服务器之间的连接建立完成后,反馈所述第一信息对应的第一响应信息,所述第一响应信息包括所述本地安全网关的上行隧道信息。After the connection between the local security gateway and the MEC server is established, first response information corresponding to the first information is fed back, where the first response information includes uplink tunnel information of the local security gateway.
- 根据权利要求21所述的方法,其特征在于,所述方法还包括:The method of claim 21, wherein the method further comprises:接收更新信息,所述更新信息包括所述第一PSA的下行隧道信息,所述下行隧道信息用于配置所述本地安全网关与所述第一PSA之间的下行隧道。Update information is received, the update information includes downlink tunnel information of the first PSA, and the downlink tunnel information is used to configure a downlink tunnel between the local security gateway and the first PSA.
- 根据权利要求24所述的方法,其特征在于,所述方法还包括:The method of claim 24, wherein the method further comprises:在所述本地安全网关与所述第一PSA之间的下行隧道建立完成后,反馈所述更新信息对应的第二响应信息。After the establishment of the downlink tunnel between the local security gateway and the first PSA is completed, the second response information corresponding to the update information is fed back.
- 根据权利要求21至25任一所述的方法,其特征在于,所述本地安全网关与集中式安全网关建立有通信连接,所述方法还包括:The method according to any one of claims 21 to 25, wherein a communication connection is established between the local security gateway and the centralized security gateway, and the method further comprises:在接收到所述集中式安全网关发送的第一子SA建立请求后,向所述集中式安全网关反馈第一子SA建立响应;After receiving the first sub-SA establishment request sent by the centralized security gateway, feeding back a first sub-SA establishment response to the centralized security gateway;接收所述集中式安全网关发送的所述子SA的上下文信息,所述子SA的上下文信息用于配置用户设备UE与所述本地安全网关之间用于传输用户面数据的子SA;receiving the context information of the sub-SA sent by the centralized security gateway, where the context information of the sub-SA is used to configure the sub-SA used for transmitting user plane data between the user equipment UE and the local security gateway;在所述子SA建立完成后,向所述集中式安全网关反馈所述子SA的上下文信息对应的第三响应信息。After the establishment of the sub-SA is completed, the third response information corresponding to the context information of the sub-SA is fed back to the centralized security gateway.
- 根据权利要求26所述的方法,其特征在于,所述第一子SA建立请求包括待加密传输的数据的第一数据特征和对应的第一SA,所述第一子SA建立响应包括所述本地安全网关接受的第二数据特征、对应的第二SA、所述本地安全网关的密钥生成材料和所述本地安全网关的随机数。The method according to claim 26, wherein the first sub-SA establishment request includes a first data characteristic of data to be encrypted and transmitted and a corresponding first SA, and the first sub-SA establishment response includes the The second data feature accepted by the local security gateway, the corresponding second SA, the key generation material of the local security gateway, and the random number of the local security gateway.
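The sub-SA establishment exchange of claims 12 and 13 (centralized security gateway side) and claims 26 and 27 (local security gateway side), as an added Python example that is not part of the patent: the class and field names, the representation of data features as sets, and the check that a received sub-SA context is bound to the key material and random number the local gateway itself issued are assumptions of this example.

```python
# Added example, not the patent's code: simulation of the sub-SA establishment
# exchange of claims 12-13 and 26-27. Names, the use of sets for "data
# features" and the binding checks in the local gateway are assumptions.
from collections import namedtuple
import secrets

# kind: req1/rsp1/req2/rsp2/rsp3; features: data features the sub-SA protects;
# sa: identifier of the SA they map to; key_material/nonce: of the sender.
SubSAMsg = namedtuple("SubSAMsg", "kind features sa key_material nonce",
                      defaults=(b"", b""))
SubSAContext = namedtuple("SubSAContext",
                          "features sa gw_material gw_nonce ue_material ue_nonce")


class LocalSecurityGateway:
    def __init__(self, allowed_features):
        self.allowed = frozenset(allowed_features)
        self.offered = None   # the rsp1 we sent, kept to validate the context
        self.sub_sa = None    # installed sub-SA context

    def handle_req1(self, req):
        # Keep only the requested features this gateway will encrypt (second
        # data feature) and answer with fresh key material and random number.
        accepted = req.features & self.allowed
        if not accepted:
            raise ValueError("no acceptable data feature in request")
        self.offered = SubSAMsg("rsp1", accepted, req.sa + "/local",
                                secrets.token_bytes(32), secrets.token_bytes(16))
        return self.offered

    def install_context(self, ctx):
        # Assumed binding check: the context must carry the material and nonce
        # this gateway generated in rsp1 and only features it offered there.
        if (self.offered is None or ctx.gw_material != self.offered.key_material
                or ctx.gw_nonce != self.offered.nonce
                or not ctx.features <= self.offered.features):
            raise ValueError("sub-SA context is not bound to the offered sub-SA")
        self.sub_sa = ctx
        return SubSAMsg("rsp3", ctx.features, ctx.sa)  # third response: complete


class UE:
    def __init__(self, wanted_features):
        self.wanted = frozenset(wanted_features)

    def handle_req2(self, req):
        # Confirm the features the UE will use (third data feature) and add the
        # UE's own key generation material and random number.
        confirmed = req.features & self.wanted
        if not confirmed:
            raise ValueError("UE confirms no data feature")
        return SubSAMsg("rsp2", confirmed, req.sa,
                        secrets.token_bytes(32), secrets.token_bytes(16))


def establish_sub_sa(local, ue, features, sa):
    """Centralized security gateway side of the exchange (claim 12)."""
    rsp1 = local.handle_req1(SubSAMsg("req1", frozenset(features), sa))
    req2 = SubSAMsg("req2", rsp1.features, rsp1.sa, rsp1.key_material, rsp1.nonce)
    rsp2 = ue.handle_req2(req2)
    ctx = SubSAContext(rsp2.features, rsp2.sa, rsp1.key_material, rsp1.nonce,
                       rsp2.key_material, rsp2.nonce)
    return local.install_context(ctx)


def forged_context_rejected():
    # A context whose material the gateway never issued must be refused.
    local = LocalSecurityGateway(["video"])
    local.handle_req1(SubSAMsg("req1", frozenset({"video"}), "sa-1"))
    bogus = SubSAContext(frozenset({"video"}), "sa-1/local", b"x" * 32,
                         b"y" * 16, b"u" * 32, b"v" * 16)
    try:
        local.install_context(bogus)
    except ValueError:
        return True
    return False
```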
- The method according to any one of claims 21 to 25, wherein the local security gateway has a communication connection established with a session management function (SMF) device, and the method further comprises: after establishment of an Internet Key Exchange (IKE) SA between the UE and the local security gateway is complete, sending first notification information to the SMF device.
- The method according to claim 28, further comprising: receiving a user plane SA establishment request sent by the SMF device, the user plane SA establishment request including a service detection rule; generating corresponding data flow feature information according to the service detection rule, and establishing a sub-SA between the UE and the local security gateway for user plane data transmission; and after establishment of the sub-SA is complete, feeding back second notification information to the SMF device, the second notification information including a packet detection rule and a forwarding action rule corresponding to the data flow feature information.
- The method according to claim 28, further comprising: after establishment of a sub-SA for user plane data transmission between the UE and the local security gateway is complete, feeding back second notification information to the SMF device, the second notification information including a packet detection rule and a forwarding action rule corresponding to data flow feature information.
- A data configuration method, for use in a data configuration system, the data configuration system including a local security gateway and a network device that has a communication connection established with the local security gateway, the method comprising: sending, by the network device, first information to the local security gateway, the first information being used to obtain address information of the local security gateway; after receiving the first information, sending, by the local security gateway, the address information of the local security gateway, the address information of the local security gateway being routing destination address information configured for a first PSA for transmitting data from the UE, the first PSA being the PSA of the UE after a DNAI change; and receiving, by the network device, the address information of the local security gateway.
- A data configuration apparatus, for use in a network device, the apparatus comprising: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to implement the method of any one of claims 1 to 20 when executing the instructions.
- A data configuration apparatus, for use in a local security gateway, the apparatus comprising: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to implement the method of any one of claims 21 to 30 when executing the instructions.
- A data configuration system, the data configuration system including a local security gateway and a network device that has a communication connection established with the local security gateway, wherein: the network device is configured to execute the method of any one of claims 1 to 20; and the local security gateway is configured to execute the method of any one of claims 21 to 30.
- A non-volatile computer-readable storage medium storing computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any one of claims 1 to 20.
- A non-volatile computer-readable storage medium storing computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any one of claims 21 to 30.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/075493 WO2022165745A1 (en) | 2021-02-05 | 2021-02-05 | Data configuration method and apparatus, system, and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/075493 WO2022165745A1 (en) | 2021-02-05 | 2021-02-05 | Data configuration method and apparatus, system, and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022165745A1 true WO2022165745A1 (en) | 2022-08-11 |
Family
ID=82740794
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/075493 WO2022165745A1 (en) | 2021-02-05 | 2021-02-05 | Data configuration method and apparatus, system, and storage medium |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2022165745A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110048873A (en) * | 2018-01-16 | 2019-07-23 | Huawei Technologies Co., Ltd. | Method and communication device for policy control of multi-anchor protocol data unit sessions |
CN111586670A (en) * | 2020-04-30 | 2020-08-25 | Tencent Technology (Shenzhen) Co., Ltd. | Method for realizing service continuity and related equipment |
- 2021-02-05: WO PCT/CN2021/075493, patent WO2022165745A1 (en), active, Application Filing
Non-Patent Citations (3)
Title |
---|
CATT, HUAWEI, HISILICON: "Update to Solution 6.13", 3GPP Draft S2-1811387_WAS_10535_UPDATE TO SOLUTION 6.13, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG2, Dongguan, China, 20181015-20181019, 17 October 2018 (2018-10-17), XP051540196 * |
ORANGE: "PDU session anchor terminology clarification", 3GPP Draft S2-1910902, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG2, Reno, Nevada, United States, 20191118-20191122, 8 November 2019 (2019-11-08), XP051821032 * |
SAMSUNG: "KI#2, New Sol: IP preserving PSA relocation with two simultaneous PDU Sessions", 3GPP Draft S2-2004419, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG2, E (e-meeting), 20200601-20200612, 8 June 2020 (2020-06-08), XP051894503 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230092015A1 (en) | | Securing communication of devices in the internet of things |
CN110786031B (en) | | Method and system for privacy protection of 5G slice identifiers |
US8627064B2 (en) | | Flexible system and method to manage digital certificates in a wireless network |
EP1774750B1 (en) | | Method, apparatuses and computer readable medium for establishing secure end-to-end connections by binding IPSec Security Associations |
US10455414B2 (en) | | User-plane security for next generation cellular networks |
EP3262856B1 (en) | | Systems and methods for secure roll-over of device ownership |
WO2018013925A1 (en) | | Adaptive authorization framework for communication networks |
JP2019146196A (en) | | End-to-end service layer authentication |
TWI713614B (en) | | Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts |
EP3284276B1 (en) | | Security improvements in a cellular network |
US11388145B2 (en) | | Tunneling data traffic and signaling over secure etls over wireless local area networks |
WO2021244509A1 (en) | | Data transmission method and system, electronic device, and computer readable storage medium |
WO2020065130A1 (en) | | Security management between edge proxy and internetwork exchange node in a communication system |
US11006346B2 (en) | | X2 service transmission method and network device |
WO2022166878A1 (en) | | Core network system |
WO2022165745A1 (en) | | Data configuration method and apparatus, system, and storage medium |
WO2023185558A1 (en) | | Communication method and apparatus |
WO2023011158A1 (en) | | Certificate management method and apparatus |
US20240146702A1 (en) | | Traffic management with asymmetric traffic encryption in 5g networks |
US12028747B2 (en) | | Methods and apparatus for reducing communications delay |
Singh et al. | | Unified heterogeneous networking design |
WO2022178888A1 (en) | | Communication method and apparatus |
WO2024001524A1 (en) | | Communication method and apparatus |
WO2024208302A1 (en) | | Information interaction method and apparatus, and device and storage medium |
WO2024171084A1 (en) | | Method and apparatus for generating qos (quality of service) rules for packet communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21923762; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21923762; Country of ref document: EP; Kind code of ref document: A1 |