
CN116033377A - Method, system and medium for 5G SA network Internet of things terminal access and access restriction - Google Patents

Method, system and medium for 5G SA network Internet of things terminal access and access restriction

Info

Publication number
CN116033377A
CN116033377A (application CN202211722173.5A)
Authority
CN
China
Prior art keywords
access
network
management module
slice
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211722173.5A
Other languages
Chinese (zh)
Inventor
兰卓睿
唐燕
王程
陈杨
赵建军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi IoT Technology Co Ltd
Original Assignee
Tianyi IoT Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi IoT Technology Co Ltd
Priority to CN202211722173.5A
Publication of CN116033377A
Priority to PCT/CN2023/135829 (published as WO2024140021A1)
Legal status: Pending


Classifications

    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/06 Optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/02 Traffic management, e.g. flow control or congestion control
    • H04W 28/08 Load balancing or load distribution
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the technical field of the Internet of Things and discloses a method, system and medium for 5G SA network IoT terminal access and access restriction. The method comprises: if the network manager receives an attach request from the IoT terminal, controlling the user terminal to send an access network message; the network manager receiving the access network message, and the radio access network determining the access management module; obtaining the user's subscribed network slice; judging whether the access management module can process the user's subscribed network slice; if it cannot, the network slice selection module obtaining the allowed slice and the target access management module; the network slice selection module sending the allowed slice to the target access management module; the target access management module obtaining the user subscription policy; and sending the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module. The invention restricts a user to accessing the intranet only within a small, controllable campus area and denies service when the user roams beyond that area, thereby ensuring higher reliability and security.

Description

Method, system and medium for 5G SA network IoT terminal access and access restriction

Technical field

The present invention relates to the technical field of the Internet of Things, and in particular to a method, system and medium for 5G SA network IoT terminal access and access restriction.

Background

In a 5G private (customized) network scenario, for reasons of low latency and high reliability, many customers choose to reuse the operator-built network elements on the access plane and control plane, such as the AMF and SMF, while on the data plane a lightweight UPF is deployed down at the customer's campus and a dedicated DNN is used to reach internal services.

Among existing access-restriction techniques for 5G IoT terminals, the most common is to check whether the AMF ID or MME host name reported by the user is in the list the user is allowed to access, which achieves regional restriction only at the province level. In schemes where the policy control module controls user access on the basis of the tracking area code, a tracking area covers a relatively large area, so the campus boundary is hard to control precisely, and the radio side has to re-plan and adjust the tracking area codes; for an operator, adjusting tracking area codes that have already been planned is difficult. If instead the policy control module performs user session policy control at the base-station or cell level, a moving user reports location updates frequently, which generates a large volume of signalling, congests the signalling plane and affects service use.

Therefore, how to perform access control on IoT terminals simply and in real time, so that a user can access the intranet only within a small, controllable campus area and is denied service when roaming beyond it, thereby ensuring higher reliability and security, is a problem that urgently needs to be solved.

Summary of the invention

The technical problem to be solved by the present invention is to restrict a user to accessing the intranet only within a small, controllable campus area and to deny service when the user roams beyond that area, thereby ensuring higher reliability and security.

In a first aspect, an embodiment of the present invention provides a method for 5G SA network IoT terminal access and access restriction. The method is applied to an SA network IoT system comprising an IoT terminal, a network manager and a user terminal; the network manager establishes network connections with the IoT terminal and with the user terminal respectively to transmit data, and the network manager is provided with a radio access network, an access management module, a network slice selection module and a policy control module. The method comprises:

if the network manager receives an attach request from the IoT terminal, controlling the user terminal to send an access network message;

the network manager receiving the access network message, and the radio access network determining the access management module corresponding to the access network message;

the determined access management module obtaining, from a preset slice database, the user's subscribed network slice corresponding to the access network message;

judging whether the determined access management module is able to process the user's subscribed network slice;

if the determined access management module cannot process the user's subscribed network slice, the network slice selection module obtaining the allowed slice and the target access management module corresponding to the user's subscribed network slice;

the network slice selection module re-sending the allowed slice to the target access management module;

the target access management module obtaining, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;

sending the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module.

Preferably, the radio access network determining the access management module corresponding to the access network message comprises:

parsing the access network message to obtain the corresponding GUAMI information;

judging whether a matching access management module can be obtained from the GUAMI information;

if a matching access management module can be obtained from the GUAMI information, taking the one matching access management module so obtained as the determined access management module;

if no matching access management module can be obtained from the GUAMI information, determining the corresponding access management module from the requested slice in the access network message.

Preferably, before determining the corresponding access management module from the requested slice in the access network message, the method further comprises:

judging whether the access network message contains a requested slice;

if the access network message contains a requested slice, performing the step of determining the corresponding access management module from the requested slice in the access network message;

if the access network message does not contain a requested slice, sending the registration request to the default access management module.

Preferably, the target access management module obtaining the pre-stored user subscription policy from the policy control module comprises:

the policy control module subscribing, on the basis of preset tracking area codes, to tracking-area changes of the individual user, so as to obtain the user subscription policy.

Preferably, the network manager is further provided with a session management module, and the policy control module performs session policy control on the user on the basis of preset tracking area codes; the policy control module subscribing to tracking-area changes of the individual user so as to obtain the user subscription policy comprises:

if a tracking-area change signal sent by the user terminal is received, actively reporting the location so as to update the access network message;

the radio access network re-determining the access management module newly corresponding to the updated access network message;

the newly corresponding access management module reporting the updated access network message to the policy control module through a preset interface;

the policy control module performing session policy control on the tracking area code carried in the session management module.

Preferably, the policy control module performing policy control on the tracking area code carried in the session management module comprises:

if the tracking area code is in the allow list of the session management module, issuing a dynamic policy so as to ensure that a first policy is output, the first policy being a higher quality-of-service policy;

if the tracking area code is not in the allow list of the session management module, issuing a blocking instruction so as to ensure that a second policy is output, which then blocks all of the user's traffic so that the user's traffic does not leave the campus; the second policy is the corresponding service rule with the highest global priority.

Preferably, the determined access management module obtaining, from the preset slice database, the user's subscribed network slice corresponding to the access network message further comprises:

if the target access management module has obtained the user subscription policy, judging whether the requested slice, the user's subscribed network slice and the allowed slice can be combined to form an intersection slice;

if an intersection slice can be formed, permitting the user terminal to access;

if no intersection slice can be formed, denying the user terminal access.

In a second aspect, an embodiment of the present invention provides a system for 5G SA network IoT terminal access and access restriction. The system comprises an IoT terminal, a network manager and a user terminal, and the network manager establishes network connections with the IoT terminal and with the user terminal respectively to transmit data;

the system comprises an attach request unit configured in the IoT terminal, a first sending unit configured in the user terminal, and a receiving unit, a first obtaining unit, a judging unit, a second obtaining unit, a second sending unit, a third obtaining unit and a third sending unit configured in the network manager;

the attach request unit is used for the network manager to receive the attach request from the IoT terminal;

the first sending unit is used for controlling the user terminal to send the access network message if the network manager receives the attach request from the IoT terminal;

the receiving unit is used for the network manager to receive the access network message, and for the radio access network to determine the access management module corresponding to the access network message;

the first obtaining unit is used for the determined access management module to obtain, from the preset slice database, the user's subscribed network slice corresponding to the access network message;

the judging unit is used for judging whether the determined access management module can process the user's subscribed network slice;

the second obtaining unit is used for the network slice selection module to obtain the allowed slice and the target access management module corresponding to the user's subscribed network slice, if the determined access management module cannot process the user's subscribed network slice;

the second sending unit is used for the network slice selection module to re-send the allowed slice to the target access management module;

the third obtaining unit is used for the target access management module to obtain, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;

the third sending unit is used for sending the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module.

In a third aspect, an embodiment of the present invention further provides a system for 5G SA network IoT terminal access and access restriction. The system comprises an IoT terminal, a network manager and a user terminal; the IoT terminal comprises a first memory, a first processor and a first computer program stored on the first memory and executable on the first processor; the network manager comprises a second memory, a second processor and a second computer program stored on the second memory and executable on the second processor; the user terminal comprises a third memory, a third processor and a third computer program stored on the third memory and executable on the third processor; and when the first processor executes the first computer program, the second processor executes the second computer program and the third processor executes the third computer program, they jointly implement the method for 5G SA network IoT terminal access and access restriction described in the first aspect above.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing a first computer program, a second computer program and a third computer program; when the first computer program is executed by a first processor, the second computer program by a second processor and the third computer program by a third processor, they jointly implement the method for 5G SA network IoT terminal access and access restriction described in the first aspect above.

Compared with the prior art, the present invention has at least one of the following beneficial technical effects:

If the network manager receives an attach request from the IoT terminal, it controls the user terminal to send an access network message; the network manager receives the access network message, and the radio access network determines the access management module corresponding to the access network message; the determined access management module obtains, from a preset slice database, the user's subscribed network slice corresponding to the access network message; it is judged whether the determined access management module can process the user's subscribed network slice; if the determined access management module cannot process the user's subscribed network slice, the network slice selection module obtains the allowed slice and the target access management module corresponding to the user's subscribed network slice; the network slice selection module re-sends the allowed slice to the target access management module; the target access management module obtains, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice; and the user subscription policy is sent to the IoT terminal, so that the IoT terminal accesses the target access management module.

The policy control module subscribes to tracking-area changes for the individual user. When the user terminal changes tracking area, it actively reports a location update message, and the policy control module performs policy control on the tracking area code carried in the session message of the session management module: when the tracking area code is in the allow list, a dynamic control policy such as quality-of-service assurance is issued; when the tracking area code is not in the allow list, all of the user's traffic is blocked, so that the user's traffic does not leave the campus.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 2 is a schematic diagram of a scenario of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 3 is another schematic flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 4 is a schematic sub-flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 5 is another schematic sub-flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 6 is a further schematic sub-flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 7 is yet another schematic sub-flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 8 is a further schematic sub-flowchart of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 9 is a schematic diagram of another application scenario of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 10 is a schematic diagram of a further application scenario of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 11 is a schematic diagram of yet another application scenario of the method for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 12 is a schematic block diagram of the system for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

FIG. 13 is a schematic block diagram of a computer device provided by an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "comprises" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.

It should also be understood that the terminology used in the description of the present invention is for the purpose of describing particular embodiments only and is not intended to limit the present invention. As used in the description of the present invention and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be further understood that the term "and/or" as used in the description of the present invention and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes those combinations.

请参阅图1及图2,图1为本发明实施例提供的5G SA网络物联网终端接入和访问限制的方法的流程示意图,图2为本发明实施例提供的5G SA网络物联网终端接入和访问限制的方法的应用场景示意图;该5G SA网络物联网终端接入和访问限制的方法应用于SA网络物联网系统10中,该系统10包括物联网终端11、网络管理器12及用户终端13,该5G SA网络物联网终端接入和访问限制的方法通过安装于物联网终端11、网络管理器12及用户终端13中的应用软件进行执行,其中,用户终端13即是基于SIM卡与网络管理器12进行无线通信连接的终端设备,如智能手表、智能音响、智能手机等智能设备,网络管理器12也即是用于进行网络桥接及管理的网关服务器,网络管理器12可用于对网络访问请求进行传输管理,物联网终端11即是用于为用户终端13提供网络信息服务的平台服务器。网络管理器12分别与物联网终端11及用户终端13建立网络连接以实现数据信息的传输,用户终端13可发送网络访问请求至网络管理器12,物联网终端11可根据网络管理器12处理的网络访问请求为用户终端13提供相应的网络服务,网络管理器12内设有无线电接入网RAN、接入管理模块AMF、网络切片选择模块及策略控制模块PCF。如图1所示,该方法包括步骤S110~S180。。Please refer to Fig. 1 and Fig. 2, Fig. 1 is a schematic flowchart of a method for accessing and restricting access of a 5G SA network IoT terminal provided by an embodiment of the present invention, Fig. 2 is a schematic flow diagram of a 5G SA network IoT terminal access provided by an embodiment of the present invention Schematic diagram of the application scenario of the method for entry and access restriction; the method for 5G SA network Internet of Things terminal access and access restriction is applied in the SA network Internet of Things system 10, and the system 10 includes an Internet of Things terminal 11, a network manager 12 and a user Terminal 13, the 5G SA network Internet of Things terminal access and access restriction method is executed by the application software installed in the Internet of Things terminal 11, network manager 12 and user terminal 13, wherein the user terminal 13 is based on the SIM card A terminal device wirelessly connected to the network manager 12, such as smart watches, smart speakers, smart phones and other smart devices, the network manager 12 is also a gateway server for network bridging and management. The network manager 12 can be used for The network access request is transmitted and managed, and the IoT terminal 11 is a platform server for providing network information services for the user terminal 13 . 
The network manager 12 respectively establishes a network connection with the IoT terminal 11 and the user terminal 13 to realize the transmission of data information, the user terminal 13 can send a network access request to the network manager 12, and the IoT terminal 11 can process according to the network manager 12 The network access request provides corresponding network services for the user terminal 13, and the network manager 12 is equipped with a radio access network RAN, an access management module AMF, a network slice selection module and a policy control module PCF. As shown in FIG. 1, the method includes steps S110-S180. .

S110、若所述网络管理器接收到来自所述物联网终端的附着请求,控制所述用户终端13发送接入网络消息。S110. If the network manager receives the attachment request from the IoT terminal, control the user terminal 13 to send a network access message.

网络管理器可接收来自物联网终端的附着请求,若网络管理器接收到附着请求,则发送反馈信号至用户终端13,用户终端13接收到反馈信号后发送接入网络消息至网络管理器。The network manager can receive an attachment request from an IoT terminal, and if the network manager receives the attachment request, it will send a feedback signal to the user terminal 13, and the user terminal 13 will send a network access message to the network manager after receiving the feedback signal.

S120. The network manager receives the access network message, and the radio access network RAN determines the access management module AMF corresponding to the access network message.

As shown in FIG. 3, in a specific embodiment, sub-steps S111, S112 and S113 are also included before step S120.

S111. Determine whether the access network message contains a request slice R. S112. If the access network message contains a request slice R, perform the step of determining the corresponding access management module AMF according to the request slice R in the access network message. S113. If the access network message does not contain a request slice R, send a registration request to the default access management module AMF.

As shown in FIG. 4, in a specific embodiment, step S120 includes sub-steps S121, S122, S123 and S124.

S121. Parse the access network message to obtain the corresponding GUAMI information. S122. Determine whether a matching access management module AMF can be obtained according to the GUAMI information; in another embodiment, the matching access management module AMF may be replaced by the system default access management module AMF. S123. If a matching access management module AMF can be obtained according to the GUAMI information, take that one matching access management module AMF as the determined access management module AMF. S124. If no matching access management module AMF can be obtained according to the GUAMI information, determine the corresponding access management module AMF according to the request slice R in the access network message.

The access management module AMF is the main functional unit of the 5G (fifth generation mobile communication technology) core network and is used to complete the access and mobility management of end users; the GUAMI information is the unique identifier of an access management module AMF. In the case of 5G access, the AN parameters (access network parameters) in the access network message include the GUAMI information, the request slice R and the like.

S130. The determined access management module AMF obtains the user subscribed network slice S corresponding to the access network message from a preset slice database.

The network manager is also provided with a unified data management module UDM. By providing a management architecture that can manage basic IT facilities such as network, security and storage in a unified manner, the unified data management module UDM creates a unified management hub for the IT system and helps users manage, use and protect data assets more effectively. The preset slice database is located in the unified data management module UDM and contains three types of slice: the request slice R (optional), the subscribed network slice S and the allowed slice A.

As shown in FIG. 5, in a specific embodiment, steps S131, S132 and S133 follow step S130.

S131. If the target access management module AMF obtains the user subscription policy, determine whether the request slice R, the user subscribed network slice S and the allowed slice A can be combined to form an intersection slice. S132. If an intersection slice can be formed, allow the user terminal 13 to access. S133. If no intersection slice can be formed, deny the user terminal 13 access. The slice that the user terminal 13 finally accesses is the intersection of the three slices: the request slice R (if any), the subscribed network slice S and the allowed slice A. If the intersection of the three is empty, the user terminal 13 is denied access and the access procedure fails.

S140. Determine whether the determined access management module AMF can process the user subscribed network slice S.

If the determined access management module AMF can process the user subscribed network slice S, the target access management module AMF obtains the pre-stored user subscription policy corresponding to the allowed slice A from the policy control module PCF and sends the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module AMF. The policy control module PCF is similar to the PCRF (policy and charging rules function) among the 4G network elements and is mainly used for charging, dynamic policy control and so on.

S150. If the determined access management module AMF cannot process the user subscribed network slice S, the network slice selection module obtains the allowed slice A corresponding to the user subscribed network slice S and the target access management module AMF.

S160. The network slice selection module resends the allowed slice A to the target access management module AMF.

S170. The target access management module AMF obtains the pre-stored user subscription policy corresponding to the allowed slice A from the policy control module PCF.

As shown in FIG. 6, in a specific embodiment, step S170 is specifically step S171: the policy control module PCF subscribes, on the basis of a preset tracking area code TAC, to the handover of a single user between tracking areas TA, so as to obtain the user subscription policy. More specifically, the policy control module PCF performs session policy control on the user on the basis of the preset tracking area code TAC; session policy control means that the policy control module PCF subscribes to a single user's handover between tracking areas TA in order to obtain the user subscription policy.

The tracking area code TAC identifies the area used for paging and location update. Its planning must ensure that paging channel capacity is not constrained while keeping the location update overhead at area borders minimal, and it must be easy to manage. Reasonable planning of the tracking area code TAC balances the paging load against the location update signalling procedure and effectively controls the signalling load of the system.

As shown in FIG. 7, the network manager is further provided with a session management module SMF. The session management module SMF is mainly responsible for interacting with the separated data plane, creating, updating and deleting PDU sessions, and managing the session context with the user plane function UPF. A PDU session is a communication process between a user terminal 13 and a data network DN. The user plane function UPF is a basic component of the 5G core network infrastructure system architecture defined by 3GPP (Third Generation Partnership Project); on the basis of the user plane function UPF an operator can apply rate limiting, charging and lawful interception to user data transmission and record traffic usage. The 5G user plane function UPF can be deployed closer to the edge on demand, reducing network latency, increasing the transmission rate and connecting to the user's intranet so that traffic does not leave the campus, which meets the needs of users at different levels. That the user plane function UPF can be pushed down in this way is a result of the separation of the 5G control plane and user plane and reflects the great progress of 5G over 4G technology.

In a specific embodiment, step S171 includes sub-steps S1711, S1712, S1713 and S1714.

S1711. If the signal that the user terminal 13 has handed over between tracking areas TA is received, the location is actively reported to update the access network message. S1712. The radio access network RAN re-determines the access management module AMF newly corresponding to the updated access network message. S1713. The newly corresponding access management module AMF reports the updated access network message to the policy control module PCF through a preset interface. S1714. The policy control module PCF performs session policy control on the tracking area code TAC carried in the session management module SMF.

As shown in FIG. 8, in a specific embodiment, step S1714 includes sub-steps S1715 and S1716.

S1715. If the tracking area code TAC is in the allow list of the session management module SMF, issue a dynamic policy to ensure that a first policy is output; the first policy is a higher quality of service policy. S1716. If the tracking area code TAC is not in the allow list of the session management module SMF, issue a blocking instruction to ensure that a second policy is output, which then blocks all of the user's traffic so that the user's traffic does not leave the campus; the second policy is the corresponding business rule with the highest global priority.

S180. Send the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module AMF.

Because the number of slices that can be configured in the 5G core network and the wireless base stations is limited, it is impossible to assign each customer its own slice for access control. Therefore, in the present invention a small number of public slices are selected for access restriction, and an allowed slice A is added on the base stations and core network elements related to the campus. The network slice selection module is configured with the slices supported by each tracking area code TAC; the access management module AMF subscribes to the mapping between tracking area codes TAC and slices through the network slice selection module and obtains the slices configured under that tracking area code TAC. Because the range of a tracking area code TAC is generally large, a small number of public slices can meet the needs of most users.

The policy control module PCF subscribes to inter-TA handover for a single user. When the user terminal 13 hands over between tracking areas TA, it actively reports a location update message, and the policy control module PCF performs policy control on the tracking area code TAC carried in the session message of the session management module SMF: when the tracking area code TAC is in the allowed list, a dynamic control policy such as quality of service assurance is issued; when the tracking area code TAC is not in the allowed list, all of the user's traffic is blocked, so that the user's traffic does not leave the campus.

The main scenarios involved are illustrated as follows:

As shown in FIG. 9, scenario 1: campus 1 is defined as the coverage area of base station 3, and base station 1, base station 2 and base station 3 are all under the same tracking area code TAC.

In this scenario, using only the policy control module PCF configuration to apply access restriction at the tracking area code TAC level precisely restricts the user to campus 1. Accordingly, base station 1 and base station 2 are configured with the default slice A0, base station 3 is configured with the campus public slice A1, and the corresponding session control policy is configured on the policy control module PCF according to tracking area code TAC1.

For users of this campus, the subscribed network slice is S1; in this scenario S1=A1, and the request slice R of the user terminal 13 is empty by default. Therefore the finally allowed slice in this scenario is A1, and users subscribed to S1 complete the registration and access procedure normally. After the session is established, when the policy control module PCF determines that tracking area code TAC1 is in the allowed list, it issues a higher priority service policy. When the user moves to an area outside base station 3, the finally allowed slice A1 is empty and the user is denied access.

For users not belonging to this campus, the subscribed network slice is S2 and the request slice R of the user terminal 13 is empty, so the finally allowed slice A1 is empty, the user is denied access and registration fails.

From the above analysis, in this scenario it is guaranteed that a user from outside the campus cannot access the user's intranet no matter where that user is, while a user of the campus can access the intranet and enjoy a higher quality of service when located inside the campus and is denied access when moving outside the campus, thereby achieving a two-way secure access restriction.

If different customers are all configured with the same slice, a terminal may access through other base stations outside the campus. This scenario requires the location restriction of the tracking area code TAC to be superimposed, that is, the policy control module PCF issues a tracking area code TAC location control policy to achieve area restriction of different campuses under the same slice (without re-planning the tracking area code TAC).

As shown in FIG. 10, scenario 2: campus 1 is defined as the coverage area of base station 3, campus 2 is defined as the coverage area of base station 4, and base station 1, base station 2 and base station 3 are under the same tracking area code TAC.

Base station 1 and base station 2 are configured with the default slice A0, and base station 3 and base station 4 are configured with the campus public slice A1. At the same time, the corresponding session control policies are configured on the policy control module PCF according to tracking area code TAC1 and tracking area code TAC2 respectively: the tracking area code TAC that users of campus 1 are allowed to access is configured as tracking area code TAC1, and the tracking area code TAC that users of campus 2 are allowed to access is configured as tracking area code TAC2.

For users of campus 1 and campus 2, the subscribed network slice is S1; in this scenario S1=A1, and the request slice R of the user terminal 13 is empty by default. Therefore the finally allowed slice for campus 1 and campus 2 in this scenario is A1, and users subscribed to S1 complete the registration and access procedure normally.

In this scenario, the access restriction of campus 1 under tracking area code TAC1 is the same as in scenario 1. If a user of campus 1 moves to campus 2, a location reporting event is triggered. Because the campus public slice is the same, the user of campus 1 can still access campus 2 normally; after entering the session establishment procedure, the policy control module PCF determines that the reported tracking area code TAC2 is not in the allowed access list and issues a traffic blocking policy, which appears to the user as normal access but no ability to reach the intranet of campus 1. When the user moves back to campus 1, the location update is reported to the policy control module PCF and normal service is restored in real time.

Users of campus 2 can only access services normally within the coverage of base station 4; in all other cases the reason for blocking is the same as for campus 1.

From the above analysis, in this scenario it is guaranteed that when a user of this campus moves to a different campus under the same slice, the user cannot access the intranet; only when located inside the campus can the user access the intranet and enjoy a higher quality of service.

As shown in FIG. 11, scenario 3: campus 1 is defined as the coverage area of base station 3, campus 2 is defined as the coverage area of base station 4 and base station 5, and base stations 1, 2, 3, 4 and 5 are all under the same tracking area code TAC.

Base stations 1 and 2 are configured with the default slice A0, base station 3 is configured with the campus public slice A1, and base stations 4 and 5 are configured with the campus public slice A2. At the same time, the corresponding session control policy is configured on the policy control module PCF according to tracking area code TAC1, and the tracking area code TAC that users of campus 1 and campus 2 are allowed to access is configured as tracking area code TAC1 in both cases.

For users of campus 1, the subscribed network slice is S1; in this scenario S1=A1, and the request slice R of the terminal is empty by default. For users of campus 2, the subscribed network slice is S2; in this scenario S1=A2, and the request slice R of the terminal is empty by default. Therefore, in this scenario the finally allowed slice for campus 1 is A1 and the finally allowed slice for campus 2 is A2.

In this scenario, if a user of campus 1 moves to campus 2, the user of campus 1 cannot access normally because the slices differ. Likewise, if a user of campus 1 moves to campus 2, the user of campus 2 cannot access normally because the slices differ.

The analysis of users of campus 1 and campus 2 accessing areas outside tracking area code TAC1 is the same as in scenario 1 and is not repeated here.

From the above analysis, in this scenario it is guaranteed that when users of different campuses under the same tracking area code TAC move to another campus under the same tracking area code TAC, they cannot access the intranet; only when located inside their own campus can they access the intranet and enjoy a higher quality of service.
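The access decision (AMF selection in S111 to S124 and the R, S, A intersection in S131 to S133) and the TAC allow-list policy of S1715 to S1716, replayed over scenarios 1 to 3 as an added Python model. This is not code from the patent or from Tianyi IoT; every AMF name, GUAMI value, TAC name and base station id in it is constructed for the illustration.

```python
"""Added example, not code from the patent or from Tianyi IoT Technology:
a plain-Python model of the access decision (steps S111-S124, S131-S133)
and of the TAC-based session policy (S1715-S1716), replayed over the
three scenarios. All tables and identifiers below are constructed."""
from dataclasses import dataclass

# Constructed routing tables for AMF selection (S113, S121-S124).
GUAMI_TO_AMF = {"guami-01": "AMF-1", "guami-02": "AMF-2"}
SLICE_TO_AMF = {"A0": "AMF-1", "A1": "AMF-2", "A2": "AMF-2"}
DEFAULT_AMF = "AMF-1"


@dataclass
class Scenario:
    """One deployment: the allowed slice A and TAC carried by each base
    station, each user's subscribed slice S (UDM) and the PCF allow list."""
    cell_slice: dict   # base station -> allowed slice A configured on it
    cell_tac: dict     # base station -> tracking area code
    subscribed: dict   # user -> subscribed network slice S
    allowed_tac: dict  # user -> set of TACs on the PCF allow list


def select_amf(guami, requested):
    """AMF selection order: GUAMI match first, then request slice R, then
    the default AMF. The patent does not say what happens when R names a
    slice no AMF serves; treating it like a missing R is an assumption."""
    if guami in GUAMI_TO_AMF:
        return GUAMI_TO_AMF[guami]
    if requested in SLICE_TO_AMF:
        return SLICE_TO_AMF[requested]
    return DEFAULT_AMF


def allowed_slice(requested, subscribed, cell):
    """S131-S133: the granted slice is the intersection of R (if present),
    S and A. Returns the slice, or None when the intersection is empty."""
    candidates = {subscribed} & {cell}
    if requested is not None:
        candidates &= {requested}
    return next(iter(candidates), None)


def session_policy(tac, allow_list):
    """S1715-S1716: TAC on the allow list -> dynamic QoS policy; otherwise
    the blocking policy that stops all of the user's traffic."""
    return "QOS_POLICY" if tac in allow_list else "BLOCK_ALL"


def decide(scn, user, cell, requested=None, guami=None):
    """Outcome for one user camped on one base station: whether
    registration succeeds, which slice is granted, and which session
    policy the PCF applies after the location report."""
    amf = select_amf(guami, requested)
    granted = allowed_slice(requested, scn.subscribed[user], scn.cell_slice[cell])
    if granted is None:  # S133: empty intersection, access denied
        return {"amf": amf, "registered": False, "slice": None, "policy": None}
    policy = session_policy(scn.cell_tac[cell], scn.allowed_tac[user])
    return {"amf": amf, "registered": True, "slice": granted, "policy": policy}


# Scenario 1 (FIG. 9): BS1-BS3 share TAC1; BS3 is campus 1 and carries A1.
# S1 = A1 in the text's notation, so the slice value A1 is used directly;
# S2 is an outsider subscription that no campus cell carries.
SCENARIO_1 = Scenario(
    cell_slice={"BS1": "A0", "BS2": "A0", "BS3": "A1"},
    cell_tac={"BS1": "TAC1", "BS2": "TAC1", "BS3": "TAC1"},
    subscribed={"campus1-user": "A1", "outsider": "S2"},
    allowed_tac={"campus1-user": {"TAC1"}, "outsider": set()},
)

# Scenario 2 (FIG. 10): campus 2 (BS4) shares slice A1 but sits in TAC2.
SCENARIO_2 = Scenario(
    cell_slice={"BS1": "A0", "BS2": "A0", "BS3": "A1", "BS4": "A1"},
    cell_tac={"BS1": "TAC1", "BS2": "TAC1", "BS3": "TAC1", "BS4": "TAC2"},
    subscribed={"campus1-user": "A1", "campus2-user": "A1"},
    allowed_tac={"campus1-user": {"TAC1"}, "campus2-user": {"TAC2"}},
)

# Scenario 3 (FIG. 11): both campuses in TAC1, separated by slice A1 vs A2.
SCENARIO_3 = Scenario(
    cell_slice={"BS1": "A0", "BS2": "A0", "BS3": "A1", "BS4": "A2", "BS5": "A2"},
    cell_tac={bs: "TAC1" for bs in ("BS1", "BS2", "BS3", "BS4", "BS5")},
    subscribed={"campus1-user": "A1", "campus2-user": "A2"},
    allowed_tac={"campus1-user": {"TAC1"}, "campus2-user": {"TAC1"}},
)


def run_scenarios():
    """Replay the movements discussed in the text; keys are (scenario, user, cell)."""
    cases = [
        (1, SCENARIO_1, "campus1-user", "BS3"),  # inside campus 1: QoS policy
        (1, SCENARIO_1, "campus1-user", "BS1"),  # left campus 1: A1 empty, denied
        (1, SCENARIO_1, "outsider", "BS3"),      # S2 never intersects A1
        (2, SCENARIO_2, "campus1-user", "BS4"),  # same slice, wrong TAC: blocked
        (2, SCENARIO_2, "campus2-user", "BS4"),  # own campus: QoS policy
        (3, SCENARIO_3, "campus1-user", "BS4"),  # different slice: denied
        (3, SCENARIO_3, "campus2-user", "BS5"),  # own campus: QoS policy
    ]
    return {(n, user, cell): decide(scn, user, cell) for n, scn, user, cell in cases}
```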

An embodiment of the present invention further provides a system for 5G SA network IoT terminal access and access restriction, which is used to perform any embodiment of the aforementioned method for 5G SA network IoT terminal access and access restriction. Specifically, please refer to FIG. 12, which is a schematic block diagram of the system for 5G SA network IoT terminal access and access restriction provided by an embodiment of the present invention.

As shown in FIG. 12, the system includes an IoT terminal 11, a network manager 12 and a user terminal 13, and the network manager 12 establishes network connections with the IoT terminal 11 and with the user terminal 13 respectively to transmit data. The system includes an attach request unit 111 configured in the IoT terminal 11, a first sending unit 131 configured in the user terminal 13, and a receiving unit 121, a first obtaining unit 122, a determining unit 123, a second obtaining unit 124, a second sending unit 125, a third obtaining unit 126 and a third sending unit 127 configured in the network manager 12.

The attach request unit 111 is used for the network manager 12 to receive an attach request from the IoT terminal 11.

The first sending unit 131 is used to control the user terminal 13 to send an access network message if the network manager 12 receives an attach request from the IoT terminal 11.

The receiving unit 121 is used for the network manager 12 to receive the access network message, with the radio access network RAN determining the access management module AMF corresponding to the access network message.

The first obtaining unit 122 is used for the determined access management module AMF to obtain the user subscribed network slice S corresponding to the access network message from the preset slice database.

The determining unit 123 is used to determine whether the determined access management module AMF can process the user subscribed network slice S.

The second obtaining unit 124 is used for the network slice selection module to obtain the allowed slice A corresponding to the user subscribed network slice S and the target access management module AMF if the determined access management module AMF cannot process the user subscribed network slice S.

The second sending unit 125 is used for the network slice selection module to resend the allowed slice A to the target access management module AMF.

The third obtaining unit 126 is used for the target access management module AMF to obtain the pre-stored user subscription policy corresponding to the allowed slice A from the policy control module PCF.

The third sending unit 127 is used to send the user subscription policy to the IoT terminal 11, so that the IoT terminal 11 accesses the target access management module AMF.

The above method for 5G SA network IoT terminal access and access restriction may be implemented in the form of a computer program, and the IoT terminal 11 and the network manager 12 in the system for 5G SA network IoT terminal access and access restriction may each be implemented as a computer device on which that computer program runs, as shown in FIG. 13.

Here, the IoT terminal 11 includes a first memory, a first processor and a first computer program stored in the first memory and runnable on the first processor; the network manager 12 includes a second memory, a second processor and a second computer program stored in the second memory and runnable on the second processor; and the user terminal 13 includes a third memory, a third processor and a third computer program stored in the third memory and runnable on the third processor. When the first processor executes the first computer program, the second processor executes the second computer program and the third processor executes the third computer program, they jointly implement the method for 5G SA network IoT terminal access and access restriction described above.

Please refer to FIG. 13, which is a schematic block diagram of a computer device provided by an embodiment of the present invention. The computer device may be used to perform the method for 5G SA network IoT terminal access and access restriction, so that the network manager determines, according to the attach request of the IoT terminal and the access network message sent by the user terminal, whether the user terminal may access the intranet.

Referring to FIG. 13, the computer device 500 includes a processor 502, a memory and a network interface 505 connected through a system bus 501, where the memory may include a storage medium 503 and an internal memory 504.

The storage medium 503 can store an operating system 5031 and a computer program 5032. When executed, the computer program 5032 causes the processor 502 to perform the method for 5G SA network IoT terminal access and access restriction. The storage medium 503 may be a volatile or a non-volatile storage medium.

The processor 502 provides computing and control capability and supports the operation of the entire computer device 500.

The internal memory 504 provides an environment for running the computer program 5032 in the storage medium 503; when the computer program 5032 is executed by the processor 502, it causes the processor 502 to perform the method for 5G SA network IoT terminal access and access restriction.

The network interface 505 is used for network communication to transmit data, where the network communication is wired and/or wireless. Those skilled in the art will understand that the structure shown in FIG. 10 is only a block diagram of the part of the structure relevant to the solution of the present invention and does not limit the computer device 500 to which the solution of the present invention is applied; a specific computer device 500 may include more or fewer components than shown, may combine certain components, or may have a different arrangement of components.

The processor 502 is used to run the computer program 5032 stored in the memory in order to implement the corresponding functions of the above method for 5G SA network IoT terminal access and access restriction.

Those skilled in the art will understand that the embodiment of the computer device shown in FIG. 13 does not limit the specific composition of the computer device; in other embodiments the computer device may include more or fewer components than illustrated, may combine certain components, or may have a different arrangement of components. For example, in some embodiments the computer device may include only a memory and a processor, in which case the structure and function of the memory and the processor are the same as in the embodiment shown in FIG. 13 and are not repeated here.

It should be understood that in the embodiments of the present invention the processor 502 may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor.

Another embodiment of the present invention provides a computer readable storage medium, which may be a volatile or a non-volatile computer readable storage medium. The computer readable storage medium stores a first computer program, a second computer program or a third computer program; when the first computer program is executed by a first processor, the second computer program is executed by a second processor and the third computer program is executed by a third processor, they jointly implement the steps included in the SIM card based IoT directed traffic management method described above.

In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices and units may be implemented in other ways. For example, the device embodiments described above are only illustrative: the division into units is only a division by logical function, and in actual implementation other divisions are possible, units with the same function may be combined into one unit, multiple units or components may be combined or integrated into another system, and some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be an electrical, mechanical or other form of connection.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present invention.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a computer-readable storage medium and comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned computer-readable storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk and other media that can store program code.

The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them; any person skilled in the art can easily conceive of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and all such modifications or replacements fall within the protection scope of the present invention. Therefore, the protection scope of the present invention is defined by the protection scope of the claims.

Claims (10)

1. A method for 5G SA network Internet of Things terminal access and access restriction, characterized in that the method is applied to an SA network Internet of Things system comprising an Internet of Things terminal, a network manager and a user terminal, wherein the network manager establishes network connections with the Internet of Things terminal and with the user terminal respectively in order to transmit data, and the network manager is provided with a radio access network, an access management module, a network slice selection module and a policy control module; the method comprises:
if the network manager receives an attach request from the Internet of Things terminal, controlling the user terminal to send an access network message;
the network manager receiving the access network message, and the radio access network determining the access management module corresponding to the access network message;
the determined access management module obtaining, from a preset slice database, the user-subscribed network slice corresponding to the access network message;
judging whether the determined access management module can process the user-subscribed network slice;
if the determined access management module cannot process the user-subscribed network slice, the network slice selection module obtaining the allowed slice and the target access management module corresponding to the user-subscribed network slice;
the network slice selection module re-sending the allowed slice to the target access management module;
the target access management module obtaining, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;
sending the user subscription policy to the Internet of Things terminal so that the Internet of Things terminal accesses the target access management module.

2. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 1, characterized in that the radio access network determining the access management module corresponding to the access network message comprises:
parsing the access network message to obtain the corresponding GUAMI information;
judging whether a matching access management module can be obtained from the GUAMI information;
if a matching access management module can be obtained from the GUAMI information, taking the one matching access management module so obtained as the determined access management module;
if no matching access management module can be obtained from the GUAMI information, determining the corresponding access management module according to the requested slice in the access network message.

3. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 2, characterized in that, before determining the corresponding access management module according to the requested slice in the access network message, the method further comprises:
judging whether the access network message contains a requested slice;
if the access network message contains a requested slice, performing the step of determining the corresponding access management module according to the requested slice in the access network message;
if the access network message does not contain a requested slice, sending a registration request to the default access management module.

4. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 1, characterized in that the target access management module obtaining the pre-stored user subscription policy from the policy control module comprises:
the policy control module, based on a preset tracking area code, subscribing to tracking-area switching for a single user in order to obtain the user subscription policy.

5. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 4, characterized in that the network manager is further provided with a session management module, and the policy control module performs session policy control on the user based on the preset tracking area code; the policy control module subscribing to tracking-area switching for a single user in order to obtain the user subscription policy comprises:
if a tracking-area switching signal sent by the user terminal is received, actively reporting the location in order to update the access network message;
the radio access network re-determining the access management module newly corresponding to the updated access network message;
the newly corresponding access management module reporting the updated access network message to the policy control module through a preset interface;
the policy control module performing session policy control on the tracking area code carried in the session management module.

6. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 5, characterized in that the policy control module performing policy control on the tracking area code carried in the session management module comprises:
if the tracking area code is in the allowed list of the session management module, issuing a dynamic policy so that a first policy is output, the first policy being a higher quality-of-service policy;
if the tracking area code is not in the allowed list of the session management module, issuing a blocking instruction so that a second policy is output, thereby blocking all of the user's traffic so that user traffic does not leave the campus, the second policy being the corresponding service rule with the highest global priority.

7. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 2, characterized in that the determined access management module obtaining, from the preset slice database, the user-subscribed network slice corresponding to the access network message further comprises:
if the target access management module has obtained the user subscription policy, judging whether the requested slice, the user-subscribed network slice and the allowed slice can be combined to form an intersection slice;
if an intersection slice can be formed, allowing the user terminal to access;
if an intersection slice cannot be formed, rejecting access by the user terminal.

8. A system for 5G SA network Internet of Things terminal access and access restriction, characterized in that the system comprises an Internet of Things terminal, a network manager and a user terminal, the network manager establishing network connections with the Internet of Things terminal and with the user terminal respectively in order to transmit data; the system comprises an attach request unit configured in the Internet of Things terminal, a first sending unit configured in the user terminal, and a receiving unit, a first obtaining unit, a judging unit, a second obtaining unit, a second sending unit, a third obtaining unit and a third sending unit configured in the network manager, wherein:
the attach request unit is used for the network manager to receive an attach request from the Internet of Things terminal;
the first sending unit is used to control the user terminal to send an access network message if the network manager receives an attach request from the Internet of Things terminal;
the receiving unit is used for the network manager to receive the access network message and for the radio access network to determine the access management module corresponding to the access network message;
the first obtaining unit is used for the determined access management module to obtain, from a preset slice database, the user-subscribed network slice corresponding to the access network message;
the judging unit is used to judge whether the determined access management module can process the user-subscribed network slice;
the second obtaining unit is used, if the determined access management module cannot process the user-subscribed network slice, for the network slice selection module to obtain the allowed slice and the target access management module corresponding to the user-subscribed network slice;
the second sending unit is used for the network slice selection module to re-send the allowed slice to the target access management module;
the third obtaining unit is used for the target access management module to obtain, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;
the third sending unit is used to send the user subscription policy to the Internet of Things terminal so that the Internet of Things terminal accesses the target access management module.

9. A system for 5G SA network Internet of Things terminal access and access restriction, characterized in that the system comprises an Internet of Things terminal, a network manager and a user terminal; the Internet of Things terminal comprises a first memory, a first processor and a first computer program stored in the first memory and executable on the first processor; the network manager comprises a second memory, a second processor and a second computer program stored in the second memory and executable on the second processor; the user terminal comprises a third memory, a third processor and a third computer program stored in the third memory and executable on the third processor; and when the first processor executes the first computer program, the second processor executes the second computer program and the third processor executes the third computer program, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a first computer program, a second computer program and a third computer program, and when the first computer program is executed by a first processor, the second computer program is executed by a second processor and the third computer program is executed by a third processor, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction according to any one of claims 1 to 7.
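As an added example that is not part of the patent, the following Python model walks a constructed registration through the decision steps the claims describe: AMF selection by GUAMI or requested slice (claims 2 and 3), NSSF re-routing when the selected AMF cannot serve the subscribed slice (claim 1), the requested/subscribed/allowed intersection (claim 7) and the tracking-area allow list that blocks traffic leaving the campus (claim 6). The AMF names, GUAMIs, slice identifiers, subscriber ids and tracking area codes are all constructed for illustration.

```python
"""Constructed model of the access decision in claims 1-7 (not the patent's
own code). Every table, name and value below is made up for illustration."""
from dataclasses import dataclass


@dataclass
class AMF:
    name: str
    guamis: frozenset      # GUAMIs this AMF answers to
    served: frozenset      # slice identifiers this AMF can serve


@dataclass
class Decision:
    amf: str               # AMF the terminal ends up registered with
    slices: frozenset      # intersection slice actually granted
    policy: str            # "qos_high", "blocked" or "rejected"


# Constructed sample network: a default AMF plus two slice-specific AMFs.
AMFS = {
    "amf-default": AMF("amf-default", frozenset(), frozenset({"eMBB"})),
    "amf-a": AMF("amf-a", frozenset({"guami-a"}), frozenset({"eMBB"})),
    "amf-b": AMF("amf-b", frozenset({"guami-b"}), frozenset({"eMBB", "campus-iot"})),
}
# Preset slice database: subscriber id -> subscribed slices (claim 1).
SUBSCRIBED = {"supi-1": frozenset({"campus-iot"}), "supi-2": frozenset({"eMBB"})}
# NSSF table: subscribed slice -> (allowed slices, target AMF) (claim 1).
NSSF = {"campus-iot": (frozenset({"campus-iot"}), "amf-b"),
        "eMBB": (frozenset({"eMBB"}), "amf-a")}
# PCF allow list per slice: tracking area codes inside the campus (claim 6).
# None means the slice carries no tracking-area restriction.
TAC_ALLOWED = {"campus-iot": frozenset({0x1001, 0x1002}), "eMBB": None}


def select_amf(msg):
    """Claims 2 and 3: match the GUAMI first; otherwise use the requested
    slice; with neither, fall back to the default AMF."""
    guami = msg.get("guami")
    if guami:
        for amf in AMFS.values():
            if guami in amf.guamis:
                return amf.name
    requested = msg.get("requested")
    if requested:
        for amf in AMFS.values():
            if requested & amf.served:
                return amf.name
    return "amf-default"


def decide(msg):
    """Run one registration message through the steps of claims 1, 6 and 7."""
    subscribed = SUBSCRIBED.get(msg["supi"], frozenset())
    amf_name = select_amf(msg)
    if subscribed <= AMFS[amf_name].served:
        allowed = subscribed                   # selected AMF can serve it
    else:
        # Claim 1: the NSSF supplies the allowed slice and a target AMF,
        # and the registration is re-sent there.
        allowed = frozenset()
        for slice_id in subscribed:
            slice_allowed, amf_name = NSSF[slice_id]
            allowed |= slice_allowed
    # Claim 7: requested, subscribed and allowed slices must intersect.
    requested = msg.get("requested") or subscribed
    granted = requested & subscribed & allowed
    if not granted:
        return Decision(amf_name, frozenset(), "rejected")
    # Claim 6: a TAC outside the allow list blocks all of the user's traffic.
    for slice_id in granted:
        tacs = TAC_ALLOWED.get(slice_id)
        if tacs is not None and msg["tac"] not in tacs:
            return Decision(amf_name, granted, "blocked")
    return Decision(amf_name, granted, "qos_high")
```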
CN202211722173.5A 2022-12-30 2022-12-30 Method, system and medium for 5G SA network Internet of things terminal access and access restriction Pending CN116033377A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211722173.5A CN116033377A (en) 2022-12-30 2022-12-30 Method, system and medium for 5G SA network Internet of things terminal access and access restriction
PCT/CN2023/135829 WO2024140021A1 (en) 2022-12-30 2023-12-01 5g sa network internet of things terminal connection and access restriction method and system, and medium


Publications (1)

Publication Number Publication Date
CN116033377A true CN116033377A (en) 2023-04-28

Family

ID=86070153


Country Status (2)

Country Link
CN (1) CN116033377A (en)
WO (1) WO2024140021A1 (en)

Also Published As

Publication number Publication date
WO2024140021A1 (en) 2024-07-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination