WO2023160390A1 - Communication method and apparatus - Google Patents
- Publication number
- WO2023160390A1 (PCT/CN2023/074957)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- entity
- interface
- identifier
- functional entity
- indication information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
Definitions
- the present application relates to the communication field, and more specifically, to a communication method and device.
- Edge computing refers to an open platform that integrates network, computing, storage, and application core capabilities on the side close to the source of objects or data, and provides the nearest end services. With edge computing, a differentiated service network can be provided from the center to the edge.
- the edge computing platform or edge computing server
- the user plane functional network elements such as user plane function (UPF) entities
- UPF user plane function
- the present application provides a communication method and device, which can improve the security of the communication system.
- a communication method including: determining whether the first user plane function UPF entity is attacked; in the case that the first UPF entity is attacked, sending abnormal indication information to the first session management function SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked, and the first SMF entity is connected to the first UPF entity.
- abnormal indication information is sent to the first SMF entity connected to the first UPF entity to indicate that the first UPF entity is attacked, so that the first SMF entity can perform session re-establishment or user plane path adjustment related to the first UPF entity, improving the security of the communication system.
- the method further includes: acquiring connection information, where the connection information is used to indicate at least one UPF entity connected to each SMF entity in the at least one SMF entity, and the at least one SMF entity includes the first SMF entity.
- connection information is obtained, so as to determine the first SMF entity connected to the first UPF entity according to the connection information, so that the determination of the first SMF entity is easier.
- the determining whether the first user plane function UPF entity is attacked includes: determining whether the first interface of the first UPF entity is abnormal, where, in the case that the first interface is abnormal, the first UPF entity is attacked.
- when an interface of the first UPF entity is abnormal, it is determined that the first UPF entity is attacked, so that it is easier to judge that the first UPF entity is attacked.
- connection information further includes an identifier of each interface in the at least one interface of the first UPF entity, and the at least one interface of the first UPF entity includes the first interface.
- the connection information includes the identifier of each interface in the first UPF entity, so that the first UPF entity to which the abnormal interface belongs can be determined according to the identifier of the abnormal interface.
- the acquiring connection information includes: receiving connection indication information sent by the first SMF entity, where the connection indication information is used to indicate the at least one UPF entity connected to the first SMF entity.
- connection information can be determined according to the connection indication information sent by each SMF entity. This makes it easier to obtain connection information.
- the connection indication information includes the identifier of the second interface of the first SMF entity; the sending the abnormal indication information to the session management function SMF entity includes: sending the abnormal indication information according to the identifier of the second interface.
- the second interface of the first SMF entity may be an interface used by the first SMF entity to communicate with the device implementing the communication method of the first aspect. Therefore, the device implementing the communication method of the first aspect can perform addressing according to the identifier of the second interface of the first SMF entity, and send the abnormal indication information to the resulting address, so that the abnormal indication information is sent to the first SMF entity.
- connection indication information further includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used for the first UPF entity to connect to the first SMF entity, and the abnormal indication information includes the identifier of the fourth interface.
- the abnormal indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so as to facilitate subsequent processing by the first SMF entity.
- the first SMF entity may disconnect from the first UPF entity according to the identifier of the fourth interface in the abnormal indication information.
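An added sketch (not code from the patent) of the connection-indication variant described above: the SPCF builds connection information from what each SMF reports, maps an abnormal interface to its UPF and to every connected SMF, and the SMF disconnects using the fourth-interface identifier. All class, field and identifier names are assumptions, the sample topology is constructed, and how an interface is judged abnormal is outside this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UpfLink:
    """One UPF as reported by an SMF (hypothetical structure)."""
    upf_id: str
    interface_ids: tuple       # identifiers of every interface of the UPF
    fourth_interface_id: str   # UPF interface used to connect to this SMF


@dataclass(frozen=True)
class ConnectionIndication:
    """Connection indication information sent by one SMF to the SPCF."""
    smf_second_interface_id: str   # SMF interface the SPCF addresses
    upfs: tuple


@dataclass(frozen=True)
class AbnormalIndication:
    """Abnormal indication information: the named UPF is attacked."""
    destination: str               # second-interface identifier of the SMF
    upf_id: str
    fourth_interface_id: str


class Spcf:
    """Keeps the connection information and resolves whom to notify."""

    def __init__(self):
        self._upf_by_interface = {}   # interface id -> UPF id
        self._smfs_by_upf = {}        # UPF id -> {SMF second if: fourth if}

    def register(self, indication):
        # Validate first so a conflicting report leaves the state untouched:
        # one interface identifier must never resolve to two different UPFs.
        for link in indication.upfs:
            for if_id in link.interface_ids:
                owner = self._upf_by_interface.get(if_id, link.upf_id)
                if owner != link.upf_id:
                    raise ValueError(f"{if_id} already belongs to {owner}")
        for link in indication.upfs:
            for if_id in link.interface_ids:
                self._upf_by_interface[if_id] = link.upf_id
            smfs = self._smfs_by_upf.setdefault(link.upf_id, {})
            smfs[indication.smf_second_interface_id] = link.fourth_interface_id

    def on_abnormal_interface(self, interface_id):
        """Return one indication per SMF connected to the affected UPF."""
        upf_id = self._upf_by_interface.get(interface_id)
        if upf_id is None:
            return []                 # unknown interface: nobody to address
        return [AbnormalIndication(dest, upf_id, fourth)
                for dest, fourth in sorted(self._smfs_by_upf[upf_id].items())]


class Smf:
    """SMF side: reports its UPFs, then disconnects on an indication."""

    def __init__(self, second_interface_id, links):
        self.second_interface_id = second_interface_id
        self._links = tuple(links)
        # fourth-interface id -> UPF id for each live SMF/UPF connection
        self.associations = {l.fourth_interface_id: l.upf_id for l in links}

    def connection_indication(self):
        return ConnectionIndication(self.second_interface_id, self._links)

    def handle(self, indication):
        """Drop the connection named by the fourth interface; True if dropped."""
        if indication.destination != self.second_interface_id:
            return False              # addressed to another SMF
        fourth = indication.fourth_interface_id
        if self.associations.get(fourth) != indication.upf_id:
            return False              # identifier does not match a live link
        del self.associations[fourth]
        return True


def build_sample():
    """Constructed topology: upf-1 is shared by two SMFs, upf-2 is not."""
    upf1_ifs = ("upf1-data", "upf1-ctl-a", "upf1-ctl-b")
    smf_a = Smf("smf-a-sec", [UpfLink("upf-1", upf1_ifs, "upf1-ctl-a"),
                              UpfLink("upf-2", ("upf2-data", "upf2-ctl-a"),
                                      "upf2-ctl-a")])
    smf_b = Smf("smf-b-sec", [UpfLink("upf-1", upf1_ifs, "upf1-ctl-b")])
    spcf = Spcf()
    for smf in (smf_a, smf_b):
        spcf.register(smf.connection_indication())
    return spcf, smf_a, smf_b


if __name__ == "__main__":
    spcf, smf_a, smf_b = build_sample()
    for ind in spcf.on_abnormal_interface("upf1-data"):
        target = smf_a if ind.destination == smf_a.second_interface_id else smf_b
        print(ind, "->", "disconnected" if target.handle(ind) else "ignored")
```
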
- the connection information includes an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity.
- the method further includes: when the first UPF entity is abnormal, sending first request information to the network storage function NRF entity, where the first request information includes the identifier of the third interface; receiving first response information sent by the NRF entity, where the first response information includes the identifier of the second interface of the first SMF entity; the sending the abnormal indication information to the first session management function SMF entity includes: sending the abnormal indication information according to the identifier of the second interface.
- the identifier of the second interface of the first SMF entity may be requested from the NRF entity. Afterwards, abnormal indication information is sent to the first SMF entity according to the identifier of the second interface.
- connection information is determined according to interaction information between the at least one UPF entity and the at least one SMF entity, where the first interaction information between the first UPF entity and the first SMF entity includes an identifier of the third interface and an identifier of each interface in at least one interface of the first UPF entity.
- the identifier of the third interface of the first SMF may be determined according to the connection information and the identifier of the first interface.
- the identification of the second interface of the first SMF may be requested from the NRF entity.
- at least one interface of the first UPF entity includes a fourth interface, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormal indication information includes the identifier of the fourth interface.
- the abnormal indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so as to facilitate subsequent processing by the first SMF entity.
- the method further includes: when the first UPF entity is abnormal, sending second request information to the unified database UDR entity, where the second request information includes the identifier of the first UPF entity; receiving second response information sent by the UDR entity, where the second response information includes the identifier of the first SMF entity.
- the identifier of the first SMF entity connected to the first UPF entity to which the abnormal interface belongs is obtained, so as to send abnormality indication information to the first SMF entity without storing the connection relationship between the UPF entity and the SMF entity.
- the determining whether the first user plane function UPF entity is attacked includes: determining whether the first interface of the first UPF entity is abnormal, where, in the case that the first interface is abnormal, the first UPF entity is attacked; the identifier of the first UPF entity includes an identifier of an abnormal first interface in the first UPF entity.
- when an interface of the first UPF entity is abnormal, it is determined that the first UPF entity is attacked, so that it is easier to judge that the first UPF entity is attacked.
- the identifier of the first interface is used as the identifier of the first UPF entity, so there is no need to determine the UPF entity to which the first interface belongs; the UDR entity can determine the first SMF entity connected to the first UPF entity according to the identifier of the first interface. Therefore, the manner of determining the first SMF entity is simplified.
- the identifier of the first SMF entity includes an identifier of a second interface of the first SMF entity, and the sending the abnormal indication information to the first session management function SMF entity includes: sending the abnormal indication information according to the identifier of the second interface.
- the UDR entity may determine the second interface of the first SMF entity connected to the first UPF entity according to the identifier of the first interface in the first UPF entity.
- the second interface of the first SMF entity may be an interface used by the first SMF entity to communicate with the device implementing the communication method of the first aspect. Therefore, the device implementing the communication method of the first aspect can perform addressing according to the identifier of the second interface of the first SMF entity, and send the abnormal indication information to the resulting address, so that the abnormal indication information is sent to the first SMF entity.
- the second response information further includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used for the first UPF entity to connect to the first SMF entity, and the abnormal indication information includes the identifier of the fourth interface.
- the abnormal indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so as to facilitate subsequent processing by the first SMF entity.
- a communication device including: a processing module and a transceiver module; the processing module is used to determine whether the first user plane function UPF entity is attacked; the transceiver module is configured to, in the case that the first UPF entity is attacked, send abnormal indication information to the first session management function SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked, and the first SMF entity is connected to the first UPF entity.
- the apparatus further includes an acquisition module, configured to acquire connection information, where the connection information is used to indicate at least one UPF entity connected to each SMF entity in the at least one SMF entity, and the at least one SMF entity includes the first SMF entity.
- the processing module is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- connection information further includes an identifier of each interface in the at least one interface of the first UPF entity, and the at least one interface of the first UPF entity includes the first interface.
- the obtaining module is specifically configured to receive connection indication information sent by the first SMF entity, where the connection indication information is used to indicate the at least one UPF entity connected to the first SMF entity.
- connection indication information includes an identifier of a second interface of the first SMF entity; the transceiver module is specifically configured to send the abnormal indication information according to the identifier of the second interface.
- connection indication information further includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used for the first UPF entity to connect to the first SMF entity, and the abnormal indication information includes the identifier of the fourth interface.
- the connection information includes an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity; the transceiver module is further configured to, when the first UPF entity is abnormal, send first request information to the network storage function NRF entity, where the first request information includes the identifier of the third interface; the transceiver module is also used to receive the first response information sent by the NRF entity, where the first response information includes the identifier of the second interface of the first SMF entity; the transceiver module is specifically used to send the abnormal indication information according to the identifier of the second interface.
- connection information is determined according to interaction information between the at least one UPF entity and the at least one SMF entity, where the first interaction information between the first UPF entity and the first SMF entity includes an identifier of the third interface and an identifier of each interface in at least one interface of the first UPF entity.
- the transceiver module is further configured to, when the first UPF entity is abnormal, send second request information to the unified database UDR entity, where the second request information includes the identifier of the first UPF entity; the transceiver module is further configured to receive second response information sent by the UDR entity, where the second response information includes the identifier of the first SMF entity.
- the processing module is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked; the identifier of the first UPF entity includes an identifier of an abnormal first interface in the first UPF entity.
- the identifier of the first SMF entity includes an identifier of a second interface of the first SMF entity, and the transceiver module is specifically configured to send the abnormal indication information according to the identifier of the second interface.
- a communication method is provided, which is applied to a session management function SMF entity, and the method includes: receiving abnormal indication information sent by a security policy control function SPCF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked; and disconnecting from the first UPF entity.
- when the session management function SMF entity receives the abnormal indication information sent by the SPCF entity, it disconnects from the first UPF entity, so as to improve the security of the communication system.
- the method further includes: sending interface indication information to a network storage function NRF entity, where the interface indication information includes the identifier of the second interface of the SMF entity and the identifier of the third interface of the SMF entity, and the third interface is used for the connection between the SMF entity and the first UPF entity;
- the abnormal indication information is sent by the SPCF entity according to the first response information sent by the NRF entity, the first response information includes the identifier of the third interface, the first response information is sent by the NRF entity according to the first request information, the first request information includes the identifier of the second interface, and the first request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked.
- the SMF entity registers the identifier of the second interface of the SMF entity and the identifier of the third interface of the SMF entity in the NRF entity by sending interface indication information to the NRF entity. Therefore, when it is determined that the first UPF entity is abnormal, the SPCF entity may, after determining the SMF entity connected to the first UPF entity, request the identifier of the second interface of the SMF entity from the NRF entity according to the identifier of the third interface of the first SMF entity. Afterwards, the SPCF entity may send abnormal indication information to the SMF entity according to the identifier of the second interface.
- the method further includes: sending first connection indication information to the SPCF entity, where the first connection indication information is used to indicate at least one UPF entity connected to the SMF entity, and the at least one UPF entity includes the first UPF entity.
- the SPCF entity can determine the SMF entity connected to the attacked first UPF entity according to the first connection indication information.
- the first connection indication information includes an identifier of a second interface of the first SMF entity, and the abnormal indication information is sent according to the identifier of the second interface.
- the second interface of the SMF entity may be an interface used by the SMF entity to communicate with the SPCF entity. Therefore, the SPCF entity can address according to the identifier of the second interface, and send the abnormality indication information to the address of the addressing result, so that the abnormality indication information is sent to the SMF entity.
- the method further includes: sending second connection indication information to the unified database UDR entity, where the second connection indication information is used to indicate at least one UPF entity connected to the SMF entity, and the at least one UPF entity includes the first UPF entity; the abnormal indication information is sent by the SPCF entity according to the second response information, and the second response information includes the identifier of the SMF entity; the second response information is sent by the UDR entity according to the second request information, and the second request information includes the identifier of the first UPF entity; the second request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked.
- the SMF entity registers in the UDR entity at least one UPF entity connected to the SMF entity by sending the second connection indication information to the UDR entity.
- the second connection indication information may include the identifier of the SMF entity and the identifier of each UPF entity in the at least one UPF entity.
- the SPCF entity can send request information to the unified database UDR entity, acquire the identifier of the SMF entity connected to the first UPF entity to which the abnormal interface belongs, and send abnormal indication information to the SMF entity according to the identifier of the SMF entity.
- the second connection indication information includes an identifier of the SMF entity, the identifier of the SMF entity includes an identifier of a second interface of the SMF entity, and the abnormal indication information is sent by the SPCF entity according to the identifier of the second interface.
- the second connection indication information includes the identifier of the second interface of the SMF entity, so that the UDR entity can determine the second interface of the first SMF entity connected to the first UPF entity according to the identifier of the first interface in the first UPF entity.
- the second interface of the SMF entity may be the interface used by the first SMF entity to communicate with the device implementing the communication method of the first aspect. Therefore, the SPCF entity can perform addressing according to the identifier of the second interface of the SMF entity, and send the abnormal indication information to the address of the addressing result, so that the abnormal indication information is sent to the SMF entity.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used for the connection between the first UPF entity and the SMF entity, the second response information further includes the identifier of the fourth interface, and the abnormal indication information includes the identifier of the fourth interface.
- the second connection indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so that the abnormal indication information may include the identification of the fourth interface, so that the first SMF entity can perform subsequent processing.
- a communication method including: receiving interface indication information sent by a first SMF entity, where the interface indication information includes an identifier of a second interface of the first SMF entity and an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity; receiving the first request information sent by the SPCF entity, where the first request information includes the identifier of the second interface, and the first request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked; sending the first response information to the SPCF entity, where the first response information includes the identifier of the third interface, and the identifier of the third interface is used for the first SMF entity to send abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- a communication method including: receiving second connection indication information sent by a first SMF entity, where the second connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity; receiving second request information sent by the SPCF entity, where the second request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked, and the second request information includes the identifier of the first UPF entity; sending the second response information to the SPCF entity, where the second response information includes the identifier of the first SMF entity, and the identifier of the first SMF entity is used for the first SMF entity to send abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the second connection indication information includes an identifier of the SMF entity, the identifier of the SMF entity includes an identifier of a second interface of the SMF entity, and the abnormal indication information is sent by the SPCF entity according to the identifier of the second interface.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used for the connection between the first UPF entity and the SMF entity, the second response information further includes the identifier of the fourth interface, and the abnormal indication information includes the identifier of the fourth interface.
- a communication device including the individual modules for implementing the method in any one implementation manner of the fourth aspect to the sixth aspect.
- a communication device including a processor and a communication interface, the communication interface is used for the communication device to exchange information with other communication devices, and when the program instructions are executed in the at least one processor, the communication device executes the method in any one implementation manner of the first aspect, the fourth aspect to the sixth aspect.
- a computer-readable medium stores program code for execution by a device, and the program code includes instructions for executing the method in any one implementation manner of the first aspect, the fourth aspect to the sixth aspect.
- a computer program product containing instructions, and when the computer program product is run on a computer, it causes the computer to execute the method in any one of the implementation manners of the first aspect, the fourth aspect to the sixth aspect above.
- a chip in a tenth aspect includes a processor and a data interface, and the processor reads instructions stored on the memory through the data interface, and executes the method in any implementation manner of the above-mentioned first aspect, the fourth aspect to the sixth aspect.
- the chip may further include a memory, the memory stores instructions, the processor is configured to execute the instructions stored in the memory, and when the instructions are executed, the processor is configured to execute the method in the first aspect or any one implementation manner of the fourth aspect to the sixth aspect.
- the aforementioned chip may specifically be a field-programmable gate array (FPGA) or an application-specific integrated circuit (ASIC).
- FPGA field-programmable gate array
- ASIC application-specific integrated circuit
- the method in the first aspect may specifically refer to the first aspect and the method in any of the various implementation manners in the first aspect.
- FIG. 1 is a schematic diagram of a possible network architecture of an embodiment of the present application.
- Fig. 2 is a schematic diagram of another possible network architecture of the embodiment of the present application.
- Fig. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- Fig. 4 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- FIG. 5 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- Fig. 6 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- FIG. 7 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- FIG. 8 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- FIG. 9 is a schematic flowchart of another communication method provided by an embodiment of the present application.
- Fig. 10 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
- Fig. 11 is a schematic structural diagram of another communication device provided by an embodiment of the present application.
- the technical solution of the embodiment of the present application can be applied to various communication systems, such as: global system for mobile communications (GSM) system, code division multiple access (CDMA) system, wideband code division multiple access (WCDMA) system, general packet radio service (GPRS), long term evolution (LTE) system, LTE frequency division duplex (FDD) system, LTE time division duplex (TDD), universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication system, the future fifth generation (5G) system or new radio (NR), etc.
- GSM global system for mobile communications
- CDMA code division multiple access
- WCDMA wideband code division multiple access
- GPRS general packet radio service
- LTE long term evolution
- FIG. 1 is a schematic diagram of a network architecture applicable to the communication method provided by the embodiment of the present application.
- the network architecture 100 shown in FIG. 1 may specifically include one or more of the following network elements:
- User equipment can be called terminal equipment, terminal, access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, wireless communication equipment, user agent or user device.
- the UE can also be a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device having a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a future 5G network or a terminal device in a future evolved public land mobile network (PLMN), etc.; it can also be an end device, a logical entity or a smart device, such as a mobile phone, a smart terminal or other terminal device, or a communication device such as a server, gateway, base station or controller, or an Internet of things (IoT) device, such as a sensor, electricity meter or water meter.
- the UE may also be a
- Access network: provides network access functions for authorized users in a specific area, and can use transmission tunnels of different qualities according to user levels and business requirements.
- the access network may be an access network using different access technologies.
- 3GPP 3rd Generation Partnership Project
- non-3GPP non-3rd Generation Partnership Project
- 3GPP access technology refers to the access technology that conforms to the 3GPP standard specifications.
- the access network using the 3GPP access technology is called a radio access network (RAN).
- RAN radio access network
- gNB Next generation Node Base station
- a non-3GPP access technology refers to an access technology that does not comply with 3GPP standard specifications, for example, an air interface technology represented by an access point (AP) in WiFi.
- An access network that implements access network functions based on wired communication technologies may be called a wired access network.
- An access network that implements a network access function based on a wireless communication technology may be referred to as a radio access network (radio access network, RAN).
- the wireless access network can manage wireless resources, provide access services for terminals, and complete the forwarding of control signals and user data between terminals and the core network.
- the wireless access network can be, for example, a base station (NodeB), an evolved base station (evolved NodeB, eNB or eNodeB), a base station (gNB) in a 5G mobile communication system, a base station in a future mobile communication system, or an AP in a WiFi system, etc. It can also be a wireless controller in a cloud radio access network (cloud radio access network, CRAN) scenario, or the access network device can be a relay station, an access point, a vehicle-mounted device, a wearable device, network equipment in a future 5G network, or network equipment in a future evolved PLMN network.
- the embodiment of the present application does not limit the specific technology and specific equipment form adopted by the radio access network equipment.
- Access and mobility management function (access and mobility management function, AMF) entity: mainly used for mobility management and access management, such as user location update, user network registration, user handover, etc.; it can also be used to implement functions other than session management among the mobility management entity (mobility management entity, MME) functions, for example, lawful interception or access authorization (or authentication). In the embodiment of the present application, it can be used to implement the functions of the access and mobility management network element.
- AMF access and mobility management function
- MME mobility management entity
- Session management function (session management function, SMF)
- Session management function entity: mainly used for session management (such as session establishment, modification, release, etc.), Internet Protocol (internet protocol, IP) address allocation and management for the UE, selection of manageable user plane functions, the endpoint of the policy control or charging function interface, downlink data notification, etc.
- SMF session management function
- IP Internet Protocol
- a user plane function (UPF) entity: namely, a data plane gateway. It can be used for packet routing and forwarding, or quality of service (QoS) processing of user plane data, etc.
- User data can be accessed to a data network (data network, DN) through this network element. In the embodiment of this application, it can be used to realize the function of the user plane gateway.
- Data network (DN): a network used to provide data transmission.
- an operator's service network, an Internet network, a third-party service network, an IP multimedia service (IP Multi-media Service, IMS) network, and the like.
- IP Internet protocol address
- IMS IP Multi-media Service
- a DN can be identified by a data network name (DNN) in a 5G network.
- Authentication server function (authentication server function, AUSF)
- AUSF authentication server function
- Network exposure function (network exposure function, NEF)
- NEF network exposure function
- Network function repository function (network function (NF) repository function, NRF) entity: used to store the description information of network function entities and the services they provide, and to support service discovery, network element entity discovery and registration, etc.
- Policy control function (policy control function, PCF)
- PCF Policy control function
- Unified data management (UDM) entity: used to handle user identification, access authentication, registration, or mobility management.
- Application function (application function, AF) entity: used for data routing affected by applications, accessing network exposure function network elements, or interacting with policy frameworks for policy control, etc.
- Unified data repository (UDR) entity: provides storage capabilities for contract data, policy data, and capability opening-related data.
- Nausf is the service-based interface presented by AUSF
- Namf is the service-based interface presented by AMF
- Nsmf is the service-based interface presented by SMF
- Nnef is the service-based interface presented by NEF
- Nnrf is the service-based interface presented by NRF
- Nudm is the service-based interface presented by UDM
- Nudr is the service-based interface presented by UDR.
- the N1 interface is the reference point between the terminal and the AMF entity; the N2 interface is the reference point between the AN and the AMF entity, and is used for sending non-access stratum (non-access stratum, NAS) messages, etc.; the N3 interface is the reference point between the (R)AN and the UPF entity, and is used to transmit user plane data, etc.; the N4 interface is the reference point between the SMF entity and the UPF entity, and is used to transmit information such as the tunnel identification information of the N3 connection, data cache indication information, and downlink data notification messages; the N6 interface is the reference point between the UPF entity and the DN, and is used to transmit user plane data, etc.
- the name of the interface between network elements in FIG. 1 is just an example, and the name of the interface in a specific implementation may be another name, which is not specifically limited in this application.
- the name of the message (or signaling) transmitted between the above network elements is only an example, and does not constitute any limitation on the function of the message itself.
- the above-mentioned network architecture applied to the embodiment of the present application is only an example of a network architecture described from the perspective of a traditional point-to-point architecture and a service-oriented architecture, and the network architecture applicable to the embodiment of the present application is not limited thereto. Any network architecture capable of implementing the functions of the foregoing network elements is applicable to this embodiment of the present application.
- Fig. 2 is a schematic diagram of a network architecture applicable to the communication method provided by the embodiment of the present application.
- the network architecture 200 is based on a point-to-point interface.
- the N13 interface is the reference point between the UDM entity and the AUSF entity
- the N35 interface is the reference point between the UDM entity and the UDR entity
- the N12 interface is the reference point between the AUSF and AMF entities
- the N8 interface is the reference point between the UDM entity and the AMF entity
- the N10 interface is the reference point between the UDM entity and the SMF entity
- the N36 interface is the reference point between the UDR entity and the PCF entity
- the N5 interface is the reference point between the PCF entity and the AF entity
- the N15 interface is the reference point between the PCF entity and the AMF entity.
- the AMF network elements, SMF network elements, UPF network elements, UDR network elements, NEF network elements, AUSF network elements, NRF network elements, PCF network elements, and UDM network elements shown in Figure 1 and Figure 2 can all be understood as network elements in the core network used to implement different functions, and, for example, can be combined into network slices on demand.
- These network elements of the core network may be independent devices, or may be integrated into the same device to implement different functions, which is not limited in this application.
- a device that performs the function of a network element of the core network may also be called a core network device or a network device.
- Edge computing provides a differentiated service network from the center to the edge.
- the migration of content, applications, and computing to the edge drives the development of edge computing.
- the centralized deployment of the core network cannot meet the needs of new services.
- the migration of the network to the edge along with the business flow is an industry trend.
- the combination of edge computing and intelligent parks enables rapid deployment and realizes a closed-loop local business. With a more optimized network, it saves transmission for park users and ensures user experience.
- the edge computing platform or edge computing server
- the user plane functional network elements such as UPF
- the security management capabilities of the internal computer rooms in the campus are weak, and there is a risk of breach.
- Attackers can attack the user plane and control plane of the mobile communication network by hijacking the UPF (for example, physically sneaking into the corresponding computer room), causing risks in the communication network.
- an embodiment of the present application provides a communication method.
- Fig. 3 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 300 may be executed by a security policy control function (security policy control function, SPCF) entity or other network elements.
- the method 300 includes S310 to S320.
- abnormality indication information can be sent to the first SMF entity connected to the first UPF entity to indicate that the first UPF entity is attacked, so that the first SMF entity can perform session reestablishment or user plane path adjustment for sessions related to the first UPF entity, improving the security of the communication system.
- before performing S310, connection information may be obtained, where the connection information is used to indicate at least one UPF entity connected to each SMF entity in the at least one SMF entity, and the at least one SMF entity includes the first SMF entity.
- the first SMF entity connected to the first UPF entity may be determined according to the connection information, so that abnormality indication information can be sent to the first SMF entity at S320.
- the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- connection information may further include an identifier of each interface in the at least one interface of the first UPF entity, and the at least one interface of the first UPF entity includes the first interface.
- first interface may be any interface in the first UPF entity.
- an identifier of each interface in at least one interface of the first UPF entity may also be acquired.
- when the first interface of the first UPF entity is abnormal, it may be determined according to the identifier of the first interface that the first UPF entity is attacked.
- connection information may be determined according to the connection indication information sent by each SMF entity, or the connection information may be determined according to the interaction information between each UPF entity and the connected SMF entity.
- the connection indication information sent by the first SMF entity may be received, and the connection indication information sent by the first SMF entity is used to indicate the at least one UPF entity to which the first SMF entity is connected.
- After receiving the connection indication information sent by each SMF entity, the connection information can be determined according to the connection indication information sent by at least one SMF entity.
- the connection indication information sent by the first SMF entity also includes the identifier of the second interface of the first SMF entity.
- the abnormality indication information may be sent to the first SMF entity according to the identifier of the second interface.
- the second interface of the first SMF entity may be an interface used by the first SMF entity to communicate with the SPCF entity. Therefore, at S320, the abnormality indication information may be sent according to the identifier of the second interface of the first SMF entity.
- the connection indication information sent by the first SMF entity may also include the identifier of the fourth interface of the first UPF entity.
- the fourth interface of the first UPF entity may be, for example, an N4 interface, which is used for connecting the first UPF entity to the first SMF entity.
- the abnormal indication information may include the identifier of the fourth interface of the first UPF entity.
- the abnormal indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so as to facilitate subsequent processing by the first SMF entity.
- the first SMF entity may disconnect from the first UPF entity according to the identifier of the fourth interface in the abnormal indication information.
- the connection information may include the identifier of the third interface of the first SMF entity, and the third interface of the first SMF entity is used for connecting the first SMF entity to the first UPF entity.
- the first request information may be sent to the NRF entity.
- the first request information includes the identifier of the third interface.
- the first response information sent by the NRF entity may be received.
- the first response information includes the identifier of the second interface of the first SMF entity.
- abnormality indication information may be sent according to the identifier of the second interface.
- the third interface used by the first SMF entity for connection with the first UPF entity may be the N4 interface of the first SMF entity.
- the second interface of the first SMF entity may be an interface used by the first SMF entity to connect with the SPCF entity, for example, may be a service interface of the first SMF entity.
- the NRF entity may be requested for the identifier of the second interface of the first SMF entity. Afterwards, abnormal indication information is sent to the first SMF entity according to the identifier of the second interface.
- connection information may be determined according to interaction information between the at least one UPF entity and the at least one SMF entity.
- the first interaction information between the first UPF entity of the at least one UPF entity and the first SMF entity of the at least one SMF entity may include the identifier of the third interface, and may include an identifier of each interface in the at least one interface of the first UPF entity.
- the identifier of the third interface of the first SMF may be determined according to the connection information and the identifier of the first interface.
- the identification of the second interface of the first SMF may be requested from the NRF entity.
- a security policy enhancement function may acquire information received or sent by at least one UPF entity.
- the interaction information between the UPF entity and the SMF entity may include the identifier of each interface in the UPF entity, and the identifier of the interface used by the SMF entity to connect with the UPF entity.
- the SPEF entity may send the identifier of the interface used by the SMF entity to connect with the UPF entity and the identifiers of the interfaces of the UPF entity connected to the SMF entity to the SPCF according to the interaction information between the UPF entity and the SMF entity.
- the SPEF may acquire the first interaction information, and send the identifier of the third interface and the identifier of each interface in at least one interface of the first UPF entity to the SPCF entity.
- the SPCF entity can determine the connection information according to the information sent by the SPEF.
- At least one interface of the first UPF entity includes a fourth interface, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormal indication information includes an identifier of the fourth interface.
- the first interaction information between the first UPF entity and the first SMF entity may include an identifier of the third interface and an identifier of the fourth interface. Therefore, the abnormality indication information may include the identifier of the fourth interface.
- the fourth interface of the first UPF entity is used to connect the first UPF entity to the first SMF entity, for example, may be an N4 interface of the first UPF entity.
- the identifier of the fourth interface in the abnormal indication information may be used to indicate the first UPF entity.
- the abnormal indication information includes the identification of the fourth interface used by the first UPF entity to connect with the first SMF entity, so as to facilitate subsequent processing by the first SMF entity.
- the first SMF entity may disconnect from the first UPF entity according to the identifier of the fourth interface in the abnormal indication information. That is to say, the first SMF entity disconnects from the fourth interface indicated by the identifier of the fourth interface, that is, disconnects from the first UPF entity.
- the second request information may be sent to the UDR entity.
- the second request information includes the identifier of the first UPF entity.
- the second response information sent by the UDR entity may be received.
- the second response information includes the identifier of the first SMF entity.
- the UDR entity may send the second response information after receiving the second request information.
- the second response information may be understood as response information of the second request information.
- the first interface of the first UPF entity is abnormal.
- the first interface of the first UPF entity is abnormal, which may be understood as the first UPF entity being attacked.
- the identifier of the first UPF entity includes the identifier of the abnormal first interface in the first UPF entity.
- the second request information may include the identifier of the first interface in the first UPF entity.
- the UDR entity may determine the first SMF entity connected to the first UPF entity according to the identifier of the first interface.
- the identifier of the first SMF entity may include the identifier of the second interface of the first SMF entity.
- abnormality indication information may be sent according to the identifier of the second interface of the first SMF entity.
- the UDR entity may determine the second interface of the first SMF entity connected to the first UPF entity according to the identifier of the first interface in the first UPF entity.
- the second interface of the first SMF entity is used to connect the first SMF entity with the SPCF entity, for example, the second interface of the first SMF entity may be a service interface of the first SMF entity.
- the second response information sent by the UDR entity may include the identifier of the second interface of the first SMF entity. Therefore, at S320, sending the abnormality indication information according to the identifier of the second interface of the first SMF entity may cause the abnormality indication information to be sent to the first SMF entity.
- the second response information may also include the identifier of the fourth interface of the first UPF entity.
- the fourth interface of the first UPF entity is used to connect the first UPF entity to the first SMF entity, and the abnormal indication information includes an identifier of the fourth interface of the first UPF entity.
- the fourth interface of the first UPF entity is used to connect the first UPF entity to the first SMF entity, for example, may be an N4 interface of the first UPF entity.
- the identifier of the fourth interface in the abnormal indication information may be used to indicate the first UPF entity.
- the abnormal indication information includes the identifier of the fourth interface of the first UPF entity, which is convenient for the first SMF entity to perform subsequent processing.
- the first SMF entity may disconnect from the first UPF entity according to the identifier of the fourth interface in the abnormal indication information. That is to say, the first SMF entity disconnects from the fourth interface indicated by the identifier of the fourth interface, that is, disconnects from the first UPF entity.
- the abnormality indication information may include the identifier of the fourth interface. In the case that the abnormal first interface in the first UPF entity is the fourth interface of the first UPF entity, the abnormality indication information may include or not include the identifier of the fourth interface.
- Fig. 4 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 400 includes S401 to S413.
- the first SMF entity sends network function registration information to the NRF entity.
- the network function registration information may include the network function (network function, NF) type (NF type) of the first SMF entity, the NF instance (instance) identification (identification, ID) of the first SMF entity, the identifier of the service interface of the first SMF entity, and the identifier of the N4 interface of the first SMF entity.
- NF network function
- ID identification
- the network function registration information may include a network function (network function, NF) type (NF type), an NF instance (instance) identification (identification, ID), an identifier of the N4 interface of the SMF entity, and an identifier of the interface used by the SMF entity to communicate with other network elements in the network architecture 200.
- the identifier of the N4 interface of the SMF entity may be the same as or different from the identifiers of other interfaces.
- the NF type of the first SMF entity is used to indicate the type of the network element that sends the network function registration information, that is, indicates that the type of the first SMF entity is SMF.
- the NF instance ID of the first SMF entity is used to indicate the first SMF entity.
- the service interface identifier of the first SMF entity may be a fully qualified domain name (fully qualified domain name, FQDN) or IP address of the service interface of the first SMF entity, which is used to indicate the service interface of the first SMF entity.
- the identifier of the N4 interface of the first SMF entity may be the FQDN or IP address of the N4 interface of the first SMF entity, and is used to indicate the N4 interface of the first SMF entity.
- the method 400 is described by taking the network architecture 100 as an example.
- the NRF entity sends registration response information to the first SMF entity.
- the registration response information is used to indicate that the registration of the network function is successful.
- the SPEF entity detects information related to establishing the N4 coupling between the first SMF entity and the first UPF entity.
- the SPEF entity may acquire the interaction information of each UPF entity in at least one UPF entity interacting with the SMF entity.
- the at least one UPF entity includes a first UPF entity.
- the SMF entity that establishes N4 coupling with the first UPF entity is the first SMF entity.
- the first UPF entity may be any one of the at least one UPF entity.
- the message exchanged between the UPF entity and the SMF entity contains the identifier of the N4 interface of the SMF entity and the identifier of the N4 interface of the UPF entity.
- the SPEF entity may determine the correspondence information 1 according to the information exchanged between each UPF entity and the SMF entity in at least one UPF entity.
- the identifier of the N4 interface of each SMF entity corresponds to the identifier of the N4 interface of at least one UPF entity, and there is an N4 coupling between the UPF entity and the SMF entity, that is, the N4 interface of the UPF entity is connected to the N4 interface of the SMF entity.
- the SPEF entity sends correspondence information 1 to the SPCF.
- the SPEF entity detects information related to session establishment and session modification between the first SMF entity and the first UPF entity.
- the interaction information between the SMF entity and the UPF entity carries the N3 interface identifier and the N9 interface identifier of the UPF entity, which are used to configure the N3 interface and N9 interface of the UPF entity.
- the SPEF entity may determine the correspondence information 2 according to the information exchanged between each UPF entity and the SMF entity in at least one UPF entity.
- Correspondence information 2 is used to indicate the correspondence between the identifier of the N4 interface of each UPF entity and the identifier of the N3 interface and the identifier of the N9 interface of the UPF.
- the SPEF entity sends correspondence information 2 to the SPCF.
- the SPEF entity judges whether the interface of the first UPF entity is abnormal.
- the SPEF entity may detect each interface of each UPF entity in at least one UPF entity, so as to determine whether there is an abnormal interface.
- S407 may be performed multiple times. Exemplarily, S407 may be performed periodically.
- the first UPF entity may be any one of the at least one UPF entity.
- the SPEF entity sends the abnormal interface information to the SPCF entity.
- the abnormal interface information includes the identifier of the abnormal interface in the first UPF entity.
- the SPCF entity may determine that the first UPF entity is untrustworthy, that is, the first UPF entity is attacked.
- the SPCF entity can determine the identifier of the N4 interface of the SMF entity corresponding to the identifier of the abnormal interface in the UPF entity according to the correspondence information 1.
- the SPCF entity can determine the identifier of the N4 interface of the first UPF entity according to the correspondence information 2, and determine, according to the correspondence information 1, the identifier of the N4 interface of the first SMF entity connected to the N4 interface of the first UPF entity.
- the SPCF entity sends interface query information to the NRF entity.
- the interface query information may include the identifier of the N4 interface of the first SMF entity.
- the NRF entity sends interface response information to the SPCF entity.
- the interface response information includes the identifier of the service interface of the first SMF entity.
- Each SMF entity may send network function registration information to the NRF entity after being powered on. According to the network function registration information sent by each SMF entity, the NRF entity can determine the corresponding relationship between the identifier of the N4 interface and the identifier of the service interface in the SMF entity.
- the SPCF entity sends abnormal indication information according to the identifier of the service interface of the first SMF entity.
- the SPCF entity may address the identifier of the service-oriented interface of the first SMF entity, and send abnormal indication information to the address indicated by the addressing result. Therefore, the abnormality indication information can be sent to the first SMF entity.
- the abnormal indication information is used to indicate that the interface of the first UPF entity is abnormal.
- the first SMF entity may process services related to the first UPF entity according to the abnormal indication information.
- the first SMF entity may perform S412 and S413.
- the first SMF entity disconnects the N4 coupling with the N4 interface of the first UPF entity.
- the abnormal indication information may also include the identifier of the N4 interface in the first UPF entity.
- the first SMF entity may disconnect the connection indicated by the identifier in the abnormal indication information, thereby disconnecting the N4 association with the first UPF entity.
- the first SMF entity may perform session reestablishment or session user plane path adjustment under the condition that a session exists with the first UPF entity.
- the first SMF entity may perform session re-establishment under the condition that the N4 coupling with the N4 interface of the first UPF entity is disconnected. Alternatively, when the first SMF entity disconnects the N4 coupling with the N4 interface of the first UPF entity, it may determine whether to perform session reestablishment according to the role of the first UPF entity in the session. It should be understood that the session may be a protocol data unit (protocol data unit, PDU) session.
- PDU protocol data unit
- When the first SMF entity determines that the first UPF entity is the intermediate UPF (intermediate UPF, I-UPF) of the session, it may perform user plane path adjustment of the session, thereby using a UPF entity other than the first UPF entity as the I-UPF.
- I-UPF intermediate UPF
- When the first SMF entity determines that the first UPF entity is the PDU session anchor point UPF (UPF of PDU session Anchor, PSA-UPF) of the session, it may perform session re-establishment, so that a UPF entity other than the first UPF entity serves as the PSA-UPF.
- PSA-UPF UPF of PDU session Anchor
- the NRF entity provides network function registration and query services
- the SPEF entity detects the correspondence information 1 and the correspondence information 2 and reports them to the SPCF entity, where the correspondence information 1 is used to indicate the correspondence between the N4 interfaces of a UPF entity and an SMF entity that have an N4 coupling, and the correspondence information 2 is used to indicate the correspondence between the N4 interface, the N3 interface, and the N9 interface in the UPF entity.
- the SPCF entity determines the identifier of the N4 interface of the first SMF entity that has N4 coupling with the first UPF entity according to the correspondence information 1 and the correspondence information 2, and uses the identifier of the N4 interface of the first SMF entity to query the NRF entity to obtain the identifier of the service interface of the first SMF. Afterwards, the SPCF entity may send abnormal indication information according to the identifier of the service interface of the first SMF, so as to indicate to the first SMF entity that the first UPF entity is attacked. Therefore, the first SMF entity can perform corresponding processing to ensure communication security.
- the SPEF entity may detect disconnection-related interaction information between the first SMF entity and the first UPF entity.
- the SPEF entity may send connection disconnection indication information to the SPCF.
- the disconnection indication information is used to indicate that the identifier of the N4 interface of the first SMF entity does not have a corresponding relationship with the identifier of the N4 interface of the first UPF entity, that is, the N4 interface of the first SMF entity and the N4 interface of the first UPF entity have been disconnected.
- the connection disconnection indication information may include the identifier of the N4 interface of the first SMF entity and the identifier of the N4 interface of the first UPF entity. Therefore, the SPCF entity can update the correspondence information 1.
- the SPCF entity may update the correspondence information 1.
- the identifier of the N4 interface of the first SMF entity in the updated correspondence information 1 does not have a corresponding relationship with the identifier of the N4 interface of the first UPF entity.
- the SPCF entity may mark the correspondence information 1 to indicate that the abnormality indication information has been sent to the first SMF entity.
- Fig. 5 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 500 includes S501 to S509.
- the first SMF entity establishes an N4 coupling with the first UPF entity.
- the N4 interface of the first SMF entity establishes a connection with the N4 interface of the first UPF entity.
- the information of the interaction between the first SMF entity and the first UPF entity carries the identifier of the N4 interface of the first UPF entity.
- the first SMF entity sends association information 1 to the SPCF entity.
- the association information 1 includes the identifier of the service interface of the first SMF entity, the identifier of the N4 interface of the first SMF entity, and the identifier of the N4 interface of the first UPF entity.
- the first SMF entity establishes or modifies a session with the first UPF entity.
- the information that the first UPF entity interacts with the first SMF entity carries the identifier of the N3 interface of the first UPF entity and/or the identifier of the N9 interface.
- the identifier is used to configure the N3 interface and/or the N9 interface of the first UPF entity.
- the first SMF entity sends association information 2 to the SPCF entity.
- the association information 2 includes the identifier of the N4 interface of the first UPF entity, and the identifier of the N3 interface and/or the identifier of the N9 interface of the first UPF entity.
- the SPCF entity may receive association information 1 and association information 2 sent by at least one SMF entity.
- the at least one SMF entity includes a first SMF entity.
- the SPEF entity may determine whether the interface of the first UPF entity is abnormal.
- the SPEF entity can detect the interface of at least one UPF entity. Specifically, the SPEF entity may acquire information about communication between each interface of each UPF entity in the at least one UPF entity and other network elements, and determine whether each interface is abnormal according to the information.
- the information that any interface in each UPF entity communicates with other network elements may include the identifier of the interface.
- the at least one UPF entity includes a first UPF entity.
- S505 can be performed multiple times. Exemplarily, S505 may be performed periodically.
- S506 may be performed.
- the SPEF entity may send the abnormal interface information to the SPCF entity.
- the SPCF entity may determine the service interface of the SMF associated with the abnormal interface in the first UPF entity according to the association information 1.
- the abnormal interface information includes the identifier of the abnormal interface in the first UPF entity.
- the SPCF entity may determine the identifier of the service interface of the first SMF that has N4 coupling with the first UPF entity according to the association information 1.
- the SPCF entity can determine, according to the association information 1 and association information 2, the identifier of the N4 interface of the first SMF that has N4 coupling with the first UPF entity.
- the SPCF entity can determine the identifier of the N4 interface of the first UPF entity according to the association information 2; the SPCF entity can determine the identifier of the service interface of the first SMF that has N4 coupling with the first UPF entity according to the association information 1.
- the SPCF entity sends abnormal indication information according to the identifier of the service interface of the first SMF entity.
- the first SMF entity disconnects the N4 coupling with the N4 interface of the first UPF entity.
- the first SMF entity may perform session reestablishment or session user plane path adjustment under the condition that a session exists with the first UPF entity.
- S507 to S509 may be similar to S411 to S413, and for details, refer to the description of S411 to S413 in FIG. 4.
- the first SMF entity sends association information 1 and association information 2 to the SPCF entity, where association information 1 is used to indicate the association relationship between the service interface of the first SMF entity and the N4 interface of the first UPF entity, and association information 2 is used to indicate the association relationship between the N4 interface of the first UPF entity and the N3 interface and the N9 interface of the first UPF entity.
- the SPCF entity determines the service interface of the first SMF entity that has an N4 coupling with the first UPF entity to which the abnormal interface reported by the SPEF entity belongs.
- the SPCF entity sends abnormal indication information according to the service interface, so as to notify the first SMF entity that the first UPF entity is attacked and cannot be trusted.
- the first SMF entity can perform corresponding processing to ensure communication security.
- the first SMF entity may release the N4 coupling with the first UPF entity according to the abnormal indication information, and may perform session reestablishment or user plane path adjustment according to session requirements.
- the SPEF entity may detect disconnection-related interaction information between the first SMF entity and the first UPF entity.
- the SPEF entity may send connection disconnection indication information to the SPCF.
- the disconnection indication information is used to indicate that the identifier of the N4 interface of the first SMF entity does not have a corresponding relationship with the identifier of the N4 interface of the first UPF entity, that is, the N4 interface of the first SMF entity has been disconnected from the N4 interface of the first UPF entity.
- the connection disconnection indication information may include the identifier of the N4 interface of the first SMF entity and the identifier of the N4 interface of the first UPF entity. Therefore, the SPCF entity can update the correspondence information 1.
- the first SMF entity may send connection disconnection indication information to the SPCF entity.
- the disconnection indication information is used to indicate that the identifier of the N4 interface of the first SMF entity does not have a corresponding relationship with the identifier of the N4 interface of the first UPF entity, that is, the N4 interface of the first SMF entity and the N4 interface of the first UPF entity have been disconnected. Therefore, the SPCF entity can update the correspondence information 1.
- the SPCF entity may update the correspondence information 1.
- the identifier of the N4 interface of the first SMF entity in the updated correspondence information 1 does not have a corresponding relationship with the identifier of the N4 interface of the first UPF entity.
- the SPCF entity may mark the correspondence information 1 to indicate that the abnormal indication information has been sent to the first SMF entity.
- Fig. 6 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 600 includes S601 to S611.
- the first SMF entity establishes an N4 coupling with the first UPF entity.
- the information of the interaction between the first SMF entity and the first UPF entity carries the identifier of the N4 interface of the first UPF entity.
- the first SMF entity sends association information 1 to the UDR entity.
- the association information 1 includes the identifier of the service interface of the first SMF entity, the identifier of the N4 interface of the first SMF entity, and the identifier of the N4 interface of the first UPF entity.
- the first SMF entity establishes or modifies a session with the first UPF entity.
- the information that the first UPF entity interacts with the first SMF entity carries the identifier of the N3 interface of the first UPF entity and/or the identifier of the N9 interface.
- the first SMF entity sends association information 2 to the UDR entity.
- the association information 2 includes the identifier of the N4 interface of the first UPF entity, and the identifier of the N3 interface and/or the identifier of the N9 interface of the first UPF entity.
- the SPCF entity may receive association information 1 and association information 2 sent by at least one SMF entity.
- the at least one SMF entity includes a first SMF entity.
- the SPEF entity may determine whether the interface of the first UPF entity is abnormal.
- the SPEF entity can detect the interface of at least one UPF entity. Specifically, the SPEF entity may acquire information about communication between each interface of each UPF entity in the at least one UPF entity and other network elements, and determine whether each interface is abnormal according to the information.
- the information that any interface in each UPF entity communicates with other network elements may include the identifier of the interface.
- the at least one UPF entity includes a first UPF entity.
- S605 can be performed multiple times. Exemplarily, S605 may be performed periodically.
- S606 may be performed.
- the SPEF entity may send the abnormal interface information to the SPCF entity.
- the abnormal interface information includes the identifier of the abnormal interface in the first UPF entity.
- the SPCF entity sends network element query information to the UDR entity.
- the network element query information includes the identifier of the abnormal interface in the first UPF entity.
- the network element query information may also include a target entity type identifier, where the target entity type identifier is used to indicate that the type of the queried entity is SMF.
- the UDR entity may determine the service interface of the SMF associated with the abnormal interface in the first UPF entity according to the association information 1.
- the SPCF entity may determine the identifier of the service interface of the first SMF that has N4 coupling with the first UPF entity according to the association information 1.
- the SPCF entity can determine, according to the association information 1 and association information 2, the identifier of the N4 interface of the first SMF that has N4 coupling with the first UPF entity.
- the SPCF entity can determine the identifier of the N4 interface of the first UPF entity according to the association information 2; the SPCF entity can determine the identifier of the service interface of the first SMF that has N4 coupling with the first UPF entity according to the association information 1.
- the UDR entity sends the network element response information to the SPCF entity.
- the network element response information includes the identifier of the service interface of the first SMF.
- the network element response information may also include the identifier of the N4 interface of the first UPF entity.
- the network element response information sent by the UDR entity includes the identifier of the N4 interface of the first UPF entity; the UDR entity determines that the received network element query information
- the network element response information sent by the UDR entity may or may not include the identifier of the N4 interface of the first UPF entity.
- the SPCF entity sends abnormal indication information according to the identifier of the service interface of the first SMF entity.
- the first SMF entity disconnects the N4 coupling with the N4 interface of the first UPF entity.
- the first SMF entity may perform session re-establishment or user plane path adjustment of the session when there is a session with the first UPF entity.
- S609 to S611 may be similar to S411 to S413, and for details, refer to the description of S411 to S413 in FIG. 4.
- the first SMF entity registers association information 1 and association information 2 in the UDR entity, where association information 1 is used to indicate the association relationship between the service interface of the first SMF entity and the N4 interface of the first UPF entity, and association information 2 is used to indicate the association relationship between the N4 interface of the first UPF entity and the N3 interface and the N9 interface of the first UPF entity.
- the SPCF entity sends the identifier of the abnormal interface reported by the SPEF entity to the UDR entity.
- the UDR entity sends to the SPCF entity the identifier of the service interface of the first SMF entity that has an N4 coupling with the first UPF entity to which the abnormal interface belongs.
- the SPCF entity sends abnormal indication information according to the identifier of the service interface, so as to notify the first SMF entity that the first UPF entity is under attack and cannot be trusted. Therefore, the first SMF entity can perform corresponding processing to ensure communication security.
- the entity may send connection disconnection indication information to the UDR entity.
- the disconnection indication information may include the identifier of the N4 interface of the first SMF entity and the identifier of the N4 interface of the first UPF entity, and the disconnection indication information is used to instruct the first SMF entity to disconnect the N4 coupling with the first UPF entity.
- the UDR entity may delete the association information 1 according to the connection disconnection indication information.
- the SPCF entity may send the connection disconnection indication information to the UDR entity to instruct the UDR entity to delete the association information 1.
- the SPCF entity may send notification indication information to the UDR entity, and the notification indication information is used to indicate that the SPCF entity has sent the abnormality indication information to the first SMF entity.
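The lookup that methods 500 and 600 rely on, as an added Python example (not code from the patent): association information 1 and 2 are indexed so that an abnormal N3, N9 or N4 interface identifier resolves to the SMF service interface that must receive the abnormal indication. Class, method and identifier names are hypothetical; the example generalizes to several SMF entities coupled to one UPF entity and assumes the "mark" is used to suppress repeated indications.

```python
"""Added illustration: association lookup used in methods 500 and 600."""
from dataclasses import dataclass


@dataclass
class Coupling:
    """One N4 coupling, learned from association information 1."""
    smf_service_if: str      # identifier of the SMF service interface
    smf_n4_if: str           # identifier of the SMF N4 interface
    upf_n4_if: str           # identifier of the UPF N4 interface
    notified: bool = False   # set once abnormal indication information was sent


class AssociationStore:
    """Hypothetical table held by the SPCF (Fig. 5) or by the UDR (Fig. 6)."""

    def __init__(self):
        self._couplings = {}   # (smf_n4_if, upf_n4_if) -> Coupling
        self._owner = {}       # any UPF interface id -> that UPF's N4 interface id

    def register_assoc1(self, smf_service_if, smf_n4_if, upf_n4_if):
        """Association information 1: SMF service/N4 ids and the UPF N4 id."""
        self._couplings[(smf_n4_if, upf_n4_if)] = Coupling(
            smf_service_if, smf_n4_if, upf_n4_if)
        self._owner[upf_n4_if] = upf_n4_if

    def register_assoc2(self, upf_n4_if, n3_ifs=(), n9_ifs=()):
        """Association information 2: UPF N4 id and its N3 and/or N9 ids."""
        for if_id in (*n3_ifs, *n9_ifs):
            self._owner[if_id] = upf_n4_if

    def resolve(self, abnormal_if):
        """Return every coupling of the UPF that owns the abnormal interface."""
        upf_n4_if = self._owner.get(abnormal_if)
        if upf_n4_if is None:
            return []          # interface never registered: no SMF can be named
        return [c for c in self._couplings.values() if c.upf_n4_if == upf_n4_if]

    def report_abnormal(self, abnormal_if):
        """Build the abnormal indications to send, one per not-yet-notified SMF."""
        indications = []
        for c in self.resolve(abnormal_if):
            if c.notified:
                continue       # assumption: the mark suppresses repeat indications
            c.notified = True
            indications.append({"to_service_if": c.smf_service_if,
                                "upf_n4_if": c.upf_n4_if})
        return indications

    def disconnect(self, smf_n4_if, upf_n4_if):
        """Connection disconnection indication: drop the N4 correspondence."""
        return self._couplings.pop((smf_n4_if, upf_n4_if), None) is not None


def demo():
    """Run the flow on constructed identifiers (not taken from the patent)."""
    store = AssociationStore()
    store.register_assoc1("smf1-sbi", "smf1-n4", "upf1-n4")
    store.register_assoc1("smf2-sbi", "smf2-n4", "upf1-n4")   # second SMF, same UPF
    store.register_assoc1("smf1-sbi", "smf1-n4", "upf2-n4")
    store.register_assoc2("upf1-n4", n3_ifs=["upf1-n3"], n9_ifs=["upf1-n9"])
    store.register_assoc2("upf2-n4", n3_ifs=["upf2-n3"])

    first = store.report_abnormal("upf1-n3")      # SPEF reports an abnormal N3
    repeat = store.report_abnormal("upf1-n9")     # periodic detection fires again
    store.disconnect("smf1-n4", "upf1-n4")        # SMF 1 released the coupling
    remaining = store.resolve("upf1-n4")
    unknown = store.report_abnormal("upf9-n3")    # identifier nobody registered
    return first, repeat, remaining, unknown


if __name__ == "__main__":
    for name, value in zip(("first", "repeat", "remaining", "unknown"), demo()):
        print(name, value)
```

An abnormal interface that no SMF entity ever registered resolves to nothing, so a deployment would want to log that case rather than drop it silently.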
- Fig. 7 is a schematic flowchart of a communication method provided by the embodiment of the application.
- the method 700 includes S710 to S720.
- Method 700 may be performed by a first SMF entity.
- At S710, receive abnormal indication information sent by the security policy control function SPCF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- When receiving the abnormal indication information sent by the SPCF entity, the first SMF entity disconnects the connection with the first UPF entity, so as to improve the security of the communication system.
- the connection between the first SMF entity and the first UPF entity may be an N4 association between the first SMF entity and the first UPF entity.
- the first SMF entity may send interface indication information to the NRF entity.
- the interface indication information includes the identifier of the second interface of the first SMF entity and the identifier of the third interface of the first SMF entity.
- the third interface is used for the connection between the first SMF entity and the first UPF entity.
- the abnormal indication information is sent by the SPCF entity according to the first response information sent by the NRF entity, the first response information includes the identifier of the third interface, and the first response information is sent by the NRF entity according to the first request information, where the first request information includes the identifier of the second interface, and the first request information is sent by the SPCF entity when the first UPF entity is attacked.
- the SPCF entity may determine the third interface of the first SMF entity connected to the first UPF entity when the first UPF entity is attacked. Afterwards, the SPCF entity may send first request information to the NRF entity, where the first request information includes the identifier of the third interface. The SPCF entity may receive the first response information sent by the NRF entity, where the first response information includes the identifier of the second interface of the first SMF entity. Therefore, the SPCF entity may send the abnormal indication information according to the identifier of the second interface, so that the abnormal indication information is sent to the first SMF entity.
- the interface indication information may be carried in the network function registration information in FIG. 4 .
- the first request information may be the interface query information in FIG. 4 .
- the second response information may be the query response information in FIG. 4 .
- the first SMF entity may send first connection indication information to the SPCF entity, where the first connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the SPCF entity may receive first connection indication information sent by at least one SMF entity.
- the at least one SMF entity includes a first SMF entity. Therefore, the SPCF entity may determine that the SMF entity connected to the first UPF entity is the first SMF entity.
- the first connection indication information may include the identifier of the second interface of the first SMF entity, and the abnormality indication information is sent by the SPCF entity according to the identifier of the second interface.
- the first connection indication information may include association information 1 and association information 2 shown in FIG. 5 .
- the first SMF entity may send second connection indication information to the UDR entity, where the second connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the abnormal indication information is sent by the SPCF entity according to the second response information, the second response information includes the identifier of the first SMF entity, and the second response information is sent by the UDR entity according to the second request information, the second request information includes the identifier of the first UPF entity; the second request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked.
- the SPCF entity may send the second request information to the UDR entity, where the second request information includes the identifier of the first UPF entity.
- the SPCF entity may receive the second response information sent by the UDR entity, where the second response information includes the identifier of the first SMF entity. Therefore, the SPCF entity may send abnormality indication information to the first SMF entity.
- the second connection indication information may include the identifier of the first SMF entity, and the identifier of the first SMF entity includes the identifier of the second interface of the first SMF entity.
- the abnormal indication information may be sent by the SPCF entity according to the identifier of the second interface.
- the second connection indication information may include an identifier of a fourth interface of the first UPF entity, and the fourth interface is used for connecting the first UPF entity to the first SMF entity.
- the second response information may further include an identifier of the fourth interface, and the abnormality indication information includes the identifier of the fourth interface.
- the identifier of the first UPF entity may include an identifier of the first interface in the first UPF entity.
- the first interface may be an abnormal interface in the first UPF entity.
- the second connection indication information may include an identifier of each interface of each UPF entity connected to the first SMF entity.
- the SPCF entity may determine that the first UPF entity is attacked in a case where an abnormal interface exists in the first UPF entity.
- the second connection indication information may include association information 1 and association information 2 shown in FIG. 6 .
- the second request information may be the network element query information in FIG. 6 .
- the second response information may be the network element response information in FIG. 6 .
- Fig. 8 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 800 includes S810 to S830.
- Method 800 may be performed by an NRF entity.
- At S810, receive interface indication information sent by the first SMF entity, where the interface indication information includes an identifier of a second interface of the first SMF entity and an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity.
- the first request information sent by the SPCF entity includes the identifier of the second interface, and the first request information is sent by the SPCF entity when it determines that the first UPF entity is attacked.
- first response information is sent to the SPCF entity, where the first response information includes the identifier of the third interface, and the identifier of the third interface is used for sending abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- a query function may be provided to the SPCF entity, and in the case of receiving the identifier of the second interface of the first SMF entity sent by the SPCF entity, the identifier of the third interface of the first SMF entity is sent to the SPCF entity, so that when the SPCF entity determines that the first UPF entity is attacked, it sends abnormal indication information to the first SMF entity connected to the first UPF entity, thereby improving the security of the communication system.
- FIG. 9 is a schematic flowchart of a communication method provided by an embodiment of the present application.
- the method 900 includes S910 to S930.
- Method 900 may be performed by a UDR entity.
- the second connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the second request information is sent by the SPCF entity when it is determined that the first UPF entity is attacked, and the second request information includes the identifier of the first UPF entity.
- An SMF entity sends abnormal indication information, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- a query function can be provided to the SPCF entity, and in the case of receiving the identifier of the first UPF entity sent by the SPCF entity, the identifier of the first SMF entity connected to the first UPF entity is sent to the SPCF entity, so that when the SPCF entity determines that the first UPF entity is attacked, abnormality indication information can be sent to the first SMF entity, thereby improving the security of the communication system.
- the second connection indication information may include the identifier of the first SMF entity, the identifier of the first SMF entity may include the identifier of the second interface of the first SMF entity, and the abnormal indication information is sent by the SPCF entity according to the identifier of the second interface.
- the second connection indication information may include an identifier of a fourth interface of the first UPF entity, and the fourth interface is used for connecting the first UPF entity to the SMF entity.
- the second response information may also include an identifier of the fourth interface.
- the abnormal indication information may include the identifier of the fourth interface.
- the second connection indication information may include an identifier of at least one interface in each connected UPF entity.
- the second request information may include the identifier of the first interface in the first UPF entity.
- the identifier of at least one interface in the first UPF entity includes the identifier of the first interface.
- the first interface may be an abnormal interface in the first UPF entity.
- Fig. 10 is a schematic structural diagram of a data processing device provided by an embodiment of the present application.
- the communication device 2000 includes a processing module 2010 and a transceiver module 2020.
- the communication device 2000 may be used to realize the function of the SPCF entity mentioned above.
- the processing module 2010 is configured to determine whether the first user plane function UPF entity is attacked.
- the transceiver module 2020 is configured to, when the first UPF entity is attacked, send abnormal indication information to the first session management function SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked, and the first SMF entity is connected to the first UPF entity.
- the communication device 2000 further includes an acquisition module.
- the obtaining module is used to obtain connection information, where the connection information is used to indicate at least one UPF entity connected to each SMF entity in at least one SMF entity, and the at least one SMF entity includes the first SMF entity.
- the processing module 2010 is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- the connection information further includes an identifier of each interface in the at least one interface of the first UPF entity, and the at least one interface of the first UPF entity includes the first interface.
- the obtaining module is configured to receive connection indication information sent by the first SMF entity, where the connection indication information is used to indicate at least one UPF entity to which the first SMF entity is connected.
- the connection indication information includes the identifier of the second interface of the first SMF entity.
- the transceiver module 2020 is specifically configured to send the abnormal indication information according to the identifier of the second interface.
- the connection indication information further includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormality indication information includes an identifier of the fourth interface.
- the connection information includes an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity.
- the transceiver module 2020 is further configured to, when the first UPF entity is abnormal, send first request information to the network storage function NRF entity, where the first request information includes the identifier of the third interface.
- the transceiver module 2020 is also configured to receive first response information sent by the NRF entity, where the first response information includes the identifier of the second interface of the first SMF entity;
- the transceiver module 2020 is specifically configured to send the abnormal indication information according to the identifier of the second interface.
- the connection information is determined according to interaction information between the at least one UPF entity and the at least one SMF entity, where the interaction information between the first UPF entity and the first SMF entity includes the identifier of the third interface and the identifier of each interface in the at least one interface of the first UPF entity.
- the at least one interface of the first UPF entity includes a fourth interface, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormality indication information includes the identifier of the fourth interface.
- the transceiving module 2020 is further configured to, when the first UPF entity is abnormal, send second request information to the unified database UDR entity, where the second request information includes the identifier of the first UPF entity.
- the transceiver module 2020 is further configured to receive second response information sent by the UDR entity, where the second response information includes the identifier of the first SMF entity.
- the processing module 2010 is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- the identifier of the first UPF entity includes an identifier of an abnormal first interface in the first UPF entity.
- the identifier of the first SMF entity includes an identifier of a second interface of the first SMF entity.
- the transceiver module 2020 is specifically configured to send the abnormal indication information according to the identifier of the second interface.
- the second response information further includes an identifier of a fourth interface of the first UPF entity, and the fourth interface is used to connect the first UPF entity to the first SMF entity.
- the abnormal indication information includes the identifier of the fourth interface.
- the communication device 2000 may be used to realize the function of the first SMF entity mentioned above.
- the transceiver module 2020 is configured to receive abnormal indication information sent by the security policy control function entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the processing module 2010 is configured to disconnect the connection with the first UPF entity.
- the transceiver module 2020 is further configured to send interface indication information to the NRF entity, where the interface indication information includes the identifier of the second interface of the device 2000 and the identifier of the third interface of the device 2000, and the third interface is used to connect the device 2000 with the first UPF entity.
- the abnormal indication information is sent by the security policy control function entity according to the first response information sent by the NRF entity, and the first response information includes the identifier of the third interface.
- the first response information is sent by the NRF entity according to the first request information, the first request information includes the identifier of the second interface, and the first request information is sent when the first UPF entity is attacked.
- the transceiver module 2020 is further configured to send first connection indication information to the security policy control function entity, where the first connection indication information is used to indicate at least one UPF entity connected to the apparatus 2000, and the at least one UPF entity includes the first UPF entity.
- the first connection indication information includes the identifier of the second interface of the apparatus 2000, and the abnormality indication information is sent by the security policy control function entity according to the identifier of the second interface.
- the transceiver module 2020 is further configured to send second connection indication information to the UDR entity, where the second connection indication information is used to indicate at least one UPF entity connected to the device 2000, and the at least one UPF entity includes the first UPF entity.
- the abnormality indication information is sent by the security policy control function entity according to the second response information, and the second response information includes the identifier of the device 2000.
- the second response information is sent by the UDR entity according to the second request information, and the second request information includes the identifier of the first UPF entity.
- the second request information is sent by the security policy control function entity when the first UPF entity is attacked.
- the second connection indication information includes an identifier of the device 2000, the identifier of the device 2000 includes an identifier of a second interface of the device 2000, and the abnormality indication information is sent by the security policy control functional entity according to the identifier of the second interface.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, and the fourth interface is used for connecting the first UPF entity to the apparatus 2000.
- the second response information further includes the identifier of the fourth interface, and the abnormality indication information includes the identifier of the fourth interface.
- the communication device 2000 may be used to realize the function of the NRF entity mentioned above.
- the transceiver module 2020 is further configured to receive interface indication information sent by the first SMF entity, where the interface indication information includes the identifier of the second interface of the first SMF entity and the identifier of the third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity;
- the transceiver module 2020 is further configured to receive first request information sent by the security policy control functional entity, where the first request information includes the identifier of the second interface, and the first request information is sent by the security policy control functional entity when the first UPF entity is attacked;
- the transceiver module 2020 is further configured to send first response information to the security policy control functional entity, where the first response information includes the identifier of the third interface, and the identifier of the third interface is used for sending abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the processing module 2010 may be used to control the transceiver module 2020, so that the transceiver module 2020 realizes the above functions.
- the communication device 2000 may be a UDR entity, or be configured to implement the functions of the UDR entity mentioned above.
- the transceiver module 2020 is configured to receive second connection indication information sent by the first SMF entity, where the second connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the transceiver module 2020 is further configured to receive second request information sent by the security policy control functional entity, where the second request information is sent by the security policy control functional entity when the first UPF entity is attacked, and the second request information includes the identifier of the first UPF entity.
- the transceiver module 2020 is further configured to send second response information to the security policy control function entity, where the second response information includes the identifier of the first SMF entity, and the identifier of the first SMF entity is used for sending abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the second connection indication information includes the identifier of the first SMF entity, the identifier of the first SMF entity includes the identifier of the second interface of the first SMF entity, and the abnormality indication information is sent by the security policy control function entity according to the identifier of the second interface.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used to connect the first UPF entity to the SMF entity, the second response information further includes an identifier of the fourth interface, and the abnormality indication information includes the identifier of the fourth interface.
- the processing module 2010 may be used to control the transceiver module 2020, so that the transceiver module 2020 realizes the above functions.
- Fig. 8 is a schematic structural diagram of a data processing device provided by an embodiment of the present application.
- the communication device 3000 includes at least one processor 3010 and a communication interface 3020.
- the communication interface 3020 is used for the communication device 3000 to exchange information with other communication devices.
- when program instructions are executed in the at least one processor 3010, the at least one processor 3010 is used to execute the method described above.
- the communication device 3000 may be used to realize the function of the SPCF entity mentioned above.
- the processor 3010 is configured to determine whether the first user plane function UPF entity is attacked.
- the communication interface 3020 is configured to, when the first UPF entity is attacked, send abnormal indication information to the first session management function SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked, and the first SMF entity is connected to the first UPF entity.
- the communication interface 3020 is further configured to obtain connection information, the connection information is used to indicate at least one UPF entity connected to each SMF entity in at least one SMF entity, and the at least one SMF entity includes the first SMF entity.
- the processor 3010 is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- the connection information further includes an identifier of each interface in the at least one interface of the first UPF entity, and the at least one interface of the first UPF entity includes the first interface.
- the communication interface 3020 is further configured to receive connection indication information sent by the first SMF entity, where the connection indication information is used to indicate at least one UPF entity to which the first SMF entity is connected.
- the connection indication information includes the identifier of the second interface of the first SMF entity.
- the communication interface 3020 is further configured to send the abnormality indication information according to the identifier of the second interface.
- the connection indication information further includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormality indication information includes an identifier of the fourth interface.
- the connection information includes an identifier of a third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity.
- the communication interface 3020 is further configured to, when the first UPF entity is abnormal, send first request information to the network storage function NRF entity, where the first request information includes the identifier of the third interface.
- the communication interface 3020 is further configured to receive first response information sent by the NRF entity, where the first response information includes the identifier of the second interface of the first SMF entity.
- the communication interface 3020 is further configured to send the abnormality indication information according to the identifier of the second interface.
- the connection information is determined according to interaction information between the at least one UPF entity and the at least one SMF entity, where the interaction information between the first UPF entity and the first SMF entity includes the identifier of the third interface and the identifier of each interface in the at least one interface of the first UPF entity.
- the at least one interface of the first UPF entity includes a fourth interface, the fourth interface is used to connect the first UPF entity to the first SMF entity, and the abnormality indication information includes the identifier of the fourth interface.
- the communication interface 3020 is further configured to, when the first UPF entity is abnormal, send second request information to the unified database UDR entity, where the second request information includes the identifier of the first UPF entity.
- the communication interface 3020 is further configured to receive second response information sent by the UDR entity, where the second response information includes the identifier of the first SMF entity.
- the processor 3010 is specifically configured to determine whether the first interface of the first UPF entity is abnormal, and if the first interface is abnormal, the first UPF entity is attacked.
- the identifier of the first UPF entity includes an identifier of an abnormal first interface in the first UPF entity.
- the identifier of the first SMF entity includes an identifier of a second interface of the first SMF entity.
- the communication interface 3020 is further configured to send the abnormality indication information according to the identifier of the second interface.
- the second response information further includes an identifier of a fourth interface of the first UPF entity, and the fourth interface is used for connecting the first UPF entity to the first SMF entity.
- the abnormal indication information includes the identifier of the fourth interface.
- the communication device 3000 may be used to realize the function of the first SMF entity mentioned above.
- the communication interface 3020 is configured to receive abnormal indication information sent by the security policy control function entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the processor 3010 is configured to disconnect the connection with the first UPF entity.
- the communication interface 3020 is further configured to send interface indication information to the NRF entity, where the interface indication information includes an identifier of a second interface of the device 3000 and an identifier of a third interface of the device 3000, and the third interface is used to connect the device 3000 with the first UPF entity.
- the abnormal indication information is sent by the security policy control function entity according to the first response information sent by the NRF entity, and the first response information includes the identifier of the third interface.
- the first response information is sent by the NRF entity according to the first request information, the first request information includes the identifier of the second interface, and the first request information is sent when the first UPF entity is attacked.
- the communication interface 3020 is further configured to send first connection indication information to the security policy control function entity, where the first connection indication information is used to indicate at least one UPF entity connected to the apparatus 3000, and the at least one UPF entity includes the first UPF entity.
- the first connection indication information includes the identifier of the second interface of the apparatus 3000, and the abnormality indication information is sent by the security policy control function entity according to the identifier of the second interface.
- the communication interface 3020 is further configured to send second connection indication information to the UDR entity, where the second connection indication information is used to indicate at least one UPF entity connected to the device 3000, and the at least one UPF entity includes the first UPF entity.
- the abnormal indication information is sent by the security policy control function entity according to the second response information, and the second response information includes the identifier of the device 3000.
- the second response information is sent by the UDR entity according to the second request information, and the second request information includes the identifier of the first UPF entity.
- the second request information is sent by the security policy control function entity when the first UPF entity is attacked.
- the second connection indication information includes an identifier of the device 3000, the identifier of the device 3000 includes an identifier of a second interface of the device 3000, and the abnormality indication information is sent by the security policy control functional entity according to the identifier of the second interface.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, and the fourth interface is used for connecting the first UPF entity to the apparatus 3000.
- the second response information further includes the identifier of the fourth interface, and the abnormality indication information includes the identifier of the fourth interface.
- the communication device 3000 may be used to realize the function of the NRF entity mentioned above.
- the communication interface 3020 is further configured to receive interface indication information sent by the first SMF entity, where the interface indication information includes the identifier of the second interface of the first SMF entity and the identifier of the third interface of the first SMF entity, and the third interface is used for the connection between the first SMF entity and the first UPF entity;
- the communication interface 3020 is further configured to receive first request information sent by the security policy control functional entity, where the first request information includes the identifier of the second interface, and the first request information is sent when the first UPF entity is attacked;
- the communication interface 3020 is further configured to send first response information to the security policy control function entity, where the first response information includes the identifier of the third interface, and the identifier of the third interface is used for sending abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the processor 3010 may be used to control the communication interface 3020, so that the communication interface 3020 realizes the above functions.
- the communication device 3000 may be a UDR entity, or be configured to implement the functions of the UDR entity mentioned above.
- the communication interface 3020 is configured to receive second connection indication information sent by the first SMF entity, where the second connection indication information is used to indicate at least one UPF entity connected to the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the communication interface 3020 is further configured to receive second request information sent by the security policy control function entity, where the second request information is sent by the security policy control function entity when the first UPF entity is attacked, and the second request information includes the identifier of the first UPF entity.
- the communication interface 3020 is further configured to send second response information to the security policy control function entity, where the second response information includes the identifier of the first SMF entity, and the identifier of the first SMF entity is used for sending abnormal indication information to the first SMF entity, where the abnormal indication information is used to indicate that the first UPF entity is attacked.
- the second connection indication information includes the identifier of the first SMF entity, the identifier of the first SMF entity includes the identifier of the second interface of the first SMF entity, and the abnormality indication information is sent by the security policy control function entity according to the identifier of the second interface.
- the second connection indication information includes an identifier of a fourth interface of the first UPF entity, the fourth interface is used to connect the first UPF entity to the SMF entity, the second response information further includes an identifier of the fourth interface, and the abnormality indication information includes the identifier of the fourth interface.
- the processor 3010 may be used to control the communication interface 3020, so that the communication interface 3020 realizes the above functions.
- SOC system-on-a-chip
- the SOC may include at least one processor for implementing any of the above methods or realizing the functions of each unit of the device.
- the at least one processor may include processors of different types, for example a CPU and an FPGA, a CPU and an artificial intelligence processor, or a CPU and a graphics processing unit (GPU).
- An embodiment of the present application further provides a computer program storage medium, wherein the computer program storage medium has program instructions, and when the program instructions are executed, the foregoing method is executed.
- An embodiment of the present application further provides a system-on-a-chip, wherein the system-on-a-chip includes at least one processor, and when program instructions are executed on the at least one processor, the foregoing method is executed.
- An embodiment of the present application further provides a program product, where the computer program product includes program instructions, and when the program instructions are executed in a computer device, the foregoing data processing method is executed.
- the embodiment of the present application also provides a communication system, including at least one SMF entity, at least one UPF entity, and the aforementioned communication device. The at least one SMF entity includes the first SMF entity, and the at least one UPF entity includes the first UPF entity.
- the communication system may also include NRF entities or UDR entities.
- the processor in the embodiment of the present application may be a central processing unit (CPU), and the processor may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
- a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
- the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be read-only memory (ROM), programmable read-only memory (programmable ROM, PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory.
- Volatile memory can be random access memory (RAM), which acts as external cache memory.
- static random access memory (static RAM, SRAM)
- dynamic random access memory (DRAM)
- synchronous dynamic random access memory (SDRAM)
- double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM)
- enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM)
- serial link DRAM (SLDRAM)
- direct memory bus random access memory (direct rambus RAM, DR RAM)
- the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or other arbitrary combinations.
- the above-described embodiments may be implemented in whole or in part in the form of computer program products.
- the computer program product comprises one or more computer instructions or computer programs.
- the processes or functions according to the embodiments of the present application will be generated in whole or in part.
- the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired or wireless (such as infrared, wireless, microwave, etc.) means.
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that includes one or more sets of available media.
- the available media may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., DVD), or semiconductor media.
- the semiconductor medium may be a solid state drive.
- “At least one” means one or more, and “multiple” means two or more.
- “At least one of the following” or similar expressions refer to any combination of these items, including any combination of single or plural items.
- at least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple.
- sequence numbers of the above-mentioned processes do not mean the order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
- the disclosed systems, devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components can be combined or integrated into another system, or some features may be ignored or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
- if the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
- the technical solution of the present application, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc and other media that can store program code.
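The UDR-based variant described above for the communication device 3000 (the SMF reports its UPF links to the UDR, the security policy control function entity queries the UDR with the attacked UPF's identifier, then sends the abnormal indication to the SMF, which disconnects) can be traced as a small in-memory simulation. This is an added example, not code from the application: the class and field names, the boolean abnormality input and the topology are assumptions, and it generalizes the described case to several SMF entities per UPF entity.

```python
"""Added illustration (not from the application): SPCF -> UDR -> SMF isolation flow."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecondConnectionIndication:
    """SMF -> UDR: the UPF entities this SMF is connected to."""
    smf_second_interface_id: str   # identifies the SMF; the SPCF addresses it by this
    upf_links: tuple               # ((upf_id, fourth_interface_id_on_that_upf), ...)


@dataclass(frozen=True)
class AbnormalIndication:
    """SPCF -> SMF: the named UPF entity is attacked."""
    upf_id: str
    fourth_interface_id: str       # UPF-side interface that faces the receiving SMF


class UDR:
    def __init__(self):
        self._links_by_upf = {}    # upf_id -> [(smf_second_interface_id, fourth_if)]

    def store(self, indication):
        for upf_id, fourth_if in indication.upf_links:
            entry = (indication.smf_second_interface_id, fourth_if)
            links = self._links_by_upf.setdefault(upf_id, [])
            if entry not in links:   # re-registration must not duplicate links
                links.append(entry)

    def second_request(self, upf_id):
        """The second request carries the UPF identifier; the second response
        lists every SMF identifier (and fourth interface) linked to it."""
        return list(self._links_by_upf.get(upf_id, []))


class SMF:
    def __init__(self, second_interface_id, upf_links):
        self.second_interface_id = second_interface_id
        self.links = dict(upf_links)   # upf_id -> fourth interface id

    def register(self, udr):
        udr.store(SecondConnectionIndication(
            self.second_interface_id, tuple(self.links.items())))

    def on_abnormal_indication(self, indication):
        """Disconnect only a link this SMF really holds; ignore anything else."""
        if self.links.get(indication.upf_id) != indication.fourth_interface_id:
            return False
        del self.links[indication.upf_id]
        return True


class SPCF:
    def __init__(self, udr, smf_by_second_interface):
        self.udr = udr
        self.smfs = smf_by_second_interface  # stands in for network addressing

    def evaluate(self, upf_id, first_interface_abnormal):
        """Return the second-interface ids of the SMFs that disconnected."""
        if not first_interface_abnormal:     # UPF not judged attacked: do nothing
            return []
        isolated = []
        for smf_if2, fourth_if in self.udr.second_request(upf_id):
            smf = self.smfs.get(smf_if2)
            if smf and smf.on_abnormal_indication(
                    AbnormalIndication(upf_id, fourth_if)):
                isolated.append(smf_if2)
        return isolated


def run_demo():
    udr = UDR()
    # Constructed topology: smf-a serves upf-1 and upf-2, smf-b serves upf-2 only.
    smf_a = SMF("smf-a/if2", {"upf-1": "upf-1/if4", "upf-2": "upf-2/if4-a"})
    smf_b = SMF("smf-b/if2", {"upf-2": "upf-2/if4-b"})
    for smf in (smf_a, smf_b):
        smf.register(udr)
    spcf = SPCF(udr, {s.second_interface_id: s for s in (smf_a, smf_b)})
    return {
        "healthy": spcf.evaluate("upf-1", first_interface_abnormal=False),
        "unknown_upf": spcf.evaluate("upf-9", first_interface_abnormal=True),
        "notified": spcf.evaluate("upf-1", first_interface_abnormal=True),
        "repeat": spcf.evaluate("upf-1", first_interface_abnormal=True),
        "smf_a_links": dict(smf_a.links),
        "smf_b_links": dict(smf_b.links),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In this sketch the UDR still lists the stale link after the SMF disconnects, so the SMF-side check against its own link table is what makes a repeated indication harmless.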
Abstract
The present application discloses a communication method and apparatus capable of improving the security of a communication system. The communication method comprises: determining whether a first user plane function (UPF) entity is attacked; and, if the first UPF entity is attacked, sending abnormal indication information to a first session management function (SMF) entity, the first SMF entity being connected to the first UPF entity and the abnormal indication information being used to indicate that the first UPF entity is attacked.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210190092.9A CN116709337A (zh) | 2022-02-28 | 2022-02-28 | Communication method and apparatus |
| CN202210190092.9 | 2022-02-28 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023160390A1 (fr) | 2023-08-31 |
Family
ID=87764800
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/074957 Ceased WO2023160390A1 (fr) | Communication method and apparatus | 2023-02-08 | 2023-02-08 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN116709337A (fr) |
| WO (1) | WO2023160390A1 (fr) |
- 2022-02-28: CN application CN202210190092.9A, patent CN116709337A (zh), active, Pending
- 2023-02-08: WO application PCT/CN2023/074957, patent WO2023160390A1 (fr), not active, Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN116709337A (zh) | 2023-09-05 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23759015; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 23759015; Country of ref document: EP; Kind code of ref document: A1 |