
WO2024140021A1 - 5g sa network internet of things terminal connection and access restriction method and system, and medium - Google Patents


Info

Publication number
WO2024140021A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
network
management module
slice
user
Prior art date
Legal status
Ceased
Application number
PCT/CN2023/135829
Other languages
French (fr)
Chinese (zh)
Inventor
兰卓睿
唐燕
王程
陈杨
赵建军
Current Assignee
E Surfing IoT Co Ltd
Original Assignee
E Surfing IoT Co Ltd

Classifications

    • G16Y 30/10 — Physics; ICT specially adapted for the Internet of Things [IoT]; IoT infrastructure; security thereof
    • H04L 67/12 — Network arrangements or protocols for supporting network services or applications; protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 9/40 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04W 12/08 — Wireless communication networks; security arrangements, authentication, protecting privacy or anonymity; access security
    • H04W 28/06 — Network traffic management; network resource management; traffic management, e.g. flow control or congestion control; optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information
    • H04W 28/08 — Network traffic management; traffic management; load balancing or load distribution
    • H04W 4/30 — Services specially adapted for wireless communication networks; services specially adapted for particular environments, situations or purposes

Definitions

  • the present application relates to the technical field of the Internet of Things, and in particular, to a method, system and medium for 5G SA network Internet of Things terminal access and access restriction.
  • the technical problem to be solved by this application is to control users to access the intranet only within a certain controllable smaller campus area, and prohibit access to services outside this area, thereby ensuring higher reliability and security.
  • the network manager receives the access network message, and the radio access network determines an access management module corresponding to the access network message;
  • the determined access management module obtains the user subscribed network slice corresponding to the access network message from a preset slice database
  • the target access management module obtains a pre-stored user subscription policy corresponding to the allowed slice from the policy control module;
  • the user subscription policy is sent to the Internet of Things terminal so that the Internet of Things terminal can access the target access management module.
  • the radio access network determines the access management module corresponding to the access network message, comprising:
  • if a matching access management module can be obtained from the GUAMI information, that matching module is taken as the determined access management module;
  • if no matching access management module can be obtained from the GUAMI information, the corresponding access management module is determined from the requested slice in the access network message.
  • before determining the corresponding access management module from the requested slice in the access network message, the method further includes:
  • a registration request is sent to the default access management module.
  • the target access management module obtains a pre-stored user subscription policy from the policy control module, including:
  • the policy control module performs switching subscription between tracking areas for a single user based on a preset tracking area code to obtain the user subscription policy.
  • the radio access network redetermines the access management module newly corresponding to the updated access network message
  • the newly corresponding access management module reports the updated access network message to the policy control module through a preset interface
  • a dynamic policy is issued to ensure the output of a first policy; the first policy is a higher quality-of-service policy;
  • a blocking instruction is issued to ensure the output of a second policy, thereby blocking all of the user's traffic so that it does not leave the campus; the service rule corresponding to the second policy has the highest global priority.
  • the determined access management module obtains the user subscribed network slice corresponding to the access network message from a preset slice database, further comprising:
  • step S120 further includes sub-steps S111 , S112 and S113 .
  • a session management module SMF is also provided in the network manager.
  • the session management module SMF is mainly responsible for interacting with the separated user plane, creating, updating and deleting PDU sessions, and managing session context with the user plane function UPF.
  • a PDU session refers to the process of communication between a user terminal 13 and a data network DN;
  • the user plane function UPF is a basic component of the 5G core network infrastructure system architecture defined by 3GPP (the Third Generation Partnership Project). Operators can rate limit, charge and legally intercept user data transmission based on the user plane function UPF, and record the traffic usage.
  • the terminal may also attach through other base stations outside the campus.
  • a location restriction on the tracking area code TAC therefore has to be layered on top, that is, a TAC location control policy is issued through the policy control module PCF to achieve regional restriction of different campuses under the same slice (without re-planning the TAC).
  • in scenario three, Campus 1 is defined as the coverage area of base station 3 and Campus 2 as the coverage area of base stations 4 and 5, while base stations 1, 2, 3, 4 and 5 are all under the same tracking area code TAC.
  • the embodiment of the present application also provides a system for 5G SA network IoT terminal access and access restriction, which is used to execute any embodiment of the aforementioned 5G SA network IoT terminal access and access restriction method.
  • Figure 12 is a schematic block diagram of the system for 5G SA network IoT terminal access and access restriction provided in the embodiment of the present application.
  • the system includes an Internet of Things terminal 11, a network manager 12 and a user terminal 13.
  • the network manager 12 establishes network connections with the Internet of Things terminal 11 and the user terminal 13 to achieve data information transmission.
  • the system includes an attachment request unit 111 configured in the Internet of Things terminal 11, a first sending unit 131 configured in the user terminal 13, a receiving unit 121, a first obtaining unit 122, a judging unit 123, a second obtaining unit 124, a second sending unit 125, a third obtaining unit 126 and a third sending unit 127 configured in the network manager 12.
  • the attachment request unit 111 is used for the network manager 12 to receive an attachment request from the Internet of Things terminal 11.
  • the first sending unit 131 is configured to control the user terminal 13 to send a network access message if the network manager 12 receives an attachment request from the IoT terminal 11 .
  • the judging unit 123 is used to determine whether the determined access management module AMF can process the user-subscribed network slice S.
  • the second obtaining unit 124 is used for the network slice selection module to obtain the allowed slice A and the target access management module AMF corresponding to the user-subscribed network slice S if the determined access management module AMF cannot process the user-subscribed network slice S.
  • the third obtaining unit 126 is used for the target access management module AMF to obtain, from the policy control module PCF, the pre-stored user subscription policy corresponding to the allowed slice A.
  • the third sending unit 127 is used to send the user subscription policy to the Internet of Things terminal 11, so that the Internet of Things terminal 11 accesses the target access management module AMF.
  • the above-mentioned method for 5G SA network IoT terminal access and access restriction can be implemented in the form of a computer program.
  • the IoT terminal 11 and the network manager 12 in the system for 5G SA network IoT terminal access and access restriction can be implemented as computer devices.
  • the computer program can run on the computer device shown in the figure.
  • the Internet of Things terminal 11 includes a first memory, a first processor, and a first computer program stored in the first memory and executable on the first processor
  • the network manager 12 includes a second memory, a second processor, and a second computer program stored in the second memory and executable on the second processor
  • the user terminal 13 includes a third memory, a third processor, and a third computer program stored in the third memory and executable on the third processor
  • the first processor executes the first computer program
  • the second processor executes the second computer program
  • the third processor executes the third computer program, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction as described above.
  • FIG 13 is a schematic block diagram of a computer device provided in an embodiment of the present application.
  • the computer device can be a method for executing 5G SA network IoT terminal access and access restriction to enable the network manager to determine whether the user terminal can access the intranet based on the attachment request of the IoT terminal and the access network message sent by the user terminal.
  • the computer device 500 includes a processor 502 , a memory, and a network interface 505 connected via a system bus 501 , wherein the memory may include a storage medium 503 and an internal memory 504 .
  • the storage medium 503 can store an operating system 5031 and a computer program 5032.
  • the processor 502 can execute the 5G SA network IoT terminal access and access restriction method, wherein the storage medium 503 can be a volatile or a non-volatile storage medium.
  • the processor 502 is used to provide computing and control capabilities to support the operation of the entire computer device 500 .
  • the network interface 505 is used for network communication to provide data information transmission, and the network communication is wired network communication and/or wireless network communication. It can be understood by those skilled in the art that the structure shown in FIG. 10 is only a block diagram of a partial structure related to the solution of the present application, and does not constitute a limitation on the computer device 500 to which the solution of the present application is applied.
  • the specific computer device 500 may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
  • the processor 502 is used to run the computer program 5032 stored in the memory to implement the corresponding functions in the above-mentioned 5G SA network IoT terminal access and access restriction method.
  • the embodiment of the computer device shown in FIG13 does not constitute a limitation on the specific composition of the computer device.
  • the computer device may include more or fewer components than shown, or combine certain components, or arrange the components differently.
  • the computer device may only include a memory and a processor. In such an embodiment, the structure and function of the memory and the processor are consistent with the embodiment shown in FIG13, and will not be described in detail here.
  • the processor 502 may be a central processing unit (CPU), and the processor 502 may also be other general-purpose processors, digital signal processors (DSP), application-specific integrated circuits (ASIC), field-programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor, etc.
  • a computer readable storage medium may be volatile or non-volatile.
  • the computer-readable storage medium stores a first computer program, a second computer program or a third computer program which, when the first computer program is executed by the first processor, the second computer program by the second processor and the third computer program by the third processor, together implement the steps of the above-mentioned 5G SA network IoT terminal access and access restriction method.
  • the disclosed systems, devices and units can be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the units is only a logical function division. There may be other division methods in actual implementation, and units with the same function may be combined into one unit. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, or may be electrical, mechanical or other forms of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiments of the present application.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in its essence or in the part that contributes over the prior art, or all or part of it, may be embodied in the form of a software product stored in a computer-readable storage medium and comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned computer-readable storage medium includes a USB flash drive, a portable hard disk, a read-only memory (ROM), a magnetic disk, a CD-ROM or any other medium capable of storing program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of the Internet of Things and discloses a method, system and medium for 5G SA network IoT terminal access and access restriction. The method comprises: if a network manager receives an attachment request from an IoT terminal, controlling a user terminal to send an access network message; the network manager receiving the access network message and a radio access network determining an access management module; acquiring the user-subscribed network slice; determining whether the access management module can process the user-subscribed network slice; if not, a network slice selection module acquiring an allowed slice and a target access management module; the network slice selection module sending the allowed slice to the target access management module; the target access management module acquiring a user subscription policy; and sending the user subscription policy to the IoT terminal so that the IoT terminal accesses the target access management module. In this way users are restricted to accessing the intranet only within a small, controllable campus area and are denied service outside that area, so that higher reliability and security are ensured.

Description

Method, system and medium for 5G SA network IoT terminal access and access restriction

This application is based on Chinese patent application No. 202211722173.5 filed on December 30, 2022, and claims its priority; the entire content of that application is incorporated herein by reference.

Technical Field

The present application relates to the technical field of the Internet of Things, and in particular to a method, system and medium for 5G SA network IoT terminal access and access restriction.

Background Art

In 5G private-network (customized network) deployments, for low latency and high reliability many customers reuse the operator-built network elements on the access and control planes, such as the AMF and SMF, while on the user plane a lightweight UPF is deployed down to the campus and a dedicated DNN is used to reach internal services.

Among existing techniques for restricting 5G IoT terminal access, the most common checks the AMF ID or MME host name reported for the user against an allow-list, which only achieves province-level regional restriction. Where the policy control module performs access control based on the tracking area code, a TAC covers a comparatively large area, so the campus boundary is hard to control precisely, and the radio side must re-plan and adjust TACs, which is difficult for an operator once TACs have been planned. If instead the policy control module performs session policy control at base station or cell level, a moving user triggers frequent location updates, producing a large volume of signalling that congests the signalling plane and affects service.

Therefore, how to perform access control on IoT terminals simply and in real time, so that a user can access the intranet only within a small, controllable campus area and is denied service when roaming out of that area, thereby ensuring higher reliability and security, is a problem that urgently needs solving.

Summary

The technical problem to be solved by this application is to restrict users to accessing the intranet only within a small, controllable campus area and to deny service outside that area, thereby ensuring higher reliability and security.

In a first aspect, an embodiment of the present application provides a method for 5G SA network IoT terminal access and access restriction, applied to an SA network IoT system comprising an IoT terminal, a network manager and a user terminal, wherein the network manager establishes network connections with the IoT terminal and the user terminal respectively for the transmission of data, and the network manager is provided with a radio access network, an access management module, a network slice selection module and a policy control module. The method comprises:

if the network manager receives an attachment request from the IoT terminal, controlling the user terminal to send an access network message;

the network manager receives the access network message, and the radio access network determines the access management module corresponding to the access network message;

the determined access management module obtains, from a preset slice database, the user-subscribed network slice corresponding to the access network message;

determining whether the determined access management module can process the user-subscribed network slice;

if the determined access management module cannot process the user-subscribed network slice, the network slice selection module obtains the allowed slice and the target access management module corresponding to the user-subscribed network slice;

the network slice selection module re-sends the allowed slice to the target access management module;

the target access management module obtains, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;

the user subscription policy is sent to the IoT terminal so that the IoT terminal accesses the target access management module.

Preferably, the radio access network determining the access management module corresponding to the access network message comprises:

parsing the access network message to obtain the corresponding GUAMI information;

determining whether a matching access management module can be obtained from the GUAMI information;

if a matching access management module can be obtained from the GUAMI information, taking that matching access management module as the determined access management module;

if no matching access management module can be obtained from the GUAMI information, determining the corresponding access management module from the requested slice in the access network message.

Preferably, before determining the corresponding access management module from the requested slice in the access network message, the method further comprises:

determining whether the access network message contains a requested slice;

if the access network message contains a requested slice, executing the step of determining the corresponding access management module from the requested slice in the access network message;

if the access network message does not contain a requested slice, sending a registration request to the default access management module.

Preferably, the target access management module obtaining the pre-stored user subscription policy from the policy control module comprises:

the policy control module subscribing, for a single user and based on preset tracking area codes, to that user's changes between tracking areas in order to obtain the user subscription policy.

Preferably, the network manager is further provided with a session management module, and the policy control module performs session policy control on the user based on preset tracking area codes; the policy control module subscribing to tracking-area changes for a single user in order to obtain the user subscription policy comprises:

if a tracking-area change signal sent by the user terminal is received, actively reporting the location to update the access network message;

the radio access network re-determines the access management module newly corresponding to the updated access network message;

the newly corresponding access management module reports the updated access network message to the policy control module through a preset interface;

the policy control module performs session policy control on the tracking area code carried in the session management module.

Preferably, the policy control module performing policy control on the tracking area code carried in the session management module comprises:

if the tracking area code is in the allow-list of the session management module, issuing a dynamic policy to ensure that a first policy is output, the first policy being a higher quality-of-service policy;

if the tracking area code is not in the allow-list of the session management module, issuing a blocking instruction to ensure that a second policy is output, thereby blocking all of the user's traffic so that user traffic does not leave the campus; the service rule corresponding to the second policy has the highest global priority.
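The tracking-area decision just described, as an added model that is not part of the patent's own specification: a policy control function keeps an allow-list of TACs per DNN, re-decides every time the access management module relays a location report, and installs either the higher-QoS rule or the blocking rule. The blocking rule is given the lowest precedence value so that it wins even if both rules were ever installed together (in 3GPP PCC, a lower precedence value is evaluated first). Rule names, DNN, TAC values, SUPIs and the 5QI are constructed, and the "preset interface" between access management and policy control is modelled as a plain method call since the text does not name it. Two behaviours the text implies but does not spell out are made explicit: a session whose TAC is not yet known, and a DNN with no allow-list configured, are blocked rather than allowed.

```python
"""Model of TAC-based session policy control (added example, not patent code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Rule names, precedence values and 5QI are illustrative. Following the 3GPP PCC
# convention, a lower precedence value is evaluated first, so the blocking rule
# at precedence 0 beats any QoS rule should both ever be installed.
BLOCK_RULE = "campus-block-all"
QOS_RULE = "campus-high-qos"
BLOCK_PRECEDENCE = 0
QOS_PRECEDENCE = 100


@dataclass(frozen=True)
class PccRule:
    name: str
    precedence: int
    gate_open: bool                 # False: drop all user-plane traffic
    qos_class: Optional[str] = None


@dataclass
class PduSession:
    supi: str
    dnn: str
    tac: Optional[str]              # TAC from the network-reported user location; None = unknown
    rules: List[PccRule] = field(default_factory=list)


class Pcf:
    """Policy control module holding the campus allow-list, keyed by DNN."""

    def __init__(self, allowed_tacs_by_dnn: Dict[str, FrozenSet[str]]) -> None:
        self.allowed = allowed_tacs_by_dnn

    def decide(self, session: PduSession) -> PccRule:
        """Replace the session's installed rules with the one its current TAC warrants."""
        allowed = self.allowed.get(session.dnn, frozenset())
        # Fail closed: unknown DNN, missing TAC and out-of-campus TAC all block.
        if session.tac is not None and session.tac in allowed:
            rule = PccRule(QOS_RULE, QOS_PRECEDENCE, gate_open=True, qos_class="5QI-7")
        else:
            rule = PccRule(BLOCK_RULE, BLOCK_PRECEDENCE, gate_open=False)
        session.rules = [rule]
        return rule

    def on_location_report(self, session: PduSession, new_tac: Optional[str]) -> PccRule:
        """Tracking-area change relayed by the access management module (interface unnamed in the text)."""
        session.tac = new_tac
        return self.decide(session)


def traffic_allowed(session: PduSession) -> bool:
    """Gate state of a session: the installed rule with the lowest precedence value decides."""
    if not session.rules:
        return False                # nothing installed: fail closed
    return min(session.rules, key=lambda r: r.precedence).gate_open


def block_wins_over_qos() -> bool:
    """Both rules installed at once: the blocking rule must still close the gate."""
    s = PduSession("imsi-460000000000001", "campus.dnn", tac="1A2B")
    s.rules = [PccRule(QOS_RULE, QOS_PRECEDENCE, True, "5QI-7"),
               PccRule(BLOCK_RULE, BLOCK_PRECEDENCE, False)]
    return not traffic_allowed(s)


def run_scenario() -> List[tuple]:
    """Walk one subscriber into the campus, out of it and back (constructed TACs)."""
    pcf = Pcf({"campus.dnn": frozenset({"1A2B", "1A2C"})})
    s = PduSession("imsi-460000000000001", "campus.dnn", tac="1A2B")
    trace = []
    pcf.decide(s)
    trace.append(("in-campus", traffic_allowed(s)))
    pcf.on_location_report(s, "9F01")       # roams to a TAC outside the campus
    trace.append(("roamed-out", traffic_allowed(s)))
    pcf.on_location_report(s, "1A2C")       # second campus TAC, still allowed
    trace.append(("back-in", traffic_allowed(s)))
    pcf.on_location_report(s, None)         # location lost: must not reopen the gate
    trace.append(("no-tac", traffic_allowed(s)))
    other = PduSession("imsi-460000000000002", "unknown.dnn", tac="1A2B")
    pcf.decide(other)                       # DNN with no allow-list configured
    trace.append(("unknown-dnn", traffic_allowed(other)))
    return trace


if __name__ == "__main__":
    for step, allowed in run_scenario():
        print(f"{step:12s} traffic_allowed={allowed}")
```

The allow-list is only as fine-grained as the TAC plan: base stations that share one TAC (scenario three in the description) cannot be told apart by this check alone, which is why the text layers it on top of slice selection rather than replacing it.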

Preferably, the determined access management module obtaining from the preset slice database the user-subscribed network slice corresponding to the access network message further comprises:

if the target access management module obtains the user subscription policy, determining whether the requested slice, the user-subscribed network slice and the allowed slice can be combined to form an intersection slice;

if an intersection slice can be formed, allowing the user terminal to access;

if no intersection slice can be formed, denying the user terminal access.
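The registration flow of the first aspect, the GUAMI / requested-slice / default-AMF selection and the intersection check above, together as one added model that is not the patent's own code. It runs four constructed registrations through the chain: RAN selects an access management module, that module looks up the subscribed slice, the network slice selection module (the NSSF in 3GPP terms) supplies the allowed slice and a target module when the first one cannot serve the subscription, and admission requires a non-empty intersection of requested, subscribed and allowed slices. AMF names, GUAMI strings, SUPIs and S-NSSAI values are constructed; treating an empty requested NSSAI as "the subscribed slices" is an assumption the text does not state.

```python
"""Model of registration-time AMF selection and slice admission (added example, not patent code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Snssai:
    sst: int                          # slice/service type
    sd: Optional[str] = None          # slice differentiator; None = SST-only slice


@dataclass(frozen=True)
class Amf:
    name: str
    guami: str                        # Globally Unique AMF ID (illustrative string)
    supported: FrozenSet[Snssai]

    def can_serve(self, slices: FrozenSet[Snssai]) -> bool:
        return bool(slices) and slices <= self.supported


@dataclass(frozen=True)
class AccessNetworkMsg:
    supi: str
    guami: Optional[str]              # GUAMI from a previous registration; may be stale or absent
    requested: FrozenSet[Snssai]      # requested NSSAI; may be empty


class Ran:
    """RAN step: GUAMI match first, requested slice next, default AMF last."""

    def __init__(self, amfs: List[Amf], default_amf: Amf) -> None:
        self.amfs = list(amfs)
        self.by_guami = {a.guami: a for a in amfs}
        self.default_amf = default_amf

    def select_amf(self, msg: AccessNetworkMsg) -> Tuple[Amf, str]:
        if msg.guami is not None and msg.guami in self.by_guami:
            return self.by_guami[msg.guami], "guami"
        if msg.requested:                                 # stale/absent GUAMI: use requested slice
            for cand in self.amfs:
                if cand.can_serve(msg.requested):
                    return cand, "requested-slice"
        return self.default_amf, "default"                # no usable requested slice


class SliceSelector:
    """Network slice selection module: allowed slices and the AMF able to serve them (constructed)."""

    def __init__(self, allowed: FrozenSet[Snssai], target: Amf) -> None:
        self.allowed = allowed
        self.target = target

    def reroute(self, subscribed: FrozenSet[Snssai]) -> Tuple[FrozenSet[Snssai], Amf]:
        return self.allowed & subscribed, self.target


def register(msg: AccessNetworkMsg, ran: Ran,
             slice_db: Dict[str, FrozenSet[Snssai]], nssf: SliceSelector) -> dict:
    initial_amf, how = ran.select_amf(msg)
    result = {"initial_amf": initial_amf.name, "selected_by": how,
              "serving_amf": initial_amf.name, "rerouted": False,
              "admitted": False, "slices": frozenset()}
    subscribed = slice_db.get(msg.supi, frozenset())
    if not subscribed:
        return result                                     # no subscription record: deny
    serving, allowed = initial_amf, subscribed
    if not serving.can_serve(subscribed):                 # NSSF picks allowed slice + target AMF
        allowed, serving = nssf.reroute(subscribed)
        result.update(serving_amf=serving.name, rerouted=True)
    requested = msg.requested or subscribed               # assumption: empty request = subscribed
    intersection = requested & subscribed & allowed
    result.update(admitted=bool(intersection), slices=intersection)
    return result


# Constructed topology: amf-a serves only the default slice, amf-b also the campus slice.
CAMPUS = Snssai(1, "0A0B0C")
EMBB = Snssai(1)
AMF_A = Amf("amf-a", "460-00-a1", frozenset({EMBB}))
AMF_B = Amf("amf-b", "460-00-b2", frozenset({EMBB, CAMPUS}))
CAMPUS_RAN = Ran([AMF_A, AMF_B], default_amf=AMF_A)
SLICE_DB = {"imsi-460000000000001": frozenset({CAMPUS}),
            "imsi-460000000000002": frozenset({EMBB})}
NSSF = SliceSelector(frozenset({CAMPUS}), AMF_B)


def demo() -> List[dict]:
    msgs = [
        AccessNetworkMsg("imsi-460000000000001", "460-00-a1", frozenset({CAMPUS})),  # stale GUAMI -> reroute
        AccessNetworkMsg("imsi-460000000000002", None, frozenset({CAMPUS})),         # not subscribed -> deny
        AccessNetworkMsg("imsi-460000000000001", None, frozenset()),                 # no GUAMI, no slice -> default AMF
        AccessNetworkMsg("imsi-460000000000009", None, frozenset({CAMPUS})),         # unknown SUPI -> deny
    ]
    return [register(m, CAMPUS_RAN, SLICE_DB, NSSF) for m in msgs]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The second case is the one that matters for access restriction: a subscriber of the default slice who asks for the campus slice is steered to an AMF that could technically serve it, but the requested-subscribed-allowed intersection is empty, so registration is denied regardless of which module was selected.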

In a second aspect, an embodiment of the present application provides a system for 5G SA network IoT terminal access and access restriction, the system comprising an IoT terminal, a network manager and a user terminal, the network manager establishing network connections with the IoT terminal and the user terminal respectively for the transmission of data;

the system comprises an attachment request unit configured in the IoT terminal, a first sending unit configured in the user terminal, and a receiving unit, a first obtaining unit, a judging unit, a second obtaining unit, a second sending unit, a third obtaining unit and a third sending unit configured in the network manager;

the attachment request unit is used for the network manager to receive an attachment request from the IoT terminal;

the first sending unit is used to control the user terminal to send an access network message if the network manager receives an attachment request from the IoT terminal;

the receiving unit is used for the network manager to receive the access network message and for the radio access network to determine the access management module corresponding to the access network message;

the first obtaining unit is used for the determined access management module to obtain, from the preset slice database, the user-subscribed network slice corresponding to the access network message;

the judging unit is used to determine whether the determined access management module can process the user-subscribed network slice;

the second obtaining unit is used for the network slice selection module to obtain the allowed slice and the target access management module corresponding to the user-subscribed network slice if the determined access management module cannot process the user-subscribed network slice;

the second sending unit is used for the network slice selection module to re-send the allowed slice to the target access management module;

the third obtaining unit is used for the target access management module to obtain, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;

the third sending unit is used to send the user subscription policy to the IoT terminal so that the IoT terminal accesses the target access management module.

第三方面,本申请实施例又提供了5G SA网络物联网终端接入和访问限制的系统,所述系统包括物联网终端、网络管理器及用户终端,所述物联网终端包括第一存储器、第一处理器及存储在所述第一存储器上并可在所述第一处理器上运行的第一计算机程序,所述网络管理器包括第二存储器、第二处理器及存储在所述第二存储器上并可在所述第二处理器上运行的第二计算机程序,所述用户终端包括第三存储器、第三处理器及存储在所述第三存储器上并可在所述第三处理器上运行的第三计算机程序,其特征在于,所述第一处理器执行所 述第一计算机程序、所述第二处理器执行所述第二计算机程序以及所述第三处理器执行所述第三计算机程序时共同实现如上述第一方面所述的5G SA网络物联网终端接入和访问限制的方法。In the third aspect, an embodiment of the present application further provides a system for 5G SA network IoT terminal access and access restriction, the system comprising an IoT terminal, a network manager and a user terminal, the IoT terminal comprising a first memory, a first processor and a first computer program stored on the first memory and executable on the first processor, the network manager comprising a second memory, a second processor and a second computer program stored on the second memory and executable on the second processor, the user terminal comprising a third memory, a third processor and a third computer program stored on the third memory and executable on the third processor, characterized in that the first processor executes the The first computer program, the second processor executing the second computer program, and the third processor executing the third computer program jointly implement the method for 5G SA network IoT terminal access and access restriction as described in the first aspect above.

第四方面,本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质存储有第一计算机程序、第二计算机程序及第三计算机程序,当所述第一计算机程序被第一处理器执行、所述第二计算机程序被第二处理器执行以及所述第三计算机程序被第三处理器执行时共同实现如上述第一方面所述的5G SA网络物联网终端接入和访问限制的方法。In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, wherein the computer-readable storage medium stores a first computer program, a second computer program, and a third computer program. When the first computer program is executed by a first processor, the second computer program is executed by a second processor, and the third computer program is executed by a third processor, the method for 5G SA network IoT terminal access and access restriction as described in the first aspect above is jointly implemented.

与现有技术相比,本申请包括以下至少一种有益技术效果:Compared with the prior art, the present invention has at least one of the following beneficial technical effects:

若所述网络管理器接收到来自所述物联网终端的附着请求,控制所述用户终端发送接入网络消息;所述网络管理器接收所述接入网络消息,所述无线电接入网确定与所述接入网络消息对应的接入管理模块;所确定的所述接入管理模块从预置的切片数据库获取与所述接入网络消息对应的用户签约网络切片;判断所确定的所述接入管理模块是否能对所述用户签约网络切片进行处理;若所确定的所述接入管理模块无法对所述用户签约网络切片进行处理,则所述网络切片选择模块获取与所述用户签约网络切片对应的允许切片及目标接入管理模块;所述网络切片选择模块将所述允许切片重新发送至所述目标接入管理模块;所述目标接入管理模块从所述策略控制模块获取预存的与所述允许切片对应的用户签约策略;将所述用户签约策略发送至所述物联网终端,以使所述物联网终端接入所述目标接入管理模块。If the network manager receives an attachment request from the Internet of Things terminal, it controls the user terminal to send an access network message; the network manager receives the access network message, and the radio access network determines the access management module corresponding to the access network message; the determined access management module obtains the user contracted network slice corresponding to the access network message from the preset slice database; it is judged whether the determined access management module can process the user contracted network slice; if the determined access management module cannot process the user contracted network slice, the network slice selection module obtains the allowed slice and the target access management module corresponding to the user contracted network slice; the network slice selection module resends the allowed slice to the target access management module; the target access management module obtains the pre-stored user contract policy corresponding to the allowed slice from the policy control module; and the user contract policy is sent to the Internet of Things terminal to enable the Internet of Things terminal to access the target access management module.

由策略控制模块针对单用户进行跟踪区间切换订阅,当用户终端发生跟踪区间的切换时,主动上报位置更新消息,由策略控制模块对会话管理模块的会话消息中携带的跟踪区编码进行策略控制:当跟踪区编码在允许的列表中时,下发动态的控制策略,如服务质量保障等;当跟踪区编码不在允许的列表中时,阻塞用户所有流量,从而实现用户流量不出园区。The policy control module performs tracking interval switching subscription for a single user. When the user terminal switches the tracking interval, it actively reports the location update message. The policy control module performs policy control on the tracking area code carried in the session message of the session management module: when the tracking area code is in the allowed list, dynamic control policies are issued, such as service quality assurance; when the tracking area code is not in the allowed list, all user traffic is blocked, so that the user traffic does not leave the park.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 2 is a schematic diagram of a scenario of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 3 is another schematic flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 4 is a schematic sub-flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 5 is another schematic sub-flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 6 is a further schematic sub-flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 7 is yet another schematic sub-flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 8 is still another schematic sub-flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 9 is a schematic diagram of another application scenario of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 10 is a schematic diagram of a further application scenario of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 11 is a schematic diagram of yet another application scenario of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 12 is a schematic block diagram of the system for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application.

FIG. 13 is a schematic block diagram of a computer device provided in an embodiment of the present application.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.

It should be understood that, when used in this specification and the appended claims, the terms "include" and "comprise" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or combinations thereof.

It should also be understood that the terms used in the specification of the present application are only for the purpose of describing specific embodiments and are not intended to limit the present application. As used in the specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.

It should further be understood that the term "and/or" used in the specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes these combinations.

Referring to FIG. 1 and FIG. 2, FIG. 1 is a schematic flow chart of the method for 5G SA network IoT terminal access and access restriction provided in an embodiment of the present application, and FIG. 2 is a schematic diagram of an application scenario of that method. The method is applied in an SA network IoT system 10, which includes an IoT terminal 11, a network manager 12 and a user terminal 13, and is executed by application software installed in the IoT terminal 11, the network manager 12 and the user terminal 13. The user terminal 13 is a terminal device that connects wirelessly to the network manager 12 on the basis of a SIM card, such as a smart watch, smart speaker, smart phone or other smart device; the network manager 12 is a gateway server used for network bridging and management and can manage the transmission of network access requests; and the IoT terminal 11 is the platform server that provides network information services to the user terminal 13. The network manager 12 establishes network connections with the IoT terminal 11 and with the user terminal 13 respectively in order to transmit data information; the user terminal 13 can send a network access request to the network manager 12, and the IoT terminal 11 can provide the corresponding network service to the user terminal 13 according to the network access request processed by the network manager 12. The network manager 12 contains a radio access network RAN, an access management module AMF, a network slice selection module and a policy control module PCF. As shown in FIG. 1, the method includes steps S110 to S180.

S110. If the network manager receives an attach request from the IoT terminal, control the user terminal 13 to send an access network message.

The network manager can receive an attach request from the IoT terminal. If it receives such a request, it sends a feedback signal to the user terminal 13, and on receiving the feedback signal the user terminal 13 sends an access network message to the network manager.

S120. The network manager receives the access network message, and the radio access network RAN determines the access management module AMF corresponding to the access network message.

As shown in FIG. 3, in a specific embodiment, sub-steps S111, S112 and S113 precede step S120.

S111. Judge whether the access network message contains a requested slice R; S112. If the access network message contains a requested slice R, execute the step of determining the corresponding access management module AMF according to the requested slice R in the access network message; S113. If the access network message does not contain a requested slice R, send a registration request to the default access management module AMF.

As shown in FIG. 4, in a specific embodiment, step S120 includes sub-steps S121, S122, S123 and S124.

S121. Parse the access network message to obtain the corresponding GUAMI information; S122. Judge whether a matching access management module AMF can be obtained according to the GUAMI information (in another embodiment, the matching access management module AMF may be replaced by the system default access management module AMF); S123. If a matching access management module AMF can be obtained according to the GUAMI information, take that matching access management module AMF as the determined access management module AMF; S124. If no matching access management module AMF can be obtained according to the GUAMI information, determine the corresponding access management module AMF according to the requested slice R in the access network message.

The access management module AMF is the main functional unit of the 5G (fifth-generation mobile communication) core network and performs access and mobility management for terminal users; the GUAMI information is the unique identifier of an access management module AMF. In the case of 5G access, the AN parameters (access network parameters) in the access network message include the GUAMI information, the requested slice R and so on.

S130. The determined access management module AMF acquires, from a preset slice database, the user subscribed network slice S corresponding to the access network message.

The network manager also has a unified data management module UDM. By providing a management architecture that uniformly manages basic IT facilities such as network, security and storage, the unified data management module UDM forms a unified management hub for the IT system and helps users manage, use and protect data assets more effectively. The preset slice database is located in the unified data management module UDM and contains three types of slice: the requested slice R (optional), the subscribed network slice S and the allowed slice A.

As shown in FIG. 5, in a specific embodiment, steps S131, S132 and S133 follow step S130.

S131. If the target access management module AMF has obtained the user subscription policy, judge whether the requested slice R, the user subscribed network slice S and the allowed slice A can be combined to form an intersection slice; S132. If an intersection slice can be formed, allow the user terminal 13 to access; S133. If an intersection slice cannot be formed, deny the user terminal 13 access. The slice the user terminal 13 finally accesses is the intersection of the requested slice R (if any), the subscribed network slice S and the allowed slice A; if the intersection of the three is empty, the user terminal 13 is denied access and the access procedure fails.

S140. Judge whether the determined access management module AMF can process the user subscribed network slice S.

If the determined access management module AMF can process the user subscribed network slice S, the target access management module AMF acquires from the policy control module PCF the pre-stored user subscription policy corresponding to the allowed slice A and sends the user subscription policy to the IoT terminal, so that the IoT terminal accesses the target access management module AMF. The policy control module PCF is similar to the PCRF (Policy and Charging Rules Function) among the 4G network elements and is mainly used for charging, dynamic policy control and so on.

S150. If the determined access management module AMF cannot process the user subscribed network slice S, the network slice selection module acquires the allowed slice A and the target access management module AMF corresponding to the user subscribed network slice S.

S160. The network slice selection module resends the allowed slice A to the target access management module AMF.

S170. The target access management module AMF acquires from the policy control module PCF the pre-stored user subscription policy corresponding to the allowed slice A.

As shown in FIG. 6, in a specific embodiment, step S170 is specifically step S171: the policy control module PCF subscribes, for a single user, to switches between tracking areas TA on the basis of the preset tracking area code TAC, so as to obtain the user subscription policy. More specifically, the policy control module PCF performs session policy control on the user on the basis of the preset tracking area code TAC; the session policy control consists of the policy control module PCF subscribing to switches between tracking areas TA for the single user in order to obtain the user subscription policy.

The tracking area code TAC identifies the area used for paging and location updates. Its planning must ensure that paging channel capacity is not a constraint while keeping the location update overhead at area boundaries minimal and the areas easy to manage. Reasonable planning of tracking area codes TAC balances the paging load against the location update signalling procedures and effectively controls the system signalling load.

As shown in FIG. 7, the network manager also has a session management module SMF, which is mainly responsible for interacting with the separated data plane, creating, updating and deleting PDU sessions, and managing the session context with the user plane function UPF. A PDU session is a communication process between a user terminal 13 and a data network DN. The user plane function UPF is a basic component of the 5G core network system architecture defined by 3GPP (the Third Generation Partnership Project); operators can rate-limit, charge and lawfully intercept user data transmission at the user plane function UPF and record traffic usage. The 5G user plane function UPF can be moved downward (deployed closer to the user) on demand, which lowers network latency, raises transmission rates, gives access to the user's intranet and keeps traffic inside the campus, meeting user needs at different levels. That the user plane function UPF can be moved downward results from the separation of the 5G control plane and user plane and reflects the great progress of 5G over 4G technology.

In a specific embodiment, step S171 includes sub-steps S1711, S1712, S1713 and S1714.

S1711. If a signal that the user terminal 13 has switched tracking area TA is received, actively report the location to update the access network message; S1712. The radio access network RAN redetermines the access management module AMF newly corresponding to the updated access network message; S1713. The newly corresponding access management module AMF reports the updated access network message to the policy control module PCF through a preset interface; S1714. The policy control module PCF performs session policy control on the tracking area code TAC carried in the session management module SMF.

As shown in FIG. 8, in a specific embodiment, step S1714 includes sub-steps S1715 and S1716.

S1715. If the tracking area code TAC is in the allow list of the session management module SMF, issue a dynamic policy to ensure that a first policy is output, the first policy being a higher quality of service policy; S1716. If the tracking area code TAC is not in the allow list of the session management module SMF, issue a blocking instruction to ensure that a second policy is output, thereby blocking all of the user's traffic so that the user's traffic does not leave the campus; the second policy has the highest global priority among the corresponding service rules.

S180. Send the user subscription policy to the IoT terminal so that the IoT terminal accesses the target access management module AMF.

由于5G核心网和无线基站可配置的切片数量有限,无法做到每个客户一个切片进行接入控制。因此,在本申请中,选用较少数量的公共切片用于接入限制,并在园区相关的基站、核心网网元增加允许切片A。通过网络切片选择模块配置每个跟踪区编码TAC支持的切片,接入管理模块AMF通过网络切片选择模块订阅跟踪区编码TAC与切片的信息,获得该跟踪区编码TAC下配置的切片。由于跟踪区编码TAC的范围一般很大,较少的公共切片即可满足大多数用户需求。Since the number of slices that can be configured in the 5G core network and wireless base stations is limited, it is impossible to control access to one slice for each customer. Therefore, in this application, a smaller number of public slices are selected for access restriction, and allowed slices A are added to the base stations and core network elements related to the campus. The slices supported by each tracking area code TAC are configured through the network slice selection module, and the access management module AMF subscribes to the information of the tracking area code TAC and the slices through the network slice selection module to obtain the slices configured under the tracking area code TAC. Since the range of the tracking area code TAC is generally large, fewer public slices can meet the needs of most users.

由策略控制模块PCF针对单用户进行跟踪区TA间切换订阅,当用户终端13发生跟踪区TA间的切换时,主动上报位置更新消息,由策略控制模块PCF对会话管理模块SMF的会话消息中携带的跟踪区编码TAC进行策略控制:当跟踪区编码TAC在允许的列表中时,下发动态的控制策略,如服务质量保障等;当跟踪区编码TAC不在允许的列表中时,阻塞用户所有流量,从而实现用户流量不出园区。The policy control module PCF performs switching subscription between tracking areas TA for a single user. When the user terminal 13 switches between tracking areas TA, it actively reports a location update message. The policy control module PCF performs policy control on the tracking area code TAC carried in the session message of the session management module SMF: when the tracking area code TAC is in the allowed list, dynamic control policies are issued, such as service quality assurance; when the tracking area code TAC is not in the allowed list, all user traffic is blocked, so that the user traffic does not leave the campus.

对涉及的主要场景例举如下:The main scenarios involved are listed below:

如图9所示,场景一:园区1定义为基站3覆盖范围,且基站1、基站2与基站3均同处于同一跟踪区编码TAC下。As shown in Figure 9, scenario 1: Park 1 is defined as the coverage area of base station 3, and base station 1, base station 2 and base station 3 are all in the same tracking area code TAC.

此种场景下,仅采用策略控制模块PCF配置进行跟踪区编码TAC级别的接入限制将精确控制其仅访问园区1。因此,基站1或基站2配置默认切片A0,基站3配置园区公共切片A1,同时策略控制模块PCF上根据跟踪区编码TAC1配置相应的会话控制策略。In this scenario, only the access restriction at the tracking area code TAC level configured by the policy control module PCF will accurately control access to only campus 1. Therefore, base station 1 or base station 2 configures the default slice A0, base station 3 configures the campus public slice A1, and the policy control module PCF configures the corresponding session control policy according to the tracking area code TAC1.

针对本园区的用户,签约网络切片为S1,本场景中S1=A1,且用户终端13请求切片R默认为空。因此,本场景中最终允许切片为A1,签约S1的用户可正常完成注册接入流程。会话建立后,策略控制模块PCF判断跟踪区编码TAC1在允许的列表中时,下发更高优先级的业务策略。当用户移动到基站3以外的区域时,最终允许切片A1为空,拒绝用户接入。For users in this park, the contracted network slice is S1. In this scenario, S1=A1, and the slice R requested by user terminal 13 is empty by default. Therefore, in this scenario, the slice A1 is finally allowed, and users who have signed up for S1 can complete the registration and access process normally. After the session is established, when the policy control module PCF determines that the tracking area code TAC1 is in the allowed list, it issues a higher priority service policy. When the user moves to an area outside the base station 3, the slice A1 is finally allowed to be empty, and the user access is denied.

针对非本园区的用户,签约网络切片为S2,用户终端13请求切片R为空, 最终允许切片A1为空,拒绝用户接入,注册失败。For users outside the park, the contracted network slice is S2, and the user terminal 13 requests that the slice R is empty. Finally, slice A1 is allowed to be empty, user access is denied, and registration fails.

根据以上分析结果,此场景下可保证非园区的用户无论出于何处均无法接入用户内网,园区内的用户位于园区内时可接入内网,且享受更高的服务质量,移出园区外时,拒绝接入,从而实现双向的安全接入限制。According to the above analysis results, in this scenario, it can be ensured that non-campus users cannot access the user intranet no matter where they are. Users in the campus can access the intranet when they are in the campus and enjoy higher service quality. When they move out of the campus, access is denied, thereby achieving two-way secure access restriction.

不同客户若都配置同一切片,可能造成终端通过园区外其他基站接入。此种场景需要叠加跟踪区编码TAC的位置限制,即通过策略控制模块PCF下发跟踪区编码TAC位置控制策略以实现同一切片下不同园区的区域限制(无需重新调整跟踪区编码TAC)。If different customers configure the same slice, the terminal may access through other base stations outside the park. In this scenario, the location restriction of the tracking area code TAC needs to be superimposed, that is, the tracking area code TAC location control policy is issued through the policy control module PCF to achieve regional restrictions in different parks under the same slice (without re-adjusting the tracking area code TAC).

如图10所示,场景二:园区1定义为基站3覆盖范围,园区2定义为基站4覆盖范围,且基站1、基站2与基站3同处于同一跟踪区编码TAC下。As shown in Figure 10, scenario 2: Park 1 is defined as the coverage area of base station 3, park 2 is defined as the coverage area of base station 4, and base station 1, base station 2 and base station 3 are all in the same tracking area code TAC.

基站1、基站2配置默认切片A0,基站3、基站4配置园区公共切片A1,同时策略控制模块PCF上根据跟踪区编码TAC1、跟踪区编码TAC2分别配置相应的会话控制策略,配置园区1用户允许访问的跟踪区编码TAC为跟踪区编码TAC1,园区2用户允许访问的跟踪区编码TAC为跟踪区编码TAC2。Base station 1 and base station 2 are configured with the default slice A0, base station 3 and base station 4 are configured with the campus public slice A1, and at the same time, the policy control module PCF configures corresponding session control policies according to the tracking area code TAC1 and the tracking area code TAC2, and configures the tracking area code TAC that users in campus 1 are allowed to access to be tracking area code TAC1, and the tracking area code TAC that users in campus 2 are allowed to access to be tracking area code TAC2.

针对园区1和园区2的用户,签约网络切片为S1,本场景中S1=A1,且用户终端13请求切片R默认为空。因此,本场景中园区1和园区2最终允许切片为A1,签约S1的用户可正常完成注册接入流程。For users in Park 1 and Park 2, the network slice they have signed up for is S1. In this scenario, S1 = A1, and the slice R requested by the user terminal 13 is empty by default. Therefore, in this scenario, Park 1 and Park 2 finally allow the slice to be A1, and users who have signed up for S1 can complete the registration and access process normally.

此种场景下,园区1在跟踪区编码TAC1下的接入限制同场景1中相一致。若园区1的用户移动至园区2,触发位置上报事件。由于其园区公共切片相同,园区1的用户仍可正常接入园区2,进入会话建立流程后,策略控制模块PCF判断其上报的跟踪区编码TAC2不在允许访问的列表中,下发流量阻塞策略,表现为接入正常,但无法访问园区1的内网。移动回园区1,上报位置更新给策略控制模块PCF,实时恢复其业务正常使用。In this scenario, the access restrictions of Park 1 under the tracking area code TAC1 are consistent with those in Scenario 1. If the user of Park 1 moves to Park 2, a location reporting event is triggered. Since their park public slices are the same, the user of Park 1 can still access Park 2 normally. After entering the session establishment process, the policy control module PCF determines that the tracking area code TAC2 reported by it is not in the list of allowed access, and sends a traffic blocking policy, which shows that the access is normal, but the intranet of Park 1 cannot be accessed. Move back to Park 1, report the location update to the policy control module PCF, and restore its normal service use in real time.

Users of campus 2 can access services normally only within the coverage of base station 4; in all other cases the blocking reasons are the same as for campus 1.

According to the above analysis, this scenario ensures that when users of a campus move to a different campus under the same slice they cannot access the intranet; only when a user is located inside the campus can the intranet be accessed and the higher quality of service enjoyed.

As shown in Figure 11, scenario three: campus 1 is defined as the coverage of base station 3, campus 2 is defined as the coverage of base stations 4 and 5, and base stations 1, 2, 3, 4 and 5 are all under the same tracking area code TAC.

Base stations 1 and 2 are configured with the default slice A0, base station 3 with the campus public slice A1, and base stations 4 and 5 with the campus public slice A2. At the same time, the corresponding session control policy is configured on the policy control module PCF according to tracking area code TAC1, and the tracking area code that users of both campus 1 and campus 2 are allowed to access is configured as TAC1.

For users of campus 1, the subscribed network slice is S1; in this scenario S1 = A1, and the slice R requested by the terminal is empty by default. For users of campus 2, the subscribed network slice is S2; in this scenario S2 = A2, and the slice R requested by the terminal is empty by default. Therefore, in this scenario the slice finally allowed for campus 1 is A1 and the slice finally allowed for campus 2 is A2.

In this scenario, if a campus 1 user moves to campus 2, the campus 1 user cannot access the network normally because the slices differ. Likewise, if a campus 2 user moves to campus 1, the campus 2 user cannot access the network normally because the slices differ.

The analysis of campus 1 and campus 2 users accessing areas outside tracking area code TAC1 is the same as in scenario one and is not repeated here.

According to the above analysis, this scenario ensures that when users of different campuses under the same tracking area code TAC move to another campus under that same tracking area code they cannot access the intranet; only when a user is located inside their own campus can the intranet be accessed and the higher quality of service enjoyed.
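As an added illustration of scenarios two and three above and of the slice-intersection and tracking-area checks they rely on (example code written for this page, not the applicant's implementation), the following Python model evaluates a subscriber at a given base station: registration succeeds only if the requested, subscribed and allowed slices intersect, and the PCF then either grants the higher quality-of-service policy or blocks all traffic according to the TAC allow-list. The tracking area of base stations 1 and 2 in scenario two is not stated in the description and is assumed here to be TAC1; the policy names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added worked example, not the patent's own code: models the registration and
# session-policy decisions of scenarios two and three in the description.


@dataclass(frozen=True)
class BaseStation:
    name: str
    tac: str    # tracking area code the base station belongs to
    slice: str  # slice configured on the base station: A0 (default) or a campus public slice


@dataclass(frozen=True)
class Subscriber:
    campus: str
    subscribed_slice: str                  # S, taken from the preset slice database
    allowed_tacs: FrozenSet[str]           # TAC allow-list held in the PCF session control policy
    requested_slice: Optional[str] = None  # R; empty by default for these terminals


def registration_decision(sub: Subscriber, bs: BaseStation) -> Tuple[str, Optional[str]]:
    """Access is granted only if R, S and the base station's allowed slice A intersect.
    An empty R is treated as 'no preference', so the subscribed slice stands in for it."""
    requested = {sub.requested_slice} if sub.requested_slice else {sub.subscribed_slice}
    intersection = requested & {sub.subscribed_slice} & {bs.slice}
    if not intersection:
        return "reject", None
    return "accept", next(iter(intersection))


def pcf_session_policy(sub: Subscriber, reported_tac: str) -> str:
    """On a location report the PCF checks the TAC against the allow-list:
    in the list -> higher-QoS dynamic policy; not in the list -> block all user traffic."""
    return "high_qos" if reported_tac in sub.allowed_tacs else "block"


def evaluate(sub: Subscriber, bs: BaseStation) -> dict:
    """Outcome for one subscriber camped on one base station: registration result and,
    if registered, the PCF policy applied after the location report."""
    result, allowed = registration_decision(sub, bs)
    if result == "reject":
        return {"registered": False, "allowed_slice": None, "policy": None, "intranet": False}
    policy = pcf_session_policy(sub, bs.tac)
    return {"registered": True, "allowed_slice": allowed, "policy": policy,
            "intranet": policy == "high_qos"}


def simulate_path(sub: Subscriber, path: List[BaseStation]) -> List[dict]:
    """Re-evaluates the decision at every location update along a movement path."""
    return [evaluate(sub, bs) for bs in path]


# Scenario two: campus 1 = BS3 under TAC1, campus 2 = BS4 under TAC2, one shared slice A1.
# The TAC of BS1/BS2 is not given in the description; TAC1 is an assumption.
BS_S2 = {
    "BS1": BaseStation("BS1", "TAC1", "A0"),
    "BS2": BaseStation("BS2", "TAC1", "A0"),
    "BS3": BaseStation("BS3", "TAC1", "A1"),  # campus 1
    "BS4": BaseStation("BS4", "TAC2", "A1"),  # campus 2
}
CAMPUS1_S2 = Subscriber("campus1", "A1", frozenset({"TAC1"}))
CAMPUS2_S2 = Subscriber("campus2", "A1", frozenset({"TAC2"}))

# Scenario three: every base station under TAC1, campuses separated by slice (A1 vs A2).
BS_S3 = {
    "BS1": BaseStation("BS1", "TAC1", "A0"),
    "BS2": BaseStation("BS2", "TAC1", "A0"),
    "BS3": BaseStation("BS3", "TAC1", "A1"),  # campus 1
    "BS4": BaseStation("BS4", "TAC1", "A2"),  # campus 2
    "BS5": BaseStation("BS5", "TAC1", "A2"),  # campus 2
}
CAMPUS1_S3 = Subscriber("campus1", "A1", frozenset({"TAC1"}))
CAMPUS2_S3 = Subscriber("campus2", "A2", frozenset({"TAC1"}))


if __name__ == "__main__":
    # Campus 1 user walks BS3 -> BS4 -> BS3 in scenario two: attached throughout,
    # intranet reachable only while camped on BS3.
    for step in simulate_path(CAMPUS1_S2, [BS_S2["BS3"], BS_S2["BS4"], BS_S2["BS3"]]):
        print(step)
    # Scenario three: the same move is refused at registration because the slices differ.
    print(evaluate(CAMPUS1_S3, BS_S3["BS4"]))
```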

An embodiment of the present application also provides a system for 5G SA network Internet of Things terminal access and access restriction, which is used to execute any embodiment of the aforementioned method for 5G SA network Internet of Things terminal access and access restriction. Specifically, refer to Figure 12, which is a schematic block diagram of the system for 5G SA network Internet of Things terminal access and access restriction provided in an embodiment of the present application.

As shown in Figure 12, the system includes an Internet of Things terminal 11, a network manager 12 and a user terminal 13; the network manager 12 establishes network connections with the Internet of Things terminal 11 and the user terminal 13 respectively to transmit data information. The system includes an attachment request unit 111 configured in the Internet of Things terminal 11, a first sending unit 131 configured in the user terminal 13, and a receiving unit 121, a first acquisition unit 122, a judgment unit 123, a second acquisition unit 124, a second sending unit 125, a third acquisition unit 126 and a third sending unit 127 configured in the network manager 12.

The attachment request unit 111 is used for the network manager 12 to receive an attachment request from the Internet of Things terminal 11.

The first sending unit 131 is used to control the user terminal 13 to send an access network message if the network manager 12 receives an attachment request from the Internet of Things terminal 11.

The receiving unit 121 is used for the network manager 12 to receive the access network message, with the radio access network RAN determining the access management module AMF corresponding to the access network message.

The first acquisition unit 122 is used for the determined access management module AMF to obtain, from a preset slice database, the user-subscribed network slice S corresponding to the access network message.

The judgment unit 123 is used to determine whether the determined access management module AMF is able to process the user-subscribed network slice S.

The second acquisition unit 124 is used for the network slice selection module to obtain the allowed slice A and the target access management module AMF corresponding to the user-subscribed network slice S if the determined access management module AMF is unable to process the user-subscribed network slice S.

The second sending unit 125 is used for the network slice selection module to resend the allowed slice A to the target access management module AMF.

The third acquisition unit 126 is used for the target access management module AMF to obtain, from the policy control module PCF, the pre-stored user subscription policy corresponding to the allowed slice A.

The third sending unit 127 is used to send the user subscription policy to the Internet of Things terminal 11, so that the Internet of Things terminal 11 accesses the target access management module AMF.
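The following Python simulation, added here and not part of the patent, walks one attachment through the units just listed: the radio access network determines the AMF by GUAMI, then by requested slice, and otherwise falls back to the default AMF; the AMF checks the subscribed slice from the preset slice database; the network slice selection module reroutes to a target AMF when the first AMF cannot serve that slice; and the target AMF fetches the PCF policy that is returned to the terminal. The AMF names, GUAMI values, subscriber identifiers and policy names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Added example, not the applicant's code: attach flow of the units 111/131/121..127
# with the GUAMI -> requested slice -> default AMF selection order.


@dataclass(frozen=True)
class AccessMessage:
    supi: str                              # subscriber identity (constructed placeholder)
    guami: Optional[str] = None            # GUAMI parsed from the access network message
    requested_slice: Optional[str] = None  # R; empty by default


@dataclass(frozen=True)
class AccessManagementModule:  # AMF
    name: str
    guami: str
    served_slices: FrozenSet[str]


class NetworkManager:
    def __init__(self, amfs: Iterable[AccessManagementModule], default_amf: str,
                 slice_db: Dict[str, str], pcf_policies: Dict[str, str]) -> None:
        self.amfs = {a.name: a for a in amfs}  # insertion order is the RAN's search order
        self.default_amf = default_amf
        self.slice_db = slice_db                # preset slice database: SUPI -> S
        self.pcf_policies = pcf_policies        # PCF: allowed slice A -> subscription policy

    def ran_determine_amf(self, msg: AccessMessage) -> Tuple[AccessManagementModule, str]:
        """Receiving unit 121: match GUAMI first, then the requested slice, else default AMF."""
        if msg.guami is not None:
            for amf in self.amfs.values():
                if amf.guami == msg.guami:
                    return amf, "guami"
        if msg.requested_slice is not None:
            for amf in self.amfs.values():
                if msg.requested_slice in amf.served_slices:
                    return amf, "requested_slice"
        return self.amfs[self.default_amf], "default"

    def nssf_select(self, s: str) -> Tuple[Optional[str], Optional[AccessManagementModule]]:
        """Second acquisition unit 124: allowed slice A and target AMF for subscribed slice S."""
        for amf in self.amfs.values():
            if s in amf.served_slices:
                return s, amf
        return None, None

    def attach(self, msg: AccessMessage) -> dict:
        """Full flow; 'trace' records the hops a defender would expect in the signalling logs."""
        trace = []
        amf, how = self.ran_determine_amf(msg)
        trace.append(f"RAN -> {amf.name} ({how})")
        s = self.slice_db.get(msg.supi)                   # first acquisition unit 122
        if s is None:
            return {"attached": False, "reason": "unknown subscriber", "trace": trace}
        if s in amf.served_slices:                         # judgment unit 123
            target, allowed = amf, s
        else:
            allowed, target = self.nssf_select(s)          # units 124 and 125
            if target is None:
                return {"attached": False, "reason": f"no AMF serves {s}", "trace": trace}
            trace.append(f"NSSF reroute {amf.name} -> {target.name} for {allowed}")
        policy = self.pcf_policies.get(allowed)            # third acquisition unit 126
        if policy is None:
            return {"attached": False, "reason": f"no PCF policy for {allowed}", "trace": trace}
        trace.append(f"{target.name} <- PCF policy {policy}")
        return {"attached": True, "amf": target.name, "allowed_slice": allowed,
                "policy": policy, "trace": trace}          # third sending unit 127


# Constructed deployment: a default-slice AMF and one AMF serving both campus slices.
NM = NetworkManager(
    amfs=[AccessManagementModule("AMF-default", "guami-0", frozenset({"A0"})),
          AccessManagementModule("AMF-campus", "guami-1", frozenset({"A1", "A2"}))],
    default_amf="AMF-default",
    slice_db={"supi-1": "A1", "supi-2": "A2", "supi-3": "A3"},
    pcf_policies={"A1": "campus1-tac-policy", "A2": "campus2-tac-policy"},
)

if __name__ == "__main__":
    # No GUAMI and no requested slice: default AMF, then NSSF reroute to AMF-campus.
    print(NM.attach(AccessMessage("supi-1")))
    # GUAMI present: the RAN lands on the right AMF directly, no reroute.
    print(NM.attach(AccessMessage("supi-1", guami="guami-1")))
```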

The above method for 5G SA network Internet of Things terminal access and access restriction can be implemented in the form of a computer program. The Internet of Things terminal 11 and the network manager 12 in the system for 5G SA network Internet of Things terminal access and access restriction can each be implemented as a computer device, and the computer program can run on the computer device shown in Figure 13.

Here, the Internet of Things terminal 11 includes a first memory, a first processor and a first computer program stored in the first memory and executable on the first processor; the network manager 12 includes a second memory, a second processor and a second computer program stored in the second memory and executable on the second processor; and the user terminal 13 includes a third memory, a third processor and a third computer program stored in the third memory and executable on the third processor. When the first processor executes the first computer program, the second processor executes the second computer program and the third processor executes the third computer program, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction described above.

Refer to Figure 13, which is a schematic block diagram of a computer device provided in an embodiment of the present application. The computer device may be used to execute the method for 5G SA network Internet of Things terminal access and access restriction, so that the network manager determines, according to the attachment request of the Internet of Things terminal and the access network message sent by the user terminal, whether the user terminal may access the intranet.

Referring to Figure 13, the computer device 500 includes a processor 502, a memory and a network interface 505 connected via a system bus 501, wherein the memory may include a storage medium 503 and an internal memory 504.

The storage medium 503 can store an operating system 5031 and a computer program 5032. When the computer program 5032 is executed, it can cause the processor 502 to execute the method for 5G SA network Internet of Things terminal access and access restriction. The storage medium 503 may be a volatile or a non-volatile storage medium.

The processor 502 is used to provide computing and control capabilities and to support the operation of the entire computer device 500.

The internal memory 504 provides an environment for running the computer program 5032 in the storage medium 503; when the computer program 5032 is executed by the processor 502, it can cause the processor 502 to execute the method for 5G SA network Internet of Things terminal access and access restriction.

The network interface 505 is used for network communication to transmit data information; the network communication is wired and/or wireless. Those skilled in the art will understand that the structure shown in Figure 10 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device 500 to which the solution is applied; a specific computer device 500 may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.

The processor 502 is used to run the computer program 5032 stored in the memory, so as to implement the corresponding functions of the method for 5G SA network Internet of Things terminal access and access restriction described above.

Those skilled in the art will understand that the embodiment of the computer device shown in Figure 13 does not limit the specific composition of the computer device. In other embodiments the computer device may include more or fewer components than shown, combine certain components, or arrange the components differently. For example, in some embodiments the computer device may include only a memory and a processor; in such embodiments the structure and function of the memory and the processor are the same as in the embodiment shown in Figure 13 and are not described again here.

It should be understood that in the embodiments of the present application the processor 502 may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor.

Another embodiment of the present application provides a computer-readable storage medium, which may be volatile or non-volatile. The computer-readable storage medium stores a first computer program, a second computer program or a third computer program; when the first computer program is executed by a first processor, the second computer program by a second processor and the third computer program by a third processor, they jointly implement the steps of the above SIM card-based Internet of Things directional traffic management method.

In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and units may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; units with the same function may be merged into one unit, multiple units or components may be combined or integrated into another system, and some features may be omitted or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiments of the present application.

In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may each exist physically separately, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied in the form of a software product stored in a computer-readable storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device and so on) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned computer-readable storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disc and other media capable of storing program code.

The above is only a specific implementation of the present application, and the protection scope of the present application is not limited thereto. Any person skilled in the art can readily conceive of equivalent modifications or substitutions within the technical scope disclosed in the present application, and such modifications or substitutions shall fall within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for 5G SA network Internet of Things terminal access and access restriction, characterized in that the method is applied to an SA network Internet of Things system, the system comprising an Internet of Things terminal, a network manager and a user terminal, the network manager establishing network connections with the Internet of Things terminal and the user terminal respectively to transmit data information, and the network manager being provided with a radio access network, an access management module, a network slice selection module and a policy control module, the method comprising:
if the network manager receives an attachment request from the Internet of Things terminal, controlling the user terminal to send an access network message;
the network manager receiving the access network message, and the radio access network determining the access management module corresponding to the access network message;
the determined access management module obtaining, from a preset slice database, the user-subscribed network slice corresponding to the access network message;
determining whether the determined access management module is able to process the user-subscribed network slice;
if the determined access management module is unable to process the user-subscribed network slice, the network slice selection module obtaining the allowed slice and the target access management module corresponding to the user-subscribed network slice;
the network slice selection module resending the allowed slice to the target access management module;
the target access management module obtaining, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice; and
sending the user subscription policy to the Internet of Things terminal so that the Internet of Things terminal accesses the target access management module.

2. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 1, characterized in that the radio access network determining the access management module corresponding to the access network message comprises:
parsing the access network message to obtain the corresponding GUAMI information;
determining whether a matching access management module can be obtained according to the GUAMI information;
if a matching access management module can be obtained according to the GUAMI information, taking the one matching access management module as the determined access management module;
if no matching access management module can be obtained according to the GUAMI information, determining the corresponding access management module according to the requested slice in the access network message.

3. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 2, characterized in that, before determining the corresponding access management module according to the requested slice in the access network message, the method further comprises:
determining whether the access network message contains a requested slice;
if the access network message contains a requested slice, executing the step of determining the corresponding access management module according to the requested slice in the access network message;
if the access network message does not contain a requested slice, sending a registration request to the default access management module.

4. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 1, characterized in that the target access management module obtaining the pre-stored user subscription policy from the policy control module comprises:
the policy control module subscribing, for a single user, to switching between tracking areas on the basis of a preset tracking area code, so as to obtain the user subscription policy.

5. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 4, characterized in that the network manager is further provided with a session management module, and the policy control module performs session policy control on the user on the basis of the preset tracking area code; the policy control module subscribing, for a single user, to switching between tracking areas so as to obtain the user subscription policy comprises:
if a tracking area switching signal sent by the user terminal is received, actively reporting the location to update the access network message;
the radio access network re-determining the access management module newly corresponding to the updated access network message;
the newly corresponding access management module reporting the updated access network message to the policy control module through a preset interface;
the policy control module performing session policy control on the tracking area code carried in the session management module.

6. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 5, characterized in that the policy control module performing policy control on the tracking area code carried in the session management module comprises:
if the tracking area code is in the allowed list of the session management module, issuing a dynamic policy to ensure that a first policy is output, the first policy being a higher quality-of-service policy;
if the tracking area code is not in the allowed list of the session management module, issuing a blocking instruction to ensure that a second policy is output, thereby blocking all traffic of the user so that user traffic does not leave the campus, the second policy having the highest global priority among the corresponding service rules.

7. The method for 5G SA network Internet of Things terminal access and access restriction according to claim 2, characterized in that the determined access management module obtaining, from the preset slice database, the user-subscribed network slice corresponding to the access network message further comprises:
if the target access management module obtains the user subscription policy, determining whether the requested slice, the user-subscribed network slice and the allowed slice can be combined to form an intersection slice;
if an intersection slice can be formed, allowing the user terminal to access;
if no intersection slice can be formed, denying the user terminal access.

8. A system for 5G SA network Internet of Things terminal access and access restriction, characterized in that the system comprises an Internet of Things terminal, a network manager and a user terminal, the network manager establishing network connections with the Internet of Things terminal and the user terminal respectively to transmit data information;
the system comprises an attachment request unit configured in the Internet of Things terminal, a first sending unit configured in the user terminal, and a receiving unit, a first acquisition unit, a judgment unit, a second acquisition unit, a second sending unit, a third acquisition unit and a third sending unit configured in the network manager;
the attachment request unit is used for the network manager to receive an attachment request from the Internet of Things terminal;
the first sending unit is used to control the user terminal to send an access network message if the network manager receives an attachment request from the Internet of Things terminal;
the receiving unit is used for the network manager to receive the access network message, with the radio access network determining the access management module corresponding to the access network message;
the first acquisition unit is used for the determined access management module to obtain, from a preset slice database, the user-subscribed network slice corresponding to the access network message;
the judgment unit is used to determine whether the determined access management module is able to process the user-subscribed network slice;
the second acquisition unit is used for the network slice selection module to obtain the allowed slice and the target access management module corresponding to the user-subscribed network slice if the determined access management module is unable to process the user-subscribed network slice;
the second sending unit is used for the network slice selection module to resend the allowed slice to the target access management module;
the third acquisition unit is used for the target access management module to obtain, from the policy control module, the pre-stored user subscription policy corresponding to the allowed slice;
the third sending unit is used to send the user subscription policy to the Internet of Things terminal so that the Internet of Things terminal accesses the target access management module.

9. A system for 5G SA network Internet of Things terminal access and access restriction, characterized in that the system comprises an Internet of Things terminal, a network manager and a user terminal; the Internet of Things terminal comprises a first memory, a first processor and a first computer program stored in the first memory and executable on the first processor; the network manager comprises a second memory, a second processor and a second computer program stored in the second memory and executable on the second processor; the user terminal comprises a third memory, a third processor and a third computer program stored in the third memory and executable on the third processor; and when the first processor executes the first computer program, the second processor executes the second computer program and the third processor executes the third computer program, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a first computer program, a second computer program and a third computer program, and when the first computer program is executed by a first processor, the second computer program is executed by a second processor and the third computer program is executed by a third processor, they jointly implement the method for 5G SA network Internet of Things terminal access and access restriction according to any one of claims 1 to 7.
PCT/CN2023/135829 2022-12-30 2023-12-01 5g sa network internet of things terminal connection and access restriction method and system, and medium Ceased WO2024140021A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211722173.5 2022-12-30
CN202211722173.5A CN116033377A (en) 2022-12-30 2022-12-30 Method, system and medium for 5G SA network Internet of things terminal access and access restriction

Publications (1)

Publication Number Publication Date
WO2024140021A1 true WO2024140021A1 (en) 2024-07-04

Family

ID=86070153

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/135829 Ceased WO2024140021A1 (en) 2022-12-30 2023-12-01 5g sa network internet of things terminal connection and access restriction method and system, and medium

Country Status (2)

Country Link
CN (1) CN116033377A (en)
WO (1) WO2024140021A1 (en)


Also Published As

Publication number Publication date
CN116033377A (en) 2023-04-28

Similar Documents

Publication Publication Date Title
US12219356B2 (en) Systems and methods of supporting device triggered re-authentication of slice-specific secondary authentication and authorization
WO2024140021A1 (en) 5g sa network internet of things terminal connection and access restriction method and system, and medium
JP7104206B2 (en) A method for granting access to a communication service and a method for requesting a configuration that allows access to a communication service.
US12369110B2 (en) Frequency range driven network slicing
CN111586674B (en) Communication method, device and system
US12317122B2 (en) Method of authorization for network slicing
US11778476B2 (en) Systems and methods for application access control
US8131459B2 (en) Method for the determination of a receiver for location information
WO2021095655A1 (en) System and method to enable charging and policies for a ue with one or more user identities
CN113841429B (en) Communication network components and methods for initiating slice-specific authentication and authorization
KR20190088878A (en) Apparatus and method for network function profile management
EP1574027A2 (en) System and method for handshaking between wireless devices and servers
US7254387B2 (en) Management and control of telecommunication services delivery
KR20210104522A (en) Apparatus and method for providing edge computing service according to wireless communication network type
JP7265640B2 (en) COMMUNICATION NETWORK COMPONENTS AND METHODS FOR PROCESSING SERVICE REQUESTS
WO2022021155A1 (en) Method and apparatus for managing access control information
EP1853083B1 (en) System and method for controlling network access
EP4537562A1 (en) Non-homogeneous network slice
CN117322043A (en) Method, apparatus and computer program product for wireless communication
CN116846522A (en) Information transmission methods, devices, related equipment and storage media
CN113825179A (en) An information processing method, device and core network element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23909951

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE