This application provides a group handover method. The method includes: A first terminal device receives first information from a first network device, where the first information indicates a first resource, the first resource is for carrying fourth information, the fourth information is cell handover information of a plurality of terminal devices, and the first terminal device is one of the plurality of terminal devices; and the first terminal device receives the fourth information on the first resource. This can reduce signaling overheads caused by cell handover of a plurality of users and improve resource utilization.

A communication method and a communications apparatus, the method including receiving, by an access and mobility management function (AMF) entity, a first message from a first access network device, where the first message comprises information for indicating to hand over a voice service of a terminal from a packet switched (PS) domain to a circuit switched (CS) domain, the first message further comprises identification information of a target device, and the target device is a second access network device in a 3G network, and sending, by the AMF entity, through a mobility management entity (MME) a request message to a mobile switching center (MSC) entity, where the request message comprises information indicating a source of the first message.

The present disclosure relates to a communication method and system for converging a 5.sup.th-Generation (5G) communication system for supporting higher data rates beyond a 4.sup.th-Generation (4G) system with a technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the 5G communication technology and the IoT-related technology, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. Embodiments herein provide a method for authentication by dynamically generating security credentials in plug and play scenarios without a pre-configuration of F1 security credentials at an integrated access and backhaul (IAB) relay device in a wireless network. The method includes generating, by the IAB relay device, a stratum security key for one of an access stratums (AS) security establishment and a non-access stratums (NAS) security establishment with an IAB donor device in the wireless network. Further, the method includes generating, by the IAB relay device, a pre-shared key (PSK) based on the stratum security key. Further, the method includes generating an Internet Key Exchange (IKE) value using the PSK for establishing an F1 interface security with the IAB donor device.

A wireless terminal comprises processor circuitry and receiver circuitry. The processor circuitry is configured to establish a first radio connection with a master access node. The receiver circuitry is configured to receive a re-configuration message comprising one or more conditional secondary cell configurations. Each of the conditional secondary cell configurations may comprise an identity of a candidate primary secondary cell, each of the conditional secondary cell configurations being associated with at least one triggering condition, the candidate primary secondary cell being used for Dual-Connectivity. The processor circuitry is further configured in accordance with the conditional secondary cell configurations to establish a second radio connection with a secondary access node serving the candidate primary secondary cell included in the each of the conditional secondary cell configurations in a case that the at least one triggering condition associated with the each of the one or more conditional secondary cell configurations is met.

Systems and methods for a user equipment (UE) operating in a multi-radio dual connectivity (MR-DC) mode with a master node (MN) and a secondary node (SN) are described herein. A UE receives master cell group (MCG) configuration information for an MCG link with the MN and secondary cell group (SCG) configuration information for an SCG link with the SN, attendant to an attempted MR-DC transition. The UE validates the MCG configuration information and determines that the SCG configuration cannot be applied. The UE applies the MCG configuration information and sends the MN a message indicating that the MCG configuration information and the SCG configuration information were each applied (thereby avoiding a determination of overall MR-DC transition failure due to the unusable SCG configuration information). The UE later sends the MN a message indicating that the SCG configuration information cannot be applied, allowing the network to appropriately react.

Systems, methods, and computer-readable media for preserving source host context when firewall policies are applied to traffic in an enterprise network fabric. A data packet to a destination host from a source host can be received at a first border node instance in an enterprise network fabric as part of network traffic. The data packet can include a context associated with the source host. Further, the data packet can be sent to a firewall of the enterprise network fabric and can be received at a second border node instance after the firewall applies a firewall policy to the data packet. The data packet can then be selectively encapsulated with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric.

Example data security processing methods and apparatus are described. One example method includes setting up a first PDU session. A first base station derives a first user plane key based on a received base key and performs security processing on user plane data in the first PDU session by using the first user plane key and a security algorithm. A second PDU session is set up. The first base station derives a second user plane key based on the base key and performs security processing on user plane data in the second PDU session by using the second user plane key and the security algorithm. The user plane key includes a user plane encryption key and/or a user plane integrity protection key.

Aspects of the disclosure include a method and associated network device. The method includes authenticating an identity of a user of a client device after the client device is associated with an access network provider. Authenticating the identity of the user comprises receiving, from an identity provider, a credential associated with the identity, and receiving, from the identity provider, information identifying a network-based service to be applied to network traffic with the client device. The method further includes establishing, using the credential and the received information, a secure connection between the access network provider and a service provider that is capable of providing the network-based service. The method further includes receiving network traffic from the service provider. Packets of the network traffic include an assurance value that enables the client device to determine that the network-based service is being provided by the service provider.

This application relates to the field of wireless communications technologies. Embodiments of this application provide a security protection method, an apparatus, and a system, to resolve a problem of low efficiency in handing over a terminal between serving base stations. The method in this application includes: receiving, by a target access network device, a correspondence between user plane information and a security policy from a source access network device; and determining, by the target access network device based on the correspondence between user plane information and a security policy, a first user plane protection algorithm corresponding to the user plane information, where the first user plane protection algorithm includes one or both of a user plane encryption algorithm and a user plane integrity protection algorithm. This application is applicable to a procedure in which the terminal is handed over between serving base stations.

Aspects disclosed herein facilitate security handling of 5GS to EPC reselection are disclosed herein. An example method at a UE includes transmitting a first TAU request, the first TAU request encoded using a first security context associated with a first RAT, the first TAU request being integrity protected using a first uplink count based on the first security context, and the first TAU request including a first set of information including an identifier mapped to a second RAT associated with the first network entity. The example method also includes transmitting a second TAU request, the second TAU request including the first set of information, the second TAU request being integrity protected using a second uplink count. The example method also includes communicating based on a mapped security context based on the first security context and at least one of the first uplink count or the second uplink count.