Method for managing session

11096053 · 2021-08-17

Abstract

A disclosure of the present specification provides a method for processing a NAS request message by an MMF node. The method may comprise the steps of: when it is identified that an NAS request message has been received through a second access network, checking whether a first MM context and a first security context are included therein; and acquiring a second security context from an authentication CP node, and generating a second MM context.

Claims

1. A method for processing a non-access-stratum (NAS) request message performed at a mobility management function (MMF) node, the method comprising: receiving the NAS request message from a terminal; checking which access network the NAS request message from the terminal has been received via; checking, when the NAS request message from the terminal is confirmed to have been received via a second access network, whether there are a first mobility management (MM) context and a first security context which have been generated during a previous registration process through a first access network, based on information included in the NAS request message; obtaining a second security context, generated during an authentication procedure for the second access network, from an authentication control plane (CP) node; generating a second MM context based on at least one of the first MM context and the first security context, and the second security context obtained through the second access network; and transmitting a response message to the NAS request message to the terminal through a packet data gateway (PDG), wherein the terminal creates a plurality of sessions through the first and second access networks, wherein the MMF node recognizes the first and second security contexts based on an identifier (ID) of the authentication CP node, wherein the terminal is identified by the information contained in the NAS request message, which is a Global Unique Temporary Identity (GUTI), wherein the NAS request message further includes information on the authentication CP, wherein, if the first MM context is updated based on the second security context, the second security context present in the authentication CP node is released, and wherein, the first MM context and the second MM context are created and managed in access units.

2. The method of claim 1, wherein the NAS request message is received from a PDG (Packet Data Gateway) or received from the authentication CP.

3. The method of claim 1, wherein the terminal communicates with at least one of a mobile device, a network and a self-driving car other than the terminal.

4. A mobility management function (MMF) node comprising: a transceiver configured to receive a non-access-stratum (NAS) request message from a terminal; and a processor configured to check which access network the NAS request message has been received via, wherein the processor is further configured to: check, when the NAS request message from the terminal has been received through a second access network, whether there are a first mobility management (MM) context and a first security context which have been generated during a previous registration process through a first access network, based on information included in the NAS request message; obtain a second security context, generated during an authentication procedure for the second access network, from an authentication control plane (CP) node; and generate a second MM context based on at least one of the first MM context and the first security context, and the second security context obtained through the second access network, and wherein the transceiver transmits a response message to the NAS request message to the terminal through a packet data gateway (PDG), wherein the terminal creates a plurality of sessions through the first and second access networks, wherein the MMF node recognizes the first and second security contexts based on an identifier (ID) of the authentication CP node, wherein the terminal is identified by the information contained in the NAS request message, which is a Global Unique Temporary Identity (GUTI), wherein the NAS request message further includes information on the authentication CP, wherein, if the first MM context is updated based on the second security context, the second security context present in the authentication CP node is released, and wherein, the first MM context and the second MM context are created and managed in access units.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 shows the configuration of an evolved mobile communication network.

(2) FIG. 2A illustrates an expected structure of the next-generation mobile communication from the viewpoint of a node.

(3) FIG. 2B illustrates an expected structure of the next-generation mobile communication from the viewpoint of a session.

(4) FIGS. 3A to 3C are exemplary diagrams showing examples of sessions generated through a plurality of accesses.

(5) FIGS. 4A to 4C show architecture for managing sessions generated through a plurality of accesses.

(6) FIG. 5 shows a protocol stack between a UE and an N3ASF and a CP function.

(7) FIG. 6 shows an example in which the UE performs an attach procedure through a non-3GPP access in the environment shown in FIG. 4C.

(8) FIG. 7 shows an example of the stack of an NG1 protocol while a UE performs an attach procedure.

(9) FIG. 8 shows a transfer process of IKEv2 between the UE and the N3ASF when the UE performs an attach procedure through a non-3GPP access in the environment shown in FIG. 4C.

(10) FIG. 9 shows a method of attaching to a non-3GPP access network and accessing a common CP after attachment to a 3GPP access network in accordance with an embodiment of the present invention.

(11) FIG. 10 shows a method of attaching to a non-3GPP access network and accessing a common CP after attachment to a 3GPP access network in accordance with another embodiment of the present invention.

(12) FIG. 11 is a configuration block diagram of a UE and a network node according to an embodiment of the present invention.

DESCRIPTION OF EXEMPLARY EMBODIMENTS

(13) The present invention is described in light of UMTS (Universal Mobile Telecommunication System) and EPC (Evolved Packet Core), but not limited to such communication systems, and may be rather applicable to all communication systems and methods to which the technical spirit of the present invention may apply. The technical terms used herein are used to merely describe specific embodiments and should not be construed as limiting the present invention. Further, the technical terms used herein should be, unless defined otherwise, interpreted as having meanings generally understood by those skilled in the art but not too broadly or too narrowly. Further, the technical terms used herein, which are determined not to exactly represent the spirit of the invention, should be replaced by or understood by such technical terms as being able to be exactly understood by those skilled in the art. Further, the general terms used herein should be interpreted in the context as defined in the dictionary, but not in an excessively narrowed manner.

(14) The expression of the singular number in the specification includes the meaning of the plural number unless the meaning of the singular number is definitely different from that of the plural number in the context. In the following description, the term ‘include’ or ‘have’ may represent the existence of a feature, a number, a step, an operation, a component, a part or the combination thereof described in the specification, and may not exclude the existence or addition of another feature, another number, another step, another operation, another component, another part or the combination thereof.

(15) The terms ‘first’ and ‘second’ are used for the purpose of explanation about various components, and the components are not limited to the terms ‘first’ and ‘second’. The terms ‘first’ and ‘second’ are only used to distinguish one component from another component. For example, a first component may be named as a second component without deviating from the scope of the present invention.

(16) It will be understood that when an element or layer is referred to as being “connected to” or “coupled to” another element or layer, it can be directly connected or coupled to the other element or layer or intervening elements or layers may be present. In contrast, when an element is referred to as being “directly connected to” or “directly coupled to” another element or layer, there are no intervening elements or layers present.

(17) Hereinafter, exemplary embodiments of the present invention will be described in greater detail with reference to the accompanying drawings. In describing the present invention, for ease of understanding, the same reference numerals are used to denote the same components throughout the drawings, and repetitive description of the same components will be omitted. Detailed description of well-known arts which are determined to make the gist of the invention unclear will be omitted. The accompanying drawings are provided merely to make the spirit of the invention readily understood, and should not be intended to limit the invention. It should be understood that the spirit of the invention may be expanded to its modifications, replacements or equivalents in addition to what is shown in the drawings.

(18) In the drawings, user equipments (UEs) are shown for example. The UE may also be denoted a terminal or mobile equipment (ME). The UE may be a laptop computer, a mobile phone, a PDA, a smartphone, a multimedia device, or other portable device, or may be a stationary device such as a PC or a car mounted device.

Definition of Terms

(19) For a better understanding, the terms used herein are briefly defined before going to the detailed description of the invention with reference to the accompanying drawings.

(20) UE/MS is an abbreviation of User Equipment/Mobile Station, and it refers to a terminal device.

(21) An EPS is an abbreviation of an Evolved Packet System, and it refers to a core network supporting a Long Term Evolution (LTE) network and to a network evolved from an UMTS.

(22) A PDN is an abbreviation of a Public Data Network, and it refers to an independent network where a service for providing service is placed.

(23) A PDN-GW is an abbreviation of a Packet Data Network Gateway, and it refers to a network node of an EPS network which performs functions, such as the allocation of a UE IP address, packet screening & filtering, and the collection of charging data.

(24) A Serving gateway (Serving GW) is a network node of an EPS network which performs functions, such as mobility anchor, packet routing, idle mode packet buffering, and triggering an MME to page UE.

(25) An eNodeB is an eNodeB of an Evolved Packet System (EPS) and is installed outdoors. The cell coverage of the eNodeB corresponds to a macro cell.

(26) An MME is an abbreviation of a Mobility Management Entity, and it functions to control each entity within an EPS in order to provide a session and mobility for UE.

(27) A session is a passage for data transmission, and a unit thereof may be a PDN, a bearer, or an IP flow unit. The units may be classified into a unit of the entire target network (i.e., an APN or PDN unit) as defined in 3GPP, a unit (i.e., a bearer unit) classified based on QoS within the entire target network, and a destination IP address unit.

(28) An Access Point Name (APN) is the name of an access point that is managed in a network and provided to UE. That is, an APN is a character string that denotes or identifies a PDN. Requested service or a network (PDN) is accessed via P-GW. An APN is a name (a character string, e.g., ‘internet.mnc012.mcc345.gprs’) previously defined within a network so that the P-GW can be searched for.

(29) A PDN connection is a connection from UE to a PDN, that is, an association (or connection) between UE represented by an IP address and a PDN represented by an APN. It means a connection between entities (i.e., UE-PDN GW) within a core network so that a session can be formed.

(30) UE context is information about the situation of UE which is used to manage the UE in a network, that is, situation information including an UE ID, mobility (e.g., a current location), and the attributes of a session (e.g., QoS and priority).

(31) NAS (Non-Access-Stratum): A higher stratum of a control plane between a UE and an MME. The NAS supports mobility management, session management, IP address management, etc., between the UE and the network.

(32) PLMN: as an abbreviation of Public Land Mobile Network, means a network identification number of a mobile communication provider. In roaming case of the UE, the PLMN is divided into a home PLMN (HPLMN) and a visited PLMN (VPLMN).

(33) Next generation (NG) radio access network (RAN): means a radio access network including a base station in next-generation mobile communication defined by 3GPP.

(34) <Network Slice>

(35) The following describes the slicing of the network to be introduced in the next generation mobile communication.

(36) Next-generation mobile communication introduces the concept of network slicing in order to provide various services through a single network. In this connection, slicing a network refers to a combination of network nodes with the functions needed to provide a specific service. The network node that constitutes the slice instance may be a hardware independent node, or it may be a logically independent node.

(37) Each slice instance may consist of a combination of all the nodes needed to construct the entire network. In this case, one slice instance alone may provide service to the UE.

(38) Alternatively, the slice instance may consist of a combination of some of the nodes that make up the network. In this case, the slice instance may provide service to the UE in association with other existing network nodes without the slice instance alone providing the service to the UE. In addition, a plurality of slice instances may cooperate with each other to provide the service to the UE.

(39) The slice instance may differ from a dedicated core network in that all network nodes, including the core network (CN) node and the RAN may be separated from each other. Further, the slice instance differs from the dedicated core network in that the network nodes may be logically separated.

(40) <Management of Session in Next-Generation Mobile Communication>

(41) In next-generation mobile communication, a UE may establish one or more protocol data unit (PDU) sessions through several accesses (i.e., several radio access technology (RAT)).

(42) Specifically, the UE may generate a plurality of PDU sessions toward several data networks through a plurality of accesses.

(43) Alternatively, the UE may generate a plurality of PDU sessions toward one identical data network through a plurality of accesses.

(44) Alternatively, the UE may generate one PDU session toward one identical data network through a plurality of accesses.

(45) This is described below with reference to the drawings.

(46) FIGS. 3A to 3C are exemplary diagrams showing examples of sessions generated through a plurality of accesses.

(47) As may be seen with reference to FIG. 3A, a UE may have a plurality of sessions toward several data networks (e.g., shown DN 1 and DN 2) through several accesses (e.g., 3GPP accesses, for example, shown NG RAN and non-3GPP access). In this case, the non-3GPP access may mean an access not defined by 3GPP, for example, a wireless local area network (WLAN) access point (AP).

(48) Alternatively, as may be seen with reference to FIG. 3B, a UE may have a plurality of sessions toward one data network (e.g., shown DN 1) through several accesses (e.g., 3GPP accesses, for example, shown NG RAN and non-3GPP access). In this case, in FIG. 3B, a session through a first access (shown 3GPP access, for example, shown NG RAN) is directed toward the data network via an IP anchor 1, and a session through a second access (shown non-3GPP access) is directed toward the same data network via an IP anchor 2.

(49) In FIG. 3C, both a first session through a first access (shown 3GPP access, for example, shown NG RAN) and a second session through a second access (shown non-3GPP access) have been illustrated as being directed toward the same data network through one identical anchor 1.

(50) The generation and release of the first session through the first access (shown 3GPP access, for example, shown NG RAN) may be performed through NG1 signaling. The generation and release of the second session through the second access (shown non-3GPP access) may also be performed through the NG1 signaling.

(51) Accordingly, in next-generation mobile communication, session management (SM) context must have information on an access network type.

(52) FIGS. 4A to 4C show architecture for managing sessions generated through a plurality of accesses.

(53) The architecture shown in FIG. 4A shows an example in which only a 3GPP access is used.

(54) The architecture shown in FIG. 4B is for a case where a non-3GPP access is installed within coverage of a 3GPP access. Furthermore, the architecture shown in FIG. 4C is for a case where a non-3GPP access is solely installed.

(55) As shown, a core network for next-generation mobile communication may be divided into a CP function node and an UP function node.

(56) Shown interfaces are as follows.

(57) Y1: an interface between a UE and a non-3GPP access (e.g., WLAN)

(58) Y2: an interface between the UE and a non-3GPP access layer function (N3ASF). A protocol used through Y2 may be called a non-3GPP access stratum (N3-AS) protocol.

(59) Y3: an interface between a controlling 3GPP access and a non-3GPP access.

(60) Y4: an interface between the N3ASF and the non-3GPP access.

(61) Meanwhile, in FIGS. 5b and 5c, all the interfaces NG1, NG2, and NG3 are exposed to the core network.

(62) However, in FIG. 4C, the interfaces NG2 and NG3 are connected to the non-3GPP access layer function (N3ASF). Furthermore, in the architecture shown in FIG. 4C, a non-3GPP access stratum (N3-AS) protocol is used between the UE and the N3ASF.

(63) FIG. 5 shows a protocol stack between a UE and an N3ASF and a CP function.

(64) An N3-AS protocol of protocol stacks shown in FIG. 5 is used between a UE and an N3ASF. The N3-AS may be compared with RRC in terms of the location of the protocol stack. When compared with RRC, the N3-AS protocol has a simpler radio resource control function. The N3-AS protocol includes security information, and is chiefly used to exchange information on the bearer of a user plane between the UE and the N3ASF and to transparently transmit NAS messages between the UE and a core network (CN).

(65) FIG. 6 shows an example in which the UE performs an attach procedure through a non-3GPP access in the environment shown in FIG. 4C.

(66) In the example shown in FIG. 6, it is assumed that the following protocols and the following assumptions are used. An EAP-over-EAPoL protocol is used between a UE and a WLAN. An EAP is used within a protocol between the WLAN and an N3ASF. The EAP is improved and extended to transmit an NAS message for an attach procedure.

(67) This is specifically as follows.

(68) 1) Before a UE attempts a connection configuration, the UE may find the attributes/performance of the WLAN (e.g., using new parameters of an ANQP procedure or 802.11 beacon/probe request/probe response message). In this manner, the UE may find that a cellular NAS attach request message must be included as part of WLAN access authentication.

(69) 3-4). An NAS attach request message is delivered through an EAP-RSP message.

(70) 10-11). An NAS authentication request message is delivered through an EAP-REQ message.

(71) 12) The UE derives a keying material for protecting an N3-AS connection.

(72) 13-14). An NAS authentication response message is delivered through an EAP-RSP message.

(73) 17) In order to derive a keying material for protecting the N3-AS connection, access-independent security context used by the N3ASF is provided.

(74) 18-19) An NAS attach accept message is delivered through an EAP-REQ message. Furthermore, information for the bootstrap of an N3-AS protocol connection is also provided. The type of bootstrap information may be different depending on an N3-AS protocol stack. For example, the bootstrap information may include the IP address and UDP port number of the N3ASF.

(75) 20-21) An NAS attach complete message is delivered through an EAP-RSP message.

(76) When the attach procedure is completed, the UE and the N3ASF use an N3-AS protocol for an additional message exchange (e.g., session management or mobility management procedure).

(77) FIG. 7 shows an example of the stack of an NG1 protocol while a UE performs an attach procedure.

(78) The shown NG1 protocol is used after the bootstrap of the N3-AS connection shown in FIG. 6.

(79) Meanwhile, in FIGS. 1A, 4A, 4B, 4C, 5A, 5B, 5C, 6, 7, etc., the interface has been named NGx (e.g., NG1, NG2, NG3, . . . ), but the interface may be named Nx (e.g., N1, N2, N3, . . . ).

(80) FIG. 8 shows a transfer process of IKEv2 between the UE and the N3ASF when the UE performs an attach procedure through a non-3GPP access in the environment shown in FIG. 4C.

(81) In the example shown in FIG. 8, it is assumed that the following protocols and the following assumptions are used. An EAP is used within a protocol between the UE and the N3ASF. The EAP is improved and extended to transmit an NAS message for an attach procedure.

(82) This is described specifically as follows.

(83) 1) Before the UE attempts an IKEv2 connection configuration, the UE may discover the N3ASF. In this case, one of the following is configured within the UE. The IP address (or IP address set) of an N3ASF node. An FQDN (or FQDN set) which may be identified as the IP address of the N3ASF. A DHCP configuration is used.

(84) 3-14) In the shown procedure, in order to minimize a change in the IKEv2 protocol, an NAS message is included in EAP payload and delivered. Alternatively, the NAS message may be directly transmitted through an IKEv2 parameter (e.g., within 3GPP-related IKEv2 configuration payload) or using IPsec transmission.

(85) 15) In order to derive a keying material for protecting an N3-AS connection, access-independent security context used by the N3ASF is provided.

(86) When the attach procedure is completed, the UE and the N3ASF use the N3-AS protocol for an additional message exchange (e.g., session management or mobility management procedure).

(87) As described so far, in next-generation mobile communication, it is expected that a UE may generate a plurality of sessions over different access networks.

(88) At this time, if there is no connection (or attach) to another access network (e.g., a non-3GPP access network) after connection to any one access network (e.g., 3GPP access network), a serving MMF (Mobility Management Function) registered in an access network (for example, a 3GPP access network) may transmit information necessary for accessing a common MMF such as an ID/address of a common MMF to a home subscriber server (HSS) or a third network node, and the HSS (or the third network node) may store information necessary for accessing the common MMF.

(89) In the present specification, a common MMF may also be referred to as a MMF.

(90) Also, if there is no connection (or attachment) to another access network (e.g., a non-3GPP access network) after connection to any one access network (e.g., 3GPP access network), when the serving MMF registered in any one access network (e.g., 3GPP access network) sends an attach accept message, the serving MMF can recognize itself as a common MMF and send information necessary for accessing a common MMF such as an ID/address of the common MMF to the UE.

(91) When attaching to another access network (for example, a non-3GPP network) after connecting to any one access network (for example, a 3GPP access network), a CP (control plane) used for authentication and a CP processing the attach NAS message may be different from each other. That is, when the UE is unable to send a message including the additional information through the IETF IKE protocol as shown in step 4 of FIG. 8, even if the UE receives information about the serving MMF (common MMF) after the attachment to the 3GPP access network, the UE cannot send information about the serving MMF (common MMF) to the network system. Therefore, the authentication CP may be the common MMF, or may be a separate network CP separated from the common MMF.

(92) During the authentication procedure, the authentication CP can transmit its ID and address information to the UE. Also, during the authentication procedure, the routing information stored in the Non-3GPP Packet Data Gateway (ngPDG) can be configured based on the common CP information acquired through the interaction with the HSS (or the third network node).

(93) In the present specification, PDG may also be referred to as ngPDG for convenience.

(94) Depending on the embodiment, information on the common CP may be transmitted using a separate signaling between the CP function node and the N3ASF (or ngPDG), or information on the common CP may also be transmitted in step 9 or step 15 of FIG. 8. Based on the routing information, the N3ASF (or ngPDG) can forward a message received through an IPsec (Internet Protocol Security) tunnel to a common CP. In addition, when the message to be transmitted in step 4 of FIG. 8 includes information of the common CP, the PDG can select the authentication CP based on the received NAS information so that the authentication CP and the CP processing the NAS attach message become the same.

Disclosure of the Present Invention

(95) The present disclosure proposes a method for efficiently managing a session when an authentication CP used for authentication and a CP processing an attach NAS message are different when a UE creates a plurality of sessions through different access networks.

(96) FIG. 9 shows a method of attaching to a non-3GPP access network and accessing a common CP after attachment to a 3GPP access network.

(97) Referring to FIG. 9, the UE can access the network system through the 3GPP access network (S900). The UE can acquire information on the common MMF. Information on the common MMF may be stored in the HSS. The UE transmits a registration request message (attach request message) to the network system, and the registration request message (attach request message) may include the ID information of the UE. For example, the registration request message (attach request message) may include an International Mobile Subscriber Identity (IMSI) or a Globally Unique Temporary Identifier (GUTI).

(98) When the registration procedure through the 3GPP access network has been successfully completed, a context for the UE may be generated in the common MMF. The context for the UE can be configured/managed on a per-access basis. When registering in the network system through the 3GPP access network, a mobility management (MM) context for 3GPP access can be created. When a packet data network (PDN) connection is created at the same time as registration (attachment) such as EPS (Evolved Packet System), that is, when a PDU session is created simultaneously with registration in the 5G system, a session management (SM) connection can be additionally generated.

(99) The UE may attempt to connect to the network via the non-3GPP access network after accessing the network system with the 3GPP access network. The UE may perform an authentication procedure to create an IPsec tunnel between the terminal and the ngPDG (S910). The UE may perform an IKEv2 tunnel establishment procedure. At this time, according to the operation of the IETF protocol, the ID information of the UE may be included in the establishment of the IKEv2 tunnel. For example, an NAI (Network Access Identifier) may be included in the ID information of the UE.

(100) The ngPDG may configure the routing information based on information on the common MMF obtained from the HSS (or the third network node) during the authentication procedure. The ngPDG may store information on the authentication CP in the routing table. If information on the common MMF is included in the information obtained from the HSS (or the third network node), the ngPDG should update the information on the authentication CP stored in the routing table with the information on the common MMF. Further, based on the information on the common MMF obtained from the HSS (or the third network node), the authentication CP can recognize that the UE should be connected to the common MMF and can store the information indicating that the UE should be connected to the common MMF.

(101) When the IPsec tunnel is completed, a security context for the UE may be generated in the authentication CP.

(102) After the authentication procedure is completed, an IPsec tunnel is created between the UE and the ngPDG, and the UE transmits a NAS (non-access stratum) registration message (NAS attach message) to the common MMF through the IPsec tunnel via the ngPDG (S920). The ngPDG may transmit the NAS message to the common MMF based on the routing information. The NAS message may include information indicating that the authentication procedure through the non-3GPP access network has been completed, and information on the authentication CP. Depending on the embodiment, the information indicating that the authentication procedure is completed may directly indicate the completion of the authentication procedure, and it may be recognized that the authentication procedure is completed through the information on the authentication CP. The NAS registration message (NAS attach message) may include the ID of the UE. The ID of the UE may include the GUTI.

(103) The ngPDG may not be able to recognize what information is included in the NAS message. Therefore, the ngPDG does not transmit the NAS registration message (NAS attach message) to the common MMF based on the GUTI, but can forward the NAS registration message (NAS attach message) to the common MMF based on the routing information.

(104) Based on the information about the authentication CP included in the NAS message, the common MMF can access the authentication CP, and the common MMF can request the transmission of the authentication context and the security context (S930). Upon receiving the request for the authentication context and the security context from the common MMF, the authentication CP can transmit the authentication context and the security context to the common MMF based on the stored information indicating that the UE should be connected to the common MMF.

(105) The detailed operation of the common MMF in the above process is as follows.

(106) 1) First, the common MMF can receive NAS messages.

(107) 2) The common MMF can confirm whether the access network, via which the NAS message has passed, is a 3GPP access network or a non-3GPP access network.

(108) 3) The common MMF can check, based on the GUTI, whether there is a context generated by registration in the network system through the 3GPP access network, and receive that context (e.g., the MM context of the UE). The MM context of the UE can be configured/managed for each access, and the MM context for 3GPP access can be generated/updated through the above process.

(109) 4) Based on the ID of the authentication CP received separately from the GUTI, the common MMF can recognize that the security context of the UE generated through the non-3GPP access network exists, and the common MMF can obtain the security context from the authentication CP. The context of the UE can be configured/managed for each access, and an MM context for non-3GPP access can be generated through the above process. When the processing for the NAS message is successfully completed, an MM context for the non-3GPP access network may exist.

(110) The common MMF may transmit a NAS attach accept message to the UE (S940). The common MMF may send information, which indicates that the context update has been successfully completed, to the ngPDG and the UE.
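The four steps of the common MMF above, followed by the accept of S940, can be modelled as follows. This is an added example, not code from the patent; the field names, the use of the GUTI as the lookup key inside the authentication CP, and the reject behaviour when a context is missing are assumptions of the example.

```python
from dataclasses import dataclass, field

ACCESS_3GPP, ACCESS_NON_3GPP = "3gpp", "non-3gpp"

@dataclass
class AuthCP:
    """Authentication CP: keeps the security context from the ngPDG/IPsec authentication."""
    cp_id: str
    security_contexts: dict = field(default_factory=dict)  # GUTI -> context (assumed key)

@dataclass
class CommonMMF:
    auth_cps: dict                                   # authentication CP ID -> AuthCP
    mm_contexts: dict = field(default_factory=dict)  # (GUTI, access) -> MM context, per access

    def handle_nas_attach(self, msg, access):
        # Step 1 is the receipt of msg. Step 2: which access network did it pass through?
        if access != ACCESS_NON_3GPP:
            return {"result": "reject", "cause": "not-non-3gpp"}  # other path not modelled
        guti = msg.get("guti")
        # Step 3: is there an MM context from the earlier 3GPP registration for this GUTI?
        first_mm = self.mm_contexts.get((guti, ACCESS_3GPP))
        if first_mm is None:
            return {"result": "reject", "cause": "no-3gpp-context"}  # assumed fail-closed
        # Step 4: the authentication CP ID travels separately from the GUTI.
        cp = self.auth_cps.get(msg.get("auth_cp_id"))
        sec = cp.security_contexts.get(guti) if cp else None
        if sec is None:
            return {"result": "reject", "cause": "no-security-context"}  # assumed fail-closed
        # Generate the non-3GPP MM context; the 3GPP one is left untouched.
        self.mm_contexts[(guti, ACCESS_NON_3GPP)] = {
            "subscriber": first_mm["subscriber"], "security": sec}
        return {"result": "accept", "access": ACCESS_NON_3GPP}  # S940

def build_demo():
    """Constructed state: UE already registered over 3GPP, then authenticated via ngPDG."""
    guti = "guti-constructed-0001"
    cp = AuthCP("auth-cp-1", {guti: {"key_id": "non3gpp-key-constructed"}})
    mmf = CommonMMF({cp.cp_id: cp})
    mmf.mm_contexts[(guti, ACCESS_3GPP)] = {
        "subscriber": "sub-constructed", "security": {"key_id": "3gpp-key-constructed"}}
    return mmf, guti

if __name__ == "__main__":
    mmf, guti = build_demo()
    print(mmf.handle_nas_attach({"guti": guti, "auth_cp_id": "auth-cp-1"}, ACCESS_NON_3GPP))
```

Keying the MM contexts by (GUTI, access) keeps the two security contexts separate, so handling the non-3GPP attach never overwrites the keys established over 3GPP.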

(111) FIG. 10 shows a method of attaching to a non-3GPP access network and accessing a common CP after attachment to a 3GPP access network in accordance with another embodiment of the present invention.

(112) Referring to FIG. 10, the UE can access the network system through the 3GPP access network (S1000). The UE can acquire information on the common MMF. Information on the common MMF may be stored in the HSS.

(113) The UE may attempt to connect to the network via the non-3GPP access network after accessing the network system with the 3GPP access network. The UE may perform an authentication procedure to create an IPsec tunnel between the terminal and the ngPDG (S1010). The ngPDG may configure routing information based on the information on the authentication CP. The authentication CP can recognize that the UE should be connected to the common MMF based on the information about the common CP obtained from the HSS (or the third network node), and can store the information indicating that the UE should be connected to the common MMF. The authentication CP may store the security context of the UE.

(114) After the authentication procedure is completed, an IPsec tunnel may be created between the terminal and the ngPDG. The UE can transmit a NAS (non-access stratum) registration message (NAS attach message) to the authentication CP via the ngPDG through the IPsec tunnel (S1020). The ngPDG may transmit the NAS message to the authentication CP based on the routing information. The NAS message may include information on a common MMF.

(115) Depending on the embodiment, if the NAS message does not contain information for the common MMF, the ngPDG may obtain information about the common MMF through interaction with the HSS (or a third network node).

(116) When the NAS message is received, the authentication CP can determine whether to perform NAS attachment (i.e., whether to handle NAS). The authentication CP can make this determination based on information indicating that the UE should be connected to the common MMF. That is, if there is information indicating that the UE should be connected to the common MMF, the authentication CP can request NAS handling from the common CP.

(117) The authentication CP may recognize that CP re-allocation to the common MMF is required based on information indicating that the UE should be connected to the common MMF. Then, the authentication CP can perform the CP re-allocation procedure to the common MMF (S1030). The context stored in the authentication CP can be transmitted to the common MMF. The common MMF can recognize that the authentication procedure has been successfully completed based on the received context. The context transmitted to the common MMF may include the security context of the UE. The common CP may create an MM context for the non-3GPP access network.

(118) Depending on the embodiment, if there is a direct interface between the authentication CP and the common MMF (common CP), the authentication CP can forward the NAS message to the common CP. At this time, the authentication CP can forward the security context together. When the CP reallocation is completed, the authentication CP can transmit a notification to the ngPDG to update the routing table of the ngPDG.

(119) According to another embodiment, if there is no direct interface between the authentication CP and the common MMF (common CP), the authentication CP may request the ngPDG to forward the NAS message to the common CP. At this time, the authentication CP can transmit the security context to the common MMF. After CP reallocation is completed, the ngPDG can update the routing table.

(120) The common MMF may transmit a NAS attach acknowledgment message to the UE (S1040). The common MMF may send information, which indicates that the context update has been successfully completed, to the ngPDG and the UE.

(121) What has been described so far can be implemented in hardware. This will be described with reference to the drawings.

(122) FIG. 11 is a configuration block diagram of a UE and a network node according to an embodiment of the present invention.

(123) As shown in FIG. 11, the UE 100 includes a storage unit 101, a controller 102, and a transmission/reception unit 103. The network node may be an access network (AN), a radio access network (RAN), an AMF, a CP function node, or an SMF. The network node includes a storage unit 511, a controller 512, and a transmission/reception unit 513.

(124) The storage means stores the above-described method.

(125) The controllers control the storage means and the transmission/reception units. Specifically, the controllers each execute the methods stored in the storage means. And the controllers transmit the above-described signals through the transmission/reception units.

(126) While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, can be modified, changed, or improved in various forms within the idea of the present invention and the scope of claims.