Network connection method, method for determining security node, and apparatus

Abstract

Embodiments of this application relate to the field of communications technologies, and provide a network connection method and an apparatus. The method carried out by a network control element includes: sending a first connection parameter to a terminal, and sending a second connection parameter to a security node, so that a network connection between the terminal and the security node is established by using the first connection parameter and the second connection parameter, where the first connection parameter is used for decrypting data encrypted by using the second connection parameter, correspondingly, the second connection parameter is used for decrypting data encrypted by using the first connection parameter, and the first connection parameter and the second connection parameter each include a security parameter used when the terminal and the security node establish the network connection.

Claims

1. A network connection method, comprising: sending, by a network control element, a first connection parameter to a terminal; sending, by the network control element, a second connection parameter to a security node; obtaining, by the network control element, subscription data corresponding to the terminal; sending, by the network control element, a first connection request comprising a part or all of content of the subscription data to the security node; and sending, by the security node, a second connection request comprising the part or all of content of the subscription data to a gateway device, enabling a connection to be established between the security node and the gateway device, wherein the first connection parameter is configured for decrypting data encrypted by using the second connection parameter, the second connection parameter is configured for decrypting data encrypted by using the first connection parameter, and the first connection parameter and the second connection parameter each comprise a security parameter used by the terminal and the security node to establish a network connection.

2. The method according to claim 1, wherein: the first connection parameter comprises at least one of the following: a first security key, a security encryption algorithm, a randomizer, or a security index; the second connection parameter comprises at least one of the following: a second security key, the security encryption algorithm, the randomizer, or the security index; the first security key enables the terminal to encrypt sent data or decrypt received data, or enables the generation of a new security key of the terminal; the security encryption algorithm is an algorithm that enables the terminal or the security node to encrypt or decrypt data; the randomizer enables generation of a new security key; the security index enables identification of a secure connection corresponding to a data packet; and the second security key enables the security node to encrypt sent data or decrypt received data, or enables generation of a new security key of the security node.

3. The method according to claim 1, wherein the security node is an independent network element, and the security node directly sends the second connection request to the gateway device.

4. The method according to claim 3, further comprising: receiving, by the network control element, a first response message sent by the security node, wherein the first response message comprises an IP address assigned by the gateway device to the terminal; and sending, by the network control element, the IP address of the terminal to the terminal.

5. The method according to claim 1, wherein the security node is an independent network element, and the second connection request is sent by the security node to the gateway device through the network control element.

6. The method according to claim 5, further comprising: receiving a third response message sent by the gateway device to the security node through the network control element; and sending, by the network control element, a second response message to the security node, wherein the second response message comprises the part or all of content of the subscription data.

7. The method according to claim 1, wherein before sending, by the network control element, the first connection parameter to the terminal, the method further comprises: determining, by the network control element, a node identifier of the security node; and sending, by the network control element, the node identifier of the security node to the terminal.

8. The method according to claim 1, wherein before sending, by the network control element, the first connection parameter to the terminal, the method further comprises: receiving, by the network control element, an attach request or a connection request sent by the terminal, wherein the attach request or the connection request is used for requesting to establish a PDN connection, and the attach request or the connection request comprises home domain information of the terminal and/or location information of the terminal.

9. A network control element, comprising a memory and a processor, wherein the memory stores code and data, and the processor runs the code in the memory to enable the network control element to perform the following operations: sending a first connection parameter to a terminal; sending a second connection parameter to a security node; obtaining subscription data corresponding to the terminal; sending a first connection request comprising a part or all of content of the subscription data to the security node for enabling the security node to send a second connection request comprising the part or all of content of the subscription data to a gateway device, enabling a connection to be established between the security node and the gateway device, wherein the first connection parameter is configured for decrypting data encrypted by using the second connection parameter, the second connection parameter is configured for decrypting data encrypted by using the first connection parameter, and the first connection parameter and the second connection parameter each comprise a security parameter used by the terminal and the security node to establish a network connection.

10. The network control element according to claim 9, wherein: the first connection parameter comprises at least one of the following: a first security key, a security encryption algorithm, a randomizer, or a security index; the second connection parameter comprises at least one of the following: a second security key, the security encryption algorithm, the randomizer, or the security index; the first security key enables the terminal to encrypt sent data or decrypt received data, or enables the generation of a new security key of the terminal; the security encryption algorithm is an algorithm that enables the terminal or the security node to encrypt or decrypt data; the randomizer enables generation of a new security key; the security index enables identification of a secure connection corresponding to a data packet; and the second security key enables the security node to encrypt sent data or decrypt received data, or enables generation of a new security key of the security node.

11. The network control element according to claim 9, wherein the security node is an independent network element, and the first connection request enables the security node to directly send the second connection request to the gateway device.

12. The network control element according to claim 11, wherein the operations further comprise: receiving a first response message sent by the security node, wherein the first response message comprises an IP address assigned by the gateway device to the terminal; and sending the IP address of the terminal to the terminal.

13. The network control element according to claim 9, wherein the security node is an independent network element, and the operations further comprise: facilitating sending of the second connection request sent by the security node to the gateway device by: receiving a third connection request from the security node comprising the part or all of content of the subscription data; and sending a fourth connection request to the gateway device, wherein the fourth connection request comprises the part or all of content of the subscription data.

14. The network control element according to claim 13, wherein the operations further comprise: sending a second response message to the security node, wherein the second response message comprises the part or all of content of the subscription data based on a third response message received from the gateway device.

15. The network control element according to claim 9, wherein before sending the first connection parameter to the terminal, the operations further comprise: determining a node identifier of the security node; and sending the node identifier of the security node to the terminal.

16. The network control element according to claim 9, wherein before sending the first connection parameter to the terminal, the operations further comprise: receiving an attach request or a connection request sent by the terminal, wherein the attach request or the connection request is used for requesting to establish a PDN connection, and the attach request or the connection request comprises home domain information of the terminal and/or location information of the terminal.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) To describe the technical solutions in the embodiments of this application more clearly, the following briefly describes the accompanying drawings required in the embodiments. Apparently, the accompanying drawings in the following description show merely some embodiments of this application, and persons of ordinary skill in the art may derive other drawings from these accompanying drawings without creative efforts.

(2) FIG. 1 is a schematic structural diagram of a network architecture according to an embodiment of this application;

(3) FIG. 1a is a schematic structural diagram of another network architecture according to an embodiment of this application;

(4) FIG. 1b is a schematic structural diagram of still another network architecture according to an embodiment of this application;

(5) FIG. 2 is a schematic flowchart of a first network connection method according to an embodiment of this application;

(6) FIG. 3 is a schematic flowchart of a second network connection method according to an embodiment of this application;

(7) FIG. 4 is a schematic flowchart of a third network connection method according to an embodiment of this application;

(8) FIG. 5 is a schematic flowchart of a method for determining a security node according to an embodiment of this application; and

(9) FIG. 6 is a schematic structural diagram of a network element according to an embodiment of this application.

DETAILED DESCRIPTION

(10) The following clearly describes the technical solutions in the embodiments of this application with reference to the accompanying drawings in the embodiments of this application. Apparently, the described embodiments are merely some but not all of the embodiments of this application. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of this application without creative efforts shall fall within the protection scope of this application.

(11) FIG. 1 is a schematic structural diagram of a network architecture according to an embodiment of this application. As shown in FIG. 1, the network architecture includes a terminal 101, a security node 102, and a network control element 103. The terminal 101 may be a mobile phone, a tablet computer, a notebook computer, a computer, a netbook, or the like. This figure is described by using an example in which the terminal 101 is a mobile phone. Data may be transmitted between the terminal 101 and the security node 102. In this embodiment of this application, the security node 102 is configured to establish a secure network connection to the terminal 101. Data that is transmitted by using the secure network connection is invisible to an intermediate node, thereby ensuring security of user data. The network control element 103 is configured to manage and control another network element deployed in a network. For example, the network control element 103 may be configured to manage or control the terminal 101 and the security node 102. In addition, the network control element 103 may be different network element devices in different types of networks.

(12) The network architecture used in this application is described in detail below by using a mobile network as an example.

(13) Specifically, FIG. 1a shows a network architecture of Second Access Long Term Evolution (SALTE) in a mobile network. Referring to FIG. 1a, the network architecture mainly includes three parts, which are a terminal 101, a network element 11 of a local network, and a network element 12 of a public network. The network element 11 of the local network is a locally deployed network element device, may be deployed by an enterprise, a third-party organization, or an operator, and mainly includes a local base station 111, a local gateway (On-site Gateway, On-site GW) 112 and an local mobility management entity (on-site Mobility Management Entity, on-site MME) 113. The local GW 112 and the local MME 113 are core network parts included in the local network. The network element 12 of the public network is a network element device deployed by an operator, and mainly includes a security node 102, an authentication, authorization, and accounting server or mobility management entity (AAA/MME) 1031, a gateway device 121, and a home subscriber server (HSS) 122.

(14) In the network architecture in FIG. 1a, the local base station 111 is an access device, that is, a device for the terminal 101 to access the local network. The local GW 112 is a gateway device, and is configured to transmit user data. The local MME 113 is mainly responsible for access management, session management, mobility management, and the like inside the local network. The AAA/MME 1031 is a network control element 103 in the network architecture. In addition to management and control of a network element in a network, the AAA/MME 1031 is further mainly responsible for authentication, service authorization, and the like for a user. The HHS 122 is mainly responsible for storing subscription data of a user. The gateway 121 is a gateway of the mobile network, and is an anchor of data transmission of a user. Optionally, the gateway 121 and the security node 102 are integrated and deployed into a network element.

(15) FIG. 1b is a schematic structural diagram of a network architecture of another mobile network according to an embodiment of this application. Referring to FIG. 1b, a difference between the network architecture and the network architecture shown in FIG. 1a is that a network element 11 of a local network does not include a network element of an local MME 113. An AAA/MME 1031 in a network element 12 of a public network replaces the local MME and is responsible for completing access management, session management, mobility management, and the like inside the local network.

(16) Persons of ordinary skills in the art may understand that the structures shown in FIG. 1a and FIG. 1b are merely schematic, and do not constitute any limitation to the structure of the network architecture. For example, the network architecture may further include more or less network elements than those shown in FIG. 1a and FIG. 1b, or have a configuration different from those shown in FIG. 1a and FIG. 1b.

(17) It should be noted that the network architectures shown in FIG. 1a and FIG. 1b are merely examples. In addition to the SALTE in the foregoing mobile network, the network architecture used in this embodiment of this application may alternatively be a Long Term Evolution LTE network, a non-3GPP network (for example, a mobile network accessed by using Wi-Fi), a Home NodeB network, a Global System for Mobile Communications GSM network, a Wideband Code Division Multiple Access WCDMA network, a network architecture in a future mobile network, a MulteFire network, or the like. For another network architecture having a structure similar to that in FIG. 1 is applicable to this embodiment of this application, and the used network architecture is not specifically limited in this embodiment of this application.

(18) FIG. 2 is a schematic flowchart of a network connection method according to an embodiment of this application. Referring to FIG. 2, the method includes the following steps.

(19) Step 201: A network control element sends a first connection parameter to a terminal, and sends a second connection parameter to a security node, so that the terminal and the security node establish a network connection by using the first connection parameter and the second connection parameter. The first connection parameter is used for decrypting data encrypted by using the second connection parameter. Correspondingly, the second connection parameter is used for decrypting data encrypted by using the first connection parameter. The first connection parameter and the second connection parameter each include a security parameter used when the terminal and the security node establish the network connection.

(20) In this embodiment of this application, the network control element may send the first connection parameter to the terminal and send the second connection parameter to the security node in an attach process or a connection establishment process. That is, the network connection can be established between the terminal and the security node in both the attach process and the connection establishment process. During actual application, the attach process not only includes a process of establishing the network connection, and but also may include a process of authentication and authorization between the terminal and a network device. In addition, the process of authentication and authorization between the terminal and the network device is consistent with that in the prior art. For details, refer to related technologies. Details are not described in this embodiment of this application.

(21) It should be noted that when the network control element sends the first connection parameter to the terminal and sends the second connection parameter to the security node, there is no sequential order. That is, the network control element may first send the first connection parameter to the terminal and then send the second connection parameter to the security node, or may first send the second connection parameter to the security node and then send the first connection parameter to the terminal, certainly, or may simultaneous send the first connection parameter to the terminal and send the second connection parameter to the security node. This is not limited in this embodiment of this application.

(22) Optionally, the network control element may be a mobility management entity MME, or an authentication, authorization, and accounting server AAA server, and may be briefly referred to as an AAA/MME. Certainly, during actual application, the network control element may alternatively be another network element. This is not limited in this embodiment of this application.

(23) When the network control element is a mobility management entity, a local network has a more close relationship with a carrier network, and an operator can control operation of the local network better. When the network control element is an authentication, authorization, and accounting server, a local network has a less close relationship with a carrier network, and deployment of the local network is more flexible.

(24) Optionally, in a network architecture, the security node may be an independent network element, or may be a network element integrated and deployed with a gateway device, or a network element integrated and deployed with a mobile edge computing (MEC) device, or may be integrated and deployed with a network element of another core network. This is not limited in this embodiment of this application.

(25) When the security node is an independent network element, network device functions are more modularized, and a structure is clearer, but transport signaling between devices is increased. On the contrary, when the security node and the gateway device are integrated and deployed, network device functions are complex and diversified, but transport signaling between devices is reduced.

(26) Further, optionally, before step 201, the network control element may further determine a node identifier of the security node based on home domain information of the terminal, and/or location information of the terminal, and/or location information of a local network in which the terminal is located, and send the node identifier of the security node to the terminal, so that the terminal determines the security node by using the identifier of the security node, and establishes the network connection to the security node by using the first connection parameter.

(27) Specifically, when selecting, from a plurality of security nodes based on the home domain information of the terminal, and/or the location information of the terminal, and/or the location information of the local network in which the terminal is located, and the like, one security node that is relatively close to a user of the terminal, the network control element may send a node identifier of the selected security node to the terminal, so that the terminal determines the security node based on the node identifier, and establishes the network connection to the security node.

(28) Step 202: The terminal receives the first connection parameter sent by the network control element. The first connection parameter is used for decrypting data encrypted by using the second connection parameter, and the first connection parameter includes the security parameter used when the terminal establishes the network connection to the security node.

(29) The first connection parameter includes at least one of the following: a first security key, a security encryption algorithm, a randomizer, and a security index. That is, the first connection parameter may include one or more of the first security key, the security encryption algorithm, the randomizer, and the security index; and the security encryption algorithm, the randomizer, and the security index in the first connection parameter are consistent with those in the second connection parameter.

(30) Specifically, the first security key is used by the terminal to encrypt sent data or decrypt received data, or is used for generating a new security key of the terminal. The security encryption algorithm is an algorithm used by the terminal to encrypt or decrypt data. The randomizer is used for generating a new security key. That is, the terminal may generate a new security key by using the randomizer, then the terminal may encrypt the sent data or decrypt the received by using the new security key. The security index is used for identifying one secure connection corresponding to a data packet. That is, the terminal may have a plurality of secure connections, and the terminal needs to determine, by using the security index, one secure connection corresponding to the security node, to send and receive the data packet by using the secure connection.

(31) Step 203: The security node receives the second connection parameter sent by the network control element. The second connection parameter is used for decrypting data encrypted by using the first connection parameter, and the second connection parameter includes the security parameter used when the security node establishes the network connection to the terminal.

(32) The second connection parameter includes at least one of the following: a second security key, a security encryption algorithm, a randomizer, and a security index. That is, the second connection parameter may include one or more of the second security key, the security encryption algorithm, the randomizer, and the security index; and the security encryption algorithm, the randomizer, and the security index in the second connection parameter are consistent with those in the first connection parameter.

(33) Specifically, the second security key is used by the security node to encrypt sent data or decrypt received data, or is used for generating a new security key of the security node. The security encryption algorithm is an algorithm used by the security node to encrypt or decrypt data. The randomizer is used for generating a new security key. That is, the security node may generate a new security key by using the randomizer, and then the security node may encrypt the sent data or decrypt the received by using the new security key. The security index is used for identifying one secure connection corresponding to a data packet. That is, the security node may have a plurality of secure connections, and the security node needs to determine, by using the security index, one secure connection corresponding to the security node, to send and receive the data packet by using the secure connection.

(34) Step 204: The terminal and the security node establish the network connection by using the first connection parameter and the second connection parameter.

(35) In the attach process or connection establishment process, after the terminal receives the first connection parameter and the security node receives the second connection parameter, the terminal may encrypt the sent data by using the first security key, or the new security key generated by using the first security key, or the new security key generated by using the randomizer, and the security encryption algorithm, to obtain an encrypted data packet. The terminal identifies a secure connection corresponding to the data packet by using the security index, and sends the data packet to the security node by using the secure connection. When receiving a data packet sent by the security node, the terminal may identify a corresponding secure connection by using the security index, receive, by using the secure connection, the data packet sent by the security node, and decrypt the received data packet by using the first security key, or the new security key generated by using the first security key, or the new security key generated by using the randomizer, and the security encryption algorithm, to obtain data sent by the security node. Similarly, the security node may encrypt sent data or decrypt received data by using at least one of the second security key, the security encryption algorithm, the randomizer, and the security index that are included in the second connection parameter. A specific process is consistent with that of the terminal. Details are not described in this embodiment of this application again.

(36) In this embodiment of this application, the terminal and the security node establish a secure network connection by using the first connection parameter and the second connection parameter. This can ensure that data is invisible to an intermediate node in a transmission process, thereby ensuring security of the data in the transmission process.

(37) It should be noted that when sending and receiving data, the terminal and the security node usually need to use the security key, the security encryption algorithm, and the security index to perform encryption or decryption. The security key may be a first security key, or a second security key, or a new key generated by using the security key, or may be a security key generated by using the randomizer.

(38) During specific implementation, the first connection parameter and the second connection parameter may include all parameters of the security key, the security encryption algorithm, and the security index, or include some parameters of the security key, the security encryption algorithm, and the security index.

(39) When the first connection parameter includes all the parameters, the terminal may directly encrypt or decrypt data based on all the parameters. When the first connection parameter includes only some parameters, a parameter missing in the first connection parameter may be configured or specified in advance. The terminal can also obtain all the parameters, and encrypt or decrypt data based on all the parameters. A specific implementation is not limited in this embodiment of this application.

(40) Similarly, when the second connection parameter includes all the parameters, the security node may directly encrypt or decrypt data based on all the parameters. When the second connection parameter includes only some parameters, a parameter missing in the second connection parameter may be configured or specified in advance. The security node can also obtain all the parameters, and encrypt or decrypt data based on all the parameters. A specific implementation is not limited in this embodiment of this application.

(41) Optionally, before step 201, the method further includes step 205 and step 206.

(42) Step 205: The terminal sends an attach request or a connection request to the network control element. The attach request or the connection request is used for requesting to establish a PDN (Public Data Network) connection.

(43) Before the network control element sends, to the terminal and the security node, the security parameter used for establishing the network connection, the terminal may send, to the network control element, the attach request or the connection request used for requesting to establish the PDN connection. After receiving the attach request or the connection request, the network control element establishes the network connection between the terminal and the security node. The PDN connection is a default bearer established between the terminal and a packet data network.

(44) A process in which the terminal sends the attach request or the connection request to the network control element is related to a structure of the network architecture. Using a network architecture of a mobile network as an example, if the network architecture is shown in FIG. 1a and FIG. 1b, the terminal may first send the attach request or the connection request to a network element of a local network, and then the network element of the local network forwards the attach request or the connection request to the network control element.

(45) Specifically, in the network architecture shown in FIG. 1a, the terminal sends the attach request or the connection request to a local base station. When receiving the attach request or the connection request, the local base station sends the attach request or the connection request to an local MME. The local MME sends the attach request or the connection request to the network control element.

(46) In the network architecture shown in FIG. 1b, the terminal sends the attach request or the connection request to a local base station. When receiving the attach request or the connection request, the local base station directly sends the attach request or the connection request to the network control element.

(47) In this embodiment of this application, the attach request or the connection request both can be used for requesting to establish the PDN connection. During actual application, the attach request is used not only for requesting to establish the PDN connection, and but also for requesting a process of authentication and authorization between the terminal and a network deice. In addition, the process of authentication and authorization between the terminal and the network deice is consistent with that in the prior art. For details, refer to related technologies. Details are not described in this embodiment of this application.

(48) Step 206: The network control element receives the attach request or the connection request sent by the terminal.

(49) Specifically, the network control element receives the attach request or the connection request sent by the terminal. In the network architecture shown in FIG. 1a, this means that the network control element receives the attach request or the connection request forwarded by the local MME; and in the network architecture shown in FIG. 1b, this means that the network control element receives the attach request or the connection request forwarded by the local base station.

(50) Further, after the network connection is established between the terminal and the security node, if the security node an independently deployed network element, a connection may further be established between the security node and the gateway device. In addition, depending on whether control plane communication can be directly performed between the security node and the gateway device, there are several different establishment methods. Details are as follows.

(51) A first method: Control plane communication can be directly performed between the security node and the gateway device. After step 203, the method further includes step 207a to step 210a.

(52) Step 207a: The network control element obtains subscription data corresponding to the terminal.

(53) When obtaining the subscription data corresponding to the terminal, the network control element may send a subscription data request to an HSS. The subscription data request includes an identifier of the terminal. When receiving the subscription data request, the HSS may send the subscription data corresponding to the identifier of the terminal to the network control element.

(54) The subscription data includes a service parameter of the terminal in the network. For example, the subscription data may include a charging characteristic, a QoS file of EPS (evolved packet system) subscription, and the like. Details are not described in this embodiment of this application.

(55) Step 208a: The network control element sends a first connection request including a part or all of content of the subscription data to the security node.

(56) When obtaining the subscription data corresponding to the terminal, the network control element may send the first connection request including a part or all of content of the subscription data to the security node. Certainly, the first connection request may further include the identifier of the terminal, and the identifier of the terminal is used for indicating that the subscription data is the subscription data corresponding to the terminal.

(57) Step 209a: When receiving the first connection request, the security node sends a second connection request including a part or all of content of the subscription data to the gateway device. The second connection request is used for requesting to establish the connection between the security node and the gateway device.

(58) When the security node receives the first connection request, that is, the security node receives a part or all of content of the subscription data, the security node may send the second connection request including a part or all of content of the subscription data to the gateway device. Certainly, during actual application, the second connection request may further include information such as the identifier of the terminal, for example, an IMSI and a GUTI, and an address of the security node. This is not limited in this embodiment of this application.

(59) Step 210a: The security node receives a second response message sent by the gateway device, to establish the connection between the security node and the gateway device.

(60) After the security node sends the second connection request to the gateway device, the gateway device may return the second response message to the security node, to establish the connection between the security node and the gateway device. This may alternatively be described as establishing a tunnel between the security node and the gateway device. During actual application, the second response message may include information such as an address of the gateway device and a QoS application parameter.

(61) Further, the second response message further includes an IP address assigned by the gateway device to the terminal. Correspondingly, the method further includes step 211a and step 212a.

(62) Step 211a: The network control element receives a first response message sent by the security node. The first response message includes an IP address of the terminal.

(63) Step 212a: The network control element sends the IP address of the terminal to the terminal.

(64) Specifically, when receiving the second response message including the IP address of the terminal, the security node sends the first response message including the IP address of the terminal to the network control element, so that the network control element sends the IP address of the terminal to the terminal. The terminal receives the IP address, so that the gateway device configures the IP address for the terminal.

(65) A second method: Control plane communication cannot be directly performed between the security node and the gateway device. Referring to FIG. 3, after step 203, the method further includes step 207b to step 210b.

(66) Step 207b: The network control element obtains subscription data corresponding to the terminal.

(67) Step 207b is consistent with step 207a. For details, refer to the description of step 207a. Details are not described in this embodiment of this application again.

(68) Step 208b: The security node sends a third connection request to the network control element. The third connection request is used for establishing the connection between the security node and the gateway device.

(69) Because the security node cannot directly perform control plane communication with the gateway device, when the security node requests to establish the connection between the security node and the gateway device, the security node may send the third connection request to the network control element, so that the network control element sends a fourth connection request to the gateway device. The third connection request and the fourth connection request may include information such as an identifier of the terminal, for example, an IMSI and a GUTI, and an address of the security node.

(70) Step 209b: When receiving the third connection request, the network control element sends a fourth connection request to the gateway device. The fourth connection request includes a part or all of content of the subscription data, and the third connection request and the fourth connection request are used for establishing the connection between the security node and the gateway device.

(71) Step 210b: The network control element receives a fourth response message sent by the gateway device, and sends a third response message to the security node. The third response message includes a part or all of content of the subscription data.

(72) When receiving the fourth connection request used for establishing the connection between the security node and the gateway device, the gateway device may send the fourth response message to the network control element. When receiving the fourth response message, the network control element may send the third response message to the security node, to establish the connection between the security node and the gateway device, where the third response message includes a part or all of content of the subscription data. During actual application, the fourth response message sent by the gateway device may further include information such as an address of the gateway device and a QoS application parameter.

(73) Further, the fourth response message further includes an IP address assigned by the gateway device to the terminal. Correspondingly, the method further includes step 211b.

(74) Step 211b: The network control element sends the IP address of the terminal to the terminal.

(75) Specifically, when receiving the fourth response message that is sent by the gateway device and that includes the IP address of the terminal, the network control element obtains the IP address of the terminal from the fourth response message, and sends the IP address of the terminal to the terminal. The terminal receives the IP address.

(76) A third method: Control plane communication cannot be directly performed between the security node and the gateway device. Referring to FIG. 4, after step 203, the method further includes step 207c to step 209c.

(77) Step 207c: The network control element obtains subscription data corresponding to the terminal.

(78) Step 207c is consistent with step 207a. For details, refer to the description of step 207a. Details are not described in this embodiment of this application again.

(79) Step 208c: The network control element sends a fifth connection request including a part or all of content of the subscription data to the gateway device, so that the gateway device returns a fifth response message when receiving the fifth connection request.

(80) The fifth connection request is used for requesting to establish the connection between the security node and the gateway device. When receiving the fifth connection request sent by the network control element, the gateway device may send the fifth response message to the network control element, to notify the network control element that the fifth connection request is successfully received. During actual application, the fifth connection request may further include an address of the security node, and the fifth response message may further include information such as an address of the gateway device and a QoS application parameter.

(81) Step 209c: The network control element sends a sixth connection request including a part or all of content of the subscription data to the security node, to establish the connection between the security node and the gateway device.

(82) After receiving the fifth response message sent by the gateway device, the network control element may send the sixth connection request including a part or all of content of the subscription data to the security node, to establish the connection between the security node and the gateway device. During actual application, the sixth connection request may further include information such as the address of the gateway device and the QoS application parameter.

(83) Further, referring to FIG. 4, the fifth response message includes an IP address assigned by the gateway device to the terminal. Correspondingly, the method further includes step 210c.

(84) Step 210c: The network control element sends the IP address of the terminal to the terminal.

(85) Specifically, when receiving the fifth response message that is sent by the gateway device and that includes the IP address of the terminal, the network control element may obtain the IP address of the terminal from the fifth response message, and send the IP address of the terminal to the terminal. The terminal receives the IP address.

(86) Correspondingly, if the fifth response message includes the IP address of the terminal, the network control element may further add the IP address of the terminal to the sixth connection request, to send the IP address of the terminal also to the security node.

(87) It should be noted that a difference between the second method and the third method is that in the second method, the second connection request used for establishing the connection between the security node and the gateway device is sent by the security node, and is forwarded by the network control element to the gateway device; however, in the third method, the third connection request used for establishing the connection between the security node and the gateway device is directly sent by the network control element to the gateway device, and the security node does not need to send a connection request to the network control element, so that signaling interaction between the security node and the network control element is reduced by one time.

(88) According to the network connection method provided in this embodiment of this application, the network control element assigns a pair of security parameters to the terminal and the security node to mutually encrypt and decrypt data, so that the terminal and the security node establish the network connection by using the assigned security parameters and perform data transmission. Therefore, the terminal and the security node do not need to determine the security parameters through negotiation by performing complex signaling interaction. In addition, to establish the connection between the security node and the gateway device, several different connection methods are provided. Meanwhile, the gateway device has configured the IP address for the terminal in the connection process, thereby simplifying a network connection process, and increasing a speed of network connection establishment.

(89) It should be noted that in a method for establishing a secure network connection in the prior art, the security node is selected by the terminal. Because the terminal has no sufficient information, a security node selected by the terminal may not be an optimal security node. Consequently, a delay of data transmission is relatively long. For this problem, this application further provides a method for determining a security node.

(90) FIG. 5 shows a method for determining a security node according to an embodiment of this application. Referring to FIG. 5, the method includes the following steps.

(91) Step 301: A network control element determines a node identifier of a security node based on home domain information of a terminal, and/or location information of the terminal, and/or location information of a local network in which the terminal is located.

(92) Optionally, the network control element selects one security node from a plurality of security nodes based on the home domain information of the terminal, and/or the location information of the terminal, and/or the location information of the local network in which the terminal is located, and determines an identifier of the selected security node as the node identifier of the security node. That is, the network control element may select one security node from a plurality of security nodes included in a network based on any one, two, or all pieces of the home domain information of the terminal, the location information of the terminal, and the location information of the local network in which the terminal is located, and determines an identifier of the selected security node as the node identifier of the security node.

(93) Specifically, when selecting one security node from a plurality of the security nodes, the network control element usually may select, based on at least one piece of the home domain information, the location information of the terminal, and the location information of the local network in which the terminal is located, one security node that is relatively close to the terminal, and determine an identifier of the selected security node as the node identifier of the security node. In this way, paths for control plane signaling and user plane transmission can be reduced, thereby reducing a transmission delay.

(94) The home domain information of the terminal may be determined by using a home domain identity of the terminal. If a home domain of the terminal is a home domain identity of an operator, the home domain identity may be an international mobile subscriber identity IMSI or a globally unique temporary identity GUTI. If a home domain of the terminal is not a home domain identity of an operator, the home domain identity may be a subscriber identity SI (Subscriber Identifier). Certainly, during actual application, the home domain identity may some other identities, so that the network control element may determine the home domain information of the terminal based on the home domain identity of the terminal.

(95) The location information of the terminal may be longitude and latitude information of the terminal, or coordinate information, or an identifier and/or location information of an access network of the terminal. For example, in a mobile network, the access network may be a base station. When the location information of the terminal is an identifier of the base station in the access network, the network control element may determine location information of the base station based on the identifier of the base station.

(96) The location information of the local network may be an identifier and/or location information of a management network element in the local network or an identifier and/or location information of an access network. For example, in the mobile network, the management network element may be an local MME, and the access network may be a base station. When the location information of the local network is the identifier of the management network element or the identifier of the access network, the network control element may determine the location information of the local network based on the identifier.

(97) Further, when obtaining the home domain information of the terminal, the network control element may determine the home domain information of the terminal by receiving the home domain identity of the terminal; or first determine the home domain identity of the terminal based on a received identifier of the terminal in the local network, and then determine the home domain information of the terminal based on the home domain identity. When obtaining the location information of the terminal, the network control element may receive location information reported by the terminal, or determine the location information of the terminal based on a received message of the access network, for example, a message of the base station. When obtaining the location information of the local network, the network control element may receive location information reported by a network element in the local network, or determine the location information of the local network based on a received message of the local network.

(98) Optionally, the terminal sends an attach request or a connection request to the network control element. The attach request or the connection request includes the home domain identity of the terminal and/or the location information of the terminal. In addition, when the attach request or the connection request passes through the access network and the network element in the local network, the access network and the network element in the local network may add the identifier or the location information of the access network and the identifier or the location information of the local network to the attach request or the connection request. For example, in the network architecture shown in FIG. 1a, the attach request or the connection request passes through the local base station and the local MME in the network and arrives at the network control element. The local base station and the local MME may add identifiers or location information thereof to the attach request or the connection request and send the attach request or the connection request to the network control element. In the network architecture shown in FIG. 1b, the attach request or the connection request passes through only the local base station, the local base station may add an identifier or location information of the base station to the attach request or the connection request and send the attach request or the connection request to the network control element, so that the network control element may obtain the location information of the terminal and the location information of the local network.

(99) Step 302: The network control element sends the node identifier of the security node to the terminal.

(100) Step 303: The terminal receives the node identifier of the security node sent by the network control element, and determines the security node based on the node identifier of the security node.

(101) Specifically, when determining the node identifier of the security node, the network control element may send the node identifier of the security node to the terminal. When receiving the node identifier of the security node, the terminal determines the security node based on the node identifier of the security node, so that a network connection is established between the terminal and the security node based on the foregoing network connection method.

(102) According to the method for determining a security node provided in this embodiment of this application, the network control element selects, based on the home domain information of the terminal, the location information of the terminal, and/or the location information of the local network, and the like, a security node that is relatively close to the terminal, and sends a node identifier of the security node to the terminal, so that the terminal establishes the network connection to the security node. In this way, when the terminal and the security node perform data transmission, paths for control plane signaling and user plane transmission may be reduced, thereby reducing a transmission delay.

(103) FIG. 6 shows a network element according to an embodiment of this application. The network element may be a network control element, or may be a terminal, or may be a security node. The network element includes a memory 401, a processor 402, a power supply component 403, an input/output interface 404, a communications component 405, and the like. Persons of ordinary skills in the art may understand that a structure shown in FIG. 6 is merely schematic, and does not constitute any limitation to the structure of the network element. For example, the network element may further include more or less components than those shown in FIG. 6, or have a configuration different from that shown in FIG. 6.

(104) Each component in the network element is described in detail below:

(105) The memory 401 may be configured to store data, and a software program and module, and mainly include a program storage area and a data storage area. The program storage area may store an operating system, an application program required by at least one function, and the like. The data storage area may store data created based on use of a model parameter fusion apparatus. In addition, the memory may include a high-speed random access memory, and may further include a non-volatile memory such as at least one magnetic disk storage component, a flash memory component, or another volatile solid-state storage component.

(106) The processor 402 is a control center of the network element, connects all parts of the entire network element through various interfaces and lines, and performs various functions and processes data by running or executing the software program and/or module stored in the memory 401 and by invoking the data stored in the memory 401, to monitor the entire network element. Optionally, the processor 402 may include one or more processing units. Preferably, the processor 402 may integrate an application processor and a modem processor. The application processor mainly processes an operating system, a user interface, an application program, and the like. The modem processor mainly processes wireless communication. It may be understood that the modem processor may alternatively not be integrated into the processor 402.

(107) The power supply component 403 is configured to supply power to each component of the network element. The power supply component 403 may include a power management system, one or more power supplies, and another component related to generation, management, and power distribution of the network element.

(108) The input output interface 404 provides an interface between the processor 402 and a peripheral interface module. For example, the peripheral interface may be a keyboard, a mouse, or the like.

(109) The communications component 405 is configured to facilitate communication between the network element and another device in a wired or wireless manner. The network element may access a communication standard-based wireless network such as Wi-Fi, 2G, or 3G, or a combination thereof.

(110) Although not shown in the figure, the network element may further include an audio component, a multimedia component, and the like. Details are not described in this embodiment of this application.

(111) Optionally, when the processor 402 runs code in the memory 401, to enable the network element to perform steps of a network control element in the network connection methods shown in FIG. 2 to FIG. 4, the network control element is configured to:

(112) send a first connection parameter to a terminal; and

(113) send a second connection parameter to a security node, where

(114) the first connection parameter is used for decrypting data encrypted by using the second connection parameter; correspondingly, the second connection parameter is used for decrypting data encrypted by using the first connection parameter; and the first connection parameter and the second connection parameter each include a security parameter used when the terminal and the security node establish a network connection.

(115) Optionally, when the processor 402 runs code in the memory 401, to enable the network element to perform steps of a terminal in the network connection methods shown in FIG. 2 to FIG. 4, the terminal is configured to:

(116) receive a first connection parameter sent by a network control element, where the first connection parameter is used for decrypting data encrypted by using a second connection parameter, and the first connection parameter includes a security parameter used when the terminal establishes a network connection to a security node; and

(117) establish, by using the first connection parameter, the network connection to the security node receiving the second connection parameter.

(118) Optionally, when the processor 402 runs code in the memory 401, to enable the network element to perform steps of a security node in the network connection methods shown in FIG. 2 to FIG. 4, the security node is configured to:

(119) receive a second connection parameter sent by a network control element, where the second connection parameter is used for decrypting data encrypted by using a first connection parameter, and the second connection parameter includes a security parameter used when the security node establishes a network connection to a terminal; and

(120) establish, by using the second connection parameter, the network connection to the terminal receiving the first connection parameter.

(121) Specifically, when the network control element, the terminal, and the security node are configured to perform the network connection methods shown in FIG. 2 to FIG. 4, refer to the descriptions in the embodiments corresponding to FIG. 2 to FIG. 4 for details of the network connection methods. Details are not described in this embodiment of this application again.

(122) According to the network element provided in this embodiment of this application, when the network element is configured to perform steps of the network control element in the network connection methods shown in FIG. 2 to FIG. 4, the network control element sends the first connection parameter to the terminal, and sends the second connection parameter to the security node, where the first connection parameter is used for decrypting data encrypted by using the second connection parameter, and the second connection parameter is used for decrypting data encrypted by using the first connection parameter, so that the terminal and the security node may directly establish the network connection by using the first connection parameter and the second connection parameter, and the terminal and the security node do not need to determine the security parameter through negotiation by performing complex signaling interaction, thereby simplifying a network connection process.

(123) Optionally, when the processor 402 runs code in the memory 401, to enable the network element to perform steps of a network control element in the method for determining a security node shown in FIG. 5, the network control element is configured to:

(124) determine a node identifier of a security node based on home domain information of a terminal, and/or location information of the terminal, and/or location information of a local network in which the terminal is located; and

(125) send the node identifier of the security node to the terminal, so that the terminal determines the security node by using the node identifier of the security node.

(126) Optionally, when the processor 402 runs code in the memory 401, to enable the network element to perform steps of a terminal in the method for determining a security node shown in FIG. 5, the terminal is configured to:

(127) receive the node identifier of the security node sent by the network control element; and

(128) determine the security node based on the node identifier of the security node.

(129) Specifically, when the network control element and the terminal are configured to perform the method for determining a security node shown in FIG. 5, refer to the descriptions in the embodiment corresponding to FIG. 5 for details of the method for determining a security node. Details are not described in this embodiment of this application again.

(130) According to the network element provided in this embodiment of this application, when the network element is configured to perform steps of the network control element in the method for determining a security node shown in FIG. 5, the network control element selects, based on the home domain information of the terminal, the location information of the terminal, the location information of the local network, and the like, a security node that is relatively close to the terminal, and sends a node identifier of the security node to the terminal, so that when the terminal and the security node perform data transmission, paths for control plane signaling and user plane transmission may be reduced, thereby reducing a transmission delay.

(131) Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of this application, but not for limiting this application. Although this application is described in detail with reference to the foregoing embodiments, persons of ordinary skills in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments or make equivalent replacements to some technical features thereof, and such modifications or replacements do not cause the essence of corresponding technical solutions to depart from the scope of the technical solutions in the embodiments of this application.

Network connection method, method for determining security node, and apparatus

Assignee

Inventors

Cpc classification

Classification Explorer

H04L63/0428

ELECTRICITY

Classification Explorer

H04L61/503

ELECTRICITY

Classification Explorer

H04W12/043

ELECTRICITY

Classification Explorer

H04L9/088

ELECTRICITY

Classification Explorer

H04W12/03

ELECTRICITY

Classification Explorer

H04W12/037

ELECTRICITY

Classification Explorer

H04W36/0038

ELECTRICITY

Classification Explorer

H04W36/0011

ELECTRICITY

Classification Explorer

H04W4/023

ELECTRICITY

Classification Explorer

H04W36/0019

ELECTRICITY

Classification Explorer

H04L63/062

ELECTRICITY

Classification Explorer

H04L63/0892

ELECTRICITY

Classification Explorer

H04W12/02

ELECTRICITY

Classification Explorer

H04W60/00

ELECTRICITY

Classification Explorer

H04W12/033

ELECTRICITY

Classification Explorer

H04W76/10

ELECTRICITY

International classification

Classification Explorer

H04W12/02

ELECTRICITY

Classification Explorer

H04W4/02

ELECTRICITY

Classification Explorer

H04L9/08

ELECTRICITY

Classification Explorer

H04W12/00

ELECTRICITY

Classification Explorer

H04W60/00

ELECTRICITY

Classification Explorer

H04W12/04

ELECTRICITY

Classification Explorer

H04L29/06

ELECTRICITY

Classification Explorer

H04L29/12

ELECTRICITY

Classification Explorer

H04W36/00

ELECTRICITY