Session management method and SMF node

11576043 · 2023-02-07

Abstract

One disclosure in the present specification provides a session management method performed by a session management function (SMF) node. The session management method may comprise: a step of transmitting, to a user plane function (UPF) node, a request message for discarding traffic buffering, when a notification of the detection of particular traffic associated with a wireless device has been received, and if additional authentication is required for the particular traffic; and a step of transmitting a message for triggering the wireless device to establish a new packet data unit (PDU) session, to an access and mobility management function (AMF) node.

Claims

1. A session management method performed by a session management function (SMF) node, the method comprising: establishing a first protocol data unit (PDU) session with a wireless device; receiving a notification related to a traffic transmitted by the wireless device based on the first PDU session, wherein the notification includes request for additional authentication for the traffic; determining to establish a second PDU session with the wireless device for the traffic based on i) the request for additional authentication for the traffic and ii) subscription information of the wireless device; transmitting, to a user plane function (UPF) node, a request message for discarding the traffic, based on determining to establish a second PDU session with the wireless device for the traffic; transmitting a message for triggering the wireless device to establish the second PDU session, to an access and mobility management function (AMF) node; receiving a PDU session establishment request message for the second PDU session from the wireless device; performing a secondary authentication procedure; and transmitting a PDU session establishment accept message for the second PDU session to the wireless device in response to the PDU session establishment request message.

2. The session management method of claim 1, further comprising: checking the subscription information of the wireless device based on the notification.

3. The session management method of claim 1, further comprising: determining whether the secondary authentication procedure is required for the traffic based on the subscription information of the wireless device.

4. A session management function (SMF) node comprising: a transmission/reception unit; and a processor configured to control the transmission/reception unit, wherein the processor is configured to establish a first protocol data unit (PDU) session with a wireless device, wherein the processor is configured to control the transmission/reception unit to receive a notification related to a traffic transmitted by the wireless device based on the first PDU session, wherein the notification includes request for additional authentication for the traffic, wherein the processor is configured to determine to establish a second PDU session with the wireless device for the traffic based on i) the request for additional authentication for the traffic and ii) subscription information of the wireless device, wherein the processor is configured to control the transmission/reception unit to transmit, to a user plane function (UPF) node, a request message for discarding the traffic, based on determining to establish a second PDU session with the wireless device for the traffic, wherein the processor is configured to control the transmission/reception unit to transmit a message for triggering the wireless device to establish the second PDU session, to an access and mobility management function (AMF) node, wherein the processor is configured to control the transmission/reception unit to receive a PDU session establishment request message for the second PDU session from the wireless device, wherein the processor is configured to perform a secondary authentication procedure, wherein the processor is configured to control the transmission/reception unit to transmit a PDU session establishment accept message for the second PDU session to the wireless device in response to the PDU session establishment request message.

5. The SMF node of claim 4, wherein the processor is configured to check the subscription information of the wireless device based on the notification.

6. The SMF node of claim 4, wherein the processor is configured to determine whether the secondary authentication is required for the traffic based on the subscription information of the wireless device.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 shows the configuration of an evolved mobile communication network.

(2) FIG. 2 is an exemplary diagram illustrating a predicted structure of a next generation mobile communication in terms of a node.

(3) FIG. 3A is an exemplary diagram illustrating an architecture to which a local breakout (LBO) scheme is applied when roaming.

(4) FIG. 3B is an exemplary diagram illustrating an architecture to which an HR (home routed) scheme is applied when roaming.

(5) FIG. 4A is an exemplary view illustrating an example of an architecture for implementing the concept of network slicing.

(6) FIG. 4B is an exemplary diagram illustrating another example of an architecture for implementing the concept of network slicing.

(7) FIG. 5A shows an architecture for interworking when a UE does not roam, and FIG. 5B shows an architecture for interworking when a UE is roaming.

(8) FIG. 6 is an exemplary diagram illustrating a protocol stack of a UE having a plurality of network interfaces.

(9) FIG. 7 illustrates an example of performing additional authentication when specific traffic is detected according to the disclosure of the present specification.

(10) FIG. 8 is an exemplary view conceptually illustrating a first disclosure of the present specification.

(11) FIG. 9 is a signal flow diagram according to a first scheme of the second disclosure of the present specification.

(12) FIG. 10 is a signal flow diagram according to a second scheme of the second disclosure of the present specification.

(13) FIG. 11 is a signal flow diagram according to a third scheme of the second disclosure of the present specification.

(14) FIG. 12 is a configuration block diagram of a UE and a network node according to an embodiment of the present invention.

DESCRIPTION OF EXEMPLARY EMBODIMENTS

(15) The present invention is described in light of UMTS (Universal Mobile Telecommunication System) and EPC (Evolved Packet Core), but is not limited to such communication systems, and may rather be applicable to all communication systems and methods to which the technical spirit of the present invention may apply.

(16) The technical terms used herein are used to merely describe specific embodiments and should not be construed as limiting the present invention. Further, the technical terms used herein should be, unless defined otherwise, interpreted as having meanings generally understood by those skilled in the art but not too broadly or too narrowly. Further, the technical terms used herein, which are determined not to exactly represent the spirit of the invention, should be replaced by or understood by such technical terms as being able to be exactly understood by those skilled in the art. Further, the general terms used herein should be interpreted in the context as defined in the dictionary, but not in an excessively narrowed manner.

(17) The expression of the singular number in the specification includes the meaning of the plural number unless the meaning of the singular number is definitely different from that of the plural number in the context. In the following description, the term ‘include’ or ‘have’ may represent the existence of a feature, a number, a step, an operation, a component, a part or the combination thereof described in the specification, and may not exclude the existence or addition of another feature, another number, another step, another operation, another component, another part or the combination thereof.

(18) The terms ‘first’ and ‘second’ are used for the purpose of explanation about various components, and the components are not limited to the terms ‘first’ and ‘second’. The terms ‘first’ and ‘second’ are only used to distinguish one component from another component. For example, a first component may be named as a second component without deviating from the scope of the present invention.

(19) It will be understood that when an element or layer is referred to as being “connected to” or “coupled to” another element or layer, it can be directly connected or coupled to the other element or layer or intervening elements or layers may be present. In contrast, when an element is referred to as being “directly connected to” or “directly coupled to” another element or layer, there are no intervening elements or layers present.

(20) Hereinafter, exemplary embodiments of the present invention will be described in greater detail with reference to the accompanying drawings. In describing the present invention, for ease of understanding, the same reference numerals are used to denote the same components throughout the drawings, and repetitive description of the same components will be omitted. Detailed description of well-known arts which are determined to make the gist of the invention unclear will be omitted. The accompanying drawings are provided merely to make the spirit of the invention readily understood, and should not be construed as limiting the invention. It should be understood that the spirit of the invention may be expanded to its modifications, replacements or equivalents in addition to what is shown in the drawings.

(21) In the drawings, user equipments (UEs) are shown for example. The UE may also be denoted a terminal or mobile equipment (ME). The UE may be a laptop computer, a mobile phone, a PDA, a smartphone, a multimedia device, or other portable device, or may be a stationary device such as a PC or a car mounted device.

(22) Definition of Terms

(23) UE or an MS is an abbreviation of User Equipment or a Mobile Station, and it refers to a terminal device.

(24) An EPS is an abbreviation of an Evolved Packet System, and it refers to a core network supporting a Long Term Evolution (LTE) network and to a network evolved from an UMTS.

(25) A PDN is an abbreviation of a Public Data Network, and it refers to an independent network where a server for providing a service is placed.

(26) A PDN-GW is an abbreviation of a Packet Data Network Gateway, and it refers to a network node of an EPS network which performs functions, such as the allocation of a UE IP address, packet screening & filtering, and the collection of charging data.

(27) A Serving gateway (Serving GW) is a network node of an EPS network which performs functions, such as mobility anchor, packet routing, idle mode packet buffering, and triggering an MME to page UE.

(28) An eNodeB is a base station of an Evolved Packet System (EPS) and is installed outdoors. The cell coverage of the eNodeB corresponds to a macro cell.

(29) An MME is an abbreviation of a Mobility Management Entity, and it functions to control each entity within an EPS in order to provide a session and mobility for UE.

(30) A session is a passage for data transmission, and a unit thereof may be a PDN, a bearer, or an IP flow unit. The units may be classified into a unit of the entire target network (i.e., an APN or PDN unit) as defined in 3GPP, a unit (i.e., a bearer unit) classified based on QoS within the entire target network, and a destination IP address unit.

(31) An Access Point Name (APN) is the name of an access point that is managed in a network and is provided to the UE. That is, an APN is a character string that denotes or identifies a PDN. A requested service or network (PDN) is accessed via a P-GW. An APN is a name (character string, e.g., ‘internet.mnc012.mcc345.gprs’) previously defined within a network so that the P-GW can be searched for.

(32) A PDN connection refers to a connection from UE to a PDN, that is, an association (or connection) between UE represented by an IP address and a PDN represented by an APN.

(33) UE context is information about the situation of UE which is used to manage the UE in a network, that is, situation information including a UE ID, mobility (e.g., a current location), and the attributes of a session (e.g., QoS and priority).

(34) A Non-Access-Stratum (NAS) is a higher stratum of a control plane between UE and an MME. The NAS supports mobility management and session management between UE and a network, IP address maintenance, and so on.

(35) PLMN: as an abbreviation of Public Land Mobile Network, means a network identification number of a mobile communication provider. In roaming case of the UE, the PLMN is classified into a home PLMN (HPLMN) and a visited PLMN (VPLMN).

(36) <Policy Information Delivered to UE>

(37) In a next generation mobile communication system, a policy control function (PCF) node may deliver policy information to a UE. The policy information may include the following information.

(38) 1) Routing Selection Policy: This information can be used to determine how the UE should route outgoing traffic. Traffic may be routed to an established Packet Data Unit (PDU) session, or may be routed to a non-3GPP access without going through the established PDU session. Or the traffic may trigger the establishment of a new PDU session. The following policy information can be used for routing selection.

(39) Session and Service Continuity Mode Selection (SSCMS): This information can be used by the UE to associate its application with the Session and Service Continuity (SSC) mode, and to determine the PDU sessions to which traffic should be routed. This information can also be used to determine when to create a new PDU session using the new SSC mode.

(40) Network Slice Selection (NSS): This information can be used by the UE to associate its application with the SM-NSSAI, and to determine the PDU sessions to which traffic should be routed. This information can also be used to determine when to create a new PDU session using the new SM-NSSAI.

(41) Data Network Name (DNN) Selection Information: This information may be used by the UE to associate its application with one or more DNNs, and may be used to determine the PDU sessions to which traffic should be routed. This information can also be used to determine when to create a new PDU session using the new DNN.

(42) Non-seamless Offload Policy: This information can be used to determine which traffic the UE should bypass to non-3GPP based access. If traffic is bypassed to non-3GPP based access, the sending and receiving of traffic may be temporarily interrupted.

(43) Access type preference: This information can be used to determine which access the UE should establish a PDU session through, or which traffic should be routed to 3GPP based access or non-3GPP based access.

(44) 2) Access network discovery & selection policy (hereinafter referred to as ANDSP): This information can be used by the UE to select non-3GPP based access (e.g., Wi-Fi access). This information can also be used to detect and select non-3GPP based access so that the UE can determine its use.

(45) The ANDSP may group several policies into one policy, for example, a UE Route Selection Policy (URSP). The URSP may include a list of URSP rules sorted according to priority. Each URSP rule may include the following components.

Traffic Filter: This filter can be used to inspect data traffic. This information may include other information than the application identifier. Traffic matched with the URSP's traffic filter may be referred to as “matched traffic”.

Non-seamless bypass: It indicates whether the bypass of the matched traffic to the non-3GPP access should be prohibited, preferred or allowed (i.e. not preferred but allowed).

Slice Info: This information may include the S-NSSAI required for matching traffic. In addition, the information may include several S-NSSAIs arranged in priority order when the matching traffic is delivered to a PDU session supporting one of several S-NSSAIs.

Continuity Type: This contains information about the SSC mode. In addition, this information may include several SSC modes arranged in priority order when the matching traffic is delivered to a PDU session supporting one of several SSC modes.

DNN: This information may include the DNN needed for matching traffic. In addition, the information may include several DNNs arranged in priority order when the matching traffic is delivered to a PDU session supporting one of several DNNs.

Access type: If the UE needs to establish a PDU session for matching traffic, this information may indicate the type of access for which the PDU session should be established (e.g., 3GPP based access or non-3GPP based access).

<Traffic Routing for Multi-Home UE>

(46) The next generation UE may have a plurality of network interfaces. Each network interface can have a separate IP address.

(47) FIG. 6 is an exemplary diagram illustrating a protocol stack of a UE having a plurality of network interfaces.

(48) As can be seen with reference to FIG. 6, the network interface may have a PDU session. In this case, the UE should decide how to route outbound traffic.

(49) However, there has been a problem in that no specific scheme for this routing decision has been presented.

(50) <Disclosures of the Present Invention>

(51) Meanwhile, according to the present disclosure, in the next generation mobile communication system, for a specific traffic transmitted by the UE, the network may perform an additional (i.e., secondary) authentication/authorization procedure. For example, when the UE transmits vehicle to vehicle (V2V) or vehicle to everything (V2X) traffic as a vehicle-mounted device, the network may perform additional authentication.

(52) FIG. 7 illustrates an example of performing additional authentication when specific traffic is detected according to the disclosure of the present specification.

(53) As can be seen with reference to FIG. 7, while the UE establishes PDU session #1, specific traffic is transmitted through the PDU session #1.

(54) Then, the user plane function (UPF) detects the traffic and then analyzes the traffic. Information about the detection of the specific traffic is notified to the SMF node. The notification may include information indicating a request for further authentication.

(55) Then, after confirming the subscriber information of the UE, the SMF node performs an additional authentication procedure.

(56) And the SMF node transmits a response message to the UPF node. If additional authentication of the UE fails, the response message may include information on additional authentication failure.

(57) As such, if additional authentication required for the transmission of specific traffic fails, resources in the network may be unnecessarily wasted. In addition, a malicious user who finds such a problem may cause network overload by excessively transmitting traffic requiring additional authentication.

(58) Accordingly, a first disclosure of the present specification is intended to propose a method for enabling a UE having a plurality of network interfaces to effectively determine which interface to send outbound traffic over. In particular, the disclosure herein proposes an effective way to consider SSC mode, slice information, and the like.

(59) A second disclosure of the present specification aims to propose a method for preventing a malicious user from excessively transmitting traffic requiring additional authentication.

(60) The disclosures or embodiments described below may be implemented alone, but a plurality thereof may be implemented in combination with each other.

(61) I. First Disclosure of the Present Specification

(62) FIG. 8 is an exemplary view conceptually illustrating a first disclosure of the present specification.

(63) As can be seen with reference to FIG. 8, upon receiving traffic from the application layer, the IP routing layer determines whether to apply the rule according to the routing rule. The IP routing layer forwards the traffic to a network interface that already has a mapping relationship according to each routing rule. Meanwhile, when there is a PDU session or traffic flow to be newly created according to the routing rule, the IP routing layer creates a new mapping relationship to the corresponding network interface, sets a corresponding buffer, and then transmits the traffic.

(64) The policies and components included in each routing rule are as follows.

(65) A. URSP for Multiple PDU Sessions to the Same DNN

(66) Individual PDU Policy: This policy is used to determine when the UE should request each PDU session to the same DNN. This policy can also be used to determine when to request PDU sessions to the same DNN using different access types. This policy can be added as a component named “Individual PDU” as shown below.

(67) Individual PDU: This indicates whether an individual PDU session toward the same DNN should be established for the matching traffic, or establishment of an individual PDU session is not permitted.

(68) TABLE 2

URSP rule:
Traffic filter: App = App1, App2
Individual PDU: shall
Slice Info: S-NSSAI-a
DNNs: Internet
Access Type: 3GPP Access

Description: This URSP rule associates the traffic of applications “App1” and “App2” with S-NSSAI-a. It enforces the following routing policy: The traffic of application App1 and the traffic of application App2 should be transferred on each PDU session supporting S-NSSAI-a. If the PDU session for each traffic filter is not established, the UE shall attempt to establish each PDU session (i.e. one for App1, and another for App2) over Access Type = 3GPP access.

(69) B. URSP for Multi-Home PDU Sessions

(70) Multi-Home PDU Policy: This policy may be used by the UE to associate its applications with the existing PDU session. In addition, this policy can be used to determine the IP address that the UE should use for specific traffic among the various IP addresses assigned for the PDU session. This policy can be added as a component named “multi-home” as shown below.

(71) Multi-Home: This indicates whether matching traffic should be established with a multi-home PDU session. It may also indicate a traffic filter of associated traffic.

(72) TABLE 3

URSP rule:
Traffic Filter: App = App1
Multi-Home: YES, Traffic filter (App = App2)
Slice Information: S-NSSAI-a
DNNs: Internet
Access Type: 3GPP access
Continuity Type: SSC Mode 1

Description: This URSP rule associates the traffic of application “App1” with S-NSSAI-a, SSC Mode 1 and the “internet” DNN. In addition, it associates the traffic of application “App2” with a multi-homed PDU session. It enforces the following routing policy: The traffic of application “App1” should be transferred on a multi-homed PDU session supporting S-NSSAI-a, SSC Mode 1 and DNN = internet using the first IP address of this PDU session. The traffic of application “App2” should be transferred on a multi-homed PDU session supporting S-NSSAI-a, SSC Mode 1 and DNN = internet using the second IP address of this PDU session. If the first prefix traffic of this PDU session is not established, the UE shall attempt to establish the PDU session over Access Type = 3GPP access.

(73) Meanwhile, priorities may be determined between components as follows.

(74) Each URSP rule may include a traffic filter and a plurality of components arranged according to priority.

(75) TABLE 4

URSP rule (first example):
Traffic Filter: App = DummyApp
Direct Bypass: Permitted (WLAN SSID-a)
Continuity Type: SSC Mode 3

Description: This URSP rule associates the traffic of application “DummyApp” with SSC Mode 3. It enforces the following routing policy: The traffic of application “DummyApp” should be transferred on a PDU session supporting SSC Mode 3. If this PDU session is not established, the traffic can be directly offloaded if the UE is connected to WLAN with SSID-a. If direct offload is not possible, the UE shall attempt to establish the PDU session over any access type.

URSP rule (second example):
Traffic Filter: App = DummyApp
Continuity Type: SSC Mode 3
Direct Bypass: Permitted (WLAN SSID-a)

Description: This URSP rule associates the traffic of application “DummyApp” with SSC Mode 3. It enforces the following routing policy: The traffic of application “DummyApp” should be transferred on a PDU session supporting SSC Mode 3. If this PDU session is not established, the UE shall attempt to establish the PDU session over any access type. If the PDU session cannot be established, the traffic can be directly offloaded if the UE is connected to WLAN with SSID-a.
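The effect of component order in Table 4 can be shown with a small evaluator. This is an added example, not code from the patent; the class names, the `route` function, the `network_accepts` flag and the dictionary representation of a PDU session are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Components that describe the PDU session itself (assumed key names).
SESSION_KEYS = ("continuity_type", "slice_info", "dnn", "access_type")


@dataclass
class UeState:
    sessions: list = field(default_factory=list)  # established PDU sessions (dicts)
    wlan_ssid: Optional[str] = None               # WLAN the UE is attached to, if any
    network_accepts: bool = True                  # assumed: can a new session be set up?


@dataclass
class UrspRule:
    apps: set
    components: list  # ordered (name, value) pairs, highest priority first


def route(rule, app, ue):
    """Return (decision, detail) for one application's outbound traffic."""
    if app not in rule.apps:
        return ("no-match", None)
    wanted = {k: v for k, v in rule.components if k in SESSION_KEYS}
    # An already established PDU session that supports the rule is used first.
    for session in ue.sessions:
        if all(session.get(k) == v for k, v in wanted.items()):
            return ("existing-session", session)
    # Otherwise the fallbacks are tried in the order the components are listed.
    tried_establish = False
    for name, value in rule.components:
        if name == "direct_bypass":
            if ue.wlan_ssid == value:
                return ("offload", value)
        elif name in SESSION_KEYS and not tried_establish:
            tried_establish = True
            if ue.network_accepts:
                new_session = dict(wanted)
                ue.sessions.append(new_session)
                return ("establish", new_session)
    return ("blocked", None)


def table4_rules():
    """The two rules of Table 4: same components, different priority order."""
    bypass_first = UrspRule({"DummyApp"}, [("direct_bypass", "SSID-a"),
                                           ("continuity_type", "SSC Mode 3")])
    session_first = UrspRule({"DummyApp"}, [("continuity_type", "SSC Mode 3"),
                                            ("direct_bypass", "SSID-a")])
    return bypass_first, session_first


if __name__ == "__main__":
    first, second = table4_rules()
    print(route(first, "DummyApp", UeState(wlan_ssid="SSID-a")))
    print(route(second, "DummyApp", UeState(wlan_ssid="SSID-a")))
```
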

(76) Meanwhile, in addition to the SSCMSP, NSSP, DNN selection policy, and non-seamless bypass policy as described above, the routing selection policy among the policy information delivered to the UE may additionally include newly proposed individual PDU policy and multi-home PDU policy according to the disclosure of the present specification.

(77) Similarly, among the policy information delivered to the UE, the ANDSF may additionally include a newly proposed individual PDU policy and a multi-home PDU policy in addition to the traffic filter, seamless bypass, slice information, continuity type, DNN, and access type as described above.

(78) II. Second Disclosure of the Present Specification

(79) As mentioned above, the second disclosure of this specification proposes measures to prevent a malicious user from excessively transmitting traffic requiring additional authentication.

(80) FIG. 9 is a signal flow diagram according to a first scheme of the second disclosure of the present specification.

(81) According to the first scheme of the second disclosure, when additional authentication fails, the SMF node may request the UPF node to delete the traffic and transmit a trigger message for establishing a PDU session, which includes a request for additional authentication, to the UE. The details are described below with reference to FIG. 9.

(82) 1-2) The UE transmits specific traffic through the PDU session #1 in a state that the PDU session #1 has been established.

(83) 3-6) Then, after detecting the traffic, the UPF node analyzes whether the traffic is traffic requiring additional authentication. More specifically, the UPF node analyzes whether the corresponding traffic is traffic requiring additional authentication, based on preset information or policy information provided from the PCF/SMF node. The UPF node then notifies the SMF node of the detection of the specific traffic. The notification may include information indicating a request for further authentication. Then, after confirming the subscriber information of the UE, the SMF node performs an additional authentication procedure. If the additional authentication fails, the SMF node may instruct the UPF node to discard the corresponding traffic.

(84) Alternatively, the UPF node may immediately discard the traffic as soon as it detects the traffic requiring further authentication.

(85) Alternatively, when the UPF node detects traffic, the UPF node may transmit a notification including information on the type of the traffic to the SMF node. The SMF node may determine whether additional authentication is required based on the information on the traffic type included in the notification. If additional authentication is required, after performing additional authentication, the discarding instruction or buffering instruction of the corresponding traffic may be transmitted to the UPF node according to the execution result.

(86) 5) The SMF node checks the subscriber information and the completion record for the additional authentication, and decides whether to request the establishment of a new PDU session to the UE.

(87) 7) The SMF node requests an Access and Mobility Management Function (AMF) node to send a message for triggering the establishment of a new PDU session, to the UE.

(88) 8) The AMF node sends a message to trigger an establishment of a new PDU session to the UE. The message may include information indicating that an additional authentication/authorization procedure is required for specific traffic.

(89) 9) The UE stops transmitting the corresponding traffic through the PDU session #1. The UE also updates routing rules related to the transmission of the traffic. That is, the routing rule is updated so that specific traffic is sent through a new PDU session #2.

(90) 10) The UE sends an establishment request message to the SMF node in order to establish a new PDU session #2. The PDU session establishment request message may include information necessary for additional authentication.

(91) 11-13) The SMF node performs an additional authentication procedure. If the additional authentication procedure is successful, the SMF node and the UPF node record information about the success of the authentication procedure. In addition, the SMF node transmits a message indicating that the establishment of the PDU session #2 is accepted, to the UE.

(92) 14) Then, the UE transmits specific traffic through the established PDU session #2.
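The first scheme (FIG. 9) can be traced with a small simulation of the UPF and SMF roles, which also shows why a flood of unauthenticated traffic does not translate into repeated authentication work. This is an added example, not code from the patent. The class and function names, the UE identifiers, the shared-secret comparison standing in for the secondary authentication, and the choice that the UPF notifies the SMF only once per flow are assumptions.

```python
import hmac
from dataclasses import dataclass, field

AUTH_REQUIRED = {"V2X"}  # assumed policy: traffic types needing secondary authentication


@dataclass
class Upf:
    discard_rules: set = field(default_factory=set)  # (ue, session, type) to drop
    authorized: set = field(default_factory=set)     # (ue, session, type) allowed
    forwarded: int = 0
    dropped: int = 0

    def on_packet(self, smf, ue, session, ttype):
        key = (ue, session, ttype)
        if ttype not in AUTH_REQUIRED or key in self.authorized:
            self.forwarded += 1
            return "forwarded"
        if key not in self.discard_rules:
            # Steps 3-4: detect the traffic and notify the SMF (once per flow here).
            smf.on_notification(self, ue, session, ttype)
        self.dropped += 1
        return "discarded"


@dataclass
class Smf:
    subscriptions: dict  # ue -> traffic types permitted after secondary authentication
    secrets: dict        # ue -> credential; constructed stand-in for the real check
    completed: set = field(default_factory=set)   # record of successful authentications
    triggers: list = field(default_factory=list)  # trigger messages handed to the AMF
    auth_runs: int = 0

    def on_notification(self, upf, ue, session, ttype):
        upf.discard_rules.add((ue, session, ttype))         # discard request to the UPF
        if ttype not in self.subscriptions.get(ue, set()):  # step 5: subscription check
            return "discard-only"
        self.triggers.append((ue, ttype))                   # step 7: trigger via the AMF
        return "trigger-new-session"

    def on_establishment_request(self, upf, ue, session, ttype, credential):
        if ttype not in self.subscriptions.get(ue, set()):
            return "reject"
        self.auth_runs += 1                                 # steps 11-13
        expected = self.secrets.get(ue)
        if expected is None or not hmac.compare_digest(expected.encode(),
                                                       credential.encode()):
            return "reject"
        self.completed.add((ue, ttype))                     # success is recorded
        upf.authorized.add((ue, session, ttype))
        return "accept"


def new_core():
    # Constructed subscriber data: only "ue-car" is subscribed for V2X traffic.
    return Upf(), Smf({"ue-car": {"V2X"}}, {"ue-car": "constructed-secret"})


def run_flood(packets=1000):
    """An unsubscribed UE floods V2X traffic on PDU session #1."""
    upf, smf = new_core()
    for _ in range(packets):
        upf.on_packet(smf, "ue-flood", 1, "V2X")
    return upf.dropped, upf.forwarded, len(smf.triggers), smf.auth_runs


def run_legitimate():
    """A subscribed UE follows steps 1-14 of the first scheme."""
    upf, smf = new_core()
    first = upf.on_packet(smf, "ue-car", 1, "V2X")          # steps 1-6
    answer = smf.on_establishment_request(upf, "ue-car", 2, "V2X",
                                          "constructed-secret")
    second = upf.on_packet(smf, "ue-car", 2, "V2X")         # step 14
    old_session = upf.on_packet(smf, "ue-car", 1, "V2X")    # session #1 stays blocked
    return first, answer, second, old_session, len(smf.triggers), smf.auth_runs


if __name__ == "__main__":
    print(run_flood())
    print(run_legitimate())
```
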

(93) FIG. 10 is a signal flow diagram according to a second scheme of the second disclosure of the present specification.

(94) According to a second scheme of the second disclosure, if a data network (DN) or application function (AF) node detects traffic, it notifies the PCF node, and the PCF node forwards a notification to the SMF node, to thereby allow an additional authentication procedure to be performed. Specifically, it is as follows.

(95) 1-2) The UE transmits specific traffic through the PDU session #1 in a state that the PDU session #1 has been established.

(96) 3-6) Then, the data network (DN) or application function (AF) node detects the traffic and then analyzes whether the traffic is traffic requiring further authentication. More specifically, the data network (DN) or application function (AF) node analyzes whether the corresponding traffic is traffic requiring additional authentication, based on preset information or policy information provided from the PCF node. The notification message for detecting the specific traffic is directly transmitted to the PCF node or transmitted to the PCF node through a network exposure function (NEF). The notification may include information indicating a request for further authentication. The PCF node forwards the notification to the SMF node. The PCF node then sends a response message to the notification to the data network (DN) or application function (AF) node.

(97) 6-7) The SMF node sends a response message to the PCF node. After checking the subscriber information of the UE, the SMF node determines whether establishment of a new PDU session is required for an additional authentication procedure.

(98) 8) The SMF node interacts with the UPF node to set the user plane UP. At this time, since the establishment of a new PDU session has not yet been completed for the additional authentication procedure for a specific traffic, the SMF node may instruct the UPF node to discard the traffic.

(99) 9) The SMF node requests the AMF node to send a message for triggering the establishment of a new PDU session, to the UE. The AMF node sends a message for triggering an establishment of a new PDU session, to the UE. The message may include information indicating that an additional authentication/authorization procedure is required for specific traffic.

(100) 10) The UE stops transmitting the corresponding traffic through the PDU session #1. The UE also updates routing rules related to the transmission of the traffic. That is, the routing rule is updated so that specific traffic is sent through a new PDU session #2.

(101) 11) The UE sends an establishment request message to the SMF node in order to establish a new PDU session #2. The PDU session establishment request message may include information necessary for additional authentication.

(102) 12-14) The SMF node delivers the information necessary for additional authentication and performs an authentication/authorization procedure. If the additional authentication procedure is successful, the SMF node records information about the success of the authentication procedure. In addition, the SMF node transmits to the UE a message indicating that the establishment of the PDU session #2 is accepted.

(103) 14-15) Then, the UE transmits specific traffic through the established PDU session #2.
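The SMF-side handling in steps 6 to 14 above can be modelled as a small state machine. The following Python is an added illustration, not code from the specification; the class, message strings, and the byte-string comparison standing in for the authentication/authorization procedure are assumptions, as is rejecting a request for traffic that was never flagged.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Smf:
    needs_new_session: dict  # constructed subscriber data: UE id -> bool
    expected_auth: dict      # constructed stand-in for the authentication server
    sent: list = field(default_factory=list)          # (peer, message) log
    pending: set = field(default_factory=set)         # (ue, flow) awaiting session #2
    authenticated: set = field(default_factory=set)   # recorded successes

    def on_notification(self, ue, flow, auth_requested):
        """Steps 6-9: handle the notification forwarded by the PCF node."""
        self.sent.append(("PCF", "notification-response"))
        # Step 7: subscriber information decides whether a new session is needed.
        if not auth_requested or not self.needs_new_session.get(ue, False):
            return False
        # Step 8: PDU session #2 does not exist yet, so the UPF discards the flow.
        self.sent.append(("UPF", f"discard:{flow}"))
        # Step 9: the AMF is asked to trigger the UE.
        self.sent.append(("AMF", f"trigger-new-pdu-session:{flow}"))
        self.pending.add((ue, flow))
        return True

    def on_establishment_request(self, ue, flow, auth_info):
        """Steps 11-14: additional authentication, then accept or reject."""
        if (ue, flow) not in self.pending:
            return "reject"  # assumption: unsolicited requests are refused
        expected = self.expected_auth.get(ue, b"")
        if not expected or not hmac.compare_digest(expected, auth_info):
            return "reject"  # flow stays pending; the discard rule remains
        self.pending.discard((ue, flow))
        self.authenticated.add((ue, flow))  # success is recorded
        self.sent.append(("UE", "pdu-session-2-accept"))
        return "accept"
```

A failed authentication leaves the flow in `pending`, so the discard instruction sent to the UPF in step 8 is never lifted for that traffic.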

(104) FIG. 11 is a signal flow diagram according to a third scheme of the second disclosure of the present specification.

(105) According to the third scheme of the second disclosure, when the data network (DN) or application function (AF) node detects traffic, it sends a trigger request to the network exposure function (NEF) node. The trigger request causes the application of the UE to stop sending traffic and to request the creation of a new PDU session for further authentication.

(106) 1-2) The UE transmits specific traffic through the PDU session #1 while the PDU session #1 is established.

(107) 3) Then, the data network (DN) or application function (AF) node detects the traffic and then analyzes whether the traffic is traffic requiring further authentication. More specifically, the data network (DN) or application function (AF) node analyzes whether the corresponding traffic is traffic requiring additional authentication, based on preset information or policy information provided from the PCF node.

(108) 4) The data network (DN) or application function (AF) node sends an application trigger request message to the NEF node when the additional authentication is required. The trigger request message may implicitly or directly include information indicating that additional authentication is required for the traffic.

(109) 5) The NEF node confirms subscriber information. To this end, the NEF node performs interaction with the UDM.

(110) 6) The NEF node sends an application trigger request message to the AMF node. In this case, the message may implicitly or directly include information indicating that the additional authentication is required for the traffic.

(111) 7) The AMF node sends an application trigger request message to the UE. In this case, the message may implicitly or directly include information indicating that the additional authentication is required for the traffic.

(112) 8) The UE stops transmitting the corresponding traffic through the PDU session #1. The UE also updates routing rules related to the transmission of the traffic. That is, the routing rule is updated so that specific traffic is sent through a new PDU session #2.

(113) 9-11) The UE sends an application trigger response message to the data network (DN) or application function (AF) node via an AMF node and an NEF node.

(114) 12) The UE sends an establishment request message to the SMF node in order to establish a new PDU session #2. The PDU session establishment request message may include information necessary for additional authentication.

(115) 13-14) The SMF node delivers the information necessary for additional authentication and performs an authentication/authorization procedure. If the additional authentication procedure is successful, the SMF node records information about the success of the authentication procedure. In addition, the SMF node transmits to the UE a message indicating that the establishment of the PDU session #2 is accepted.

(116) 15) Then, the UE transmits specific traffic through the established PDU session #2.
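The UE-side behavior in steps 7 to 15 above amounts to re-pointing a routing rule at a session that is not yet usable. The following Python is an added illustration, not code from the specification; the class, method names and message strings are hypothetical, and keeping the traffic blocked after a rejected establishment is an assumption.

```python
class Ue:
    """UE-side view of steps 7-15 of the third scheme (illustrative names)."""

    def __init__(self):
        self.sessions = {1}   # PDU session #1 is already established
        self.routes = {}      # flow -> PDU session id (default: session #1)
        self.outbox = []      # control messages emitted by the UE, in order

    def on_trigger(self, flow, new_session=2):
        """Steps 7-12: react to the application trigger request from the AMF."""
        # Step 8: stop using session #1 for this flow by binding its routing
        # rule to a session that does not exist yet.
        self.routes[flow] = new_session
        # Steps 9-11: the response travels back to the DN/AF via AMF and NEF.
        self.outbox.append("application-trigger-response")
        # Step 12: request the new session, carrying the authentication info.
        self.outbox.append(f"pdu-session-establishment-request:{new_session}")

    def on_establishment_result(self, session, accepted):
        """Steps 13-14: only an accept makes the new session usable."""
        if accepted:
            self.sessions.add(session)

    def send(self, flow):
        """Return the session id the flow uses, or None while it is held."""
        session = self.routes.get(flow, 1)
        if session not in self.sessions:
            return None       # never falls back to PDU session #1
        return session        # step 15 once session #2 is established
```

Only the flagged flow is held; traffic with no updated routing rule continues on PDU session #1.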

(117) What has been described so far can be implemented in hardware. This will be described with reference to the drawings.

(118) FIG. 12 is a configuration block diagram of a UE and a network node according to an embodiment of the present invention.

(119) As shown in FIG. 12, the UE 100 includes a storage unit 101, a controller 102, and a transmission/reception unit 103. The network node may be any one of AMF, SMF, NEF, and AF. The network node includes a storage unit 511, a controller 512, and a transmission/reception unit 513.

(120) The storage means stores the above-described method.

(121) The controllers control the storage means and the transmission/reception units. Specifically, the controllers each execute the methods stored in the storage means, and transmit the above-described signals through the transmission/reception units.

(122) While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, can be modified, changed, or improved in various forms within the idea of the present invention and the scope of claims.