
CN117354868A - Private network system, private network data processing method, private network access method and device - Google Patents

Info

Publication number
CN117354868A
Authority
CN
China
Prior art keywords
data
base station
private network
equipment
authentication
Prior art date
Legal status
Pending
Application number
CN202311482136.6A
Other languages
Chinese (zh)
Inventor
梁健
付明超
张丁
刘瑜亮
蒋海群
李晓波
方雨
刘士卿
洪建军
欧佳佳
董倩莹
谢玉芬
刘震
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W28/00: Network traffic management; Network resource management
    • H04W28/02: Traffic management, e.g. flow control or congestion control
    • H04W28/08: Load balancing or load distribution
    • H04W28/09: Management thereof
    • H04W28/0925: Management thereof using policies
    • H04W28/0942: Management thereof using policies based on measured or predicted load of entities- or links
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W40/00: Communication routing or communication path finding
    • H04W40/02: Communication route or path selection, e.g. power-based or shortest path routing
    • H04W40/22: Communication route or path selection, e.g. power-based or shortest path routing using selective relaying for reaching a BTS [Base Transceiver Station] or an access point
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/70: Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This application provides a private network system, a private network data processing method, a private network access method and a device. It relates to the field of communication technology and is intended to improve the flexibility and security of private network data transmission. The system includes base station equipment, core network equipment, an edge node and relay equipment. The base station equipment is communicatively connected to the edge node; the edge node is communicatively connected to the relay equipment; the core network equipment is communicatively connected to the base station equipment; and the core network equipment is communicatively connected to the relay equipment. The base station equipment is configured to receive data sent by a terminal device and to determine the computing resources the data requires; the edge node is configured to receive the data sent by the base station equipment and process it to obtain processed data; the core network equipment is configured to receive the data sent by the base station equipment and process it to obtain processed data; and the relay equipment is configured to transmit the processed data to a data center.

Description

Private network system, private network data processing method, private network access method and device

Technical field

The present application relates to the field of communication technology, and in particular to a private network system, a private network data processing method, a private network access method and a device.

Background

As application scenarios for fifth generation mobile networks (5G) private networks become ever more widespread, fields such as smart factories, smart cities, smart healthcare, smart cultural tourism and mobile office will all benefit from the development of 5G private networks.

As for private network data processing, when the volume of private network data is large and the 5G private network cannot process it, the related technology needs to switch from the private network to the public network for processing. During the switch, however, data transmission may be interrupted or intercepted, which poses a security risk. In addition, when switching, the user needs to re-establish the connection, which may reduce the flexibility of the service.

In summary, the 5G private network provided by the related technology has certain flexibility and security problems in its configuration and use.

Summary of the invention

This application provides a private network system, a private network data processing method, a private network access method and a device, for improving the flexibility and security of private network data transmission.

In a first aspect, this application provides a private network system comprising base station equipment, core network equipment, an edge node and relay equipment. The base station equipment is communicatively connected to the edge node; the edge node is communicatively connected to the relay equipment; the core network equipment is communicatively connected to the base station equipment; and the core network equipment is communicatively connected to the relay equipment. The base station equipment is configured to receive data sent by a terminal device and to determine the computing resources the data requires; when the computing resources required by the data exceed a preset threshold, it sends the data to the edge node; when the computing resources required by the data are less than or equal to the preset threshold, it sends the data to the core network equipment. The edge node is configured to receive the data sent by the base station equipment and process it to obtain processed data. The core network equipment is configured to receive the data sent by the base station equipment and process it to obtain processed data. The relay equipment is configured to transmit the processed data to a data center.

The private network system provided by the embodiments of this application has at least the following beneficial effects. This application provides a private network system built from base station equipment, core network equipment, an edge node and relay equipment. During data transmission in this private network system, the transmission path can be selected automatically according to the amount of computing resources the data requires: for example, when the computing resources required by the data exceed a preset threshold, the data is transmitted through the edge node; when the computing resources required by the data are less than or equal to the preset threshold, the data is transmitted through the core network equipment. In other words, the private network system provided by this application can dynamically decide, based on the computing resources the data requires, whether to send the data to the edge node or to the core network equipment, and so make more effective use of network resources. Secondly, when the computing resources required by the data exceed the preset threshold the data is sent to the edge node, which reduces the burden on the core network equipment, optimizes the use of computing resources and removes the need to switch between the public and private networks; this provides greater flexibility and improves the user experience. Furthermore, because the edge node has stronger security protection capabilities, the security of the data can be better protected.

As one possible implementation, the relay equipment is further configured to amplify the signal carrying the data.

As one possible implementation, the relay equipment is specifically configured to transmit the processed data to the data center over the 5G public network.

As one possible implementation, the relay equipment is specifically configured to transmit the processed data to the data center via satellite.

In a second aspect, this application provides a private network data processing method applied to the private network system of the first aspect. The method includes: the base station equipment receives data sent by a terminal device and determines the computing resources the data requires; when the computing resources required by the data exceed a preset threshold, the base station equipment sends the data to the edge node so that the edge node processes the data and obtains processed data; when the computing resources required by the data are less than or equal to the preset threshold, the base station equipment sends the data to the core network equipment so that the core network equipment processes the data and obtains processed data.

The technical solution provided by the embodiments of this application has at least the following beneficial effects. This application first receives, through the base station equipment, the data sent by a terminal device and determines the computing resources the data requires; then, when the computing resources required by the data exceed the preset threshold, the base station equipment sends the data to the edge node so that the edge node processes it and obtains processed data; when the computing resources required by the data are less than or equal to the preset threshold, the base station equipment sends the data to the core network equipment so that the core network equipment processes it and obtains processed data. In other words, the private network data processing method provided by this application can dynamically decide, based on the computing resources the data requires, whether to send the data to the edge node or to the core network equipment, and so make more effective use of network resources. Secondly, when the computing resources required by the data exceed the preset threshold the data is sent to the edge node, which reduces the burden on the core network equipment, optimizes the use of computing resources and removes the need to switch between the public and private networks; this provides greater flexibility and improves the user experience. Furthermore, because the edge node has stronger security protection capabilities, the security of the data can be better protected.

In a third aspect, this application provides a private network access method applied to the private network system of the first aspect. The method includes: the base station equipment receives an access authentication request sent by a terminal device and performs access authentication based on the access authentication request, where the access authentication includes at least one of the following: primary authentication, secondary authentication and end-to-end authentication.

The technical solution provided by the embodiments of this application has at least the following beneficial effects. By having the base station equipment receive the access authentication request sent by the terminal device and perform access authentication based on that request, this application can ensure that only authenticated users can use network services and prevent unauthorized terminal devices from accessing the network, which reduces network security risks and improves network security.

In a fourth aspect, this application provides a private network data processing apparatus applied to base station equipment. The apparatus includes: a determination module, configured to receive data sent by a terminal device and determine the computing resources the data requires; and a sending module, configured to send the data to the edge node when the computing resources required by the data exceed a preset threshold, so that the edge node processes the data and obtains processed data. The sending module is further configured to send the data to the core network equipment when the computing resources required by the data are less than or equal to the preset threshold, so that the core network equipment processes the data and obtains processed data.

In a fifth aspect, this application provides a private network access apparatus applied to base station equipment. The apparatus includes an authentication module configured to receive an access authentication request sent by a terminal device and perform access authentication based on the access authentication request, where the access authentication includes at least one of the following: primary authentication, secondary authentication and end-to-end authentication.
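The following is an added simulation of the behaviour claimed in the first to third aspects (threshold-based routing between edge node and core network, access authentication at the base station, relay to the data center); it is example code written for this page, not code from the patent or its assignee. The class and field names, the numeric threshold and the "compute units" estimate, the subset semantics of the authentication policy and the relay transport names are all assumptions made for illustration, since the patent gives no units, formats or protocol details.

```python
"""Routing and access-control behaviour of the private network system described
in the first to third aspects of CN117354868A, as a small simulation.

Added example, not code from the patent or from its assignee. Everything
concrete here is an assumption made for illustration: the class and field
names, the numeric threshold and the "compute units" estimate, the set
semantics of the authentication policy, and the relay transport names. The
patent itself states only a preset threshold, three authentication types and
two relay transports (5G public network, satellite), with no units or formats.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical preset threshold in abstract "compute units".
COMPUTE_THRESHOLD = 100

# The three access authentication types the third aspect lists.
AUTH_TYPES = frozenset({"primary", "secondary", "end_to_end"})

# The two relay transports given as possible implementations.
RELAY_TRANSPORTS = ("5g_public_network", "satellite")


@dataclass
class Terminal:
    terminal_id: str
    # Authentication types this terminal has completed (constructed state;
    # the real authentication exchanges are out of scope of this example).
    completed_auth: Set[str] = field(default_factory=set)


@dataclass
class Trace:
    """Hops the data took, plus the reason if the base station refused it."""
    path: List[str] = field(default_factory=list)
    rejected: Optional[str] = None


class PrivateNetwork:
    """Base station + core network + edge node + relay device in one object."""

    def __init__(self, threshold: int = COMPUTE_THRESHOLD,
                 required_auth: Set[str] = frozenset({"primary"}),
                 relay_transport: str = "5g_public_network"):
        # "at least one of" primary / secondary / end-to-end: the policy must
        # name a non-empty subset of the three known types.
        if not required_auth or not set(required_auth) <= AUTH_TYPES:
            raise ValueError("required_auth must be a non-empty subset of %s"
                             % sorted(AUTH_TYPES))
        if relay_transport not in RELAY_TRANSPORTS:
            raise ValueError("relay transport must be one of %s"
                             % list(RELAY_TRANSPORTS))
        self.threshold = threshold
        self.required_auth = set(required_auth)
        self.relay_transport = relay_transport

    # ---- third aspect: access authentication at the base station ----------
    def authenticate(self, terminal: Terminal) -> bool:
        """Admit the terminal only if every required type has been completed
        (assumed semantics; the patent does not define how the types combine)."""
        return self.required_auth <= terminal.completed_auth

    # ---- second aspect: choose the path by required compute ---------------
    def route(self, compute_units: int) -> str:
        """Strictly greater than the threshold goes to the edge node; equal or
        below goes to the core network (the boundary the patent specifies)."""
        if compute_units < 0:
            raise ValueError("compute estimate cannot be negative")
        return "edge_node" if compute_units > self.threshold else "core_network"

    # ---- first aspect: the whole data path -------------------------------
    def handle(self, terminal: Terminal, compute_units: int) -> Trace:
        """Terminal -> base station -> (edge node | core network) -> relay ->
        data center, refusing unauthenticated terminals at the base station."""
        trace = Trace(path=["terminal:" + terminal.terminal_id, "base_station"])
        if not self.authenticate(terminal):
            trace.rejected = "access authentication failed"
            return trace
        trace.path.append(self.route(compute_units))
        trace.path.append("relay_device:" + self.relay_transport)
        trace.path.append("data_center")
        return trace


if __name__ == "__main__":
    net = PrivateNetwork(required_auth={"primary", "secondary"})
    ok = Terminal("t1", {"primary", "secondary"})
    print(net.handle(ok, 250).path)   # heavy job: edge node
    print(net.handle(ok, 100).path)   # exactly at threshold: core network
    print(net.handle(Terminal("t2", {"primary"}), 10).rejected)
```

The value exactly at the threshold goes to the core network, which is the boundary a reviewer of the claim language ("greater than" versus "less than or equal to") would want to see exercised.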

In a sixth aspect, this application provides an electronic device including a processor and a memory, the processor being coupled to the memory. The memory is configured to store computer instructions which, when loaded and executed by the processor, cause the computer device to implement the method of either the second aspect or the third aspect.

In a seventh aspect, this application provides a computer-readable storage medium containing computer-executable instructions which, when run on a computer, cause the computer to perform the method of either the second aspect or the third aspect.

For the description of the fourth to seventh aspects of this application, reference may be made to the detailed description of the first to third aspects; likewise, for the beneficial effects of the fourth to seventh aspects, reference may be made to the analysis of the beneficial effects of the first to third aspects, which is not repeated here.

Description of the drawings

Figure 1 is a schematic diagram of a private network system architecture according to some embodiments;

Figure 2 is a first schematic diagram of a private network data transmission architecture according to some embodiments;

Figure 3 is a second schematic diagram of a private network data transmission architecture according to some embodiments;

Figure 4 is a flow chart of private network data processing according to some embodiments;

Figure 5 is a flow chart of a private network access method according to some embodiments;

Figure 6 is a schematic diagram of a security authentication architecture according to some embodiments;

Figure 7 is a schematic diagram of a primary authentication security architecture according to some embodiments;

Figure 8 is a schematic diagram of 3GPP access and non-3GPP access forms according to some embodiments;

Figure 9 is a schematic diagram of a secondary authentication architecture according to some embodiments;

Figure 10 is a first schematic diagram of an end-to-end authentication scenario according to some embodiments;

Figure 11 is a second schematic diagram of an end-to-end authentication scenario according to some embodiments;

Figure 12 is a third schematic diagram of an end-to-end authentication scenario according to some embodiments;

Figure 13 is a fourth schematic diagram of an end-to-end authentication scenario according to some embodiments;

Figure 14 is a schematic structural diagram of a private network data processing apparatus according to some embodiments;

Figure 15 is a schematic structural diagram of a private network access apparatus according to some embodiments;

Figure 16 is a schematic structural diagram of private network data processing and private network access according to some embodiments.

Detailed description

A private network system provided by this application is described in detail below with reference to the accompanying drawings.

The term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone.

The terms "first" and "second" in the description and drawings of this application are used to distinguish different objects, or to distinguish different processing of the same object, rather than to describe a particular order of objects.

Furthermore, the terms "including" and "having" and any variants of them in the description of this application are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the steps or units listed, but may optionally also include other steps or units that are not listed, or may optionally also include other steps or units inherent to such a process, method, product or device.

It should be noted that in the embodiments of this application, words such as "exemplary" or "for example" are used to denote an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application is not to be construed as being preferred over, or more advantageous than, other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the relevant concepts in a concrete manner.

In the description of this application, unless otherwise stated, "a plurality of" means two or more.

As stated in the background, as application scenarios for 5G private networks become ever more widespread, fields such as smart factories, smart cities, smart healthcare, smart cultural tourism and mobile office will all benefit from the development of 5G private networks. Against this backdrop, the related technology provides comprehensive 5G private network solutions for the needs of different scenarios.

In some embodiments, users can switch seamlessly between the public network and the private network without changing their mobile phone number or subscriber identity module (SIM). At the same time, China Unicom's 5G private network also provides access to internal and external networks without a virtual private network (VPN), enabling wide-area roaming access. In terms of data security, the 5G private network uses local traffic offloading at the user plane function (UPF) to ensure that enterprise intranet traffic does not traverse the Internet, thereby ensuring data security and reliability. In addition, the 5G private network provides coordinated management of human-user and Internet-of-Things services, enabling more efficient and intelligent management. The 5G private network also offers services such as centralized operation and maintenance, timely response and 24-hour on-site repair, giving enterprises more comprehensive and professional service support.

Existing research on 5G private network architecture mainly concerns the configuration of the private network. For example, a 5G private network configuration apparatus first obtains the network performance requirements that multiple terminal devices in a target area place on the 5G private network, thereby determining the number of base stations to be built in the target area, and then determines the configuration information of the base stations to be built according to those network performance requirements. It can be seen that existing research on 5G private network architecture stops at the configuration of the private network and lacks holistic research and innovation.

As for private network data processing, when the volume of private network data is large and the 5G private network cannot process it, the related technology needs to switch from the private network to the public network for processing. During the switch, however, data transmission may be interrupted or intercepted, which poses a security risk. In addition, during the switch, the user needs to re-establish the connection, which may reduce the flexibility of the service.

In summary, the 5G private network provided by the related technology has certain flexibility and security problems in its configuration and use.

To address the above technical problems, embodiments of this application provide a private network system, specifically a private network system built from base station equipment, core network equipment, an edge node and relay equipment. During data transmission in this private network system, the transmission path can be selected automatically according to the amount of computing resources the data requires: for example, when the computing resources required by the data exceed a preset threshold, the data is transmitted through the edge node; when the computing resources required by the data are less than or equal to the preset threshold, the data is transmitted through the core network equipment. In other words, the private network system provided by this application can dynamically decide, based on the computing resources the data requires, whether to send the data to the edge node or to the core network equipment, and so make more effective use of network resources. Secondly, when the computing resources required by the data exceed the preset threshold the data is sent to the edge node, which reduces the burden on the core network equipment, optimizes the use of computing resources and removes the need to switch between the public and private networks; this provides greater flexibility and improves the user experience. Furthermore, because the edge node has stronger security protection capabilities, the security of the data can be better protected.

下面结合说明书附图,对本申请提供的实施例进行具体介绍。The embodiments provided in this application will be specifically introduced below in conjunction with the accompanying drawings of the description.

如图1所示,为本申请实施例提供的一种专网系统架构示意图。如图1所示,该专网架构包括:基站设备100、核心网设备200、边缘节点300和中继设备400。其中,基站设备100与边缘节点300之间通信连接,边缘节点300与中继设备400通信连接,核心网设备200与基站设备100之间通信连接,核心网设备200与中继设备400之间通信连接。As shown in Figure 1, it is a schematic diagram of a private network system architecture provided by an embodiment of the present application. As shown in Figure 1, the private network architecture includes: base station equipment 100, core network equipment 200, edge nodes 300 and relay equipment 400. Among them, the communication connection between the base station equipment 100 and the edge node 300, the communication connection between the edge node 300 and the relay equipment 400, the communication connection between the core network equipment 200 and the base station equipment 100, and the communication between the core network equipment 200 and the relay equipment 400 connect.

基站设备100,用于发送和接收无线信号。Base station equipment 100 is used for sending and receiving wireless signals.

在本申请实施例中,基站设备100,用于接收终端设备发送的数据,并将接收到的数据向核心网设备200或边缘节点300发送。In this embodiment of the present application, the base station device 100 is configured to receive data sent by the terminal device, and send the received data to the core network device 200 or the edge node 300.

其中,终端设备是与用户进行人机交互的设备,用户在与终端设备进行人机交互的过程中产生用户行为数据。示例性的,终端设备可以是手机、平板电脑、桌面型、膝上型、手持计算机、笔记本电脑、超级移动个人计算机(ultra-mobile personal computer,UMPC)、上网本,以及蜂窝电话、个人数字助理(personal digital assistant,PDA)、增强现实(augmented reality,AR)\虚拟现实(virtual reality,VR)设备等。本申请实施例对该终端设备的具体形态不作特殊限制。其可以与用户通过键盘、触摸板、触摸屏、遥控器、语音交互或手写设备等一种或多种方式进行人机交互。Among them, the terminal device is a device that performs human-computer interaction with the user, and the user generates user behavior data during the human-computer interaction with the terminal device. For example, the terminal device may be a mobile phone, a tablet computer, a desktop, a laptop, a handheld computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, as well as a cellular phone, a personal digital assistant ( personal digital assistant (PDA), augmented reality (AR)\virtual reality (VR) equipment, etc. The embodiment of the present application places no special restrictions on the specific form of the terminal device. It can interact with users through one or more methods such as keyboard, touch pad, touch screen, remote control, voice interaction or handwriting device.

在一些实施例中,基站设备100具体用于基于数据所需的算力资源的大小,确定数据传输路径。在数据所需的算力资源大于预设阈值的情况下,基站设备100将数据发送给所述边缘节点300;在数据所需的算力资源小于或等于预设阈值的情况下,基站设备100将数据发送给所述核心网设备200。In some embodiments, the base station device 100 is specifically configured to determine a data transmission path based on the size of the computing resources required for the data. When the computing power resources required for the data are greater than the preset threshold, the base station device 100 sends the data to the edge node 300; when the computing power resources required for the data are less than or equal to the preset threshold, the base station device 100 Send the data to the core network device 200.

在一些实施例中,无线接入网承载于基站设备。示例性的,在本申请实施例中,无线接入网设备是小型化5G基站设备(gnodeb,gNB)。小型化5G基站设备向终端设备提供新空口(new radio,NR)用户面和控制面协议,用于加密数据、控制和分配无线资源,以及对信息进行调度。此外,小型化5G基站设备还与核心网的网元进行链接,以实现与核心网络的通信和控制。In some embodiments, the radio access network is carried by base station equipment. For example, in this embodiment of the present application, the radio access network equipment is a miniaturized 5G base station equipment (gnodeb, gNB). Miniaturized 5G base station equipment provides new radio (NR) user plane and control plane protocols to terminal equipment for encrypting data, controlling and allocating wireless resources, and scheduling information. In addition, the miniaturized 5G base station equipment is also linked to the network elements of the core network to achieve communication and control with the core network.

The core network device 200 is configured to receive the data sent by the base station device and process it to obtain the processed data.

In some embodiments, the core network device 200 includes multiple core network elements (also called network function (NF) elements). By way of example, as shown in Figure 2, the core network device includes a session management function (SMF) element, a user plane function (UPF) element, an access and mobility management function (AMF) element, an authentication server function (AUSF) element, and a unified data management (UDM) element. The core network may also include other elements that are not shown, such as a policy control function (PCF) element and a multi-access edge computing (MEC) element, which are not described further here.

The AMF element receives and processes the connection and session information sent by the terminal device and forwards session-management-related information to the SMF.

The SMF element is responsible for interacting with the separated data plane, creating and updating protocol data unit (PDU) sessions, and managing the context of the sessions with the UPF. The SMF element also controls UPF route selection and data notification.

The UPF element is the connection point between the mobile network and the data network. It is responsible for routing and forwarding 5G core network user-plane packets, identifying data and services, and executing actions and policies.

The AUSF element provides terminal device authentication and the protection control information list.

The UDM element manages user identities, subscription data, authentication data, and the registration of the network elements serving a user.

In some embodiments, the core network device 200 may connect to a third-party application function (AF) element through a network exposure function (NEF) element. The NEF element manages the network data exposed externally, for example by providing internal core network data to third-party applications. The NEF element also provides the corresponding security guarantees to protect the 3rd generation partnership project (3GPP) network from external applications, and offers functions such as exposing quality of service (QoS) customization capability to external applications, mobility state event subscription, and AF request distribution.

In some embodiments, as shown in Figure 2, user equipment (UE) may access the core network through the AMF element; radio network access (RNA) equipment (for example, base station equipment) may access the core network through the AMF element; the RNA equipment may also communicate with the UPF element over the UPF element's interface (for example, the N3 interface between the core network service and the transport network); in addition, the UPF element, as the interconnection point between the mobile infrastructure (for example, base station equipment) and the data network (DN), may communicate with the DN over the network-to-network (N6) interface.

In some embodiments, the core network device 200 may be a general-purpose server, although the specific hardware choice may vary with the deployment scenario and requirements. By way of example, in a central equipment room, servers with high performance, high reliability, and high scalability can be used to meet the high-throughput and low-latency requirements of core network equipment.

The edge node 300 is configured to receive the data sent by the base station device and process it to obtain the processed data. The edge node 300 is also configured to control and protect the data and traffic, and to transmit the data to the relay device 400.

The edge node 300 may be a server or a communication base station. The server may be a single server or a server cluster composed of multiple servers. In some implementations, the server cluster may be a distributed cluster.

The relay device 400 is configured to retransmit or forward the data signal so as to extend the network transmission distance, thereby compensating for signal attenuation and supporting long-distance communication.

By way of example, the relay device 400 may be a hub, a bridge, a switch, or another device used to forward data or signals, and is not specifically limited here.

In some embodiments, the private network system of the embodiments of this application may use multi-access edge computing (MEC) edge computing technology, combined with value-added capabilities or industry applications such as positioning and disaster recovery, and be applied to different application scenarios to meet their differing needs.

It can be understood that, on top of providing 5G private network functions, the private network system of this application can also deliver a customized "5G public network" according to the different business needs of users. It further deploys the core network and the base station equipment in nearby locations (for example, a communication vehicle) and then moves part of the core network functions down to network edge servers, which better improves the communication capability of the 5G private network. The private network of this application is a self-built network, so there is no trust mechanism for network ownership or network partitioning.

In addition, whereas the functions of existing 5G private network equipment and network elements can be developed and customized according to business needs, this application can use the NEF to develop the capacity, number, and energy consumption of the base station equipment as well as the flexible access capability between the access network and the core network.

Refer to Figure 3, which shows a private network data transmission architecture provided by an embodiment of this application. As shown in Figure 3, the private network data transmission architecture may include relay equipment, a satellite, a 5G public network, a firewall, and a data center; alternatively, the data transmission architecture may include relay equipment, a satellite, a firewall, and a data center.

In some embodiments, when the transmission distance between the relay device and the data center is short or the network coverage is wide, the data is transmitted to the data center through the 5G public network; when the transmission distance is long or the network coverage is poor, the data is transmitted to the data center by satellite signal.

In some embodiments, while the data is being transmitted from the relay device to the data center, it passes through a firewall, where security settings are applied, before entering the data center.

In some embodiments, once the data reaches the data center it may be transmitted to remote sites over the transport network. Remote transmission usually means data transmission between data centers to achieve data sharing and synchronization.

It should be noted that the system architecture described in the embodiments of this application is intended to explain the technical solutions of these embodiments more clearly and does not limit the technical solutions provided by them. A person of ordinary skill in the art will recognize that, as the system architecture evolves, the technical solutions provided by the embodiments of this application apply equally to similar technical problems.

Refer to Figure 4, which is a flow chart of private network data processing provided by an embodiment of this application. As shown in Figure 4, an embodiment of this application provides a private network data processing method, applied to the private network system provided in the first aspect above; the method includes:

S101. The base station device receives the data sent by the terminal device and determines the computing resources required by the data.

In some embodiments, for a computing power network, computing resources refer to the individual network nodes in the network and the computing capability of each node; for a single device, computing resources include the device's hardware resources, software resources, and computing capability.

S102. When the computing resources required by the data exceed the preset threshold, the base station device sends the data to the edge node so that the edge node processes the data and obtains the processed data.

S103. When the computing resources required by the data are less than or equal to the preset threshold, the base station device sends the data to the core network device so that the core network device processes the data and obtains the processed data.

By way of example, based on the system architecture shown in Figure 1, the private network data processing flow includes the following steps:

Step a1. The base station equipment receives the data or signals generated by the various terminal devices.

Step a2. When the computing resources required by the data are less than or equal to the preset threshold, the base station equipment sends the data to the relay device via the core network device; when the required computing resources exceed the preset threshold, the base station equipment sends the data to the relay device via the edge node.

Step a3. The core network device or the edge node processes the received data and forwards it to the relay device.

Step a4. The relay device receives the data and forwards it to the data center.

It can be understood that the method provided by the embodiments of this application can dynamically decide, according to the computing resources the data requires, whether to send the data to the edge node or to the core network device, and thus uses network resources more effectively. Secondly, when the required computing resources exceed the preset threshold the data is sent to the edge node, which relieves the load on the core network equipment, optimizes the use of computing resources, and removes the need to switch between the public and private networks, providing greater flexibility and a better user experience. Furthermore, because the edge node has stronger security protection capability, the security of the data can be better protected.

As shown in Figure 5, this application provides a private network access method, applied to the private network system shown in Figure 1; the method includes:

S201. The base station device receives the access authentication request sent by the terminal device.

S202. The base station device performs access authentication based on the access authentication request. The access authentication includes at least one of the following: primary authentication, secondary authentication, and end-to-end authentication.

Refer to Figure 6, which is a schematic diagram of the security authentication architecture in an embodiment of this application. As shown in Figure 6, the authentication architecture includes terminal device 1, terminal device 2, base station device 1, base station device 2, the 5G private network core network, and an authentication, authorization and accounting (AAA) device. Terminal device 1 and terminal device 2 perform primary authentication through the 5G private network core network device, perform secondary authentication through the AAA device, and perform end-to-end authentication between each other.

The three access authentication methods are introduced in turn below.

1. Primary authentication.

Primary authentication has a fast authentication process and high security requirements. It is the session flow in which the terminal device connects, via the 5G base station equipment, to the core network of the 5G private network and establishes the terminal device's PDU session.

Figure 7 is a schematic diagram of the primary authentication security architecture, which includes the terminal device, the access network, and the core network. This application provides confidentiality protection for the control-plane and user-plane data of the access network and the core network.

It can be understood that, in the security architecture of the access network, unified access and network-entry authentication of terminal devices across the various application scenarios ensures that terminal devices connect to the network securely and obtain the network services they need. On the control plane, unified network-entry authentication through the access network, the security anchor, and the authentication server ensures that only authorized terminal devices can access the network and obtain the required services. Further, on both the control plane and the user plane, generating the relevant keys to apply unified data and signalling protection between the terminal device and the core network control plane ensures the confidentiality and integrity of data and signalling and improves the reliability of communication.

In some embodiments, the primary authentication process is as follows: first, while the terminal device is attaching to the access network, the base station device provides network-entry authentication for the terminal device; then the AMF element, the security anchor function (SEAF), and the AUSF element cooperate to complete the security authentication process from the access network to the core network.

In some embodiments, as shown in Figure 8, two cases arise during UE access: 3GPP access and non-3GPP access. After access, the UE connects to the core network through the AMF. A forward-secure access authentication mechanism is used during access, which keeps the data well protected.

By way of example, the primary authentication process may be implemented as the following steps:

Step b1. The terminal device sends access request information to the 5G base station device.

Step b2. After receiving the access request information, the 5G base station device completes AMF selection, generates the air interface signalling information and the air interface signalling protection information, and sends both to the UDM.

The air interface signalling information carries the relevant data of the terminal device and the base station device; the air interface signalling protection information is used for network-element protection of the air interface signalling information.

Step b3. After receiving the air interface signalling information, the UDM element sends it to the AUSF element to complete information storage, and then sends it to the AMF element.

Step b4. The AMF receives the air interface signalling information sent by the UDM element and generates a response signal, then sends the response signal together with the parameters carried in the air interface signalling information, such as the random number generator (RAND) and the key identifier (next-generation key service identifier, ngKSI), to the terminal device so that the terminal device initiates its authentication.

Step b5. The terminal device generates an authentication result (authentication and key agreement, AND) and sends parameters such as the AND and the ngKSI to the universal subscriber identity module (USIM).

Step b6. The USIM responds to the parameters sent by the terminal and sends the response information to the 5G base station device.

Step b7. The 5G base station device receives the response information and sends it to the AUSF element for the authentication operation.
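The challenge-response core of steps b4 to b7 (the network hands the terminal a RAND and an ngKSI, the USIM answers, and the AUSF checks the answer), written out as an added example; this is not the patent's code and not the real 5G-AKA algorithm set. HMAC-SHA256 stands in for the operator-specific authentication functions the page does not name, and the long-term key K, the RAND and the ngKSI are constructed sample values. The terminal verifies a network tag before answering, so a challenge from a party that does not hold K gets no response at all.

```python
"""Simplified AKA-style challenge-response following steps b4 to b7.

Added illustration, not the patent's code. HMAC-SHA256 stands in for the
operator-specific authentication functions of real 5G-AKA, which the page
does not specify; the long-term key K, the RAND and the ngKSI are
constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AuthVector:
    """Network-side authentication vector produced for one challenge."""
    rand: bytes    # RAND challenge forwarded to the terminal (step b4)
    ng_ksi: int    # key set identifier the terminal echoes back
    mac: bytes     # network tag the USIM checks before answering
    xres: bytes    # expected response kept on the AUSF side
    k_sess: bytes  # session key derived alongside XRES


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation shared by both sides (stand-in for the AKA functions)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def network_generate_vector(k: bytes, ng_ksi: int,
                            rand: Optional[bytes] = None) -> AuthVector:
    """UDM/AUSF side: build the challenge and the expected answer."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    ksi = bytes([ng_ksi & 0x07])  # ngKSI kept to 3 bits here (assumption)
    return AuthVector(
        rand=rand,
        ng_ksi=ng_ksi,
        mac=_prf(k, b"net-mac", rand, ksi),
        xres=_prf(k, b"res", rand, ksi),
        k_sess=_prf(k, b"sess", rand, ksi),
    )


def usim_respond(k: bytes, rand: bytes, ng_ksi: int,
                 mac: bytes) -> Optional[Tuple[bytes, bytes]]:
    """USIM side (steps b5/b6): verify the network tag, then answer.

    Returns (RES, session key), or None when the network tag does not
    verify, in which case the terminal must not answer at all."""
    ksi = bytes([ng_ksi & 0x07])
    if not hmac.compare_digest(_prf(k, b"net-mac", rand, ksi), mac):
        return None
    return _prf(k, b"res", rand, ksi), _prf(k, b"sess", rand, ksi)


def ausf_verify(vector: AuthVector, res: bytes) -> bool:
    """Step b7: constant-time comparison of RES against the stored XRES."""
    return hmac.compare_digest(vector.xres, res)


def run_primary_authentication(k_usim: bytes, k_network: bytes,
                               ng_ksi: int = 1) -> Dict[str, bool]:
    """Drive one full round and report what each side concluded."""
    vec = network_generate_vector(k_network, ng_ksi)
    answer = usim_respond(k_usim, vec.rand, vec.ng_ksi, vec.mac)
    if answer is None:
        # The terminal could not authenticate the network: nothing is sent.
        return {"network_authenticated": False,
                "terminal_authenticated": False, "keys_match": False}
    res, k_sess_ue = answer
    ok = ausf_verify(vec, res)
    return {"network_authenticated": True,
            "terminal_authenticated": ok,
            "keys_match": ok and hmac.compare_digest(k_sess_ue, vec.k_sess)}


if __name__ == "__main__":
    K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    print(run_primary_authentication(K, K))          # all True
    print(run_primary_authentication(K, bytes(16)))  # network not authenticated
```

Both sides derive the session key from K and RAND only, so a successful RES check also implies both hold the same session key; the `keys_match` field makes that explicit for the reader.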

2. Secondary authentication.

Secondary authentication has a higher authentication level than primary authentication. On the premise that primary authentication has been completed, a second authentication process is carried out through a third-party AAA authentication system. Secondary authentication uses network-slice authentication to ensure data security.

In some embodiments, secondary authentication needs to establish authentication with the user through a custom extensible authentication protocol (EAP) procedure. Figure 9 is a schematic diagram of the secondary authentication architecture, which includes the UE, the RNA, the core network elements, and the DN.

By way of example, based on the architecture shown in Figure 9, the secondary authentication flow in the embodiments of this application may be implemented as the following steps:

Step c1. The terminal device sends request information to the extensible authentication protocol server (EAP Server), so that the EAP Server starts its response system, generates a random number, and sends the encrypted shared key to the terminal device.

Step c2. If the terminal device verifies that the key is intact, it generates another set of random numbers as a key and sends it to the EAP Server.

Step c3. If the EAP Server verifies that the key has not been modified, the terminal device receives the feedback information sent by the EAP Server, where the feedback information indicates whether the key was modified.
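Steps c1 to c3 as a two-party exchange, added here as an example; this is not the patent's code and not a standard EAP method. The page calls the EAP procedure "custom" without specifying it, so the example assumes a pre-shared secret between the terminal and the EAP Server, HMAC-SHA256 tags for the "key is intact / not modified" checks, and an HMAC-derived keystream for encrypting the keys in transit. The tamper path shows what the feedback in step c3 looks like when a byte of the terminal's key is altered on the way to the server.

```python
"""Integrity-protected key exchange following steps c1 to c3.

Added illustration, not the patent's code and not a standard EAP method:
a pre-shared secret (PSK) between terminal and EAP Server, HMAC-SHA256
tags for the integrity checks and an HMAC-derived keystream for
confidentiality are assumed. Nonces and keys are generated at random.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(psk: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from the PSK and a fresh nonce."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(psk, nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(psk: bytes, key: bytes) -> bytes:
    """Encrypt `key` and append a tag: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(psk, nonce, len(key))))
    tag = hmac.new(psk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(psk: bytes, msg: bytes) -> Optional[bytes]:
    """Check the tag first; return the key only if the message is intact."""
    if len(msg) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expect = hmac.new(psk, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(psk, nonce, len(ct))))


class EapServer:
    def __init__(self, psk: bytes) -> None:
        self.psk = psk
        self.server_key: Optional[bytes] = None
        self.terminal_key: Optional[bytes] = None

    def handle_request(self) -> bytes:
        """Step c1: generate a random shared key and send it sealed."""
        self.server_key = secrets.token_bytes(32)
        return seal(self.psk, self.server_key)

    def handle_terminal_key(self, msg: bytes) -> bytes:
        """Step c3: verify the terminal's key and return feedback."""
        key = unseal(self.psk, msg)
        if key is None:
            return b"KEY-MODIFIED"
        self.terminal_key = key
        return b"KEY-OK"


class Terminal:
    def __init__(self, psk: bytes) -> None:
        self.psk = psk
        self.server_key: Optional[bytes] = None
        self.own_key: Optional[bytes] = None

    def receive_server_key(self, msg: bytes) -> Optional[bytes]:
        """Step c2: accept the server key only if intact, then send own key."""
        key = unseal(self.psk, msg)
        if key is None:
            return None
        self.server_key = key
        self.own_key = secrets.token_bytes(32)
        return seal(self.psk, self.own_key)


def run_secondary_authentication(psk_terminal: bytes, psk_server: bytes,
                                 tamper_reply: bool = False) -> Dict[str, object]:
    """Run c1-c3 once; `tamper_reply` flips a ciphertext byte in transit."""
    server, terminal = EapServer(psk_server), Terminal(psk_terminal)
    reply = terminal.receive_server_key(server.handle_request())
    if reply is None:
        return {"feedback": b"SERVER-KEY-REJECTED", "keys_agree": False}
    if tamper_reply:
        i = NONCE_LEN + 3  # inside the ciphertext, so the tag no longer matches
        reply = reply[:i] + bytes([reply[i] ^ 0x01]) + reply[i + 1:]
    feedback = server.handle_terminal_key(reply)
    agree = (server.terminal_key == terminal.own_key
             and terminal.server_key == server.server_key)
    return {"feedback": feedback, "keys_agree": agree}
```

The tag is checked before any decryption, so a modified message is rejected without the recipient ever acting on its contents; that ordering is what makes the "key is intact" check in step c2 and the "not modified" check in step c3 meaningful.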

In some embodiments, during primary and secondary authentication the terminal device accesses the 5G network using 5G authentication and key agreement (5G-AKA); after access, it is protected against external attacks such as distributed denial of service (DDoS) and denial of service (DoS).

It should be noted that primary authentication and secondary authentication are access authentication between the terminal device and the core network. During access authentication, the integrity and security protection functions of the control plane ensure the integrity and confidentiality of the data.

In addition, the access authentication provided by this application may also include end-to-end authentication. End-to-end authentication involves encryption technology and identity authentication technology and ensures that a secure communication service is established end to end.

3. End-to-end authentication.

End-to-end authentication is an authentication process completed through the base station equipment; it does not need to go through the core network. In that case the core network can be moved down into the access network and its functions simplified. Where the base station equipment provides no coverage, the terminal devices exchange information by broadcast and thereby establish end-to-end communication.

Refer to Figure 10, which is a schematic diagram of the end-to-end authentication scenario. As shown in Figure 10, the scenario includes terminal device 1, the 5G core network, and terminal device 2. The 5G core network may be deployed on a communication vehicle, on base station equipment, or on some reinforced equipment. It can be understood that this communication process reduces the load on the core network and increases communication capacity.

In some embodiments, when terminal-to-terminal communication takes place under the same base station device, the terminal devices are authenticated through that base station device. Specifically, the terminal device first obtains key authentication through authentication, and then the terminal devices exchange information through the base station device. Identity authentication and key authentication are completed together in this process.

For ease of understanding, the end-to-end authentication provided by the embodiments of this application is described below by way of example in conjunction with application scenarios.

Refer to Figure 11, which is a schematic diagram of an end-to-end authentication scenario of an embodiment of this application. The scenario in Figure 11 includes three devices: terminal device 1, terminal device 2, and the base station device, where both terminal device 1 and terminal device 2 are within the coverage of the base station device.

By way of example, in the scenario shown in Figure 11, the end-to-end authentication method includes:

Step d1. Terminal device 1 and terminal device 2 send authentication requests to the base station device.

Step d2. The base station device forwards the authentication requests to the authentication server for identity verification.

Step d3. After identity verification succeeds, terminal device 1 and terminal device 2 exchange information through the base station device.

In some embodiments, when terminal-to-terminal communication takes place under different base station devices, authentication between the terminal devices is completed through the base station devices. Specifically, the terminal devices exchange information through the base station devices between them, and exchange authentication information and obtain keys through 5G-AKA.

For ease of understanding, the end-to-end authentication provided by the embodiments of this application is described below by way of example in conjunction with application scenarios.

Refer to Figure 12, which is a schematic diagram of an end-to-end authentication scenario of an embodiment of this application. The scenario in Figure 12 includes four devices: terminal device 1, terminal device 2, base station device 1, and base station device 2, where terminal device 1 is within the coverage of base station device 1 and terminal device 2 is within the coverage of base station device 2.

By way of example, in the scenario shown in Figure 12, the end-to-end authentication method includes:

Step e1. Terminal device 1 sends an authentication request to base station device 1, and terminal device 2 sends an authentication request to base station device 2.

Step e2. Base station device 1 and base station device 2 forward the authentication requests to the relevant authentication server for identity verification.

Step e3. After identity verification succeeds, the authentication server interacts with terminal device 1 and terminal device 2 over the 5G-AKA protocol and negotiates a key for their information exchange.

Step e4. After receiving the key, terminal device 1 and terminal device 2 verify it.

Step e5. After key verification succeeds, terminal device 1 and terminal device 2 exchange information through base station device 1 and base station device 2.

In some embodiments, when the two terminal devices are not within the coverage of the same base station and one of them is not covered by any base station, the key verification process of the terminal devices does not require verification by the base station device. Specifically, the terminal device connects to the core network through the base station device to complete identity and key verification and to obtain the specific key information.

为了便于理解,下面结合应用场景,以示例的形式对本申请实施例提供的端到端认证进行说明。For ease of understanding, the end-to-end authentication provided by the embodiments of the present application is described below in conjunction with application scenarios in the form of examples.

参见图13,为本申请实施例端到端认证场景示意图。图13所示场景包括终端设备1、终端设备2和基站设备三个设备,其中,终端设备1在基站设备的覆盖范围内,终端设备2不在基站设备的覆盖范围内。Refer to Figure 13, which is a schematic diagram of the end-to-end authentication scenario according to this embodiment of the present application. The scenario shown in Figure 13 includes three devices: terminal equipment 1, terminal equipment 2, and base station equipment. Among them, terminal equipment 1 is within the coverage of the base station equipment, and terminal equipment 2 is not within the coverage of the base station equipment.

示例性的,在如图13所示的场景中,端到端认证的方法包括:For example, in the scenario shown in Figure 13, the end-to-end authentication method includes:

步骤f1、终端设备1和终端设备2向核心网发送认证请求。Step f1: Terminal device 1 and terminal device 2 send authentication requests to the core network.

步骤f2、核心网根据一定的认证机制对终端设备的身份进行验证。Step f2: The core network verifies the identity of the terminal device according to a certain authentication mechanism.

步骤f3、身份验证成功后,核心网会与终端设备1和终端设备2通过5G-AKA协议或其他相关协议进行交互,协商生成用于信息交互的密钥。Step f3. After the identity authentication is successful, the core network will interact with terminal device 1 and terminal device 2 through the 5G-AKA protocol or other related protocols, and negotiate to generate a key for information exchange.

步骤f4、终端设备1和终端设备2接收到密钥后,会对其进行验证。In step f4, after receiving the key, terminal device 1 and terminal device 2 will verify it.

步骤f5、密钥验证成功后,终端设备1和终端设备2就可以使用该密钥进行安全的信息交换。In step f5, after the key verification is successful, terminal device 1 and terminal device 2 can use the key to exchange secure information.
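The f1 to f5 flow modelled as an added Python example (not code from the patent): two terminals authenticate to a simulated core network, which hands each of them a pairwise end-to-end key that they verify before using it. The HMAC-based challenge and key derivation stand in for 5G-AKA and are an assumption, as are the terminal identifiers TE1/TE2 and all keys, which are constructed sample values.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation (a stand-in, not the 5G-AKA functions); the label keeps derived keys domain-separated."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class CoreNetwork:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # terminal id -> long-term key (constructed)
        self.sessions = {}              # terminal id -> session key after f3

    def authenticate(self, term_id: bytes):
        """f1-f3: check the identity, then send a challenge the terminal can verify."""
        k = self.subscribers.get(term_id)
        if k is None:
            raise PermissionError("unknown subscriber")  # f2 fails
        rand = os.urandom(16)
        self.sessions[term_id] = kdf(k, b"sess", rand)
        return rand, kdf(k, b"mac", rand)

    def issue_e2e_key(self, id_a: bytes, id_b: bytes) -> dict:
        """f3 continued: one pairwise key, wrapped and tagged under each session key."""
        e2e, out = os.urandom(32), {}
        for tid in (id_a, id_b):
            sk = self.sessions[tid]
            wrapped = bytes(x ^ y for x, y in zip(e2e, kdf(sk, b"wrap", id_a, id_b)))
            out[tid] = (wrapped, kdf(sk, b"ktag", wrapped))
        return out

class Terminal:
    def __init__(self, term_id: bytes, k: bytes):
        self.id, self.k = term_id, k
        self.session_key = self.e2e_key = None

    def handle_challenge(self, rand: bytes, mac: bytes) -> bool:
        """Reject a challenge not produced with our long-term key (a forged network)."""
        if not hmac.compare_digest(mac, kdf(self.k, b"mac", rand)):
            return False
        self.session_key = kdf(self.k, b"sess", rand)
        return True

    def accept_e2e_key(self, wrapped: bytes, tag: bytes, id_a: bytes, id_b: bytes) -> bool:
        """f4: verify the delivered key before unwrapping and using it."""
        if not hmac.compare_digest(tag, kdf(self.session_key, b"ktag", wrapped)):
            return False
        stream = kdf(self.session_key, b"wrap", id_a, id_b)
        self.e2e_key = bytes(x ^ y for x, y in zip(wrapped, stream))
        return True

    def send(self, payload: bytes):
        """f5: authenticate an application message with the end-to-end key."""
        return payload, kdf(self.e2e_key, b"msg", payload)

    def receive(self, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, kdf(self.e2e_key, b"msg", payload))

def run_flow(tamper_challenge: bool = False) -> bool:
    """Run f1-f5 for two terminals; True if terminal 2 accepts terminal 1's message."""
    k1, k2 = os.urandom(32), os.urandom(32)  # constructed long-term keys
    core = CoreNetwork({b"TE1": k1, b"TE2": k2})
    te1, te2 = Terminal(b"TE1", k1), Terminal(b"TE2", k2)
    for te in (te1, te2):
        rand, mac = core.authenticate(te.id)
        if tamper_challenge:
            mac = bytes(len(mac))  # forged challenge: must be rejected before f4
        if not te.handle_challenge(rand, mac):
            return False
    keys = core.issue_e2e_key(b"TE1", b"TE2")
    for te in (te1, te2):
        if not te.accept_e2e_key(*keys[te.id], b"TE1", b"TE2"):
            return False
    payload, tag = te1.send(b"reading=42")
    return te2.receive(payload, tag)
```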

It can be understood that, in the present application, the base station device receives the access authentication request sent by the terminal device and performs access authentication based on that request, which ensures that only authenticated users can use network services, thereby improving network security. Secondly, implementing access authentication prevents unauthorized terminal devices from accessing the network, thereby reducing network security risks. The embodiments of the present application also address some security problems caused by the openness of the network: for example, a terminal device accessing the network over a wireless network is vulnerable to network attacks that lead to information leakage, and in the private network access process of 5G networks in the related art, the information on the communication link from the terminal device to the access network and then to the core network is exposed to hidden risks.

It can be seen that the above mainly introduces the solutions provided by the embodiments of the present application from the perspective of the methods. To implement the above functions, the embodiments of the present application provide corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that, in combination with the modules and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments of the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.

The embodiments of the present application may divide the network node into functional modules according to the above method examples; for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The above integrated module may be implemented in the form of hardware or in the form of a software functional module. Optionally, the division of modules in the embodiments of the present application is schematic and is only a logical functional division; there may be other division methods in actual implementation.

Figure 14 is a schematic structural diagram of a private network data processing apparatus provided by an embodiment of the present application. The private network data processing apparatus 1400 may be applied in the above private network data processing method. The private network data processing apparatus 1400 includes: a determination module 1401, configured for the base station device to receive data sent by a terminal device and to determine the computing power resources required by the data; a sending module 1402, configured for the base station device to send the data to an edge node when the computing power resources required by the data are greater than a preset threshold, so that the edge node processes the data and obtains the processed data; the sending module 1402 is further configured for the base station device to send the data to a core network device when the computing power resources required by the data are less than or equal to the preset threshold, so that the core network device processes the data and obtains the processed data.

Figure 15 is a schematic structural diagram of a private network access apparatus provided by an embodiment of the present application. The private network access apparatus 1500 may be applied in the above private network access method. The private network access apparatus 1500 includes: an authentication module 1501, configured for the base station device to receive an access authentication request sent by a terminal device and to perform access authentication based on the access authentication request; where the access authentication includes at least one of the following: primary authentication, secondary authentication and end-to-end authentication.

When the functions of the above integrated modules are implemented in the form of hardware, an embodiment of the present invention provides another possible schematic structural diagram of the private network data processing apparatus and the private network access apparatus involved in the above embodiments. As shown in Figure 16, another possible structure of the private network data processing apparatus and the private network access apparatus includes a processor 1602, a communication interface 1603 and a bus 1604. Optionally, the private network apparatus may further include a memory 1601.

The processor 1602 may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor 1602 may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component or any combination thereof. The processor 1602 may also be a combination implementing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.

The communication interface 1603 is configured to connect to other devices through a communication network. The communication network may be Ethernet, a radio access network, a wireless local area network (WLAN) or the like.

The memory 1601 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.

As a possible implementation, the memory 1601 may exist independently of the processor 1602, and the memory 1601 may be connected to the processor 1602 through the bus 1604 for storing instructions or program code. When the processor 1602 calls and executes the instructions or program code stored in the memory 1601, the private network data processing method and the private network access method provided by the embodiments of the present invention can be implemented.

In another possible implementation, the memory 1601 may also be integrated with the processor 1602.

The bus 1604 may be an extended industry standard architecture (EISA) bus or the like. The bus 1604 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Figure 16, but this does not mean that there is only one bus or one type of bus.

From the above description of the embodiments, those skilled in the art can clearly understand that, for convenience and brevity of description, only the division of the above functional modules is used as an example; in actual applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the private network apparatus is divided into different functional modules to complete all or part of the functions described above.

An embodiment of the present application further provides a computer-readable storage medium. All or part of the processes in the above method embodiments may be completed by computer instructions instructing the relevant hardware; the program may be stored in the computer-readable storage medium, and when executed, the program may include the processes of the above method embodiments. The computer-readable storage medium may be the memory of any of the foregoing embodiments. The computer-readable storage medium may also be an external storage device of the private network apparatus, for example a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card provided on the private network apparatus. Further, the computer-readable storage medium may include both an internal storage unit of the private network apparatus and an external storage device. The computer-readable storage medium is used to store the computer program and other programs and data required by the private network apparatus. The computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.

An embodiment of the present application further provides a computer program product. The computer program product includes a computer program, and when the computer program product runs on a computer, it causes the computer to execute any of the private network data processing methods and private network access methods provided in the above embodiments.

The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any change or substitution within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A private network system, characterized in that it includes: a base station device, a core network device, an edge node and a relay device; the base station device and the edge node are communicatively connected; the edge node and the relay device are communicatively connected; the core network device and the base station device are communicatively connected; the core network device and the relay device are communicatively connected; the base station device is configured to receive data sent by a terminal device and determine the computing power resources required by the data; when the computing power resources required by the data are greater than a preset threshold, send the data to the edge node; when the computing power resources required by the data are less than or equal to the preset threshold, send the data to the core network device; the edge node is configured to receive the data sent by the base station device, process the data and obtain the processed data; the core network device is configured to receive the data sent by the base station device, process the data and obtain the processed data; the relay device is configured to transmit the processed data to a data center.

2. The private network system according to claim 1, characterized in that the relay device is further configured to amplify the signal carrying the data.

3. The private network system according to claim 1, characterized in that the relay device is specifically configured to transmit the processed data to the data center through a fifth-generation mobile communication technology (5G) public network.

4. The private network system according to claim 1, characterized in that the relay device is specifically configured to transmit the processed data to the data center through a satellite.

5. A private network data processing method, characterized in that it is applied to the private network system according to any one of claims 1 to 4; the method includes: a base station device receiving data sent by a terminal device and determining the computing power resources required by the data; when the computing power resources required by the data are greater than a preset threshold, the base station device sending the data to an edge node so that the edge node processes the data and obtains the processed data; when the computing power resources required by the data are less than or equal to the preset threshold, the base station device sending the data to a core network device so that the core network device processes the data and obtains the processed data.

6. A private network access method, characterized in that it is applied to the private network system according to any one of claims 1 to 4; the method includes: a base station device receiving an access authentication request sent by a terminal device and performing access authentication based on the access authentication request; where the access authentication includes at least one of the following: primary authentication, secondary authentication and end-to-end authentication.

7. A private network data processing apparatus, characterized in that it is applied to a base station device; the apparatus includes: a determination module configured to receive data sent by a terminal device and determine the computing power resources required by the data; a sending module configured to send the data to an edge node when the computing power resources required by the data are greater than a preset threshold, so that the edge node processes the data and obtains the processed data; the sending module being further configured to send the data to a core network device when the computing power resources required by the data are less than or equal to the preset threshold, so that the core network device processes the data and obtains the processed data.

8. A private network access apparatus, characterized in that it is applied to a base station device; the apparatus includes: an authentication module configured to receive an access authentication request sent by a terminal device and perform access authentication based on the access authentication request; where the access authentication includes at least one of the following: primary authentication, secondary authentication and end-to-end authentication.

9. An electronic device, characterized in that it includes a processor and a memory, the processor being coupled to the memory; the memory is configured to store computer instructions, and the computer instructions are loaded and executed by the processor to cause the computer device to implement the method according to any one of claims 5 and 6.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium includes computer-executable instructions, and when the computer-executable instructions run on a computer, they cause the computer to execute the method according to any one of claims 5 and 6.
CN202311482136.6A 2023-11-08 2023-11-08 Private network system, private network data processing method, private network access method and device Pending CN117354868A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311482136.6A CN117354868A (en) 2023-11-08 2023-11-08 Private network system, private network data processing method, private network access method and device


Publications (1)

Publication Number Publication Date
CN117354868A true CN117354868A (en) 2024-01-05

Family

ID=89364932


Country Status (1)

Country Link
CN (1) CN117354868A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination