Method and apparatus for limiting user terminal access to upf, storage medium and electronic device
By setting a whitelist in the edge UPF, the problem of increased maintenance difficulty for user terminal access UPF control logic in the 5G core network is solved. Access control at the edge UPF is realized, reducing the transformation cost and maintenance difficulty of SMF, and is suitable for segmented access in enterprise private networks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD
- Filing Date
- 2021-12-24
- Publication Date
- 2026-06-09
AI Technical Summary
In existing 5G core networks, the control logic for user terminal access to the UPF is located within the large network elements, which increases the difficulty of network element implementation and operation and maintenance. Furthermore, it requires maintaining a large mapping table between user terminals and private UPFs in the SMF, further increasing the difficulty of operation and maintenance.
By setting a whitelist in the edge UPF, user terminal access can be restricted. The control point is moved down to the edge UPF, and access control is only performed by setting a whitelist in the edge UPF. This is suitable for SMFs located in the large network in the neighbor mode, avoiding the need to modify the SMF.
It reduces the transformation cost and operation and maintenance difficulty of SMF, realizes the practicality of user terminal access control in the current network, and is suitable for the segmented access restrictions of enterprise private networks.
Smart Images

Figure CN116346380B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of mobile communication technology, and in particular to a method, apparatus, storage medium, and electronic device for restricting user terminal access to a UPF. Background Technology
[0002] In the current 5G core network, after a user equipment (UE) successfully registers, the Session Management Function (SMF) entity selects a User Plane Function (UPF) for the UE based on various information (such as deep neural networks, network slicing, application identifiers, etc.), thereby enabling enterprise private networks to distinguish access to different UPFs. However, these methods fail to provide segmented access restrictions for user terminals within a specific enterprise private network.
[0003] Existing technology provides a method for segmenting user terminal access to UPFs. The method involves storing the identification information of a private UPF and the specific user terminals supported by that UPF in the SMF. When a private UPF registers with the SMF, it sends the identification information of that specific user. The SMF stores the identification information of the specific user terminal and establishes a mapping table from the identification information to the corresponding UPF. The user terminal sends a PDU session establishment request to the core network through the base station. The AMF forwards the request to the SMF, carrying the user terminal identification information. The SMF receives the PDU session request and stores the user terminal identification information. The SMF selects a UPF group from the UPFs under its management according to existing UPF selection methods. It then determines whether there is a private UPF in the UPF group. If so, it determines whether the private UPF can provide services to the current user terminal. If it can, the private UPF is used as the anchor point for the current user terminal to apply for PDU session establishment. If it cannot provide services or there is no private UPF, a non-private UPF is selected from the UPF group as the anchor point. This existing technology requires the SMF to maintain a massive mapping table between user terminals and private UPFs, elevating configurations originally confined to the enterprise private network to the SMF at the large network level. This blurs the boundaries of division of labor and increases operational complexity. Furthermore, the first point, regarding the UPF reporting specific user information to the SMF, requires modifications to both the SMF and UPF, increasing implementation costs. The limitation of this existing technology lies in the SMF, and the need to maintain the association between user terminals and dedicated UPFs within the SMF makes this approach unsuitable for SMFs located in the large network in a neighboring mode. This is because it introduces the control logic of edge services into the large network elements, increasing the implementation and operational complexity of the large network elements.
[0004] It should be noted that the information disclosed in the background section above is only used to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art. Summary of the Invention
[0005] This disclosure provides a method, apparatus, storage medium, and electronic device for restricting user terminal access to UPF, which at least to some extent overcomes the problem that the control logic for restricting user terminal access to UPF provided in related technologies increases the implementation and maintenance difficulty of large network elements.
[0006] Other features and advantages of this disclosure will become apparent from the following detailed description, or may be learned in part from practice of this disclosure.
[0007] According to one aspect of this disclosure, a method for restricting a user terminal's access to a UPF is provided, applied to the UPF, comprising: receiving a session establishment request forwarded by an SMF, wherein the session establishment request includes: an identifier of the user terminal; querying whether the identifier of the user terminal exists in a whitelist of the UPF according to the session establishment request, wherein the whitelist includes: identifiers of multiple user terminals stored in advance; and if it exists, establishing a session between the UPF and the user terminal.
[0008] In one embodiment of this disclosure, the method further includes: if the session between the UPF and the user terminal fails to be established, returning a second response message to the SMF, wherein the second response message is used to notify the SMF that the session between the UPF and the user terminal has failed.
[0009] In one embodiment of this disclosure, after establishing a session between the UPF and the user terminal, the method further includes: sending a first response message to the SMF, the first response message being used to notify the SMF that the session between the UPF and the user terminal has been successfully established.
[0010] In one embodiment of this disclosure, before receiving a session establishment request forwarded by SMF, the method further includes configuring a whitelist, which contains identifiers of multiple user terminals.
[0011] According to another aspect of this disclosure, a method for restricting a user terminal's access to a UPF is provided, applied to an SMF, comprising: selecting a UPF to be accessed by the user terminal based on a session establishment request initiated by the user terminal, wherein the session establishment request includes an identifier of the user terminal; forwarding the session establishment request to the selected UPF, so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF based on the session establishment request, and establishing a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist includes identifiers of a plurality of pre-configured user terminals.
[0012] In one embodiment of this disclosure, the method further includes: when the identifier of the user terminal does not exist in the whitelist of the UPF, not establishing a session between the UPF and the user terminal, wherein the whitelist includes: identifiers of a plurality of pre-configured user terminals.
[0013] According to one aspect of this disclosure, an apparatus for restricting a user terminal's access to a UPF is provided, applied to the UPF, comprising: a receiving module for receiving a session establishment request forwarded by an SMF, wherein the session establishment request includes an identifier of a user terminal; a query module for querying whether the identifier of the user terminal exists in a whitelist of the UPF according to the session establishment request, wherein the whitelist includes: identifiers of multiple pre-stored user terminals; and a session establishment module for establishing a session between the UPF and the user terminal if the identifier exists.
[0014] According to one aspect of this disclosure, an apparatus for restricting a user terminal's access to a UPF is provided, applied to a SMF, comprising: a selection module, configured to select a UPF to be accessed for the user terminal based on a session establishment request initiated by the user terminal, wherein the session establishment request includes an identifier of the user terminal; and a forwarding module, configured to forward the session establishment request to the selected UPF, so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF based on the session establishment request, and establishes a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist includes identifiers of a plurality of pre-configured user terminals.
[0015] According to another aspect of this disclosure, an electronic device is provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the above-described method for restricting user terminal access to UPF by executing the executable instructions.
[0016] According to another aspect of this disclosure, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the above-described method for restricting user terminal access to the UPF.
[0017] The embodiments of this disclosure provide a method, apparatus, storage medium, and electronic device for restricting user terminal access to a UPF. The method includes receiving a session establishment request forwarded by an SMF, wherein the session establishment request includes an identifier of the user terminal; querying whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, wherein the whitelist includes pre-stored identifiers of multiple user terminals; and establishing a session between the UPF and the user terminal if the identifier exists. This disclosure pushes the control point for user access down to the edge UPF, which is dedicated to enterprise private networks. By setting a whitelist in the edge UPF to restrict user access, it achieves the goal of restricting user terminal access to the UPF while also being applicable to SMFs located in the main network in a neighbor-to-neighbor mode.
[0018] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure. Attached Figure Description
[0019] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.
[0020] Figure 1 This diagram illustrates a system architecture for restricting user terminal access to a UPF according to an embodiment of the present disclosure.
[0021] Figure 2 This invention discloses a flowchart illustrating a method for restricting user terminal access to a UPF, as described in an embodiment of the present disclosure.
[0022] Figure 3 A flowchart illustrating a specific example of a method for restricting user terminal access to a UPF as described in this disclosure embodiment;
[0023] Figure 4 This invention discloses a flowchart illustrating a method for restricting user terminal access to UPF applied to SMF in an embodiment of the present disclosure.
[0024] Figure 5 This illustration shows a schematic diagram of a device for restricting user terminal access to a UPF, applied in an embodiment of this disclosure.
[0025] Figure 6 This illustration shows a schematic diagram of an apparatus for restricting user terminal access to UPF applied to SMF in an embodiment of this disclosure;
[0026] Figure 7 This diagram illustrates a flowchart of a system operation method for restricting user terminal access to the UPF according to an embodiment of this disclosure;
[0027] Figure 8 This diagram illustrates a structural block diagram of an electronic device according to an embodiment of the present disclosure;
[0028] Figure 9 A schematic diagram of a computer-readable storage medium according to an embodiment of the present disclosure is shown. Detailed Implementation
[0029] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, they are provided so that this disclosure will be more comprehensive and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0030] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0031] To facilitate understanding, the following is an explanation of several terms used in this disclosure:
[0032] Proximity Mode: Local Processing, Cloud-Edge Collaboration. In proximity mode, through technologies such as multi-frequency collaboration, carrier aggregation, super uplink, edge nodes, and wireless resource reservation, we provide dedicated network services with enhanced bandwidth, low latency, and local data offloading to latency-sensitive government and enterprise customers. Combined with edge computing technology and China Telecom Cloud, we maximize the advantages of cloud-edge collaboration and empower the digital applications of industry customers.
[0033] Mobile Edge Computing (MEC) is a technology proposed by the European Telecommunications Standards Institute (ETSI). Based on the 5G evolution architecture, MEC deeply integrates mobile access networks with internet services. It leverages the radio access network to provide telecommunications users with the IT services and cloud computing capabilities they need, creating a high-performance, low-latency, and high-bandwidth carrier-grade service environment. This accelerates the download of various content, services, and applications on the network, allowing consumers to enjoy an uninterrupted, high-quality network experience. MEC improves user experience and saves bandwidth resources. Furthermore, by pushing computing power down to mobile edge nodes, it provides third-party application integration, offering limitless possibilities for service innovation at the mobile edge.
[0034] AMF: Access and Mobility Management Function.
[0035] PDU stands for Protocol Data Unit. It refers to the unit of data transmitted between peer layers. The Physical Layer PDU is a bit, the Data Link Layer PDU is a frame, the Network Layer PDU is a packet, the Transport Layer PDU is a segment, and other higher-level PDUs are messages. A PDU is the basic unit of data transmission for a particular protocol, and each protocol has its own format.
[0036] DNN: Data Network Name. The DNN under 5GS is the same as the APN under 4G. DNN and APN are equivalent. It consists of two parts: network ID and carrier ID.
[0037] S-NSSAI: Single Network Slice Selection Assistance Information, identifies a network slice. In 5G wireless networks, network slicing mainly involves admission control, network selection, and resource separation. The standard primarily uses the S-NSSAI parameter for identification.
[0038] NSSAI: A Configured NSSAI, a Requested NSSAI, or an Allowed NSSAI. An NSSAI is a collection of S-NSSAIs. An NSSAI can be a configured NSSAI, a requested NSSAI, or an allowed NSSAI.
[0039] APP: application, mobile software.
[0040] ID: Identity document. Also known as a serial number or account number, it is a relatively unique code within a system, equivalent to an "identity card". In a specific thing, the identity document number is generally unchanged, and what is used to identify that thing is determined by the rules set by the designer.
[0041] PUD: Protocol Data Unit. In a layered network architecture, such as the Open Systems Interconnection model, protocol data units are established at each layer of the transport system for exchange between management processes and agents.
[0042] Network ID: Represents an external network. This part is required in DNN. The network ID must contain at least one label and its length is no more than 63 bytes.
[0043] The carrier ID indicates which carrier the DNN belongs to; this part is optional in the DNN.
[0044] The following detailed description of this exemplary implementation method is provided in conjunction with the accompanying drawings and embodiments.
[0045] Figure 1 A schematic diagram of an exemplary system architecture for a method or apparatus for restricting user terminal access to a UPF that can be applied to embodiments of this disclosure is shown.
[0046] like Figure 1 As shown, the system architecture 100 may include UPF101, SMF102, AMF103 and network 104.
[0047] Network 104 is a medium used to provide a communication link between UPF101, SMF102, and AMF103, and can be a wired network or a wireless network.
[0048] Optionally, the aforementioned wireless or wired networks use standard communication technologies and / or protocols. The network is typically the Internet, but can also be any network, including but not limited to Local Area Networks (LANs), Metropolitan Area Networks (MANs), Wide Area Networks (WANs), mobile, wired or wireless networks, private networks, or any combination of virtual private networks. In some embodiments, technologies and / or formats including Hyper Text Markup Language (HTML), Extensible Markup Language (XML), etc., are used to represent data exchanged over the network. Furthermore, conventional encryption technologies such as Secure Socket Layer (SSL), Transport Layer Security (TLS), Virtual Private Networks (VPNs), and Internet Protocol Security (IPsec) can be used to encrypt all or some links. In other embodiments, customized and / or dedicated data communication technologies can be used to replace or supplement the aforementioned data communication technologies.
[0049] Those skilled in the art will know that Figure 1 The number of UPF, SMF, and AMF shown is merely illustrative; any number of UPF, SMF, and AMF can be used depending on actual needs. This disclosure does not limit this.
[0050] Secondly, this disclosure provides a method for restricting user terminals from accessing the UPF, which can be applied to, but is not limited to, edge network element UPFs. In principle, this method can be executed by any electronic device with computing capabilities.
[0051] Figure 2 This disclosure illustrates a flowchart of a method for restricting user terminal access to a UPF, as shown in an embodiment of the present disclosure. Figure 2 As shown in the embodiments of this disclosure, the method for restricting user terminals from accessing the UPF may include the following steps:
[0052] S202, Receive a session establishment request forwarded by SMF, wherein the session establishment request includes: the identifier of the user terminal;
[0053] S204, based on the session establishment request, query whether the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist contains: the identifiers of multiple user terminals stored in advance;
[0054] S206, if it exists, then establish a session between the UPF and the user terminal.
[0055] This disclosure pushes the user access control point down to the edge UPF, which is dedicated to enterprise private networks. By setting a whitelist in the edge UPF, user access is restricted. While restricting user terminal access to the UPF, this method only exists at the core network edge and does not propagate to the main network. It is applicable to SMFs located in the main network in a neighbor-to-neighbor mode. No modification to the SMF is required, reducing SMF modification and maintenance costs, and demonstrating excellent practicality for deployment in existing networks.
[0056] Regarding S202, in one embodiment, it may be: the user terminal initiates a session establishment request containing the identifier of the user terminal, the SMF selects a UPF to be accessed for the user terminal based on the session establishment request initiated by the user terminal, and the SMF forwards the session establishment request to the UPF.
[0057] For example, when a user terminal initiates a session establishment request containing the user terminal's MSISDN (mobile number), SUPI / IMSI (user identification code), and IMEI (terminal identification code), the SMF selects a UPF to be accessed for the user terminal based on information such as DNN, NSSAI (slice ID), and APP ID, and then the SMF forwards the session establishment request to the UPF.
[0058] Regarding S204, in one embodiment, it could be that the UPF stores a whitelist containing identifiers of multiple pre-stored user terminals. The UPF queries whether the identifier of the user terminal included in the session establishment request exists in the UPF's whitelist.
[0059] For example, a whitelist can be pre-stored in the UPF. Each line of the whitelist can consist of the identifiers of one or more user terminals. The identifiers of user terminals can include: MSISDN (phone number), SUPI / IMSI (user identification code), and IMEI (terminal identification code).
[0060] Regarding S206, in one embodiment, it can be: if the identifier of the user terminal included in the session establishment request exists in the whitelist of the UPF, then a session between the UPF and the user terminal is established.
[0061] For example, if the user terminal MSISDN in the request is MSISDN_1, and the MSISDNs in the UPF whitelist include MSISDN_1, MSISDN_4, MSISDN_5, and MSISDN_7, and the user terminal MSISDN exists in the UPF whitelist, then a session between the UPF and the user terminal is established.
[0062] For example, if the user terminal SUPI / IMSI in the request is SUPI_2 / IMSI_2, and the SUPI / IMSI in the UPF whitelist includes SUPI_2 / IMSI_2, SUPI_4 / IMSI_4, SUPI_6 / IMSI_6, and SUPI_4 / IMSI_7, and the user terminal SUPI / IMSI exists in the UPF whitelist, then a session between the UPF and the user terminal is established.
[0063] For example, if the user terminal IMEI in the request is IMEI_6, and the IMEIs in the UPF whitelist include IMEI_3, IMEI_5, IMEI_6, and IMEI_7, and the user terminal IMEI exists in the UPF whitelist, then a session between the UPF and the user terminal is established.
[0064] In one embodiment, the method for restricting a user terminal's access to the UPF may further include: after establishing a session between the UPF and the user terminal, sending a first response message to the SMF, the first response message being used to notify the SMF that the session between the UPF and the user terminal has been successfully established.
[0065] The first response message can be indicated by information elements (IEs), flags, cause values, etc., to indicate that the request has been accepted.
[0066] For example, after establishing a session between the UPF and the user terminal, the first response message sent to the SMF carries a Cause value of 1, indicating that the session between the UPF and the user terminal has been successfully established.
[0067] In one embodiment, the method for restricting user terminals from accessing the UPF may further include: before receiving a session establishment request forwarded by the SMF, the UPF maintains a whitelist containing identifiers of multiple user terminals.
[0068] For example, before a user terminal initiates a session establishment request containing the user terminal's identifier, a whitelist has been configured and saved in the UPF, which stores the identifiers of multiple user terminals.
[0069] Figure 3 A flowchart illustrating a specific example of a method for restricting user terminal access to a UPF as described in this disclosure embodiment is shown below. Figure 3 As shown in the embodiments of this disclosure, the method for restricting user terminals from accessing the UPF may further include the following steps:
[0070] S302, if not, return a second response message to the SMF. The second response message is used to notify the SMF that the session between the UPF and the user terminal failed to be established.
[0071] Regarding S302, in one embodiment, it can be: if the identifier of the user terminal included in the session establishment request does not exist in the whitelist of the UPF, then the UPF returns a second response message to the SMF, which is used to notify the SMF that the session establishment between the UPF and the user terminal has failed.
[0072] The second response message can be indicated by information elements, flags, reason values, etc., to indicate that the request has been received.
[0073] For example, if the user terminal MSISDN in the session establishment request is MSISDN_2, and the MSISDN in the UPF whitelist includes MSISDN_1, MSISDN_4, MSISDN_5, and MSISDN_7 but not MSISDN_2, then the identifier of the user terminal in the session establishment request does not exist in the UPF whitelist. The second response message returned by the UPF to the SMF carries a Cause value of 76, indicating that the session establishment between the UPF and the user terminal failed, and notifies the SMF that the session between the UPF and the user terminal was not successfully established.
[0074] For example, if the user terminal SUPI / IMSI in the session establishment request is SUPI_1 / IMSI_2, and the SUPI / IMSI in the UPF whitelist includes SUPI_2 / IMSI_2, SUPI_4 / IMSI_4, SUPI_6 / IMSI_6, and SUPI_4 / IMSI_7, but not SUPI_1 / IMSI_2, then the identifier of the user terminal in the session establishment request does not exist in the UPF whitelist. The second response message returned by the UPF to the SMF carries a Cause value of 76, indicating that the session establishment between the UPF and the user terminal failed, and notifies the SMF that the session between the UPF and the user terminal was not successfully established.
[0075] For example, if the user terminal IMEI in the session establishment request is IMEI_2, and the IMEIs in the UPF whitelist include IMEI_3, IMEI_5, IMEI_6, and IMEI_7 but not IMEI_2, then the identifier of the user terminal in the session establishment request does not exist in the UPF whitelist. The second response message returned by the UPF to the SMF carries a Cause value of 76, indicating that the session establishment between the UPF and the user terminal failed, and notifies the SMF that the session between the UPF and the user terminal was not successfully established.
[0076] Figure 4This disclosure illustrates a flowchart of a method for restricting user terminal access to UPF applied to SMF in an embodiment of the present disclosure, such as... Figure 4 As shown in the embodiments of this disclosure, the method for restricting user terminals from accessing the UPF may include the following steps:
[0077] S402, based on the session establishment request initiated by the user terminal, select a UPF to be accessed for the user terminal, wherein the session establishment request includes: the identifier of the user terminal;
[0078] S404, forward the session establishment request to the selected UPF so that the UPF can query whether the user terminal's identifier exists in the UPF's whitelist according to the session establishment request, and establish a session between the UPF and the user terminal when the user terminal's identifier exists in the UPF's whitelist. The whitelist contains: the identifiers of multiple pre-configured user terminals.
[0079] Regarding S402, in one embodiment, it may be: selecting a UPF to be accessed for the user terminal based on a session establishment request initiated by the user terminal, wherein the session establishment request includes: the identifier of the user terminal;
[0080] Regarding S404, in one embodiment, it may be: forwarding a session establishment request to the selected UPF, so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and when the identifier of the user terminal exists in the whitelist of the UPF, establishing a session between the UPF and the user terminal, wherein the whitelist contains: identifiers of multiple pre-configured user terminals.
[0081] This disclosure does not place the access restriction point at the SMF, but rather at the edge UPF. This allows the SMF located in the main network to be decoupled from the dedicated configuration within the enterprise private network. User terminal access restrictions can be implemented without upgrading or modifying the main network SMF, which greatly reduces implementation costs and maintenance difficulty.
[0082] Based on the same inventive concept, this disclosure also provides a device for restricting user terminal access to a UPF, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the method embodiment described above, the implementation of this device embodiment can refer to the implementation of the method embodiment described above, and repeated details will not be elaborated further.
[0083] Figure 5 This illustration shows a schematic diagram of a device for restricting user terminal access to a UPF, as described in an embodiment of this disclosure. Figure 5 As shown, the device includes:
[0084] The receiving module 501 is used to receive the session establishment request forwarded by SMF, wherein the session establishment request includes: the identifier of the user terminal;
[0085] The query module 502 is used to query whether the identifier of the user terminal exists in the whitelist of the UPF based on the session establishment request. The whitelist contains: the identifiers of multiple user terminals stored in advance.
[0086] Session establishment module 503 is used to establish a session between the UPF and the user terminal if one exists.
[0087] In one embodiment, the method further includes:
[0088] If it does not exist, return a second response message to the SMF. The second response message is used to notify the SMF that the session establishment request failed to be sent.
[0089] In one embodiment, after establishing a session between the UPF and the user terminal, the method further includes:
[0090] Send a first response message to the SMF. The first response message is used to notify the SMF that the session between the UPF and the user terminal has been successfully established.
[0091] In one embodiment, before receiving the session establishment request forwarded by SMF, the method further includes:
[0092] Configure a whitelist, which includes identifiers of multiple user terminals.
[0093] Figure 6 This illustration shows a schematic diagram of an apparatus for restricting user terminal access to a UPF applied to an SMF, as shown in an embodiment of the present disclosure. Figure 6 As shown, the device includes:
[0094] Selection module 601 is used to select a UPF to be accessed for the user terminal based on the session establishment request initiated by the user terminal. The session establishment request includes the identifier of the user terminal.
[0095] The forwarding module 602 is used to forward the session establishment request to the selected UPF, so that the UPF can query whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and establish a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF. The whitelist contains: the identifiers of multiple pre-configured user terminals.
[0096] In one embodiment, the forwarding module 602 can also be used to: not establish a session between the UPF and the user terminal when the identifier of the user terminal does not exist in the whitelist of the UPF, wherein the whitelist contains: the identifiers of multiple pre-configured user terminals.
[0097] Figure 7 This disclosure illustrates a flowchart of a system operation method for restricting user terminal access to the UPF, as shown in an embodiment of the present disclosure. Figure 7 As shown, the system's operation process includes:
[0098] S701. Configure the whitelist through the user terminal whitelist management module in the UPF. Each line of the whitelist can consist of one or more user terminal identifiers. User identifiers include: MSISDN (mobile phone number), SUPI / IMSI (user identification code), and IMEI (terminal identification code).
[0099] S702, AMF, and SMF complete the establishment of the PDU Session according to the standard 3GPP process.
[0100] S703 and SMF, using existing methods, select a UPF for the user terminal based on information such as DNN, NSSAI (slice ID), and APP ID. This process essentially achieves the effect of selecting a dedicated UPF for enterprise private networks.
[0101] S704 and SMF send a standard N4 / PFCP SessionEstablishment Request message to UPF. The message carries the IE information element USER ID, which carries one or more user terminal identification fields, including: MSISDN, SUPI / IMSI or IMEI.
[0102] The S705 and the N4 / PFCP session management module within the UPF extract the user terminal identifier field from the USER ID information element in the request message. Based on this, they query the user terminal whitelist within the UPF. If the identifier field is in the whitelist, the establishment of an N4 / PFCP session is approved; otherwise, session establishment is denied. This process achieves the effect of finely segmenting and restricting user terminal access within a dedicated UPF.
[0103] S706. The UPF replies to the SMF with a standard N4 / PFCP (N4 / PFCP Session EstablishmentResponse) session establishment response message, carrying the IE element Cause. If step five agrees to session establishment, the message carries an IE element Cause value of 1 (equivalent to the first response message above), indicating acceptance of the request; if it disagrees with session establishment, the message carries an IE element Cause value of 76 (equivalent to the second response message above), indicating that the service does not support it and session establishment is rejected.
[0104] S707, AMF, and SMF completed the process of subsequent 3GPP (3rd Generation Partnership Project) standards.
[0105] This disclosure uses all 3GPP standard procedures and standard IE information elements, eliminating the need to introduce non-standard procedures and non-standard information elements between the SMF and UPF. User access control policies originally falling within the scope of enterprise private networks are maintained within edge network elements (such as edge-dedicated UPFs), making the SMF, located in the main network, easier to maintain. A user terminal whitelist consisting of MSISDN, SUPI / IMSI, and IMEI is set within the edge UPF; only user terminals meeting the criteria are allowed to access the UPF. When the UPF receives an N4 / PFCP session establishment request from the SMF, it matches the USER ID information element in the request against the whitelist. Only if a match is found will the UPF reply to the SMF accepting the establishment request; otherwise, it replies rejecting the establishment request. This can be applied to 5G customized network neighbor mode, restricting access at the user terminal level in enterprise private networks, allowing only designated user terminals within the enterprise to access the edge-dedicated UPF, and is suitable for segmented user terminal access restrictions within enterprise private networks.
[0106] Those skilled in the art will understand that various aspects of this disclosure can be implemented as a system, method, or program product. Therefore, various aspects of this disclosure can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software aspects, collectively referred to herein as a "circuit," "module," or "system."
[0107] The following reference Figure 8 To describe an electronic device 800 according to such an embodiment of the present disclosure. Figure 8 The electronic device 800 shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.
[0108] like Figure 8 As shown, the electronic device 800 is manifested in the form of a general-purpose computing device. The components of the electronic device 800 may include, but are not limited to: at least one processing unit 810, at least one storage unit 820, and a bus 830 connecting different system components (including storage unit 820 and processing unit 810).
[0109] The storage unit stores program code that can be executed by the processing unit 810, causing the processing unit 810 to perform the steps described in the "Exemplary Methods" section above according to various exemplary embodiments of this disclosure.
[0110] For example, the processing unit 810 can perform the following steps in the above method embodiment: receiving a session establishment request forwarded by the SMF, wherein the session establishment request includes: the identifier of the user terminal; according to the session establishment request, querying whether the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist includes: the identifiers of multiple user terminals stored in advance; if it exists, then establishing a session between the UPF and the user terminal.
[0111] In one embodiment, the processing unit 810 may further include the following steps: if the session establishment request fails to be sent, return a second response message to the SMF.
[0112] In one embodiment, after establishing a session between the UPF and the user terminal, the processing unit 810 may further include the following steps: sending a first response message to the SMF, wherein the first response message is used to notify the SMF that the session between the UPF and the user terminal has been successfully established.
[0113] In one embodiment, before receiving a session establishment request forwarded by SMF, the processing unit 810 may further perform the following steps: configuring a whitelist, the whitelist containing identifiers of multiple user terminals.
[0114] For example, the processing unit 810 may also perform the following steps in the above method embodiment: select a UPF to be accessed for the user terminal according to the session establishment request initiated by the user terminal, wherein the session establishment request includes: the identifier of the user terminal; forward the session establishment request to the selected UPF so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and establishes a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist includes: the identifiers of multiple pre-configured user terminals.
[0115] In one embodiment, the processing unit 810 may further include the following steps: when the identifier of the user terminal does not exist in the whitelist of the UPF, a session between the UPF and the user terminal is not established, wherein the whitelist contains: identifiers of multiple pre-configured user terminals.
[0116] Storage unit 820 may include a readable medium in the form of a volatile storage unit, such as random access memory (RAM) 8201 and / or cache memory 8202, and may further include a read-only memory (ROM) 8203.
[0117] The storage unit 820 may also include a program / utility 8204 having a set (at least one) of program modules 8205, including but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of these examples may include an implementation of a network environment.
[0118] Bus 830 can represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of the various bus structures.
[0119] Electronic device 800 can also communicate with one or more external devices 840 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 800, and / or with any device that enables electronic device 800 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 850. Furthermore, electronic device 800 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 860. As shown, network adapter 860 communicates with other modules of electronic device 800 via bus 830. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0120] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0121] In exemplary embodiments of this disclosure, a computer-readable storage medium is also provided, which may be a readable signal medium or a readable storage medium. Figure 9 This diagram illustrates a computer-readable storage medium according to an embodiment of the present disclosure, such as... Figure 9As shown, the computer-readable storage medium 900 stores a program product capable of implementing the methods described above. In some possible embodiments, various aspects of this disclosure may also be implemented as a program product comprising program code that, when run on a terminal device, causes the terminal device to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of this disclosure.
[0122] For example, when the program product in this embodiment is executed by the processor, it implements the following steps: receiving a session establishment request forwarded by the SMF, wherein the session establishment request includes: the identifier of the user terminal; according to the session establishment request, querying whether the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist includes: the identifiers of multiple user terminals stored in advance; if it exists, then establishing a session between the UPF and the user terminal.
[0123] In some embodiments, when the program product in this disclosure is executed by a processor, it may also implement the following steps: if it does not exist, return a second response message to the SMF, the second response message being used to notify the SMF that the session establishment request failed to be sent.
[0124] In some embodiments, when the program product in this disclosure is executed by a processor, it may also implement the following steps: sending a first response message to the SMF, wherein the first response message is used to notify the SMF that a session between the UPF and the user terminal has been successfully established.
[0125] In some embodiments, when the program product of this disclosure is executed by a processor, it may also implement the following steps: configuring a whitelist, wherein the whitelist includes: identifiers of multiple user terminals.
[0126] For example, when the program product in this embodiment is executed by the processor, it implements the following steps: according to the session establishment request initiated by the user terminal, a UPF to be accessed is selected for the user terminal, wherein the session establishment request includes: the identifier of the user terminal; the session establishment request is forwarded to the selected UPF, so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and when the identifier of the user terminal exists in the whitelist of the UPF, a session is established between the UPF and the user terminal, wherein the whitelist includes: the identifiers of multiple pre-configured user terminals.
[0127] In some embodiments, when the program product in this disclosure is executed by a processor, it may also implement the following steps: when the identifier of the user terminal does not exist in the whitelist of the UPF, a session between the UPF and the user terminal is not established, wherein the whitelist contains: a plurality of pre-configured identifiers of user terminals.
[0128] More specific examples of computer-readable storage media in this disclosure may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0129] In this disclosure, a computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of transmitting, propagating, or transmitting a program for use by or in connection with an instruction execution system, apparatus, or device.
[0130] Optionally, the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
[0131] In practical implementation, program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0132] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0133] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.
[0134] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0135] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.
Claims
1. A method for restricting user terminals from accessing a UPF, characterized in that, Applied to UPF, including: Receive a session establishment request forwarded by SMF, wherein the session establishment request includes: the identifier of the user terminal; Based on the session establishment request, query whether the identifier of the user terminal exists in the whitelist of the UPF, wherein the whitelist contains: the identifiers of multiple user terminals stored in advance; If it exists, then establish a session between the UPF and the user terminal.
2. The method for restricting user terminal access to UPF according to claim 1, characterized in that, The method further includes: If it does not exist, a second response message is returned to the SMF, which is used to notify the SMF that the session between the UPF and the user terminal failed to be established.
3. The method for restricting user terminal access to UPF according to claim 1, characterized in that, After establishing a session between the UPF and the user terminal, the method further includes: Send a first response message to the SMF, which is used to notify the SMF that the session between the UPF and the user terminal has been successfully established.
4. The method for restricting user terminal access to UPF according to claim 1, characterized in that, Before receiving the session establishment request forwarded by SMF, the following is also included: Configure a whitelist, which includes identifiers of multiple user terminals.
5. A method for restricting user terminals from accessing a UPF, characterized in that, Applied to SMF, including: Based on the session establishment request initiated by the user terminal, a UPF to be accessed is selected for the user terminal, wherein the session establishment request includes: the identifier of the user terminal; The session establishment request is forwarded to the selected UPF, so that the UPF queries whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and establishes a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF. The whitelist contains: the identifiers of multiple pre-configured user terminals.
6. The method for restricting user terminal access to UPF according to claim 5, characterized in that, The method further includes: When the identifier of the user terminal does not exist in the whitelist of the UPF, a session between the UPF and the user terminal is not established. The whitelist contains identifiers of multiple pre-configured user terminals.
7. A device for restricting user terminals from accessing a UPF, characterized in that, Applied to UPF, including: The receiving module is used to receive a session establishment request forwarded by SMF, wherein the session establishment request includes: the identifier of the user terminal; The query module is used to query whether the identifier of the user terminal exists in the whitelist of the UPF based on the session establishment request, wherein the whitelist contains: the identifiers of multiple user terminals stored in advance; The session establishment module is used to establish a session between the UPF and the user terminal if one exists.
8. A device for restricting user terminals from accessing a UPF, characterized in that, Applied to SMF, including: The selection module is used to select a UPF to be accessed for the user terminal based on the session establishment request initiated by the user terminal, wherein the session establishment request includes: the identifier of the user terminal; The forwarding module is used to forward the session establishment request to the selected UPF, so that the UPF can query whether the identifier of the user terminal exists in the whitelist of the UPF according to the session establishment request, and establish a session between the UPF and the user terminal when the identifier of the user terminal exists in the whitelist of the UPF. The whitelist contains: the identifiers of multiple pre-configured user terminals.
9. An electronic device, characterized in that, include: processor; as well as Memory for storing the executable instructions of the processor; The processor is configured to execute the method for restricting user terminal access to UPF as described in any one of claims 1 to 6 by executing the executable instructions.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the method for restricting user terminal access to UPF as described in any one of claims 1 to 6.