System and method for limiting access of user equipment in 5g core network

By configuring UE access policies in the AMF and utilizing IMSI/MSISDN random numbers and number segment lists, a blacklist/whitelist mechanism is supported, which solves the problems of flexibility and simplicity in UE access control in the 5G core network and achieves flexible access control and system stability.

CN116546503BActive Publication Date: 2026-06-09EASTERN COMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
EASTERN COMM
Filing Date
2022-12-27
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies lack flexibility and simplicity when restricting user equipment access in 5G core networks, making it difficult to meet access control needs under temporary or specific conditions.

Method used

Configure the data module and service process module in AMF, and support blacklist and whitelist mechanisms through UE access restriction mode, IMSI random number list, MSISDN random number list and number segment list. Allow configuration updates to take effect immediately or during the next registration, simplifying the access control process.

Benefits of technology

It achieves flexible and simple UE access control, supports different application requirements, avoids system impact, and meets access restrictions under temporary or specific conditions.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure BDA0004018810460000051
    Figure BDA0004018810460000051
  • Figure BDA0004018810460000061
    Figure BDA0004018810460000061
  • Figure BDA0004018810460000062
    Figure BDA0004018810460000062
Patent Text Reader

Abstract

The application belongs to the field of communication, and discloses a system for limiting user equipment access in a 5G core network, characterized by comprising a configuration data module and a service flow module; the configuration data module is used for configuring UE access policy in AMF, and the policy is shared in the same set of AMF; the service flow module is used for AMF to execute access restriction according to the configuration data when UE initial registration, periodic registration update and mobile registration update are performed. The application proposes a way for limiting UE access on AMF, which is a supplement to UE subscription data for realizing UE access restriction. The configuration mode adopted by the application can be IMSI / MSISDN random number or IMSI / MSISDN number segment, supports black / white list, and is simple and flexible in configuration mode, so that different application requirements can be met. When the configuration data changes, whether to take effect immediately can be selected flexibly according to the business application requirements, so that the impact on the system can be avoided.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of communication technology, and in particular relates to a system and method for restricting user equipment access in a 5G core network. Background Technology

[0002] 5GC (5G Core) is the core network of fifth-generation mobile communication technology, composed of multiple NFs (Network Functions). AMF (Access and Mobility Management Function) is the NF in 5GC responsible for UE access and mobility management. During UE network access, AMF authorizes services to the UE based on the UE's (User Equipment) subscription data. This subscription data includes roaming restrictions, access type, RAT type restrictions, restricted areas restrictions, and service area restrictions.

[0003] In practical applications, there are often flexible requirements, such as temporarily restricting which UEs (or UE number ranges) are allowed to access a certain AMF (Advanced Management Function) for a certain period of time, or restricting which UEs (or UE number ranges) are not allowed to access a certain AMF. This can also be achieved by modifying the UE's subscription data, but it is relatively complex overall. To simplify implementation, this invention proposes a system and method for restricting UE access on an AMF. Summary of the Invention

[0004] The purpose of this invention is to provide a system and method for restricting user equipment access in a 5G core network, so as to solve the above-mentioned technical problems.

[0005] To address the aforementioned technical problems, the specific technical solution of a system and method for restricting user equipment access in a 5G core network according to the present invention is as follows:

[0006] A system for restricting user equipment access in a 5G core network includes a configuration data module and a service process module. The configuration data module is used to configure UE access policies in the AMF (Application Management Function), and the policies are shared among AMFs in the same set. The service process module is used by the AMF to execute access restrictions based on the configuration data during UE initial registration, periodic registration update, and mobile registration update.

[0007] Furthermore, the configuration data module contains five parts of information, namely UE access restriction mode, IMSI random number, etc.

[0008] List, MSISDN random number list, number segment list, and configuration update immediate effect flag;

[0009] The UE access restriction mode is used to indicate the type of whitelist and blacklist, with values ​​of whitelist and blacklist, and the default is blacklist;

[0010] The IMSI random number list is a collection of numbers composed of random numbers in IMSI format; the IMSI format is composed of the mobile country code, mobile network code, and mobile subscription identification number connected in sequence, with a total length of 6 to 15 bytes;

[0011] The MSISDN random number list is a collection of numbers in MSIDSN format. The MSISDN format consists of the country code, domestic destination code, and user number, concatenated sequentially, with a total length of 5 to 15 decimal digits. The number segment list indicates a list of number ranges. Each number segment consists of a number type, a starting number, and an ending number. The number type is used to distinguish the number type of the number segment, and its values ​​are IMSI and MSISDN. When the number type is IMSI, both the starting and ending numbers are in IMSI format. When the number type is MSISDN, both the starting and ending numbers are in MSIDSN format.

[0012] The configuration update takes effect immediately flag, which can be either yes or no, with the default being no; it is used to indicate whether the update of the UE access restriction mode, IMSI random number list, MSISDN random number list, and number segment list affects the UE currently in the registered state.

[0013] Furthermore, the UE access restriction mode affects the scope of the configuration list; when the UE access restriction mode is a whitelist, only UE numbers appearing in the configuration list are allowed to access 5GC; when the UE access restriction mode is a blacklist, UE numbers appearing in the configuration list are not allowed to access 5GC, while UE numbers not appearing in the configuration list are allowed to access 5GC.

[0014] Furthermore, the configuration list is a collection of configurations of the same number type, including an IMSI configuration list and an MSISDN configuration list. The IMSI configuration list is formed by merging the IMSI random number list and the IMSI format number segment elements in the number segment list; the MSISDN configuration list is formed by merging the MSISDN random number list and the MSISDN format number segment elements in the number segment list.

[0015] Furthermore, the IMSI random number list, MSISDN random number list, and number segment list can be selectively configured as needed, and the numbers in the IMSI random number list, MSISDN random number list, and number segment list are not mutually exclusive. That is, the same IMSI number can appear in the IMSI random number list and also in the number segment list of the number type IMSI, and the same MSISDN number can appear in the MSISDN random number list and also in the number segment list of the number type MSISDN.

[0016] The present invention also discloses a method for restricting user equipment access in the system, comprising the following steps:

[0017] Step 1: After AMF starts, it first reads the configuration information, and then makes access restriction decisions based on the configuration information when the UE accesses the network.

[0018] Step 2: UE access involves two scenarios: initial registration initiated by the UE and periodic registration update or mobile registration update initiated by the UE.

[0019] Further, when the UE initiates initial registration, the AMF performs the following steps to determine whether the UE access is permitted: SA.1, the AMF checks the identity identifier type in the registration request. If it is SUCI, SA.2 is performed. If it is 5G-GUTI, the AMF first requests an identity identifier in SUCI format from the UE.

[0020] SA.2, AMF initiates AUSF selection based on UE's SUCI;

[0021] SA.3, AMF and the selected AUSF together perform UE access authentication. The authentication algorithm is 5G AKA or EAP-AKA'. After successful authentication, the UE's SUPI is obtained and SA.4 is executed; otherwise, SA.6 is executed.

[0022] SA.4: Based on the UE's SUPI obtained in SA.3, first traverse the IMSI scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to SA.5. Otherwise, continue traversing the number segment list for records with IMSI number type. If the SUPI number exists between the start and end numbers of the corresponding record, the generated matching result is "TRUE" and proceed to SA.5. Otherwise, the generated matching result is "FALSE".

[0023] SA.5: Obtain the UE access restriction mode configuration. If it is a whitelist, combine the matching results generated in SA.4. If the result is "TRUE", proceed to SA.7; if it is "FALSE", proceed to SA.6. If it is a blacklist, combine the matching results generated in SA.4. If the result is "TRUE", proceed to SA.6; if it is "FALSE", proceed to SA.7.

[0024] SA.6: The AMF determines that the UE's access is not allowed, that is, the IMSI access restriction is in effect, and sends a registration rejection message to it, and no longer executes subsequent steps;

[0025] SA.7: The AMF initiates a UDM selection based on the UE's SUCI and SUPI;

[0026] SA.8: The AMF initiates service registration with the selected UDM and obtains the UE's subscription data, including the list of GPSIs subscribed to by the UE;

[0027] SA.9: Based on the UE's GPSI list obtained in SA.8, intersect it with the MSISDN scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to SA.10. Otherwise, continue to traverse the records of number type MSISDN in the number segment list. If the number in the GPSI list exists between the start number and end number of the corresponding record, the generated matching result is "TRUE" and proceed to SA.10. Otherwise, the generated matching result is "FALSE".

[0028] SA.10: Obtain the UE access restriction mode configuration. If it is in the whitelist, combine it with the matching result generated in SA.9. If the result is "TRUE", proceed to SA.12; if it is "FALSE", proceed to SA.11. If it is in the blacklist, combine it with the matching result generated in SA.9. If the result is "TRUE", proceed to SA.11; if it is "FALSE", proceed to SA.12. SA.11: The AMF determines that the UE's access is not allowed, that is, the MSISDN access restriction is effective. It initiates service deregistration to the UDM, sends a registration rejection message to the UE, and does not execute subsequent steps.

[0029] SA.12: AMF initiates a UE subscription to UDM;

[0030] SA.13: Optional, the AMF initiates PCF selection and establishes a policy association with the selected PCF;

[0031] SA.14: The AMF completes service authorization, allowing the UE to access the network and sending it a registration acceptance message.

[0032] Furthermore, when the UE initiates a periodic registration update or mobile registration update, the AMF performs the following steps to determine whether the UE's access is permitted;

[0033] SB.1: The AMF extracts the identity type from the registration request and checks whether its value is 5G-GUTI or 5G-S-TMSI. It then obtains the UE's context, including the SUPI and GPSI lists, from the local machine or from the old AMF.

[0034] SB.2: Based on the SUPI in the UE context, first traverse the IMSI scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to SB.4. Otherwise, traverse the number segment list for records with IMSI number type. If the SUPI number exists between the start and end numbers of the corresponding record, generate a matching result of "TRUE" and go to SB.4. Otherwise, continue to execute the subsequent steps.

[0035] SB.3: Based on the GPSI in the UE context, first traverse the MSISDN scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to SB.4. Otherwise, traverse the number segment list for records of number type MSISDN. If the GPSI number exists between the start and end numbers of the corresponding record, generate a matching result of "TRUE" and go to SB.4. Otherwise, generate a matching result of "FALSE".

[0036] SB.4: Obtain the UE access restriction mode configuration. If it is a whitelist, combine the matching results generated in SB.2 and SB.3. If the result is "TRUE", proceed to SB.6; if the result is "FALSE", proceed to SB.5. If it is a blacklist, combine the matching results generated in SB.2 and SB.3. If the result is "TRUE", proceed to SB.5; if the result is "FALSE", proceed to SB.6. SB.5: The AMF determines that the UE's access is not allowed and triggers the AN release procedure. Then, it sends a registration rejection message to the UE and does not execute subsequent steps.

[0037] SB.6: The AMF completes service authorization, allows the UE to access the network, and sends a registration acceptance message to it.

[0038] Furthermore, during operation, AMF modifies the configuration data as needed, including the following steps: SC.1: When the UE access restriction mode, IMSI random number list, MSISDN random number list, and number segment list in the configuration data change, different processing is required depending on the value of the flag indicating whether the configuration update takes effect immediately. When the value is no, execute SC.2; when the value is yes, execute SC.3.

[0039] SC.2: The AMF only updates the configuration data and does not affect UEs in the registered state. It only takes effect when the UE registers again. SC.3: The AMF not only updates the configuration data, but also needs to explicitly deregister UEs that have already been connected but no longer meet the current access conditions due to the configuration data update.

[0040] The system and method for restricting user equipment access in a 5G core network, as proposed in this invention, have the following advantages: This invention proposes a method for restricting UE access on the AMF (Advanced Feature Frame), which is a supplement to implementing UE access restrictions based on UE subscription data. The configuration method used in this invention can be either a random IMSI / MSISDN number or an IMSI / MSISDN number range, and it supports blacklists / whitelists. The configuration method is simple and flexible, and can meet different application needs. When the configuration data changes, it can be flexibly selected whether to take effect immediately according to the requirements of the business application, avoiding impact on the system. Attached Figure Description

[0041] none. Detailed Implementation

[0042] To better understand the purpose, structure, and function of this invention, the following detailed description, in conjunction with the accompanying drawings, provides an explanation of a system and method for restricting user equipment access in a 5G core network.

[0043] The key technology in this invention is implemented in the AMF (Application Function) within the 5G core network (5GC). The AMF is the NF (Application Function) responsible for UE access and mobility management. To control UE access at the AMF, a system for restricting user equipment access in a 5G core network includes a configuration data module and a service process module. The configuration data module is used to configure UE access policies in the AMF, and this policy is shared among AMFs in the same set. The service process module is used by the AMF to execute access restrictions based on the configuration data during UE initial registration, periodic registration updates, and mobility registration updates.

[0044] In this invention, the configuration data module contains five parts of information, namely, UE access restriction mode, IMSI (International Mobile Subscription Identity) random number list, MSISDN (Structure of Mobile Subscriber ISDN number) random number list, number segment list, and configuration update immediately effective flag, as shown in Tables 1, 2, 3, 4, and 5.

[0045] The UE access restriction mode, namely ueAccessRestrictionMode in Table 1, is used to indicate the type of blacklist and whitelist. The value can be 0 or 1; 0 indicates whitelist and 1 indicates blacklist. The default value is 1.

[0046] Table 1 UE Access Restriction Modes:

[0047]

[0048] The IMSI random number list is shown in Table 2. imsiList is a collection of numbers composed of random numbers in IMSI format. The IMSI format is composed of the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Subscription Identification Number (MSIN) connected in sequence, with a total length of 6 to 15 bytes. Among them, the MCC consists of 3 decimal digits, occupying 3 bytes; the MNC consists of 2 to 3 decimal digits, occupying 2 to 3 bytes; and the MSIN consists of 1 to 10 decimal digits, occupying 1 to 10 bytes.

[0049] Table 2 IMSI Loose Number List:

[0050]

[0051] The list of MSISDN numbers is shown in Table 3. msisdnList is a collection of numbers composed of MSISDN (Structure of Mobile Subscriber ISDN number) format numbers. The MSISDN format is composed of country code (CC), domestic destination code (NDC), and subscriber number (SN) connected in sequence, with a total length of 5 to 15 decimal digits.

[0052] Table 3 MSISDN Loose Number List:

[0053]

[0054] The number range list is a list of number ranges. Each range consists of a number type, a starting number, and an ending number, as shown in Table 4: ueNumType, ueStartNum, and ueEndNum. ueNumType distinguishes the number type of the range, taking values ​​of 0 and 1, where 0 represents IMSI and 1 represents MSISDN. ueStartNum and ueEndNum correspond to the starting and ending numbers of the number range, respectively. When ueNumType is IMSI, both the starting and ending numbers are in IMSI format; when the number type is MSISDN, both the starting and ending numbers are in MSIDSN format.

[0055] Table 4 list:

[0056]

[0057] The "inUseImmediately" flag, as shown in Table 5, indicates whether the updates to the UE access restriction mode, IMSI random number list, MSISDN random number list, and number segment list will affect the UE currently in the registered state. The value can be 0 or 1; 0 indicates no, and 1 indicates yes. The default value is 0.

[0058] Table 5: Flags indicating that configuration updates take effect immediately:

[0059]

[0060] In this invention, the UE access restriction mode affects the scope of the configuration list. When the UE access restriction mode is a whitelist, only UE numbers appearing in the configuration list are allowed to access 5GC; when the UE access restriction mode is a blacklist, UE numbers appearing in the configuration list are not allowed to access 5GC, while UE numbers not appearing in the configuration list are allowed to access 5GC. The configuration list is a collection of configurations of the same number type. The IMSI configuration list is formed by merging the IMSI random number list and the IMSI format number segment elements in the number segment list; similarly, the MSISDN configuration list is formed by merging the MSISDN random number list and the MSISDN format number segment elements in the number segment list.

[0061] In this invention, the IMSI random number list, the MSISDN random number list, and the number segment list can be selectively configured as needed. The numbers in the IMSI random number list, the MSISDN random number list, and the number segment list are not mutually exclusive. That is, the same IMSI number can appear in both the IMSI list and the number segment list with ueNumType as IMSI, and the same MSISDN number can appear in both the MSISDN list and the number segment list with ueNumType as MSISDN.

[0062] In this invention, a method for restricting user equipment access in a 5G core network is provided. After the AMF is started, it first reads the information of the above configuration data, and then performs access restriction decision judgment when the UE accesses the network. UE access involves two scenarios, namely the initial registration initiated by the UE and the periodic registration update or mobile registration update initiated by the UE. The following describes the different scenarios respectively.

[0063] Scenario 1: The UE initiates the initial registration process. The AMF receives the registration request and checks that the 5GS registration type it carries is "initial registration". The AMF then performs the following steps to restrict the UE's access.

[0064] Step 1: The AMF checks the identity type (5GS identity type) in the registration request. If it is SUCI (Subscription Concealed Identifier), proceed to Step 2. If it is 5G-GUTI (5G Globally Unique Temporary Identifier), request an identity in SUCI format from the UE first.

[0065] Step 2: The AMF initiates the selection of AUSF (Authentication Server Function) based on the UE's SUCI;

[0066] Step 3: The AMF and the selected AUSF perform UE access authentication together. The authentication algorithm is 5G AKA or EAP-AKA. If the authentication is successful, the UE's SUPI (Subscription Permanent Identifier) ​​is obtained, and step 4 is executed; otherwise, step 6 is executed.

[0067] Step 4: Based on the UE's SUPI obtained in Step 3, first traverse the IMSI scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to Step 5. Otherwise, continue traversing the number segment list where ueNumType is IMSI. If the SUPI number exists between ueStartNum and ueEndNum of the corresponding record, the generated matching result is "TRUE" and proceed to Step 5. Otherwise, the generated matching result is "FALSE".

[0068] Step 5: Obtain the UE access restriction mode configuration. If ueAccessRestrictionMode is 0, and the matching result generated in Step 4 is "TRUE", proceed to Step 7; if the matching result generated in Step 4 is "FALSE", proceed to Step 6. If ueAccessRestrictionMode is 1, and the matching result generated in Step 4 is "TRUE", proceed to Step 6; if the matching result generated in Step 4 is "FALSE", proceed to Step 7.

[0069] Step 6: The AMF determines that the UE's access is not allowed (IMSI access restriction is in effect) and sends a registration reject message to the UE, and does not perform subsequent steps;

[0070] Step 7: The AMF initiates the UDM (Unified Data Management) selection based on the UE's SUCI and SUPI;

[0071] Step 8: The AMF initiates service registration with the selected UDM and obtains the UE's subscription data, including the list of GPSIs subscribed to by the UE;

[0072] Step 9: Based on the GPSI list of the UE obtained in Step 8, intersect it with the MSISDN scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to Step 10. Otherwise, continue to traverse the records in the number segment list where ueNumType is MSISDN. If the number in the GPSI list exists between ueStartNum and ueEndNum of the corresponding record, the generated matching result is "TRUE" and proceed to Step 10. Otherwise, the generated matching result is "FALSE".

[0073] Step 10: Obtain the UE access restriction mode configuration. If the value of ueAccessRestrictionMode is 0, and the matching result generated in Step 9 is "TRUE", proceed to Step 12; if the matching result generated in Step 9 is "FALSE", proceed to Step 11. If the value of ueAccessRestrictionMode is 1, and the matching result generated in Step 9 is "TRUE", proceed to Step 11; if the matching result generated in Step 9 is "FALSE", proceed to Step 12.

[0074] Step 11: The AMF determines that the UE's access is not allowed (MSISDN access restriction is in effect), initiates service deregistration to the UDM, sends a registration rejection message to the UE, and does not execute subsequent steps;

[0075] Step 12: AMF initiates a UE subscription for data from UDM;

[0076] Step 13: Optionally, the AMF initiates PCF selection and establishes a policy association with the selected PCF;

[0077] Step 14: The AMF completes service authorization, allows the UE to access the network, and sends a Registration Accept message to it.

[0078] Scenario 2: When a UE initiates a periodic registration update or a mobile registration update, the AMF receives the registration request and checks that the 5GS registration type it carries is "periodic registration update" or "mobility registration update". The AMF then performs the following steps to restrict the UE's access.

[0079] Step 1: The AMF extracts the identity type from the registration request and checks whether its value is 5G-GUTI or 5G-S-TMSI. It then obtains the UE's context, including the SUPI and GPSI lists, from the local machine or from the old AMF.

[0080] Step 2: Based on the SUPI in the UE context, first traverse the IMSI scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to step 4. Otherwise, traverse the number segment list where ueNumType is IMSI. If the SUPI number exists between ueStartNum and ueEndNum of the corresponding record, generate a matching result of "TRUE" and go to step 4. Otherwise, continue to execute the subsequent steps.

[0081] Step 3: Based on the GPSI in the UE context, first traverse the MSISDN scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to step 4. Otherwise, traverse the number segment list where ueNumType is MSISDN. If the GPSI number exists between ueStartNum and ueEndNum of the corresponding record, generate a matching result of "TRUE" and go to step 4. Otherwise, generate a matching result of "FALSE".

[0082] Step 4: Obtain the UE access restriction mode configuration. If the value of ueAccessRestrictionMode is 0, combine it with the matching results generated in Step 2 and Step 3. If it is "TRUE", proceed to Step 6; if it is "FALSE", proceed to Step 5. If the value of ueAccessRestrictionMode is 1, combine it with the matching results generated in Step 2 and Step 3. If it is "TRUE", proceed to Step 5; if it is "FALSE", proceed to Step 6.

[0083] Step 5: The AMF determines that the UE's access is not allowed and triggers the AN release procedure. Then, it sends a registration reject message to the UE and does not execute subsequent steps.

[0084] Step 6: The AMF completes service authorization, allows the UE to access the network, and sends a registration acceptance message to it.

[0085] In this invention, the AMF can modify configuration data as needed during operation. When the access restriction mode, IMSI random number list, MSISDN random number list, or number segment list changes, it needs to obtain a flag indicating whether the configuration update takes effect immediately, i.e., `inUseImmediately`, and perform different processing based on its value. When `inUseImmediately` is 0, the AMF only updates the configuration data and does not affect UEs in the registered state; it only takes effect during the UE's next registration (including periodic registration updates and mobile registration updates). When `inUseImmediately` is 1, the AMF not only updates the configuration data but also needs to explicitly deregister UEs that have already accessed the network but no longer meet the current access conditions due to the configuration data update.

[0086] It is understood that the present invention has been described through some embodiments, and those skilled in the art will recognize that various changes or equivalent substitutions can be made to these features and embodiments without departing from the spirit and scope of the invention. Furthermore, under the teachings of the present invention, these features and embodiments can be modified to adapt to specific situations and materials without departing from the spirit and scope of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed herein, and all embodiments falling within the scope of the claims of this application are within the protection scope of the present invention.

Claims

1. A system for restricting user equipment access in a 5G core network, characterized in that, It includes a configuration data module and a service process module; the configuration data module is used to configure UE access policies in the AMF, and the policy is shared among AMFs in the same set; the service process module is used by the AMF to execute access restrictions based on the configuration data during UE initial registration, periodic registration update and mobile registration update; the configuration data module contains five parts of information, namely UE access restriction mode, IMSI random number list, MSISDN random number list, number segment list and a flag indicating that the configuration update takes effect immediately; The UE access restriction mode is used to indicate the type of whitelist and blacklist, with values ​​of whitelist and blacklist, and the default is blacklist; The IMSI random number list is a collection of numbers composed of random numbers in IMSI format; the IMSI format is composed of the mobile country code, mobile network code, and mobile subscription identification number connected in sequence, with a total length of 6 to 15 bytes; The MSISDN random number list is a set of numbers composed of random numbers in MSIDSN format. The MSISDN format is composed of country code, domestic destination code, and user number connected in sequence, with a total length of 5 to 15 decimal digits. The number segment list indicates a list of number ranges. Each number segment consists of a number type, a starting number, and an ending number. The number type is used to distinguish the number type of the number segment, and its values ​​are IMSI and MSISDN. When the number type is IMSI, both the starting and ending numbers are in IMSI format. When the number type is MSISDN, both the starting and ending numbers are in MSIDSN format. The configuration update takes effect immediately flag, which can be either yes or no, with the default being no; This is used to indicate whether updates to the UE access restriction mode, IMSI random number list, MSISDN random number list, and number segment list affect UEs currently in the registered state.

2. The system for restricting user equipment access in a 5G core network according to claim 1, characterized in that, The UE access restriction mode affects the scope of the configuration list; when the UE access restriction mode is a whitelist, only UE numbers that appear in the configuration list are allowed to access 5GC; when the UE access restriction mode is a blacklist, UE numbers that appear in the configuration list are not allowed to access 5GC, while UE numbers that do not appear in the configuration list are allowed to access 5GC.

3. The system for restricting user equipment access in a 5G core network according to claim 2, characterized in that, The configuration list is a collection of configurations of the same number type, including an IMSI configuration list and an MSISDN configuration list. The IMSI configuration list is formed by merging the IMSI random number list and the IMSI format number segment elements in the number segment list; the MSISDN configuration list is formed by merging the MSISDN random number list and the MSISDN format number segment elements in the number segment list.

4. The system for restricting user equipment access in a 5G core network according to claim 3, characterized in that, The IMSI random number list, MSISDN random number list, and number segment list can be selectively configured as needed. The numbers in the IMSI random number list, MSISDN random number list, and number segment list are not mutually exclusive. That is, the same IMSI number can appear in the IMSI random number list and also in the number segment list of the number type IMSI. Similarly, the same MSISDN number can appear in the MSISDN random number list and also in the number segment list of the number type MSISDN.

5. A method for restricting user equipment access using the system as described in any one of claims 1-4, characterized in that, Includes the following steps: Step 1: After AMF starts, it first reads the configuration information, and then makes access restriction decisions based on the configuration information when the UE accesses the network. Step 2: UE access involves two scenarios: initial registration initiated by the UE and periodic registration update or mobile registration update initiated by the UE.

6. The method for restricting user equipment access according to claim 5, characterized in that, When the UE initiates initial registration, the AMF performs the following steps to determine whether the UE's access is permitted; SA.1, AMF checks the identity type in the registration request. If it is SUCI, SA.2 is executed. If it is 5G-GUTI, AMF first requests an identity in SUCI format from the UE. SA.2, AMF initiates AUSF selection based on UE's SUCI; SA.3, AMF and the selected AUSF together perform UE access authentication. The authentication algorithm is 5G AKA or EAP-AKA'. After successful authentication, the UE's SUPI is obtained and SA.4 is executed; otherwise, SA.6 is executed. SA.4: Based on the UE's SUPI obtained in SA.3, first traverse the IMSI scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to SA.

5. Otherwise, continue traversing the number segment list for records with IMSI number type. If the SUPI number exists between the start and end numbers of the corresponding record, the generated matching result is "TRUE" and proceed to SA.

5. Otherwise, the generated matching result is "FALSE". SA.5: Obtain the UE access restriction mode configuration. If it is a whitelist, combine the matching results generated in SA.

4. If the result is "TRUE", proceed to SA.7; if it is "FALSE", proceed to SA.

6. If it is a blacklist, combine the matching results generated in SA.

4. If the result is "TRUE", proceed to SA.6; if it is "FALSE", proceed to SA.

7. SA.6: The AMF determines that the UE's access is not allowed, that is, the IMSI access restriction takes effect, and sends a registration rejection message to it, and no longer executes subsequent steps; SA.7: The AMF initiates a UDM selection based on the UE's SUCI and SUPI; SA.8: The AMF initiates service registration with the selected UDM and obtains the UE's subscription data, including the list of GPSIs subscribed to by the UE; SA.9: Based on the UE's GPSI list obtained in SA.8, intersect it with the MSISDN scattered number list. If a matching record is found, the generated matching result is "TRUE" and proceed to SA.

10. Otherwise, continue to traverse the records of number type MSISDN in the number segment list. If the number in the GPSI list exists between the start number and end number of the corresponding record, the generated matching result is "TRUE" and proceed to SA.

10. Otherwise, the generated matching result is "FALSE". SA.10: Obtain the UE access restriction mode configuration. If it is a whitelist, combine it with the matching result generated in SA.

9. If the result is "TRUE", proceed to SA.12; if the result is "FALSE", proceed to SA.

11. If it is a blacklist, combine it with the matching result generated in SA.

9. If the result is "TRUE", proceed to SA.11; if the result is "FALSE", proceed to SA.

12. SA.11: The AMF determines that the UE's access is not allowed, that is, the MSISDN access restriction takes effect, initiates service deregistration to the UDM, sends a registration rejection message to the UE, and no longer executes subsequent steps; SA.12: AMF initiates a UE subscription to UDM; SA.13: The AMF initiates the PCF selection and establishes a policy association with the selected PCF; SA.14: The AMF completes service authorization, allowing the UE to access the network and sending it a registration acceptance message.

7. The method for restricting user equipment access according to claim 5, characterized in that, When the UE initiates a periodic registration update or mobile registration update, the AMF performs the following steps to determine whether the UE's access is permitted; SB.1: The AMF extracts the identity type from the registration request and checks whether its value is 5G-GUTI or 5G-S-TMSI. It then obtains the UE's context, including the SUPI and GPSI lists, from the local machine or from the old AMF. SB.2: Based on the SUPI in the UE context, first traverse the IMSI scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to SB.

4. Otherwise, traverse the number segment list for records with IMSI number type. If the SUPI number exists between the start and end numbers of the corresponding record, generate a matching result of "TRUE" and go to SB.

4. Otherwise, continue to execute the subsequent steps. SB.3: Based on the GPSI in the UE context, first traverse the MSISDN scattered number list. If a matching record is found, generate a matching result of "TRUE" and go to SB.

4. Otherwise, traverse the number segment list for records of number type MSISDN. If the GPSI number exists between the start and end numbers of the corresponding record, generate a matching result of "TRUE" and go to SB.

4. Otherwise, generate a matching result of "FALSE". SB.4: Obtain the UE access restriction mode configuration. If it is a whitelist, combine the matching results generated in SB.2 and SB.

3. If the result is "TRUE", proceed to SB.6; if the result is "FALSE", proceed to SB.

5. If it is a blacklist, combine the matching results generated in SB.2 and SB.

3. If the result is "TRUE", proceed to SB.5; if the result is "FALSE", proceed to execute SB.

6. SB.5: The AMF determines that the UE's access is not allowed and triggers the AN release procedure. After that, it sends a registration rejection message to the UE and does not perform any further steps. SB.6: The AMF completes service authorization, allows the UE to access the network, and sends a registration acceptance message to it.

8. The method for restricting user equipment access according to claim 7, characterized in that, AMF modifies configuration data as needed during operation, including the following steps: SC.1: When the UE access restriction mode, IMSI random number list, MSISDN random number list, and number segment list in the configuration data change, different processing is required depending on the value of the flag indicating whether the configuration update takes effect immediately. If the value is no, execute SC.2; if the value is yes, execute SC.

3. SC.2: AMF only updates configuration data and does not affect UEs in the registered state. It only takes effect when the UE registers again. SC.3: The AMF not only needs to update the configuration data, but also needs to explicitly deregister UEs that have already been connected but no longer meet the current access conditions due to the configuration data update.