Roaming access control method, apparatus and signaling gateway

By centrally processing roaming access control on the signaling gateway, the problems of complexity and high cost in edge node management are solved, achieving efficient roaming access control and reducing maintenance costs.

CN119729446B · Active · Publication Date: 2026-06-23 · CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER +1

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
Filing Date: 2024-12-31
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

In existing technologies, the large number and wide distribution of edge nodes result in high management costs and low efficiency. The decentralized management model increases the complexity and error risk of network maintenance.

Method used

By centrally processing roaming access control on the signaling gateway, the process for new operators to activate roaming access is simplified, reducing repetitive work and configuration errors, and lowering maintenance and management costs.

Benefits of technology

It simplifies the roaming access control process, reduces maintenance costs and workload, improves management efficiency, and reduces the risk of configuration errors.

✦ Generated by Eureka AI based on patent content.


Abstract

The application relates to the technical field of communication networks, in particular to a roaming access control method, device and signaling gateway. The roaming access control method is applied to the signaling gateway. The signaling gateway is arranged between a home public land mobile network (HPLMN) and a visited public land mobile network (VPLMN), and is connected with a roaming access control node arranged in the VPLMN. The method comprises the following steps: in response to an access request initiated by a target terminal through a roaming access control node corresponding to the target terminal, determining the access right of the target terminal to the HPLMN according to a terminal identifier of the target terminal carried in the access request; and, according to the access right, connecting the target terminal to the HPLMN or restricting the target terminal's access to the HPLMN.

Description

Technical Field

[0001] This application relates to the field of communication network technology, and in particular to a roaming access control method, apparatus and signaling gateway.

Background Technology

[0002] In current standard network architectures, the edge nodes of the core network bear the important task of enabling roaming access from foreign operators. As bridges connecting the network to the outside world, the stability and efficiency of these edge nodes directly affect the quality of cross-border communication services and user experience.

[0003] However, with the continuous development of communication technology and the increasing scale of networks, the number of edge nodes in the existing network has increased dramatically, which has brought unprecedented challenges to network management and maintenance.

[0004] Due to the large number and wide distribution of edge nodes, the number of departments responsible for maintenance and management has to increase accordingly. Each department needs to be responsible for a portion of the daily operation and maintenance work of the edge nodes, including equipment inspection, troubleshooting, and performance optimization. This decentralized management model not only increases management costs but also reduces management efficiency.

Summary of the Invention

[0005] Therefore, it is necessary to provide a roaming access control method, device, and signaling gateway that can simplify roaming access control in response to the above-mentioned technical problems.

[0006] Firstly, this application provides a roaming access control method applied to a signaling gateway. The signaling gateway is deployed between the Home Public Land Mobile Network (HPLMN) and the Visited Public Land Mobile Network (VPLMN) and is connected to a roaming access control node deployed within the VPLMN. The method includes:

[0007] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the HPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0008] Depending on access permissions, the target terminal can be connected to the HPLMN or its access can be restricted.

[0009] In one embodiment, determining the target terminal's access rights to the HPLMN based on the target terminal's terminal identifier carried in the access request includes:

[0010] The terminal identifier of the target terminal carried in the access request is matched with the terminal identifiers of each authorized terminal in the locally stored whitelist.

[0011] If the terminal identifier of the target terminal is consistent with the terminal identifier of any authorized terminal in the whitelist, then the target terminal's access permission to HPLMN is determined to be allowed.

[0012] If the terminal identifier of the target terminal does not match the terminal identifiers of any of the authorized terminals in the whitelist, then the target terminal's access permission to HPLMN is determined to be restricted.

[0013] In one embodiment, depending on access permissions, allowing a target terminal to access the HPLMN or restricting the target terminal's access to the HPLMN includes:

[0014] If the access permission is allowed, the access request will be forwarded to the HPLMN so that the HPLMN can establish communication with the target terminal.

[0015] If the access permission is restricted, a restricted access instruction is generated and sent to the target terminal through the roaming access control node corresponding to the target terminal to restrict the target terminal's access to the HPLMN.

[0016] In one embodiment, generating a restricted access instruction includes:

[0017] Based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs, generate a restricted access instruction corresponding to the target network type.

[0018] Accordingly, sending the access restriction instruction to the target terminal through the roaming access control node corresponding to the target terminal includes:

[0019] The access restriction instruction is sent to the roaming access control node corresponding to the target terminal, instructing the roaming access control node to convert the access restriction instruction into a format according to the network standard corresponding to the target network type, and then send the format-converted access restriction instruction to the target terminal.

[0020] In one embodiment, the roaming access control node deployed within the VPLMN includes at least one of the following: a Mobile Switching Center (MSC) in a 2G network, a Mobile Switching Center (MSC) in a 3G network, a Mobility Management Entity (MME) in a 4G network, and an Access and Mobility Management Function (AMF) network element in a 5G network.

[0021] In one embodiment, the signaling gateway is equipped with a signaling transfer point (STP) network element, a Diameter routing agent (DRA) network element, and a network repository function (NRF) network element.

[0022] Secondly, this application also provides a roaming access control device configured in a signaling gateway. The signaling gateway is deployed between the Home Public Land Mobile Network (HPLMN) and the Visited Public Land Mobile Network (VPLMN) and is connected to a roaming access control node deployed within the VPLMN. The device includes:

[0023] The response module is used to respond to the access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, and to determine the target terminal's access permissions to the HPLMN based on the terminal identifier of the target terminal carried in the access request.

[0024] The access control module is used to allow or restrict the target terminal from accessing the HPLMN based on access permissions.

[0025] Thirdly, this application also provides a signaling gateway, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0026] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the HPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0027] Depending on access permissions, the target terminal can be connected to the HPLMN or its access can be restricted.

[0028] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:

[0029] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the HPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0030] Depending on access permissions, the target terminal can be connected to the HPLMN or its access can be restricted.

[0031] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:

[0032] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the HPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0033] Depending on access permissions, the target terminal can be connected to the HPLMN or its access can be restricted.

[0034] The aforementioned roaming access control method, apparatus, and signaling gateway, by centralizing roaming access control on the signaling gateway, avoid the need for complex network configuration at each roaming access control node. This significantly simplifies the process for new operators to activate roaming access, reducing repetitive work and the risk of configuration errors. Because roaming access control is centralized on the signaling gateway, rather than distributed across various roaming access control nodes, the number of nodes requiring maintenance and management is significantly reduced, lowering maintenance costs and workload.

Attached Figure Description

[0035] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0036] Figure 1 is an application environment diagram of the roaming access control method in one embodiment;

[0037] Figure 2 is a flowchart illustrating a roaming access control method in one embodiment;

[0038] Figure 3 is a flowchart illustrating the steps for determining the access rights of a target terminal to an HPLMN in one embodiment;

[0039] Figure 4 is a flowchart illustrating the steps of connecting a target terminal to a VPLMN or restricting a target terminal's access to a VPLMN in one embodiment;

[0040] Figure 5 is an interactive schematic diagram of the roaming access control method in another embodiment;

[0041] Figure 6 is a structural block diagram of a roaming access control device in one embodiment;

[0042] Figure 7 is an internal structure diagram of a signaling gateway in one embodiment.

Detailed Implementation

[0043] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0044] The roaming access control method provided in this application embodiment can be applied to the application environment shown in Figure 1, which includes a signaling gateway, a Home Public Land Mobile Network (HPLMN), a Visited Public Land Mobile Network (VPLMN), and a roaming access control node deployed within the VPLMN. The signaling gateway is deployed between the Home Public Land Mobile Network (HPLMN) and the Visited Public Land Mobile Network (VPLMN) and is connected to the roaming access control node deployed within the VPLMN.

[0045] VPLMN refers to a network that a mobile user accesses and uses when roaming outside the coverage area of their home network. Roaming agreements between operators enable users to seamlessly access services while traveling domestically or internationally.

[0046] HPLMN refers to the network registered to a user's SIM card, also known as the user's "home" or primary service provider, typically the operator the user has a contract with. When a user leaves the coverage area of their HPLMN and enters the network area of another operator, the network they connect to is called the VPLMN, or visited network. During international roaming, the user's device (such as a mobile phone) attempts to connect to the VPLMN of the visited country or region. The VPLMN communicates with the user's HPLMN to verify the user's identity, subscription status, roaming permissions, and other information. Once verification is successful, the VPLMN allows the user to access its network and provides corresponding services (such as voice calls, SMS, and data traffic). The HPLMN stores important user information, such as user identity, subscription status, and roaming permissions. When a user roams internationally, the VPLMN needs to access the HPLMN to obtain this information to verify the user's legitimacy and roaming permissions. The HPLMN is also responsible for handling the user's billing and other related matters, ensuring that the user can use roaming services normally.

[0047] The roaming access control nodes deployed within the VPLMN include at least one of the following: the Mobile Switching Center (MSC) in 2G networks, the Mobile Switching Center (MSC) in 3G networks, the Mobility Management Entity (MME) in 4G networks, and the Access and Mobility Management Function (AMF) network element in 5G networks.

[0048] Understandably, the MSC is the most important core network device in the 2G network architecture, responsible for handling call establishment, maintenance, and release, as well as managing user mobility within the network. It provides switching functions, connects mobile users with fixed network users and with each other, and interfaces with entities such as base station subsystems, home location registers, visitor location registers, authentication centers, equipment identity registers, operations and maintenance centers, and fixed networks. In roaming access control, the MSC is primarily responsible for call routing and switching. Based on the destination of the call request, it communicates with other switching devices through the core network and routes the call to the location of the target user. The MSC is also responsible for user data storage and management, including user authentication and billing, functions that play a crucial role in roaming access control.

[0049] The 3G MSC is functionally similar to the 2G MSC, but it is optimized and enhanced for 3G networks. It is responsible for processing and switching calls and data services between mobile users, providing location information for mobile users, and communicating with other networks. Regarding roaming access control, the 3G MSC is also responsible for call routing and switching, routing calls to the correct base station or network based on the user's current location information. Furthermore, it is responsible for authentication and verification, ensuring that only authorized users can access network resources, which is a crucial step in ensuring network security and protecting user privacy.

[0050] The Mobility Management Entity (MME) is a network element in the control plane of the 4G core network, responsible for mobility management, including user terminal attachment and detachment, tracking area updates, and authentication. It is one of the most important entities in the 4G core network. In terms of roaming access control, the MME is primarily responsible for user access control and mobility management. It ensures that only legitimate users can access the network by processing user access requests and communicating with the HSS (Home Subscriber Server, the core network user database) for user authentication. Furthermore, the MME supports network slicing, which can allocate appropriate network resources to users according to the needs of different application scenarios.

[0051] The Access and Mobility Management Function (AMF) is a key network element in the 5G core network, responsible for handling user equipment (UE) access requests, mobility management, and radio resource allocation. The AMF interacts with UEs via signaling to identify their location and mobility needs and allocates corresponding radio resources. Furthermore, it maintains the connection status between UEs and the network, ensuring the continuity and stability of data transmission. In roaming access control, the AMF is also responsible for user access and mobility management. It ensures that only authorized users can access the network by processing user access requests and interacting with network elements such as the Unified Data Management (UDM). In addition, the AMF supports network slicing, allowing it to allocate appropriate network resources to users according to the needs of different application scenarios. In roaming scenarios, the AMF also interacts with AMFs in other networks via signaling to enable access and mobility management for roaming users.

[0052] The signaling gateway in this embodiment is an international signaling gateway, and it has the access and roaming access control functions of the MSC in second-generation communication networks (2G), the MSC in third-generation communication networks (3G), the MME in fourth-generation communication networks (4G), and the AMF network element in fifth-generation communication networks (5G).

[0053] Specifically, the signaling gateway possesses the functions of the MSC in 2G networks and also supports the MSC functions in 3G networks. It can handle call control, mobility management, and data services in 3G networks, ensuring smooth communication and data exchange for 3G users. In 4G networks, the signaling gateway integrates the functions of the MME. The MME is a core control plane element in 4G networks, responsible for user mobility management, session management, and security control, and is crucial for providing efficient data services. For 5G networks, the signaling gateway possesses the roaming access control function from the AMF element. The AMF is one of the core control plane elements in 5G networks, responsible for user access authentication, mobility management, and session management. By integrating the roaming access control function of the AMF, the signaling gateway can support access and mobility management for 5G users in roaming scenarios, ensuring users can enjoy seamless communication services globally.

[0054] Optionally, the signaling gateway may be equipped with signaling transfer point (STP) network elements, diameter routing agent (DRA) network elements, and network repository function (NRF) network elements.

[0055] Understandably, an STP (Signaling Transfer Point) is a signaling point that has the function of transferring signaling messages from one signaling link to another. It is a core device of the SS7 signaling network, responsible for forwarding signaling messages in the signaling network and ensuring that signaling messages can reach their destination accurately and in a timely manner.

[0056] In communication networks, the DRA (Diameter Routing Agent) element acts as a routing agent, responsible for forwarding signaling messages in the signaling network and selecting the optimal transmission path according to a predetermined routing strategy. The DRA can optimize the transmission path of signaling messages, improving the transmission efficiency and reliability of the signaling network.

[0057] The NRF (Network Repository Function) element is one of the network functions in the 5G core network. It is responsible for managing all Network Functions (NFs) that support service-oriented interfaces in the 5G network. The NRF supports service discovery, receiving service discovery requests from NF instances and providing the requester with relevant NF instance information. Furthermore, the NRF maintains NF configuration files for available NF instances and their supporting services, ensuring the correct registration, updating, and deregistration of network functions.

[0058] In one exemplary embodiment, as shown in Figure 2, a roaming access control method is provided. The method is explained using its application to the signaling gateway in Figure 1 as an example.

[0059] S201, in response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, determine the target terminal's access rights to the VPLMN based on the terminal identifier of the target terminal carried in the access request.

[0060] In this embodiment, the target terminal is a registered overseas user. The HPLMN, as the user's home network, stores important user information such as user identity, subscription status, and roaming permissions. When a user roams internationally, the access network (VPLMN) needs to communicate with the HPLMN to verify the user's legitimacy and roaming permissions.

[0061] Optionally, the target terminal initiates an access request through its corresponding roaming access control node. The roaming access control node is a Mobile Switching Center (MSC) in 2G / 3G, a Mobility Management Entity (MME) in 4G, or an Access and Mobility Management Function (AMF) network element in 5G.

[0062] Optionally, the signaling gateway determines the target terminal's access rights to the VPLMN based on the terminal identifier carried in the access request. The terminal identifier includes IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity). Determining access rights involves querying the Home Location Register (HLR), Visitor Location Register (VLR), or the corresponding user database to verify the terminal's legitimacy, subscription status, roaming agreement, etc.

[0063] S202, based on access permissions, connect the target terminal to the VPLMN or restrict the target terminal's access to the VPLMN.

[0064] Understandably, by querying user information in the HPLMN, such as user identity, subscription status, and roaming permissions, the target terminal's access permissions to the VPLMN are determined.

[0065] If the target terminal has legitimate access rights and meets all necessary roaming conditions (such as a roaming agreement being reached, and the user account status being normal), the VPLMN will allow the target terminal to access its network. After access, the target terminal can enjoy services provided by the VPLMN, such as voice calls, SMS, and data traffic. If the target terminal does not have legitimate access rights, or if other restrictive factors exist (such as user arrears, a failed roaming agreement, or the terminal being blacklisted), the VPLMN will restrict the target terminal's access to its network. This restriction may manifest as refusing access requests, providing limited services (such as allowing only emergency calls), or completely interrupting service.

[0066] The roaming access control node (such as the MSC in 2G / 3G, MME in 4G, or AMF in 5G) is responsible for receiving and forwarding access requests from target terminals. The signaling gateway participates in the access request processing and determines access permissions based on the terminal identifier (such as IMSI or IMEI). The signaling gateway communicates with the Home Location Register (HLR), Visitor Location Register (VLR), or the corresponding user database to verify the terminal's legitimacy, subscription status, and roaming agreement.

[0067] In the aforementioned roaming access control method, this application centralizes roaming access control on the signaling gateway, avoiding complex network configurations on each roaming access control node. This significantly simplifies the process for new operators to activate roaming access, reducing repetitive work and the risk of configuration errors. Because roaming access control is centralized on the signaling gateway, rather than distributed across various roaming access control nodes, the number of nodes requiring maintenance and management is significantly reduced, lowering maintenance costs and workload.

[0068] In one exemplary embodiment, as shown in Figure 3, determining the access permissions of the target terminal to the HPLMN based on the terminal identifier of the target terminal carried in the access request includes:

[0069] S301, perform a consistency match between the terminal identifier of the target terminal carried in the access request and the terminal identifiers of each authorized terminal in the locally stored whitelist.

[0070] Understandably, the terminal identifier is the International Mobile Subscriber Identity (IMSI) or International Mobile Equipment Identity (IMEI), used to uniquely identify a terminal device. The whitelist is a predefined list containing all terminal identifiers authorized to access the VPLMN (Home Public Land Mobile Network). The terminal identifier in the access request is compared one by one with the identifiers in the whitelist to check for consistency.

[0071] S302, if the terminal identifier of the target terminal is consistent with the terminal identifier of any authorized terminal in the whitelist, then the target terminal's access permission to the VPLMN is determined to be allowed.

[0072] Understandably, if the target terminal's terminal identifier matches the terminal identifier of any authorized terminal in the whitelist, then the target terminal's access permission to the VPLMN is determined to be permitted. If the match is successful, it means that the target terminal is authorized and therefore allowed to access the VPLMN. This means that the target terminal can continue with the subsequent roaming access process and enjoy the various services provided by the VPLMN.

[0073] S303, if the terminal identifier of the target terminal is inconsistent with the terminal identifiers of all authorized terminals in the whitelist, then the target terminal's access permission to the VPLMN is determined to be restricted access.

[0074] If the target terminal's terminal identifier does not match any of the authorized terminals in the whitelist, then the target terminal's access to the VPLMN is determined to be restricted. If the match fails, it means the target terminal is not authorized, and therefore its access to the VPLMN is restricted. This means the target terminal's access request will be rejected, or it can only enjoy limited services (such as emergency calls).

[0075] In this embodiment, a whitelist-based access permission verification mechanism is used to determine the target terminal's access permission to the VPLMN in international roaming scenarios, thereby ensuring network security.

[0076] In one exemplary embodiment, as shown in Figure 4, connecting the target terminal to the VPLMN or restricting the target terminal's access to the VPLMN according to the access permissions includes:

[0077] S401, if the access permission is allowed, the access request is forwarded to the HPLMN so that the HPLMN can complete the access registration process for the target terminal to access the VPLMN.

[0078] Understandably, the purpose of forwarding the access request to the HPLMN is to verify the terminal's identity, subscription status, roaming agreement, etc., and to ensure that all necessary information and permissions have been correctly set. It also instructs the HPLMN to perform the necessary signaling interactions with the VPLMN so that the VPLMN allocates the necessary network resources to the terminal, such as temporary mobile user identity and location area information.

[0079] Once the registration process is complete, the target terminal can use the services provided by the VPLMN, such as voice calls, SMS, and data traffic. Simultaneously, both the HPLMN and VPLMN will update their respective records to reflect the target terminal's current status and location.

[0080] S402, if the access permission is restricted access, a restricted access instruction is generated and sent to the target terminal through the roaming access control node corresponding to the target terminal to restrict the target terminal from accessing the VPLMN.

[0081] Access restriction instructions can be denial codes. Access restriction instructions inform the target terminal that its access permissions are restricted and include the reason for the denial or suggested follow-up actions. A denial code is a common type of access restriction instruction; it is typically a standard code or message indicating the reason for the access denial. For example, a denial code might indicate "Terminal unauthorized," "Roaming agreement not reached," or "Terminal blacklisted."

[0082] Optionally, the roaming access control node (such as MSC, MME, or AMF) corresponding to the target terminal can send an access restriction instruction (such as a rejection code) to the target terminal. The roaming access control node is responsible for transmitting the instruction to the target terminal.

[0083] Upon receiving an access restriction instruction, the target terminal parses the instruction and takes appropriate action. For example, if a denial code is received, the terminal will display an error message informing the user of the reason for the access denial. The target terminal is restricted from accessing the VPLMN and cannot enjoy its services such as voice calls, SMS, and data traffic.

[0084] Furthermore, in mobile communication networks, different network types (such as 2G, 3G, 4G, and 5G) use different technical standards and protocols. Therefore, when it is necessary to restrict a target terminal's access to a network (VPLMN), the generated access restriction instruction needs to be customized according to the network type. In an exemplary embodiment, generating the access restriction instruction includes: generating an access restriction instruction corresponding to the target network type based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs.

[0085] Optionally, based on the determined target network type, a restricted access instruction corresponding to that network type is selected. For example, a specific rejection code is used for 2G networks; a different rejection code or message format is used for 5G networks. A specific restricted access instruction is generated based on the selected restricted access instruction template or rule. The generated restricted access instruction is then sent to the target terminal via the roaming access control node.

[0086] It is understandable that different network standards (such as 2G, 3G, 4G, and 5G) use different technical standards, frequency bands, and protocols. By adjusting the network standard, it can be ensured that the target terminal can communicate smoothly with its communication network, avoiding communication failures caused by standard incompatibility.

[0087] Accordingly, the roaming access control node corresponding to the target terminal sends the access restriction instruction to the target terminal, including: sending the access restriction instruction to the roaming access control node corresponding to the target terminal to instruct the roaming access control node to convert the access restriction instruction to a format according to the network standard corresponding to the target network type, and then sending the format-converted access restriction instruction to the target terminal.

[0088] Specifically, after receiving an access restriction instruction, the roaming access control node converts the instruction's format according to the network type (e.g., 2G, 3G, 4G, 5G) of the target terminal's network. Different network types use different signaling protocols, message formats, or encoding methods, thus requiring format conversion to ensure the instruction can be correctly understood by the target terminal. After completing the format conversion, the roaming access control node sends the converted access restriction instruction to the target terminal. Upon receiving the instruction, the target terminal parses its content and takes corresponding actions, such as displaying error messages or restricting certain functions.

[0089] In this embodiment, by converting the format, it can be ensured that the access restriction command is compatible with the network standard of the network where the target terminal is located, thus avoiding communication failures or commands that cannot be correctly understood due to standard incompatibility.

[0090] In one exemplary embodiment, as shown in Figure 5, a schematic diagram of the interaction flow corresponding to a roaming access method is provided, which specifically includes:

[0091] 1. The target terminal UE initiates an access request to the roaming access control node corresponding to the target terminal.

[0092] An access request is used to request access to the VPLMN network.

[0093] 2. The roaming access control node corresponding to the target terminal forwards the access request to the signaling gateway.

[0094] 3. The signaling gateway determines the target terminal's access permissions to the VPLMN.

[0095] 4. If the access permission is set to Allow, the access request will be forwarded to HPLMN.

[0096] 5. If the access permission is restricted, a restricted access instruction is generated and sent to the roaming access control node corresponding to the target terminal.

[0097] 6. The roaming access control node corresponding to the target terminal will send an access restriction instruction to the target terminal.

[0098] This restricts the target terminal's access to the VPLMN.
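The gateway decision in steps 3 to 5 above, combining the IMEI whitelist match with the per-network-type restriction instruction, as an added Python example (not code from the patent). The template codes, the `FORWARD`/`RESTRICT` labels, the node ids and the sample IMEIs are constructed; reducing a 15-digit IMEI and a 16-digit IMEISV to one 14-digit key, and restricting on a malformed identifier, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the patent only says each network type gets its own
# rejection code or format. These are not real 3GPP cause values.
TEMPLATES = {
    "2G": ("MSC", "PLACEHOLDER-2G-REJECT"),
    "3G": ("MSC", "PLACEHOLDER-3G-REJECT"),
    "4G": ("MME", "PLACEHOLDER-4G-REJECT"),
    "5G": ("AMF", "PLACEHOLDER-5G-REJECT"),
}
FALLBACK = ("UNKNOWN", "PLACEHOLDER-GENERIC-REJECT")


def luhn_ok(imei15: str) -> bool:
    """Validate the check digit of a 15-digit IMEI."""
    total = 0
    for pos, ch in enumerate(reversed(imei15)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def device_key(identifier: str) -> Optional[str]:
    """Return the 14-digit TAC+serial used for matching, or None if malformed.

    A 15-digit IMEI ends in a Luhn check digit; a 16-digit IMEISV ends in a
    2-digit software version. Both reduce to the same 14-digit device key.
    """
    digits = re.sub(r"[\s-]", "", identifier)
    if not re.fullmatch(r"[0-9]{15,16}", digits):
        return None
    if len(digits) == 15 and not luhn_ok(digits):
        return None
    return digits[:14]


@dataclass(frozen=True)
class Decision:
    action: str                         # "FORWARD" or "RESTRICT"
    next_hop: str                       # "HPLMN" or the requesting node id
    instruction: Optional[dict] = None  # set only when action == "RESTRICT"


class SignalingGateway:
    def __init__(self, whitelist):
        keys = [device_key(i) for i in whitelist]
        if None in keys:
            raise ValueError("whitelist contains a malformed IMEI")
        self._allowed = frozenset(keys)

    def handle(self, imei: str, network_type: str, node_id: str) -> Decision:
        # The IMEI is reported by the terminal itself, so this check is a
        # policy filter and not proof of device identity.
        key = device_key(imei)
        if key is not None and key in self._allowed:       # steps 3-4
            return Decision("FORWARD", "HPLMN")
        node_kind, code = TEMPLATES.get(network_type, FALLBACK)  # step 5
        reason = "Terminal unauthorized" if key else "Malformed terminal identifier"
        return Decision("RESTRICT", node_id, {   # node relays it in step 6
            "network_type": network_type, "node_kind": node_kind,
            "code": code, "reason": reason})


# Constructed sample whitelist (documentation-style IMEI, not a real subscriber).
GATEWAY = SignalingGateway(["49-015420-323751-8"])
```

Format conversion for the terminal stays with the roaming access control node named in `next_hop`; the gateway only selects the template.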

[0099] It should be understood that although the steps in the flowcharts of the above embodiments are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the above embodiments may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.

[0100] Based on the same inventive concept, this application also provides a roaming access control device for implementing the roaming access control method described above. The solution provided by this device is similar to the solution described in the above method; therefore, the specific limitations in one or more roaming access control device embodiments provided below can be found in the limitations of the roaming access control method described above, and will not be repeated here.

[0101] In one exemplary embodiment, as shown in Figure 6, a roaming access control device is provided, configured in a signaling gateway. The signaling gateway is deployed between the home public land mobile network (HPLMN) and the visited public land mobile network (VPLMN), and is connected to roaming access control nodes already deployed within the VPLMN. The device includes:

[0102] The response module 11 is used to respond to the access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, and determine the access rights of the target terminal to the VPLMN based on the terminal identifier of the target terminal carried in the access request.

[0103] Access control module 12 is used to connect the target terminal to the VPLMN or restrict the target terminal's access to the VPLMN according to access permissions.

[0104] In one embodiment, the access control module 12 is further configured to: perform consistency matching between the terminal identifier of the target terminal carried in the access request and the terminal identifiers of each authorized terminal in the locally stored whitelist;

[0105] If the terminal identifier of the target terminal matches the terminal identifier of any authorized terminal in the whitelist, then the target terminal's access permission to VPLMN is determined to be allowed.

[0106] If the terminal identifier of the target terminal does not match the terminal identifiers of any of the authorized terminals in the whitelist, then the target terminal's access permission to the VPLMN is determined to be restricted.

[0107] In one embodiment, the access control module 12 is further configured to: if the access permission is allowed, forward the access request to the VPLMN so that the HPLMN can complete the access registration process for the target terminal to access the VPLMN;

[0108] If the access permission is restricted, a restricted access instruction is generated and sent to the target terminal through the roaming access control node corresponding to the target terminal to restrict the target terminal's access to the VPLMN.

[0109] In one embodiment, the access control module 12 is further configured to: generate a restricted access instruction corresponding to the target network type based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs;

[0110] Accordingly, the access restriction instruction is sent to the target terminal through the roaming access control node corresponding to the target terminal, including:

[0111] The access restriction instruction is sent to the roaming access control node corresponding to the target terminal, instructing the roaming access control node to convert the access restriction instruction into a format according to the network standard corresponding to the target network type, and then send the format-converted access restriction instruction to the target terminal.

[0112] In one embodiment, the roaming access control node deployed within the VPLMN includes at least one of the following: a Mobile Switching Center (MSC) in a 2G network, a Mobile Switching Center (MSC) in a 3G network, a Mobility Management Entity (MME) in a 4G network, and an Access and Mobility Management Function (AMF) network element in a 5G network.

[0113] In one embodiment, the signaling gateway is equipped with a signaling transfer point (STR) network element, a routing agent node (DRA) network element, and a Network Repository Function (NRF) network element.

[0114] Each module in the aforementioned roaming access control device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of the signaling gateway in hardware form or independent of it, or stored in the memory of the signaling gateway in software form, so that the processor can call and execute the corresponding operations of each module.

[0115] In one exemplary embodiment, a signaling gateway is provided, which may be a server, and its internal structure may be as shown in Figure 7. The signaling gateway includes a processor, memory, input/output (I/O) interfaces, and a communication interface. The processor, memory, and I/O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I/O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores data for roaming access control methods. The I/O interfaces are used for information exchange between the processor and external devices. The communication interface is used for communication with external terminals via a network connection. When the computer program is executed by the processor, it implements a roaming access control method.

[0116] Those skilled in the art will understand that the structure shown in Figure 7 is merely a block diagram of a portion of the structure related to the solution of this application and does not constitute a limitation on the signaling gateway to which the solution of this application is applied. A specific signaling gateway may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0117] In one exemplary embodiment, a signaling gateway is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:

[0118] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the VPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0119] Depending on access permissions, the target terminal can be connected to the VPLMN or its access to the VPLMN can be restricted.

[0120] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:

[0121] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the VPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0122] Depending on access permissions, the target terminal can be connected to the VPLMN or its access to the VPLMN can be restricted.

[0123] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:

[0124] In response to an access request initiated by the target terminal through the roaming access control node corresponding to the target terminal, the access permissions of the target terminal to the VPLMN are determined based on the terminal identifier of the target terminal carried in the access request.

[0125] Depending on access permissions, the target terminal can be connected to the VPLMN or its access to the VPLMN can be restricted.

[0126] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.

[0127] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.

[0128] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.

[0129] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A roaming access control method, characterized in that the method, applied to a signaling gateway deployed between a Home Public Land Mobile Network (HPLMN) and a Visited Public Land Mobile Network (VPLMN) and connected to a roaming access control node already deployed within the VPLMN, includes: in response to an access request initiated by a target terminal through the roaming access control node corresponding to the target terminal, the terminal identifier of the target terminal carried in the access request is matched against the terminal identifiers of each authorized terminal in the locally stored whitelist; the terminal identifier is the International Mobile Equipment Identity (IMEI); if the terminal identifier of the target terminal matches the terminal identifier of any authorized terminal in the whitelist, the target terminal's access permission to the VPLMN is determined to be allowed; if the terminal identifier of the target terminal does not match the terminal identifiers of any authorized terminal in the whitelist, the target terminal's access permission to the VPLMN is determined to be restricted; based on the access permissions, the target terminal may be connected to the VPLMN or its access to the VPLMN may be restricted.

2. The method according to claim 1, characterized in that the step of connecting the target terminal to the VPLMN or restricting the target terminal's access to the VPLMN according to the access permissions includes: if the access permission is allowed, the access request is forwarded to the VPLMN so that the HPLMN can complete the access registration process for the target terminal to access the VPLMN; if the access permission is restricted, a restricted access instruction is generated and sent to the target terminal through the roaming access control node corresponding to the target terminal, so as to restrict the target terminal from accessing the VPLMN.

3. The method according to claim 2, characterized in that the generation of restricted access instructions includes: based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs, generating a restricted access instruction corresponding to the target network type; accordingly, sending the access restriction instruction to the target terminal through the roaming access control node corresponding to the target terminal includes: the access restriction instruction is sent to the roaming access control node corresponding to the target terminal, so that the roaming access control node can convert the access restriction instruction according to the network standard corresponding to the target network type, and send the format-converted access restriction instruction to the target terminal.

4. The method according to claim 3, characterized in that the step of generating a restricted access instruction corresponding to the target network type based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs includes: based on the target network type of the communication network to which the roaming access control node corresponding to the target terminal belongs, selecting the restricted access instruction template corresponding to the target network type; based on the selected restricted access instruction template, generating the restricted access instruction corresponding to the target network type.

5. The method according to any one of claims 1-4, characterized in that the roaming access control nodes deployed within the VPLMN include at least one of the following: a Mobile Switching Center (MSC) in a 2G network, a Mobile Switching Center (MSC) in a 3G network, a Mobility Management Entity (MME) in a 4G network, and an Access and Mobility Management Function (AMF) network element in a 5G network.

6. The method according to any one of claims 1-4, characterized in that the signaling gateway is equipped with a signaling transfer point (STR) network element, a routing agent node (DRA) network element, and a Network Repository Function (NRF) network element.

7. A roaming access control device, characterized in that the device is configured in a signaling gateway, which is deployed between the home public land mobile network (HPLMN) and the visited public land mobile network (VPLMN) and connected to the roaming access control node already deployed within the VPLMN. The device includes: a response module, used to respond to an access request initiated by a target terminal through the roaming access control node corresponding to the target terminal, and to perform a consistency match between the terminal identifier of the target terminal carried in the access request and the terminal identifiers of each authorized terminal in the locally stored whitelist; the terminal identifier is the International Mobile Equipment Identity (IMEI); if the terminal identifier of the target terminal matches the terminal identifier of any authorized terminal in the whitelist, then the target terminal's access permission to the VPLMN is determined to be allowed; if the terminal identifier of the target terminal does not match the terminal identifiers of any authorized terminal in the whitelist, then the target terminal's access permission to the VPLMN is determined to be restricted; and an access control module, used to, based on the access permissions, allow the target terminal to access the VPLMN or restrict the target terminal from accessing the VPLMN.

8. A signaling gateway, comprising a memory and a processor, wherein the memory stores a computer program, characterized in that when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program, characterized in that when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.