Method performed by a node in a wireless communication system and node

By receiving and processing security configuration information, utilizing a third node to process data and optimize network operations, the increased complexity of dual-connectivity technology for user equipment in 6G communication systems is resolved, achieving more efficient data transmission and network resource management.

CN122227259APending Publication Date: 2026-06-16BEIJING SAMSUNG TELECOM R&D CENT +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING SAMSUNG TELECOM R&D CENT
Filing Date
2024-12-13
Publication Date
2026-06-16

Smart Images

  • Figure CN122227259A_ABST
    Figure CN122227259A_ABST
Patent Text Reader

Abstract

According to one aspect of the disclosure, a method performed by a user equipment in a wireless communication system is provided, comprising: receiving a first configuration message containing security configuration information of data transmitted by a first node, the data being processed and / or transmitted by a third node when the user equipment moves between nodes in which at least one cell is located, determining the security configuration information in a cell handover procedure.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to wireless communication technology, and more particularly to methods for execution by nodes in a wireless communication system and the various nodes themselves. Background Technology

[0002] Given the successive generations of wireless communication development, these technologies have primarily been developed for human-oriented services such as voice calls, multimedia services, and data services. With the commercialization of 5th-generation (5G) communication systems, the number of connected devices is expected to grow exponentially. These will increasingly connect to communication networks. Examples of the Internet of Things (IoT) can include vehicles, robots, drones, home appliances, displays, smart sensors connected to various infrastructures, construction machinery, and factory equipment. Mobile devices are expected to evolve in various forms, such as augmented reality glasses, virtual reality headsets, and holographic devices. Efforts are underway to develop improved 6G communication systems to provide a wide range of services by connecting hundreds of billions of devices and things in the sixth-generation (6G) era. For these reasons, 6G communication systems are referred to as "beyond 5G" systems.

[0003] The 6G communication system, which is expected to be commercialized around 2030, will have peak data rates in the megabit (1,000 gigabits) bps range and radio latency of less than 100 μsec. Therefore, it will be 50 times the data rate of the 5G communication system and have 1 / 10 of its radio latency.

[0004] To achieve such high data rates and ultra-low latency, 6G communication systems have been considered for implementation in the terahertz band (e.g., the 95 GHz to 3 THz band). It is anticipated that, due to more severe path loss and atmospheric absorption in the terahertz band compared to the millimeter wave (mmWave) band introduced in 5G, technologies capable of ensuring signal transmission distance (i.e., coverage) will become even more critical. As a key technology for ensuring coverage, it is necessary to develop radio frequency (RF) components, antennas, and novel waveforms with better coverage than orthogonal frequency division multiplexing (OFDM), beamforming, massive MIMO (multiple input multiple output), full dimensional multiple input multiple output (FD-MIMO), array antennas, and multi-antenna transmission technologies such as massive MIMO. In addition, new technologies for improving terahertz band signal coverage have been discussed, such as metamaterial-based lenses and antennas, orbital angular momentum (OAM), and reconfigurable intelligence surfaces (RIS).

[0005] In addition, to improve spectrum efficiency and overall network performance, the following technologies have been developed for 6G communication systems: full-duplex technology to enable uplink and downlink transmissions to use the same frequency resources simultaneously; network technologies that utilize satellites, high-altitude platform stations (HAPS), etc., in a comprehensive manner; improved network architecture to support mobile base stations, etc., and to enable network operation optimization and automation; dynamic spectrum sharing technology based on spectrum usage prediction and conflict avoidance; the use of artificial intelligence (AI) in wireless communication to improve overall network operation by utilizing AI from the design phase of 6G development and internalizing end-to-end AI support functions; and next-generation distributed computing technologies that overcome the computing power limitations of user equipment (UE) by leveraging ultra-high-performance communication and computing resources (such as mobile edge computing (MEC), cloud, etc.) achievable on the network. Furthermore, efforts are continuing to enhance connectivity between devices, optimize networks, promote the software-defined networking of network entities, and increase the openness of wireless communications by designing new protocols to be used in 6G communication systems, developing mechanisms for achieving hardware-based secure environments and secure data use, and developing technologies for maintaining privacy.

[0006] The research and development of 6G communication systems, encompassing hyper-connectivity for both person-to-machine (P2M) and machine-to-machine (M2M) interactions, is expected to deliver the next wave of hyper-connected experiences. Specifically, services such as truly immersive extended reality (XR), high-fidelity mobile holograms, and digital replicas are anticipated to be provided through 6G communication systems. Furthermore, services such as remote surgery for enhanced security and reliability, industrial automation, and emergency response will be available via 6G communication systems, enabling the technology to be applied across a wide range of sectors including industry, healthcare, automotive, and home appliances.

[0007] To improve user equipment (UE) throughput, dual connectivity technology has become a crucial approach, allowing a single UE to establish connections with two base stations simultaneously and transmit data. However, because a UE needs to maintain connections with two base stations, dual connectivity increases the complexity of UE resource management and mobility management, thus increasing UE design complexity. In future 6G systems, reducing UE complexity while simultaneously improving throughput is a pressing issue that needs to be addressed. Summary of the Invention

[0008] This disclosure provides a network node, a method for node execution, and the network node itself. The technical solution provided by this disclosure is as follows:

[0009] This disclosure provides a method executed by a user equipment in a wireless communication system, comprising: receiving a first configuration message containing security configuration information of data sent by a first node;

[0010] Based on the first configuration message, determine the security configuration required when switching to at least one of the cells;

[0011] The data belongs to at least one of the following planes: control plane, user plane, and data plane;

[0012] The data is processed and / or transmitted by a third node when the user equipment moves between the second nodes where the at least one cell is located.

[0013] According to embodiments of this disclosure, the security configuration information of the data also includes at least one of the following: information related to the security algorithm, security indication information indicating configuration information of the key, key indication information indicating the key used for key updates, and first applicable information indicating the scope of application of the security configuration information related to the data.

[0014] According to embodiments of this disclosure, the first configuration message also includes configuration information of the at least one cell, wherein the at least one cell may be at least one of a serving cell, a target cell, and a candidate cell;

[0015] The configuration information of the at least one cell includes at least one of the following: second cell identification information, configured identification information, range indication information of the cell indicated by the "second cell identification information", security configuration information used by the user equipment when accessing the cell indicated by the "second cell identification information", and at least one of auxiliary information and identification information required for generating a key when the user equipment accesses the cell indicated by the "second cell identification information".

[0016] According to embodiments of this disclosure, the third node is further included for processing at least one of control plane data, user plane data, and data plane data; and / or

[0017] The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or

[0018] The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

[0019] According to embodiments of this disclosure, the second node is a base station where the at least one cell is located, or a centralized unit of the base station, or a control plane portion of the centralized unit of the base station.

[0020] According to embodiments of this disclosure, the first configuration message is also sent by the first node after receiving at least one of the following messages:

[0021] The second configuration message sent by the third node provides auxiliary information for generating security-related configurations and / or provides security-related configuration information;

[0022] The first configuration response message sent by the third node is used to provide configuration information for the data after the third node receives the first configuration request message sent by the first node.

[0023] The second configuration response message sent by the second node is used to provide configuration information of the target cell or candidate cell at the second node after the second node receives the second configuration request message sent by the first node.

[0024] According to embodiments of this disclosure, the information related to the security algorithm also includes at least one of the following: full-plane algorithm information for indicating the security algorithm required for data in all planes of the user equipment, partial-plane algorithm information for indicating the security algorithm required for data in at least two planes of the user equipment, and single-plane algorithm information for indicating the security algorithm required for one plane of the user equipment.

[0025] The security indication information includes at least one of the following: a first key change indication information indicating whether the key for data applicable to all planes needs to be changed; a second key change indication information indicating whether the key for data applicable to at least two planes needs to be changed; a third key change indication information indicating whether the key for data applicable to one plane needs to be changed; a key separation indication information indicating whether data for different planes uses different keys; and a key update range indication information used to determine whether a key update is needed.

[0026] The key indication information includes at least one of the following: key information, key update information for updating the key, and first auxiliary information for generating the key;

[0027] The first applicable information includes at least one of the following: area identification information, cell identification information, cell set identification information, candidate configuration identification information, path identification information, and plane indication information.

[0028] According to embodiments of this disclosure, the second configuration message further includes at least one of the following: identification information of the third node, information indicating the service range of the third node, and support information indicating the functions or parameters supported by the third node;

[0029] The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration.

[0030] The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node;

[0031] The second configuration request message includes at least one of the following: first cell request information containing information about the target cell or candidate cell to be requested; second service node information containing information about the node currently serving the data of the user equipment; and cell-related information containing configuration information of at least one target cell or candidate cell configured for the user equipment.

[0032] The second configuration response message includes at least one of the following: first cell response information containing configuration information of the admitted cell, and fourth service node information indicating information about the node that serves the data after the user equipment accesses the admitted cell.

[0033] Embodiments of this disclosure also provide a method executed by a first node in a wireless communication system, comprising: receiving a first configuration response message sent by a third node, the first configuration response message being used to provide configuration information of user equipment data;

[0034] Send a first configuration message containing security configuration information of the data to the user equipment;

[0035] The data belongs to at least one of the following planes: control plane, user plane, and data plane;

[0036] The data is processed and / or transmitted by a third node when the user equipment moves between second nodes in at least one cell.

[0037] According to embodiments of this disclosure, the security configuration information of the data also includes at least one of the following: information related to the security algorithm, security indication information indicating configuration information of the key, key indication information indicating the key used for key updates, and first applicable information indicating the scope of application of the security configuration information related to the data.

[0038] According to embodiments of this disclosure, the first configuration message also includes configuration information of the at least one cell, wherein the at least one cell may be at least one of a serving cell, a target cell, and a candidate cell;

[0039] The configuration information of the at least one cell includes at least one of the following: second cell identification information, configured identification information, range indication information of the cell indicated by the "second cell identification information", security configuration information used by the user equipment when accessing the cell indicated by the "second cell identification information", and at least one of auxiliary information and identification information required for generating a key when the user equipment accesses the cell indicated by the "second cell identification information".

[0040] According to embodiments of this disclosure, the third node is further included for processing at least one of control plane data, user plane data, and data plane data; and / or

[0041] The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or

[0042] The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

[0043] According to embodiments of this disclosure, the method further includes receiving a second configuration message sent by the third node, the second configuration message providing auxiliary information for generating security-related configurations and / or providing security-related configuration information; and / or

[0044] Send a first configuration request message to the third node; and / or

[0045] Send a second configuration request message to the second node; and / or

[0046] Receive a second configuration response message sent by the second node, the second configuration response message being used to provide configuration information of the target cell or candidate cell at the second node; and / or

[0047] Send a first notification message, including the handover information of the user equipment, to the third node.

[0048] According to embodiments of this disclosure, the information related to the security algorithm also includes at least one of the following: full-plane algorithm information for indicating the security algorithm required for data in all planes of the user equipment, partial-plane algorithm information for indicating the security algorithm required for data in at least two planes of the user equipment, and single-plane algorithm information for indicating the security algorithm required for one plane of the user equipment.

[0049] The security indication information includes at least one of the following: a first key change indication information indicating whether the key for data applicable to all planes needs to be changed; a second key change indication information indicating whether the key for data applicable to at least two planes needs to be changed; a third key change indication information indicating whether the key for data applicable to one plane needs to be changed; a key separation indication information indicating whether data for different planes uses different keys; and a key update range indication information used to determine whether a key update is needed.

[0050] The key indication information includes at least one of the following: key information, key update information for updating the key, and first auxiliary information for generating the key;

[0051] The first applicable information includes at least one of the following: area identification information, cell identification information, cell set identification information, candidate configuration identification information, path identification information, and plane indication information.

[0052] According to embodiments of this disclosure, the second configuration message further includes at least one of the following: identification information of the third node, information indicating the service range of the third node, and support information indicating the functions or parameters supported by the third node;

[0053] The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration.

[0054] The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node;

[0055] The second configuration request message includes at least one of the following: first cell request information containing information about the target cell or candidate cell to be requested; second service node information containing information about the node currently serving the data of the user equipment; and cell-related information containing configuration information of at least one target cell or candidate cell configured for the user equipment.

[0056] The second configuration response message includes at least one of the following: first cell response information containing configuration information of the admitted cell, and fourth service node information indicating information about the node serving the data after the user equipment accesses the admitted cell;

[0057] The first notification message includes at least one of the following: target node information, information indicating the data transmission required.

[0058] Embodiments of this disclosure also provide a method executed by a third node in a wireless communication system, comprising: sending a first configuration response message to the first node, the first configuration response message being used to provide configuration information of user equipment data;

[0059] The user equipment processes and / or transmits the data as it moves between second nodes where at least one cell is located;

[0060] The data belongs to at least one of the following planes: control plane, user plane, and data plane;

[0061] The second node is the base station where the at least one cell is located, or the centralized unit of the base station, or the control plane portion of the centralized unit of the base station.

[0062] According to embodiments of this disclosure, it further includes receiving a first configuration request message sent by the first node; and / or

[0063] Send a second configuration message to the first node, the second configuration message providing auxiliary information for generating security-related configurations and / or providing security-related configuration information; and / or

[0064] Receive a first notification message sent by the first node, which includes the handover information of the user equipment.

[0065] According to embodiments of this disclosure, the third node is further included for processing at least one of control plane data, user plane data, and data plane data; and / or

[0066] The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or

[0067] The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

[0068] According to embodiments of this disclosure, the second configuration message further includes at least one of the following: identification information of the third node, information indicating the service range of the third node, and support information indicating the functions or parameters supported by the third node;

[0069] The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration.

[0070] The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node;

[0071] The first notification message includes at least one of the following: target node information, information indicating the data transmission required.

[0072] Embodiments of this disclosure also provide a user equipment or a first node or a second node or a third node in a wireless communication system, comprising: a transceiver for transmitting and receiving signals; and a controller coupled to the transceiver and configured to perform the methods performed by the corresponding user equipment or first node or second node as described above. Attached Figure Description

[0073] Figure 1 This is an exemplary architecture for wireless networks.

[0074] Figure 2 This is an exemplary structural diagram of a base station.

[0075] Figure 3 This is an exemplary structural diagram of a user equipment.

[0076] Figure 4 This is the first schematic diagram of the network structure.

[0077] Figure 5 This is the second schematic diagram of the network structure.

[0078] Figure 6 This is the third schematic diagram of the network structure.

[0079] Figure 7This is the first schematic diagram of the signaling process.

[0080] Figure 8 This is the second schematic diagram of the signaling process.

[0081] Figure 9 This is the third diagram of the signaling process.

[0082] Figure 10 This is the fourth diagram of the signaling process.

[0083] Figure 11 This is the fifth diagram of the signaling process.

[0084] Figure 12 This is the sixth diagram of the signaling process.

[0085] Figure 13 This is the seventh diagram of the signaling process.

[0086] Figure 14 This is the eighth diagram of the signaling process.

[0087] Figure 15 Exemplary structures applicable to the various nodes of this disclosure are shown. Detailed Implementation

[0088] The following description, with reference to the accompanying drawings, is provided to aid in a thorough understanding of the various embodiments of this disclosure as defined by the claims and their equivalents. This description includes various specific details to aid understanding but should be considered exemplary only. Therefore, those skilled in the art will recognize that various changes and modifications can be made to the various embodiments described herein without departing from the scope and spirit of this disclosure. Furthermore, for clarity and brevity, descriptions of well-known functions and structures may be omitted.

[0089] The terms and wording used in the following description and claims are not limited to their dictionary meanings, but are merely used by the inventors to enable a clear and consistent understanding of this disclosure. Therefore, it will be apparent to those skilled in the art that the following description of various embodiments of this disclosure is for illustrative purposes only and not for limiting the purpose of this disclosure as defined in the appended claims and their equivalents.

[0090] It should be understood that the singular forms of “one,” “an,” and “the” include plural references unless the context clearly indicates otherwise. Thus, for example, the reference to “component surface” includes one or more such surfaces.

[0091] The terms “comprising” or “may include” refer to the presence of a corresponding disclosed function, operation, or component that may be used in the various embodiments of this disclosure, rather than limiting the presence of one or more additional functions, operations, or features. Furthermore, the terms “comprising” or “having” may be interpreted as indicating certain characteristics, numbers, steps, operations, constituent elements, components, or combinations thereof, but should not be construed as excluding the possibility of the presence of one or more other characteristics, numbers, steps, operations, constituent elements, components, or combinations thereof.

[0092] The term "or" as used in the various embodiments of this disclosure includes any of the listed terms and all combinations thereof. For example, "A or B" may include A, may include B, or may include both A and B.

[0093] Unless otherwise defined, all terms used in this disclosure (including technical or scientific terms) have the same meaning as understood by one of those skilled in the art as described herein. Common terms as defined in dictionaries are to be interpreted as having a meaning consistent with the context in the relevant technical field and should not be interpreted ideally or overly formally unless expressly defined in this disclosure.

[0094] The accompanying drawings and various embodiments used to describe the principles of this disclosure are for illustrative purposes only and should not be construed as limiting the scope of this disclosure in any way. Those skilled in the art will understand that the principles of this disclosure can be implemented in any suitably arranged system or apparatus.

[0095] Figure 1 An example wireless network according to an embodiment of this disclosure is shown. Figure 1 The embodiments of the wireless network shown are for illustrative purposes only. Other embodiments of the wireless network 100 may be used without departing from the scope of this disclosure.

[0096] like Figure 1 As shown, the wireless network includes a base station (next generation nodeB, gNB or gNodeB) 101, gNB 102, and gNB 103. gNB 101 communicates with gNB 102 and gNB 103. gNB 101 also communicates with at least one network 130 such as the Internet, Internet Protocol (IP) networks, or other data networks.

[0097] gNB 102 provides wireless broadband access to network 130 to multiple first user equipments (UEs) within coverage area 120 of gNB 102. The multiple first UEs include UE 111, which may be located in a small business (SB); UE 112, which may be located in an enterprise (E); UE 113, which may be located in a WiFi hotspot (HS); UE 114, which may be located in a first residence (R1); UE 115, which may be located in a second residence (R2); and UE 116, which may be a mobile device (M) such as a cellular phone, wireless laptop, or wireless personal digital assistant (PDA). gNB 103 provides wireless broadband access to network 130 to multiple second UEs within coverage area 125 of gNB 103. The multiple second UEs include UE 115 and UE 116, and subscriber stations (SS, such as UEs) 117, 118, and 119. In some embodiments, one or more of gNBs 101 and 103 may communicate with each other and UE 111116 using existing wireless communication technologies, and one or more of UEs 111 and 119 may communicate directly with each other (e.g., UE 117 and 119) using other existing or proposed wireless communication technologies.

[0098] Depending on the network type, the term "base station" or "BS" can refer to any component (or set of components) configured to provide wireless access to a network, such as a transmit point (TP), transmit-receive point (TRP), enhanced (or "evolved") base station (eNodeB or eNB), 5G base station (gNB), macro cell, femtocell, wireless fidelity (WiFi) access point (AP), or other wireless-capable devices. A base station can provide wireless access according to one or more wireless communication protocols, such as 3GPP 5G new radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE A), high-speed packet access (HSPA), WiFi 802.11a / b / g / n / ac, etc. For convenience, various names for base station type devices and functions may be used interchangeably in this patent document to refer to network infrastructure components that provide wireless access to remote terminals. Furthermore, depending on the network type, the term "User Equipment" (UE) can refer to any component such as a mobile station (MS), user station (SS), remote terminal, wireless terminal, receiving point, or user device. For convenience, various names for user equipment type devices and functions may be used interchangeably in this patent document to refer to remote wireless devices that wirelessly access the BS regardless of whether the UE is a mobile device (such as a mobile phone or smartphone) or is generally considered a fixed device (such as a desktop computer or vending machine).

[0099] The dashed lines indicate the approximate extent of coverage areas 120 and 125, which are shown as roughly circular for illustrative and explanatory purposes only. It should be clearly understood that coverage areas such as 120 and 125 associated with the gNB can have other shapes, including irregular shapes, depending on the configuration of the gNB and variations in the wireless environment associated with natural and man-made obstacles.

[0100] As described in more detail below, one or more of UEs 111 and 119 include circuitry, programming, or a combination thereof. In some embodiments, one or more of gNBs 101 and 103 include circuitry, programming, or a combination thereof.

[0101] although Figure 1 An example of a wireless network is shown, but more can be found on... Figure 1Various modifications can be made. For example, wireless network 100 can include any number of gNBs and any number of UEs in any suitable arrangement. Furthermore, gNB 101 can communicate directly with any number of UEs and provide those UEs with wireless broadband access to network 130. Similarly, each gNB 102 or 103 can communicate directly with network 130 and provide UEs with direct wireless broadband access to network 130. Additionally, gNBs 101, 102, and / or 103 can provide access to other or additional external networks, such as external telephone networks or other types of data networks.

[0102] Figure 2 An example base station according to an embodiment of the present disclosure is shown. Figure 2 The embodiment of gNB 102 shown is for illustrative purposes only, and Figure 1 gNBs 101 and 103 can have the same or similar configurations. However, gNBs come in a variety of configurations, and Figure 2 This disclosure is not intended to limit the scope to any particular implementation of gNB.

[0103] like Figure 2 As shown, gNB 102 includes multiple antennas 200a 200n, multiple radio frequency (RF) transceivers 201a 201n, transmit (TX) processing circuitry 203, and receive (RX) processing circuitry 204. gNB 102 also includes a controller / processor 205, a memory 206, and a backhaul or network interface 207.

[0104] RF transceivers 201a and 201n receive incoming RF signals, such as signals transmitted by the UE in network 100, from antennas 200a and 200n. RF transceivers 201a and 201n down-convert the incoming RF signals to generate intermediate frequency (IF) or baseband signals. The IF or baseband signal is sent to RX processing circuitry 204, which generates a processed baseband signal by filtering, decoding, and / or digitizing the baseband or IF signal. RX processing circuitry 204 sends the processed baseband signal to controller / processor 205 for further processing.

[0105] TX processing circuit 203 receives analog or digital data (such as voice data, web data, email, or interactive video game data) from controller / processor 205. TX processing circuit 203 encodes, multiplexes, and / or digitizes the outgoing baseband data to generate a processed baseband or IF signal. RF transceivers 201a and 201n receive the processed baseband or IF signal from TX processing circuit 203 and up-convert the baseband or IF signal into an RF signal transmitted via antennas 201a and 201n.

[0106] The controller / processor 205 may include one or more processors or other processing devices that control the overall operation of the gNB 102. For example, the controller / processor 205 may control the reception of forward channel signals and the transmission of reverse channel signals by the RF transceivers 201a 201n, the RX processing circuit 204, and the TX processing circuit 203, according to known principles. The controller / processor 205 may also support additional functions, such as more advanced wireless communication capabilities.

[0107] For example, the controller / processor 205 can support beamforming or directional routing operations, where outgoing signals from multiple antennas 200a 200n are weighted differently to effectively redirect the outgoing signals in the desired direction. Any of a variety of other functions can be supported in the gNB 102 via the controller / processor 205.

[0108] The controller / processor 205 is also capable of executing programs and other processes located in the memory 206, such as the operating system (OS). The controller / processor 205 can move data into or out of the memory 206 as needed by the executing process.

[0109] The controller / processor 205 is also connected to a backhaul or network interface 207. The backhaul or network interface 207 allows the gNB 102 to communicate with other devices or systems via a backhaul connection or over a network. Interface 207 can support communication via any suitable wired or wireless connection(s). For example, when the gNB 102 is implemented as part of a cellular communication system (such as a cellular communication system supporting 5G, LTE, or LTE A), interface 207 can allow the gNB 102 to communicate with other gNBs via a wired or wireless backhaul connection. When the gNB 102 is implemented as an access point, interface 207 can allow the gNB 102 to communicate via a wired or wireless local area network or via a wired or wireless connection to a larger network (such as the Internet). Interface 207 includes any suitable structure that supports communication via wired or wireless connections such as Ethernet or RF transceivers.

[0110] Memory 206 is connected to controller / processor 205. A portion of memory 206 may include random access memory (RAM), and another portion of memory 206 may include flash memory or other read-only memory (ROM).

[0111] although Figure 2 An example of gNB 102 is shown, but it is possible to see more. Figure 2 Various changes can be made. For example, gNB 102 can include any number of Figure 2 Each component is shown in the diagram. As a specific example, an access point may include multiple interfaces 207, and the controller / processor 205 may support routing functionality to route data between different network addresses. As another specific example, although shown as a single instance of TX processing circuitry 203 and a single instance of RX processing circuitry 204, gNB102 may include multiple instances of each (such as one per RF transceiver). For example, Figure 2 The various components can be combined, further subdivided, or omitted, and additional components can be added as needed.

[0112] Figure 3 An example user equipment according to an embodiment of the present disclosure is shown. Figure 3 The embodiment of UE 116 shown is for illustrative purposes only, and Figure 1 UEs 111, 115, 117, and 119 can have the same or similar configurations. However, UEs appear in multiple configurations, and Figure 3 This disclosure is not intended to limit the scope to any particular implementation of the UE.

[0113] like Figure 3 As shown, UE 116 includes an antenna 301, a radio frequency (RF) transceiver 302, a TX processing circuit 303, a microphone 304, and a receive (RX) processing circuit 305. UE 116 also includes a speaker 306, a controller or processor 307, an input / output (I / O) interface (IF) 308, an input device 309, a touchscreen display 310, and memory 311. Memory 311 includes an OS 312 and one or more applications 313.

[0114] RF transceiver 302 receives incoming RF signals transmitted by gNB of network 100 from antenna 301. RF transceiver 302 down-converts the incoming RF signals to generate IF or baseband signals. The IF or baseband signals are sent to RX processing circuitry 305, which generates processed baseband signals by filtering, decoding, and / or digitizing the baseband or IF signals. RX processing circuitry 305 sends the processed baseband signals to speaker 306 (e.g., for voice data) or processor 307 for further processing (e.g., for web browsing data).

[0115] TX processing circuit 303 receives analog or digital voice data from microphone 304 or other outgoing baseband data (such as web data, email, or interactive video game data) from processor 307. TX processing circuit 303 encodes, multiplexes, and / or digitizes the outgoing baseband data to generate a processed baseband or IF signal. RF transceiver 302 receives the processed baseband or IF signal from TX processing circuit 303 and up-converts the baseband or IF signal into an RF signal transmitted via antenna 301.

[0116] Processor 307 may include one or more processors or other processing devices and executes OS 312 stored in memory 311 to control the overall operation of UE 116. For example, processor 307 may control the reception of forward channel signals and the transmission of reverse channel signals by RF transceiver 302, RX processing circuitry 305, and TX processing circuitry 303 according to known principles. In some embodiments, processor 307 includes at least one microprocessor or microcontroller.

[0117] Processor 307 is also capable of executing other processes and programs located in memory 311, such as processes for CSI reporting on the uplink channel. Processor 307 can move data into or out of memory 311 as needed for executing processes. In some embodiments, processor 307 is configured to execute application 313 based on OS 312 or in response to signals received from gNB or operator. Processor 307 is also coupled to I / O interface 308, which provides UE 116 with the ability to connect to other devices such as laptops and laptops. I / O interface 308 is the communication path between these accessories and processor 307.

[0118] The processor 307 is also connected to the touchscreen display 310. The user of the UE 116 can use the touchscreen display 310 to input data into the UE 116. The touchscreen display 310 can be a liquid crystal display, a light-emitting diode display, or other display capable of rendering text and / or at least limited graphics such as those from a website.

[0119] Memory 311 is connected to processor 307. A portion of memory 311 may include RAM, and another portion of memory 311 may include flash memory or other ROM.

[0120] although Figure 3 An example of UE 116 is shown, but it is possible to modify it. Figure 3 Make various changes. For example, Figure 3 The various components can be combined, further subdivided, or omitted, and additional components can be added as needed. As a specific example, processor 307 can be divided into multiple processors, such as one or more central processing units (CPUs) and one or more graphics processing units (GPUs). Moreover, although... Figure 3 The UE 116 is shown configured as a mobile phone or smartphone, but the UE can be configured to operate as other types of mobile or fixed devices.

[0121] The text and accompanying drawings in this disclosure are provided by way of example only to aid in understanding this disclosure. They should not be construed as limiting the scope of this disclosure in any way. Although certain embodiments and examples have been provided, it will be apparent to those skilled in the art, based on the content disclosed herein, that changes may be made to the illustrated embodiments and examples without departing from the scope of this disclosure.

[0122] In this disclosure, the message names are merely examples, and other message names may also be used.

[0123] In this disclosure, the use of terms such as "first" and "second" in message names is only used to distinguish one message from another and does not represent the order of execution or transmission.

[0124] Detailed descriptions of steps that are not relevant to this disclosure have been omitted in this disclosure.

[0125] In this disclosure, the steps in each process can be executed in combination or individually. The execution steps of each process are merely examples, and other possible execution steps and / or sequences are not excluded.

[0126] In this disclosure, the base station can be one of the following types (and other types of devices that can be used for user equipment access are not excluded):

[0127] n Long Term Evolution (LTE) base station;

[0128] n 5G base station;

[0129] n 6G base station

[0130] n RAN nodes;

[0131] n Non-Terrestrial Networks (NTN) base stations;

[0132] n High Altitude Platform Station (HAPS) base station;

[0133] n Drone base station; and

[0134] n WIFI access point.

[0135] In wireless networks, to ensure the security of user equipment (UE) data, the network configures UEs with security-related settings. Based on these settings, UEs generate security keys and encrypt data transmission. During UE movement, these security configurations may be updated, such as security keys, necessitating corresponding updates to other UE configurations. For example, the Packet Data Convergence Protocol (PDCP) layer and the Radio Link Control (RLC) layer may need to be rebuilt. These configuration updates can cause data transmission interruptions or slowdowns during UE movement, impacting user experience. Therefore, minimizing data transmission interruptions or slowdowns during UE movement is a pressing issue.

[0136] The user equipment data considered in this invention can be divided into different planes, which can be transmitted over the air interface by a radio bearer (RB). Examples of these planes include:

[0137] Control plane (CP): Control plane data mainly consists of control signaling for user equipment. An example is Radio Resource Control (RRC) signaling.

[0138] The signaling is transmitted via a Signaling Radio Bearer (SRB).

[0139] User Plane (UP): User plane data primarily consists of application layer data from user equipment. An example is data transmitted via a Data Radio Bearer (DRB). This data can be session data, packet data unit session (PDUSession) data, flow data, Quality of Service (QoS) flow data, or Internet Protocol (IP) data.

[0140] Internet Protocol (IP) stream data.

[0141] Data plane (DP): Data plane data is auxiliary data provided by the user equipment to the network side or by the network side to the user equipment. One possible use of this data is for training or inference of artificial intelligence algorithms or models. An example is data transmitted by a specific bearer (such as an AI wireless bearer), or data transmitted by a specific DRB, or data transmitted by a specific SRB.

[0142] The control plane, user plane, and data plane described above are merely examples of user data planes, and other planes are not excluded. The following description in this invention applies to data in any one or more planes.

[0143] For ease of description, the following two types of planes are defined in the description of this invention:

[0144] n First plane: This plane is at least one of the planes mentioned above.

[0145] n Second plane: This plane is at least one plane that is different from the first plane mentioned above, and can also be called a non-first plane.

[0146] In one example, the first plane is a control plane and the second plane is a non-control plane (such as a user plane or a data plane). In another example, the first plane is a user plane and the second plane is a non-user plane (such as a control plane or a data plane). In yet another example, the first plane is a data plane and the second plane is a non-data plane (such as a control plane or a user plane).

[0147] In addition to user equipment, the present invention may involve the following possible nodes:

[0148] First node: a base station, or a centralized unit of a base station, or a control plane portion of a centralized unit of a base station. In one example, the first node may be a first base station, or a centralized unit of a first base station, or a first plane portion of a centralized unit of a first base station (such as the control plane portion of a centralized unit of a first base station);

[0149] The second node: a base station, or a centralized unit of a base station, or a control plane portion of a centralized unit of a base station. This node differs from the first node. In one example, the first node could be a second base station, or a centralized unit of a second base station, or a first plane portion of a centralized unit of a second base station (such as the control plane portion of a centralized unit of a second base station).

[0150] The third node: This entity is a network-side device or a part of the functionality of a network-side device. Its main purpose is to process and / or transmit data from a portion of the plane (such as user data other than control plane data, which includes data from one or more planes, such as user plane data, data plane data, user plane and data plane data, etc.) or all planes. If this node is only used for user plane data, it can also be called a user plane entity (UP); if it is only used for data plane data, it can also be called a data plane entity (DP).

[0151] In one example, the node is a standalone node; in another example, the node is part of the functionality of a base station or core network node; in yet another example, the node is a core network device, such as a device for user plane data processing and transmission (e.g., a user plane function entity: UPF), or a device for data plane data processing and transmission (e.g., a data plane function entity: DPF).

[0152] n Fourth node: The distribution unit of the base station; in one example, the fourth node is the first distribution unit.

[0153] The fifth node: a distribution unit for the base station, distinct from the fourth node.

[0154] In one example, the fifth node is the second distribution unit;

[0155] The sixth node: The second plane portion of the centralized unit of the base station, which is used to process and transmit data of the second plane, that is, the node is used to process data of at least one plane other than the first plane among multiple plane data of the user equipment. In one example, the sixth node is the user plane portion of the first centralized unit, which is used to process user plane data of the user equipment. In another example, the sixth node is the data plane portion of the first centralized unit, which is used to process data plane data of the user equipment.

[0156] The seventh node: The second plane portion of the centralized unit of the base station. This node is distinct from the sixth node. In one example, the seventh node is the user plane portion of the second centralized unit, used to process user plane data of user equipment. In another example, the seventh node is the data plane portion of the second centralized unit, used to process data plane data of user equipment.

[0157] The nodes mentioned above can be different nodes or the same node. If they are the same node, in one example, the node can be used to process data for all planes. When the user equipment moves between different nodes, this node is always responsible for processing the data for all planes of the user equipment. For example, if the node is a centralized unit of a base station, the data for all planes of the user equipment will be processed by the centralized unit of that base station during the movement of the user equipment between different base stations. This ensures that the user equipment's key does not need to be updated and also reduces or slows down the data termination during the movement of the user equipment.

[0158] This invention includes the following types of keys:

[0159] n First key: This key is the key used for data across all planes of the user equipment, meaning that the same key is used for data across all planes. An example of the first key is a key that applies to data across all planes (such as the control plane, user plane, and data plane).

[0160] n Second key: This key is the key used for data in a portion of the user equipment planes, which are at least two of all the planes of the user equipment. An example is a key that applies to data in any two of the control plane, user plane, and data plane.

[0161] n Third key: This key is the key used for data in one plane of the user equipment. An example is a key that applies to data in any one of the control plane, user plane, and data plane.

[0162] In this invention, updating the aforementioned key may lead to the reconstruction of the PDCP layer or RLC layer of the data serving the user equipment, thereby causing interruption or slowdown in data transmission. To reduce the impact of user equipment movement on data transmission (such as interruption or slowdown), this invention proposes a method for updating user equipment keys. In this method, data on different planes of the user equipment may employ different configuration methods, resulting in different key update methods for different planes. In one example, the user equipment only needs to update the key for the control plane data during movement, without updating the key for the user plane data. Thus, the user plane data of the user equipment is unaffected, while only the control plane data is affected. Considering that the user equipment has little or no control plane data to transmit during movement, the impact of mobility on the data transmission of the user equipment can be minimized. Furthermore, to support this approach, the present invention defines new network devices and corresponding network architectures, which process and transmit data in the first or second plane, such as the third node mentioned above. One example of this node is an independent node, such as a Common Non-Control Plane Entity (Common non-CP), a Common User Plane Entity (Common UP), or a Common Data Plane Entity (Common DP). Further, this independent node can be a non-core network device (such as a device in a Radio Access Network (RAN)) or a core network device. Another example of this node is a portion of the functionality of a node in the network, such as the user plane entity of a base station / core network node or the data plane entity of a base station / core network node.

[0163] This invention provides examples of different network structures (the third node described below is a non-control plane entity, whose service plane can be data from at least one plane other than the control plane):

[0164] Example Structure 1: The third node is an independent non-core network device (such as a device on the RAN side).

[0165] In this structure, different base stations are connected to the third node. The interface between each base station and the third node is the first interface. When the base station has a discrete architecture, it includes a centralized unit or a first plane portion of the centralized unit, and a distributed unit. In one example, the interface between the centralized unit or the first plane portion of the centralized unit and the third node is the first plane (e.g., control plane) portion of the first interface (e.g., E1 interface, or enhanced E1 interface enE1, enhanced E1), and the interface between the distributed unit and the third node is the second plane (e.g., user plane, data plane, etc.) portion of the first interface (e.g., F1 interface, or F1 user plane interface). Figure 4As shown, the diagram includes two base stations (e.g., base station 1 and base station 2) and a third node. Examples of the third node are a common non-control plane entity, a common user plane entity, or a common data plane entity. Furthermore, there may be multiple third nodes. The interface between the base station and the third node is the first interface. When the base station has a discrete structure, it includes a centralized unit (or a first plane portion of the centralized unit, such as the control plane portion of the centralized unit) and at least one distributed unit. The centralized unit and the third node can be the first plane portion (control plane portion) of the first interface. The interface between the distributed unit and the third node can be the second plane portion (e.g., the user plane portion or data plane portion) of the first interface. The interface between the centralized unit and the distributed unit is the second interface (e.g., the F1 control plane interface F1-C). The interface between the two base stations is the third interface (e.g., the Xn interface, or the Xn control plane interface Xn-C, the X2 interface, or the X2 control plane interface X2-C).

[0166] Example Structure 2: The third node is a part of the functionality of another node.

[0167] In this structure, the third node can be a part of the functionality of a base station or a core network node. The interface between other base stations and this base station or core network node is a fourth interface (such as the Xn interface, or Xn control plane interface Xn-C, X2 interface, or X2 control plane interface X2-C, NG interface, or NG interface control plane interface NG-C, S1 interface, or S1 interface control plane interface S1-C). Figure 5 As shown in the diagram, there are three base stations. Base station 1 includes the functions of the aforementioned third node, while base stations 2 and 3 are connected to base station 1 via a fourth interface. In this example, when the third node can process data from all planes of the user equipment, the user equipment can move without updating the key, reducing interruptions or slowdowns in user data transmission.

[0168] Example Structure 3: The third node is a core network device, or part of a core network device. In this structure, the third node is located in the core network, and its interface with different base stations is a fifth interface (such as NG interface, or NG user plane interface, or NG data plane interface, S1 interface, or S1 user plane interface, or S1 data plane interface). Each base station can be a non-separate architecture or a separate architecture. Figure 6 As shown in the figure, there is a third node and two base stations (base station 1 and base station 2). If the base stations are in a separate architecture, each base station includes a first plane (such as the control plane) part of the base station centralized unit, a second plane (such as the user plane, data plane) part of the base station centralized unit, and a base station distribution unit; or each base station includes a base station centralized unit and a base station distribution unit.

[0169] In the above structure, when a user equipment (UE) moves between different base stations (e.g., during handover), data on certain planes of the UE (e.g., user plane data, data plane data) is always processed or transmitted by a third node. Since this third node does not change during the user's movement, the security configuration of the data on certain planes of the UE can also remain unchanged. Consequently, the UE does not need to perform security configuration update operations (e.g., PDCP reconstruction, Radio Link Control (RLC) reconstruction), thus reducing the impact on the UE's data transmission (e.g., data transmission on certain planes).

[0170] In this invention, the third node may include at least one of the following functions:

[0171] Data mapping is a function that maps received data. This received data can be data received from other nodes or data received from other protocol layers of a third node. When the third node maps data received from other nodes, in one example, if the other node is a core network device, the received data could be session data, packet data unit session data, IP data, IP flow data, QoS flow data, etc. In this case, the data mapping function maps this data to RBs, data radio bearers, or AI radio bearers. In another example, if the other node is a RAN-side node (such as a base station distribution unit), the received data could be a Protocol Data Unit (PDU) or Service Data Unit (SDU) of the data bearer.

[0172] Data Units (PDCP PDU / SDU, RLC PDU / SDU, etc.) are mapped to session data, packet data unit session data, IP data, IP flow data, QoS flow data, etc. Furthermore, this function can be implemented by specific protocols, such as Service Data Adaptation Protocol (SDAP).

[0173] Protocol), that is, the third node includes the SDAP protocol layer.

[0174] Data security involves performing security-related processing on data, such as encryption, integrity protection, or deencryption and de-integrity protection. Furthermore, this function can be implemented using specific protocols, such as PDCP, meaning the third node includes the PDCP protocol layer. Data retransmission enables data retransmission; in one example, this retransmission is based on the Automatic Repeat Request (ARQ) protocol.

[0175] Furthermore, this functionality can be implemented using specific protocols, such as wireless link control.

[0176] (RLC: Radio Link Control) means that the third node includes the RLC protocol layer. In another example, the third node only includes a portion of the RLC protocol layer functionality, such as only including the RLC protocol layer functionality excluding data fragmentation; that is, the third node includes the higher-level parts of the RLC protocol layer.

[0177] In this invention, the third node may include at least one of the following protocol layers:

[0178] The n SDAP protocol layer, further, is an SDAP layer used to serve the aforementioned first plane or second plane.

[0179] The PDCP protocol layer, further, is a PDCP layer used to serve the aforementioned first or second plane.

[0180] n RLC protocol layer or part of the RLC protocol layer, further, this protocol layer is a PDCP layer used to serve the first plane or the second plane mentioned above.

[0181] This invention includes the following process:

[0182] Process 1: User Equipment Configuration Process. One function of this process is to configure the serving cell, target cell, or candidate cell of the user equipment. Another function is to trigger cell change for the user equipment.

[0183] Process 2: Network node configuration process, which involves the exchange of configuration information between network nodes.

[0184] n Process 3: The process of configuring the configuration information required for the network side to configure the data of the serving user equipment. n Process 4: The preparation process of the user equipment's cell (such as serving cell, target cell, candidate cell).

[0185] Process 5: Notification process for user equipment movement. This process notifies the user equipment of its configuration information when a cell handover occurs.

[0186] The five processes described above can be performed independently or in combination. The details of each process are described below.

[0187] →Process 1: User Equipment Configuration Process

[0188] To support secure configuration updates for user equipment during mobile operation, this invention includes the following steps: Figure 7 As shown:

[0189] Step 1-1: The first node sends a first configuration message to the user equipment. This message contains at least one of the following functions: 1) configuring the serving cell of the user equipment, 2) configuring the target cell for handover of the user equipment, and 3) configuring at least one candidate cell for handover of the user equipment. When configuring these cells, security configuration information related to data from different planes of the user equipment is included. This message includes at least one of the following information:

[0190] The first security configuration information, used to configure the security information of the user equipment, includes security configuration information related to the data of the user equipment. This information includes at least one of the following:

[0191] n Information related to security algorithms, indicating security algorithms for data on different planes. This information includes at least one of the following:

[0192] u Full-plane algorithm information, which indicates the security algorithms required for data across all planes of the user equipment. In one example, this security algorithm applies to the control plane, user plane, and data plane. This information includes encryption (Ciphering) algorithm information and integrity protection.

[0193] At least one of the (Integrity protection) algorithm information

[0194] u Partial Plane Algorithm Information, which indicates the security algorithms required for data in a portion of the user equipment plane (e.g., at least two planes). In one example, the algorithm is applicable to data in any two of the control plane, user plane, and data plane. This information includes at least one of encryption algorithm information and integrity protection algorithm information.

[0195] The single-plane algorithm information indicates the security algorithm required for one plane of the user equipment. In one example, the algorithm is applicable to data in any one of the control plane, user plane, and data plane. This information includes at least one of encryption algorithm information and integrity protection algorithm information.

[0196] The beneficial effects of the aforementioned "full-plane algorithm information," "partial-plane algorithm information," and "single-plane algorithm information" are that different algorithms are used for data on different planes, improving the efficiency of data transmission between different planes and reducing interruptions or slowdowns in data transmission between different planes during user handover. Security indication information indicates the key configuration information of the user equipment. The beneficial effect of this information is that different keys are used for data on different planes, or the keys for data on different planes are updated differently based on the different ranges during user equipment movement, thus reducing data transmission interruptions and slowdowns caused by key updates during user movement. This information includes at least one of the following:

[0197] The first key change indication information indicates whether the first key used by the user equipment needs to be changed. An example of this first key is a key that applies to data across all planes (e.g., control plane, user plane, data plane).

[0198] The second key change indication information indicates whether the second key used by the user equipment needs to be changed. This second key is the key for data in a portion of the user equipment plane (e.g., at least two planes). An example is a key applicable to any two of the following data types: control plane data, user plane data, and data plane data.

[0199] The third key change instruction information indicates the third key change instruction applicable to the user equipment. This third key is a key for data on one plane of the user equipment; an example is a key applicable to any of the following: control plane data, user plane data, and data plane data.

[0200] The key separation instruction indicates whether different keys are required for different planes. Further, it indicates which planes the user equipment needs to use different keys for, or which plane key changes need to be performed separately. An example of these planes is any one or any two of the control plane, user plane, and data plane. In another example, when the user equipment's data involves more planes, these planes can be a combination of some of those planes (e.g., at least two planes). For example, the information indicates whether different keys are used for the control plane and / or user plane and / or data plane, or whether key changes for the control plane and / or user plane and / or data plane can be performed separately.

[0201] The user equipment (UE) provides a key update range indication information. This information is used by the UE to determine whether a key update is required, or to indicate a range within which the UE does not need (or needs) a key update. Specifically, when the UE switches within the range indicated by this information, it does not need (or needs) a key update. One example of this key is the first key mentioned above (e.g., a key shared by control plane, user plane, and data plane data); another example is the second key mentioned above (e.g., any two of control plane, user plane, and data plane keys); and yet another example is the third key mentioned above (e.g., any one of control plane, user plane, and data plane keys). Furthermore, this information can indicate ranges for different types of keys. The beneficial effect of this information is that keys for different types of data will be updated differently based on the UE's movement range, reducing data transmission interruptions or slowdowns caused by key updates during UE movement. For one type of key (one of the first, second, or third keys), this information includes at least one of the following:

[0202] The n-area identification information, or area indication information, indicates an area that requires (or does not require) a key update. In one example, the area indicated by this information may include one or more cells, or one or more base stations, etc. If the user equipment (UE) accesses a cell within the area indicated by this identification information, the UE does not need to perform a key update (or requires a key update).

[0203] The n-cell identification information indicates one or more cells that do not require a key update (or require a key update). If the user equipment (UE) accesses a cell within one of the cells indicated by this identification information, the UE does not need to perform a key update (or requires a key update).

[0204] The candidate identification information indicates the configuration of one or more candidate cells that do not require a key update. If the cell to which the user equipment is accessing uses the configuration indicated by this identification information, the user equipment does not need to perform a key update (or requires a key update).

[0205] The n-path identification information indicates one or more paths that do not require key updates. If the path of the cell accessed by the user equipment is the path indicated by this information, the user equipment does not need to perform a key update (or requires a key update). The key indication information indicates the information used by the user equipment when performing a key update. One example of this key is the first key mentioned above (such as a key shared by data from the control plane, user plane, and data plane); another example is the second key mentioned above (such as any two of the control plane key, user plane key, and data plane key); and another example is the third key mentioned above (such as any one of the control plane key, user plane key, and data plane key). Furthermore, this information can indicate different types of keys separately. The beneficial effect of this information is that data from different planes of the user equipment can use different keys, reducing data transmission interruptions or slowdowns caused by key updates. For one type of key (one of the first key, second key, and third key), this information includes at least one of the following:

[0206] uKey information, which indicates a key for the user equipment (UE) that can be used for encryption and / or integrity protection. In one example, upon receiving this information, the UE can directly use the received key for encryption and / or integrity protection. An example of this information is first key information, such as information indicating a key for data across all planes (e.g., control plane, user plane, and data plane); an example of this information is second key information, such as information indicating a key for data across at least two planes (e.g., control plane, user plane, and data plane); an example of this information is third key information, such as information indicating a key for data across one plane (e.g., control plane, user plane, and data plane).

[0207] uKey update information, which indicates the information used by the user equipment to update the key.

[0208] An example of this information is first key update information, such as information indicating key updates for data across all planes (e.g., control plane, user plane, and data plane). Another example is second key update information, such as information indicating key updates for data across at least two planes (e.g., control plane, user plane, and data plane). Yet another example is third key update information, such as information indicating key updates for data across only one plane (e.g., control plane, user plane, and data plane). For one type of key, this information includes at least one of the following:

[0209] ● Next hop information, which is used to generate the key required by the user equipment.

[0210] ● Next-hop chaining count information, which can be used to associate keys generated by the user equipment. In one example, if the NCC associated with the key the user equipment receives is different from the one associated with the key it is using, the user equipment needs to generate a new key.

[0211] The first auxiliary information contains auxiliary information needed to generate the key. In one example, this information is used as input to an encryption algorithm to generate a key for the user equipment. The generated key can be a first key (such as a key for data from all planes, like a key shared by data from the control plane / user plane / data plane), a second key (such as a key for data from at least two planes, like a key for data from at least two planes in the control plane / user plane / data plane), or a third key (such as a key for data from one plane, like a key for data from one plane in the control plane / user plane / data plane). For one type of key, this information includes at least one of the following:

[0212] ● Cell indication information, which indicates the cell information required by the user equipment when generating the key, such as the Physical Cell Identity (PCI).

[0213] ● Area indication information, which indicates the area information required by the user equipment when generating the key, such as area ID.

[0214] ● Node indication information: This information indicates the node information required by the user equipment during key generation. In one example, this information is the identifier of the aforementioned third node.

[0215] ● Candidate configuration indication information: This information indicates the candidate configurations required by the user equipment during key generation, such as the identification information of the candidate configurations.

[0216] ● Path indication information, which indicates the path required by the user equipment during key generation, such as path identification information.

[0217] ● First identification information, which indicates the key identifier required by the user equipment when generating the key.

[0218] The first applicable information indicates the scope to which the information contained in the aforementioned "first security configuration information" applies. This information may be for a first key, a second key, or a third key. For a given type of key, this information includes at least one of the following:

[0219] The area identification information, or area indication information, indicates an area that requires (or does not require) a key update. In one example, the area indicated by this information may include one or more cells, or one or more base stations, etc. If the user equipment (UE) accesses a cell within the area indicated by this identification information, the UE does not need to perform a key update (or requires a key update).

[0220] The cell identification information indicates one or more cells that do not require a key update (or require a key update). If the user equipment is accessing a cell indicated by this identification information, the user equipment does not need to perform a key update (or requires a key update).

[0221] u. Cell set identification information, which indicates a set of one or more cells that do not require key updates (or require key updates). If the cell to which the user equipment is accessing is within the cell set indicated by this identification information, the user equipment does not need to perform a key update (or requires a key update).

[0222] u Candidate configuration identification information, which indicates whether a key update is not required (or requires a key update).

[0223] The configuration of one or more candidate cells (new). If the configuration used by the cell to which the user equipment is accessing is the configuration indicated by this identification information, the user equipment does not need to perform a key update (or needs a key update).

[0224] The path identification information indicates one or more paths that require no key update (or require a key update). If the path of the cell accessed by the user equipment is the path indicated by this information, the user equipment does not need to perform a key update (or requires a key update).

[0225] u-plane indication information indicates a plane that does not require a key update (or requires a key update). The plane indicated by this information can be one or more planes supported by the user equipment, such as the control plane, user plane, data plane, etc.

[0226] The cell's configuration information, which includes the configuration information of the serving cell, target cell, or candidate cell. For a given cell, this information includes at least one of the following:

[0227] nSecond Community Identification Information

[0228] The n-configured identification information identifies the configuration of a cell. When the aforementioned first configuration message is used to configure at least one candidate cell, this identification information can be candidate configuration identification information.

[0229] The n-range indication information indicates the range to which the cell indicated by the "second cell identification information" belongs. The user equipment (UE) can use this information to determine whether a key update is needed when accessing (e.g., through handover, connection reconstruction, connection restart, connection establishment, etc.) the cell identified by the "second cell identification information." In one example, if the "range indication information" of the cell the UE is accessing is the same as the "range indication information" of a cell the UE previously accessed, then no key update is needed (or a key update is required).

[0230] If the "range indication information" differs from that of the cell previously accessed by the user equipment, a key update is required (or not required). This information includes at least one of the following:

[0231] n. Area identification information, or area indication information, which indicates that no key update is required.

[0232] (or areas requiring key updates)

[0233] n cell set identifier information, which indicates whether a key update is not required (or requires a key update).

[0234] A collection of one or more new communities

[0235] n Path identification information, which indicates one or more paths that do not require key updates (or require key updates).

[0236] The second security configuration information indicates the user equipment's access (e.g., via handover).

[0237] The security configuration used when establishing access (e.g., re-establishing access via connection, restarting access via connection, or establishing access via connection) is the cell identified by the "Second Cell Identification Information" mentioned above. A description of this information can be found in the "First Security Configuration Information" mentioned above.

[0238] The n-key association information indicates the information required for a user equipment (UE) to generate a key when accessing the cell identified by the aforementioned "second cell identifier information" (e.g., access via handover, connection reconstruction, connection restart, connection establishment, etc.). This key can be categorized as either the first key (e.g., a key shared by control plane, user plane, and data plane data), the second key (e.g., any two of the control plane key, user plane key, and data plane key), or the third key (e.g., any one of the control plane key, user plane key, and data plane key). The beneficial effect of this information is that the UE can determine whether a key update is needed during cell handover or cell change, or whether a control plane key update is required.

[0239] This information indicates whether a user plane data update or a data plane key update is needed, thereby reducing or slowing down data transmission during handover, including interruptions or slowdowns in control plane, user plane, or data plane data transmission. Furthermore, this information can be tailored to different key types. For a given key type (one of the first key, second key, or third key)...

[0240] (type), the information includes at least one of the following:

[0241] The second auxiliary information contains the auxiliary information needed to generate the key; a description of this information can be found in the "First Auxiliary Information" section above.

[0242] The second identification information indicates the key identifier required by the user equipment during key generation. Furthermore, this information can also be used by the user equipment to determine whether a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is needed. In an example...

[0243] In the process, the user equipment will compare the "second identification information" of the serving cell with that of the target cell.

[0244] (or candidate cell) "second identifier information", if the two are the same (or different)

[0245] If the two keys are the same, then the user equipment does not need to update the key; if they are different (or similar), then the user equipment does not need to update the key.

[0246] If the key is not updated, the user equipment needs to perform a key update.

[0247] Steps 1-2: Determining the Required Security Configuration Information When User Equipment (UE) Accesses a Cell. During cell handover or access to a new cell, UE needs to determine whether a key update (or PDCP reconstruction, RLC reconstruction, etc.) is required. The updated key can be a first key, a second key, or a third key. Methods for UE to determine whether a key update is needed include:

[0248] Method 1: Determine based on the range of no-key-update configuration on the network side.

[0249] In this method, the network-side configuration includes range indication information for whether a key update is required (or not required), such as the "key update range indication information" in the first configuration message mentioned above. This information indicates the range for which a key update is required (or not required). When the cell accessed by the user equipment is within the range indicated by this information, the user equipment does not need to perform a key update (or does need to perform a key update).

[0250] Method 2: Based on the configuration information of the source cell and the target cell (or candidate cell)

[0251] In this method, the user equipment needs to compare the configuration information of the source cell and the target cell (or candidate cell) and determine whether a key update is needed based on the comparison result. For example, in the first configuration message mentioned above, the configuration information of each cell (such as source cell, target cell, candidate cell) includes the aforementioned "key association information". In one example, if the "second identification information" of the source cell and the target cell (or candidate cell) are the same (or different), no key update is required; if they are different (or the same), a key update is required. In another example, if the "second identification information" of the source cell and the target cell (or candidate cell) are the same (or different), no control plane key update is required; if they are different (or the same), a control plane key update is required. In another example, if the "second identification information" of the source cell and the target cell (or candidate cell) are the same (or different), no user plane key update is required; if they are different (or the same), a user plane key update is required. In yet another example, if the "second identification information" of the source cell and the target cell (or candidate cell) are the same (or different), no data plane key update is required; if they are different (or the same), a data plane key update is required.

[0252] Method 3: Based on instructions from the network side

[0253] In this method, the network side sends a key update indication to the user equipment (UE), and the UE updates its key according to the information contained in the indication. This key update indication may be at least one of the information contained in the "first security configuration information" included in the first configuration message. The first configuration message may be an RRC message, a Medium Access Control (MAC) control element (CE), or physical layer control information (such as downlink control information (DCI)). In another example, the indication may be based on pre-configuration on the network side. For example, the network side (first node) first sends a first configuration message to the UE via RRC signaling, which contains security-related configurations (such as the information in the first configuration message mentioned above). Then, the first node sends a second message (such as an RRC message, MAC CE, or DCI) to the UE, which contains information required for the key update (such as information not included in the first message, such as "key indication information").

[0254] Based on the above configuration, the user equipment (UE) can update the data keys for different planes differently during handover (or when accessing a new cell). For example, the UE has two keys, Key 1 and Key 2. Key 1 and Key 2 can be any two of the aforementioned first key, second key, and third key, or two different second keys, or two different third keys (such as control plane key, user plane key, and data plane key). In one implementation, Key 1 needs to be updated every time the UE hands over, while Key 2 does not need to be updated when the UE hands over between certain cells. In another implementation, when the UE hands over between cells in cell set 1, Key 1 does not need to be updated; when the UE hands over between cells in cell set 2, Key 2 does not need to be updated. The cells in cell set 1 and cell set 2 can be completely different, partially the same, or completely identical.

[0255] The beneficial effect of the above process is that user equipment can determine whether a key update (or PDCP reconstruction, RLC reconstruction, etc.) is needed based on the network configuration, thereby reducing the interruption and slowdown of data transmission for user equipment.

[0256] →Step 2: Network Node Configuration Process

[0257] Furthermore, to support the aforementioned key update method, the third node can connect to multiple different base stations. This third node can be used to process all, part, or a single plane of user data. In one example, when a user equipment switches between multiple base stations connected to the third node, the user equipment does not need to update the key for the data in the plane processed by the third node. To illustrate this approach, the invention may also include an interaction process between the third node and the aforementioned first or second node, such as... Figure 8 As shown, this process is used to exchange configuration information between the third node and the first node (or second node):

[0258] Step 2-1: The third node sends a second configuration message to the first node. This message includes at least one of the following functions: 1) providing the first node with auxiliary information for generating security-related configurations; upon receiving this message, the first node generates security-related configuration information for the user equipment; 2) providing the first node with security-related configuration information; upon receiving this message, the first node obtains the security-related configuration information required by the user equipment. In one example, the third node is responsible for processing data for all planes of the user equipment; in another example, the third node is responsible for processing data for some planes of the user equipment; and in yet another example, the third node is responsible for processing data for only one plane of the user equipment. The message includes at least one of the following information:

[0259] The n-node identification information includes the identifier of the third node.

[0260] The information indicates the service range of the third node. In one example, if a user equipment (UE) accesses a cell (e.g., through handover, connection rebuild, connection restart, connection establishment, etc.) within the range indicated by this information, a key update is not required (or is required). One example of this key is the first key mentioned above (e.g., a key shared by control plane, user plane, and data plane data); another example is the second key mentioned above (e.g., any two of control plane, user plane, and data plane keys); and yet another example is the third key mentioned above (e.g., any one of control plane, user plane, and data plane keys). Upon receiving this information, the first node can determine which nodes or cells do not require key updates, thereby configuring these serving nodes or cells for the UE as much as possible, thus reducing interruptions or slowdowns in UE data transmission. This information includes at least one of the following:

[0261] n. Area identification information, or area indication information, which indicates the area served by the third node. In one example, this information indicates the area where the user equipment does not require (or requires) a key update.

[0262] n Cell set identification information, which indicates the identification information of the cell set served by the third node. In one example, this information indicates a set of one or more cells that do not require key updates (or require key updates).

[0263] n Path identification information, which indicates the identification information of the path of the user equipment served by the third node. In one example, this information indicates one or more paths that do not require key updates (or require key updates).

[0264] The n-node's identification information identifies the node served by the third node. In one example, when a user device connects to the node indicated by this information, no key update is required (or a key update is required).

[0265] The identification information of cell n identifies the cell served by the third node. In one example, when a user equipment accesses the cell indicated by this information, no key update is required (or a key update is required).

[0266] Support information, which indicates the functions or parameters supported by the third node, allows the first node to determine whether to allow the third node to serve the user equipment. This information includes at least one of the following:

[0267] Information about the supported Public Land Mobile Network (PLMN), including the PLMN's identification information.

[0268] n contains information about the QoS parameters supported by the third node.

[0269] The QoS parameters include at least one of the following: QoS Class Identifier (QCI), Allocation and Retention (ARP).

[0270] Priority, Guaranteed Bit Rate (GBR) QoS information, 5G QoS Identifier (5QI), priority information, average window information, maximum data burst volume, and downlink / uplink core network packet delay budget.

[0271] The information provided indicates the slices supported by the third node. This information includes slice identification information, such as Single Network Slice Selection Assistance Information (S-NSSAI). Further, this information includes slice / service type (SST) and slice differential (SD).

[0272] Slice Differentiator

[0273] Information about the supported cells, indicating the cells supported by the third node, including cell identification information.

[0274] The above process can be used to establish an interface between the first node and the third node, or to update the configuration information of the third node.

[0275] The above process can be performed separately by the third node and multiple different first nodes, so that each first node obtains the configuration information of the third node. The beneficial effect of this process is that the first nodes can determine whether to configure the third node to serve the user equipment's data, thereby reducing data transmission interruptions or slowdowns. For example, the first node can configure the user equipment to access nodes or cells within the service range of the third node, thus reducing data transmission interruptions or slowdowns when the user equipment moves between these nodes or cells.

[0276] The second configuration message sent by the third node to the first node may be sent directly by the third node to the first node (e.g., when both the first node and the third node are RAN-side devices, the third node sends it directly to the first node), or it may be sent by a core network node to the first node. For example, the first core network node sends the second configuration message to the first node (e.g., when the third node is a core network node, the first core network node interacts with the third node before sending it to the first node).

[0277] →Step 3: The process of configuring the configuration information required for network-side configuration of user equipment data

[0278] When configuring user equipment, in order to generate the configuration information required to serve the user equipment, the first node and the third node will perform the following process, such as... Figure 9 As shown:

[0279] Step 3-1: The first node sends a first configuration request message to the third node. This message configures the third node to provide services to the user equipment. The message includes at least one of the following: n First data request information, which contains information about the data of the user equipment requesting services from the third node. This information may contain multiple different types of data. For one type of data, the information includes at least one of the following:

[0280] The first data identification information identifies the user equipment's data, such as bearer identification information, SRB identification information, DRB identification information, and service data plane bearer identification information.

[0281] Identification information, IP flow identification information, PDU session identification information, QoS flow identification information, and first plane indication information, which indicates the plane to which the data belongs, such as control plane, user plane, data plane, the aforementioned first plane, the aforementioned second plane, etc. In one example, this information can be explicit; in another example, it can be implicit, such as determining the plane to which the data belongs based on other information contained in the aforementioned "first data request information".

[0282] The first QoS parameter information contains the QoS parameters of the data.

[0283] n First data configuration information, such as PDCP layer configuration information

[0284] The first tunnel information indicates the tunnel information used by the third node when transmitting data (downlink data) to the user equipment. This tunnel information may contain information about one tunnel or multiple tunnels; if it contains information about multiple tunnels, each tunnel may be prepared separately for different cells or nodes. For a single tunnel, this information includes at least one of the following:

[0285] u Tunnel identification information, which identifies a tunnel

[0286] u-node identification information, which indicates the node served by the tunnel.

[0287] u. Cell identification information, which indicates the cell served by the tunnel.

[0288] u Address information, which includes tunnel address information such as IP address information and tunnel endpoint identifier information (TEID: Tunnel endpoint identifier).

[0289] The first service node information can be either an old service node or a current service node. The old service node is the node that served the user equipment before it accessed the sending node (such as the first node) (in one example, this node is the aforementioned third node; in another example, this node is a different node from the third node). The current service node is the node currently serving the user equipment. The user equipment's data can belong to at least one plane (such as the control plane, user plane, data plane, the aforementioned first plane, and the aforementioned second plane) or can belong to different types (such as different data indicated by different identification information, which could be bearer identification information, SRB identification information, DRB identification information, bearer identification information for service data plane data, IP flow identification information, PDU session identification information, or QoS flow identification information). Therefore, the first service node information can be provided separately for different types of data. Upon receiving this information, the third node can determine whether it is already serving the user equipment. In one example, if it is already serving the user equipment, the data of the user equipment it is serving does not require key updates (or PDCP reconstruction, RLC reconstruction, etc.). If it is not serving the user equipment, it may need to generate a key for serving the user equipment or security-related information, or obtain the key based on the first configuration request message. This information includes at least one of the following:

[0290] n The identification information of the first service node, which is the identification information of the first service node mentioned above.

[0291] In one example, this information is the identification information of the aforementioned third node; in another example, this information is the identification information of other nodes.

[0292] The first user identification information is the identification information of the user equipment at the aforementioned first service node. In one example, after the third node receives this information, if the third node is the aforementioned first service node, the third node can find the context of the user equipment based on this information.

[0293] The first security-related information, when the security configuration of the user equipment is generated by the first node, can be used to provide security-related configuration information to the third node; when the security configuration of the user equipment is generated by the third node, this information can be used to request security-related configuration information from the third node. This information includes at least one of the following:

[0294] The second security configuration information provides security-related configuration information about the user equipment generated by the first node. This information may be provided separately for data from different planes (such as the first plane and the second plane mentioned above). Specific descriptions of the information contained in this information can be found in the description of the "first security configuration information" above, such as "information related to security algorithms," "key information," "key update information," "first auxiliary information," "first applicable information," etc. Furthermore, this information may also include at least one of the following:

[0295] The encryption instruction message indicates whether encryption is required.

[0296] u Integrity protection information, indicating whether integrity protection is required; n First security configuration request information, used to request the third node to provide security configuration-related information, based on which the third node can generate security configuration-related information. This information includes at least one of the following:

[0297] The first information of the u node, which indicates the information of the node where the cell (such as serving cell, target cell, candidate cell, etc.) configured for the user equipment is located, includes at least one of the following:

[0298] ●Node identification information

[0299] ●Identification information for the community, such as the identification information of the service community, the target community, and the candidate communities.

[0300] The first information of the u data indicates the information of the node serving the user equipment's data when the user equipment accesses the node indicated by the aforementioned "first information of the node," and this information includes at least one of the following:

[0301] ●Identification information of the service node, which indicates that the node is a node that serves the user equipment's data (such as a third node, or a node of the same type as a third node, or a node with the same function as a third node, but this node is different from the node indicated by the "first information of the node" above).

[0302] ● Service data indication information, which indicates the data served by the node indicated by the "service node identification information" mentioned above, such as control plane data, user plane data, etc.

[0303] According to the data plane data, the aforementioned first plane data, the aforementioned second plane data, and different identification information (such as bearer identification information, SRB identification information, DRB identification information, service data plane bearer identification information, IP flow identification information), the above-mentioned first plane data, the above-mentioned second plane data, and different identification information.

[0304] Step 3-2: The third node sends a first configuration response message to the first node. This message provides configuration information at the third node and includes at least one of the following: First data response information, which contains the configuration information required for the third node to serve the user equipment's data, indicating the data of the user equipment accepted by the third node. This information includes at least one of the following:

[0305] The second data identification information identifies the user equipment's data, such as bearer identification information, SRB identification information, DRB identification information, service data plane bearer identification information, IP flow identification information, PDU session identification information, and QoS flow identification information.

[0306] n Secondary data configuration information, such as PDCP layer configuration information

[0307] The second tunnel information indicates the tunnel information used by the third node when receiving data (uplink data) from the user equipment. This tunnel information may contain information about one tunnel or multiple tunnels. If it contains information about multiple tunnels, each tunnel may be prepared for a different serving cell, target cell, or candidate cell. For a single tunnel, this information includes at least one of the following:

[0308] u Tunnel identification information, which identifies a tunnel

[0309] u-node identification information, which indicates the node served by the tunnel.

[0310] u. Cell identification information, which indicates the cell served by the tunnel.

[0311] u Address information, which includes tunnel address information such as IP address information and tunnel endpoint identifier information (TEID: Tunnel endpoint identifier).

[0312] The second piece of information relates to security. This information includes security-related configuration information generated by the third node. In one example, this information can be used by the first node to generate a security configuration for the user equipment; in another example, it can be used by the first node to configure the security configuration for the user equipment. Furthermore, this information is generated by the third node based on the information in the aforementioned first configuration request message (such as the "first security configuration request information" mentioned above). The information contained in this information can be found in the description of the "first security configuration information" mentioned above, such as "information related to the security algorithm," "key information," "key update information," and "first auxiliary information."

[0313] "First applicable information", etc.

[0314] The first configuration request message sent from the first node to the third node may be sent directly from the first node to the third node (e.g., when both the first node and the third node are RAN-side devices, the first node sends it directly to the third node), or it may be sent from the first node to a node in the core network. For example, the first node sends the first configuration request message to the first core network node (e.g., when the third node is a node in the core network, the first node sends the first configuration request message to the first core network node, and then the first core network node interacts with the third node).

[0315] The first configuration response message sent by the third node to the first node may be sent directly by the third node to the first node (e.g., when both the first node and the third node are RAN-side devices, the third node sends it directly to the first node), or it may be sent by a core network node to the first node. For example, the first core network node sends the first configuration response message to the first node (e.g., when the third node is a core network node, the first core network node interacts with the third node before sending it to the first node).

[0316] The beneficial effects of the above process are: configuring the third node to serve the user equipment's data, reducing the interruption or slowdown of data transmission during the user equipment's movement (because the third node can remain unchanged during the user's movement).

[0317] →Step 4: Preparation process for user equipment cells (e.g., serving cell, target cell, candidate cell)

[0318] To prepare the target cell or candidate cell for the user equipment, the present invention also includes an interaction process between the first node and the second node, such as... Figure 10 As shown:

[0319] Step 4-1: The first node sends a second configuration request message to the second node. This message prepares the target cell or candidate cell for the user equipment. The message includes at least one of the following: n. First cell request information, which contains information about the cell requested by the first node. The requested cell can be a target cell or a candidate cell. After receiving this message, the second node generates the configuration information for the requested cell. This information includes at least one of the following:

[0320] n. First cell identification information, which indicates the identification information of the target cell or candidate cell.

[0321] The second data request information contains information about the data of the user device requesting the second node service. This information may contain multiple different types of data. For one type of data, the information includes at least one of the following:

[0322] The second data identification information identifies the user equipment's data, such as bearer identification information, SRB identification information, DRB identification information, service data plane bearer identification information, IP flow identification information, PDU session identification information, and QoS flow identification information.

[0323] The second indication information for the u-plane indicates the plane to which the data belongs, such as the control plane, user plane, data plane, the aforementioned first plane, the aforementioned second plane, etc. In an example...

[0324] In this context, the information can be explicit, or in another example, implicit, such as determining the plane to which the data belongs based on other information contained in the aforementioned "Second Data Request Information".

[0325] The second QoS parameter information contains parameters specifying the QoS requirements for the data.

[0326] The instruction information of the u service node indicates the aforementioned "second data identifier information".

[0327] The "information" indicates the node of the data, such as the node's identification information. After receiving this information, the second node can decide whether to use the same node to serve the user device's data.

[0328] The third identifier is the key identifier required by the second node during key generation.

[0329] Furthermore, this information can also be used by the second node to determine whether a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required. This information is associated with the requested cell. In one example, when a user equipment switches to the requested cell, the second node can compare the third identification information with the "fourth identification information" corresponding to the source cell. If they are the same, no key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required; if they are different, a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required. In one example, this information is included only when the first node can determine the node providing service data after the user equipment accesses the requested cell. Furthermore, this information can be provided separately for different types of data (e.g., separately for data belonging to the first plane and the second plane, or separately for data of different data types, which can be distinguished by different data identification information).

[0330] The third identification information specifies the range used by the second node when generating the third identification information for the requested cell. In one example, this information is included only when the first node cannot determine the node serving the user equipment after it accesses the requested cell. Upon receiving this information, the second node generates the third identification information corresponding to the requested cell and provides it in the candidate second configuration response message. Furthermore, this information can be provided separately for different types of data (e.g., separately for data belonging to the first plane and the second plane, or separately for data of different data types, which can be distinguished by different data identification information).

[0331] The second service node information refers to the node currently (i.e., when the user equipment is served by a cell under the first node) serving the user equipment's data. This user equipment data can be data from either the first or second plane. In one example, the service node is the third node. In one example, before the user equipment handover, the first and third nodes are jointly serving the user equipment's data from either the first or second plane. When preparing a new target or candidate cell, upon receiving this information, the second node can determine whether the third node will continue to serve the user equipment. For example, if the second node will continue to jointly serve the user equipment with the third node, the key for the data served by the third node does not need to be updated (or PDCP reconstruction or RLC reconstruction, etc., is not required). If the second node no longer jointly serves the user equipment with the third node (the second node jointly serves the user equipment with other nodes, or the second node serves the user equipment independently), then after the user equipment accesses the second node, the key for the data served by the third node in the source cell needs to be changed (or PDCP reconstruction or RLC reconstruction, etc., is required). This information includes at least one of the following:

[0332] The identification information of the second service node; in one example, this information is the identification information of the aforementioned third node.

[0333] The second user identification information is the identification information of the user device on the second service node (such as the third node). In one example, after receiving this information, if the second node also selects the second service node (such as the third node) to serve the user device, then the second node will include this information in the message sent to the third node (such as the first configuration request message mentioned above). The third node can then determine the context of the user device based on this information and continue to serve the user device.

[0334] The second service data indication information indicates the data served by the aforementioned second service node. This information includes data identification information, such as bearer identification information, SRB identification information, DRB identification information, service data plane data bearer identification information, IP flow identification information, PDU session identification information, QoS flow identification information, or the information includes plane indication information, indicating the plane to which the data served by the second service node belongs.

[0335] Planes, such as the control plane, user plane, data plane, the aforementioned first plane, the aforementioned second plane, etc. Information related to the configured cell, which can be a target cell or candidate cell (other than the "requested cell" mentioned above) configured for the user equipment. This information contains configuration information for at least one configured cell. For a single cell, this information includes at least one of the following:

[0336] The identification information of the second cell, which indicates the identifier of the cell configured above; the identification information of the third service node corresponding to the cell configured above; the third service node is the node that serves the user equipment's data after the user equipment accesses the cell configured above; the information includes at least one of the following:

[0337] Identification information of the third service node

[0338] The third service data indication information indicates the data served by the aforementioned third service node. This information includes data identification information, such as bearer identification information, SRB identification information, DRB identification information, and the bearer identification information of the service data plane data.

[0339] Information, such as IP flow identification information, PDU session identification information, QoS flow identification information, or information including plane indication information indicating the plane to which the data served by the third serving node belongs, such as the control plane, user plane, data plane, the aforementioned first plane, the aforementioned second plane, etc. In one example, the plane indication information may be displayed information.

[0340] In another example, the information indicated by the plane is implicit.

[0341] n. Security configuration information, which indicates the security configuration information required for a user equipment to access the cell configured above. The information contained herein can be found in the aforementioned "First Security Configuration Information".

[0342] Description in "information"

[0343] The fourth identifier is the key identifier required by the second node during key generation.

[0344] Furthermore, this information can also be used by the second node to determine whether a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required. In one example, when a user equipment switches from the configured cell to the requested cell, or from the requested cell to the configured cell, the second node can compare the fourth identification information with the "third identification information" corresponding to the requested cell. If they are the same, no key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required; if they are different, a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is required. Furthermore, this information can be provided separately for different types of data (e.g., separately for data belonging to the first plane and the second plane, or separately for data of different data types, which can be distinguished by different data identification information).

[0345] Step 4-2: The second node sends a second configuration response message to the first node. This message provides configuration information for the cell (such as the target cell or candidate cell) at the second node, and includes at least one of the following:

[0346] The first cell response information, if the second node can accept the requested cell, includes configuration information about the requested cell generated by the second node, which includes at least one of the following:

[0347] The second data response information contains data from the user equipment received by the second node. This information may contain various data types, and for one type of data...

[0348] According to reports, this information includes at least one of the following:

[0349] The third data identification information identifies the user equipment's data, such as bearer identification information, SRB identification information, DRB identification information, service data plane bearer identification information, IP flow identification information, PDU session identification information, and QoS flow identification information.

[0350] The third indication information of the u-plane indicates the plane to which the data belongs, such as the control plane, user plane, data plane, the aforementioned first plane, the aforementioned second plane, etc. In an example...

[0351] In one example, this information can be explicit; in another, it can be implicit.

[0352] The instruction information of the u service node indicates the aforementioned "third data identifier".

[0353] The node of the data indicated by "information", such as the node's identification information.

[0354] n contains information related to key updates, indicating whether the user equipment needs to update its keys (such as control plane key, user plane key, data plane key, first plane key, second plane key, etc.) after accessing the requested cell (or whether PDCP reconstruction is required).

[0355] RLC reconstruction, etc.

[0356] The third identification information is a key identifier generated by the second node during key generation. Furthermore, this information can also be used by the second node to determine whether a key update (or PDCP layer reconstruction, or RLC layer reconstruction, etc.) is needed. That is, when the user equipment switches to the requested cell, the second node can compare this third identification information with the "fourth identification information" corresponding to the source cell. If they are the same, no key update is required.

[0357] (Or PDCP layer reconstruction, or RLC layer reconstruction, etc.). If they are different, a key update is required (or PDCP layer reconstruction, or RLC layer reconstruction, etc.). In one example, this information is generated based on the "range information of the third identification information" contained in the second configuration request message mentioned above. Furthermore, this information can be given separately for different data (e.g., separately for data belonging to the first plane and the second plane mentioned above, or separately for data of different data types, which can be distinguished by different data identification information).

[0358] The configuration information of cell n, which is the configuration information of the cell requested above, such as physical layer configuration.

[0359] Configuration information, MAC layer configuration information, and PDCP / RLC / logical channel configuration information, etc. Fourth serving node information, which is the node that serves the user equipment's data after the user equipment accesses the cell served by the second node, includes at least one of the following:

[0360] Identification information of the fourth service node

[0361] The fourth service data indication information indicates the identifier of the data served by the aforementioned fourth service node, such as bearer identifier information, SRB identifier information, DRB identifier information, service data plane data bearer identifier information, IP flow identifier information, PDU session identifier information, QoS flow identifier information, or the information includes plane indication information, indicating the plane to which the data served by the fourth service node belongs, such as the control plane, user plane, etc.

[0362] The plane, the data plane, the aforementioned first plane, the aforementioned second plane, etc. In one example, the plane indication information can be explicit information; in another example, the plane indication information is implicit information.

[0363] Based on the above process, the first node can obtain the configuration information of the target cell or candidate cell configured for the user, and then send the first configuration message to the user equipment (as in process one).

[0364] The benefits of the above process are: configuring multiple cells for user equipment, helping user equipment to quickly hand over between different cells (without having to start preparing the target cell when handover is needed) and reducing signaling overhead during handover. Furthermore, since the interaction process determines whether the key needs to be updated (or PDCP reconstruction, RLC reconstruction, etc.) during handover, it can also reduce interruptions or slowdowns in data transmission for user equipment.

[0365] → Process 5: Notification process for user equipment movement

[0366] After the user equipment completes the cell handover, the process includes the following steps: Figure 11 As shown:

[0367] Step 5-1: The first node sends a first notification message to the third node. This message informs the third node of the user device's handover information, thereby helping the third node change the address for transmitting data or determine whether to delete the user device's configuration information. This message includes at least one of the following:

[0368] The target node information indicates the node information to which the user equipment (UE) is connected. Based on this information, the third node can determine that the UE's serving cell has changed, thus helping the third node change the target node for data transmission. In one example, this information can help the third node determine the tunnel information required to send data to the new node (such as the first tunnel information configured in process three above). This information includes at least one of the following:

[0369] n Node identification information

[0370] n Community identification information

[0371] n Data transmission information, which indicates the information required for data transmission by the user equipment, and includes at least one of the following:

[0372] n Data identification information, which identifies the user equipment's data, such as the carrier's identification information,

[0373] Identification information for SRBs, DRBs, service data plane bearers, IP flows, PDU sessions, and QoS flows.

[0374] The n-sequence number information indicates the starting sequence number when the third node sends data to the target node, such as the PDCP sequence number, IP sequence number, RLC sequence number, etc. Upon receiving this information, in one example, the data sent by the third node to the target node is the data after the sequence number indicated by this information (including or excluding the data packet indicated by this sequence number). In other words, the data packets before the sequence number indicated by this information have been correctly sent to the user equipment. In another example, the data packets sent by the third node to the target node will need to be numbered using the sequence numbers after the sequence number indicated by this information, or...

[0375] In this case, the data packets sent by the third node to the target node will be numbered according to the sequence number indicated by the information and the subsequent sequence numbers.

[0376] The third tunnel information indicates the tunnel used by the third node to send data from the user equipment to the target node. This information includes IP address information and tunnel endpoint identification information (TEID).

[0377] The beneficial effect of the above process is that when a user equipment cell changes, it can help the third node quickly change the target node for transmitting user data, reducing data transmission interruptions or slowdowns.

[0378] The above processes can also be combined with each other, and different implementation examples are given below.

[0379] Example 1: Configuring the serving cell for user equipment

[0380] This embodiment combines process one and process three as described above, such as Figure 12 As shown, that is, step a-1: the first node sends a first configuration request message to the third node, see the description in step 3-1 above;

[0381] Step a-2: The third node sends the first configuration response message to the first node, as described in step 3-2 above;

[0382] Step a-3: The first node sends the first configuration message to the user equipment, as described in step 1-1 above.

[0383] Example 2: Configuring the target cell or candidate cell for user equipment

[0384] This embodiment combines the above-described processes one, three, and four, as follows: Figure 13 As shown, that is, step b-1: the first node sends a second configuration request message to the second node, see the description in step 4-1 above;

[0385] Step b-2: The second node sends a first configuration request message to the third node. The description of the first configuration request message can be found in step 3-1 above (replace "first node" with "second node").

[0386] Step b-3: The third node sends a first configuration response message to the second node. The first configuration response message can be found in step 3-2 above (replace "first node" with "second node").

[0387] Step b-4: The second node sends a second configuration response message to the first node, as described in step 4-2 above;

[0388] Step b-5: The first node sends the first configuration message to the user equipment, as described in step 1-1 above.

[0389] Example 3: User Equipment Handover

[0390] This embodiment combines process one and process five described above, such as Figure 14 As shown, step c-1: The first node sends a first configuration message to the user equipment, as described in step 1-1. Step c-2: Trigger the user equipment to perform cell handover; this trigger message can be the first configuration message from step 1-1 above.

[0391] Step c-3: The first node sends a first notification message to the third node, as described in step 5-1. Examples of the messages in the above process are as follows:

[0392] n First configuration message: such as RRC Reconfiguration, RRC Reestablishment, RRC Setup, RRC Resume, or other RRC messages or other types of messages;

[0393] The second configuration message can be an interface (such as an E1 interface, an enhanced E1 interface, or other interfaces) establishment request message, an interface (such as an E1 interface, an enhanced E1 interface, or other interfaces) establishment response message, a configuration update message, a configuration update confirmation message, or other messages or other types of messages.

[0394] The first configuration request message, such as a bearer context establishment request message or a bearer context modification request message, can also be other messages or other types of messages;

[0395] The first configuration response message, such as the bearer context establishment response message, the bearer context modification response message, or other messages or other types of messages;

[0396] The second configuration request message, such as a switch request message, can also be other messages or other types of messages;

[0397] The second configuration response message can be a switch request confirmation message, or it can be other messages or other types of messages.

[0398] The first notification message can be a cell change notification message, a context modification request message, or other messages or other types of messages.

[0399] Figure 15 This is a block diagram of a node according to an exemplary embodiment of this disclosure. The structure and function of a node are illustrated here, but it should be understood that the illustrated structure and function are equally applicable to base stations, relay nodes, and user equipment. References Figure 11 Node 1500 includes a transceiver 1510, a controller 1520, and a memory 1530. Under the control of the controller 1520 (which may be implemented as one or more processors), node 1500 (including transceiver 1510 and memory 1530) is configured to perform the operations of the node described herein. Although transceiver 1510, controller 1520, and memory 1530 are shown as separate entities, they can be implemented as a single entity, such as a single chip. Transceiver 1510, controller 1520, and memory 1530 can be electrically connected or coupled to each other. Transceiver 1510 can send signals to and receive signals from other network entities, such as another node and / or UE, etc. In one embodiment, transceiver 1510 may be omitted. In this case, controller 1520 may be configured to execute instructions (including computer programs) stored in memory 1530 to control the overall operation of node 1500, thereby implementing the operations of the node described herein.

[0400] According to some embodiments, the user equipment described in this disclosure may include: cellular or other communication devices having a single-line display, a multi-line display, or a cellular or other communication device without a multi-line display; a PCS (Personal Communications Service) that may combine voice, data processing, fax, and / or data communication capabilities; a PDA (Personal Digital Assistant) that may include a radio frequency receiver, pager, Internet / intranet access, web browser, notepad, calendar, and / or GPS (Global Positioning System) receiver; and conventional laptop and / or handheld computers or other devices having and / or including a radio frequency receiver. As used herein, "terminal" or "terminal device" may be portable, transportable, installed in a means of transportation (air, sea, and / or land), or suitable and / or configured to operate locally, and / or in a distributed manner, operating in any other location on Earth and / or in space. The term "terminal" or "terminal device" used here can also refer to communication terminals, internet access terminals, or music / video playback terminals. For example, it can be a PDA, a MID (Mobile Internet Device), and / or a mobile phone with music / video playback capabilities, or a smart TV, a set-top box, or other similar devices.

[0401] Those skilled in the art will recognize that this disclosure can be implemented in other specific forms without altering the technical concept or essential features of this disclosure. Therefore, it should be understood that the above embodiments are merely examples and not limiting. The scope of this disclosure is defined by the appended claims, not by the detailed description. Therefore, it should be understood that all modifications or variations derived from the meaning and scope of the appended claims and their equivalents are within the scope of this disclosure.

[0402] In the embodiments described above, all operations and messages may be selectively performed or omitted. Furthermore, the operations in each embodiment do not need to be performed sequentially, and the order of operations can vary. Messages do not need to be transmitted in order, and the transmission order of messages may vary. Each operation and each message transmission can be performed independently.

[0403] Although this disclosure has been shown and described with reference to various embodiments thereof, those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of this disclosure as defined by the appended claims and their equivalents.

Claims

1. A method performed by a user equipment in a wireless communication system, comprising: Receive a first configuration message containing security configuration information and data sent by the first node; Based on the first configuration message, determine the security configuration required when switching to at least one of the cells; The data belongs to at least one of the following planes: control plane, user plane, and data plane; The data is processed and / or transmitted by a third node when the user equipment moves between the second nodes where the at least one cell is located.

2. The method of claim 1, further comprising: The security configuration information of the data includes at least one of the following: information related to the security algorithm, security indication information indicating the configuration information of the key, key indication information indicating the key used when updating the key, and first applicable information indicating the scope of application of the security configuration information related to the data.

3. The method as described in claim 1, further comprising: The first configuration message also includes configuration information of the at least one cell, wherein the at least one cell may be at least one of a serving cell, a target cell, and a candidate cell; The configuration information of the at least one cell includes at least one of the following: second cell identification information, configured identification information, range indication information of the cell indicated by the "second cell identification information", security configuration information used by the user equipment when accessing the cell indicated by the "second cell identification information", and at least one of auxiliary information and identification information required for generating a key when the user equipment accesses the cell indicated by the "second cell identification information".

4. The method as described in claim 1, further comprising: The third node is used to process at least one of control plane data, user plane data, and data plane data; and / or The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

5. The method as described in claim 1, further comprising: The second node is the base station where the at least one cell is located, or the centralized unit of the base station, or the control plane portion of the centralized unit of the base station.

6. The method of claim 1, further comprising: The first configuration message is sent by the first node after receiving at least one of the following messages: The second configuration message sent by the third node provides auxiliary information for generating security-related configurations and / or provides security-related configuration information; The first configuration response message sent by the third node is used to provide configuration information for the data after the third node receives the first configuration request message sent by the first node. The second configuration response message sent by the second node is used to provide configuration information of the target cell or candidate cell at the second node after the second node receives the second configuration request message sent by the first node.

7. The method of claim 2, further comprising: The information related to the security algorithm includes at least one of the following: full-plane algorithm information for indicating the security algorithm required for data in all planes of the user equipment; partial-plane algorithm information for indicating the security algorithm required for data in at least two planes of the user equipment; and single-plane algorithm information for indicating the security algorithm required for one plane of the user equipment. The security indication information includes at least one of the following: a first key change indication information indicating whether the key for data applicable to all planes needs to be changed; a second key change indication information indicating whether the key for data applicable to at least two planes needs to be changed; a third key change indication information indicating whether the key for data applicable to one plane needs to be changed; a key separation indication information indicating whether data for different planes uses different keys; and a key update range indication information used to determine whether a key update is needed. The key indication information includes at least one of the following: key information, key update information for updating the key, and first auxiliary information for generating the key; The first applicable information includes at least one of the following: area identification information, cell identification information, cell set identification information, candidate configuration identification information, path identification information, and plane indication information.

8. The method of claim 6, further comprising: The second configuration message includes at least one of the following: the identification information of the third node, information indicating the service range of the third node, and information indicating the support of functions or parameters supported by the third node; The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration. The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node; The second configuration request message includes at least one of the following: first cell request information containing information about the target cell or candidate cell to be requested; second service node information containing information about the node currently serving the data of the user equipment; and cell-related information containing configuration information of at least one target cell or candidate cell configured for the user equipment. The second configuration response message includes at least one of the following: first cell response information containing configuration information of the admitted cell, and fourth service node information indicating information about the node that serves the data after the user equipment accesses the admitted cell.

9. A method performed by a first node in a wireless communication system, comprising: Receive a first configuration response message sent by a third node, the first configuration response message being used to provide configuration information for the user equipment's data; Send a first configuration message containing security configuration information of the data to the user equipment; The data belongs to at least one of the following planes: control plane, user plane, and data plane; The data is processed and / or transmitted by a third node when the user equipment moves between second nodes in at least one cell.

10. The method of claim 9, further comprising: The security configuration information of the data includes at least one of the following: information related to the security algorithm, security indication information indicating the configuration information of the key, key indication information indicating the key used when updating the key, and first applicable information indicating the scope of application of the security configuration information related to the data.

11. The method of claim 9, further comprising: The first configuration message also includes configuration information of the at least one cell, wherein the at least one cell may be at least one of a serving cell, a target cell, and a candidate cell; The configuration information of the at least one cell includes at least one of the following: second cell identification information, configured identification information, range indication information of the cell indicated by the "second cell identification information", security configuration information used by the user equipment when accessing the cell indicated by the "second cell identification information", and at least one of auxiliary information and identification information required for generating a key when the user equipment accesses the cell indicated by the "second cell identification information".

12. The method of claim 9, further comprising: The third node is used to process at least one of control plane data, user plane data, and data plane data; and / or The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

13. The method of claim 9, further comprising: receiving a second configuration message transmitted by the third node, the second configuration message providing assistance information for generating security-related configuration and / or providing security-related configuration information; and / or Send a first configuration request message to the third node; and / or Send a second configuration request message to the second node; and / or The second configuration response message sent by the second node is received, and the second configuration response message is used to provide configuration information of the target cell or candidate cell at the second node; and / or Send a first notification message, including the handover information of the user equipment, to the third node.

14. The method of claim 10, further comprising: The information related to the security algorithm includes at least one of the following: full-plane algorithm information for indicating the security algorithm required for data in all planes of the user equipment; partial-plane algorithm information for indicating the security algorithm required for data in at least two planes of the user equipment; and single-plane algorithm information for indicating the security algorithm required for one plane of the user equipment. The security indication information includes at least one of the following: a first key change indication information indicating whether the key for data applicable to all planes needs to be changed; a second key change indication information indicating whether the key for data applicable to at least two planes needs to be changed; a third key change indication information indicating whether the key for data applicable to one plane needs to be changed; a key separation indication information indicating whether data for different planes uses different keys; and a key update range indication information used to determine whether a key update is needed. The key indication information includes at least one of the following: key information, key update information for updating the key, and first auxiliary information for generating the key; The first applicable information includes at least one of the following: area identification information, cell identification information, cell set identification information, candidate configuration identification information, path identification information, and plane indication information.

15. The method as described in claim 9 or 13, further comprising: The second configuration message includes at least one of the following: the identification information of the third node, information indicating the service range of the third node, and information indicating the support of functions or parameters supported by the third node; The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration. The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node; The second configuration request message includes at least one of the following: first cell request information containing information about the target cell or candidate cell to be requested; second service node information containing information about the node currently serving the data of the user equipment; and cell-related information containing configuration information of at least one target cell or candidate cell configured for the user equipment. The second configuration response message includes at least one of the following: first cell response information containing configuration information of the admitted cell, and fourth service node information indicating information about the node serving the data after the user equipment accesses the admitted cell; The first notification message includes at least one of the following: target node information, information indicating the data transmission required.

16. A method performed by a third node in a wireless communication system, comprising: Send a first configuration response message to the first node, wherein the first configuration response message is used to provide configuration information of the user equipment data; The user equipment processes and / or transmits the data as it moves between second nodes where at least one cell is located; The data belongs to at least one of the following planes: control plane, user plane, and data plane; The second node is the base station where the at least one cell is located, or the centralized unit of the base station, or the control plane portion of the centralized unit of the base station.

17. The method of claim 16, further comprising: Receive the first configuration request message sent by the first node; and / or Send a second configuration message to the first node, the second configuration message providing auxiliary information for generating security-related configurations and / or providing security-related configuration information; and / or Receive a first notification message sent by the first node, which includes the handover information of the user equipment.

18. The method of claim 16, further comprising: The third node is used to process at least one of control plane data, user plane data, and data plane data; and / or The third node includes at least one of the following functions: data mapping, secure data processing, data retransmission; and / or The third node includes at least one of the following protocol layers: Service Data Adaptation Protocol, Packet Data Convergence Protocol, and some or all of the Radio Link Control Protocol.

19. The method as described in claim 16 or 17, further comprising: The second configuration message includes at least one of the following: the identification information of the third node, information indicating the service range of the third node, and information indicating the support of functions or parameters supported by the third node; The first configuration request message includes at least one of the following: a first data request message containing information about requesting the data to be served by the third node; a first service node message containing information about the old or current service node of the user equipment; second security configuration information generated by the first node; and a first security configuration request message for requesting the third node to provide information related to security configuration. The first configuration response message includes at least one of the following: a first data response message containing configuration information for the third node to serve the data, and security-related configuration information generated by the third node; The first notification message includes at least one of the following: target node information, information indicating the data transmission required.

20. A user equipment, a first node, a second node, or a third node in a wireless communication system, comprising: A transceiver is used to send and receive signals; as well as A controller, coupled to the transceiver and configured to perform the method as described in any one of the preceding claims 1 to 19.