Communication methods and communication devices
By verifying network permissions before data retrieval, the communication method addresses data leakage issues in 5G non-public networks, enhancing security and reducing resource overhead.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- HUAWEI TECH CO LTD
- Filing Date
- 2023-12-04
- Publication Date
- 2026-06-30
AI Technical Summary
The existing 5G communication systems in non-public networks face issues with data leakage due to direct data retrieval from public networks, compromising location security in location-based services.
Implementing a communication method where a storage function network element determines whether the requesting network is permitted to retrieve data from a terminal device, based on network domain verification and local configuration, before sending data to a Gateway Mobile Location Center.
This approach enhances data security by preventing unauthorized data access and reducing resource overhead, thus improving location security in non-public networks.
Smart Images

Figure 0007883069000001 
Figure 0007883069000002 
Figure 0007883069000003
Abstract
Description
Technical Field
[0001] This application claims the priority of Chinese Patent Application No. 202310007285.0, titled "Communication Method and Communication Device", filed with the China National Intellectual Property Administration on January 4, 2023, the entire content of which is incorporated herein by reference.
[0002] Technical Field Embodiments of this application relate to the field of communications, and more specifically, to communication methods and communication devices.
Background Art
[0003] Currently, the 5th generation (5G) communication system provides a positioning service in a non-public network (positioning service in PNINPN, sometimes called local positioning). PNINPN is a Public Network Integrated Non-Public Network.
[0004] In a positioning method for a positioning service based on a non-public network, after receiving a positioning service request, a Gateway Mobile Location Center (GMLC) can obtain the privacy data of a terminal device from an Integrated Data Management (UDM) network element. GMLC belongs to the non-public network, and UDM belongs to the public network. The non-public network and the public network belong to different security domains. In this positioning method, the non-public network can actively obtain user data in the public network through an existing interface. This may cause leakage of user data stored in the public network.
[0005] Therefore, improving the location security of location-based services that rely on non-public networks is an urgent issue that needs to be addressed. [Overview of the project] [Problems that the invention aims to solve]
[0006] Embodiments of the present invention provide a communication method for improving location security of location-based services on non-public networks. [Means for solving the problem]
[0007] According to the first aspect, a communication method is provided which includes the following: A gateway mobile location center (GMLC) in a first network sends a first request message to a storage function network element in a second network, the first request message includes an identifier for a terminal device, and the first request message is used to request the retrieval of data from the terminal device; the storage function network element, in response to the first request message, determines whether the first network is a network permitted to retrieve data from the terminal device, and the storage function network element, based on the determination result, decides whether to send the data from the terminal device to the GMLC.
[0008] A second aspect provides a communication method. This method may be performed by a memory network element in a second network, or by a component of the memory network element (e.g., a chip or circuit). This is not limited herein. For ease of explanation, the following examples will use the method performed by a memory network element for illustrative purposes.
[0009] The communication method includes the following: A memory function network element in the second network receives a first request message from a gateway mobile location center (GMLC) in the first network, the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; in response to the first request message, the memory function network element determines whether the first network is a network permitted to acquire data from the terminal device; and based on the determination result, the memory function network element decides whether to transmit the data from the terminal device to the GMLC.
[0010] Based on the aforementioned technical solution, when a storage function network element in the second network receives a request message from the GMLC in the first network requesting to retrieve data from a terminal device, the storage function network element first determines whether the first network is a network permitted to retrieve data from terminal devices, and then, based on the determination result, decides whether to send the data from the terminal device to the GMLC, thereby avoiding the leakage of user data in the second network that would occur when the GMLC in the first network directly and actively retrieves data from the storage function network element in the second network through an existing interface. Thus, data security is improved.
[0011] For example, when the aforementioned technical solution is applied to a local location scenario, after receiving a request message from a GMLC in a non-public network to retrieve data from a terminal device, a storage function network element in a public network can determine whether the non-public network is a network that is permitted to retrieve data from terminal devices, and then decide whether to send the data from the terminal device to the GMLC, thereby improving the location security of location services based on non-public networks.
[0012] Referring to the first or second aspect, in some implementations of the first or second aspect, the method further includes the following before the memory function network element determines whether the first network is a network that is permitted to retrieve data from terminal devices: The memory function network element determines that the GMLC and the memory function network element belong to different network domains.
[0013] Based on the aforementioned technical solution, before determining whether the first network is a network permitted to retrieve data from terminal devices, the storage function network element in the second network first determines that the GMLC sending the request message to request the retrieval of data from terminal devices and the storage function network element belong to different network domains. Specifically, when determining that the GMLC and the storage function network element belong to different network domains, the storage function network element determines whether the first network is a network permitted to retrieve data from terminal devices, thus avoiding the case where the storage function network element would still have to determine whether the first network is a network permitted to retrieve data from terminal devices if the GMLC and the storage function network element belong to the same network domain. This avoids unnecessary resource overhead.
[0014] Referring to the first or second aspect, in some implementations of the first or second aspect, the determination by a storage network element that the GMLC and the storage network element belong to different network domains includes one of the following: the storage network element determines that the GMLC and the storage network element belong to different network domains based on a first network identifier contained in the first request message; the storage network element determines the first network identifier based on the GMLC's Internet Protocol IP address and determines that the GMLC and the storage network element belong to different network domains based on the first network identifier; or the storage network element determines the first network identifier based on the GMLC's certificate and determines that the GMLC and the storage network element belong to different network domains based on the first network identifier.
[0015] Based on the aforementioned technical solution, the memory function network elements in the second network may, in a different way, determine that the GMLC and the memory function network elements belong to different network domains, thereby improving the flexibility of the solution.
[0016] With reference to the first or second aspect, in some implementations of the first or second aspect, the memory function network element determines whether the first network is a network permitted to retrieve data from terminal devices, which includes: The memory function network element determines whether the first network is a network permitted to retrieve data from terminal devices based on local configuration information, the configuration information includes a list of identifiers for networks permitted to retrieve data from terminal devices.
[0017] Based on the aforementioned technical solution, a memory function network element in the second network can determine, based on local configuration information, whether the first network is permitted to retrieve data from terminal devices, without having to obtain the necessary information from another network element to determine whether the first network is permitted to retrieve data from terminal devices. This simplifies the solution procedure.
[0018] With reference to the first or second aspect, in some implementations of the first or second aspect, the memory network element's determination of whether a first network is a network permitted to retrieve data from terminal devices, based on local configuration information, includes the following: If the identifier of the first network belongs to the list of identifiers of networks permitted to retrieve data from terminal devices, the memory network element determines that the first network is a network permitted to retrieve data from terminal devices; or if the identifier of the first network does not belong to the list of identifiers of networks permitted to retrieve data from terminal devices, the memory network element determines that the first network is a network not permitted to retrieve data from terminal devices.
[0019] With reference to the first or second aspect, in some implementations of the first or second aspect, a memory function network element determines whether the first network is a network permitted to retrieve data from terminal devices, which includes: The memory function network element determines whether the first network is a network permitted to retrieve data from terminal devices based on a correspondence between a mobility management network element serving terminal devices and the mobility management network element corresponding to the first network. Specifically, the mobility management network element corresponding to the first network may be determined based on second configuration information, which includes a correspondence between an identifier of at least one network and an identifier of at least one mobility management network element in the second network.
[0020] With reference to the first or second aspect, in some implementations of the first or second aspect, a memory network element determines whether a first network is a network permitted to retrieve data from terminal devices based on the correspondence between a mobility management network element serving terminal devices and a mobility management network element corresponding to the first network, which includes: If the mobility management network elements serving terminal devices are a subset of the mobility management network elements corresponding to the first network, the memory network element determines that the first network is a network permitted to retrieve data from terminal devices; or if the mobility management network elements serving terminal devices are not a subset of the mobility management network elements corresponding to the first network, the memory network element determines that the first network is a network not permitted to retrieve data from terminal devices.
[0021] With reference to the first or second aspect, in some implementations of the first or second aspect, the memory function network element's decision on whether to send terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is not permitted to retrieve terminal device data, the memory function network element refuses to send terminal device data to the GMLC.
[0022] With reference to the first or second aspect, in some implementations of the first or second aspect, the memory function network element's decision on whether to transmit terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is not permitted to retrieve terminal device data, the memory function network element transmits the terminal device's publicly available subscriber identifier (GPSI) or pseudonym to the GMLC.
[0023] With reference to the first or second aspect, in some implementations of the first or second aspect, the memory function network element's decision to send terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is a network permitted to retrieve terminal device data, the memory function network element sends terminal device data to the GMLC.
[0024] In relation to the first or second aspect, in some implementations of the first or second aspect, the data of the terminal device includes at least one of the following: the terminal device's subscription permanent identifier (SUPI), the terminal device's privacy settings, or the address of a mobility management network element serving the terminal device.
[0025] Referring to the first side or the second side, in some implementations of the first side or the second side, the second network is a public network and the first network is a local network.
[0026] According to a third aspect, there is provided a communication device configured to implement the method shown in the second aspect. The device includes a transceiver module configured to receive a first request message from a gateway mobile location center GMLC in a first network, the first request message including an identifier of a terminal device, the first request message being used to request to obtain data of the terminal device; and a processing module configured to determine whether the first network is a network permitted to obtain data of the terminal device in response to the first request message, the processing module being further configured to determine whether to send data of the terminal device to the GMLC based on the determination result.
[0027] Referring to the third aspect, in some implementations of the third aspect, before the processing module determines whether the first network is a network permitted to obtain data of the terminal device, the processing module is further configured to determine that the GMLC and the communication device belong to different network domains.
[0028] In connection with the third aspect, in some implementations of the third aspect, for the processing module to determine that the GMLC and the communication device belong to different network domains includes any one of the following. The processing module determines that the GMLC and the communication device belong to different network domains based on the identifier of the first network included in the first request message; the processing module determines the identifier of the first network based on the Internet Protocol (IP) address of the GMLC and determines that the GMLC and the communication device belong to different network domains based on the identifier of the first network; or the processing module determines the identifier of the first network based on the certificate of the GMLC and determines that the GMLC and the communication device belong to different network domains based on the identifier of the first network.
[0029] Referring to the third aspect, in some implementations of the third aspect, for the processing module to determine whether the first network is a network permitted to obtain data of the terminal device includes the following. The processing module determines, based on the local configuration information, whether the first network is a network permitted to obtain data of the terminal device, and the configuration information includes a list of identifiers of networks permitted to obtain data of the terminal device.
[0030] Referring to the third aspect, in some implementations of the third aspect, the processing module's determination of whether a first network is a network permitted to retrieve data from terminal devices, based on local configuration information, includes the following: If the identifier of the first network belongs to the list of identifiers of networks permitted to retrieve data from terminal devices, the processing module determines that the first network is a network permitted to retrieve data from terminal devices; or, if the identifier of the first network does not belong to the list of identifiers of networks permitted to retrieve data from terminal devices, the processing module determines that the first network is a network not permitted to retrieve data from terminal devices.
[0031] Referring to the third aspect, in some implementations of the third aspect, the processing module's determination of whether the first network is a network permitted to retrieve data from terminal devices includes the following: The processing module determines whether the first network is a network permitted to retrieve data from terminal devices based on the correspondence between the mobility management network elements serving the terminal devices and the mobility management network elements corresponding to the first network.
[0032] Referring to the third aspect, in some implementations of the third aspect, the processing module's determination of whether a first network is a network permitted to retrieve data from a terminal device, based on the correspondence between mobility management network elements serving a terminal device and mobility management network elements corresponding to a first network, includes the following: If the mobility management network elements serving a terminal device are a subset of the mobility management network elements corresponding to a first network, the processing module determines that the first network is a network permitted to retrieve data from a terminal device; or if the mobility management network elements serving a terminal device are not a subset of the mobility management network elements corresponding to a first network, the processing module determines that the first network is a network not permitted to retrieve data from a terminal device.
[0033] Referring to the third aspect, in some implementations of the third aspect, the processing module's decision on whether to send terminal device data to the GMLC based on the determination result includes the following: If the determination result is that the first network is a network that is not permitted to retrieve terminal device data, the processing module refuses to send terminal device data to the GMLC.
[0034] Referring to the third aspect, in some implementations of the third aspect, the processing module's decision on whether to send terminal device data to the GMLC based on the determination result includes the following: If the determination result is that the first network is not permitted to receive terminal device data, the transceiver module is further configured to send the terminal device's publicly available subscriber identifier (GPSI) or pseudonym to the GMLC.
[0035] Referring to the third aspect, in some implementations of the third aspect, the processing module's decision on whether to send terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is a network permitted to receive terminal device data, the transceiver module is further configured to send terminal device data to the GMLC.
[0036] Referring to the third aspect, in some implementations of the third aspect, the data of the terminal device includes at least one of the following: the terminal device's subscription permanent identifier (SUPI), the terminal device's privacy settings, or the address of a mobility management network element serving the terminal device.
[0037] Referring to the third aspect, in some implementations of the third aspect, the second network is a public network and the first network is a local network.
[0038] A fourth aspect provides a communication method. The method may be performed by a first network element in a second network, or by a component of the first network element (e.g., a chip or circuit). This is not limited herein. For the sake of clarity, the following examples will use the method performed by a first network element for illustrative purposes.
[0039] The communication method includes the following: A first network element in a second network receives a first request message from a second network element in a first network, the first request message including an identifier for a terminal device, and the first request message is used to request the retrieval of data from the terminal device; the first network element sends a first response message to the second network element in response to the first request message, the information contained in the first response message is determined based on a verification result, which indicates whether the first network is a network permitted to retrieve data from a terminal device.
[0040] Based on the aforementioned technical solution, after a first network element in a second network receives a request message from a second network element in the first network requesting to retrieve data from a terminal device, the information contained in the first response message sent by the first network element to the second network element is determined based on a verification result, which indicates whether the first network is permitted to retrieve data from terminal devices, thereby avoiding the leakage of user data within the second network that would occur when a second network element in the first network directly and actively retrieves data from terminal devices through an existing interface. Thus, data security is improved.
[0041] Referring to the fourth aspect, in some implementations of the fourth aspect, when the first network is a network that is permitted to retrieve data from a terminal device, the first response message contains some or all of the data from the terminal device.
[0042] Referring to the fourth aspect, in some implementations of the fourth aspect, when the first network is a network that is not permitted to obtain data from a terminal device, the first response message is used to refuse to provide data from the terminal device.
[0043] Referring to the fourth aspect, in some implementations of the fourth aspect, when the first network is a network that is not permitted to obtain data from terminal devices, the first response message includes the terminal device's publicly available subscriber identifier (GPSI) or pseudonym.
[0044] Referring to the fourth aspect, in some implementations of the fourth aspect, before the first network element sends a first response message to the second network element, the method further includes: the first network element determines the verification result, or the first network element receives the verification result from a memory function network element in the second network.
[0045] Referring to the fourth aspect, in some implementations of the fourth aspect, the determination of the validation result by the first network element includes: the first network element determines the validation result based on first information, the first information includes subscriber data of terminal devices and / or a list of identifiers of terminal devices from which the first network is permitted to retrieve data, the subscriber data of terminal devices includes a correspondence between the identifiers of terminal devices and the identifiers of at least one network, the at least one network being a network from which data of terminal devices is permitted.
[0046] Referring to the fourth aspect, in some implementations of the fourth aspect, before the first network element determines the verification result, the method further includes the following: The first network element sends a second request message to a storage function network element in the second network, the second request message includes the identifier of the terminal device and / or the identifier of the second network, and the second request message is used to request the retrieval of the first information; the first network element receives the first information from the storage function network element.
[0047] Referring to the fourth aspect, in some implementations of the fourth aspect, the first network element determining the validation result based on the terminal device subscription data includes: if the identifier of the first network is one of the at least one network identifiers, the first network element determines that the first network is a network permitted to retrieve terminal device data; if the identifier of the first network is not one of the at least one network identifiers, the first network element determines that the first network is a network not permitted to retrieve terminal device data; if the identifier of the terminal device is one of the list of terminal device identifiers from which the first network is permitted to retrieve data, the first network element determines that the first network is a network permitted to retrieve terminal device data; or if the identifier of the terminal device is not one of the list of terminal device identifiers from which the first network is permitted to retrieve data, the first network element determines that the first network is a network not permitted to retrieve terminal device data.
[0048] Referring to the fourth aspect, in some implementations of the fourth aspect, the determination of the validation result by the first network element includes the following: The first network element determines the validation result based on the scope of data coverage of the terminal device and the scope of coverage of the first network, where the terminal device subscription data includes information about the scope of data coverage of the terminal device, and the scope of coverage of the first network is determined based on first configuration information, where the first configuration information includes information about the scope of coverage of at least one network.
[0049] Referring to the fourth aspect, in some implementations of the fourth aspect, before the first network element determines the verification result, the method further includes the following: The first network element sends a third request message to a storage function network element in the second network, the third request message includes an identifier for a terminal device, the third request message is used to request that the storage function network element retrieve the subscriber data for the terminal device, and the first network element receives the subscriber data for the terminal device from the storage function network element.
[0050] Referring to the fourth aspect, in some implementations of the fourth aspect, before the first network element determines the verification result, the method further includes the following: The first network element sends a fourth request message to a storage network element in the second network, the fourth request message containing the identifier of the first network, and the fourth request message is used to request that information about the scope of the first network be obtained; the first network element receives the information about the scope of the first network from the storage network element.
[0051] Referring to the fourth aspect, in some implementations of the fourth aspect, the data of the terminal device includes first data and second data, the scope of the first data is the first scope, the scope of the second data is the second scope, and the first network element determines the verification result based on the scope of the terminal device data and the scope of the first network, including the following: If there is an intersection set between the scope of the first network and the first scope, the first network element determines that the first network is a network permitted to obtain the first data, and the first response message includes the first data; if there is an intersection set between the scope of the first network and the second scope, the first network element determines that the first network is a network permitted to obtain the second data, and the first response message includes the second data; if there is an intersection set between the scope of the first network and the first and second scopes respectively, the first network element determines that the first network is a network permitted to obtain the first and second data, and the first response message includes the first and second data; or, if there is no intersection set between the scope of the first network and the scope of data of the terminal device, the first network element determines that the first network is a network not permitted to obtain data from the terminal device.
[0052] Referring to the fourth aspect, in some implementations of the fourth aspect, the determination of the validation result by the first network element includes the following: The first network element determines the validation result based on mobility management network elements serving terminal devices and mobility management network elements corresponding to the first network, the mobility management network elements corresponding to the first network are determined based on second configuration information, the second configuration information includes a correspondence between an identifier of at least one network and an identifier of at least one mobility management network element in the second network.
[0053] Referring to the fourth aspect, in some implementations of the fourth aspect, before the first network element determines the verification result, the method further includes the following: The first network element sends a fifth request message to a memory function network element in the second network, the fifth request message containing the identifier of the first network, and the fifth request message is used to request that the memory function network element obtain the identifier of the mobility management network element corresponding to the first network; the first network element receives the identifier of the mobility management network element corresponding to the first network from the memory function network element.
[0054] Referring to the fourth aspect, in some implementations of the fourth aspect, the first network element determines the verification result based on the relationship between the mobility management network element corresponding to the first network and the mobility management network element serving the terminal device, which includes: if the mobility management network element serving the terminal device is a subset of the mobility management network element corresponding to the first network, the first network element determines that the first network is a network permitted to retrieve data from terminal devices; or if the mobility management network element serving the terminal device is not a subset of the mobility management network element corresponding to the first network, the first network element determines that the first network is a network not permitted to retrieve data from terminal devices.
[0055] In relation to the fourth aspect, in some implementations of the fourth aspect, before the first network element receives the verification result from the storage function network element in the first network, the method further includes the following: The first network element sends a sixth request message to the storage function network element, the sixth request message including the identifier of the first network and / or the identifier of the target terminal device, and the sixth request message is used to request that the verification result be obtained.
[0056] In relation to the fourth aspect, in some implementations of the fourth aspect, the data of the terminal device includes at least one of the following: the terminal device's subscription permanent identifier (SUPI), the terminal device's privacy settings, or a mobility management network element that serves the terminal device.
[0057] Referring to the fourth aspect, in some implementations of the fourth aspect, the second network is a public network and the first network is a local network.
[0058] Referring to the fourth aspect, in some implementations of the fourth aspect, the first network element is a Unified Data Management Function network element (UDM), an Authentication Server Function network element (AUSF), or a Network Data Analysis Function network element (NWDAF); the second network element is a Gateway Mobile Location Center (GMLC), a Mobility Management Function network element (AMF), or a Session Management Function network element (SMF).
[0059] According to the fifth aspect, a communication method is provided which includes the following: A gateway mobile location center (GMLC) in a first network sends a first request message to a storage function network element in a second network, the first request message includes an identifier for a terminal device, and the first request message is used to request the GMLC to retrieve data from the terminal device; the storage function network element determines information to be included in a first response message sent to the GMLC based on the scope of the data for the terminal device and the scope of the first network, the terminal device subscription data includes information regarding the scope of the data for the terminal device, the scope of the first network is determined based on first configuration information, and the first configuration information includes information regarding the scope of at least one network.
[0060] Referring to the fifth aspect, in some implementations of the fifth aspect, the data of the terminal device includes first data and second data, the scope of the first data is the first scope, and the scope of the second data is the second scope, and the memory function network element determines the information to be included in the first response message sent to the GMLC based on the scope of the data of the terminal device and the scope of the first network, which includes the following: If there is an intersection set between the scope of the first network and the first scope, the memory network element determines that the first response message contains the first data; if there is an intersection set between the scope of the first network and the second scope, the memory network element determines that the first response message contains the second data; if there is an intersection set between the scope of the first network and each of the first and second scopes, the memory network element determines that the first response message contains the first data and the second data; or if there is no intersection set between the scope of the first network and the scope of data for the terminal device, the memory network element determines that the first response message contains information refusing to provide data for the terminal device.
[0061] According to the sixth aspect, a communication method is provided which includes the following: A gateway mobile location center (GMLC) in a first network transmits a first request message to a storage function network element in a second network, the first request message including an identifier for a terminal device, and the first request message is used to request the retrieval of data from the terminal device; the storage function network element determines whether to allow the transmission of data from the terminal device to the first network based on a mobility management network element that services the terminal device and a mobility management network element corresponding to the first network, the mobility management network element corresponding to the first network is determined based on second configuration information, the second configuration information including a correspondence between an identifier for at least one network and an identifier for at least one mobility management network element in the second network.
[0062] Referring to the sixth aspect, in some implementations of the sixth aspect, the determination by which a memory network element allows the transmission of terminal device data to the first network, based on the relationship between the mobility management network element corresponding to the first network and the mobility management network element serving the terminal device, includes: If the mobility management network element serving the terminal device is a subset of the mobility management network element corresponding to the first network, the memory network element decides to allow the transmission of terminal device data to the first network; or if the mobility management network element serving the terminal device is not a subset of the mobility management network element corresponding to the first network, the memory network element decides not to allow the transmission of terminal device data to the first network.
[0063] Referring to the sixth aspect, in some implementations of the sixth aspect, when a memory function network element decides to allow data from a terminal device to be transmitted to the first network, the method further includes: The memory function network element transmits a first response message to the GMLC in response to a first request message, the first response message containing data from the terminal device.
[0064] Referring to the sixth aspect, in some implementations of the sixth aspect, when a memory function network element decides not to allow terminal device data to be transmitted to the first network, the method further includes: The memory function network element sends a first response message to the GMLC in response to the first request message, the first response message being used to refuse to provide terminal device data.
[0065] Referring to the sixth aspect, in some implementations of the sixth aspect, when a memory network element decides not to allow terminal device data to be transmitted to the first network, the method further includes: the memory network element sends a first response message to the GMLC in response to the first request message, the first response message containing the terminal device's publicly available subscriber identifier (GPSI) or pseudonym.
[0066] According to the seventh aspect, a communication method is provided that includes the following: A gateway mobile location center (GMLC) in the first network sends a first request message to a first network element in the second network, the first request message including an identifier for a terminal device, and is used to request the retrieval of data from the terminal device; the first network element sends a second request message to a storage function network element in the second network, the second request message including an identifier for a terminal device and / or an identifier for the second network, and is used to request the retrieval of first information, the first information including subscriber data for a terminal device and / or a list of identifiers for terminal devices from which the first network is permitted to retrieve data; the storage function network element sends the first information to the first network element; the first network element determines a verification result based on the first information, the verification result indicating whether the first network is a network permitted to retrieve data from terminal devices; the first network element sends a first response message to the second network element in response to the first request message, the information contained in the first response message is determined based on the verification result.
[0067] Referring to the seventh aspect, some implementations of the seventh aspect further include the following: A memory function network element determines a list of identifiers of terminal devices that the second network is allowed to retrieve data from, based on the subscription data of at least one terminal device and the identifier of the second network.
[0068] Referring to the seventh aspect, in some implementations of the seventh aspect, the first response message contains data from the terminal device when the first network is a network that is permitted to retrieve data from a terminal device.
[0069] Referring to the seventh aspect, in some implementations of the seventh aspect, when the first network is a network that is not permitted to obtain data from a terminal device, the first response message is used to refuse to provide data from the terminal device.
[0070] Referring to the seventh aspect, in some implementations of the seventh aspect, when the first network is a network that is not permitted to obtain data from terminal devices, the first response message includes the terminal device's publicly available subscriber identifier (GPSI) or pseudonym.
[0071] According to the eighth aspect, a communication method is provided which includes the following: A gateway mobile location center (GMLC) in a first network sends a first request message to a storage function network element in a second network, the first request message including an identifier for a terminal device, and the first request message is used to request the retrieval of data for the terminal device; the first network element sends a third request message to a storage function network element in a second network, the third request message including an identifier for a terminal device, and the third request message is used to request the retrieval of subscriber data for the terminal device; the storage function network element sends the subscriber data for the terminal device to the first network element; and the first network element sends a fourth request message to the storage function network element. A fourth request message is sent to a network element, and the fourth request message includes an identifier for the second network, and is used to request that information about the scope of the first network be obtained; the storage function network element transmits the information about the scope of the first network to the first network element; the first network element determines the information to be included in the first response message sent to the GMLC based on the scope of the data of the terminal device and the scope of the first network, the subscriber data of the terminal device includes information about the scope of said data of the terminal device, the scope of the first network is determined based on first configuration information, and the first configuration information includes information about the scope of at least one network.
[0072] Referring to the eighth aspect, some implementations of the eighth aspect further include the following: A memory function network element determines the scope of the first network based on the first configuration information and the identifier of the first network.
[0073] Referring to the eighth aspect, in some implementations of the eighth aspect, the terminal device data includes first data and second data, the scope of the first data is the first scope, the scope of the second data is the second scope, and the first network element determines the information to be included in the first response message sent to the GMLC based on the scope of the terminal device data and the scope of the first network, which includes the following: If there is an intersection set between the scope of the first network and the first scope, the first network element determines that the first response message contains the first data; if there is an intersection set between the scope of the first network and the second scope, the first network element determines that the first response message contains the second data; if there is an intersection set between the scope of the first network and each of the first and second scopes, the first network element determines that the first response message contains the first data and the second data; or if there is no intersection set between the scope of the first network and the scope of data for the terminal device, the first network element determines that the first response message contains information refusing to provide data for the terminal device.
[0074] According to the ninth aspect, a communication method is provided which includes the following: A gateway mobile location center (GMLC) in a first network sends a first request message to a memory network element in a second network, the first request message including an identifier for a terminal device, and is used to request the retrieval of data from the terminal device; the first network element sends a fifth request message to the memory network element in the second network, the fifth request message including an identifier for the second network, and is used to request the retrieval of an identifier for a mobility management network element corresponding to the first network; the memory network element sends the identifier for the mobility management network element corresponding to the first network to the first network element; and the first network element determines whether to allow the transmission of data from the terminal device to the first network based on the mobility management network elements serving the terminal device and the mobility management network elements corresponding to the first network.
[0075] Referring to Aspect 9, in some implementations of Aspect 9, the determination by which a first network element allows terminal device data to be transmitted to the first network, based on the relationship between the mobility management network element corresponding to the first network and the mobility management network element serving the terminal device, includes: if the mobility management network element serving the terminal device is a subset of the mobility management network element corresponding to the first network, the first network element decides to allow terminal device data to be transmitted to the first network; or if the mobility management network element serving the terminal device is not a subset of the mobility management network element corresponding to the first network, the first network element decides not to allow terminal device data to be transmitted to the first network.
[0076] Referring to Aspect 9, in some implementations of Aspect 9, when a first network element decides to allow terminal device data to be transmitted to the first network, the Method further includes: the first network element transmits a first response message to the GMLC in response to a first request message, the first response message containing terminal device data.
[0077] Referring to Aspect 9, in some implementations of Aspect 9, when the first network element decides not to allow terminal device data to be transmitted to the first network, the method further includes: the first network element sends a first response message to the GMLC in response to the first request message, the first response message being used to refuse to provide terminal device data.
[0078] Referring to Aspect 9, in some implementations of Aspect 9, when the first network element decides not to allow terminal device data to be transmitted to the first network, the Method further includes: the first network element sends a first response message to the GMLC in response to the first request message, the first response message containing the terminal device's publicly available subscriber identifier (GPSI) or pseudonym.
[0079] According to the tenth aspect, a communication device is provided. This device is configured to perform the method provided in the second or fourth aspect. Specifically, the communication device may include units and / or modules configured to perform the method according to either the implementation of the second or fourth aspect, such as a processing unit and an acquisition unit.
[0080] In some implementations, the transceiver unit may be a transceiver or an input / output interface, and the processing unit may be at least one processor. Optionally, the transceiver may be a transceiver circuit. Optionally, the input / output interface may be an input / output circuit.
[0081] In other implementations, the transceiver unit may be a chip, chip system, or input / output interface, interface circuit, output circuit, input circuit, pin, associated circuit, etc. on a circuit; the processing unit may be at least one processor, processing circuit, logic circuit, etc.
[0082] According to the eleventh aspect, the present application provides a processor configured to perform the methods provided in the aforementioned aspects. In the process of performing these methods, the process of transmitting the aforementioned information and the process of acquiring / receiving the aforementioned information in the aforementioned methods can be understood as the process of outputting the aforementioned information by the processor and the process of receiving the aforementioned input information by the processor. When outputting information, the processor outputs the information to a transceiver, thereby causing the transceiver to perform the transmission of the information. After the information is output by the processor, further processing of the information may be required before the information arrives at the transceiver. Similarly, when the processor receives input information, the transceiver acquires / receives the information and inputs it to the processor. Furthermore, after the transceiver receives the information, further processing of the information may be required before the information is input to the processor.
[0083] Based on the aforementioned principles, for example, receiving a request message in the aforementioned method can be understood as the processor receiving input information.
[0084] Unless otherwise specified, or unless the operations such as transmission, transmission, and acquisition / reception related to the processor are consistent with the actual function or internal logic of the operation in the relevant description, all operations may be more generally understood as operations such as processor output, reception, and input, rather than transmission, transmission, and reception operations performed directly by radio frequency circuits and antennas.
[0085] In the implementation process, the processor may be a processor specifically configured to perform these methods, or a processor that executes computer instructions in memory to perform these methods, such as a general-purpose processor. The memory may be non-transitory memory, such as read-only memory (ROM). The memory and processor may be integrated on the same chip, or they may be located separately on different chips. The type of memory, and the arrangement of the memory and processor, are not limited to the embodiments of this application.
[0086] According to the twelfth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores program code to be executed by a device, and the program code is used to execute any method provided in the second or fourth aspect.
[0087] According to the 13th aspect, a computer program product containing instructions is provided. When the computer program product is executed on the computer, the computer becomes capable of performing any of the methods provided in the second or fourth aspect.
[0088] According to the fourteenth aspect, a chip is provided. The chip includes a processor and a communication interface. The processor reads instructions stored in memory through the communication interface and performs any method provided in the second or fourth aspect.
[0089] Optionally, in some implementations, the chip may further include memory. The memory stores instructions, and the processor is configured to execute the instructions stored in memory. Once an instruction is executed, the processor is configured to perform any method provided in the second or fourth aspect.
[0090] According to the 15th aspect, a communication system is provided which includes a gateway mobile location center GMLC in a first network and a memory function network element in a second network, wherein the memory function network element performs any method provided in the second or fourth aspect.
[0091] Specifically, the GMLC is configured to send a first request message to a storage function network element, the first request message including an identifier for a terminal device, the first request message is used to request the retrieval of data from the terminal device, the storage function network element is configured to respond to the first request message by determining whether the first network is a network permitted to retrieve data from the terminal device; the storage function network element is further configured to determine, based on the determination result, whether to send the data from the terminal device to the GMLC.
[0092] Referring to Aspect 15, in some implementations of Aspect 15, the memory function network element is further configured to determine whether the GMLC and the memory function network element belong to different network domains before the memory function network element determines whether the first network is a network permitted to retrieve data from terminal devices.
[0093] Referring to Aspect 15, in some implementations of Aspect 15, determining whether a storage network element belongs to a different network domain from the GMLC includes one of the following: the storage network element determines whether the GMLC belongs to a different network domain based on a first network identifier contained in the first request message; the storage network element determines the first network identifier based on the GMLC's Internet Protocol IP address and determines whether the GMLC belongs to a different network domain based on the first network identifier; or the storage network element determines the first network identifier based on the GMLC's certificate and determines whether the GMLC belongs to a different network domain based on the first network identifier.
[0094] Referring to Aspect 15, in some implementations of Aspect 15, the memory function network element determines whether a first network is a network permitted to retrieve data from a terminal device, which includes the following: The memory function network element determines whether a first network is a network permitted to retrieve data from a terminal device, based on local configuration information, which includes a list of identifiers for networks permitted to retrieve data from terminal devices.
[0095] Referring to Aspect 15, in some implementations of Aspect 15, the memory network element's determination of whether a first network is a network permitted to retrieve data from terminal devices, based on local configuration information, includes the following: If the identifier of the first network belongs to the list of identifiers of networks permitted to retrieve data from terminal devices, the memory network element determines that the first network is a network permitted to retrieve data from terminal devices; or if the identifier of the first network does not belong to the list of identifiers of networks permitted to retrieve data from terminal devices, the memory network element determines that the first network is a network not permitted to retrieve data from terminal devices.
[0096] Referring to Aspect 15, in some implementations of Aspect 15, a memory function network element determines whether a first network is a network permitted to retrieve data from terminal devices, which includes: The memory function network element determines whether a first network is a network permitted to retrieve data from terminal devices based on the correspondence between a mobility management network element serving terminal devices and the mobility management network element corresponding to the first network.
[0097] Referring to Aspect 15, in some implementations of Aspect 15, a memory network element determines whether a first network is permitted to retrieve data from terminal devices based on the correspondence between a mobility management network element serving terminal devices and a mobility management network element corresponding to a first network, which includes: If the mobility management network elements serving terminal devices are a subset of the mobility management network elements corresponding to a first network, the memory network element determines that the first network is permitted to retrieve data from terminal devices; or, if the mobility management network elements serving terminal devices are not a subset of the mobility management network elements corresponding to a first network, the memory network element determines that the first network is not permitted to retrieve data from terminal devices.
[0098] Referring to Aspect 15, in some implementations of Aspect 15, the determination by which a memory function network element decides whether to send terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is not permitted to retrieve terminal device data, the memory function network element refuses to send terminal device data to the GMLC.
[0099] Referring to Aspect 15, in some implementations of Aspect 15, the memory function network element's decision on whether to transmit terminal device data to the GMLC based on a determination result includes the following: If the determination result is that the first network is not permitted to retrieve terminal device data, the memory function network element uses the terminal device's publicly available subscriber identifier (GPSI) or pseudonym to transmit to the GMLC.
[0100] Referring to Aspect 15, in some implementations of Aspect 15, the determination by which a memory function network element decides whether to send terminal device data to the GMLC based on a determination result includes the following: When the determination result is that the first network is a network permitted to retrieve terminal device data, the memory function network element is used to send terminal device data to the GMLC.
[0101] In relation to the 15th aspect, in some implementations of the 15th aspect, the data of the terminal device includes at least one of the following: the terminal device's subscription permanent identifier (SUPI), the terminal device's privacy settings, or the address of a mobility management network element serving the terminal device.
[0102] Referring to Aspect 15, in some implementations of Aspect 15, the second network is a public network and the first network is a local network.
[0103] Referring to Aspect 15, in some implementations of Aspect 15, the communication system further includes a mobile location services client, which is configured to send location services requests to the GMLC, and the location services request includes an identifier for the terminal device. [Brief explanation of the drawing]
[0104] [Figure 1] This is a diagram of the architecture of a communication system applicable to one embodiment of the present invention.
[0105] [Figure 2] This is a diagram of a location-based service architecture in a PNNINPN scenario according to one embodiment of the present invention.
[0106] [Figure 3] This is a schematic flowchart of the location determination method.
[0107] [Figure 4] This is a schematic flowchart of the communication method according to this application.
[0108] [Figure 5] This is a schematic flowchart of another communication method according to the present invention.
[0109] [Figure 6] This is a block diagram of a communication device according to one embodiment of the present invention.
[0110] [Figure 7] This is a block diagram of a communication device according to another embodiment of the present application.
[0111] [Figure 8] This is a block diagram of a communication device according to yet another embodiment of the present invention. [Modes for carrying out the invention]
[0112] The technical solution of this application will be described below with reference to the attached drawings.
[0113] The technical solutions provided in this application can be applied to various communication systems, such as new radio (NR) systems, long-term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, and LTE time division duplex (TDD) systems.
[0114] In communication systems, networks operated by operators are sometimes called public land mobile networks (PLMNs), or sometimes operator networks. A PLMN is a network established and operated by a government or a government-approved operator to provide land mobile communication services to the public, and is primarily a public network where mobile network operators (MNOs) provide mobile broadband access services to users. In embodiments of this application, a PLMN may specifically be a network that satisfies certain requirements of the 3GPP standard, and is abbreviated as a 3GPP network. A 3GPP network typically includes, but is not limited to, 5G networks, 4th-generation (4G) mobile communication networks, and other future communication systems, such as 6th-generation (6G) networks.
[0115] For the sake of clarity, a PLMN or 5G network is used as an example for the purposes of explanation in the embodiments of this application.
[0116] Figure 1 is a diagram of the network architecture 100 according to the present application. A 5G network architecture based on a service-based architecture (SBA) in a non-roaming scenario as defined in the 3GPP standardization process is used as an example. As shown in the figure, the network architecture may include three parts: a terminal device part, a data network (DN) part, and a carrier network (PLMN) part. The functions of the network elements in each part are briefly described below.
[0117] The terminal device portion may include a terminal device 110, which may also be called user equipment (UE). The terminal device 110 in this application is a device having radio transmission and reception functions and may communicate with one or more core network (CN) devices via access network devices (sometimes called access devices) in a radio access network (RAN) 120. The terminal device 110 may also be called an access terminal, terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, user agent, user equipment, etc. The terminal device 110 may be located on land, including indoor or outdoor devices, or handheld or vehicle-mounted devices; it may be located on water (e.g., a ship), or in the air (e.g., an airplane, balloon, or satellite). The terminal device 110 may be a cellular phone, cordless phone, session initiation protocol (SIP) phone, smartphone, mobile phone, wireless local loop (WLL) station, personal digital assistant (PDA), etc. Alternatively, the terminal device 110 may be a handheld device with wireless communication capabilities, a computing device, another device connected to a wireless modem, an in-vehicle device, a wearable device, an unmanned aerial vehicle device, a terminal in the Internet of Things or the Internet of Vehicles, any form of terminal in a 5G network or a future network, relay user equipment, a terminal in a future advanced 6G network, etc. Relay user equipment may be, for example, a 5G residential gateway (RG).For example, the terminal device 110 may be a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and the like. The terminal device here is a 3GPP terminal. The type, category, etc., of the terminal device are not limited to the embodiments of this application. For the sake of clarity, in this application, the example in which UE represents a terminal device is used for the following description.
[0118] The operator network PLMN portion may include, but is not limited to, the (radio) access network ((R)AN)120 and the core network (CN) portion.
[0119] (R)AN 120 may be considered a subnetwork of the carrier network and is an implementation system between service nodes within the carrier network and terminal devices 110. To access the carrier network, terminal devices 111 may first pass through (R)AN 120 and then connect to service nodes within the carrier network through (R)AN 120. The access network device (RAN device) in the embodiments of the present application is a device that provides wireless communication functionality for terminal devices 110 and may also be called a network device. RAN devices include, but are not limited to, next-generation node base stations (gNBs) in 5G systems, evolved NodeBs (eNBs) in long-term evolution (LTE), radio network controllers (RNCs), NodeBs (NBs), base station controllers (BSCs), base transceiver stations (BTSs), home base stations (e.g., home evolved NodeBs or home NodeBs, HNBs), baseband units (BBUs), transmitting and receiving points (TRPs), transmitting points (TPs), small cell base station devices (pico), mobile switching centers, and network devices in future networks. In systems using different radio access technologies, devices that function as access network devices may have different names. For the sake of clarity, in all embodiments of this application, the devices that provide wireless communication capabilities for the terminal device 110 are collectively referred to as access network devices, or abbreviated as RAN or AN. It should be understood that specific types of access network devices are not limited herein.
[0120] The CN portion may, but is not limited to, include the following NFs: user plane function (UPF) 130, network exposure function (NEF) 131, network function repository function (NRF) 132, policy control function (PCF) 133, unified data management (UDM) function 134, unified data repository (UDR) function 135, network data analytics function (NWDAF) 136, authentication server function (AUSF) 137, access and mobility management function (AMF) 138, and session management function (SMF) 139.
[0121] The data network DN 140, sometimes called a packet data network (PDN), is typically a network located outside the carrier network, such as a third-party network. Of course, in some implementations, the DN may alternatively be deployed by the carrier, i.e., the DN is part of the PLMN. Whether the DN belongs to the PLMN is not limited in this application. The carrier network PLMN can access multiple data network DNs 140. Multiple services may be deployed on the data network DN 140, and the data network DN 140 may provide data services, voice services, etc., for terminal devices 110. For example, the data network DN 140 may be a private network of a smart factory, and the terminal devices 110 may be sensors installed in the workshop of the smart factory, and a control server for the sensors may be deployed on the data network DN 140, and the control server may provide services for the sensors. The sensors can communicate with the control server to obtain commands from the control server and, based on those commands, transmit collected sensor data to the control server, etc. In another example, the data network DN 140 may be the company's internal office network, and the company employee's mobile phone or computer may be the terminal device 110, which may access information, data resources, etc., within the company's internal office network. The terminal device 110 may establish a connection to the carrier network through an interface provided by the carrier network (e.g., N1) and use data services, voice services, etc., provided by the carrier network. The terminal device 110 may further access the data network DN 140 through the carrier network and use carrier services and / or services provided by third parties deployed on the data network DN 140.
[0122] The following provides a more brief explanation of the NF function included in CN.
[0123] 1. UPF 130 is a gateway provided by the carrier and serves as a gateway for communication between the carrier network and the data network DN 140. UPF network functions 130 include user plane-related functions such as data packet routing and transmission, data packet detection, traffic usage reporting, quality of service (QoS) processing, lawful listening, uplink data packet detection, and downlink data packet storage.
[0124] 2. NEF 131 is a control plane function provided by the operator and is primarily used to enable third parties to use services provided by the network, to open up network capabilities, to support the network in event and data analysis, to translate security configuration information from external applications to PLMN and to exchange information inside and outside PLMN, to provide an open API interface to the outside by the operator network, and to provide interaction between external servers and the internal operator network.
[0125] 3. NRF 132 is a control plane function provided by the operator and can be configured to maintain real-time information on network functions and services within the network. For example, NRF 132 may support network service discovery, maintain services supported by NF configuration data (NF profiles) of NF instances, support service discovery of service communication proxies (SCPs), maintain SCP configuration data (SCP profiles) of SCP instances, send notifications about newly registered, deregistered, and updated NFs and SCPs, and maintain the health status of NFs and SCPs.
[0126] 4. PCF 133 is a control plane function provided by the operator that governs network behavior and supports a unified policy framework for providing policy rules and subscriber information related to policy decisions for other control functions.
[0127] 5. The UDM 134 is a control plane function provided by the operator and is responsible for storing subscriber subscription permanent identifiers (SUPIs), generic public subscription identifiers (GPSIs), credentials, and other information within the operator network. The SUPI is initially encrypted during the transmission process, and the encrypted SUPI is called a subscription concealed identifier (SUCI). The information stored in the UDM network function 134 can be used for authentication and authorization for terminal devices 110 to access the operator network. Specifically, a subscriber of the operator network may be a user who uses services provided by the operator network, for example, a user who uses a China Telecom subscriber identity module (SIM) card, or a user who uses a China Mobile SIM card. The subscriber credentials may be a long-term key stored on the SIM card, or a small stored file, for example, information related to the encryption of the SIM card, and are used for authentication and / or authorization. It should be noted that persistent identifiers, credentials, security context, authentication data (cookies), and tokens are equivalent to information related to verification / authentication and authorization, and are not limited to or distinguished from each other for the sake of facilitating the description in the embodiments of this application.
[0128] 6. UDR 135 is a control plane function provided by the operator, which provides the ability to store and retrieve subscriber data for the UDM, the ability to store and retrieve policy data for the PCF, and the ability to store and retrieve the user's NF group ID information, etc.
[0129] 7. NWDAF 136 is a control plane function provided by the operator. The main function of NWDAF 136 is to collect data from NF, external application functions AF, operations, administration, and maintenance (OAM) systems, etc., and to provide NWDAF service registration, data publication, data analysis, etc. to NF and AF.
[0130] 8. AUSF 137 is a control plane function provided by the operator and is typically used for primary authentication, i.e., authentication between the terminal device 110 (subscriber) and the operator network. After receiving an authentication request initiated by the subscriber, the AUSF network function 137 may perform authentication and / or authorization on behalf of the subscriber by using authentication and / or authorization information stored in the UDM network function 134, or may generate authentication and / or authorization information for the subscriber through the UDM network function 134. The AUSF network function 137 may feed back the authentication and / or authorization information to the subscriber.
[0131] 9. AMF 138 is a control plane network function provided by the carrier network, responsible for access control and mobility management for terminal devices 110 to access the carrier network, and includes functions such as mobility status management, assignment of temporary user identification information, and user authentication and authorization.
[0132] The AMF 138 is configured to perform a Non-Access Stratum (NAS) connection to the UE and has the same 5G NAS security context as the UE. The 5G NAS security context includes the KAMF, NAS hierarchical key, the same key identification information as the NAS hierarchical key, the UE security capability, and the uplink and downlink NAS COUNT values. The NAS hierarchical key includes the NAS encryption key and the NAS integrity protection key, which are used for protecting the confidentiality and integrity of NAS messages, respectively.
[0133] 10. SMF 139 is a control plane network function provided by the carrier network and is responsible for managing PDU sessions of terminal devices 110. A PDU session is a channel for the transmission of PDUs, and terminal devices and data network DN 140 need to transmit PDUs to each other through the PDU session. SMF network function 139 is responsible for establishing, maintaining, and deleting PDU sessions. SMF network function 139 includes session management (e.g., session establishment, modification, and release, including tunnel maintenance between user plane function UPF 130 and (R)AN 120), selection and control of UPF network function 130, service and session continuity (SSC) mode selection, and session-related functions such as roaming.
[0134] 11. AF 141 is a control plane network function provided by the carrier network and is configured to provide application layer information. AF 141 can interact with the policy framework through network elements of network exposure functions, or it can directly interact with the policy framework to make policy decision requests, etc. AF 141 can be located inside or outside the carrier network.
[0135] It can be understood that the aforementioned network elements or functions may be physical entities within a hardware device, software instances running on dedicated hardware, or virtualization functions instantiated on a shared platform (e.g., a cloud platform). In short, NF may be implemented by hardware or software.
[0136] In Figure 1, Nnef, Nnrf, Npcf, Nudm, Nudr, Nnwdaf, Nausf, Namf, Nsmf, N1, N2, N3, N4, and N6 are interface sequence numbers. For example, refer to the meaning of interface sequence numbers as defined in the 3GPP standard protocol. The meaning of interface sequence numbers is not limited in this application. Note that the names of interfaces between network functions in the figure are merely examples. In specific implementations, the names of interfaces in the system architecture may be alternatively named. This is not limited in this application. In addition, the names of messages (or signaling) whose transmission is performed between the aforementioned network elements are merely examples and do not constitute any limitation on the function of the message.
[0137] For the sake of clarity, in the embodiments of this application, network functions (e.g., NEF 131, ..., and SMF 139) are collectively / simply referred to as NF. In other words, in the embodiments of this application, the NF described below may be replaced by any network function. Also, Figure 1 illustrates only some network functions as examples, and the NF described below is not limited to the network functions shown in Figure 1.
[0138] The aforementioned network architecture applicable to the embodiments of this application is merely a network architecture described in terms of a service-based architecture, and it should be understood that the network architecture applicable to the embodiments of this application is not limited to that. Any network architecture capable of implementing the functionality of the aforementioned network elements is applicable to the embodiments of this application.
[0139] The AMF, SMF, UPF, NEF, AUSF, NRF, PCF, and UDM shown in the figure may be understood as network elements configured to implement different functions within the core network, and may, for example, be combined as needed to form network slices. These core network elements may be independent devices or integrated into the same device to implement different functions. The specific forms of the aforementioned network elements are not limited herein.
[0140] It should be further understood that the aforementioned names are defined solely to facilitate the distinction between different functions and should not constitute any limitation to this application. This application does not preclude the possibility that different names may be used in 5G networks and other future networks. For example, in 6G networks, some or all of the aforementioned network elements may still use the terminology used in 5G, or they may use other names.
[0141] In particular, this application primarily relates to non-public network location services (location services in PNINPN) (sometimes called local location services) in 5G system architectures, which will be abbreviated as PNINPN services below. For ease of understanding, the location service architecture in the PNINPN scenario will be briefly described below with reference to Figure 2. Figure 2 is a diagram of the location service architecture in the PNINPN scenario according to one embodiment of this application. It should be understood that the 5G system described herein is merely an example and should not constitute any limitation to this application. The two networks described herein are a public network and a local network, which are merely examples and should not constitute any limitation to this application. For example, the two networks are alternatively a first public network and a second public network.
[0142] As shown in Figure 2, the location-based service architecture in the PNINN scenario may include, but is not limited to, the following components:
[0143] The UE, radio access networks (RAN) (for example, NG-RAN#1, NG-RAN#2, and NG-RAN#3 shown in Figure 2), and core network elements. User equipment includes localized devices, and the access network may be configured to implement functions related to radio access. Core network elements may include, but are not limited to, serving access and mobility management function (serving AMF) network elements, local access and mobility management function (local AMF) network elements, location management function (LMF) network elements, Gateway Mobile Location Center (GMLC), unified data management (UDM), and Location service (LCS client).
[0144] It should be noted that the network elements shown in Figure 2 belong to two different networks (for example, the public network and the local network shown in Figure 2). Specifically, the Serving AMF and UDM are network elements in the public network, while the UE, RAN (NG-RAN#1, NG-RAN#2, and NG-RAN#3 shown in Figure 2), local AMF, LMF, GMLC, and LCS clients belong to the local network.
[0145] It should be understood that public and local networks may include additional network elements in addition to those described above. For example, a public network may further include NEFs, UDRs, NWDAFs, AUSFs, etc., and a local network may further include AMFs, SMFs, etc. Further details are not described herein.
[0146] It should be further understood that local networks are a type of non-public network, sometimes also called campus networks or non-public networks.
[0147] The network elements shown in Figure 2 will be briefly explained below.
[0148] 1. For information on the UE, please refer to the description of the terminal device in Figure 1. Further details will not be provided in this specification. The UE may be a terminal device that is located (or distanced).
[0149] 2. For RAN devices, please refer to the description of (R)AN 120 in Figure 1. Further details are not provided in this specification.
[0150] 3. Access and mobility management functions include the serving AMF and local AMF shown in Figure 2. See the description of AMF 138 in Figure 1.
[0151] In location services, the AMF is configured to receive location service requests and select gateway mobile location center network elements, etc. In the PNINPN scenario, a local AMF is additionally deployed and configured to send location-related messages transmitted by the base station to the location management network elements.
[0152] 4. The LMF is configured to receive a location request, determine a location method based on the capabilities of the UE and network, Quality of Service (QoS) requirements, and client type, exchange location-related information with the UE, base station, etc., calculate the location result, and perform validation on the location result. In the PNINPN scenario, the LMF is deployed on the local network, and location-related information is not exposed to the public network.
[0153] 5. The GMLC is the first network element through which external location-based applications access the core network and request routing and privacy configuration information for the UE from the UDM. In the PNINPN scenario, the GMLC is deployed on the local network.
[0154] 6. The LCS client is a third-party client (external client) that requests to obtain the user's location. The external client may be replaced by an AF, which accesses the GMLC through the NEF interface. In the PNINPN scenario, the location service client is a location service client within the local network.
[0155] It can be understood that the aforementioned network elements or functions may be network elements within a hardware device, software functions running on dedicated hardware, or virtualization functions instantiated on a platform (e.g., a cloud platform).
[0156] It should be noted that the names of the network elements and communication interfaces between network elements in Figure 2 are briefly explained by using examples specified in the current protocol. However, embodiments of the present application are not limited to those applicable only to currently known communication systems. Therefore, all standard names used when the current protocol is used as an example for explanation are functional descriptions. Specific names such as network elements, interfaces, and signalings are not limited in this application and merely represent the function of that network element, interface, or signaling, and may be extended to accommodate other systems, e.g., future communication systems.
[0157] To facilitate understanding of the technical solution in the embodiments of this application, a location method for a location service based on a non-public network, as shown in Figure 2, will be briefly described below with reference to Figure 3.
[0158] Figure 3 is a schematic flowchart of the location determination method. This method includes the following steps:
[0159] S310: A location client (or application functional network element) initiates a location service request to the GMLC.
[0160] Specifically, a Location Securing Service Request (LCS Service Request) carries the identification information of the target UE. The identification information of the target UE may be a Generic Public Subscription Identifier (GPSI) or a Subscription Permanent Identifier (SUPI).
[0161] For example, a location-finding client or application functionality network element may send a location-finding service request directly to the GMLC, or it may send a location-finding request message to the GMLC via the NEF.
[0162] S320: GMLC requests the target UE's privacy settings from UDM, and UDM returns the target UE's privacy settings to GMLC.
[0163] For example, privacy settings include: (1) Location identification is not permitted; (2) Location tracking is permitted and does not need to be communicated to the user; (3) Location tracking is permitted and the user must be notified; (4) Location tracking must be notified to the user, confirmed by the user, authorized by the user, or permitted if there is no response; or (5) Location tracking must be notified to the user and confirmed by the user, and location tracking is permitted only with the user's authorization.
[0164] Privacy settings may further include the duration and geographical scope of their effectiveness.
[0165] S330:GMLC sends request message #1 to the UDM.
[0166] Request message #1 is used to carry the identification information of the target UE and to request the UE's context management service. Specifically, request message #1 is a Nudm_UEcontextmanagement_Get request message.
[0167] S340: The UDM sends response message #1 to the GMLC.
[0168] Response message #1 carries the network address of the serving AMF of the target UE. If the identification information of the target UE in step S330 is GPSI, response message #1 further includes the SUPI of the target UE.
[0169] S350:GMLC sends a location service request to the serving AMF.
[0170] Specifically, the GMLC sends a localization service request to the serving AMF based on the serving AMF's network address. The localization service request carries localization attribute information such as the target UE's identification information (SUPI) and client type.
[0171] Based on the target UE's privacy settings, the location service request may further include instruction information #1.
[0172] For example, instruction information #1 could indicate one of the following: (1) Location tracking is permitted and does not need to be communicated to the user; (2) Location tracking is permitted and the user must be notified; (3) Location tracking must be notified to the user and confirmed by the user, and if there is no response, location tracking is permitted; or (4) Location tracking must be notified to the user and confirmed by the user; if there is no response, location tracking will not be permitted.
[0173] S360:AMF triggers the paging procedure.
[0174] Optionally, when the target UE is in idle mode, the AMF initiates a network-triggered service request procedure, i.e., the AMF triggers a paging procedure, to establish a connection between the network and the UE.
[0175] For example, when paging is successful, the AMF determines, based on instruction #1, whether to notify the user and whether user confirmation is required. If only notification is required, the AMF sends a NAS message to the target UE, which carries the identification information of the localization client. If both user notification and user confirmation are required, the message must further carry instruction #2 indicating that user confirmation is required.
[0176] The AMF receives response message #2 from the target UE, and response message #2 carries a location privacy instruction, and the location privacy instruction is (1) Location identification is permitted, or (2) Location identification is not permitted That could be the case.
[0177] Optionally, response message #2 carries the applicable time period for location-based privacy instructions, such as the start and end times.
[0178] S370:AMF selects LMF.
[0179] In the PNINPN scenario, the AMF selects an LMF within the local network based on its configuration information.
[0180] S380: The AMF sends a location request message to the LMF.
[0181] The location determination request message (Nlmf_Location_DetermimeLocation request) carries identification information for the target UE, where the identifier is an identifier related to location determination.
[0182] S390: The LMF sends a location response message to the AMF.
[0183] Specifically, after receiving a location request message sent by the AMF, the LMF may optionally trigger a location procedure. Based on its configuration information, the LMF sends a location response message (LCS response) to the AMF.
[0184] S391: The LMF sends response message #3 (LCS service response) to the GMLC.
[0185] S392:GMLC sends response message #4 (LCS service response) to the localization client or application function network element.
[0186] S393: The LMF triggers the localization procedure.
[0187] In the PNINPN scenario, the localization procedure is a network-assisted localization method. The LMF selects an AMF within the public network to send UE-related NRPPa signaling messages. The LMF selects a local AMF to send non-UE-related NRPPa signaling messages. The local base station reports localization-related parameters, such as measurement reports, to the local LMF via the local AMF, and the local LMF calculates the location of the target UE.
[0188] S394: LMF sends response message #5 (Nlmf_Location_EventNotify) to GMLC.
[0189] Response message #5 carries the location of the target UE.
[0190] S395:GMLC transmits the measurement results (LCS service report) to a localization client or application function network element to provide the location of the target UE.
[0191] In addition, the following explanations are provided to facilitate understanding of the embodiments of this application.
[0192] Firstly, in this application, "to indicate" can include "to indicate directly" and "to indicate indirectly." When the indicating information is described as indicating A, the indicating information may indicate A directly or indirectly, but this does not necessarily mean that the indicating information includes A.
[0193] The information indicated by the instruction information is called the information to be indicated. In a particular implementation process, there are multiple ways of indicating the information to be indicated. The information to be indicated may be transmitted as a whole, or it may be divided into multiple sub-informations to be transmitted separately. Furthermore, the transmission cycle and / or transmission opportunities of these sub-informations may be the same or different. The specific transmission method is not limited in this application.
[0194] Secondly, in this application, “at least one” means one or more, and “multiple” means two or more. In addition, in the embodiments of this application, “first,” “second,” and various numbers (e.g., “#1” and “#2”) are used for distinction to facilitate explanation and not to limit the scope of the embodiments of this application. Sequence numbers in the following processes do not mean execution sequences. The execution sequence of a process should be determined based on the function and internal logic of the process and should not constitute any limitation to the implementation process of the embodiments of this application. It should be understood that the subjects described in this manner may be interchangeable where appropriate, and as a result, solutions other than the embodiments of this application may be described. In addition, in the embodiments of this application, words such as “310” and “320” are merely identifiers to facilitate explanation and do not limit the sequence in which the steps are performed.
[0195] Thirdly, in this application, terms such as “example” or “for example” are used to indicate that an example, illustration, or explanation is being given. Any embodiment or design scheme described as “example” or “for example” in this application should not be described as being preferable to or having more advantages than another embodiment or design scheme. More precisely, the use of terms such as “example” or “for example” is intended to present a relative concept in a particular way.
[0196] Fourth, “stored” in embodiments of the present application may mean stored in one or more memories. These one or more memories may be separately located or integrated into an encoder or decoder, processor, or communication device. Alternatively, some of the one or more memories may be separately located, or some of the one or more memories may be integrated into a decoder, processor, or communication device. The type of memory may be any form of storage medium; this is not limited to the present application.
[0197] Fifth, the term “and / or” as used herein is merely a relational relationship used to describe related subjects, and three such relationships may exist. For example, A and / or B could represent three cases: A exists alone, both A and B exist, or B exists alone. Furthermore, the symbol “ / ” as used herein generally indicates an “or” relationship between related subjects.
[0198] The above briefly describes scenarios to which the communication method provided in the embodiment of the present application may be applied, with reference to Figures 1 and 2, and describes a location identification method with reference to Figure 3.
[0199] As shown in Figure 3, the location procedure indicates that after receiving a location service request, the GMLC may be able to retrieve private data from the terminal device from the UDM network element. The GMLC belongs to a non-public network, while the UDM belongs to a public network. Non-public and public networks belong to different security domains (or network domains). In this location method, a non-public network can actively retrieve user data within the public network through existing interfaces. This could lead to the leakage of user data stored in the public network.
[0200] For example, a GMLC within a local network can proactively transmit a UE's identification information to a UDM within a public network, and the UDM returns the corresponding privacy settings for the UE. Furthermore, if the UE's identification information is a GPSI, the GMLC may also obtain the UE's SUPI. This can lead to the leakage of user data stored on the public network.
[0201] In another example, while the local network serves only UE1 and UE2, a malicious GMLC network element could construct or obtain identification information for UEs other than UE1 and UE2 (e.g., UE3 and UE4), and further obtain the UEs' privacy settings and / or SUPI. This could lead to the leakage of user data stored on the public network.
[0202] If a GMLC network element within the local network is a malicious network element (for example, if the GMLC network element is captured), it should be understood that the attack mode is independent of the UE's registration status, and the attack is an independent procedure initiated by the network side.
[0203] To avoid the leakage of user data stored on a public network that may be caused by the aforementioned location identification procedure, this application provides a communication method for ensuring that user data stored on a public network is not leaked.
[0204] It should be understood that the communication methods provided in the embodiments of this application may be applied to a location-based communication system for location-based services based on a non-public network, for example, to the communication architecture shown in Figure 2, or to another location-based communication architecture for location-based services based on a non-public network, or to another communication architecture in which a network element in a local network retrieves data from a public network for a terminal device in a hybrid networking scenario (for example, a GMLC in a visited network actively retrieves the privacy settings of a terminal device from a GMLC in a home network). The application scenarios are not limited herein, and any communication system including the functional network elements in the following embodiments may be used.
[0205] It should be further understood that the specific structure of the implementer of the method provided in the embodiments of the present application is not particularly limited in the following embodiments, insofar as a program recording the code of the method provided in the embodiments of the present application can be executed to perform communication in accordance with the method provided in the embodiments of the present application. For example, the implementer of the method provided in the embodiments of the present application may be a device or a functional module that can call and execute a program within the device.
[0206] In the following, we will use the interaction between network elements as an example to describe in detail the communication method provided in the embodiments of the present invention.
[0207] Figure 4 is a schematic flowchart of the communication method according to the present invention. This method is applicable to hybrid networking that includes a first network and a second network. For example, the second network is a public network and the first network is a non-public network (e.g., a local network, private network, or campus network). In another example, the first and second networks are different public networks (e.g., the first network is a home network and the second network is a visited network).
[0208] Public networks, non-public networks, etc., are merely examples and should be understood as not constituting any limitation on the scope of protection of this application. In this embodiment, the specific forms of the second network and the first network are not limited, and the second network and the first network may be different networks.
[0209] The communication method includes the following steps:
[0210] S410: The first network element receives the first request message from the second network element; in other words, the second network element sends the first request message to the first network element.
[0211] The first network element is a network element having a communication interface with the second network element, such as a UDM, UDR, AUSF, or NWDAF in the second network.
[0212] The second network element is a network element that needs to acquire data from a terminal device, such as a GMLC, AMF, or SMF within the first network.
[0213] For example, the first network element is a UDM in the second network and the second network element is a GMLC in the first network; the first network element is a UDR in the second network and the second network element is a GMLC in the first network; the first network element is an AUSF or NWDAF in the second network and the second network element is a GMLC in the first network; the first network element is a UDM in the second network and the second network element is an AMF in the first network; or the first network element is a UDM in the second network and the second network element is an SMF in the first network.
[0214] Specifically, the first request message includes an identifier for the terminal device, and the first request message is used to request the retrieval of data from the terminal device. The terminal device identifier includes, but is not limited to, the terminal device's GPSI or SUPI. The terminal device data includes, but is not limited to, the terminal device's SUPI, the terminal device's privacy settings, and the address of the AMF servicing the terminal device.
[0215] In this embodiment, after receiving the first request message, the first network element does not directly provide the terminal device data to the second network element, but decides whether to send some or all of the terminal device data to the second network element based on the verification result. The verification result indicates whether the first network is a network that is permitted to obtain terminal device data.
[0216] For example, in this embodiment, there are the following embodiments 1 to 3 for determining the verification results.
[0217] Embodiment 1: The first network element is a memory function network element in the second network that locally stores other configuration information necessary to determine the subscriber data and / or verification results of a terminal device (e.g., the first configuration information, the second configuration information, etc., as described below). The memory function network element is a network element located in the second network that provides the function of storing and retrieving subscriber data, and includes, but is not limited to, UDMs, UDRs, etc., in the second network.
[0218] In this implementation, the first network element may determine, based on locally stored information, whether the first network is a network that is permitted to retrieve data from terminal devices. The method procedure shown in Figure 4 further includes the following steps.
[0219] S411: The first network element determines the verification result based on locally stored information.
[0220] For example, the first network element determining the verification result based on locally stored information in embodiment 1 includes the following possibilities 1 to 3:
[0221] Possibility 1: Locally stored information includes subscription data for at least one terminal device. The subscription data for a terminal device includes a correspondence between the identifier of the terminal device and the identifier of at least one network (hereinafter referred to as the first correspondence for ease of explanation). The at least one network may be understood as a network from which data from the terminal device is permitted (or not permitted), or as a network from which data from the terminal device is permitted (or not permitted) to be processed by the terminal device, or as a network from which data from the terminal device is accessible (or not accessible).
[0222] The identifier of a terminal device is the UE ID. The network identifier may be at the network granularity, for example, a network identifier or network name; or the network identifier may be at the slice granularity, for example, a slice identifier. In this embodiment, the specific form of the network identifier is not limited as long as the identifier can identify the network.
[0223] Optionally, as shown in possibility 1, the primary key for the terminal device's subscriber data may be the UE ID. For example, a list of allowed network identifiers may be stored, thereby allowing the allowed network identifiers to be retrieved based on an index of the UE ID.
[0224] Optionally, in the case shown in possibility 1, the primary key of the list of identifiers of terminal devices from which the network is allowed to retrieve data may be the network identifier. For example, a list of IDs of UEs served by each network may be stored, thereby allowing the UEs from which the network is allowed to retrieve data to be retrieved based on an index of the network identifier.
[0225] As described above, in the case shown in possibility 1, in addition to the conventional data of the terminal device (e.g., privacy information and SUPI), the subscriber data of the terminal device stored in the first network element further includes a first correspondence, which indicates a network from which the terminal device data can be retrieved. Therefore, after receiving a request message to retrieve the terminal device data, the first network element decides whether to provide the terminal device data based on the network to which the network element requesting the data belongs and the first correspondence.
[0226] In the case shown in possibility 1, the first network element determining the verification result based on locally stored information includes the following:
[0227] The first network element determines the verification result based on the first information, which includes subscriber data of terminal devices and / or a list of identifiers of terminal devices from which the first network is allowed to retrieve data.
[0228] Optionally, when the first information is subscriber data of a terminal device and the subscriber data of the terminal device includes a first correspondence, the first network element determining the verification result based on the first correspondence includes the following:
[0229] If at least one network identifier in the first correspondence is an identifier of a network that is permitted to retrieve terminal device data, then if the first network identifier is one of the at least one network identifiers, the first network element determines that the first network is a network that is permitted to retrieve terminal device data; or, if the first network identifier is not one of the at least one network identifiers, the first network element determines that the first network is a network that is not permitted to retrieve terminal device data. For example, if the identifier of the first network is network #1, and the terminal device join data stored locally in the first network element includes a first correspondence between the UE ID and network #1 and network #2, then the first network element determines that the first network is a network that is permitted to retrieve terminal device data.
[0230] If the identifier of at least one network in the first correspondence is the identifier of a network that is not permitted to retrieve terminal device data, then if the identifier of the first network is one of the at least one network identifiers, the first network element determines that the first network is a network that is not permitted to retrieve terminal device data; or if the identifier of the first network is not one of the at least one network identifiers, then the first network element determines that the first network is a network that is permitted to retrieve terminal device data. For example, if the identifier of the first network is network #1, and the terminal device join data stored locally in the first network element includes a first correspondence between the UE ID and network #1 and network #2, then the first network element determines that the first network is a network that is not permitted to retrieve terminal device data.
[0231] In this embodiment, it should be understood that the identifier of the first network may be determined in the following manner.
[0232] (1) The first request message carries an identifier of the first network to which the second network element belongs, and the first network element may determine information about the network to which the second network element belongs based on the first request message.
[0233] For example, the first request message carries the network identifier or network name of the first network.
[0234] (2) The first network element determines the IP address of the second network element and, based on the IP address of the second network element, determines information about the network to which the second network element belongs.
[0235] (3) The first network element determines information about the network to which the second network element belongs, based on the certificate information of the second network element.
[0236] For example, the certificate of the second network element carries a network identifier. In the process of establishing a secure connection between the second network element and the first network element, the second NF obtains the certificate of the second network element, stores the associated network identifier, and determines information about the network to which the second network element belongs based on the network identifier in the certificate.
[0237] (4) The first network element determines information about the network to which the second network element belongs, based on information transmitted by another network element (for example, a gateway).
[0238] For example, a second network element is connected to a first network element through another network, and this other network element has the ability to sense information about the network to which the second network element belongs and reports information about the network to which the second network element belongs to the first network element.
[0239] (1) to (4) are merely examples illustrating how the first network element obtains information about the network to which the second network element belongs, and should be understood as not constituting any limitation to the scope of protection of this application. In this embodiment, the first network element may alternatively obtain information about the network to which the second network element belongs in a different manner. For example, the first network element may infer information about the network to which the second network element belongs based on historical communication data. Further details are again not described herein.
[0240] In this implementation, it should be further understood that the first network element determines whether the second network element and the first network element belong to different network or security domains before deciding whether verification needs to be performed. Specifically, if the second network element and the first network element belong to the same network domain (or security domain), the first network element may, in response to the first request message, provide the terminal device data for the second network element; or if the second network element and the first network element belong to different network domains (or security domains), the first network element must perform verification to determine whether to provide the terminal device data for the second network element.
[0241] For example, after determining the identifier of the first network, the first network element can determine, based on the identifier of the first network, that the second network element and the first network element belong to different network domains or security domains.
[0242] Optionally, when the first information is a list of identifiers of terminal devices from which the first network is allowed to retrieve data, the first network element determining a validation result based on the first information includes the following:
[0243] The first network element determines a list of identifiers for terminal devices from which the first network is permitted to retrieve data, based on a first correspondence in the subscriber data of at least one terminal device. If the identifier for a terminal device is one of the identifiers for terminal devices from which the first network is permitted to retrieve data, the first network element determines that the first network is a network from which the first network is permitted to retrieve data from terminal devices; or if the identifier for a terminal device is not one of the identifiers for terminal devices from which the first network is permitted to retrieve data, the first network element determines that the first network is a network from which the first network is not permitted to retrieve data from terminal devices.
[0244] For example, the first network element locally stores the UE#1 subscribe data, the UE#2 subscribe data, and the UE#3 subscribe data. The UE#1 subscribe data includes a first correspondence between the UE#1 ID and networks #1 and #2; the UE#2 subscribe data includes a first correspondence between the UE#2 ID and networks #2 and #3; and the UE#3 subscribe data includes a first correspondence between the UE#3 ID and networks #1 and #2. If the identifier of the first network is network #1, the first network element determines, based on the first correspondence in the subscribe data of at least one terminal device, that the list of terminal device identifiers that the first network is allowed to retrieve data from includes the UE#1 ID and the UE#3 ID. When the terminal device identifier is either the UE#1 ID or the UE#3 ID, the first network element determines that the first network is a network that is allowed to retrieve terminal device data.
[0245] Possibility 2: The locally stored information includes first configuration information and subscription data for at least one terminal device, the terminal device subscription data includes information regarding the scope of data coverage for the terminal device, and the first configuration information includes information regarding the scope of coverage for at least one network.
[0246] The scope of data coverage on a terminal device may be understood as the service scope to which the data on the terminal device is applicable, the scope to which the data on the terminal device is applicable, or by another name. This is not limited to the embodiments. The scope of coverage on a network may be understood as the service scope provided by the network. The service scope may be a network identifier such as a tracking area identifier or cell identifier, or it may be an identifier of a physical service scope, such as longitude and latitude.
[0247] As described above, in the case shown in possibility 2, in addition to the conventional data of the terminal device (e.g., privacy information and SUPI), the terminal device subscription data stored in the first network element further includes information indicating the scope of the terminal device data. Therefore, after receiving a request message to retrieve terminal device data, the first network element decides whether to provide the terminal device data based on the scope of the network to which the network element requesting the data belongs and the scope of the terminal device data.
[0248] In the case shown in possibility 2, the first network element determining the verification result based on locally stored information includes the following:
[0249] The first network element determines the scope of the first network based on the first configuration information and the identifier of the first network, and determines the verification result based on the scope of the data on the terminal device and the scope of the first network.
[0250] For example, the data on a terminal device includes first data and second data, the scope of application of the first data is the first scope, and the scope of application of the second data is the second scope.
[0251] If there is an intersection set between the scope of the first network and the first scope, then the first network element is determined to be a network that the first network is permitted to retrieve first data from.
[0252] If there is an intersection set between the scope of the first network and the scope of the second network, the element of the first network is determined to be a network that the first network is permitted to retrieve data from the second network.
[0253] If there is an intersection set between the scope of the first network and the first and second scopes, then the first network element determines that the first network is a network that is permitted to retrieve the first and second data.
[0254] If there is no intersection set between the scope of the first network and the scope of the terminal device data, the first network element determines whether the first network is a network that is not permitted to obtain terminal device data, or whether the first network is permitted to obtain data from the default terminal device.
[0255] For example, the first configuration information stored locally in the first network element indicates that the scope of network #1 is scope #1, the scope of network #2 is scope #2, and the scope of network #3 is scope #3. The subscriber data of the terminal device indicates that the scope of data #1 is scope #11, and the scope of data #2 is scope #22. There is an intersection set between scope #1 and scope #11, and there is an intersection set between scope #2 and scope #22. If the identifier of the first network is network #1, then the first network is a network that is allowed to retrieve data #1.
[0256] In the case shown in possibility 2, the concept of verification results does not need to be introduced. The information locally stored in the first network element includes first configuration information and subscription data for at least one terminal device. The subscription data for the terminal device includes information regarding the scope of application of the data for the terminal device. The first configuration information includes information regarding the scope of application of at least one network. After receiving the first request message, the first network element may directly determine the content of the data for the terminal device to be returned to the second network element based on the locally stored information. In this case, step S411 can be understood as the first network element determining the information to be sent to the second network element.
[0257] For example, the first configuration information stored locally in the first network element indicates that the scope of network #1 is scope #1, the scope of network #2 is scope #2, and the scope of network #3 is scope #3. The subscriber data of the terminal device indicates that the scope of data #1 is scope #11, and the scope of data #2 is scope #22. There is an intersection set between scope #1 and scope #11, and there is an intersection set between scope #2 and scope #22. If the identifier of the first network is network #1, the first network element decides to send data #1 to the second network element.
[0258] In another example, the first configuration information stored locally in the first network element indicates that the scope of network #1 is scope #1, the scope of network #2 is scope #2, and the scope of network #3 is scope #3. The terminal device's join data indicates that the scope of data #1 is scope #11, and the scope of data #2 is scope #22. There is an intersection set between scope #1 and scope #11, and there is an intersection set between scope #2 and scope #22. If the identifier of the first network is network #3, the first network element decides, based on the pre-configured information, not to send terminal device data to the second network element, or to send default terminal device data to the second network element.
[0259] Possibility 3: Locally stored information includes second configuration information, which includes a correspondence between at least one network identifier and at least one mobility management network element identifier within the second network (hereinafter referred to as the second correspondence for ease of explanation). The mobility management network element in the embodiments of the present invention is a network element that can implement access control and mobility management control functions for terminal devices to access the carrier network, and may be, for example, the aforementioned AMF, or another network element that can implement AMF functions.
[0260] In the case shown in possibility 3, in addition to the conventional data of the terminal device (e.g., privacy information and SUPI), the subscriber data of the terminal device stored in the first network element further includes a second correspondence, the second correspondence indicating a mobility management network element from which the terminal device data can be retrieved. Thus, after receiving a request message to retrieve the terminal device data, the first network element decides whether to provide the terminal device data based on the mobility management network element corresponding to the network to which the network element requesting the data belongs, and the second correspondence.
[0261] In the case shown in possibility 3, the first network element determining the verification result based on locally stored information includes the following:
[0262] The first network element determines the mobility management network element corresponding to the first network based on the second configuration information and the identifier of the first network, and determines the verification result based on the mobility management network element that provides services to the terminal device and the mobility management network element corresponding to the first network.
[0263] If the mobility management network elements serving the terminal device are a subset of the mobility management network elements corresponding to the first network, the first network elements determine that the first network is a network permitted to obtain data from the terminal device; or if the mobility management network elements serving the terminal device are not a subset of the mobility management network elements corresponding to the first network, the first network elements determine that the first network is a network not permitted to obtain data from the terminal device.
[0264] For example, the first configuration information stored locally in the first network element indicates that network #1 corresponds to AMF#1 and AMF#2 within the first network (i.e., there is an interface between network #1 and each of AMF#1 and AMF#2 within the first network, but no interface between network #1 and an AMF in another network), network #2 corresponds to AMF#2 within the first network, and network #3 corresponds to AMF#1 within the first network. If the mobility management network element serving the terminal device is AMF#1 and the identifier of the first network is network #1, then the first network element determines that the first network is a network that is permitted to retrieve data from terminal devices.
[0265] Furthermore, in the case shown in possibility 3, it is not necessary to introduce the concept of verification results. After receiving the first request message, the first network element may decide, based on locally stored information, whether to allow the terminal device data to be transmitted to the first network. In this case, step S411 can be understood as the first network element deciding whether to allow the terminal device data to be transmitted to the first network.
[0266] For example, if a mobility management network element that provides services to a terminal device is a subset of a mobility management network element that corresponds to a first network, the first network element decides to allow the terminal device data to be transmitted to the first network.
[0267] In another example, if the mobility management network elements serving a terminal device are not a subset of the mobility management network elements corresponding to the first network, the first network element decides not to allow the terminal device data to be transmitted to the first network.
[0268] Embodiment 2: The first network element is not a memory-enabled network element within the first network (the first network element is a different network element from the UDM, e.g., AUSF or NWDAF). The memory-enabled network element locally stores the information necessary to determine the verification result (e.g., the subscriber data of the terminal device shown in Embodiment 1 above, the first configuration information, and the second configuration information). The first network element obtains the information necessary to determine the verification result from the memory-enabled network element via a request message, and then determines the verification result based on the obtained information.
[0269] For example, the first network element determining the verification result in embodiment 2 includes the following possibilities 1 to 3.
[0270] Possibility 1: Corresponding to Possibility 1 of Embodiment 1 above, the first network element obtains first information necessary to determine the verification result from the memory function network element via a request message, the first information including the subscriber data of the terminal device and / or a list of identifiers of terminal devices from which the first network is permitted to obtain data. In the case shown in Possibility 1 of Embodiment 2, the method procedure shown in Figure 4 further includes the following steps:
[0271] S421: The first network element sends a second request message to the memory network element; in other words, the memory network element receives the second request message from the first network element.
[0272] The second request message includes the identifier of the terminal device and / or the identifier of the first network, and the second request message is used to request the acquisition of the first information.
[0273] S422: A memory function network element determines the first piece of information.
[0274] Optionally, the second request message includes an identifier for a terminal device, and the memory function network element determines the subscriber data for a terminal device based on the subscriber data stored locally on at least one terminal device and the identifier for the terminal device.
[0275] Optionally, a second request message includes an identifier for the first network, and a memory-enabled network element determines a list of identifiers for terminal devices that the first network is allowed to retrieve data from, based on the subscriber data stored locally on at least one terminal device and the identifier for the first network.
[0276] S423: The memory function network element transmits the first information to the first network element; in other words, the first network element receives the first information from the memory function network element.
[0277] S424: The first network element determines the verification result based on the first information.
[0278] Specifically, for an explanation of how the first network element determines the verification result in the case shown in Possibility 1 of Embodiment 2, please refer to the above explanation of Possibility 1 of Embodiment 1. Further details are not provided herein.
[0279] Possibility 2: Corresponding to Possibility 2 of Embodiment 1 above, the first network element obtains from the memory function network element, via a request message, the subscriber data of the terminal device and information regarding the scope of the first network necessary to determine the verification result, the scope of the first network being determined by the memory function network element based on first configuration information, the first configuration information including information regarding the scope of at least one network. In the case shown in Possibility 2 of Embodiment 2, the method procedure shown in Figure 4 further includes the following steps.
[0280] S431: The first network element transmits the third request message and / or the fourth request message to the memory function network element. In other words, the memory function network element receives the third request message and / or the fourth request message from the first network element.
[0281] The third request message includes the identifier of the terminal device and is used to request to obtain the joining data of the terminal device. The fourth request message includes the identifier of the first network and is used to request to obtain information regarding the scope of application of the first network.
[0282] The third request message and the fourth request message may be the same request message or different request messages, and may be transmitted simultaneously or sequentially.
[0283] The scope of application of the first network may be locally configured by the first network element. Thus, it should be understood that there may be cases where the first network element does not need to request to obtain information regarding the scope of application of the first network via the fourth request message.
[0284] S432: The memory function network element determines the joining data of the terminal device and the scope of application of the first network.
[0285] The memory function network element determines the joining data of the terminal device based on the identifier of the terminal device included in the third request message, the joining data stored locally for at least one terminal device, and the identifier of the terminal device. In other words, it determines information regarding the scope of application of the data of the terminal device within the joining data of the terminal device.
[0286] In addition, the memory function network element determines the applicable range of the first network based on the identifier of the first network included in the fourth request message, the locally stored first configuration information, and the identifier of the first network.
[0287] S433: The memory function network element transmits information regarding the joining data of the terminal device and the applicable range of the first network to the first network element, in other words, the first network element receives information regarding the joining data of the terminal device and the applicable range of the first network from the memory function network element.
[0288] S434: The first network element determines the verification result based on the applicable range of the terminal device's data and the applicable range of the first network.
[0289] Specifically, for the explanation of determining the verification result in the case shown in Possibility 2 of Aspect 2 by the first network element, refer to the above explanation of Possibility 2 of Aspect 1. Details will not be explained again in this specification.
[0290] Possibility 3: Corresponding to Possibility 3 in the above Aspect 1, the first network element obtains, via the request message, from the memory function network element the identifier of the mobility management network element corresponding to the first network, which is required to determine the verification result. The mobility management network element corresponding to the first network is determined by the memory function network element based on the second configuration information, and the second configuration information includes the correspondence between the identifier of at least one network and the identifier of at least one mobility management network element within the second network. When shown in Possibility 3 of Aspect 2, the method procedure shown in FIG. 4 further includes the following steps.
[0291] S441: The first network element sends a fifth request message to the memory network element; in other words, the memory network element receives a fifth request message from the first network element.
[0292] The fifth request message includes the identifier of the first network, and the fifth request message is used to request the retrieval of the identifier of the mobility management network element corresponding to the first network.
[0293] S442: A memory function network element determines the mobility management network element corresponding to the first network.
[0294] The memory function network element determines the mobility management network element corresponding to the first network based on locally stored second configuration information and the identifier of the first network.
[0295] S443: The memory function network element transmits the identifier of the mobility management network element corresponding to the first network to the first network element; in other words, the first network element receives the identifier of the mobility management network element corresponding to the first network from the memory function network element.
[0296] S444: The first network element determines the verification result based on the mobility management network element that serves the terminal device and the mobility management network element that corresponds to the first network.
[0297] Specifically, for an explanation of how the first network element determines the verification result in the case shown in Possibility 3 of Embodiment 2, please refer to the above explanation of Possibility 3 of Embodiment 1. Further details are not provided herein.
[0298] Embodiment 3: The first network element is not a memory network element within the first network, and the memory network element locally stores the information necessary to determine the verification result (for example, the subscriber data of the terminal device shown in Embodiment 1 above, the first configuration information, and the second configuration information). The first network element requests to obtain the verification result via a request message. This can be understood in Embodiment 3 as the memory network element determining the verification result and providing the verification result for the first network element. In this case, the method procedure shown in Figure 4 further includes the following steps.
[0299] S451: The first network element sends a sixth request message to the memory network element; in other words, the memory network element receives the sixth request message from the first network element.
[0300] The sixth request message includes the identifier of the first network and / or the identifier of the target terminal device, and the sixth request message is used to request that the verification result be obtained.
[0301] S452: The memory function network element determines the verification result.
[0302] Specifically, for how the memory function network elements determine the verification results, please refer to the above-mentioned descriptions of possibilities 1 to 3 in Embodiment 1. Further details are not provided herein.
[0303] S453: The memory function network element transmits the verification result to the first network element; in other words, the first network element receives the verification result from the memory function network element.
[0304] In one possible implementation, after determining the verification results in aspects 1 to 3, the first network element may decide, based on the verification results, whether to provide some or all of the data from the terminal device to the second network element.
[0305] For example, if the verification result indicates that the first network is a network that is permitted to obtain data of the terminal device, the first network element determines, based on the verification result, to provide the data of the terminal device for the second network element.
[0306] In another example, if the verification result indicates that the first network is a network that is permitted to obtain first data in the data of the terminal device, the first network element determines, based on the verification result, to provide the first data for the second network element.
[0307] In another possible implementation, in Mode 3, the memory function network element sends an instruction to the first network element indicating whether to provide some or all of the data of the terminal device for the second network element. In other words, in this implementation, after determining the verification result in Mode 3, the memory function network element further determines whether to provide some or all of the data of the terminal device to the second network element based on the verification result, and may notify the first network element via the instruction information, whereby the first network element sends a response to the second network element based on the instruction.
[0308] The method procedure shown in FIG. 4 further includes the following steps.
[0309] S420: The first network element sends a first response message to the second network element. In other words, the second network element receives the first response message from the first network element.
[0310] Specifically, the information carried in the first response message is determined based on the verification result.
[0311] In one possible implementation, when the first network is a network that is permitted to retrieve data from a terminal device, the first response message includes some or all of the data from the terminal device.
[0312] For example, if the verification result indicates that the first network is permitted to retrieve the first data from the data of the terminal device, then the first response message will include the first data.
[0313] In another possible implementation, when the first network is a network that is not permitted to retrieve data from a terminal device, the first response message is used to refuse to provide data from the terminal device. In this implementation, the first response message may be understood as a rejection message, which may contain information indicating the reason for the rejection.
[0314] In yet another possible implementation, when the first network is a network that is not permitted to retrieve data from terminal devices, the first response message includes the GPSI or pseudonym of the terminal device. The pseudonym is generated by the first network element or memory-enabled network element, and the first network element or memory-enabled network element stores the correspondence between the SUPI / GPSI and the pseudonym.
[0315] The embodiment shown in Figure 4 can be applied to the location scenario shown in Figure 2. For example, the second network is a public network, the first network is a local network, the first network element is a UDM in the second network, and the second network element is a GMLC in the first network. Below, with reference to a specific example, we will explain how to perform location in a location scenario while ensuring that user data stored on the public network is not leaked.
[0316] Example 1: Figure 5 illustrates a communication method applied to a location-finding scenario according to one embodiment of the present invention. This method includes the following steps:
[0317] S510: A location-finding client (or application functional network element) initiates a location-finding service request to the GMLC.
[0318] Specifically, a Location Securing Service Request (LCS service request) carries the identification information of the target UE. The identification information of the target UE may be the target UE's GPSI or SUPI.
[0319] For example, a location-finding client or application functional network element may send a location-finding service request directly to the GMLC, or it may send a location request message to the GMLC via the NEF.
[0320] S520: The GMLC sends a first request message to the UDM; in other words, the UDM receives a first request message from the GMLC.
[0321] Specifically, the first request message is used to request data from the target UE. The target UE data includes, but is not limited to, one or more of the following: the target UE's SUPI, the target UE's privacy settings, or the addresses of the AMFs serving the target UE. For a description of the first request message, see the description of the first request message in step S410 of the communication method in Figure 4. Further details are not provided herein.
[0322] For example, the first request message is a Nudm_SDM_Get or Nudm_UECM_Get request message.
[0323] S530: The UDM determines whether to provide data for the target UE based on locally stored information.
[0324] For example, in this embodiment, assuming that it is determined that the first network to which the GMLC belongs and the second network to which the UDM belongs are in different network domains or security domains, the UDM further decides whether to provide data to the target UE.
[0325] For example, before deciding whether to provide data to the target UE, the UDM determines whether the GMLC and UDM belong to different network domains or security domains. The GMLC and UDM belonging to different network domains can be understood as the identifier of the network to which the GMLC belongs being different from the identifier of the network to which the UDM belongs. Security domains are an effective way to divide an entire system from a security perspective and implement security levels of protection for large and complex information systems. The GMLC and UDM belonging to different security domains can be understood as the GMLC and UDM belonging to different security levels.
[0326] Optionally, when the GMLC and UDM belong to different network domains, the GMLC and UDM belong to different security domains; or when the GMLC and UDM belong to the same network domain but have different security levels, the GMLC and UDM belong to different security domains. When the UDM and GMLC belong to different network domains (security domains), if the GMLC directly obtains target UE data from the UDM through the interface between the GMLC and UDM, and the UDM directly provides target UE data, the target UE data may be leaked and security cannot be guaranteed. Therefore, in this embodiment, when the UDM determines that the UDM and GMLC belong to different security domains, the UDM needs to further decide whether to provide target UE data.
[0327] For example, in this embodiment, the UDM can determine that the UDM and GMLC belong to different network domains in some of the following implementations.
[0328] In one possible implementation, the UDM determines that the GMLC and UDM belong to different network domains based on the identifier of the first network included in the first request message.
[0329] In another possible implementation, the UDM first determines the identifier of a first network based on the GMLC's IP address, and then, based on the identifier of the first network, determines that the GMLC and the UDM belong to different network domains.
[0330] In yet another possible implementation, the UDM first determines the identifier of the first network based on the GMLC's certificate, and then, based on the identifier of the first network, determines that the GMLC and the UDM belong to different network domains.
[0331] For example, a GMLC certificate carries the identifier of the first network. In the process of establishing a secure connection between the UDM and the GMLC, the UDM retrieves the GMLC's certificate, stores the identifier of the first network, and determines information about the first network to which the GMLC belongs based on the identifier of the first network in the certificate.
[0332] In yet another possible implementation, the UDM determines information about the network to which the GMLC belongs based on information transmitted by another network element (e.g., a gateway).
[0333] For example, the GMLC is connected to the UDM through another network, and this other network element has the ability to sense information about the network to which the GMLC belongs and reports information about the first network to which the GMLC belongs to the UDM.
[0334] Corresponding to the embodiment shown in Figure 4, in this embodiment, the UDM's decision on whether to provide data for the target UE based on locally stored information includes the following three possibilities:
[0335] Possibility 1: The UDM determines, based on local configuration information, whether the first network is a network that is permitted to retrieve data from terminal devices, and the configuration information includes a list of identifiers for networks that are permitted to retrieve data from terminal devices.
[0336] Specifically, in the case shown in possibility 1, in response to the first request message, the UDM determines whether the first network is a network permitted to retrieve data from the target UE and obtains a determination result. Here, the determination result indicates whether the first network is a network permitted to retrieve data from the target UE. Furthermore, after obtaining the determination result, the first network element decides whether to send the target UE data to the GMLC based on the determination result.
[0337] If the identifier of the first network belongs to the list of identifiers of networks that are permitted to retrieve data from terminal devices, the UDM determines that the first network is a network that is permitted to retrieve data from terminal devices, or If the identifier of the first network does not belong to the list of network identifiers that are permitted to retrieve data from terminal devices, the UDM determines that the first network is a network that is not permitted to retrieve data from terminal devices.
[0338] Optionally, the local configuration information may further include a list of identifiers for terminal devices from which the network is allowed to retrieve data.
[0339] If the identifier of the target terminal device belongs to the list of terminal device identifiers that the first network is allowed to retrieve data from, the UDM determines that the first network is a network that is allowed to retrieve data from terminal devices, or If the identifier of the target terminal device does not belong to the list of terminal device identifiers that the first network is allowed to retrieve data from, the UDM determines that the first network is a network that is not allowed to retrieve terminal device data.
[0340] To facilitate understanding, the following example illustrates how the UDM decides whether to provide data from the target terminal device for the GMLC in the case shown in Possibility 1.
[0341] For example, a local network is a corporate campus network that provides services only for corporate employees and devices. The corporate can provide a linking relationship between the local network identifier and the UE identifiers of its employees and devices (e.g., UE#2 and UE#3), and this linking relationship is stored in the UDM within the public network. If a UE (e.g., UE#1) is not a user of the local network, there is no linking or joining relationship between the identifier of UE#1 and the local network identifier. If the GMLC requests data for UE#1 via a first request message, the UDM, based on the joining data, determines that there is no linking / joining relationship between UE#1 and the local network and refuses to send UE#1's UE data to the GMLC. If the GMLC requests data for UE#3 via a first request message, the UDM, based on the joining data, determines that there is a linking / joining relationship between UE#3 and the local network and sends UE#3's UE data to the GMLC.
[0342] Possibility 2: The UDM determines the information to be included in the first response message sent to the GMLC based on the data coverage of the terminal device and the coverage of the first network.
[0343] For example, the data on the target terminal device includes data #1 and data #2, the scope of data #1 is range #1, the scope of data #2 is range #2, and the scope of the first network is range #3.
[0344] If an intersection set exists between range #3 and range #1, the UDM determines that the first response message contains data #1.
[0345] If an intersection set exists between range #3 and range #2, the UDM determines that the first response message contains data #2.
[0346] If there is an intersection set between range #3 and ranges #1 and #2 respectively, the UDM determines that the first response message contains data #1 and data #2.
[0347] If no intersection sets exist between range #3 and ranges #1 and #2 respectively, the UDM determines that the first response message contains information indicating a refusal to provide data from the target terminal device.
[0348] To facilitate understanding, the following will illustrate, with specific examples, how the UDM decides whether to provide data from the target terminal device for the GMLC in the case shown in Possibility 2.
[0349] For example, the local network is a company's campus network, and the network's scope is Scope #1. The company can provide a link between the local network identifier and Scope #1, and this link is stored in the UDM within the public network. In addition, the UDM within the public network further stores a link between the identifier of at least one UE and the data scope of that UE. When the local network requests data from a UE (e.g., UE#1), the UDM determines the data scope of UE#1 based on the link between the identifier of UE#1 and the data scope of the UE (e.g., the scope of data #1 of UE#1 is Scope #1, and the scope of data #2 of UE#1 is Scope #2). The UDM determines, based on the local network identifier and the UE#1 identifier, that there is an intersection between the scope of the local network and the scope of UE#1 data #1, and decides to provide UE#1 data #1 for GMLC; the UDM determines, based on the local network identifier and the UE#1 identifier, that there is an intersection between the scope of the local network and the scope of UE#1 data #2, and decides to provide UE#1 data #2 for GMLC; or the UDM determines, based on the local network identifier and the UE#1 identifier, that there is no intersection between the scope of the local network and the respective scopes of UE#1 data #1 and UE#1 data #2, and decides not to provide UE#1 data for GMLC.
[0350] Possibility 3: The UDM decides whether to allow the target terminal device to transmit data to the first network based on the AMF serving the target terminal device and the AMF corresponding to the first network. The AMF corresponding to the first network is determined based on second configuration information, which includes a correspondence between at least one network identifier and at least one mobility management network element identifier within the second network.
[0351] If the AMF serving the target terminal device is a subset of the AMF corresponding to the first network, the UDM decides to allow the target terminal device's data to be transmitted to the first network, or
[0352] If the AMF serving the target terminal device is not a subset of the AMF corresponding to the first network, the UDM decides not to allow the target terminal device's data to be transmitted to the first network.
[0353] To facilitate understanding, the following will explain, with the help of a specific example, how the UDM decides whether to provide data from the target terminal device for the GMLC in the case shown in Possibility 3.
[0354] For example, the local network is a company's campus network, and the company can provide a connection relationship between the local network identifier and AMF#1 in the public network, and this connection relationship is stored in the UDM in the public network. When the local network requests data for a UE (e.g., UE#1), the UDM determines that the AMF serving UE#1 is AMF#2, and since there is no intersection set between AMF#1 and AMF#2, it refuses to send the UE data for UE#1 to the GMLC; or the UDM determines that the AMF serving UE#1 is AMF#1, and since there is no intersection set between AMF#1 and AMF#1, it sends the UE data for UE#1 to the GMLC.
[0355] S540: The UDM sends a first response message to the GMLC; in other words, the GMLC receives a first response message from the UDM.
[0356] For example, the first response message is a Nudm_SDM_Get or Nudm_UECM_Get response message. If the first response message contains data for the target UE, see the description of the current prior art for subsequent localization procedures. This is not limited to the present invention.
[0357] If the first response message does not contain data for the target UE, or if the first response message is a rejection message or carries a rejection instruction, this location process is terminated.
[0358] In the location procedure shown in Figure 5, before providing the data to the GMLC, the UDM must perform verification based on locally stored information (e.g., terminal device subscription data, first configuration information, or second configuration information), and only provide the data to the GMLC when the GMLC can retrieve the terminal device data, thereby allowing the GMLC to retrieve only a portion of the UE's data and avoiding data leakage. It should be noted that the example shown in Figure 5 is for illustrative purposes only and does not constitute any limitation on the scenarios to which the communication method provided herein may be applied. The communication method provided herein may be further used in other scenarios requiring a second network element in a first network to retrieve user data in the second network. Further details are not described herein.
[0359] It should be understood that the sequence numbers of the aforementioned processes do not represent the execution sequence. The execution sequence of a process should be determined based on the function and internal logic of that process and should not be interpreted as any limitation to the implementation processes of the embodiments of this application.
[0360] In the embodiments of this application, unless otherwise specified or unless there is a logical inconsistency, the terminology and / or descriptions in different embodiments are consistent and may be referenced to one another, and the technical features in different embodiments may be combined on the basis of their internal logical relationships to form new embodiments.
[0361] It should be further understood that in some of the embodiments described above, devices in existing network architectures (e.g., GMLCs or UDMs) are used primarily as illustrative examples. It should be understood that the specific form of the device is not limited to the embodiments of this application. For example, all devices that may implement the same functionality in the future are applicable to the embodiments of this application.
[0362] In the method embodiments described above, it can be understood that the methods and operations performed by the UDM may be performed by components that can be used for the UDM, and the methods and operations performed by the GMLC may be performed by components that can be used for the GMLC.
[0363] The above describes in detail the communication method provided in the embodiments of the present application with reference to Figures 4 and 5. The aforementioned communication method is described primarily in terms of interaction between terminal devices. To implement the aforementioned functions, it can be understood that the terminal devices include corresponding hardware structures and / or software modules for performing the functions.
[0364] Those skilled in the art will be able to recognize, in combination with the example units and algorithmic steps described in the embodiments disclosed herein, that the present application can be implemented in hardware or in combination of hardware and computer software. Whether the functions are performed by hardware or by hardware driven by computer software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for specific applications, but such implementations should not be considered to be beyond the scope of the present application.
[0365] The communication device provided in the embodiments of the present application will be described in detail below with reference to Figures 6 to 8. Please understand that the description of the device embodiment corresponds to the description of the method embodiment. Therefore, for details not described in detail, please refer to the method embodiment described above. For brevity, some details will not be explained again.
[0366] In embodiments of the present application, functional modules of a transmitter or receiver device may be obtained through partitioning based on the examples of the methods described above. For example, each functional module may be obtained through partitioning based on each function, or two or more functions may be integrated into a single processing module. The integrated module may be implemented in hardware form or in the form of a software functional module. Note that in embodiments of the present application, the module partitioning is an example and is merely a logical functional partitioning. In actual implementations, other partitioning schemes may be used. The following explanation is provided by using an example in which each functional module is obtained through partitioning based on each corresponding function.
[0367] Figure 6 is a block diagram of a communication device 10 according to one embodiment of the present invention. The device 10 includes a transceiver module 11 and a processing module 12. The transceiver module 11 can implement corresponding communication functions. The processing module 12 is configured to perform data processing. In other words, the transceiver module 11 is configured to perform operations related to receiving and transmitting, and the processing module 12 is configured to perform operations other than receiving and transmitting. The transceiver module 11 is sometimes referred to as a communication interface or communication unit.
[0368] Optionally, the device 10 may further include a storage module 13. The storage module 13 may be configured to store instructions and / or data. The processing module 12 may read instructions and / or data from the storage module, enabling the device to perform the operation of the device or network element in the method embodiment described above.
[0369] In the first design, the apparatus 10 may correspond to the GMLC in the embodiment of the method described above, or it may be a component of the GMLC (for example, a chip).
[0370] Apparatus 10 can implement the corresponding steps or procedures performed by the GMLC in the method embodiments described above. Transceiver module 11 may be configured to perform the receive and transmit-related operations of the GMLC in the method embodiments described above. Processing module 12 may be configured to perform the processing-related operations of the GMLC in the method embodiments described above.
[0371] In one possible implementation, transceiver module 11 is configured to send a first request message to a memory function network element in a second network, the first request message containing an identifier for a terminal device, and the first request message is used to request the retrieval of data from the terminal device; transceiver module 11 is further configured to receive a first response message from the memory function network element in the second network, the information contained in the first response message containing data from the terminal device, denial information, or the terminal device's publicly available subscriber identifier GPSI or pseudonym.
[0372] If the device 10 is configured to perform the method shown in Figure 4, the transceiver module 11 may be configured to perform steps in the method that transmit information, for example, steps S410 and S420, and the processing module 12 may be configured to perform processing steps in the method.
[0373] If the device 10 is configured to perform the method shown in Figure 5, the transceiver module 11 may be configured to perform steps in the method that transmit information, for example, steps S510, S520, and S540, and the processing module 12 may be configured to perform processing steps in the method.
[0374] It should be understood that the specific process by which the unit performs the corresponding steps described above is described in detail in the method embodiments described above. For the sake of brevity, the details are again not described herein.
[0375] In the second design, the device 10 may correspond to the UDM in the method embodiment described above, or it may be a component of the UDM (for example, a chip).
[0376] The device 10 can implement the corresponding steps or procedures performed by the UDM in the method embodiments described above. The transceiver module 11 may be configured to perform the receive and transmit-related operations of the UDM in the method embodiments described above. The processing module 12 may be configured to perform the processing-related operations of the UDM in the method embodiments described above.
[0377] In one possible implementation, transceiver module 11 is configured to receive a first request message from a gateway mobile location center (GMLC) in a first network, the first request message containing an identifier for a terminal device, and the first request message is used to request the retrieval of data from the terminal device; processing module 12 is configured to respond to the first request message by determining whether the first network is a network permitted to retrieve data from the terminal device; and processing module 12 is further configured to determine, based on the determination result, whether to send the data from the terminal device to the GMLC.
[0378] If the device 10 is configured to perform the method shown in Figure 4, the transceiver module 11 may be configured to perform steps in the method that receive and transmit information, for example, steps S410, S421, S423, S431, S433, S441, S443, S451, S453, and S420, and the processing module 12 may be configured to perform processing steps in the method, for example, steps S411, S422, S424, S432, S434, S442, S444, and S452.
[0379] If the device 10 is configured to perform the method shown in Figure 5, the transceiver module 11 may be configured to perform steps in the method that receive and transmit information, for example, steps S520 and S540, and the processing module 12 may be configured to perform processing steps in the method, for example, step S530.
[0380] It should be understood that the specific process by which the unit performs the corresponding steps described above is described in detail in the method embodiments described above. For the sake of brevity, the details are again not described herein.
[0381] It should be further understood that the apparatus 10 described herein is embodied in the form of a functional module. The term “module” as used herein may mean an application-specific integrated circuit (ASIC), an electronic circuit, a processor (e.g., a shared processor, a dedicated processor, or a group processor) configured to run one or more software or firmware programs, memory, merge logic circuits, and / or other suitable components that support the functions described. In an optional example, those skilled in the art will understand that the apparatus 10 may specifically be a mobility management network element in the embodiments described above, and may be configured to perform procedures and / or steps corresponding to the mobility management network element in the method embodiments described above. Alternatively, the apparatus 10 may specifically be a terminal device in the embodiments described above, and may be configured to perform procedures and / or steps corresponding to the terminal device in the method embodiments described above. To avoid repetition, further details are not described here.
[0382] The device 10 in the aforementioned solution has the function of performing the corresponding steps performed by the network elements (for example, the first network element or the second network element) in the aforementioned method. The function may be implemented by hardware or by hardware running the corresponding software. The hardware or software includes one or more modules corresponding to the aforementioned function. For example, a transceiver module may be replaced by a transceiver (for example, a transmitting unit in a transceiver module may be replaced by a transmitter, and a receiving unit in a transceiver module may be replaced by a receiver), and another unit such as a processing module may be replaced by a processor to perform the receiving and transmitting operations and processing-related operations in the embodiment of the method, respectively.
[0383] In addition, the transceiver module 11 may alternatively be a transceiver circuit (for example, it may include a receiving circuit and a transmitting circuit), and the processing module may be a processing circuit.
[0384] Figure 7 shows another communication device 20 according to one embodiment of the present invention. The device 20 includes a processor 21. The processor 21 is configured to execute computer programs or instructions stored in memory 22, or to read data / signaling stored in memory 22 to perform the method in the embodiment of the method described above. Optionally, one or more processors 21 are present.
[0385] Optionally, as shown in Figure 7, the device 20 further includes a memory 22, which is configured to store computer programs or instructions and / or data. The memory 22 and the processor 21 may be integrated or located separately. Optionally, there may be one or more memories 22.
[0386] Optionally, as shown in Figure 7, the device 20 further includes a transceiver 23. The transceiver 23 is configured to receive and / or transmit signals. For example, the processor 21 is configured to control the transceiver 23 to receive and / or transmit signals.
[0387] In one solution, the device 20 is configured to implement the operations performed by the GMLC in the embodiments of the method described above.
[0388] In an alternative solution, the device 20 is configured to implement the operations performed by the UDM in the embodiments of the method described above.
[0389] It should be understood that the processor in the embodiments of this application may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, etc.
[0390] It should be further understood that the memory in the embodiments of this application may be volatile memory and / or non-volatile memory. Non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory may be random access memory (RAM). For example, RAM may be used as an external cache. As an example, rather than an exhaustive list, RAM includes multiple forms such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synchlink DRAM, SLDRAM), and direct rambus random access memory (direct rambus RAM, DR RAM).
[0391] Note that when the processor is a general-purpose processor, DSP, ASIC, FPGA, or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, memory (storage module) may be integrated into the processor.
[0392] It should be further noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
[0393] Figure 8 shows a chip system 30 according to one embodiment of the present invention. The chip system 30 (which may also be called a processing system) includes a logic circuit 31 and an input / output interface 32.
[0394] The logic circuit 31 may be a processing circuit within the chip system 30. The logic circuit 31 is coupled to a memory unit and can call instructions within the memory unit, so that the chip system 30 can implement the methods and functions of the embodiments of the present invention. The input / output interface 32 may be an input / output circuit within the chip system 30, which outputs information processed by the chip system 30 or inputs data or signaling information to be processed into the chip system 30 for processing.
[0395] In one solution, the chip system 30 is configured to implement the operations performed by the GMLC in the aforementioned method embodiment.
[0396] For example, the logic circuit 31 is configured to implement the processing-related operations performed by the GMLC in the method embodiment described above, and the input / output interface 32 is configured to implement the transmit and / or receive-related operations performed by the GMLC in the method embodiment described above.
[0397] In an alternative solution, the chip system 30 is configured to implement the operations performed by the UDM in the method embodiment described above.
[0398] For example, the logic circuit 31 is configured to implement processing-related operations performed by the UDM in the method embodiment described above, and the input / output interface 32 is configured to implement transmit and / or receive-related operations performed by the UDM in the method embodiment described above.
[0399] One embodiment of the present invention further provides a computer-readable storage medium for storing computer instructions for implementing a method performed by a network element in the aforementioned method embodiment.
[0400] For example, when a computer program is executed by a computer, the computer can implement the method performed by GMLC or UDM in the method embodiments described above.
[0401] One embodiment of the present invention further provides a computer program product including instructions. When the instructions are executed by a computer, the method executed by the device (e.g., GMLC or UDM) in the above-described method embodiment is implemented.
[0402] One embodiment of the present invention further provides a communication system including the aforementioned GMLC and UDM.
[0403] For a description of the relevant aspects and beneficial effects of any one of the devices provided above, please refer to the corresponding embodiments of the methods provided above. Further details are not described herein.
[0404] In some embodiments provided herein, it should be understood that the disclosed apparatus and methods may be implemented in other ways. For example, the described apparatus embodiments are merely examples. For example, the division into units is merely a logical functional division, and other divisions may be used in actual implementations. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or described may be implemented through some interfaces. Indirect coupling or communication connection between apparatus or units may be implemented electronically, mechanically, or in other forms.
[0405] All or part of the embodiments described above may be implemented using software, hardware, firmware, or any combination thereof. When software is used to implement an embodiment, all or part of the embodiment may be implemented in the form of a computer program product. A computer program product includes one or more computer instructions. When a computer program instruction is loaded onto a computer and executed, all or part of the procedures or functions described in the embodiments of this application are generated. The computer may be a general-purpose computer, a dedicated computer, a computer network, or another programmable device. For example, the computer may be a personal computer, a server, a network device, etc. Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic cable, or digital subscriber line (DSL)) or wireless (e.g., infrared, radio waves, microwaves, etc.) method. Computer-readable storage media can be any available medium accessible by a computer, or a data storage device that integrates one or more available media, such as a server or data center. Available media may include magnetic media (e.g., floppy disks, hard disks, or magnetic tapes), optical media (e.g., DVDs), and semiconductor media (e.g., solid-state drives (SSDs)). For example, available media may include, but are not limited to, any medium capable of storing program code, such as USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0406] The foregoing description is merely a specific implementation of the present application and is not intended to limit the scope of protection of the present application. Any modifications or substitutions that are readily conceivable by a person skilled in the art within the scope of the art disclosed herein shall fall within the scope of protection of the present application. Accordingly, the scope of protection of the present application shall be subject to the scope of protection of the claims.
Claims
1. It is a method of communication: A step in which a memory function network element in a second network receives a first request message from a gateway mobile location center in a first network, wherein the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; The memory function network element determines, in response to the first request message, whether the first network is a network that is permitted to acquire the data from the terminal device; The memory function network element determines, based on the determination result, whether to transmit the data from the terminal device to the gateway mobile location center. Methods that include...
2. Before determining whether the first network is a network that is permitted to acquire the data from the terminal device by the memory function network element, the method: The memory function network element further includes the step of determining that the gateway mobile location center and the memory function network element belong to different network domains. The method according to claim 1.
3. The memory function network element can determine that the gateway mobile location center and the memory function network element belong to different network domains, as follows: The memory function network element determines, based on the identifier of the first network included in the first request message, that the gateway mobile location center and the memory function network element belong to different network domains; The memory function network element determines the identifier of the first network based on the Internet Protocol address of the gateway mobile location center, and determines, based on the identifier of the first network, that the gateway mobile location center and the memory function network element belong to different network domains; or, The memory function network element determines the identifier of the first network based on the certificate of the gateway mobile location center, and determines, based on the identifier of the first network, that the gateway mobile location center and the memory function network element belong to different network domains. Includes any one of the following: The method according to claim 2.
4. The memory function network element can determine whether the first network is a network that is permitted to acquire the data from the terminal device: The memory function network element includes determining, based on local configuration information, whether the first network is a network permitted to retrieve the data from the terminal device, wherein the configuration information includes a list of identifiers of networks permitted to retrieve the data from the terminal device. The method according to any one of claims 1 to 3.
5. The memory function network element determines, based on the local configuration information, whether the first network is a network that is permitted to acquire the data from the terminal device: If the identifier of the first network belongs to the list of identifiers of networks permitted to retrieve the data from the terminal device, the storage function network element determines that the first network is a network permitted to retrieve the data from the terminal device; or If the identifier of the first network does not belong to the list of network identifiers that are permitted to retrieve the data from the terminal device, the storage function network element determines that the first network is a network that is not permitted to retrieve the data from the terminal device. The method according to claim 4.
6. The memory function network element can determine whether the first network is a network that is permitted to acquire the data from the terminal device: The memory function network element includes determining whether the first network is a network permitted to acquire the data from the terminal device, based on the correspondence between the mobility management network element serving the terminal device and the mobility management network element corresponding to the first network. The method according to any one of claims 1 to 3.
7. The memory function network element determines, based on the correspondence between the mobility management network element serving the terminal device and the mobility management network element corresponding to the first network, whether the first network is a network permitted to acquire the data from the terminal device: If the mobility management network elements serving the terminal device are a subset of the mobility management network elements corresponding to the first network, the memory function network element determines that the first network is a network permitted to acquire the data from the terminal device; or If the mobility management network elements serving the terminal device are not a subset of the mobility management network elements corresponding to the first network, the memory function network element determines that the first network is a network that is not permitted to acquire the data from the terminal device, The method according to claim 6.
8. The memory function network element determines, based on the determination result, whether to transmit the data from the terminal device to the gateway mobile location center: If the determination result is that the first network is not permitted to acquire the data from the terminal device, the storage function network element may refuse to transmit the data from the terminal device to the gateway mobile location center. The method according to any one of claims 1 to 3.
9. The memory function network element determines, based on the determination result, whether to transmit the data from the terminal device to the gateway mobile location center: If the determination result is that the first network is not permitted to acquire the data from the terminal device, the memory function network element includes transmitting the publicly available subscriber identifier or pseudonym of the terminal device to the gateway mobile location center. The method according to any one of claims 1 to 3.
10. The memory function network element determines, based on the determination result, whether to transmit the data from the terminal device to the gateway mobile location center: If the determination result is that the first network is a network permitted to acquire the data from the terminal device, the storage function network element includes transmitting the data from the terminal device to the gateway mobile location center. The method according to any one of claims 1 to 3.
11. The data of the aforementioned terminal device is: The subscriber permanent identifier of the terminal device, the privacy settings of the terminal device, or the address of the mobility management network element serving the terminal device. The method according to any one of claims 1 to 3, comprising at least one of the above.
12. The method according to any one of claims 1 to 3, wherein the second network is a public network and the first network is a local network.
13. The method according to any one of claims 1 to 3, wherein the first request message includes an identifier for the first network.
14. The method according to any one of claims 1 to 3, wherein the identifier of the terminal device includes a publicly available subscriber identifier of the terminal device or a subscriber concealment identifier of the terminal device.
15. The method further: The method according to any one of claims 1 to 3, comprising transmitting the first request message to the memory function network element by the gateway mobile location center.
16. Before the gateway mobile location center transmits the first request message to the memory function network element, the method further: The gateway mobile location center includes receiving location service requests from mobile location service clients. The method according to any one of claims 1 to 3.
17. A step of receiving a first request message from a gateway mobile location center in a first network, wherein the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; The steps include: determining whether the first network is a network that is permitted to acquire the data from the terminal device in response to the first request message; A step of determining whether to transmit the data from the terminal device to the gateway mobile location center based on the determination result. A communication device configured to perform the following actions.
18. It is a communication device: Memory configured to store computer programs; and The communication device executes the computer program stored in the memory: A step of receiving a first request message from a gateway mobile location center in a first network, wherein the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; The steps include: determining whether the first network is a network that is permitted to acquire the data from the terminal device in response to the first request message; A step of determining whether to transmit the data from the terminal device to the gateway mobile location center based on the determination result. A processor configured to enable the execution of Communication device.
19. A computer-readable storage medium stores computer instructions, and when the computer instructions are executed on the device's computer, the device: A step of receiving a first request message from a gateway mobile location center in a first network, wherein the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; The steps include: determining whether the first network is a network that is permitted to acquire the data from the terminal device in response to the first request message; A step of determining whether to transmit the data from the terminal device to the gateway mobile location center based on the determination result. A computer-readable storage medium that can be used to execute [something].
20. A communication system having a memory function network element in a second network and a gateway mobile location center in a first network, The aforementioned memory function network element is: A step of receiving a first request message from a gateway mobile location center in a first network, wherein the first request message includes an identifier for a terminal device, and the first request message is used to request the acquisition of data from the terminal device; The steps include: determining whether the first network is a network that is permitted to acquire the data from the terminal device in response to the first request message; A step of determining whether to transmit the data from the terminal device to the gateway mobile location center based on the determination result. It is configured to perform the following actions: The aforementioned gateway mobile location center is: It is configured to send a first request message to the memory function network element. Communication system.