Communication system, communication method and related apparatus

By establishing an end-to-end secure link through a communication tunnel between the access network device and the agent network element, and by using secure establishment requests and responses, the problem of communication security between the access network device and the sensing server is solved, and the functions of secure data packet processing and forwarding are realized.

WO2026124599A1 · PCT designated stage · Publication Date: 2026-06-18 · HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
HUAWEI TECH CO LTD
Filing Date
2025-12-11
Publication Date
2026-06-18

AI Technical Summary

Technical Problem

Existing technologies cannot support the establishment of end-to-end secure links between access network devices and sensing servers, resulting in insufficient communication security.

Method used

Through the communication tunnel between the access network device and the agent network element, an end-to-end secure link is established using secure establishment requests and secure establishment responses. The access network device implements the function of processing or forwarding uplink and downlink data packets, and determines whether to process the secure establishment response based on the association relationship.

Benefits of technology

It achieves an end-to-end secure link between access network devices and sensing servers, enhancing the security and flexibility of the communication system and supporting further processing of data packets.

✦ Generated by Eureka AI based on patent content.


Abstract

Provided in the embodiments of the present application are a communication system, a communication method and a related apparatus. The method comprises: transmitting a first uplink message of which the destination address is the address of a proxy network element, the first uplink message comprising a security establishment request of which the destination address is the address of a sensing server, the security establishment request being used for establishing an end-to-end security link between an access network device and the sensing server, and the end-to-end security link being used for transmitting service data corresponding to the sensing server; receiving a first downlink message of which the source address is the address of the proxy network element, the first downlink message comprising a security establishment reply in response to the security establishment request, and the security establishment reply being used for establishing the end-to-end security link between the access network device and the sensing server; and, on the basis of the first downlink message, determining to process the security establishment reply or not to process the security establishment reply. Implementing the present application can support establishing end-to-end security links between access network devices and sensing servers.

Description

Communication systems, communication methods and related devices

[0001] This application claims priority to Chinese Patent Application No. 202411834706.8, filed on December 12, 2024, with the China National Intellectual Property Administration, entitled “Communication System, Communication Method and Related Apparatus”, the entire contents of which are incorporated herein by reference.

Technical Field

[0002] This application relates to the field of communications, and more particularly to a communication system, communication method and related apparatus.

Background Technology

[0003] With the continuous development of mobile communication technology and the enhancement of air interface capabilities, mobile networks are poised for a qualitative leap, moving beyond simply providing voice, SMS, and data services to achieving the Internet of Things. Furthermore, the continuous innovation of information technology is giving rise to new demands and services such as artificial intelligence, immersive experiences, and digital twins, while also placing higher demands on communication networks for information interaction. In addition to improvements in traditional communication capabilities, future mobile communication networks will also provide capabilities in computing, sensing, artificial intelligence, and security. Among these, sensing capabilities will become a crucial capability and characteristic of future mobile communication networks.

[0004] The implementation of sensing can be referenced from the principle of radar: a transmitter sends electromagnetic waves, which are reflected by the object to be sensed and acquired by a receiver. The acquired reflected signals (called sensing data) are then processed to produce the sensing result. The transmitter and receiver in this sensing process can be called sensing nodes. The transmitter and receiver can be terminal devices or access network devices. Different combinations of sensing nodes can yield various sensing modes. In the sensing mode where an access network device acts as a sensing node (e.g., as a transmitter or receiver), the sensing data acquired by the access network device needs to be sent to a sensing server. Current technology cannot support establishing an end-to-end secure link between the access network device and the sensing server.

Summary of the Invention

[0005] This application discloses a communication system, communication method, and related apparatus that can support the establishment of an end-to-end secure link between access network devices and sensing servers.

[0006] In a first aspect, embodiments of this application disclose a communication system, including an access network device, a proxy network element, and a sensing server, wherein: the access network device is configured to send a first uplink message to the proxy network element whose destination address is the address of the proxy network element, the first uplink message including a security establishment request whose destination address is the address of the sensing server, the security establishment request being used to establish an end-to-end secure link between the access network device and the sensing server, the end-to-end secure link being used to send service data corresponding to the sensing server; the proxy network element is configured to send a first downlink message to the access network device whose source address is the address of the proxy network element, the first downlink message including a security establishment response in response to the security establishment request, the security establishment response being used to establish an end-to-end secure link between the access network device and the sensing server; the access network device is further configured to determine, based on the first downlink message, whether to process the security establishment response or not.

[0007] In existing technologies, access network devices act as relay devices between terminal devices and core network devices. When receiving uplink and downlink data packets, the access network device does not decode the data packets but only forwards them. This solution, on the one hand, establishes an end-to-end secure link between the access network device and the sensing server through a secure establishment request and response. On the other hand, in addition to retaining its relay function, the access network device adds the ability to further process uplink and downlink data packets upon receipt, instead of simply forwarding them. Specifically, after receiving the first downlink message, the access network device can determine whether to process the secure establishment response or not based on the information in the first downlink message. In other words, after receiving the first downlink message, the access network device can determine whether to further process the uplink and downlink data packets (process the secure establishment response) or continue forwarding the data packets (without processing the secure establishment response).

[0008] In one possible implementation, the access network device is configured to determine not to process the security establishment response if the source address of the first downlink message is not included in the first association relationship, wherein the first association relationship includes an association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element does not include the address of the proxy network element.

[0009] In this scheme, the communication tunnel between the access network device and the proxy network element is a dedicated communication tunnel. Therefore, the address of the proxy network element can be used to determine whether an end-to-end secure link has been established between the access network device communicating through that proxy network element and the sensing server. That is, if an end-to-end secure link has been established between the sensing server and the access network device, the first association relationship will include the association between the addresses of the sensing server, the access network device, and the proxy network element; if no end-to-end secure link has been established between the sensing server and the access network device, the first association relationship will not include the association between the addresses of the sensing server, the access network device, and the proxy network element. The first association relationship includes the association between the addresses of at least one proxy network element, at least one sensing server, and at least one address of the access network device. The source address of the first downlink message is the address of the proxy network element. If the source address of the first downlink message is not included in the first association relationship, it means that there is no address of the sensing server associated with the address of the proxy network element, nor is there an address of the access network device associated with the address of the proxy network element. In other words, an end-to-end secure link has not yet been established between the access network device communicating through the proxy network element and the sensing server. 
Therefore, when the access network device receives the first downlink message, it can determine that it should perform the forwarding function it has when acting as a relay device (i.e., determine not to process the security establishment reply) instead of proceeding with further processing of the first downlink message (i.e., determine to process the security establishment reply).

[0010] In one possible implementation, the access network device is configured to determine the processing of the security establishment response when the source address of the first downlink message is included in the first association relationship, wherein the first association relationship includes an association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element includes the address of the proxy network element.

[0011] In this scheme, the communication tunnel between the access network device and the proxy network element is a dedicated communication tunnel. Therefore, the address of the proxy network element can be used to determine whether an end-to-end secure link has been established between the access network device communicating through that proxy network element and the sensing server. That is, if an end-to-end secure link has been established between the sensing server and the access network device, the first association relationship will include the association between the addresses of the sensing server, the access network device, and the proxy network element; if no end-to-end secure link has been established between the sensing server and the access network device, the first association relationship will not include the association between the addresses of the sensing server, the access network device, and the proxy network element. The first association relationship includes the association between the addresses of at least one proxy network element, at least one sensing server, and at least one address of the access network device. The source address of the first downlink message is the address of the proxy network element. If the first association includes the source address of the first downlink message, it means that there is an address of a sensing server associated with the address of the proxy network element, and there is an address of an access network device associated with the address of the proxy network element. In other words, an end-to-end secure link has been established between the access network device communicating through the proxy network element and the sensing server. 
Thus, when the access network device receives the first downlink message, it can determine that, rather than performing the forwarding function it has when acting as a relay device (i.e., determining not to process the security establishment reply), it will proceed with the next step of processing the first downlink message (i.e., determine to process the security establishment reply).

[0012] In one possible implementation, the system also includes sensing network elements;

[0013] The sensing network element is configured to send a sensing configuration request to the access network device. The sensing configuration request includes the address of the proxy network element and the address of the sensing server. The access network device is further configured to determine a sensing configuration response in response to the sensing configuration request. The sensing configuration response includes the address of the access network device or an existing link indication. The existing link indication is used to indicate that an end-to-end secure link has been established between the access network device and the sensing server.

[0014] In this scheme, the sensing network element sends a sensing configuration request to the access network device. The sensing configuration request includes the address of the proxy network element and the address of the sensing server. After receiving the sensing configuration request, the access network device can determine the sensing configuration response based on the addresses of the proxy network element and the sensing server in the sensing configuration request. For example, if the first association relationship does not include the association between the address of the proxy network element and the address of the sensing server in the sensing configuration request, it indicates that the sensing server and the access network device have not established an end-to-end secure link; then the access network device determines to include the address of the access network device in the sensing configuration response for establishing an end-to-end secure link between the sensing server and the access network device. If the first association relationship includes the association between the address of the proxy network element and the address of the sensing server in the sensing configuration request, it indicates that the sensing server and the access network device have established an end-to-end secure link; then the access network device determines to include an existing link indication in the sensing configuration response, indicating that it is not necessary to establish an end-to-end secure link between the sensing server and the access network device again. Alternatively, for example, regardless of whether an end-to-end secure link has been established between the sensing server and the access network device, the address of the access network device is included in the sensing configuration response to establish an end-to-end secure link between the sensing server and the access network device.

[0015] In one possible implementation, the access network device is further configured to determine that the sensing configuration response includes the address of the access network device, and add an association between the address of the access network device, the address of the proxy network element, and the address of the sensing server in the first association relationship.

[0016] In this scheme, the access network device determines that the sensing configuration response includes the address of the access network device. The address of the access network device can be self-assigned by the access network device. One possible scenario is that an end-to-end link has not yet been established between the access network device and the sensing server, and the first association relationship does not include the association relationship between the address of the sensing server, the address of the proxy network element, and the address of the access network device. Therefore, the access network device determines that the sensing configuration response includes the address of the access network device. Another possible scenario is that regardless of whether an end-to-end secure link has been established between the access network device and the sensing server, the access network device determines that the sensing configuration response includes the address of the access network device, in order to (re)establish the end-to-end secure link between the access network device and the sensing server. Furthermore, the access network device can also add the association relationship between the address of the access network device, the address of the proxy network element, and the address of the sensing server to the first association relationship, for the purpose of establishing an end-to-end secure link between the sensing server and the access network device.

[0017] In one possible implementation, the sensing configuration request further includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server; the access network device is further used to add the association relationship between the address of the access network device, the address of the proxy network element, the address of the sensing server and the sensing task identifier in the first association relationship.

[0018] In one possible implementation, the address of the at least one sensing server in the first association does not include the address of the sensing server.

[0019] In this scheme, if the address of at least one sensing server in the first association does not include the address of the sensing server, the access network device is used to determine that the sensing configuration response includes the address of the access network device. That is, if the first association does not include the association between the address of the sensing server, the address of the access network device, and the address of the proxy network element, the access network device is used to determine that the sensing configuration response includes the address of the access network device, so as to establish an end-to-end secure link between the access network device and the sensing server.

[0020] In one possible implementation, the access network device is further configured to send a second uplink message to the proxy network element, the second uplink message including a sensing data message, the sensing data message including the service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on the first association relationship.

[0021] In this solution, after establishing an end-to-end secure link between the access network device and the sensing server, the access network device can send sensing data messages to the sensing server. These sensing data messages may include service data.

[0022] In one possible implementation, the access network device is further configured to determine that the sensing configuration response includes the existing link indication if the address of the at least one sensing server in the first association relationship includes the address of the sensing server.

[0023] In this scheme, if the address of at least one sensing server in the first association relationship includes the address of the sensing server, it indicates that the first association relationship includes the association relationship of the address of the sensing server, the address of the proxy network element, and the address of the access network device, that is, an end-to-end secure link has been established between the sensing server and the access network device. Therefore, the access network device determines that the sensing configuration response includes an existing link indication.

[0024] In one possible implementation, the sensing network element is further configured to send a channel configuration request based on the sensing configuration response, the channel configuration request including the address of the access network device or the existing link indication.

[0025] In this scheme, the sensing network element can send the address of the access network device or an existing link indication to the proxy network element in two ways. The first implementation: The sensing network element sends the address of the access network device or an existing link indication to the proxy network element through a session management network element. Specifically, the sensing network element sends a channel configuration request to the session management network element, which includes the address of the access network device or an existing link indication. After receiving the channel configuration request, the session management network element sends a transmission channel configuration to the proxy network element, which includes the address of the access network device or an existing link indication. If the channel configuration request includes the address of the access network device, then the transmission channel configuration includes the address of the access network device; if the channel configuration request includes an existing link indication, then the transmission channel configuration includes an existing link indication. The second implementation: The sensing network element does not need to go through a session management network element; the sensing network element directly sends the address of the access network device or an existing link indication to the proxy network element. Specifically, the sensing network element sends a channel configuration request to the proxy network element, which includes the address of the access network device or an existing link indication.

[0026] In one possible implementation, the channel configuration request includes the address of the access network device.

[0027] The proxy network element is also used to determine a second association relationship, which includes the association relationship between the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0028] In this scheme, the channel configuration request includes the address of the access network device, indicating that an end-to-end secure link needs to be established between the access network device and the sensing server. Therefore, after receiving the channel configuration request that includes the address of the access network device, the proxy network element can determine the second association relationship. The second association relationship includes the association relationship between the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0029] In one possible implementation, the channel configuration request includes the existing link indication.

[0030] The proxy network element is also used to delete a second association, which includes the association between the address of the sensing server and the address of the proxy network element.

[0031] In this scheme, the channel configuration request includes an existing link indication, indicating that an end-to-end secure link has been established between the access network device and the sensing server. However, since the proxy network element established an association relationship (second association relationship) between the address of the sensing server and the address of the proxy network element in the aforementioned steps, the association relationship (second association relationship) between the address of the sensing server and the address of the proxy network element in the aforementioned steps can be deleted after receiving the channel configuration request including the existing link indication.

[0032] In one possible implementation, the system further includes a sensing network element, wherein the first downlink message includes a sensing task identifier, the sensing task identifier being used to identify the sensing service provided by the sensing network element to the sensing server; and the access network device is used to determine the processing of the security establishment response based on a third association relationship including the sensing task identifier, wherein the third association relationship includes an association relationship between at least one sensing task identifier, the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the at least one sensing task identifier includes the sensing task identifier.

[0033] In this scheme, the communication tunnel between the access network device and the proxy network element is a public communication tunnel. Therefore, it is impossible to determine whether an end-to-end secure link has been established between the access network device communicating through the proxy network element and the sensing server based on the address of the proxy network element. In this case, the sensing task identifier can be used to determine whether an end-to-end secure link has been established between the access network device communicating through the proxy network element and the sensing server. That is, if an end-to-end secure link has been established between the sensing server and the access network device, the third association relationship will include the association relationship between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the proxy network element; if an end-to-end secure link has not been established between the sensing server and the access network device, the third association relationship will not include the association relationship between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the proxy network element. The third association relationship includes the association relationship between at least one sensing task identifier, at least one proxy network element address, at least one sensing server address, and at least one address of the access network device. If the third association relationship includes the sensing task identifier, the access network device determines to process the security establishment response; if the third association relationship does not include the sensing task identifier, the access network device determines not to process the security establishment response.

[0034] In one possible implementation, the sensing network element is configured to send a sensing request to the access network device, the sensing request including the address of the proxy network element, the address of the sensing server, and the sensing task identifier; the access network device is further configured to add an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

[0035] In this scheme, the sensing network element sends a sensing request to the access network device. The sensing request includes the address of the proxy network element, the address of the sensing server, and the sensing task identifier. After receiving the sensing request, the access network device adds the association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship, so as to establish an end-to-end secure link between the access network device and the sensing server.

[0036] In one possible implementation, the first uplink message includes the sensing task identifier.

[0037] In this scheme, by including a sensing task identifier in the first uplink message, it can be used to establish an end-to-end secure link between the sensing server and the access network device.

[0038] In one possible implementation, the sensing task identifier is determined by the sensing network element or by the sensing server.

[0039] In this scheme, the sensing task identifier can be determined by the sensing network element, i.e., generated by the sensing network element; or it can be generated by the sensing server. If it is generated by the sensing network element, the sensing network element needs to send the sensing task identifier to the application function network element to ensure the uniqueness of the sensing task identifier.

[0040] In one possible implementation, the proxy network element is further configured to determine a fourth association after obtaining the first uplink message. The fourth association includes the association between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0041] In one possible implementation, the access network device is further configured to send a second uplink message to the proxy network element, the second uplink message including a sensing data message, the sensing data message including the service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on the third association relationship.

[0042] In this solution, after establishing an end-to-end secure link between the access network device and the sensing server, the access network device can send sensing data messages to the sensing server. These sensing data messages may include service data.
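
The lookups described in [0008] to [0023] (dedicated tunnel, keyed by the proxy address) and in [0032] to [0042] (public tunnel, keyed by the sensing task identifier) can be modelled as below. This is an added illustration, not code from the patent: the class and method names, the addresses (documentation ranges) and the "forward" result for an unknown task identifier are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

EXISTING_LINK = "existing-link-indication"  # placeholder for the "existing link indication"


@dataclass(frozen=True)
class Association:
    """One entry of the first (or third) association relationship."""
    proxy_addr: str
    server_addr: str
    an_addr: str                    # address of the access network device
    task_id: Optional[str] = None   # sensing task identifier, if any


@dataclass(frozen=True)
class Downlink:
    """First downlink message: outer header plus the tunnelled response."""
    src_addr: str                   # outer source address = proxy network element
    security_response: bytes        # inner security establishment response
    task_id: Optional[str] = None   # carried when the tunnel is public


class AccessNetworkDevice:
    def __init__(self, dedicated_tunnel, addr_pool):
        self.dedicated_tunnel = dedicated_tunnel
        self._pool = list(addr_pool)   # self-assigned addresses (constructed values)
        self.table = set()             # set of Association entries

    def on_sensing_configuration_request(self, proxy_addr, server_addr, task_id=None):
        """Answer with our own address, or with the existing link indication."""
        for a in self.table:
            if (a.proxy_addr, a.server_addr) == (proxy_addr, server_addr):
                return {"indication": EXISTING_LINK}
        an_addr = self._pool.pop(0)
        self.table.add(Association(proxy_addr, server_addr, an_addr, task_id))
        return {"an_addr": an_addr}

    def on_sensing_request(self, proxy_addr, server_addr, task_id):
        """Public tunnel: record an entry that carries the sensing task identifier."""
        an_addr = self._pool.pop(0)
        self.table.add(Association(proxy_addr, server_addr, an_addr, task_id))
        return an_addr

    def on_first_downlink(self, msg):
        """Return 'process' (handle the response locally) or 'forward' (relay only)."""
        if self.dedicated_tunnel:
            # Dedicated tunnel: the proxy address alone identifies the link.
            hit = any(a.proxy_addr == msg.src_addr for a in self.table)
        else:
            # Public tunnel: the proxy address is ambiguous, so match the task id.
            # Treating a missing or unknown id as 'forward' is an assumption made
            # by analogy with the dedicated-tunnel case.
            hit = msg.task_id is not None and any(
                a.task_id == msg.task_id for a in self.table)
        return "process" if hit else "forward"

    def build_second_uplink(self, server_addr, service_data):
        """Outer destination = proxy, inner destination = sensing server."""
        for a in self.table:
            if a.server_addr == server_addr:
                return {"dst": a.proxy_addr,
                        "inner": {"dst": a.server_addr, "data": service_data}}
        raise LookupError("no association for this sensing server")


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    proxy, server = "192.0.2.10", "198.51.100.5"
    dev = AccessNetworkDevice(True, ["203.0.113.1"])
    print(dev.on_first_downlink(Downlink(proxy, b"resp")))        # before configuration
    print(dev.on_sensing_configuration_request(proxy, server))
    print(dev.on_first_downlink(Downlink(proxy, b"resp")))        # after configuration
    print(dev.on_sensing_configuration_request(proxy, server))    # link already recorded
```
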

[0043] In a second aspect, embodiments of this application disclose a communication method applied to an access network device. The method includes: sending a first uplink message with a destination address being the address of a proxy network element, the first uplink message including a security establishment request with a destination address being the address of a sensing server, the security establishment request being used to establish an end-to-end secure link between the access network device and the sensing server, the end-to-end secure link being used to send service data corresponding to the sensing server; receiving a first downlink message with a source address being the address of the proxy network element, the first downlink message including a security establishment response in response to the security establishment request, the security establishment response being used to establish an end-to-end secure link between the access network device and the sensing server; and determining, based on the first downlink message, whether to process the security establishment response or not.

[0044] In one possible implementation, determining whether to process the security establishment response or not based on the first downlink message includes: if the source address of the first downlink message is not included in the first association relationship, determining not to process the security establishment response, wherein the first association relationship includes an association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element does not include the address of the proxy network element.

[0045] In one possible implementation, determining whether to process the security establishment response or not based on the first downlink message includes: if the source address of the first downlink message is included in the first association relationship, determining to process the security establishment response, wherein the first association relationship includes an association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element includes the address of the proxy network element.

[0046] In one possible implementation, the method further includes: receiving a sensing configuration request sent by a sensing network element, the sensing configuration request including the address of the proxy network element and the address of the sensing server; determining a sensing configuration response in response to the sensing configuration request, wherein the sensing configuration response includes the address of the access network device or an existing link indication, the existing link indication indicating that an end-to-end secure link has been established between the access network device and the sensing server.

[0047] In one possible implementation, determining the sensing configuration response in response to the sensing configuration request includes: determining that the sensing configuration response includes the address of the access network device, and adding an association between the address of the access network device, the address of the proxy network element, and the address of the sensing server in the first association relationship.

[0048] In one possible implementation, the sensing configuration request further includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server. The method further includes adding an association between the address of the access network device, the address of the proxy network element, the address of the sensing server, and the sensing task identifier in the first association relationship.

[0049] In one possible implementation, the address of the at least one sensing server in the first association does not include the address of the sensing server.

[0050] In one possible implementation, the method further includes: sending a second uplink message, the second uplink message including a sensing data message, the sensing data message including the service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on the first association relationship.

[0051] In one possible implementation, the method further includes: determining that the sensing configuration response includes the existing link indication if the address of the at least one sensing server in the first association includes the address of the sensing server.

[0052] In one possible implementation, the first downlink message includes a sensing task identifier, which identifies the sensing service provided by the sensing network element to the sensing server. The method further includes:

[0053] The security establishment response is processed based on the sensing task identifier included in the third association relationship, wherein the third association relationship includes the association relationship between at least one sensing task identifier, the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the at least one sensing task identifier includes the sensing task identifier.

[0054] In one possible implementation, the method further includes: receiving a sensing request, the sensing request including the address of the proxy network element, the address of the sensing server, and the sensing task identifier; and adding an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

[0055] In one possible implementation, the first uplink message includes the sensing task identifier.

[0056] In one possible implementation, the sensing task identifier is determined by the sensing network element or by the sensing server.

[0057] In one possible implementation, the method also includes:

[0058] A second uplink message is sent to the proxy network element. The second uplink message includes a sensing data message, which includes the service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on the third association relationship.
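The access-network-device checks described in [0044] to [0054] can be modeled as a small association table. The following is an added example, not code from the application; the class and method names, the dictionary-shaped responses, and the addresses (documentation ranges) are assumptions made for illustration, and binding the task identifier to the source proxy address is a stricter reading than the text states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Association:
    """One row of an association relationship held by the access network device."""
    proxy_addr: str
    server_addr: str
    device_addr: str
    task_id: Optional[str] = None  # set only for rows of the third association


@dataclass(frozen=True)
class Downlink:
    """First downlink message: outer source address plus the carried response."""
    src_addr: str
    task_id: Optional[str]
    security_response: bytes


class AccessNetworkDevice:
    """Hypothetical model of the table logic; not the application's own design."""

    def __init__(self, device_addr: str) -> None:
        self.device_addr = device_addr
        self.first: List[Association] = []  # first association (no task identifier)
        self.third: List[Association] = []  # third association (with task identifier)

    def handle_sensing_config_request(self, proxy_addr: str, server_addr: str) -> dict:
        """[0046]-[0051]: reply with own address, or with an existing link indication."""
        if any(a.server_addr == server_addr for a in self.first):
            return {"existing_link": True}
        self.first.append(Association(proxy_addr, server_addr, self.device_addr))
        return {"device_addr": self.device_addr}

    def handle_sensing_request(self, proxy_addr: str, server_addr: str, task_id: str) -> None:
        """[0054]: record the task-scoped association in the third association."""
        row = Association(proxy_addr, server_addr, self.device_addr, task_id)
        if row not in self.third:
            self.third.append(row)

    def should_process(self, msg: Downlink) -> bool:
        """[0044], [0045], [0053]: decide whether to process the carried response."""
        if msg.task_id is not None:
            # Assumption: the task identifier must be known AND bound to the
            # proxy address the message came from (the text only requires the
            # identifier to be present in the third association).
            return any(
                a.task_id == msg.task_id and a.proxy_addr == msg.src_addr
                for a in self.third
            )
        # Without a task identifier, the source address must be a known proxy.
        return any(a.proxy_addr == msg.src_addr for a in self.first)

    def route_uplink(self, server_addr: str, task_id: Optional[str] = None) -> Tuple[str, str]:
        """[0050], [0058]: return (outer destination, inner destination)."""
        rows = self.third if task_id is not None else self.first
        for a in rows:
            if a.server_addr == server_addr and a.task_id == task_id:
                return a.proxy_addr, a.server_addr
        raise LookupError("no association for this sensing server")


def demo() -> List[bool]:
    """Run the decisions over constructed messages and return the outcomes."""
    dev = AccessNetworkDevice("192.0.2.10")                     # constructed address
    dev.handle_sensing_config_request("198.51.100.1", "203.0.113.5")
    dev.handle_sensing_request("198.51.100.1", "203.0.113.5", "task-1")
    messages = [
        Downlink("198.51.100.1", None, b"response"),       # known proxy
        Downlink("198.51.100.99", None, b"response"),      # unknown source
        Downlink("198.51.100.1", "task-1", b"response"),   # known task, known proxy
        Downlink("198.51.100.99", "task-1", b"response"),  # known task, wrong source
        Downlink("198.51.100.1", "task-2", b"response"),   # unknown task
    ]
    return [dev.should_process(m) for m in messages]


if __name__ == "__main__":
    print(demo())
```
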

[0059] Thirdly, another communication method provided in this application embodiment is applied to a proxy network element. The method includes: receiving a first uplink message sent by an access network device with the destination address being the address of the proxy network element, the first uplink message including a security establishment request with the destination address being the address of a sensing server, the security establishment request being used to establish an end-to-end secure link between the access network device and the sensing server, and the end-to-end secure link being used to send service data corresponding to the sensing server;

[0060] A first downlink message with the source address of the proxy network element is sent to the access network device. The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server.

[0061] In one possible implementation, the method further includes: receiving a second uplink message, the second uplink message including a sensing data message, the sensing data message including service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on a first association relationship.

[0062] In one possible implementation, the method further includes: determining a second association relationship, which includes the association relationship between the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0063] In one possible implementation, the method further includes: deleting a second association, which includes the association between the address of the sensing server and the address of the proxy network element.

[0064] In one possible implementation, the method further includes: after obtaining the first uplink message, determining a fourth association relationship, which includes the association relationship between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0065] In one possible implementation, the method further includes: receiving a second uplink message, the second uplink message including a sensing data message, the sensing data message including service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on a third association relationship.

[0066] Fourthly, another communication method provided in this application embodiment is applied to a sensing network element. This method includes sending a sensing configuration request to an access network device, the sensing configuration request including the address of the proxy network element and the address of the sensing server.

[0067] In one possible implementation, the method further includes: sending a channel configuration request in response to a sensing configuration, the channel configuration request including the address of the access network device or an indication of an existing link.

[0068] In one possible implementation, the method further includes sending a sensing request to the access network device, the sensing request including the address of the proxy network element, the address of the sensing server, and the sensing task identifier.

[0069] Fifthly, this application discloses a communication device including units, modules, or means for performing the steps of the methods described in the second, third, or fourth aspects or any of the implementation methods therein.

[0070] Sixthly, embodiments of this application disclose another communication device, which can be a terminal device or a network device. The communication device may include a processor configured to execute instructions stored in memory, or via logic circuitry, cause the communication device to perform any of the methods described above or any possible examples.

[0071] In some feasible examples, the communication device also includes one or more of a memory or transceiver for sending and receiving data and / or signaling.

[0072] In a seventh aspect, this application discloses a seventh type of communication device, including a processor and a memory and a communication interface connected to the processor, the memory being used to store one or more programs and configured to be executed by the processor according to any of the steps described above.

[0073] Eighthly, embodiments of this application disclose a communication system that includes the communication device described in any of the above aspects.

[0074] In conjunction with aspects five, six, seven, or eight, in one feasible example, the communication apparatus may include access network equipment, sensing network element, proxy network element, sensing server, application function network element, and session management network element, or apparatus thereof.

[0075] Ninthly, embodiments of this application disclose a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the methods described above.

[0076] In a tenth aspect, embodiments of this application disclose a computer program product for storing a computer program, which, when run on a computer, causes the computer to perform the methods described above.

[0077] Eleventhly, embodiments of this application disclose a first type of chip, including a processor and a memory, wherein the processor is used to call and execute instructions stored in the memory, causing a device on which the chip is mounted to perform the method described above.

[0078] In a twelfth aspect, embodiments of this application disclose a second type of chip, including: an input interface, an output interface, and a processing circuit, wherein the input interface, the output interface, and the processing circuit are connected through an internal connection path, and the processing circuit is used to execute the method of any of the above aspects.

[0079] In a thirteenth aspect, embodiments of this application disclose a third type of chip, including: an input interface, an output interface, and a processor. Optionally, it may also include a memory. The input interface, output interface, processor, and memory are connected through an internal connection path. The processor is used to execute code in the memory. When the code is executed, the processor is used to execute the method in any of the above aspects.

[0080] In a fourteenth aspect, embodiments of this application disclose a chip system including at least one processor, a memory, and an interface circuit. The memory, transceiver, and at least one processor are interconnected via lines. The at least one memory stores a computer program. When executed by the processor, the computer program performs the methods described in any of the above aspects.

Attached Figure Description

[0081] Figure 1 shows two possible network architectures in the 5G network provided in the embodiments of this application;

[0082] Figure 2 is a schematic diagram of the SBA network architecture in the 5G network provided in the embodiment of this application;

[0083] Figure 3 is a schematic diagram of a base station performing a sensing operation according to an embodiment of this application;

[0084] Figure 4 is a schematic diagram of parameters affecting sensing accuracy and resolution provided in an embodiment of this application;

[0085] Figure 5 is a schematic diagram of a user plane protocol stack provided in an embodiment of this application;

[0086] Figure 6 is an interactive schematic diagram of a communication method provided in an embodiment of this application;

[0087] Figure 7 is an interactive schematic diagram of another communication method provided in an embodiment of this application;

[0088] Figure 8 is an interactive schematic diagram of another communication method provided in an embodiment of this application;

[0089] Figure 9 is an interactive schematic diagram of another communication method provided in an embodiment of this application;

[0090] Figure 10 is a schematic diagram of the structure of a communication device provided in an embodiment of this application;

[0091] Figure 11 is a schematic diagram of another communication device provided in an embodiment of this application.

Detailed Implementation

[0092] The technical solution provided in this application will now be described with reference to the accompanying drawings.

[0093] The method provided in this application can be applied to various communication systems, such as: Long Term Evolution (LTE) systems, LTE Frequency Division Duplex (FDD) systems, LTE Time Division Duplex (TDD) systems, 5G mobile communication systems, or new radio access technology (NR). Among these, 5G mobile communication systems can include non-standalone (NSA) and / or standalone (SA) networks.

[0094] The technical solutions provided in this application can also be applied to machine-type communication (MTC), long-term evolution-machine (LTE-M) technology, device-to-device (D2D) networks, machine-to-machine (M2M) networks, Internet of Things (IoT) networks, or other networks. IoT networks, for example, can include vehicle-to-everything (V2X) networks. Communication between a vehicle and other devices is collectively referred to as V2X. For example, V2X can include vehicle-to-vehicle (V2V) communication, vehicle-to-infrastructure (V2I) communication, vehicle-to-pedestrian (V2P) communication, or vehicle-to-network (V2N) communication, etc.

[0095] The technical solutions provided in this application can also be applied to future communication systems, such as 6th Generation (6G) mobile communication systems. This application does not limit the application in this regard.

[0096] To facilitate understanding, the network architecture applicable to the methods provided in the embodiments of this application will be described in more detail first with reference to the accompanying drawings.

[0097] Figures 1(a) and 1(b) illustrate two possible architectures in a 5G network: converged architecture (see Figure 1(a)) and standalone architecture (see Figure 1(b)). The difference between converged and standalone architectures lies in the location of the sensing function (SF) network elements dedicated to sensing services.

[0098] As shown in Figure 1(a), in the converged architecture, the SF can be deployed in the traditional 5G core network (5GC) and connected to other network elements using a service-based architecture (SBA) interface. A more detailed explanation of SBA can be found in Figure 2, which will not be elaborated upon here. The SF connects to network exposure function (NEF) network elements and can interact with servers outside the 5GC through the NEF, such as receiving sensing request messages from external servers. The SF can also connect to user plane function (UPF) network elements, allowing RAN equipment such as base stations to send received sensing data to the SF for processing via the user plane.

[0099] As shown in Figure 1(b), in a standalone architecture, the SF can be deployed outside the traditional 5GC. The SF cannot connect to other network elements using the SBA interface and may need to interact with other 5GC network elements through a NEF (such as NEF 1 in the figure). On one hand, the SF can also connect to a NEF (such as NEF 2 in the figure) to interact with external servers, or the SF can directly interact with external servers without going through the NEF. On the other hand, the SF can connect to RAN equipment to interact with terminal equipment.

[0100] It should be understood that the two possible architectures shown in Figure 1 (a) and (b) are merely illustrative examples of the 5GC architecture and should not be construed as limiting the scope of this application. The methods provided in this application are not limited to use in the two architectures shown in Figure 1.

[0101] Figure 2 is a schematic diagram of the SBA network architecture in a 5G network provided in an embodiment of this application. As shown in Figure 2, the 5G network architecture may include three parts: the terminal, the data network (DN), and the operator network.

[0102] The following is a brief explanation of the network elements involved in Figures 1 and 2.

[0103] A terminal can also be called user equipment (UE), access terminal, user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal equipment, wireless communication equipment, user agent, or user device.

[0104] A terminal is a device with wireless transceiver capabilities. A terminal can communicate with one or more core network (CN) devices (or core equipment) via access network equipment (or access devices) in a wireless access network. Terminal devices can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; they can also be deployed on water (such as on ships); and they can also be deployed in the air (e.g., on airplanes, balloons, and satellites).

[0105] A terminal can also be a terminal in an Internet of Things (IoT) system, also known as an IoT node. IoT is an important component of future information technology development. Its main technical characteristic is connecting objects to networks via communication technologies, thereby realizing an intelligent network that enables human-machine interaction and machine-to-machine interaction. Connections can be made through broadband or narrowband (NB) technologies. IoT technology, for example, can achieve massive connectivity, deep coverage, and low power consumption at the terminal through narrowband technology.

[0106] In this embodiment, the device for implementing the terminal's functions can be a terminal itself, or a device capable of supporting the terminal in implementing those functions, such as a chip system. This device can be installed in the terminal or used in conjunction with the terminal. In this embodiment, the chip system can consist of chips or include chips and other discrete components. This embodiment only uses a terminal as an example to illustrate the device for implementing the terminal's functions and does not limit the solution of this embodiment.

[0107] The terminal in this application can be a hardware device, a software function running on dedicated hardware, a software function running on general-purpose hardware, or a virtualized device, such as a device implemented through general-purpose hardware and instantiated virtualization functions, or dedicated hardware and instantiated virtualization functions. The general-purpose hardware can be a server, such as a cloud server.

[0108] The operator network may include one or more of the following network elements: authentication server function (AUSF) network elements, network exposure function (NEF) network elements, policy control function (PCF) network elements, unified data management (UDM) network elements, network repository function (NRF) network elements, application function (AF) network elements, access and mobility management function (AMF) network elements, session management function (SMF) network elements, user plane function (UPF) network elements, network slice selection function (NSSF) network elements, and access network (AN) network elements (such as radio access network (RAN) network elements). The portion of the operator network excluding the RAN network elements can be referred to as the core network portion. For ease of explanation, the term "network element" will be omitted in the following text. For example, AF network element is abbreviated as AF, UDM network element as UDM, SF network element as SF, and so on.

[0109] RAN is a network composed of multiple RAN nodes, which implements radio physical layer functions, resource scheduling and radio resource management, radio access control, and mobility management functions. 5G-RAN can connect to the user plane function (UPF) through the user plane interface N3 to transmit data from terminal equipment; 5G-RAN establishes a control plane signaling connection with the access and mobility management function (AMF) through the control plane interface N2 to implement functions such as radio access bearer control.

[0110] RAN nodes provide wireless communication services, enabling terminals to access the wireless network. RAN nodes can also be called RAN devices or access network devices, etc.

[0111] In one possible scenario, a RAN node can be a base station, an evolved NodeB (eNodeB), an access point (AP), a transmission reception point (TRP), a next-generation NodeB (gNB), a next-generation base station in a 6th-generation (6G) mobile communication system, or a base station in a future mobile communication system. A RAN node can be a macro base station, a micro base station, an indoor station, a relay node, a donor node, or a radio controller in a cloud radio access network (CRAN) scenario.

[0112] In another possible scenario, multiple RAN nodes collaborate to assist the terminal in achieving wireless access, with each RAN node performing a portion of the base station's functions. For example, RAN nodes can be central units (CUs), distributed units (DUs), CU-control plane (CPs), CU-user plane (UPs), or radio units (RUs), etc. CUs and DUs can be separate entities or included in the same network element, such as a baseband unit (BBU). RUs can be included in radio frequency equipment or radio frequency units, such as remote radio units (RRUs), active antenna units (AAUs), or remote radio heads (RRHs).

[0113] In different systems, CU (or CU-CP and CU-UP), DU, or RU may have different names, but those skilled in the art will understand their meaning. For example, in an open access network (open RAN, O-RAN, or ORAN) system, CU can also be called an open CU (O-CU), DU can also be called an O-DU, CU-CP can also be called an O-CU-CP, CU-UP can also be called an O-CU-UP, and RU can also be called an O-RU. For ease of description, this application uses CU, CU-CP, CU-UP, DU, and RU as examples. Any of the units among CU (or CU-CP, CU-UP), DU, and RU in this application can be implemented through a software module, a hardware module, or a combination of software and hardware modules.

[0114] In this embodiment, the device for implementing the RAN node function can be the RAN node itself; or it can be a device capable of supporting the RAN node in implementing this function, such as a chip system, hardware circuit, software module, or hardware circuit plus software module. This device can be installed in the RAN node or used in conjunction with the RAN node. In this embodiment, the RAN node is used as an example to illustrate the device for implementing the RAN node function, and this does not constitute a limitation on the solution of this embodiment.

[0115] The RAN node in this application can be a hardware device, a software function running on dedicated hardware, a software function running on general-purpose hardware, or a virtualized device, such as through general-purpose hardware and instantiated virtualization functions, or dedicated hardware and instantiated virtualization functions. The general-purpose hardware can be a server, such as a cloud server.

[0116] In another implementation, the RAN node can also be a specific component of the various types of devices mentioned above, such as a dedicated module, computing card, or processing unit, or a specific device attached to the RAN node, such as an external computing module or a pluggable processing unit.

[0117] SF is mainly responsible for processing related to sensing operations, such as determining sensing results or service data based on the acquired sensing data, for example whether someone has intruded, or calculating the distance, direction, and position of surrounding reflective objects within the sensing area.

[0118] The AMF is primarily responsible for terminal authentication, terminal mobility management (MM), network slice selection, and SMF selection; it serves as the anchor point for N1 and N2 signaling connections and provides routing for N1 / N2 session management (SM) messages to the SMF; and it maintains and manages the terminal's state information.

[0119] SMF is primarily responsible for all control plane functions of terminal session management, including UPF selection, Internet Protocol (IP) address allocation, session quality of service (QoS) management, and obtaining PCC (policy and charging control) policies (from PCF).

[0120] UPF serves as the anchor point for protocol data unit (PDU) session connections, and is responsible for filtering terminal data packets, data transmission / forwarding, rate control, and generating billing information.

[0121] The unified data repository (UDR) is primarily used to store user data, including subscription data invoked by UDM, policy information invoked by PCF, structured data used for capability exposure, and application data invoked by NEF.

[0122] UDM is mainly used to manage user data, such as the management of subscription information, including obtaining subscription information from UDR and providing it to other network elements (such as AMF); generating 3GPP authentication credentials for terminals; and registering and maintaining the network elements currently serving the terminal (for example, the AMF represented by AMF ID1 is the current serving AMF of the terminal).

[0123] The NEF is used to connect other internal network elements of the core network with the application function (AF) network elements corresponding to the external application server (AS) of the core network, so as to provide network open capabilities to the AF, or provide information provided by the AF to the core network elements.

[0124] The AUSF is used to perform security authentication on terminals when they access the network.

[0125] PCF primarily controls Quality of Service (QoS) policies and charging policies. It provides configuration policy information to terminals and management policy information to network control plane elements (such as AMF and SMF) for managing terminals.

[0126] The AF primarily conveys the application's requests to the network and can be considered an application server or its proxy. The AF can interact with core network elements to provide services; for example, it can interact with the PCF for service policy control, interact with the NEF to obtain network capability information or provide application information to the network, and provide data network access point information to the PCF to generate routing information for corresponding data services.

[0127] The DN primarily provides service to users. Network elements communicate with each other through interfaces. For example, the interface between the terminal and the AMF is interface N1, the interface between the AN and the AMF is interface N2, the interface between the AN and the UPF is interface N3, the interface between the SMF and the UPF is interface N4, and the interface between the UPF and the DN is interface N6. Some network elements can communicate based on service-oriented interfaces. In Figure 1, Nnssf, Nnef, Nnrf, Npcf, Nudm, Naf, Nusf, Namf, Npcf, and Nsf are service-oriented interfaces. Here, interface Nsf is only one possible name; this application does not limit the name of the service-oriented interface corresponding to SF.

[0128] The above description of the various network elements in the core network and the interfaces between them is merely illustrative and should not constitute any limitation on this application. Furthermore, the network elements shown in the diagram can be understood as network elements in the core network used to implement different functions, such as network slices that can be combined as needed. These core network elements can be independent devices or integrated into the same device to implement different functions; this application does not limit the specific form of the aforementioned network elements.

[0129] It is understood that the network elements used in future communication systems may be any of the aforementioned network elements, or network elements with the same or similar functions under other names; this application does not limit this.

[0130] In this embodiment, the device used to implement the various functions of the core network can be a core network element corresponding to each function; it can also be a device capable of supporting the core network element to implement its respective function, such as a chip system, hardware circuit, software module, or hardware circuit plus software module. This device can be installed in a core network element or used in conjunction with a core network element. In this embodiment, only the device used to implement core network functions is described as a core network element, and this does not constitute a limitation on the solution of this embodiment.

[0131] The core network elements in this application can be hardware devices, software functions running on dedicated hardware, software functions running on general-purpose hardware, or virtualized devices. For example, they can be implemented using general-purpose hardware and instantiated virtualization functions, or dedicated hardware and instantiated virtualization functions. The general-purpose hardware can be a server, such as a cloud server.

[0132] Currently, some base stations or terminals in the radio access network (RAN) possess sensing capabilities through electromagnetic waves and can be used as sensing nodes. The implementation of sensing is similar to the principle of radar: the transmitter (i.e., a sensing node) emits electromagnetic waves, which are reflected by the object to be sensed and acquired by the receiver. The receiver (i.e., a sensing node) can further process the acquired reflected signal (which can be called raw sensing data) to obtain sensing data, which can be used to acquire sensing results or service data.

[0133] For example, when a base station is used as a sensing node, it has the functions shown in Table A and Figure 3. Table A provides examples of the sensing capabilities of speed measuring radar, surveillance radar, and imaging radar.

[0134] Table A

[0135] Figure 3 is a schematic diagram of a base station performing sensing operations. Figure 3 is an example of integrated sensing and communication (ISAC). The base station shown in Figure 3 can reuse electromagnetic wave signals from the communication system for sensing. As shown, the resources for communication and sensing at the base station can be time-division multiplexed (as shown in Figure 3) or space-division multiplexed. The base station can use electromagnetic wave signals for sensing and detection, and can also receive the signals (reflected signals, or echo signals) reflected back after reaching an obstacle (i.e., the detected target), and obtain sensing data based on the echo signals. As shown in Figure 3, the base station can perform serial-to-parallel conversion, phase-shift keying, inverse fast Fourier transform (IFFT), parallel-to-serial conversion, and digital-to-analog conversion on the signals to be transmitted. The base station can also perform analog-to-digital conversion, parallel-to-serial conversion, fast Fourier transform, serial-to-parallel conversion, and demodulation on the received echo signals. The signal to be transmitted can also be sent to a radar processor, so that the radar processor can acquire sensing data based on the signal to be transmitted and the received echo signal (which can be understood to be the echo signal after the above processing). It should be understood that the processing performed by the base station on the signal to be transmitted and the received echo signal shown in Figure 3 is only an example and should not constitute any limitation on this application.

[0136] Sensing nodes in a communication system can perceive and identify designated areas, objects, or events, meeting perception needs in various fields such as autonomous driving, safety monitoring, home health, and weather monitoring. Specific examples are as follows:

[0137] I. Autonomous Driving

[0138] In V2X and unmanned aerial vehicle (UAV) scenarios, for example, since the perception distance of vehicles or drones is short or they cannot perceive non-line-of-sight (NLOS) paths, dynamic maps can be generated based on perception data. Another example is that during vehicle or drone operation, there may be traffic hazards such as pedestrians or non-motorized vehicles suddenly appearing or being in blind spots; these hazards can be identified based on perception data, and the vehicle or drone can be notified to perform emergency operations. Yet another example is in autonomous driving assistance for vehicles or drones, where customized high-precision dynamic maps can be generated based on perception data to assist vehicles or drones in autonomous driving.

[0139] II. Safety Supervision

[0140] In V2X and drone scenarios, it is possible to identify illegal driving by vehicles or drones based on perception data, such as vehicles occupying emergency lanes or drones leaving their flight paths, and to issue real-time alerts.

[0141] In perimeter security scenarios, based on perception data, it can detect situations such as foreign objects intruding into railway tracks or drones intruding into no-fly zones (such as airports), and can track the illegal objects and perform real-time emergency response.

[0142] III. Family Health

[0143] For example, abnormal postures can be identified based on sensory data, thereby detecting falls and issuing timely alerts; or, physiological parameters such as human breathing or heart rate can be obtained from sensory data, thereby identifying abnormalities and issuing timely alerts.

[0144] IV. Meteorological Monitoring

[0145] It can sense and predict changes in the environment, climate, and weather.

[0146] Figure 4 is a schematic diagram of the parameters affecting perception accuracy and resolution. Taking the vehicle-to-everything (V2X) scenario as an example, Figure 4 shows several parameters among the KPIs affecting perception, including perception positioning accuracy (including vertical and horizontal), perception speed accuracy (including vertical and horizontal), and perception resolution (including area and speed).

[0147] 1. Range resolution α: The ability to distinguish nearby targets by distance, usually measured by the smallest resolvable distance interval, used to identify different vehicles.

[0148] 2. Velocity resolution β: The ability to distinguish targets in terms of radial velocity.

[0149] 3. Angular accuracy θ: The radar's ability to distinguish nearby targets by angle, usually measured by the smallest resolvable angle.

[0150] 4. Horizontal field of view (FOV): The FOV shown in Figure 4 is 120°. Under this 120° FOV, the blind spot range in both directions is less than 18m when the two-way road width is 30m, and the blind spot area ratio is <1%.

[0151] To facilitate understanding of the embodiments of this application, the following points will be explained first:

[0152] First, in this application, indication includes explicit indication (also known as direct indication) and implicit indication (also known as indirect indication). Explicitly indicating information A means including information A; implicitly indicating information A means indicating information A through the correspondence between information A and information B together with a direct indication of information B. The correspondence between information A and information B can be predefined, pre-stored, pre-burned, or pre-configured; alternatively, implicit indication can refer to indicating information A through information B and preset rules.

[0153] Second, in this application, information C is used to determine information D, which includes both determining information D based solely on information C and determining it based on information C and other information. Furthermore, information C can also be used to determine information D indirectly, for example, in the case where information D is determined based on information E, and information E is determined based on information C.

[0154] Third, in this application, "at least one" means one or more, and "more than one" means two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can mean: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural. The character " / " generally indicates an "or" relationship between the preceding and following related objects, but it does not exclude the possibility of indicating an "and" relationship; the specific meaning can be understood in context. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can mean: a, b, c; a and b; a and c; b and c; or a and b and c. Here, a, b, and c can be single or multiple.

[0155] Fourth, the use of prefixes such as "first" and "second" in this application is merely for the purpose of distinguishing and describing different things belonging to the same category, and does not constrain the order, size, or quantity of things. For example, "first communication device" and "second communication device" are simply different communication devices, and there is no relationship between them in terms of size or priority.

[0156] Fifth, in this application, "send" and "receive" indicate the direction of signal transmission. For example, "send information to the terminal" can be understood as the destination of the information being the terminal, which may include direct transmission via the air interface or indirect transmission via the air interface from other units or modules. "Receive information from the terminal" can be understood as the source of the information being the terminal, which may include direct reception from the terminal via the air interface or indirect reception from the terminal via the air interface from other units or modules. "Send" can also be understood as the "output" of the chip interface, and "receive" can also be understood as the "input" of the chip interface.

[0157] Sixth, in the embodiments of this application, "when" and "if" both refer to the device performing the corresponding processing under certain objective circumstances; they do not limit the time, do not require the device to perform a judgment action when implemented, and do not imply any other limitation.

[0158] Seventh, in this application, the words "example," "exemplarily," "for example," or "such as" are used to indicate that something is an example, illustration, or description. Any embodiment or design described as "example," "exemplarily," "for example," or "such as" in this application should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of the words "example," "exemplarily," "for example," or "such as" is intended to present the relevant concepts in a specific manner.

[0159] Eighth, this application introduces various message names, such as uplink message, downlink message, perception configuration request, perception configuration reply, perception request, perception reply, etc. These messages are only examples for easy distinction and should not constitute any limitation on this application. This application does not limit the names of each signaling.

[0160] Ninth, the correspondences shown in the tables of this application are merely examples and should not be construed as limiting the scope of this application. The content in each table is only illustrative and can be configured with other content; this application does not limit this. When configuring these correspondences, it is not necessarily required to configure all the correspondences shown in each table. For example, the correspondences shown in some rows may not be configured. For another example, some columns may be replaced with other forms. Furthermore, appropriate modifications and adjustments can be made to the tables shown herein, such as splitting, merging, etc.

[0161] In addition, tables are only one possible form of correspondence. In specific implementations, other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps, or hash tables.

[0162] With the continuous development of mobile communication technology and the enhancement of air interface capabilities, mobile networks are poised for a qualitative leap, moving beyond simply providing voice, SMS, and data services to achieving the Internet of Things. Furthermore, the continuous innovation of information technology is giving rise to new demands and services such as artificial intelligence, immersive experiences, and digital twins, while also placing higher demands on communication networks for information interaction. In addition to improvements in traditional communication capabilities, future mobile communication networks will also provide capabilities in computing, sensing, artificial intelligence, and security. Among these, sensing capabilities will become a crucial capability and characteristic of future mobile communication networks.

[0163] The implementation of sensing can be referenced from the principle of radar, where a transmitter sends electromagnetic waves, which are reflected by the object to be sensed and acquired by a receiver. The acquired reflected signal (called sensing data) is then processed to produce a sensing result. The transmitter and receiver in this sensing process can be called sensing nodes. The transmitter and receiver can be terminal devices or access network devices. Various sensing modes can be obtained based on different combinations of sensing nodes. In the sensing mode where the access network device acts as a sensing node (e.g., as a transmitter or receiver), the sensing data acquired by the access network device needs to be sent to a sensing server. Current technology cannot support establishing an end-to-end secure link between the access network device and the sensing server. Figure 5 below illustrates the problems with the existing technology.

[0164] Please refer to Figure 5, which is a schematic diagram of a user plane protocol stack provided in an embodiment of this application.

[0165] As shown in Figure 5, the user plane network elements used to send UE user plane messages include 5G-AN (i.e., RAN) and UPF. N3 is the interface between RAN and UPF, mainly used to transmit uplink and downlink user plane data between 5G-AN and UPF; N6 is the interface between UPF and DN, used to transmit uplink and downlink user data streams between UPF and DN. The UE's user plane protocol stack may include the application layer, PDU layer, and 5G-AN protocol layer. The access network equipment may include the 5G-AN protocol layer, GTP-U layer, UDP / IP layer, L2 layer, and L1 layer. The UPF may include the PDU layer, GTP-U layer, UDP / IP layer, L2 layer, and L1 layer. Among them, the GTP-U layer and UDP / IP of the UPF and access network equipment can be referred to as GTP-U tunnels. Therefore, the UDP / IP layer can also be referred to as the IP layer of GTP-U or the UDP layer of GTP-U. Specifically, the address of the GTP-U layer and the IP layer of GTP-U on the RAN side, as well as the address of the GTP-U layer and the IP layer of GTP-U on the UPF side, can be used to uniquely identify a GTP-U tunnel. As shown in Figure 5, the UE is the starting point of the uplink data packet and the ending point of the downlink data packet. The UE is responsible for generating routing information at the PDU layer (e.g., IP routing information). Routes between the UE, RAN, and UPF can be matched one-to-one through the communication links between nodes. The RAN maintains the mapping relationship between the air interface communication link between the UE and the RAN and the GTP-U tunnel (e.g., the GTP-U layer address and the GTP-U IP layer address) on the N3 interface (RAN to UPF). 
The UPF maintains the mapping relationship between the downlink data packet address information (e.g., the IP 5-tuple, i.e., source IP address and port number, destination IP address and port number, and transport protocol name) and the GTP-U tunnel (e.g., the GTP-U layer address and the GTP-U IP layer address) on the N3 interface. It should be noted that the embodiments of this application are not limited to the user plane protocol stack shown in Figure 5. The user plane protocol stack shown in Figure 5 is merely exemplary and should not constitute any limitation on the embodiments of this application.

[0166] When the RAN receives a user plane data packet from the UE, it directly obtains the corresponding GTP-U tunnel information based on the air interface communication link and uses the tunnel to send the uplink data packet. The UPF sends the data packet to the server based on the routing information in the PDU layer of the data packet. When the UPF receives a downlink data packet from the server, it determines the GTP-U tunnel information based on the address information of the downlink data packet and uses the tunnel to send the downlink data packet to the RAN. The RAN further determines the air interface communication link based on the GTP-U layer address and the IP-layer address of the tunnel, and uses the link to send the data packet to the UE.

[0167] As shown in Figure 5, for downlink messages, the UPF can index the relevant N3 tunnel based on the IP source address. However, after the RAN receives the downlink message, since the existing RAN protocol stack does not have an upper-layer PDU layer and application layer, the RAN does not continue to parse the upper-layer data packets in the current logic. Since the end-to-end secure link between the access network device and the sensing server depends on the interaction between upper-layer protocols, the existing technology cannot implement the protocol stack processing used to establish upper-layer E2E security. In other words, the existing technology cannot currently support establishing an end-to-end secure link between the access network device and the sensing server.
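The forwarding behaviour of paragraphs [0165] to [0167], as an added example that is not part of the application: the UPF selects the N3 tunnel from the downlink 5-tuple, and the RAN resolves the air-interface link from the tunnel alone and hands the inner packet on unread. Treating the "GTP-U layer address" as the tunnel endpoint identifier (TEID) of the 8-byte GTP-U header is an assumption, and all addresses and link names are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const gPDU = 0xFF // GTP-U message type that carries a user-plane packet

// TunnelKey identifies the RAN end of an N3 tunnel: the GTP-U IP-layer
// address plus the GTP-U layer address (modelled as the TEID, an assumption).
type TunnelKey struct {
	IP   string
	TEID uint32
}

// FiveTuple is the downlink address information the UPF matches on.
type FiveTuple struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Proto            string
}

// Encap prepends the 8-byte mandatory GTP-U header (no optional fields).
func Encap(teid uint32, inner []byte) ([]byte, error) {
	if len(inner) > 0xFFFF {
		return nil, errors.New("inner packet exceeds the 16-bit length field")
	}
	h := make([]byte, 8, 8+len(inner))
	h[0] = 0x30 // version 1, protocol type GTP, E=S=PN=0
	h[1] = gPDU
	binary.BigEndian.PutUint16(h[2:4], uint16(len(inner)))
	binary.BigEndian.PutUint32(h[4:8], teid)
	return append(h, inner...), nil
}

// Decap checks the header and returns the TEID and the inner packet as
// opaque bytes.
func Decap(pkt []byte) (uint32, []byte, error) {
	switch {
	case len(pkt) < 8:
		return 0, nil, errors.New("truncated GTP-U header")
	case pkt[0]&0xF0 != 0x30:
		return 0, nil, errors.New("not GTPv1-U")
	case pkt[0]&0x07 != 0:
		return 0, nil, errors.New("optional header fields not handled here")
	case pkt[1] != gPDU:
		return 0, nil, errors.New("not a G-PDU")
	case int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt)-8:
		return 0, nil, errors.New("length field disagrees with payload")
	}
	return binary.BigEndian.Uint32(pkt[4:8]), pkt[8:], nil
}

// UPF keeps the mapping from downlink 5-tuple to N3 tunnel.
type UPF struct{ flows map[FiveTuple]TunnelKey }

// Downlink picks the tunnel from the packet's address information.
func (u *UPF) Downlink(ft FiveTuple, inner []byte) (TunnelKey, []byte, error) {
	t, ok := u.flows[ft]
	if !ok {
		return TunnelKey{}, nil, errors.New("no N3 tunnel for this flow")
	}
	pkt, err := Encap(t.TEID, inner)
	return t, pkt, err
}

// RAN keeps the mapping from its N3 tunnel end to an air-interface link.
type RAN struct{ links map[TunnelKey]string }

// Downlink resolves the air-interface link from the tunnel alone. The inner
// packet is returned untouched: this stack has no PDU or application layer.
func (r *RAN) Downlink(ranIP string, pkt []byte) (string, []byte, error) {
	teid, inner, err := Decap(pkt)
	if err != nil {
		return "", nil, err
	}
	link, ok := r.links[TunnelKey{IP: ranIP, TEID: teid}]
	if !ok {
		return "", nil, errors.New("tunnel has no air-interface link")
	}
	return link, inner, nil
}

// NewDemo wires one UE flow through constructed addresses.
func NewDemo() (*UPF, *RAN, FiveTuple) {
	ft := FiveTuple{SrcIP: "198.51.100.7", DstIP: "10.45.0.2",
		SrcPort: 443, DstPort: 50000, Proto: "tcp"}
	tun := TunnelKey{IP: "192.0.2.10", TEID: 0x1001}
	return &UPF{flows: map[FiveTuple]TunnelKey{ft: tun}},
		&RAN{links: map[TunnelKey]string{tun: "ue-link-1"}}, ft
}

func main() {
	upf, ran, ft := NewDemo()
	tun, pkt, err := upf.Downlink(ft, []byte("constructed inner PDU"))
	if err != nil {
		panic(err)
	}
	link, inner, err := ran.Downlink(tun.IP, pkt)
	fmt.Println(link, len(inner), err)
}
```

Every downlink packet either maps to a UE link or is rejected; no branch lets the RAN itself consume an upper-layer message, which is the gap paragraph [0167] describes.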

[0168] Based on this, this application proposes a communication method that can support the establishment of an end-to-end secure link between access network devices and sensing servers.

[0169] Please refer to Figure 6, which is a schematic interaction diagram of a communication method provided in an embodiment of this application, and may include the following steps S101 to S120.

[0170] Step S101: The sensing network element obtains the list of access network devices.

[0171] The access network device list may include one or more access network devices, which are access network devices that support establishing end-to-end encryption (E2EE) links with sensing servers. The end-to-end secure link is used to send service data corresponding to the sensing server. In one possible implementation, the access network device list indicates that the access network devices support establishing E2EE secure links with any sensing server. In another possible implementation, the access network device list indicates that the access network devices support establishing E2EE secure links with one or more sensing servers. Further, the access network device list indicates access network devices that support establishing end-to-end E2EE links with sensing servers under specific sensing requirements, or it indicates access network devices that support establishing end-to-end E2EE links with one or more sensing servers under specific sensing requirements. Specific sensing requirements may be one or more of the following: sensing accuracy requirements, sensing service types (e.g., intrusion detection, target tracking, etc.), and sensing scenarios (e.g., vehicle-to-everything (V2X), drones, smart homes, etc.).

[0172] It should be further noted that, in this embodiment, the perception server can be used to process the business data corresponding to the perception server. The business data corresponding to the perception server corresponds to the perception service provided or requested by the perception server. The perception service corresponding to the perception server can be a service that satisfies the perception requirements in multiple aspects as shown in Figure 3 above, or it can be a service for logging the perception processing process or storing business data, etc. When the perception service is for logging the perception processing process, the perception server can also be called a log server; when the perception service is for storing business data, the perception server can also be called a data storage server. This embodiment does not limit this.

[0173] It should be further noted that, in this embodiment of the application, an end-to-end secure link between the access network device and the sensing server means that the information transmitted over the link is readable only by the receiving end and the sending end (i.e., the access network device or the sensing server). That is, only the receiving end and the sending end can apply confidentiality protection to, and remove it from, the transmitted information, while the information is kept confidential from all nodes between the receiving end and the sending end that are used to transmit it, to prevent unauthorized users from accessing the transmitted information.

[0174] In one possible implementation, the access network device may send its perception-related capabilities to the sensing network element. The sensing network element can then obtain these capabilities and determine the list of access network devices. For example, the perception-related capabilities of the access network device may include its E2EE capabilities. These E2EE capabilities indicate that the access network device supports establishing end-to-end secure links with any sensing server. In another possible implementation, the access network device may send its perception-related capabilities for a specific sensing server to the sensing network element. The sensing network element can then obtain these capabilities and determine the list of access network devices. For example, the perception-related capabilities of the access network device may include E2EE capabilities corresponding to one or more sensing server identifiers. These perception-related capabilities indicate that the access network device supports establishing end-to-end secure links with one or more sensing servers corresponding to those identifiers. Optionally, the perception-related capabilities may also include E2EE capabilities corresponding to specific perception requirements. That is, the access network devices in the access network device list are access network devices that support establishing E2EE links with any perception server under specific perception requirements, or access network devices that support establishing end-to-end E2EE links with one or more perception servers corresponding to one or more perception server identifiers under specific perception requirements. In other words, it indicates that the access network device possesses the corresponding E2EE capabilities to meet specific perception requirements. 
These specific perception requirements can be one or more of the following: perception accuracy requirements, perception service types (e.g., intrusion detection, target tracking, etc.), and perception scenarios (e.g., vehicle-to-everything (V2X), drones, smart homes, etc.). Furthermore, when the access network device sends its perception-related capabilities to the perception network element, it also carries the access network device's identifier. Accordingly, the perception network element determines the access network device list based on the access network device's identifier and its perception-related capabilities.

[0175] In another possible implementation, the access network device list is pre-configured in the sensing network element. For example, the access network device list can be pre-configured in the sensing network element by the operator.

[0176] Step S102: The application function network element sends the first sensing message to the sensing network element.

[0177] Correspondingly, the sensing network element receives the first sensing message from the application function network element.

[0178] The first sensing message is used to request the access network device to obtain service data and send a sensing data message to the sensing server. The sensing data message includes the service data corresponding to the sensing server.

[0179] The first sensing message may include one or more of the following: the identifier of the application function network element, external sensing requirements, and the address of the sensing server. The external sensing requirements indicate the application function network element's requirements for the requested service data corresponding to the sensing task performed by the access network device. For example, external sensing requirements may include one or more of the following: sensing location accuracy, sensing speed accuracy, sensing resolution, or the duration required for sensing. As another example, external sensing requirements may include specific sensing requirements mentioned above, such as one or more of vehicle-to-everything (V2X), drones, and smart homes. Alternatively, external sensing requirements may include other sensing requirements. When external sensing requirements include other sensing requirements, the sensing network element or network open function network element can convert the external sensing requirements into sensing requirements.

[0180] Optionally, the first sensing message may also include an E2EE security requirement indication and / or a pre-shared key (PSK) identifier. The E2EE security requirement indication instructs the access network device to send sensing data messages to the sensing server using an end-to-end secure link. The PSK identifier identifies the PSK, which is used to establish E2EE security between the access network device and the sensing server. The PSK can be pre-configured in the access network device.

[0181] Step S103: The sensing network element determines the sensing mode and assigns a sensing task identifier based on the first sensing message.

[0182] In this embodiment, the sensing mode can be one of the following: the access network device acts as a sensing node (e.g., as a transmitter or receiver for sensing). For example: a sensing mode where both the transmitter and receiver are access network device A; a sensing mode where the transmitter is access network device A and the receiver is access network device B; a sensing mode where the transmitter is an access network device and the receiver is a terminal device; and a sensing mode where the transmitter is a terminal device and the receiver is an access network device. The sensing task identifier is used to identify the sensing service provided by the sensing network element to the sensing server. For example, it can be a sensing service, log recording service, or data storage service that meets the sensing requirements in multiple aspects as shown in Figure 3 above. This embodiment does not limit this. The sensing network element determines to trigger the establishment of an end-to-end secure link between the access network device and the sensing server, and selects an access network device that meets E2EE capabilities. An access network device that meets E2EE capabilities can refer to an access network device that has E2EE capabilities and can meet the sensing requirements. Specifically, the sensing network element can select an access network device that meets E2EE capabilities from the list of access network devices obtained in step S101.

[0183] Optionally, the sensing network element determines whether to trigger the access network device to establish an end-to-end secure link with the sensing server based on the E2EE security requirement indication and / or PSK identifier in the first sensing message.

[0184] Step S104: The sensing network element sends a first configuration message to the session management network element.

[0185] Correspondingly, the session management network element receives the first configuration message sent by the sensing network element.

[0186] The first configuration message is used to trigger the session management network element to configure the establishment of a GTP-U tunnel between the access network device and the proxy network element. The first configuration message may include the address of the perception server. The address of the perception server may include at least one of the following: IP address, IP port number, fully qualified domain name (FQDN), or uniform resource locator (URL). Optionally, the first configuration message may also include the identifier of the application function network element.

[0187] Step S105: The session management network element selects the proxy network element.

[0188] In this context, the proxy network element is a network element used to send, receive, and forward the user plane messages (e.g., sensing data messages) exchanged between the access network device and the sensing server. The proxy network element can be a user plane function (UPF), a packet data network gateway (P-GW), or the like; this embodiment does not limit this.

[0189] In one possible implementation, the session management network element can select a proxy network element based on the association between the proxy network element and the application function network element. For example, if the first configuration message includes the identifier of the application function network element, the session management network element can find the proxy network element that is associated with that application function network element based on the identifier. It is understood that the association between a proxy network element and an application function network element indicates that the proxy network element can interact with the perception server associated with the associated application function network element.

[0190] In one possible implementation, the correspondence between proxy network elements and application function network elements can be pre-configured in the session management network element.

[0191] Step S106: The session management network element sends a second configuration message to the proxy network element.

[0192] Correspondingly, the proxy network element receives the second configuration message sent by the session management network element.

[0193] The second configuration message may include the address of the sensing server.

[0194] Step S107: The proxy network element determines its address and associates the address of the sensing server with the address of the proxy network element.

[0195] The proxy network element determines its address by allocating an address based on the second configuration message and associating it with the address of the sensing server. The proxy network element's address is used by the access network device to determine the destination address of uplink messages. The proxy network element's address may include the GTP-U address of the proxy network element and / or the IP address of the proxy network element's GTP-U tunnel. Optionally, the proxy network element may also allocate an external communication address for the access network device. This external communication address is used for communication between the access network device and the sensing server. The access network device's external communication address may include at least one of the following: IP address, IP port number, fully qualified domain name (FQDN), or uniform resource locator (URL). The sensing server's address can be obtained from the second configuration message, and the proxy network element's address can be allocated by the proxy network element.

[0196] Step S108: The proxy network element sends a second configuration reply message to the session management network element.

[0197] Correspondingly, the session management network element receives the second configuration reply message sent by the proxy network element.

[0198] The second configuration reply message may include the address of the proxy network element. Optionally, the second configuration reply message may also include the external communication address of the access network device.

[0199] Step S109: The session management network element sends a first configuration reply message to the sensing network element.

[0200] Correspondingly, the sensing network element receives the first configuration reply message sent by the session management network element.

[0201] The first configuration reply message may include the address of the proxy network element. Optionally, the first configuration reply message may also include an external communication address.

[0202] Step S110: The sensing network element sends a sensing configuration request to the access network device.

[0203] Correspondingly, the access network device receives the sensing configuration request.

[0204] The sensing configuration request may include the address of the proxy network element and the address of the sensing server. Optionally, the sensing configuration request may also include a sensing task identifier. Optionally, the sensing configuration request may also include a PSK or a PSK identifier.

[0205] The PSK identifier can be obtained through pre-configuration in the access network device. Correspondingly, the sensing network element or application function network element is configured with the same PSK identifier as the access network device. In one possible implementation, if the application function network element configures a PSK identifier, it can send the PSK identifier to the sensing network element. In another possible implementation, the access network device can pre-configure multiple PSK identifiers for establishing end-to-end secure links with different sensing servers.

[0206] The sensing network element obtains the pre-shared key (PSK) as follows. First, the sensing network element sends a certificate acquisition request to the access network device to request a certificate. Upon receiving the certificate acquisition request, the access network device sends a certificate acquisition reply, which includes the access network device's certificate. After receiving the certificate acquisition reply, the sensing network element sends a second sensing message, which also includes the access network device's certificate, to the application function network element. Upon receiving the second sensing message, the application function network element generates a PSK and uses the access network device's certificate to protect its confidentiality. Furthermore, the application function network element can also sign the PSK using its own certificate and send it back to the sensing network element, or sign the confidentiality-protected PSK and send it back to the sensing network element. In other words, the PSK obtained by the sensing network element and the PSK in the sensing configuration request are both PSKs whose confidentiality is protected by the access network device's certificate and / or PSKs signed using the application function network element's certificate, together with their signature information.

[0207] Optionally, the sensing configuration request may also include the external communication address of the access network device.

[0208] Step S111: The access network device determines the sensing configuration response in response to the sensing configuration request.

[0209] In other words, the sensing configuration response is a reply to the sensing configuration request. The access network device determines that the sensing configuration response includes the address of the access network device or an existing link indication. The address of the access network device may include the address of the access network device's GTP-U and / or the IP address of the access network device's GTP-U tunnel. The existing link indication is used to indicate that an end-to-end secure link has been established between the access network device and the sensing server. The existing link indication can be either explicit or implicit. The first type is explicit indication: the existing link indication may include two pieces of information (a first part and a second part). The first part indicates that an end-to-end secure link has been established between the access network device and the sensing server, and the second part is the address of the proxy network element, or the address of the sensing server and the address of the proxy network element. In this explicit indication method, the first part explicitly confirms that an end-to-end secure link has been established between the access network device and the sensing server. The proxy network element can use the second part to determine the address of the proxy network element allocated in step S107 and delete the association between the address of the proxy network element and the address of the sensing server. The second type is implicit indication: the existing link indication includes the address of the proxy network element, or includes both the address of the sensing server and the address of the proxy network element. It can be understood that, in either case, the existing link indication implicitly indicates that an end-to-end secure link has been established between the access network device and the sensing server. It can also implicitly indicate to the proxy network element that the association between the address of the proxy network element and the address of the sensing server needs to be deleted.

[0210] In one possible implementation, the access network device determines that the sensing configuration response includes the address of the access network device, and adds an association relationship between the address of the access network device, the address of the proxy network element, and the address of the sensing server in a first association relationship, wherein the first association relationship includes an association relationship between the address of at least one access network device, the address of at least one proxy network element, and the address of at least one sensing server.

[0211] The sensing configuration request received by the access network device may include the addresses of the proxy network element and the sensing server. Therefore, to add the association between the access network device's address, the proxy network element's address, and the sensing server's address to the first association relationship of the access network device, it is necessary to determine the address of the access network device. For example, the address of the access network device can be assigned by the access network device. After obtaining the address of the access network device, and given that the received sensing configuration request may include the addresses of the proxy network element and the sensing server, the association between the addresses of the access network device, the proxy network element, and the sensing server can be added to the first association relationship.

[0212] The access network device's determination that the sensing configuration response includes the address of the access network device can cover the following two scenarios:

[0213] In the first scenario: regardless of whether an end-to-end secure link has been established between the access network device and the sensing server, the access network device ensures that its sensing configuration response includes its address. The first association relationship includes the association between the addresses of at least one proxy network element, at least one sensing server, and at least one address of the access network device. It can be understood that if the first association relationship includes the addresses of the sensing server and the access network device, it can be interpreted as an end-to-end secure link having been established between them. For example, if the first association relationship includes the association between the address of sensing server A and the address of access network device A, it indicates that an end-to-end secure link has been established between sensing server A and access network device A.

[0214] In the second scenario: if the addresses of the at least one sensing server in the first association relationship do not include the address of the sensing server, then the access network device determines that the sensing configuration response includes the address of the access network device.

[0215] In addition to the association between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, the first association relationship may also include the association with the sensing task identifier.

[0216] For example, if the sensing configuration request also includes a sensing task identifier, the access network device can add the association between the address of the access network device, the address of the proxy network element, the address of the sensing server, and the sensing task identifier to the first association relationship.

[0217] Corresponding to the second scenario above, if the addresses of the at least one sensing server in the first association relationship include the address of the sensing server, the access network device determines that the sensing configuration response includes an existing link indication.

[0218] In other words, because the addresses of the at least one sensing server in the first association relationship include the address of the sensing server, the access network device can determine that the sensing server and the access network device have established an end-to-end secure link. Therefore, the access network device can determine that the sensing configuration response includes an existing link indication, without sending the address of the access network device.

[0219] Step S112: The access network device sends a sensing configuration response to the sensing network element.

[0220] Correspondingly, the sensing network element receives the sensing configuration response sent by the access network device.

[0221] The sensing configuration response includes the address of the access network device or an existing link indication. Which of the two it includes is determined as described in step S111 above.

[0222] Step S113: The sensing network element sends a channel configuration request to the session management network element.

[0223] Correspondingly, the session management network element receives the channel configuration request sent by the sensing network element.

[0224] Specifically, the sensing network element sends a channel configuration request based on the sensing configuration response. That is, if the sensing configuration response includes the address of the access network device, the channel configuration request sent by the sensing network element also includes the address of the access network device; if the sensing configuration response includes an existing link indication, the channel configuration request sent by the sensing network element also includes an existing link indication.

[0225] Step S114: The session management network element sends the transmission channel configuration to the proxy network element.

[0226] Correspondingly, the proxy network element receives the transmission channel configuration sent by the session management network element.

[0227] Specifically, the session management network element sends the transmission channel configuration based on the channel configuration request. That is, if the channel configuration request includes the address of the access network device, the transmission channel configuration sent by the session management network element also includes the address of the access network device; if the channel configuration request includes an existing link indication, the transmission channel configuration sent by the session management network element also includes an existing link indication.

[0228] If the transmission channel configuration includes the address of the access network device, the proxy network element executes step S115; if the transmission channel configuration includes an existing link indication, the proxy network element executes step S116.

[0229] Step S115: The proxy network element determines the second association relationship.

[0230] The second association includes the association between the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0231] In step S107, the proxy network element has associated the address of the proxy network element with the address of the sensing server. When step S115 is executed, the transmission channel configuration received by the proxy network element in step S114 includes the address of the access network device. Therefore, the proxy network element can determine the second association relationship; that is, the proxy network element obtains the second association relationship by associating the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0232] Step S116: The proxy network element deletes the second association relationship.

[0233] The second association includes the association between the address of the sensing server and the address of the proxy network element.

[0234] When step S116 is executed, the transmission channel configuration received by the proxy network element in step S114 includes an existing link indication. That is, the sensing server and the access network device have established an end-to-end secure link. In other words, the first association relationship already includes the association between the address of the sensing server, the address of the access network device, and the address of the proxy network element; the proxy network element does not need to re-associate the addresses of the sensing server, the access network device, and the proxy network element. However, in step S107, the proxy network element has already associated its own address with the address of the sensing server to obtain a second association relationship. Therefore, the proxy network element can delete the second association relationship obtained in step S107 and release the proxy network element address allocated in step S107. It can be understood that releasing the proxy network element address can refer to releasing the communication resources associated with that address.

[0235] Step S117: The access network device sends a first uplink message to the proxy network element, with the destination address being the address of the proxy network element.

[0236] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0237] The first uplink message includes a security establishment request with the destination address being the sensing server's address. This security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. This end-to-end secure link is used to send the service data corresponding to the sensing server. The service data corresponding to the sensing server can refer to the service data corresponding to the sensing services provided by the sensing network element to the sensing server; for example, it could be service data related to sensing services, log recording services, or data storage services.

[0238] Specifically, the process of the access network device sending a first uplink message to the proxy network element with the destination address being the address of the proxy network element may include steps S1171 to S1172.

[0239] Step S1171: The access network device sends the first uplink message to the proxy network element.

[0240] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0241] The destination address of the first uplink message is the address of the proxy network element, therefore the first uplink message sent by the access network device can be received by the proxy network element.

[0242] In step S1172, the proxy network element sends a security establishment request to the sensing server.

[0243] Correspondingly, the sensing server receives the security establishment request sent by the proxy network element.

[0244] The first uplink message includes a security establishment request with the destination address being the address of the sensing server. Therefore, after receiving the first uplink message, the proxy network element can send a security establishment request to the corresponding sensing server based on the destination address of the security establishment request in the first uplink message. The source address of the security establishment request can be the external communication address of the access network device.

[0245] In one possible implementation, step S117 may use a PSK or a PSK identifier to establish a secure link between the access network device and the sensing server. Specifically, security may be established using a PSK-based IPSec (internet protocol security) protocol or a PSK-based transport layer security (TLS) protocol.

[0246] For example, an end-to-end secure link can be established based on the PSK identifier pre-configured in the access network device or the PSK corresponding to the PSK identifier in the sensing configuration request received by the access network device in step S110. Alternatively, an end-to-end secure link can be established by decrypting the confidentiality-protected PSK in the sensing configuration request received by the access network device in step S110.

[0247] In another possible implementation, step S117 may use a certificate to establish a secure link between the access network device and the sensing server, for example, by using a certificate-based IPSec protocol or a certificate-based Transport Layer Security (TLS) protocol.

[0248] In step S118, the proxy network element sends a first downlink message to the access network device with the source address being the address of the proxy network element.

[0249] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0250] The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server. The security establishment response is sent by the sensing server to the proxy network element.

[0251] Specifically, the process of the proxy network element sending a first downlink message with the source address of the proxy network element to the access network device may include steps S1181 to S1183.

[0252] Step S1181: The sensing server sends a security establishment response to the proxy network element.

[0253] Correspondingly, the proxy network element receives the security establishment response sent by the sensing server.

[0254] The source address of the security establishment response can be the address of the sensing server, and the destination address of the security establishment response can be the external communication address of the access network device.

[0255] Step S1182: The proxy network element determines the address of the proxy network element that sends the first downlink message.

[0256] Specifically, based on the address of the sensing server, the proxy network element determines the address of the proxy network element corresponding to the address of the sensing server and the address of the access network device in the second association relationship. The address of the proxy network element is the source address of the first downlink message, and the address of the access network device is the destination address of the first downlink message.

[0257] Step S1183: The proxy network element sends a first downlink message with the source address of the proxy network element to the access network device.

[0258] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0259] In step S119, the access network device determines, based on the first downlink message, whether or not to process the security establishment response.

[0260] Access network devices can decide whether to process a security establishment response or not, depending on the circumstances.

[0261] In one possible implementation, if no first association exists, the access network device determines not to process the security establishment response.

[0262] If no first association exists, it means that the access network device has not established an end-to-end secure link with any sensing server. Therefore, the access network device can determine not to process the security establishment response.

[0263] In one possible implementation, if the source address of the first downlink message is not included in the first association, the access network device determines not to process the security establishment response.

[0264] The source address of the first downlink message is the address of the proxy network element. The first association does not include the source address of the first downlink message; that is, the first association does not include the address of the proxy network element. Therefore, it can be concluded that no end-to-end secure link has been established between the access network device and the sensing server. Consequently, because the source address of the first downlink message is not included in the first association, the access network device can determine not to process the security establishment response.

[0265] In one possible implementation, if the first association does not include the association between the source address and the destination address of the first downlink message, the access network device determines not to process the security establishment response.

[0266] The source address of the first downlink message is the address of the proxy network element, and the destination address is the address of the access network device. The first association relationship does not include the association between the source and destination addresses of the first downlink message; that is, it does not include the association between the address of the proxy network element and the address of the access network device. Therefore, it can be concluded that no end-to-end secure link has been established between the access network device and the sensing server. Consequently, because the first association relationship does not include the association between the source and destination addresses of the first downlink message, the access network device can determine not to process the security establishment response.

[0267] In one possible implementation, if the source address of the first downlink message is included in the first association, the access network device determines to process the security establishment response.

[0268] The source address of the first downlink message is the address of the proxy network element. The first association relationship includes the source address of the first downlink message, meaning it includes the address of the proxy network element. Therefore, it can be determined that an end-to-end secure link has been established between the access network device and the sensing server. Thus, because the source address of the first downlink message is included in the first association relationship, the access network device can determine to process the security establishment response.

[0269] In one possible implementation, if the first association includes the association between the source address and the destination address of the first downlink message, the access network device determines to process the security establishment response.

[0270] The source address of the first downlink message is the address of the proxy network element, and the destination address is the address of the access network device. The first association relationship includes the association between the source address and the destination address of the first downlink message; that is, it includes the association between the address of the proxy network element and the address of the access network device. Therefore, it can be determined that an end-to-end secure link has been established between the access network device and the sensing server. Thus, because the first association relationship includes the association between the source and destination addresses of the first downlink message, the access network device can determine to process the security establishment response.

[0271] If the access network device determines to process the security establishment response, step S120 may also be included.

[0272] In step S120, the access network device sends a second uplink message to the proxy network element.

[0273] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0274] The second uplink message may include a sensing data message. The sensing data message may include service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The addresses of the proxy network element and the sensing server are determined based on the first association relationship.

[0275] Specifically, the process of the access network device sending the second uplink message to the proxy network element includes steps S1201 to S1202.

[0276] Step S1201: The access network device sends a second uplink message to the proxy network element.

[0277] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0278] In step S1202, the proxy network element sends a sensing data message to the sensing server.

[0279] Correspondingly, the sensing server receives the sensing data message sent by the proxy network element.

[0280] After receiving the second uplink message, the proxy network element can send the sensing data message to the corresponding sensing server, because the destination address of the sensing data message in the second uplink message is the address of the sensing server.

[0281] The communication method provided in this application embodiment can establish a dedicated communication tunnel (GTP-U and / or GTP-U tunnel IP layer) between the access network device and the sensing server. This allows the access network device to distinguish, based on the tunnel, whether downlink data packets need further parsing by the upper-layer protocol stack, thus enabling the protocol interaction in the upper-layer protocol stack on which establishing an end-to-end secure link relies. In other words, the access network device can determine whether or not to process the security establishment response based on the association between the address of the access network device, the address of the sensing server, and the address of the proxy network element.
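The following Python model is an added illustration, not part of the patent text. It traces the association handling of steps S107, S111 (second scenario), S115/S116, S1182 and S119, including the refusal to parse a security establishment response that arrives from a tunnel endpoint absent from the first association relationship. The class and method names, the dictionary message shapes and the documentation-range addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Association:
    """One entry of the first association relationship (field names are assumptions)."""
    an_addr: str      # GTP-U tunnel address of the access network device
    proxy_addr: str   # GTP-U tunnel address of the proxy network element
    server_addr: str  # address of the sensing server
    task_id: Optional[str] = None  # optional sensing task identifier


class AccessNetworkDevice:
    def __init__(self, local_addrs):
        self._free = list(local_addrs)  # addresses the device may assign to itself
        self.first_association = []     # list of Association entries

    def handle_sensing_config_request(self, proxy_addr, server_addr, task_id=None):
        """S111, second scenario: own address for a new server, else existing link indication."""
        if any(e.server_addr == server_addr for e in self.first_association):
            # Implicit indication: echo the addresses so the proxy can release its allocation.
            return {"existing_link": {"proxy_addr": proxy_addr, "server_addr": server_addr}}
        an_addr = self._free.pop(0)
        self.first_association.append(Association(an_addr, proxy_addr, server_addr, task_id))
        return {"an_addr": an_addr}

    def should_process(self, src, dst, match_pair=True):
        """S119: decide whether the security establishment response is handed to the upper layers."""
        if not self.first_association:
            return False  # no first association exists
        if match_pair:    # source and destination must be associated with each other
            return any(e.proxy_addr == src and e.an_addr == dst for e in self.first_association)
        return any(e.proxy_addr == src for e in self.first_association)  # source only


class ProxyNetworkElement:
    def __init__(self, pool):
        self._pool = list(pool)
        self.second_association = {}  # proxy_addr -> {"server_addr", "an_addr"}

    def allocate(self, server_addr):
        """S107: allocate a proxy address and associate it with the sensing server."""
        proxy_addr = self._pool.pop(0)
        self.second_association[proxy_addr] = {"server_addr": server_addr, "an_addr": None}
        return proxy_addr

    def apply_channel_config(self, proxy_addr, config):
        if "an_addr" in config:   # S115: complete the three-way association
            self.second_association[proxy_addr]["an_addr"] = config["an_addr"]
        else:                     # S116: delete the association and release the address
            released = config["existing_link"]["proxy_addr"]
            self.second_association.pop(released, None)
            self._pool.append(released)

    def downlink_endpoints(self, server_addr):
        """S1182: (source, destination) of the first downlink message for a server's response."""
        for proxy_addr, entry in self.second_association.items():
            if entry["server_addr"] == server_addr and entry["an_addr"] is not None:
                return proxy_addr, entry["an_addr"]
        return None


def run_demo():
    """Constructed scenario: one sensing server, configured twice."""
    server = "203.0.113.5"  # constructed sample addresses (RFC 5737 ranges)
    an = AccessNetworkDevice(["192.0.2.10"])
    proxy = ProxyNetworkElement(["198.51.100.1", "198.51.100.2"])

    first_proxy = proxy.allocate(server)
    proxy.apply_channel_config(first_proxy, an.handle_sensing_config_request(first_proxy, server, "task-1"))
    src, dst = proxy.downlink_endpoints(server)

    second_proxy = proxy.allocate(server)  # a repeated configuration for the same server
    second_reply = an.handle_sensing_config_request(second_proxy, server, "task-2")
    proxy.apply_channel_config(second_proxy, second_reply)

    return {
        "accepted": an.should_process(src, dst),
        "unknown_source": an.should_process("198.51.100.99", dst),
        "released_address": an.should_process(second_proxy, dst),
        "second_reply_is_existing_link": "existing_link" in second_reply,
        "proxy_entries": sorted(proxy.second_association),
    }


if __name__ == "__main__":
    print(run_demo())
```

The `match_pair` flag selects between the two acceptance rules described for step S119: matching on the source address alone, or on the associated source and destination pair.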

[0282] Please refer to Figure 7, which is an interactive schematic diagram of another communication method provided in this application embodiment. Similar to the communication method shown in Figure 6, the communication method shown in Figure 7 also establishes a dedicated communication tunnel (GTP-U and / or GTP-U tunnel IP layer) between the access network device and the sensing server. This allows the access network device to distinguish whether downlink data packets need further parsing of the upper-layer protocol stack based on the tunnel, thus realizing protocol interaction dependent on the establishment of an end-to-end secure link in the upper-layer protocol stack. Unlike the communication method shown in Figure 6, in the communication method shown in Figure 7, the sensing network element, in addition to implementing the functions of the sensing network element in Figure 6, also implements the functions of the session management network element in Figure 6. That is, in the communication method shown in Figure 7, the sensing network element, in addition to executing the steps executed by the sensing network element in Figure 6, also executes the steps executed by the session management network element in Figure 6. The communication method shown in Figure 7 may include the following steps S201 to S216.

[0283] Step S201: The sensing network element obtains the list of access network devices.

[0284] Step S202: The application function network element sends the first sensing message to the sensing network element.

[0285] Correspondingly, the sensing network element receives the first sensing message from the application function network element.

[0286] In step S203, the sensing network element determines the sensing mode and assigns a sensing task identifier based on the first sensing message.

[0287] For the specific implementation of steps S201 to S203, refer to the specific implementation of steps S101 to S103 in Figure 6, which will not be repeated here.

[0288] In step S204, the sensing network element sends a third configuration message to the proxy network element.

[0289] Correspondingly, the proxy network element receives the third configuration message sent by the sensing network element.

[0290] The third configuration message is used to trigger the establishment of a GTP-U tunnel between the access network device and the proxy network element. The third configuration message may include the address of the sensing server. The address of the sensing server may include at least one of the following: IP address, IP port number, fully qualified domain name (FQDN), or uniform resource locator (URL). Optionally, the third configuration message may also include the identifier of the application function network element.

[0291] In this context, the proxy network element is a network element used to send, receive, and forward the user plane messages (e.g., sensing data messages) exchanged between the access network device and the sensing server. The proxy network element can be a user plane function (UPF), a packet data network gateway (P-GW), etc.; this application embodiment does not limit this.

[0292] In one possible implementation, the proxy network element can be selected by the sensing network element based on the association between the proxy network element and the application function network element. For example, if the third configuration message includes the identifier of the application function network element, the sensing network element can find the proxy network element that is associated with that application function network element based on the identifier. It can be understood that the association between the proxy network element and the application function network element indicates that the proxy network element can interact with the sensing server associated with that application function network element.

[0293] In one possible implementation, the correspondence between proxy network elements and application function network elements can be pre-configured in the sensing network element.

[0294] In step S205, the proxy network element determines its address and associates the address of the sensing server with the address of the proxy network element.

[0295] The proxy network element determines its address by assigning an address to itself based on the third configuration message and associating it with the address of the sensing server. The proxy network element's address is used by the access network device to determine the destination address of uplink messages. The proxy network element's address may include the address of the proxy network element's GTP-U and / or the IP address of the proxy network element's GTP-U tunnel. Optionally, the proxy network element may also assign an external communication address to the access network device. This external communication address is used by the access network device to communicate with the sensing server. The access network device's external communication address may include at least one of the following: an IP address, an IP port number, a fully qualified domain name (FQDN), or a uniform resource locator (URL). The address of the sensing server can be obtained from the third configuration message, and the proxy network element's address can be assigned by the proxy network element.

[0296] Step S206: The proxy network element sends a third configuration response message to the sensing network element.

[0297] Correspondingly, the sensing network element receives the third configuration response message sent by the proxy network element.

[0298] The third configuration response message may include the address of the proxy network element. Optionally, the third configuration response message may also include the external communication address of the access network device.

[0299] Step S207: The sensing network element sends a sensing configuration request to the access network device.

[0300] Correspondingly, the access network device receives the sensing configuration request.

[0301] Step S208: The access network device determines the perception configuration response in response to the perception configuration request.

[0302] Step S209: The access network device sends a sensing configuration response to the sensing network element.

[0303] Correspondingly, the sensing network element receives the sensing configuration response sent by the access network device.

[0304] For the specific implementation of steps S207 to S209, refer to steps S110 to S112 in Figure 6; the details are not repeated here.

[0305] Step S210: The sensing network element sends a channel configuration request to the agent network element.

[0306] Correspondingly, the agent network element receives the channel configuration request sent by the sensing network element.

[0307] Specifically, the sensing network element sends a channel configuration request based on the sensing configuration response. That is, if the sensing configuration response includes the address of the access network device, the channel configuration request sent by the sensing network element also includes the address of the access network device; if the sensing configuration response includes an existing link indication, the channel configuration request sent by the sensing network element also includes an existing link indication.

[0308] If the channel configuration request includes the address of the access network device, the proxy network element executes step S211; if the channel configuration request includes an existing link indication, the proxy network element executes step S212.

[0309] Step S211: The agent network element determines the second association relationship.

[0310] Step S212: The agent network element deletes the second association relationship.

[0311] Step S213: The access network device sends a first uplink message to the proxy network element, with the destination address being the address of the proxy network element.

[0312] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0313] Specifically, the process of the access network device sending a first uplink message to the proxy network element with the destination address being the address of the proxy network element may include steps S2131 to S2132.

[0314] Step S2131: The access network device sends the first uplink message to the agent network element.

[0315] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0316] In step S2132, the agent network element sends a security establishment request to the perception server.

[0317] Correspondingly, the perception server receives the security establishment request sent by the proxy network element.

[0318] In step S214, the proxy network element sends a first downlink message to the access network device with the source address being the address of the proxy network element.

[0319] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0320] Specifically, the process of the proxy network element sending a first downlink message with the source address of the proxy network element to the access network device may include steps S2141 to S2143.

[0321] Step S2141: The perception server sends a security establishment response to the agent network element.

[0322] Correspondingly, the agent network element receives the security establishment response sent by the sensing server.

[0323] In step S2142, the proxy network element determines the address of the proxy network element that will send the first downlink message.

[0324] Specifically, based on the address of the sensing server, the proxy network element determines the address of the proxy network element corresponding to the address of the sensing server in the second association relationship. The address of this proxy network element is the source address of the first downlink message.

[0325] Step S2143: The proxy network element sends the first downlink message to the access network device.

[0326] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0327] In step S215, the access network device determines whether to process the security establishment reply or not based on the first downlink message.

[0328] If the access network device determines to process the security establishment response, step S216 may also be included.

[0329] Step S216: The access network device sends a second uplink message to the agent network element.

[0330] Specifically, the process of the access network device sending the second uplink message to the agent network element includes steps S2161 to S2162.

[0331] Step S2161: The access network device sends a second uplink message to the agent network element.

[0332] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0333] In step S2162, the agent network element sends a sensing data message to the sensing server.

[0334] Correspondingly, the perception server receives perception data messages sent by the agent network element.

[0335] For the specific implementation of steps S211 to S216, refer to steps S115 to S120 of Figure 6. For steps S2131 to S2132, refer to steps S1171 to S1172 of Figure 6. For steps S2141 to S2143, refer to steps S1181 to S1183 of Figure 6. For steps S2161 to S2162, refer to steps S1201 to S1202 of Figure 6. The details are not repeated here.

[0336] Please refer to Figures 8 and 9, which are interactive schematic diagrams of another communication method provided in the embodiments of this application. Unlike the communication methods shown in Figures 6 and 7, where the GTP-U and / or GTP-U tunnel IP layer is a dedicated communication tunnel between the access network device and the sensing server, the communication methods shown in Figures 8 and 9 use the GTP-U and / or GTP-U tunnel IP layer as a shared communication tunnel between the access network device and multiple sensing servers. In the communication methods shown in Figures 8 and 9, the access network device determines whether to process the security establishment response or not through the sensing task identifier.

[0337] The communication method shown in Figure 8 may include the following steps S301 to S310.

[0338] Step S301: The access network device establishes a tunnel with the agent network element.

[0339] That is, IP layer links for GTP-U and GTP-U tunnels are established between the access network device and the agent network element.

[0340] Step S302: The sensing network element acquires tunnel information.

[0341] Tunnel information refers to information about the tunnel established between the access network device and the proxy network element. Tunnel information may include the address of the access network device and / or the address of the proxy network element. The address of the access network device may include at least one of the following: the address of the access network device's GTP-U and / or the IP address of the access network device's GTP-U tunnel. The address of the proxy network element may include at least one of the following: the address of the proxy network element's GTP-U and / or the IP address of the proxy network element's GTP-U tunnel.

[0342] It should be noted that the execution order of each step in the various embodiments provided in this application is not limited without affecting the execution of subsequent steps. That is, if step A and step B are independent of each other and have no necessary connection, step A can be executed first and then step B, or step B can be executed first and then step A, or steps A and B can be executed simultaneously. For example, in one implementation, the sensing network element can obtain tunnel information from the proxy network element after step S301. That is, step S302 can be executed first, and then the subsequent step S303 can be executed. In another implementation, the sensing network element can execute step S302 to obtain tunnel information from the proxy network element after receiving the third sensing message of the subsequent step S303.

[0343] Step S303: The application function network element sends a third sensing message to the sensing network element.

[0344] Correspondingly, the sensing network element receives third sensing messages from the application function network element.

[0345] The third sensing message is used to request the access network device to obtain service data and send a sensing data message to the sensing server. The sensing data message includes the service data corresponding to the sensing server.

[0346] The third sensing message includes a sensing task identifier. This identifier can be determined by the application function network element or the sensing server. The sensing task identifier is unique among the application function network element and the sensing server, and can be used to index a specific sensing task requested by the application function network element and the sensing server, as well as to identify the sensing service provided by the sensing network element to the sensing server. For example, it could be a sensing service, log recording service, or data storage service to meet the sensing requirements in multiple aspects as shown in Figure 3 above. This embodiment of the application does not limit this. The third sensing message may also include one or more of the following: the identifier of the application function network element, external sensing requirements, and the address of the sensing server. The external sensing requirements are used to instruct the application function network element on the requirements of the requested service data for the description corresponding to the sensing task performed by the access network device. For example, external sensing requirements may include one or more of the following: sensing location accuracy, sensing speed accuracy, sensing resolution, or the duration required for sensing. For another example, external sensing requirements may include the specific sensing requirements mentioned above, such as one or more of vehicle-to-everything (V2X), drones, and smart homes. Alternatively, external sensing requirements may include other sensing requirements. When external sensing requirements include other sensing requirements, the sensing network element or network open function network element can convert the external sensing requirements into sensing requirements.

[0347] Optionally, the third sensing message may also include an E2EE security requirement indication and / or a pre-shared key (PSK) identifier. The E2EE security requirement indication instructs the access network device to send sensing data messages to the sensing server using an end-to-end secure link. The PSK identifier identifies the PSK, which is used to establish E2EE security between the access network device and the sensing server. The PSK can be pre-configured in the access network device.

[0348] In step S304, the sensing network element determines the sensing mode and selects the access network device based on the third sensing message.

[0349] In this embodiment of the application, the sensing mode can be one of the following: the access network device acts as a sensing node (e.g., as a sensing transmitter or receiver). For example: the sensing mode in which both the transmitter and receiver are access network device A; the sensing mode in which the transmitter is access network device A and the receiver is access network device B; the sensing mode in which the transmitter is access network device and the receiver is a terminal device; and the sensing mode in which the transmitter is a terminal device and the receiver is an access network device.

[0350] The sensing network element determines whether to trigger the establishment of an end-to-end secure link between the access network device and the sensing server, and selects an access network device that meets E2EE capabilities. An access network device meeting E2EE capabilities refers to an access network device that possesses E2EE capabilities and meets the sensing requirements. Specifically, the sensing network element can select an access network device meeting E2EE capabilities from a list of access network devices. This list may include one or more access network devices, and the access network devices in the list are those that support establishing an end-to-end secure (E2EE) link with the sensing server. The end-to-end secure link is used to send service data corresponding to the sensing server. In one possible implementation, the access network device list is used to indicate that the access network device supports establishing an E2EE secure link with any sensing server. In another possible implementation, the access network device list is used to indicate that the access network device supports establishing an E2EE secure link with one or more sensing servers. Furthermore, the access network device list is used to indicate access network devices that support establishing end-to-end E2EE links with sensing servers under specific sensing requirements, or the access network device list is used to indicate access network devices that support establishing end-to-end E2EE links with one or more sensing servers under specific sensing requirements. Specific sensing requirements can be one or more of the following: sensing accuracy requirements, sensing service types (e.g., intrusion detection, target tracking, etc.), and sensing scenarios (e.g., connected vehicles, drones, smart homes, etc.).

[0351] It should be further noted that, in this embodiment, the perception server can be used to process the business data corresponding to the perception server. The business data corresponding to the perception server corresponds to the perception service provided or requested by the perception server. The perception service corresponding to the perception server can be a service that satisfies the perception requirements in multiple aspects as shown in Figure 3 above, or it can be a service for logging the perception processing process or storing business data, etc. When the perception service is for logging the perception processing process, the perception server can also be called a log server; when the perception service is for storing business data, the perception server can also be called a data storage server. This embodiment does not limit this.

[0352] It should be further noted that, in this embodiment of the application, the end-to-end secure link between the access network device and the sensing server means that the information transmitted over this link is readable only by the receiving end and the sending end (i.e., the access network device or the sensing server). That is, only the receiving end and the sending end can apply and remove confidentiality protection on the transmitted information, and the information is kept confidential from all intermediate nodes that carry it between the receiving end and the sending end, to prevent unauthorized users from accessing the transmitted information.

[0353] In one possible implementation, the access network device may send its perception-related capabilities to the sensing network element. The sensing network element can then obtain these capabilities and determine the list of access network devices. For example, the perception-related capabilities of the access network device may include its E2EE capabilities. These E2EE capabilities indicate that the access network device supports establishing end-to-end secure links with any sensing server. In another possible implementation, the access network device may send its perception-related capabilities for a specific sensing server to the sensing network element. The sensing network element can then obtain these capabilities and determine the list of access network devices. For example, the perception-related capabilities of the access network device may include E2EE capabilities corresponding to one or more sensing server identifiers. These perception-related capabilities indicate that the access network device supports establishing end-to-end secure links with one or more sensing servers corresponding to those identifiers. Optionally, the perception-related capabilities may also include E2EE capabilities corresponding to specific perception requirements. That is, the access network devices in the access network device list are access network devices that support establishing E2EE links with any perception server under specific perception requirements, or access network devices that support establishing end-to-end E2EE links with one or more perception servers corresponding to one or more perception server identifiers under specific perception requirements. In other words, it indicates that the access network device possesses the corresponding E2EE capabilities to meet specific perception requirements. These specific perception requirements can be one or more of the following: perception accuracy requirements, perception service types (e.g., intrusion detection, target tracking, etc.), and perception scenarios (e.g., vehicle-to-everything (V2X), drones, smart homes, etc.). Furthermore, when the access network device sends its perception-related capabilities to the perception network element, it also carries the access network device's identifier. Accordingly, the perception network element determines the access network device list based on the access network device's identifier and its perception-related capabilities.

[0354] In another possible implementation, the list of access network devices can be pre-configured in the sensing network element. For example, the list of access network devices can be pre-configured in the sensing network element by the operator.

[0355] Optionally, the sensing network element determines whether to trigger the access network device to establish an end-to-end secure link with the sensing server based on the E2EE security requirement indication and / or PSK identifier in the third sensing message.

[0356] S305, the sensing network element sends a sensing request to the access network device.

[0357] Correspondingly, the access network device receives the sensing request sent by the sensing network element.

[0358] The perception request may include the address of the proxy network element, the address of the perception server, and the perception task identifier. The address of the proxy network element can be determined based on the tunnel information obtained in step S302.

[0359] In this context, the proxy network element is a network element used to send, receive, and forward user plane messages (e.g., sensing data messages) exchanged between the access network device and the sensing server. The proxy network element can be a user plane function (UPF) or a packet data network gateway (P-GW), etc.; this embodiment of the application does not limit this.

[0360] In one possible implementation, the proxy network element can be selected by the sensing network element based on the association between the proxy network element and the application function network element. That is, the sensing network element can select the proxy network element based on the association between the proxy network element and the application function network element. For example, if the third configuration message includes the identifier of the application function network element, the sensing network element can find the proxy network element that is associated with that application function network element based on the identifier. It can be understood that the association between the proxy network element and the application function network element indicates that the proxy network element can interact with the sensing server associated with the associated application function network element.

[0361] In one possible implementation, the correspondence between agent network elements and application function network elements can be obtained by pre-configuring the sensing network elements.

[0362] The tunnel information acquired by the sensing network element in step S302 includes the address of the proxy network element. Therefore, after selecting the proxy network element, the sensing network element can determine its address.

[0363] Optionally, the perception request may also include a PSK or a PSK identifier.

[0364] The PSK identifier can be obtained through pre-configuration in the access network device. Correspondingly, the sensing network element or application function network element is configured with the same PSK identifier as the access network device. In one possible implementation, if the application function network element configures a PSK identifier, it can send the PSK identifier to the sensing network element. In another possible implementation, the access network device can pre-configure multiple PSK identifiers for establishing end-to-end secure links with different sensing servers.

[0365] The sensing network element obtains the PSK in the following way: First, the sensing network element sends a certificate acquisition request to the access network device to request a certificate. Upon receiving the certificate acquisition request, the access network device sends a certificate acquisition reply, which includes the access network device's certificate. After receiving the certificate acquisition reply, the sensing network element sends a second sensing message to the application function network element, which also includes the access network device's certificate. Upon receiving the second sensing message, the application function network element generates a PSK and uses the access network device's certificate to protect its confidentiality. Furthermore, the application function network element can also sign the PSK using its own certificate and send it back to the sensing network element, or sign the confidentiality-protected PSK and send it back to the sensing network element. In other words, the PSK obtained by the sensing network element and the PSK in the sensing configuration request are both PSKs with confidentiality protected by the access network device's certificate and / or PSKs generated using the application function network element's certificate, and their signature information.

[0366] Optionally, the sensing request may also include the external communication address of the access network device. This external communication address can be obtained by the sensing network element from the proxy network element in step S302, or it can be assigned to the access network device by the sensing network element. This external communication address of the access network device is used for communication between the access network device and the sensing server. The external communication address of the access network device may include at least one of the following: IP address, IP port number, fully qualified domain name (FQDN), or uniform resource locator (URL).

[0367] Step S306: The access network device adds an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship based on the sensing request.

[0368] The third association relationship includes the association relationship between at least one sensing task identifier, at least one agent network element address, at least one sensing server address, and at least one address of the access network device.

[0369] In step S301, the access network device has established a tunnel with the proxy network element. Therefore, based on the address of the proxy network element included in the sensing request, the access network device can determine the address of the access network device that has established a tunnel with the proxy network element. Thus, the access network device can add an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

[0370] Step S307: The access network device sends a first uplink message to the proxy network element, with the destination address being the address of the proxy network element.

[0371] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0372] The first uplink message includes a security establishment request with the destination address being the sensing server's address. This security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. This end-to-end secure link is used to send the service data corresponding to the sensing server. The service data corresponding to the sensing server can refer to the service data corresponding to the sensing services provided by the sensing network element to the sensing server; for example, it could be service data related to sensing services, log recording services, or data storage services.

[0373] In one possible implementation, the first uplink message includes a sensing task identifier. This sensing task identifier can be included in the GTP-U layer header and / or the IP layer header of the GTP-U packet. Optionally, the access network device may also include the sensing task identifier in the security establishment request.

[0374] Specifically, the process of the access network device sending a first uplink message to the proxy network element with the destination address being the address of the proxy network element may include steps S3071 to S3073.

[0375] Step S3071: The access network device sends the first uplink message to the agent network element.

[0376] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0377] The destination address of the first uplink message is the address of the proxy network element, therefore the first uplink message sent by the access network device can be received by the proxy network element.

[0378] Step S3072: The agent network element determines the fourth association relationship.

[0379] The fourth association includes the association between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the agent network element.

[0380] In one possible implementation, the proxy network element obtains the sensing task identifier in the first uplink message. Based on the first acquisition of the sensing task identifier, the proxy network element determines that the security establishment request carried in the first uplink message is used to establish an end-to-end secure link between the access network device and the sensing server, and then determines that a fourth association relationship needs to be maintained. The sensing server obtains the address of the sensing server based on the destination address of the security establishment request message.

[0381] In step S3073, the agent network element sends a security establishment request to the perception server.

[0382] Correspondingly, the perception server receives the security establishment request sent by the proxy network element.

[0383] The first uplink message includes a security establishment request with the destination address being the address of the sensing server. Therefore, after receiving the first uplink message, the agent network element can send a security establishment request to the corresponding sensing server based on the destination address of the security establishment request in the first uplink message. The source address of the security establishment request can be the external communication address of the access network device. The security establishment request may include a sensing task identifier.

[0384] In one possible implementation, step S307 may use a PSK or a PSK identifier to establish a secure link between the access network device and the sensing server. Specifically, security may be established using a PSK-based IPSec (internet protocol security) protocol or a PSK-based transport layer security (TLS) protocol.

[0385] For example, an end-to-end secure link can be established based on the PSK identifier pre-configured in the access network device or the PSK identifier corresponding to the PSK identifier in the sensing configuration request received by the access network device in step S110. Alternatively, an end-to-end secure link can be established by decrypting the confidentiality-protected PSK in the sensing configuration request received by the access network device in step S110.

[0386] In another possible implementation, step S307 can use a certificate to establish a secure link between the access network device and the sensing server, for example, by using a certificate-based IPSec protocol or a certificate-based Transport Layer Security (TLS) protocol.

[0387] Optionally, the agent network element obtains the sensing task identifier in the first uplink message in step S3072 and sends the sensing task identifier to the sensing server in the security establishment request.

[0388] In step S308, the proxy network element sends a first downlink message to the access network device with the source address being the address of the proxy network element.

[0389] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0390] The first downlink message includes a security establishment response in response to the security establishment request. This response is used to establish an end-to-end secure link between the access network device and the sensing server. The security establishment response is sent by the sensing server to the proxy network element. Specifically, the proxy network element sending the first downlink message with its source address as the proxy network element's address to the access network device may include steps S3081 to S3083.

[0391] Step S3081: The perception server sends a security establishment response to the agent network element.

[0392] Correspondingly, the agent network element receives the security establishment response sent by the sensing server.

[0393] The source address of the security establishment response can be the address of the sensing server, and the destination address can be the external communication address of the access network device. The security establishment response may include a sensing task identifier.

[0394] In one possible implementation, the perception server obtains the perception task identifier from the security establishment request and carries the perception task identifier in the security establishment response to the security establishment request.

[0395] In step S3082, the proxy network element determines the address of the proxy network element that will send the first downlink message.

[0396] Specifically, based on the sensing task identifier, the proxy network element determines the address of the proxy network element corresponding to the sensing task identifier and the address of the access network device in the fourth association relationship. The address of the proxy network element is the source address of the first downlink message, and the address of the access network device is the destination address of the first downlink message.

[0397] In step S3083, the proxy network element sends a first downlink message to the access network device with the source address being the address of the proxy network element.

[0398] Correspondingly, the access network device receives the first downlink message sent by the proxy network element. In one possible implementation, the proxy network element carries the sensing task identifier in the GTP-U layer header and/or the IP layer header of the GTP-U in the first downlink message.

[0399] In step S309, the access network device determines, based on the first downlink message, whether or not to process the security establishment response.

[0400] The access network device can determine to process or not to process the security establishment response, depending on the circumstances.

[0401] In one possible implementation, if the first downlink message does not include a sensing task identifier, the access network device determines not to process the security establishment response.

[0402] In one possible implementation, if the first downlink message includes a sensing task identifier, and the at least one sensing task identifier in the third association relationship does not include that sensing task identifier, the access network device determines not to process the security establishment response.

[0403] In one possible implementation, if the first downlink message includes a sensing task identifier, and the at least one sensing task identifier in the third association relationship includes that sensing task identifier, the access network device determines to process the security establishment response.

[0404] In step S310, the access network device sends a second uplink message to the proxy network element.

[0405] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0406] The second uplink message may include a sensing data message. The sensing data message may include service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The addresses of the proxy network element and the sensing server are determined based on a third association relationship.

[0407] Specifically, the process of the access network device sending the second uplink message to the proxy network element includes steps S3101 to S3102.

[0408] Step S3101: The access network device sends a second uplink message to the proxy network element.

[0409] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0410] In step S3102, the proxy network element sends a sensing data message to the sensing server.

[0411] Correspondingly, the sensing server receives the sensing data message sent by the proxy network element.

[0412] After receiving the second uplink message, the proxy network element can send the sensing data message to the corresponding sensing server, because the destination address of the sensing data message in the second uplink message is the address of the sensing server.
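The following added example (not part of the patent text) models steps S3082, S309 and S310 as plain Python: the proxy network element picks the outer addresses from the fourth association relationship, and the access network device filters the first downlink message against the third association relationship. Class and field names, the sample addresses, the use of a single address for the access network device, and the choice to drop a response that matches no row are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses (documentation ranges), not values from the page.
AN_ADDR = "192.0.2.10"       # access network device
PROXY_ADDR = "192.0.2.1"     # proxy network element
SERVER_ADDR = "203.0.113.5"  # sensing server


@dataclass(frozen=True)
class Association:
    """One row of the third (access network device) or fourth (proxy) association."""
    task_id: str
    proxy_addr: str
    server_addr: str
    an_addr: str


@dataclass(frozen=True)
class InnerMessage:
    """Security establishment request/response, or a sensing data message."""
    src: str
    dst: str
    payload: bytes
    task_id: Optional[str] = None


@dataclass(frozen=True)
class TunnelMessage:
    """Outer message on the tunnel; task_id models the tunnel-header field."""
    src: str
    dst: str
    inner: InnerMessage
    task_id: Optional[str] = None


class ProxyNetworkElement:
    def __init__(self) -> None:
        self.fourth: Dict[str, Association] = {}

    def add_association(self, row: Association) -> None:
        self.fourth[row.task_id] = row

    def build_first_downlink(self, response: InnerMessage) -> Optional[TunnelMessage]:
        """S3082/S3083: choose outer source and destination by sensing task identifier."""
        row = self.fourth.get(response.task_id) if response.task_id else None
        if row is None:
            return None  # assumption: a response matching no row is dropped
        return TunnelMessage(row.proxy_addr, row.an_addr, response, response.task_id)

    def forward_second_uplink(self, uplink: TunnelMessage) -> Tuple[str, InnerMessage]:
        """S3102: forward the inner sensing data message to its own destination."""
        return uplink.inner.dst, uplink.inner


class AccessNetworkDevice:
    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.third: Dict[str, Association] = {}

    def on_sensing_request(self, task_id: str, proxy_addr: str, server_addr: str) -> None:
        """Add a row to the third association relationship."""
        self.third[task_id] = Association(task_id, proxy_addr, server_addr, self.addr)

    def should_process(self, downlink: TunnelMessage) -> bool:
        """S309: process the response only if its task identifier is known."""
        if downlink.task_id is None:
            return False
        return downlink.task_id in self.third

    def build_second_uplink(self, task_id: str, service_data: bytes) -> TunnelMessage:
        """S310: outer destination is the proxy, inner destination is the server."""
        row = self.third[task_id]
        inner = InnerMessage(self.addr, row.server_addr, service_data, task_id)
        return TunnelMessage(self.addr, row.proxy_addr, inner, task_id)


def run_demo() -> dict:
    an = AccessNetworkDevice(AN_ADDR)
    proxy = ProxyNetworkElement()
    an.on_sensing_request("task-1", PROXY_ADDR, SERVER_ADDR)
    proxy.add_association(Association("task-1", PROXY_ADDR, SERVER_ADDR, AN_ADDR))

    response = InnerMessage(SERVER_ADDR, AN_ADDR, b"establishment-response", "task-1")
    downlink = proxy.build_first_downlink(response)
    no_id = TunnelMessage(PROXY_ADDR, AN_ADDR, response, None)
    unknown = TunnelMessage(PROXY_ADDR, AN_ADDR, response, "task-9")
    uplink = an.build_second_uplink("task-1", b"service-data")
    return {
        "known": an.should_process(downlink),
        "no_id": an.should_process(no_id),
        "unknown": an.should_process(unknown),
        "uplink_outer_dst": uplink.dst,
        "forward_to": proxy.forward_second_uplink(uplink)[0],
    }


if __name__ == "__main__":
    print(run_demo())
```
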

[0413] The communication method shown in Figure 9 may include the following steps S401 to S411.

[0414] Step S401: The access network device establishes a tunnel with the proxy network element.

[0415] Step S402: The sensing network element acquires tunnel information.

[0416] For the specific implementation of steps S401 to S402, refer to the specific implementation of steps S301 to S302 in Figure 8; details are not repeated here.

[0417] Step S403: The application function network element sends the fourth sensing message to the sensing network element.

[0418] Correspondingly, the sensing network element receives the fourth sensing message from the application function network element.

[0419] The fourth sensing message is used to request that the access network device obtain service data and send a sensing data message to the sensing server. The sensing data message includes the service data corresponding to the sensing server. The fourth sensing message may also include one or more of the following: the identifier of the application function network element, external sensing requirements, and the address of the sensing server. The external sensing requirements indicate the application function network element's requirements for the requested service data, which apply when the access network device performs the sensing task. For example, external sensing requirements may include one or more of the following: sensing location accuracy, sensing speed accuracy, sensing resolution, or the duration required for sensing. As another example, external sensing requirements may include the specific sensing requirements mentioned above, such as one or more of vehicle-to-everything (V2X), drones, and smart homes. Alternatively, external sensing requirements may include other sensing requirements. When the external sensing requirements include other sensing requirements, the sensing network element or the network open function network element can convert the external sensing requirements into sensing requirements.

[0420] Optionally, the fourth sensing message may also include an E2EE security requirement indication and / or a pre-shared key (PSK) identifier. The E2EE security requirement indication instructs the access network device to send sensing data messages to the sensing server using an end-to-end secure link. The PSK identifier identifies the PSK, which is used to establish E2EE security between the access network device and the sensing server. The PSK can be pre-configured in the access network device.

[0421] In step S404, the sensing network element determines the sensing mode and assigns a sensing task identifier based on the fourth sensing message.

[0422] In this embodiment of the application, the sensing mode can be one in which the access network device acts as a sensing node (e.g., as a sensing transmitter or receiver). For example: a sensing mode in which both the transmitter and the receiver are access network device A; a sensing mode in which the transmitter is access network device A and the receiver is access network device B; a sensing mode in which the transmitter is an access network device and the receiver is a terminal device; or a sensing mode in which the transmitter is a terminal device and the receiver is an access network device.

[0423] The sensing network element determines whether to trigger the establishment of an end-to-end secure link between the access network device and the sensing server, and selects an access network device that meets E2EE capabilities. An access network device that meets E2EE capabilities is one that possesses E2EE capabilities and meets the sensing requirements. Specifically, the sensing network element can select such an access network device from an access network device list. This list may include one or more access network devices, each of which supports establishing an end-to-end secure (E2EE) link with the sensing server. The end-to-end secure link is used to send service data corresponding to the sensing server. In one possible implementation, the access network device list indicates access network devices that support establishing an E2EE link with any sensing server. In another possible implementation, the access network device list indicates access network devices that support establishing an E2EE link with one or more sensing servers. Furthermore, the access network device list indicates access network devices that support establishing E2EE links with sensing servers under specific sensing requirements, or access network devices that support establishing E2EE links with one or more sensing servers under specific sensing requirements. Specific sensing requirements can be one or more of the following: sensing accuracy requirements, sensing service types (e.g., intrusion detection, target tracking, etc.), and sensing scenarios (e.g., connected vehicles, drones, smart homes, etc.).

[0424] It should be further noted that, in this embodiment, the sensing server can be used to process the service data corresponding to the sensing server. The service data corresponding to the sensing server corresponds to the sensing service provided or requested by the sensing server. The sensing service corresponding to the sensing server can be a service that satisfies the sensing requirements in multiple aspects as shown in Figure 3 above, or it can be a service for logging the sensing processing or storing service data, etc. When the sensing service is for logging the sensing processing, the sensing server can also be called a log server; when the sensing service is for storing service data, the sensing server can also be called a data storage server. This embodiment does not limit this.

[0425] It should be further noted that, in this embodiment of the application, the end-to-end secure link between the access network device and the sensing server means that the information transmitted over this link is readable only by the sending end and the receiving end (i.e., the access network device or the sensing server). That is, only the sending end and the receiving end can apply and remove confidentiality protection on the transmitted information; the information remains confidential to all intermediate nodes that relay it between the sending end and the receiving end, which prevents unauthorized users from accessing the transmitted information.

[0426] In one possible implementation, the access network device may send its sensing-related capabilities to the sensing network element. The sensing network element can then obtain these capabilities and determine the access network device list. For example, the sensing-related capabilities of the access network device may include its E2EE capabilities. These E2EE capabilities indicate that the access network device supports establishing end-to-end secure links with any sensing server. In another possible implementation, the access network device may send its sensing-related capabilities for a specific sensing server to the sensing network element. The sensing network element can then obtain these capabilities and determine the access network device list. For example, the sensing-related capabilities of the access network device may include E2EE capabilities corresponding to one or more sensing server identifiers. These sensing-related capabilities indicate that the access network device supports establishing end-to-end secure links with the one or more sensing servers corresponding to those identifiers. Optionally, the sensing-related capabilities may also include E2EE capabilities corresponding to specific sensing requirements. That is, the access network devices in the access network device list are access network devices that support establishing E2EE links with any sensing server under specific sensing requirements, or access network devices that support establishing E2EE links with the one or more sensing servers corresponding to one or more sensing server identifiers under specific sensing requirements. In other words, this indicates that the access network device possesses the corresponding E2EE capabilities to meet specific sensing requirements. These specific sensing requirements can be one or more of the following: sensing accuracy requirements, sensing service types (e.g., intrusion detection, target tracking, etc.), and sensing scenarios (e.g., vehicle-to-everything (V2X), drones, smart homes, etc.). Furthermore, when the access network device sends its sensing-related capabilities to the sensing network element, it also carries the access network device's identifier. Accordingly, the sensing network element determines the access network device list based on the access network device's identifier and its sensing-related capabilities.

[0427] In another possible implementation, the list of access network devices can be pre-configured in the sensing network element. For example, the list of access network devices can be pre-configured in the sensing network element by the operator.

[0428] Optionally, the sensing network element determines whether to trigger the access network device to establish an end-to-end secure link with the sensing server based on the E2EE security requirement indication and / or PSK identifier in the fourth sensing message.

[0429] Step S405: The sensing network element sends a fourth sensing response message to the application function network element.

[0430] Correspondingly, the application function network element receives the fourth sensing response message sent by the sensing network element.

[0431] The fourth sensing response message includes a sensing task identifier. While the sensing task identifier assigned by the sensing network element is unique on the network side, the application function network element and the sensing server need to verify whether this sensing task identifier is unique on their respective sides. Therefore, the fourth sensing response message sent by the sensing network element to the application function network element can include the sensing task identifier. This allows the application function network element to obtain the sensing task identifier assigned by the sensing network element and to verify whether the sensing task identifier is unique on its side.

[0432] In one possible implementation, if the sensing task identifier is not unique on the application function network element side, in order to make the sensing task identifier unique on the sensing network element, application function network element, and sensing server sides, the application function network element can send a message to the sensing network element to request the sensing network element to allocate and send a new sensing task identifier, or the application function network element can allocate a new sensing task identifier and send it to the sensing network element. This application embodiment does not limit this.

[0433] Step S406: The sensing network element sends a sensing request to the access network device.

[0434] Step S407: Based on the sensing request, the access network device adds, to the third association relationship, an association among the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device.

[0435] Step S408: The access network device sends, to the proxy network element, a first uplink message whose destination address is the address of the proxy network element.

[0436] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0437] Specifically, the process of the access network device sending a first uplink message to the proxy network element with the destination address being the address of the proxy network element may include steps S4081 to S4083.

[0438] Step S4081: The access network device sends the first uplink message to the proxy network element.

[0439] Correspondingly, the proxy network element receives the first uplink message sent by the access network device.

[0440] The destination address of the first uplink message is the address of the proxy network element; therefore, the first uplink message sent by the access network device can be received by the proxy network element.

[0441] Step S4082: The proxy network element determines the fourth association relationship.

[0442] In step S4083, the proxy network element sends a security establishment request to the sensing server.

[0443] Correspondingly, the sensing server receives the security establishment request sent by the proxy network element.

[0444] Step S409: The proxy network element sends, to the access network device, a first downlink message whose source address is the address of the proxy network element.

[0445] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0446] Specifically, the process by which the proxy network element sends the access network device the first downlink message, whose source address is the address of the proxy network element, may include steps S4091 to S4093.

[0447] Step S4091: The sensing server sends a security establishment response to the proxy network element.

[0448] Correspondingly, the proxy network element receives the security establishment response sent by the sensing server.

[0449] In step S4092, the proxy network element determines the address of the proxy network element from which the first downlink message will be sent.

[0450] In step S4093, the proxy network element sends a first downlink message to the access network device with the source address being the address of the proxy network element.

[0451] Correspondingly, the access network device receives the first downlink message sent by the proxy network element.

[0452] In step S410, the access network device determines, based on the first downlink message, whether or not to process the security establishment response.

[0453] Step S411: The access network device sends a second uplink message to the proxy network element.

[0454] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0455] Specifically, the process of the access network device sending the second uplink message to the proxy network element includes steps S4111 to S4112.

[0456] Step S4111: The access network device sends a second uplink message to the proxy network element.

[0457] Correspondingly, the proxy network element receives the second uplink message sent by the access network device.

[0458] In step S4112, the proxy network element sends a sensing data message to the sensing server.

[0459] Correspondingly, the sensing server receives the sensing data message sent by the proxy network element.

[0460] For the specific implementation of steps S406 to S411, refer to that of steps S305 to S310 in Figure 8. For steps S4081 to S4083, refer to steps S3071 to S3073 in Figure 8; for steps S4091 to S4093, refer to steps S3081 to S3083 in Figure 8; and for steps S4111 to S4112, refer to steps S3101 to S3102 in Figure 8. Details are not repeated here.

[0461] The methods of the embodiments of this application have been described in detail above, and the apparatus of the embodiments of this application is provided below.

[0462] Please refer to Figure 10, which is a schematic diagram of the structure of a communication device provided in an embodiment of this application. The communication device may include a transceiver unit 1001 and a processing unit 1002. The transceiver unit 1001 may be an apparatus with signal input (receiving) or output (transmitting) capability, used to exchange signals with other network devices or with other apparatuses within the device.

[0463] The processing unit 1002 can be a device with processing capabilities, and may include one or more processors. The processor can be a general-purpose processor or a dedicated processor. The processor can be a baseband processor or a central processing unit (CPU). The baseband processor can be used to process communication protocols and communication data, while the CPU can be used to control the device (e.g., a host node, relay node, or chip), execute software programs, and process data from the software programs.

[0464] The communication device may include an access network device, a sensing network element, a proxy network element, a sensing server, an application function network element, and a session management network element, or apparatuses thereof.

[0465] When the communication device is an access network device, it includes:

[0466] The transceiver unit 1001 is used to send, to the proxy network element, a first uplink message whose destination address is the address of the proxy network element. The first uplink message includes a security establishment request whose destination address is the address of the sensing server. The security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. The end-to-end secure link is used to send the service data corresponding to the sensing server.

[0467] The transceiver unit 1001 is also used to receive a first downlink message sent by the proxy network element with the source address being the address of the proxy network element. The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server.

[0468] The processing unit 1002 is used to determine, based on the first downlink message, whether or not to process the security establishment response.

[0469] In one possible implementation, the processing unit 1002 is configured to determine not to process the security establishment response if the source address of the first downlink message is not included in the first association relationship, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of at least one proxy network element does not include the address of the proxy network element.

[0470] In one possible implementation, the processing unit 1002 is configured to determine to process the security establishment response when the first association relationship includes the source address of the first downlink message, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of at least one proxy network element includes the address of the proxy network element.

[0471] In one possible implementation, the transceiver unit 1001 is further configured to receive a sensing configuration request sent by a sensing network element, the sensing configuration request including the address of the proxy network element and the address of the sensing server.

[0472] The processing unit 1002 is further configured to determine a sensing configuration response in response to the sensing configuration request, wherein the sensing configuration response includes the address of the access network device or an existing link indication, the existing link indication indicating that an end-to-end secure link has been established between the access network device and the sensing server.

[0473] In one possible implementation, the processing unit 1002 is further configured to determine that the sensing configuration response includes the address of the access network device, and to add, to the first association relationship, an association relationship between the address of the access network device, the address of the proxy network element, and the address of the sensing server.

[0474] In one possible implementation, the sensing configuration request further includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server; the processing unit 1002 is also used to add, to the first association relationship, the association relationship between the address of the access network device, the address of the proxy network element, the address of the sensing server and the sensing task identifier.

[0475] In one possible implementation, the address of at least one sensing server in the first association does not include the address of the sensing server.

[0476] In one possible implementation, the transceiver unit 1001 is further configured to send a second uplink message to the proxy network element. The second uplink message includes a sensing data message, which includes service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on a first association relationship.

[0477] In one possible implementation, the processing unit 1002 is further configured to determine, if the address of at least one sensing server in the first association relationship includes the address of the sensing server, that the sensing configuration response includes an existing link indication.

[0478] In one possible implementation, the first downlink message includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server; the processing unit 1002 is used to determine to process the security establishment response based on the third association relationship including the sensing task identifier, wherein the third association relationship includes the association relationship between at least one sensing task identifier, the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the at least one sensing task identifier includes the sensing task identifier.

[0479] In one possible implementation, the transceiver unit 1001 is also used to receive a sensing request, which includes the address of the proxy network element, the address of the sensing server, and the sensing task identifier.

[0480] The processing unit 1002 is also used to add an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

[0481] In one possible implementation, the first uplink message includes a sensing task identifier.

[0482] In one possible implementation, the sensing task identifier is determined by the sensing network element or by the sensing server.

[0483] In one possible implementation, the transceiver unit 1001 is further configured to send a second uplink message to the proxy network element. The second uplink message includes a sensing data message, which includes service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on a third association relationship.
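The first-association variant described in paragraphs [0469] to [0477] above, as an added example that is not part of the patent text: the access network device answers a sensing configuration request with either its own address or an existing link indication, and later admits a first downlink message only if its source address is a proxy address in the first association relationship. Class and field names and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (documentation ranges), not values from the page.
AN_ADDR = "192.0.2.10"
PROXY_A = "192.0.2.1"
PROXY_B = "192.0.2.2"    # a proxy address that was never configured
SERVER_X = "203.0.113.5"
SERVER_Y = "203.0.113.6"


@dataclass(frozen=True)
class FirstAssociationRow:
    an_addr: str
    proxy_addr: str
    server_addr: str
    task_id: Optional[str] = None  # optional, as in paragraph [0474]


@dataclass(frozen=True)
class SensingConfigResponse:
    an_addr: Optional[str] = None  # set when a new link has to be established
    existing_link: bool = False    # set when a link to this server already exists


class ConfiguredAccessNetworkDevice:
    def __init__(self, addr: str) -> None:
        self.addr = addr
        self.first: List[FirstAssociationRow] = []

    def on_sensing_config_request(self, proxy_addr: str, server_addr: str,
                                  task_id: Optional[str] = None) -> SensingConfigResponse:
        """Return an existing link indication, or add a row and return our address."""
        if any(row.server_addr == server_addr for row in self.first):
            return SensingConfigResponse(existing_link=True)
        self.first.append(FirstAssociationRow(self.addr, proxy_addr, server_addr, task_id))
        return SensingConfigResponse(an_addr=self.addr)

    def should_process_downlink(self, outer_src: str) -> bool:
        """Process the security establishment response only from a known proxy address."""
        return any(row.proxy_addr == outer_src for row in self.first)

    def uplink_addresses(self, server_addr: str) -> Optional[Tuple[str, str]]:
        """(outer destination, inner destination) for the second uplink message."""
        for row in self.first:
            if row.server_addr == server_addr:
                return row.proxy_addr, row.server_addr
        return None


def run_first_association_demo() -> dict:
    an = ConfiguredAccessNetworkDevice(AN_ADDR)
    first = an.on_sensing_config_request(PROXY_A, SERVER_X)
    second = an.on_sensing_config_request(PROXY_A, SERVER_X)
    return {
        "first_response": first,
        "second_response": second,
        "rows": len(an.first),
        "from_known_proxy": an.should_process_downlink(PROXY_A),
        "from_unknown_proxy": an.should_process_downlink(PROXY_B),
        "uplink_known_server": an.uplink_addresses(SERVER_X),
        "uplink_unknown_server": an.uplink_addresses(SERVER_Y),
    }


if __name__ == "__main__":
    print(run_first_association_demo())
```
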

[0484] When the communication device is a proxy network element, it includes:

[0485] The transceiver unit 1001 is used to receive a first uplink message sent by the access network device with the destination address being the address of the proxy network element. The first uplink message includes a security establishment request with the destination address being the address of the sensing server. The security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. The end-to-end secure link is used to send the service data corresponding to the sensing server.

[0486] The transceiver unit 1001 is also used to send a first downlink message to the access network device with the source address being the address of the proxy network element. The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server.

[0487] In one possible implementation, the transceiver unit 1001 is further configured to receive a second uplink message, the second uplink message including a sensing data message, the sensing data message including service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on a first association relationship.

[0488] In one possible implementation, the processing unit 1002 is used to determine a second association relationship, which includes the association relationship between the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0489] In one possible implementation, the processing unit 1002 is further configured to delete a second association, which includes the association between the address of the sensing server and the address of the proxy network element.

[0490] In one possible implementation, the processing unit 1002 is further configured to determine a fourth association relationship after obtaining the first uplink message. The fourth association relationship includes the association relationship between the sensing task identifier, the address of the sensing server, the address of the access network device, and the address of the proxy network element.

[0491] In one possible implementation, the transceiver unit 1001 is further configured to receive a second uplink message, the second uplink message including a sensing data message, the sensing data message including service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on a third association relationship.

[0492] When the communication device is a sensing network element, it includes:

[0493] The transceiver unit 1001 is used to send a sensing configuration request to the access network device. The sensing configuration request includes the address of the proxy network element and the address of the sensing server.

[0494] In one possible implementation, the transceiver unit 1001 is further configured to respond to a channel configuration request based on the perception configuration, the channel configuration request including the address of the access network device or an indication of an existing link.

[0495] In one possible implementation, the transceiver unit 1001 is used to send a sensing request to the access network device. The sensing request includes the address of the proxy network element, the address of the sensing server, and the sensing task identifier.

[0496] Please refer to Figure 11, which is a schematic diagram of another communication device provided in an embodiment of this application. This communication device may be an access network device, a sensing network element, a proxy network element, a sensing server, an application function network element, or a session management network element, or a device thereof, used to implement the method described in the method embodiments.

[0497] As shown in Figure 11, the communication device may include a processor 111 and a storage medium 112. The processor 111 may also be called a processing unit, which can implement certain control functions. The storage medium 112 may also be called a storage unit or a memory. Instructions 114 are stored on the storage medium 112. The instructions 114 can be executed on the processor 111, causing the communication device to perform any of the methods described in Figures 6 to 9 in the embodiments of this application.

[0498] Optionally, the processor 111 may include instructions 113 that can be executed on the processor 111 to cause the communication device to perform any of the methods described in Figures 6 to 9 of the embodiments of this application.

[0499] The communication device described in the above embodiments may be a first device or a second device, but the scope of the device described in this application is not limited thereto. The communication device may be a standalone device or part of a larger device. For example, the communication device may be:

[0500] (1) An independent integrated circuit (IC), or chip, or chip system or subsystem;

[0501] (2) A collection of one or more ICs; optionally, the collection of ICs may include a storage component for storing data and/or instructions;

[0502] (3) ASIC, such as modems;

[0503] (4) Modules that can be embedded in other devices.

[0504] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, can implement the relevant processes in the communication method provided in the above-described method embodiments.

[0505] This application also provides a computer program product for storing a computer program that, when run on a computer (or processor), causes the computer to execute one or more steps of any of the aforementioned communication methods. If the constituent modules of the aforementioned devices are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.

[0506] This application provides a chip, including a processor, for calling and executing instructions stored in a memory, causing a communication device on which the chip is installed to perform any of the methods described above.

[0507] An embodiment of this application also provides another chip, including: an input interface, an output interface, and a processing circuit. The input interface, the output interface, and the processing circuit are connected via internal connection paths. The processing circuit is used to execute any of the methods described above. Optionally, the chip also includes a memory. The input interface, the output interface, the processor, and the memory are connected via internal connection paths. The processor is used to execute code in the memory. When the code is executed, the processor is used to execute any of the methods described above.

[0508] This application also provides a chip system including at least one processor and a communication interface. The communication interface and the at least one processor are interconnected via a circuit. The at least one processor is used to run computer programs or instructions to perform any of the methods described above. This chip system may be composed of chips or may include chips and other discrete devices.

[0509] This application also provides a communication system, which includes an access network device, a sensing network element, a proxy network element, a sensing server, an application function network element, and a session management network element, or a device thereof. For details, refer to the description of any of the above methods.

[0510] It should be understood that the memory mentioned in the embodiments of this application can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. Non-volatile memory can be a hard disk drive (HDD), a solid-state drive (SSD), ROM, programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. Volatile memory can be RAM, which is used as an external cache. The memory can also be any other medium capable of carrying or storing desired program code in the form of instructions or data structures and accessible by a computer, but is not limited thereto. The memory in the embodiments of this application can also be a circuit or any other device capable of implementing a storage function for storing program instructions and/or data.

[0511] It should also be understood that the processor mentioned in the embodiments of this application can be a central processing unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor can be a microprocessor, or any conventional processor, etc.

[0512] It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA, or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) is integrated into the processor.

[0513] It should be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memories.

[0514] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments provided herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0515] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0516] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment, depending on actual needs.

[0517] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0518] The steps in the methods of this application can be adjusted, combined, or deleted according to actual needs. Each step in each embodiment can be partially performed (for example, the terminal device may not perform the steps performed by the terminal device in the above embodiments). The execution order of different steps can be changed. The embodiments described herein can be combined with other embodiments, different embodiments can be combined with each other, and different steps of different embodiments herein can be combined.

[0519] The modules / units in the device of this application embodiment can be merged, divided, and deleted according to actual needs.

[0520] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places in the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments.

[0521] In this application, it may refer to a communication protocol or specification, such as the 3GPP communication protocol.

[0522] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in the embodiments of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.

[0523] In the embodiments of this application, "including" can refer to a relationship of inclusion or an equality relationship. For example, A includes B, which could mean that A includes B and may also include other content, or that A and B are the same content.

[0524] In the description of this application, unless otherwise stated, " / " indicates that the objects before and after it are in an "or" relationship. For example, A / B can mean A or B. "And / or" in this application is merely a description of the relationship between the related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, and B alone, where A and B can be singular or plural. Furthermore, in the description of this application, unless otherwise stated, "multiple" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0525] It should be understood that in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.

Claims

1. A communication system, characterized in that, The system includes access network equipment, proxy network elements, and sensing servers, wherein: The access network device is configured to send a first uplink message to the proxy network element, the destination address of which is the address of the proxy network element. The first uplink message includes a security establishment request with the destination address of the sensing server. The security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. The end-to-end secure link is used to send service data corresponding to the sensing server. The proxy network element is used to send a first downlink message with the source address of the proxy network element to the access network device. The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server. The access network device is further configured to determine, based on the first downlink message, whether to process the security establishment response or not.

2. The system according to claim 1, characterized in that, The access network device is configured to determine not to process the security establishment response if the source address of the first downlink message is not included in the first association relationship, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element does not include the address of the proxy network element.

3. The system according to claim 1, characterized in that, The access network device is configured to determine the processing of the security establishment response when the source address of the first downlink message is included in the first association relationship, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element includes the address of the proxy network element.

4. The system according to claim 3, characterized in that, The system also includes a sensing network element; The sensing network element is used to send a sensing configuration request to the access network device. The sensing configuration request includes the address of the proxy network element and the address of the sensing server. The access network device is further configured to determine a sensing configuration response in response to the sensing configuration request, wherein the sensing configuration response includes the address of the access network device or an existing link indication, the existing link indication indicating that an end-to-end secure link has been established between the access network device and the sensing server.

5. The system according to claim 4, characterized in that, The access network device is further configured to determine that the sensing configuration response includes the address of the access network device, and to add an association relationship between the address of the access network device, the address of the proxy network element, and the address of the sensing server in the first association relationship.

6. The system according to claim 5, characterized in that, The address of the at least one sensing server in the first association does not include the address of the sensing server.

7. The system according to any one of claims 3-6, characterized in that, The access network device is further configured to send a second uplink message to the proxy network element. The second uplink message includes a sensing data message, which includes the service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on the first association relationship.

8. The system according to claim 4, characterized in that, The access network device is further configured to determine, when the address of at least one sensing server in the first association relationship includes the address of the sensing server, that the sensing configuration response includes the existing link indication.

9. The system according to claim 1, characterized in that, The system also includes a sensing network element, and the first downlink message includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server. The access network device is configured to determine the processing of the security establishment response based on the sensing task identifier included in the third association relationship, wherein the third association relationship includes the association relationship between at least one sensing task identifier, the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the at least one sensing task identifier includes the sensing task identifier.

10. The system according to claim 9, characterized in that, The sensing network element is used to send a sensing request to the access network device. The sensing request includes the address of the proxy network element, the address of the sensing server, and the sensing task identifier. The access network device is further configured to add an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

11. The system according to claim 10, characterized in that, The first uplink message includes the sensing task identifier.

12. The system according to claim 11, characterized in that, The sensing task identifier is determined by the sensing network element or by the sensing server.

13. The system according to any one of claims 9-12, characterized in that, The access network device is further configured to send a second uplink message to the proxy network element. The second uplink message includes a sensing data message, which includes the service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on the third association relationship.

14. A communication method, characterized in that, The method includes: Send a first uplink message whose destination address is the address of the proxy network element. The first uplink message includes a security establishment request whose destination address is the address of the sensing server. The security establishment request is used to establish an end-to-end secure link between the access network device and the sensing server. The end-to-end secure link is used to send the service data corresponding to the sensing server. The first downlink message, whose source address is the address of the proxy network element, is received. The first downlink message includes a security establishment response in response to the security establishment request. The security establishment response is used to establish an end-to-end secure link between the access network device and the sensing server. Based on the first downlink message, determine whether to process the security establishment response or not.

15. The method according to claim 14, characterized in that, The step of determining whether to process the security establishment response or not based on the first downlink message includes: If the source address of the first downlink message is not included in the first association relationship, it is determined that the security establishment response will not be processed, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element does not include the address of the proxy network element.

16. The method according to claim 14, characterized in that, The step of determining whether to process the security establishment response or not based on the first downlink message includes: If the source address of the first downlink message is included in the first association relationship, the security establishment response is processed, wherein the first association relationship includes the association relationship between the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the address of the at least one proxy network element includes the address of the proxy network element.

17. The method according to claim 16, characterized in that, The method further includes: Receive a sensing configuration request sent by a sensing network element, the sensing configuration request including the address of the proxy network element and the address of the sensing server; Determine a sensing configuration response in response to the sensing configuration request, wherein the sensing configuration response includes the address of the access network device or an existing link indication, the existing link indication indicating that an end-to-end secure link has been established between the access network device and the sensing server.

18. The method according to claim 17, characterized in that, The determination of the sensing configuration response in response to the sensing configuration request includes: The sensing configuration response is determined to include the address of the access network device, and an association relationship is added between the address of the access network device, the address of the proxy network element, and the address of the sensing server in the first association relationship.

19. The method according to claim 18, characterized in that, The sensing configuration request further includes a sensing task identifier, which identifies the sensing service provided by the sensing network element to the sensing server. The method further includes: Add the association between the address of the access network device, the address of the proxy network element, the address of the sensing server, and the sensing task identifier in the first association relationship.

20. The method according to claim 17 or 18, characterized in that, The address of the at least one sensing server in the first association does not include the address of the sensing server.

21. The method according to any one of claims 16-20, characterized in that, The method further includes: Send a second uplink message, the second uplink message including a sensing data message, the sensing data message including the service data, the destination address of the second uplink message being the address of the proxy network element, the destination address of the sensing data message being the address of the sensing server, and the address of the proxy network element and the address of the sensing server being determined based on the first association relationship.

22. The method according to claim 17, characterized in that, The method further includes: If the address of at least one sensing server in the first association includes the address of the sensing server, it is determined that the sensing configuration response includes the existing link indication.

23. The method according to claim 14, characterized in that, The first downlink message includes a sensing task identifier, which is used to identify the sensing service provided by the sensing network element to the sensing server. The method further includes: The security establishment response is processed based on the sensing task identifier included in the third association relationship, wherein the third association relationship includes the association relationship between at least one sensing task identifier, the address of at least one proxy network element, the address of at least one sensing server, and at least one address of the access network device, and the at least one sensing task identifier includes the sensing task identifier.

24. The method according to claim 23, characterized in that, The method further includes: Receive a sensing request, the sensing request including the address of the proxy network element, the address of the sensing server, and the sensing task identifier; Add an association between the sensing task identifier, the address of the proxy network element, the address of the sensing server, and the address of the access network device in the third association relationship.

25. The method according to claim 24, characterized in that, The first uplink message includes the sensing task identifier.

26. The method according to claim 25, characterized in that, The sensing task identifier is determined by the sensing network element or by the sensing server.

27. The method according to any one of claims 23-26, characterized in that, The method further includes: A second uplink message is sent to the proxy network element. The second uplink message includes a sensing data message, which includes the service data. The destination address of the second uplink message is the address of the proxy network element, and the destination address of the sensing data message is the address of the sensing server. The address of the proxy network element and the address of the sensing server are determined based on the third association relationship.

28. A communication device, characterized in that, Includes units for performing the method as described in any one of claims 14 to 27.

29. A communication device, characterized in that, The communication device includes a processor and a storage medium storing instructions that, when executed by the processor, cause the method according to any one of claims 14 to 27 to be performed.

30. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes instructions that, when executed by a processor, cause the method according to any one of claims 14 to 27 to be implemented.
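
The access-network-device behaviour recited in claims 14 to 24 can be modelled as an association table that drives three decisions: how to answer a sensing configuration request, how to address the tunnelled uplink message, and whether to process a security establishment response. The following is an added illustration, not code from the application; the class names, the dictionary keys of the configuration response, and the sample addresses (documentation ranges) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Association:
    """One row of an association relationship held by the access network device."""
    proxy_addr: str
    server_addr: str
    an_addr: str
    task_id: Optional[str] = None  # set only in the task-keyed (third) relationship


@dataclass(frozen=True)
class Packet:
    """Hypothetical message model: outer packets carry an inner Packet as payload."""
    src: str
    dst: str
    payload: object
    task_id: Optional[str] = None


class AccessNetworkDevice:
    def __init__(self, an_addr):
        self.an_addr = an_addr
        self.first = set()  # first association relationship (claims 15-18, 21, 22)
        self.third = set()  # third association relationship (claims 23, 24, 27)

    def on_sensing_config_request(self, proxy_addr, server_addr):
        """Claims 17, 18, 22: report an existing link or register a new association."""
        if any(a.server_addr == server_addr for a in self.first):
            return {"existing_link": True}
        self.first.add(Association(proxy_addr, server_addr, self.an_addr))
        return {"an_addr": self.an_addr}

    def on_sensing_request(self, proxy_addr, server_addr, task_id):
        """Claim 24: record the association keyed by sensing task identifier."""
        self.third.add(Association(proxy_addr, server_addr, self.an_addr, task_id))

    def _lookup(self, server_addr, task_id=None):
        table = self.third if task_id is not None else self.first
        for a in table:
            if a.server_addr == server_addr and a.task_id == task_id:
                return a
        return None

    def build_uplink(self, server_addr, payload, task_id=None):
        """Claims 14, 21, 27: outer destination is the proxy, inner destination the server."""
        a = self._lookup(server_addr, task_id)
        if a is None:
            raise LookupError("no association for this sensing server")
        inner = Packet(src=self.an_addr, dst=a.server_addr, payload=payload)
        return Packet(src=self.an_addr, dst=a.proxy_addr, payload=inner, task_id=task_id)

    def should_process_response(self, downlink):
        """Claims 15, 16, 23: decide whether the security establishment response is processed."""
        if downlink.task_id is not None:
            # Task-keyed variant: the identifier must be in the third relationship.
            return any(a.task_id == downlink.task_id for a in self.third)
        # Address-keyed variant: the outer source must be an associated proxy address.
        return any(a.proxy_addr == downlink.src for a in self.first)
```

The address or task-identifier match only decides whether the response is handed on for processing; peer authentication remains the job of the secure-link handshake itself, since a source address alone can be forged.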