Communication method, and device and storage medium
By sending discovery request messages carrying capability-related information and using NRF services to select matching network elements for authentication, the incompatibility between ePDG and AUSF/UDM authentication methods is resolved, achieving seamless interoperability and session continuity between ePDG and 5G systems.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: ZTE CORP
- Filing Date: 2025-12-04
- Publication Date: 2026-07-02
AI Technical Summary
In existing UE access authentication methods, ePDG is incompatible with the AUSF/UDM authentication method, making the access authentication process complex and difficult to achieve seamless connectivity.
By sending discovery request messages carrying capability-related information, network elements matching the capabilities are selected for authentication. Network element discovery and selection are performed using NRF services, simplifying the interface and supporting access authentication based on ePDG.
It achieves seamless interoperability between ePDG and 5G systems, simplifies the access authentication process, and ensures session continuity and security for user equipment between 4G and 5G networks.
Description
Communication method, device and storage medium
Technical Field
[0001] This application relates to the field of communication technology, specifically to a communication method, device, and storage medium.
Background Technology
[0002] In the User Equipment (UE) access authentication process, the authentication method used by the UE to access the network through the evolved Packet Data Gateway (ePDG) differs from the authentication method supported by the Authentication Server Function (AUSF) / Unified Data Management (UDM) for 3GPP access, and the two authentication methods are incompatible. Therefore, how AUSF / UDM can support ePDG-based access authentication is a problem that urgently needs to be solved.
Summary of the Invention
[0003] In view of this, embodiments of this application provide a communication method, device, and storage medium that enable access authentication processes based on ePDG.
[0004] This application provides a communication method applied to a packet data gateway, including:
[0005] Send a first discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element;
[0006] Select the first network element that matches the information related to the first capability based on the received first discovery response message.
[0007] This application provides a communication method applied to a first network element, including:
[0008] Send a second discovery request message carrying at least the second capability-related information to discover the fourth network element; wherein, the second capability-related information is capability-related information supported by the fourth network element;
[0009] Select a fourth network element that matches the information related to the second capability based on the received second discovery response message.
[0010] This application provides a communication method applied to a third network element, including:
[0011] Send a third discovery request message carrying at least information related to the first capability to discover the first network element; wherein, the first capability-related information is information related to the capabilities supported by the first network element;
[0012] Based on the received third discovery response message, select the first network element that matches the information related to the first capability.
[0013] This application provides a communication method applied to a fourth network element, including:
[0014] Send a second registration request message to the fifth network element to create or update the network function configuration file of the fourth network element.
[0015] This application provides a network access device applied to a packet data gateway, comprising:
[0016] The first sending module is configured to send a first discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element;
[0017] The first selection module is configured to select a first network element that matches the information related to the first capability based on the received first discovery response message.
[0018] This application provides a network access device applied to a first network element, including:
[0019] The first sending module is configured to send a second discovery request message carrying at least second capability-related information to discover the fourth network element; wherein, the second capability-related information is capability-related information supported by the fourth network element;
[0020] The first selection module is configured to select a fourth network element that matches the information related to the second capability based on the received second discovery response message.
[0021] This application provides a network access device applied to a third network element, including:
[0022] The first sending module is configured to send a third discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element;
[0023] The first selection module is configured to select a first network element that matches the information related to the first capability based on the received third discovery response message.
[0024] This application provides a network access device applied to a fourth network element, including:
[0025] The sending module is configured to send a second registration request message to the fifth network element to create or update the network function configuration file of the fourth network element.
[0026] This application provides a communication device, including: a memory, and one or more processors;
[0027] The memory is configured to store one or more programs;
[0028] When the one or more programs are executed by the one or more processors, the one or more processors implement the method described in any of the above embodiments.
[0029] This application provides a storage medium storing a computer program, which, when executed by a processor, implements the methods described in any of the above embodiments.
Description of the Drawings
[0030] Figure 1 is a schematic diagram of a non-roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies;
[0031] Figure 2 is a schematic diagram of a local offloading roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies;
[0032] Figure 3 is a schematic diagram of a home-location routing roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies;
[0033] Figure 4 is a schematic diagram of a service-oriented interface reference architecture for the ePDG authentication process provided by related technologies;
[0034] Figure 5 is a schematic diagram of another ePDG authentication process service interface reference architecture provided by related technologies;
[0035] Figure 6 is a schematic diagram of another ePDG authentication process service interface reference architecture provided by related technologies;
[0036] Figure 7 is a flowchart of a communication method provided in an embodiment of this application;
[0037] Figure 8 is a flowchart of another communication method provided in an embodiment of this application;
[0038] Figure 9 is a flowchart of another communication method provided in an embodiment of this application;
[0039] Figure 10 is a flowchart of another communication method provided in an embodiment of this application;
[0040] Figure 11 is a flowchart illustrating the implementation of AUSF / UDM registering capability information with NRF according to an embodiment of this application;
[0041] Figure 12 is a flowchart illustrating the AUSF / UDM discovery and selection process during authentication, as provided in an embodiment of this application;
[0042] Figure 13 is a flowchart illustrating the implementation of an ePDG calling EIR service for inspection according to an embodiment of this application;
[0043] Figure 14 is a flowchart illustrating an implementation of access registration according to an embodiment of this application;
[0044] Figure 15 is a flowchart illustrating the implementation of a packet data connection establishment according to an embodiment of this application;
[0045] Figure 16 is a structural block diagram of a communication device provided in an embodiment of this application;
[0046] Figure 17 is a structural block diagram of another communication device provided in an embodiment of this application;
[0047] Figure 18 is a structural block diagram of another communication device provided in an embodiment of this application;
[0048] Figure 19 is a structural block diagram of another communication device provided in an embodiment of this application;
[0049] Figure 20 is a schematic diagram of the structure of a communication device provided in an embodiment of this application.
Detailed Implementation
[0050] The embodiments of this application will be described below with reference to the accompanying drawings. The examples given are for illustrative purposes only and are not intended to limit the scope of this application.
[0051] ePDG can be used to support Voice over Wi-Fi (VoWiFi). Figure 1 is a schematic diagram of a non-roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies. Figure 2 is a schematic diagram of a local offloading roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies. Figure 3 is a schematic diagram of a home-location routing roaming architecture for interoperability between ePDG / EPC and 5GS provided by related technologies. Currently, interoperability between ePDG / EPC and the 5G system (5GS) requires the use of a 3GPP AAA server and a Diameter-based interface. Furthermore, a 3GPP AAA proxy is also required in roaming scenarios, as shown in Figures 1, 2, and 3.
[0052] To allow the use of Service Based Interface (SBI) interfaces instead of EPC interfaces, the following approach can be adopted:
[0053] First, the N10 (SBI) interface can be used instead of the S6b (Diameter) interface.
[0054] Second, the Non-Seamless WLAN Offload (NSWO) feature has been upgraded to support 5G security mechanisms and no longer relies on the 3GPP AAA server.
[0055] Third, even for User Equipment (UE) connected via the EPC, the N7 interface can be used instead of the Gx interface. SWm, SWx, and SWd are the remaining interfaces that still require the deployment of a 3GPP AAA server / proxy.
[0056] Simplifying these interfaces and better integrating ePDG into a service-oriented architecture is a pressing issue. Figure 4 shows a reference architecture diagram of an ePDG authentication process service-oriented interface provided by related technologies; Figure 5 shows another reference architecture diagram of an ePDG authentication process service-oriented interface provided by related technologies; and Figure 6 shows yet another reference architecture diagram of an ePDG authentication process service-oriented interface provided by related technologies. As shown in Figure 4, removing the SWm, SWx, and SWd interfaces to support ePDG directly using AUSF, UDM, and Network Repository Function (NRF) is one direction.
[0057] Replacing 5G non-3GPP access gateways such as non-3GPP interworking functions (N3IWF) / trusted non-3GPP gateway functions (TNGF) with ePDG is also a solution to simplify the architecture of 5GS non-3GPP access.
[0058] The interface (S2b) between the ePDG and the Packet Data Network Gateway-Control Plane Function (PGW-C) and Session Management Function (SMF) can be further serviced, as shown in Figure 5; or, the ePDG can be co-located as a functional module of the User Plane Function (UPF), as shown in Figure 6.
[0059] Specifically, in the access authentication process, UEs currently use the EAP-AKA authentication method when accessing the network via ePDG, while AUSF / UDM currently supports EAP-AKA' and 5G AKA authentication methods for 3GPP access. EAP-AKA' is not compatible with the EAP-AKA authentication method, so how AUSF / UDM can support ePDG-based access authentication is an urgent problem to be solved.
[0060] Furthermore, in the existing architecture, the 3GPP AAA server / proxy can be responsible for checking the UE's permanent identity through the Equipment Identity Register (EIR). In an architecture without a 3GPP AAA server / proxy, how to support EIR checks is also one of the problems to be solved.
[0061] An evolved Packet Data Gateway (ePDG) is a component in the 3GPP architecture used to support interconnection between untrusted non-3GPP access networks (such as Wi-Fi or fixed broadband networks) and the 3GPP core network. Its role is to provide a secure connection between non-3GPP access networks and the Evolved Packet Core (EPC) or 5GC (5G Core), enabling User Equipment (UE) to access operator-provided services through these non-3GPP networks.
[0062] The key features of ePDG include the following five:
[0063] First, security: ePDG provides security features such as IPsec tunnels or TLS encrypted channels to ensure the security of user data when transmitted over non-3GPP access networks.
[0064] Second, authentication and authorization: it participates in the user authentication process, usually using the AKA (Authentication and Key Agreement) mechanism to verify the user's identity and establish a security association for the user.
[0065] Third, session management: ePDG is responsible for handling session management signaling from non-3GPP access points to EPC / 5GC, such as creating, maintaining and releasing bearers.
[0066] Fourth, mobility management: ePDG helps maintain session continuity and a seamless handover experience when users switch between 3GPP and non-3GPP networks.
[0067] Fifth, billing support: It can also support usage-based billing, recording the amount of data consumed by users through non-3GPP networks so that operators can calculate bills.
[0068] ePDG interoperability technology, which connects EPC (Evolved Packet Core) and 5GS (5G System), is a core technology for ensuring service continuity, mobility, and interoperability between 4G and 5G networks. This interoperability mechanism guarantees uninterrupted sessions when user equipment (UE) switches between 4G and 5G networks, and is an important component for achieving seamless connectivity.
[0069] In one embodiment, Figure 7 is a flowchart of a communication method provided by an embodiment of this application. This embodiment can be executed by a packet data gateway. Exemplarily, the packet data gateway can be an ePDG. As shown in Figure 7, this embodiment includes: S110-S120.
[0070] S110. Send a first discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element.
[0071] For example, the first network element can be an AUSF. In an embodiment, the packet data gateway can invoke the NRF service and send a first discovery request message to the NRF to discover all first network elements that match the first capability-related information.
[0072] S120. Select the first network element that matches the first capability-related information based on the received first discovery response message.
[0073] In this embodiment, the NRF returns a first discovery response message to the packet data gateway, and the first discovery response message carries the first network element query result. The packet data gateway can select the first network element that matches the first capability-related information from the first network element query result carried in the first discovery response message, thereby realizing the discovery and selection process of the first network element during the authentication process, and then enabling the packet data gateway to establish a connection with the selected first network element to facilitate subsequent authentication operations.
[0074] In one embodiment, the first capability-related information includes at least one of the following: authentication method; access technology type; access node type. Since the first capability-related information is the capability-related information supported by the first network element, the authentication method it includes is an authentication method supported by the first network element, the access technology type it includes is an access technology type supported by the first network element, and the access node type it includes is an access node type supported by the first network element. For example, the authentication method may include, but is not limited to, one of the following: Quick UDP Internet Connection (5G-AKA), Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA), Extensible Authentication Protocol-Authentication and Key Agreement Prime (EAP-AKA'), and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS); the access technology type may include, but is not limited to, one of the following: New Radio (NR), Narrowband Internet of Things (NB-IoT), untrusted 3GPP, trusted 3GPP, and wired access; the access node type may include, but is not limited to, one of the following: ePDG, N3IWF, and TNGF.
[0075] In one embodiment, the communication method applied to a packet data gateway further includes: sending an authentication request message carrying at least device identity information to a first network element. In one example, the device identity information is used to represent a number that uniquely identifies a mobile user; for example, the device identity information can be an International Mobile Subscriber Identity (IMSI). Exemplarily, the authentication request message can be a Nausf_UEAuthentication_Authenticate request message. In this embodiment, the packet data gateway can send the authentication request message to the first network element, and include the user device's device identity information in the authentication request message. In one example, the device identity information can be directly carried in the authentication request message, or it can be indirectly carried in the authentication request message, that is, the device identity information can be directly carried in EAP-Request / Identity, and EAP-Request / Identity can be directly carried in the authentication request message.
[0076] In one embodiment, the authentication request message further carries at least one of the following: access technology type and access node type. In one example, in addition to including device identity information, the authentication request message may also include access technology type and / or access node type.
[0077] In one embodiment, when the packet data gateway and the second network element are co-located, the communication method applied to the packet data gateway further includes: sending a first signaling message to the third network element, carrying at least the authentication method supported by the first network element, so that the third network element performs the first network element discovery process. For example, the second network element can be a UPF; the third network element can be an SMF. The first signaling message can be an N4 signaling message, meaning that the signaling message can transmit data through the N4 interface. The co-location of the packet data gateway and the second network element can be understood as integrating the packet data gateway into the second network element. In the case of the architecture shown in Figure 6, i.e., when the packet data gateway and the second network element are co-located, the packet data gateway / second network element can send the first signaling message to the third network element through the N4 interface, and the first signaling message includes EAP-Response / Identity carrying device identity information, as well as the authentication method supported by the first network element; then, after receiving the first signaling message, the third network element can perform the first network element discovery process based on the authentication method supported by the first network element carried in the first signaling message.
[0078] In one embodiment, the communication method applied to a packet data gateway further includes: receiving a second signaling message sent by a third network element carrying at least a first authentication request; and returning a third signaling message carrying at least a first authentication response to the third network element. In one example, both the second and third signaling messages can be N4 signaling messages, meaning that the signaling message can transmit data through the N4 interface. After the third network element completes the discovery and selection of the first network element, the third network element sends the second signaling message carrying the first authentication request to the packet data gateway, and then the packet data gateway returns a third signaling message carrying the first authentication response to the third network element. Exemplarily, the first authentication request can be an EAP-Request or an AKA-Challenge; the first authentication response can be an EAP-Response or an AKA-Challenge.
[0079] In one embodiment, the communication method applied to a packet data gateway further includes: sending a data transmission session creation request message carrying data transmission session identification information to a third network element; receiving a data transmission session creation response message carrying a data transmission session context returned by the third network element; and receiving data transmission session-related information created by the third network element. Exemplarily, the data transmission session identification information can be PDU session identification information. In one example, the packet data gateway can select a suitable third network element based on local configuration information, or search for a suitable third network element from a fifth network element. After the packet data gateway selects a suitable third network element, it can call the session creation service of the third network element to request the establishment of a data transmission session context. The packet data gateway can send the data transmission session identification information generated for the user equipment to the third network element. The third network element obtains the user equipment's subscription information, etc., from a fourth network element, generates a data transmission session context, and sends the data transmission session context in the data transmission session creation response message to the packet data gateway. Then, the third network element calls the transmission service provided by the packet data gateway to retrieve data transmission session-related information.
[0080] In one embodiment, the communication method applied to the packet data gateway further includes: sending a device authentication request message carrying device identification information associated with the user equipment to a device identifier registrar; and receiving a device authentication response message carrying the device authentication result returned by the device identifier registrar. In one example, the device identification information is used to represent a code that uniquely identifies the user equipment; for example, the device identification information can be an International Mobile Equipment Identity (IMEI). The device authentication result is used to represent whether the user equipment's device identification information is invalid or illegal. In this embodiment, the packet data gateway can call the N5g-eir_EquipmentIdentityCheck_Get service to check the user equipment's device identification information with the device identifier registrar. If it is determined that the user equipment's device identification information is invalid or illegal, the device authentication result is invalid or illegal. Then, the device identifier registrar returns a device authentication response message carrying the device authentication result to the packet data gateway, so that the packet data gateway sends a corresponding message representing the device authentication result to the user equipment based on the device authentication result.
[0081] In one embodiment, before sending a device authentication request message carrying device identification information associated with the user equipment to the device identification registrar, the communication method applied to the packet data gateway further includes: sending a first identification request message carrying a request indication of device identification information associated with the user equipment to the user equipment; and receiving a first identification response message carrying device identification information associated with the user equipment returned by the user equipment.
[0082] Correspondingly, when the device authentication result indicates a device identifier error, the communication method applied to the packet data gateway further includes: returning a first identifier request message carrying a deletion payload and indicating a device identifier error to the user equipment to release the current security association. In one example, the message types of the first identifier request message and the first identifier response message are the same. Exemplarily, the first identifier request message can be an INFORMATIONAL request message; the corresponding first identifier response message can be an INFORMATIONAL response message. The device identifier information request indication refers to a request to obtain the user equipment's device identifier information. The packet data gateway sends a first identifier request message to the user equipment, carrying a device identifier information request indication in the first identifier request message, requesting to obtain the user equipment's device identifier information based on the device identifier information request indication, and then the user equipment carries its own device identifier information in the first identifier response message and returns it to the packet data gateway. Then, the packet data gateway calls the N5g-eir_EquipmentIdentityCheck_Get service to check the device identification information from the device identification registrar. If the device authentication result is that the device identification is abnormal, the packet data gateway returns a first identification request message carrying a deletion payload and the device identification abnormality to the user equipment, requesting the user equipment to release the current security association, thereby effectively ensuring the information security of the users associated with the user equipment. In one example, the deletion payload can be a "DELETE" payload. Correspondingly, the first identification request message carrying the "DELETE" payload and the device identification abnormality can also include a notification type of "invalid or illegal identification".
[0083] In one embodiment, before sending a device authentication request message carrying device identification information associated with the user equipment to the device identification registrar, the communication method applied to the packet data gateway further includes: sending a second identification request message carrying a request indication of device identification information associated with the user equipment to the user equipment; and receiving a second identification response message carrying device identification information associated with the user equipment returned by the user equipment.
[0084] Accordingly, when the device authentication result indicates a device identifier error, the communication method applied to the packet data gateway further includes: returning a second identifier request message carrying the device identifier error to the user equipment to release the current security association. In one example, the message types of the second identifier request message and the second identifier response message are the same. For example, the second identifier request message can be an IKE_AUTH response message; the corresponding second identifier response message can be an IKE_AUTH request message. The device identifier information request indication refers to a request to obtain the user equipment's device identifier information. The packet data gateway sends a second identifier request message to the user equipment, carrying a device identifier information request indication in the second identifier request message, requesting to obtain the user equipment's device identifier information based on the device identifier information request indication, and then the user equipment carries its own device identifier information in the second identifier response message and returns it to the packet data gateway. Then, the packet data gateway calls the N5g-eir_EquipmentIdentityCheck_Get service to check the device identification information from the device identification registrar. If the device authentication result is that the device identification is abnormal, the packet data gateway returns a second identification request message carrying a payload and indicating the abnormal device identification to the user equipment, requesting the user equipment to release the current security association, thereby effectively ensuring the information security of the users associated with the user equipment. In one example, the second identification request message can also carry a notification type of "invalid or illegal identification".
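As an added example (not code from the patent), the following Python models the equipment-identity check of [0080]-[0084] on the packet data gateway side: the IMEI returned by the user equipment is validated, the EIR is queried, and a negative result produces the message that carries the DELETE payload and the "invalid or illegal identification" notification. The EIR status strings, the message dictionaries, the rule that only a blacklisted or malformed identity is treated as invalid, and the sample IMEIs are assumptions made for this example.

```python
# Constructed model of the ePDG equipment-identity check ([0080]-[0084]).
# Status strings, message layout and sample IMEIs/EIR entries are assumptions.

def imei_luhn_ok(imei):
    """A 15-digit IMEI carries a Luhn check digit; malformed values never reach the EIR."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        digit = int(ch)
        if pos % 2 == 1:                      # every second digit from the right is doubled
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


class Eir:
    """Constructed EIR: maps an IMEI to a status; unknown equipment is treated as
    WHITELISTED (assumption for this example)."""

    def __init__(self, entries):
        self._entries = dict(entries)

    def equipment_identity_check_get(self, pei):
        """Stands in for the N5g-eir_EquipmentIdentityCheck_Get service call."""
        return {"status": self._entries.get(pei, "WHITELISTED")}


def epdg_equipment_check(eir, imei_from_ue, exchange="INFORMATIONAL"):
    """Run after the UE returned its IMEI in the identification response.
    exchange selects the message pair of [0082] (INFORMATIONAL) or [0084] (IKE_AUTH).
    Returns (action, message_to_ue); message_to_ue is None when authentication continues."""
    if exchange == "INFORMATIONAL":
        msg_type = "INFORMATIONAL request"
    elif exchange == "IKE_AUTH":
        msg_type = "IKE_AUTH response"
    else:
        raise ValueError("unknown exchange")

    if not imei_luhn_ok(imei_from_ue):
        result = "malformed"
    else:
        result = eir.equipment_identity_check_get(imei_from_ue)["status"]

    # Assumption: BLACKLISTED or a malformed identity counts as "invalid or illegal";
    # GREYLISTED lets authentication continue but is reported to the caller for logging.
    if result in ("BLACKLISTED", "malformed"):
        release = {
            "type": msg_type,
            "payloads": ["DELETE"],          # tells the UE to release the current SA
            "notify": "invalid or illegal identification",
        }
        return "release_sa", release
    return ("continue_greylisted" if result == "GREYLISTED" else "continue"), None


# Constructed EIR content: both IMEIs have a valid Luhn check digit.
SAMPLE_EIR = Eir({
    "356938035643809": "BLACKLISTED",   # constructed: reported stolen
    "490154203237518": "GREYLISTED",    # constructed: under observation
})

if __name__ == "__main__":
    for imei in ("356938035643809", "490154203237518", "012345678901237", "123456789012345"):
        print(imei, epdg_equipment_check(SAMPLE_EIR, imei))
```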
[0085] In one embodiment, Figure 8 is a flowchart of another communication method provided by an embodiment of this application. This embodiment can be executed by a first network element. Exemplarily, the first network element can be an AUSF. As shown in Figure 8, this embodiment includes: S210-S220.
[0086] S210. Send a second discovery request message carrying at least the second capability-related information to discover the fourth network element; wherein, the second capability-related information is capability-related information supported by the fourth network element.
[0087] For example, the fourth network element can be a UDM. In an embodiment, the first network element can invoke the NRF service and send a second discovery request message to the NRF to discover all fourth network elements that match the second capability-related information. For example, the second discovery request message can be an Nnrf_NFDiscovery_Request message.
[0088] S220. Select the fourth network element that matches the information related to the second capability based on the received second discovery response message.
[0089] For example, the second discovery response message is an Nnrf_NFDiscovery_Response message. In this embodiment, the NRF returns the second discovery response message to the first network element, and this second discovery response message carries the query result of the fourth network element. The first network element can select a fourth network element that matches the second capability-related information from the query result of the fourth network element carried in the second discovery response message, thus realizing the discovery and selection process of the fourth network element during the authentication process. This enables the first network element to establish a connection with the selected fourth network element, so as to facilitate subsequent authentication process-related operations. For example, the authentication process-related operation can be the operation of the first network element obtaining authentication vector information from the fourth network element.
[0090] In one embodiment, the second capability-related information includes at least one of the following: authentication method; access technology type; access node type. Here, the second capability-related information is capability-related information supported by the fourth network element; correspondingly, the authentication method it contains is an authentication method supported by the fourth network element, the access technology type it contains is an access technology type supported by the fourth network element, and the access node type it contains is an access node type supported by the fourth network element. For example, the authentication method may include, but is not limited to, one or more of the following: Quick UDP Internet Connection, 5G-AKA, EAP-AKA, EAP-AKA', EAP-TLS, etc.; the access technology type may include, but is not limited to, one or more of the following: NR, NB_IOT, untrusted non-3GPP, trusted non-3GPP, and wired access; the access node type may include, but is not limited to, one or more of the following: ePDG, N3IWF, and TNGF.
[0091] In one embodiment, the communication method applied to the first network element further includes: sending a first registration request message to a fifth network element to create or update the network function configuration file (the NF profile) of the first network element. In one example, the first registration request message is the message with which the first network element registers with the fifth network element. Exemplarily, the fifth network element can be an NRF. Exemplarily, the first registration request message can be an Nnrf_NFManagement_NFRegister request message. In this embodiment, the first network element sends the first registration request message to the fifth network element to register its own configuration parameters and the capability-related information it supports, thereby creating or updating the network function configuration file of the first network element in the fifth network element.
[0092] In one embodiment, the first registration request message includes at least one of the following: an authentication method supported by the first network element; an access technology type; and an access node type. In one example, the first registration request message may carry configuration parameters and capability-related information that the first network element can support, such as the authentication method, access technology type, and access node type supported by the first network element. It should be noted that the explanations of the authentication method, access technology type, and access node type supported by the first network element can be found in the descriptions of the above embodiments, and will not be repeated here.
[0093] In one embodiment, FIG9 is a flowchart of another communication method provided by an embodiment of this application. This embodiment can be executed by a third network element. Exemplarily, the third network element can be an SMF. As shown in FIG9, this embodiment includes: S310-S320.
[0094] S310. Send a third discovery request message carrying at least the first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element.
[0095] S320. Select the first network element that matches the first capability-related information based on the received third discovery response message.
[0096] It should be noted that the process of the third network element discovering and selecting the first network element is similar to the process of the packet data gateway discovering and selecting the first network element described above, and will not be repeated here. It should also be noted that the message type of the third discovery request message and the first discovery request message are the same, as are the message types of the third discovery response message and the first discovery response message. In one example, the third discovery request message and the first discovery request message can be the same message, and the third discovery response message and the first discovery response message can be the same message.
[0097] In one embodiment, the communication method applied to a third network element further includes: sending an authentication request message carrying at least a first authentication response to a first network element; and receiving an authentication response message carrying at least the first authentication request returned by the first network element. In this embodiment, after the third network element discovers and selects the first network element, the third network element can send an authentication request message carrying the first authentication response to the first network element and receive an authentication response message carrying at least the first authentication request returned by the first network element. Exemplarily, the authentication request message can be a Nausf_UEAuthentication_Authenticate request message; the authentication response message can be a Nausf_UEAuthentication_Authenticate response message.
[0098] In one embodiment, the communication method applied to the third network element further includes: receiving a data transmission session creation request message carrying data transmission session identification information sent by the packet data gateway; returning a data transmission session creation response message carrying a data transmission session context to the packet data gateway; and sending the created data transmission session-related information to the packet data gateway. Exemplarily, the data transmission session identification information can be PDU session identification information. In one example, the packet data gateway can select a suitable third network element based on local configuration information, or discover a suitable third network element via the fifth network element. After the packet data gateway selects a suitable third network element, it can call the session creation service of the third network element to request the establishment of a data transmission session context. The packet data gateway can send the data transmission session identification information generated for the user equipment to the third network element. The third network element obtains the user equipment's subscription information, etc., from the fourth network element, generates a data transmission session context, and sends the data transmission session context in the data transmission session creation response message to the packet data gateway. Then, the third network element calls the transmission service provided by the packet data gateway to deliver the data transmission session-related information.
[0099] In one embodiment, FIG10 is a flowchart of another communication method provided by an embodiment of this application. This embodiment can be executed by a fourth network element. Exemplarily, the fourth network element can be a UDM. As shown in FIG10, this embodiment includes: S410.
[0100] S410, Send a second registration request message to the fifth network element to create or update the network function configuration file of the fourth network element.
[0101] In one example, the second registration request message is the message with which the fourth network element registers with the fifth network element. Exemplarily, the fifth network element can be an NRF (Network Repository Function). Exemplarily, the second registration request message can be an Nnrf_NFManagement_NFRegister request message. In an embodiment, the fourth network element sends the second registration request message to the fifth network element to register its own configuration parameters and supported capability-related information, thereby creating or updating the network function configuration file of the fourth network element in the fifth network element.
[0102] In one embodiment, the second registration request message includes at least one of the following: the authentication method supported by the fourth network element; the access technology type; and the access node type. In one example, the second registration request message may carry configuration parameters and capability-related information that the fourth network element can support, such as the authentication method, access technology type, and access node type supported by the fourth network element.
[0103] In the following five embodiments, taking the packet data gateway as ePDG; the first network element as AUSF; the second network element as UPF; the third network element as SMF; the fourth network element as UDM; the fifth network element as NRF; and the device identifier registrar as EIR as an example, the process of the packet data gateway accessing the core network will be described.
[0104] Example 1
[0105] Figure 11 is a flowchart illustrating the implementation of AUSF / UDM registering capability information with NRF according to an embodiment of this application. This embodiment describes the process of AUSF / UDM registering configuration information containing capability information with NRF. In this embodiment, both the first registration request message and the second registration request message are Nnrf_NFManagement_NFRegister request messages. As shown in Figure 11, the process includes the following steps:
[0106] S501: The AUSF / UDM instance sends an Nnrf_NFManagement_NFRegister request message to the NRF to notify the NRF of its configuration file.
[0107] In one example, when the AUSF registers with the NRF, the configuration file may contain at least one of the following AUSF-supported items: authentication method information, such as 5G-AKA, EAP-AKA, EAP-AKA' and other possible authentication methods such as EAP-TLS; access technology type; access node type.
[0108] In one example, when the UDM registers with the NRF, the configuration file may contain at least one of the following UDM-supported items: authentication method information associated with the authentication data, such as 5G-AKA, EAP-AKA, EAP-AKA' and other possible authentication methods such as EAP-TLS; access technology type; access node type.
[0109] S502: NRF stores AUSF / UDM configuration files and marks the corresponding AUSF / UDM as available.
[0110] S503: NRF returns the Nnrf_NFManagement_NFRegister response message.
[0111] Through S503, the NRF acknowledges that the AUSF / UDM registration has been accepted via the Nnrf_NFManagement_NFRegister response message.
[0112] Example 2
[0113] Figure 12 is a flowchart illustrating the AUSF / UDM discovery and selection process during authentication, as provided in an embodiment of this application. This embodiment describes the AUSF / UDM discovery and selection process during authentication. In this embodiment, the authentication request message can be a Nausf_UEAuthentication_Authenticate request message, the second discovery request message is an Nnrf_NFDiscovery_Request message, and the second discovery response message is an Nnrf_NFDiscovery_Response message. As shown in Figure 12, the process includes the following steps:
[0114] S601: The UE and the ePDG perform the Internet Key Exchange Security Association Initialization (IKE_SA_INIT) exchange.
[0115] S602: The UE sends an Internet Key Exchange Authentication (IKE_AUTH) request message to the ePDG.
[0116] The IKE_AUTH request message includes information such as the UE's identity and begins negotiating sub-security associations.
[0117] S603: The ePDG sends an Nnrf_NFDiscovery_Request message to the NRF.
[0118] In an embodiment, the ePDG calls the NRF service to send the Nnrf_NFDiscovery_Request message. The message may contain at least one of the following items that the AUSF being queried must support: authentication method information (such as EAP-AKA); access technology type; access node type.
[0119] S604. Return the Nnrf_NFDiscovery_Response message to ePDG.
[0120] In this embodiment, the NRF returns the AUSF query result to the ePDG in an Nnrf_NFDiscovery_Response message, from which the ePDG selects the appropriate AUSF.
[0121] S605: The ePDG sends a Nausf_UEAuthentication_Authenticate request message to the AUSF.
[0122] The Nausf_UEAuthentication_Authenticate request message contains UE identity information (it can directly contain UE identity information, or it can be included in EAP-Request / Identity), and it can also contain access technology type and / or access node type.
[0123] S606: The AUSF sends an Nnrf_NFDiscovery_Request message to the NRF.
[0124] The AUSF invokes the NRF service to send the Nnrf_NFDiscovery_Request message. The message may contain at least one of the following items that the UDM being queried must support: authentication method information (such as EAP-AKA); access technology type; access node type.
[0125] S607: The NRF returns the Nnrf_NFDiscovery_Response message to the AUSF.
[0126] In this embodiment, the NRF returns the UDM query result to the AUSF in the Nnrf_NFDiscovery_Response message, from which the AUSF selects a suitable UDM. (If the AUSF and UDM are co-located, or the AUSF has the relevant UDM information configured locally, steps S606-S607 are skipped.)
[0127] S608, AUSF sends a Nudm_UEAuthentication_Get request message to UDM.
[0128] The Nudm_UEAuthentication_Get request message contains UE identity information and may also contain at least one of the following: the authentication method requested (such as EAP-AKA); the access technology type; and the access node type.
[0129] S609, UDM determines the authentication method and generates the corresponding authentication vector based on the received Nudm_UEAuthentication_Get request information.
[0130] S610: The UDM sends the authentication vector to the AUSF together with an indication that the vector is to be applied to the EAP-AKA authentication method.
[0131] S611-S617: The UE and the network complete the subsequent EAP-AKA authentication process.
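The registration and capability-filtered discovery described in paragraphs [0086]-[0092] and [0100]-[0102] and walked through in Examples 1 and 2 can be modelled end to end. The following Python is an added example, not code from the patent or from ZTE: the NRF is an in-memory stand-in for the HTTP-based Nnrf services, the attribute names used for the three capability fields (auth_methods, access_tech_types, access_node_types) and the consumer-authorization table are assumptions of this example, and all NF instance data is constructed. It shows the ePDG being routed to the only AUSF that advertises EAP-AKA over untrusted non-3GPP access via an ePDG, the AUSF's UDM discovery filtered the same way, and discovery failing closed when no instance matches or the requester is not authorized for the target NF type.

```python
"""Capability-aware NF registration and discovery (Examples 1 and 2), modelled in memory.

Added example; not the patent's or ZTE's code. Field names for the capability
information and the consumer-authorization table are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NFProfile:
    """Subset of an NF profile as registered with the NRF (Nnrf_NFManagement_NFRegister)."""
    nf_instance_id: str
    nf_type: str                 # "AUSF" or "UDM"
    auth_methods: frozenset      # e.g. {"5G-AKA", "EAP-AKA", "EAP-AKA'"}   (assumed field)
    access_tech_types: frozenset # e.g. {"NR", "UNTRUSTED_NON_3GPP"}        (assumed field)
    access_node_types: frozenset # e.g. {"EPDG", "N3IWF", "TNGF"}           (assumed field)


class NRF:
    """In-memory stand-in for the Network Repository Function."""

    # Assumed authorization policy: which consumer NF types may discover which
    # producer type. A real NRF enforces this from local policy / OAuth2 scopes;
    # adding capability filters to discovery does not remove that check.
    ALLOWED_REQUESTERS = {
        "AUSF": {"EPDG", "AMF", "SMF"},
        "UDM": {"AUSF", "AMF", "SMF"},
    }

    def __init__(self) -> None:
        self._profiles: dict[str, NFProfile] = {}
        self._status: dict[str, str] = {}

    def nf_register(self, profile: NFProfile) -> dict:
        """S501-S503: store the profile and mark the instance available."""
        if not (profile.auth_methods or profile.access_tech_types or profile.access_node_types):
            raise ValueError("profile carries no capability-related information")
        self._profiles[profile.nf_instance_id] = profile
        self._status[profile.nf_instance_id] = "REGISTERED"
        return {"nfInstanceId": profile.nf_instance_id, "nfStatus": "REGISTERED"}

    def nf_discovery(self, requester_nf_type: str, target_nf_type: str,
                     auth_method: Optional[str] = None,
                     access_tech_type: Optional[str] = None,
                     access_node_type: Optional[str] = None) -> list[NFProfile]:
        """S603-S604 / S606-S607: return every registered instance of target_nf_type
        that supports all capability values given. A filter left as None is not
        applied, mirroring "at least one of" in the patent text."""
        if requester_nf_type not in self.ALLOWED_REQUESTERS.get(target_nf_type, set()):
            raise PermissionError(f"{requester_nf_type} may not discover {target_nf_type}")
        matches = []
        for p in self._profiles.values():
            if p.nf_type != target_nf_type or self._status[p.nf_instance_id] != "REGISTERED":
                continue
            if auth_method is not None and auth_method not in p.auth_methods:
                continue
            if access_tech_type is not None and access_tech_type not in p.access_tech_types:
                continue
            if access_node_type is not None and access_node_type not in p.access_node_types:
                continue
            matches.append(p)
        return matches


def select_nf(candidates: list[NFProfile]) -> NFProfile:
    """Consumer-side selection from the discovery result; fails closed when empty."""
    if not candidates:
        raise LookupError("no NF instance matches the requested capabilities")
    return min(candidates, key=lambda p: p.nf_instance_id)


def build_nrf() -> NRF:
    """Example 1 with constructed data: two AUSFs and two UDMs register their capabilities."""
    nrf = NRF()
    nrf.nf_register(NFProfile("ausf-1", "AUSF", frozenset({"5G-AKA"}),
                              frozenset({"NR"}), frozenset()))
    nrf.nf_register(NFProfile("ausf-2", "AUSF", frozenset({"5G-AKA", "EAP-AKA", "EAP-AKA'"}),
                              frozenset({"NR", "UNTRUSTED_NON_3GPP"}), frozenset({"EPDG", "N3IWF"})))
    nrf.nf_register(NFProfile("udm-1", "UDM", frozenset({"5G-AKA", "EAP-AKA'"}),
                              frozenset({"NR"}), frozenset()))
    nrf.nf_register(NFProfile("udm-2", "UDM", frozenset({"5G-AKA", "EAP-AKA", "EAP-AKA'"}),
                              frozenset({"NR", "UNTRUSTED_NON_3GPP"}), frozenset({"EPDG"})))
    return nrf


def epdg_authentication_path(nrf: NRF) -> dict:
    """Example 2, S603-S607: the ePDG discovers an AUSF, then that AUSF discovers a UDM."""
    query = dict(auth_method="EAP-AKA", access_tech_type="UNTRUSTED_NON_3GPP",
                 access_node_type="EPDG")
    ausf = select_nf(nrf.nf_discovery("EPDG", "AUSF", **query))
    udm = select_nf(nrf.nf_discovery("AUSF", "UDM", **query))
    return {"ausf": ausf.nf_instance_id, "udm": udm.nf_instance_id}


if __name__ == "__main__":
    print(epdg_authentication_path(build_nrf()))
```

In a deployment the same query travels as an Nnrf_NFDiscovery GET with target-nf-type and requester-nf-type parameters, and the capability attributes would be additional profile fields and query filters. The point the example makes beyond the flowcharts is operational: because the ePDG, an EPC node, is now a consumer of Nnrf and Nausf services, its NF type must be enrolled in the NRF's authorization policy and service-access tokens like any 5GC consumer, and a discovery that matches nothing must end the authentication attempt rather than fall back to an AUSF that never advertised EAP-AKA support.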
[0132] Example 3
[0133] Figure 13 is a flowchart illustrating the implementation of an ePDG calling the EIR service for inspection, as provided in an embodiment of this application. In this embodiment, taking the first identifier request message as an INFORMATIONAL request message and the corresponding first identifier response message as an INFORMATIONAL response message, and the second identifier request message as an IKE_AUTH response message and the corresponding second identifier response message as an IKE_AUTH request message as examples, the process of ePDG supporting EIR inspection is explained. ePDG can inspect the UE's device identification information (e.g., permanent device identifier) by calling the EIR service, according to relevant regulations.
[0134] S701a: The ePDG requests the permanent device identifier of the UE in an INFORMATIONAL request message.
[0135] S702a: The ePDG requests the permanent device identifier of the UE in the IKE_AUTH response message.
[0136] S701b: The UE returns a permanent device identifier to the ePDG in the corresponding INFORMATIONAL response message.
[0137] S702b: The UE returns a permanent device identifier to the ePDG in the corresponding IKE_AUTH request message.
[0138] S703: ePDG calls the N5g-eir_EquipmentIdentityCheck_Get service to perform a Permanent Equipment Identifier (PEI) check on the UE from the EIR.
[0139] S704a: Release the current IKE SA in the INFORMATIONAL request message.
[0140] If the EIR check result indicates that the UE's permanent device identifier is invalid / illegal, the ePDG sends an INFORMATIONAL request message to the UE containing a DELETE payload to release the current IKE SA, and includes a notification of type "invalid or illegal permanent identifier".
[0141] S704b: Release the current IKE SA in the IKE_AUTH response message.
[0142] If the EIR check result indicates that the UE's permanent identifier is invalid / illegal, the ePDG sends an IKE_AUTH response message containing a DELETE payload to the UE, which includes a notification type of "invalid or illegal permanent identifier" to release the current IKE SA.
[0143] In one example, S701a, S701b, S703, and S704a constitute one implementation process of ePDG calling EIR service for inspection; S702a, S702b, S703, and S704b constitute another implementation process of ePDG calling EIR service for inspection.
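The EIR check of Example 3 can be written as the ePDG's decision routine. The following Python is an added example and not the patent's or ZTE's code: the EIR is a constructed stand-in (no N5g-eir interface is contacted), the IKEv2 payload type numbers follow RFC 7296, the IMEI and IMEISV forms of the PEI follow 3GPP TS 29.571, the status values follow TS 29.511, and the numeric notify type for "invalid or illegal permanent identifier" is an assumption, since the patent names that notification only by its meaning. It shows the two things a practitioner wants at this step: the PEI is validated syntactically (length, digits, IMEI Luhn check digit) before it is sent to the EIR, and a missing, malformed, blacklisted or unrecognised-status result all end in the same DELETE-plus-notify release of the IKE SA, whichever carrier exchange (INFORMATIONAL or IKE_AUTH) is in use.

```python
"""ePDG-side PEI validation and EIR check (Example 3, S701-S704).

Added example; not the patent's or ZTE's code. The EIR below is a constructed stand-in.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# IKEv2 payload type numbers (RFC 7296 section 3.2) and the Protocol ID that
# names the IKE SA itself inside a Delete payload (section 3.11).
PAYLOAD_NOTIFY = 41
PAYLOAD_DELETE = 42
PROTO_IKE = 1
# The patent names the notification only as "invalid or illegal permanent
# identifier"; this numeric notify type is an assumption of the example, taken
# from the private-use error range (8192-16383) of RFC 7296 section 3.10.1.
NOTIFY_INVALID_OR_ILLEGAL_PEI = 8192

# Result values of N5g-eir_EquipmentIdentityCheck_Get (TS 29.511, EirResponseData.status).
EIR_WHITELISTED = "WHITELISTED"
EIR_BLACKLISTED = "BLACKLISTED"
EIR_GREYLISTED = "GREYLISTED"


def luhn_ok(digits: str) -> bool:
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pei_well_formed(pei: str) -> bool:
    """Syntactic check applied before the identifier is sent anywhere.

    Accepts the IMEI and IMEISV forms of the 5GC PEI type: "imei-" + 15 digits
    and "imeisv-" + 16 digits. The IMEI check digit is verified with Luhn;
    IMEISV carries a software version in place of a check digit.
    """
    if pei.startswith("imei-"):
        body = pei[len("imei-"):]
        return len(body) == 15 and body.isdigit() and luhn_ok(body)
    if pei.startswith("imeisv-"):
        body = pei[len("imeisv-"):]
        return len(body) == 16 and body.isdigit()
    return False


@dataclass
class Payload:
    type: int
    fields: dict


def release_payloads() -> list[Payload]:
    """Payloads carried in the INFORMATIONAL request (S704a) or IKE_AUTH response (S704b).

    A Delete payload with Protocol ID IKE, SPI size 0 and no SPIs deletes the
    IKE SA itself; the Notify payload tells the UE why.
    """
    return [
        Payload(PAYLOAD_DELETE, {"protocol_id": PROTO_IKE, "spi_size": 0, "num_spi": 0}),
        Payload(PAYLOAD_NOTIFY, {"protocol_id": 0, "spi_size": 0,
                                 "notify_type": NOTIFY_INVALID_OR_ILLEGAL_PEI}),
    ]


def epdg_equipment_check(pei: Optional[str],
                         eir_get: Callable[[str], str]) -> tuple[str, list[Payload]]:
    """S701-S704 as one decision: keep the IKE SA or release it.

    Returns ("continue", []) if the device may go on to authentication, or
    ("release", payloads) if the ePDG must tear the IKE SA down. A missing or
    malformed PEI is treated like an illegal one, so the EIR is never queried
    with unvalidated input and no device is admitted on an absent answer.
    """
    if pei is None or not pei_well_formed(pei):
        return "release", release_payloads()
    status = eir_get(pei)                    # S703: N5g-eir_EquipmentIdentityCheck_Get
    if status in (EIR_WHITELISTED, EIR_GREYLISTED):
        return "continue", []                # greylisted devices are admitted but should be logged
    # BLACKLISTED, or any value this code does not recognise (error, timeout): fail closed.
    return "release", release_payloads()


# Constructed EIR stand-in for the example; no equipment register is contacted.
_BLACKLISTED_PEIS = {"imei-490154203237518"}


def mock_eir_get(pei: str) -> str:
    return EIR_BLACKLISTED if pei in _BLACKLISTED_PEIS else EIR_WHITELISTED


if __name__ == "__main__":
    for candidate in ("imei-352099001761481", "imei-490154203237518",
                      "imei-490154203237519", None):
        verdict, _ = epdg_equipment_check(candidate, mock_eir_get)
        print(candidate, "->", verdict)
```

The carrier exchange does not change the decision: in the S701/S704a variant the release payloads go into an INFORMATIONAL request, in the S702/S704b variant into the IKE_AUTH response. Because the IKE SA has already been set up by IKE_SA_INIT when the PEI is requested, the PEI itself is confidentiality protected on the wire, but it is still UE-asserted input, which is why the syntactic check runs before the EIR query and why an EIR error is not treated as a pass.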
[0144] Example 4
[0145] Figure 14 is a flowchart illustrating an access registration implementation according to an embodiment of this application. This embodiment is an access registration process implemented on the architecture shown in Figure 6 above. When the ePDG and UPF are co-located, the authentication information flows along the path: ePDG / UPF --(N4)--> SMF --(N10)--> AUSF. The first signaling message, the second signaling message, and the third signaling message are all N4 signaling messages. As shown in Figure 14, the access registration process in this embodiment includes the following steps:
[0146] S801, UE and ePDG interact via IKE_SA_INIT.
[0147] S802, the UE sends an IKE_AUTH request message to the ePDG.
[0148] The IKE_AUTH request message includes information such as the UE's identity and begins negotiating sub-security associations.
[0149] S803: Send N4 signaling message.
[0150] In this embodiment, the ePDG / UPF sends an EAP message containing UE identity information to the SMF via the N4 interface signaling message, and may also include authentication method information.
[0151] S804: The SMF calls the NRF service to send a request containing the authentication method information supported by the AUSF to be queried (such as EAP-AKA). The NRF returns the AUSF query results to the SMF, and the SMF selects the appropriate AUSF from them.
[0152] S805-S814: The network and the UE complete the subsequent EAP-AKA access authentication process. In step 413, the SMF can send information such as the Packet Data Network (PDN) address and Access Point Name (APN) assigned to the UE to the ePDG / UPF.
[0153] S815-S816: The ePDG sends the PDN IP address, APN information, etc. to the UE in the IKEv2 configuration payload of the IKE_AUTH response message.
[0154] Example 5
[0155] Figure 15 is a flowchart illustrating the implementation of packet data connection establishment according to an embodiment of this application. This embodiment is implemented based on the architecture shown in Figure 5. In this embodiment, the data transmission session creation request message is an Nsmf_PDUSession_CreateSMContext Request message, and the data transmission session creation response message is an Nsmf_PDUSession_CreateSMContext Response message. After the UE performs the access authentication procedure through the ePDG, it initiates the packet data connection establishment procedure. The SMF registers its ability to support ePDG interaction with the NRF.
[0156] S901, UE sends authentication parameters and other information to ePDG.
[0157] S902, Send the Nsmf_PDUSession_CreateSMContext Request message to SMF.
[0158] S903: Obtain or update the subscription information.
[0159] S904. Send the Nsmf_PDUSession_CreateSMContext Response message to the ePDG.
[0160] S905: N4 session establishment.
[0161] The ePDG can select a suitable SMF based on local configuration information or search for a suitable SMF from the NRF. After selecting a suitable SMF, the ePDG calls the SMF session creation service request to establish a session context. The ePDG can send the PDU session identification information generated for the UE to the SMF. The SMF obtains the UE's subscription information from the UDM, generates a session context, and sends a session service response message to the ePDG. The SMF initiates the corresponding N4 session establishment procedure to the UPF.
[0162] S906: SMF calls the transport service provided by ePDG to send the session-related information created to ePDG.
[0163] S907: ePDG sends an IKE_AUTH response message to the UE, and the packet data connection is established.
[0164] In one embodiment, FIG16 is a structural block diagram of a communication device provided in an embodiment of this application. This embodiment is applied to a packet data gateway. As shown in FIG16, the communication device in this embodiment includes: a first sending module 1010 and a first selection module 1020.
[0165] The first sending module 1010 is configured to send a first discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element;
[0166] The first selection module 1020 is configured to select a first network element that matches the first capability-related information based on the received first discovery response message.
[0167] In one embodiment, the first capability-related information includes at least one of the following: authentication method; access technology type; access node type.
[0168] In one embodiment, the communication device applied to the packet data gateway further includes:
[0169] The second sending module is configured to send an authentication request message carrying at least device identity information to the first network element.
[0170] In one embodiment, the authentication request message also carries at least one of the following: access technology type and access node type.
[0171] In one embodiment, when the packet data gateway and the second network element are co-located, the communication device applied to the packet data gateway further includes:
[0172] The third sending module is configured to send a first signaling message to the third network element, carrying at least the authentication method supported by the first network element, so that the third network element can perform the first network element discovery process.
[0173] In one embodiment, the communication device applied to the packet data gateway further includes:
[0174] The first receiving module is configured to receive a second signaling message sent by a third network element, which carries at least a first authentication request;
[0175] The fourth sending module is configured to return a third signaling message to the third network element, which carries at least the first authentication response.
[0176] In one embodiment, the communication device applied to the packet data gateway further includes:
[0177] The fifth sending module is configured to send a data transmission session creation request message carrying data transmission session identifier information to the third network element;
[0178] The second receiving module is configured to receive a data transmission session creation response message carrying the data transmission session context returned by the third network element;
[0179] The third receiving module is configured to receive information related to the data transmission session created by the third network element.
[0180] In one embodiment, the communication device applied to the packet data gateway further includes:
[0181] The fifth sending module is configured to send a device authentication request message carrying the device identifier information associated with the user device to the device identifier registrar;
[0182] The fourth receiving module is configured to receive a device authentication response message carrying the device authentication result returned by the device identifier registrar.
[0183] In one embodiment, before sending a device authentication request message carrying device identification information associated with the user equipment to the device identifier registrar, the communication device applied to the packet data gateway further includes:
[0184] The sixth sending module is configured to send a first identification request message to the user equipment, carrying an indication of a request for device identification information associated with the user equipment;
[0185] The fifth receiving module is configured to receive a first identification response message returned by the user equipment, which carries the device identification information associated with the user equipment;
[0186] Accordingly, when the device authentication result indicates an abnormal device identifier, the communication device applied to the packet data gateway also includes:
[0187] The first release module is configured to return a first identification request message to the user equipment, carrying a DELETE payload and an indication that the device identifier is abnormal, in order to release the current security association.
[0188] In one embodiment, before sending a device authentication request message carrying device identification information associated with the user equipment to the device identifier registrar, the communication device applied to the packet data gateway further includes:
[0189] The seventh sending module is configured to send a second identification request message to the user equipment, carrying an indication of a request for device identification information associated with the user equipment;
[0190] The sixth receiving module is configured to receive a second identification response message returned by the user equipment, which carries at least the device identification information related to the user equipment;
[0191] Accordingly, when the device authentication result indicates an abnormal device identifier, the communication device applied to the packet data gateway also includes:
[0192] The second release module is configured to return a second identification request message to the user equipment, carrying an indication that the device identifier is abnormal, in order to release the current security association.
[0193] The communication device provided in this embodiment is configured to implement the communication method applied to the packet data gateway in the embodiment shown in FIG7. The implementation principle and technical effect of the communication device provided in this embodiment are similar, and will not be described again here.
[0194] In one embodiment, FIG17 is a structural block diagram of another communication device provided in an embodiment of this application. This embodiment is applied to a first network element. As shown in FIG17, the communication device in this embodiment includes: a first sending module 1110 and a first selection module 1120.
[0195] The first sending module 1110 is configured to send a second discovery request message carrying at least second capability-related information to discover the fourth network element; wherein, the second capability-related information is capability-related information supported by the fourth network element.
[0196] The first selection module 1120 is configured to select a fourth network element that matches the second capability-related information based on the received second discovery response message.
[0197] In one embodiment, the second capability-related information includes at least one of the following: authentication method; access technology type; access node type.
[0198] In one embodiment, the communication device applied to the first network element further includes:
[0199] The second sending module is configured to send a first registration request message to the fifth network element to create or update the network function configuration file of the first network element.
[0200] In one embodiment, the first registration request message includes at least one of the following: an authentication method supported by the first network element; an access technology type; and an access node type.
[0201] The communication device provided in this embodiment is configured to implement the communication method applied to the first network element in the embodiment shown in FIG8. The implementation principle and technical effect of the communication device provided in this embodiment are similar, and will not be described again here.
[0202] In one embodiment, FIG18 is a structural block diagram of another communication device provided in this application. This embodiment is applied to a third network element. As shown in FIG18, the communication device in this embodiment includes: a first sending module 1210 and a first selection module 1220.
[0203] The first sending module 1210 is configured to send a third discovery request message carrying at least first capability-related information to discover the first network element; wherein, the first capability-related information is capability-related information supported by the first network element.
[0204] The first selection module 1220 is configured to select a first network element that matches the first capability-related information based on the received third discovery response message.
[0205] In one embodiment, the communication device applied to the third network element further includes:
[0206] The second sending module is configured to send an authentication request message carrying at least a first authentication response to the first network element;
[0207] The first receiving module is configured to receive an authentication response message returned by the first network element, which carries at least the first authentication request.
[0208] In one embodiment, the communication device applied to the third network element further includes:
[0209] The second receiving module is configured to receive a data transmission session creation request message carrying data transmission session identifier information sent by the packet data gateway;
[0210] The feedback module is configured to return a data transmission session creation response message carrying the data transmission session context to the packet data gateway;
[0211] The third sending module is configured to send information related to the created data transmission session to the packet data gateway.
[0212] The communication device provided in this embodiment is configured to implement the communication method applied to the third network element in the embodiment shown in Figure 9. The implementation principle and technical effect of the communication device provided in this embodiment are similar, and will not be described again here.
[0213] In one embodiment, FIG19 is a structural block diagram of another communication device provided in an embodiment of this application. This embodiment is applied to a fourth network element. As shown in FIG19, the communication device in this embodiment includes: a sending module 1310.
[0214] The sending module 1310 is configured to send a second registration request message to the fifth network element to create or update the network function configuration file of the fourth network element.
[0215] In one embodiment, the second registration request message includes at least one of the following: the authentication method supported by the fourth network element; the access technology type; and the access node type.
[0216] The communication device provided in this embodiment is configured to implement the communication method applied to the fourth network element in the embodiment shown in FIG10. The implementation principle and technical effect of the communication device provided in this embodiment are similar, and will not be described again here.
[0217] In one embodiment, FIG20 is a schematic diagram of the structure of a communication device provided in an embodiment of this application. As shown in FIG20, the device provided in this application includes: a processor 1410, a memory 1420, and a communication module 1430. The number of processors 1410 in the device can be one or more; FIG20 shows an example of one processor 1410. The number of memories 1420 in the device can be one or more; FIG20 shows an example of one memory 1420. The processor 1410, memory 1420, and communication module 1430 of the device can be connected via a bus or other means; FIG20 shows an example of connection via a bus. In this embodiment, the device can be a packet data gateway, a first network element, a third network element, or a fourth network element.
[0218] The memory 1420, as a computer-readable storage medium, can be configured to store software programs, computer-executable programs, and modules, such as program instructions / modules corresponding to the device in any embodiment of this application (e.g., the first transmitting module 510 and the first selecting module 520 applied in a communication device for a packet data gateway). The memory 1420 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created according to the use of the device, etc. Furthermore, the memory 1420 may include high-speed random access memory and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other non-volatile solid-state storage device. In some instances, the memory 1420 may further include memory remotely located relative to the processor 1410, and these remote memories can be connected to the device via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0219] When the communication device is a packet data gateway, the device provided above can be configured to execute the communication method for packet data gateways provided in any of the above embodiments, and has the corresponding functions and effects.
[0220] When the communication device is the first network element, the device provided above can be configured to execute the communication method applied to the first network element provided in any of the above embodiments, and has the corresponding functions and effects.
[0221] When the communication device is the third network element, the device provided above can be configured to execute the communication method applied to the third network element provided in any of the above embodiments, and has the corresponding functions and effects.
[0222] When the communication device is the fourth network element, the device provided above can be configured to execute the communication method applied to the fourth network element provided in any of the above embodiments, and has the corresponding functions and effects.
[0223] This application embodiment also provides a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute a communication method applied to a packet data gateway. The method includes: sending a first discovery request message carrying at least first capability-related information to discover a first network element; wherein the first capability-related information is capability-related information supported by the first network element; and selecting a first network element that matches the first capability-related information based on a received first discovery response message.
[0224] This application embodiment also provides a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute a communication method applied to a first network element. The method includes: sending a second discovery request message carrying at least second capability-related information to discover a fourth network element; wherein the second capability-related information is capability-related information supported by the fourth network element; and selecting a fourth network element that matches the second capability-related information according to a received second discovery response message.
[0225] This application embodiment also provides a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute a communication method applied to a third network element. The method includes: sending a third discovery request message carrying at least first capability-related information to discover a first network element; wherein the first capability-related information is capability-related information supported by the first network element; and selecting a first network element that matches the first capability-related information according to a received third discovery response message.
[0226] This application embodiment also provides a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute a communication method applied to a fourth network element. The method includes: sending a second registration request message to a fifth network element to create or update a network function configuration file of the fourth network element.
[0227] Those skilled in the art will understand that the term user equipment covers any suitable type of wireless user equipment, such as mobile phones, portable data processing devices, portable web browsers, or vehicle-mounted mobile stations.
[0228] Generally, the various embodiments of this application can be implemented in hardware or dedicated circuitry, software, logic, or any combination thereof. For example, some aspects can be implemented in hardware, while others can be implemented in firmware or software that can be executed by a controller, microprocessor, or other computing device, although this application is not limited thereto.
[0229] Embodiments of this application can be implemented by executing computer program instructions through the data processor of a mobile device, for example in a processor entity, or through hardware, or through a combination of software and hardware. The computer program instructions can be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
[0230] Any block diagram or logic flow diagram in the accompanying drawings of this application may represent program steps, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program steps and logic circuits, modules, and functions. The computer program may be stored in memory. The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as, but not limited to, read-only memory (ROM), random access memory (RAM), and optical storage devices and systems (Digital Video Disc (DVD) or Compact Disc (CD)). Computer-readable media may include non-transitory storage media. The data processor may be of any type suitable to the local technical environment, such as, but not limited to, general-purpose computers, special-purpose computers, microprocessors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and processors based on multi-core processor architectures.
[0231] The above are merely optional embodiments of this application and are not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.
Claims
1. A communication method applied to a packet data gateway, comprising: sending a first discovery request message carrying at least first capability-related information to discover a first network element, wherein the first capability-related information is capability-related information supported by the first network element; and selecting, based on a received first discovery response message, a first network element that matches the first capability-related information.
2. The method according to claim 1, wherein the first capability-related information includes at least one of the following: an authentication method; an access technology type; and an access node type.
3. The method according to claim 1, further comprising: sending an authentication request message carrying at least device identity information to the first network element.
4. The method according to claim 3, wherein the authentication request message further carries at least one of the following: an access technology type and an access node type.
5. The method according to claim 1, wherein, when the packet data gateway and a second network element are co-located, the method further comprises: sending a first signaling message to a third network element, carrying at least the authentication method supported by the first network element, so that the third network element can perform the first network element discovery process.
6. The method according to claim 5, further comprising: receiving a second signaling message sent by the third network element, which carries at least a first authentication request; and returning a third signaling message to the third network element, which carries at least a first authentication response.
7. The method according to any one of claims 1-6, further comprising: sending a data transmission session creation request message carrying data transmission session identifier information to the third network element; receiving a data transmission session creation response message carrying a data transmission session context returned by the third network element; and receiving data transmission session information created by the third network element.
8. The method according to claim 1, further comprising: sending a device authentication request message carrying device identifier information associated with the user equipment to a device identifier registrar; and receiving a device authentication response message returned by the device identifier registrar, which carries a device authentication result.
9. The method according to claim 8, further comprising, before sending the device authentication request message carrying the device identifier information associated with the user equipment to the device identifier registrar: sending a first identification request message to the user equipment, carrying an indication requesting the device identification information associated with the user equipment; and receiving a first identification response message returned by the user equipment, which carries the device identification information associated with the user equipment; and, if the device authentication result indicates an abnormal device identifier, the method further comprises: returning to the user equipment a first identification request message carrying a delete payload and a device identification exception, so as to release the current security association.
10. The method according to claim 8, further comprising, before sending the device authentication request message carrying the device identifier information associated with the user equipment to the device identifier registrar: sending a second identification request message to the user equipment, carrying an indication requesting the device identification information associated with the user equipment; and receiving a second identification response message returned by the user equipment, which carries the device identification information associated with the user equipment; and, if the device authentication result indicates an abnormal device identifier, the method further comprises: returning to the user equipment a second identification request message carrying an abnormal device identifier, so as to release the current security association.
11. A communication method applied to a first network element, comprising: sending a second discovery request message carrying at least second capability-related information to discover a fourth network element, wherein the second capability-related information is capability-related information supported by the fourth network element; and selecting, based on a received second discovery response message, a fourth network element that matches the second capability-related information.
12. The method according to claim 11, wherein the second capability-related information includes at least one of the following: an authentication method; an access technology type; and an access node type.
13. The method according to claim 11, further comprising: sending a first registration request message to a fifth network element to create or update the network function configuration file of the first network element.
14. The method according to claim 13, wherein the first registration request message includes at least one of the following: the authentication method supported by the first network element; the access technology type; and the access node type.
15. A communication method applied to a third network element, comprising: sending a third discovery request message carrying at least first capability-related information to discover a first network element, wherein the first capability-related information is capability-related information supported by the first network element; and selecting, based on a received third discovery response message, a first network element that matches the first capability-related information.
16. The method according to claim 15, further comprising: sending an authentication request message carrying at least a first authentication response to the first network element; and receiving an authentication response message returned by the first network element, which carries at least a first authentication request.
17. The method according to any one of claims 15-16, further comprising: receiving a data transmission session creation request message carrying data transmission session identification information sent by a packet data network element; returning a data transmission session creation response message carrying the data transmission session context to the first network element; and sending the created data transmission session information to the first network element.
18. A communication method applied to a fourth network element, comprising: sending a second registration request message to a fifth network element to create or update the network function configuration file of the fourth network element.
19. The method according to claim 18, wherein the second registration request message includes at least one of the following: the authentication method supported by the fourth network element; the access technology type; and the access node type.
20. A communication device, comprising: a memory and one or more processors; wherein the memory is configured to store one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors perform the method according to any one of claims 1-10, 11-14, 15-17, or 18-19.
21. A storage medium storing a computer program that, when executed by a processor, implements the method according to any one of claims 1-10, 11-14, 15-17, or 18-19.
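The registration and capability-matched discovery that claims 1, 2, 11 to 15, 18 and 19 describe, as an added illustration that is not part of the patent or any ZTE implementation. It assumes the fifth network element is the NRF and the first network element an AUSF, and the field names, instance ids and capability values (for example "EAP-AKA" for ePDG access) are constructed for the example; the point it shows is that the discovery response only ever contains elements whose declared authentication method matches, so the requester fails closed when no compatible element exists.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NfProfile:
    """NF profile created or updated by the registration request (claims 13/14, 18/19).
    Field names are assumed here; the page fixes the content, not a wire format."""
    nf_instance_id: str
    nf_type: str                  # assumed: "AUSF" for the first network element
    auth_methods: frozenset       # authentication methods supported
    access_tech_types: frozenset  # access technology types supported
    access_node_types: frozenset  # access node types supported


class Nrf:
    """Plays the fifth network element (assumed: the NRF) of claims 13 and 18."""

    def __init__(self):
        self.profiles = {}

    def register(self, profile):
        # Create or update: a second registration for the same instance id replaces it.
        self.profiles[profile.nf_instance_id] = profile
        return profile.nf_instance_id

    def discover(self, nf_type, auth_method, access_tech=None, access_node=None):
        # Discovery request carrying capability-related information (claims 1/2, 11/12, 15).
        # Only profiles whose declared capabilities cover every requested item are returned,
        # so an element supporting a different authentication method never appears.
        return [p for p in self.profiles.values()
                if p.nf_type == nf_type and auth_method in p.auth_methods
                and (access_tech is None or access_tech in p.access_tech_types)
                and (access_node is None or access_node in p.access_node_types)]


def select_network_element(response):
    # Selection step of claims 1, 11 and 15. An empty response means no element
    # supports the requested capability; fail rather than pick an incompatible one.
    if not response:
        raise LookupError("no network element matches the requested capability")
    return response[0].nf_instance_id


def build_registry():
    # Constructed sample registrations (not taken from the page).
    nrf = Nrf()
    nrf.register(NfProfile("ausf-1", "AUSF", frozenset({"5G-AKA", "EAP-AKA'"}),
                           frozenset({"3GPP"}), frozenset({"gNB"})))
    nrf.register(NfProfile("ausf-2", "AUSF", frozenset({"EAP-AKA"}),
                           frozenset({"NON_3GPP"}), frozenset({"ePDG"})))
    return nrf
```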