Data processing method, communication system, storage medium, electronic apparatus and computer program product

By instructing users on relevant data processing information in the protocol data unit, the problem that the core network can only configure security processing at the PDU session level is solved, enabling flexible data processing and improving efficiency and user experience.

WO2026144412A1PCT designated stage Publication Date: 2026-07-09ZTE CORP

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
ZTE CORP
Filing Date
2025-10-17
Publication Date
2026-07-09

AI Technical Summary

Technical Problem

In traditional wireless communication systems, the core network can only configure the security processing method for user data at the PDU session level, resulting in a waste of wireless access network element resources.

Method used

By indicating information related to user data processing in the protocol data unit, network devices can flexibly indicate security processing requirements or statuses at different levels (such as PDU sessions, QoS flows, QoS sub-flows, DRBs, etc.), including encryption, integrity protection, etc.

Benefits of technology

It improves data processing efficiency, avoids unnecessary processing steps, reduces resource waste, and enhances user experience.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN2025128538_09072026_PF_FP_ABST
    Figure CN2025128538_09072026_PF_FP_ABST
Patent Text Reader

Abstract

Provided in the embodiments of the present disclosure are a data processing method, a communication system, a storage medium, an electronic apparatus and a computer program product. The method comprises: a first network device acquiring user data, and determining first information related to the processing of the user data; and the first network device sending to a second network device a protocol data unit carrying the user data, wherein the first network device indicates the first information by means of the protocol data unit, such that the second network device processes the user data on the basis of the first information.
Need to check novelty before this filing date? Find Prior Art

Description

Data processing methods, communication systems, storage media, electronic devices, and computer program products

[0001] Cross-reference to related applications

[0002] This disclosure is based on and claims priority to Chinese patent application CN2025100113262, filed on January 3, 2025, entitled “Data Processing Method, Communication System, Storage Medium, Electronic Device and Computer Program Product”, and incorporates the entire contents of that patent application by reference. Technical Field

[0003] This disclosure relates to the field of communications, and more specifically, to a data processing method, a communication system, a storage medium, an electronic device, and a computer program product. Background Technology

[0004] In traditional wireless communication systems, such as 5G NR (New Radio), when establishing resources for a User Equipment (UE) session (e.g., a Protocol Data Unit Session, PDU session) at the radio access network element, the core network element indicates session information via Next Generation Control Plane (NG-C) messages. This session information includes security processing requirements for session data. In practical applications, some data may already be encrypted during application and does not need to be encrypted again during wireless network transmission. However, in existing technologies, the core network can only configure the security processing method for user data at the PDU session level, leading to unnecessary waste of radio access network element processing resources. There is currently no good solution to this problem. Summary of the Invention

[0005] This disclosure provides a data processing method, a communication system, a storage medium, an electronic device, and a computer program product to at least solve the problem in related technologies that the core network can only configure the security processing method for user data at the PDU session level.

[0006] According to one embodiment of this disclosure, a data processing method is provided, comprising: a first network device acquiring user data and determining first information related to the processing of the user data; the first network device sending a protocol data unit carrying user data to a second network device, wherein the first network device instructs the first information through the protocol data unit so that the second network device processes the user data according to the first information.

[0007] According to another embodiment of this disclosure, a data processing method is provided, comprising: a second network device receiving a protocol data unit carrying user data from a first network device, wherein the first network device indicates first information related to the processing of user data through the protocol data unit; the second network device determining user data and the first information according to the protocol data unit; and processing the user data according to the first information.

[0008] According to another embodiment of this disclosure, a communication system is provided, including: a first network device and a second network device, wherein the first network device is configured to send a protocol data unit carrying user data to the second network device, wherein the first network device indicates first information related to the processing of user data through the protocol data unit; the second network device is configured to receive the protocol data unit from the first network device, determine user data and the first information according to the protocol data unit, and process the user data according to the first information.

[0009] According to yet another embodiment of this disclosure, a computer-readable storage medium is also provided, which stores a computer program that, when executed by a processor, implements the steps in any of the above method embodiments.

[0010] According to yet another embodiment of this disclosure, an electronic device is also provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in any of the above method embodiments.

[0011] According to yet another embodiment of this disclosure, a computer program product is also provided, including a computer program that, when executed by a processor, implements the steps in any of the above method embodiments. Attached Figure Description

[0012] Figure 1 is a schematic diagram of the network architecture of a wireless access network according to an embodiment of the present disclosure;

[0013] Figure 2 is a schematic diagram of the user plane protocol stack of the NG interface according to an embodiment of the present disclosure;

[0014] Figure 3 is a schematic diagram of the GTP-U protocol stack according to an embodiment of the present disclosure;

[0015] Figure 4 is a schematic diagram of the structure of the GTP-U head according to an embodiment of the present disclosure;

[0016] Figure 5 is a schematic diagram of the structure of the extension head of GTP-U according to an embodiment of the present disclosure;

[0017] Figure 6 is a hardware structure block diagram of the mobile terminal operating in the embodiments of the method disclosed herein;

[0018] Figure 7 is a flowchart of a data processing method for a first network device according to an embodiment of the present disclosure;

[0019] Figure 8 is a flowchart of a data processing method for a second network device according to an embodiment of the present disclosure;

[0020] Figure 9 is a block diagram of a communication system according to an embodiment of the present disclosure;

[0021] Figure 10 is a schematic diagram (a) of an information indication method according to an embodiment of the present disclosure;

[0022] Figure 11 is a schematic diagram (II) of an information indication method according to an embodiment of the present disclosure;

[0023] Figure 12 is a schematic diagram of information processing via an extended header content field indication according to an embodiment of the present disclosure;

[0024] Figure 13 is a schematic diagram (iii) of an information indication method according to an embodiment of the present disclosure;

[0025] Figure 14 is a schematic diagram illustrating relevant information for processing information indicated by an extended header content field according to an embodiment of the present disclosure;

[0026] Figure 15 is a schematic diagram of the user plane protocol stack between the access network element and the user equipment according to an embodiment of the present disclosure;

[0027] Figure 16 is a schematic diagram (a) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure;

[0028] Figure 17 is a schematic diagram (II) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure;

[0029] Figure 18 is a schematic diagram (III) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure. Detailed Implementation

[0030] The embodiments of this disclosure will be described in detail below with reference to the accompanying drawings and examples.

[0031] It should be noted that the terms "first," "second," etc., in the specification, claims, and drawings of this disclosure are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.

[0032] The embodiments disclosed herein can be applied to wireless communication networks such as 5G and 6G networks. The following description uses a 5G wireless access network as an example, but this disclosure is not limited thereto.

[0033] Figure 1 is a schematic diagram of the network architecture of a wireless access network according to an embodiment of the present disclosure. The embodiments of the present disclosure can operate on the network architecture shown in Figure 1. As shown in Figure 1, the network architecture includes:

[0034] Access and Mobility Management Function (AMF) / User Plane Function (UPF) and 5G Node B (gNB), where AMF / UPF are core network elements and gNB is an access network element or base station.

[0035] The NG interface is the interface between the AMF / UPF and gNB. The NG interface includes the NG user plane interface (NG-U) and the NG control plane interface (NG-C).

[0036] The NG control plane interface (NG-C) provides functions including NG interface management, UE context management, UE mobility management, transmission of Non-Access Stratum (NAS) messages, paging, and PDU session management.

[0037] The NG User Plane Interface (NG-U) is defined between NG-RAN nodes (e.g., gNB) and the UPF.

[0038] Figure 2 is a schematic diagram of the user plane protocol stack of the NG interface according to an embodiment of the present disclosure. As shown in Figure 2,

[0039] The transport network layer is built on top of Internet Protocol (IP) transmission. The GPRS Tunneling Protocol-User Plane (GTP-U) protocol layer is located on top of User Datagram Protocol (UDP) / IP and is used to transmit Protocol Data Units (PDUs) of the user plane between radio access network elements and core network elements.

[0040] The GTP-U protocol entity provides packet transmission and reception services for access network elements (e.g., gNB, 6G wireless communication system base stations) and core network elements (e.g., UPF and Multi-Bearer User Plane Function (MB-UPF, 6G wireless communication system core network equipment)). The GTP-U protocol entity receives traffic from multiple GTP-U tunnel endpoints and transmits traffic to multiple GTP-U tunnel endpoints. There is one GTP-U protocol entity for each IP address.

[0041] Figure 3 is a schematic diagram of the GTP-U protocol stack according to an embodiment of the present disclosure. As shown in Figure 3, the GTP Packet Data Unit (G-PDU) is carried on top of the UDP / IP protocol stack. The G-PDU is used for transmission between GTP network nodes. The G-PDU includes a GTP-U header and a Transport PDU (T-PDU). The T-PDU is the payload of the GTP-U tunnel and may contain a user's IP data packet.

[0042] Figure 4 is a schematic diagram of the structure of the GTP-U header according to an embodiment of the present disclosure. As shown in Figure 4, the length of the GTP-U header is variable, including the first 8 fixed octets and several optional ones, as well as an extension header.

[0043] The first octet includes the following information: version, indicating the version of the protocol; PT, indicating the type of the protocol; E, indicating whether the Next Extension Header Type field exists; S, indicating whether the Sequence Number field exists; and PN, indicating whether the N-PDU number field exists.

[0044] The second octet is the message type, which indicates the type of GTP-U message.

[0045] The third and fourth octets are for length, indicating the length of the payload in addition to the fixed eight octets.

[0046] The 5th to 8th octets are the Tunnel Endpoint Identifier, which indicates the identifier of the GTP-U tunnel receiver.

[0047] The 9th to 12th octets are all optional. For example, as shown in Figure 4, the Sequence Number can include 2 octets, the N-PDU number can include 1 octet, and the Next Extension Header Type can include 1 octet, indicating the type of extension header.

[0048] Figure 5 is a schematic diagram of the structure of the extension head of GTP-U according to an embodiment of the present disclosure. As shown in Figure 5, the extension head of GTP-U includes the following information:

[0049] Extension Header Length indicates the length of this extension header;

[0050] Extension header content is the content contained within the extension header;

[0051] The Next Extension Header Type indicates the type of the next extension header. A value of all zeros for Next Extension Header Type indicates that there is no next extension header.

[0052] The methods and embodiments provided in this disclosure can be run on core network equipment, access network equipment, or user equipment. For example, core network equipment may include AMF network elements, UPF network elements, MB-UPF network elements, and other core network elements; access network equipment may include gNB, ng-eNB, and other access network equipment; and user equipment may include mobile terminals, computer terminals, etc.

[0053] The method embodiments provided in this disclosure can be executed in a mobile terminal, computer terminal, or similar computing device. Taking running on a mobile terminal as an example, FIG6 is a hardware structure block diagram of a mobile terminal running in the method embodiments of this disclosure. As shown in FIG6, the mobile terminal may include one or more (only one is shown in FIG1) processors 62 (processor 62 may include, but is not limited to, processing devices such as microprocessors MCUs or programmable logic devices FPGAs) and a memory 64 for storing data. The mobile terminal may also include a transmission device 66 for communication functions and an input / output device 68. Those skilled in the art will understand that the structure shown in FIG6 is only illustrative and does not limit the structure of the mobile terminal. For example, the mobile terminal may also include more or fewer components than shown in FIG1, or have a different configuration than shown in FIG1.

[0054] The memory 64 can be used to store computer programs, such as application software programs and modules, like the computer program corresponding to the data processing method in this embodiment. The processor 62 executes various functional applications and data processing by running the computer program stored in the memory 64, thus implementing the above-described method. The memory 64 may include high-speed random access memory and non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 64 may further include memory remotely located relative to the processor 62, and these remote memories can be connected to the mobile terminal via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

[0055] The transmission device 66 is used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by the mobile terminal's communication provider. In one example, the transmission device 66 includes a Network Interface Controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the transmission device 66 may be a Radio Frequency (RF) module, used for wireless communication with the Internet.

[0056] This disclosure provides a data processing method operating on the aforementioned wireless access network. Figure 7 is a flowchart of a data processing method for a first network device according to an embodiment of this disclosure. As shown in Figure 7, the process includes the following steps:

[0057] Step S702: The first network device acquires user data and determines first information related to the processing of the user data;

[0058] In step S704, the first network device sends a protocol data unit carrying user data to the second network device, wherein the first network device instructs first information through the protocol data unit so that the second network device processes the user data according to the first information.

[0059] Through the above steps, first information related to user data processing can be indicated in the Protocol Data Unit (PDU), enabling the second network device to accurately understand the data processing requirements or status, thus allowing for more flexible processing of user data. This method can improve data processing efficiency, avoid unnecessary processing steps, reduce waste of processing resources, and thereby solve the problem in related technologies where the core network can only configure the secure processing method for user data at the PDU session level.

[0060] In this embodiment, the first network device may be a core network device, an access network device, a user equipment, etc., and the second network device may be an access network device, a user equipment, etc.

[0061] In some embodiments, the first information may include one of the following:

[0062] The processing information of the user data;

[0063] The data type of the user data, wherein the data type corresponds to the processing information;

[0064] The user data is labeled, wherein the label corresponds to the processing information;

[0065] The processing type of the user data, wherein the processing type corresponds to the processing information;

[0066] The identifier of the QoS flow or QoS sub-flow to which the user data belongs, wherein the identifier of the QoS flow or QoS sub-flow corresponds to the processing information.

[0067] In this embodiment, user data processing information can be indicated directly or indirectly via a PDU, offering greater flexibility. For indirect indication, a mapping relationship can be established between processing information and information such as tags, data types, processing types, QoS flow identifiers, or QoS sub-flow identifiers. The PDU then indicates these tags, data types, processing types, QoS flow identifiers, or QoS sub-flow identifiers to the second network device, enabling the second network device to determine the corresponding processing information based on the mapping relationship. Furthermore, configuring user data processing information based on tags, data types, processing types, QoS flow identifiers, or QoS sub-flow identifiers can improve the efficiency of processing information indication, thereby enhancing the user experience.

[0068] In some embodiments, in response to the first network device being a core network device, the processing information includes the security processing requirements for the user data. Correspondingly, the second network device may be an access network device, and the core network device may implement the setting / configuration of PDU-level data security processing requirements. The second network device may determine whether user data needs to be security processed and how to perform security processing based on the security processing requirements.

[0069] In one exemplary embodiment, the security processing requirements for the user data may include at least one of the following:

[0070] Does the second network device need to encrypt a portion of the user data?

[0071] Does the second network device need to perform integrity protection on a portion of the user data?

[0072] Does the second network device need to encrypt the user data?

[0073] Does the second network device need to protect the integrity of the user data?

[0074] Is the user data encrypted?

[0075] Whether the second network device needs to process the user data using the processing method configured in the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the data radio bearer DRB.

[0076] In this embodiment, some data may be data from a specified location or of a specified type in user data, such as sensitive data such as IP addresses, but this disclosure is not limited thereto.

[0077] In this embodiment, the PDU session is the foundation for providing network access and data transmission services to users. It can contain all Quality of Service (QoS) flows for data transmission from the core network to the UE. A QoS flow is a logical connection within a PDU session that defines QoS parameters for a specific type of data flow. The Data Radio Bearer (DRB) is used to carry the data of the QoS flows within the PDU session from the UPF to the gNB. A DRB can carry one or more QoS flows, depending on the UE's data transmission requirements.

[0078] In this embodiment, a QoS sub-flow is a quality of service sub-flow, and a QoS flow may contain one or more QoS sub-flows. QoS sub-flows provide a mechanism for finer-grained identification of data within a QoS flow.

[0079] Through the embodiments disclosed herein, indications of user data security processing requirements can be implemented at multiple levels, including PDU session level, QoS flow level, QoS sub-flow level, DRB level, and PDU level. The indication methods are more flexible and precise, capable of matching various user needs, thereby improving user experience.

[0080] In other embodiments, in response to the first network device being an access network device or a user equipment, the processing information includes the security processing status of the user data. For example, if the first network device is an access network device, the second network device can be a user equipment; conversely, if the first network device is a user equipment, the second network device can be an access network device. Embodiments of this disclosure can implement indication of the data security processing status at the PDU level. The second network device can determine the security processing method used for the user data based on the security processing status of the user data, and thus quickly and accurately process the user data accordingly.

[0081] In one exemplary embodiment, the secure processing status of the user data may include at least one of the following:

[0082] Has the first network device already encrypted a portion of the user data?

[0083] Whether the first network device has already performed integrity protection on a portion of the user data;

[0084] Has the first network device encrypted the user data?

[0085] Has the first network device already performed integrity protection on the user data?

[0086] Whether the first network device has already processed the user data using the processing method configured in the session, QoS flow, QoS sub-flow, or DRB where the protocol data unit is located.

[0087] In this embodiment, some data may be data from a specified location or of a specified type in user data, such as sensitive data such as IP addresses, but this disclosure is not limited thereto.

[0088] Through the embodiments disclosed herein, indications of the security processing status of user data can be implemented at multiple levels, including PDU session level, QoS flow level, QoS sub-flow level, DRB level, and PDU level. The indication method is more flexible and accurate, and can match various user needs, thereby improving the user experience.

[0089] In an exemplary embodiment, after determining the security processing status of user data, the second network device can quickly and accurately process the user data according to the security processing status. For example, if the user data has been encrypted, the second network device can decrypt the user data; if the user data has been protected for integrity, the second network device can perform integrity verification on the user data, thereby accelerating data processing efficiency.

[0090] In some embodiments, the method may further include at least one of the following:

[0091] In response to the fact that the first network device is the access network device and the processing information includes that the first network device has encrypted a portion of the user data, the first network device sends a first signaling to the second network device, wherein the first signaling carries the data length of the encrypted portion of the data;

[0092] In response to the first network device being the access network device and the processing information including that the first network device has performed integrity protection on a portion of the user data, the first network device sends a second signaling message to the second network device, wherein the second signaling message carries the data length of the portion of data that has been integrity protected.

[0093] In this embodiment, if the first network device only performs security processing on a portion of the data, the first network device can indicate the data length of this portion of data so that the second network device can accurately determine which portion of the data has been security processed and needs to be processed accordingly (e.g., data decryption, integrity verification), thereby improving the security processing efficiency and data processing accuracy of the second network device.

[0094] In some embodiments, the method may further include: the first network device and the second network device agreeing on the processing information corresponding to the data type, the tag, the processing type, the QoS flow identifier, or the QoS sub-flow identifier through a protocol; or, the first network device sending a control plane message or control signaling to the second network device, wherein the control plane message or the control signaling is used to indicate the processing information corresponding to the data type, the tag, the processing type, the QoS flow identifier, or the QoS sub-flow identifier.

[0095] In an exemplary embodiment, if the first network device is a core network device and the second network device is an access network device, they can configure the mapping relationships between data types and processing information, tags and processing information, processing types and processing information, QoS flow identifiers and processing information, or QoS sub-flow identifiers and processing information through control plane messages. If the first network device and the second network device are an access network device and a user equipment, respectively, the above mapping relationships can be configured through control signaling.

[0096] In an exemplary embodiment, a specific value for a flag, data type, or processing type can be defined to correspond to a default processing. The default processing is the one that is explicitly defined, and its specific content can be indicated through control plane messages or control signaling, or defined through a protocol. Furthermore, the specific content of the default processing can be configured for a specific PDU session, a specific QoS Flow, a specific QoS sub-flow, or a specific DRB. For example, for a DRB, an access network device can configure whether the user data of that DRB has been encrypted and whether integrity protection has been implemented through Radio Resource Control (RRC) messages. In this case, the default processing for that DRB refers to the processing configured for it through the RRC message.

[0097] In some embodiments, the processing information corresponding to the data type, the tag, or the processing type is configured for a specific session, a specific Quality of Service (QoS) flow, a specific QoS sub-flow, a specific QoS sub-flow, or a specific Data Radio Bearer (DRB). For example, the data type or tag can be an identifier for a session, QoS flow, QoS sub-flow, or DRB. This configuration for a specific session or flow can meet the data processing needs in different scenarios, improving the flexibility and efficiency of data processing.

[0098] In some embodiments, the protocol data unit includes a GPRS Tunneling Protocol-User Plane PDU (GTP-U PDU), wherein the indication method of the first information includes at least one of the following:

[0099] 1) The first information is indicated by one or more bits in the GTP-U header of the GTP-U PDU. This bit-level indication method can reduce the overhead of protocol data units and improve transmission efficiency.

[0100] 2) The first information is indicated by the message type in the GTP-U PDU. This method uses existing message type fields for indication, and one or more message type values ​​can be added to indicate various first information involved in this disclosure.

[0101] 3) The first information is indicated by the extension header in the GTP-U PDU, wherein the extension header type is a preset type, and the first information is located in the extension header content field of the extension header. This method requires the addition of new extension header types, and these newly defined extension header types need to be followed by corresponding extension headers. The extension header content field can carry more information and can be applied to scenarios that require complex processing.

[0102] 4) The first information is indicated by one or more extension header types in the GTP-U PDU. This method can simply add extension header types and indicate them through the extension header type field. These newly defined extension header types do not need to be followed by corresponding extension headers, thereby reducing overhead and improving transmission efficiency.

[0103] In this embodiment, the GTP-U PDU can transmit user data between core network equipment and access network equipment. By indicating the first information, the receiving end can clearly and accurately understand the user data processing requirements, thereby improving the processing efficiency of the receiving end. The GTP-U PDU includes a GTP-U header, and the extended header is an optional structure. The specific details of the GTP-U header and the extended header can be found in Figures 4 and 5.

[0104] In one exemplary embodiment, multiple bits can each indicate different information. For example, one bit can be used to indicate whether user data is encrypted, and another bit can be used to indicate whether user data is protected for integrity. Multiple bits in the GTP-U header can also collectively indicate one type of information. For example, multiple bits can be used to indicate the processing type of user data. This disclosure does not limit the specific manner in which the first information is indicated.

[0105] In some embodiments, the first information is configured for a specific Quality of Service (QoS) flow or a specific QoS sub-flow, wherein the indication of the specific QoS flow or the specific QoS sub-flow includes at least one of the following:

[0106] 1) The identifier of the specific QoS flow or the identifier of the specific QoS sub-flow is indicated by one or more bits in the GTP-U header;

[0107] 2) The extension header indicates the identifier of the specific QoS flow or the identifier of the specific QoS sub-flow, wherein the extension header type of the extension header is the preset type, and the first information is located in the extension header content field of the extension header.

[0108] In this embodiment, the indication of security processing information at the QoS flow level or QoS sub-flow level can be implemented, which provides greater flexibility and is suitable for scenarios that require complex processing of specific flows.

[0109] In some embodiments, the protocol data unit may include a Packet Data Convergence Protocol Protocol Data Unit (PDCP PDU), a Radio Link Control Protocol Data Unit (RLC PDU), or a Medium Access Control Protocol Data Unit (MAC PDU), wherein the indication of the first information includes indicating the first information through one or more fields in the protocol data unit header (PDU header) of the PDCP PDU, the RLC PDU, or the MAC PDU.

[0110] In this embodiment, PDCP PDU, RLC PDU, and MAC PDU can transmit user data between the access network device and the user equipment. By using the protocol data unit carrying the user data to indicate the first information, the receiving end of the user data can clearly and accurately determine the processing status of the user data, thereby improving the processing efficiency of the receiving end and reducing the interaction of control signaling. The format of PDCP PDU, RLC PDU, and MAC PDU can adopt the definitions in existing standards. For example, one bit field in the PDU header can be used to indicate whether the data has been encrypted, and another bit field in the PDU header can be used to indicate whether the data has been protected for integrity; alternatively, both bit fields in the PDU header can be used together as an indication field for the tag / processing type / data type, and this disclosure does not limit this.

[0111] Through the various embodiments of this disclosure, since first information related to user data processing can be indicated in the protocol data unit, the second network device can accurately understand the data processing requirements or processing status, thereby enabling more flexible processing of user data. This method can improve data processing efficiency, avoid unnecessary processing steps, reduce waste of processing resources, and thus solve the problem in related technologies where the core network can only configure the secure processing method of user data at the PDU session level.

[0112] This disclosure also provides a data processing method operating on the aforementioned wireless access network. Figure 8 is a flowchart of a data processing method for a second network device according to an embodiment of this disclosure. As shown in Figure 8, the process includes the following steps:

[0113] In step S802, the second network device receives a protocol data unit carrying user data from the first network device, wherein the first network device indicates first information related to the processing of the user data through the protocol data unit;

[0114] Step S804: The second network device determines the user data and the first information according to the protocol data unit;

[0115] Step S806: The second network device processes the user data based on the first information.

[0116] Through the above steps, first information related to user data processing can be indicated in the Protocol Data Unit (PDU), enabling the second network device to accurately understand the data processing requirements or status, thus allowing for more flexible processing of user data. This method can improve data processing efficiency, avoid unnecessary processing steps, reduce waste of processing resources, and thereby solve the problem in related technologies where the core network can only configure the secure processing method for user data at the PDU session level.

[0117] In this embodiment, the first network device may be a core network device, an access network device, a user equipment, etc., and the second network device may be an access network device, a user equipment, etc.

[0118] In some embodiments, the first information may include one of the following:

[0119] The processing information of the user data;

[0120] The data type of the user data, wherein the data type corresponds to the processing information;

[0121] The user data is labeled, wherein the label corresponds to the processing information;

[0122] The processing type of the user data, wherein the processing type corresponds to the processing information;

[0123] The identifier of the QoS flow or QoS sub-flow to which the user data belongs, wherein the identifier of the QoS flow or QoS sub-flow corresponds to the processing information.

[0124] In some embodiments, step S806 may include one of the following steps:

[0125] Step S806A: In response to the first information including the processing information, the second network device processes the user data according to the processing information; or,

[0126] In step S806B, in response to the first information including the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow, the second network device determines the corresponding processing information based on the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow, and the second network device processes the user data based on the processing information.

[0127] In this embodiment, user data processing information can be indicated directly or indirectly via a PDU, offering greater flexibility. For indirect indication, a mapping relationship can be established between processing information and information such as tags, data types, processing types, QoS flow identifiers, or QoS sub-flow identifiers. The PDU then indicates these tags, data types, and processing types to the second network device, enabling the second network device to determine the corresponding processing information based on the mapping relationship. This mapping relationship can be agreed upon through a protocol or pre-set via control plane messages or control signaling. Furthermore, configuring user data processing information based on tags, data types, and processing types can improve the efficiency of processing information indication, thereby enhancing the user experience.

[0128] In some embodiments, the processing information corresponding to the data type, the tag, or the processing type is configured for a specific session, a specific Quality of Service (QoS) flow, a specific QoS sub-flow, or a specific Data Radio Bearer (DRB). For example, the data type or tag can be a session, a QoS flow, a QoS sub-flow, or an identifier of the DRB. This configuration for a specific session or flow can meet the data processing needs in different scenarios, improving the flexibility and efficiency of data processing.

[0129] In some embodiments, in response to the first network device being a core network device, the processing information includes the security processing requirements of the user data, wherein the second network device processes the user data according to the processing information, including at least one of the following:

[0130] 1) The second network device encrypts a portion of the user data according to the security processing requirements; for example, the security processing requirements may include the second network device needing to encrypt a portion of the user data.

[0131] 2) The second network device performs integrity protection on a portion of the user data according to the security processing requirements; for example, the security processing requirements may include the second network device needing to perform integrity protection on a portion of the user data.

[0132] 3) The second network device encrypts the user data according to the security processing requirements; for example, the security processing requirements may include the second network device needing to encrypt the user data.

[0133] 4) The second network device performs integrity protection on the user data according to the security processing requirements; for example, the security processing requirements may include the second network device needing to perform integrity protection on the user data.

[0134] 5) The second network device does not encrypt the user data according to the security processing requirements; for example, the security processing requirements may include the user data being encrypted data.

[0135] 6) The second network device processes the user data using the processing method configured by the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the DRB according to the security processing requirements; for example, the security processing requirements may include the second network device needing to process the user data using the processing method configured by the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the DRB.

[0136] In this embodiment, some data may be data from a specified location or of a specified type in user data, such as sensitive data such as IP addresses, but this disclosure is not limited thereto.

[0137] Through the embodiments disclosed herein, indications of user data security processing requirements can be implemented at multiple levels, including PDU session level, QoS flow level, QoS sub-flow level, DRB level, and PDU level. The indication methods are more flexible and precise, capable of matching various user needs, thereby improving user experience.

[0138] In other embodiments, in response to the first network device being an access network device or a user equipment, the processing information includes the security processing status of the user data, wherein the second network device processes the user data according to the processing information, including at least one of the following:

[0139] 1) The second network device decrypts a portion of the user data according to the security processing status; for example, the security processing status may include the first network device having already encrypted a portion of the user data.

[0140] 2) The second network device performs integrity verification on a portion of the user data according to the security processing status; for example, the security processing status may include the first network device having already performed integrity protection on a portion of the user data.

[0141] 3) The second network device decrypts the user data according to the security processing status; for example, the security processing status may include the first network device having already encrypted the user data.

[0142] 4) The second network device performs integrity verification on the user data according to the security processing status; for example, the security processing status may include the first network device having already performed integrity protection on the user data.

[0143] 5) The second network device processes the user data according to the security processing state using the processing method configured in the session where the protocol data unit resides, the QoS flow, the QoS sub-flow, or the radio bearer DRB. For example, the security processing state may include the first network device having already processed the user data using the processing method configured in the session where the protocol data unit resides, the QoS flow, the QoS sub-flow, or the radio bearer DRB. Further, the processing at the sending end includes, but is not limited to, data encryption and integrity protection, while the corresponding processing at the receiving end includes, but is not limited to, decryption and integrity verification.

[0144] In this embodiment, some data may be data from a specified location or of a specified type within user data, such as sensitive data like IP addresses, but this disclosure is not limited to this. The sending and receiving ends of user data can also configure or negotiate the data length of some data through control signaling, or the data length of some data can be agreed upon through a protocol, enabling the receiving end to process the specified data securely and more quickly and accurately.

[0145] Through the embodiments disclosed herein, indications of the security processing status of user data can be implemented at multiple levels, including PDU session level, QoS flow level, QoS sub-flow level, DRB level, and PDU level. The indication method is more flexible and accurate, and can match various user needs, thereby improving the user experience.

[0146] In some embodiments, if the first network device is a core network device, the protocol data unit may include a GPRS Tunneling Protocol-User Plane PDU (GTP-U PDU) for transmitting information related to the security processing requirements of user data to the second network device. The specific method of indicating the first information via the GTP-U PDU can be found in the method embodiments on the first network device side, and will not be repeated here.

[0147] In other embodiments, if the first network device is an access network device or a user equipment, the protocol data unit may include a Packet Data Convergence Protocol Data Unit (PDCP PDU), a Radio Link Control Protocol Data Unit (RLC PDU), or a Medium Access Control Protocol Data Unit (MAC PDU), etc., used to transmit information related to the security processing status of user data to the second network device. The specific method of indicating the first information via PDCP PDU, RLC PDU, and MAC PDU can be found in the method embodiments on the first network device side, and will not be repeated here.

[0148] Through the various embodiments of this disclosure, since first information related to user data processing can be indicated in the protocol data unit, the second network device can accurately understand the data processing requirements or processing status, thereby enabling more flexible processing of user data. This method can improve data processing efficiency, avoid unnecessary processing steps, reduce waste of processing resources, and thus solve the problem in related technologies where the core network can only configure the secure processing method of user data at the PDU session level.

[0149] This disclosure also provides a communication system. FIG9 is a block diagram of the communication system according to an embodiment of this disclosure. As shown in FIG9, the communication system may include the following structure:

[0150] First network device 92 and second network device 94, wherein...

[0151] The first network device is configured to send a protocol data unit carrying user data to the second network device, wherein the first network device indicates first information related to the processing of the user data through the protocol data unit;

[0152] The second network device is configured to receive the protocol data unit from the first network device, determine the user data and the first information based on the protocol data unit, and process the user data based on the first information.

[0153] In this embodiment of the disclosure, the first network device may also perform data processing according to the various method embodiments of the first network device side described above, and the second network device may also perform data processing according to the various method embodiments of the second network device side described above.

[0154] In one exemplary embodiment, the first network device is a core network device, the second network device is an access network device, and the first information is information related to security processing requirements.

[0155] In another exemplary embodiment, the first network device is an access network device and the second network device is a user equipment; or, the first network device is a user equipment and the second network device is an access network device. The first information is information related to the security processing status.

[0156] Through the embodiments of this disclosure, first information related to user data processing can be indicated in the Protocol Data Unit (PDU), enabling the second network device to accurately understand the data processing requirements or processing status, thereby allowing for more flexible processing of user data. This method can improve data processing efficiency, avoid unnecessary processing steps, reduce waste of processing resources, and thus solve the problem in related technologies where the core network can only configure the secure processing method for user data at the PDU session level.

[0157] The data processing methods and information indication methods in this disclosure will be explained in detail below with reference to specific application scenarios.

[0158] Example 1

[0159] This embodiment provides a data processing method and information indication method applicable between network elements, especially between core network elements and wireless network access network elements, and between wireless network access network elements.

[0160] The data processing method includes: a first network element sending user data to a second network element. The first network element instructs the second network element on data processing information within a Protocol Data Unit (PDU) carrying the user data. The second network element processes the received user data accordingly based on the instructed processing information. The first network element instructs on the processing information for the user data carried by the GTP-U PDU in the header of the PDU as defined by the GTP-U protocol, i.e., the GTP-U header.

[0161] The information processed may include one or more of the following combinations:

[0162] Should only part of the data be encrypted, for example, the IP header?

[0163] Should integrity protection be applied only to a portion of the data, for example, the IP header?

[0164] Is the data encrypted?

[0165] Whether data integrity protection is implemented;

[0166] Has the data been encrypted? For example, has the data been encrypted at the application layer?

[0167] Whether to follow the processing method configured at the session, QoS flow, or QoS sub-flow level.

[0168] In this embodiment of the disclosure, the method of indicating the processing information in the GTP-U header includes the following methods.

[0169] Information indication mode 1 uses one or more bits in the GTP-U header to indicate the processing of the data carried by the GTP-U PDU.

[0170] In an exemplary embodiment, the idle bit (the fourth bit in the first octet) in the conventional version of the GTP-U header can be used. Figure 10 is a schematic diagram (a) of the information indication method according to an embodiment of the present disclosure. As shown in Figure 10, the fourth bit in the first octet of the GTP-U header can be defined as the C field, used to indicate whether the data carried by the GTP-U PDU needs to be encrypted, or whether the data has been encrypted, or whether it follows the processing method of PDU session, QoS flow, or QoS sub-flow.

[0171] Information indication method 2 indicates the processing of data carried by the GTP-U PDU through the message type of GTP-U.

[0172] In an exemplary embodiment, the processing corresponding to a message type can be specified as the default processing method, that is, the processing method configured in the session, QoS flow, or QoS sub-flow where the data is located.

[0173] In an exemplary embodiment, the message type value can be defined as M1, M2, M3, M4, etc. When the message type is equal to M1, it means that the data carried by the GTP-U PDU is not encrypted; when the message type is equal to M2, it means that the data carried by the GTP-U PDU is not protected for integrity; when the message type is equal to M3, it means that the IP header of the data carried by the GTP-U PDU is encrypted; when the message type is equal to M4, it means that the IP header of the data carried by the GTP-U PDU is protected for integrity, and so on.

[0174] Information indication method 3 defines an extension header of a GTP-U header and includes the information to be indicated in the extension header.

[0175] Figure 11 is a schematic diagram (II) of the information indication method according to an embodiment of the present disclosure. As shown in Figure 11, the type of the GTP-U header extension header can be defined as A, that is, the value of the Next Extension Header Type field in the GTP-U header is A, indicating that the corresponding extension header will carry indication information related to data processing.

[0176] Figure 12 is a schematic diagram illustrating the indication of processing information through an extension header content field according to an embodiment of the present disclosure. As shown in Figure 12, one or more bits can be defined in the extension header content field, with each bit indicating a processing message. For example, a C field can be defined in the extension header content field to indicate whether the data carried by the GTP-UPDU is encrypted, and an I field can be defined to indicate whether the data carried by the GTP-UPDU is protected for integrity, etc.

[0177] Information indication method 4 defines the type of one or more GTP-U header extension headers, and indicates the processing of the data carried by the GTP-U PDU through the type of extension header.

[0178] In an exemplary embodiment, the value of Extension Header Type can be defined as N1, N2, N3, N4, etc. The correspondence between extension header types and processing methods is defined as follows:

[0179] Extension Header Type = N1 means that the data carried by the GTP-U PDU will not be encrypted;

[0180] Extension Header Type = N2 indicates that no integrity protection is provided for the data carried by the GTP-U PDU;

[0181] Extension Header Type = N3 indicates that the IP header of the data carried by the GTP-U PDU is encrypted;

[0182] Extension Header Type = N4 indicates that the IP header of the data carried by the GTP-U PDU is protected for integrity.

[0183] In an exemplary embodiment, it can be agreed through the protocol that when the value of Next Extension Header Type in the GTP-U header is one of the values ​​defined above, there is no extension header following it, that is, the payload of GTP-U is immediately followed.

[0184] In the above embodiments, the first network element can be a core network element or an access network element, and the second network element can be an access network element.

[0185] The embodiments described above provide a method for indicating whether to perform security encryption or integrity protection on the user data carried in a PDU. This method, based on traditional PDU session-level security processing instructions, implements different processing requirements for certain user data. For example, if a PDU session is configured to require encryption and integrity protection, but a portion of the data is indicated as not requiring encryption, the second network element can perform different security processing on this portion of data compared to other PDU session data.

[0186] Example 2

[0187] This embodiment provides a data processing method and information indication method applicable between network elements, especially between core network elements and wireless network access network elements, and between wireless network access network elements.

[0188] The data processing method includes: a first network element sending user data to a second network element. The first network element, in its Protocol Data Unit (PDU) carrying the user data, indicates the data type carried by the PDU, or a mark (MARK) for the data carried by the PDU, or a processing type for the data carried by the PDU, or a QoS flow identifier or a QoS sub-flow identifier. The second network element determines the corresponding processing information based on the indicated data type, mark, or processing type, or the QoS flow identifier or QoS sub-flow identifier, and performs corresponding processing on the received user data.

[0189] The data type, tag or processing type, and the processing information corresponding to the identifier of the QoS flow or the identifier of the QoS sub-flow can be agreed upon by the protocol or indicated in the control plane message sent from the first network element to the second network element.

[0190] The information processed may include one or more of the following combinations:

[0191] Should only part of the data be encrypted, for example, the IP header?

[0192] Should integrity protection be applied only to a portion of the data, for example, the IP header?

[0193] Is the data encrypted?

[0194] Whether data integrity protection is implemented;

[0195] Has the data been encrypted? For example, has the data been encrypted at the application layer?

[0196] Whether to follow the processing method configured at the session, QoS flow, or QoS sub-flow level.

[0197] In this embodiment, if the first network element indicates the data type, tag, processing type, QoS flow, and QoS sub-flow corresponding to the processing in the control plane message sent to the second network element, this indication may be at the PDU session level, the QoS flow level, or the QoS sub-flow level.

[0198] The PDU session provides association for PDU connection services between the UE and the data network. A PDU session contains one or more QoS flows, a QoS flow contains one or more QoS sub-flows, and a QoS flow or QoS sub-flow contains one or more user data packets (i.e., protocol data units). For PDUs belonging to the same QoS flow or QoS sub-flow, the radio access network can use the same processing strategy.

[0199] In this embodiment, for different PDU sessions, QoS flows, or QoS sub-flows, the first network element may instruct the same data type, tag, or processing type to be mapped to different processing information.

[0200] In this embodiment of the disclosure, the PDU includes a PDU of the GTP-U protocol, and the method of indicating the processing information in the GTP-U PDU includes the following methods.

[0201] Information indication method 1 uses one or more bits in the GTP-U header to indicate the data type, tag, processing type, or QoS flow / QoS sub-flow carried by the GTP-U PDU.

[0202] In an exemplary embodiment, the idle bit in the conventional version can be used, for example, the fourth bit of the first octet in the GTP-U header. As shown in Figure 10, the fourth bit in the first octet of the GTP-U header can be defined as the C field, and the C field can be defined to indicate the data type, tag, or processing type of the user data carried by the GTP-U PDU, or the identifier of the QoS flow / QoS sub-flow.

[0203] Information indication method 2 defines GTP-U message type, which indicates the data type, tag or processing type of the user data carried by the GTP-U PDU, or the QoS flow / QoS sub-flow to which the user data carried by the GTP-U PDU belongs in the extension header.

[0204] In an exemplary embodiment, Message Type = T1 is defined to represent that the data type, tag, or processing type carried by the GTP-U PDU is TT1; Message Type = T2 is defined to represent that the data type, tag, or processing type carried by the GTP-U PDU is TT2, and so on.

[0205] Information indication method 3 defines an extension header type for a GTP-U header, and defines that the extension header of this type contains the data type, tag, and processing type of the user data carried by the GTP-U PDU, or the extension header contains the identifier of the QoS flow or QoS sub-flow to which the user data carried by the GTP-U PDU belongs.

[0206] Figure 13 is a schematic diagram (iii) of the information indication method according to an embodiment of the present disclosure. As shown in Figure 13, the type of the GTP-U header extension header can be defined as N, that is, the value of the Next Extension Header Type field in the GTP-U header is N, and the extension header of type N will carry data processing-related indication information such as data type, tag, processing type, QoS flow identifier or QoS sub-flow identifier.

[0207] Figure 14 is a schematic diagram of relevant information indicating processing information through the extension header content field according to an embodiment of the present disclosure. As shown in Figure 14, a C / I field containing one or more bits can be defined in the extension header content field. The value of the defined C / I field can represent data type, tag, processing type, QoS flow identifier or QoS sub-flow identifier, etc.

[0208] Information indication method 4 defines the type of one or more extended headers of GTP-U headers, which are used to indicate the data type, tag, processing type, etc. of the user data carried by the GTP-U PDU.

[0209] In an exemplary embodiment, the value of the Extension Header Type can be defined as N1, representing that the data type, tag, and processing type of the user data carried by the GTP-U PDU is TT2, and so on.

[0210] In an exemplary embodiment, it can be agreed through the protocol that when the value indicating the Next Extension Header Type in the GTP-U header is one of the values ​​defined above, there is no extension header following it, that is, the payload of GTP-U is immediately followed.

[0211] Through the embodiments of this disclosure, the data type, PDU marking, processing type, QoS flow identifier, or QoS sub-flow identifier can be indicated in the PDU header. The mapping relationship between processing information and data type, marking or processing type, QoS flow identifier, or QoS sub-flow identifier can be agreed upon through a protocol or indicated in the control plane message. This approach allows for flexible interpretation of the information indicated in the PDU header. The indications in the PDU header do not need to change with changes in the processing method.

[0212] In this embodiment of the disclosure, the method in Embodiment 2 can also achieve the effect of performing different processing on some data based on the security processing configuration at the PDU session level, QoS flow level, and QoS sub-flow level.

[0213] Example 3

[0214] This embodiment provides a data processing method and information indication method applied between a wireless network access network element (or base station) and a user equipment (UE).

[0215] Figure 15 is a schematic diagram of the user plane protocol stack between the access network element and the user equipment according to an embodiment of the present disclosure. As shown in Figure 15, the user plane protocol stack includes the following structure:

[0216] The system consists of the Physical (PHY) layer, the Medium Access Control (MAC) layer, the Radio Link Control (RLC) layer, the Packet Data Convergence Protocol (PDCP) layer, and the Service Data Adaptation Protocol (SDAP) layer.

[0217] Each layer in the user plane protocol stack defines the format of Protocol Data Units (PDUs) to carry user data. For example, SDAP PDU, PDCP PDU, RLC PDU, and MAC PDU are the protocol data units of the SDAP layer, PDCP layer, RLC layer, and MAC layer, respectively.

[0218] In the NR system, data encryption and integrity protection are performed at the PDCP layer.

[0219] In traditional wireless communication, access network elements (such as base stations) can configure data security processing methods through RRC messages. For example, in NR, the base station uses RRC messages to indicate whether a DRB should be encrypted and whether integrity protection should be performed. When transmitting data, the UE and the base station process each data packet according to the security processing configured in the RRC.

[0220] According to the data processing method and information indication method in the embodiments of this disclosure, the data sending end can perform security processing on user data as needed and indicate the security processing status of the user data in the Protocol Data Unit (PDU). The data receiving end can process the data accordingly based on the security processing status indicated in the PDU.

[0221] In this embodiment, the data sender can be an access network element or a UE, and the data receiver can be a UE or an access network element.

[0222] In this embodiment, the corresponding processing includes: if the sending end indicates that the data has been encrypted, the receiving end performs corresponding deciphering. If the sending end indicates that the data has been protected for integrity, the receiving end performs corresponding integrity verification.

[0223] In this embodiment of the disclosure, the PDU includes SDAP PDU, PDCP PDU, RLC PDU, MAC PDU, etc., and the method of indicating the processing information in the PDU includes the following methods.

[0224] Information indication method 1 indicates the processing information of the user data carried by the PDU in the PDU header.

[0225] In this embodiment, one or more fields can be defined in the PDU header to indicate the processing of the carried data. The data sender indicates the processing information (e.g., security processing status) of the user data in the PDU header, and the data receiver processes the received user data accordingly based on the processing information contained in the PDU header.

[0226] The processing information indicated in the PDU header may include one of the following:

[0227] Has the data carried by the PDU been encrypted?

[0228] Has the data carried by the PDU undergone complete line protection processing?

[0229] Does the data carried by the PDU only undergo partial encryption, such as encrypting only the IP header?

[0230] Does the data carried by the PDU only undergo partial integrity protection, such as only protecting the IP header line by line?

[0231] Whether the data carried by the PDU uses the processing method configured in the DRB, PDU session, QoS flow, or QoS sub-flow.

[0232] Figure 16 is a schematic diagram (a) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure. As shown in Figure 16, a C field can be defined in the PDU header to indicate whether the data carried by the PDU has been encrypted, and / or an I field can be defined to indicate whether the data carried by the PDU has been protected for integrity.

[0233] In other embodiments, a C field can also be defined to indicate whether the data carried by the PDU is security-processed according to the DRB's configuration. For example, when the DRB is configured to encrypt data, a C field value of 0 indicates that the DRB configuration is used, i.e., the data has been encrypted; a C field value of 1 indicates that the DRB configuration is not used, i.e., the data has not been encrypted. For example, when the DRB is configured not to encrypt, a C field value of 0 indicates that the carried data is not encrypted; a C field value of 1 indicates that the carried data has been encrypted.

[0234] Figure 17 is a schematic diagram (II) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure. As shown in Figure 17, a C / I field consisting of multiple bits can be defined in the PDU header. The value of the C / I field represents a combination of a set of processing information.

[0235] In one exemplary embodiment, a C / I value of 0 indicates that no encryption or integrity protection is performed; a C / I value of 1 indicates that only integrity protection is performed, without encryption; a C / I value of 2 indicates that only encryption is performed, without integrity protection; and a C / I value of 3 indicates that both encryption and integrity protection are performed.

[0236] Information indication method 2: The data sender indicates the data type or processing type, or the identifier of the QoS flow or the identifier of the QoS sub-flow in the PDU header.

[0237] In this embodiment, the access network element can indicate, through signaling or by protocol agreement, the data type, processing type, and processing information (e.g., security processing status) corresponding to the QoS flow or QoS sub-flow.

[0238] The receiving end receives the data and determines the corresponding processing information based on the data type or processing type, or the identifier of the QoS flow or the identifier of the QoS sub-flow, and then processes the data accordingly based on the processing information.

[0239] The processing method indicated by the processing information includes one or more of the following:

[0240] The data carried by the PDU has been / has not been encrypted;

[0241] The data carried by the PDU has / has not undergone integrity protection.

[0242] The data carried by the PDU is only partially encrypted; for example, only the IP header is encrypted.

[0243] The data carried by the PDU is only partially protected for integrity; for example, only the IP header is protected for full line coverage.

[0244] In some embodiments, the access network element can also indicate the length of the data to be encrypted or protected for integrity when partially encrypting or protecting the data carried by the PDU via signaling. This allows the receiving end to decrypt or verify the integrity of the received data based on this data length, thereby improving data processing efficiency.

[0245] In some embodiments, a value corresponding to a default process (i.e., default handling) can be defined in the definition of a data type or processing type. The default process can be a processing method indicated by the access network through signaling or defined by a protocol. The default process can be set for a PDU session, a QoS flow, a QoS sub-flow, or a DRB. For example, for a DRB, the access network device can configure whether data is encrypted and whether integrity protection is performed through RRC messages. The default process for this DRB refers to the processing method configured for this DRB through RRC messages.

[0246] In some embodiments, if the access network element does not indicate the processing method corresponding to the data type or processing type of a specific PDU session, QoS flow, QoS sub-flow, or DRB through signaling, it is assumed that the default processing is the processing of all data of that PDU session, QoS flow, QoS sub-flow, or DRB.

[0247] Figure 18 is a schematic diagram (iii) of the PDU header of the PDCP PDU according to an embodiment of the present disclosure. As shown in Figure 18, a type field consisting of multiple bits can be defined in the PDU header. The type is used to indicate the data type or processing type. Alternatively, an identifier field (ID) can be defined in the PDU header to indicate the identifier of the QoS flow to which the PDU belongs or the identifier of the QoS sub-flow.

[0248] In an exemplary embodiment, a Type value of 0 indicates default processing. The default processing configured by the access network element via RRC messages is: data encryption and integrity protection. A Type value of 1 indicates that the processing type or data type is 1. The access network element instructs the UE via signaling that the processing method corresponding to type 1 is: no data encryption, but data integrity protection. Therefore, the data carried by a PDCP PDU with a Type value of 1 is not encrypted, but integrity protection has been performed. In this case, the receiving end does not need to decrypt the data, but needs to verify its integrity.

[0249] In this embodiment, information indication method 2 offers greater flexibility than information indication method 1. While the information indicated in the PDU remains unchanged, the access network element can define the specific processing corresponding to a data type. This avoids fixing the encoding of processing in the protocol, facilitating the addition of data processing types in subsequent protocol versions without modifying the PDU format. Even if the processing corresponding to a data type or processing type is agreed upon through the protocol, it still offers the following flexibility: one type can correspond to a combination of multiple processing methods; for example, type 1 corresponds to no encryption but integrity protection. This helps reduce the signaling overhead associated with indicating multiple processing combinations in the PDU header.

[0250] The above examples of embodiments of this disclosure are based on the PDCP PDU header, but are equally applicable to SDAP PDU header, RLC PDU header, or MAC PDU header.

[0251] Using the methods in this disclosure, access network elements and UEs can perform encryption or integrity protection processing on data in a single PDU, different from the default processing method, as needed. For example, the default security processing method is encryption and integrity protection, but for some data that does not require encryption, the access network elements and UEs can indicate a specific processing method different from the default method in the PDU. This allows the receiver to correctly process the received data while saving processing resources.

[0252] In this embodiment, the core network differs from the access network in that multiple QoS flows may belong to the same DRB. Therefore, even if the core network can instruct access network elements on security processing according to QoS flows or QoS sub-flows, a mechanism is still needed to identify which data is securely encrypted and which is not at the radio interface. This embodiment provides such a method.

[0253] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods according to the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk), and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the various embodiments of this disclosure.

[0254] Embodiments of this disclosure also provide a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps in any of the above method embodiments.

[0255] In one exemplary embodiment, the aforementioned computer-readable storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard disk, magnetic disk, or optical disk.

[0256] Embodiments of this disclosure also provide an electronic device including a memory and a processor, the memory storing a computer program and the processor being configured to run the computer program to perform the steps in any of the above method embodiments.

[0257] In one exemplary embodiment, the electronic device may further include a transmission device and an input / output device, wherein the transmission device is connected to the processor and the input / output device is connected to the processor.

[0258] Embodiments of this disclosure also provide a computer program product, including a computer program that, when executed by a processor, implements the steps in any of the method embodiments described above.

[0259] Specific examples in this embodiment can be found in the examples described in the above embodiments and exemplary implementations, and will not be repeated here.

[0260] It is obvious to those skilled in the art that the modules or steps of this disclosure described above can be implemented using general-purpose computing devices. They can be centralized on a single computing device or distributed across a network of multiple computing devices. They can be implemented using computer-executable program code, and thus can be stored in a storage device for execution by a computing device. In some cases, the steps shown or described can be performed in a different order than those presented herein, or they can be fabricated as separate integrated circuit modules, or multiple modules or steps can be fabricated as a single integrated circuit module. Thus, this disclosure is not limited to any particular combination of hardware and software.

[0261] The above description is merely an exemplary embodiment of this disclosure and is not intended to limit this disclosure. Various modifications and variations can be made to this disclosure by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the principles of this disclosure should be included within the scope of protection of this disclosure.

Claims

1. A data processing method, comprising: The first network device acquires user data and determines first information related to the processing of the user data; The first network device sends a protocol data unit carrying the user data to the second network device, wherein the first network device instructs the first information through the protocol data unit so that the second network device processes the user data according to the first information.

2. The method according to claim 1, wherein, The first information includes one of the following: The processing information of the user data; The data type of the user data, wherein the data type corresponds to the processing information; The user data is labeled, wherein the label corresponds to the processing information; The processing type of the user data, wherein the processing type corresponds to the processing information; The identifier of the QoS flow or QoS sub-flow to which the user data belongs, wherein the identifier of the QoS flow or QoS sub-flow corresponds to the processing information.

3. The method according to claim 2, wherein, In response to the first network device being a core network device, the processing information includes the security processing requirements for the user data; In response to the first network device being an access network device or a user equipment, the processing information includes the security processing status of the user data.

4. The method according to claim 3, wherein, The security processing requirements for the user data include at least one of the following: Does the second network device need to encrypt a portion of the user data? Does the second network device need to perform integrity protection on a portion of the user data? Does the second network device need to encrypt the user data? Does the second network device need to protect the integrity of the user data? Is the user data encrypted? Whether the second network device needs to process the user data using the processing method configured in the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the data radio bearer DRB.

5. The method according to claim 3, wherein, The secure processing status of the user data includes at least one of the following: Has the first network device already encrypted a portion of the user data? Whether the first network device has already performed integrity protection on a portion of the user data; Has the first network device encrypted the user data? Has the first network device already performed integrity protection on the user data? Whether the first network device has already processed the user data using the processing method configured in the session, QoS flow, QoS sub-flow, or DRB where the protocol data unit is located.

6. The method according to claim 5, wherein, The method further includes at least one of the following: In response to the fact that the first network device is the access network device and the processing information includes that the first network device has encrypted a portion of the user data, the first network device sends a first signaling to the second network device, wherein the first signaling carries the data length of the encrypted portion of the data; In response to the first network device being the access network device and the processing information including that the first network device has performed integrity protection on a portion of the user data, the first network device sends a second signaling message to the second network device, wherein the second signaling message carries the data length of the portion of data that has been integrity protected.

7. The method according to claim 2, wherein, The method further includes: The first network device and the second network device agree on the processing information corresponding to the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow through a protocol; or, the first network device sends a control plane message or control signaling to the second network device, wherein the control plane message or control signaling is used to indicate the processing information corresponding to the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow.

8. The method according to claim 7, wherein, The processing information corresponding to the data type, the tag, or the processing type is configured for a specified session, a specified QoS flow, a specified QoS sub-flow, or a specified DRB.

9. The method according to claim 2, wherein, The protocol data unit includes a GPRS tunneling protocol user plane protocol data unit (GTP-U PDU), wherein the indication method of the first information includes at least one of the following: The first information is indicated by one or more bits in the GTP-U header of the GTP-U PDU; The first information is indicated by the message type in the GTP-U PDU; The first information is indicated by the extension header in the GTP-U PDU, wherein the extension header type of the extension header is a preset type, and the first information is located in the extension header content field of the extension header; The first information is indicated by one or more extended header types in the GTP-U PDU.

10. The method according to claim 9, wherein, The first information is configured for a specific Quality of Service (QoS) flow or a specific QoS sub-flow, wherein the indication method for the specific QoS flow or the specific QoS sub-flow includes at least one of the following: The identifier of the specific QoS flow or the identifier of the specific QoS sub-flow is indicated by one or more bits in the GTP-U header; The extension header indicates the identifier of the specific QoS flow or the identifier of the specific QoS sub-flow, wherein the extension header type is the preset type, and the first information is located in the extension header content field of the extension header.

11. The method according to claim 2, wherein, The protocol data unit includes a Packet Data Convergence Protocol Data Unit (PDCP PDU), a Radio Link Control Protocol Data Unit (RLC PDU), or a Media Access Control Protocol Data Unit (MAC PDU), wherein the indication method of the first information includes: The first information is indicated by one or more fields in the protocol data unit header of the PDCP PDU, the RLC PDU, or the MAC PDU.

12. A data processing method, comprising: The second network device receives a protocol data unit carrying user data from the first network device, wherein the first network device indicates first information related to the processing of the user data through the protocol data unit; The second network device determines the user data and the first information based on the protocol data unit; The second network device processes the user data based on the first information.

13. The method according to claim 12, wherein, The first information includes one of the following: The processing information of the user data; The data type of the user data, wherein the data type corresponds to the processing information; The user data is labeled, wherein the label corresponds to the processing information; The processing type of the user data, wherein the processing type corresponds to the processing information; The identifier of the QoS flow or QoS sub-flow to which the user data belongs, wherein the identifier of the QoS flow or QoS sub-flow corresponds to the processing information.

14. The method according to claim 13, wherein, The second network device processes the user data based on the first information, including: In response to the first information including the processing information, the second network device processes the user data according to the processing information; or, In response to the first information including the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow, the second network device determines the corresponding processing information based on the data type, the tag, the processing type, the identifier of the QoS flow, or the identifier of the QoS sub-flow, and the second network device processes the user data based on the processing information.

15. The method according to claim 14, wherein, In response to the first network device being a core network device, the processing information includes the security processing requirements of the user data, wherein the second network device processes the user data according to the processing information, including at least one of the following: The second network device encrypts a portion of the user data according to the security processing requirements; The second network device performs integrity protection on a portion of the user data according to the security processing requirements; The second network device encrypts the user data according to the security processing requirements; The second network device performs integrity protection on the user data according to the security processing requirements; The second network device does not encrypt the user data according to the security processing requirements; The second network device processes the user data according to the security processing requirements using the processing method configured in the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the data radio bearer (DRB).

16. The method of claim 14, wherein, In response to the first network device being an access network device or a user equipment, the processing information includes the security processing status of the user data, wherein the second network device processes the user data according to the processing information, including at least one of the following: The second network device decrypts a portion of the user data based on the security processing status. The second network device performs integrity verification on a portion of the user data based on the security processing status; The second network device decrypts the user data according to the security processing status; The second network device performs integrity verification on the user data based on the security processing status; The second network device processes the user data according to the security processing status using the processing method configured in the session where the protocol data unit is located, the QoS flow, the QoS sub-flow, or the data radio bearer (DRB).

17. A communication system, comprising: A first network device and a second network device, wherein the first network device is configured to send a protocol data unit carrying user data to the second network device, wherein the first network device indicates first information related to the processing of the user data through the protocol data unit; The second network device is configured to receive the protocol data unit from the first network device, determine the user data and the first information based on the protocol data unit, and process the user data based on the first information.

18. A computer-readable storage medium, wherein, The storage medium stores a computer program, wherein when the computer program is executed by a processor, it implements the steps of the method described in any one of claims 1 to 11, or implements the steps of the method described in any one of claims 12 to 16.

19. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein, When the processor executes the computer program, it implements the steps of the method described in any one of claims 1 to 11, or the steps of the method described in any one of claims 12 to 16.

20. A computer program product comprising a computer program, wherein, When the computer program is executed by a processor, it implements the steps of the method described in any one of claims 1 to 11, or the steps of the method described in any one of claims 12 to 16.