Communication method and device

Document number: 1850116 Publication date: 2021-11-16

Reading note: this technology, 一种通信方法及装置 (Communication method and device), was designed and created by 胡力, 李�赫, 郭龙华, 雷骜 and 吴�荣 on 2020-04-30. Its main content is as follows: a communication method and device are provided to solve the problem in the prior art that data transmission between a UE and the network side cannot take both timeliness and security into account. The method includes obtaining the required rate of a first user plane resource that the UE requests to establish, the remaining rate of the UE, and the user plane security policy of the first user plane resource requested to be established; and determining, according to the required rate, the remaining rate and the user plane security policy, whether to start user plane integrity protection of the first user plane resource. The remaining rate is determined from the used rate of a second user plane resource already established by the UE and the maximum integrity protection rate of the UE after it starts user plane integrity protection; the user plane security policy comprises user plane integrity protection on, optionally on, or off. The condition for starting user plane integrity protection of the first user plane resource can thus be determined more precisely, so that the timeliness and security of the UE's data transmission are ensured as far as possible.

1. A method of communication, comprising:

acquiring a required rate, a residual rate and a user plane security policy of a first terminal device, wherein the required rate is used for indicating a rate required by a first user plane resource requested to be established by the first terminal device, the residual rate is determined according to a used rate of the first terminal device and a maximum integrity protection rate of the first terminal device, the used rate is used for indicating a rate used by a second user plane resource established by the first terminal device, and the maximum integrity protection rate is used for indicating a maximum rate after the first terminal device starts user plane integrity protection; the user plane security policy comprises user plane integrity protection starting, user plane integrity protection optional starting or user plane integrity protection closing;

and determining whether to start user plane integrity protection of the first user plane resource according to the required rate, the residual rate and the user plane security policy.

2. The method of claim 1, wherein the second user plane resource comprises, among the user plane resources already established by the first terminal device, the user plane resource for which user plane integrity protection has been started.

3. The method of claim 1 or 2, wherein the method further comprises:

determining the used rate of the first terminal device according to a rate parameter; wherein the rate parameter comprises any one or any combination of:

a maximum bit rate of PDU session aggregation of the second user plane resource;

an aggregated maximum bit rate of the terminal device for the first terminal device;

a maximum flow bit rate of a Guaranteed Bit Rate (GBR) quality of service (QoS) flow of the second user plane resource;

a guaranteed bit rate of a GBR QoS flow of the second user plane resource; and

a real-time rate of the second user plane resource.

4. The method of claim 3, wherein said determining the used rate of the first terminal device from the rate parameter comprises:

determining the sum of the aggregate maximum bit rate of all the PDU sessions and the maximum flow bit rate of all the GBR QoS flows as the used rate; or,

determining the sum of the aggregated maximum bit rate of the terminal device and the maximum flow bit rate of all the GBR QoS flows as the used rate.

5. The method of claim 3, wherein said determining the used rate of the first terminal device from the rate parameter comprises:

determining the sum of the guaranteed bit rates of all the GBR QoS flows as the used rate.

6. The method of claim 3, wherein said determining the used rate of the first terminal device from the rate parameter comprises:

determining the sum of the aggregate maximum bit rate of all the PDU sessions and the guaranteed bit rate of all the GBR QoS flows as the used rate.

7. The method according to any one of claims 1 to 6, wherein in case that the user plane security policy includes user plane integrity protection on or optional on, the determining whether to turn on user plane integrity protection of the first user plane resource according to the required rate, the remaining rate and the user plane security policy comprises:

if the remaining rate is greater than or equal to the required rate, sending first indication information to the first terminal device, wherein the first indication information is used for indicating that the user plane integrity protection of the first user plane resource is started.

8. The method of any one of claims 1 to 6, wherein, in a case that the user plane security policy includes user plane integrity protection activation, the determining whether to activate user plane integrity protection according to the required rate, the remaining rate, and the user plane security policy comprises:

if the remaining rate is less than the required rate, acquiring a third user plane resource, wherein the user plane security policy of the third user plane resource is that user plane integrity protection is optionally started, the third user plane resource has already started user plane integrity protection, and the used rate of the third user plane resource is greater than or equal to the difference between the required rate and the remaining rate; and sending second indication information to the first terminal device, wherein the second indication information is used for indicating that the user plane integrity protection of the first user plane resource is started and that the user plane integrity protection of the third user plane resource is not started.

9. The method of any one of claims 1 to 6, wherein in the case that the user plane security policy includes user plane integrity protection optional turn-on, the determining whether to turn on user plane integrity protection according to the required rate, the remaining rate, and the user plane security policy comprises:

if the remaining rate is less than the required rate, sending third indication information to the first terminal device, wherein the third indication information is used for indicating that the user plane integrity protection of the first user plane resource is not started.

10. The method of any of claims 1 to 9, wherein the method is applied to a radio access network device;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

receiving a required rate of the first terminal device, the maximum integrity protection rate and the user plane security policy from a session management function network element; the session management function network element obtains the required rate of the first terminal device from a policy control function network element, and obtains the maximum integrity protection rate from the first terminal device;

obtaining the used rate from the context of the first terminal device;

determining the remaining rate based on the maximum integrity protected rate and the used rate.

11. The method of claim 10, wherein the method is applied to the dual-connected master node;

the method further comprises the following steps:

sending fourth indication information to the dual-connected secondary node, wherein the fourth indication information is used by the secondary node to determine whether to start user plane integrity protection.

12. The method according to any of claims 1 to 9, wherein the method is applied to a radio access network device in a handover procedure;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

receiving a handover request message from a source radio access network device, the handover request message including a required rate of the first terminal device, the user plane security policy, the maximum integrity protection rate, and the used rate;

determining the remaining rate based on the maximum integrity protected rate and the used rate.

13. The method according to any of claims 1 to 9, wherein the method is applied to a radio access network device in a radio resource control, RRC, connection recovery procedure;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

obtaining a context response message of the first terminal device from a target radio access network device, wherein the context response message of the first terminal device comprises the required rate of the first terminal device, the user plane security policy, the maximum integrity protection rate and the used rate;

determining the remaining rate based on the maximum integrity protected rate and the used rate.

14. The method according to any of claims 1 to 9, wherein the method is applied to a dual-connected secondary node;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

receiving the required rate, the maximum integrity protection rate, the used rate and the user plane security policy sent from the dual-connected master node;

determining the remaining rate based on the maximum integrity protected rate and the used rate.

15. The method of any of claims 10 to 14, wherein said determining the remaining rate based on the maximum integrity protected rate and the used rate comprises:

determining a difference between the maximum integrity-protected rate and the used rate as the remaining rate.

16. The method according to any of claims 1 to 9, wherein the method is applied to a dual-connected secondary node;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

receiving the required rate, the remaining rate, and the user plane security policy from a master node.

17. The method of any of claims 14 to 16, further comprising:

sending the rate used for starting the user plane integrity protection of the first user plane resource to the dual-connected master node.

18. The method according to any of claims 1 to 9, characterized in that the method is applied to a second terminal device;

the acquiring of the required rate, the remaining rate and the user plane security policy of the first terminal device includes:

receiving the remaining rate and the user plane security policy from the first terminal device;

obtaining the required rate from the context of the first terminal device.

19. A communications apparatus, comprising means for performing the method of any of claims 1-18.

20. A communications device comprising a processor and a transceiver, the transceiver being configured to receive signals from, or transmit signals to, a communications device other than this communications device, and the processor being configured, by logic circuitry or by executing code instructions, to perform the method of any of claims 1 to 18.

Technical Field

The present application relates to the field of communications technologies, and in particular, to a communication method and apparatus.

Background

With the development of communication technology, security issues in communication networks, such as interception, tampering or forgery of communication content, are receiving more and more attention. To address these issues, communication networks provide protection mechanisms for privacy, integrity and the like. In fifth Generation (5th-Generation, 5G) networks, security features for user plane integrity protection are introduced to meet security requirements.

Currently, a Radio Access Network (RAN) determines whether to start user plane integrity protection according to the maximum integrity protection rate reported by the User Equipment (UE), and that reported rate currently takes only two values: 64 kilobits per second (kbps) and full data rate. When the UE reports 64 kbps, the rate is so small that data transmission between the UE and the RAN essentially cannot enable user plane integrity protection, so the security of the transmitted data cannot be guaranteed; when the UE's maximum integrity protection rate is full data rate, the UE and the network side may always start user plane integrity protection for data transmission, and this unregulated activation may cause abnormal UE performance, so that the timeliness of data transmission may not meet requirements.

In summary, how to ensure the security of data transmission between the UE and the network side and also consider the communication service requirement of the UE is an urgent technical problem to be solved.

Disclosure of Invention

The application provides a communication method and device, which are used for ensuring the security of data transmission between a UE and the network side while also taking the communication service requirements of the UE into account.

In a first aspect, the present application provides a communication method, including obtaining a required rate, a remaining rate, and a user plane security policy of a first terminal device; determining whether to start user plane integrity protection of the first user plane resource according to the required rate, the residual rate and the user plane security policy; the required rate is used for indicating the rate required by the first user plane resource requested to be established by the first terminal device, the remaining rate is determined according to the used rate of the first terminal device and the maximum integrity protection rate of the first terminal device, the used rate is used for indicating the rate used by the second user plane resource established by the first terminal device, and the maximum integrity protection rate is used for indicating the maximum rate after the first terminal device starts user plane integrity protection; the user plane security policy comprises user plane integrity protection on, user plane integrity protection optional on or user plane integrity protection off.

Based on this scheme, whether the user plane integrity protection of the first user plane resource is started is decided according to the required rate and the remaining rate of the first user plane resource to be established (the latter derived from the maximum integrity protection rate), so the condition for starting user plane integrity protection of the first user plane resource can be determined accurately, and the timeliness and security of the terminal device's transmitted data can be ensured as much as possible. That is, user plane integrity protection between the terminal device and the network side can be started as required according to the capability of the UE. This helps avoid two problems: that the security of transmitted data cannot be guaranteed because user plane integrity protection between the terminal device and the network side is always off when the maximum integrity protection rate of the terminal device is 64 kbps, and that user plane integrity protection is always on when the maximum integrity protection rate of the terminal device is full data rate, which causes abnormal performance of the terminal device.

In a possible implementation manner, the second user plane resource includes a user plane resource for starting user plane integrity protection in the user plane resources established by the first terminal device.

The remaining rate of the first terminal device can be determined accurately by determining the used rate of the second user plane resource, i.e. of those established user plane resources that have started user plane integrity protection.

In one possible implementation, the used rate of the first terminal device may be determined according to a rate parameter; the rate parameter includes any one or any combination of: (a) a maximum bit rate of Protocol Data Unit (PDU) session aggregation of the second user plane resource; (b) an aggregated maximum bit rate of the terminal device for the first terminal device; (c) a maximum flow bit rate of a Guaranteed Bit Rate (GBR) quality of service (QoS) flow of the second user plane resource; (d) a guaranteed bit rate of a GBR QoS flow of the second user plane resource; (e) a real-time rate of the second user plane resource.

Four possible implementations for determining the used rate are described below.

Implementation one: the maximum value of the used rate.

In one possible implementation, the sum of the aggregate maximum bit rate of all PDU sessions and the maximum flow bit rate of all GBR QoS flows is determined as the used rate; or, the sum of the aggregated maximum bit rate of the terminal device and the maximum flow bit rate of all GBR QoS flows is determined as the used rate.

With the first implementation described above, the used rate is obtained on the assumption that all second user plane resources transmit data at their maximum bit rate. The remaining rate then represents the terminal's capability to transmit data under the limiting condition, so that the timeliness of the first terminal device's data transmission can be guaranteed as much as possible. That is, the first implementation decides whether to start user plane integrity protection of the first user plane resource from the perspective of the service availability of the first terminal device.

Implementation two: the minimum value of the used rate.

In one possible implementation, the sum of the guaranteed bit rates of all GBR QoS flows is determined as the used rate.

With the second implementation described above, the used rate is obtained on the assumption that all second user plane resources transmit data at their minimum bit rate, so the security of the first terminal device's data transmission can be guaranteed as far as possible. That is, the second implementation decides whether to start user plane integrity protection of the first user plane resource from the perspective of the security of the first terminal device's data transmission.

Implementation three: the used rate lies between the maximum value determined in implementation one and the minimum value determined in implementation two.

In one possible implementation, the sum of the aggregate maximum bit rate of all PDU sessions and the guaranteed bit rate of all GBR QoS flows is determined as the used rate.

With implementation three described above, the used rate is obtained on the assumption that the second user plane resources transmit data at an intermediate rate. The remaining rate then represents a combined rate of the first terminal device, so that both the availability of the first terminal device's communication service and the security of the data transmitted between the first terminal device and the network can be guaranteed as much as possible.

Implementation four: the real-time rate of the second user plane resource, monitored in real time.

In a possible implementation manner, the sum of the monitored real-time rates of all second user plane resources is determined as the used rate of the first terminal device.

With the fourth implementation described above, the used rate is obtained on the assumption that the second user plane resources transmit data at their real-time rate. The remaining rate therefore represents the actual rate of the terminal, that is, the decision on whether to start user plane integrity protection is based on the most accurate data, so that both the availability or timeliness and the security of the first terminal device's data transmission can be guaranteed as much as possible.

In a possible implementation manner, under the condition that the user plane security policy includes user plane integrity protection opening or optional opening, if the remaining rate is greater than or equal to the required rate, first indication information is sent to the first terminal device, where the first indication information is used to indicate opening of user plane integrity protection of the first user plane resource.

By this communication method, the security of the first terminal device's data transmission can be guaranteed, and timely data transmission of the communication service can be guaranteed as well.

In a possible implementation manner, under the condition that the user plane security policy includes user plane integrity protection opening, if the remaining rate is less than the required rate, obtaining a third user plane resource, the user plane security policy of the third user plane resource being that the user plane integrity protection is optionally opened, and the third user plane resource has already opened the user plane integrity protection, and the used rate of the third user plane resource is greater than or equal to the difference between the required rate and the remaining rate, sending second indication information to the first terminal device, where the second indication information is used to indicate to open the user plane integrity protection of the first user plane resource and is used to indicate not to open the user plane integrity protection of the third user plane resource.

By this communication method, the security of the data corresponding to the first user plane resource, which needs to start user plane integrity protection, can be ensured; that is, the security of the first terminal device's data transmission is protected as much as possible, while timely data transmission of the communication service can still be ensured.

In a possible implementation manner, under the condition that the user plane security policy includes that user plane integrity protection is optionally enabled, if the remaining rate is less than the required rate, third indication information is sent to the first terminal, where the third indication is used to indicate that user plane integrity protection of the first user plane resource is not enabled.

By this communication method, timely transmission of the first terminal device's communication service data can be ensured as much as possible.
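To make the four used-rate implementations and the three indication rules above concrete, here is an added Python example; it is not code from the application or its applicant. The UE's maximum integrity protection rate, the resource names and all rates are constructed sample values, and because the text above does not say what happens when no suitable third user plane resource exists, the example raises in that case (an assumption of this example only).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class UpIpPolicy(Enum):
    """User plane security policy of a user plane resource (UP IP = user plane integrity protection)."""
    REQUIRED = "required"      # UP IP on
    PREFERRED = "preferred"    # UP IP optionally on
    NOT_NEEDED = "not_needed"  # UP IP off


@dataclass
class UserPlaneResource:
    """One established user plane resource of the UE; all rates in kbps (constructed values)."""
    name: str
    policy: UpIpPolicy
    ip_enabled: bool
    session_ambr: float                                   # PDU session aggregate maximum bit rate
    gbr_flows: List[Tuple[float, float]] = field(default_factory=list)  # (MFBR, GBR) per GBR QoS flow
    realtime: float = 0.0                                 # monitored real-time rate


def resource_rate(res: UserPlaneResource, method: str) -> float:
    """Rate attributed to one resource under each of the four 'used rate' implementations."""
    if method == "max":       # implementation one: session-AMBR + MFBR of the GBR flows (upper bound)
        return res.session_ambr + sum(mfbr for mfbr, _ in res.gbr_flows)
    if method == "min":       # implementation two: GBR of the GBR flows (lower bound)
        return sum(gbr for _, gbr in res.gbr_flows)
    if method == "mid":       # implementation three: session-AMBR + GBR of the GBR flows
        return res.session_ambr + sum(gbr for _, gbr in res.gbr_flows)
    if method == "realtime":  # implementation four: measured real-time rate
        return res.realtime
    raise ValueError(f"unknown used-rate method {method!r}")


def used_rate(established: List[UserPlaneResource], method: str) -> float:
    """Used rate of the UE: only resources that already run UP IP count (the second user plane resource)."""
    return sum(resource_rate(r, method) for r in established if r.ip_enabled)


def remaining_rate(max_ip_rate: float, used: float) -> float:
    """Remaining rate = maximum integrity protection rate minus used rate."""
    return max_ip_rate - used


@dataclass
class Decision:
    enable_first: bool               # True: UP IP of the requested (first) resource is started
    disable_resource: Optional[str]  # third resource whose UP IP is stopped to make room, if any


def decide(required: float, remaining: float, policy: UpIpPolicy,
           established: List[UserPlaneResource], method: str) -> Decision:
    """Apply the decision rule to a request for a first user plane resource."""
    if policy is UpIpPolicy.NOT_NEEDED:
        return Decision(False, None)
    if remaining >= required:            # first indication: enough headroom, start UP IP
        return Decision(True, None)
    if policy is UpIpPolicy.PREFERRED:   # third indication: optional and no headroom, do not start
        return Decision(False, None)
    # Policy REQUIRED but not enough headroom: find a third resource whose policy is PREFERRED,
    # which already runs UP IP and whose rate covers the shortfall (second indication).
    shortfall = required - remaining
    for res in established:
        if (res.policy is UpIpPolicy.PREFERRED and res.ip_enabled
                and resource_rate(res, method) >= shortfall):
            return Decision(True, res.name)
    # Not specified by the scheme; assumption of this example: the request cannot be admitted
    # with UP IP as required, so the caller is told explicitly instead of silently weakening.
    raise LookupError("no optional-UP-IP resource can release enough rate")


def evaluate_request(max_ip_rate: float, established: List[UserPlaneResource],
                     required: float, policy: UpIpPolicy, method: str) -> Decision:
    """Full pipeline: used rate -> remaining rate -> decision."""
    remaining = remaining_rate(max_ip_rate, used_rate(established, method))
    return decide(required, remaining, policy, established, method)


# Constructed sample: a UE with a 10 000 kbps maximum integrity protection rate and three
# established resources. C has UP IP off, so it never counts toward the used rate.
SAMPLE_MAX_IP_RATE = 10_000.0
SAMPLE_RESOURCES = [
    UserPlaneResource("A", UpIpPolicy.PREFERRED, True, session_ambr=4_000,
                      gbr_flows=[(2_000, 1_000)], realtime=1_500),
    UserPlaneResource("B", UpIpPolicy.REQUIRED, True, session_ambr=3_000, realtime=900),
    UserPlaneResource("C", UpIpPolicy.NOT_NEEDED, False, session_ambr=5_000, realtime=4_000),
]

if __name__ == "__main__":
    # The same 3 000 kbps REQUIRED request is admitted outright under the optimistic
    # methods but needs A's UP IP switched off under the conservative ones.
    for m in ("max", "min", "mid", "realtime"):
        used = used_rate(SAMPLE_RESOURCES, m)
        d = evaluate_request(SAMPLE_MAX_IP_RATE, SAMPLE_RESOURCES, 3_000, UpIpPolicy.REQUIRED, m)
        print(f"{m:8s} used={used:6.0f} remaining={SAMPLE_MAX_IP_RATE - used:6.0f} -> {d}")
```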

In one possible implementation, the method is applicable to a radio access network device; the radio access network device can receive the required rate, the maximum integrity protection rate and the user plane security policy of the first terminal device from the session management function network element, where the session management function network element obtains the required rate of the first terminal device from the policy control function network element and obtains the maximum integrity protection rate from the first terminal device; obtain the used rate from the context of the first terminal device; and determine the remaining rate based on the maximum integrity protection rate and the used rate.

In one possible implementation, the method may be applied to a dual-connected master node; the master node can obtain the required rate of the first terminal device from the policy control function network element, obtain the maximum integrity protection rate of the first terminal device from the session management function network element, obtain the used rate from the context of the first terminal device, and determine the remaining rate based on the maximum integrity protection rate and the used rate.

Further, the master node sends fourth indication information to the dual-connected secondary node, and the fourth indication information is used by the secondary node to determine whether to start user plane integrity protection.

By this communication method, the secondary node can also accurately determine whether to start user plane integrity protection of the first user plane resource.

In one possible implementation, the method may be applied to a radio access network device during handover; the radio access network device in the handover procedure can receive a handover request message from the source radio access network device, where the handover request message includes the required rate of the first terminal device, the user plane security policy, the maximum integrity protection rate and the used rate; and determine the remaining rate based on the maximum integrity protection rate and the used rate.

In one possible implementation, the method may be applied to a radio access network device during Radio Resource Control (RRC) connection recovery; the radio access network device in the RRC connection recovery procedure can obtain a context response message of the first terminal device from the target radio access network device, where the context response message of the first terminal device includes the required rate of the first terminal device, the user plane security policy, the maximum integrity protection rate and the used rate; and determine the remaining rate based on the maximum integrity protection rate and the used rate.

In one possible implementation, the method is applicable to a dual-connected secondary node; the secondary node can receive the required rate, the maximum integrity protection rate, the used rate and the user plane security policy sent by the dual-connected master node, and determine the remaining rate based on the maximum integrity protection rate and the used rate.

By this communication method, the secondary node can also accurately determine whether to start user plane integrity protection of the first user plane resource.

In one possible implementation, the difference between the maximum integrity-protected rate and the used rate may be determined as the remaining rate.

In one possible implementation, the method is applicable to a dual-connected secondary node; the secondary node receives the required rate, the remaining rate and the user plane security policy from the master node.

When the method is applied to the dual-connected secondary node, the secondary node can also send the rate used for starting user plane integrity protection of the first user plane resource to the dual-connected master node.

By this communication method, the master node can conveniently obtain and record the rate used by the user plane integrity protection of the first user plane resource; the next time a user plane resource is established, the first user plane resource counts as part of the second user plane resource, so the used rate of the first terminal device can be determined conveniently.

In a possible implementation manner, the method may be applied to a second terminal device, and the second terminal device may receive the remaining rate and the user plane security policy from the first terminal device, and obtain the required rate from the context of the first terminal device.

In a second aspect, the present application provides a communication method, which may be performed by a dual-connected master node. The method includes obtaining the used rate, the required rate, the maximum integrity protection rate and the user plane security policy of a first terminal device; the required rate is used for indicating the rate required by a first user plane resource requested to be established by the first terminal device, the used rate is used for indicating the rate used by a second user plane resource established by the first terminal device, the maximum integrity protection rate is used for indicating the maximum rate after the first terminal device starts user plane integrity protection, and the user plane security policy comprises user plane integrity protection on, user plane integrity protection optionally on or user plane integrity protection off; determining a remaining rate according to the maximum integrity protection rate and the used rate; and sending the remaining rate, the required rate and the user plane security policy to the dual-connected secondary node.

In a possible implementation manner, the rate used for starting the user plane integrity protection of the first user plane resource from the secondary node may also be obtained and recorded.

By this communication method, the master node can conveniently obtain and record the rate used by the user plane integrity protection of the first user plane resource; the next time a user plane resource is established, the first user plane resource counts as part of the second user plane resource, so the used rate of the first terminal device can be determined conveniently.

In a third aspect, the present application provides a communication method, which may be performed by a first terminal device, the method including obtaining a used rate, a maximum integrity protection rate, and a user plane security policy of the first terminal device; determining a remaining rate according to the maximum integrity protection rate and the used rate; and sending the remaining rate and a user plane security policy to a second terminal device, wherein the used rate is used for indicating the rate used by a second user plane resource established by the first terminal device, the maximum integrity protection rate is used for indicating the maximum rate after the first terminal device starts user plane integrity protection, and the user plane security policy comprises user plane integrity protection starting, user plane integrity protection optional starting or user plane integrity protection closing.

In a fourth aspect, the present application provides a communication device having functionality for implementing any of the first or second aspects described above, or for implementing the third aspect described above. The functionality can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.

In one possible implementation, the communication apparatus may include: a transceiver and a processor. The processor may be configured to enable the communication device to perform the respective functions of the first or second aspect shown above, and the transceiver is configured to enable communication between the communication device and radio access network equipment, terminal equipment, and the like. The transceiver may be a separate receiver, a separate transmitter, a transceiver with integrated transceiving function, or an interface circuit. Optionally, the communication device may also include a memory, which may be coupled to the processor, that retains program instructions and data necessary for the communication device.

The transceiver cooperates with the processor and is configured to obtain a required rate, a remaining rate, and a user plane security policy of a first terminal device, where the required rate indicates the rate required by a first user plane resource that the first terminal device requests to establish, the remaining rate is determined according to a used rate of the first terminal device and a maximum integrity protection rate of the first terminal device, the used rate indicates the rate used by a second user plane resource that the first terminal device has already established, and the maximum integrity protection rate indicates the maximum rate after the first terminal device enables user plane integrity protection; the user plane security policy is one of user plane integrity protection enabled, user plane integrity protection optionally enabled, or user plane integrity protection disabled. The processor is configured to determine, according to the required rate, the remaining rate and the user plane security policy, whether to enable user plane integrity protection for the first user plane resource.

In a possible implementation, the second user plane resource comprises those user plane resources, among the user plane resources established by the first terminal device, for which user plane integrity protection is enabled.

In one possible implementation, the processor is further configured to determine the used rate of the first terminal device according to a rate parameter, where the rate parameter comprises any one or any combination of: the protocol data unit (PDU) session aggregate maximum bit rate of the second user plane resource; the UE aggregate maximum bit rate of the first terminal device; the maximum flow bit rate of a guaranteed bit rate (GBR) QoS flow of the second user plane resource; the guaranteed flow bit rate of a GBR QoS flow of the second user plane resource; and the real-time rate of the second user plane resource.

In one possible implementation, the processor is specifically configured to determine the sum of the aggregate maximum bit rates of all PDU sessions and the maximum flow bit rates of all GBR QoS flows as the used rate; or to determine the sum of the UE aggregate maximum bit rate and the maximum flow bit rates of all GBR QoS flows as the used rate.

In one possible implementation, the processor is specifically configured to determine the sum of the guaranteed flow bit rates of all GBR QoS flows as the used rate.

In one possible implementation, the processor is specifically configured to determine the sum of the aggregate maximum bit rates of all PDU sessions and the guaranteed flow bit rates of all GBR QoS flows as the used rate.

In one possible implementation, when the user plane security policy is user plane integrity protection enabled or optionally enabled, the processor is specifically configured to: if the remaining rate is greater than or equal to the required rate, send first indication information to the first terminal device, the first indication information indicating that user plane integrity protection of the first user plane resource is enabled.

In a possible implementation, when the user plane security policy is user plane integrity protection enabled, the processor is specifically configured to: if the remaining rate is less than the required rate, obtain a third user plane resource whose user plane security policy is user plane integrity protection optionally enabled, for which user plane integrity protection is currently enabled, and whose used rate is greater than or equal to the difference between the required rate and the remaining rate; and send second indication information to the first terminal device, the second indication information indicating that user plane integrity protection of the first user plane resource is enabled and that user plane integrity protection of the third user plane resource is not enabled.

In a possible implementation, when the user plane security policy is user plane integrity protection optionally enabled, the processor is specifically configured to: if the remaining rate is less than the required rate, send third indication information to the first terminal device, the third indication information indicating that user plane integrity protection of the first user plane resource is not enabled.
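The three decision branches above (first, second and third indication) can be written as one function. The following is an added example for illustration, not code from the patent; the class and function names, the use of `math.inf` to represent a "full data rate" remaining rate, the choice of which third resource to release when several qualify, and the handling of the case where no third resource qualifies (which the description does not cover) are all assumptions made for this example.

```python
# Added illustration of the UP integrity-protection decision rule (not patent code).
# Names, the math.inf convention for "full data rate", the tie-break among third
# resources and the "unresolved" outcome are assumptions made for this example.
import math
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class UpIpPolicy(Enum):
    """User plane integrity protection policy, using the two-bit encoding the
    description gives as an example (00 not needed, 01 preferred, 11 required)."""
    NOT_NEEDED = 0b00
    PREFERRED = 0b01   # "optionally enabled"
    REQUIRED = 0b11    # "enabled"


@dataclass
class UpResource:
    """An already established user plane resource (e.g. a DRB) of the UE."""
    name: str
    policy: UpIpPolicy
    used_rate_bps: float
    ip_enabled: bool


@dataclass
class Decision:
    enable_first: bool            # enable UP IP on the requested (first) resource
    disable_third: Optional[str]  # resource whose UP IP is switched off, if any
    indication: str               # "first", "second", "third", "none" or "unresolved"


def decide_up_integrity(required_bps: float, remaining_bps: float,
                        policy: UpIpPolicy, established: List[UpResource]) -> Decision:
    """Decide whether to enable UP IP on the first user plane resource.

    remaining_bps = maximum integrity protection rate - used rate; it may be
    math.inf when the UE's maximum integrity protection rate is full data rate.
    """
    if policy is UpIpPolicy.NOT_NEEDED:
        # Policy says not needed: nothing to enable, no protected rate consumed.
        return Decision(False, None, "none")
    if remaining_bps >= required_bps:
        # Enough headroom under the UE's maximum integrity protection rate.
        return Decision(True, None, "first")
    if policy is UpIpPolicy.PREFERRED:
        # Preferred, but no headroom: leave UP IP off (third indication).
        return Decision(False, None, "third")
    # REQUIRED with insufficient headroom: free rate by releasing UP IP on a
    # third resource whose policy is PREFERRED, which currently has UP IP on
    # and whose used rate covers the shortfall.
    shortfall = required_bps - remaining_bps
    candidates = [r for r in established
                  if r.policy is UpIpPolicy.PREFERRED and r.ip_enabled
                  and r.used_rate_bps >= shortfall]
    if not candidates:
        # Not covered by the description; this example reports it as unresolved.
        return Decision(False, None, "unresolved")
    # Assumption: release the smallest resource that covers the shortfall, so
    # the least amount of already protected traffic loses integrity protection.
    third = min(candidates, key=lambda r: r.used_rate_bps)
    return Decision(True, third.name, "second")


if __name__ == "__main__":
    # Constructed sample: three protected DRBs and one with UP IP already off.
    drbs = [UpResource("DRB1", UpIpPolicy.PREFERRED, 50_000, True),
            UpResource("DRB2", UpIpPolicy.PREFERRED, 150_000, True),
            UpResource("DRB3", UpIpPolicy.REQUIRED, 300_000, True),
            UpResource("DRB4", UpIpPolicy.PREFERRED, 400_000, False)]
    print(decide_up_integrity(200_000, 100_000, UpIpPolicy.REQUIRED, drbs))
```

Note that DRB3 is never a candidate even though it carries more rate than the shortfall: its own policy is required, so the radio access network device cannot trade its protection away; only resources with an optional policy are eligible as the third resource.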

In one possible implementation, the communication device is applied to a radio access network device. The transceiver is specifically configured to receive the required rate, the maximum integrity protection rate and the user plane security policy of the first terminal device from a session management function network element, where the session management function network element obtains the required rate of the first terminal device from a policy control function network element and obtains the maximum integrity protection rate from the first terminal device; and to obtain the used rate from the context of the first terminal device. The processor is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In one possible implementation, the communication device is applied to a master node in dual connectivity. The transceiver is further configured to send fourth indication information to the secondary node in dual connectivity, the fourth indication information being used by the secondary node to determine whether to enable user plane integrity protection.

In a possible implementation, the communication device is applied to a radio access network device in a handover procedure. The transceiver is specifically configured to obtain a handover request message from a source radio access network device, the handover request message comprising the required rate, the user plane security policy, the maximum integrity protection rate and the used rate of the first terminal device. The processor is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In a possible implementation, the communication device is applied to a radio access network device in an RRC connection resume procedure. The transceiver is specifically configured to obtain a context response message of the first terminal device from a target radio access network device, the context response message comprising the required rate, the user plane security policy, the maximum integrity protection rate and the used rate of the first terminal device. The processor is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In one possible implementation, the communication device is applied to a secondary node in dual connectivity. The transceiver is specifically configured to receive the required rate, the maximum integrity protection rate, the used rate and the user plane security policy sent by the master node in dual connectivity. The processor is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In one possible implementation, the processor is specifically configured to: the difference between the maximum integrity-protected rate and the used rate is determined as the remaining rate.

In one possible implementation, the communication device is applied to a secondary node in dual connectivity. The transceiver is specifically configured to receive the required rate, the remaining rate and the user plane security policy from the master node.

In one possible implementation, the transceiver is further configured to send, to the master node in dual connectivity, the rate used by the first user plane resource for which user plane integrity protection has been enabled.

In one possible implementation, the communication device is applied to the second terminal device. The transceiver is specifically configured to receive the remaining rate and the user plane security policy from the first terminal device, and to obtain the required rate from the context of the first terminal device.

In a fifth aspect, the present application provides a communication device for implementing the first aspect or any possible implementation of the first aspect, or for implementing the second aspect or any possible implementation of the second aspect, comprising corresponding functional modules each implementing a step of the above methods. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.

In a possible implementation, the communication apparatus may include a processing module and a transceiver module. The transceiver module cooperates with the processing module to obtain a required rate, a remaining rate and a user plane security policy of a first terminal device, where the required rate indicates the rate required by a first user plane resource that the first terminal device requests to establish, the remaining rate is determined according to a used rate of the first terminal device and a maximum integrity protection rate of the first terminal device, the used rate indicates the rate used by a second user plane resource already established by the first terminal device, and the maximum integrity protection rate indicates the maximum rate after the first terminal device enables user plane integrity protection; the user plane security policy is one of user plane integrity protection enabled, user plane integrity protection optionally enabled, or user plane integrity protection disabled. The processing module is configured to determine, according to the required rate, the remaining rate and the user plane security policy, whether to enable user plane integrity protection for the first user plane resource.

In a possible implementation, the second user plane resource comprises those user plane resources, among the user plane resources established by the first terminal device, for which user plane integrity protection is enabled.

In a possible implementation, the processing module is further configured to determine the used rate of the first terminal device according to a rate parameter, where the rate parameter comprises any one or any combination of: the protocol data unit (PDU) session aggregate maximum bit rate of the second user plane resource; the UE aggregate maximum bit rate of the first terminal device; the maximum flow bit rate of a guaranteed bit rate (GBR) quality of service (QoS) flow; the guaranteed flow bit rate of a GBR QoS flow; and the real-time rate of the second user plane resource.

In a possible implementation, the processing module is specifically configured to determine the sum of the aggregate maximum bit rates of all PDU sessions and the maximum flow bit rates of all GBR QoS flows as the used rate; or to determine the sum of the UE aggregate maximum bit rate and the maximum flow bit rates of all GBR QoS flows as the used rate.

In a possible implementation, the processing module is specifically configured to determine the sum of the guaranteed flow bit rates of all GBR QoS flows as the used rate.

In a possible implementation, the processing module is specifically configured to determine the sum of the aggregate maximum bit rates of all PDU sessions and the guaranteed flow bit rates of all GBR QoS flows as the used rate.

In a possible implementation, when the user plane security policy is user plane integrity protection enabled or optionally enabled, the processing module is specifically configured to: if the remaining rate is greater than or equal to the required rate, send first indication information to the first terminal device, the first indication information indicating that user plane integrity protection of the first user plane resource is enabled.

In a possible implementation, when the user plane security policy is user plane integrity protection enabled, the processing module is specifically configured to: if the remaining rate is less than the required rate, obtain a third user plane resource whose user plane security policy is user plane integrity protection optionally enabled, for which user plane integrity protection is currently enabled, and whose used rate is greater than or equal to the difference between the required rate and the remaining rate; and send second indication information to the first terminal device, the second indication information indicating that user plane integrity protection of the first user plane resource is enabled and that user plane integrity protection of the third user plane resource is not enabled.

In a possible implementation, when the user plane security policy is user plane integrity protection optionally enabled, the processing module is specifically configured to: if the remaining rate is less than the required rate, send third indication information to the first terminal device, the third indication information indicating that user plane integrity protection of the first user plane resource is not enabled.

In one possible implementation, the communication device is applied to a radio access network device. The transceiver module is specifically configured to receive the required rate, the maximum integrity protection rate and the user plane security policy of the first terminal device from a session management function network element, where the session management function network element obtains the required rate of the first terminal device from a policy control function network element and obtains the maximum integrity protection rate from the first terminal device; and to obtain the used rate from the context of the first terminal device. The processing module is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In one possible implementation, the communication device is applied to a master node in dual connectivity. The transceiver module is further configured to send fourth indication information to the secondary node in dual connectivity, the fourth indication information being used by the secondary node to determine whether to enable user plane integrity protection.

In a possible implementation, the communication device is applied to a radio access network device in a handover procedure. The transceiver module is specifically configured to obtain a handover request message from a source radio access network device, the handover request message comprising the required rate, the user plane security policy, the maximum integrity protection rate and the used rate of the first terminal device. The processing module is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In a possible implementation, the communication device is applied to a radio access network device in an RRC connection resume procedure. The transceiver module is specifically configured to obtain a context response message of the first terminal device from a target radio access network device, the context response message comprising the required rate, the user plane security policy, the maximum integrity protection rate and the used rate of the first terminal device. The processing module is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In one possible implementation, the communication device is applied to a secondary node in dual connectivity. The transceiver module is specifically configured to receive the required rate, the maximum integrity protection rate, the used rate and the user plane security policy sent by the master node in dual connectivity. The processing module is specifically configured to determine the remaining rate according to the maximum integrity protection rate and the used rate.

In a possible implementation, the processing module is specifically configured to determine the difference between the maximum integrity protection rate and the used rate as the remaining rate.

In one possible implementation, the communication device is applied to a secondary node in dual connectivity. The transceiver module is specifically configured to receive the required rate, the remaining rate and the user plane security policy from the master node.

In one possible implementation, the transceiver module is further configured to send, to the master node in dual connectivity, the rate used by the first user plane resource for which user plane integrity protection has been enabled.

In one possible implementation, the communication device is applied to the second terminal device. The transceiver module is specifically configured to receive the remaining rate and the user plane security policy from the first terminal device, and to obtain the required rate from the context of the first terminal device.

In a sixth aspect, the present application provides a computer readable storage medium having stored therein a computer program or instructions which, when executed by a communication apparatus, cause the communication apparatus to perform the method of the first aspect or any possible implementation manner of the first aspect, or cause the communication apparatus to perform the method of the second aspect or any possible implementation manner of the second aspect.

In a seventh aspect, the present application provides a computer program product comprising a computer program or instructions for implementing the method of the first aspect or any possible implementation manner of the first aspect, or for implementing the method of the second aspect or any possible implementation manner of the second aspect, when the computer program or instructions are executed by a communication device.

For technical effects that can be achieved by any one of the fourth aspect and the fifth aspect, reference may be made to the description of the advantageous effects in the first aspect, and details are not repeated here.

Drawings

Fig. 1a is a schematic diagram of a communication system architecture provided in the present application;

FIG. 1b is a schematic diagram of a communication system architecture provided herein;

fig. 2 is a schematic diagram of a communication system architecture provided in the present application;

fig. 3 is a schematic method flow diagram of a communication method provided in the present application;

fig. 4 is a schematic flowchart of a communication method applied to a radio access network device according to the present application;

fig. 5 is a flowchart illustrating a method of a communication method applied to a radio access network device during handover according to the present application;

fig. 6 is a flowchart illustrating a method of a communication method of a radio access network device applied to an RRC connection recovery procedure according to the present application;

fig. 7 is a schematic flowchart of a communication method applied to a secondary node in dual connectivity according to the present application;

fig. 8 is a schematic flowchart of another communication method applied to a secondary node in dual connectivity according to the present application;

fig. 9 is a schematic flowchart of a method of a communication method applied to a master node in dual connectivity according to the present application;

fig. 10 is a schematic flowchart of a communication method applied to a radio access network device according to another embodiment of the present application;

fig. 11 is a flowchart illustrating a method of a communication method applied to a second terminal device according to the present application;

fig. 12 is a schematic structural diagram of a communication device provided in the present application;

fig. 13 is a schematic structural diagram of a communication device according to the present application;

Fig. 14 is a schematic structural diagram of a terminal device provided in the present application;

fig. 15 is a schematic structural diagram of a radio access network device according to the present application.

Detailed Description

The embodiments of the present application will be described in detail below with reference to the accompanying drawings.

Some terms in the present application are explained below to facilitate understanding by those skilled in the art.

First, maximum integrity protection rate

The maximum integrity protection rate represents the maximum rate at which the terminal device can transmit after it enables user plane integrity protection. It includes an uplink maximum integrity protection rate and a downlink maximum integrity protection rate. The uplink maximum integrity protection rate is the maximum uplink rate after the terminal device enables user plane integrity protection; the downlink maximum integrity protection rate is the maximum downlink rate after the terminal device enables user plane integrity protection. For example, if the uplink maximum integrity protection rate is 64 kbit/s, then once the terminal device has enabled user plane integrity protection, the maximum rate at which it can send data to the radio access network device is 64 kbit/s. If the downlink maximum integrity protection rate is 64 kbit/s, the maximum rate at which the terminal device can receive data from the radio access network device after enabling user plane integrity protection is 64 kbit/s. As another example, if the downlink maximum integrity protection rate is full data rate, there is no limit on the rate at which the terminal device receives data from the radio access network device after enabling user plane integrity protection. Currently, the uplink maximum integrity protection rate takes one of two values, 64 kilobits per second (kbps) or full data rate (full-data-rate), and the downlink maximum integrity protection rate likewise takes one of the same two values.
Because only these two values, 64 kbps and full data rate, are currently defined, and the full-data-rate value may overload the UE's capability, the uplink or downlink maximum integrity protection rate in the embodiments of the present application may take additional values, for example 1 gigabit per second (Gbps), 2 Gbps, and so on. The uplink maximum integrity protection rate and the downlink maximum integrity protection rate may be equal or different; this is not limited in the present application.

Second, required rate

The required rate represents the rate that the terminal device and the radio access network device need in order to establish a user plane resource. It includes an uplink required rate and a downlink required rate. Specifically, the uplink required rate may be the highest, lowest or average rate at which the terminal device sends data to the radio access network device (e.g., the base station) on the user plane resource, and the downlink required rate may be the highest, lowest or average rate at which the radio access network device sends data to the terminal device on the user plane resource. The user plane resource includes one or more Data Radio Bearers (DRBs); a DRB defines how the radio interface (Uu) handles packets.

In the 5G system, when a terminal device requests to establish or modify a Protocol Data Unit (PDU) session and at the same time requests to establish one or more QoS flows, the radio access network device may establish a new DRB, or reuse an existing DRB, to carry the QoS flows.

For Non-Guaranteed Bit Rate (Non-GBR) QoS flows, the required rate may be the PDU session aggregate maximum bit rate (PDU Session Aggregate Maximum Bit Rate), which limits the aggregate bit rate of all Non-GBR QoS flows of a particular PDU session. The uplink required rate may then be the uplink PDU session aggregate maximum bit rate, and the downlink required rate the downlink PDU session aggregate maximum bit rate. The required rate may also be the UE aggregate maximum bit rate (UE Aggregate Maximum Bit Rate), which limits the aggregate bit rate available to all Non-GBR QoS flows of one terminal device. The uplink required rate may then be the uplink UE aggregate maximum bit rate, and the downlink required rate the downlink UE aggregate maximum bit rate.

For a Guaranteed Bit Rate (GBR) QoS flow, the required rate may be the Maximum Flow Bit Rate, which limits the maximum bit rate expected for the QoS flow. The uplink required rate may then be the uplink maximum flow bit rate, and the downlink required rate the downlink maximum flow bit rate. The required rate may also be the Guaranteed Flow Bit Rate, which indicates the flow bit rate the network guarantees to provide to the QoS flow within the averaging window. The uplink required rate may then be the uplink guaranteed flow bit rate, and the downlink required rate the downlink guaranteed flow bit rate.

In the 4G system, when a terminal device requests to establish or modify an Evolved Packet System (EPS) bearer, establishment of a new DRB is requested at the same time.

For a Non-GBR EPS bearer, the required rate may be the per-APN aggregate maximum bit rate (per APN Aggregate Maximum Bit Rate), which limits the aggregate bit rate available to all Non-GBR EPS bearers of all PDN connections to the same Access Point Name (APN). The uplink required rate may then be the uplink APN aggregate maximum bit rate, and the downlink required rate the downlink APN aggregate maximum bit rate. The required rate may also be the per-UE aggregate maximum bit rate (per UE Aggregate Maximum Bit Rate), which limits the aggregate bit rate available to all Non-GBR EPS bearers of one UE. The uplink required rate may then be the uplink UE aggregate maximum bit rate, and the downlink required rate the downlink UE aggregate maximum bit rate.

For a GBR EPS bearer, the required rate may be the Maximum Flow Bit Rate, which limits the maximum bit rate expected for the EPS bearer. The uplink required rate may then be the uplink maximum flow bit rate, and the downlink required rate the downlink maximum flow bit rate. The required rate may also be the Guaranteed Flow Bit Rate, which indicates the bit rate the network guarantees to provide to the EPS bearer within the averaging window. The uplink required rate may then be the uplink guaranteed flow bit rate, and the downlink required rate the downlink guaranteed flow bit rate.

Third, used rate

The used rate represents the rate used by the user plane resources the terminal device has already established. It may be the real-time rate used by those resources. However, because the real-time rate fluctuates, it does not give a stable assessment of the terminal's usage at a given moment; the used rate may therefore instead be an estimated rate for the established user plane resources, derived from the required rate with which those resources were established. The maximum integrity protection rate, which indicates the maximum rate after the terminal device enables user plane integrity protection, characterizes the UE's capability; the used rate characterizes how much of that integrity protection capability has already been consumed.

It should be understood that the used rate includes an uplink used rate and a downlink used rate.

Taking DRBs as the user plane resources: the terminal device has established DRB1, DRB2 and DRB3, where DRB1 uses uplink rate A1 and downlink rate B1, DRB2 uses uplink rate A2 and downlink rate B2, and DRB3 uses uplink rate A3 and downlink rate B3. The uplink used rate of the terminal device is then A1 + A2 + A3 and the downlink used rate is B1 + B2 + B3.
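The following added example (not code from the patent) works the used-rate and remaining-rate computations through for both directions: the real-time variant summed over DRBs as in the DRB1/DRB2/DRB3 illustration, the four estimated variants built from the session/UE aggregate maximum bit rates and the GBR flow bit rates listed in the fourth and fifth aspects, and the remaining rate as maximum integrity protection rate minus used rate. The `Rate`, `GbrFlow` and `PduSession` classes, the method names, and the representation of "full data rate" as `math.inf` are assumptions made for this example.

```python
# Added illustration of used-rate and remaining-rate computation (not patent code).
# Class/function names and math.inf for "full data rate" are assumptions.
import math
from dataclasses import dataclass
from typing import List, Optional

FULL_DATA_RATE = math.inf  # "full-data-rate": no limit on the protected rate


@dataclass(frozen=True)
class Rate:
    """An uplink/downlink rate pair in bit/s; every rate here is per direction."""
    ul: float
    dl: float

    def __add__(self, other: "Rate") -> "Rate":
        return Rate(self.ul + other.ul, self.dl + other.dl)

    def __sub__(self, other: "Rate") -> "Rate":
        return Rate(self.ul - other.ul, self.dl - other.dl)


ZERO = Rate(0.0, 0.0)


@dataclass
class GbrFlow:
    qfi: int
    mfbr: Rate  # maximum flow bit rate
    gfbr: Rate  # guaranteed flow bit rate


@dataclass
class PduSession:
    psi: int
    session_ambr: Rate        # PDU session aggregate maximum bit rate
    gbr_flows: List[GbrFlow]
    ip_enabled: bool          # only resources with UP IP on count as "used"


def used_rate_from_drbs(drb_rates: List[Rate]) -> Rate:
    """Real-time variant: A1+A2+A3 uplink, B1+B2+B3 downlink."""
    return sum(drb_rates, ZERO)


def estimated_used_rate(sessions: List[PduSession], method: str,
                        ue_ambr: Optional[Rate] = None) -> Rate:
    """Estimated variant, derived from the rates the resources were established with.

    method selects one of the four combinations listed in the description:
      "session_ambr+mfbr", "ue_ambr+mfbr", "gfbr", "session_ambr+gfbr".
    Only sessions with UP IP enabled are counted (the "second user plane resource").
    """
    protected = [s for s in sessions if s.ip_enabled]
    flows = [f for s in protected for f in s.gbr_flows]
    session_ambr = sum((s.session_ambr for s in protected), ZERO)
    mfbr = sum((f.mfbr for f in flows), ZERO)
    gfbr = sum((f.gfbr for f in flows), ZERO)
    if method == "session_ambr+mfbr":
        return session_ambr + mfbr
    if method == "ue_ambr+mfbr":
        if ue_ambr is None:
            raise ValueError("ue_ambr is needed for method ue_ambr+mfbr")
        return ue_ambr + mfbr
    if method == "gfbr":
        return gfbr
    if method == "session_ambr+gfbr":
        return session_ambr + gfbr
    raise ValueError(f"unknown method {method!r}")


def remaining_rate(max_ip_rate: Rate, used: Rate) -> Rate:
    """Remaining rate = maximum integrity protection rate - used rate, per direction.

    A negative value means protected traffic already exceeds the UE's limit;
    for a full-data-rate direction the remaining rate stays inf.
    """
    return max_ip_rate - used


if __name__ == "__main__":
    # Constructed sample: two protected PDU sessions and one with UP IP off.
    sessions = [
        PduSession(1, Rate(10e6, 20e6), [GbrFlow(5, Rate(1e6, 2e6), Rate(0.5e6, 1e6))], True),
        PduSession(2, Rate(8e6, 8e6), [GbrFlow(6, Rate(3e6, 3e6), Rate(2e6, 2e6))], False),
        PduSession(3, Rate(5e6, 5e6), [], True),
    ]
    used = estimated_used_rate(sessions, "session_ambr+mfbr")
    # A UE whose uplink limit is 64 kbps but whose downlink is full data rate.
    print(used, remaining_rate(Rate(64e3, FULL_DATA_RATE), used))
```

The estimate deliberately over-counts relative to real traffic (an AMBR or MFBR is a ceiling, not a measurement), which is the conservative direction for this decision: it errs toward not enabling integrity protection on a UE that could not keep up, rather than enabling it and overloading the UE.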

Fourth, user plane security policy

The user plane security policy comprises a user plane encryption protection policy and a user plane integrity protection policy. User plane encryption protection is indicated by one of three possible values: not needed, preferred, and required. User plane integrity protection is likewise indicated by one of three possible values, not needed, preferred, and required, where not needed means it need not be enabled; preferred means it is optionally enabled (also called recommended), that is, it may or may not be enabled; and required means it must be enabled. The three values may be indicated with 2 bits, for example 00 for not needed, 01 for preferred, and 11 for required. The embodiments of the present application do not limit the manner in which the user plane encryption protection indication information and the user plane integrity protection indication information encode these three values. Since user plane encryption protection does not affect the communication rate, the present application does not limit how user plane encryption protection is implemented.

Based on the above, fig. 1a is a schematic diagram of a communication system architecture to which the present application is applicable. As shown in fig. 1a, the communication system may include a data management network element, an authentication service network element, a mobility management network element, a session management network element, a policy control network element, a user plane network element, an access network device, and a terminal device. Fig. 1a illustrates a data management network element as a Unified Data Management (UDM), an authentication service network element as an authentication server function (AUSF), a mobility management network element as an access and mobility management function (AMF), a session management network element as a Session Management Function (SMF), a policy control network element as a Policy Control Function (PCF), a user plane network element as a User Plane Function (UPF), and a terminal device as a UE.

The data management network element is mainly used for managing and storing user data, such as subscription information and authentication/authorization information. In 5G, the data management network element may be a UDM network element or a Unified Data Repository (UDR) network element, and in future communications such as 6th generation (6G), the data management network element may still be a UDM network element or a UDR network element, or have another name, which is not limited in this application.

The authentication service network element is mainly used for providing the authentication service function and storing keys, using the Extensible Authentication Protocol (EAP), so as to authenticate and authorize a user. In 5G, the authentication service network element may be an AUSF network element, and in future communications such as 6G, the authentication service network element may still be an AUSF network element or have another name, which is not limited in this application.

The mobility management network element is mainly used for registration of terminal devices in a mobile network, mobility management and the tracking area update procedure. The mobility management network element terminates Non Access Stratum (NAS) messages, completes registration management, connection management and reachability management, allocates a tracking area list (TA list), performs mobility management, and the like, and transparently routes Session Management (SM) messages to the session management network element. In 5G communication, the mobility management network element may be an AMF network element, and in future communication such as 6G, the mobility management network element may still be an AMF network element, or have another name, which is not limited in this application.

The session management network element is mainly used for session management in a mobile network and selection and control of a user plane network element. Among them, the session management is such as session creation, modification, release. The specific functions include, for example, allocating an Internet Protocol (IP) address to a user, selecting a user plane network element providing a message forwarding function, and the like. In 5G, the session management network element may be an SMF network element, and in future communications such as 6G, the session management network element may still be an SMF network element, or have another name, which is not limited in this application. The message of the terminal equipment communicating with the SMF is packaged in an SM container (container) of the NAS message, and the AMF extracts SM container content from the NAS message and then sends the SM container content to the SMF.

The policy control network element is mainly used for managing user subscription data, controlling charging policy, controlling quality of service (QoS), and the like. In 5G, the policy control network element may be a PCF network element, and in future communications such as 6G, the policy control network element may still be a PCF network element, or have another name, which is not limited in this application.

The user plane network element is mainly used for user plane service processing, such as packet routing and transmission, packet detection, service usage reporting, quality of service (QoS) processing, lawful interception, uplink packet detection, downlink packet storage, and the like. In 5G, the user plane network element may be a UPF network element, and in future communications such as 6G, the user plane network element may still be a UPF network element or have another name, which is not limited in this application.

Access network equipment (also called Radio Access Network (RAN) equipment) is the access equipment through which a terminal device accesses the communication system in a wireless manner, and may be a base station (base station), an evolved node B (eNB), a Transmission Reception Point (TRP), a next generation base station (next generation NodeB, gNB) in a 5G communication system, a next generation evolved node B (ng-eNB), a node B (node B, NB), a base station controller (base station controller, BSC), a Base Transceiver Station (BTS), a home base station (e.g., home evolved node B, or home node B, HNB), a base station in a future communication system, or an access node in a wireless fidelity (WiFi) system, etc.; or it may be a module or a unit that performs part of the functions of the base station, for example, a Centralized Unit (CU) or a Distributed Unit (DU). The embodiment of the present application does not limit the specific technology and the specific device form adopted by the access network device.

A terminal device may also be referred to as a terminal, a User Equipment (UE), a mobile station, a mobile terminal, or the like. The terminal device can be a mobile phone, a tablet computer, a computer with a wireless transceiving function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in remote operation, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home and the like. The specific technology and the specific equipment form adopted by the terminal equipment are not limited in the application.

The present application may also be applied to the 4th generation (4G) communication system. Fig. 1b is a schematic diagram of the architecture of another communication system to which the present application is applicable. Fig. 1b illustrates, by way of example, a data management network element as a Home Subscriber Server (HSS), a mobility management network element as part of the functions of a Mobility Management Entity (MME), a session management network element as part of the functions of an MME and a Serving Gateway (SGW), a policy control network element as a Policy and Charging Rules Function (PCRF), a user plane network element as a packet data gateway (PGW), and a terminal device as a UE.

The core network elements in the communication system are all core network elements of an LTE network. The interface between the MME and the E-UTRAN is the S1-MME interface, i.e. the interface between the eNodeB and the MME, used for transmitting user data and the corresponding user plane control frames. The interface between the PGW and the SGW is the S5/S8 interface: S5 is the interface between the SGW and the PGW inside the network, and when the SGW and the PGW are separate it should support SGW relocation during user mobility; S8 is the interface between an SGW and a PGW of a Public Land Mobile Network (PLMN), and has the function of the S5 interface in the roaming case. The interface between the SGW and the E-UTRAN is the S1-U interface, i.e. the interface between the eNodeB and the SGW, which carries the user plane tunnel and supports path switching between eNodeBs during handover. The interface between the SGW and the MME is the S11 interface, used for transmitting information such as bearer control and session control. The interface between the HSS and the MME is the S6a interface, which is mainly used for user access authentication, insertion of user subscription data, user PDN authorization for user access, authentication of a user's mobility management messages when interworking with a non-3GPP system, and the like.

The present application may also be applied to a dual connectivity network architecture. Fig. 2 shows another communication system architecture to which the present application is applicable. The communication system architecture may include a Master Node (MN), a Secondary Node (SN), a Core Network (CN), and a terminal device. In the dual connectivity communication system, the node that initiates dual connectivity is referred to as the master node, and may also be referred to as a master network node, a master base station, or the like. The other node, selected by the master node to serve the terminal device cooperatively, is referred to as the secondary node, and may also be referred to as a secondary network node or a secondary base station.

Five dual connectivity network architectures are shown by way of example below.

In the first network architecture, the MN is an eNB, the SN is an eNB, and the CN is an MME. The MN communicates with the SN through an X2 interface, and the MN communicates with the CN through an S1 interface, that is, the MN is connected to the MME in the 4G core network through the S1 interface.

In the second network architecture, the MN is an eNB, the SN is a gNB, and the CN is an MME. The MN and the SN communicate through an X2 interface, and the MN and the CN communicate through an S1 interface, that is, the MN may be connected to the MME in the 4G core network through the S1 interface. The second network architecture may also be referred to as the E-UTRAN New Radio dual connectivity (EN-DC) network architecture.

In the third network architecture, the MN is a gNB, the SN is an ng-eNB, and the CN is an AMF. The MN and the SN communicate through an Xn interface, and the MN and the CN communicate through an N2 interface, that is, the MN may be connected to the AMF of the 5G core network through the N2 interface.

In the fourth network architecture, the MN is an ng-eNB, the SN is a gNB, and the CN is an AMF. The MN and the SN communicate through an Xn interface, and the MN and the CN communicate through an N2 interface, that is, the MN may be connected to the AMF of the 5G core network through the N2 interface.

In the fifth network architecture, the MN is a gNB, the SN is a gNB, and the CN is an AMF. The MN and the SN communicate through an Xn interface, and the MN and the CN communicate through an N2 interface, that is, the MN may be connected to the AMF of the 5G core network through the N2 interface.

In the five dual connectivity network architectures, the terminal device can communicate with the MN or the SN through the Uu interface. For the specific possible forms of the terminal device, reference is made to the description of the terminal device in fig. 1a, which is not repeated here.

It should be understood that fig. 1a, fig. 1b and fig. 2 are only schematic diagrams, and that the communication systems shown in fig. 1a and fig. 1b may also include other radio access network devices, such as a wireless relay device and a wireless backhaul device, which are not shown in fig. 1a and fig. 1b. The number of core network devices, access network devices, and terminal devices included in the communication system is not limited in the present application.

It should be noted that the system architecture and the application scenarios described in the present application are intended to illustrate the technical solution of the present application more clearly and do not constitute a limitation of it; as a person of ordinary skill in the art knows, as the system architecture evolves and new service scenarios appear, the technical solution provided in the present application remains applicable to similar technical problems.

Currently, when determining whether to start integrity protection of a PDU session, the RAN decides based on the maximum integrity protection rate of the UE, which takes one of two values, 64Kbps or the full data rate, and on the user plane security policy of the PDU session. Specifically, if the maximum integrity protection rate of the UE is 64Kbps and the user plane integrity protection policy of the PDU session is preferred, the RAN determines that the DRB does not start user plane integrity protection; if the maximum integrity protection rate of the UE is the full data rate and the user plane integrity protection policy of the PDU session is preferred, the RAN determines whether to start user plane integrity protection of the PDU session according to its own condition (for example, if its own resources are sufficient it is started, otherwise it is not). If the user plane integrity protection policy is not needed, the RAN simply does not start user plane integrity protection. If the maximum integrity protection rate of the UE is 64Kbps and the user plane integrity protection policy of the PDU session is required, the SMF rejects the establishment or modification of the PDU session, and no DRB is allocated at the RAN.

However, the maximum integrity protection rate in the current standard has only two values, 64Kbps and the full data rate, which are two extremes, namely infinitesimal and infinite. When the maximum integrity protection rate of the UE is 64Kbps (a very small value), user plane integrity protection cannot be turned on for most of the data transmission between the UE and the network side, and the security of the user data is then not guaranteed. When the maximum integrity protection rate of the UE is the full data rate (an infinite value), whether data transmission between the UE and the network side turns on user plane integrity protection is determined entirely by the RAN. If the user plane integrity protection policy is preferred and the RAN resources are sufficient, all data transmission between the UE and the network side may turn on user plane integrity protection. Since starting user plane integrity protection greatly affects the performance of the UE, the service on the UE may become abnormal; for example, because the performance of the UE is degraded, the timeliness requirement of data transmission cannot be met.

In view of this, the present application provides a communication method which, when determining whether to start integrity protection of the first user plane resource, fully considers the maximum integrity protection rate of the terminal device and the used rate of the user plane resources on which integrity protection has been started, so as to ensure the timeliness and security of data transmission of the terminal device as much as possible. For example, if the maximum integrity protection rate of the terminal device is 1000Mbps and the sum of the used rates of the user plane resources on which user plane integrity protection has been started is 400Mbps, then, as long as the rate corresponding to the first user plane resource requested by the terminal device is less than 600Mbps, the terminal device may also start user plane integrity protection of the first user plane resource. That is, user plane integrity protection between the terminal device and the network side can be started as required according to the capability of the UE. This helps to avoid two problems: that the security of the transmitted data cannot be guaranteed because user plane integrity protection between the terminal device and the network side is always closed when the maximum integrity protection rate of the terminal device is 64Kbps, and that the performance of the terminal device becomes abnormal because user plane integrity protection between the terminal device and the network side is always started when the maximum integrity protection rate of the terminal device is the full data rate.

Referring to fig. 3, a method flow diagram of a communication method provided in the present application is shown. The method comprises the following steps:

step 301, the first communication device obtains a required rate, a remaining rate and a user plane security policy of the first terminal device.

The user plane security policy comprises user plane integrity protection on, user plane integrity protection optionally on, or user plane integrity protection off. The required rate indicates the rate required by the first user plane resource that the first terminal device requests to establish. The first user plane resource is a user plane resource to be established between the first terminal device and the first communication device, and may include one or more data bearers, such as DRBs or sidelink radio bearers (SLRBs). The remaining rate is determined based on the used rate of the first terminal device and the maximum integrity protection rate of the first terminal device. The maximum integrity protection rate indicates the maximum rate of the first terminal device after user plane integrity protection is started. It should be appreciated that the user plane security policy is used to determine whether to turn on integrity protection of the first user plane resource; that is to say, it is the user plane security policy corresponding to the first user plane resource to be established by the first terminal device. In addition, the first user plane resource may include one or more DRBs, and the user plane security policies of the one or more DRBs included in the first user plane resource are the same.

Here, the used rate indicates the rate used by the second user plane resource already established between the first terminal device and the first communication apparatus. Optionally, the second user plane resource includes all the user plane resources established by the first terminal device; optionally, the second user plane resource includes those user plane resources, among the user plane resources established by the first terminal device, for which user plane integrity protection has been started. Further, if the first terminal device has established a single second user plane resource, the used rate of the first terminal device is equal to the rate used by that second user plane resource; if the first terminal device has established a plurality of second user plane resources, the used rate of the first terminal device is equal to the sum of the rates used by the plurality of established second user plane resources.

Exemplarily, taking the user plane resource as a DRB, the user plane resources established by the first terminal device include DRB11, DRB12, DRB13 and DRB14, where DRB11, DRB12 and DRB13 all have user plane integrity protection enabled and DRB14 does not; the second user plane resources then include DRB11, DRB12 and DRB13. Further, the used rate is equal to the sum of the rate used by DRB11, the rate used by DRB12 and the rate used by DRB13.

In one possible implementation, the difference between the maximum integrity protection rate and the used rate may be determined as the remaining rate. Further, the maximum integrity protection rate comprises an uplink maximum integrity protection rate and a downlink maximum integrity protection rate, the required rate comprises an uplink required rate and a downlink required rate, and the remaining rate comprises an uplink remaining rate and a downlink remaining rate; the uplink remaining rate is equal to the difference between the uplink maximum integrity protection rate and the uplink used rate, and the downlink remaining rate is equal to the difference between the downlink maximum integrity protection rate and the downlink used rate.

In a possible implementation manner, the first communication device may be a radio access network device, and the process by which the radio access network device acquires the required rate, the remaining rate and the user plane security policy of the first terminal device may be as described in fig. 4 or fig. 10 below; alternatively, the first communication device may be a radio access network device in a handover process, and the process by which it acquires the required rate, the remaining rate and the user plane security policy of the first terminal device may be as described for the target radio access network device in fig. 5 below; alternatively, the first communication device may be a radio access network device in an RRC connection recovery process, and the process by which it acquires these parameters may be as described in fig. 6 below; alternatively, the first communication apparatus may be a secondary node in dual connectivity, and the process by which the secondary node acquires these parameters may be as described in fig. 7 or fig. 8 below; alternatively, the first communication device may be a master node in dual connectivity, and the process by which the master node acquires these parameters may be as described in fig. 9 below; or, the first communication device may be a second terminal device, and the process by which the second terminal device acquires these parameters may refer to the description of fig. 11 below. These are not repeated here.

In step 302, the first communications device may determine whether to initiate user plane integrity protection for the first user plane resource based on the required rate, the remaining rate, and the user plane security policy.

Here, three cases, distinguished by the user plane security policy, are shown by way of example as possible implementations of determining whether to start user plane integrity protection of the first user plane resource.

In case 1, the user plane security policy is user plane integrity protection on (required).

In case 1, if the remaining rate is greater than or equal to the required rate, first indication information is sent to the first terminal device, the first indication information being used to indicate that user plane integrity protection of the first user plane resource is started. Correspondingly, the first terminal device receives the first indication information and starts user plane integrity protection of the first user plane resource according to it. It should be understood that if the remaining rate is greater than or equal to the required rate, the normal communication service of the first terminal device is not affected after user plane integrity protection of the first user plane resource is started.

In case 1, if the remaining rate is less than the required rate, a third user plane resource is obtained and second indication information is sent to the first terminal device. The second indication information is used to indicate that user plane integrity protection of the first user plane resource is to be started and that user plane integrity protection of the third user plane resource is not to be started (i.e., is to be closed). The third user plane resource is a user plane resource whose user plane security policy is user plane integrity protection optionally on, which has already started user plane integrity protection, and whose used rate is greater than or equal to the difference between the required rate and the remaining rate. Correspondingly, the first terminal device receives the second indication information, starts user plane integrity protection of the first user plane resource according to it, and closes user plane integrity protection of the third user plane resource.

It should be noted that there may be one or more third user plane resources. That is, the first terminal device may have several user plane resources whose user plane security policy is user plane integrity protection optionally on and which have user plane integrity protection turned on; one of them whose used rate is greater than or equal to the difference between the required rate and the remaining rate may be selected as the third user plane resource, or several of them whose used rates sum to a value greater than or equal to the difference between the required rate and the remaining rate may be selected, the selected user plane resources being the third user plane resources.

Illustratively, the user plane resources of the first terminal device whose user plane security policy is user plane integrity protection optionally on include user plane resource 1, user plane resource 2, user plane resource 3, user plane resource 4 and user plane resource 5, where user plane resources 1, 2 and 3 have started user plane integrity protection and user plane resources 4 and 5 have not; a third user plane resource may then be selected from among user plane resources 1, 2 and 3. For example, if the used rate of user plane resource 1 is greater than or equal to the difference between the required rate and the remaining rate, user plane resource 1 is the third user plane resource. Of course, user plane resources 1, 2 and 3 may all be used as third user plane resources, or user plane resources 1 and 2 may both be used as third user plane resources. For another example, if the used rates of user plane resources 1, 2 and 3 are all smaller than the difference between the required rate and the remaining rate, while the sum of the used rates of user plane resources 1 and 2 is greater than or equal to that difference, then user plane resources 1 and 2 are the third user plane resources; user plane resources 1, 2 and 3 may also all be used as the third user plane resources. Further cases are not enumerated here.

It should be noted that if the sum of the used rates of all user plane resources of the first terminal device whose user plane security policy is user plane integrity protection optionally on and which have started user plane integrity protection is smaller than the difference between the required rate and the remaining rate, the request of the first terminal device to establish the first user plane resource is rejected.

In a possible implementation, if the remaining rate is less than the required rate, the request of the first terminal device to establish the first user plane resource may be rejected. For example, a first message is sent to the first terminal device, the first message being used to reject establishment of the first user plane resource by the first terminal device. Alternatively, a rejection request is sent to another radio access network device to trigger that device to send a second message to the first terminal device, the second message being used to reject establishment of the first user plane resource by the first terminal device. That is, based on the remaining rate and the required rate, it may be determined whether to accept or reject establishment of the first user plane resource; further, after the first user plane resource is established, it is determined whether to start user plane integrity protection of the first user plane resource.

In case 2, the user plane security policy is user plane integrity protection optionally on (preferred).

In case 2, if the remaining rate is greater than or equal to the required rate, first indication information is sent to the first terminal device, where the first indication information is used to indicate that user plane integrity protection of the first user plane resource is started. Correspondingly, the first terminal equipment receives the first indication information and starts the user plane integrity protection of the first user plane resource according to the first indication information.

In case 2, if the remaining rate is less than the required rate, third indication information is sent to the first terminal device, the third indication information being used to indicate that user plane integrity protection of the first user plane resource is not started. Correspondingly, the first terminal device receives the third indication information and does not start user plane integrity protection of the first user plane resource.

In case 3, the user plane security policy is user plane integrity protection off (not needed).

In case 3, it is determined not to start user plane integrity protection of the first user plane resource, and third indication information is sent to the first terminal device, the third indication information being used to indicate that user plane integrity protection of the first user plane resource is not started. Correspondingly, the first terminal device receives the third indication information and does not start user plane integrity protection of the first user plane resource.

It should be noted that the remaining rate being greater than or equal to the required rate means: the uplink remaining rate is greater than or equal to the uplink required rate and/or the downlink remaining rate is greater than or equal to the downlink required rate. The remaining rate being less than the required rate means: the uplink remaining rate is smaller than the uplink required rate and/or the downlink remaining rate is smaller than the downlink required rate.
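The rate bookkeeping of step 301 (used rate summed over the integrity-protected second user plane resources, remaining rate as maximum integrity protection rate minus used rate per direction) and the three cases of step 302, including the selection of third user plane resources in case 1, written out as an added Python example. It is not code from the patent or from any network equipment; the class names, the Mbit/s sample figures (chosen to mirror the 1000Mbps / 400Mbps illustration above), and the decision to read the "and/or" in the per-direction comparison strictly, so that both uplink and downlink must fit, are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class UpIpPolicy(Enum):
    """User plane integrity protection policy values: not needed / preferred / required."""
    NOT_NEEDED = "not needed"
    PREFERRED = "preferred"
    REQUIRED = "required"


@dataclass(frozen=True)
class Rate:
    """A bit rate split into uplink and downlink (sample unit: Mbit/s, an assumption)."""
    ul: int
    dl: int

    def __add__(self, o: "Rate") -> "Rate":
        return Rate(self.ul + o.ul, self.dl + o.dl)

    def __sub__(self, o: "Rate") -> "Rate":
        return Rate(self.ul - o.ul, self.dl - o.dl)

    def covers(self, need: "Rate") -> bool:
        # The text says "and/or" for the per-direction comparison; this example
        # takes the strict reading (assumption): both directions must fit.
        return self.ul >= need.ul and self.dl >= need.dl


@dataclass
class UserPlaneResource:
    """An already established user plane resource (e.g. a DRB) of the first terminal device."""
    name: str
    policy: UpIpPolicy
    integrity_on: bool
    used: Rate


@dataclass
class Decision:
    action: str                                        # enable / enable_and_disable / disable / reject
    disable: List[str] = field(default_factory=list)   # third user plane resources to switch off


def used_rate(resources: List[UserPlaneResource]) -> Rate:
    """Step 301: sum of the rates of established resources with integrity protection on."""
    total = Rate(0, 0)
    for r in resources:
        if r.integrity_on:
            total = total + r.used
    return total


def remaining_rate(max_ip_rate: Rate, resources: List[UserPlaneResource]) -> Rate:
    """Remaining rate = maximum integrity protection rate - used rate, per direction."""
    return max_ip_rate - used_rate(resources)


def select_third_resources(resources: List[UserPlaneResource], deficit: Rate) -> Optional[List[str]]:
    """Case 1 without enough headroom: pick 'preferred' resources with integrity protection on
    whose used rate (one alone, or several summed) is >= deficit; None if all fall short."""
    candidates = [r for r in resources if r.policy is UpIpPolicy.PREFERRED and r.integrity_on]
    for r in candidates:                       # a single resource covering the deficit
        if r.used.covers(deficit):
            return [r.name]
    chosen, acc = [], Rate(0, 0)               # otherwise accumulate, largest first
    for r in sorted(candidates, key=lambda c: c.used.ul + c.used.dl, reverse=True):
        chosen.append(r.name)
        acc = acc + r.used
        if acc.covers(deficit):
            return chosen
    return None


def decide(policy: UpIpPolicy, required: Rate, max_ip_rate: Rate,
           resources: List[UserPlaneResource]) -> Decision:
    """Step 302: decide on user plane integrity protection for the requested resource."""
    if policy is UpIpPolicy.NOT_NEEDED:        # case 3: never turned on
        return Decision("disable")
    remaining = remaining_rate(max_ip_rate, resources)
    if remaining.covers(required):             # cases 1 and 2: enough headroom, turn it on
        return Decision("enable")
    if policy is UpIpPolicy.PREFERRED:         # case 2: not enough headroom, leave it off
        return Decision("disable")
    deficit = required - remaining             # case 1: free headroom by closing 'preferred' resources
    third = select_third_resources(resources, deficit)
    if third is None:                          # even all of them cannot free enough rate
        return Decision("reject")
    return Decision("enable_and_disable", third)


# Constructed sample data (Mbit/s), not taken from the patent.
SAMPLE_MAX_IP_RATE = Rate(1000, 1000)
SAMPLE_RESOURCES = [
    UserPlaneResource("DRB11", UpIpPolicy.PREFERRED, True, Rate(100, 200)),
    UserPlaneResource("DRB12", UpIpPolicy.PREFERRED, True, Rate(50, 150)),
    UserPlaneResource("DRB13", UpIpPolicy.REQUIRED, True, Rate(20, 50)),
    UserPlaneResource("DRB14", UpIpPolicy.NOT_NEEDED, False, Rate(300, 300)),
]
```

With the sample data the used rate is (170, 400) and the remaining rate (830, 600); a required rate of (100, 950) under the required policy yields a deficit of 350 Mbit/s downlink, which DRB11 alone cannot cover, so DRB11 and DRB12 together are chosen as the third user plane resources.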

In step 301, the used rate of the first terminal device may be determined by any one or a combination of the following rate parameters (a), (b), (c), (d), (e), and (f). The rate parameters may include a real-time rate, a highest rate, a lowest rate, an average rate, etc. at which the first communication device transmits data on the user plane resource.

In one possible implementation, the rate parameter (a) is the PDU session aggregate maximum bit rate of the second user plane resource, i.e. the PDU session Aggregate Maximum Bit Rate. Further, the PDU session aggregate maximum bit rate includes a downlink/uplink PDU session aggregate maximum bit rate, i.e. PDU session Aggregate Maximum Bit Rate Downlink/Uplink. The rate parameter (a) may be stored in the PDU session related policy information of the PCF.

The rate parameter (b) is the APN aggregate maximum bit rate of the second user plane resource, i.e. per APN Aggregate Maximum Bit Rate, and includes a downlink/uplink APN aggregate maximum bit rate, i.e. per APN Aggregate Maximum Bit Rate Downlink/Uplink. The rate parameter (b) may be stored in the APN related policy information of the PCRF.

The rate parameter (c) is the UE aggregate maximum bit rate of the first terminal device, i.e. the UE Aggregate Maximum Bit Rate. Further, the UE aggregate maximum bit rate includes a downlink/uplink UE aggregate maximum bit rate, i.e. UE Aggregate Maximum Bit Rate Downlink/Uplink. The rate parameter (c) may be stored in the access and mobility related policy control information of the PCF or in the UE subscription information of the HSS/UDM.

The rate parameter (d) is the maximum flow bit rate of the GBR QoS flows of the second user plane resource, i.e. the Maximum Flow Bit Rate. Further, the maximum flow bit rate of a GBR QoS flow includes a downlink/uplink maximum flow bit rate, i.e. Maximum Flow Bit Rate Downlink/Uplink. The rate parameter (d) may be stored in the policy and charging control (PCC) rules of the PCF or PCRF.

The rate parameter (e) is the guaranteed flow bit rate of the GBR QoS flows of the second user plane resource, i.e. the Guaranteed Flow Bit Rate. Further, the guaranteed flow bit rate of a GBR QoS flow includes a downlink/uplink guaranteed flow bit rate, i.e. Guaranteed Flow Bit Rate Downlink/Uplink. The rate parameter (e) may be stored in the PCC rules of the PCF or PCRF.

The rate parameter (f) is the real-time rate of the second user plane resource. Further, the real-time rate includes an uplink real-time rate and a downlink real-time rate.

For example, if the second user plane resources of the terminal device include DRB11, DRB12 and DRB13, the QoS flow of DRB11 is non-GBR, and the QoS flows of DRB12 and DRB13 are both GBR, then the rate parameter (a) is the PDU session aggregate maximum bit rate of the PDU session corresponding to DRB11; the rate parameter (b) is the APN aggregate maximum bit rate of the APN corresponding to DRB11; the rate parameter (c) is the UE aggregate maximum bit rate of the terminal device; the rate parameter (d) is the maximum flow bit rate of the QoS flows contained in DRB12 and DRB13; and the rate parameter (e) is the guaranteed flow bit rate of the QoS flows contained in DRB12 and DRB13.

Four possible implementations of determining the used rate are described below.

Implementation one: the used rate takes its maximum value.

In one possible implementation, the sum of the PDU session aggregate maximum bit rates of all PDU sessions and the maximum flow bit rates of all GBR QoS flows is determined as the used rate; or, the sum of the UE aggregate maximum bit rate of the terminal device and the maximum flow bit rates of all GBR QoS flows is determined as the used rate.

For example, the second user plane resources may all be non-GBR or partly non-GBR. The sum of the PDU session aggregate maximum bit rates of the PDU sessions of all non-GBR QoS flows of the first terminal device and the maximum flow bit rates of all GBR QoS flows of the first terminal device is determined as the used rate; or, the sum of the UE aggregate maximum bit rate of the first terminal device and the maximum flow bit rates of all GBR QoS flows of the first terminal device is determined as the used rate.

Further, the used rate includes an uplink used rate and a downlink used rate. The sum of (i) the downlink PDU session aggregate maximum bit rate of all non-GBR QoS flows of the first terminal device, or the downlink UE aggregate maximum bit rate of the first terminal device, and (ii) the downlink maximum flow bit rates of all GBR QoS flows of the first terminal device is determined as the downlink used rate of the first terminal device; and the sum of (i) the uplink PDU session aggregate maximum bit rate of all non-GBR QoS flows of the first terminal device, or the uplink UE aggregate maximum bit rate of the first terminal device, and (ii) the uplink maximum flow bit rates of all GBR QoS flows of the first terminal device is determined as the uplink used rate of the first terminal device.

In another possible implementation, the sum of the PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on and the maximum flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the used rate.

Further, the used rate includes an uplink used rate and a downlink used rate. The sum of the downlink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on and the downlink maximum flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the downlink used rate of the first terminal device; and the sum of the uplink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on and the uplink maximum flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the uplink used rate of the first terminal device.

With the first implementation described above, the used rate is obtained on the assumption that all second user plane resources transmit data at their maximum bit rate. The remaining rate then represents the transmission capability the terminal still has in the limiting case, so that the communication service of the first terminal device can be guaranteed as far as possible. That is, the first implementation decides whether to start the user plane integrity protection of the first user plane resource from the perspective of the service availability of the first terminal device.

Implementation two: the used rate takes its minimum value.

In one possible implementation, the sum of the guaranteed flow bit rates of all GBR QoS flows of the first terminal device is determined as the used rate.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the downlink guaranteed flow bit rates of all GBR QoS flows of the first terminal device is determined as the downlink used rate of the first terminal device, and the sum of the uplink guaranteed flow bit rates of all GBR QoS flows of the first terminal device is determined as the uplink used rate of the first terminal device.

In another possible implementation, the sum of the guaranteed flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the used rate.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the downlink guaranteed flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the downlink used rate of the first terminal device, and the sum of the uplink guaranteed flow bit rates of all GBR QoS flows of the first terminal device whose user plane integrity protection is turned on is determined as the uplink used rate of the first terminal device.

With the second implementation described above, the used rate is obtained on the assumption that all second user plane resources transmit data at their minimum bit rate. The security of data transmission of the first terminal device can therefore be guaranteed as far as possible. That is, the second implementation decides whether to start the user plane integrity protection of the first user plane resource from the perspective of the security of data transmission of the first terminal device.

Implementation three: the used rate lies between the maximum value determined in implementation one and the minimum value determined in implementation two.

In one possible implementation, the sum of the PDU session aggregate maximum bit rates of all PDU sessions and the guaranteed flow bit rates of all GBR QoS flows is determined as the used rate.

For example, the used rate is determined as the sum of (i) the adjustment value of the PDU session aggregate maximum bit rate of all non-GBR QoS flows of the first terminal device, or the adjustment value of the UE aggregate maximum bit rate of the first terminal device, and (ii) the guaranteed flow bit rates of all GBR QoS flows.

The adjustment value may be obtained by adjusting down the PDU session aggregate maximum bit rate or the UE aggregate maximum bit rate. For example, the adjustment value may be obtained based on transmission statistics of the non-GBR QoS flows.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the downlink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device and the downlink guaranteed flow bit rates of all GBR QoS flows is determined as the downlink used rate, and the sum of the uplink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device and the uplink guaranteed flow bit rates of all GBR QoS flows is determined as the uplink used rate.

In another possible implementation, the used rate is determined as the sum of (i) the PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on, or the adjustment value of the UE aggregate maximum bit rate of the first terminal device, and (ii) the guaranteed flow bit rates of all GBR QoS flows whose user plane integrity protection is turned on.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the downlink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on and the downlink guaranteed flow bit rates of all GBR QoS flows whose user plane integrity protection is turned on is determined as the downlink used rate, and the sum of the uplink PDU session aggregate maximum bit rates of all non-GBR QoS flows of the first terminal device whose user plane integrity protection is turned on and the uplink guaranteed flow bit rates of all GBR QoS flows whose user plane integrity protection is turned on is determined as the uplink used rate.

With implementation three above, the used rate is obtained on the assumption that the second user plane resources transmit data at the adjusted intermediate rate. The remaining rate then represents a combined estimate of the terminal's capability, so that both the availability of the communication service of the first terminal device and the security of its data transmission can be guaranteed as far as possible.

Implementation four: the real-time rate of the second user plane resources is monitored in real time.

In one possible implementation, the sum of the monitored real-time rates of all second user plane resources is determined as the used rate of the first terminal device.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the monitored uplink real-time rates of the second user plane resources is determined as the uplink used rate, and the sum of the monitored downlink real-time rates of the second user plane resources is determined as the downlink used rate.

For example, the sum of the monitored real-time rates of all second user plane resources whose user plane integrity protection is turned on is determined as the used rate of the first terminal device.

Further, the used rate includes an uplink used rate and a downlink used rate: the sum of the monitored uplink real-time rates of the second user plane resources whose user plane integrity protection is turned on is determined as the uplink used rate, and the sum of the monitored downlink real-time rates of the second user plane resources whose user plane integrity protection is turned on is determined as the downlink used rate.

With the fourth implementation described above, the used rate is obtained on the assumption that the second user plane resources transmit data at their real-time rate. The remaining rate therefore represents the most accurate rate of the first terminal device, so that the decision rests on the most accurate data, and both the availability of the communication service of the first terminal device and the security of its data transmission are guaranteed as far as possible.
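The four ways of computing the used rate above, and the remaining rate derived from it, as an added worked example. This is illustration code written for this page, not code from the patent or from any 3GPP implementation. It assumes a small Python model in which a PDU session carries its aggregate maximum bit rate (rate parameter (a)) and each QoS flow carries its maximum flow bit rate, guaranteed flow bit rate and monitored real-time rate (rate parameters (d), (e), (f)); the per-flow `up_ip_on` flag, the `ue_ambr` argument (rate parameter (c), used in place of the PDU session AMBRs) and the modelling of implementation three's downward adjustment as a factor `ambr_adjust` are assumptions of the example. All sample rates are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rate:
    """Bit rate in Mbps, split into downlink and uplink, since the used rate
    is computed separately per direction."""
    dl: float
    ul: float

    def __add__(self, other: "Rate") -> "Rate":
        return Rate(self.dl + other.dl, self.ul + other.ul)

    def scale(self, factor: float) -> "Rate":
        return Rate(self.dl * factor, self.ul * factor)


ZERO = Rate(0.0, 0.0)


@dataclass
class QosFlow:
    name: str
    gbr: bool              # True for a GBR QoS flow, False for non-GBR
    up_ip_on: bool         # user plane integrity protection already on (assumed per-flow flag)
    mfbr: Rate = ZERO      # rate parameter (d): Maximum Flow Bit Rate (GBR only)
    gfbr: Rate = ZERO      # rate parameter (e): Guaranteed Flow Bit Rate (GBR only)
    realtime: Rate = ZERO  # rate parameter (f): monitored real-time rate


@dataclass
class PduSession:
    name: str
    session_ambr: Rate     # rate parameter (a): PDU session aggregate maximum bit rate
    flows: List[QosFlow] = field(default_factory=list)


def used_rate(sessions: List[PduSession], impl: int, only_up_ip_on: bool = False,
              ue_ambr: Optional[Rate] = None, ambr_adjust: float = 1.0) -> Rate:
    """Used rate under implementation one..four. only_up_ip_on restricts the
    sums to flows whose integrity protection is on; ue_ambr (parameter (c))
    replaces the sum of session AMBRs; ambr_adjust in (0, 1] is this example's
    model of implementation three's adjustment value."""
    pairs = [(s, f) for s in sessions for f in s.flows
             if not only_up_ip_on or f.up_ip_on]
    gbr_flows = [f for _, f in pairs if f.gbr]

    # A session AMBR is counted once per session carrying a selected non-GBR flow.
    ambr_total, seen = ZERO, set()
    for s, f in pairs:
        if not f.gbr and s.name not in seen:
            seen.add(s.name)
            ambr_total = ambr_total + s.session_ambr
    if ue_ambr is not None:
        ambr_total = ue_ambr

    total = ZERO
    if impl == 1:      # maximum: AMBR + MFBR of GBR flows
        total = ambr_total
        for f in gbr_flows:
            total = total + f.mfbr
    elif impl == 2:    # minimum: GFBR of GBR flows only
        for f in gbr_flows:
            total = total + f.gfbr
    elif impl == 3:    # intermediate: adjusted AMBR + GFBR of GBR flows
        total = ambr_total.scale(ambr_adjust)
        for f in gbr_flows:
            total = total + f.gfbr
    elif impl == 4:    # real-time: monitored rate of every selected flow
        for _, f in pairs:
            total = total + f.realtime
    else:
        raise ValueError("impl must be 1, 2, 3 or 4")
    return total


def remaining_rate(max_ip_rate: Rate, used: Rate) -> Rate:
    """Remaining rate = maximum integrity protection rate - used rate, per direction."""
    return Rate(max_ip_rate.dl - used.dl, max_ip_rate.ul - used.ul)


def sample_resources() -> List[PduSession]:
    """Constructed sample mirroring the DRB11/DRB12/DRB13 example: one non-GBR
    flow and two GBR flows in one PDU session. All numbers are made up."""
    return [
        PduSession("S1", session_ambr=Rate(500, 200), flows=[
            QosFlow("flow11", gbr=False, up_ip_on=True, realtime=Rate(120, 40)),
            QosFlow("flow12", gbr=True, up_ip_on=True,
                    mfbr=Rate(200, 100), gfbr=Rate(100, 50), realtime=Rate(90, 45)),
            QosFlow("flow13", gbr=True, up_ip_on=False,
                    mfbr=Rate(150, 80), gfbr=Rate(60, 30), realtime=Rate(70, 35)),
        ]),
    ]


def compare_implementations(max_ip_rate: Rate = Rate(1000, 1000)) -> Dict[str, Rate]:
    """Remaining rate under each implementation for the constructed sample."""
    sessions = sample_resources()
    return {
        "impl1": remaining_rate(max_ip_rate, used_rate(sessions, 1)),
        "impl2": remaining_rate(max_ip_rate, used_rate(sessions, 2)),
        "impl3": remaining_rate(max_ip_rate, used_rate(sessions, 3, ambr_adjust=0.5)),
        "impl4": remaining_rate(max_ip_rate, used_rate(sessions, 4)),
    }


if __name__ == "__main__":
    for name, rem in compare_implementations().items():
        print(f"{name}: remaining dl={rem.dl} Mbps, ul={rem.ul} Mbps")
```

Running it shows the ordering the text describes: implementation one leaves the least remaining rate (most conservative for availability), implementation two the most (most conservative for security), and implementations three and four fall in between.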

The communication method provided by the present application is described below with reference to possible application scenarios.

Scenario one: applied to a PDU session establishment procedure, a PDU session modification procedure, or an EPS bearer establishment procedure.

Please refer to fig. 4, which shows a communication method applied to a radio access network device according to the present application. In this method, the radio access network device is the first communication apparatus in fig. 3. The session management network element may be the SMF in fig. 1a or the MME in fig. 1b; the data management network element may be the UDM in fig. 1a or the HSS in fig. 1b; the policy control network element may be the PCF in fig. 1a or the PCRF in fig. 1b. The method comprises the following steps:

step 401, a first terminal device sends a first request message to a session management network element. Accordingly, the session management network element receives a first request message from the first terminal device.

Here, the first request message is used to request PDU session establishment, PDU session modification, or a bearer resource change. The first request message includes the maximum integrity protection rate of the first terminal device; that is, the session management network element may obtain the maximum integrity protection rate of the first terminal device from the first terminal device. Further, the maximum integrity protection rate reported by the first terminal device to the session management network element may take multiple values, such as 1Gbps (i.e., 1000Mbps) and 2Gbps, and the specific value may be set according to the performance of the first terminal device. For example, if the performance of the first terminal device is higher, the value may be larger; if the performance of the first terminal device is lower, the value may be smaller. Compared with the prior art, in which the maximum integrity protection rate of the terminal device takes only the two values 64Kbps and full data rate, in the present application the maximum integrity protection rate reported by the first terminal device can take more values and can therefore reflect the performance of the first terminal device.

It should be noted that, during the PDU session establishment or PDU session modification or bearer resource change process, the first terminal device may finally establish the first user plane resource with the radio access network device, where the first user plane resource may be one or more DRBs.

Step 402, the session management network element obtains the user plane security policy of the first user plane resource according to the first request message.

Here, the session management network element may obtain an identifier of the first terminal device, e.g. a subscription permanent identifier (SUPI), from the context of the terminal device according to the first request message.

In one possible implementation, the session management network element sends a subscription acquisition request message to the data management network element. Accordingly, the data management network element receives the subscription acquisition request message from the session management network element. Here, the subscription acquisition request message is used to request the user plane security policy of the first terminal device. The subscription acquisition request message may include the identifier of the first terminal device, a Data Network Name (DNN) and/or a network slice identifier (NSSAI); the data management network element may obtain the subscription information of the first terminal device according to the SUPI, and then obtain the user plane security policy of the first terminal device according to the DNN and/or the NSSAI.

In another possible implementation, the session management network element may also obtain the user plane security policy of the first terminal device from its local configuration. For example, when the first request message includes the DNN and/or the NSSAI, the session management network element may determine the user plane security policy of the first terminal device from the local configuration according to the DNN and/or the NSSAI.

It should be noted that the user plane security policy of the first terminal device obtained by the session management network element is subsequently used by the radio access network device as the basis for determining whether to start integrity protection on the first user plane resource, and therefore may also be referred to as the user plane security policy of the first user plane resource.

Step 403, the session management network element obtains the required rate for establishing the first user plane resource according to the first request message.

In one possible implementation, the session management network element sends a policy control creation message to the policy control network element. The policy control creation message is used to request the required rate for establishing the first user plane resource. When the policy control creation message includes the SUPI and the DNN and/or the NSSAI, the policy control network element may obtain the policy information of the first terminal device according to the SUPI, and obtain the required rate for establishing the first user plane resource from the policy information according to the DNN and/or the NSSAI. In this case, the required rate may be a PDU session aggregate maximum bit rate or an APN aggregate maximum bit rate.

In another possible implementation, when the policy control creation message includes the SUPI, the DNN and/or the NSSAI, and a flow template, the policy control network element may obtain the policy information of the first terminal device according to the SUPI, and then obtain the required rate for establishing the first user plane resource from the policy information according to the DNN and/or the NSSAI and the flow template. The flow template is used to indicate the QoS flow. In this case, the required rate may be a maximum flow bit rate or a guaranteed flow bit rate.

It should be noted that the required rate of the first terminal device obtained by the session management network element is subsequently used by the radio access network device as a reference for establishing the first user plane resource for the first terminal device, and therefore may also be referred to as the required rate of the first user plane resource.

It should be further noted that there is no fixed order between step 402 and step 403: step 402 may be executed first and then step 403; step 403 may be executed first and then step 402; or step 402 and step 403 may be executed simultaneously. This is not limited in this application.

Step 404, the session management network element sends a first response message to the radio access network device. Accordingly, the radio access network device receives the first response message from the session management network element.

Here, the first response message includes a user plane security policy of the first user plane resource, a maximum integrity protection rate of the first terminal device, and a required rate for establishing the first user plane resource.

Step 405, the radio access network device obtains the used rate of the first terminal device from the locally stored context of the terminal device.

The required rate, the maximum integrity protection rate, and the used rate may be referred to the related description of step 301, and are not repeated herein.

In step 406, the radio access network device determines the remaining rate of the first terminal device according to the maximum integrity protection rate of the first terminal device and the used rate of the first terminal device.

This step 406 may refer to the manner of determining the remaining rate in step 301, and will not be repeated here.

Step 407, the radio access network device determines whether to start the user plane integrity protection of the first user plane resource according to the rate required for establishing the first user plane resource, the remaining rate of the first terminal device, and the user plane security policy of the first user plane resource.

For example, the maximum integrity protection rate of the first terminal device is 1000Mbps, and the rate used by the second user plane resource already established on the first terminal device is 400Mbps, that is, the used rate of the first terminal device is 400Mbps, then if the required rate of the first user plane resource to be established is less than or equal to 600Mbps, it indicates that the first terminal device has the ability to start the user plane integrity protection of the first user plane resource. Further, if the user plane security policy of the first user plane resource is the user plane integrity protection starting, it may be determined to start the user plane integrity protection of the first user plane resource. If the user plane security policy of the first user plane resource is the user plane integrity protection optional start, the user plane integrity protection of the first user plane resource can also be determined to be started.

The step 407 can refer to the description of the step 302, and the description is not repeated here.

In step 408, the radio access network device sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the radio access network device.

In one possible implementation, the RRC reconfiguration message includes security indication information. The security indication information is used to indicate to the first terminal device whether to start the user plane integrity protection of the first user plane resource. Further, the security indication information may be the first indication information, the second indication information, or the third indication information. If the security indication information is the third indication information, it is also used to indicate that the user plane integrity protection of the third user plane resource is to be closed. For the first indication information, the second indication information and the third indication information, refer to the description of step 302, which is not repeated here.

In step 409, the first terminal device sends an RRC reconfiguration complete message to the radio access network device.

The RRC reconfiguration complete message is used to indicate that the first terminal device has started or has not started user plane integrity protection of the first user plane resource.

Through the above steps 401 to 409, the radio access network device can accurately determine whether to start the user plane integrity protection of the first user plane resource based on the maximum integrity protection rate, the used rate, the required rate and the user plane security policy, so as to ensure the timeliness and security of data transmission of the first terminal device as far as possible. That is, user plane integrity protection between the terminal device and the network side can be started on demand according to the capability of the terminal device. This helps to avoid two problems of the prior art: when the maximum integrity protection rate of the terminal device is 64Kbps, user plane integrity protection between the terminal device and the network side is always closed, so the security of the transmitted data cannot be guaranteed; and when the maximum integrity protection rate of the terminal device is the full data rate, user plane integrity protection between the terminal device and the network side is always started, so the performance of the terminal device becomes abnormal.

Scenario two: applied to a handover procedure of the terminal device between different radio access network devices.

Please refer to fig. 5, which shows a communication method applied to a handover procedure of a terminal device between radio access network devices according to the present application. In this method, the target radio access network device is the first communication apparatus in fig. 3, and the source radio access network device is the radio access network device to which the first terminal device is currently connected. The method comprises the following steps:

step 500, the first terminal device sends a measurement report to the source radio access network device. Accordingly, the source radio access network device receives a measurement report from the first terminal device.

In one possible implementation, the source radio access network device may determine whether to perform a handover according to the measurement report reported by the first terminal device; if a handover is to be performed, the source radio access network device executes step 501, i.e. sends a handover request message to the target radio access network device. For example, if the measurement report shows that the signal strength between the first terminal device and the target radio access network device is good while the signal strength between the first terminal device and the source radio access network device is poor, the source radio access network device sends a handover request message to the target radio access network device.

Step 501, the source radio access network device sends a handover request message to the target radio access network device. Accordingly, the target radio access network device receives the handover request message from the source radio access network device.

The handover request message includes a required rate of the first user plane resource, a user plane security policy of the first user plane resource, and a maximum integrity protection rate of the first terminal device. Wherein the required rate of the first user plane resource, the user plane security policy of the first user plane resource, and the maximum integrity protection rate of the first terminal device are obtained by the source radio access network device from the context of the first terminal device.

In particular, since the handover procedure migrates all the context information of the first terminal device from the source radio access network device to the target radio access network device, for the target radio access network device the required rate of the first terminal device includes the required rates of the user plane resources already established between the source radio access network device and the first terminal device. In other words, for the target radio access network device, the required rate of the first user plane resource includes the required rates of the user plane resources already established in the source radio access network device.

For example, if the source radio access network device has established DRB11, DRB12 and DRB13 with the first terminal device, the required rate of the first user plane resource may include the required rate for establishing DRB11, the required rate for establishing DRB12, and the required rate for establishing DRB13.

In particular, the user plane security policies of different user plane resources may be the same or different. The user plane security policy includes the user plane security policies of the user plane resources established between the source radio access network device and the first terminal device.

Step 502, the target radio access network device determines the remaining rate of the first terminal device according to the maximum integrity protection rate of the first terminal device and the used rate of the first terminal device.

Specifically, when the target radio access network device receives the handover request message, it has not yet established any user plane resource with the first terminal device, so the used rate is initially 0 and the remaining rate is therefore the maximum integrity protection rate. As the target radio access network device successively determines to start the user plane integrity protection of user plane resources, the used rate increases and the remaining rate decreases.

The step 502 may refer to the manner of determining the remaining rate in the step 301, and details are not repeated here.

Step 503, the target radio access network device determines whether to start the user plane integrity protection of the first user plane resource according to the required rate of the first user plane resource, the remaining rate of the first terminal device, and the user plane security policy of the first user plane resource.

The first user plane resource comprises the user plane resources established between the source radio access network device and the first terminal device.

Optionally, the target radio access network device first determines whether to start the user plane integrity protection of the user plane resources whose user plane security policy is user plane integrity protection start (required), and then determines whether to start the user plane integrity protection of the user plane resources whose user plane security policy is user plane integrity protection optional start (preferred).

Optionally, after the target radio access network device determines whether to start the user plane integrity protection of the user plane resource, step 503 is repeated until the determination of whether to start the user plane integrity protection of all the user plane resources included in the first user plane resource is completed.

For example, if the first user plane resource includes DRB11, DRB12 and DRB13, the user plane security policy of DRB11 indicates that user plane integrity protection is to be started, the user plane security policy of DRB12 indicates that user plane integrity protection is optionally started, and the user plane security policy of DRB13 indicates that user plane integrity protection is not started, then the target radio access network device first determines whether the user plane integrity protection of DRB11 can be started according to the required rate of DRB11 and the remaining rate (at this time, the maximum integrity protection rate), then determines whether the user plane integrity protection of DRB12 can be started according to the required rate of DRB12 and the remaining rate, and does not start the user plane integrity protection of DRB13.
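The decision rule of step 407 (required rate compared with the remaining rate, then the user plane security policy) and its repeated application during handover in step 503 (required resources first, then optional ones, with the remaining rate shrinking each time protection is started), as one added worked example. This is illustration code written for this page, not code from the patent. It assumes that the required and remaining rates are compared separately for downlink and uplink and that starting protection consumes the resource's required rate; the "unsatisfiable" outcome for a required policy that does not fit is an assumption of this example, since the text defers that case to step 302, which is not part of this section. The DRB names and the 1000Mbps maximum integrity protection rate follow the text; the per-DRB rates are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class UpIpPolicy(Enum):
    """The three user plane security policy values named in the text."""
    REQUIRED = "start"        # user plane integrity protection start
    PREFERRED = "optional"    # user plane integrity protection optional start
    NOT_NEEDED = "closed"     # user plane integrity protection closed


@dataclass(frozen=True)
class Rate:
    dl: float   # Mbps
    ul: float


@dataclass(frozen=True)
class Drb:
    name: str
    required: Rate        # required rate of this user plane resource
    policy: UpIpPolicy    # user plane security policy of this resource


def remaining_rate(max_ip_rate: Rate, used: Rate) -> Rate:
    return Rate(max_ip_rate.dl - used.dl, max_ip_rate.ul - used.ul)


def has_capability(required: Rate, remaining: Rate) -> bool:
    """The terminal can protect the resource when the required rate fits in
    the remaining rate in both directions (assumption: per-direction check)."""
    return required.dl <= remaining.dl and required.ul <= remaining.ul


def decide_one(drb: Drb, remaining: Rate) -> Tuple[str, Rate]:
    """Step-407 style decision for one resource.

    Returns (decision, remaining rate after the decision); decision is 'on',
    'off' or 'unsatisfiable'. Starting protection consumes the required rate.
    """
    if drb.policy is UpIpPolicy.NOT_NEEDED:
        return "off", remaining
    if has_capability(drb.required, remaining):
        return "on", Rate(remaining.dl - drb.required.dl, remaining.ul - drb.required.ul)
    if drb.policy is UpIpPolicy.PREFERRED:
        return "off", remaining           # optional: fall back to no protection
    return "unsatisfiable", remaining     # required, but no capability left (assumed outcome)


_PRIORITY = {UpIpPolicy.REQUIRED: 0, UpIpPolicy.PREFERRED: 1, UpIpPolicy.NOT_NEEDED: 2}


def decide_handover(drbs: List[Drb], max_ip_rate: Rate,
                    used: Rate = Rate(0, 0)) -> Dict[str, str]:
    """Step-503 style decision over all resources migrated in a handover.

    The target node starts with used rate 0, handles REQUIRED resources before
    PREFERRED ones, and never starts protection for NOT_NEEDED resources.
    sorted() is stable, so resources with equal policy keep their given order.
    """
    remaining = remaining_rate(max_ip_rate, used)
    decisions: Dict[str, str] = {}
    for drb in sorted(drbs, key=lambda d: _PRIORITY[d.policy]):
        decisions[drb.name], remaining = decide_one(drb, remaining)
    return decisions


def handover_example() -> Dict[str, str]:
    """Constructed input following the DRB11/DRB12/DRB13 example of the text."""
    drbs = [
        Drb("DRB11", Rate(400, 200), UpIpPolicy.REQUIRED),
        Drb("DRB12", Rate(500, 300), UpIpPolicy.PREFERRED),
        Drb("DRB13", Rate(300, 100), UpIpPolicy.NOT_NEEDED),
    ]
    return decide_handover(drbs, Rate(1000, 1000))


if __name__ == "__main__":
    # Single decision of step 407: maximum 1000Mbps, used 400Mbps, required 600Mbps
    print(decide_one(Drb("new", Rate(600, 600), UpIpPolicy.REQUIRED),
                     remaining_rate(Rate(1000, 1000), Rate(400, 400))))
    print(handover_example())
```

In the handover example DRB11 is started first and leaves 600Mbps downlink, DRB12 then fits and is started as well, and DRB13 is left unprotected regardless of the remaining rate. Listing a preferred resource before a required one in the input does not change the outcome, because the required one is always decided first.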

This step 503 can be referred to the description of step 302 above, and will not be repeated here.

In step 504, the target radio access network device sends a handover response message to the source radio access network device.

The handover response message includes security indication information. The security indication information can be referred to the description of the security indication information in step 408, and is not described herein again.

In step 505, the source radio access network device sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the source radio access network device.

This step 505 can be referred to the description of step 408 above, and will not be repeated here.

In step 506, the first terminal device sends an RRC reconfiguration complete message to the target radio access network device.

The RRC reconfiguration complete message in step 506 may refer to the description of step 409, and is not repeated here.

Scenario three: applied to an RRC connection recovery procedure.

Please refer to fig. 6, which shows a communication method applied to an RRC connection recovery procedure according to the present application. In this method, the target radio access network device is the first communication apparatus in fig. 3. The method comprises the following steps:

Step 601, the first terminal device sends an RRC recovery request message to the target radio access network device. Accordingly, the target radio access network device receives the RRC recovery request message from the first terminal device.

In a possible implementation manner, the RRC recovery request message is used to request recovery of the RRC connection, and the RRC recovery request message may include an identifier of the first terminal device.

Step 602, the target radio access network device sends a context request message of the terminal device (UE Context Request) to the source radio access network device according to the RRC recovery request message. Accordingly, the source radio access network device receives the context request message of the terminal device from the target radio access network device.

In a possible implementation manner, the context request message of the terminal device is used to request the context of the first terminal device, and the context request message of the terminal device includes an identifier of the first terminal device.

Step 603, the source radio access network device determines the context of the terminal device of the first terminal device according to the context request message of the terminal device.

Here, the source radio access network device may determine the context of the terminal device according to the identifier of the first terminal device in the context request message of the terminal device, where the context of the terminal device includes a required rate of the first terminal device, a user plane security policy, and a maximum integrity protection rate.

In step 604, the source radio access network device sends a Context Response message (UE Context Response) of the terminal device to the target radio access network device. Accordingly, the target radio access network device receives a context response message from the terminal device of the source radio access network device.

The context response message of the terminal device includes a required rate, a user plane security policy and a maximum integrity protection rate of the first terminal device.

This step 604 can be seen in the introduction to step 501.

Step 605, the target radio access network device determines the remaining rate of the first terminal device according to the maximum integrity protection rate and the used rate of the first terminal device.

The step 605 can refer to the description of the step 502, and the description thereof is not repeated.

Step 606, the target radio access network device determines whether to enable user plane integrity protection of the first user plane resource according to the required rate and the user plane security policy carried in the UE Context Response message and the remaining rate determined in step 605.

The step 606 can be referred to the description of the step 504, and the description thereof is not repeated here.

In step 607, the target radio access network device sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the target radio access network device.

This step 607 can be referred to the description of step 408 above, and will not be repeated here.

In step 608, the first terminal device sends an RRC reconfiguration complete message to the target radio access network device.

This step 608 can be referred to the description of the step 409, and will not be repeated here.

Scenario four, applied to a bearer addition procedure or a bearer modification procedure in a dual connectivity (DC) system.

As shown in fig. 7, a communication method applied to the secondary node in dual connectivity is provided by the present application. In this method, the secondary node is the first communication apparatus in fig. 3. The method comprises the following steps:

Step 701, the master node obtains the required rate, the maximum integrity protection rate, the used rate and the user plane security policy of the first terminal device.

In a possible implementation, the master node decides to offload an already established first user plane resource to the secondary node, that is, the master node decides to release the first user plane resource on its own side and requests the secondary node to establish the first user plane resource for the first terminal device. The master node may obtain the required rate, the maximum integrity protection rate, the used rate and the user plane security policy of the first terminal device from the locally stored UE context.

In this case, the used rate indicates the rate used by the second user plane resource established between the first terminal device and the master node, and does not include the rate used by the first user plane resource. Optionally, the second user plane resource comprises all user plane resources established by the first terminal device except the first user plane resource. Optionally, if user plane integrity protection is already enabled on the first user plane resource, the second user plane resource comprises those user plane resources established by the first terminal device, other than the first user plane resource, on which user plane integrity protection is enabled.

For example, taking the user plane resource as a DRB, the user plane resources established between the first terminal device and the master node are DRB11, DRB12, DRB13 and DRB14. User plane integrity protection is enabled on DRB11, DRB12 and DRB13 and not enabled on DRB14. If the master node prepares to offload DRB11 to the secondary node, the second user plane resource comprises DRB12 and DRB13, and the used rate is the rate consumed by DRB12 and DRB13.

In another possible implementation, the master node decides to request the secondary node to establish a new first user plane resource for the first terminal device, that is, the master node does not offload an existing user plane resource. The master node may then obtain the required rate, the maximum integrity protection rate, the used rate and the user plane security policy of the first terminal device from the locally stored UE context. In this case the used rate is determined in the manner described for step 301 in fig. 3, which is not repeated here.

Step 702, the master node sends an SN Addition Request message or an SN Modification Request message for the first terminal device to the secondary node. Accordingly, the secondary node receives the SN Addition Request message or the SN Modification Request message from the master node.

Here, the SN Addition Request message or the SN Modification Request message carries the required rate, the maximum integrity protection rate, the used rate and the user plane security policy of the first terminal device.

In step 703, the secondary node determines the remaining rate according to the maximum integrity protection rate and the used rate.

The step 703 may refer to the manner of determining the remaining rate in the step 301, and is not repeated here.

Step 704, the secondary node determines whether to start the user plane integrity protection of the first user plane resource according to the required rate, the residual rate and the user plane security policy.

This step 704 can be referred to the description of step 302 above, and will not be repeated here.

Step 705, the secondary node sends an SN Addition Request ACK message or an SN Modification Request ACK message to the primary node.

Here, the SN Addition Request ACK message or the SN Modification Request ACK message includes security indication information, which indicates whether the first terminal device is to enable user plane integrity protection on the first user plane resource.

Optionally, after determining to enable user plane integrity protection on the first user plane resource, the secondary node also includes in the SN Addition Request ACK message or the SN Modification Request ACK message the rate used by the first user plane resource once its user plane integrity protection is enabled.

Step 706, the master node obtains and records the rate reported by the secondary node for the first user plane resource with user plane integrity protection enabled.

In a possible implementation, the master node records this rate in the UE context of the first terminal device. When a further user plane resource is established later, the first user plane resource, with its recorded rate, counts as part of the second user plane resource and therefore contributes to the used rate. Without this bookkeeping the master node would not count the rate already committed to integrity protection on the secondary node and could exceed the terminal device's maximum integrity protection rate.

In step 707, the primary node sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the primary node.

Step 707 is an optional step, and can be referred to the description of step 408 above, and will not be repeated here.

Step 708, the first terminal device sends an RRC reconfiguration complete message to the master node.

This step 708 can be referred to the description of the step 409, and will not be repeated here.

Through the above steps 701 to 708, the master node sends the maximum integrity protection rate, the used rate, the required rate and the user plane security policy of the first terminal device to the secondary node, and the secondary node can accurately determine from these four inputs whether to enable user plane integrity protection of the first user plane resource, so as to ensure the timeliness and security of the terminal device's data transmission as far as possible.

Scenario five, applied to a bearer addition procedure or a bearer modification procedure in a dual connectivity system.

Referring to fig. 8, a communication method applied to the secondary node in dual connectivity is provided by the present application. In this method, the secondary node is the first communication apparatus in fig. 3. The method comprises the following steps:

step 801, a master node acquires a used rate, a required rate, a maximum integrity protection rate and a user plane security policy of a first terminal device.

For step 801, reference may be made to the description of step 701 above, and details are not repeated here.

In step 802, the master node determines the remaining rate based on the maximum integrity protection rate and the used rate.

The step 802 may refer to the manner of determining the remaining rate in the step 301, and details are not repeated here.

Step 803, the master node sends an SN Addition Request message or an SN Modification Request message to the secondary node. Accordingly, the secondary node receives the SN Addition Request message or the SN Modification Request message from the master node.

Here, the SN Addition Request message or the SN Modification Request message carries the required rate, the remaining rate and the user plane security policy of the first terminal device.

Step 804, the secondary node determines whether to enable user plane integrity protection of the first user plane resource according to the required rate, the remaining rate and the user plane security policy.

This step 804 can be referred to the description of step 302 above, and will not be repeated here.

In step 805, the secondary node sends an SN Addition Request ACK message or an SN Modification Request ACK message to the primary node.

Here, the SN Addition Request ACK message or the SN Modification Request ACK message includes security indication information, which indicates whether the first terminal device is to enable user plane integrity protection on the first user plane resource.

Optionally, after determining to enable user plane integrity protection on the first user plane resource, the secondary node also includes in the SN Addition Request ACK message or the SN Modification Request ACK message the rate used by the first user plane resource once its user plane integrity protection is enabled.

In step 806, the primary node obtains and records the rate used by the secondary node to start the integrity protection of the user plane of the first user plane resource.

This step 806 can be referred to the description of step 706, and will not be repeated here.

In step 807, the primary node sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the primary node.

This step 807 is an optional step, which can be referred to the description of step 408 above, and will not be repeated here.

Step 808, the first terminal device sends an RRC reconfiguration complete message to the master node.

Through the above steps 801 to 808, the master node sends the remaining rate it has determined, together with the required rate and the user plane security policy of the first terminal device, to the secondary node, and the secondary node can accurately determine from these inputs whether to enable user plane integrity protection of the first user plane resource, so as to ensure the timeliness and security of the terminal device's data transmission as far as possible.

The difference between fig. 8 and fig. 7 is which node determines the remaining rate: in fig. 7 it is the secondary node, which therefore needs the maximum integrity protection rate and the used rate; in fig. 8 it is the master node, which sends only the remaining rate.

Scenario six, applied to a bearer addition procedure or a bearer modification procedure in a dual connectivity system.

Referring to fig. 9, a communication method applied to the master node in dual connectivity is provided. In this method, the master node is the first communication apparatus in fig. 3. The method comprises the following steps:

in step 901, the master node obtains a required rate, a maximum integrity protection rate, a used rate, and a user plane security policy of the first terminal device.

In a possible implementation manner, when the master node determines to establish the first user plane resource for the first terminal device, the master node may trigger to acquire a required rate, a maximum integrity protection rate, a used rate, and a user plane security policy of the first terminal device.

In step 902, the master node determines the remaining rate based on the maximum integrity protection rate and the used rate.

The step 902 may refer to the manner of determining the remaining rate in the step 301, and details are not repeated here.

Step 903, the master node determines whether to start user plane integrity protection of the first user plane resource according to the required rate, the residual rate and the user plane security policy.

The step 903 may refer to the description of the step 302, and the description is not repeated here.

Step 904, the master node sends fourth indication information to the secondary node.

Here, the fourth indication information carries the result of the master node's determination, that is, whether the master node has decided to enable user plane integrity protection on the first user plane resource, so that the secondary node applies the same decision instead of making its own. The fourth indication information may also be called user plane security decision information.

Step 904 is an optional step. In a possible implementation, the master node sends an SN Addition Request message or an SN Modification Request message to the secondary node, and the message carries the fourth indication information.

Step 905, the primary node sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the primary node.

This step 905 can be referred to the description of step 408 above, and will not be repeated here.

In step 906, the first terminal device sends an RRC reconfiguration complete message to the primary node.

This step 906 can be referred to the description of step 409, and will not be repeated here.

As can be seen from steps 901 to 906, after the master node in dual connectivity accurately determines whether to enable user plane integrity protection of the first user plane resource, it notifies the secondary node of the result, so that the secondary node applies the same decision for the first user plane resource and the timeliness and security of the terminal device's data transmission are ensured as far as possible.
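The three dual connectivity variants above (fig. 7: the secondary node computes the remaining rate and decides; fig. 8: the master node computes the remaining rate, the secondary node decides; fig. 9: the master node decides and sends the fourth indication) differ only in which inputs cross the master-to-secondary interface. The following is an added example, written for this page and not code from the patent, that models all three with the DRB11 to DRB14 bookkeeping from step 701 and the step 706 recording. The message layouts, field names, the numeric rates and the decision rule used for step 302 (a "required" policy must fit the remaining rate or the bearer is not admitted, "preferred" is enabled only if it fits, "not needed" is never enabled) are assumptions, since this section does not spell that rule out.

```python
"""Added example (not from the patent): DC bearer addition/modification with the
user plane integrity protection (UP IP) decision, covering figs. 7, 8 and 9.
Rates are in kbit/s; policies, messages and the step 302 rule are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Bearer:
    drb_id: int
    rate_kbps: int        # rate the bearer consumes
    up_ip_enabled: bool   # user plane integrity protection on/off


@dataclass
class UeContext:
    max_ip_rate_kbps: int                         # maximum integrity protection rate
    bearers: dict = field(default_factory=dict)   # drb_id -> Bearer


def used_rate(ctx, exclude_drb=None):
    """Step 701: rate of the second user plane resource = established bearers with
    UP IP enabled, excluding a bearer being offloaded to the SN (the SN re-decides it)."""
    return sum(b.rate_kbps for b in ctx.bearers.values()
               if b.up_ip_enabled and b.drb_id != exclude_drb)


def remaining_rate(max_ip_rate, used):
    """Steps 301/703/802: remaining = maximum integrity protection rate - used rate."""
    return max(max_ip_rate - used, 0)


def decide_up_ip(required, remaining, policy):
    """Assumed step 302 rule: True (enable), False (do not enable), None (cannot admit)."""
    if policy == "not_needed":
        return False
    if policy == "required":
        return True if required <= remaining else None
    if policy == "preferred":
        return required <= remaining
    raise ValueError(f"unknown policy {policy!r}")


def mn_build_request(ctx, drb_id, required, policy, variant, offload=False):
    """Steps 702/803/904: MN builds the SN Addition/Modification Request.
    'fig7': SN computes remaining and decides; 'fig8': MN computes remaining,
    SN decides; 'fig9': MN decides and sends the fourth indication."""
    used = used_rate(ctx, drb_id if offload else None)
    remaining = remaining_rate(ctx.max_ip_rate_kbps, used)
    req = {"drb_id": drb_id, "required_rate": required, "policy": policy}
    if variant == "fig7":
        req.update(max_ip_rate=ctx.max_ip_rate_kbps, used_rate=used)
    elif variant == "fig8":
        req["remaining_rate"] = remaining
    elif variant == "fig9":
        req["up_ip_decision"] = decide_up_ip(required, remaining, policy)
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return req


def sn_handle_request(req):
    """Steps 703-705 / 804-805: SN derives the decision and builds the ACK carrying
    the security indication and, when enabling, the rate the bearer will use."""
    if "up_ip_decision" in req:                       # fig. 9: MN already decided
        decision = req["up_ip_decision"]
    else:
        remaining = req.get("remaining_rate")         # fig. 8: MN supplied it
        if remaining is None:                         # fig. 7: SN computes it
            remaining = remaining_rate(req["max_ip_rate"], req["used_rate"])
        decision = decide_up_ip(req["required_rate"], remaining, req["policy"])
    ack = {"drb_id": req["drb_id"], "up_ip_enabled": decision}
    if decision:
        ack["used_rate"] = req["required_rate"]
    return ack


def run_dc_procedure(ctx, drb_id, required, policy, variant, offload=False):
    """Full MN<->SN exchange; returns the ACK, or None if the bearer is not admitted."""
    ack = sn_handle_request(mn_build_request(ctx, drb_id, required, policy, variant, offload))
    if ack["up_ip_enabled"] is None:
        return None
    # Step 706: MN records the SN-side bearer in the UE context so the next
    # decision counts it as part of the second user plane resource.
    rate = ack["used_rate"] if ack["up_ip_enabled"] else required
    ctx.bearers[drb_id] = Bearer(drb_id, rate, ack["up_ip_enabled"])
    return ack


def example_context():
    """Constructed data mirroring the DRB11..DRB14 example with a 2000 kbit/s budget."""
    ctx = UeContext(max_ip_rate_kbps=2000)
    for drb_id, rate, ip in ((11, 500, True), (12, 600, True), (13, 400, True), (14, 1000, False)):
        ctx.bearers[drb_id] = Bearer(drb_id, rate, ip)
    return ctx


if __name__ == "__main__":
    ctx = example_context()
    print(run_dc_procedure(ctx, 11, 500, "preferred", "fig7", offload=True))  # DRB11 offloaded
    print(run_dc_procedure(ctx, 15, 700, "preferred", "fig8"))                # over budget: off
    print(run_dc_procedure(ctx, 15, 700, "required", "fig9"))                 # over budget: None
```

Offloading DRB11 excludes it from the used rate (DRB12 and DRB13 give 1000 kbit/s, leaving 1000 kbit/s), so it is re-admitted with protection; the recorded 500 kbit/s then counts against the budget when DRB15 is requested, which is why a 700 kbit/s "preferred" bearer comes up unprotected and a "required" one is not admitted.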

Scenario seven, applied to a PDU session establishment procedure, a PDU session modification procedure or an EPS bearer establishment procedure.

Please refer to fig. 10, which is a flowchart of another communication method applied to a radio access network device according to the present application. In this method, the radio access network device is the first communication apparatus in fig. 3. The method may comprise the following steps:

step 1001, the first terminal device obtains a used rate and a maximum integrity protection rate of the first terminal device.

In a possible implementation manner, when the first terminal device determines to request PDU session establishment or PDU session modification or EPS bearer establishment, obtaining the used rate and the maximum integrity protection rate of the first terminal device may be triggered.

In a possible implementation, the first terminal device may determine its used rate from the second user plane resource it has already established, and its maximum integrity protection rate from its own capability. For example, a first terminal device with a high processing capability may report a larger maximum integrity protection rate, and one with a low processing capability a smaller one.

In step 1002, the first terminal device determines a remaining rate according to the maximum integrity protection rate and the used rate.

The step 1002 may refer to the manner of determining the remaining rate in the step 301, and details are not repeated here.

In step 1003, the first terminal device sends a second request message to the session management network element.

Here, the second request message is used to request PDU session establishment, PDU session modification or a bearer resource change, and includes the remaining rate of the first terminal device.

Step 1004, the session management network element sends a second response message to the radio access network device. Accordingly, the radio access network device receives the second response message from the session management network element.

The second response message includes the remaining rate of the first terminal device.

Step 1005, the radio access network device obtains the rate required for establishing the first user plane resource and the user plane security policy.

In one possible implementation, the radio access network device may obtain the user plane security policy and the required rate of the first user plane resource from the context information of the terminal device.

Step 1006, the radio access network device determines whether to start user plane integrity protection of the first user plane resource according to the rate required for establishing the first user plane resource, the remaining rate of the first terminal device, and the user plane security policy of the first user plane resource.

This step 1006 can be referred to the description of step 302 above, and will not be repeated here.

Step 1007, the radio access network device sends an RRC reconfiguration message to the first terminal device. Accordingly, the first terminal device receives an RRC reconfiguration message from the radio access network device.

Step 1007 is an optional step, and can be referred to the description of step 408 above, and will not be repeated here.

Step 1008, the first terminal device sends an RRC reconfiguration complete message to the radio access network device.

Through steps 1001 to 1008, the first terminal device determines the remaining rate from its maximum integrity protection rate and used rate and sends the remaining rate to the radio access network device, and the radio access network device accurately determines, from the required rate and the remaining rate of the first terminal device, whether the first terminal device needs to enable user plane integrity protection of the first user plane resource, so as to ensure the timeliness and security of the terminal device's data transmission as far as possible.

Scenario eight, applied to a vehicle-to-everything (V2X) scenario.

Please refer to fig. 11, which is a communication method applied to a second terminal device according to the present application. In this method, the second terminal device is the first communication apparatus in fig. 3. The method may comprise the following steps:

Step 1101, the first terminal device obtains the used rate, the maximum integrity protection rate and the user plane security policy of the first terminal device.

Here, for how the first terminal device obtains its used rate and maximum integrity protection rate, refer to the description of step 1001 above, which is not repeated here.

In a possible implementation, when the first terminal device is about to communicate with the second terminal device, it may trigger acquisition of its used rate and maximum integrity protection rate.

Step 1102, the first terminal device determines a remaining rate of the first terminal device according to the maximum integrity protection rate and the used rate of the first terminal device.

The step 1102 may refer to the manner of determining the remaining rate in the step 301, and is not repeated here.

Step 1103, the first terminal device sends a direct communication request message or a direct security mode command message to the second terminal device. Accordingly, the second terminal device receives the direct communication request message or the direct security mode command message from the first terminal device.

In a possible implementation, the direct communication request message or the direct security mode command message carries the remaining rate of the first terminal device and the user plane security policy.

Step 1104, the second terminal device obtains the required rate of the first user plane resource.

In a possible implementation, the second terminal device obtains from the first terminal device the remaining rate of the first terminal device and the user plane security policy of the first user plane resource to be established, and obtains the required rate for establishing the first user plane resource from its own context.

Step 1105, the second terminal device determines whether to enable user plane integrity protection of the first user plane resource according to the required rate for establishing the first user plane resource, the remaining rate of the first terminal device and the user plane security policy of the first user plane resource.

Step 1105 is an optional step; refer to the description of step 302 above, which is not repeated here.

Step 1106, the second terminal device sends a direct communication response message or a direct security mode response message to the first terminal device. Accordingly, the first terminal device receives the direct communication response message or the direct security mode response message from the second terminal device.

Here, the direct communication response message or the direct security mode response message may comprise a security indication message, which indicates whether user plane integrity protection of the first user plane resource is enabled.

Step 1107, the first terminal device sends a security indication complete message to the second terminal device.

Through steps 1101 to 1107, the first terminal device determines the remaining rate from its maximum integrity protection rate and used rate and sends the remaining rate to the second terminal device, and the second terminal device accurately determines, from the required rate and the remaining rate of the first terminal device, whether the first terminal device needs to enable user plane integrity protection of the first user plane resource, so as to ensure the timeliness and security of the terminal device's data transmission as far as possible.
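In scenarios seven and eight the terminal computes the remaining rate itself and the deciding entity (the radio access network device via the session management network element, or the peer terminal over the direct link) sees only that figure and the policy, never the terminal's maximum integrity protection rate. The following added example, written for this page rather than taken from the patent, shows both sides of that exchange with one decision routine. The capability-to-rate mapping, the message fields, the sample bearer rates and the step 302 decision rule are assumptions.

```python
"""Added example (not part of the patent text): the terminal computes its own
remaining integrity protection rate and sends only that value plus the policy to
the deciding entity. Rates are in kbit/s; all names and mappings are assumptions."""

# Assumed mapping of terminal capability to maximum integrity protection rate.
MAX_IP_RATE_BY_CAPABILITY = {"low": 64, "high": 1_000_000}


def ue_remaining_rate(capability, established):
    """Steps 1001-1002 / 1101-1102: maximum rate from capability, used rate from the
    established bearers on which UP IP is enabled; established = [(rate, ip_on), ...]."""
    max_rate = MAX_IP_RATE_BY_CAPABILITY[capability]
    used = sum(rate for rate, ip_on in established if ip_on)
    return max(max_rate - used, 0)


def decide_up_ip(required, remaining, policy):
    """Assumed step 302 rule: 'required' must fit the budget (None = cannot admit),
    'preferred' is enabled only if it fits, 'not_needed' is never enabled."""
    if policy == "not_needed":
        return False
    if policy == "required":
        return True if required <= remaining else None
    return required <= remaining


def ue_build_request(capability, established, policy):
    """Step 1003 / 1103: the PDU session request or direct communication request
    carries the remaining rate and the policy, never the maximum rate itself."""
    return {"remaining_rate": ue_remaining_rate(capability, established), "policy": policy}


def decider_handle(request, required_rate):
    """Step 1006 / 1105: the RAN or the peer terminal decides from the required
    rate (taken from its own context) and answers with a security indication."""
    decision = decide_up_ip(required_rate, request["remaining_rate"], request["policy"])
    if decision is None:
        return {"accepted": False, "reason": "required integrity rate exceeds remaining rate"}
    return {"accepted": True, "up_ip_enabled": decision}


def run_exchange(capability, established, policy, required_rate):
    """Both sides of the exchange; returns (request sent, response received)."""
    request = ue_build_request(capability, established, policy)
    return request, decider_handle(request, required_rate)


if __name__ == "__main__":
    # Constructed input: a low-capability terminal with a 32 kbit/s protected bearer
    # and a 100 kbit/s unprotected one, asking for a 16 kbit/s bearer.
    print(run_exchange("low", [(32, True), (100, False)], "preferred", 16))
    print(run_exchange("low", [(32, True)], "required", 64))
```

The unprotected 100 kbit/s bearer does not count against the budget, so the low-capability terminal still has 32 kbit/s of protected rate left and the 16 kbit/s bearer comes up protected; a "required" 64 kbit/s bearer on the same terminal cannot be admitted, whereas the same request from a high-capability terminal is.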

It should be noted that the first user plane resource in fig. 4 to fig. 10 may be a DRB, and the first user plane resource in fig. 11 may be a sidelink radio bearer (SLRB). The first user plane resource refers to a user plane resource that the first terminal device is to establish; the second user plane resource refers to a user plane resource that the first terminal device has already established.

It is to be understood that, in order to implement the functions of the above-described embodiments, the communication device may include a corresponding hardware structure and/or software module that performs each function. Those of skill in the art will readily appreciate that the various illustrative modules and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software driven hardware depends on the particular application scenario and design constraints imposed on the solution.

Based on the above and the same concept, fig. 12 and fig. 13 are schematic structural diagrams of possible communication apparatuses provided by the present application. These communication apparatuses may be used to implement the functions of the radio access network device in the above method embodiments, the master node in dual connectivity, the secondary node in dual connectivity, the second terminal device, the radio access network device in the handover procedure, or the radio access network device in the RRC connection resume procedure, and can therefore also achieve the beneficial effects of the above method embodiments. In this application, the communication apparatus may be the access network device shown in fig. 1a, the terminal device shown in fig. 1a, the access network device shown in fig. 1b, the terminal device shown in fig. 1b, the master node shown in fig. 2, the secondary node shown in fig. 2, or a module (for example, a chip) applied to the terminal device, the access network device, the master node or the secondary node.

As shown in fig. 12, the communication apparatus 1200 includes a processing module 1201 and a transceiver module 1202. The communication apparatus 1200 is used to implement the functions of the radio access network device, the master node in dual connectivity, the secondary node in dual connectivity, the second terminal device, the radio access network device in the handover procedure, or the radio access network device in the RRC connection resume procedure in the method embodiments shown in fig. 3 to fig. 11 above.

When the communication apparatus 1200 is used to implement the functionality of the method embodiment shown in fig. 3: a transceiver module 1202 and a processing module 1201 cooperate to obtain a required rate, a remaining rate and a user plane security policy of a first terminal device, where the required rate is used to indicate a rate required by a first user plane resource requested to be established by the first terminal device, the remaining rate is determined according to a used rate of the first terminal device and a maximum integrity protection rate of the first terminal device, the used rate is used to indicate a rate used by a second user plane resource established by the first terminal device, and the maximum integrity protection rate is used to indicate a maximum rate after user plane integrity protection is started by the first terminal device; the user plane security policy comprises user plane integrity protection starting, user plane integrity protection optional starting or user plane integrity protection closing; the processing module 1201 is configured to determine whether to start user plane integrity protection of the first user plane resource according to the required rate, the remaining rate, and the user plane security policy.

More detailed descriptions about the processing module 1201 and the transceiver module 1202 can be directly obtained by referring to the related descriptions in the embodiment of the method shown in fig. 3, and are not described again here.

It should be understood that the processing module 1201 in the embodiments of the present application may be implemented by a processor or a processor-related circuit component, and the transceiver module 1202 may be implemented by a transceiver or a transceiver-related circuit component.

Based on the above and the same concept, as shown in fig. 13, the present application further provides a communication apparatus 1300. The communication device 1300 may include a processor 1301 and a transceiver 1302. The processor 1301 and the transceiver 1302 are coupled to each other. It is understood that the transceiver 1302 may be an interface circuit or an input-output interface. Optionally, the communications apparatus 1300 may further include a memory 1303, configured to store instructions executed by the processor 1301, or store input data required by the processor 1301 to execute the instructions, or store data generated by the processor 1301 after executing the instructions.

When the communication device 1300 is configured to implement the method shown in fig. 3, the processor 1301 is configured to execute the functions of the processing module 1201 described above, and the transceiver 1302 is configured to execute the functions of the transceiver module 1202 described above.

When the communication device is a terminal device, fig. 14 shows a simplified structural diagram of the terminal device. For easy understanding and illustration, in fig. 14, the terminal device is exemplified by a mobile phone. As shown in fig. 14, the terminal device 1400 includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output means. The processor is mainly configured to process the communication protocol and the communication data, control the entire terminal device, execute a software program, and process data of the software program, for example, to support the terminal device 1400 to execute the method executed by the terminal device in any of the embodiments described above. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output devices.

When the terminal device is started, the processor can read the software program in the memory, interpret and execute the instruction of the software program, and process the data of the software program. When data needs to be transmitted, the processor performs baseband processing on the data to be transmitted and outputs baseband signals to the radio frequency circuit, and the radio frequency circuit performs radio frequency processing on the baseband signals and transmits the radio frequency signals to the outside in the form of electromagnetic waves through the antenna. When data is transmitted to the terminal device 1400, the rf circuit receives the rf signal through the antenna, converts the rf signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.

In an alternative implementation, the processor may include a baseband processor and a central processing unit, the baseband processor is mainly used for processing the communication protocol and the communication data, and the central processing unit is mainly used for controlling the whole terminal device 1400, executing the software program, and processing the data of the software program. The processor in fig. 14 integrates the functions of the baseband processor and the central processing unit, and it should be noted that the baseband processor and the central processing unit may also be independent processors, and are interconnected through a bus or the like. In addition, the terminal device may include a plurality of baseband processors to adapt to different network formats, the terminal device 1400 may include a plurality of central processors to enhance its processing capability, and various components of the terminal device 1400 may be connected by various buses. The baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit may also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and the communication data may be built in the processor, or may be stored in the storage module in the form of a software program, and the processor executes the software program to realize the baseband processing function.

In this application, the antenna and the rf circuit having the transceiving function may be regarded as a transceiving module of the terminal device, and the processor having the processing function may be regarded as a processing module of the terminal device. As shown in fig. 14, the terminal device includes a processing module 1401 and a transceiver module 1402. The transceiver module may also be referred to as a transceiver, a transceiver device, etc., and the processing module may also be referred to as a processor, a processing board, a processing unit, a processing device, etc. Alternatively, a device for implementing a receiving function in the transceiver module may be regarded as a receiving module, and a device for implementing a sending function in the transceiver module may be regarded as a sending module, that is, the transceiver module includes a receiving module and a sending module, the receiving module may also be referred to as a receiver, a receiving circuit, and the like, and the sending module may be referred to as a transmitter, a sending circuit, and the like.

On the downlink, the downlink signals (including data and/or control information) transmitted by the network equipment are received through the antenna; on the uplink, the uplink signals (including data and/or control information) are transmitted to the network equipment or to other terminal equipment through the antenna. Service data and signaling messages are processed in the processor, and the modules perform this processing according to the radio access technology (such as the access technology of LTE, NR and other evolved systems) adopted by the radio access network. The processor is further configured to control and manage the actions of the terminal device and to perform the processing performed by the terminal device in the foregoing embodiment. The processor is also configured to enable the terminal device to perform the parts of the method of fig. 3 that relate to the terminal device.

It should be noted that fig. 14 only shows one memory, one processor and one antenna. In an actual terminal device, the terminal device may contain any number of antennas, memories, processors, etc. The memory may also be referred to as a storage medium or a storage device. In addition, the memory may be provided separately from the processor, or may be integrated with the processor, which is not limited in this embodiment.

It should be understood that the transceiver module 1402 is configured to perform the transmitting operation and the receiving operation on the terminal device side in the method embodiment shown in fig. 3, and the processing module 1401 is configured to perform the operations other than the transceiving operation on the terminal device side in the method embodiment shown in fig. 3. For example, the transceiver module 1402 is configured to perform a transceiving step on the terminal device side in the embodiment shown in fig. 3, such as step 301, and the processing module 1401 is configured to perform the operations other than the transceiving operation on the terminal device side in the embodiment shown in fig. 3, such as step 302.

When the communication device is a chip-like device or circuit, the communication device may include a transceiver module and a processing module. The transceiver module can be an input/output circuit and/or an interface circuit; the processing module may be a processor or microprocessor or an integrated circuit integrated on the chip.

When the communication device is a radio access network device, fig. 15 shows, by way of example, a schematic structural diagram of a radio access network device provided by the present application. As shown in fig. 15, the radio access network equipment 1500 may include one or more radio frequency units, such as a Remote Radio Unit (RRU) 1502, and one or more baseband units (BBUs) 1501. The RRU 1502, which may be referred to as a transceiver module, transceiver circuitry, or transceiver, among other names, may include at least one antenna 15021 and a radio frequency unit 15022. The RRU 1502 is mainly used for transceiving radio frequency signals and converting between radio frequency signals and baseband signals. The BBU 1501 may be referred to as a processing module, a processor, and the like, and is mainly used for performing baseband processing, such as channel coding, multiplexing, modulation, spreading, and the like, and also for controlling the radio access network device. The RRU 1502 and the BBU 1501 may be physically collocated, or may be physically separated, in which case the equipment is a distributed radio access network device.

The BBU1501 is a control center of a base station, and may also be referred to as a processing module, and may correspond to the processing module 1201 in fig. 12, and is mainly used for completing baseband processing functions, such as channel coding, multiplexing, modulation, spreading, and the like. For example, the BBU (processing module) may be configured to control the base station to perform an operation procedure related to the radio access network device in the foregoing method embodiment, for example, determine whether to start user plane integrity protection of the first user plane resource.
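As an added example that is not part of the application, the following Python sketches the decision named above, driven by the three inputs the application defines: the required rate of the user plane resource being established, the remaining rate of the terminal device (maximum integrity protection rate minus used rate), and the user plane security policy (start, optional start, or closed). The concrete rules for the case where the rate does not fit (reject versus fall back) and the bookkeeping in `apply` are assumptions of this example, not statements of the application.

```python
# Added illustrative example (not the application's own code): the admission
# decision for user plane integrity protection. The rates are expressed in
# kbit/s; the policy/decision names and the reject-vs-fallback rules are
# assumptions of this example.
from dataclasses import dataclass
from enum import Enum


class UpIpPolicy(Enum):
    REQUIRED = "integrity_protection_start"      # must be switched on
    PREFERRED = "integrity_protection_optional"  # on if the terminal can afford it
    NOT_NEEDED = "integrity_protection_closed"   # keep it off


class Decision(Enum):
    ENABLE = "enable_integrity_protection"
    DISABLE = "no_integrity_protection"
    REJECT = "reject_resource_setup"


@dataclass(frozen=True)
class Terminal:
    max_ip_rate_kbps: int   # maximum rate once UP integrity protection is on
    used_rate_kbps: int     # rate already used by established resources

    def remaining_rate_kbps(self) -> int:
        # remaining rate = maximum integrity protection rate - used rate,
        # floored at zero so an over-committed terminal never goes negative
        return max(0, self.max_ip_rate_kbps - self.used_rate_kbps)


def decide(terminal: Terminal, required_rate_kbps: int, policy: UpIpPolicy) -> Decision:
    """Decide whether to start UP integrity protection for a new resource."""
    if policy is UpIpPolicy.NOT_NEEDED:
        return Decision.DISABLE
    if required_rate_kbps <= terminal.remaining_rate_kbps():
        return Decision.ENABLE
    # Assumption: a policy of "start" that cannot be honoured is refused rather
    # than silently downgraded; "optional start" falls back to no protection.
    return Decision.REJECT if policy is UpIpPolicy.REQUIRED else Decision.DISABLE


def apply(terminal: Terminal, required_rate_kbps: int, policy: UpIpPolicy):
    """Return the decision and the terminal's rate state after admission."""
    decision = decide(terminal, required_rate_kbps, policy)
    if decision is Decision.REJECT:
        return decision, terminal
    # Assumption: only integrity-protected traffic counts against the cap.
    extra = required_rate_kbps if decision is Decision.ENABLE else 0
    return decision, Terminal(terminal.max_ip_rate_kbps, terminal.used_rate_kbps + extra)
```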

As an optional implementation manner, the BBU 1501 may be formed by one or more boards, and the multiple boards may jointly support a radio access network of a single access system (e.g., an LTE network), or may respectively support radio access networks of different access systems (e.g., an LTE network, a 5G network, or other networks). The BBU 1501 also includes a memory 15012 and a processor 15011. The memory 15012 is used to store the necessary instructions and data. The processor 15011 is configured to control the radio access network device to perform the necessary actions, for example, to control the radio access network device to perform the method performed by the radio access network device in any of the above embodiments. The memory 15012 and the processor 15011 may serve one or more boards; that is, each board may be provided with its own memory and processor, or multiple boards may share the same memory and processor. In addition, each board is provided with the necessary circuits.

On the uplink, the uplink signals (including data and the like) transmitted by the terminal device are received through the antenna 15021; on the downlink, the downlink signals (including data and/or control information) are transmitted to the terminal device through the antenna 15021. Traffic data and signaling messages are processed in the processor 15011 according to the radio access technology (e.g., the access technology of LTE, NR, and other evolved systems) employed by the radio access network. The processor 15011 is also configured to control and manage the operation of the radio access network device and to perform the processing performed by the radio access network device in the above-described embodiment. The processor 15011 is also configured to support the radio access network device in performing the method performed by the radio access network device in fig. 3.

It should be noted that fig. 15 only shows a simplified design of the radio access network device. In practical applications, the radio access network device may include any number of antennas, memories, processors, radio frequency units, RRUs, BBUs, and the like, and all radio access network devices that can implement the present application are within the protection scope of the present application.

It should be understood that the transceiving module 1502 is configured to perform the transmitting operation and the receiving operation in the method embodiment shown in fig. 3, for example, step 301, and the processing module 1501 is configured to perform the operations other than the transceiving operation in the method embodiment shown in fig. 3, for example, step 302.

Based on the foregoing and similar concepts, the present application provides a communication system. The communication system may comprise one or more of the aforementioned terminal devices and one or more of the aforementioned radio access network devices. The terminal device can execute any of the methods on the terminal device side, and the radio access network device can execute any of the methods on the radio access network device side. For the possible implementation manners of the radio access network device and the terminal device, reference can be made to the above description, which is not repeated here.

It is understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), other general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general purpose processor may be a microprocessor, but may be any conventional processor.

The method steps in the embodiments of the present application may be implemented by hardware, or may be implemented by software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in Random Access Memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), Erasable PROM (EPROM), Electrically EPROM (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in a network device or a terminal device. Of course, the processor and the storage medium may also reside as discrete components in a network device or a terminal device.

In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the implementation may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance, a user device, or other programmable apparatus. The computer program or instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer program or instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire or wirelessly. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The usable medium may be a magnetic medium, such as a floppy disk, a hard disk, or a magnetic tape; an optical medium, such as a Digital Video Disk (DVD); or a semiconductor medium, such as a Solid State Drive (SSD).

In the embodiments of the present application, unless otherwise specified or conflicting with respect to logic, the terms and/or descriptions in different embodiments have consistency and may be mutually cited, and technical features in different embodiments may be combined to form a new embodiment according to their inherent logic relationship.

In the present application, "at least one" means one or more, and "a plurality" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, and c may each be singular or plural. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, wherein A and B may each be singular or plural. In the textual description of the present application, the character "/" generally indicates that the preceding and following associated objects are in an "or" relationship; in the formulas of the present application, the character "/" indicates that the preceding and following associated objects are in a "division" relationship.

It is to be understood that the various numerical references referred to in the embodiments of the present application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of the present application. The sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of the processes should be determined by their functions and inherent logic. The terms "first," "second," and the like, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises" and "comprising," as well as any variations thereof, are intended to cover a non-exclusive inclusion, such as a list of steps or modules. The methods, systems, articles of manufacture, or apparatus need not be limited to the steps or modules explicitly listed, but may include other steps or modules not explicitly listed or inherent to such processes, methods, articles of manufacture, or apparatus.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
