Mechanism for improving security of communication system

Document No.: 426114 Publication date: 2021-12-21

Reading note: this technology, Mechanism for improving security of communication system, was designed and created by E. Malkamäki, M. Laitila and Xu Xiang on 2019-05-14. Main content: Embodiments of the present disclosure relate to mechanisms for improving security of a communication system. According to an embodiment of the present disclosure, the host DU removes/resets the identification information (e.g., flow label or DSCP) from the data packet to protect the identification information, thereby improving the security of the communication.

1. A first device, comprising:

at least one processor; and

at least one memory including computer program code;

the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to:

receive a data packet from a second device, the data packet including identification information used by the first device to process the data packet;

modify the data packet to remove the identification information; and

transmit the modified data packet to a third device.

2. The first device of claim 1, wherein the identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

3. The first device of claim 1, wherein the first device is caused to transmit the modified data packet by:

mapping the modified data packet to a channel based on the identification information; and

transmitting the mapped modified data packet to the third device.

4. The first device of claim 3, wherein the channel is a backhaul radio link control channel or a logical channel.

5. The first device of claim 1, wherein the first device is caused to modify the data packet to remove the identifying information by:

removing the identification information from the data packet.

6. The first device of claim 1, wherein the first device is caused to modify the data packet to remove the identifying information by:

setting the identification information to a predetermined value or a randomly generated value.

7. The first device of any of claims 1-6, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

8. A first device, comprising:

at least one processor; and

at least one memory including computer program code;

the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to:

receive a data packet from a third device, the data packet including first identification information of the data packet;

obtain second identification information of the data packet from the first identification information based on mapping information received from a second device; and

transmit the data packet to the second device, the data packet including the second identification information.

9. The first device of claim 8, wherein the second identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

10. The first device of claim 8 or 9, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

11. A third device, comprising:

at least one processor; and

at least one memory including computer program code;

the at least one memory and the computer program code configured to, with the at least one processor, cause the third device to:

generate, at the third device, first identification information of a data packet based on mapping information received from a second device;

add the first identification information to the data packet; and

send the data packet to a first device, wherein the sent data packet comprises the first identification information, so that the first device determines second identification information according to the first identification information.

12. The third device of claim 11, wherein the second identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

13. The third device of claim 11 or 12, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

14. A method, comprising:

receiving a data packet from a second device to a first device, the data packet including identification information used by the first device to process the data packet;

modifying the data packet to remove the identifying information; and

transmitting the modified data packet to a third device.

15. The method of claim 14, wherein the identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

16. The method of claim 14, wherein sending the modified data packet comprises:

mapping the modified data packet to a channel based on the identification information; and

transmitting the mapped modified data packet to the third device.

17. The method of claim 16, wherein the channel is a backhaul radio link control channel or a logical channel.

18. The method of claim 14, wherein modifying the data packet to remove the identifying information comprises:

removing the identification information from the data packet.

19. The method of claim 14, wherein modifying the data packet to remove the identifying information comprises:

setting the identification information to a predetermined value or a randomly generated value.

20. The method of any of claims 14-19, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

21. A method, comprising:

receiving a data packet from a third device to a first device, the data packet including first identification information of the data packet;

obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and

transmitting the data packet to the second device, the data packet including the second identification information.

22. The method of claim 21, wherein the second identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

23. The method of claim 21 or 22, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

24. A method, comprising:

generating, at the third device, first identification information of the data packet based on the mapping information received from the second device;

adding the first identification to the data packet; and

sending the data packet to a first device, wherein the sent data packet comprises the first identification information, so that the first device determines a second identification according to the first identification.

25. The method of claim 24, wherein the second identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

26. The method of claim 24 or 25, wherein the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

27. An apparatus, comprising:

means for receiving a data packet from a second device to a first device, the data packet comprising identification information used by the first device to process the data packet;

means for modifying the data packet to remove the identifying information; and

means for transmitting the modified data packet to a third device.

28. An apparatus, comprising:

means for receiving a data packet from a third device to a first device, the data packet including first identification information of the data packet;

means for obtaining second identification information of the data packet from the first identification information based on mapping information received from a second device; and

means for transmitting the data packet to the second device, the data packet including the second identification information.

29. An apparatus, comprising:

means for generating, at the third device, first identification information for the data packet based on the mapping information received from the second device;

means for adding the first identification to the data packet; and

means for transmitting the data packet to a first device, the transmitted data packet including the first identification information, such that the first device determines a second identification from the first identification.

30. A computer-readable medium having instructions stored thereon, which, when executed by at least one processing unit of a machine, cause the machine to perform the method of any one of claims 14-20.

31. A computer-readable medium having instructions stored thereon, which, when executed by at least one processing unit of a machine, cause the machine to perform the method of any one of claims 21-23.

32. A computer-readable medium having instructions stored thereon, which, when executed by at least one processing unit of a machine, cause the machine to perform the method of any one of claims 24-26.

Technical Field

Embodiments of the present disclosure relate generally to the field of communications, and in particular, to a method, apparatus, device, and computer-readable storage medium for improving security of a communication system.

Background

In the field of communications, several new communication technologies have recently been proposed. The third generation partnership project (3GPP) has established standards and specifications for New Radio (NR) Integrated Access and Backhaul (IAB) (e.g., via TR 38.874). Various layer 2 ("L2") and layer 3 ("L3") based solutions have been proposed. In the L2 based solution, the IAB node contains a Distributed Unit (DU) and the packets are forwarded by the radio layers below the Packet Data Convergence Protocol (PDCP) layer. In the L3 based solution, the IAB node contains DUs and/or gNBs and forwards the packets at layers above the PDCP layer. In both cases, the intermediate IAB node performs hop-by-hop routing to maintain connectivity between the serving IAB node of the terminal device and the IAB host, which has a non-wireless connection to the upstream node.

Disclosure of Invention

In general, embodiments of the present disclosure relate to a method and corresponding communication device for improving security of a communication system.

In a first aspect, a first device is provided. The first device includes: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to receive a data packet from the second device, the data packet including identification information used by the first device to process the data packet. The first device is further caused to modify the data packet to remove the identification information. The first device is also caused to transmit the modified data packet to the third device.

In a second aspect, a first device is provided. The first device comprises at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device to receive a data packet from a third device, the data packet including first identification information of the data packet. The first device is further caused to obtain second identification information of the data packet from the first identification information based on the mapping information received from the second device. The first device is further caused to send the data packet to the second device, the data packet comprising the second identification information.

In a third aspect, a third device is provided. The third device comprises at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the third device to generate, at the third device, first identification information of the data packet based on the mapping information received from the second device. The third device is further caused to add the first identification to the data packet. The third device is further caused to transmit the data packet to the first device, the transmitted data packet including the first identification information, such that the first device determines the second identification from the first identification.

In a fourth aspect, a method is provided. The method includes receiving a data packet from a second device to a first device, the data packet including identification information used by the first device to process the data packet. The method also includes modifying the data packet to remove the identifying information. The method also includes transmitting the modified data packet to a third device.

In a fifth aspect, a method is provided. The method includes receiving a data packet from a third device to a first device, the data packet including first identification information of the data packet. The method also includes obtaining second identification information for the data packet from the first identification information based on the mapping information received from the second device. The method also includes transmitting a data packet to the second device, the data packet including the second identification information.

In a sixth aspect, a method is provided. The method includes generating, at the third device, first identification information for the data packet based on mapping information received from the second device. The method also includes adding the first identification to the data packet. The method also includes transmitting a data packet to the first device, the transmitted data packet including first identification information, such that the first device determines the second identification based on the first identification.

In a seventh aspect, an apparatus is provided. The apparatus includes means for receiving a data packet from a second device to a first device, the data packet including identification information used by a host distributed unit to process the data packet. The apparatus also includes means for modifying the data packet to remove the identification information. The apparatus also includes means for transmitting the modified data packet to a third device.

In an eighth aspect, an apparatus is provided. The apparatus includes means for receiving a data packet from a third device to a first device, the data packet including first identification information of the data packet. The apparatus also includes means for obtaining second identification information for the data packet from the first identification information based on the mapping information received from the second device. The apparatus also includes means for transmitting a data packet to the second device, the data packet containing the second identification information.

In a ninth aspect, an apparatus is provided. The apparatus includes means for generating, at a third device, first identification information for a data packet based on mapping information received from a second device. The apparatus also includes means for adding the first identification to the data packet. The apparatus also includes means for transmitting a data packet to the first device, the transmitted data packet including the first identification information, such that the first device determines the second identification from the first identification.

In a tenth aspect, there is provided a non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least a method according to any one of the fourth to sixth aspects described above.

It should be understood that the summary is not intended to identify key or essential features of embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become readily apparent from the following description.

Drawings

Some example embodiments will now be described with reference to the accompanying drawings, in which:

FIG. 1 shows a schematic diagram of a data packet structure;

FIG. 2 shows a schematic diagram of an IAB architecture with CU-DU partitioning;

FIG. 3 shows a schematic diagram of a protocol architecture for an IAB;

FIG. 4 shows a schematic diagram of a communication system according to an embodiment of the present disclosure;

FIG. 5 shows a schematic diagram of interactions between devices according to an embodiment of the present disclosure;

FIG. 6 shows a schematic diagram of a structure of a data packet according to an embodiment of the present disclosure;

FIG. 7 shows a schematic diagram of interactions between devices according to an embodiment of the present disclosure;

FIG. 8 shows a schematic diagram of a structure of a data packet according to an embodiment of the present disclosure;

FIG. 9 shows a flow diagram of a method implemented at a network device in accordance with an embodiment of the present disclosure;

FIG. 10 shows a flow diagram of a method implemented at a device in accordance with an embodiment of the present disclosure;

FIG. 11 shows a flow diagram of a method implemented at a device in accordance with an embodiment of the present disclosure;

FIG. 12 shows a schematic diagram of an apparatus according to an embodiment of the present disclosure; and

FIG. 13 illustrates a block diagram of an example computer-readable medium in accordance with some embodiments of the present disclosure.

Throughout the drawings, the same or similar reference numbers refer to the same or similar elements.

Detailed Description

The principles of the present disclosure will now be described with reference to a few exemplary embodiments. It is understood that these embodiments are described only for the purpose of illustration and to aid those skilled in the art in understanding and practicing the present disclosure, and do not set forth any limitations on the scope of the present disclosure. The disclosure described herein may be implemented in various other ways than those described below.

In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.

References in the present disclosure to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term "and/or" includes any and all combinations of one or more of the listed terms.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "has," "having," "includes," and/or "including," when used herein, specify the presence of stated features, elements, and/or components, but do not preclude the presence or addition of one or more other features, elements, components, and/or groups thereof.

As used herein, the term "circuitry" may refer to one or more or all of the following:

(a) a purely hardware circuit implementation (such as an implementation in analog and/or digital circuitry only), and

(b) a combination of hardware circuitry and software, such as (as applicable):

(i) combinations of analog and/or digital hardware circuitry and software/firmware, and

(ii) a hardware processor with software (including a digital signal processor), software and any portion of memory that work together to cause a device (such as a mobile phone or server) to perform various functions, and

(c) a hardware circuit and/or a processor, such as a microprocessor or a portion of a microprocessor, that requires software (e.g., firmware) for operation, but may not be present when operation is not required.

The definition of circuitry applies to all uses of the term in this application, including in any claims. As another example, as used in this application, the term circuitry also encompasses implementations in hardware circuitry only or a processor (or multiple processors) or a portion of a hardware circuitry or a processor and its (or their) accompanying software and/or firmware. The term circuitry also encompasses (e.g., and if applicable to a particular claim element) a baseband integrated circuit or processor integrated circuit of a mobile device, or a similar integrated circuit in a server, a cellular network device, or other computing or network device.

As used herein, the term "communication network" refers to a network that conforms to any suitable communication standard, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High Speed Packet Access (HSPA), narrowband internet of things (NB-IoT), and so forth. Further, communication between user devices and network devices in the communication network may be performed according to any suitable generation communication protocol, including, but not limited to, first generation (1G), second generation (2G), 2.5G, 2.75G, third generation (3G), fourth generation (4G), 4.5G, fifth generation (5G) communication protocols, and/or any other protocol now known or later developed. Embodiments of the present disclosure may be applied to various communication systems. Given the rapid development of communications, there will, of course, also be future types of communication technologies and systems that may be used to embody the present disclosure. The scope of the present disclosure should not be limited to the above-described systems. A network device may refer to a gNB distributed unit (gNB-DU) or a gNB centralized unit (gNB-CU) or an integrated access backhaul node (IAB node) or an IAB node DU.

As used herein, the term "network device" refers to a node in a communication network via which a user equipment accesses the network and receives services therefrom. A network device may refer to a Base Station (BS) or an Access Point (AP), e.g., a NodeB (NodeB or NB), evolved NodeB (eNodeB or eNB), NR NB (also known as gNB), Remote Radio Unit (RRU), Radio Head (RH), Remote Radio Head (RRH), relay, low power node (such as femto, pico), etc., depending on the terminology and technology applied.

The term "terminal device" refers to any terminal device capable of wireless communication. By way of example, and not limitation, a terminal device may also be referred to as a communication device, User Equipment (UE), Subscriber Station (SS), portable subscriber station, Mobile Station (MS), or Access Terminal (AT). The terminal devices may include, but are not limited to, mobile phones, cellular phones, smart phones, voice over IP (VoIP) phones, wireless local loop phones, tablets, wearable terminal devices, Personal Digital Assistants (PDAs), portable computers, desktop computers, image capture terminal devices (such as digital cameras), gaming terminal devices, music storage and playback devices, in-vehicle wireless terminal devices, wireless terminals, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), internet of things (IoT) devices, watches or other wearable devices, Head Mounted Displays (HMDs), vehicles, drones, medical devices and applications (e.g., tele-surgery), industrial devices and applications (e.g., robots and/or other wireless devices operating in industrial and/or automated processing chain environments), consumer electronics devices, devices operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms "terminal device", "communication device", "terminal", "user equipment" and "UE" may be used interchangeably.

Fig. 1 shows a schematic diagram of a data packet structure. The legacy data packet may include an original IP header 1010 and an original data payload 1020. An internet protocol security (IPsec) technique is presented. IPsec is a secure network protocol suite that authenticates and encrypts data packets sent over an internet protocol network. Two IPsec modes are possible: a transport mode and a tunnel mode. Data packet 110 in transport mode may have an original IP header 1010, an Encapsulating Security Payload (ESP) header 1030, an original data payload 1020, an ESP trailer portion 1040, and an ESP authentication portion 1050. The transport mode provides a secure connection between two endpoints by encapsulating the IP payload behind a security header. The original data payload 1020 and ESP trailer portion 1040 are encrypted.

Data packet 120 in tunnel mode may include a new IP header 1060, an ESP header 1030, an original IP header 1010, original data 1020, an ESP trailer portion 1040, and an ESP authentication portion 1050. As shown, in tunnel mode, the entire original IP packet, including original IP header 1010, is protected, and new IP header 1060 is created to carry the tunnel routing information. Transport mode is used between end nodes, while tunnel mode is typically used with security gateways. Tunnel mode may also be used between end nodes.

Fig. 2 shows a schematic diagram of an IAB architecture with CU-DU separation. IAB node 210 hosts a Mobile Terminal (MT) part 2020 and a Distributed Unit (DU) part 2010. The MT part 2020 has UE functionality and is connected to a parent node DU. The parent node may be an IAB host or another IAB node 220. A backhaul Radio Link Control (RLC) channel is established between the MT part 2020/2040 and the parent node DU part 2050, and an adaptation layer called Backhaul Adaptation Protocol (BAP) is agreed upon above the RLC layer. The IAB node DU part 2030 is connected to the IAB host CU 2060 through an F1 interface enhanced to support IAB functionality. The F1 packets (GTP-U/UDP/IP for the User Plane (UP) and F1AP/SCTP/IP for the Control Plane (CP)) are transported on top of the adaptation layer. Thus, the IAB implements L2 relaying. The IAB node represents a co-located resource that provides NR access coverage and backhaul over the air interface. In this way, the IAB node can assume the role of a UE (the MT part) to communicate the backhaul traffic, or the role of a gNB (or gNB-DU) that serves the connected UEs and forwards the backhaul traffic to the next hop.

Fig. 3 shows an example protocol stack for the user plane. Currently, 3GPP is working on NR integrated access and backhaul (as discussed in 3GPP Technical Report (TR) 38.874). Of all the IAB structures considered, a structure called structure 1a is defined.

According to an embodiment of the present disclosure, the host DU removes/resets the identification information (e.g., flow label or DSCP) from the data packet to protect the identification information, thereby improving the security of the communication.

Fig. 4 illustrates an example IAB system 400 in which example embodiments of the present disclosure may be implemented. IAB system 400 includes an IAB host 410 and IAB nodes 420-1, 420-2, 420-3, 420. The IAB nodes 420-1, 420-2, 420-3. It should be noted that embodiments of the present disclosure may be implemented in any suitable system. For purposes of illustration only, embodiments of the present disclosure are described as being implemented in an IAB system.

The IAB host 410 may be implemented as a gNB that terminates a wireless backhaul radio interface from one or more IAB nodes. The IAB host 410 has a wired/fiber connection to the core network. The IAB host 410 may include a Central Unit (CU) 410-11 and one or more DUs. FIG. 4 shows, by way of example, that IAB host 410 includes DU 410-12. Hereinafter, a CU of an IAB host is also referred to as a host CU or a host central unit; and a DU of an IAB host is also referred to as a host DU or a host distributed unit.

CUs (CUs such as host CUs or IAB nodes) may be logical nodes that may include functions (e.g., gNB functions) such as transport of user data, mobility control, radio access network sharing, positioning, session management, etc., in addition to those functions specifically allocated to DUs. The CU may control the operation of the DU over the front-end (F1) interface. The DU is a logical node, which may include a subset of functions (e.g., the gNB functions) depending on the function splitting option. The operation of the DUs can be controlled by the CUs.

It should be understood that the number of IAB nodes and terminal devices connected to the IAB nodes is for illustration purposes only and does not imply any limitation. The IAB system may include any suitable number of IAB nodes and terminal devices suitable for implementing example embodiments of the present disclosure.

It should be understood that the number of CU, DU, and IAB nodes is for illustrative purposes only and does not imply any limitation. System 400 may include any suitable number of network devices and terminal devices suitable for implementing embodiments of the present disclosure.

Communications in communication system 400 may be implemented in accordance with any suitable communication protocol, including, but not limited to, first-generation (1G), second-generation (2G), third-generation (3G), fourth-generation (4G), and fifth-generation (5G), etc. cellular communication protocols, wireless local area network communication protocols, such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, etc., and/or any other protocol currently known or developed in the future. Further, the communication may use any suitable wireless communication technology, including but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple Input Multiple Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), discrete Fourier transform spread OFDM (DFT-s-OFDM), and/or any other technique now known or later developed.

Fig. 5 shows a schematic diagram of an interaction 500 according to an embodiment of the present disclosure. The interaction 500 may be implemented on any suitable device. For purposes of illustration only, interaction 500 is described as being implemented at the host CU 410-11, the host DU 410-12, and the IAB node 420-1. It should be noted that embodiments of the present invention may be implemented in any suitable device.

The host CU 410-11 sends 5005 a first data packet to the host DU 410-12. It should be noted that the first data packet may be sent in any suitable protocol. For purposes of illustration only, the first data packet is described as being transmitted in IPv6. The first data packet includes identification information required by the host DU 410-12. The identification information may comprise an identification of the bearer, e.g., a GTP-U TEID. The identification of the bearer may be inserted into an optional extension header. Alternatively, the identification of the bearer may be in the source address. For example, the identification information may include a flow label of the first data packet. In some embodiments, the host CU 410-11 may map the IPv6 flow label to a GPRS tunneling protocol tunnel endpoint identifier (GTP-U TEID). Alternatively or additionally, the identification information may include Differentiated Services Code Points (DSCPs) for quality of service (QoS) mapping. In some embodiments, the identification information may be any other extension header that is only needed by the host DU 410-12 and is not part of the integrity protection.

Fig. 6 shows a schematic diagram of a data packet according to an embodiment of the present disclosure. In some embodiments, first data packet 610 may be in a transport mode and may include original IP header 6010-1, ESP header 6030-1, original data payload 6020-1, ESP trailer portion 6040-1, and ESP authentication portion 6050-1. The original data payload 6020-1 and ESP trailer portion 6040-1 are encrypted. In this case, the identification information may be included in the original IP header 6010-1.

In other embodiments, first data packet 620 may be in tunnel mode and include new IP header 6060, ESP header 6030-2, original IP header 6010-2, original data payload 6020-2, ESP trailer portion 6040-2, and ESP authentication portion 6050-2. Original IP header 6010-2, original data payload 6020-2, and ESP trailer portion 6040-2 may be encrypted. In this case, the identification information may be included in a new IP header 6060.

The host DU 410-12 may obtain 5010 identification information from the first data packet. For example, the host DU 410-12 may obtain identification information from the original IP header 6010-1. Alternatively, the host DU 410-12 may obtain identification information from the new IP header 6060.

The host DU 410-12 modifies 5015 the first data packet to hide the identification information. The host DU 410-12 may remove the identification information. Alternatively, the host DU 410-12 may reset the identification information. The host DU 410-12 may set the identification information to a predetermined value. For example, the host DU 410-12 may set the identification information to all zeros. It should be noted that the identification information may be set to any suitable value. In other embodiments, the host DU 410-12 may generate a random value and set the identification information to the random value. In this way, the identification information is protected, thereby improving the security of the communication.

In some embodiments, if the identification information is a flow label, the host DU 410-12 may map 5020 the first data packet to the channel based on the flow label. For example, the host DU 410-12 may map data packets to a Backhaul (BH) Radio Link Control (RLC) channel. Alternatively or additionally, the host DU 410-12 may map data packets to logical channels.

In some embodiments, if the identification information is a DSCP, the host DU 410-12 may perform 5025 QoS mapping on the first data packet. For example, the host DU 410-12 can map the first data packet to a backhaul RLC channel or logical channel based on QoS priority. The host DU 410-12 can map the first data packet to a backhaul RLC channel or logical channel with the appropriate priority. The host DU 410-12 sends 5030 the modified first data packet to the IAB node 420-1.

Fig. 7 shows a schematic diagram of an interaction 700 according to an embodiment of the present disclosure. The interaction 700 may be implemented on any suitable device. For purposes of illustration only, interaction 700 is described as being implemented at the host CU 410-11, the host DU 410-12, and the IAB node 420-1.

The IAB node 420-1 may generate a second data packet. For example, IAB node 420-1 may generate the second data packet in transport mode. Alternatively, IAB node 420-1 may generate the second data packet in tunnel mode. Fig. 8 shows a schematic diagram of a data packet according to an embodiment of the present disclosure. In some embodiments, second data packet 810 may be in transport mode and may include original IP header 8010-1, ESP header 8030-1, original data payload 8020-1, ESP trailer portion 8040-1, and ESP authentication portion 8050-1. The original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.

In other embodiments, second data packet 820 may be in tunnel mode and include new IP header 8060, ESP header 8030-2, original IP header 8010-2, original data payload 8020-2, ESP trailer portion 8040-2, and ESP authentication portion 8050-2. Original IP header 8010-2 and original data payload 8020-2 and ESP trailer portion 8040-2 may be encrypted.

The IAB node 420-1 generates 7010 first identification information. The first identification information is not the actual identification information of the second data packet. In some embodiments, IAB node 420-1 may generate a random value as the first identification information. In other embodiments, the host CU 410-11 may send 7008 mapping information to the IAB node 420-1. In some embodiments, IAB node 420-1 may generate the first identification information based on the received mapping information.

The IAB node 420-1 adds 7012 the first identification information to the second data packet. In some embodiments, the first identifying information may be in original IP header 8010-1. Alternatively, the first identification information may be in the new IP header 8060.

In some embodiments, the IAB node 420-1 may generate 7015 the second identification information as the actual identification information of the second data packet. The IAB node 420-1 may also encrypt 7020 the second identification information and add the second information to the second data packet. For example, the second identifying information may be added to the original IP header 8010-2. In this way, traffic on the interface is difficult to analyze, thereby improving security.

IAB node 420-1 sends 7025 a second data packet to the host DU 410-12. The IAB node 420-1 obtains 7030 a second identity from the first identity. For example, the host CU 410-11 may send 7005 mapping information to the host DU 410-12, and the host DU 410-12 obtains the second identity from the first identity based on the mapping information. In some embodiments, the host CU 410-11 may configure different flow labels for UL and DL packets related to a particular UE bearer.

In some embodiments, the host DU 410-12 may modify 7035 the second data packet to include the second identification information in the second data packet. For example, if the first information is in original IP header 8010-1, the host DU 410-12 may replace the first identification information with the second identification information in original IP header 8010-1. For example, if the first information is in the new IP header 8060, the host DU 410-12 may replace the first identification information with the second identification information in the new IP header 8060. The second identification in original IP header 8010-2 may remain untouched. The host DU 410-12 may send 7040 the modified second data packet to the host CU 410-11.

Fig. 9 is a flow diagram of a method 900 implemented at a host DU in an IAB system, according to some example embodiments of the present disclosure. The method may be implemented at a host DU 410-12 as shown in fig. 4. For discussion purposes, the method 900 will be described with reference to fig. 4.

At block 910, the host DU 410-12 receives a data packet, e.g., from the host CU 410-11, that includes identification information used by the host DU 410-12. It should be noted that the data packets may be sent in any suitable protocol. For purposes of illustration only, data packets are described as being transmitted in IPv6. The data packet includes identification information specific to the host DU 410-12. For example, the identification information may include a flow label of the data packet. In some embodiments, the host CU 410-11 may map the IPv6 flow label to a GPRS tunneling protocol tunnel endpoint identifier (GTP-U TEID). Alternatively or additionally, the identification information may include Differentiated Services Code Points (DSCPs) for quality of service (QoS) mapping. In some embodiments, the identification information may be any other extension header that is only needed by the host DU 410-12.

The host DU 410-12 can obtain identification information from the data packets. For example, the host DU 410-12 may obtain identification information from the original IP header. Alternatively, the host DU 410-12 may obtain the identification information from a new IP header or an outer IP header.

At block 920, the host DU 410-12 modifies the data packet to hide the identification information. The host DU 410-12 may remove the identification information. Alternatively, the host DU 410-12 may reset the identification information. The host DU 410-12 may set the identification information to a predetermined value. For example, the host DU 410-12 may set the identification information to all zeros. It should be noted that the identification information may be set to any suitable value.

In other embodiments, the host DU 410-12 may generate a random value and set the identification information to the random value. The host DU 410-12 transmits the modified data packet to the IAB node 420-1.

At block 930, the host DU 410-12 transmits the modified data packet. In some embodiments, if the identification information is a flow label, the host DU 410-12 may map the data packets to a channel based on the flow label. In some embodiments, the host DU 410-12 may map carriers to a Backhaul (BH) Radio Link Control (RLC) channel or a logical channel. The host DU 410-12 may send the mapped modified data packet to IAB node 420-1.

In some embodiments, if the identification information is DSCP, the host DU 410-12 can perform QoS mapping on the data packets. For example, the host DU 410-12 may map data packets to a backhaul RLC channel or a logical channel according to their QoS priority. The host DU 410-12 may send the modified data packet with the QoS mapping already performed to the IAB node 420-1.
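The downlink handling of interaction 500 and method 900, as an added Python example that is not part of the original disclosure: it reads the flow label and DSCP from the outer IPv6 header, selects a channel, then resets both fields to zeros or random values. The channel names, mapping tables, sample packet, the flow-label-before-DSCP lookup order and the choice to keep the ECN bits are assumptions; every byte after the first header word, including the ESP header and ESP authentication portion, is left untouched.

```python
import secrets
import struct

IPV6_HEADER_LEN = 40

# Constructed mapping tables (assumptions, not from the disclosure).
FLOW_LABEL_TO_CHANNEL = {0x12345: "bh-rlc-1", 0x0ABCD: "bh-rlc-2"}
DSCP_TO_CHANNEL = {46: "bh-rlc-high-priority", 0: "bh-rlc-default"}


def read_identification(packet: bytes):
    """Return (dscp, ecn, flow_label) from the first 32-bit word of an IPv6 header."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    (word,) = struct.unpack("!I", packet[:4])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    traffic_class = (word >> 20) & 0xFF
    return traffic_class >> 2, traffic_class & 0x3, word & 0xFFFFF


def hide_identification(packet: bytes, mode: str = "zero") -> bytes:
    """Reset DSCP and flow label to all zeros or to random values."""
    _dscp, ecn, _label = read_identification(packet)
    if mode == "zero":
        new_dscp, new_label = 0, 0
    elif mode == "random":
        new_dscp, new_label = secrets.randbits(6), secrets.randbits(20)
    else:
        raise ValueError("mode must be 'zero' or 'random'")
    # ECN is kept (assumption): it is congestion signalling, not identification.
    word = (6 << 28) | (((new_dscp << 2) | ecn) << 20) | new_label
    return struct.pack("!I", word) + packet[4:]


def host_du_downlink(packet: bytes, mode: str = "zero"):
    """Obtain the identification, pick a channel, then hide the identification."""
    dscp, _ecn, flow_label = read_identification(packet)
    # Assumption: try the flow-label table first, then fall back to DSCP.
    if flow_label in FLOW_LABEL_TO_CHANNEL:
        channel = FLOW_LABEL_TO_CHANNEL[flow_label]
    else:
        channel = DSCP_TO_CHANNEL.get(dscp, "bh-rlc-default")
    return channel, hide_identification(packet, mode)


def build_sample_packet(dscp: int, flow_label: int) -> bytes:
    """Constructed packet: IPv6 header (next header 50 = ESP) + opaque ESP bytes."""
    esp = bytes.fromhex("00001001" "00000001") + bytes(range(16))
    word = (6 << 28) | ((dscp << 2) << 20) | flow_label
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", word, len(esp), 50, 64) + src + dst + esp


if __name__ == "__main__":
    original = build_sample_packet(dscp=46, flow_label=0x12345)
    channel, forwarded = host_du_downlink(original)
    print(channel, read_identification(forwarded), forwarded[4:] == original[4:])
```

Because ESP integrity protection covers the ESP header through the ESP trailer and not the preceding IP header, rewriting only the first header word does not invalidate the ESP authentication portion.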

Fig. 10 is a flow diagram of a method 1000 implemented at a host DU in an IAB system, according to some example embodiments of the present disclosure. The method may be implemented at a host DU 410-12 as shown in fig. 4. For purposes of discussion, the method 1000 will be described with reference to fig. 4.

At block 1010, the host DU 410-12 receives a data packet from IAB node 420-1. The data packet includes first identification information of the data packet. In some embodiments, the data packet may be in a transport mode and may include an original IP header, an ESP header, an original data payload, an ESP trailer portion, and an ESP authentication portion. The original data payload 8020-1 and the ESP trailer portion 8040-1 are encrypted.

In other embodiments, the data packet may be in tunnel mode and include a new IP header, an ESP header, an original IP header, an original data payload, an ESP trailer portion, and an ESP authentication portion. The original IP header, the original data payload, and the ESP trailer portion may be encrypted.

At block 1020, the host DU 410-12 obtains second identity information from the first identity. For example, the host CU 410-11 may send mapping information to the host DU 410-12, and the host DU 410-12 obtains the second identity from the first identity based on the mapping information. In some embodiments, the host CU 410-11 may configure different flow labels for UL and DL packets related to a particular UE bearer.

In some embodiments, the host DU 410-12 may modify the data packet to include the second identification information in the data packet. For example, if the first information is in the original IP header, the host DU 410-12 may replace the first identification information with the second identification information in the original IP header. For example, if the first information is in the new IP header 8060, the host DU 410-12 may replace the first identification information with the second identification information in the new IP header. The second identification in original IP header 8010-2 may remain untouched.

At block 1030, the host DU 410-12 sends the data packet to the host CU 410-11. The data packet includes second identification information.

Fig. 11 is a flow diagram of a method 1100 implemented at an IAB node in an IAB system, according to some example embodiments of the present disclosure. The method may be implemented at IAB node 420-1 shown in fig. 4. For discussion purposes, the method 1100 will be described with reference to fig. 4.

In some embodiments, IAB node 420-1 may generate a data packet. For example, IAB node 420-1 may generate a data packet in transport mode. Alternatively, IAB node 420-1 may generate the data packet in tunnel mode.

In some embodiments, the data packet may be in a transport mode and may include an original IP header, an ESP header, an original data payload, an ESP trailer portion, and an ESP authentication portion. The original data payload and the ESP trailer portion are encrypted.

In other embodiments, the data packet may be in tunnel mode and include a new IP header, an ESP header, an original IP header, an original data payload, an ESP trailer portion, and an ESP authentication portion. The original IP header, the original data payload, and the ESP trailer portion may be encrypted.

At block 1110, IAB node 420-1 generates first identification information. The first identification information is not the actual identification information of the data packet. In some embodiments, IAB node 420-1 may generate a random value as the first identification information. In other embodiments, the host CU 410-11 may send the mapping information to the IAB node 420-1. In some embodiments, IAB node 420-1 may generate the first identification information based on the received mapping information.

At block 1120, the IAB node 420-1 adds the first identification information to the data packet. In some embodiments, the first identification information may be in an original IP header. Alternatively, the first identification information may be in a new IP header.

In some embodiments, IAB node 420-1 may generate the second identification information as actual identification information for the data packet. The IAB node 420-1 may also add the second information to the data packet and encrypt the second identification information. For example, the second identification information may be added to the original IP header. The second identification information includes at least one of: flow labels and differentiated services code points. In this way, traffic on the interface is difficult to analyze, thereby improving security.

At block 1130, IAB node 420-1 sends the data packet to the host DU 410-12.
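The uplink exchange of interaction 700 and methods 1000 and 1100, as an added Python example that is not part of the original disclosure: the IAB node places a first identification that is not the actual flow label in the outer IPv6 header, and the host DU restores the second (actual) identification from mapping information before forwarding to the host CU. The `MappingInfo` class, the function names, the sample packet and the choice to drop a packet whose first identification is unknown are assumptions.

```python
import secrets
import struct

FLOW_LABEL_MASK = 0xFFFFF  # low 20 bits of the first IPv6 header word


def get_flow_label(packet: bytes) -> int:
    return struct.unpack("!I", packet[:4])[0] & FLOW_LABEL_MASK


def set_flow_label(packet: bytes, label: int) -> bytes:
    word = struct.unpack("!I", packet[:4])[0]
    word = (word & ~FLOW_LABEL_MASK & 0xFFFFFFFF) | (label & FLOW_LABEL_MASK)
    return struct.pack("!I", word) + packet[4:]


class MappingInfo:
    """Mapping information the host CU hands to the IAB node and the host DU."""

    def __init__(self):
        self.first_to_second = {}  # lookup used by the host DU
        self.second_to_first = {}  # lookup used by the IAB node

    def provision(self, second_id: int) -> int:
        """Allocate an unused random first identification for an actual label."""
        if second_id in self.second_to_first:
            return self.second_to_first[second_id]
        while True:
            first_id = secrets.randbits(20)
            if first_id != second_id and first_id not in self.first_to_second:
                break
        self.first_to_second[first_id] = second_id
        self.second_to_first[second_id] = first_id
        return first_id


def iab_node_send(packet: bytes, second_id: int, mapping: MappingInfo) -> bytes:
    """Blocks 1110-1130: put the first identification in the outer header."""
    return set_flow_label(packet, mapping.second_to_first[second_id])


def host_du_uplink(packet: bytes, mapping: MappingInfo):
    """Blocks 1010-1030: restore the second identification, or return None."""
    second_id = mapping.first_to_second.get(get_flow_label(packet))
    if second_id is None:
        return None  # assumption: an unknown first identification is not forwarded
    return set_flow_label(packet, second_id)


def sample_uplink_packet() -> bytes:
    """Constructed packet: IPv6 header (next header 50 = ESP) + opaque ESP bytes."""
    esp = bytes.fromhex("00001001" "00000001") + bytes(16)
    return struct.pack("!IHBB", 6 << 28, len(esp), 50, 64) + bytes(32) + esp


if __name__ == "__main__":
    mapping = MappingInfo()
    mapping.provision(0x12345)
    on_backhaul = iab_node_send(sample_uplink_packet(), 0x12345, mapping)
    restored = host_du_uplink(on_backhaul, mapping)
    print(hex(get_flow_label(on_backhaul)), hex(get_flow_label(restored)))
```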

In some embodiments, an apparatus (e.g., the host DU 410-12) for performing the method 900 may include corresponding means for performing corresponding steps in the method 900. These components may be implemented in any suitable manner. For example, they may be implemented by a circuit or a software module.

In some embodiments, the apparatus comprises: means for receiving a data packet from a second device to a first device, the data packet including identification information used by the first device to process the data packet; means for modifying the data packet to remove the identifying information; and means for transmitting the modified data packet to a third device.

In some embodiments, the identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

In some embodiments, the means for transmitting the modified data packet comprises: means for mapping the modified data packet to a channel based on the identification information; and means for sending the mapped modified data packet to a third device.

In some embodiments, the means for modifying the data packet to remove the identifying information comprises: means for removing the identification information from the data packet.

In some embodiments, the means for modifying the data packet to remove the identifying information comprises: means for setting the identification information to a predetermined value or a randomly generated value.

In some embodiments, the first network device is a host distributed unit, the second network device is a host centralized unit, and the third network device is an Integrated Access and Backhaul (IAB) node.

In some embodiments, an apparatus (e.g., the host DU 410-12) for performing method 1000 may include corresponding means for performing corresponding steps in method 1000. These components may be implemented in any suitable manner. For example, they may be implemented by a circuit or a software module.

In some embodiments, the apparatus comprises: means for receiving a data packet from a third device to a first device, the data packet including first identification information of the data packet; means for obtaining second identification information of the data packet from the first identification information based on mapping information received from the second device; and means for transmitting a data packet to the second device, the data packet including the second identification information.

In some embodiments, the second identification information comprises at least one of: flow label, differentiated services code point and bearer identification.

In some embodiments, the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

In some embodiments, an apparatus (e.g., IAB node 420-1) for performing method 1100 may include respective means for performing respective steps in method 1100. These components may be implemented in any suitable manner. For example, it may be implemented by a circuit or a software module.

In some embodiments, the apparatus includes means for generating, at the third device, first identification information for the data packet based on mapping information received from the second device; means for adding a first identification to the data packet; and means for transmitting a data packet to the first device, the transmitted data packet including the first identification information, such that the first device determines the second identification from the first identification.

In some embodiments, the first device is a host distributed unit, the second device is a host centralized unit, and the third device is an Integrated Access and Backhaul (IAB) node.

In some embodiments, the second identification information comprises at least one of: flow label, differentiated services code point and bearer identity.

Fig. 12 is a simplified block diagram of a device 1200 suitable for implementing embodiments of the present disclosure. Device 1200 may be used to implement a communication device, such as network device 120 or terminal device 110-1 shown in FIG. 1. As shown, the device 1200 includes one or more processors 1210, one or more memories 1220 coupled to the processors 1210, and one or more communication modules (e.g., transmitters and/or receivers (TX/RX)) 1240 coupled to the processors 1210.

The communication module 1240 is used for bidirectional communication. The communications module 1240 has at least one antenna to facilitate communications. The communication interface may represent any interface required to communicate with other network elements.

The processor 1210 may be of any type suitable to the local technical network, and may include, by way of non-limiting example, one or more of the following: general purpose computers, special purpose computers, microprocessors, Digital Signal Processors (DSPs), and processors based on a multi-core processor architecture. Device 1200 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock that synchronizes the main processor.

The memory 1220 may include one or more non-volatile memories and one or more volatile memories. Examples of non-volatile memory include, but are not limited to, Read Only Memory (ROM) 1224, Electrically Programmable Read Only Memory (EPROM), flash memory, a hard disk, a Compact Disk (CD), a Digital Video Disk (DVD), and other magnetic storage and/or optical storage devices. Examples of volatile memory include, but are not limited to, Random Access Memory (RAM) 1222 and other volatile memories whose contents do not persist through power-down.

Computer programs 1230 include computer-executable instructions that are executed by an associated processor 1210. Program 1230 may be stored in ROM 1224. Processor 1210 may perform any suitable actions and processes by loading program 1230 into RAM 1222.

Embodiments of the present disclosure may be implemented by the program 1230 such that the device 1200 may perform any of the processes of the present disclosure as discussed with reference to fig. 5-11. Embodiments of the present disclosure may also be implemented by hardware or a combination of software and hardware.

In some embodiments, program 1230 may be tangibly embodied in a computer-readable medium, which may be included in device 1200 (such as in memory 1220) or other storage device accessible to device 1200. The device 1200 may load the program 1230 from the computer-readable medium into the RAM 1222 for execution. The computer readable medium may include any type of tangible, non-volatile memory, such as ROM, EPROM, flash memory, a hard disk, a CD, a DVD, etc. Fig. 13 shows an example of a computer-readable medium 1300 in the form of a CD or DVD. The computer readable medium has a program 1230 stored thereon.

In general, the various embodiments of the disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of the embodiments of the disclosure are illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that the block diagrams, apparatus, systems, techniques or methods described herein may be implemented in hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.

The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer-readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, that execute in the device on the target real or virtual processor to perform the methods 900 to 1100 described above with reference to fig. 9-11. Generally, program modules include routines, programs, libraries, objects, classes, components, data types, etc. that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within local or distributed devices. In a distributed facility, program modules may be located in both local and remote memory storage media.

Program code for performing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the execution of the program codes by the processor or controller causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.

In the context of the present disclosure, computer program code or related data may be carried by any suitable carrier to enable a device, apparatus or processor to perform various processes and operations as described above. Examples of a carrier include a signal, computer readable medium, and the like.

The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination thereof. More specific examples of a computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof.

Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Also, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.

Although the disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
