WO2014048197A1 - Method, system and device for user equipment to select visited public land mobile network - Google Patents
Method, system and device for user equipment to select visited public land mobile network
- Publication number: WO2014048197A1 (application PCT/CN2013/082191)
- Authority: WO (WIPO PCT)
- Prior art keywords: vplmn, network element, 3gpp aaa, server, authentication
- Legal status: Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W8/08—Mobility data transfer
- H04W8/12—Mobility data transfer between location registers or mobility servers
Definitions
- Method, system and device for a user equipment to select a visited public land mobile network
- The present invention relates to visited network selection techniques, and more particularly to a method, system and device by which a user equipment in an Evolved Packet System (EPS) selects a visited public land mobile network.
Background technique
- FIG. 1 is a schematic diagram of the EPS system architecture.
- In the non-roaming scenario, the EPS network architecture is composed of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW, also written PDN GW), the Home Subscriber Server (HSS), the Policy and Charging Rules Function (PCRF) and the operator's IP service network.
- The PCRF is the core of Policy and Charging Control (PCC) and is responsible for policy decisions and charging rules.
- The PCRF provides network control rules based on service data flows, including traffic detection, gating control, Quality of Service (QoS) control and flow-based charging rules.
- The PCRF sends its policy and charging rules to the Policy and Charging Enforcement Function (PCEF).
- The PCRF also needs to ensure that these rules are consistent with the user's subscription information.
- The basis on which the PCRF formulates policy and charging rules includes: service-related information obtained from the Application Function (AF); the user's policy and charging control subscription information obtained from the Subscription Profile Repository (SPR); and bearer-related network information obtained from the PCEF.
- EPS supports interworking with non-3GPP systems. Interworking with non-3GPP systems is implemented through the S2a/S2b/S2c interfaces, which provide the anchor between the 3GPP and non-3GPP systems. As shown in FIG. 1, non-3GPP systems in the EPS are divided into trusted non-3GPP IP access networks and untrusted non-3GPP IP access networks.
- Both trusted and untrusted non-3GPP IP access networks are authenticated by the EPS Authentication, Authorization and Accounting (AAA) server. A trusted non-3GPP IP access network can be connected directly to the P-GW through the S2a interface; an untrusted non-3GPP IP access network must be connected to the P-GW through the Evolved Packet Data Gateway (ePDG).
- The interface between the ePDG and the P-GW is S2b, and the User Equipment (UE) and the ePDG use Internet Protocol Security (IPSec) to encrypt signaling and data.
- S2c provides user-plane-related control and mobility support between the UE and the P-GW; the supported mobility management protocol is Mobile IPv6 support for dual-stack Hosts and Routers (DSMIPv6).
- FIG. 2 is a schematic diagram of the home-routed roaming architecture in the policy interworking scenario, in which a UE accesses the 3GPP core network through a BBF (Broadband Forum) access network, also referred to as a fixed broadband access network.
- The BBF access network is regarded as an untrusted non-3GPP IP access network.
- The UE accesses the mobile core network through the BBF access network. There are two routing modes: one is EPC-routed (routed through the evolved packet core), the other is Non-Seamless WLAN Offload (NSWO), in which the UE accesses services directly through the access network.
- For the architecture shown in FIG. 2, the BBF access network needs to interoperate with the Visited Public Land Mobile Network (VPLMN) and the Home Public Land Mobile Network (HPLMN), including for authentication, data routing and policy control.
- FIG. 3 is a schematic diagram of the home-routed roaming architecture in the policy convergence scenario, in which a UE accesses the 3GPP core network through a BBF access network.
- The main difference from FIG. 2 is that the BBF access network and the VPLMN belong to the same operator, and the V-PCRF supports interaction with the IP Edge through the Gxd interface.
- The H-PCRF needs to interact with the BBF access network through the V-PCRF.
- FIG. 4 is a flow chart of the attach procedure of a UE accessing 3GPP through the DSMIPv6 protocol, which specifically includes the following steps:
- Step 101: The UE accesses the BBF access network and performs 3GPP-based authentication. The 3rd Generation Partnership Project Authentication, Authorization and Accounting Proxy (3GPP AAA Proxy) returns to the Broadband Forum Authentication, Authorization and Accounting server (BBF AAA) the VPLMN ID of the VPLMN where the proxy is located.
- The 3GPP-based authentication is performed as follows: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete Extensible Authentication Protocol (EAP) authentication; further, the 3GPP AAA server also interacts with the HSS.
- Step 102: The IP Edge in the BBF access network allocates a local IP address to the UE.
- IKEv2: Internet Key Exchange version 2.
- The ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication.
- The UE selects the ePDG located in the VPLMN as follows: the UE may use static configuration or select the ePDG dynamically; for dynamic selection, the UE uses the VPLMN ID known to itself as the operator identifier to construct a Fully Qualified Domain Name (FQDN) and performs a Domain Name System (DNS) lookup.
- Step 104: The ePDG sends the last IKEv2 message to the UE, carrying the IP address assigned to the UE; this address, denoted IPAddress3, is the care-of address (CoA) of the UE.
- Step 105: An Internet Protocol Security (IPSec) tunnel is established between the UE and the ePDG.
- Step 106: The ePDG initiates a gateway control session establishment procedure using the information obtained in step 103. Specifically, the ePDG sends a gateway control session establishment message to the H-PCRF through the V-PCRF, carrying the IP address of the UE, the user identifier and the PDN identifier; the H-PCRF returns an acknowledgement message.
- Step 107: The UE performs a Bootstrapping procedure, in which the UE acquires the IP address of the P-GW for the PDN it is to access and completes the exchange with the 3GPP AAA server through the P-GW; the P-GW allocates an IPv6 address or prefix to the UE as its home address (HoA); the 3GPP AAA server also interacts with the HSS.
- The UE acquires the IP address of the P-GW serving the PDN as follows: the UE performs a Domain Name System (DNS) lookup based on the Access Point Name (APN).
- The UE uses IKEv2 to establish a security association and uses EAP for authentication.
- Step 108: The UE sends a DSMIPv6 Binding Update message to the P-GW, and the P-GW establishes a binding context. The Binding Update carries the CoA and the HoA, and its lifetime parameter is non-zero.
- Step 109: The PCEF in the P-GW sends an IP Connectivity Access Network (IP-CAN) session establishment indication message to the H-PCRF, and the H-PCRF processes it on the basis of the IP-CAN session.
- Step 110 The P-GW returns a binding acknowledgement message to the UE.
- Step 111: The H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN; the BPCF returns an acknowledgement message through the V-PCRF and initiates a gateway control session establishment procedure towards the H-PCRF.
- Step 112: The BPCF provides a policy to the IP Edge.
- When the UE selects the ePDG dynamically, it performs a DNS lookup using the VPLMN ID known to itself as the operator identifier to construct the FQDN, and so obtains the IP address of an ePDG in that VPLMN. However, there is no guarantee that the VPLMN ID known to the UE is the same as the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located. That is, the ePDG selected by the UE and the 3GPP AAA Proxy cannot be guaranteed to be in the same VPLMN, and the V-PCRF selected for EPC-routed traffic and the V-PCRF selected for NSWO cannot be guaranteed to be the same one.
Summary of the invention
- The embodiments of the present invention mainly provide a method, system and device for a user equipment to select a visited public land mobile network, so that when the UE accesses 3GPP through the DSMIPv6 protocol, the ePDG selected by the UE and the 3GPP AAA Proxy are located in the same VPLMN.
- The method for the UE to select the VPLMN provided by the embodiments of the present invention includes: the authentication server sends to the UE the VPLMN ID of the VPLMN selected by the UE when performing access authentication, and the UE selects a core network element of the VPLMN according to that VPLMN ID and performs an IKEv2 tunnel establishment procedure with that core network element.
- In one alternative, the authentication server sends the VPLMN ID to the UE as follows: the authentication server is the Broadband Forum Authentication, Authorization and Accounting server (BBF AAA); when the UE performs access authentication, the BBF AAA receives the VPLMN ID sent by the 3rd Generation Partnership Project Authentication, Authorization and Accounting Proxy (3GPP AAA Proxy), or obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address, and sends that VPLMN ID to the UE.
- In another alternative, the authentication server is an HSS and/or a 3GPP AAA server: when the UE performs access authentication, the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy; during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verifies whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, returns a reject message to the UE carrying the reject cause value and the VPLMN ID it saved.
- The core network element of the VPLMN is an ePDG or a P-GW.
- The UE selects a core network element of the VPLMN according to the VPLMN ID as follows: the UE constructs a Fully Qualified Domain Name (FQDN) using the VPLMN ID sent by the authentication server as the operator identifier, and performs a Domain Name System (DNS) lookup to obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to that VPLMN ID.
- The method further includes: when the UE performs access authentication, the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy, and during IKEv2 tunnel establishment the HSS and/or the 3GPP AAA server verifies whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located; if not, the HSS and/or the 3GPP AAA server returns a reject message to the UE carrying the reject cause value and/or the VPLMN ID it saved.
- a system for selecting a VPLMN by a UE includes: an authentication server, a UE, and a core network element of a VPLMN;
- the authentication server is configured to send, to the UE, a VPLMN ID of the VPLMN selected by the UE when performing the access authentication;
- the UE is configured to: according to the VPLMN ID of the VPLMN sent by the authentication server, select a core network element of the VPLMN, and perform a process of establishing an IKEv2 tunnel with the core network element;
- the core network element of the VPLMN is configured to complete the process of establishing an IKEv2 tunnel.
- In one alternative, the authentication server is a BBF AAA configured to receive, when the UE performs access authentication, the VPLMN ID sent by the 3GPP AAA Proxy, or to obtain the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address, and to send that VPLMN ID to the UE;
- the system further includes a 3GPP AAA Proxy configured to send the VPLMN ID to the BBF AAA when the UE performs access authentication.
- The system further includes an HSS and/or a 3GPP AAA server configured to save the VPLMN ID when the UE performs access authentication, and to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is the same as the VPLMN ID of the VPLMN where the core network element selected by the UE is located; when they differ, a reject message is returned to the UE carrying the reject cause value and/or the VPLMN ID saved by the HSS and/or the 3GPP AAA server.
- In another alternative, the authentication server is an HSS and/or a 3GPP AAA server configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication, and to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located; when they are inconsistent, the HSS and/or the 3GPP AAA server returns a reject message to the UE carrying the reject cause value and the VPLMN ID it saved;
- the system further includes a 3GPP AAA Proxy configured to send the VPLMN ID to the HSS and/or the 3GPP AAA server when the UE performs access authentication.
- The core network element of the VPLMN is an ePDG or a P-GW.
- The UE includes a network element selection module and a tunnel establishment module, wherein the network element selection module is configured to select the ePDG or P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server, and the tunnel establishment module is configured to perform an IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module.
- The network element selection module is configured to construct an FQDN using the VPLMN ID sent by the authentication server as the operator identifier, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to that VPLMN ID.
- the authentication server specifically includes: an ID obtaining module, a verification module, and a response module;
- the ID obtaining module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
- the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID obtaining module is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, to notify the response module to return a reject message to the UE;
- the response module is configured to return a reject message to the UE, where the reject message carries the reject cause value and the VPLMN ID saved by the ID acquisition module.
- a UE is provided by the embodiment of the present invention, where the UE includes: a network element selection module and a tunnel establishment module;
- the network element selection module is configured to select an ePDG or a P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server;
- the tunnel establishment module is configured to perform an IKEv2 tunnel establishment process with the ePDG or P-GW selected by the network element selection module.
- An authentication server is provided by the embodiment of the present invention, where the authentication server includes an ID obtaining module, a verification module and a response module;
- the ID obtaining module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
- the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID obtaining module is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, to notify the response module to return a reject message to the UE;
- the response module is configured to return the reject message to the UE.
- The embodiment of the present invention provides a method, system and device for a user equipment to select a visited public land mobile network: the authentication server sends to the UE the VPLMN ID of the VPLMN selected by the UE when performing access authentication, and the UE uses that VPLMN ID to select the core network element of the VPLMN and completes the IKEv2 tunnel establishment procedure with that core network element, so that the ePDG selected by the UE and the 3GPP AAA Proxy are located in the same VPLMN.
- FIG. 1 is a schematic diagram of a system architecture of an EPS in the prior art;
- FIG. 2 is a schematic diagram of a home-routed roaming architecture in a policy interworking scenario in which a UE accesses a 3GPP core network through a BBF access network in the prior art;
- FIG. 3 is a schematic diagram of a home-routed roaming architecture in a policy convergence scenario in which a UE accesses a 3GPP core network through a BBF access network in the prior art;
- FIG. 4 is a flow chart of attaching a UE to 3GPP through the DSMIPv6 protocol in the prior art;
- FIG. 5 is a schematic flowchart of a method for implementing a UE selecting a VPLMN according to an embodiment of the present invention;
- FIG. 6 is a schematic diagram of a system for implementing a UE selecting a VPLMN according to an embodiment of the present invention;
- FIG. 7 is a schematic flowchart of a method for a UE to select a VPLMN according to an embodiment of the present invention;
- FIG. 8 is a schematic flowchart of a method for a UE to select a VPLMN according to Embodiment 2 of the present invention;
- FIG. 9 is a schematic diagram of a home-routed roaming architecture in a policy interworking scenario in which a UE accesses a 3GPP core network through a BBF access network according to Embodiment 3 of the present invention;
- FIG. 10 is a schematic diagram of a home-routed roaming architecture in a policy convergence scenario in which a UE accesses a 3GPP core network through a BBF access network according to Embodiment 3 of the present invention;
- FIG. 11 is a schematic flowchart of a method for implementing a UE selecting a VPLMN according to Embodiment 3 of the present invention.
Detailed description
- In the embodiments of the present invention, the authentication server sends to the UE the VPLMN ID of the VPLMN selected by the UE when performing access authentication, and the UE selects the core network element of the VPLMN according to that VPLMN ID and performs an IKEv2 tunnel establishment procedure with that core network element.
- the embodiment of the present invention implements a method for a UE to select a VPLMN. As shown in FIG. 5, the method includes the following steps:
- Step 201: The authentication server sends to the UE the VPLMN ID of the VPLMN selected by the UE when performing access authentication.
- In one alternative, the authentication server is a BBF AAA: the BBF AAA receives the VPLMN ID sent by the 3GPP AAA Proxy, or obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address, and sends that VPLMN ID to the UE.
- In another alternative, the authentication server is an HSS and/or a 3GPP AAA server: the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy, then verifies whether the VPLMN ID it saved is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, returns a reject message to the UE carrying the reject cause value and the VPLMN ID it saved.
- Step 202: The UE selects a core network element of the VPLMN according to the VPLMN ID and completes an IKEv2 tunnel establishment procedure with that core network element.
- The core network element of the VPLMN is generally an ePDG or a P-GW.
- The UE selects the core network element of the VPLMN according to the VPLMN ID as follows: the UE uses the VPLMN ID sent by the authentication server as the operator identifier to construct the FQDN, performs a DNS lookup, and obtains the IP address of the ePDG or P-GW in the VPLMN corresponding to that VPLMN ID.
- This step further includes: when the authentication server is a BBF AAA, the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy, and during IKEv2 tunnel establishment the HSS and/or the 3GPP AAA server verifies whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located. If not, the HSS and/or the 3GPP AAA server returns a reject message to the UE carrying the reject cause value and/or the VPLMN ID it saved; if they are consistent, IKEv2 tunnel establishment continues until the tunnel is established.
- The method further includes: after the UE and the ePDG complete IKEv2 tunnel establishment, an IPSec tunnel is established between the UE and the ePDG.
- The method further includes: the ePDG initiates a gateway control session establishment procedure; the UE performs a Bootstrapping procedure and then sends a DSMIPv6 Binding Update message to the P-GW, and the P-GW establishes a binding context; the PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the UE's IP address and the NSWO-APN carried in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW; the P-GW returns a Binding Acknowledgement message to the UE; the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN, and the BPCF returns an acknowledgement message through the V-PCRF and initiates a gateway control session establishment procedure towards the H-PCRF; the BPCF provides QoS policies to the IP Edge.
- an embodiment of the present invention further provides a system for a UE to select a VPLMN.
- The system includes an authentication server 61, a UE 62 and a core network element 63 of the VPLMN;
- the authentication server 61 is configured to send to the UE 62 the VPLMN ID of the VPLMN selected by the UE 62 when performing access authentication;
- the UE 62 is configured to select a core network element 63 of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61, and to perform an IKEv2 tunnel establishment procedure with the core network element 63;
- the core network element 63 of the VPLMN is configured to complete the IKEv2 tunnel establishment procedure.
- In one alternative, the authentication server 61 is a BBF AAA configured to receive the VPLMN ID sent by the 3GPP AAA Proxy 64 when the UE 62 performs access authentication, or to obtain the VPLMN ID of the VPLMN where the 3GPP AAA Proxy 64 is located from the communication peer address, and to send that VPLMN ID to the UE 62;
- the system further includes a 3GPP AAA Proxy 64 configured to send the VPLMN ID to the BBF AAA when the UE 62 performs access authentication;
- the system further includes an HSS and/or a 3GPP AAA server configured to save the VPLMN ID sent by the 3GPP AAA Proxy 64 when the UE 62 performs access authentication, and to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is the same as the VPLMN ID of the VPLMN where the core network element 63 selected by the UE 62 is located, returning a reject message to the UE 62 when they are inconsistent, the reject message carrying the reject cause value and/or the VPLMN ID saved by the HSS and/or the 3GPP AAA server.
- In another alternative, the authentication server 61 is an HSS and/or a 3GPP AAA server configured to save the VPLMN ID sent by the 3GPP AAA Proxy 64 when the UE 62 performs access authentication, and to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element 63 selected by the UE 62 is located; when they are inconsistent, the HSS and/or the 3GPP AAA server returns a reject message to the UE 62 carrying the reject cause value and the VPLMN ID it saved;
- the system also includes a 3GPP AAA Proxy 64 configured to send the VPLMN ID to the HSS and/or the 3GPP AAA server when the UE 62 performs access authentication.
- The core network element 63 of the VPLMN is generally an ePDG or a P-GW;
- the UE 62 specifically includes a network element selection module 621 and a tunnel establishment module 622;
- the network element selection module 621 is configured to select an ePDG or a P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61;
- the tunnel establishment module 622 is configured to perform an IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module 621;
- the network element selection module 621 is configured to use the VPLMN ID sent by the authentication server 61 as the operator identifier to construct an FQDN, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to that VPLMN ID.
- The authentication server 61 includes an ID obtaining module, a verification module and a response module;
- the ID obtaining module is configured to save, when the UE 62 performs access authentication, the VPLMN ID sent by the 3GPP AAA Proxy 64;
- the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID obtaining module is consistent with the VPLMN ID of the VPLMN where the core network element 63 selected by the UE 62 is located, and if not, to notify the response module to return a reject message to the UE 62; the response module is configured to return the reject message to the UE 62, the reject message carrying the reject cause value and the VPLMN ID saved by the ID obtaining module.
- the embodiment of the present invention further provides a UE.
- The UE 62 includes a network element selection module 621 and a tunnel establishment module 622;
- the network element selection module 621 is configured to select an ePDG or a P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61;
- the tunnel establishment module 622 is configured to perform an IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module 621;
- the network element selection module 621 is configured to use the VPLMN ID sent by the authentication server 61 as the operator identifier to construct an FQDN, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to that VPLMN ID.
- The embodiment of the present invention further provides an authentication server, where the authentication server is an HSS and/or a 3GPP AAA server and includes an ID obtaining module, a verification module and a response module;
- the ID obtaining module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
- the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID obtaining module is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, to notify the response module to return a reject message to the UE;
- the response module is configured to return the reject message to the UE, the reject message carrying the reject cause value and/or the VPLMN ID saved by the ID obtaining module.
- This embodiment is based on the architecture of FIG. 2 or FIG. 3. The method for the UE to select the VPLMN implemented in this embodiment, as shown in FIG. 7, includes the following steps:
- Step 301 The UE accesses the BBF access network, and performs 3GPP-based authentication.
- The 3GPP AAA Proxy returns to the BBF AAA the VPLMN ID of the VPLMN where the proxy is located, or the BBF AAA obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address; the BBF AAA then sends the VPLMN ID to the UE.
- The BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; further, the 3GPP AAA server also interacts with the HSS.
- The BBF AAA further informs the IP Edge of the VPLMN ID.
- The 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server, or the 3GPP AAA server obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address; the 3GPP AAA server saves the VPLMN ID, and/or the 3GPP AAA server sends the VPLMN ID to the HSS, which saves it.
- Step 302: The IP Edge in the BBF access network allocates a local IP address to the UE, and the UE performs an IKEv2 tunnel establishment procedure with the ePDG.
- The ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; the 3GPP AAA server also interacts with the HSS.
- The UE selects the ePDG of the VPLMN according to the VPLMN ID sent by the BBF AAA: the UE constructs the FQDN using the VPLMN ID sent by the BBF AAA as the operator identifier, performs a DNS lookup, and obtains the IP address of the ePDG in that VPLMN.
- This step further includes: during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verifies whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the ePDG selected by the UE is located; if not, the HSS and/or the 3GPP AAA server returns a refusal message to the UE. Specifically:
- The UE sends an IKE authentication request (IKE_AUTH Request) to the ePDG, and the ePDG sends an Authentication and Authorization Request (AAR) message to the 3GPP AAA Proxy.
- The 3GPP AAA Proxy forwards the AAR message to the 3GPP AAA server, where the AAR message carries the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located.
- After receiving the AAR message from the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in the AAR message with the VPLMN ID it saved when the UE performed access authentication, or further requests from the HSS the VPLMN ID saved at access authentication. If they are inconsistent, a refusal is returned in the Authentication and Authorization Answer (AAA) message sent to the 3GPP AAA Proxy; the refusal may carry a reject cause value, namely that the VPLMN selection is inconsistent, and may also carry the VPLMN ID selected by the UE at access authentication.
- The 3GPP AAA Proxy sends the AAA message to the ePDG, and the ePDG sends an IKE authentication response (IKE_AUTH Answer) message to the UE; the IKE authentication response carries the refusal indication and the reject cause value, and may also carry the VPLMN ID from the UE's access authentication.
- Alternatively, the BBF AAA does not send the VPLMN ID to the UE in step 301; only in step 303 does the refusal message returned by the HSS and/or the 3GPP AAA server carry the VPLMN ID it saved, which triggers the UE to re-select the ePDG and then perform steps 303 to 312 again.
- This embodiment is based on the architecture diagram of FIG. 2 or FIG. 3 and implements the method for the UE to select the VPLMN. As shown in FIG. 8, the method includes the following steps:
- Step 401: The UE accesses the BBF access network and performs 3GPP-based authentication. During authentication, the 3GPP AAA Proxy returns to the BBF AAA the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located, or the BBF AAA obtains that VPLMN ID according to the communication peer address; the BBF AAA then sends the VPLMN ID to the UE.
- The 3GPP-based authentication is as follows: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; further, the 3GPP AAA server also interacts with the HSS. The BBF AAA further informs the IP Edge of the VPLMN ID.
- Further, the 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server, or the 3GPP AAA server obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located according to the communication peer address; the 3GPP AAA server saves the VPLMN ID and/or sends it to the HSS, and the HSS saves the VPLMN ID.
- Step 402: The IP Edge in the BBF access network allocates a local IP address to the UE.
- Step 403: The UE selects the ePDG of the VPLMN according to the VPLMN ID sent by the BBF AAA and performs the IKEv2 tunnel establishment process with the ePDG.
- During IKEv2 tunnel establishment, the ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; the 3GPP AAA server also interacts with the HSS.
- The UE selects the ePDG of the VPLMN as follows: the UE uses the VPLMN ID sent by the BBF AAA as the operator identifier to construct the FQDN, performs a DNS lookup, and obtains the IP address of the ePDG in the VPLMN.
- This step further includes: during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verify whether the VPLMN ID they saved is consistent with the VPLMN ID of the VPLMN where the ePDG selected by the UE is located. If it is not, the HSS and/or the 3GPP AAA server return a reject message to the UE; if it is, IKEv2 tunnel establishment continues until the tunnel is established.
- Specifically, the UE sends an IKE authentication request to the ePDG, the ePDG sends an AAR message to the 3GPP AAA Proxy, and the 3GPP AAA Proxy sends the AAR message to the 3GPP AAA server, where the AAR message carries the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located.
- After receiving the AAR message from the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in it with the VPLMN ID it saved when the UE performed access authentication, or further requests from the HSS the VPLMN ID saved at access authentication. If they are inconsistent, the AAA message returned to the 3GPP AAA Proxy carries a reject message; the reject message may carry a reject cause value, namely that the VPLMN selection is inconsistent, and may also carry the VPLMN ID selected when the UE performed access authentication.
- The 3GPP AAA Proxy forwards the AAA message to the ePDG, and the ePDG sends an IKE authentication response message to the UE carrying the reject indication and the reject cause value and/or the VPLMN ID selected when the UE performed access authentication; the cause value and the VPLMN ID can be delivered together, or only one of them.
- Step 404: Triggered by step 403, the ePDG initiates the gateway control session establishment process. Specifically, the ePDG sends a gateway control session establishment message to the H-PCRF through the V-PCRF, carrying the IP address of the UE, the user identifier, the PDN identifier and other information; the H-PCRF returns an acknowledgement message.
- Step 405: The ePDG selects the P-GW and sends a DSMIPv6 binding update message to the selected P-GW, and the P-GW establishes a binding context. The binding update message carries the CoA and HoA; in the binding message, the lifetime parameter is non-zero.
- Step 406: The P-GW sends an update P-GW IP address message to the 3GPP AAA server, carrying the IP address of the P-GW; the 3GPP AAA server further interacts with the HSS so that the address of the P-GW is saved in the HSS.
- Step 407: The PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the IP address of the UE and the NSWO-APN in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW.
- Step 408: The P-GW returns a binding acknowledgement message to the ePDG, carrying the IP address allocated to the UE.
- Step 409: The binding update is successful, and an IPSec tunnel is established between the UE and the ePDG.
- Step 411: Triggered by step 404, the V-PCRF initiates the gateway control session establishment procedure. Specifically, in the architecture shown in FIG. 2, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN; the BPCF receives the trigger message and sends a gateway control session establishment message to the V-PCRF, and the V-PCRF returns an acknowledgement message and initiates the gateway control session procedure towards the H-PCRF.
- Alternatively, in the architecture where the V-PCRF interacts with the IP Edge directly (FIG. 3), the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the IP Edge through the V-PCRF of the VPLMN, providing the local IP address of the UE; the IP Edge receives the trigger message and sends a gateway control session establishment message to the V-PCRF, and the V-PCRF returns an acknowledgement message and initiates the gateway control session procedure towards the H-PCRF.
- Step 412: The BPCF or the IP Edge returns an acknowledgement message to the H-PCRF.
- Alternatively, the BBF AAA does not send the VPLMN ID to the UE in step 401; instead, in step 403 the reject message returned by the HSS and/or the 3GPP AAA server further carries the VPLMN ID saved by itself, which triggers the UE to re-select the ePDG and then perform steps 403-412.
- This embodiment is based on the architecture diagram of FIG. 9 or FIG. 10 and implements the method for the UE to select the VPLMN. As shown in FIG. 11, the method includes the following steps:
- Step 501: The UE accesses the BBF access network and performs 3GPP-based authentication. During authentication, the 3GPP AAA Proxy returns to the BBF AAA the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located, or the BBF AAA obtains that VPLMN ID according to the communication peer address; the BBF AAA then sends the VPLMN ID to the UE.
- The 3GPP-based authentication is as follows: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; further, the 3GPP AAA server also interacts with the HSS.
- The BBF AAA further informs the IP Edge of the VPLMN ID. Further, the 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server, or the 3GPP AAA server obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located according to the communication peer address; the 3GPP AAA server saves the VPLMN ID and/or sends it to the HSS, and the HSS saves the VPLMN ID.
- Step 502: The IP Edge in the BBF access network allocates a local IP address to the UE.
- Step 503: The UE performs the Bootstrapping process, in which the UE selects the P-GW of the VPLMN according to the VPLMN ID sent by the BBF AAA and performs the IKEv2 tunnel establishment process with the P-GW.
- During IKEv2 tunnel establishment, the P-GW interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; the 3GPP AAA server also interacts with the HSS.
- The UE selects the P-GW of the VPLMN according to the VPLMN ID sent by the BBF AAA as follows: the UE uses that VPLMN ID as the operator identifier to construct the FQDN, performs a DNS lookup, and obtains the IP address of the P-GW in the VPLMN.
- This step further includes: during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verify whether the VPLMN ID they saved is consistent with the VPLMN ID of the VPLMN where the P-GW selected by the UE is located. If it is not, the HSS and/or the 3GPP AAA server return a reject message to the UE; if it is, IKEv2 tunnel establishment continues until the tunnel is established.
- Specifically, the UE sends an IKE authentication request to the P-GW, the P-GW sends an AAR message to the 3GPP AAA Proxy, and the 3GPP AAA Proxy sends the AAR message to the 3GPP AAA server, where the AAR message carries the VPLMN ID of the network where the 3GPP AAA Proxy is located.
- After receiving the AAR message from the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in it with the VPLMN ID it saved when the UE performed access authentication, or further requests from the HSS the VPLMN ID saved at access authentication. If they are inconsistent, the AAA message returned to the 3GPP AAA Proxy carries a reject message; the reject message may carry a reject cause value, namely that the VPLMN selection is inconsistent, and may also carry the VPLMN ID selected when the UE performed access authentication.
- The 3GPP AAA Proxy forwards the AAA message to the P-GW, and the P-GW sends an IKE authentication response (IKE_AUTH Answer) message to the UE carrying the reject indication and the reject cause value and/or the VPLMN ID selected when the UE performed access authentication; the cause value and the VPLMN ID can be delivered together, or only one of them.
- Step 504: The UE sends a DSMIPv6 binding update message to the P-GW, and the P-GW establishes a binding context. The binding update message carries the CoA and HoA; in the binding message, the lifetime parameter is non-zero.
- Step 505: The PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the IP address of the UE and the NSWO-APN in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW.
- Step 506: The P-GW returns a binding acknowledgement message to the UE.
- Step 507: Triggered by step 504, the V-PCRF initiates the gateway control session establishment procedure. Specifically, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN, providing the local IP address of the UE; the BPCF receives the trigger message and sends a gateway control session establishment message to the V-PCRF, and the V-PCRF returns an acknowledgement message and initiates the gateway control session procedure towards the H-PCRF.
- Alternatively, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the IP Edge through the V-PCRF of the VPLMN, providing the local IP address of the UE; the IP Edge receives the trigger message and sends a gateway control session establishment message to the V-PCRF, and the V-PCRF returns an acknowledgement message and initiates the gateway control session procedure towards the H-PCRF.
- Step 508: The BPCF or the IP Edge returns an acknowledgement message to the H-PCRF.
- Alternatively, the BBF AAA does not send the VPLMN ID to the UE in step 501; instead, in step 503 the reject message returned by the HSS and/or the 3GPP AAA server further carries the VPLMN ID saved by itself, which triggers the UE to re-select the P-GW and then perform steps 503-508.
- In summary, the authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication, and the UE selects the core network element of the VPLMN according to that VPLMN ID and completes the IKEv2 tunnel establishment process with that core network element. In this way, when the UE accesses 3GPP through the DSMIPv6 protocol, the ePDG selected by the UE and the 3GPP AAA Proxy are located in the same VPLMN.
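The procedure the three embodiments share (the UE derives the ePDG address from a VPLMN ID, the home AAA server compares the VPLMN ID carried in the AAR with the one saved at access authentication, and a reject carrying the saved ID lets the UE re-select) is simulated below as an added example; it is not code from the patent or from any operator's implementation. The VPLMN IDs, the DNS answers, the ePDG addresses and the cause value name are constructed sample data, and the FQDN layout assumes the operator-identifier form of 3GPP TS 23.003 (`epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org`, MNC zero-padded to three digits). The HSS lookup is folded into the AAA server object for brevity.

```python
"""Simulation of VPLMN selection with the AAA-side consistency check.

Added example, not code from the patent. Everything below (VPLMN IDs,
the DNS table, ePDG addresses, the cause value name) is constructed.
"""

# Constructed sample VPLMN IDs (MCC + MNC): two visited networks, each with
# its own 3GPP AAA Proxy and its own ePDG.
VPLMN_A = "26201"
VPLMN_B = "26202"


def epdg_fqdn(vplmn_id: str) -> str:
    """Build the ePDG FQDN from a VPLMN ID used as operator identifier.

    Assumes the TS 23.003 operator-identifier form
    epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org, where a two-digit
    MNC is zero-padded to three digits.
    """
    if not (vplmn_id.isdigit() and len(vplmn_id) in (5, 6)):
        raise ValueError(f"malformed VPLMN ID: {vplmn_id!r}")
    mcc, mnc = vplmn_id[:3], vplmn_id[3:].zfill(3)
    return f"epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


# Constructed DNS answers standing in for the real DNS lookup.
DNS = {
    epdg_fqdn(VPLMN_A): "198.51.100.10",
    epdg_fqdn(VPLMN_B): "198.51.100.20",
}
# The VPLMN each ePDG belongs to, i.e. whose 3GPP AAA Proxy relays its AAR.
EPDG_VPLMN = {"198.51.100.10": VPLMN_A, "198.51.100.20": VPLMN_B}

CAUSE_VPLMN_INCONSISTENT = "VPLMN_SELECTION_INCONSISTENT"  # constructed name


class AAAServer:
    """Home 3GPP AAA server; the HSS copy of the VPLMN ID is folded in."""

    def __init__(self):
        self.saved_vplmn = {}  # user id -> VPLMN ID saved at access auth

    def access_auth(self, user: str, proxy_vplmn: str) -> str:
        """Access authentication: remember the VPLMN of the relaying proxy."""
        self.saved_vplmn[user] = proxy_vplmn
        return proxy_vplmn  # the BBF AAA may forward this to the UE

    def handle_aar(self, user: str, proxy_vplmn: str) -> dict:
        """AAR relayed by a 3GPP AAA Proxy during IKEv2; proxy_vplmn is its ID."""
        saved = self.saved_vplmn.get(user)
        if saved is None or saved != proxy_vplmn:
            # Reject, carrying the cause and the VPLMN ID saved at access
            # authentication so the UE can re-select (None if nothing saved).
            return {"result": "reject", "cause": CAUSE_VPLMN_INCONSISTENT,
                    "vplmn_id": saved}
        return {"result": "accept"}


def select_epdg(vplmn_id: str) -> str:
    """UE side: operator-identifier FQDN plus DNS lookup gives the ePDG address."""
    return DNS[epdg_fqdn(vplmn_id)]


def attach(user: str, access_vplmn: str, ue_known_vplmn: str,
           bbf_sends_id: bool, max_attempts: int = 2):
    """Run access authentication, then IKEv2 attempts until the server accepts.

    access_vplmn   : VPLMN of the 3GPP AAA Proxy that relayed access auth
    ue_known_vplmn : VPLMN ID the UE would otherwise take from its own config
    bbf_sends_id   : whether the BBF AAA forwards the VPLMN ID to the UE
    Returns (ePDG address, number of IKEv2 attempts, per-attempt log).
    """
    server = AAAServer()
    announced = server.access_auth(user, access_vplmn)
    candidate = announced if bbf_sends_id else ue_known_vplmn
    log = []
    for attempt in range(1, max_attempts + 1):
        epdg = select_epdg(candidate)
        answer = server.handle_aar(user, EPDG_VPLMN[epdg])
        log.append((attempt, candidate, answer["result"]))
        if answer["result"] == "accept":
            return epdg, attempt, log
        if answer.get("vplmn_id") is None:
            break  # no saved ID to re-select with
        candidate = answer["vplmn_id"]  # re-select using the server's ID
    raise RuntimeError(f"no consistent ePDG found for {user}: {log}")
```

With `bbf_sends_id=True` the first IKEv2 attempt already lands on the ePDG of the VPLMN that served access authentication; with `bbf_sends_id=False` and a stale locally configured ID the first attempt is rejected and the ID carried in the reject drives the second, successful attempt. A user with no saved VPLMN ID is rejected with no ID to re-select with, which is why the loop stops rather than retrying blindly.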
Description
Method, system and device for user equipment to select a visited public land mobile network
Technical Field
The present invention relates to visited network selection techniques, and more particularly to a method, system and device for a user equipment in an Evolved Packet System (EPS) to select a visited public land mobile network.
Background Art
FIG. 1 is a schematic diagram of the EPS system architecture. As shown in FIG. 1, in the EPS of the 3rd Generation Partnership Project (3GPP), the EPS network architecture of the non-roaming scenario is composed of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW), the Home Subscriber Server (HSS), the Policy and Charging Rules Function (PCRF) and other supporting nodes such as the operator's IP service network. The PCRF is the core of Policy and Charging Control (PCC) and is responsible for policy decisions and for formulating charging rules. The PCRF provides network control rules based on service data flows; these include detection of service data flows, gating control, Quality of Service (QoS) control and flow-based charging rules. The PCRF sends the policy and charging rules it formulates to the Policy and Charging Enforcement Function (PCEF) for enforcement, and it must also ensure that these rules are consistent with the user's subscription information. The PCRF bases its policy and charging rules on: service-related information obtained from the Application Function (AF); the user's policy and charging control subscription information obtained from the Subscription Profile Repository (SPR); and bearer-related network information obtained from the PCEF.
EPS supports interworking with non-3GPP systems. Interworking with non-3GPP systems is implemented through the S2a/S2b/S2c interfaces, with the P-GW acting as the anchor between the 3GPP and non-3GPP systems. As shown in FIG. 1, in the EPS system non-3GPP systems are divided into trusted non-3GPP IP access networks and untrusted non-3GPP IP access networks. Both are authenticated by the EPS Authentication, Authorization and Accounting (AAA) server; a trusted non-3GPP IP access network can connect directly to the P-GW through the S2a interface, whereas an untrusted non-3GPP IP access network must connect to the P-GW through the Evolved Packet Data Gateway (ePDG) and can reach the P-GW only via the ePDG. The interface between the ePDG and the P-GW is S2b, and Internet Protocol Security (IPSec) is used between the User Equipment (UE) and the ePDG to encrypt and protect signalling and data. S2c provides user-plane related control and mobility support between the UE and the P-GW; the mobility management protocol it supports is Mobile IPv6 support for dual stack Hosts and Routers (DSMIPv6).
At present many operators pay close attention to Fixed Mobile Convergence (FMC) technology and have studied interworking between 3GPP and Broadband Forum (BBF) networks.
FIG. 2 is a schematic diagram of the home-routed roaming architecture in the policy interworking scenario in which a UE accesses the 3GPP core network through a BBF access network (also called a fixed broadband access network); in the figure, the BBF access network is regarded as an untrusted non-3GPP access network. The UE accesses the mobile core network through the BBF access network. At present, based on the architecture of FIG. 2, there are two ways of delivering services: in one, the service accessed by the UE has to be routed back to the EPC, and the routing mode is EPC-routed; in the other, the service accessed by the UE does not go back to the EPC but is routed directly from the BBF access network to the service network, which is called Non-Seamless WLAN Offload (NSWO). For the architecture shown in FIG. 2, the BBF access network must interwork with the Home Public Land Mobile Network (HPLMN) through the Visited Public Land Mobile Network (VPLMN), including authentication, data routing and policy control.
FIG. 3 is a schematic diagram of the home-routed roaming architecture in the policy convergence scenario in which a UE accesses the 3GPP core network through a BBF access network. The main difference from FIG. 2 is that the BBF access network and the VPLMN belong to the same operator; the V-PCRF supports interaction with the IP Edge through the Gxd interface, and the H-PCRF interacts with the BBF access network through the V-PCRF.
FIG. 4 is a flow chart of the attach procedure when a UE accesses 3GPP through the DSMIPv6 protocol, which specifically includes the following steps:
Step 101: The UE accesses the BBF access network and performs 3GPP-based authentication. During authentication, the 3GPP Authentication, Authorization and Accounting Proxy (3GPP AAA Proxy) returns to the Broadband Forum Authentication, Authorization and Accounting server (BBF AAA) the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located.
The 3GPP-based authentication is as follows: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete Extensible Authentication Protocol (EAP) authentication; further, the 3GPP AAA server also interacts with the HSS.
Step 102: The IP Edge in the BBF access network allocates a local IP address to the UE.
Step 103: The UE selects an ePDG located in the VPLMN and performs the Internet Key Exchange version 2 (IKEv2) tunnel establishment procedure with the ePDG.
During IKEv2 tunnel establishment, the ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication.
The UE selects the ePDG located in the VPLMN as follows: the UE may use static configuration or select the ePDG dynamically; when selecting the ePDG dynamically, the UE uses the VPLMN ID known to itself as the operator identifier to construct a fully qualified domain name (FQDN), performs a Domain Name System (DNS) lookup and obtains the IP address of the ePDG in the VPLMN. In this step, during EAP authentication the 3GPP AAA server also interacts with the HSS.
Step 104: The ePDG sends the last IKEv2 message to the UE, carrying the IP address allocated to the UE; this IP address is denoted IPAddress3 and serves as the care-of address (CoA) of the UE.
Step 105: An Internet Protocol Security (IPSec) tunnel is established between the UE and the ePDG.
Step 106: Triggered by step 103, the ePDG initiates the gateway control session establishment procedure. Specifically, the ePDG sends a gateway control session establishment message to the H-PCRF through the V-PCRF, carrying the IP address of the UE, the user identifier, the PDN identifier and other information; the H-PCRF returns an acknowledgement message.
Step 107: The UE performs the Bootstrapping procedure, in which the UE obtains the IP address of the P-GW of the PDN it wants to access, completes EAP authentication by communicating with the 3GPP AAA server through that P-GW, and the P-GW allocates an IPv6 address or prefix to the UE as the home address (HoA) of the UE.
In this step, during EAP authentication the 3GPP AAA server also interacts with the HSS. The UE obtains the IP address of the P-GW of the PDN it wants to access as follows: the UE performs a Domain Name System (DNS) lookup according to the Access Point Name (APN) and obtains the IP address of the P-GW of the PDN to be accessed.
DSMIPv6 messages are exchanged between the UE and the P-GW.
To protect the DSMIPv6 messages between the UE and the P-GW, the UE establishes a security association using IKEv2 and uses EAP for authentication.
Step 108: The UE sends a DSMIPv6 binding update message to the P-GW, and the P-GW establishes a binding context.
The binding update message carries the CoA and HoA; in the binding message, the lifetime parameter is non-zero.
Step 109: The PCEF in the P-GW sends an IP-Connectivity Access Network (IP-CAN) session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the IP address of the UE and the NSWO-APN in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW.
Step 110: The P-GW returns a binding acknowledgement message to the UE.
Step 111: The H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN; the BPCF returns an acknowledgement message through the V-PCRF and initiates the gateway control session establishment procedure towards the H-PCRF.
Step 112: The BPCF provides the policy to the IP Edge.
In the above access authentication procedure, when the UE selects the ePDG dynamically, it uses the VPLMN ID known to itself as the operator identifier to construct the FQDN and performs a DNS lookup to obtain the IP address of the ePDG in the VPLMN. However, there is no guarantee that the VPLMN ID known to the UE is the same as the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located; that is, there is no guarantee that the ePDG selected by the UE and the 3GPP AAA Proxy are in the same VPLMN, and consequently no guarantee that the V-PCRF selected for EPC-routed traffic and the V-PCRF selected for NSWO are the same one.
Summary of the Invention
Embodiments of the present invention mainly provide a method, system and device for a user equipment to select a visited public land mobile network, ensuring that when the UE accesses 3GPP through the DSMIPv6 protocol, the ePDG selected by the UE and the 3GPP AAA Proxy are located in the same VPLMN.
The technical solution of the embodiments of the present invention is implemented as follows:
An embodiment of the present invention provides a method for a UE to select a VPLMN, the method including: an authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication, and the UE selects a core network element of the VPLMN according to the VPLMN ID and performs the IKEv2 tunnel establishment procedure with that core network element.
In the above solution, the authentication server sending to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication is as follows:
the authentication server is the Broadband Forum Authentication, Authorization and Accounting server (BBF AAA); when the UE performs access authentication, the BBF AAA receives the VPLMN ID sent by the 3rd Generation Partnership Project Authentication, Authorization and Accounting Proxy (3GPP AAA Proxy), or obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address, and sends the VPLMN ID to the UE.
In the above solution, the authentication server sending to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication is as follows:
the authentication server is the HSS and/or the 3GPP AAA server; when the UE performs access authentication, the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy; during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verifies whether the VPLMN ID it saved is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, the HSS and/or the 3GPP AAA server returns a reject message to the UE carrying a reject cause value and the VPLMN ID saved by itself.
In the above solution, the core network element of the VPLMN is an ePDG or a P-GW.
In the above solution, the UE selects the core network element of the VPLMN according to the VPLMN ID as follows: the UE uses the VPLMN ID sent by the authentication server as the operator identifier to construct a fully qualified domain name (FQDN), performs a Domain Name System (DNS) lookup and obtains the IP address of the ePDG or P-GW in the VPLMN corresponding to the VPLMN ID.
In the above solution, the method further includes: when the UE performs access authentication, the HSS and/or the 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy; during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verifies whether the VPLMN ID it saved is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, the HSS and/or the 3GPP AAA server returns a reject message to the UE carrying a reject cause value and/or the VPLMN ID saved by itself.
An embodiment of the present invention provides a system for a UE to select a VPLMN, the system including an authentication server, a UE and a core network element of the VPLMN, where the authentication server is configured to send to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication;
the UE is configured to select the core network element of the VPLMN according to the VPLMN ID sent by the authentication server and to perform the IKEv2 tunnel establishment procedure with that core network element;
the core network element of the VPLMN is configured to complete the IKEv2 tunnel establishment procedure.
In the above solution, the authentication server is the BBF AAA, configured to, when the UE performs access authentication, receive the VPLMN ID sent by the 3GPP AAA Proxy or obtain the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located from the communication peer address, and send the VPLMN ID to the UE;
the system further includes a 3GPP AAA Proxy configured to send the VPLMN ID to the BBF AAA when the UE performs access authentication.
In the above solution, the system further includes an HSS and/or a 3GPP AAA server configured to save the VPLMN ID when the UE performs access authentication, to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, and if not, to return a reject message to the UE carrying a reject cause value and/or the VPLMN ID saved by itself.
上述方案中, 所述认证服务器为 HSS和 /或 3GPPAAA服务器, 配置为 在 UE执行接入认证时 ,保存 3GPP AAA Proxy发送的 VPLMN ID ,在 ΙΚΕν2 隧道建立的过程中, 验证自身保存的 VPLMN ID是否与 UE选择的核心网 网元所在 VPLMN的 VPLMN ID一致 , 在不一致时 , 所述 HSS和 /或 3GPP AAA服务器向 UE返回拒绝消息, 所述拒绝消息携带拒绝原因值和自身保 存的 VPLMN ID; In the above solution, the authentication server is an HSS and/or a 3GPP AAA server, and is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs the access authentication, and verify whether the saved VPLMN ID is in the process of establishing the ΙΚΕν2 tunnel. Consistent with the VPLMN ID of the VPLMN where the core network element selected by the UE is located, when the inconsistency, the HSS and/or the 3GPP AAA server returns a reject message to the UE, where the reject message carries the reject reason value and the VPLMN ID saved by itself;
该系统还包括: 3GPP AAA Proxy, 配置为在 UE执行接入认证时, 向 HSS和 /或 3GPPAAA月良务器发送 VPLMN ID。 上述方案中 , 所述 VPLMN的核心网网元为 ePDG或 P-GW。 The system further includes: a 3GPP AAA Proxy configured to send the VPLMN ID to the HSS and/or the 3GPP AAA server when the UE performs the access authentication. In the foregoing solution, the core network element of the VPLMN is an ePDG or a P-GW.
In the foregoing solution, the UE includes a network element selection module and a tunnel establishment module; wherein the network element selection module is configured to select the ePDG or P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server;
the tunnel establishment module is configured to perform the IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module.
In the foregoing solution, the network element selection module is configured to construct an FQDN using the VPLMN ID sent by the authentication server as the operator identifier, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to the VPLMN ID.
In the foregoing solution, the authentication server specifically includes an ID acquisition module, a verification module, and a response module; wherein
the ID acquisition module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID acquisition module is consistent with the VPLMN ID of the VPLMN in which the core network element selected by the UE is located, and, if they are inconsistent, to notify the response module to return a reject message to the UE;
the response module is configured to return a reject message to the UE, the reject message carrying a reject cause value and the VPLMN ID saved by the ID acquisition module.
An embodiment of the present invention provides a UE, the UE including a network element selection module and a tunnel establishment module; wherein
the network element selection module is configured to select the ePDG or P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server;
the tunnel establishment module is configured to perform the IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module.
An embodiment of the present invention provides an authentication server, the authentication server including an ID acquisition module, a verification module, and a response module; wherein
the ID acquisition module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID acquisition module is consistent with the VPLMN ID of the VPLMN in which the core network element selected by the UE is located, and, if they are inconsistent, to notify the response module to return a reject message to the UE;
the response module is configured to return a reject message to the UE.
The embodiments of the present invention provide a method, system and device for a user equipment to select a visited public land mobile network. The authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performs access authentication; the UE selects a core network element of the VPLMN according to the VPLMN ID and completes the IKEv2 tunnel establishment procedure with the core network element. In this way, when the UE accesses 3GPP via the DSMIPv6 protocol, it is ensured that the ePDG selected by the UE and the 3GPP AAA Proxy are located in the same VPLMN.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the system architecture of an EPS in the prior art;
FIG. 2 is a schematic diagram of the home-routed roaming architecture in a policy interworking scenario in which a UE accesses a 3GPP core network through a BBF access network in the prior art;
FIG. 3 is a schematic diagram of the home-routed roaming architecture in a policy convergence scenario in which a UE accesses a 3GPP core network through a BBF access network in the prior art;
FIG. 4 is a flow chart of the attach procedure when a UE accesses 3GPP via the DSMIPv6 protocol in the prior art;
FIG. 5 is a schematic flowchart of a method for implementing UE selection of a VPLMN according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a system for implementing UE selection of a VPLMN according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of a method for implementing UE selection of a VPLMN according to Embodiment 1 of the present invention;
FIG. 8 is a schematic flowchart of a method for implementing UE selection of a VPLMN according to Embodiment 2 of the present invention;
FIG. 9 is a schematic diagram of the home-routed roaming architecture in a policy interworking scenario in which a UE accesses a 3GPP core network through a BBF access network according to Embodiment 3 of the present invention;
FIG. 10 is a schematic diagram of the home-routed roaming architecture in a policy convergence scenario in which a UE accesses a 3GPP core network through a BBF access network according to Embodiment 3 of the present invention;
FIG. 11 is a schematic flowchart of a method for implementing UE selection of a VPLMN according to Embodiment 3 of the present invention.
Detailed Description
In the embodiments of the present invention, the authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performs access authentication; the UE selects a core network element of the VPLMN according to the VPLMN ID and performs the IKEv2 tunnel establishment procedure with the core network element.
The present invention is further described in detail below with reference to the drawings and specific embodiments.
An embodiment of the present invention implements a method for a UE to select a VPLMN. As shown in FIG. 5, the method includes the following steps:
Step 201: the authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performs access authentication;
Specifically, the authentication server is a BBF AAA; when the UE performs access authentication, the BBF AAA receives the VPLMN ID sent by the 3GPP AAA Proxy or obtains the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located from the communication peer address, and sends the VPLMN ID to the UE;
or, the authentication server is an HSS and/or a 3GPP AAA server; when the UE performs access authentication, the HSS and/or 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy, and during the EAP authentication of IKEv2 tunnel establishment the HSS and/or 3GPP AAA server verifies whether the VPLMN ID it has saved is consistent with the VPLMN ID of the VPLMN in which the core network element selected by the UE is located; if they are inconsistent, the HSS and/or 3GPP AAA server returns a reject message to the UE, the reject message carrying a reject cause value and the saved VPLMN ID.
Step 202: the UE selects a core network element of the VPLMN according to the VPLMN ID and completes the IKEv2 tunnel establishment procedure with the core network element;
the core network element of the VPLMN is generally an ePDG or a P-GW;
the UE selecting a core network element of the VPLMN according to the VPLMN ID is specifically: the UE constructs an FQDN using the VPLMN ID sent by the authentication server as the operator identifier, performs a DNS lookup, and obtains the IP address of the ePDG or P-GW in the VPLMN corresponding to the VPLMN ID;
this step further includes: when the authentication server is a BBF AAA, the HSS and/or 3GPP AAA server saves the VPLMN ID sent by the 3GPP AAA Proxy, and during IKEv2 tunnel establishment the HSS and/or 3GPP AAA server verifies whether the VPLMN ID it has saved is consistent with the VPLMN ID of the VPLMN in which the core network element selected by the UE is located; if they are inconsistent, the HSS and/or 3GPP AAA server returns a reject message to the UE, the reject message carrying a reject cause value and/or the saved VPLMN ID; if they are consistent, IKEv2 tunnel establishment continues until the IKEv2 tunnel is established.
When the core network element of the VPLMN is an ePDG, the method further includes: after the UE and the ePDG complete IKEv2 tunnel establishment, an IPSec tunnel is established between the UE and the ePDG;
Further, the method further includes: the ePDG initiates a gateway control session establishment procedure; the UE performs the Bootstrapping procedure and then sends a DSMIPv6 Binding Update message to the P-GW, and the P-GW establishes a binding context; the PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the IP address of the UE and the NSWO-APN carried in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW; the P-GW returns a Binding Acknowledgement message to the UE; the H-PCRF sends a PCRF-initiated gateway control session trigger message to the BPCF through the V-PCRF of the VPLMN, and the BPCF returns an acknowledgement message through the V-PCRF and initiates a gateway control session establishment procedure towards the H-PCRF; the BPCF provides the QoS policy to the IP Edge.
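As an added example, not part of the patent text, the following Python models the UE-side network element selection of step 202 for the ePDG case: the VPLMN ID received from the authentication server is checked to be a well-formed PLMN ID, split into MCC and MNC, turned into an FQDN, and resolved. The page does not specify the FQDN format; the example assumes the ePDG operator-identifier FQDN defined in 3GPP TS 23.003, epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org, with a two-digit MNC zero-padded to three digits. The DNS answers are a constructed in-memory table rather than a live resolver, and all function and variable names are the example's own.

```python
"""Added example: UE-side ePDG selection from a VPLMN ID (step 202).

Assumption (not from the page): FQDN format per 3GPP TS 23.003,
    epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
The DNS table below is constructed for the example; it stands in for a
real resolver so the code runs offline.
"""
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for DNS: FQDN -> ePDG IP address (documentation prefix).
CONSTRUCTED_DNS: Dict[str, str] = {
    "epdg.epc.mnc001.mcc001.pub.3gppnetwork.org": "192.0.2.10",  # VPLMN 00101
    "epdg.epc.mnc002.mcc001.pub.3gppnetwork.org": "192.0.2.20",  # VPLMN 001002
}

# A PLMN ID is a 3-digit MCC followed by a 2- or 3-digit MNC, digits only.
_PLMN_ID = re.compile(r"^(?P<mcc>[0-9]{3})(?P<mnc>[0-9]{2,3})$")


def is_valid_vplmn_id(vplmn_id: str) -> bool:
    """True only for a syntactically valid PLMN ID."""
    return _PLMN_ID.match(vplmn_id) is not None


def split_plmn_id(vplmn_id: str) -> Tuple[str, str]:
    """Split a PLMN ID into (MCC, MNC), padding a 2-digit MNC to 3 digits as
    the FQDN form requires.  Rejects anything else, so a value received from
    the authentication server is never spliced into a DNS name unchecked."""
    m = _PLMN_ID.match(vplmn_id)
    if m is None:
        raise ValueError(f"malformed VPLMN ID: {vplmn_id!r}")
    return m.group("mcc"), m.group("mnc").zfill(3)


def build_epdg_fqdn(vplmn_id: str) -> str:
    """Construct the operator-identifier FQDN of the ePDG in the VPLMN
    identified by vplmn_id (assumed TS 23.003 format, see module docstring)."""
    mcc, mnc = split_plmn_id(vplmn_id)
    return f"epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


def select_epdg(vplmn_id: str,
                resolve: Callable[[str], Optional[str]] = CONSTRUCTED_DNS.get
                ) -> Optional[str]:
    """Step 202 on the UE: build the FQDN from the VPLMN ID the authentication
    server supplied and perform the DNS lookup.  Returns the ePDG IP address,
    or None when the name does not resolve (the UE then has no ePDG to use)."""
    return resolve(build_epdg_fqdn(vplmn_id))


if __name__ == "__main__":
    for vid in ("00101", "001002", "00199"):
        print(vid, "->", build_epdg_fqdn(vid), "->", select_epdg(vid))
```

The UE can only check that the ID is well-formed and that the name resolves; it cannot tell from DNS alone whether the resolved ePDG really sits in the VPLMN that served its access authentication. That gap is what the HSS and/or 3GPP AAA server check during IKEv2 tunnel establishment closes.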
In order to implement the foregoing method, an embodiment of the present invention further provides a system for a UE to select a VPLMN. As shown in FIG. 6, the system includes: an authentication server 61, a UE 62, and a core network element 63 of the VPLMN; wherein
the authentication server 61 is configured to send to the UE 62 the VPLMN ID of the VPLMN selected when the UE 62 performs access authentication;
the UE 62 is configured to select a core network element 63 of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61, and to perform the IKEv2 tunnel establishment procedure with the core network element 63;
the core network element 63 of the VPLMN is configured to complete the IKEv2 tunnel establishment procedure. The authentication server 61 is a BBF AAA, configured to, when the UE 62 performs access authentication, receive the VPLMN ID sent by the 3GPP AAA Proxy 64 or obtain the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy 64 is located from the communication peer address, and to send the VPLMN ID to the UE 62;
the system further includes a 3GPP AAA Proxy 64, configured to send the VPLMN ID to the BBF AAA when the UE 62 performs access authentication;
the system further includes an HSS and/or a 3GPP AAA server, configured to save the VPLMN ID sent by the 3GPP AAA Proxy 64 when the UE 62 performs access authentication, to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN in which the core network element 63 selected by the UE 62 is located, and, if they are inconsistent, to return a reject message to the UE 62, the reject message carrying a reject cause value and/or the saved VPLMN ID;
or, the authentication server 61 is an HSS and/or a 3GPP AAA server, configured to save the VPLMN ID sent by the 3GPP AAA Proxy 64 when the UE 62 performs access authentication, and to verify during IKEv2 tunnel establishment whether the saved VPLMN ID is consistent with the VPLMN ID of the VPLMN in which the core network element 63 selected by the UE 62 is located; if they are inconsistent, the HSS and/or 3GPP AAA server returns a reject message to the UE 62, the reject message carrying a reject cause value and the saved VPLMN ID; the system further includes a 3GPP AAA Proxy 64, configured to send the VPLMN ID to the HSS and/or 3GPP AAA server when the UE 62 performs access authentication.
The core network element 63 of the VPLMN is generally an ePDG or a P-GW;
the UE 62 specifically includes a network element selection module 621 and a tunnel establishment module 622; wherein the network element selection module 621 is configured to select the ePDG or P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61;
the tunnel establishment module 622 is configured to perform the IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module 621;
the network element selection module 621 is specifically configured to construct an FQDN using the VPLMN ID sent by the authentication server 61 as the operator identifier, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to the VPLMN ID.
When the authentication server 61 is an HSS and/or a 3GPP AAA server, it specifically includes an ID acquisition module, a verification module, and a response module; wherein
the ID acquisition module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE 62 performs access authentication;
the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID acquisition module is consistent with the VPLMN ID of the VPLMN in which the core network element 63 selected by the UE 62 is located, and, if they are inconsistent, to notify the response module to return a reject message to the UE 62; the response module is configured to return a reject message to the UE 62, the reject message carrying a reject cause value and the VPLMN ID saved by the ID acquisition module.
Based on the foregoing system, an embodiment of the present invention further provides a UE. As shown in FIG. 6, the UE 62 includes a network element selection module 621 and a tunnel establishment module 622; wherein
the network element selection module 621 is configured to select the ePDG or P-GW of the VPLMN according to the VPLMN ID of the VPLMN sent by the authentication server 61;
the tunnel establishment module 622 is configured to perform the IKEv2 tunnel establishment procedure with the ePDG or P-GW selected by the network element selection module 621;
the network element selection module 621 is specifically configured to construct an FQDN using the VPLMN ID sent by the authentication server 61 as the operator identifier, perform a DNS lookup, and obtain the IP address of the ePDG or P-GW in the VPLMN corresponding to the VPLMN ID.
Based on the foregoing system, an embodiment of the present invention further provides an authentication server, the authentication server being an HSS and/or a 3GPP AAA server and including an ID acquisition module, a verification module, and a response module; wherein
the ID acquisition module is configured to save the VPLMN ID sent by the 3GPP AAA Proxy when the UE performs access authentication;
the verification module is configured to verify, during IKEv2 tunnel establishment, whether the VPLMN ID saved by the ID acquisition module is consistent with the VPLMN ID of the VPLMN in which the core network element selected by the UE is located, and, if they are inconsistent, to notify the response module to return a reject message to the UE;
the response module is configured to return a reject message to the UE, the reject message carrying a reject cause value and/or the VPLMN ID saved by the ID acquisition module.
Embodiment 1
This embodiment is based on the architecture of FIG. 2 or FIG. 3. The method for a UE to select a VPLMN implemented in this embodiment, as shown in FIG. 7, includes the following steps:
Step 301: the UE accesses the BBF access network and performs 3GPP-based authentication; during the authentication procedure, the 3GPP AAA Proxy returns to the BBF AAA the VPLMN ID of the VPLMN in which it is located, or the BBF AAA obtains the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located from the communication peer address; the BBF AAA sends the VPLMN ID to the UE;
the performing of 3GPP-based authentication is: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; further, the 3GPP AAA server also interacts with the HSS.
The BBF AAA further notifies the IP Edge of the VPLMN ID;
further, the 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server, or the 3GPP AAA server obtains the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located from the communication peer address; the 3GPP AAA server saves the VPLMN ID, and/or the 3GPP AAA server sends the VPLMN ID to the HSS and the HSS saves the VPLMN ID.
Step 302: the IP Edge in the BBF access network allocates a local IP address to the UE; and the UE performs the IKEv2 tunnel establishment procedure with the ePDG;
during IKEv2 tunnel establishment, the ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication;
the UE selecting the ePDG of the VPLMN according to the VPLMN ID sent by the BBF AAA is: the UE constructs an FQDN using the VPLMN ID sent by the BBF AAA as the operator identifier, performs a DNS lookup, and obtains the IP address of the ePDG in the VPLMN;
in this step, during EAP authentication, the 3GPP AAA server also interacts with the HSS; this step further includes: during IKEv2 tunnel establishment, the HSS and/or 3GPP AAA server verifies whether the VPLMN ID it has saved is consistent with the VPLMN ID of the VPLMN in which the ePDG selected by the UE is located; if they are inconsistent, the HSS and/or 3GPP AAA server returns a reject message to the UE, the reject message carrying a reject cause value; if they are consistent, IKEv2 tunnel establishment continues until the IKEv2 tunnel is established;
Specifically, the UE sends an IKE authentication request (IKE_AUTH Request) to the ePDG; the ePDG sends an Authentication and Authorization Request (AAR) message to the 3GPP AAA Proxy; the 3GPP AAA Proxy sends the AAR message to the 3GPP AAA server, the AAR message carrying the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located; after receiving the AAR message sent by the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in the AAR message with the VPLMN ID that the 3GPP AAA server saved at UE access authentication, or with the VPLMN ID saved at user access authentication that it further requests from the HSS; if they are inconsistent, it returns a reject in the Authentication and Authorization Answer (AAA) message returned to the 3GPP AAA Proxy; the reject message may carry a reject cause value, namely that the VPLMN selection is inconsistent, and may also carry the VPLMN ID selected at UE access authentication; the 3GPP AAA Proxy forwards the AAA message to the ePDG; the ePDG sends an IKE authentication answer (IKE_AUTH Answer) message to the UE, the IKE authentication answer message carrying a reject indication and the reject cause value, and the IKE authentication answer message may also carry the VPLMN ID selected at UE access authentication, where the cause value and the VPLMN ID may be delivered together or either one of them may be delivered.
Steps 304 to 312 are the same as steps 104 to 112.
In another embodiment, the BBF AAA does not send the VPLMN ID to the UE in step 301; instead, only in step 303, the reject message returned by the HSS and/or 3GPP AAA server also carries the VPLMN ID it has saved, which triggers the UE to perform ePDG selection again, after which steps 303 to 312 are performed again.
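As an added example, not part of the patent text, the following Python models the server-side consistency check of step 303 and the alternative embodiment just described: the HSS/3GPP AAA server role saves the VPLMN ID per user at access authentication, compares it with the VPLMN ID the 3GPP AAA Proxy stamps on the AAR, and answers with a reject that carries the cause value, the saved VPLMN ID, or both; the ePDG maps that answer into the IKE_AUTH Answer to the UE; and a UE that receives a VPLMN ID in the reject reselects its ePDG and retries once. Messages are plain dictionaries, the cause label and user name are constructed, and ePDG selection is represented by the VPLMN ID alone (FQDN construction and DNS are left out here).

```python
"""Added example: HSS/3GPP AAA server verification of the VPLMN ID during
IKEv2/EAP (step 303) and UE reselection on a reject carrying the saved ID.

Constructed values: the cause label below is the example's own, not a
standardised Diameter or IKEv2 code; user names and PLMN IDs are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Reject cause "VPLMN selection inconsistent" (constructed label).
REJECT_CAUSE_VPLMN_MISMATCH = "VPLMN_SELECTION_INCONSISTENT"


@dataclass
class AuthServer:
    """HSS and/or 3GPP AAA server role.

    saved            : VPLMN ID recorded per user at access authentication
                       (the ID acquisition module).
    include_cause    : whether the reject carries the cause value.
    include_vplmn_id : whether the reject carries the saved VPLMN ID
                       (the alternative embodiment relies on this being True).
    """
    saved: Dict[str, str] = field(default_factory=dict)
    include_cause: bool = True
    include_vplmn_id: bool = True

    def access_authentication(self, user: str, proxy_vplmn_id: str) -> None:
        """Step 301: save the VPLMN ID reported by the 3GPP AAA Proxy."""
        self.saved[user] = proxy_vplmn_id

    def handle_aar(self, user: str, aar_vplmn_id: str) -> dict:
        """Step 303, verification module: compare the VPLMN ID carried in the
        AAR with the saved one and build the AAA answer."""
        if user not in self.saved:
            # Not covered by the page; the example fails closed rather than
            # accepting an IKEv2 attempt with no prior access authentication.
            raise LookupError(f"no access authentication on record for {user!r}")
        if self.saved[user] == aar_vplmn_id:
            return {"result": "success"}
        answer = {"result": "reject"}
        if self.include_cause:
            answer["cause"] = REJECT_CAUSE_VPLMN_MISMATCH
        if self.include_vplmn_id:
            answer["vplmn_id"] = self.saved[user]
        return answer


def epdg_ike_auth(user: str, epdg_vplmn_id: str, server: AuthServer) -> dict:
    """ePDG receives IKE_AUTH Request, sends AAR via the 3GPP AAA Proxy (which
    is in the same VPLMN as the ePDG and stamps that VPLMN ID on the AAR), and
    maps the AAA answer onto the IKE_AUTH Answer returned to the UE."""
    aar = {"user": user, "vplmn_id": epdg_vplmn_id}
    aaa = server.handle_aar(aar["user"], aar["vplmn_id"])
    if aaa["result"] == "success":
        return {"status": "accepted"}
    ike_auth_answer = {"status": "rejected"}
    for key in ("cause", "vplmn_id"):        # forward whatever the server included
        if key in aaa:
            ike_auth_answer[key] = aaa[key]
    return ike_auth_answer


def ue_attach(user: str, initial_vplmn_id: str, server: AuthServer,
              max_attempts: int = 2) -> Tuple[str, str]:
    """UE side: try IKEv2 towards the ePDG of initial_vplmn_id.  On a reject
    that carries a different VPLMN ID, reselect the ePDG of that VPLMN and
    retry (alternative embodiment).  A reject without a usable ID stops the
    procedure; max_attempts bounds the retries."""
    vplmn = initial_vplmn_id
    for _ in range(max_attempts):
        answer = epdg_ike_auth(user, vplmn, server)
        if answer["status"] == "accepted":
            return ("established", vplmn)
        hint = answer.get("vplmn_id")
        if hint and hint != vplmn:
            vplmn = hint                    # trigger ePDG reselection
            continue
        return ("rejected", vplmn)
    return ("rejected", vplmn)


if __name__ == "__main__":
    srv = AuthServer()
    srv.access_authentication("user1", "00101")
    print(epdg_ike_auth("user1", "00102", srv))   # reject with cause and saved ID
    print(ue_attach("user1", "00102", srv))       # UE reselects 00101 and succeeds
```

With `include_vplmn_id=False` the server behaves as in the main flow of Embodiment 1, where the reject carries only the cause value: the UE learns that its selection was inconsistent but has no ID to reselect from, and the attach ends rejected instead of looping.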
实施例二 Embodiment 2
本实施例基于图 2或 3的架构图,本实施例实现 UE选择 VPLMN的方 法, 如图 8所示, 包括以下步驟: The embodiment is based on the architecture diagram of FIG. 2 or 3. In this embodiment, the method for the UE to select the VPLMN is implemented. As shown in FIG. 8, the method includes the following steps:
步驟 401 , UE接入 BBF接入网, 执行基于 3GPP的认证, 在认证过程 中, 3GPPAAA Proxy向 BBF AAA返回自身所在 VPLMN的 VPLMN ID或 BBF AAA根据通信对端地址获取 3GPP AAA Proxy所在 VPLMN的 VPLMN ID , 所述 BBF AAA将所述 VPLMN ID发送给 UE; Step 401: The UE accesses the BBF access network, and performs 3GPP-based authentication. In the authentication process, the 3GPP AAA Proxy returns the VPLMN ID of the VPLMN where the BVPMN is located or the BBF AAA of the VPLMN where the 3GPP AAA Proxy is located according to the communication peer address. ID, the BBF AAA sends the VPLMN ID to the UE;
所述执行基于 3GPP的认证为: BBF AAA通过 3GPP AAA Proxy与 3GPP AAA服务器进行交互, 完成 EAP认证, 进一步的, 3GPPAAA月良务器还与 HSS进行交互。 BBF AAA进一步将 VPLMN ID通知给 IP Edge; The performing 3GPP-based authentication is: BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication. Further, the 3GPP AAA server also interacts with the HSS. BBF AAA further informs the IP Edge of the VPLMN ID;
进一步的, 所述 3GPP AAA Proxy将 VPLMN ID上报给 3GPP AAA服 务器或者 3GPP AAA服务器根据通信对端地址获取 3GPP AAA Proxy所在 VPLMN的 VPLMN ID, 3GPP AAA服务器保存所述 VPLMN ID,和 /或 3GPP AAA服务器将所述 VPLMN ID发送至 HSS , HSS保存所述 VPLMN ID。 Further, the 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server or the 3GPP AAA server obtains the VPLMN ID of the VPLMN where the 3GPP AAA Proxy is located according to the communication peer address, and the 3GPP AAA server saves the VPLMN ID, and/or the 3GPP AAA server. The VPLMN ID is sent to the HSS, and the HSS saves the VPLMN ID.
Step 402: The IP Edge in the BBF access network allocates a local IP address to the UE; and the IKEv2 tunnel establishment procedure is performed with the ePDG.
During IKEv2 tunnel establishment, the ePDG interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication.
The UE selects the ePDG of the VPLMN according to the VPLMN ID sent by the BBF AAA as follows: the UE constructs an FQDN using the VPLMN ID sent by the BBF AAA as the operator identifier, performs a DNS lookup, and obtains the IP address of the ePDG in the VPLMN.
In this step, during the EAP authentication process, the 3GPP AAA server also interacts with the HSS. This step further includes: during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verify whether the VPLMN ID they have stored is consistent with the VPLMN ID of the VPLMN in which the ePDG selected by the UE is located; if they are inconsistent, the HSS and/or the 3GPP AAA server return a reject message to the UE; if they are consistent, IKEv2 tunnel establishment continues until the IKEv2 tunnel is established.
Specifically, the UE sends an IKE authentication request to the ePDG; the ePDG sends an AAR message to the 3GPP AAA Proxy; the 3GPP AAA Proxy sends an AAR message to the 3GPP AAA server, the AAR message carrying the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located. After receiving the AAR message sent by the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in the AAR message with the VPLMN ID that the 3GPP AAA server stored during the UE's access authentication, or further requests from the HSS the VPLMN ID stored during the user's access authentication and compares against that. If they are inconsistent, a reject message is returned in the AAA message sent back to the 3GPP AAA Proxy; the reject message may carry a reject cause value, namely "VPLMN selection inconsistent", and may also carry the VPLMN ID selected during the UE's access authentication. The 3GPP AAA Proxy forwards the AAA message to the ePDG, and the ePDG sends an IKE authentication response message to the UE, which carries a reject indication and the reject cause value, and may also carry the VPLMN ID selected during the UE's access authentication; the cause value and the VPLMN ID may be delivered together, or either one of them alone.
Step 404: Triggered by step 403, the ePDG initiates the gateway control session establishment procedure. Specifically, the ePDG sends a gateway control session establishment message to the H-PCRF through the V-PCRF, carrying information such as the UE's IP address, the user identifier and the PDN identifier; the H-PCRF returns an acknowledgement message.
Step 405: After selecting a P-GW, the ePDG sends a DSMIPv6 binding update message to the selected P-GW, and the P-GW establishes a binding context.
The binding update message carries the CoA and the HoA; in the binding message, the lifetime parameter is non-zero.
Step 406: The P-GW sends an update P-GW IP address message to the 3GPP AAA server, delivering the IP address of the P-GW to the 3GPP AAA server.
The 3GPP AAA server further interacts with the HSS to store the address of the P-GW in the HSS.
Step 407: The PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the UE's IP address and the NSWO-APN carried in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW.
Step 408: The P-GW returns a binding acknowledgement message to the ePDG, carrying the IP address allocated to the UE.
Step 409: The binding update succeeds, and an IPsec tunnel is established between the UE and the ePDG.
Step 410: The ePDG sends the last IKEv2 message to the UE, carrying the UE's IP address.
Step 411: Triggered by step 404, the V-PCRF initiates the gateway control session establishment procedure. Specifically, in the architecture shown in FIG. 2, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN, providing the UE's local IP address; on receiving the trigger message, the BPCF sends a gateway control session establishment message to the V-PCRF; the V-PCRF returns an acknowledgement message and initiates the gateway control session establishment procedure towards the H-PCRF.
In the architecture shown in FIG. 3, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the IP Edge through the V-PCRF of the VPLMN, providing the UE's local IP address; on receiving the trigger message, the IP Edge sends a gateway control session establishment message to the V-PCRF; the V-PCRF returns an acknowledgement message and initiates the gateway control session establishment procedure towards the H-PCRF.
Step 412: The BPCF or the IP Edge returns an acknowledgement message to the H-PCRF.
In another embodiment, the BBF AAA does not send the VPLMN ID to the UE in step 401; instead, only in step 403 does the reject message returned by the HSS and/or the 3GPP AAA server additionally carry the VPLMN ID they have stored, which triggers the UE to perform ePDG selection again and then execute steps 403 to 412.
Embodiment 3
This embodiment is based on the architecture shown in FIG. 9 or FIG. 10. The method by which the UE selects the VPLMN in this embodiment, as shown in FIG. 11, includes the following steps:
Step 501: The UE accesses the BBF access network and performs 3GPP-based authentication. During the authentication process, the 3GPP AAA Proxy returns to the BBF AAA the VPLMN ID of the VPLMN in which it is located, or the BBF AAA obtains the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located from the address of the communication peer; the BBF AAA then sends the VPLMN ID to the UE.
Performing 3GPP-based authentication means: the BBF AAA interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication; further, the 3GPP AAA server also interacts with the HSS.
The BBF AAA further notifies the IP Edge of the VPLMN ID.
Further, the 3GPP AAA Proxy reports the VPLMN ID to the 3GPP AAA server, or the 3GPP AAA server obtains the VPLMN ID of the VPLMN in which the 3GPP AAA Proxy is located from the address of the communication peer; the 3GPP AAA server stores the VPLMN ID, and/or the 3GPP AAA server sends the VPLMN ID to the HSS, and the HSS stores the VPLMN ID.
Step 502: The IP Edge in the BBF access network allocates a local IP address to the UE.
Step 503: The UE performs the bootstrapping procedure, in which the UE selects the P-GW of the VPLMN according to the VPLMN ID sent by the BBF AAA and performs the IKEv2 tunnel establishment procedure with that P-GW.
During IKEv2 tunnel establishment, the P-GW interacts with the 3GPP AAA server through the 3GPP AAA Proxy to complete EAP authentication.
The UE selects the P-GW of the VPLMN according to the VPLMN ID sent by the BBF AAA as follows: the UE constructs an FQDN using the VPLMN ID sent by the BBF AAA as the operator identifier, performs a DNS lookup, and obtains the IP address of the P-GW in the VPLMN.
In this step, during the EAP authentication process, the 3GPP AAA server also interacts with the HSS. This step further includes: during IKEv2 tunnel establishment, the HSS and/or the 3GPP AAA server verify whether the VPLMN ID they have stored is consistent with the VPLMN ID of the VPLMN in which the P-GW selected by the UE is located; if they are inconsistent, the HSS and/or the 3GPP AAA server return a reject message to the UE; if they are consistent, IKEv2 tunnel establishment continues until the IKEv2 tunnel is established.
Specifically, the UE sends an IKE authentication request to the P-GW; the P-GW sends an AAR message to the 3GPP AAA Proxy; the 3GPP AAA Proxy sends an AAR message to the 3GPP AAA server, the AAR message carrying the VPLMN ID of the network in which the 3GPP AAA Proxy is located. After receiving the message sent by the 3GPP AAA Proxy, the 3GPP AAA server compares the VPLMN ID carried in the message with the VPLMN ID that the 3GPP AAA server stored during the UE's access authentication, or further requests from the HSS the VPLMN ID stored during the UE's access authentication and compares against that. If they are inconsistent, a reject message is returned in the AAA message sent back to the 3GPP AAA Proxy; the reject message may carry a reject cause value, namely "VPLMN selection inconsistent", and may also carry the VPLMN ID selected during the UE's access authentication. The 3GPP AAA Proxy forwards the AAA message to the P-GW, and the P-GW sends an IKE authentication response (IKE_AUTH Answer) to the UE, which carries a reject indication and the reject cause value, and may also carry the VPLMN ID selected during the UE's access authentication; the cause value and the VPLMN ID may be delivered together, or either one of them alone.
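The VPLMN-consistency check of step 403 (Embodiment 2) and step 503 (Embodiment 3), modelled as an added Python example that is not part of the patent: the 3GPP AAA server compares the VPLMN ID carried in the AAR with the one saved at access authentication (asking the HSS when its own copy is missing), answers with a reject cause and the saved VPLMN ID on mismatch, and the UE rebuilds the gateway FQDN from the returned ID and reselects once. The IMSI, the VPLMN IDs, the cause string and any node label other than "epdg" are constructed assumptions of this example.

```python
"""Added example, not code from the patent: the 3GPP AAA server / HSS check on the
AAR received during IKEv2 tunnel setup (step 403 / step 503), the FQDN the UE builds
from a VPLMN ID, and the UE's reselection when the reject carries the saved VPLMN ID
(the alternative embodiment). IMSI, VPLMN IDs and cause strings are constructed."""
from dataclasses import dataclass, field

# Constructed cause value standing in for "VPLMN selection inconsistent".
CAUSE_VPLMN_MISMATCH = "VPLMN_SELECTION_INCONSISTENT"


def gateway_fqdn(vplmn_id: str, node: str = "epdg") -> str:
    """FQDN the UE resolves to find the gateway in the VPLMN identified by vplmn_id
    (3-digit MCC followed by a 2- or 3-digit MNC). The "epdg" label follows the 3GPP
    operator-domain form; any other node label is an assumption of this example."""
    if not vplmn_id.isdigit() or len(vplmn_id) not in (5, 6):
        raise ValueError("VPLMN ID must be a 3-digit MCC plus a 2- or 3-digit MNC")
    mcc, mnc = vplmn_id[:3], vplmn_id[3:].zfill(3)  # MNC is zero-padded to 3 digits
    return f"{node}.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


@dataclass
class Hss:
    """HSS record: VPLMN ID saved at access authentication (step 401 / 501)."""
    vplmn_by_imsi: dict = field(default_factory=dict)


@dataclass
class AaaServer:
    """3GPP AAA server holding its own copy of the saved VPLMN ID and an HSS to ask."""
    hss: Hss
    vplmn_by_imsi: dict = field(default_factory=dict)

    def on_access_auth(self, imsi: str, proxy_vplmn: str, to_hss: bool = True) -> None:
        """Step 401 / 501: the proxy that relayed EAP reported its VPLMN ID; save it."""
        self.vplmn_by_imsi[imsi] = proxy_vplmn
        if to_hss:
            self.hss.vplmn_by_imsi[imsi] = proxy_vplmn

    def on_aar(self, imsi: str, proxy_vplmn: str) -> dict:
        """Step 403 / 503: AAR relayed by the proxy of the VPLMN the chosen gateway is
        in. Compare its VPLMN ID with the saved one (HSS if the local copy is missing)
        and answer ACCEPT, or REJECT with a cause and the saved VPLMN ID."""
        saved = self.vplmn_by_imsi.get(imsi) or self.hss.vplmn_by_imsi.get(imsi)
        if saved is None:
            return {"result": "REJECT", "cause": "NO_ACCESS_AUTH_RECORD"}
        if saved != proxy_vplmn:
            return {"result": "REJECT", "cause": CAUSE_VPLMN_MISMATCH, "vplmn_id": saved}
        return {"result": "ACCEPT"}


def ue_tunnel_setup(aaa: AaaServer, imsi: str, vplmn_id: str, node: str = "epdg") -> dict:
    """UE side: resolve the gateway in vplmn_id and run IKE_AUTH. The gateway's AAA
    proxy sits in the same VPLMN, so the AAR carries vplmn_id. If the reject returns
    the saved VPLMN ID, reselect in that VPLMN once and retry."""
    attempts = 0
    while True:
        attempts += 1
        fqdn = gateway_fqdn(vplmn_id, node)
        answer = aaa.on_aar(imsi, vplmn_id)  # IKE_AUTH request -> AAR -> AAA answer
        if answer["result"] == "ACCEPT":
            return {"ok": True, "vplmn_id": vplmn_id, "fqdn": fqdn, "attempts": attempts}
        if "vplmn_id" in answer and attempts == 1:
            vplmn_id = answer["vplmn_id"]  # reselect using the VPLMN ID we were told
            continue
        return {"ok": False, "cause": answer["cause"], "attempts": attempts}


if __name__ == "__main__":
    aaa = AaaServer(Hss())
    aaa.on_access_auth("001010123456789", "46000")  # constructed IMSI, VPLMN 460/00
    print(ue_tunnel_setup(aaa, "001010123456789", "46001"))  # mismatch, then reselect
```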
Step 504: The UE sends a DSMIPv6 binding update message to the P-GW, and the P-GW establishes a binding context.
The binding update message carries the CoA and the HoA; in the binding message, the lifetime parameter is non-zero.
Step 505: The PCEF in the P-GW sends an IP-CAN session establishment indication message to the H-PCRF; the H-PCRF performs QoS authorization according to the user identifier, the UE's IP address and the NSWO-APN carried in the IP-CAN session establishment indication message, and returns an acknowledgement message to the PCEF in the P-GW.
Step 506: The P-GW returns a binding acknowledgement message to the UE.
Step 507: Triggered by step 504, the V-PCRF initiates the gateway control session establishment procedure. Specifically, in the architecture shown in FIG. 9, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the BPCF through the V-PCRF of the VPLMN, providing the UE's local IP address; on receiving the trigger message, the BPCF sends a gateway control session establishment message to the V-PCRF; the V-PCRF returns an acknowledgement message and initiates the gateway control session establishment procedure towards the H-PCRF.
In the architecture shown in FIG. 10, the H-PCRF sends a PCRF-initiated gateway control session establishment trigger message to the IP Edge through the V-PCRF of the VPLMN, providing the UE's local IP address; on receiving the trigger message, the IP Edge sends a gateway control session establishment message to the V-PCRF; the V-PCRF returns an acknowledgement message and initiates the gateway control session establishment procedure towards the H-PCRF.
Step 508: The BPCF or the IP Edge returns an acknowledgement message to the H-PCRF.
In another embodiment, the BBF AAA does not send the VPLMN ID to the UE in step 501; instead, only in step 503 does the reject message returned by the HSS and/or the 3GPP AAA server additionally carry the VPLMN ID they have stored, which triggers the UE to perform P-GW selection again and then execute steps 503 to 508.
Industrial Applicability
In summary, the authentication server sends to the UE the VPLMN ID of the VPLMN selected when the UE performed access authentication; the UE selects a core network element of that VPLMN according to the VPLMN ID and completes the IKEv2 tunnel establishment procedure with that core network element. In this way, when the UE accesses 3GPP via the DSMIPv6 protocol, the ePDG selected by the UE is guaranteed to be located in the same VPLMN as the 3GPP AAA Proxy.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210365839.6 | 2012-09-27 | | |
| CN201210365839.6A CN103702327B (en) | 2012-09-27 | 2012-09-27 | Method, system and the equipment of user equipment selection visited Public Land mobile network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2014048197A1 true WO2014048197A1 (en) | 2014-04-03 |
Family
ID=50363701
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2013/082191 Ceased WO2014048197A1 (en) | 2012-09-27 | 2013-08-23 | Method, system and device for user equipment to select visited public land mobile network |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN103702327B (en) |
| WO (1) | WO2014048197A1 (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103702327A (en) | 2014-04-02 |
| CN103702327B (en) | 2018-11-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13840412; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 13840412; Country of ref document: EP; Kind code of ref document: A1 |