
EP-3731550-B1 - DUAL-CONNECTION COMMUNICATION METHOD AND DEVICE THEREOF, AND SYSTEM


Inventors

  • LI, HE
  • CHEN, JING

Dates

Publication Date
2026-05-13
Application Date
2019-08-09

Claims (14)

  1. A method for dual-connectivity communication, comprising: obtaining (S401), by a master Node, a first user plane security policy of a user terminal in a packet data unit, PDU, session establishment process; generating (S402), by the master Node, a second user plane security policy according to the first user plane security policy of the user terminal; sending (S403), by the master Node, a first message to a secondary Node, wherein the first message comprises the second user plane security policy and a security capability of the user terminal, and the second user plane security policy is used by the secondary Node to determine a user plane security protection method between the secondary Node and the user terminal; wherein the user plane security protection method refers to whether user plane encrypted protection and whether user plane integrity protection is enabled; receiving (S406), by the master Node, a second message from the secondary Node, wherein the second message comprises user plane security enabling type indication information and a security algorithm that is between the secondary Node and the user terminal and that is selected by the secondary Node based on the security capability of the user terminal, and the user plane security enabling type indication information is used to indicate the user plane security protection method between the secondary Node and the user terminal; and sending (S410), by the master Node, a third message to the user terminal, wherein the third message comprises the user plane security enabling type indication information and the security algorithm that is between the secondary Node and the user terminal and that is selected by the secondary Node.
  2. The method according to claim 1, wherein the first user plane security policy is received from a session management function.
  3. The method according to claim 1 or 2, wherein if the secondary Node does not support user plane integrity protection, when user plane integrity protection indication information in the first user plane security policy is "preferred", user plane integrity protection indication information in the second user plane security policy generated by the master Node is "not needed", wherein the "not needed" indicates that activation is not needed and the "preferred" indicates that activation may be or may be not performed.
  4. The method according to claim 3, wherein the secondary Node is a next generation evolved Node Base station, ng-eNB in a long term evolution, LTE, network.
  5. The method according to any one of claims 1 to 4, wherein the first message is an SN addition/modification request, the second message is an SN addition/modification response, and the third message is a radio resource control, RRC, connection reconfiguration request.
  6. A method for dual-connectivity communication, comprising: receiving (S403), by a secondary Node, a first message from a master Node, wherein the first message comprises a second user plane security policy and a security capability of a user terminal; wherein the second user plane security policy is generated by the master Node based on a first user plane security policy obtained in a packet data unit, PDU, session establishment process, and the second user plane security policy is used by the secondary Node to determine a user plane security protection method between the secondary Node and the user terminal; wherein the user plane security protection method refers to whether user plane encrypted protection and whether user plane integrity protection is enabled, and the second user plane security policy is generated (S402) by the master Node according to a first user plane security policy of the user terminal obtained (S401) by the master Node; determining (S404), by the secondary Node, the user plane security protection method according to the second user plane security policy; selecting (S405), by the secondary Node based on the security capability of the user terminal, a security algorithm between the secondary Node and the user terminal; activating, by the secondary Node, the user plane security protection method between the secondary Node and the user terminal; and sending (S406), by the secondary Node, a second message to the master Node, wherein the second message comprises user plane security enabling type indication information and the security algorithm between the secondary Node and the user terminal, and the user plane security enabling type indication information is used to indicate the user plane security protection method between the secondary Node and the user terminal.
  7. A master Node, comprising a transceiver unit and a processing unit, wherein the processing unit is configured to obtain a first user plane security policy of a user terminal in a packet data unit, PDU, session establishment process and to generate a second user plane security policy according to the first user plane security policy of the user terminal before sending a first message to a secondary Node; the transceiver unit is configured to send the first message to the secondary Node, wherein the first message comprises the second user plane security policy and a security capability of the user terminal, and the second user plane security policy is used by the secondary Node to determine a user plane security protection method between the secondary Node and the user terminal; wherein the user plane security protection method refers to whether user plane encrypted protection and whether user plane integrity protection is enabled; the transceiver unit is further configured to receive a second message from the secondary Node, wherein the second message comprises user plane security enabling type indication information and a security algorithm that is between the secondary Node and the user terminal and that is selected by the secondary Node based on the security capability of the user terminal, and the user plane security enabling type indication information is used to indicate the user plane security protection method between the secondary Node and the user terminal; and the transceiver unit is further configured to send a third message to the user terminal, wherein the third message comprises the user plane security enabling type indication information and the security algorithm that is between the secondary Node and the user terminal and that is selected by the secondary Node.
  8. The master Node according to claim 7, wherein the transceiver unit is further configured to receive the first user plane security policy from a session management function.
  9. The master Node according to claim 7 or 8, wherein if the secondary Node does not support user plane integrity protection, when user plane integrity protection indication information in the first user plane security policy is "preferred", user plane integrity protection indication information in the second user plane security policy generated by the master Node is "not needed", wherein the "not needed" indicates that activation is not needed and the "preferred" indicates that activation may be or may be not performed.
  10. The master Node according to claim 9, wherein the secondary Node is a next generation evolved Node Base station, ng-eNB in a long term evolution, LTE, network.
  11. The master Node according to any one of claims 7 to 10, wherein the first message is an SN addition/modification request, the second message is an SN addition/modification response, and the third message is a radio resource control, RRC, connection reconfiguration request.
  12. A secondary Node, wherein the secondary Node comprises a transceiver unit and a processing unit, wherein the transceiver unit is configured to receive a first message from a master Node, wherein the first message comprises a second user plane security policy and a security capability of a user terminal; wherein the second user plane security policy is generated by the master Node based on a first user plane security policy obtained in a packet data unit, PDU, session establishment process, and the second user plane security policy is used by the secondary Node to determine a user plane security protection method between the secondary Node and the user terminal; wherein the user plane security protection method refers to whether user plane encrypted protection and whether user plane integrity protection is enabled, and the second user plane security policy is generated by the master Node according to a first user plane security policy of the user terminal obtained by the master Node; the processing unit is configured to determine the user plane security protection method according to the second user plane security policy; select, based on the security capability of the user terminal, a security algorithm between the secondary Node and the user terminal; the processing unit is further configured to activate the user plane security protection method between the secondary Node and the user terminal; and the transceiver unit is further configured to send a second message to the master Node, wherein the second message comprises user plane security enabling type indication information and the security algorithm between the secondary Node and the user terminal, and the user plane security enabling type indication information is used to indicate the user plane security protection method between the secondary Node and the user terminal.
  13. A system for dual-connectivity communication, comprising a master Node according to one of the claims 7-11 and a secondary Node according to claim 12.
  14. A computer-readable storage medium, wherein the computer-readable storage medium comprises an instruction; and when the instruction is run on a computer, the computer is enabled to perform the method according to any one of claims 1 to 5 or according to claim 6.

Description

TECHNICAL FIELD

Embodiments of this application relate to the field of communications technologies, and specifically to a method, an apparatus, and a system for dual-connectivity communication.

BACKGROUND

With the development of communications technologies, to meet the security requirements of a 5th generation (5G) scenario, user plane integrity protection is introduced in addition to the user plane encrypted protection of a long term evolution (LTE) system. User plane integrity protection protects the integrity of data during user plane transmission. Moreover, user plane on-demand security is introduced: the user plane encrypted protection and the user plane integrity protection can each be enabled as required.

Currently, in a single-connection scenario between a user terminal (for example, user equipment (UE)) and a network node, namely a scenario in which only one network node serves the user terminal, the procedure for enabling user plane security between the user terminal and the network node may be as follows:

  1. A session management network element sends the user plane security policy it has obtained to the network node (namely, a base station). The user plane security policy indicates that user plane encrypted protection is required, preferred, or not needed, and that user plane integrity protection is required, preferred, or not needed.
  2. For "required", the network node enables the corresponding protection; for "not needed", it does not enable it; for "preferred", the network node decides whether to enable the corresponding protection depending on whether its resources are sufficient.
  3. The network node sends a radio resource control (RRC) reconfiguration request message to the user terminal. The message carries indication information of the user plane protection type, which indicates whether encrypted protection and whether integrity protection are to be enabled.
  4. The user terminal receives the RRC reconfiguration message from the network node, activates the corresponding user plane security according to the indication information of the user plane protection type, and generates a protection key the same as that of the network node.
  5. The user terminal sends an RRC reconfiguration response message to the network node.

The foregoing procedure is specific to a 5G single-connection scenario. In a 5G dual connectivity scenario, namely a scenario in which one user terminal is connected to two network nodes (a master Node and a secondary Node), how to enable user plane security protection between the user terminal and the secondary Node is a technical problem that urgently needs to be resolved.

US 2016/0191471 A1 discloses that, in a dual connectivity environment, a terminal is simultaneously linked to a macro cell base station and a small cell base station. WO 2015/037926 A1 discloses secure communication for a UE operating in dual connectivity mode. US 2018/0098250 A1 discloses that, in a dual connection architecture, new cells can be added for the UE based on the UE's measurement reports.

SUMMARY

Embodiments of this application provide a method, an apparatus, and a system for dual-connectivity communication, to resolve the technical problem of how to enable user plane security protection between a user terminal and a secondary Node in a 5G dual connectivity scenario, thereby ensuring the confidentiality and integrity of user plane data transmission in that scenario. The invention is defined in the independent claims. Additional features of the invention are provided in the dependent claims. In the following, parts of the description and drawings referring to embodiments which are not covered by the claims are not presented as embodiments of the invention, but as examples useful for understanding the invention.

A first aspect of the embodiments of this application provides a method for dual-connectivity communication, including: sending, by a master Node, a first message to a secondary Node, where the first message includes a user plane security policy, and the user plane security policy is used by the secondary Node to determine a user plane security protection method between the secondary Node and a user terminal; receiving, by the master Node, a second message from the secondary Node, where the second message includes user plane security enabling type indication information, and the user plane security enabling type indication information is used to indicate the user plane security protection method between the secondary Node and the user terminal; and sending, by the master Nod
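The policy negotiation set out in claims 1, 3 and 6, together with the single-connection decision rule from the background (required/preferred/not needed), modelled as an added Python example; this is not code from the patent or its applicant. Message names follow claim 5. The NEA/NIA algorithm identifiers, the resource-sufficiency flag, the dict message layout, the rule that an algorithm is selected only for an enabled protection, the UE-side check that a selected algorithm was actually offered, and the rejection of a "required" integrity policy at a secondary Node without integrity support are all assumptions made for illustration; the page specifies none of them.

```python
"""Added model (not the patent's code) of the UP security negotiation in the claims:
the master Node (MN) derives a second UP security policy from the SMF policy, the
secondary Node (SN) decides the protection method and selects algorithms from the
UE security capability, and the MN forwards the result to the UE.  Message names
follow claim 5; algorithm identifiers, the resource check and the dict message
layout are assumptions."""
from dataclasses import dataclass

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: str   # "required" | "preferred" | "not needed"
    integrity: str


@dataclass
class SecondaryNode:
    supports_up_integrity: bool          # False models an ng-eNB (claim 4)
    resources_sufficient: bool = True    # drives the "preferred" decision
    # Assumed preference-ordered algorithm lists (not from the page).
    ciphering_algs: tuple = ("NEA2", "NEA1", "NEA0")
    integrity_algs: tuple = ("NIA2", "NIA1")


def derive_second_policy(first: UpSecurityPolicy, sn: SecondaryNode) -> UpSecurityPolicy:
    """MN step S402 (claim 3): 'preferred' integrity becomes 'not needed' when the SN
    lacks UP integrity.  The page does not cover 'required' with such an SN; rejecting
    the addition there is an assumption so a required protection is never silently lost."""
    integrity = first.integrity
    if not sn.supports_up_integrity:
        if integrity == PREFERRED:
            integrity = NOT_NEEDED
        elif integrity == REQUIRED:
            raise ValueError("UP integrity required but SN cannot provide it")
    return UpSecurityPolicy(first.ciphering, integrity)


def decide(indication: str, resources_sufficient: bool) -> bool:
    """Background step 2: required -> on, not needed -> off, preferred -> resource-dependent."""
    if indication == REQUIRED:
        return True
    if indication == NOT_NEEDED:
        return False
    if indication == PREFERRED:
        return resources_sufficient
    raise ValueError(f"unknown policy value {indication!r}")


def select_algorithm(sn_prefs: tuple, ue_capability: set) -> str:
    """Step S405: highest-priority SN algorithm that the UE also advertises."""
    for alg in sn_prefs:
        if alg in ue_capability:
            return alg
    raise ValueError("no common algorithm between SN and UE")


def sn_addition(sn: SecondaryNode, request: dict) -> dict:
    """SN side (claim 6), steps S404-S406, on an SN Addition Request."""
    policy, ue_caps = request["up_security_policy"], request["ue_security_capability"]
    ciphering_on = decide(policy.ciphering, sn.resources_sufficient)
    integrity_on = decide(policy.integrity, sn.resources_sufficient)
    if integrity_on and not sn.supports_up_integrity:
        raise ValueError("SN asked to activate UP integrity it does not support")
    # Assumption: an algorithm is selected only for a protection that is enabled.
    algorithms = {
        "ciphering": select_algorithm(sn.ciphering_algs, ue_caps) if ciphering_on else None,
        "integrity": select_algorithm(sn.integrity_algs, ue_caps) if integrity_on else None,
    }
    return {"msg": "SN Addition Response",
            "up_security_enabling_type": {"ciphering": ciphering_on, "integrity": integrity_on},
            "algorithms": algorithms}


def master_node_add_secondary(first: UpSecurityPolicy, ue_caps: set, sn: SecondaryNode) -> dict:
    """MN side (claim 1): S401/S402 derive, S403 request, S406 response, S410 RRC message."""
    request = {"msg": "SN Addition Request",
               "up_security_policy": derive_second_policy(first, sn),
               "ue_security_capability": ue_caps}
    response = sn_addition(sn, request)
    return {"msg": "RRC Connection Reconfiguration",
            "up_security_enabling_type": response["up_security_enabling_type"],
            "algorithms": response["algorithms"]}


def ue_apply(rrc: dict, ue_caps: set) -> dict:
    """UE side (background step 4): activate the indicated protection.  Checking that each
    selected algorithm is one the UE offered is an added sanity check, not from the page."""
    for name, alg in rrc["algorithms"].items():
        if alg is not None and alg not in ue_caps:
            raise ValueError(f"SN selected {alg} for {name}, which the UE never offered")
    return dict(rrc["up_security_enabling_type"])


if __name__ == "__main__":
    # Constructed sample: UE offers NEA0-2 and NIA1-2; SMF policy = ciphering required, integrity preferred.
    ue_caps, first = {"NEA0", "NEA1", "NEA2", "NIA1", "NIA2"}, UpSecurityPolicy(REQUIRED, PREFERRED)
    for label, sn in (("gNB SN", SecondaryNode(True)), ("ng-eNB SN", SecondaryNode(False))):
        rrc = master_node_add_secondary(first, ue_caps, sn)
        print(label, ue_apply(rrc, ue_caps), rrc["algorithms"])
```

Run as a script, the gNB secondary Node ends up with both protections on and NEA2/NIA2 selected, while the ng-eNB secondary Node has integrity downgraded from "preferred" to "not needed" before the SN Addition Request is ever sent, so it never has to refuse a protection it cannot provide. The one case the claims leave open, "required" integrity at an ng-eNB, is the case a deployment should decide explicitly; the example fails closed there rather than letting a required protection disappear.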