KR-102963657-B1 - METHOD AND APPARATUS FOR APPLYING USER PLANE SECURITY POLICY FOR PDU SESSION
Abstract
The present disclosure relates to a method and apparatus for applying different security policies for service traffic to a PDU session in a wireless communication system. According to an embodiment of the present disclosure, a method for determining a user plane security policy for a PDU session in a wireless communication system comprises: a process in which an SMF managing a session for a terminal receives first configuration information regarding a first user plane security policy of the terminal from a UDM managing subscriber information of the terminal; a process in which the SMF receives second configuration information regarding a second user plane security policy to be applied to a specific service data flow from a PCF managing policy and billing control rules (PCC Rule); and a process in which the SMF determines a user plane security policy to be applied to the terminal based on one selected according to priority among the first user plane security policy and the second user plane security policy.
Inventors
- 최홍진
- 이덕기
- 손중제
- 임태형
- 백영교
Assignees
- 삼성전자주식회사
Dates
- Publication Date: 20260512
- Application Date: 20210804
Claims (20)
- Claim 1: A method for determining a user plane security policy for a protocol data unit (PDU) session in a wireless communication system, the method comprising: receiving, by a session management function (SMF) managing a session for a terminal, first configuration information regarding a first user plane security policy of the terminal from a unified data management (UDM) managing subscription information of the terminal; receiving, by the SMF, second configuration information regarding a second user plane security policy to be applied to a specific service data flow from a policy and control function (PCF) managing policy and billing control rules (PCC Rule); and determining, by the SMF, a user plane security policy to be applied to the terminal based on one selected according to priority among the first user plane security policy and the second user plane security policy.
- Claim 2: (deleted)
- Claim 3: The method of claim 1, wherein different user plane security policies are applied to each terminal for the specific service data flow, wherein at least one of the first configuration information and the second configuration information includes information regarding the priority, and wherein the determining comprises determining the user plane security policy to be applied to the terminal based on the information regarding the priority.
- Claim 4: The method of claim 1, wherein different user plane security policies are applied to each terminal for the specific service data flow, and wherein the first configuration information received from the UDM takes precedence over the second configuration information received from the PCF in determining the user plane security policy.
- Claim 5: The method of claim 1, wherein a user plane security policy different from that of other service data flows is applied to the specific service data flow, wherein the same user plane security policy is commonly applied among the terminals to which the specific service data flow is applied, wherein at least one of the first configuration information and the second configuration information includes information regarding the priority, and wherein the determining comprises determining the user plane security policy to be applied to the terminal based on the information regarding the priority.
- Claim 6: The method of claim 1, wherein a user plane security policy different from that of other service data flows is applied to the specific service data flow, and wherein the second configuration information received from the PCF takes precedence over the first configuration information received from the UDM in determining the user plane security policy.
- Claim 7: The method of claim 1, further comprising: generating, by the SMF, based on the determined user plane security policy, a packet detection rule (PDR) to be used when classifying traffic in a user plane function (UPF) responsible for data transmission in the user plane, and a QoS enforcement rule (QER) containing information related to the quality of service (QoS) enforcement of the traffic identified by the PDR; and transmitting the PDR and the QER to the UPF.
- Claim 8: The method of claim 1, further comprising transmitting, by the SMF, a message containing security indication information corresponding to the determined user plane security policy and a QoS flow identifier (QFI) to the base station to which the terminal is connected, through an AMF that manages the mobility of the terminal, wherein the security indication information includes at least one of ciphering information and integrity protection information.
- Claim 9: (deleted)
- Claim 10: A session management function (SMF) that manages a protocol data unit (PDU) session for a terminal in a wireless communication system, the SMF comprising: a transceiver; and a processor configured to: receive, through the transceiver, first configuration information regarding a first user plane security policy of the terminal from a unified data management (UDM) that manages subscription information of the terminal; receive, through the transceiver, second configuration information regarding a second user plane security policy to be applied to a specific service data flow from a policy and control function (PCF) that manages policy and billing control rules (PCC Rule); and determine a user plane security policy to be applied to the terminal based on one selected according to priority among the first user plane security policy and the second user plane security policy.
- Claim 11: (deleted)
- Claim 12: The SMF of claim 10, wherein different user plane security policies are applied to each terminal for the specific service data flow, and wherein the processor is configured to determine the user plane security policy to be applied to the terminal based on the information regarding the priority when at least one of the first configuration information and the second configuration information includes information regarding the priority.
- Claim 13: The SMF of claim 10, wherein different user plane security policies are applied to each terminal for the specific service data flow, and wherein the processor is configured to determine the user plane security policy by applying the first configuration information received from the UDM in priority over the second configuration information received from the PCF.
- Claim 14: The SMF of claim 10, wherein a user plane security policy different from that of other service data flows is applied to the specific service data flow, wherein the same user plane security policy is commonly applied among the terminals to which the specific service data flow is applied, and wherein the processor is configured to determine the user plane security policy to be applied to the terminal based on the information regarding the priority when at least one of the first configuration information and the second configuration information includes information regarding the priority.
- Claim 15: The SMF of claim 10, wherein a user plane security policy different from that of other service data flows is applied to the specific service data flow, and wherein the processor is configured to determine the user plane security policy by applying the second configuration information received from the PCF in priority over the first configuration information received from the UDM.
- Claim 16: The SMF of claim 10, wherein the processor is further configured to generate, based on the determined user plane security policy, a packet detection rule (PDR) to be used when classifying traffic in a user plane function (UPF) responsible for data transmission in the user plane, and a QoS enforcement rule (QER) containing information related to the quality of service (QoS) enforcement of the traffic identified by the PDR, and to transmit the PDR and the QER to the UPF through the transceiver.
- Claim 17: The SMF of claim 10, wherein the processor is further configured to transmit a message containing security indication information corresponding to the determined user plane security policy and a QoS flow identifier (QFI) to the base station to which the terminal is connected, through an AMF that manages the mobility of the terminal, and wherein the security indication information includes at least one of ciphering information and integrity protection information.
- Claim 18: (deleted)
- Claim 19: A method for determining a user plane security policy for a protocol data unit (PDU) session of a terminal in a wireless communication system, the method comprising: generating, by a policy and control function (PCF) managing policy and billing control rules (PCC Rule), configuration information including information on the priority of a user plane security policy to be applied to a specific service data flow; and transmitting, by the PCF, the configuration information including the information regarding the priority to a session management function (SMF) that manages the PDU session for the terminal, wherein the user plane security policy to be applied to the PDU session of the terminal is determined based on the priority.
- Claim 20: A policy and control function (PCF) that manages policy and billing control rules (PCC Rule) in a wireless communication system, the PCF comprising: a transceiver; and a processor configured to generate configuration information including information on the priority of a user plane security policy to be applied to a specific service data flow, and to transmit, through the transceiver, the configuration information including the information regarding the priority to a session management function (SMF) that manages a protocol data unit (PDU) session for a terminal, wherein the user plane security policy to be applied to the PDU session of the terminal is determined based on the priority.
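The claims above describe one decision the SMF makes and two messages that follow from it: reconcile the per-terminal policy from the UDM with the per-flow policy from the PCF by priority, push a PDR/QER pair to the UPF, and send the resulting security indication with the QFI towards the base station. The following Python model, added here as an illustration and not code from the patent, Samsung or 3GPP, shows the whole SMF-side flow. The claims do not fix how "information regarding the priority" is encoded, so the example assumes an integer priority where the larger value wins and a missing value counts as 0, falling back to the default orderings of claims 4 and 6 on a tie; the rule field names, the `ims-signalling` flow and all sample values are constructed.

```python
"""Model of the SMF-side user plane (UP) security policy selection the claims
describe: a per-terminal policy from the UDM (first configuration information)
and a per-service-data-flow policy from the PCF (second configuration
information) are reconciled by priority, and the result is turned into the
UPF rules (PDR/QER) and the security indication sent to the base station with
the QFI.  Constructed example, not 3GPP or Samsung code."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Protection(Enum):
    """Protection levels for one direction of the policy; the three values are
    the ones 3GPP uses for the UP security policy, the rest is illustrative."""
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class UpSecurityPolicy:
    ciphering: Protection
    integrity: Protection


@dataclass(frozen=True)
class UdmConfig:
    """First configuration information: the subscriber's own UP security policy."""
    policy: UpSecurityPolicy
    priority: Optional[int] = None  # optional priority information (claims 3, 5)


@dataclass(frozen=True)
class PcfConfig:
    """Second configuration information: UP security policy for one SDF,
    carried with the PCC rule."""
    sdf_id: str
    policy: UpSecurityPolicy
    priority: Optional[int] = None  # optional priority information (claims 19, 20)
    per_ue_differentiated: bool = False  # True: this SDF's policy differs per terminal


def select_policy(udm: UdmConfig, pcf: PcfConfig) -> Tuple[UpSecurityPolicy, str]:
    """Pick the policy the SMF applies and report which source won.

    Assumed encoding (the page does not fix one): priority is an integer, the
    larger value wins, a missing value counts as 0.  When neither side carries
    a higher priority, the claims' default ordering applies: per-terminal
    differentiation lets the UDM policy prevail (claim 4), a flow-wide policy
    shared by all terminals lets the PCF policy prevail (claim 6)."""
    udm_prio = udm.priority if udm.priority is not None else 0
    pcf_prio = pcf.priority if pcf.priority is not None else 0
    if udm_prio > pcf_prio:
        return udm.policy, "UDM"
    if pcf_prio > udm_prio:
        return pcf.policy, "PCF"
    if pcf.per_ue_differentiated:
        return udm.policy, "UDM"
    return pcf.policy, "PCF"


def build_upf_rules(sdf_id: str, qfi: int, policy: UpSecurityPolicy, rule_id: int = 1) -> dict:
    """PDR that classifies the SDF at the UPF plus the QER that binds the
    matched traffic to its QoS flow (claim 7).  Field names are illustrative,
    not the PFCP encoding."""
    pdr = {"pdr_id": rule_id, "pdi": {"sdf_filter": sdf_id}, "qer_id": rule_id}
    qer = {"qer_id": rule_id, "qfi": qfi, "gate_status": "OPEN",
           "up_security": {"ciphering": policy.ciphering.value,
                           "integrity": policy.integrity.value}}
    return {"pdr": pdr, "qer": qer}


def build_security_indication(qfi: int, policy: UpSecurityPolicy) -> dict:
    """Security indication and QFI the SMF sends to the base station through
    the AMF (claim 8)."""
    return {"qfi": qfi,
            "security_indication": {"ciphering": policy.ciphering.value,
                                    "integrity_protection": policy.integrity.value}}


def establish_session_security(udm: UdmConfig, pcf: PcfConfig, qfi: int) -> dict:
    """Whole SMF-side flow for one PDU session and one SDF."""
    policy, source = select_policy(udm, pcf)
    return {"source": source, "policy": policy,
            "upf_rules": build_upf_rules(pcf.sdf_id, qfi, policy),
            "n2_info": build_security_indication(qfi, policy)}


# Constructed sample inputs: the subscription asks for ciphering only, while the
# PCC rule for a constructed "ims-signalling" flow requires both protections.
UDM_SAMPLE = UdmConfig(UpSecurityPolicy(Protection.PREFERRED, Protection.NOT_NEEDED))
PCF_SAMPLE = PcfConfig("ims-signalling",
                       UpSecurityPolicy(Protection.REQUIRED, Protection.REQUIRED))

if __name__ == "__main__":
    # Flow-wide policy, no priority information: PCF prevails (claim 6).
    print(establish_session_security(UDM_SAMPLE, PCF_SAMPLE, qfi=5))
    # Same flow, but the policy differs per terminal: UDM prevails (claim 4).
    print(select_policy(UDM_SAMPLE, PcfConfig("ims-signalling", PCF_SAMPLE.policy,
                                              per_ue_differentiated=True)))
    # Explicit priority information overrides the default ordering (claims 3, 5).
    print(select_policy(UdmConfig(UDM_SAMPLE.policy, priority=10), PCF_SAMPLE))
```

The point worth checking in a real SMF is the last case: once either configuration carries priority information, the default "who prevails" rule no longer applies, so a misconfigured priority on the PCF side can silently downgrade the subscriber's integrity protection for that flow. Keeping the chosen source in the result, as `select_policy` does, makes that decision visible in session logs.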
Description
Method and apparatus for applying user plane security policy for PDU sessions in a wireless communication system
The present disclosure relates to a communication system, and more specifically, to a method and apparatus for applying a security policy to a protocol data unit (PDU) session when establishing a PDU session to access a data network.
Efforts are being made to develop improved 5G (5th generation) or pre-5G communication systems to meet the increasing demand for wireless data traffic following the commercialization of 4G (4th generation) communication systems. For this reason, 5G or pre-5G communication systems are referred to as beyond-4G-network systems or post-LTE (long term evolution) systems. To achieve high data transmission rates, 5G communication systems are being considered for implementation in the mmWave band (e.g., the 60 GHz band). To mitigate path loss and increase the propagation distance of radio waves in the mmWave band, beamforming, massive MIMO, full dimensional MIMO (FD-MIMO), array antennas, analog beamforming, and large-scale antenna technologies are being discussed for 5G communication systems. In addition, to improve the system network, technologies such as advanced small cells, cloud radio access networks (cloud RAN), ultra-dense networks, device-to-device communication (D2D), wireless backhaul, moving networks, cooperative communication, coordinated multi-points (CoMP), and interference cancellation are being developed for 5G communication systems. Furthermore, advanced coding modulation (ACM) schemes such as hybrid FSK and QAM modulation (FQAM) and sliding window superposition coding (SWSC), as well as advanced access technologies such as filter bank multi carrier (FBMC), non-orthogonal multiple access (NOMA), and sparse code multiple access (SCMA), are being developed for 5G systems.
Meanwhile, the Internet is evolving from a human-centered network where humans generate and consume information into an IoT (Internet of Things) network where distributed components, such as objects, exchange and process information. IoE (Internet of Everything) technology, which combines IoT technology with big data processing technology through connections with cloud servers, is also emerging. To implement IoT, technological elements such as sensing technology, wired and wireless communication and network infrastructure, service interface technology, and security technology are required; recently, technologies such as sensor networks, machine-to-machine (M2M) communication, and machine-type communication (MTC) are being researched for connecting objects. In an IoT environment, intelligent IT (Internet Technology) services that create new value for human life by collecting and analyzing data generated from connected objects can be provided. Through the convergence and integration of existing IT (Information Technology) and various industries, IoT can be applied to fields such as smart homes, smart buildings, smart cities, smart or connected cars, smart grids, healthcare, smart home appliances, and advanced medical services. Accordingly, various attempts are being made to apply 5G communication systems to IoT networks. For example, technologies such as sensor networks, Machine to Machine (M2M) communication, and Machine Type Communication (MTC) are being implemented using 5G communication techniques such as beamforming, MIMO, and array antennas. The application of cloud radio access networks (cloud RAN) as the big data processing technology described earlier can also be considered an example of the convergence of 5G and IoT technologies. As described above and with the advancement of mobile communication systems, it has become possible to provide various services, and thus, measures to effectively provide these services are required. 
5G systems are expected to support a wider variety of services than existing 4G systems. For example, the most representative services may include enhanced mobile broadband (eMBB), ultra-reliable and low-latency communication (URLLC), massive machine-type communication (mMTC), and evolved multimedia broadcast/multicast service (eMBMS). A system providing the URLLC service may be referred to as a URLLC system, and a system providing the eMBB service may be referred to as an eMBB system; the terms "service" and "system" may be used interchangeably. Among these, URLLC services are newly considered in 5G systems, unlike existing 4G systems, and require ultra-high reliability (e.g., a packet error rate of about 10⁻⁵) and low latency (e.g., about 0.5 msec) compared to other services. To satisfy these strict requirements, URLLC services may require a transmission time interval (TTI) shorter than that of eMBB services, and various operational methods that make use of this are being considered.