Abstract: Examples in this application disclose satellite network communication methods, communications apparatuses, and communications systems. One example method includes determining, by a user device, address information of the user device, where the address information includes a second sub-area identifier and a user device identifier (UDID) of the user device, and the second EID indicates a second sub-area which the user device is currently located in, and the second sub-area is one of a plurality of sub-areas divided from earth surface, and sending, by the user device, the address information to a first satellite.

Abstract: The technology of this application relates to a user data management method and a related device, to improve user information security. The method in embodiments of this application includes a data request device sends a first request to a blockchain platform, where the first request indicates that the data request device needs to access a data storage device. The data request device receives first permission information sent by the blockchain platform, where the first permission information indicates whether the data request device has permission to access the data storage device. If the first permission information indicates that the data request device has the permission to access the data storage device, the data request device sends a second request to the data storage device, where the second request includes an access address.

Abstract: Embodiments of this application provide a user data management method and a related device, to improve user data security. The method includes: A data request device sends a first request to a blockchain platform, where the first request indicates that the data request device needs to access a data storage device. The data request device receives first permission information sent by the blockchain platform, where the first permission information indicates whether the data request device has permission to access the data storage device, and the permission is related to signature information of the data request device, an access type, and an operator public key; and sends a second request to the data storage device if the first permission information indicates that the data request device has the permission to access the data storage device, where the second request includes an access address and an operator private key signature.

Abstract: This disclosure provides a communication system and a communication method. The communication system may include a network service node (NSN) and a user service node (USN). The NSN communicates with the USN through an external interface. The NSN includes an authentication function entity and/or an access management function entity. The USN is associated with one more terminal devices. The USN includes the following function entities: a data forwarding function entity, a session management function entity, and a user data storage function entity. The function entities included in the USN communicate with each other through an internal interface. Based on the function entities included in the USN, the USN may provide a basic network service for the associated one or more terminal devices.

Abstract: A communication method and a communication system. The method may include: A first network device generates a node identifier, where the node identifier includes a global part and a local part, and the global part is determined based on geographical location information of a region covered by a second network device in which a node is located, for example, the second network device may be a device in mobile edge computing (MEC), and the local part is determined based on identity information of a terminal device associated with the node. The first network device sends the node identifier to the terminal device. In embodiments of this application, the geographical location information is introduced into the node identifier, so that a node that is identified nearby in space can also be short-distance in a physical network, thereby reducing an end-to-end latency.

Abstract: This application provides methods and apparatuses for communication. In an example method, a first digital reflection (DR) receives a first message, where the first message includes data to be sent to a first terminal device and an identifier of the first terminal device, and the first DR is associated with the first terminal device. The first DR transmits the data to the first terminal device based on a local locator (LLOC) of the first terminal device, where the first DR stores a twin-globally unique temporary identity (TWIN-GUTI) of the first terminal device, the TWIN-GUTI includes the LLOC, the LLOC corresponds to the identifier of the first terminal device, the first DR is deployed on first multi-access edge computing (MEC), and the TWIN-GUTI is generated by the first MEC.

Abstract: This disclosure provides methods and apparatuses for association between communication devices. One method includes: sending, by a terminal device to a network device, a first message for establishment of an association relationship between the terminal device and a digital reflection (DR), wherein the first message comprises a first twin-globally unique temporary identity (TWIN-GUTI) of the terminal device, and wherein the first TWIN-GUTI comprises a first temporary identity (DRTI) of the DR and a globally unique identity (GUMEI) of first multi-access edge computing (MEC), and receiving, by the terminal device from the DR, a response message.

Abstract: The present disclosure relates to mutual authentication methods and apparatuses. In one example method, a digital reflection (DR) sends a first message to a terminal device, where the first message includes a first DR public key that is a public key of the DR signed by using a private key of a home network. The DR encrypts a first random number by using a second terminal device public key. The DR sends a second message to the terminal device, where the second message includes the first random number encrypted by using the second terminal device public key. The DR receives a second response message sent by the terminal device, where the second response message includes an encrypted first random number encrypted by using a second DR public key. The DR decrypts the encrypted first random number by using a private key of the DR to obtain the first random number.

Abstract: A computation offloading method and an apparatus. In network edge computation offloading, an edge node receives states of computational tasks sent by one or more served terminal devices and determines allocation of computing resources based on received states of one or more computational tasks. Then, the edge node broadcasts the allocation of the computing resources to the served terminal devices, and the terminal devices each determine, based on the resource allocation, whether to offload the computational task to the edge node for computing. Therefore, the edge node and the terminal device each can have a wider capability of sensing an environment in actual decision-making, thereby effectively improving decision-making benefits of the edge node and the terminal device.

Abstract: This disclosure relates to the field of communication technologies, and provides a communication system, a server, and a communication method and apparatus. The communication system includes a multi-access edge computing MEC and a digital reflection DR, at least one DR is deployed on the MEC, the DR corresponds to one group of terminal devices, and one group of terminal devices include at least one terminal device. The DR may provide a service for the group of terminal devices corresponding to the DR. The DR has at least one core network function, where the core network function includes at least one of mobility management, unified data management, session management, policy management, and access authentication and authorization.

Abstract: A set of raw data relating to activity of one or more users in accordance with a communication network is obtained. The communication network is managed by a network operator. The obtained set of raw data is processed in accordance with at least one data isolation policy maintained by the network operator to generate a first set of data comprising at least a portion of the set of raw data with sensitive data associated with the one or more users removed; a second set of data comprising the sensitive data removed from the set of raw data; and a third set of data comprising a mapping between portions of the set of raw data and the first set of data. The first set of data is exposed to a third party, while the second set of data and the third set of data are isolated from the third party.

Abstract: This application provides a data packet processing method and apparatus, applied to a satellite communications system. An earth surface, space, and network space are divided based on a satellite constellation and an ephemeris of a satellite, and an identifier is allocated to each ground area, each space area, and each network that are sub-divisions of the earth surface, space and network space, to establish a fixed mapping relationship between the EID, the SID, and the NID. In addition, each satellite maintains mapping relationship information recording the mapping relationship. Unless a satellite joins the constellation or one satellite leave service, the mapping relationship recorded in the mapping relationship information does not need to be updated. Based on the mapping relationship information, a satellite may route a data packet, thereby reducing a large amount of signaling interaction caused by establishing and maintaining a routing table in the conventional manner.

Abstract: A first security service function chain is generated that identifies at least a first service function path comprising an identified set of security service functions, with at least one of the identified set of security service functions comprising a virtualized network function in a software defined networking (SDN) network architecture. The first security service function chain is utilized to create classification policies associating packets of a given packet type with the first security service function chain, and the first service function path is utilized to create forwarding policies specifying handling of packets of the given packet type by respective ones of the identified set of security service functions. The classification policies are provided to one or more nodes in a communication network comprising the SDN network architecture, and the forwarding policies are provided to one or more of the identified set of security service functions in the communication network.

Abstract: A security service function chain is created including a set of security service functions. The security service function chain is created in response to instantiation of a given network partition (e.g., network slice) in a communication network (5G or similar network). The communication network supports instantiation of a plurality of network partitions for providing a respective plurality of network services. The security service function chain is utilized to perform at least one security service (e.g., authentication) for an entity (e.g., a subscriber or a device) accessing or seeking access to a network service (e.g., one of eMBB, massive IoT, and mission-critical IoT) corresponding to the given network partition.

Abstract: This application relates to the field of wireless communications technologies, and discloses a satellite location information transmission method, and related apparatus, system, and storage medium. The method includes: receiving satellite location information sent by at least one satellite base station, where the satellite location indicates a location of a satellite base station in a satellite orbit; determining a target satellite base station among the at least one satellite base station based on the received satellite location information; and initiating a random access process to the target satellite base station. The technical solutions provided in the embodiments of this application can reduce UE power consumption.

Abstract: This application discloses a satellite network communication method and a related apparatus, and relates the field of communications technologies. The method includes: determining user device address information of a user device, where the user device address information includes a second sub-area identifier EID and a user device identifier UDID of the user device, the second EID is used to indicate a second sub-area in which the user device is currently located, and the second sub-area is one of a plurality of sub-areas divided from the earth surface; and sending, by the user device, the user device address information to a first satellite. The identifier of the sub-area in which the user device is located is included in the user device address information. This can adapt to a high-speed mobility feature of a satellite on a satellite network and improve communication efficiency of the satellite network.

Abstract: Embodiments provide a user equipment (UE) device that includes a processor and a transceiver. The processor is configured to direct a handover request to an evolved packet core (EPC) access node via the transceiver. The access node may be, e.g. a wireless local area network (WLAN) access point or an E-UTRAN access point. The handover request may initiate a transfer of connectivity of the UE device from the WLAN access point to the E-UTRAN access point, or from the E-UTRAN access point to the WLAN access point. The processor is configured to receive a handover response from the current access node, wherein the response includes a cryptographic key identifier, and to derive a handover key from the key identifier. The processor may then operate the UE device to provide connectivity based on the handover key between the UE device and the other of the access nodes.

Abstract: At least one security policy is obtained from a policy creator at a controller in an SDN network. The security policy is implemented in the SDN network, via the controller, based on one or more attributes specifying a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy.

Abstract: A first security service function chain is generated that identifies at least a first service function path comprising an identified set of security service functions, with at least one of the identified set of security service functions comprising a virtualized network function in a software defined networking (SDN) network architecture. The first security service function chain is utilized to create classification policies associating packets of a given packet type with the first security service function chain, and the first service function path is utilized to create forwarding policies specifying handling of packets of the given packet type by respective ones of the identified set of security service functions. The classification policies are provided to one or more nodes in a communication network comprising the SDN network architecture, and the forwarding policies are provided to one or more of the identified set of security service functions in the communication network.

Abstract: A security service function chain is created including a set of security service functions. The security service function chain is created in response to instantiation of a given network partition (e.g., network slice) in a communication network (5G or similar network). The communication network supports instantiation of a plurality of network partitions for providing a respective plurality of network services. The security service function chain is utilized to perform at least one security service (e.g., authentication) for an entity (e.g., a subscriber or a device) accessing or seeking access to a network service (e.g., one of eMBB, massive IoT, and mission-critical IoT) corresponding to the given network partition.