Abstract: The present disclosure relates to user plane information reporting methods and apparatus. In one example method, a session management network element obtains parameter information, and initiates establishment of a dedicated tunnel between a first communications apparatus and a second communications apparatus, where the parameter information indicates the first communications apparatus to report user plane information when a reporting condition is met. The session management network element sends a first rule to the first communications apparatus, where the first rule indicates the first communications apparatus to send a packet to the second communications apparatus through the dedicated tunnel when the reporting condition is met.

Abstract: A method may include: a first terminal device receiving a first identifier from a core network element, where the first identifier is used to modify a security protection policy of a terminal device; in a process in which the first terminal device establishes a connection to a second terminal device for a service, the first terminal device determines, based on the first identifier, whether to enable security protection for the connection; and the first terminal device sends first information to the second terminal device, where the first information indicates whether to enable security protection for the connection.

Abstract: A communication method includes sending, by a service consumer network element, a first service request message to a service communication proxy, and receiving, by the service consumer network element, a first response message of the first service request message from the service communication proxy. The first service request message is useable to request a first service from a service producer network element. The first service request message includes a first client credentials assertion. The first client credentials assertion is useable to authenticate the service consumer network element. The first client credentials assertion includes a first network function type of the service producer network element and a second network function type of a network element configured to provide a second service. The second service is useable to provide information about the service producer network element.

Abstract: This application provides a method for controlling disorder of downlink data and an apparatus thereof. The method includes: A control plane network element determines to switch from a first user plane device to a second user plane device, and sends indication information to the second user plane device. The second user plane device buffers, according to the received indication information, downlink data received from a session anchor, and sends the buffered downlink data after reception of an end marker from the first user plane device.

Abstract: A security configuration method in a handover scenario and a communication apparatus are provided. The method includes that a target access network node receives a first message including first information indicating a terminal device to be handed over from a source access network node to the target access network node, and indicating to use a user plane security configuration that is of a data radio bearer and that is the same as that of a data radio bearer of the source access network node. The target access network node sends a response message of the first message. The response message includes second information indicating a user plane security configuration of a second data radio bearer of the target access network node, which is the same as a user plane security configuration of a first data radio bearer of the source access network node.

Abstract: An address obtaining method includes obtaining, by a third network device, an identifier of a first application from a terminal device. The identifier of the first application indicates a request for obtaining an address of an instance of the first application. The address obtaining method further includes sending, by the third network device, a first message to a first network device, wherein the first message comprises the identifier of the first application, and the first message is useable to request the address of the instance of the first application. The address obtaining method further includes receiving, by the third network device, the address of the instance of the first application from the first network device, and sending the address of the instance of the first application to the terminal device.

Abstract: Embodiments of this application disclose a service authorization method and system, and a communication apparatus. The method includes: A first network element obtains a first access token from a token generation network element, and sends a first service request for a specified service to a second network element. The first service request includes the first access token. The first access token indicates that an NF service consumer network element has permission to access a specified service provided by an NF service producer network element belonging to a specified service domain. The first access token includes an identifier of the NF service consumer network element, an identifier of the specified service, and first service domain information associated with the specified service domain. The first service domain information is carried in the first access token, so that service domain-based access control can be implemented, thereby helping improve security of service authorization.

Abstract: This application discloses a security parameter obtaining method, an apparatus, and a system, to ensure security of a private network service. In this application, security parameters used to derive an air interface control plane key and an air interface user plane key are separately generated, the security parameter used to derive the air interface user plane key is derived by using a root key of a private network, and derivation is completed in the private network, to prevent the root key of the private network and a process of deriving the security parameter from being exposed in a public network. In this way, when the air interface user plane key is used to securely transmit service data, security of service data transmission over an air interface can be improved.

Abstract: An authentication management function AUSF receives an authentication request message from an access and mobility management function AMF, where the authentication request message carries a subscription concealed identifier SUCI. The AUSF sends an authentication vector get request message to a unified data management UDM function, where the authentication vector get request message carries the SUCI. The AUSF receives an authentication vector get response message from the UDM, where the authentication vector get response message includes authentication and key management for application AKMA indication information. The AUSF generates, based on the AKMA indication information, an authentication and key management for application-key identifier based on a routing indicator RID in the SUCI.

Abstract: First user equipment generates a first temporary identifier based on a first key; the first user equipment sends a first request to second user equipment, where the first request is used to establish a communication connection between the first user equipment and the second user equipment, and the first request includes the first temporary identifier and a relay service code; and the first user equipment generates a shared key based on a second key and the relay service code, where the shared key is used to protect the communication connection between the first user equipment and the second user equipment.

Abstract: A method includes: User equipment determines whether confidentiality protection is activated for communication data between the user equipment and an application function device. The user equipment sends a user plane message to the application function device. The user plane message includes an identifier of the user equipment, and the identifier is an encrypted identifier in a case in which the confidentiality protection is inactivated.

Abstract: This application discloses a key obtaining method and a communication apparatus. A remote terminal device sends a first identifier and a relay service code to a relay terminal device. The first identifier is an identifier that is of the remote terminal device and that is corresponding to the relay service code, or the first identifier is an anonymous identifier of the remote terminal device. The remote terminal device generates, based on a first shared key, the relay service code, and at least one first freshness parameter, a root key for communication between the remote terminal device and the relay terminal device. A remote authentication service function network element is an authentication service function network element that serves the remote terminal device, and the first shared key is a key shared between the remote terminal device and the remote authentication service function network element.

Abstract: A local network accessing method and apparatus are provided. The local network accessing method comprises sending a trigger message to a terminal, the trigger message is for triggering the terminal to establish a session, receiving a first message from the terminal, the first message requesting to establish a first session, and the first session is for the terminal to access a target local network, determining a target network access identifier based on the first message, the target network access identifier indicating the target local network, determining a first session management function network element based on the target network access identifier, and sending the target network access identifier to the first session management function network element, the target network access identifier is for the first session management function network element to determine a target user plane function network element.

Abstract: This application provides a method for performing data transmission by two terminal devices and an apparatus, so that only a spectrum resource needs to be occupied or fewer spectrum resources need to be occupied, and fewer spectrum resources are consumed, thereby helping alleviate a strain on spectrum resources. The method includes: A first core network device determines that a first terminal and a second terminal are in a mutual backup relationship. The first core network device sends pairing indication information to a base station, where the pairing indication information indicates that the first terminal and the second terminal are in the mutual backup relationship.

Abstract: A method and an apparatus for establishing secure communication. The method includes: a terminal device receives a first message from a first network element, where the first message includes an identifier of a second network element and first indication information, and the first indication information indicates a candidate authentication mechanism associated with the second network element. The terminal device establishes a communication connection with the second network element based on the candidate authentication mechanism. The terminal device may obtain an authentication mechanism of the dynamically configured second network element, to meet a requirement for establishing a secure communication connection through authentication in an MEC architecture.

Abstract: This application provides a communication method, a network element, a terminal apparatus, and a system. The communication method includes: receiving, by a first network element, first indication information from a second network element, where the first indication information is used to indicate that a current condition supports establishment of a session of a first network for a terminal apparatus; obtaining, by the first network element, first quality of service QoS control information of a first session of the terminal apparatus after receiving the first indication information, where the first session is a session established by the terminal apparatus by using a second network; and sending, by the first network element, the first QoS control information to the second network element. The communication method in the embodiments of this application can improve communication efficiency.

Abstract: A secure communication method and apparatus are disclosed, to ensure security of a direct communication between terminal devices. In this application, a first terminal device may receive a key generation parameter from a first network element, where the key generation parameter includes a ProSe temporary identity of the first terminal device. Then, the first terminal device may generate a first discovery key based on the key generation parameter. The first terminal device sends a ProSe request message, where the ProSe request message includes the ProSe temporary identity and a message integrity code, and the message integrity code is generated based on the discovery key. The second terminal device receives the ProSe request message, and verifies the first terminal device based on the message integrity code, to ensure the security of a direct communication between the first terminal device and the second terminal device.

Abstract: Embodiments of this application provide a communication method, apparatus, and system, to improve security of a V2X PC5 establishment procedure. The method includes: A first terminal device obtains a first security protection method, where the first security protection method is a security protection method determined in a discovery procedure between the first terminal device and a second terminal device; and the first terminal device determines a second security protection method according to the first security protection method, where the second security protection method is a security protection method for a PC5 connection between the first terminal device and the second terminal device. For example, a security level of the second security protection method is not lower than a security level of the first security protection method. The communication method is applicable to the V2X communication field.

Abstract: The present disclosure relates to session information management methods. One example method includes sending, by a session management function (SMF) network element, identification information of a terminal device, a data network name (DNN), and slice information to a data management network element to request first subscription data that is of the terminal device and that is associated with the DNN and the slice information, where the slice information is used to identify a network slice served by the SMF network element, and receiving, by the SMF network element, the first subscription data from the data management network element.

Abstract: Embodiments provide a method for reporting location information of user equipment, and an apparatus. A master access node is provided, including an obtaining module, configured to obtain location information of user equipment, where the location information of the user equipment includes serving cell information of at least one secondary access node of the user equipment. The master access node also includes a sending module, configured to send the location information of the user equipment to a core network node, where the location information is used by the core network node to determine a control policy for the user equipment according to the location information of the user equipment.