With the advent of a mobile broadband era, a user needs to use a broadband access service anytime and anywhere, which puts forward a higher requirement on a mobile communication network, such as, a higher transmission rate, a shorter delay, higher system capacity and so on. In order to maintain an advantageous position of a 3GPP network, the 3GPP standard organization started research and standardization working of a System Architecture Evolution (SAE) program at the end of 2004, and defined a new mobile communication network framework, which is referred to as an evolved packet system (EPS). With the trend of convergence and integration of core networks, 3GPP also provides a possibility of accessing of a non-3GPP access network in a core network Evolved Packet Core (EPC) in the EPS system, for example, accessing from WLAN, Wimax and so on to the EPC.
An S2c interface adopts a Mobile IPv6 Support for Dual Stack Hosts (DSMIPv6) protocol, and may be used for a trusted or non-trusted non-3GPP access network to access an EPS network. When a User Equipment (UE) accesses the EPC from the non-3GPP access network through the S2c interface, a security association (SA) is established between the UE and a Packet Data Network Gateway (PDN-GW, which may also be referred to as PGW) to protect DSMIPv6 signaling. When the UE accesses the EPC through the S2c interface from a trusted non-3GPP access network, after 3GPP defines establishment of a DSMIPv6 tunnel between the UE and the PDN-GW, the PDN-GW may initiate establishment of a child security association (Child SA) with the UE to protect a data plane. However, when the UE accesses the EPC from a non-trusted non-3GPP access network, an IPSec security channel is established between the UE and a non-3GPP access gateway, e.g., evolved PDG (ePDG), so that security protection is performed on a data packet between the UE and the PDN-GW through the IPSec security channel. That is, when the UE accesses the EPS in a trusted manner, the Child SA may be established on an S2c tunnel to protect integrity and confidentiality of the data plane; and when the UE accesses the EPS in a non-trusted manner, the IPSec security channel between the UE and the ePDG provides integrity protection and confidentiality protection of data.
As described in the foregoing, when the UE accesses the EPC through the S2c interface, the PDN-GW needs to distinguish between a trusted access scenario and a non-trusted access scenario, so as to complete establishment processes of different data security channels. However, since the PDN-GW cannot determine whether the current UE accesses the EPC from the trusted non-3GPP access network or from the non-trusted non-3GPP access network, it is impossible to select a correct method for establishing an S2c tunnel data security channel.