H04L67/1027

INTELLIGENT FLOW STATE SYNCHRONIZATION TO IMPROVE RESILIENCY, AVAILABILITY, AND/OR PERFORMANCE OF REDUNDANT NETWORK SECURITY DEVICES
20230037516 · 2023-02-09

Example security systems for use between at least one upstream router and at least one downstream router are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.

System and method of dynamic and scalable IoT framework

A method and a system for providing one or more services to one or more user devices [202] in an IoT network in a scalable M2M (Machine to Machine) framework. The method comprises receiving a connection request from the one or more user devices [202] at a load balancer of the IoT network; the connection request comprises at least a username comprising a cluster identifier. The load balancer [204] determines a cluster identifier based on the connection request and identifies at least one target cluster from the one or more clusters [206], said target cluster being associated with the cluster identifier. The load balancer [204] routes the connection request to the at least one target cluster to provide the one or more services to the one or more user devices [202].

LOAD DISTRIBUTION APPARATUS, LOAD DISTRIBUTION METHOD AND PROGRAM

A load distribution apparatus connected, via a network, to a plurality of relay apparatuses that relay communication performed by a terminal, and to the terminal, including: storage means configured to store relay apparatus identifiers that identify each of the plurality of relay apparatuses, installation site information that indicates installation sites of each of the plurality of relay apparatuses, and load information that indicates loads of each of the plurality of relay apparatuses; load management means configured to collect the load information from each of the plurality of relay apparatuses to store the load information in the storage means; selection means configured, when receiving a request from the terminal, to select a relay apparatus for relaying communication performed by the terminal from among the plurality of relay apparatuses based on the installation site information or the load information; and transmission means configured to transmit, to the terminal that transmits the request, a relay apparatus identifier of the relay apparatus selected by the selection means.

Bootstrapping devices on a network

Methods for operating a device and for managing bootstrapping of devices are disclosed. The method (100) for operating a device comprises computing (102) a derivative of a secret shared between the device and a server entity of a network, generating (104) a temporary bootstrap URI by combining at least a part of the computed derivative with a static bootstrap URI for the network, and sending (106) a bootstrap request to the temporary bootstrap URI. The method for managing bootstrapping of devices comprises generating temporary bootstrap URIs corresponding to devices operable to connect to a network, and updating a network DNS registry to map the generated temporary bootstrap URIs to the IP address of at least one of a bootstrap server instance reachable via the network and/or a bootstrap load balancer. Also disclosed are a device, a bootstrap load balancer, a bootstrap server, and a computer program.

System and method for diameter messaging in computer networks
11570240 · 2023-01-31

A system and method for diameter agent load balancing. The method including: receiving a request from a sending diameter node; parsing at least one Attribute-Value Pair (AVP) from the request; determining a partition-identifier (partition-id) from the at least one AVP; determining a receiving diameter node, based on the partition-id; and sending the request to the receiving diameter node. The system including: a message module configured to receive a request from a sending diameter node; a parsing module configured to parse at least one Attribute-Value Pair (AVP) of the message from the request and determine a partition-id from the at least one AVP and a receiving diameter node, based on the partition-id; and a forwarding module configured to send the request to the receiving diameter node.

CLUSTER-AWARE MULTIPATH TRANSMISSION CONTROL PROTOCOL (MPTCP) SESSION LOAD BALANCING
20230027642 · 2023-01-26

Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.

SYSTEM AND METHOD OF DYNAMIC AND SCALABLE IoT FRAMEWORK

A method and a system for providing one or more services to one or more user devices [202] in an IoT network in a scalable M2M (Machine to Machine) framework. The method comprises receiving a connection request from the one or more user devices [202] at a load balancer of the IoT network; the connection request comprises at least a username comprising a cluster identifier. The load balancer [204] determines a cluster identifier based on the connection request and identifies at least one target cluster from the one or more clusters [206], said target cluster being associated with the cluster identifier. The load balancer [204] routes the connection request to the at least one target cluster to provide the one or more services to the one or more user devices [202].

POLICY-BASED FORWARDING TO A LOAD BALANCER OF A LOAD BALANCING CLUSTER

Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.

Intelligent flow state synchronization to improve resiliency, availability, and/or performance of redundant network security devices

Example security systems for use between at least one upstream router and at least one downstream router are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.