Abstract: An IoT E2E Service Layer Security Management system supports methods and procedures to allow an application to establish, use, and teardown an IoT SL communication session that has application specified E2E security preferences and that targets one or more SL addressable targets (e.g., an IoT application, device, or gateway SL addressable resource). E2E SL Session based methods and procedures described herein achieve a required overall E2E security level, by allowing IoT SL instances to influence and coordinate hop security for a multi-hop communication path spanning across multiple intermediary nodes. The methods and procedures described herein reduce overhead, simplify and obviate the need for E2E service level nodes (initiation and termination nodes) from having to perform security service negotiation, in order to establish secure hop-by-hop security associations aligned with an E2E security requirement.

Abstract: Embodiments concern a dynamic authorization framework. Security Classification Process (SCP) is the process of classifying raw data, information extracted from raw data, content or code from security-value perspective. Security Achievability Determination Process (SADP) is a process based on a SV/SC that has been assigned, the RHE may determine the Security Requirements and how the security requirements may be achieved. During the Security Achievability Listing Process (SALP), the RHE uploads onto the Resource Listing Entity (RLE) the URI of the resource, the SAM associated with the resource and optionally a digital certificate associated with the resource. During the SAM Assessment Process (SAMAP) process, a Client evaluates the security mechanisms that must be carried out in order to meet the SAM that was provided as part of the Discovery Process (DP). Based on the SAM obtained from the RLE, the Client may initiate a Security Achievability Enabling Process (SAEP).

Abstract: The application describes a computer-implemented apparatus that includes a non-transitory memory having instructions stored thereon for assigning address space in a network. The apparatus also includes a processor, operably coupled to the non-transitory memory, configured to execute at least the instruction of receiving a solicitation from a router in the network. The processor is also configured to execute the instruction of replying to the solicitation with address space. The processor is also configured to execute the instruction of receiving a second solicitation from the router to register a new address. The processor is further configured to execute the instruction of determining if the new address is from a dedicated address space or a shared address space. The processor is even further configured to execute the instruction of sending a neighbor advertisement with the address registration to the router.

Abstract: Embodiments concern a dynamic authorization framework. Security Classification Process (SCP) is the process of classifying raw data, information extracted from raw data, content or code from security-value perspective. Security Achievability Determination Process (SADP) is a process based on a SV/SC that has been assigned, the RHE may determine the Security Requirements and how the security requirements may be achieved. During the Security Achievability Listing Process (SALP), the RHE uploads onto the Resource Listing Entity (RLE) the URI of the resource, the SAM associated with the resource and optionally a digital certificate associated with the resource. During the SAM Assessment Process (SAMAP) process, a Client evaluates the security mechanisms that must be carried out in order to meet the SAM that was provided as part of the Discovery Process (DP). Based on the SAM obtained from the RLE, the Client may initiate a Security Achievability Enabling Process (SAEP).

Abstract: In a machine-to-machine/Internet-of-things environment, end-to-end authentication of devices separated by multiple hops is achieved via direct or delegated/intermediated negotiations using pre-provisioned hop-by-hop credentials, uniquely generated hop-by-hop credentials, and-or public key certificates, whereby remote resources and services may be discovered via single-hop communications, and then secure communications with the remote resources may be established using secure protocols appropriate to the resources and services and capabilities of end devices, and communication thereafter conducted directly without the overhead or risks engendered hop-by-hop translation.

Abstract: Mechanisms for discovering ad hoc Service Layer Entities (aSLEs) either deployed in ad hoc or switched from normal operation mode to ad hoc mode can support an IoT service in a distributive self-organized system.

Abstract: Enhancements to the device management functionality within service layer architecture of a Gateway node are described. The SL application registration procedure can be enhanced for devices in support of device management. Functionality can be added to the service layer to initiate automated request notification for DM purposes. Lightweight SL Transport Protocol bindings can support sending multiple DM commands called DM Action Scripts with a specific focus on the Constrained Application Protocol (CoAP) Protocol.

Abstract: An M2M entity may retrieve data such that the representation of the data may consistently be returned in a form that can be dynamically specified in order to reduce complexity and overhead required by a requestor or consumer of the data. The semantic descriptions of the data that exist in the service layer may be used in order to provide desired results to the requestor or consumer of the data.

Abstract: Wireless channels and timeslots are allocated in a distributed and reactive manner by network devices. A source device sends to neighbor devices a track discovery request indicating a destination and data bandwidth/channel and timeslot requirements. The neighbors conditionally forward the message until it reaches the destination device. The forwarded message includes information about the devices traversed by the message. Messages will not be forwarded if the recipient lacks sufficient resources to accommodate the data bandwidth requirements. The destination selects a path to be a communications track based upon characteristics of the one or more paths by which the request was received, and sends a reply back to the source device along the selected path. Once established, tracks may be kept alive, updated, and/or repaired via messaging among the devices along the track.

Abstract: It is recognized herein that existing approaches to M2M/IoT networks do not realize Network Functions Virtualization (NFV). In particular, existing M2M service layers (e.g. oneM2M) are not built, managed, or operated in accordance with NFV practices. In an example embodiment, an M2M apparatus assigns various roles to various common service entities, such that common service functions can be pooled together with one another. The roles can be migrated among common service entities to ensure that the pools are managed and controlled efficiently. Further, pool members can exit and join one or more pools.

Abstract: Multicast messaging may be managed in a machine-to-machine/Internet of things context, such as a CoAP network, via the inclusion of server selection criterion in multicast request messages and/or resource directory registration management. Server selection criteria may be explicit or implicit. An explicit criterion may be expressed, for example, as an IP address, a server identifier relative to a group context, or a Bloom filter. An implicit criterion may, for example, relate to the context of the request or the requestor, and include such information as data accuracy, data type, application, operating system, network location, geolocation, resource creation time, and resource update time. Server selection criteria may be maintained by a resource directory and/or via a user interface.

Abstract: Enhancements to the device management functionality within service layer architecture of a Gateway node are described. The SL application registration procedure can be enhanced for devices in support of device management. Functionality can be added to the service layer to initiate automated request notification for DM purposes. Lightweight SL Transport Protocol bindings can support sending multiple DM commands called DM Action Scripts with a specific focus on the Constrained Application Protocol (CoAP) Protocol.

Abstract: Existing approaches to security within network, for instance oneM2M networks, are limited. For example, content might only be protected while the content is in transit between entities that trust each other. Here, the integrity and the confidentiality of content in an M2M network are protected. Such content may be “at rest,” such that the content is stored at a hosting node. Only authorized entities may store and retrieve the data that is stored at the hosting node, and the data may be protected from a confidentiality perspective and an integrity perspective.

Abstract: CoAP network nodes may leverage context awareness to take autonomous action to adjust network operations. Context-aware procedures may be pre-configured, established by management entities, or negotiated between nodes, and include parameters for the monitoring and evaluation of data, as well has triggers for taking action. By monitoring requests to observe a resource, a node may determine when a resource should transition to multicast or unicast notification, and dynamically manage multicast group membership based on observation registrations and/or cancellations. By monitoring resource requests, a proxy may determine when to proactively refresh a cached representation of a resource. By monitoring timeouts and/or retransmissions, a client may dynamically adjust a timeout value to optimize communications.

Abstract: IoT service layer capabilities may be employed to automate and simplify the service enrollment process for IoT service subscribers/enrollees. These capabilities enable virtualization of a service subscriber and the physical IoT devices, applications, data and authorized users of the subscriber into a software profile that is representative of the subscriber. Once virtualized, a service subscriber may then delegate the complexities and burden of service enrollment to an automated IoT service enrollment software function.

Abstract: Existing approaches to security within network, for instance one M2M networks, are limited. For example, content might only be protected while the content is in transit between entities that trust each other. Here, the integrity and the confidentiality of content in an M2M network are protected. Such content may be “at rest,” such that the content is stored at a hosting node. Only authorized entities may store and retrieve the data that is stored at the hosting node, and the data may be protected from a confidentiality perspective and an integrity perspective.

Abstract: A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (E.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity. Mechanisms to distribute the security credentials to other entities which could then use the credentials to perform an End-to-End authentication at the Service Layer or the Session Layer and using Direct or Delegated modes are developed.

Abstract: The present application is directed to a computer-implemented apparatus for negotiating service layer attributes. The apparatus includes a non-transitory memory including instructions stored thereon for a negotiation service layer for negotiating a service attributes. The apparatus also includes a processor, operably coupled to the non-transitory memory. The processor is configured to perform the instruction of reviewing a negotiable service layer attribute received from a negotiatee. The processor is also configured to perform the instruction of sending a negotiation request to the negotiatee based upon the reviewed attribute. The processor is also configured to perform the instruction of receiving an offered suggestion from the negotiatee. Another aspect of the application is directed to a networked system including a computer-implemented negotiatee and a computer-implemented negotiator for negotiating service layer attributes.

Abstract: Mechanisms for discovering ad hoc Service Layer Entities (aSLEs) either deployed in ad hoc or switched from normal operation mode to ad hoc mode can support an IoT service in a distributive self-organized system.

Abstract: Methods are described that can enable resource monitoring over HTTP/2. These methods may rely on using multiple streams over persistent connections and on the HTTP/2 Push mechanism. Furthermore, a mechanism is proposed that can enable resource monitoring over multiple servers.