Abstract: Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.

Abstract: Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.

Abstract: The use and processing of update messages (e.g., BGP UPDATEs) that bind (e.g., MPLS) labels to address prefixes is improved such that labels are used more efficiently, and/or such that such update messages can be processed more efficiently. A distance vector control signaling protocol (e.g., BGP) peer device receives a control plane message (e.g., BGP Update) from a downstream peer device, the control plane message including (1) a network address of the downstream device as a next hop value, (2) a prefix value, and (3) at least one label associated with the prefix value. Responsive to receiving the control plane message, the peer device generates a new control plane message including (1) a network address of the peer device as a next hop value, (2) the prefix value from the control plane message, and (3) a label stack including (i) the at least one label from the control plane message, and (ii) a local label associated with the peer device.

Abstract: The challenge of isolating a protocol peer(s) from routing information churn caused by to a peering protocol (e.g., due to updating the peering protocol, due to a bug in the peering protocol, due to a crash in the peering protocol, etc.) is solved by using a separate data store to isolate the protocol peer(s) from the peering protocol. The separate data store may: (a) receive, from at least one of the outside peering devices, incoming routing information; (b) store the incoming routing information received in a first storage system; (c) provide a copy of at least some of the stored incoming routing information received to a second storage system used by a process for selecting routes using the routing information, the process generating state information to be distributed (e.g.

Abstract: The challenge of isolating a protocol peer(s) from routing information churn caused by to a peering protocol (e.g., due to updating the peering protocol, due to a bug in the peering protocol, due to a crash in the peering protocol, etc.) is solved by using a separate data store to isolate the protocol peer(s) from the peering protocol. The separate data store may: (a) receive, from at least one of the outside peering devices, incoming routing information; (b) store the incoming routing information received in a first storage system; (c) provide a copy of at least some of the stored incoming routing information received to a second storage system used by a process for selecting routes using the routing information, the process generating state information to be distributed (e.g.

Abstract: The disclosed computer-implemented method for improving forwarding capabilities during route convergence may include (1) identifying, at an upstream network device, a set of updated routes that define network paths that have each experienced at least one topology change since the upstream network device last converged with a downstream network device, (2) determining, at the upstream network device, levels of priority for the set of updated routes based at least in part on amounts of traffic that traverse the network paths defined by the set of updated routes, (3) arranging, at the upstream network device, the set of updated routes in a prioritized order in accordance with the levels of priority, and then (4) converging the upstream network device with the downstream network device by sending the set of updated routes in the prioritized order to the downstream network device. Various other methods, systems, and apparatuses are also disclosed.

Abstract: The disclosed computer-implemented method for improving forwarding capabilities during route convergence may include (1) identifying, at an upstream network device, a set of updated routes that define network paths that have each experienced at least one topology change since the upstream network device last converged with a downstream network device, (2) determining, at the upstream network device, levels of priority for the set of updated routes based at least in part on amounts of traffic that traverse the network paths defined by the set of updated routes, (3) arranging, at the upstream network device, the set of updated routes in a prioritized order in accordance with the levels of priority, and then (4) converging the upstream network device with the downstream network device by sending the set of updated routes in the prioritized order to the downstream network device. Various other methods, systems, and apparatuses are also disclosed.