Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

2.	Claims 1-3, 6, 14, 16 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Pub. 2014/0140305 to Barrett in view of U.S. Patent 8,855,071 to Sankaran and U.S. Patent Pub. 2013/0310006 to Chen. 

Regarding claims 1 and 14, Barrett teaches a method operational at a radio access network (RAN) node for establishing a first secure connection with a first service network node, comprising:
receiving a first service registration request from a client device (see for example, Figs. 1-2 and 4, as described in sections [0045] to [0047], which teach a UE 101 sending a service request to an eNB 102);
forwarding the first service registration request, comprising a first service identifier and an access node certificate of the RAN node to a connectivity network node under a connectivity context (see for example, Fig. 4 as described in sections [0045] to [0047], which teach the eNB 102 forwarding the service request to the MME 105, where the MME is the “connectivity node” and see sections [0041], [0054] to [0057], which teach an “IP context” and the “RRC context”, which are “connectivity contexts”, as recited);

In an analogous art, Sankaran teaches a mobile device sending an eNB a request for a session service request.  See for example, column 8 line 46, to column 9, line 3, which describe a “session service registration request” received at the eNB from the mobile device, which is then sent to the MME. 
In an analogous art, Chen teaches a wireless system which receives requests for mobile services, and generates a certificate between the eNB and the RNC as described in sections [0217] to [0236], which relate to Fig. 8.  It is also noted that the MME does not have the IP sec key generated between the eNB and the RNC (see section [0245]).  
Therefore, as Barrett teaches security associations between nodes and as Chen explicitly teaches that the security association is based on a certificate associated with the RAN node (eNB), it would have been obvious to modify Barrett with this security association as Chen teaches the benefits of this association.   
Regarding the amendments and features of:    
“establishing the first secure connection under a first service context of a plurality of simultaneous distinct service contexts separate from the connectivity context, through the connectivity network node, with the first service network node identified by the first service identifier based on the access node certificate of the RAN node forwarded to the first service network node by the connectivity network node; and 
under the first service context, wherein the first security key is secured against access by the connectivity network node by the first secure connection under the first service context”, see sections [0055] and [0061] of Barrett which teach the NAS service contexts, which include security, QoS and other service settings.  Also regarding the “service contexts” see for example, column 18, lines 28-34, of Sankaran which teach storing each “session context” which are each one of the number of different simultaneously available service contexts, and see column 8 line 46, to column 9, line 3 of Sankaran, which also describes a “second service registration request”.  Therefore, these newly recited features are taught and/or rendered obvious by the combination of Barrett as modified by Chen and Sankaran.  
In other words, as Barrett and Sankaran teach connectivity and service contexts, modifying the eNB of Barrett to include its certificate (as in Chen) exchanges security keys and establishes a secure connection from the eNB to the destination server (as in Chen), where the secure channel passes through the MME (“connectivity node”) of Barrett.

Regarding claim 2, which recites “further comprising: 
receiving a second service registration request from the client device;
forwarding the second service registration request, comprising a second service identifier and [[an]] the access node certificate under the connectivity context;
under a second service context of the plurality of simultaneous distinct service contexts, through the connectivity network node, with a second service network node identified by the second service identifier, based on the access node certificate network node
receiving a second security key from the second service network node through the connectivity network node under the second service context, wherein: the second security key is secured against access by the connectivity network node by the second secure connection under the second service context, the first service context and the second service context are distinct simultaneous service contexts that are separate from the connectivity context, and
the first and second secured connections, associated with the respective simultaneous distinct service contexts, are multiplexed over a single Layer 2 connection of a communication protocol stack”, as described above in the rejection of claim 1, see column 8 line 46, to column 9, line 3 of Sankaran, which also describes a “second service registration request” received from the mobile device, which is sent to the MME.  See also the discussion in column 9, lines 15-20, which teaches that each connection has its own bearers, which are distinct and secured from the other bearers (for the other connections).  Regarding the feature which recites that a second secure connection “is based on a certificate associated with the RAN node, between the RAN node...”, see Chen as applied to claim 1 above.  
the first and second secured connections, associated with the respective simultaneous distinct service contexts, are multiplexed over a single Layer 2 connection of a communication protocol stack”, as layer 2 communications are via the MAC layer (as shown in Fig. 13 of Barrett) and as all communications from a single UE are addressed to the same MAC address of the UE, the eNB of Barrett will direct (multiplex) all connections over this single layer connection as now recited.
Regarding claims 3 and 16, which now recite “further comprising:
receiving a second service registration request from the client device; and establishing a second secure connection under a second service context of the plurality of simultaneous distinct service contexts, through the connectivity network node, with a second service network node, different from the first service network node, based on the access node certificate forwarded to the second service network node by the connectivity network node, wherein the first service context and the second service context are simultaneous service contexts and are separate from the connectivity context 
as described above in the rejection of claim 1, see sections [0055] and [0061] of Barrett which teach the NAS service contexts, which include security, QoS and other service settings, and see for example, column 18, lines 28-34, of Sankaran which teach storing each “session context” which are each one of the number of different service 
Regarding claim 6, which recites “wherein establishing the first secure connection with the first service network node further comprises: receiving a secure connection request from the connectivity network node which originated from the service network node”, both Barrett and Sankaran teach establishing the secure connection by receiving the connection request at the MME which is sent from the eNB, as recited.  

Regarding claim 31, which recites “wherein the first secure connection between the RAN and the first service network node is secured using a security context unknown to the connectivity node”, as described above, as Chen teaches that the MME does not know the IPsec key (generated between the eNB and the RNC), the combination of references teach and/or render obvious this feature, as recited.
 

Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Sankaran and Chen as applied to claims 1 and 14 above, and further in view of U.S. Patent 2015/0351148 to Jha (hereinafter “Jha”).

Regarding claims 5 and 17, which recite “wherein establishing the first secure connection with the first service network node further comprises: determining whether the RAN node has a pre-existing secure connection with the first service network node 
Therefore, the combination of Barrett and Sankaran would appear to teach and/or render obvious these features, however as these references do not explicitly teach “reusing the previous connection”, Jha is added.  
In an analogous art, Jha teaches a wireless system which assigns resources and reuses previous connections (if stored).  See for example, section [0025], which explicitly teaches that the bearers and security information from the previous connection are reused. 
Therefore, as Barrett/Sankaran teach initializing and “activating” connections, and as Jha teaches reusing connection data, it would have been obvious to modify the Barrett/Sankaran combination, as Jha teaches the benefits and conventionality of reusing previous connection information.   


Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Chen and Sankaran as applied to claims 1 and 14 above, and further in view of either one of U.S. Patent Pubs. 2014/0302820 to Jones or 2014/0241317 to Jamadagni.
Regarding claims 7 and 18, which now recite “wherein the security key serves to secure communications between the RAN node and the client device”, as Barrett and Sankaran do not explicitly teach using keys, Jones or Jamadagni is added.
	In analogous art, both Jones and Jamadagni teach using keys between the eNB and the client device.  See for example, section [0018] of Jones and section [0048] of Jamadagni.
	Therefore, as Barrett/Sankaran teach using secure connections, and as both Jones and Jamadagni teach using keys between the eNB and the client device, it would have been obvious to modify the Barrett/Sankaran combination, with either one of Jones and Jamadagni, as keys are conventionally used for secure connections. 


Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Sankaran and Chen as applied to claims 1 and 14 above, and further in view of one of U.S. Patent 8,964,695 to Bachmann or U.S. Patent Pub. 2012/0100833 to Gao.

Regarding claims 10 and 20, which now recite “wherein the connectivity node is configured to forward the access network node certificate of the RAN node to the service network node”, as described above, although Chen teaches using the 
In analogous art, Bachmann teaches using certificates to establish a secure connection between nodes.  See column 9, line 15 and column 27, line 6, which teach sending device identifier information along with the certificate itself to ensure security. Sections [0018] to [0019] of Gao also teach that the base station and the service node exchange certificates. 
	Therefore, as Barrett/Sankaran teach sending service request connections, Chen teaches using certificates, and as Bachmann or Gao teach including the certificate in the connection process, it would have been obvious to modify the combination of Barrett/Sankaran/Chen to include the certificate, as is conventional and as for reasons as taught in Bachmann/Gao.  


Claims 21, 28 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Sankaran and Chen as applied to claim 1 above. 

Regarding claims 21 and 30, which now recite “a method operational at a service network node for establishing a secure connection with a radio access network (RAN) node, comprising: 
receiving from a connectivity network node, a service registration request comprising a client device identifier of a client device that initiated the service registration request and an access node certificate of the RAN node; (see Barrett and Sankaran for the service request and Chen for the certificate); 

transmit a first security key to the RAN node through the connectivity network node, wherein the first security key is secured against access by the connectivity network node by the secure connection (key exchange of Chen, via MME of Barrett).
Regarding the changes to claims 21 and 30, which are similar to claim 1, see the rejection of claim 1 above. 
Regarding claim 28, which now recites “wherein establishing the secure connection further comprises sending service network node information to the RAN node”, see for example, columns 13-14 of Sankaran, which teach “the service node sending the address to the radio access network node” and Chen which teaches sending security parameters, as recited.


Claim 29 is rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Sankaran and Chen as applied to claim 28, and further in view of Bachmann or Gao. 

Regarding claim 29, which recites “wherein the service network node information comprises at least a certificate associated with the service network node”, as Barrett, Sankaran and Chen do not teach including the certificate, Bachmann/Gao is added. 
In analogous art, Bachmann teaches using certificates to establish a secure connection between nodes.  See column 9, line 15 and column 27, line 6, which teach 
	Therefore, as Barrett/Sankaran teach sending service request connections, Chen teaches each node using its certificate, and as Bachmann teaches including the certificate in the connection process, it would have been obvious to modify the Barrett/Sankaran/Chen combination to include the certificate, as is conventional and as for reasons as taught in Bachmann/Gao.  

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Chen and Sankaran as applied to claim 21 above, and further in view of Jha.
Regarding claim 22, which now recites “wherein establishing the secure connection with the RAN node further comprises:
determining whether the service network node has a pre-existing secure connection with the RAN node prior to establishing the secure connection with the RAN node:
if the pre-existing secure connection is available, reusing the pre-existing secure connection with the RAN node; and 
if the pre-existing secure connection is not available, establishing the secure connection with the RAN node”, Jha is added. 
In an analogous art, Jha teaches a wireless system which assigns resources and reuses previous connections (if stored).  See for example, section [0025], which 
Therefore, as Barrett/Sankaran teach initializing and “activating” connections, and as Jha teaches reusing connection data, it would have been obvious to modify the Barrett/Sankaran combination, as Jha teaches the benefits and conventionality of reusing previous connection information.   


Claims 24 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Barrett, Sankaran and Chen as applied to claim 21, and further in view of either one of U.S. Patent Pub. 2010/0056156 to Xu or U.S. Patent Pub. 2010/0173610 to Kitazoe.

Regarding claim 24, which recites “further comprising: performing authentication and key agreement with the client device and deriving the first security key for the client device based on an authentication session key”, Barrett/Sankaran do not explicitly teach these features. 


In an analogous art, Xu and Kitazoe teach wireless systems which use keys (for both Access Stratum (AS) and Non-Access Stratum (NAS) layers) which are sent to the UE.  See for example, sections [0017] and [0088] to [0089] of Xu and section [0077] of Kitazoe.  
Therefore, as Barrett/Sankaran teach using secure connections, and as Xu and Kitazoe teach using keys for secure connections, it would have been obvious to modify 
Regarding claim 26, which recites “wherein the first security key serves to secure access stratum communications”, see the rejection of claims 24-25 above, which both address security keys in the access stratum layer, as recited.


Response to Arguments
Regarding Applicant’s remarks filed on 10-23-20, these are now moot in view of the new grounds of rejection.    


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEVEN SHAUN KELLEY whose telephone number is (571)272-5652.  The examiner can normally be reached on Mondays to Fridays.  
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lester Kincaid can be reached on (571)272-7922.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/STEVEN S KELLEY/Primary Examiner, Art Unit 2646