Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s amendment filed on 12 October 2020. Claims 1, 6, and 8-10 have been amended. Claims 1-20 remain pending. 

	
Information Disclosure Statement
4.	The Information Disclosure Statement respectfully submitted on 14 October 2020 has been considered by the Examiner.

Response to Arguments
Applicant’s arguments, see pages 7-9, filed 12 October 2020, with respect to the rejection(s) of claim(s) 1-20 under Shen et al. (Pub No. 2017/0163599) in view of Kwan (Pub No. 2009/0254973) have been fully considered, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. The newly added claim limitation, “performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network”, is taught and disclosed in the Bansal et al. reference.
In light of the previous 103 rejection, the Applicant contends that the cited references Shen et al. in view of Kwan fail to explicitly disclose, suggest, or teach “a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter, the MFE implementing a logical network that connects a plurality of DCNs within the public datacenter”. The Examiner respectfully disagrees and asserts that Shen et al. discloses in paragraphs 38-40, a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a datacenter and the MFE implements a logical network that connects a plurality of DCNs with the datacenter. Shen et al. further discloses the MFE comprises three virtual endpoints and is a software forwarding element implemented in the virtualization software of the host 100, the VTEP is a separate software entity, which the host connects to the physical network of the datacenter. The three virtual endpoints correspond to three separate physical network interface controllers (pNICs), which are the physical interfaces of the host machine that connect to the physical network of the datacenter.
Therefore, the rejection of claims 1-20 will be maintained in view of the reasons above and below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being obvious over Shen et al. (Pub No. 2017/0163599) in view of Kwan (Pub No. 2009/0254973) and in further view of Bansal et al. (Pub No. 2017/0317972).
Referring to the rejection of claim 1, Shen et al. discloses for a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter, the MFE implementing a logical network that connects a plurality of DCNs within the public datacenter, a method comprising: (See Shen et al., para. 38)
Please note that in this example, a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a datacenter and the MFE implements a logical network that connects a plurality of DCNs with the datacenter.
receiving a packet directed to the DCN, wherein the packet (i) has a logical network first source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network; (See Shen et al., para. 114-116)
Please note that in this example, receive packet sent from the local data compute node (DCN) wherein the source address is encapsulated with the destination address.
determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses; (See Shen et al., para. 117-118)
Please note that in this example, determine if the addresses are valid based upon the mapping table for mapping network addresses.
However, Shen et al. fail to explicitly disclose and when the first source address is not a valid source address for the packet, dropping the packet.
Kwan discloses a system and method for source IP anti-spoofing security.
Kwan discloses and when the logical network first source address is not a valid source address for the packet, dropping the packet. (See Kwan, para. 28-30)
Please note that in this example, if the data packet contains a source MAC address and source IP address pair which does not match the previously identified MAC address/IP address pair stored in the mapping table the security procedures will block data packets from the invalid source MAC address.
The combination of Shen et al. and Kwan fail to explicitly disclose performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network.
Bansal et al. discloses a system and method for translating a logical switch into a set of network addresses.
(See Bansal et al., Figures 2-3 and para. 34-42)
Please note that in this example, spoof guard is configured for the managed forwarding element (MFE) in order to protect the MFE from unwanted traffic. The spoof guard includes a set of one or more valid network addresses; if the traffic entering the MFE does not match that network address, the traffic is not forwarded and is dropped. The spoof guard collects a list of authorized network addresses for the MFE to determine whether packet traffic received by the MFE is from authorized sources. Therefore, this will prevent invalid network addresses for the logical network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Shen et al.’s method for encapsulating packets in a tunnel at a source managed forwarding element (MFE) for communication to a destination managed forwarding element and Kwan’s system and method for source IP anti-spoofing security modified with Bansal et al.’s system and method for translating a logical switch into a set of network addresses. 
Motivation for such implementation would enable a method for enhancing security and reduce the risk created by the spoofing of IP addresses by using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. (See Kwan, Abstract and para. 2)


Referring to the rejection of claims 2 and 13, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein the host computer is a first host computer, wherein the first host computer receives the mapping table from a network controller that (i) operates on a second host computer in the public datacenter and (ii) configures the MFE to implement the logical network. (See Shen et al., para. 51-52 and 63-64)
Referring to the rejection of claims 3 and 14, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein the network controller distributes the mapping table to a controller agent executing on the first DCN, said controller agent directly configuring the MFE to implement the logical network and to use the mapping table. (See Shen et al., para. 52 and 62)

Referring to the rejection of claim 4, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein the network controller operating on the second host computer is a first network controller that manages a plurality of MFEs operating in the public datacenter to implement the logical network, wherein the first network controller receives logical network configuration data from a second network controller operating (See Shen et al., para. 63-64 and 100-101)
Referring to the rejection of claim 5, (Shen et al. and Kwan modified by Bansal et al.)  discloses wherein: the second network controller has access to and provides configuration data for managed forwarding elements operating in virtualization software of a plurality of host computers of the second datacenter, and the second network controller does not have access to forwarding elements operating in virtualization software of the first and second host computers of the first datacenter. (See Shen et al., para. 39, 130, and 133)
Referring to the rejection of claims 6 and 16, (Shen et al. and Kwan modified by Bansal et al.)  discloses wherein: the DCN is a first DCN, the logical network first source address is a logical network address for applications executing on a second DCN, and the second source address is an address assigned to the second DCN by the public datacenter. (See Shen et al., para. 51 and 55-56)

Referring to the rejection of claims 7 and 17, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein a workload application executes on the DCN alongside the MFE, wherein the packet is directed to the workload application. (See Shen et al., para. 60-61)

Referring to the rejection of claims 8 and 18, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein the packet has a logical network first destination (See Shen et al., para. 63-64 and 66-67)
Referring to the rejection of claims 9 and 19, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein when the logical network first source address is a valid source address for the packet, the MFE forwards the packet to the workload application. (See Shen et al., para. 55, 71, and 94)
Referring to the rejection of claim 10, (Shen et al. and Kwan modified by Bansal et al.)  discloses wherein determining whether the logical network first source address is a valid source address for the packet comprises: identifying an entry of the mapping table for the logical network first source address; (See Shen et al., para. 79) 
identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical first network source address according to the mapping table entry; (See Shen et al., para. 97)
and determining whether the third source address matches the second source address. (See Shen et al., para. 98-99)
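The source check recited in claims 1 and 10 (look up the mapping-table entry for the inner logical source address, identify the underlay address valid for it, compare that with the encapsulation source address, and drop on mismatch) can be illustrated as follows. This is an added example, not part of the Office action or of any cited reference; the class names, verdict labels and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"
    DROP_MALFORMED = "drop: unparseable address"
    DROP_UNKNOWN_LOGICAL = "drop: no mapping entry for inner source"
    DROP_UNDERLAY_MISMATCH = "drop: outer source not valid for inner source"


@dataclass(frozen=True)
class EncapsulatedPacket:
    outer_src: str  # underlay address on the encapsulation header
    inner_src: str  # logical network source address of the inner packet


class SourceValidator:
    """Hypothetical spoof-guard check; names are illustrative only."""

    def __init__(self, mapping):
        # logical address -> set of underlay addresses allowed to carry it.
        # Parsing normalizes textual variants so comparison is by value.
        self._table = {
            ipaddress.ip_address(logical): {ipaddress.ip_address(u) for u in underlay}
            for logical, underlay in mapping.items()
        }

    def check(self, pkt):
        try:
            inner = ipaddress.ip_address(pkt.inner_src)
            outer = ipaddress.ip_address(pkt.outer_src)
        except ValueError:
            return Verdict.DROP_MALFORMED
        allowed = self._table.get(inner)   # identify the mapping-table entry
        if allowed is None:
            return Verdict.DROP_UNKNOWN_LOGICAL
        if outer not in allowed:           # compare valid underlay vs. actual outer source
            return Verdict.DROP_UNDERLAY_MISMATCH
        return Verdict.FORWARD


# Constructed sample data: logical 192.168.1.0/24 carried over underlay 10.1.0.0/16.
MAPPING = {
    "192.168.1.20": {"10.1.0.20"},   # second DCN
    "192.168.1.30": {"10.1.0.30"},   # third DCN
    "fd00::20": {"2001:db8::20"},
}
GUARD = SourceValidator(MAPPING)

if __name__ == "__main__":
    # Third DCN uses its own underlay address but claims the second DCN's logical address.
    print(GUARD.check(EncapsulatedPacket("10.1.0.30", "192.168.1.20")))
```

Because the table is keyed on parsed addresses, an expanded IPv6 spelling of a mapped address matches the same entry as its compressed form.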
Referring to the rejection of claim 11, (Shen et al. and Kwan modified by Bansal et al.)  discloses wherein the third source address is an Internet Protocol (IP) address assigned by the public datacenter to a second DCN, wherein the packet is received (See Shen et al., para. 95-99)

Referring to the rejection of claim 12, (Shen et al. and Kwan modified by Bansal et al.) discloses a non-transitory machine readable medium storing a managed forwarding element (MFE) which when executed on a data compute node (DCN) operating on a host computer in a public datacenter implements a logical network that connects a plurality of DCNs within the public datacenter, the program comprising sets of instructions for: (See Shen et al., para. 38 and 143) 
Please note that in this example, a computer readable storage medium is shown for storing a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a datacenter and the MFE implements a logical network that connects a plurality of DCNs with the datacenter.
receiving a packet directed to the DCN, wherein the packet (i) has a first logical network source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network; (See Shen et al., para. 114-116)
Please note that in this example, receive packet sent from the local data compute node (DCN) wherein the source address is encapsulated with the destination address.
(See Shen et al., para. 117-118)
Please note that in this example, determine if the addresses are valid based upon the mapping table for mapping network addresses.
However, Shen et al. fail to explicitly disclose and when the first source address is not a valid source address for the packet, dropping the packet.
Kwan discloses a system and method for source IP anti-spoofing security.
Kwan discloses and when the first source address is not a valid source address for the packet, dropping the packet. (See Kwan, para. 28-30)
Please note that in this example, if the data packet contains a source MAC address and source IP address pair which does not match the previously identified MAC address/IP address pair stored in the mapping table the security procedures will block data packets from the invalid source MAC address.
The combination of Shen et al. and Kwan fail to explicitly disclose performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network.
Bansal et al. discloses a system and method for translating a logical switch into a set of network addresses.
Bansal et al. discloses a method of performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network. (See Bansal et al., Figures 2-3 and para. 34-42)
Please note that in this example, spoof guard is configured for the managed forwarding element (MFE) in order to protect the MFE from unwanted traffic. The spoof guard includes a set of one or more valid network addresses; if the traffic entering the MFE does not match that network address, the traffic is not forwarded and is dropped. The spoof guard collects a list of authorized network addresses for the MFE to determine whether packet traffic received by the MFE is from authorized sources. Therefore, this will prevent invalid network addresses for the logical network.
The rationale for combining Shen et al. and Kwan in view of Bansal et al. is the same as claim 1.

Referring to the rejection of claim 15, (Shen et al. and Kwan modified by Bansal et al.)  discloses wherein: the network controller operating on the second host computer is a first network controller that manages a plurality of MFEs operating in the public datacenter to implement the logical network; the first network controller receives logical network configuration data from a second network controller operating in a second datacenter; (See Shen et al., para. 63-64 and 100-101)
the second network controller has access to and provides configuration data for managed forwarding elements operating in virtualization software of a plurality of host computers of the second datacenter; and the second network controller does not have access to forwarding elements operating in virtualization software of the first and second host computers of the first datacenter. (See Shen et al., para. 39, 130, and 133)

Referring to the rejection of claim 20, (Shen et al. and Kwan modified by Bansal et al.) discloses wherein the set of instructions for determining whether the first logical network source address is a valid source address for the packet comprises sets of instructions for: identifying an entry of the mapping table for the first logical network source address; (See Shen et al., para. 79) 
identifying a third source address associated with the underlying public datacenter network that is a valid source address for the first logical network source address according to the mapping table entry, wherein the third source address is an Internet Protocol (IP) address assigned by the public datacenter to a second DCN; (See Shen et al., para. 97)
and determining whether the third source address matches the second source address, (See Shen et al., para. 98-99) wherein the packet is received from a third DCN that has been compromised by an attacker and is impersonating the second DCN to direct traffic to the first DCN. (See Shen et al., para. 95-99)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871.  The examiner can normally be reached on IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/COURTNEY D FIELDS/Examiner, Art Unit 2436
January 30, 2021
/KENDALL DOLLY/Primary Examiner, Art Unit 2436