DETAILED ACTION
This is in response to Application # 16/406,872. Claims 1-20 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable by Abodunrin, Akeem et al. (hereafter “Akeem”).

Regarding Claim 1,
A method comprising: 

physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]; 

determining to execute the first function at a first network interface card, the first network interface card comprising a plurality of processors [Akeem: 0032; the NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein];

creating a container at the first network interface card, the container comprising at least one processor of the plurality of processors [Akeem: 0048; the physical function 308 may be embodied as a virtualized PCI function that is capable of performing a given functionality of the NIC 120; the physical function 308 is configured to have full configuration access to resources such that the physical function 308 can configure, assign, or otherwise control a physical resource of the NIC 120; as such, depending on embodiment, the NIC 120 can present multiple virtual instances of itself to multiple hosts (e.g., to a VM 302, a container, a hypervisor, a processor core, etc.); 0051; the physical function policies may include any information usable to instantiate, configure, control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0067; referring now to FIG. 8, an illustrative embodiment of a PCIe NIC (e.g., with PCIe passthrough, an SR-IOV virtual device composition module (VDCM), etc.) with control plane separation is shown in which the control plane is separated into a hypervisor/container 804 that has ownership of the control plane; as illustratively shown, the physical function driver 310 can be access restricted and proxy configuration requests received from the physical function 308c, effectively neutralizing the attack surface between the physical function driver 310 and the physical functions 308 residing on the hypervisor/container 804; 0076; wherein the trusted control path controller circuitry resides on the NIC and the trusted control path controller circuitry resides on one of a hypervisor of the NIC or in a container of the NIC]; and 

executing the first function at the container [Akeem: 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0017; one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]. 

Regarding Claim 2,
wherein receiving the first request to execute the first function comprises receiving the first request to execute the first function wherein the first function is a serverless function [Akeem: 0017; one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing; 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.)]. 

Regarding Claim 3,
wherein determining to execute the first function at the first network interface card comprises determining to execute the first function at the first network interface card based on at least one of: an amount of data traffic being ingested into the first network interface card; a location of data to be accessed by the first function; a load on the first network interface card; or a security policy specifying execution of the first function on a server hosting the first network interface card [Akeem: 0051; depending on the embodiments, the physical function policies may include any information usable to instantiate, configure, or otherwise manage operations of the physical function 308, including, for example, load balancing policies, mappings of physical functions to a given port of the NIC 120, etc.; 0057; If the NIC 120 determines that the physical function is to be configured, the method 400 advances to block 404, in which the NIC 120 identifies one or more tenant parameters; the tenant parameters may include any determine how to configure the physical function, as well as a level of access/trust to be associated with the physical function]. 

Regarding Claim 4,
wherein determining to execute the first function at the first network interface card comprises determining to execute the first function at the first network interface card when a latency requirement of the first function is less than a predetermined latency [Akeem: 0061; the host determines whether the physical function is an untrusted physical function or not; as described previously, untrusted physical functions do not have the ability to perform slow path operations (e.g., issue device resets, change the link configuration, write sensitive/device wide registers, update the device firmware, etc.), and are limited to performing fast path traffic processing operations; depending on the embodiment, the slow path operations can be abstracted through control commands executed by the internal firmware or the control physical function, which can then apply the right access control lists (ACLs) to define which commands are allowed for each physical function; 0063; an untrusted physical function starts with all accesses being trapped, after the fast-path configuration is "granted," the traps are removed and reads/writes are serviced by the appropriate hardware of the NIC 120]. 

Regarding Claim 5,
wherein determining to execute the first function at the first network interface card comprises determining to execute the first function at the first network interface card when a load on a server hosting the network interface card is more than a load balancing policies].

Regarding Claim 6,
wherein determining to execute the first function at the first network interface card comprises determining to execute the first function at the first network interface card when a security policy specifies executing the first function on the first network interface card [Akeem: 0057; If the NIC 120 determines that the physical function is to be configured, the method 400 advances to block 404, in which the NIC 120 identifies one or more tenant parameters; the tenant parameters may include any information usable to determine how to configure the physical function, as well as a level of access/trust to be associated with the physical function; 0062; if the host determines that the physical function is a trusted physical function (e.g., access to configure hardware of the NIC 120 has not been restricted), the method 500 branches to block 508, in which the host issues the control plane request via a trusted control path; to do so, in block 510, the host issues the control plane request to a trusted control path controller (e.g., the trusted control path controller 216 of FIG. 2); 0079; 0087; classifying, by the NIC, the physical function as an untrusted physical function based on the trust level associated with the physical function]. 

Regarding Claim 7,
control plane separation is shown in which the control plane is separated into another host 602 configured to be associated with a control physical function; as illustratively shown, the untrusted control path controller 218 (e.g., the separated control plane) is deployed in the host (4) 602d which is associated with a control physical function that serves as a trusted physical function capable of providing curated access to configuration of the NIC 120; 0072; untrusted control path controller circuitry to manage the untrusted control path; 0062; if the host determines that the physical function is an untrusted physical function (e.g., access to configure hardware of the NIC 120 has been restricted), the method 500 branches to block 512, in which the host issues the control plane request via an untrusted control path (i.e., via a separated control plane); to do so, in block 514, the host issues the control plane request to an untrusted control path controller (e.g., the untrusted control path controller 218 of FIG. 2); depending on the embodiment, the untrusted physical function may be supplied with a mailbox to the control physical function/firmware that is in charge of its configuration, depending on the embodiment]. 

Regarding Claim 8,
An apparatus comprising: a memory storage; and a processing unit coupled to the memory storage, wherein the processing unit is operative to: 

receive a first data traffic comprising a first request to execute a first function [Akeem: 0017; upon receipt of a network packet, the destination compute device 106, or more particularly a network interface controller (NIC) 120 of the destination compute device 106, performs one or more processing operations on at least a portion of the data associated with the received network traffic; to do so, one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]; 

determine to execute the first function at a first network interface card, the first network interface card comprising a plurality of processors [Akeem: 0032; the NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein]; 

create a container at the first network interface card to execute the first function [Akeem: 0048; the physical function 308 may be embodied as a virtualized PCI function that is capable of performing a given functionality of the NIC 120; the physical function 308 is configured to have full configuration access to resources such that the physical function 308 can configure, assign, or otherwise control a physical resource of the NIC the NIC 120 can present multiple virtual instances of itself to multiple hosts (e.g., to a VM 302, a container, a hypervisor, a processor core, etc.); 0051; the physical function policies may include any information usable to instantiate, configure, or otherwise manage operations of the physical function 308, including, for example, load balancing policies, mappings of physical functions to a given port of the NIC 120, etc; 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0067; referring now to FIG. 8, an illustrative embodiment of a PCIe NIC (e.g., with PCIe passthrough, an SR-IOV virtual device composition module (VDCM), etc.) with control plane separation is shown in which the control plane is separated into a hypervisor/container 804 that has ownership of the control plane; as illustratively shown, the physical function driver 310 can be access restricted and proxy configuration requests received from the physical function 308c, effectively neutralizing the attack surface between the physical function driver 310 and the physical functions 308 residing on the hypervisor/container 804; 0076; wherein the trusted control path controller circuitry resides on the NIC and the trusted control path controller circuitry resides on one of a hypervisor of the NIC or in a container of the NIC]; and 

execute the first function in the container [Akeem: 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0017; one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]. 

Regarding Claim 9,
wherein the processing unit being operative to determine to execute the first function at the first network interface card comprises the processing unit being operative to determine to execute the first function at the first network interface card based on a location of a data storage, the data storage storing data corresponding to the first function [Akeem: 0018; the one or more physical functions of the NIC 120 may be embodied as a Peripheral Component Interconnect (PCI) function that is capable of performing various operations (e.g., direct memory access (DMA) operations) and otherwise facilitating communications with the I/O subsystem 122; 0032; the NIC 120 may be embodied as part of a SoC that includes one or more processors, or included on a multichip package that also contains one or more processors; as illustratively shown, in some embodiments, the NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein. In some embodiments, the NIC 120 may additionally include a local memory (not shown). In such embodiments, the local memory of the NIC 120 may be integrated into one or more components of the destination compute device 106 at the board level, socket level, chip level, and/or other levels; 0064; the control plane separation may be applied to various embodiments of any PCIe NIC, as illustratively embodiment of a PCIe NIC with control plane separation is shown in which the control plane is separated into a local processor core of the NIC 120 (e.g., one of the core(s) 122 of FIG. 1); 0066; 0067].

Regarding Claim 10,
wherein the processing unit is operative to determine the first network interface card to execute the first function based on closeness of the first network interface card to the data storage [Akeem: 0018; the one or more physical functions of the NIC 120 may be embodied as a Peripheral Component Interconnect (PCI) function that is capable of performing various operations (e.g., direct memory access (DMA) operations) and otherwise facilitating communications with the I/O subsystem 122; 0032; the NIC 120 may be embodied as part of a SoC that includes one or more processors, or included on a multichip package that also contains one or more processors; as illustratively shown, in some embodiments, the NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein. In some embodiments, the NIC 120 may additionally include a local memory (not shown). In such embodiments, the local memory of the NIC 120 may be integrated into one or more components of the destination compute device 106 at the board level, socket level, chip level, and/or other levels; 0064; the control plane separation may be applied to various embodiments of any PCIe NIC, as illustratively shown in FIGS. 6-8; referring now to FIG. 6, an illustrative embodiment of a PCIe NIC with control plane separation is shown in which

Regarding Claim 11,
wherein the first network interface card is operable to access the data from the data storage via a peripheral component interconnect express bus [Akeem: 0032; it should be further appreciated that the NIC 120 may be embodied as any type of NIC for which the data path configuration can be separated from the control plane configuration to separate physical functions (e.g., Peripheral Component Interconnect Express (PCIe) physical functions); 0018; the one or more physical functions of the NIC 120 may be embodied as a Peripheral Component Interconnect (PCI) function that is capable of performing various operations (e.g., direct memory access (DMA) operations) and otherwise facilitating communications with the I/O subsystem 122; 0048; the physical function 308 is configured to be discovered, managed, and manipulated like any other peripheral device (e.g., a PCIe device); for example, the physical function 308 may be embodied as a virtualized PCI function that is capable of performing a given functionality of the NIC 120]. 

Regarding Claim 12,
wherein the first network interface card comprises an agent, wherein the agent is operative to facilitate in creating the container comprising at least one processor of the plurality of processors [Akeem: agent == physical function 308 or physical function manager 212; 0051; the physical function 308 is illustratively shown as being physical function 308 can configure, assign, or otherwise control a physical resource of the NIC 120; as such, depending on embodiment, the NIC 120 can present multiple virtual instances of itself to multiple hosts (e.g., to a VM 302, a container, a hypervisor, a processor core, etc.); 0043; the physical function manager 212, which may be embodied as hardware, firmware, software, virtualized hardware, emulated architecture, and/or a combination thereof as discussed above, is configured to manage the initialization and configuration of the physical functions of the NIC 120].

Regarding Claim 13,
wherein the processing unit is further operative to: receive a second data traffic comprising a second request to execute a second function; determine not to execute the second function at the first network interface card; and send the second request to at least one of a second network interface card or a server associated with the first control plane separation is shown in which the control plane is separated into another host 602 configured to be associated with a control physical function; as illustratively shown, the untrusted control path controller 218 (e.g., the separated control plane) is deployed in the host (4) 602d which is associated with a control physical function that serves as a trusted physical function capable of providing curated access to configuration of the NIC 120; 0072; untrusted control path controller circuitry to manage the untrusted control path; 0062; if the host determines that the physical function is an untrusted physical function (e.g., access to configure hardware of the NIC 120 has been restricted), the method 500 branches to block 512, in which the host issues the control plane request via an untrusted control path (i.e., via a separated control plane); to do so, in block 514, the host issues the control plane request to an untrusted control path controller (e.g., the untrusted control path controller 218 of FIG. 2); depending on the embodiment, the untrusted physical function may be supplied with a mailbox to the control physical function/firmware that is in charge of its configuration, depending on the embodiment]. 

Regarding Claim 14,
wherein the processing unit being operative to determine not to execute the second function at the first network interface card comprises the processing unit is operative to determine not to execute the second function at the first network interface operations of the physical function 308, including, for example, load balancing policies, mappings of physical functions to a given port of the NIC 120, etc.; 0057; If the NIC 120 determines that the physical function is to be configured, the method 400 advances to block 404, in which the NIC 120 identifies one or more tenant parameters; the tenant parameters may include any information usable to determine how to configure the physical function, as well as a level of access/trust to be associated with the physical function]. 

Regarding Claim 15,
wherein the processing unit being operative to determine not to execute the second function at the first network interface card comprises the processing unit being operative to determine not to execute the second function at the first network interface card when a load on the first network interface card is more than a predetermined load [Akeem: 0051; physical function policies may include any information usable to instantiate, configure, or otherwise manage operations of the physical function 308, including, for example, load balancing policies; 0066; the untrusted control path controller 218 (e.g., the separated control plane) is deployed in the host (4) 602d which 
Note:
Load balancing policies apply to deployment in host (4) 602d.

Regarding Claim 16,
wherein the processing unit being operative to determine not to execute the second function at the first network interface card comprises the processing unit being operative to determine not to execute the second function at the first network interface card when a latency requirement for the second function is more than a predetermined latency value [Akeem: 0061; the host determines whether the physical function is an untrusted physical function or not; as described previously, untrusted physical functions do not have the ability to perform slow path operations (e.g., issue device resets, change the link configuration, write sensitive/device wide registers, update the device firmware, etc.), and are limited to performing fast path traffic processing operations; depending on the embodiment, the slow path operations can be abstracted through control commands executed by the internal firmware or the control physical function, which can then apply the right access control lists (ACLs) to define which commands are allowed for each physical function; 0063; an untrusted physical function starts with all accesses being trapped, after the fast-path configuration is "granted," the traps are removed and reads/writes are serviced by the appropriate hardware of the NIC 120; 0066; the untrusted control path controller 218 (e.g., the separated control plane) is deployed in the host (4) 602d which is associated with a 

Regarding Claim 17,
A non-transitory computer readable medium that stores a set of instructions, which when executed by a processor, cause the performance a method comprising: 

receiving a first request to execute a first function [Akeem: 0017; upon receipt of a network packet, the destination compute device 106, or more particularly a network interface controller (NIC) 120 of the destination compute device 106, performs one or more processing operations on at least a portion of the data associated with the received network traffic; to do so, one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]; 

determining to execute the first function at one of a plurality of network interface cards, each of the plurality of network interface cards comprising a plurality of processors [Akeem: 0032; the NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein]; 

the NIC 120 can present multiple virtual instances of itself to multiple hosts (e.g., to a VM 302, a container, a hypervisor, a processor core, etc.); 0051; the physical function policies may include any information usable to instantiate, configure, or otherwise manage operations of the physical function 308, including, for example, load balancing policies, mappings of physical functions to a given port of the NIC 120, etc; 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0067; referring now to FIG. 8, an illustrative embodiment of a PCIe NIC (e.g., with PCIe passthrough, an SR-IOV virtual device composition module (VDCM), etc.) with control plane separation is shown in which the control plane is separated into a hypervisor/container 804 that has ownership of the control plane; as illustratively shown, the physical function driver 310 can be access restricted and proxy configuration requests received from the physical function 308c, effectively neutralizing the attack surface between the physical function driver 310 and the physical functions 308 residing in a container of the NIC]; and 

executing the first function at the container [Akeem: 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.); 0017; one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing]. 

Regarding Claim 18,
wherein, the method further comprises: receiving a second request to execute a second function; and determining not to execute the second function at first network interface card [Akeem: second request to execute a second function == untrusted physical function leads to control plane request via an untrusted control path to an untrusted control path controller; 0066; referring now to FIG. 7, an illustrative embodiment of a PCIe NIC with control plane separation is shown in which the control plane is separated into another host 602 configured to be associated with a control physical function; as illustratively shown, the untrusted control path controller 218 (e.g., the separated control plane) is deployed in the host (4) 602d which is associated with a control physical function that serves as a trusted physical function capable of providing curated access to configuration of the NIC 120; 0072; untrusted an untrusted physical function (e.g., access to configure hardware of the NIC 120 has been restricted), the method 500 branches to block 512, in which the host issues the control plane request via an untrusted control path (i.e., via a separated control plane); to do so, in block 514, the host issues the control plane request to an untrusted control path controller (e.g., the untrusted control path controller 218 of FIG. 2); depending on the embodiment, the untrusted physical function may be supplied with a mailbox to the control physical function/firmware that is in charge of its configuration, depending on the embodiment]. 

Regarding Claim 19,
further comprising isolating a server associated with the first network interface card from executing the first function [Akeem: 0017; one or more physical functions of the NIC 120 (see, e.g., the physical function 308 of FIG. 3) may be configured to perform such processing; 0060; a method 500 for issuing control plane requests to a NIC (e.g., the NIC 120 of the destination compute device 106) is shown which may be executed at host of the destination compute device 106 (e.g., a VM, a hypervisor, a container, etc.)]. 

Regarding Claim 20,
wherein receiving the first request comprises receiving the first request at the first network interface card closest to data associated with execution of the first function [Akeem: 0018; the one or more physical functions of the NIC 120 may be embodied NIC 120 may include one or more processing cores 122 (i.e., processing cores local to the NIC 120); in such embodiments, the processing core(s) 122 may be capable of performing one or more of the functions described herein. In some embodiments, the NIC 120 may additionally include a local memory (not shown). In such embodiments, the local memory of the NIC 120 may be integrated into one or more components of the destination compute device 106 at the board level, socket level, chip level, and/or other levels; 0064; the control plane separation may be applied to various embodiments of any PCIe NIC, as illustratively shown in FIGS. 6-8; referring now to FIG. 6, an illustrative embodiment of a PCIe NIC with control plane separation is shown in which the control plane is separated into a local processor core of the NIC 120 (e.g., one of the core(s) 122 of FIG. 1); 0066; 0067].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Roy (US 2018/0285166) teaches that a server 126A includes multiple network interface cards and multiple processor cores to execute virtual router 142A and steers received packets among multiple processor cores [para. 0030]. Mick (US 2013/0304903) teaches that a hardware-based instruction processor can be Sridharan (US 2013/0061047) teaches that a VM 602 requests that information be offloaded from the parent partition 604 to an NIC 606 [para. 0117].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD A WAQAS whose telephone number is (571)270-5642.  The examiner can normally be reached on 8:30 - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Asad M Nawaz can be reached on (571) 272-3988.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 


SAAD A. WAQAS
Primary Examiner
Art Unit 2468