Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the claims filed 10/23/2019.  Claims 1-20 are pending with claims 1 (a method), 8 (a non-transitory CRM), and 15 (a machine) being independent.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7 of U.S. Patent No. 10,476,850. Although the claims at issue are not identical, they are not patentably distinct from each other because the presently presented claims 1-20 are anticipated by claims 1-7 of ‘850.
Presently presented claim 1
Claim 1 of ‘850
storing, at the first host machine, a key policy exclusively for communication of certain one or more types of packets 



a single key policy exclusively for communication of unknown unicast (UU) packets
the key policy is different from one or more other key policies used by the first host machine for communication of packets other than the certain one or more types of packets to one or more host machines of the plurality of host machines;
the key policy is different from one or more other key policies used by the first host machine for communication of packets other than UU packets to one or more host machines of the plurality of host machines
receiving, at the virtual switch, a packet of the certain one or more types of packets on a logical overlay layer 2 network, wherein a destination MAC address of the packet is not included in the forwarding table of the virtual switch; (this is a description of what a UU packet is)
receiving, at a virtual switch on the first host machine, a UU packet on a logical overlay layer 2 network;

negotiating a session key with a second host machine using the key policy;
encrypting the packet using the session key; and
encrypting the UU packet using the session key;
transmitting the encrypted packet to the second host machine.
transmitting the encrypted UU packet to the second host machine.


Independent claims 8 and 15 are similar to claim 1 and rejected as anticipated by claim 1 of ‘850 for the reasons set forth above.	As to claims 2, 9, and 16, see claim 2 of ‘850.
As to claims 3, 10, and 17, see claim 3 of ‘850.
As to claims 4, 11, and 18, see claim 4 of ‘850.
As to claims 5, 12, and 19, see claim 5 of ‘850.
As to claims 6, 13, and 20, see claim 6 of ‘850.
As to claims 7, 14, see claim 7 of ‘850.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8-12, and 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Batke et al., US 7,536,548 (filed 2002-06), in view of Tessmer et al., US 2015/0280928 (published 2015-10).

As to claims 1, 8, and 15, Batke discloses a method/CRM/machine comprising:
(as to the non-transitory medium of claim 8 and the processor/memory of claim 15: “The user programs are stored in memory and generally executed by the PLC in a sequential manner” Batke col. 1, ln. 36)
storing, at the first host machine (“policy modules 224 and 226, retrieve IPSEC policy (illustrated below in FIG. 4) from a local memory, directory domain, a configured set of local policies, or from a local cache.” Batke col. 6, ln. 63.), a key policy (“IPSEC rules are the part of the policy data that is employed to associate IKE negotiation parameters with one or more filters.” Batke col. 7, ln. 45) exclusively for communication of certain one or more types of packets (“Filter Action—Includes the type of action to take (permit, block, or secure) for packets matching the filter list. For the secure action, the negotiation data contains one or more security methods that are employed in order of preference during IKE negotiations and other IPSEC behavior settings…. Tunnel Endpoint” Batke col. 7, ln. 54 through col. 8, ln. 2. The policy is the 
“filter”) with a group of host machines within a network, wherein: (e.g. Batke Figures 1 and 6, multiple VPN/tunnels)
…
the key policy is different from one or more other key policies used by the first host machine for communication of packets other than the certain one or more types of 
	…
negotiating a session key with a second host machine using the key policy; (“The IKE modules 220, 222 generate session keys for both the inbound and outbound IPSEC SAs based on the Main Mode shared master key and nonce material exchanged during the Quick Mode negotiations. Additionally, Diffie-Heliman key exchange material can also be exchanged and utilized to enhance the cryptographic strength of the IPSEC session key.” Batke col. 10, ln. 52.  See generally Batke cols. 9 and 10 describing how IKE negotiation is performed.)
encrypting the packet using the session key; and (“After an SA has been established, the IKE modules 220, 222 send the SA and the shared encryption key to the IPSEC Drivers 230, 232 for use in protecting network traffic.” Batke col. 9, ln. 18)
transmitting the encrypted packet to the second host machine. (“one or more of the encryption and/or tunneling protocols described above (e.g., IPSEC, SSL, PPP) are employed to encrypt or encapsulate a plurality of control protocols illustrated at 760 that may also interact with a controller (not shown) via a network at 770.” Batke col. 13, ln. 18)

Batke does not disclose:

receiving, at the virtual switch, a packet of the certain one or more types of packets on a logical overlay layer 2 network, wherein a destination MAC address of the packet is not included in the forwarding table of the virtual switch; 

Tessmer discloses:
one or more destination media access control (MAC) addresses of the one or more certain types of packets are not included in a forwarding table of a virtual switch (“A host machine operating one or more VMs connected to (i.e., having link layer or L2 connectivity with) an overlay logical network or logical switch functions as a tunneling endpoint of that overlay logical network, and in the case of VXLAN tunnels this functionality is referred to as VXLAN Tunneling End Point (VTEP).” Tessmer ¶ 34. See Applicant’s specification ¶ 15) 
on the first host machine;  (“FIG. 10 conceptually illustrates a process 1000 performed by a host machine when BUM traffic comes from a VM of its host machine. The process 1000 starts when it receives (at 1010) a packet from the VM. The process then determines (at 1020) whether the destination MAC address of the packet is BUM traffic. Namely, the process examines the destination MAC address to see if it's for broadcast (e.g., ffffffffffff), a known multicast MAC address, or an unknown unicast address that requires flooding to all endpoints in the logical switch.” Tessmer ¶¶ 
receiving, at the virtual switch, a packet of the certain one or more types of packets on a logical overlay layer 2 network, wherein a destination MAC address of the packet is not included in the forwarding table of the virtual switch; (“FIG. 10 conceptually illustrates a process 1000 performed by a host machine when BUM traffic comes from a VM of its host machine.” Tessmer ¶ 92. BUM traffic does not have a destination MAC address that the switch knows.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Batke with Tessmer by utilizing the IPsec tunnel profile and filter rules of Batke for the multicast group tunnels of Tessmer.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Batke with Tessmer in order to bridge physical networks utilizing a logical network and accommodate BUM traffic in said logical network (Tessmer ¶¶ 31 and 49); thereby allowing networked applications at different physical locations to interoperate as though they were on a single contiguous network (e.g. Tessmer ¶ 31).  In other words, allowing the network application to communicate between its various nodes without concern for NAT traversal or other incompatible networking topologies/protocols.

As to claims 2, 9, and 16, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, and further discloses:
FIG. 10 conceptually illustrates a process 1000 performed by a host machine when BUM traffic comes from a VM of its host machine. 
The process 1000 starts when it receives (at 1010) a packet from the VM. The process then determines (at 1020) whether the destination MAC address of the packet is BUM traffic. Namely, the process examines the destination MAC address to see if it's for broadcast (e.g., ffffffffffff), a known multicast MAC address, or an unknown unicast address that requires flooding to all endpoints in the logical switch.” Tessmer ¶¶ 92-93.)


As to claims 3, 10, and 17, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, and further discloses:
wherein the packet is an unknown unicast (UU) packet, and wherein the method further comprises: (“FIG. 10 conceptually illustrates a process 1000 performed by a host machine when BUM traffic comes from a VM of its host machine. 
The process 1000 starts when it receives (at 1010) a packet from the VM. The process then determines (at 1020) whether the destination MAC address of the packet is BUM traffic. Namely, the process examines the destination MAC address to see if it's for broadcast (e.g., ffffffffffff), a known multicast MAC address, or an unknown unicast address that requires flooding to all endpoints in the logical switch.” Tessmer ¶¶ 92-93)

…
PSEC SAs based on the Main Mode shared master key and nonce material exchanged during the Quick Mode negotiations. Additionally, Diffie-Heliman key exchange material can also be exchanged and utilized to enhance the cryptographic strength of the IPSEC session key.” Batke col. 10, ln. 52)
encrypting each replicated UU packet with a different session key from the number of session keys; and (“After an SA has been established, the IKE modules 220, 222 send the SA and the shared encryption key to the IPSEC Drivers 230, 232 for use in protecting network traffic.” Batke col. 9, ln. 18. Each tunnel/endpoint has its own session keys.)
transmitting each encrypted UU packet (“an unknown unicast address that requires flooding to all endpoints in the logical switch.” Tessmer ¶¶ 92-93) to a host machine corresponding to the different session key. (“After an SA has been established, the IKE modules 220, 222 send the SA and the shared encryption key to the IPSEC or use in protecting network traffic.” Batke col. 9, ln. 18. Each tunnel has its own negotiated keys.)

Batke in view of Tessmer, as combined in claim 1, does not disclose:
replicating the UU packet for transmission to a number of host machines from the group of host machines;

Tessmer further discloses:
replicating the UU packet for transmission to a number of host machines from the group of host machines; (“FIG. 8 illustrates using PTEPs and MTEPs to perform replication for BUM traffic originates from a ToR…. ToR 721 tunnels the traffic as unicast to the PTEP 713 (PTEP of VXLAN400) by using its tunneling IP 1.1.2.3. The PTEP 713 in operation ‘2’ replicates the BUM traffic and tunnels the replicated traffic as unicast to the ToR 722 (by using its tunneling IP 2.1.3.1)” Tessmer ¶ 81. See also ¶¶ 82-84 discussing “replication” to multiple different tunnels.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Batke in view of Tessmer with Tessmer by performing BUM traffic replication over a plurality of multicast group tunnels.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Batke in view of Tessmer with Tessmer in order to bridge physical networks utilizing a logical network and accommodate BUM traffic in said logical network (Tessmer ¶¶ 31 and 49); thereby allowing networked 

As to claims 4, 11, and 18, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, and further discloses:
wherein the key policy includes information corresponding to a master key, and wherein the session key is generated based on the master key. (“The IKE modules 220, 222 generate session keys for both the inbound and outbound IPSEC SAs based on the Main Mode shared master key and nonce material exchanged during the Quick Mode negotiations. Additionally, Diffie-Heliman key exchange material can also be exchanged and utilized to enhance the cryptographic strength of the IPSEC session key.” Batke col. 10, ln. 52.  See generally Batke cols. 9 and 10 describing how IKE negotiation is performed.)

As to claims 5, 12, and 19, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, but does not disclose:
wherein the key policy includes a flag for use by the group of host machines to identify the key policy for exclusively communicating the certain one or more types of packets.

Tessmer further discloses:
multicast group to handle broadcast, unknown unicast, or multicast (BUM) traffic within the overlay logical network, where a multicast group is defined to encompass the recipients of the BUM traffic within the overlay logical network.” Tessmer ¶ 49. The Flag being the definition of the multicast group.  See also Tessmer ¶¶ 62 and 123).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Batke in view of Tessmer with Tessmer by performing BUM traffic replication over a plurality of multicast group tunnels and including the multicast group definition data in the policy of Batke.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Batke in view of Tessmer with Tessmer in order to bridge physical networks utilizing a logical network and accommodate BUM traffic in said logical network (Tessmer ¶¶ 31 and 49); thereby allowing networked applications at different physical locations to interoperate as though they were on a single contiguous network (e.g. Tessmer ¶ 31).  In other words, allowing the network application to communicate between its various nodes without concern for NAT traversal or other incompatible networking topologies/protocols (Tessmer ¶ 5, accommodating nodes that cannot join a multicast group).


Claims 6, 7, 13, 14, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Batke et al., US 7,536,548 (filed 2002-06), in view of Tessmer et al., US 2015/0280928 (published 2015-10), and Thota et al., US 2015/0379282 (published 2015-12).

As to claims 6, 13, and 20, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, but does not disclose:
wherein the key policy is transmitted by a central controller to all host machines in the group of host machines.

Thota discloses: 
wherein the key policy is transmitted by a central controller to all host machines in the group of host machines.
(“From the encryption rule data store 425, any newly stored encryption rule gets published by the encryption rule publisher 454 to the encryption rule data store(s) 250 of any encryptor/decryptor that has to enforce the rule” Thota ¶ 139. See also ¶ 75)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Batke in view of Tessmer by including the rule publisher of Thota to distribute the policies/filters of Batke col. 6, ln. 63.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Batke in view of Tessmer with Thota in order to allow the 

As to claims 7 and 14, Batke in view of Tessmer discloses a method/CRM/machine of claims 1, 8, and 15, but does not disclose:
wherein the key policy is generated automatically by a manager entity.

Thota discloses: 
wherein the key policy is generated automatically by a manager entity.
(“When the processor 450 determines that it should specify an encryption rule for a received event, the processor 450 checks the agent's encryption rule data store 425 to determine whether it already contains this rule. If not, the processor 450 specifies the encryption rule and stores this rule in the data store 425.” Thota ¶ 72. Note that the rule is then published to the various entities as seen in Thota ¶¶ 75 and 139)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Batke in view of Tessmer by including the rule publisher of Thota to distribute the policies/filters of Batke col. 6, ln. 63.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Batke in view of Tessmer with Thota in order to allow the network to reconfigure itself to protect from malware or other threats, Thota ¶¶ 52 and 53.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Ravinutala et al., US 2016/0381015, discloses VTEP multicast groups and unknown unicast authentication packet processing.
Vorunganti et al., US 2011/0158248, discloses traffic thresholds for dropping bum traffic to avoid network congestion.
Swander et al., US 2004/0243853, discloses IPSec policies and filters for specifying whether to encrypt, allow, or drop packets.  Encryption involving deriving a session key from a master key.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 






/MICHAEL W CHAO/           Examiner, Art Unit 2492