DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office action is in response to applicant’s amendment, filed 18 November 2020, in the application filed, with the above serial number, on 26 December 2017, in which claims 1, 6, 9-10, 15, 18-19 have been amended, claims 21-23 are added, and claims 4-5, 13-14, 20 are cancelled. Claims 1-3, 6-12, 15-19, and 21-23 are pending in the application.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 9-11, 18-19, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beliveau et al (hereinafter “Beliveau”, 2015/0124815) in view of Govindarajan et al (hereinafter “Govindarajan”, 20060095961).
As per Claim 1, Beliveau discloses a method comprising:
instructing, by a cloud-based service, one or more networking devices in a local area network (LAN) to form a virtual network overlay in the LAN that redirects traffic associated with a particular node in the LAN to a first isolation application instance 
receiving, at the first isolation application instance hosted by the cloud-based service, the redirected traffic associated with the particular node (at least paragraph 38-48; flow switch receiving packet for flow); 
determining, by the first isolation application instance hosted by the cloud-based service and based in part on characteristics of the particular node, a routing path for the traffic that comprises one or more other isolation application instances hosted by the cloud-based service (at least paragraph 44-48; flow switch identifying service chain/path for a particular packet flow), wherein one of the characteristics of the particular node comprise device identifier information of the particular node indicative of an identity of the particular node (at least paragraph 52-54; eg. microflow table w/ 5-tuple including destination IP address and destination port; subscriber identity (…destination IP address in the downstream); par. 84: destination MAC address);
tagging, by the first isolation application instance hosted by the cloud-based service, the traffic to indicate the determined routing path (at least paragraph 44-48; tag representing that path can be inserted in packet for flow); and 
forwarding, by the first isolation application instance hosted by the cloud-based service, the tagged traffic to a second isolation application instance along the 
wherein two or more of the other isolation application instances are associated with chained micro-services that perform operations on the tagged traffic (at least paragraph 44-45; service chain for tagged flow of packets); and
sharing, by the service, results of the operations between the two or more other isolation application instances (at least paragraph 46, 81; inline services in chain where eg. next service in chain having information regarding last service that has been applied to packet).
Beliveau fails to explicitly disclose wherein the first isolation application instance prevents access to the particular node to protect the particular node from external potential threats outside of the LAN. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Govindarajan. Govindarajan discloses, in an analogous art, attack traffic may be identified through host/platform intrusion detection/tolerant systems, such that identified anomalous traffic may be routed to an Intrusion Detection System (IDS) in an isolated subnet and traffic in the subnet may be prevented from reaching other machines in the network (at least paragraph 11-13). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Govindarajan’s isolation of machines with Beliveau as Govindarajan teaches 
As per Claim 2. The method as in claim 1, wherein determining the routing path for the traffic comprises: retrieving, by the first isolation application instance, the characteristics of the particular node from a database of device characteristics (at least paragraph 53; eg. microflow table w/ 5-tuple).
As per Claim 9. The method as in claim 1, further comprising: extracting, by the service, a query from the traffic associated with the particular node; and identifying, by the service, a second node in the LAN based on the query, wherein at least one isolation application instance in the determined routing path is associated with the identified second node (at least paragraph 44-46; each hop identifying next service (second node) and next hop in inline service chain from packet).
Claims 10-11, 18-19, 21 do not, in substance, add or define any additional limitations over claims 1-2, 9 and therefore are rejected for similar reasons, supra. Claims 10-11, 18 are corresponding apparatus claims to method claims 1-2, 9, and claims 19, 21 are corresponding non-transitory computer readable medium claims to method claims 1-2.

Claims 3, 12, 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beliveau in view of Govindarajan, further in view of Chauvet et al (hereinafter “Chauvet”, 2018/0024537).
Beliveau fails to explicitly disclose wherein the particular node comprises a sensor, the traffic comprises a sensor reading, and at least one of the other isolation application instances is associated with a virtual programmable logic controller. Chauvet. Chauvet discloses, in an analogous software defined networking art, creating a virtual PLC by moving an application running in a PLC to a server where the devices sending traffic to the virtual PLC include sensors (at least paragraph 54). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Chauvet’s functionality with Beliveau as Chauvet teaches such being well known SDA (software defined automation) (using an SDN) (par. 42, 46) that simplifies deployment and configuration of automation applications and functions (par. 54-56), and using PLCs in automation networks that include sensors is an obvious use case for Beliveau’s system.

Claims 6, 15, 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beliveau in view of Govindarajan, further in view of Rao (hereinafter “Rao”, 2018/0145899).
Beliveau fails to disclose wherein determining the routing path for the traffic comprises: computing, by the service, a directed acyclic graph of isolation application instances for chained micro-services that perform operations on the tagged traffic. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Rao. Rao teaches, in an analogous service chain art, using a directed acyclic graph (DAG) (at least paragraph 98, 128-130). Therefore, it would have been Rao’s DAG with Beliveau as Rao teaches DAGs being well known and preferred for representing visibility fabrics because loops are bad for networks (e.g., traffic may continually be pushed around while consuming bandwidth). Rao teaches network solutions can be more easily designed and built using the DAG, a DAG providing network visibility that makes use of action sets, so that service chains can be readily created, destroyed, and modified on demand, making network management and application replacement/upgrade easier.

Claims 7-8, 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Beliveau in view of Govindarajan, further in view of Guo et al (hereinafter “Guo”, 2014/0204759).
As per Claims 7, 16. Beliveau teaches each node in the inline service chain determining the next destination, whether the destination is local or remote (at least paragraph 56), but fails to disclose wherein the traffic is tagged with Routing Protocol for Low-Power and Lossy Network (RPL) source routing information, the method further comprising: forwarding, by one of the isolation application instances in the routing path, the traffic to a second node in the LAN using the RPL source routing information, wherein the forwarding isolation application instance is associated with the second node. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Guo. Guo teaches, in an analogous art, using RPL in low-power and lossy networks (at least paragraph 2-5). Therefore, it would have been Guo’s RPL with Beliveau as Guo teaches it being a well-known IETF sanctioned IPv6 routing protocol for low power and lossy networks to define and discover routing paths while allowing load balancing (par. 2-4; Beliveau par. 54).
As per Claims 8, 17. The method as in claim 7 and apparatus as in claim 16, further comprising:
installing a shortcut path between the particular node and the second node in the LAN, the shortcut path allowing certain traffic from the particular node to bypass the first isolation application instance hosted by the service (Guo par. 2-4; Beliveau par. 54, 43; eg. firewall service); and
instructing, by the service, the one or more networking devices in the LAN to forward the certain traffic associated with the particular node to the second node via the shortcut path (Guo par. 2-4; Beliveau par. 54, 43; eg. firewall service).

Response to Arguments
Applicant's arguments filed 18 November 2020 have been fully considered but they are not persuasive.
Applicant argues that the prior art does not teach the amended limitations of claim 1 that are incorporated from prior claims 4-5, including:
wherein two or more of the other isolation application instances are associated with chained micro-services that perform operations on the tagged traffic; and
sharing, by the service, results of the operations between the two or more other isolation application instances.
Applicant argues on p. 12 that ‘techniques herein allow for new forms of routing that can take into account not only the contents of a packet, but also additional information such as application-level information and/or contextual information about the sending node’. And ‘Notably, contextual information about an isolated node may be used as part of the routing decision, allowing different connections to be established automatically and on the fly. Tagging of packets with application layer information may 
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., new forms of routing that can take into account not only the contents of a packet, but also additional information such as application-level information and/or contextual information about the sending node) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). While these features ‘may also be performed’, the claims do not recite such features.
Applicant argues that Beliveau, in particular, does not teach operations being shared between “two or more other isolation application instances” as any sharing in Beliveau is between one node to a next node in a path, not two different nodes. However, the Examiner is not clear on a distinction between the two shares.
The specification briefly describes the limitation in par. 103-115, ‘it may be beneficial in some situations to share results between micro-services and/or different applications.’ It is not clear what such results entail, but the description describes that ‘Cache the result of micro-service operations that were already run on the packet, to save common processing.’ and ‘the cached results can be used for subsequent calls. In some embodiments, this cache may be stored with the packet as a tag by chaining micro-service 708a.’ Thus, as best understood by the Examiner, the results are the result of the operation the micro-service performs on the packet, and could even be results that are passed on to the next service and so on to finish the chain of services on the packet to be delivered to the destination. Thereby the first service’s operation results are shared with the second service, and first and second service’s operation results are shared with the third service and so on.
Claim 1 recites this as ‘sharing…results of the operations between the two or more other isolation application instances’. As broadly claimed, the plural operations, according to antecedent basis, of each micro-service are being shared with the other instances in some manner, whether individually as Applicant appears to suggest in the underlined argument, or collectively as outlined in the description and described above. However, the sharing argued in the underlined argument suggests the sharing from one-to-two or more different nodes would be a micro-service tree as described in par. 110 of the application, whereas the claim claims chained micro-services, a one-to-one-to-one structure, results being passed from one to the next to the next and so on.
Beliveau teaches the claimed limitations where packets are sent over the network along a service chain to a next inline service hop for a next service, and a tagged flow of packets has a service chain performed on the flow, such that, for inline services in the chain, a next service in the chain has the packet from the prior service’s operations and information regarding the last service that has been applied to the packet (at least paragraph 44-48, 81). Beliveau additionally describes that, with a large number of services, the system also supports service ordering (par. 85), such that it is clear that a second service performed on a packet needs the results of the first service first acting on the packet, a third service performed on the packet needs the results of the first and second service acting on the packet, etc.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY G TODD whose telephone number is (303)297-4763.  The examiner can normally be reached on 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571)272-3889.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/GREGORY G TODD/Primary Examiner, Art Unit 2457