Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/15/2021 has been entered.

Title
The amendments to the title of the invention filed on 02/08/2021 is descriptive and therefore reviewed and accepted.  


Response to Arguments
In response to communication filed on 02/08/2021, applicant amends claims 1 and 12.  The following claims, 1-21 are presented for examination.   


3.1	Applicant’s arguments, pages 8-10, filed 02/08/2021, with respect to the rejection of claims 1-21 have been fully considered, but they are not persuasive.  
Applicant argues (1) Bransi is silent about the tunnel origination endpoint 100 and tunnel termination endpoint 105 being coupled to a plurality of devices or adjusting the transmit sizes of these devices to perform bridging services. Bransi does describe its system possibly being connected to many devices but it is not required leaving an indication its system works best as a single device.  Bransi provides no teachings of adjusting the transmit size of a number of devices at a tunnel endpoint.  Therefore, Bransi fails to teach or suggest “a plurality of devices are coupled to the second network interface,” and “a transmit size of each of the plurality of devices are adjusted to bridge the encrypted network traffic at the first network interface to the different network encryption at the second network interface,” as recited in independent claim 1.

In response to applicant’s arguments, (1) Bransi et al. teaches “any device along the path whose MTU is smaller than the packet will drop the packet, and send back an Internet Control Message Protocol (ICMP) "Fragmentation Needed" message containing the device's MTU, allowing the source host to reduce its path MTU appropriately, 0003”, “Network device 100 determines the path MTU by iteratively changing the size that can be sent from the tunnel origination endpoint 100 to the tunnel termination endpoint 105 without fragmentation … the tunnel termination endpoint 105 modifies a MTU field of the keep-alive packet to indicate the size of the first packet fragment, and sends the modified keep-alive packet back to the tunnel origination 



Upon further consideration, the rejection of claims 1-21 is set forth below.  



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Roy et al. (US2017/0048143 A1, publish date 02/16/2017) in view of Bransi et al. (US 2011/0103399 A1, publish date 05/05/2011).  

Claim 1:
With respect to claim 1, Roy et al. discloses a network security apparatus (gateway 220 can include a computer/CPU 222 capable of being configured to perform various tasks in connection with the various hardware components attached thereto, Figures 2 and 3), comprising:
a memory configured to store an address lookup table (gateway 320 also maintains and EVC table 332 which stores information pertaining to the specific EVC assigned to transmit the encapsulated layer-2 packet, 0035, Figure 3, 332);
a first network interface (the gateway 220 can further include an interface 224 which provides a physical connection to external networks such as the Internet, or the illustrated service provider network 240, 0024) (Figure 2, 224) (interface 328a, 0029, Figure 3), wherein a plurality of devices are coupled to the first network interface (two customer premise equipment or devices 242a, 242b, 0025, Figure 2, 242a, 242b);
a second network interface (can allow for interaction with different and/or multiple networks that can be public, private, or both, 0024) (multiple interfaces can be provided, interface 224 can be in the form of a physical connection point, router, switch, etc 0026) (interface 328ba, 0029, Figure 3); and
a processor operatively coupled to the memory, the first network interface, and the second interface (CPU 322, Figure 3, processor, 1003, Figure 10, 1103 Figure 11), the processor being configured to:
receive a first address resolution message at the first network interface (Figure 5, 510), 
transmit a second address resolution message at the second network interface (Figure 5, 530, 540) (the gateway 320 can broadcast an ARP message requesting the MAC address associated with the IP address, and wait for a response which identifies the correct MAC address, Once received, for example, the ARP cache 334 is updated to associate the MAC address received with the corresponding IP address, 0031); 
populate the address lookup table based on a response to the second address resolution message received at the second network interface (the gateway 320 can maintain and address resolution processing (ARP) cache 334 which maintains tables that identify the medium access control (MAC) addresses associated with corresponding IP network address, packets are transmitted and received by the gateway 320, the ARP cache 334 is examined in order to determine whether a MAC address has already been determined for a particular IP address.  If the IP address has already been resolved, then the MAC address stored in the ARP 334 cache is utilized.  Otherwise, the gateway 320 can perform the necessary steps and processes for determining the MAC address, ARP cache 334 is updated to associate the MAC address received with the corresponding IP address, 0030-0031) (gateway 320 also maintains and EVC table 332 which stores information pertaining to the specific EVC assigned to transmit the encapsulated layer-2 packet, traffic classes associated with received layer-2 packets can be maintained by mapping to a corresponding backbone 342, by reviewing the priority bits contained in the VLAN field of the layer-2 packet header, the priority class can be determined and mapped to the appropriate EVC backbone 342, thereby maintaining the original QoS for the packet, 0035-0036), and
bridge encrypted network traffic at the first network interface to a different network encryption at the second network interface (establishing a point-to-point Ethernet Virtual Circuit (EVC) to deliver carrier Ethernet between two network interfaces, 0003) (Prior to transmission over the satellite network, the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, The resulting encapsulated layer-2 packet 530 consists of the compressed IPv6 header, the layer-2 context ID, and the original layer-2 payload0033-0034), the processor is configured to reduce a payload size of messages received at the second network interface (If a single tag is supplied, however, then the length of the layer-2 header is reduced by 4 bytes to 18 bytes, 0032) (the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, 0034).

Roy et al. does not disclose wherein when a first payload size at the second network interface is greater than a second payload size at the first network interface, the processor is configured to transmit a message at the second network interface to reduce the payload size of messages received at the second network interface by adjusting a transmit size for each of the plurality of devices coupled to the first network interface as claimed.

However, Bransi et al. teaches Path MTU discovery (PMTUD) is a technique in computer networking for determining the maximum transmission unit (MTU) size on a network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP packet fragmentation (0002), wherein when a first payload size at the second network interface is greater than a second payload size at the first network interface, the processor is configured to transmit a message at the second network interface to reduce the payload size of messages received at the second network interface (any device along the path whose MTU is smaller than the packet will drop the packet, and send back an Internet Control Message Protocol (ICMP) "Fragmentation Needed" message containing the device's MTU, allowing the source host to reduce its path MTU appropriately, 0003) by adjusting a transmit size for each of the plurality of devices (Network device 100 determines the path MTU by iteratively changing the size that can be sent from the tunnel origination endpoint 100 to the tunnel termination endpoint 105 without fragmentation, 0035) (the tunnel termination endpoint 105 modifies a MTU field of the keep-alive packet to indicate the size of the first packet fragment, and sends the modified keep-alive packet back to the tunnel origination endpoint 100. 0036) coupled to the first network interface (a computing environment including various peripherals such as input devices, output devices, displays, pointing devices, memories, storage devices, media interfaces for transferring data to and from the processor(s), 0023) (computer system 700 suitable for implementing aspects of the present invention, many devices connected, 0051, Figure 7).

Roy et al. and Bransi et al. are analogous art because they are from the same field of endeavor of Ethernet networks.  

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Bransi et al. in Roy et al. for wherein when a first payload size at the second network interface is greater than a second payload size at the first network interface, the processor is configured to transmit a message at the second network interface to reduce the payload size of messages received at the second network interface by adjusting a transmit size for each of the plurality of devices coupled to the first network interface as claimed for purposes of enhancing the Ethernet-based networks of Roy et al. by determining the maximum transmission unit (MTU) size on a network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP packet fragmentation (see Bransi et al. 0002).

Claims 2, 17:
With respect to claims 2, 17, Roy et al. discloses wherein the processor is configured to receive an encrypted message at the first network interface, decrypt the encrypted message, and transmit a message based on the decrypted message at the second network interface (The terminals 250 perform appropriate processing of revived packets to identify and forward conventional layer-3 packets, while also processing encapsulated layer-2 packets so that the original layer-2 packets are reconstructed and forwarded to the appropriate customer devices 260, 0028) (the layer-2 module 466 is configured to decompress the IPv6 header and examine the layer-2 context ID in order to regenerate the original layer-2 packet.  Referring additionally to FIG. 5, the reconstructed layer-2 packet 540 is identical to the original layer-2 packet 510 received at the gateway 320, 0038).

Claim 3:
With respect to claim 3, Roy et al. discloses wherein the processor is configured to set a destination address of the encrypted message to a medium access control (MAC) address stored in the address lookup table (the gateway 320 can maintain and address resolution processing (ARP) cache 334 which maintains tables that identify the medium access control (MAC) addresses associated with corresponding IP network address, packets are transmitted and received by the gateway 320, the ARP cache 334 is examined in order to determine whether a MAC address has already been determined for a particular IP address.  If the IP address has already been resolved, then the MAC address stored in the ARP 334 cache is utilized.  Otherwise, the gateway 320 can perform the necessary steps and processes for determining the MAC address, ARP cache 334 is updated to associate the MAC address received with the corresponding IP address, 0030-0031)

Claims 4, 19:
With respect to claims 4, 19, Roy et al. discloses wherein the processor is configured to receive a message at the second network interface, encrypt the message, and transmit the encrypted message at the first network interface (the format of a conventional layer-2 packet 510: The header of the layer-2 packet 510 received by 
the layer-2 module 324 includes fields for a destination MAC address, source 
MAC address, VLAN tag, ether type, and layer-2 payload encapsulated layer-2 packet 530 consists of the compressed IPv6 header, the layer-2 context ID, and the original layer-2 payload, the reconstructed layer-2 packet 540 is identical to the original layer-2 packet 510 received at the gateway 320, 0032-0034, 0038, Figure 5).

Claims 5, 20:
With respect to claims 5, 20, Roy et al. discloses wherein the processor is configured to set a source address of the encrypted message to a MAC address associated with the first network interface (Source MAC address, On the return link, the source and destination MAC addresses are reversed, 0032, Figure 5).

Claims 6, 21:
With respect to claims 6, 21, Roy et al. discloses wherein the first network interface includes an IEEE 802.1ae interface, and the second network interface includes an IEEE 802.3 interface or VLAN encryption (the VLAN field can include a double tag in accordance with 802.1ad or a single tag in accordance with 802.1q, 032)

Claim 7:
With respect to claim 7, Roy et al. discloses wherein the address resolution message includes an Address Resolution Protocol (ARP) message (the gateway 320 can broadcast an ARP message, 0031).

Claims 8, 13:
With respect to claims 8, 13, Roy et al. discloses wherein the processor is configured to transmit a message at the second network interface to reduce a payload size of messages received at the second network interface (If a single tag is supplied, however, then the length of the layer-2 header is reduced by 4 bytes to 18 bytes, 0032) (the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, 0034).


Claims 9, 14:
With respect to claims 9, 14, Roy et al. discloses wherein the message to reduce the payload size includes at least one of an Internet Control Message Protocol Fragmentation Needed message, and an ICMPv6 Packet Too Big message (the layer-2 packet 510 and generates an IP header for subsequent encapsulation of the layer-2 payload, the IP header can be in the form of an IPv6 header, the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, robust header compression (ROHC) can be applied to reduce the length of the IPv6 header, 0033-0034).

Claims 10, 15:
With respect to claims 10, 15, Roy et al. discloses wherein the processor is configured to utilize a Link Layer Discovery Protocol message at the first network interface to enable an Ethernet jumbo frame size (Ethernet-based networks but can also be delivered over the data link layer (or layer-2) of the OSI reference model, 0003) (delivering link layer (layer-2) services over network layer (layer-3), 0021) (forward link, return link, 0050).

Claims 11, 16:
With respect to claims 11, 16, Roy et al. discloses wherein the first network interface includes encryption, and the second network interface includes clear text (The terminals 250 perform appropriate processing of revived packets to identify and forward conventional layer-3 packets, while also processing encapsulated layer-2 packets so that the original layer-2 packets are reconstructed and forwarded to the appropriate customer devices 260, 0028) (the layer-2 module 466 is configured to decompress the IPv6 header and examine the layer-2 context ID in order to regenerate the original layer-2 packet.  Referring additionally to FIG. 5, the reconstructed layer-2 packet 540 is identical to the original layer-2 packet 510 received at the gateway 320, 0038).

Claim 12:
With respect to claim 12, Roy et al. discloses a network security apparatus (gateway 220 can include a computer/CPU 222 capable of being configured to perform various tasks in connection with the various hardware components attached thereto, Figures 2 and 3), comprising:
a memory configured to store an address lookup table (gateway 320 also maintains and EVC table 332 which stores information pertaining to the specific EVC assigned to transmit the encapsulated layer-2 packet, 0035, Figure 3, 332);
a first network interface (the gateway 220 can further include an interface 224 which provides a physical connection to external networks such as the Internet, or the illustrated service provider network 240, 0024) (interface 328a, 0029, Figure 3),
wherein a plurality of devices are coupled to the first network interface (two customer premise equipment or devices 242a, 242b, 0025, Figure 2, 242a, 242b);
a second network interface (can allow for interaction with different and/or multiple networks that can be public, private, or both, 0024) (multiple interfaces can be provided, interface 224 can be in the form of a physical connection point, router, switch, etc 0026) (interface 328ba, 0029, Figure 3); and
a processor operatively coupled to the memory, the first network interface, and the second interface (CPU 322, Figure 3, processor, 1003, Figure 10, 1103 Figure 11),  the processor being configured to:
bridge encrypted network traffic at the first network interface to a different network encryption at the second network interface (establishing a point-to-point Ethernet Virtual Circuit (EVC) to deliver carrier Ethernet between two network interfaces, 0003) (Prior to transmission over the satellite network, the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, The resulting encapsulated layer-2 packet 530 consists of the compressed IPv6 header, the layer-2 context ID, and the original layer-2 payload0033-0034), and
control a transmit size of messages received at the second network interface (If a single tag is supplied, however, then the length of the layer-2 header is reduced by 4 bytes to 18 bytes, 0032) (the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, 0034) (applies a compression algorithm to the IPv6 header in order to reduce its length, robust header compression (ROHC) can be applied to reduce the length of the IPv6 header, 0033-0034), to reduce a payload size of messages received at the second network interface (If a single tag is supplied, however, then the length of the layer-2 header is reduced by 4 bytes to 18 bytes, 0032) (the layer-3 module 326 applies a compression algorithm to the IPv6 header in order to reduce its length, 0034).

Roy et al. does not disclose determining is a first payload size at the second network interface is greater than a second payload size at the first network interface, transmitting a message at the second network interface to reduce the payload size of messages received at the second network interface by adjusting a transmit size for each of the plurality of devices coupled to the first network interface as claimed.

However, Bransi et al. teaches Path MTU discovery (PMTUD) is a technique in computer networking for determining the maximum transmission unit (MTU) size on a network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP packet fragmentation (0002), determining is a first payload size at the second network interface is greater than a second payload size at the first network interface, transmitting a message at the second network interface to reduce the payload size of messages received at the second network interface (any device along the path whose MTU is smaller than the packet will drop the packet, and send back an Internet Control Message Protocol (ICMP) "Fragmentation Needed" message containing the device's MTU, allowing the source host to reduce its path MTU appropriately, 0003) by adjusting a transmit size for each of the plurality of devices (Network device 100 determines the path MTU by iteratively changing the size that can be sent from the tunnel origination endpoint 100 to the tunnel termination endpoint 105 without fragmentation, 0035) (the tunnel termination endpoint 105 modifies a MTU field of the keep-alive packet to indicate the size of the first packet fragment, and sends the modified keep-alive packet back to the tunnel origination endpoint 100. 0036) coupled to the first network interface (a computing environment including various peripherals such as input devices, output devices, displays, pointing devices, memories, storage devices, media interfaces for transferring data to and from the processor(s), 0023) (computer system 700 suitable for implementing aspects of the present invention, many devices connected, 0051, Figure 7).

Roy et al. and Bransi et al. are analogous art because they are from the same field of endeavor of Ethernet networks.  

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Bransi et al. in Roy et al. for determining is a first payload size at the second network interface is greater than a second payload size at the first network interface, transmitting a message at the second network interface to reduce the payload size of messages received at the second network interface by adjusting a transmit size for each of the plurality of devices coupled to the first network interface as claimed for purposes of enhancing the Ethernet-based networks of Roy et al. by determining the maximum transmission unit (MTU) size on a network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP packet fragmentation (see Bransi et al. 0002).

Claim 18:
With respect to claim 18, Roy et al. discloses wherein the processor is configured to
populate an address lookup table based upon network traffic between the first network interface and the second network interface, and set a destination address of the encrypted message to a (medium access control) MAC address stored in the lookup table (the gateway 320 can maintain and address resolution processing (ARP) cache 334 which maintains tables that identify the medium access control (MAC) addresses associated with corresponding IP network address, packets are transmitted and received by the gateway 320, the ARP cache 334 is examined in order to determine whether a MAC address has already been determined for a particular IP address.  If the IP address has already been resolved, then the MAC address stored in the ARP 334 cache is utilized.  Otherwise, the gateway 320 can perform the necessary steps and processes for determining the MAC address, ARP cache 334 is updated to associate the MAC address received with the corresponding IP address, 0030-0031) (gateway 320 also maintains and EVC table 332 which stores information pertaining to the specific EVC assigned to transmit the encapsulated layer-2 packet, traffic classes associated with received layer-2 packets can be maintained by mapping to a corresponding backbone 342, by reviewing the priority bits contained in the VLAN field of the layer-2 packet header, the priority class can be determined and mapped to the appropriate EVC backbone 342, thereby maintaining the original QoS for the packet, 0035-0036).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm., every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433