DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 03/03/2021.



EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Mr. Mani Adeli on 11/23/2020.

The claim of this application has amended as follows:

1.	(Canceled) 
2.	(Currently Amended) The method of claim [[1]] 7, wherein [[the]] each SPI is an unencrypted header value used to identify decryption parameters for decrypting the encrypted data message.
3.	(Original) The method of claim 2, wherein using the SPI comprises hashing at least the unencrypted SPI of the particular encrypted data message to identify a particular processing unit to process the particular encrypted data message.
4.	(Currently Amended) The method of claim [[1]] 7, wherein the first computer comprises a plurality of interfaces, each interface serving as a tunnel endpoint for at least one encryption-secured tunnel.
5.	(Currently Amended) The method of claim [[1]] 4, wherein at least one interface in the plurality of interfaces serves as a tunnel endpoint for multiple encryption-secured tunnels between the first computer and the second computer.
6.	(Currently Amended) The method of claim [[1]] 7, wherein multiple encryption-secured tunnels in the plurality of encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.
7.	(Previously Presented) A method for processing a plurality of encrypted data messages sent over a plurality of encryption-secured tunnels using a plurality of data message processing units of a first computer in a first datacenter, each encryption-secured tunnel identified by a unique security parameter index (SPI), the method comprising:
	at the first computer:
		receiving the plurality of encrypted data messages through the plurality of encryption-secured tunnels established between the first computer and a second computer;
		using an SPI of a particular encrypted data message to select a processing unit in the plurality of processing units to process the particular encrypted data message; and
		using the selected processing unit to process the particular encrypted data message;
wherein a first set of data messages received at a particular interface of the first computer over a first encryption-secured tunnel includes a first SPI to identify decryption parameters used for decrypting the first set of data messages, and
wherein a second set of data messages received at the particular interface over a second, different encryption-secured tunnel includes a second, different SPI to identify decryption parameters used for decrypting the second set of data messages.
8.	(Original) The method of claim 7, wherein the first and second encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.
9.	(Currently Amended) The method of claim [[1]] 7, wherein the encrypted data messages are encrypted using an internet protocol security (IPSec) protocol.
10-11.	(Canceled) 
12.	(Currently Amended) The non-transitory machine readable medium of claim [[11]] 17, wherein [[the]] each SPI is an unencrypted header value used to identify decryption parameters for decrypting the encrypted data message.
13.	(Original) The non-transitory machine readable medium of claim 12, wherein the set of instructions for using the SPI comprises a set of instructions for hashing at least the unencrypted SPI of the particular encrypted data message to identify a particular processing unit to process the particular encrypted data message.
14.	(Currently Amended) The non-transitory machine readable medium of claim [[11]] 17, wherein the first computer comprises a plurality of interfaces, each interface serving as a tunnel endpoint for at least one encryption-secured tunnel.
15.	(Currently Amended) The non-transitory machine readable medium of claim [[11]] 14, wherein at least one interface in the plurality of interfaces serves as a tunnel endpoint for multiple encryption-secured tunnels between the first computer and the second computer.
16.	(Currently Amended) The non-transitory machine readable medium of claim [[11]] 17, wherein multiple encryption-secured tunnels in the plurality of encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.
17.	(Previously Presented) A non-transitory machine readable medium storing a program for execution by a plurality of processing units of a first computer in a first datacenter, the program for processing a plurality of encrypted data messages sent over a plurality of encryption-secured tunnels using the plurality of processing units of the first computer in the first datacenter, each encryption-secured tunnel identified by a unique security parameter index (SPI), the program comprising sets of instructions for:
receiving the plurality of encrypted data messages through the plurality of encryption-secured tunnels established between the first computer and a second computer;
using an SPI of a particular encrypted data message to select a processing unit in the plurality of processing units to process the particular encrypted data message; and
using the selected processing unit to process the particular encrypted data message;
wherein a first set of data messages received at a particular interface of the first computer over a first encryption-secured tunnel includes a first SPI to identify decryption parameters used for decrypting the first set of data messages, and
wherein a second set of data messages received at the particular interface over a second, different encryption-secured tunnel includes a second, different SPI to identify decryption parameters used for decrypting the second set of data messages.
18.	(Original) The non-transitory machine readable medium of claim 17, wherein the first and second encryption-secured tunnels are established between a first interface of the first computer and a second interface of the second computer.
19.	(Currently Amended) The non-transitory machine readable medium of claim [[11]] 17, wherein the encrypted data messages are encrypted using an internet protocol security (IPSec) protocol.
20.	(Canceled) 
21.	(Currently Amended) The method of claim [[1]] 7, wherein the processing units are processing cores of the set of CPUs.
22.	(Currently Amended) The method of claim [[1]] 7, wherein the set of CPUs are a set of virtual CPUs (vCPUs) and the processing units are virtual processors of the set of vCPUs.
23.	(Currently Amended) The method of claim [[1]] 7, wherein the processing units are virtual processing cores.
24.	(Currently Amended) The method of claim [[1]] 7, wherein at least a plurality of different virtual processing cores corresponds to a plurality of different physical processing cores.

 	 	Examiner’s statement of reason of allowance

The following is an examiner's statement of reasons for allowance: In interpreting the claims, in light of the Specification and the applicant's amendments filed on 08/24/2020, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
 	The present relates to multiple computers acting as tunnel endpoints in a network, some embodiments provide a method for distributing data messages among processors of a destination computer that receives encrypted data messages from a source computer. Each computer in some embodiments has a set of interfaces configured as tunnel endpoints connecting to multiple tunnels. The encrypted data messages are received at multiple interfaces of the destination computer and in some embodiments, include an identifier for a set of encryption parameters (e.g., a security parameter index). The encryption-parameter-set identifier is used to distribute encrypted data messages among processors of the destination computer. 
 
	Independent claims 7 and 14, recite the uniquely distinct features of “wherein a first set of data messages received at a particular interface of the first computer over a first encryption-secured tunnel includes a first SPI to identify decryption parameters used for decrypting the first set of data messages, and wherein a second set of data messages received at the particular interface over a second, different encryption-secured tunnel includes a second, different SPI to identify decryption parameters used for decrypting the second set of data messages”.


The closest prior art, ( Reddy et al US 2016/0352628), discloses sending a first request message to a first server associated with a first access network indicative of a request for an indication of whether the first server is configured to support prioritization of tunneled traffic, receiving a first response message from the first server indicative of whether the first server is configured to support prioritization of tunneled traffic, establishing one or more first tunnels with a security service when the first response message is indicative that the first server is configured to support prioritization of tunneled traffic, sending first flow characteristics and a first tunnel identifier to the first server; and receiving the first flow characteristics for each first tunnel from the first server at a first network controller. The first network controller is configured to apply a quality of service policy within the first access network for each tunnel in accordance with the flow characteristics.

The closest prior art, (Egevang et al   US 2003/0088787) discloses 0042   a secure connection may be created in accordance with ISAKMP Specification. According to the ISAKMP Specification, all secure connections are created using a particular port number, which is port 500. Flow module 302 may be configured to monitor all flows having an outbound destination port 500 or inbound source port 500, and retrieve an SPI for all ESP packets having a particular sequence number, such as sequence number 1. This packet typically identifies the beginning of a flow. Flow module 302 of SCAM 300 may receive this ESP packet and retrieve its SPI. Flow module 302 may then store the retrieved SPI and a time stamp in its flow table, along with the internal address for network node 110.

The closest prior art ( Wan et al US 2016/0226815) discloses 0044	the SSL VPN clients 112.sub.1, . . . , 112.sub.n are located behind Internet Service Provider (ISP) Network Address Translation (NAT) devices (not shown) from different ISPs. Indeed, the public IP addresses of the SSL VPN clients 112.sub.1, . . . , 112.sub.n would in fact be private and may even be in conflict (e.g. the same public IP Address being used for different SSL VPN clients), thereby preventing the SSL VPN server 114 from knowing which SSL VPN tunnel 118.sub.1, . . . , 118.sub.n to select for a given outgoing packet destined to a given originating client machine 108.sub.1, . . . , 108.sub.n. Indeed, no routing table would exist in this case and packets exiting the SSL VPN server 114 would therefore be dropped. In addition, even if the SSL VPN server 114 knows which SSL VPN tunnel 118.sub.1, . . . , or 118.sub.n to select and uses the public IP address from the ISP NAT device for routing, the SSL VPN client 112.sub.1, . . . , 112.sub.n that serves as the tunnel's endpoint will not know how to forward the outgoing packet that exits the SSL VPN tunnel 118.sub.1, . . . , or 118.sub.n because the packet's destination address will be the public IP address from the ISP NAT device. Moreover, all packets destined to a given ISP public IP address (i.e. packets for all clients behind a given ISP NAT device) would be sent through the same SSL VPN tunnel 118.sub.1, . . . , 118.sub.n. As a result, other client machines, which have not established an SSL VPN tunnel but are located behind the same ISP NAT device as client machines with which the SSL VPN tunnel 118.sub.1, . . . , or 118.sub.n is established, will see their traffic routed through the tunnel 118.sub.1, . . . , or 118.sub.n even if this should not occur. It can therefore be seen that the hypothetical solution of using the public IP address of the SSL VPN clients 112.sub.1, . . . , 112.sub.n for routing fails. There is therefore a need for another solution to the above-mentioned issues that arise when network extension is used. 

However, the prior art of record, either individually or in a reasonable combination, fails to disclose or suggest the underline limitations when in combination with the remaining limitations currently recited in the independent claims 7 and 14. In addition, updated search also did not yield any new applicable prior art with respect to the underlined limitations.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314.  The examiner can normally be reached on EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ABU S SHOLEMAN/Primary Examiner, Art Unit 2495