DETAILED ACTION
	This action is responsive to application filed on 10/31/2019. Claims 1-25 are pending and being considered. Claims 1, 9, 17 and 25 are independent. Thus, the claims 1-25 are rejected.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
The current application is a continuation of U.S. Patent Application No. 15/664,582, filed on July 31, 2017.

Information Disclosure Statement


The information disclosure statement (IDS) submitted on 03/04/2020 was filed on or after the mailing date of the application no.16/670,030 on 10/31/2019. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner and an initialed and dated copy of Applicant’s IDS forms 1449 filed on 03/04/2020 is attached to the instant office action. 

Specification
The disclosure(s), filed on 10/31/2019, has been reviewed and accepted.

Drawings
The drawings (Figs. 1-3), filed on 10/31/2019, has been reviewed and accepted.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 

Claims 1-25 are rejected on the ground of non-statutory double patenting as being un-patentable over claims 1-19 of U.S. Patent No. 10,498,708 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitations of the claims 1-25 (of current application 16/670,030) are taught by the U.S. Patent No. 10,498,708 B2, as mentioned in comparison table(s) below, wherein the matched limitations of the U.S. Patent 10,498,708 B2 are underlined:

Current Application 16/670,030
U.S. Patent Application 10,498,708 B2
Claim 1: A method for processing encapsulated encrypted data packets at a virtual network interface card (VNIC) on a host machine, comprising: 
receiving at the VNIC an encapsulated encrypted data packet, the encapsulated 
calculating a hash value based at least in part on the SPI value; and 
assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value. 
Claim 5: wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to 
Claim 6: wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine.
Claim 7-8: receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; and calculating a second hash value based at least in part on the second SPI value; and
Claim 7: redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet.
Claim 8: assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.
Claim 1: A method for processing encapsulated encrypted data packets at a virtual network interface card (VNIC) on a host machine, comprising:
receiving at the VNIC an encapsulated encrypted data packet, the encapsulated 
calculating a hash value based at least in part on the SPI value;
assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value,
wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process 
wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine;
receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; calculating a second hash value based at least in part on the second SPI value; and one of:
redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet; or


Claim 2: wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.
Claim 2: wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.
Claim 3: wherein the hash value is further calculated based on a second hash value calculated by a physical network interface card (PNIC) on the host machine for the encapsulated encrypted data packet.  
Claim 3: wherein the hash value is further calculated based on a third hash value calculated by a physical network interface card (PNIC) on the host machine for the encapsulated encrypted data packet.
Claim 4: determining an IP protocol number included in the first header indicates the encapsulated encrypted data packet is an encapsulating security 
Claim 4: determining an IP protocol number included in the first header indicates the encapsulated encrypted data packet is an encapsulating security 
Claim 7: receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; and calculating a second hash value based at least in part on the second SPI value; and 
redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet.
Claim 1: receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; calculating a second hash value based at least in part on the second SPI value; and one of: 
Claim 5: redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet.
Claim 8: receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; calculating a second hash value based at least in part on the second SPI value; 
assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.
Claim 1: receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; calculating a second hash value based at least in part on the second SPI value; 
Claim 6: assigning the second encapsulated encrypted data packet to the second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.
Claim 25: A method for processing encapsulated encrypted data packets at a physical network interface card (PNIC) on a computing device, comprising: 

calculating a hash value based at least in part on the SPI value; and 
assigning the encapsulated encrypted data packet to a first PNIC receive side scaling (RSS) queue of a plurality of PNIC RSS queues associated with the PNIC based on the hash value.
Claim 19: A method for processing encapsulated encrypted data packets at a physical network interface card (PNIC) on a computing device, comprising:

calculating a hash value based at least in part on the SPI value; 
assigning the encapsulated encrypted data packet to a first PNIC receive side scaling (RSS) queue of a plurality of PNIC RSS queues associated with the PNIC based on the hash value;



Below table represents the double patenting rejection(s) for ‘a non-transitory computer readable medium’ claim set 9-16 of the current application 16/670,030:

Claims of Current App. 16/670,030
9 & 13-16
10
11
12
15
16
Claims of US Patent 10,498,708 B2
7
8
9
10
7 & 11
7 & 12


Below table represents the double patenting rejection(s) for ‘a computer system’ claim set 17-24 of the current application 16/670,030:

Claims of Current App. 16/670,030
17 & 21-24
18
19
20
23
24
Claims of US Patent 10,498,708 B2
13
14
15
16
13 & 17
13 & 18


Thus, the claims 1-25 are rejected on the ground of non-statutory double patenting as being un-patentable over claims 1-19 of the U.S. Patent US 10498708 B2, because all the limitations of the claims 1-25 are taught by the claims 1-19 of the U.S. Patented No. 10498708 B2.

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1- 2, 4-6, 9-10, 12-14, 17-18 and  20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Yang, Li-Jau (Steven) et al. (US 7,003,118 B1, provided by IDS), hereinafter (Yang), in view of Tumuluru; Laxminarayana et al. (US 2018/0069924 A1), hereinafter (Tumuluru).

As per claim 1, Yang teaches a method for processing encapsulated encrypted data packets at a virtual network interface card (VNIC) on a host machine, comprising (Yang, Fig. 1A- 1B and Col. 1; Lines 61- 67 and Col. 2; Lines 1- 4,discloses that the IPSEC standard defines an encapsulated payload (ESP) as the mechanism used to transfer encrypted data (packets) and see also Col. 1; Lines 31- 42, discloses to provide security operations or data processing in a virtual private network ):
receiving at the VNIC an encapsulated encrypted data packet (Yang, Col. 3; Lines 8- 15 and Col. 1; Lines 61- 67 and Col. 2; Lines 1- 4, discloses that the NIC receives the ESP inbound packet from the network), the encapsulated encrypted data packet comprising a first header and an encrypted payload (Yang, Col. 3; Lines 8- 15, discloses that as it is being received by the (virtual) NIC, the ESP inbound traffic is scanned, retrieving security services information 153 (e.g., AH or ESP) from the security related fields of the packet), the first header comprising a source IP address of a source tunnel endpoint, a destination IP address of a destination tunnel endpoint (Yang, Col. 5; Lines 18- 26, discloses that the IPv4 base header fields are classified as  a source (IP) address (of a source tunnel endpoint) and destination (IP) address (of a destination tunnel end point)), and a security parameter index (SPI) value corresponding to a security association between a source endpoint and a destination endpoint (Yang, Col. 8; Lines 18- 25, discloses to extract the security parameter index out of either ESP or AH header and by feeding this information to the hash state machine can generate the SA look-up index SA-ID (i.e., where the generated SA-ID corresponds to a security association between a source endpoint and a destination endpoint- Col. 2; Lines 46- 59)), the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint (Yang, Col. 8; Lines 25- 28, discloses an ESP header and see also Col. 5; Lines 18- 26, discloses the IPv4 base header fields such as  a source (IP) address (of a source tunnel endpoint) and destination (IP) address (of a destination tunnel end point)); 
calculating a hash value based at least in part on the SPI value (Yang, Col. 8; Lines 18- 25, discloses that the hash state machine generates the SA look-up index such as SA-ID (i.e., a hash value) based (at least in part) on the extracted SPI out of either ESP or AH header); and
assigning the Yang, Col. 8; Lines 46- 63, discloses that for each IPSEC enabled inbound packet, the IPSEC Rx Packet Parser State Machine 510 outputs a data structure onto a FIFO queue, hereafter used by the Rx_Control_State Machine 520, which monitors the fullness of the FIFO queue, fed by IPSEC Rx Packet Parser State Machine 510. It removes the top data structure from the queue and parses it. It uses the SA_ID (i.e., hash value) to perform security association lookup and examine the following SA fields to determine what IP processing is required for this IP packet).
However ‘Yang’ fails to explicitly disclose but ‘Tumurulu’ from the same field of technology teaches assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value (Tumurulu, Fig. 2 and Para. [0048], and/or as disclosed in Para. [0005], placing the packet in one of a plurality of receive queues based on at least the hash value, wherein packets placed in each receive queue of the plurality of receive queues are processed by a respective CPU or core associated with the receive queue).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Tumurulu’ into the teachings of ‘Yang’, with a motivation to assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value, as taught by Tumurulu, in which multiple IPsec tunnels are employed, each with affinity to a specific CPU (or core), in order to scale out throughput; Tumurulu, Para. [0047].

2, Yang as modified by Tumurulu teaches the method of claim 1, wherein Yang fails to explicitly disclose but Tumurulu further teaches the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint (Tumuluru, Para. [0058 and 0048], discloses to compute a hash based on fields of an outer header, such as source and destination IP addresses, or source and destination IP addresses and port number).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Tumurulu’ into the teachings of ‘Yang’, with a motivation to determine a hash value based on at least one or more fields in the packet, as taught by Tumurulu, in order to place the packet in a receive queue based on the determined or computed hash; Tumurulu, Para. [0005].

As per claim 4, Yang as modified by Tumurulu teaches the method of claim 1, wherein Yang further teaches: further comprising determining an IP protocol number included in the first header indicates the encapsulated encrypted data packet is an encapsulating security payload type packet and calculating the hash value based at least in part on the SPI value based on the IP protocol number (Yang, Col. 8; Lines 15- 25, discloses that the IPSEC Rx Packet Parser State Machine scans the inbound data packet while the NIC is receiving IP packet from the wire (network, for example) into the NIC memory, and identify the required security protocol(s). If IPSEC service is required, the state machine will extract the destination IP address and security protocol (51 for AH, 50 for ESP) out of the IP header, and the ).

As per claim 5, Yang as modified by Tumuluru teaches the method of claim 1, wherein Yang fails to explicitly disclose but Tumuluru further teaches each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process packets in the corresponding VNIC RSS queue (Tumuluru, Para. [0049], discloses that when L2 concentrator 125 receives packets from other VMs via VNIC 222, L2 concentrator 125 hashes tuples of those packets and places the packets in queues associated with respective CPUs or cores based on the hash values. Illustratively, VNIC 222 of L2 concentrator 125 may implement receive-side scaling (RSS) that distributes received network traffic across receive queues based on a hash function so that such traffic can be processed by multiple CPUs or cores, and/or see also claim 9, wherein packets placed in each receive queue of the plurality of first receive queues are processed by a respective CPU or core associated with the receive queue).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Tumurulu’ into the teachings of ‘Yang’, with a motivation wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process packets in the 

As per claim 6, Yang as modified by Tumuluru teaches the method of claim 5, wherein Yang further teaches each Yang, Col. 2; Lines 66- 67, discloses to perform the tasks either by host CPU or an embedded processor).
However Yang fails to explicitly disclose but Tumurulu further teaches wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine (Tumuluru, claim 9, wherein the computer having one or more physical central processing units (CPUs), wherein packets placed in each receive queue of the plurality of first receive queues are processed by a respective CPU or core associated with the receive queue, and as further disclosed in Fig. 4 and Para. [0047], that the CPUs or cores 420.sub.i may be either virtual or physical CPUs or cores).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Tumurulu’ into the teachings of ‘Yang’, with a motivation wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine, as taught by Tumurulu, in which multiple IPsec tunnels are employed, each with affinity to a specific CPU (or core), in order to scale out throughput; Tumurulu, Para. [0047].

As per claims 9- 10 and 12-14, the claims recite substantially similar subject matter as claims 1- 2 and 4-6, respectively. Therefore, the response set forth above with 

As per claims 17- 18 and 20-22, the claims recite substantially similar subject matter as claims 1- 2 and 4-6, respectively. Therefore, the response set forth above with respect to claims 1- 2 and 4-6 are equally applicable to claims 17- 18 and 20-22 of “a computer system”, respectively.

Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yang, Li-Jau (Steven) et al. (US 7,003,118 B1; provided by IDS), hereinafter (Yang), in view of Tumuluru; Laxminarayana et al. (US 2018/0069924 A1), hereinafter (Tumuluru), and further in view of Saeki, Shuichi (US 20170063979 A1; provided by IDS), hereinafter (Saeki).

As per claim 3, Yang as modified by Tumurulu teaches the method of claim 1, wherein Yang fails to explicitly disclose but Tumurulu further teaches the hash value is further calculated based on a second hash value calculated Tumurulu, Para. [0054], discloses that the L2 concentrator 125 places each packet, based on its hash value, in one of a number of receive queues that are each processed by a respective CPU or core, and as further disclosed in Claim 4, determining a second hash value based on at least one or more fields in the packet, and as further disclosed in Para. [0031], wherein the L2 concentrators 125 and 185 include VNICs 222-224 and 262-264, respectively. VNICs 222-224 and 262-264 are software-based virtual network adapters that may be logically connected to one or more ).  
However Yang as modified by Tumurulu fails to explicitly disclose but Saeki from the same field of technology teaches wherein the hash value is further calculated based on a second hash value calculated by a physical network interface card (PNIC) on the host machine for the encapsulated encrypted data packet (Saeki, Para. [0059], discloses that a general-purpose physical NIC may be able to calculate hash values of IP addresses by using an RSS (Receive Side Scaling) function in a VF (Virtual Function) and perform distribution based on the hash values, and/or see also Para. [0001], discloses a second hash value calculated by PNIC).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Saeki’ into the teachings of ‘Yang’ as modified by ‘Tumurulu’, with a motivation to provide an enhanced security for a packet processing device that receives and processes user data packets from mobile terminals, and more particularly to a reception packet distribution method, a queue selector, a packet processing device, and a recording medium that properly distribute user data packets input from the outside over a plurality of CPU (central processing unit) cores allocated to a virtual machine; Saeki, Para. [0001].

As per claim 11, the claim recite substantially similar subject matter as claim 3. Therefore, the response set forth above with respect to claim 3 is equally applicable to claim 11 of “a non-transitory computer readable medium”.

19, the claim recite substantially similar subject matter as claim 3. Therefore, the response set forth above with respect to claim 3 is equally applicable to claim 19 of “a computer system”, respectively.

Claims 7, 15 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Yang, Li-Jau (Steven) et al. (US 7,003,118 B1; provided by IDS), hereinafter (Yang), in view of Tumuluru; Laxminarayana et al. (US 2018/0069924 A1), hereinafter (Tumuluru), and further in view of Halme, Matti et al. (US 20020097724 A1; provided by IDS), hereinafter (Halme), and Saeki, Shuichi (US 20170063979 A1; provided by IDS), hereinafter (Saeki).

As per claim 7, Yang as modified by Tumurulu teaches the method of claim 1, Wherein Yang further teaches further comprising: receiving at the VNIC a second encapsulated encrypted data packet Yang, Col. 3; Lines 5- 15, discloses to receive, by the (virtual) NIC, an inbound traffic which includes encrypted data packets (i.e., second packet)); and 
However Yang fails to explicitly disclose but Tumurulu further teaches calculating a second hash value Tumurulu, Para. [0058], discloses to compute a hash based on fields of an outer header and placing the packet in a receive queue based on the computed hash); and

However Yang as modified by Tumurulu fails to explicitly disclose but Halme from the same field of technology teaches receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint (Halme, Para. [0072], discloses that each of the established IPSec tunnels has a unique SPI value (or values). When the receiving entity (i.e., NIC) selects a value for the SPI, it already knows the details of the Security Association. The details indicate values for header fields in outbound data packets. Typically the hash functions used in calculating a hash value for an outbound data packet and a hash value for an inbound data packet are different and see also Para. [0087], discloses that the data packets, which are different from data packet in accordance to IPSec protocol suite, the header fields may be, for example, the source and destination fields of an IP header); and 
calculating a second hash value based at least in part on the second SPI value (Halme, Para. [0072], discloses to calculate another hash value based only on part of the selected SPI value and/or see also Para. [0087], discloses that it is possible that, for example, for two sorts of data packets similar hash functions are used, although ); and 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Halme’ into the teachings of ‘Yang‘, as modified by ‘Tumurulu’, with a motivation to provide an enhanced security for each IPSec capable entity that has a specific/ unique SPI value; Halme, Para. [0071].
However Yang as modified by Tumurulu in view of Halme fails to explicitly disclose but Saeki further teaches redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet (Saeki, Para. [0017], discloses that the network relay device, when receiving packets, holds the packets in the reception waiting queue temporarily. The lower-level flow identification unit picks out a packet from the reception waiting queue, calculates a hash function by using, for example, header information, such as a source IP address and a destination IP address in the IP header, and, in accordance with the calculated hash function, assign the packet into an upper-level flow identification waiting queue with respect to each lower-level flow).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Saeki’ into the teachings of ‘Yang’ as modified by ‘Tumurulu’ in view of ‘Halme’, with a motivation to provide an enhanced security by performing upper-level flow identification processing, 

As per claim 15, the claim recite substantially similar subject matter as claim 7. Therefore, the response set forth above with respect to claim 7 is equally applicable to claim 15 of “a non-transitory computer readable medium”.

As per claim 23, the claim recite substantially similar subject matter as claim 7. Therefore, the response set forth above with respect to claim 7 is equally applicable to claim 23 of “a computer system”, respectively.

Claims 8, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Yang, Li-Jau (Steven) et al. (US 7,003,118 B1; provided by IDS), hereinafter (Yang), in view of Tumuluru; Laxminarayana et al. (US 2018/0069924 A1), hereinafter (Tumuluru), and further in view of Halme, Matti et al. (US 20020097724 A1; provided by IDS), hereinafter (Halme).

As per claim 8, Yang as modified by Tumurulu teaches the method of claim 1, Wherein Yang further teaches: further comprising: receiving at the VNIC a second encapsulated encrypted data packet Yang, Col. 3; Lines 5- 15, discloses to receive, by the (virtual) NIC, an inbound traffic which includes encrypted data packets (i.e., second packet)); 
assigning the second  based on the second hash value (Yang, Col. 8; Lines 46- 63, discloses that for each IPSEC enabled inbound packet, the IPSEC Rx Packet Parser State Machine 510 outputs a data structure onto a FIFO queue, hereafter used by the Rx_Control_State Machine 520, which monitors the fullness of the FIFO queue, fed by IPSEC Rx Packet Parser State Machine 510. It removes the top data structure from the queue and parses it. It uses the SA_ID (i.e., hash value) to perform security association lookup and examine the following SA fields to determine what IP processing is required for this IP packet); and 
processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet (Yang, Col. 7; Lines 3- 8, discloses that if there is more than one SA for the current IP packet, the above process is repeated until the end of SA condition is reached. The state machine does not retrieve next entry from the FIFO queue until it receives acknowledgment of IPsec service completion from IPSEC Tx Data State Machine 330 and/or see also Col. 9; Lines 14- 19).
However ‘Yang’ fails to explicitly disclose but ‘Tumurulu’ further teaches calculating a second hash value Tumurulu, Para. [0058], discloses to compute a hash based on fields of an outer header and placing the packet in a receive queue based on the computed hash);
assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value (Tumurulu, Fig. 2 and Para. [0048-0049], discloses that L2 concentrator 125 receives packets from other VMs via VNIC 222, L2 concentrator 125 hashes tuples of those packets and places the packets in queues associated with respective CPUs or cores based on the hash values values, and/or see also claim 4, determining a second hash value based on at least one or more fields in the packet, and placing the packet in one of a plurality of second receive queues based on at least the second hash value); and
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Tumurulu’ into the teachings of ‘Yang’, with a motivation to assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues, as taught by Tumurulu, in which multiple IPsec tunnels are employed, each with affinity to a specific CPU (or core), in order to scale out throughput; Tumurulu, Para. [0047].
However Yang as modified by Tumurulu fails to explicitly disclose But Halme from the same field of technology teaches receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint (Halme, Para. [0072], discloses that each of the established IPSec tunnels has a unique SPI value (or values). When the receiving entity (i.e., NIC) selects a value for the SPI, it ); 
calculating a second hash value based at least in part on the second SPI value (Halme, Para. [0072], discloses to calculate another hash value based only on part of the selected SPI value and/or see also Para. [0087], discloses that it is possible that, for example, for two sorts of data packets similar hash functions are used, although the header fields, using which hash values are calculated, are typically different for the data packet sorts);
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Halme’ into the teachings of ‘Yang‘ as modified by ‘Tumurulu’, with a motivation to receive at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint, as taught by Halme, in order to provide an enhanced security for each IPSec capable entity that has a specific/unique SPI value; Halme, Para. [0071].

16, the claim recite substantially similar subject matter as claim 8. Therefore, the response set forth above with respect to claim 8 is equally applicable to claim 16 of “a non-transitory computer readable medium”.

As per claim 24, the claim recite substantially similar subject matter as claim 8. Therefore, the response set forth above with respect to claim 8 is equally applicable to claim 24 of “a computer system”, respectively.
	
Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Yang, Li-Jau (Steven) et al. (US 7,003,118 B1; provided by IDS), hereinafter (Yang), in view of SAEKI; Shuichi (US 2017/0063979 A1; provided by IDS), hereinafter (Saeki).

As per claim 25, Yang teaches a method for processing encapsulated encrypted data packets at a physical network interface card (PNIC) on a computing device, comprising (Yang, Fig. 1A- 1B and Col. 1; Lines 61- 67 and Col. 2; Lines 1- 4,discloses that the IPSEC standard defines an encapsulated payload (ESP) as the mechanism used to transfer encrypted data (packets) and see also Col. 2; Lines 37- 45, discloses a high performance IPSEC accelerator that is installed on a Network Interface Card (i.e., PNIC) of a host machine on a network which assists the host in performing various security services for inbound and outbound traffic at the IP layer. (In other words, the IPSEC defined ESP standard can be used as a mechanism to process encrypted data (packets)/ inbound and outbound traffic at a (i.e., physical) network interface card of a host machine)): receiving at the PNIC an encapsulated encrypted data packet (Yang, Col. 3; Lines 8- 15 and Col. 1; Lines 61- 67 and Col. 2; Lines 1- 4, discloses that the (physical) NIC receives the ESP inbound packet from the network), the encapsulated encrypted data packet comprising a first header and an encrypted payload (Yang, Col. 3; Lines 8- 15, discloses that as it is being received by the (physical) NIC, the ESP inbound traffic is scanned, retrieving security services information 153 (e.g., AH or ESP) from the security related fields of the packet), the first header comprising a source IP address of a source tunnel endpoint, a destination IP address of a destination tunnel endpoint (Yang, Col. 5; Lines 18- 26, discloses that the IPv4 base header fields are classified as  a source (IP) address (of a source tunnel endpoint) and destination (IP) address (of a destination tunnel end point)), and a security parameter index (SPI) value corresponding to a security association between a source endpoint and a destination endpoint (Yang, Col. 8; Lines 18- 25, discloses to extract the security parameter index out of either ESP or AH header and by feeding this information to the hash state machine can generate the SA look-up index SA-ID (i.e., where the generated SA-ID corresponds to a security association between a source endpoint and a destination endpoint- Col. 2; Lines 46- 59)), the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint (Yang, Col. 8; Lines 25- 28, discloses an ESP header and see also Col. 5; Lines 18- 26, discloses the IPv4 base header fields such as  a source (IP) address (of a source tunnel endpoint) and destination (IP) address (of a destination tunnel end point)); 
calculating a hash value based at least in part on the SPI value (Yang, Col. 8; Lines 18- 25, discloses that the hash state machine generates the SA look-up index ); and
 assigning the Yang, Col. 8; Lines 46- 63, discloses that for each IPSEC enabled inbound packet, the IPSEC Rx Packet Parser State Machine 510 outputs a data structure onto a FIFO queue, hereafter used by the Rx_Control_State Machine 520, which monitors the fullness of the FIFO queue, fed by IPSEC Rx Packet Parser State Machine 510. It removes the top data structure from the queue and parses it. It uses the SA_ID (i.e., hash value) to perform security association lookup and examine the following SA fields to determine what IP processing is required for this IP packet).
However ‘Yang’ fails to explicitly disclose but ‘Saeki’ from the same field of technology teaches assigning the encapsulated encrypted data packet to a first PNIC receive side scaling (RSS) queue of a plurality of PNIC RSS queues associated with the PNIC based on the hash value (Saeki, Para. [0035], discloses to distribute reception packets over the respective reception packet queues in the (physical) NIC and/or see also Para. [0099], discloses that in functions of the queue selector 14 in the (physical) NIC 11, an encapsulated user IP address located in the payload of a reception packet is detected and, by referring to the determination table 13, a queue in the (physical) NIC, into which the reception packet is to be stored, is determined in accordance with a hash value of the user IP address and the like and/or see also Para. [0063-0064 or 0080]).
.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1.	Saha; Ashoke et al. (US 2011/0153985 A1), the the present application relates to systems and methods for distributing a plurality of cryptographic cards to a plurality of packet processing engines in operation within a multi-core system.
2.	ROCH; Evelyne (US 20160212098 A1), the current disclosure relates to load balancing network traffic and in particular to load balancing Internet Protocol Security (IPsec) traffic.
3.	Kamper; Liaz et al. (US 20160142307 A1), the present invention relates generally to computing systems, and particularly to methods and systems for efficient communication between computer-system nodes.
4.	Shen; Jianjun et al. (US 20170163598 A1), this disclosure is related to learning of tunnel endpoint selections.

 If attempts to reach the examiner by telephone are unsuccessful, the examiner’s
supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published
applications may be obtained from either Private PAIR or Public PAIR. Status
information for unpublished applications is available through Private PAIR only. For
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you
have questions on access to the Private PAIR system, contact the Electronic Business
Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO
Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2433


/SAMSON B LEMMA/Primary Examiner, Art Unit 2498