Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION

a.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/04/2021 has been entered.
Claims 1-20 in the present application, filed on or after March 16, 2013, are being examined under the first inventor to file provisions of the AIA.
	- claims 1, 6, and 16 are amended
b.	This is a first action on the merits based on Applicant’s claims submitted on 01/04/2021.


Information Disclosure Statement

	The information disclosure statements (IDS) submitted on 12/08/2020 and 01/07/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Response to Arguments

Regarding claims 1, 2, 6, and 16 previously rejected under 35 U.S.C. § 112(b), claims 1, 2, 6, and 16 have been amended according to the examiner's recommendation and thus the previous rejection has been withdrawn.
Regarding claims 1-20 previously rejected under 35 U.S.C. § 103, Applicant's arguments, see “Therefore, Applicant respectfully submits that the combination of references fails to teach or suggest one or more computing devices to obtain, via one or more programmatic interfaces, (a) a request for a packet processing pipeline to be implemented for at least a subset of packets sent from or to a first isolated virtual network, the first isolated virtual network configured on behalf of a first client of a network-accessible service, wherein the request does not indicate fast path packet processing nodes to be used for the pipeline and (b) an indication of an exception path target configured to perform at least one operation on a packet sent from or to the first isolated virtual network which does not satisfy a criterion for fast path processing at the packet processing pipeline, as claimed.” on page 14, filed on 01/04/2021, with respect to Morrow (US Patent No. 7522601) (hereinafter “Morrow”), in view of Chitalia et al (US Publication No. 20190386891) (hereinafter “Chitalia”), and further in view of Modelski et al (US Publication No. 20020083297) (hereinafter “Modelski”) and of Brandwine et al (US Patent No. 9384029) (hereinafter “Brandwine”), have been fully considered but are moot, over the limitations of “according to the obtained criterion for fast path processing and the obtained one or more security requirements of the first isolated virtual network” and “a subset of packets sent from or to a first isolated virtual network”. Said limitations are newly added to the amended Claims 1, 6, and 16 and have been addressed in instant office action, as shown in section 35 USC 103 rejection below, with newly identified prior art teachings from newly identified disclosures in previously applied references Chitalia and Modelski, thus rendering said Applicant’s arguments moot.
Regarding claims 1-20 previously rejected under 35 U.S.C. § 103, Applicant's arguments, see “Like Morrow, Chitalia discloses nodes that perform both fast path and slow path processing and fails to disclose a node that transmits a packet to an exception path target responsive to determining that the packet does not satisfy the criterion for fast path processing, as claimed.” on page 12, filed on 01/04/2021, have been fully considered but they are not persuasive.
The instant application's Specification ¶ [0037] recites: "As indicated earlier, slower-path packet processing operations (such as making decisions in response to cache misses at FPPNs) may be referred to as exception-path operations (as they are primarily intended for less frequent or “exceptional” scenarios, for which higher latencies may be acceptable) in some embodiments, and SPPNs may also be referred to as exception path nodes." Therefore, clearly, Morrow and Chitalia teach both fast path and slow path (i.e. exception path) processing.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Morrow US Patent 7522601 (hereinafter “Morrow”), and in view of Chitalia et al. US Pub 2019/0386891 (hereinafter “Chitalia”), and further in view of Modelski et al. US Pub 2002/0083297 (hereinafter “Modelski”). 
Regarding claim 1 (Currently Amended)
Morrow discloses a system (“FIG. 5 is a schematic diagram of a packet-based communication system showing routing for an information packet using the invention.” Col. 4, lines 1-3), comprising:
one or more computing devices (“network processor” col. 2, lines 61-67; “signaling processor” col. 3, lines 4-14);
wherein the one or more computing devices include instructions that upon execution on or across one or more processors cause the one or more computing devices to:
obtain, via one or more programmatic interfaces (“processing an information packet on an interface.” [Claim 12 txt]), (a) a request for a packet processing pipeline to be implemented for fast path processing (“Network processors handle the basic routing functions by quickly processing (sometimes called "parsing") address header information in the information packet and then forwarding the information packet to the next hop destination as specified by an address stored in a route cache entry in the processor.  This lower-level processing and forwarding of an information packet is sometimes referred to as the "fast-path" processing.” Col. 3, lines 1-3) or for exception path processing (equivalent to “slow path processing”; “If an information packets header address is not found in the route cache, higher-level processing may be required for matching the address with the routing table and forwarding the packet from the signaling processor. Additionally, some information packets require more extensive processing due to security, quality of service, or other control functions that require processing and/or implementation prior to forwarding of the information packet. This higher-level processing and forwarding of information packets is sometimes referred to as the "slow-path" processing.” Col. 3, lines 4-14),
wherein the request does not indicate fast path packet processing nodes to be used for the pipeline, (b) an indication of an exception path target (“The presence of the filtered router flag value identifies the information packet as possibly requiring a slow-path routing technique.  The flag value could also identify the router type or conditions that actually require slow-path routing techniques.  A router identifying the filtered router flag value will forward the information packet to the signal processor for slow-path processing.  A router not finding the filtered router flag value will forward the information packet directly on the appropriate output for transmission onto the network.” [Abstract]) configured to perform at least one operation on the first isolated virtual network (“The "G" flag 322 switches the information packet to the slow-path for further inspection when the router being traversed is acting as a security gateway.  The "G" flag 322 is used with nodes of a Virtual Private Network (VPN) for signaling with the security gateway when the exact address is not known or the discovery is deemed too inefficient.” Col. 6, lines 33-38) which does not satisfy a criterion for fast path processing (“Additionally, some information packets require more extensive processing due to security, quality of service, or other control functions that require processing and/or implementation prior to forwarding of the information packet. This higher-level processing and forwarding of information packets is sometimes referred to as the "slow-path" processing.” Col. 3, lines 4-14);
Morrow does not specifically teach packet processing pipeline, packets sent from or to a first isolated virtual network, the first isolated virtual network configured on behalf of a first client of a network-accessible service.
In an analogous art, Chitalia discloses obtain, via one or more interfaces (“User interface device 129 may be implemented as any suitable computing system, such as a mobile or non-mobile computing device operated by a user and/or by administrator 24.  User interface device 129 may, for example, represent a workstation, a laptop or notebook computer, a desktop computer, a tablet computer, or any other computing device that may be operated by a user and/or present a user interface in accordance with one or more aspects of the present disclosure.” [0042]), (a) a request for a packet processing to be implemented for at least a subset of packets sent from or to a first isolated virtual network (“Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106. The outer header may include not only the physical network address but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance 122.” [0120]), the first isolated virtual network (“FIG. 4 is a block diagram illustrating an example computing device that executes a virtual router for virtual networks” [0016]) configured on behalf of a first client of a network-accessible service (e.g. “User interface device 129” in Fig. 1; [0042]), wherein the request does not indicate fast path packet processing nodes to be used (“If a matching flow table entry does not exist for the packet, the packet may represent an initial packet for a new packet flow and virtual router forwarding plane 128 may request VN agent 35 to install a flow table entry in the flow table for the new packet flow.  This may be referred to as "slow-path" packet processing for initial packets of packet flows and is represented in FIG. 4 by slow path 140.” [0122]), and (c) one or more security requirements of the first isolated virtual network (“the plurality of categories include applications executing within VMs 36, deployments, application tiers, geographic sites, virtual networks, VMs 36, interfaces, projects, security requirements, quality requirements, users, or compliance requirements.” [0086]);
identify a collection of fast path packet processing nodes (e.g. “SDN controller”, “servers 12A-12X”) to implement at least a portion of the packet processing (“virtual router forwarding plane 128 attempts to match packets processed by routing instance 122A to one of the flow table entries of flow table 126A.  If a matching flow table entry exists for a given packet, virtual router forwarding plane 128 applies the flow actions specified in a policy to the packet.  This may be referred to as "fast-path" packet processing.” [0122]);
in response to obtaining the request, identify a collection of fast path packet processing nodes to implement at least a portion of the packet processing (“SDN controller 132 implements high-level requests from orchestration engine 130 by configuring physical switches, e.g. TOR switches 16, chassis switches 18, and switch fabric 20; physical routers; physical service nodes such as firewalls and load balancers; and virtual services such as virtual firewalls in a VM.  SDN controller 132 maintains routing, networking, and configuration information within a state database.” [0044]) according to the obtained criterion for fast path processing (“If a matching flow table entry exists for a given packet, virtual router forwarding plane 128 applies the flow actions specified in a policy to the packet.  This may be referred to as "fast-path" packet processing.” [0122]) and the obtained one or more security requirements of the first isolated virtual network (“Orchestration engine 130 may implement a security policy across a group of VMs or to the boundary of a tenant's network.” [0043] and furthermore “SDN controller 132 manages the network and networking services such load balancing, security, and allocate resources from servers 12 to various applications via southbound API 133.” [0044]);
in response to (a) receiving a first packet at the collection of fast path packet processing nodes (“FIG. 4 is a block diagram illustrating an example computing device that executes a virtual router for virtual networks” [0016]) and (b) determining by the collection of fast path processing nodes (“SDN controller 132 manages the network and networking services such load balancing, security, and allocate resources from servers 12 to various applications via southbound API 133.” [0044]) that the first packet satisfies the one or more security requirements (“Orchestration engine 130 may implement a security policy across a group of VMs or to the boundary of a tenant's network.” [0043] and furthermore “the one or more policy rules describe security or firewall rules, and based on the one or more security or firewall rules, each policy agent 139 may allow or deny network traffic between categories described by the one or more tags.  In other examples, each of the one or more policy rules describe one or more firewall, network, application, or global policy rules.” [0090]) and the criterion for fast path processing (i.e. matched flow table entries), perform one or more packet processing operations of the packet processing pipeline at one or more fast path packet processing nodes of the collection (“Each of flow tables 126 includes flow table entries that each match one or more flows that may traverse virtual router forwarding plane 128 and include a forwarding policy for application to matching flows.  For example, virtual router forwarding plane 128 attempts to match packets processed by routing instance 122A to one of the flow table entries of flow table 126A.  If a matching flow table entry exists for a given packet, virtual router forwarding plane 128 applies the flow actions specified in a policy to the packet.  This may be referred to as "fast-path" packet processing.” [0122]); and
in response to (a) receiving a second packet at the collection (“Packets received by virtual router 30A of server 12A” [0047]; Fig. 1) and (b) determining by the collection that the second packet satisfies the one or more security requirements (allowed by policy rules) and does not satisfy the criterion for fast path processing (“VN agent 35 further applies slow-path packet processing for the first (initial) packet of each new flow traversing virtual router forwarding plane 128 and installs corresponding flow entries to flow tables 126 for the new flows for fast path processing by virtual router forwarding plane 128 for subsequent packets of the flows.” [0123]),
transmit, from a particular fast path packet processing node of the collection, the second packet to the exception path processing target (“policy agent 139 allows or blocks network traffic destined for or originating from interfaces 146 of VMs 110 by matching tags of one or more policy rules to tags applied to interfaces 146.” [0125]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Morrow’s filtered router flag value in an information packet for packet-based communication networks to include Chitalia’s method for monitoring and improving performance of cloud data centers and computer networks in order to maximize virtualization efficiency (Chitalia [0004]).
Morrow and Chitalia do not specifically teach a packet processing pipeline.
In an analogous art, Modelski discloses obtain, via one or more programmatic interfaces (“BAP 10 is operationally connected to each of the above described elements of the multi-thread packet processor.  BAP 10 supports accesses to and from a generic host and peripheral devices.  The multi-thread packet processor may be configured as the arbiter of the BAP bus.  Each element is capable of interfacing via one or more GABs 108,110,112,114,116,118.  Each AM 42,56,70,84 may be configured with 32 independent threads used for packet processing.” [0015] and furthermore “Private Data GAB 112 provides an interface from an AM to a second IME 122,152 -that is used for storage of structures directly needed for fast path processing.  Private Data GAB 112 connects AMs 42,56,70,84 to an IME.  The IME is capable of reads, writes, and atomic/statistic arithmetic operations into its memory.” [0204]), (a) a request for a packet processing pipeline to be implemented (“The multi-thread packet processor includes an analysis machine having multiple pipelines, wherein one pipeline is dedicated to directly manipulating individual data bits of a bit field, a packet task manager, a packet manipulator, a global access bus including a master request bus and a slave request bus separated from each other and pipelined, an external memory engine, and a hash engine.” [Abstract]; [0047]) for at least a subset of packets sent from or to a first isolated virtual network (“Methods and apparatuses consistent with the principles of the present invention, as embodied and broadly described herein, provide for a multi-thread packet processor which processes data packets using a multi-threaded pipelined machine, wherein no instruction depends on a preceding instruction because each instruction in the pipeline is executed for a different thread.  The multi-thread packet processor transfers a data packet from a flexible data input buffer to a packet task manager, dispatches the data packet from the packet task manager to a multi-threaded pipelined analysis machine, classifies the data packet in the analysis machine, modifies and forwards the data packet in a packet manipulator.” [0007]);
in response to obtaining the request (“The arbiters take the respective requests, readies, and the arbitration algorithm and grant a master (MRB) or slave (SRB) access to the split portion of the bus.” [0165]), identify a collection of fast path packet processing nodes to implement at least a portion of the packet processing pipeline (“Private Data GAB 112 provides an interface from an AM to a second IME 122,152 -that is used for storage of structures directly needed for fast path processing.” [0204]) according to the obtained criterion for fast path processing and the obtained one or more security requirements of the first isolated virtual network (as previously taught by Chitalia);
in response to (a) receiving a first packet at the collection of fast path packet processing nodes (“A method for routing a data packet comprising: receiving the packet at a first device;  producing at least one thread associated with routing the packet, the thread including a sequence of instructions;  assigning a thread identifier (TID) to each of the threads and maintaining an activity status for each thread;  for each instruction, selecting a pipeline from a plurality of processing pipelines such that no instruction in the selected pipeline depends on a preceding instruction because every instruction in the selected pipeline is associated with a different thread;  executing the instructions in the selected pipelines;  and transmitting the packet from the first device to a second device.” [Claim 1 txt]) and (b) determining that the first packet satisfies the one or more security requirements and the criterion for fast path processing (“In addition to enhancing processor throughput, improvements in routing performance may be achieved by partitioning the routing process into two processing classes: fast path processing and slow path processing.  Partitioning the routing process into these two classes allows for network routing decisions to be based on the characteristics of each process.  Routing protocols, such as, Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), have different requirements than the fast-forwarding Internet Protocol (FFIP).” [0005]), perform one or more packet processing operations of the packet processing pipeline (“The multi-thread packet processor includes an analysis machine having multiple pipelines, wherein one pipeline is dedicated to directly manipulating individual data bits of a bit field, a packet task manager, a packet manipulator, a global access bus including a master request bus and a slave request bus separated from each other and pipelined, an external memory engine, and a hash engine.” [Abstract]) at one or more fast path packet processing nodes of the collection (“The present invention generally relates to communication system architecture and, more particularly, to packet processing architecture employed within a communication network that provides fast path processing and enhanced flexibility/adaptability of packet processors.  The inventive packet processing architecture will hereinafter be referred to as route switch packet architecture.” [0013]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Morrow’s filtered router flag value in an information packet for packet-based communication networks, as modified by Chitalia, to include Modelski’s multi-thread packet processor which processes data packets using a multi-threaded pipelined machine in order to establish an efficient pipeline for fast path packet processing (“This invention generally relates to the field of data communications and data processing architectures.  More particularly, the present invention relates to a novel multi-thread packet processor for rapidly processing data packets.” Modelski [0001]). Thus, a person of ordinary skill would have appreciated the ability to incorporate multi-thread packet processor which processes data packets using a multi-threaded pipelined machine into Morrow’s filtered router flag value in an information packet since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Regarding claim 2
Morrow, as modified by Chitalia and Modelski, previously discloses the system as recited in claim 1, 
Chitalia further discloses wherein the first isolated virtual network is configured at one or more data centers (i.e. “data center 10A” in Fig. 1), wherein the collection of fast path processing nodes (e.g. VMs) is configured within a second isolated virtual network (i.e. “server 12A” in Fig. 1), and wherein the exception path target comprises one or more of: (a) a computing device in a third isolated virtual network (i.e. “server 12B-12X” in Fig. 1), or (b) a computing device located at a premise external to the one or more data centers (e.g. “data centers 10B-10X” in Fig. 1).

Regarding claim 3
Morrow, as modified by Chitalia and Modelski, previously discloses the system as recited in claim 1, wherein the second packet belongs to a particular packet flow (e.g. “fast-path processing” packets), and wherein the one or more computing devices include further instructions that upon execution on or across one or more processors further cause the one or more computing devices to:
Morrow further discloses obtain, at a particular fast path packet processing node (“Each of the transit routers R1 10, R2 20, R3 30, R4 40, R5 50, R6 60, and R7 70 can use either fast-path or slow-path routing techniques.  Typically, information packets received at a transit router are processed only using the fast-path to retrieve address header data.” Col. 4, lines 41-43; see Figs. 1 and 3) subsequent to the transmission of the second packet, an indication (i.e. “filtered router flag”) of one or more additional packet processing operations to be performed (“The presence of the filtered router flag value identifies the information packet as possibly requiring a slow-path routing technique.  The flag value could also identify the router type or conditions that actually require slow-path routing techniques.  A router identifying the filtered router flag value will forward the information packet to the signal processor for slow-path processing.  A router not finding the filtered router flag value will forward the information packet directly on the appropriate output for transmission onto the network.” [Abstract]) for subsequent packets of the particular packet flow (e.g. “fast-path processing” packets);
cache (“route cache entry”), at the particular fast path packet processing node (“Each of the transit routers R1 10, R2 20, R3 30, R4 40, R5 50, R6 60, and R7 70 can use either fast-path or slow-path routing techniques.  Typically, information packets received at a transit router are processed only using the fast-path to retrieve address header data.” Col. 4, lines 41-43; see Figs. 1 and 3), an executable version of the one or more additional packet processing operations (“Network processors handle the basic routing functions by quickly processing (sometimes called "parsing") address header information in the information packet and then forwarding the information packet to the next hop destination as specified by an address stored in a route cache entry in the processor.  This lower-level processing and forwarding of an information packet is sometimes referred to as the "fast-path" processing.” Col. 2, lines 61-67); and
perform, at the particular fast path packet processing node using the executable version, the one or more additional packet processing operations on one or more subsequent packets of the particular packet flow (“Using an information packet containing a Filtered Router Alert Hop-by-Hop Option, the information packet is transmitted from H1 405 to R1 410, where the packet is processed using the fast-path processing technique.  R1 410 does not need slow-path processing, so none of the bitmap flags in the information packet match any of the flags in the provisioned data field on R1 410.  Because slow-path processing is not requested, the fast-path processing technique is used in R1 410.  The information packet is forwarded to R2 420 only using fast-path routing.” Col. 8, lines 41-50).

Regarding claim 4
Morrow, as modified by Chitalia and Modelski, previously discloses the system as recited in claim 1, 
Chitalia further discloses wherein a fast path packet processing node of the collection has a resource usage limit (“Policy controller 23 obtains the usage metrics and metrics related to communication links between servers 12 from policy agents 35, and constructs a dashboard 203 (e.g., a set of user interfaces) to provide visibility into operational performance and infrastructure resources of data center 10A.” [0054]), and wherein the exception path target is configured to perform a packet processing operation whose resource usage exceeds the resource usage limit (“By identifying processes that may be adversely affecting the operation of other processes, policy controller 23 of data center 10A may take steps to address how such processes operate or use shared resources, and as a result, improve the aggregate performance of virtual machines, containers, and/or processes executing on any given server, and/or improve the operation of all servers 12 collectively.  Accordingly, as a result of identifying processes adversely affecting the operation of other processes and taking appropriate responsive actions, virtual machines 36 may perform computing operations on servers 12 more efficiently, and more efficiently use shared resources of servers 12.  By performing computing operations more efficiently and more efficiently using shared resources of servers 12, data center 10A may perform computing tasks more quickly and with less latency.” [0074]. One skilled in the art can easily set up a predetermined policy/rule to select an exception path target configured to perform a packet processing operation whose resource usage exceeds the resource usage limit).
Morrow also suggests manipulating the P flag 326 to circumvent a packet processing operation whose resource usage exceeds the resource usage limit (“The "P" flag bit 326 switches the information packet to the slow-path for further inspection when a per-flow function is provisioned for an interface. Such an interface may exist between an over-provisioned Local Area Network (LAN) and WAN or any bandwidth-constrained shared link.  The "P" flag bit 326 is used by network analysis tools and per-flow resource management.” Col. 6, lines 43-60).

Regarding claim 5
Morrow, as modified by Chitalia and Modelski, previously discloses the system as recited in claim 1, 
Morrow further discloses wherein the exception path target is configured to perform one or more of: (a) a decryption operation on a packet (“the destination communication device decodes the transmitted information into the original information transmitted by the originating device according to the applicable communication protocol.” Col. 2, lines 11-15) or (b) an encryption operation on the packet (“Information packets use an encoding format of "1" and "0" data bits to build a data stream that a computer or other communication device can interpret.” Col. 4, lines 51-55).

Regarding claim 6 (Currently Amended)
 	Morrow discloses a method (“Applications that can benefit from the Filtered Router Alert Hop-by-Hop Option include congestion avoidance mechanisms, communications with NAT and firewall devices, per-flow resource management, aggregate resource management, and network security association establishment.” Col. 7, lines 35-39), comprising:
performing, at one or more computing devices:
obtaining (a) an indication (“The presence of the filtered router flag value identifies the information packet as possibly requiring a slow-path routing technique.  The flag value could also identify the router type or conditions that actually require slow-path routing techniques.  A router identifying the filtered router flag value will forward the information packet to the signal processor for slow-path processing.  A router not finding the filtered router flag value will forward the information packet directly on the appropriate output for transmission onto the network.” [Abstract]) of an exception path target of a packet processing (“If an information packets header address is not found in the route cache, higher-level processing may be required for matching the address with the routing table and forwarding the packet from the signaling processor. Additionally, some information packets require more extensive processing due to security, quality of service, or other control functions that require processing and/or implementation prior to forwarding of the information packet. This higher-level processing and forwarding of information packets is sometimes referred to as the "slow-path" processing.” Col. 3, lines 4-14), 
Morrow does not specifically teach wherein the packet processing pipeline is to be implemented for at least a subset of packets sent from or to a resource group and (b) one or more configuration settings of the resource group.
In an analogous art, Chitalia discloses wherein the packet processing is to be implemented for at least a subset of packets sent from or to (“Policy controller 23 may also analyze internal processor metrics received from policy agents 35, and classify one or more virtual machines 36 based on the extent to which each virtual machine uses shared resources of servers 12 (e.g., classifications could be CPU-bound, cache-bound, memory-bound).” [0059]) a resource group (“Aspects include grouping the servers of a computer network into a plurality of aggregates, each aggregate comprising one or more servers.” [Abstract]) and (b) one or more configuration settings of the resource group (“metrics associated with the communications between various resources of virtualization infrastructure.  In some examples, the resources depicted in the graphical user interfaces include the physical devices, such as servers (also referred to herein as "nodes," "compute nodes," and "hosts"), that communicate via an underlay computer network that transports communications among the resources.  In some examples, one or more of the resources depicted in the graphical user interfaces include virtual resources, such as one or more virtual servers and/or one or more virtual routers.” [0032]);
in response to (a) receiving a first packet at a collection of fast path packet processing nodes (“Packets received by virtual router 30A of server 12A” [0047]; Fig. 1) configured for the packet processing pipeline and (b) determining by the collection of fast path processing nodes (“SDN controller 132 manages the network and networking services such load balancing, security, and allocate resources from servers 12 to various applications via southbound API 133.” [0044]) that the first packet satisfies one or more requirements of the configuration settings (“the one or more policy rules describe security or firewall rules, and based on the one or more security or firewall rules, each policy agent 139 may allow or deny network traffic between categories described by the one or more tags.  In other examples, each of the one or more policy rules describe one or more firewall, network, application, or global policy rules.” [0090]) and a criterion for fast path processing (“Each of flow tables 126 includes flow table entries that each match one or more flows that may traverse virtual router forwarding plane 128 and include a forwarding policy for application to matching flows.  For example, virtual router forwarding plane 128 attempts to match packets processed by routing instance 122A to one of the flow table entries of flow table 126A.  If a matching flow table entry exists for a given packet, virtual router forwarding plane 128 applies the flow actions specified in a policy to the packet.  This may be referred to as "fast-path" packet processing.” [0122]); and
in response to (a) receiving a second packet at the collection (“Packets received by virtual router 30A of server 12A” [0047]; Fig. 1), performing one or more packet processing operations of the packet processing at one or more fast path packet processing nodes of the collection (“Each of flow tables 126 includes flow table entries that each match one or more flows that may traverse virtual router forwarding plane 128 and include a forwarding policy for application to matching flows.  For example, virtual router forwarding plane 128 attempts to match packets processed by routing instance 122A to one of the flow table entries of flow table 126A.  If a matching flow table entry exists for a given packet, virtual router forwarding plane 128 applies the flow actions specified in a policy to the packet.  This may be referred to as "fast-path" packet processing.” [0122]); and
in response to (a) receiving a second packet at the collection of fast path packet processing nodes and (b) determining by the collection of fast path processing nodes  (“SDN controller 132 manages the network and networking services such load balancing, security, and allocate resources from servers 12 to various applications via southbound API 133.” [0044]) that the second packet does not satisfy the criterion for fast path processing (“If a matching flow table entry does not exist for the packet, the packet may represent an initial packet for a new packet flow and virtual router forwarding plane 128 may request VN agent 35 to install a flow table entry in the flow table for the new packet flow.  This may be referred to as "slow-path" packet processing for initial packets of packet flows and is represented in FIG. 4 by slow path 140.” [0122]), transmitting by one of fast path packet processing nodes (e.g. “SDN controller”, “servers 12A-12X”) the second packet to the exception path target (“If a matching flow table entry does not exist for the packet, the packet may represent an initial packet for a new packet flow and virtual router forwarding plane 128 may request VN agent 35 to install a flow table entry in the flow table for the new packet flow.  This may be referred to as "slow-path" packet processing for initial packets of packet flows and is represented in FIG. 4 by slow path 140.” [0122]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Morrow’s filtered router flag value in an information packet for packet-based communication networks to include Chitalia’s method for monitoring and improving performance of cloud data centers and computer networks in order to maximize virtualization efficiency (Chitalia [0004]).
Morrow and Chitalia do not specifically teach a packet processing pipeline.
In an analogous art, Modelski discloses in response to (a) receiving a first packet at a collection of fast path packet processing nodes configured for the packet processing pipeline (“A method for routing a data packet comprising: receiving the packet at a first device;  producing at least one thread associated with routing the packet, the thread including a sequence of instructions;  assigning a thread identifier (TID) to each of the threads and maintaining an activity status for each thread;  for each instruction, selecting a pipeline from a plurality of processing pipelines such that no instruction in the selected pipeline depends on a preceding instruction because every instruction in the selected pipeline is associated with a different thread;  executing the instructions in the selected pipelines;  and transmitting the packet from the first device to a second device.” [Claim 1 txt]) and (b) determining by the collection of fast path packet processing nodes (“Methods and apparatuses consistent with the principles of the present invention, as embodied and broadly described herein, provide for a multi-thread packet processor which processes data packets using a multi-threaded pipelined machine, wherein no instruction depends on a preceding instruction because each instruction in the pipeline is executed for a different thread.  
The multi-thread packet processor transfers a data packet from a flexible data input buffer to a packet task manager, dispatches the data packet from the packet task manager to a multi-threaded pipelined analysis machine, classifies the data packet in the analysis machine, modifies and forwards the data packet in a packet manipulator.” [0007]) that the first packet satisfies one or more requirements of the configuration settings and a criterion for fast path processing (“In addition to enhancing processor throughput, improvements in routing performance may be achieved by partitioning the routing process into two processing classes: fast path processing and slow path processing.  Partitioning the routing process into these two classes allows for network routing decisions to be based on the characteristics of each process.  Routing protocols, such as, Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), have different requirements than the fast-forwarding Internet Protocol (FFIP).” [0005]); and
in response to (a) receiving a second packet at the collection, performing one or more packet processing operations of the packet processing pipeline (“The multi-thread packet processor includes an analysis machine having multiple pipelines, wherein one pipeline is dedicated to directly manipulating individual data bits of a bit field, a packet task manager, a packet manipulator, a global access bus including a master request bus and a slave request bus separated from each other and pipelined, an external memory engine, and a hash engine.” [Abstract]; [0047]) at one or more fast path packet processing nodes of the collection (“A method for routing a data packet comprising: receiving the packet at a first device;  producing at least one thread associated with routing the packet, the thread including a sequence of instructions;  assigning a thread identifier (TID) to each of the threads and maintaining an activity status for each thread;  for each instruction, selecting a pipeline from a plurality of processing pipelines such that no instruction in the selected pipeline depends on a preceding instruction because every instruction in the selected pipeline is associated with a different thread;  executing the instructions in the selected pipelines;  and transmitting the packet from the first device to a second device.” [Claim 1 txt]); and
in response to (a) receiving a second packet at the collection of fast path packet processing nodes and (b) determining by the collection of fast path packet processing nodes (“multi-thread packet processor which processes data packets using a multi-threaded pipelined machine,” [0007]) that the second packet does not satisfy the criterion for fast path processing (“In addition to enhancing processor throughput, improvements in routing performance may be achieved by partitioning the routing process into two processing classes: fast path processing and slow path processing.  Partitioning the routing process into these two classes allows for network routing decisions to be based on the characteristics of each process.” [0005]), transmitting by one of fast path processing nodes (“The present invention generally relates to communication system architecture and, more particularly, to packet processing architecture employed within a communication network that provides fast path processing and enhanced flexibility/adaptability of packet processors.  The inventive packet processing architecture will hereinafter be referred to as route switch packet architecture.” [0013]) the second packet to the exception path target (“Routing protocols, such as, Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), have different requirements than the fast-forwarding Internet Protocol (FFIP).” [0005]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Morrow’s filtered router flag value in an information packet for packet-based communication networks, as modified by Chitalia, to include Modelski’s multi-thread packet processor which processes data packets using a multi-threaded pipelined machine in order to establish an efficient pipeline for fast path packet processing “This invention generally relates to the field of data communications and data processing architectures.  More particularly, the present invention relates to a novel multi-thread packet processor for rapidly processing data packets.” Modelski [0001]. Thus, a person of ordinary skill would have appreciated the ability to incorporate multi-thread packet processor which processes data packets using a multi-threaded pipelined machine into Morrow’s filtered router flag value in an information packet since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Regarding claim 7
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, wherein the second packet belongs to a particular packet flow, the method further comprising performing, at the one or more computing devices:
obtaining, at the particular fast path packet processing node from the exception path target, subsequent to said transmitting the second packet, an indication of one or more additional packet processing operations to be performed for subsequent packets of the particular packet flow;
caching, at the particular fast path packet processing node, an executable version of the one or more additional packet processing operations; and
performing, at the particular fast path packet processing node using the executable version, the one or more additional packet processing operations on one or more subsequent packets of the particular packet flow.
The scope and subject matter of method claim 7 is drawn to the method of using the corresponding apparatus claimed in claim 3. Therefore method claim 7 corresponds to apparatus claim 3 and is rejected for the same reasons of obviousness as used in claim 3 rejection above.

Regarding claim 8
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, 
Chitalia further discloses wherein a packet processing node of the collection has a resource usage limit (“By monitoring internal processor metrics to identify resources shared within the processor of a server as consumed by elements including software processes executing on hardware cores internal to the processor, policy controller 23 of data center 10A may identify virtual machines 36, containers, and/or processes that are consuming shared resources in manner that may adversely affect the performance of other virtual machines 36, containers, and/or processes executing on that server.” [0074]), and wherein the exception path target is configured to perform a packet processing operation whose resource usage exceeds the resource usage limit (“By identifying processes that may be adversely affecting the operation of other processes, policy controller 23 of data center 10A may take steps to address how such processes operate or use shared resources, and as a result, improve the aggregate performance of virtual machines, containers, and/or processes executing on any given server, and/or improve the operation of all servers 12 collectively.  Accordingly, as a result of identifying processes adversely affecting the operation of other processes and taking appropriate responsive actions, virtual machines 36 may perform computing operations on servers 12 more efficiently, and more efficiently use shared resources of servers 12.  By performing computing operations more efficiently and more efficiently using shared resources of servers 12, data center 10A may perform computing tasks more quickly and with less latency.” [0074]. One skilled in the art can easily set up a predetermined policy/rule to select an exception path target configured to perform a packet processing operation whose resource usage exceeds the resource usage limit).
Morrow also suggests manipulating the P flag 326 to circumvent a packet processing operation whose resource usage exceeds the resource usage limit (“The "P" flag bit 326 switches the information packet to the slow-path for further inspection when a per-flow function is provisioned for an interface. Such an interface may exist between an over-provisioned Local Area Network (LAN) and WAN or any bandwidth-constrained shared link.  The "P" flag bit 326 is used by network analysis tools and per-flow resource management.” Col. 6, lines 43-60).

Regarding claim 9
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 8, 
Chitalia further discloses wherein the resource usage limit comprises one or more of: (a) a memory limit, (b) a compute resource limit, or (c) a program instruction count limit (“each virtual machine uses shared resources of servers 12 (e.g., classifications could be CPU-bound, cache-bound, memory-bound).” [0059] and furthermore “Policy agent 35A may determine, based on the monitored metrics, that one or more values exceed a threshold set by or more policies 202 received from policy controller 23.  For instance, policy agent 35A may determine whether CPU usage exceeds a threshold set by a policy (e.g., server 12A CPU usage>50%).  In other examples policy agent 35A may evaluate whether one or more metrics is less than a threshold value (e.g., if server 12A available disk space<20%, then raise an alert), or is equal to a threshold value (e.g., if the number of instances of virtual machines 36 equals 20, then raise an alert).” [0068]).

Regarding claim 10
 	Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, further comprising performing, by the one or more computing devices:
Morrow further discloses accessing, by the exception path target a security artifact (i.e. “security key”) to perform one or more operations associated with the second packet (“The "S" flag 327 allows key exchange and security associations to be established by leveraging the trust relationship and security associations of the routing system itself, facilitating the establishment of security associations between an arbitrary set of endpoints along a path using a single roundtrip message exchange.” Col. 6, lines 61-67), wherein the security artifact is inaccessible at the one or more fast path packet processing nodes (where the security S flag 327 is used in conjunction with the P flag for example).

Regarding claim 11
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, further comprising performing, at the one or more computing devices:
Morrow further discloses examining, at the exception path target, contents of a body of the second packet, wherein packet processing operations performed at the one or more fast path packet processing nodes (a) include reading contents of one or more headers of network packets (i.e. “address header information in the information packet”) and (b) do not include reading contents of bodies of network packets (“Network processors handle the basic routing functions by quickly processing (sometimes called "parsing") address header information in the information packet and then forwarding the information packet to the next hop destination as specified by an address stored in a route cache entry in the processor.  This lower-level processing and forwarding of an information packet is sometimes referred to as the "fast-path" processing.” col. 2, lines 61-67).

Regarding claim 12
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, further comprising performing, at the one or more computing devices:
Chitalia further discloses automatically instantiating, by a control plane component of a packet processing service (“Virtual router forwarding plane 128 executes the "forwarding plane" or packet forwarding functionality of the virtual router 120 and VN agent 35 executes the "control plane" functionality of the virtual router 120.” [0121]; [0083]) based on analysis of one or more metrics, an additional exception path target resource (“By monitoring internal processor metrics to identify resources shared within the processor of a server as consumed by elements including software processes executing on hardware cores internal to the processor, policy controller 23 of data center 10A may identify virtual machines 36, containers, and/or processes that are consuming shared resources in manner that may adversely affect the performance of other virtual machines 36, containers, and/or processes executing on that server.” [0074]).

Regarding claim 13
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, 
Morrow further discloses wherein determining that the second packet does not satisfy the criterion for fast path processing comprises determining that a cache stored at the one or more fast path packet processing nodes does not include an entry indicating an executable program to be implemented to perform a packet processing operation (“Some routers are comprised of two types of components.  The first type of component is the network processor.  Network processors handle the basic routing functions by quickly processing (sometimes called "parsing") address header information in the information packet and then forwarding the information packet to the next hop destination as specified by an address stored in a route cache entry in the processor.  This lower-level processing and forwarding of an information packet is sometimes referred to as the "fast-path" processing. The second type of component in a router is signaling processors.  If an information packets header address is not found in the route cache, higher-level processing may be required for matching the address with the routing table and forwarding the packet from the signaling processor. Additionally, some information packets require more extensive processing due to security, quality of service, or other control functions that require processing and/or implementation prior to forwarding of the information packet. This higher-level processing and forwarding of information packets is sometimes referred to as the "slow-path" processing.” Col. 2, line 60 thru col. 3, line 32).

Regarding claim 14
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, further comprising performing, at the one or more computing devices:
Morrow further discloses obtaining, via a programmatic interface (“processing an information packet on an interface.” [Claim 12 txt]), program code representing a packet processing operation of the one or more packet processing operations performed with respect to the first packet at a fast path processing node (“The information packet 100 also contains a variable length data field (DF) 120 that contains the actual information being transmitted from the originating device to the destination device.  Address data in the address header 110 can be retrieved by routers using fast-path processing” col. 4, lines 63-67).
Modelski further discloses obtaining, via a programmatic interface, program code representing a packet processing operation of the one or more packet processing operations performed with respect to the first packet at a fast path processing node (“As each 64-bit word of packet data moves down the pipeline, an associated micro-instruction is read from the instruction memory.  This instruction follows the word through each stage of the pipeline, controlling the hardware at each stage.  The pipeline stages include alignment, Job Packet data merge, Info Store data merge, arithmetic operations, checksum checking, and generation.  When PM 126 finishes processing a packet, the packet is passed on to FDOB 162, and requests for statistics updates are sent to an IME 122,152.” [0244]).

Regarding claim 16 (Currently Amended)
One or more non-transitory computer-accessible storage media storing program instructions that when executed on or across one or more processors cause one or more computer systems to:
obtain (a) an indication of one or more packet processing operations to be implemented for at least a subset of packets sent from or to a resource group and (b) one or more configuration settings of the resource group;
in response to (a) receiving a first packet at a collection of fast path packet processing nodes configured for the resource group, (b) determining by the collection of fast path packet processing nodes that the first packet satisfies one or more requirements indicated in the one or more configuration settings and (c) determining by the collection of fast path packet processing nodes that the first packet satisfies a criterion for fast path processing, perform the one or more packet processing operations at one or more fast path packet processing nodes of the collection; and
in response to (a) receiving a second packet at the collection of fast path packet processing nodes and (b) determining by the collection of fast path packet processing nodes that the second packet does not satisfy the criterion for fast path processing, transmitting by one of fast path packet processing nodes the second packet to an exception path target.
The scope and subject matter of non-transitory computer readable medium claim 16 is drawn to the computer program product of using the corresponding method claimed in claim 6. Therefore computer program product claim 16 corresponds to method claim 6 and is rejected for the same reasons of obviousness as used in claim 6 rejection above.

Regarding claim 17
The one or more non-transitory computer-accessible storage media as recited in claim 16, storing further program instructions that when executed on or across one or more processors further cause one or more computer systems to:
obtain, at the particular fast path packet processing node from the exception path target, subsequent to transmitting the second packet, an indication of one or more additional packet processing operations to be performed for subsequent packets of a particular packet flow to which the second packet belongs;
cache, at the particular fast path packet processing node, an executable version of the one or more additional packet processing operations; and
perform, at the particular fast path packet processing node using the executable version, the one or more additional packet processing operations on one or more subsequent packets of the particular packet flow.
The scope and subject matter of non-transitory computer readable medium claim 17 is drawn to the computer program product of using the corresponding method claimed in claim 7. Therefore computer program product claim 17 corresponds to method claim 7 and is rejected for the same reasons of obviousness as used in claim 7 rejection above.

Regarding claim 18
The one or more non-transitory computer-accessible storage media as recited in claim 16, wherein a fast path packet processing node of the collection has a resource usage limit, and wherein the exception path target is configured to perform a packet processing operation whose resource usage exceeds the resource usage limit.
The scope and subject matter of non-transitory computer readable medium claim 18 is drawn to the computer program product of using the corresponding method claimed in claim 8. Therefore computer program product claim 18 corresponds to method claim 8 and is rejected for the same reasons of obviousness as used in claim 8 rejection above.

Regarding claim 19
The one or more non-transitory computer-accessible storage media as recited in claim 16, wherein the exception path target is configured to access a security artifact used for processing associated with the second packet, wherein the security artifact is inaccessible at the one or more fast path packet processing nodes.
The scope and subject matter of non-transitory computer readable medium claim 19 is drawn to the computer program product of using the corresponding method claimed in claim 10. Therefore computer program product claim 19 corresponds to method claim 10 and is rejected for the same reasons of obviousness as used in claim 10 rejection above.

Regarding claim 20
The one or more non-transitory computer-accessible storage media as recited in claim 16, storing further program instructions that when executed on or across one or more processors further cause one or more computer systems to:
examine, at the exception path target, contents of a body of the second packet, wherein packet processing operations performed at the one or more fast path packet processing nodes (a) include reading contents of one or more headers of network packets and (b) do not include reading contents of bodies of network packets.
The scope and subject matter of non-transitory computer readable medium claim 20 is drawn to the computer program product of using the corresponding method claimed in claim 11. Therefore computer program product claim 20 corresponds to method claim 11 and is rejected for the same reasons of obviousness as used in claim 11 rejection above.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Morrow, in view of Chitalia and Modelski, and further in view of Brandwine et al. US Patent 9384029 (hereinafter “Brandwine”). 
Regarding claim 15
Morrow, as modified by Chitalia and Modelski, previously discloses the method as recited in claim 6, further comprising performing, at the one or more computing devices:
Morrow, Chitalia, and Modelski do not specifically teach causing, at the exception path target, execution of at least a portion of one or more of: (a) a custom routing algorithm, (b) a network address translation algorithm, (c) a multicast algorithm, (d) a source substitution algorithm, (e) an algorithm for transmitting packets from one isolated virtual network of a virtualized computing service to another isolated virtual network, (f) an algorithm for transferring data securely to or from a virtual private network, (g) an intrusion detection algorithm, (h) a bandwidth usage tracking algorithm, (i) a load balancing algorithm, (j) an algorithm for secure transmission of data between a provider network data center and a premise external to the provider network, (k) a data exfiltration detection algorithm, (l) a secure session termination protocol, or (l) a proprietary algorithm implementing business logic of an application.
In an analogous art, Brandwine discloses a variety of packets routing algorithms (“the Route Manager module determines virtual network routes based on the user configuration and/or network configuration data.  In some embodiments, routing protocols or the route determination algorithms of the routing protocols, such as BGP, OSPF, RIP, EIGRP or the like, can be used to determine virtual routes.” Col. 14, lines 1-6).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Morrow’s filtered router flag value in an information packet for packet-based communication networks, as modified by Chitalia and Modelski, to include Brandwine’s method for the management of virtual machine instances in order to efficiently maximize virtualization of resources “With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware rather than actual routers.  As the scale and scope of data centers has increased, provisioning and managing the physical and virtual computing resources of a data center has become increasingly complicated. Specifically, in one aspect, a third party data center provider may host a number of virtual machine instances on a single physical computing device in which at least some of the virtual machine instances are associated with different third party users, or customers.  As such, it may be possible that some virtual machine instances may expose other, non-associated virtual machine instances to disruptive, prohibited, or otherwise non-approved actions/behavior.” Brandwine, col. 1, lines 37-50. Thus, a person of ordinary skill would have appreciated the ability to incorporate Brandwine’s method for the management of virtual machine instances into Morrow’s filtered router flag value in an information packet since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHUONG M NGUYEN whose telephone number is (571)272-8184.  The examiner can normally be reached on M-F 8:00am - 4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Andrew Lai can be reached on 571-272-9741.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHUONG M NGUYEN/Patent Examiner, Art Unit 2411

/ANDREW LAI/Supervisory Patent Examiner, Art Unit 2411