DETAILED ACTION
This office action is a response to a communication made on 12/18/2020.
Claims 1-9, and 11-20 are currently amended.
Claims 1-20 are pending for this application.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. 15946213, filed on 04/17/2017.


Response to Arguments
Applicant: Applicant’s arguments, see remarks on pages 9-10, filed 12/18/2020: applicant argues that “Sandhir cannot establish an encrypted layer-2 communication with a remote device based on a MACsec protocol, and operating two different engines for the MACsec protocol while operating as the same port access entity (PAE) requires specific implementation of the MACSec protocol” as recited in claims 1, 5 and 8.
Examiner: Applicant's arguments filed 12/18/2020 have been fully considered but they are not persuasive. Examiner respectfully disagrees. Tony teaches an encrypted layer-2 communication with a remote device based on a MACsec protocol because the network and link layers (i.e. encrypted layer 2) 26 of the reference model accommodate many different real networks, subnetworks, and links with the 
Sandhir teaches a secondary engine as a failover in the event the primary routing engine fails; however, the secondary engine of Sandhir is not the encrypted layer-2 communication. Tony teaches operating the MACsec capable device as a same port access entity (PAE) of the MACsec protocol for the encrypted layer-2 communication because port access entity (PAE): The protocol entity associated with a Port. It can support the protocol functionality associated with the Authenticator, the Supplicant, or both, page 8, ll. 30-31; the value of MAC_Enabled for the Controlled Port is the same as that of the controlledPortEnabled parameter set by the PAE, see page 30, section 6.4.3 PAC management; The network and link layers (i.e. encrypted layer 2) 26 of the reference model accommodate many different real networks, subnetworks, and links with the requirements for bandwidth, multiplexing, security, and other aspects of communication differing from network to network. A given service, e.g. the MAC Service, is often provided by a number of protocols, layered to achieve the desired result, and the data link layer (i.e. encrypted layer 2), as originally envisaged by the OSI reference model, contained no addressing and caused some involved in its development to reject the idea of LANs at the link layer, page 196, Section D.4 Service access points, interface stacks, and ports; establishing a secure encrypted association between multiple MAC entities, wherein the encrypted layer-2 communication is the secure encrypted association between multiple MAC entities, page 198, Section D.8.


Applicant: Applicant’s arguments, see remarks on pages 10-11, filed 12/18/2020: applicant argues that “Sandhir does not disclose an implementation of the MACSec protocol, Sandhir cannot suggest how such a state machine can be maintained by routing engines 22 and 32 of Sandhir… applicant respectfully submits that, unless a router implements a primary routing machine and a backup routing machine specifically for the MACSec protocol, it is technically infeasible to implement a standard designed for a single routing engine on a routing device operating on two routing engines...” as recited in claims 1, 5 and 8.
Examiner: Applicant's arguments filed 12/18/2020 have been fully considered but they are not persuasive. Examiner respectfully disagrees. Sandhir teaches a network device such as Router 20 as a security device, which is a MACSec device, see Fig. 2. Sandhir also teaches that router 20 may be a multi-chassis router in which multiple routing nodes are physically coupled and configured to operate as a single routing node, see Col. 7, ll. 34-37. So, both the primary and secondary routing engines are configured to manage protocol stacks 44 and 46 as MACsec protocols, and operate the router as a MACSec capable device. The difference between Sandhir and the current application is whether the secondary engine would work as the same PAE; however, the secondary engine of Sandhir is not the PAE for the encrypted layer-2 communication. Tony teaches The network and link layers (i.e. encrypted layer 2) 26 of the reference model accommodate many different real networks, subnetworks, and links with the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Sandhir’s system to operate the MACsec capable device (i.e. router 20) as a same port access entity (PAE) of the MACsec protocol for the encrypted layer-2 communication, as taught by Tony, because MACsec provides secure encryption at Layer 2 by ensuring complete data confidentiality, and the router would then be used especially for the MACsec protocol to enable the same Port Access Entity (PAE).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sandhir et al. (US 7940650B1), hereinafter “Sandhir”, in view of Tony Jefree et al. (IEEE Computer Society, “802.1X-2010 - IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control”, Revision .)

With respect to claim 1, Sandhir discloses a method comprising: 
establishing, by a Media Access Control (MAC) Security (MACsec) capable device (Fig. 2, network device such as Router 20 as security device, Col. 7, ll. 65-66, i.e. One or more routing protocols implemented by routing process 26 establish peer routing sessions with other routers), wherein the MACsec capable device comprises a primary MACsec management engine and a secondary MACsec management engine (see Fig. 2, primary routing engine 22 as primary management engine and secondary routing engine 32 as secondary management engine), both of which configured to manage the MACsec protocol (Fig. 2, see protocols 44 and 46), wherein the secondary MACsec management engine is configured to operate as a failover component for the primary MACsec management engine (Col. 5, ll. 32-36, “one or more standby routing engines. In the event of a Switchover, i.e. when the primary routing engine of router 6A fails or otherwise needs to be shut down, one of the standby routing engines assumes control over routing resources and routing functionality generally.”);
synchronizing data related to the parameter with the secondary MACsec management engine (Col. 5, ll. 36-40, i.e. Prior to the Switchover, the primary and standby routing engines Synchronize their respective state information to allow the standby routing engine to assume control of the router resources without having to relearn state information), thereby allowing the secondary MACsec management engine to remain in a state as the primary MACsec management engine (Col. 5, ll. 36-40, i.e. the primary and standby routing engines Synchronize their respective state information to allow the standby routing engine to assume control of the router resources without having to relearn state information);


Sandhir teaches layer 2 communication as data link layer 72 and data link layer 92, each of which receives and sends packets from switch 48 at the data link layer, see Fig. 3, Col. 11, ll. 14-16, and the network device as a router, see Fig. 2. However, Sandhir remains silent on a MACsec security capable device, operating the MACsec capable device as a same port access entity (PAE) of the MACsec protocol for the encrypted layer-2 communication, an encrypted layer-2 communication with a remote MACsec capable device based on a MACsec protocol, determining whether a parameter related to the MACsec protocol has changed; in response to the determination that the parameter related to the MACsec protocol has changed, operating the MACsec capable device as the same PAE, and the PAE of the MACsec protocol in the MACsec capable device.

Tony discloses MACsec security capable devices (page 68, section 9.6 (Use of MACsec), i.e. The 'MACsec desired' parameter is provided to allow a network administrator to deploy MACsec capable systems, to verify their operation), 

an encrypted layer-2 communication with a remote MACsec capable device based on a MACsec protocol (page 196, Section D.4 Service access points, interface stacks, and ports, i.e. The network and link layers (i.e. encrypted layer 2) 26 of the reference model accommodate many different real networks, subnetworks, and links with the requirements for bandwidth, multiplexing, security, and other aspects of communication differing from network to network. A given service, e.g. the MAC Service, is often provided by a number of protocols, layered to 
determining whether a parameter related to the MACsec protocol has changed (page 73, Section 9.11 (connectivity change detection), i.e. Changes in CA membership represent changes in the topology of a network that would be accompanied by link level indications, if the connectivity association represented by the CA were a LAN supported directly by media access method specific procedures, modeled by changes in the MAC_Operational and OperPointToPointMAC status parameters (IEEE Std 802.1D, IEEE Std 802.1Q). The SecY that operates MACsec detects some of the conditions that cause such topology changes, and notifies the client of its Controlled Port through changes in the status parameters);
in response to the determination that the parameter related to the MACsec protocol has changed (see page 73, Section 9.11 (connectivity change detection));
operate the MACsec capable device as the same PAE (page 20, ll. 34-35, i.e. The PAEs agree the cryptographic keys to be used by their respective MAC Security Entities (SecY’s) that secure communication to and from their Controlled Ports; page 30, Section 6.4.3 PAC management, i.e. MAC_Enabled for the Controlled Port is the same as that of the controlledPortEnabled parameter set by the PAE, see 6.3 Port Access Entity (PAE));
PAE of the MACsec protocol in the MACsec capable device (page 8, ll. 30-31, i.e. port access entity (PAE): The protocol entity associated with a Port.).



For claim 5, it is an apparatus claim corresponding to the method of claim 1. Therefore claim 5 is rejected under the same ground as claim 1. 

For claim 8, it is a non-transitory machine-readable storage medium claim corresponding to the method of claim 1. Therefore claim 8 is rejected under the same ground as claim 1. 

With respect to claim 2, Sandhir in view of Tony discloses the method of claim 1, further comprising: 
determining, from a keepalive packet received from a peer MACsec capable device (Sandhir, Col. 6, ll. 9-11, “the secondary routing engine detects the event (e.g., by way of heartbeat or keep alive signal or explicit message from the primary)”), whether a second parameter related to the MACsec protocol on the peer MACsec capable device has changed (Tony, page 73, Section 9.11 (connectivity 
in response to a change to the second parameter in the peer MACsec capable device (Tony, page 73, Section 9.11 (connectivity change detection)), synchronizing data related to the second parameter with the secondary MACsec management engine (Sandhir, Col. 5, ll. 36-40, i.e. Prior to the Switchover, the primary and standby routing engines Synchronize their respective state information to allow the standby routing engine to assume control of the router resources without having to relearn state information).


With respect to claim 3, Sandhir in view of Tony discloses the method of claim 1, wherein the synchronization comprises: 
storing the data related to the parameter in a first database associated with the primary MACsec management engine (Sandhir, see Fig. 2, routing database 24 as the first database; Tony, page 68, section 9.6 (Use of MACsec)); and 
synchronizing the first database associated with the primary MACsec management engine with a second database associated with the secondary MACsec management engine (Sandhir, Col. 5, ll. 36-40, i.e. the primary and standby routing engines Synchronize their respective state information (i.e. 
wherein the recreation of the latest state further comprises accessing the second database to retrieve the data related to the parameter (Sandhir, Fig. 2, routing database 34 as the second database, Col. 7, ll. 24-27; Tony, page 68, section 9.6 (Use of MACsec); Sandhir, Col. 6, ll. 7-12).

With respect to claim 4, Sandhir in view of Tony discloses the method of claim 1, wherein the synchronization comprises: storing the data related to the parameter in a database accessible from the primary MACsec management engine and the secondary MACsec management engine (Sandhir, Col. 14, ll. 17-21); and
wherein the recreation of the latest state further comprises accessing the database to retrieve the data related to the parameter (Tony, page 65, section 9.4.2 (Member identification and message numbers), i.e. participant to attempt to recover or retrieve that data from its peers when an attacker has to be assumed to be active; page 76, Section 9.16 MKA management, i.e. The PAE management process controls and monitors the operation of the KaY and MKA participants, providing access for network management through the LMI; see page 73, Section 9.11 (connectivity change detection), i.e. notifies the client of its Controlled Port through changes in the status parameters; Sandhir, Col. 6, ll. 7-12).

With respect to claim 6, Sandhir in view of Tony discloses the system of claim 5, wherein the parameter is associated with the PAE and includes one or more of: a controlledPortEnabled, an electedSelf, a Secure Association Key (SAK) Use parameter set, and a Live Peer List (Tony, page 29, section (Port Access Controller (PAC)), i.e. the PAE using the LMI to set the PAC's controlledPortEnabled variable; see page 115, Figure 12-2 CP state machine, i.e. electedSelf; page 2, section 1.3 (Introduction), 

With respect to claims 7 and 9, Sandhir in view of Tony discloses the system of claim 5, wherein the recreation of the latest state further comprises recreating a Controlled Port (CP) State machine state on the MACsec capable device (Tony, page-73, Section 9.11 Connectivity Change detection, i.e. The SecY that operates MACsec detects some of the conditions that cause such topology changes, and notifies the client of its Controlled Port through changes in the status parameters).

With respect to claim 10, Sandhir in view of Tony discloses the storage medium of claim 9, wherein the instructions to recreate the CP State machine state on the MACsec capable device include instructions to: 
determine a status of a controlledPortEnabled parameter (Tony, page-73, Section 9.11 Connectivity Change detection, i.e. notifies the client of its Controlled Port through changes in the status parameters); 
in response to the status of the controlledPortEnabled parameter being true, enable the Controlled Port (CP) State machine state to a Secure state (Tony, page 110, section 12.1 Model of operation, i.e. The CP also controls the port Valid signal, setting it true, when communication through the port is secured by MACsec); 
generate a transmit secure channel (SC) (Tony, page 20, ll. 8-9, i.e. a secure channel that can be used to communicate authorization data to the access controlled port and its clients); and 


With respect to claim 11, Sandhir in view of Tony discloses the storage medium of claim 10, further comprising instructions to: 
determine whether an old Secure Association Key (SAK) is transmitting (Tony, page 166, ll. 23-24, i.e. The key number assigned by the key server to the oldest SAK currently being used for reception); and 
in response to the old SAK is transmitting (Tony, page 166, ll. 23-24, i.e. The key number assigned by the key server to the oldest SAK currently being used for reception), generate a secure association (SA) on the transmit secure channel using the old SAK (Tony, page 2, section 1.3 Introduction, i.e. specifies the generation of the Secure Association Keys (SAKs) used by MACsec).

With respect to claim 12, Sandhir in view of Tony discloses the storage medium of claim 11, further comprising instructions to: 
determine whether the old SAK is transmitting but not receiving (Tony, page 72, section 9.10.1 MKPDU application data, i.e. Old SAKs were not necessarily distributed by the same Key Server); and 
in response to the old SAK is transmitting but not receiving, enable the CP State machine state to an Assert state (Tony, page 72, section 9.10.1 MKPDU application data, i.e. to enable transition from one SAK to the next without frame loss, although only one will be transmitting at any instant; page 110, section 12.1 Model of operation, i.e. The Controlled Port (CP) state machine (Figure 12-2) is responsible for asserting the controlledPortEnabled signal (IEEE Std 802.1AE-2006, 10.7.5) that the PAE uses to control the MAC Operational status of the Controlled Port).


in response to the old SAK is receiving, generate secure associations on receive secure channels using the old SAK (Tony, page 2, section 1.3 Introduction, i.e. specifies the generation of the Secure Association Keys (SAKs) used by MACsec; see page 72, section 9.10.1 MKPDU application data; page 110, section 12.1 Model of operation).

With respect to claim 14, Sandhir in view of Tony discloses the storage medium of claim 10, further comprising instructions to: 
in response to the old SAK is not transmitting, determine a state of a new SAK (Tony, page 68, ll. 13-14, i.e. The CP state machine (Figure 12-2) ensures that a new SAK is not distributed until the Key Server is receiving and transmitting using a single SAK; page 72, section 9.10.1 (MKPDU application data), i.e. The Latest and Old SAKs were not necessarily distributed by the same Key Server, or by the current Key Server. Both can be receiving at the same time).

With respect to claim 15, Sandhir in view of Tony discloses the storage medium of claim 14, further comprising instructions to: 
transition the CP State machine state to a Receiving state (Tony, page 115, see Figure 12-2 CP state machine; see page 110, section 12.1 Model of operation); and 
in response to the new SAK is receiving, generate secure associations for each receive secure channel using a new key (Tony, page 70, ll. 5-7, i.e. The Key Server observes the Lowest Acceptable PN (LLPN) for the Latest Key in use, as transmitted by each CA member, and distributes a fresh SAK whenever a participant advertises an LKI that matches the KI of the key currently being distributed).


determine whether the new SAK is transmitting (Tony, page-112, section 12.2 (KaY interfaces) i.e. newSAK: Set when the Key Server has distributed an SAK to the principal actor); 
in response to the new SAK is not transmitting, determine a status of an electedSelf parameter (Tony, page 68, ll. 1-3; see page 115, Figure 12-2 CP state machine); and 
in response to the electedSelf parameter being true, wait for an allReceiving status (Tony, page 115, See Figure 12-2-CP state machine).

With respect to claim 17, Sandhir in view of Tony discloses the storage medium of claim 16, further comprising instructions to: in response to the status of the electedSelf parameter being false, wait for a serverTransmitting status (Tony, page 115, See Figure 12-2-CP state machine).

With respect to claim 18, Sandhir in view of Tony discloses the storage medium of claim 16, further comprising instructions to: 
transition the CP State machine state to a Transmitting state (Tony, page 115, see Figure 12-2 CP state machine and 12.4.1 CP state machine variables and timer); and 
in response to the new SAK is transmitting, generate a secure association on the transmit secure channel (Tony, page 70, ll. 5-7, i.e. The Key Server observes the Lowest Acceptable PN (LLPN) for the Latest Key in use, as transmitted by each CA member, and distributes a fresh SAK whenever a participant advertises an LKI that matches the KI of the key currently being distributed).
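The following Python model is an added illustration of the procedure recited in claims 1 through 4 (synchronizing PAE parameter data from the primary MACsec management engine to the secondary) and in claims 10 through 18 (recreating the Controlled Port state machine state on the secondary after failover). It is not code from this Office action, from the applicant, from Sandhir, or from the IEEE 802.1X standard; the parameter names controlledPortEnabled, electedSelf, allReceiving and serverTransmitting and the state labels Secure, Assert, Receiving and Transmitting are taken from the claims as recited above, while the class names, field names, the "Disabled" label and the sample key identifiers and peer names are constructed assumptions for this example.

```python
"""Added illustration: PAE parameter synchronisation between a primary and a
secondary MACsec management engine, and recreation of the Controlled Port (CP)
state-machine state on the secondary after a switchover.  Class and field names
and all sample values are assumptions made for this example."""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class PaeParameters:
    """PAE parameters the primary engine synchronises with the secondary."""
    controlled_port_enabled: bool = False
    elected_self: bool = False            # true when this PAE is the Key Server
    old_sak: Optional[str] = None         # assumed key identifier of the old SAK
    old_sak_transmitting: bool = False
    old_sak_receiving: bool = False
    new_sak: Optional[str] = None         # assumed key identifier of the new SAK
    new_sak_transmitting: bool = False
    new_sak_receiving: bool = False
    live_peer_list: tuple = ()
    receive_scs: tuple = ()               # one receive secure channel per live peer


@dataclass
class CpRecreation:
    """Result of rebuilding the CP state: which SAs exist and what is awaited."""
    state: str = "Disabled"               # assumed label for a port that is not enabled
    transmit_sc: bool = False
    transmit_sas: list = field(default_factory=list)  # SAKs installed on the transmit SC
    receive_sas: list = field(default_factory=list)   # (receive SC, SAK) pairs
    waiting_for: Optional[str] = None     # "allReceiving" or "serverTransmitting"


def recreate_cp_state(p: PaeParameters) -> CpRecreation:
    """Rebuild the CP state from synchronised parameters (claims 10 to 18 above)."""
    r = CpRecreation()
    if not p.controlled_port_enabled:     # claim 10: controlledPortEnabled is false
        return r
    r.state, r.transmit_sc = "Secure", True   # claim 10: Secure state, transmit SC
    if p.old_sak_transmitting:            # claim 11: old SAK still transmitting
        r.transmit_sas.append(p.old_sak)
        if not p.old_sak_receiving:       # claim 12: transmitting but not receiving
            r.state = "Assert"
    if p.old_sak_receiving:               # claim 13: SAs on every receive SC
        r.receive_sas += [(sc, p.old_sak) for sc in p.receive_scs]
    if not p.old_sak_transmitting:        # claim 14: examine the new SAK
        r.state = "Receiving"             # claim 15
        if p.new_sak_receiving:
            r.receive_sas += [(sc, p.new_sak) for sc in p.receive_scs]
        if p.new_sak_transmitting:        # claim 18: Transmitting state, transmit SA
            r.state = "Transmitting"
            r.transmit_sas.append(p.new_sak)
        elif p.elected_self:              # claim 16: this PAE is the Key Server
            r.waiting_for = "allReceiving"
        else:                             # claim 17: another PAE is the Key Server
            r.waiting_for = "serverTransmitting"
    return r


class ManagementEngine:
    """One MACsec management engine holding its own parameter database."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.db = PaeParameters()

    def sync_from(self, other: "ManagementEngine") -> None:
        """Copy the peer's database so no state has to be relearned on switchover."""
        self.db = other.db


class MacsecDevice:
    """Device with a primary and a secondary engine acting as one PAE."""
    def __init__(self) -> None:
        self.primary = ManagementEngine("primary")
        self.secondary = ManagementEngine("secondary")

    def parameter_changed(self, **changes) -> None:
        """A PAE parameter changed: store it on the primary, synchronise it (claim 1)."""
        self.primary.db = replace(self.primary.db, **changes)
        self.secondary.sync_from(self.primary)

    def failover(self) -> CpRecreation:
        """The primary fails; the secondary takes over and recreates the CP state."""
        self.primary, self.secondary = self.secondary, self.primary
        return recreate_cp_state(self.primary.db)


def demo() -> CpRecreation:
    """Constructed scenario: a SAK rotation is in progress when the primary fails."""
    dev = MacsecDevice()
    dev.parameter_changed(controlled_port_enabled=True, elected_self=True,
                          live_peer_list=("peer-A", "peer-B"),
                          receive_scs=("rx-sc-A", "rx-sc-B"))
    dev.parameter_changed(old_sak="SAK-1", old_sak_transmitting=True, old_sak_receiving=True)
    # the new SAK is distributed and every peer receives on it, but nobody transmits yet
    dev.parameter_changed(old_sak_transmitting=False, new_sak="SAK-2", new_sak_receiving=True)
    return dev.failover()


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the secondary ends in the Receiving state with receive SAs for both SAKs on each peer's receive SC and, being the elected Key Server, waits for allReceiving before transmitting on the new key; because the secondary's database was copied on every change, none of that state has to be relearned from the peers.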

With respect to claim 19, Sandhir in view of Tony discloses the storage medium of claim 8, wherein the data related to the parameter is part of a keepalive message of a MACsec Key Agreement 

With respect to claim 20, Sandhir in view of Tony discloses the storage medium of claim 8, further comprising instructions to: in response to recreating the latest state associated with the PAE of MACsec protocol at the secondary MACsec management engine (Sandhir, Col. 12, ll. 50-53, i.e. When routing process 26 creates a new socket (i.e. latest state associated with port or socket) for a routing session, Socket layer 60 creates a corresponding socket structure. Once the TCP session is established with the peer, routing process may enable socket replication on this socket; Tony, page 20, ll. 13-14; see page 73, section 9.11 (Connectivity Change detection); see page 100, Figure 11-10 MACsec SAK Use parameter set), send MKA keepalive packets from the MACsec capable device (Sandhir, Col. 6, ll. 9-11, i.e. the secondary routing engine detects the event (e.g., by way of heartbeat or keep alive signal or explicit message from the primary)).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GOLAM MAHMUD whose telephone number is (571)270-0385.  The examiner can normally be reached on Mon-Fri 8.00-5.00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates can be reached on 5712723980.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GOLAM MAHMUD/Examiner, Art Unit 2458


/KEVIN T BATES/Supervisory Patent Examiner, Art Unit 2458