Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/05/2020 has been entered.
 
	This Allowance is in response to the amendment filed 10/05/2020 (amending claims 1, 4, 5, 8, 11, 12, 15, 17, and 18) and the Examiner’s Amendment (amending claims 1, 5, 8, 12, 15, and 18) detailed below.  Claims 1-5, 8-12, and 15-18 are pending.  Claims 1 (a method), 8 (a machine), and 15 (a non-transitory CRM) are independent.


EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jun Li (Reg. No. 70,074) on 4/29/2021.




1.	(Currently Amended)  A method, comprising:
	configuring a firewall at a first computing device, wherein, in response to determining that a data packet received from a second computing device is unencrypted and that the data packet comprises a particular destination port, the firewall is configured to initiate the first computing device to establish a secured connection with the second computing device; 
	detecting, at the first computing device, the data packet received from the second computing device; 
	in response to determining the data packet being unencrypted and the data packet comprising the particular destination port, establishing the secured connection between the first computing device and the second computing device; and
	in response to establishing the secured connection between the first computing device and the second computing device, communicating encrypted data packets with the second computing device using the secured connection, wherein the communicating encrypted data packets with the second computing device using the secured connection comprises:
receiving an encrypted data packet from the second computing device;
determining that associates with a security parameter index (SPI), wherein the SPI indicates a security association (SA) associated with the secured connection, the first tag indicates that the second computing device has a verified identity, and the first tag is different than the SPI; and
accepting the encrypted data packet based on matching the first tag with a pre-configured second tag.

2.	(Original) The method of claim 1, wherein the firewall is configured in an operating system of the first computing device.



4.	(Previously Presented) The method of claim 3, wherein establishing the secured connection includes generating the SA for the secured connection; wherein the method further comprising:
	determining that the second computing device has the verified identity based on information exchanged during Internet Key Exchange (IKE) of the IPsec; and 
	in response to determining that the second computing device has the verified identity, associating the first tag with the SA to indicate the verified identity of the second computing device. 

5.	(Currently Amended) The method of claim 4, 
	wherein the firewall is further configured to include [[a]] the second tag, and the firewall accepts the encrypted data packet in response to determining that the first tag matches the second tag configured in the firewall.

6-7.	(Cancelled) 
	
8.	(Currently Amended) A first computing device, comprising:
a memory; and 
at least one hardware processor communicatively coupled with the memory and configured to:
		configure a firewall at the first computing device, wherein, in response to determining that a data packet received from a second computing device is unencrypted and that the data packet comprises a particular destination port, the firewall is configured to initiate the first computing device to establish a secured connection with the second computing device; 
		detect the data packet at the first computing device, wherein the data packet is received from the second computing device; 

in response to establishing the secured connection between the first computing device and the second computing device, communicate encrypted data packets with the second computing device using the secured connection, wherein the at least one hardware processor is configured to:
receive an encrypted data packet from the second computing device;
determine that associates with a security parameter index (SPI), wherein the SPI indicates a security association (SA) associated with the secured connection, the first tag indicates that the second computing device has a verified identity, and the first tag is different than the SPI; and
accept the encrypted data packet based on matching the first tag with a pre-configured second tag.

9.	(Original) The first computing device of claim 8, wherein the firewall is configured in an operating system of the first computing device.

10.	(Original) The first computing device of claim 8, wherein the secured connection is established using Internet Protocol Security (IPsec).

11.	(Previously Presented) The first computing device of claim 10, wherein establishing the secured connection includes generating the SA for the secured connection; wherein the at least one hardware processor is further configured to:
	determine that the second computing device has the verified identity based on information exchanged during Internet Key Exchange (IKE) of the IPsec; and 
	in response to determining that the second computing device has the verified identity, associate the first tag with the SA to indicate the verified identity of the second computing device. 

12.	(Currently Amended) The first computing device of claim 11, wherein 
	the firewall is further configured to include [[a]] the second tag, and the firewall accepts the encrypted data packet in response to determining that the first tag matches the second tag configured in the firewall.

13-14.	(Cancelled) 

15.	(Currently Amended) A non-transitory computer-readable medium containing instructions which, when executed, cause a first computing device to perform operations comprising:
	configuring a firewall at a first computing device, wherein, in response to determining that a data packet received from a second computing device is unencrypted and that the data packet comprises a particular destination port, the firewall is configured to initiate the first computing device to establish a secured connection with the second computing device; 
	detecting the data packet at the first computing device, wherein the data packet is received from the second computing device; 
	in response to determining the data packet being unencrypted and the data packet comprising the particular destination port, establishing the secured connection between the first computing device and the second computing device; and
	in response to establishing the secured connection between the first computing device and the second computing device, communicating encrypted data packets with the second computing device using the secured connection, wherein the communicating encrypted data packets with the second computing device using the secured connection comprises:
receiving an encrypted data packet from the second computing device;
determining that associates with a security parameter index (SPI), wherein the SPI indicates a security association (SA) associated with the secured connection, the first tag indicates that the 
accepting the encrypted data packet based on matching the first tag with a pre-configured second tag.

16.	(Original)  The non-transitory computer-readable medium of claim 15, wherein the secured connection is established using Internet Protocol Security (IPsec).
17.	(Previously Presented)  The non-transitory computer-readable medium of claim 16, wherein establishing the secured connection includes generating the SA for the secured connection; wherein the operations further comprise:
	determining that the second computing device has the verified identity based on information exchanged during Internet Key Exchange (IKE) of the IPsec; and 
	in response to determining that the second computing device has the verified identity, associating the first tag with the SA to indicate the verified identity of the second computing device.  

18.	(Currently Amended)  The non-transitory computer-readable medium of claim 17, wherein 
	the firewall is further configured to include [[a]] the second tag, and the firewall accepts the encrypted data packet in response to determining that the first tag matches the second tag configured in the firewall.

19-20.	(Cancelled)  
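The mechanism recited in claims 1, 4 and 5 (and repeated for the device and medium in claims 8-12 and 15-18) can be illustrated with a small simulation. The Python below is an added example written for this page; it is not code from the application, from the Windows 2000 NPL references, or from any reference cited on the PTO-892. The trigger port (5000), the tag string, the pre-shared-key stand-in for IKE authentication, the HMAC integrity check in place of ESP, and the peer, packet and SA class names are all assumptions chosen so that the example runs offline. It shows the claimed sequence: a plaintext packet to the particular destination port causes the first device to negotiate an SA with the peer; the SA is selected on receipt by its SPI but carries a separate tag only if the peer's identity was verified during the (toy) IKE; and an encrypted packet is accepted only when the SA selected by its SPI carries the tag the firewall was pre-configured with.

```python
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed parameters (not from the application): the "particular destination
# port" that triggers SA establishment, and the tag value given to verified peers.
TRIGGER_PORT = 5000
VERIFIED_TAG = "peer-identity-verified"

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes
    spi: int | None = None    # present only on encrypted (ESP-style) packets
    icv: bytes | None = None  # integrity check value computed under the SA key

@dataclass
class SecurityAssociation:
    spi: int                  # selects the SA on receipt; it is not the tag
    peer: str
    key: bytes
    tag: str | None = None    # the "first tag": set only if IKE verified the peer

def _icv(key: bytes, spi: int, payload: bytes) -> bytes:
    return hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Peer:
    """Second computing device: answers the toy IKE and sends ESP-style packets."""
    def __init__(self, addr: str, psk: bytes):
        self.addr, self.psk, self.sas = addr, psk, {}

    def ike_auth(self, nonce: bytes) -> bytes:
        # Toy IKE authentication: prove knowledge of the PSK over the initiator's nonce.
        return hmac.new(self.psk, nonce, hashlib.sha256).digest()

    def send_encrypted(self, spi: int, payload: bytes) -> Packet:
        return Packet(self.addr, 0, payload, spi=spi, icv=_icv(self.sas[spi].key, spi, payload))

class FirstDevice:
    """First computing device: OS-level firewall plus an SA database keyed by SPI."""
    def __init__(self, peers: dict[str, Peer], psks: dict[str, bytes],
                 trusted: set[str], configured_tag: str):
        self.peers = peers                    # reachable peers (stands in for the network)
        self.psks = psks                      # IKE credentials the device can authenticate
        self.trusted = trusted                # identities that earn the verified tag
        self.configured_tag = configured_tag  # the "pre-configured second tag"
        self.sad: dict[int, SecurityAssociation] = {}

    def establish_sa(self, peer: Peer) -> SecurityAssociation | None:
        """Toy IKE: authenticate the peer, negotiate SPI and key, then tag the SA."""
        nonce, psk = os.urandom(16), self.psks.get(peer.addr)
        if psk is None or not hmac.compare_digest(
                peer.ike_auth(nonce), hmac.new(psk, nonce, hashlib.sha256).digest()):
            return None                       # IKE authentication fails: no SA is created
        spi = int.from_bytes(os.urandom(4), "big") or 1
        sa = SecurityAssociation(spi, peer.addr, os.urandom(32),
                                 tag=VERIFIED_TAG if peer.addr in self.trusted else None)
        self.sad[spi] = peer.sas[spi] = sa    # both ends install the same SA
        return sa

    def firewall(self, pkt: Packet) -> str:
        if pkt.spi is None:                   # unencrypted packet
            if pkt.dst_port != TRIGGER_PORT:
                return "pass-plaintext"
            if not any(sa.peer == pkt.src for sa in self.sad.values()):
                self.establish_sa(self.peers[pkt.src])
            # The claims do not say what becomes of the triggering plaintext packet;
            # this example drops it and relies on the newly negotiated SA.
            return "trigger-sa"
        sa = self.sad.get(pkt.spi)
        if sa is None or sa.peer != pkt.src:
            return "drop-unknown-spi"
        if not hmac.compare_digest(_icv(sa.key, pkt.spi, pkt.payload), pkt.icv or b""):
            return "drop-bad-icv"
        if sa.tag != self.configured_tag:     # the tag gate, independent of the SPI
            return "drop-tag-mismatch"
        return "accept"

def run_scenario() -> dict[str, str]:
    good, other = Peer("10.0.0.2", b"psk-good"), Peer("10.0.0.3", b"psk-other")
    rogue = Peer("10.0.0.4", b"psk-unknown-to-first-device")
    dev = FirstDevice({p.addr: p for p in (good, other, rogue)},
                      {good.addr: good.psk, other.addr: other.psk}, {good.addr}, VERIFIED_TAG)
    out = {"plain_other_port": dev.firewall(Packet(good.addr, 22, b"ssh")),
           "plain_trigger": dev.firewall(Packet(good.addr, TRIGGER_PORT, b"hi"))}
    good_spi = next(iter(good.sas))
    out["enc_verified"] = dev.firewall(good.send_encrypted(good_spi, b"secret"))
    tampered = good.send_encrypted(good_spi, b"secret")
    tampered.payload = b"tamper"              # ICV no longer matches the payload
    out["enc_tampered"] = dev.firewall(tampered)
    dev.firewall(Packet(other.addr, TRIGGER_PORT, b"hi"))   # IKE succeeds, SA stays untagged
    out["enc_untrusted"] = dev.firewall(other.send_encrypted(next(iter(other.sas)), b"x"))
    dev.firewall(Packet(rogue.addr, TRIGGER_PORT, b"hi"))   # IKE fails, no SA at all
    out["rogue_has_sa"] = "yes" if rogue.sas else "no"
    unknown_spi = next(s for s in range(1, 10) if s not in dev.sad)
    out["enc_unknown_spi"] = dev.firewall(Packet(good.addr, 0, b"x", spi=unknown_spi, icv=b"\0" * 32))
    return out
```

Calling run_scenario() exercises the distinctions the claims draw: the verified peer's encrypted packets are accepted; an authenticated but untrusted peer's packets are dropped at the tag check even though their SPI selects a valid SA and their integrity check passes (the SPI alone is not the gate); a peer that cannot complete IKE never gets an SA; and a packet whose SPI selects no SA, or whose integrity check fails, is dropped before the tag is consulted.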





Reasons for Allowance
The following is an examiner's statement of reasons for allowance: Applicant's remarks filed 10/05/2020 are persuasive.  The features of Windows 2000 as disclosed by the various NPL references ("Step-by-Step Guide to Internet Protocol Security (IPSec)" and "Securing Windows 2000 Communications with IP Security Filters") do not disclose the amended claims filed 10/05/2020.  Significantly, the references do not disclose a tag separate from the security parameter index.  Further, the aspects of the tag clarified by the Examiner's amendment accepted on 4/29/2021 are also not shown by the Windows 2000 NPL references.  An updated search was performed which discovered references of relevance (see PTO-892), specifically:
Keromytis, Angelos, "Tagging Data in the Network Stack: mbuf_tags," discloses the mbuf_tags interface of OpenBSD, where the tags are stated to be assigned to packet flows and thereafter to be used in filtering decisions.
Karrer, Roger, "EC: an edge-based architecture against DDoS attacks and malware spread," discloses adding session-specific tags to IP headers of authenticated packets for filtering decisions.
Buer et al., US 2004/0143734, discloses a system where a flow tag has been used to identify the unique "flow" for a packet.
Raleigh et al., US 2014/0140213, discloses flow tagging and later making service decisions based on the flow tag.

However, none of the newly cited references alone or in combination with those previously made of record anticipate or reasonably render obvious the combination of .

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/MICHAEL W CHAO/Examiner, Art Unit 2492