DETAILED ACTION
This Office Action is in response to the response filed March 10, 2021, for application 16/146,713.
Claims 1-16 are currently pending; claims 11, 12, and 15 have been amended; claims 1, 11, and 16 are an independent claim; claims 1-16 have been examined.  
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Action is made FINAL.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/4/2021 and 3/10/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements have been considered by the examiner.
Response to Arguments
The objection to claims 12 and 15 is removed in light of Applicant’s amendment of these claims.  
Claims 11-15 remain interpreted under 35 U.S.C. § 112, Sixth Paragraph / 35 U.S.C. § 112(f)
Applicants’ arguments in the instant Amendment, filed on 3/10/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant argues as follows:  The Office Action stated that Sivaramakrishnan discloses each of the limitations of claim 1 but fails to explicitly disclose:  wherein the host OS networking stack includes an encryption module that executes in kernel space on the first computing device; receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; returning the encapsulated packet to the virtual router. Applicant respectfully submits that this is incorrect. Sivaramakrishnan also fails to disclose either “to the virtual router” or “forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device.”  Sivaramakrishnan cannot disclose “to the virtual router” without providing the context of what is being transmitted to the virtual router. Here Applicant teaches, and recites in claim 1, that the host OS networking stack returns “the encapsulated packet to the virtual router.” The section cited by the Office Action describes the existence of a virtual router and no more. As such, Sivaramakrishnan fails to disclose “to the virtual router.”  Sivaramakrishnan also fails to disclose “forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device.” The section cited in the Office Action for supporting this assertion instead describes the operation of a virtual network stack, which in Sivaramakrishnan does not need to transfer packets between stacks since there is only one stack.
Examiner respectfully disagrees.  Sivaramakrishnan, in col. 8, line 66, through col. 9, line 21, discloses to the virtual router where each virtual router 30 may execute within a hypervisor, a host operating system or other component of each of servers 12.  A router inherently routes.  Route means to send or forward.  FIG. 2, referenced, in col. 8, line 66, through col. 9, line 21, shows virtual router communicatively coupled to switch fabric 14 and virtual networks 34 and virtual machines 36.  Sivaramakrishnan, in col. 9, line 52, through col. 10, line 24, discloses forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device by disclosing Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  A virtual router within the host operating system and encapsulating packets by the virtual router at least suggests that the virtual router forwards packets to the host operating system from the vantage point of the virtual router disposed within a host operating system.
Applicant argues as follows:  Jain describes a virtual network in which the encryption/decryption function is placed in each virtual router (VPN client 130) instead of at the edge 110 of the datacenter 100, as shown in Jain’s Fig. 1. Applicant notes that Sivaramakrishnan shows a similar configuration in virtual router 120 of FIG. 3. As such, Jain adds little to the disclosure of Sivaramakrishnan and fails to address the deficiencies of Sivaramakrishnan detailed above. Neither Sivaramakrishnan nor Jain show, alone or in combination: forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device, wherein the host OS networking stack includes an encryption module that executes in 
Examiner respectfully disagrees.  Sivaramakrishnan, in col. 9, line 52, through col. 10, line 24, discloses forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device by disclosing Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  A virtual router within the host operating system and encapsulating packets by the virtual router at least suggests that the virtual router forwards packets to the host operating system from the vantage point of the virtual router disposed within a host operating system.  Sivaramakrishnan discloses, in col. 8, lines 45-65, wherein the host OS networking stack is connected to the switch fabric operating as an underlay fabric for one or more of the virtual networks by disclosing an overlay network that extends switch fabric 14 from "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network and different layers of the virtual network protocol stack. Jain discloses, in paragraph 0030, receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and encrypt and decrypt data where, under Broadest Reasonable Interpretation, data encompasses source address and destination address.  Jain discloses, in paragraph 0030, returning the encapsulated packet to the virtual router by disclosing “the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.”  Jain discloses, in paragraph 0031 and 0106, wherein the host OS networking stack includes an encryption module that executes in kernel space on the second server by disclosing the encryption/decryption is handled at the host machine 113; having encryption/decryption handled by the host machines; and hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface.
Applicant argues as follows:  That is, neither reference, alone or in combination shows “forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device;” “receiving the forwarded packet at the encryption module [within the host OS networking stack];” “encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; [and] returning the encapsulated packet to the virtual router,” as described by Applicant and as illustrated in FIG. 5 above.
Examiner respectfully disagrees.  Sivaramakrishnan, in col. 9, line 52, through col. 10, line 24, discloses forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  A virtual router within the host operating system and encapsulating packets by the virtual router at least suggests that the virtual router forwards packets to the host operating system from the vantage point of the virtual router disposed within a host operating system.  Jain discloses, in paragraph 0030, receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses by disclosing the host machine 113 uses the key 150 to encrypt and decrypt data where, under Broadest Reasonable Interpretation, data encompasses source address and destination address.  Jain discloses, in paragraph 0030, returning the encapsulated packet to the virtual router by disclosing “the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.”  The test for obviousness is what the combination of references cited by the Examiner teaches or suggests to one of ordinary skill in the art. See In re Merck & Co., 800 F.2d 1091, 1097 (Fed. Cir. 1986).

Applicant argues as follows:  Nakil fails, for instance, to show, alone or in combination with Sivaramakrishnan and/or Jain, “receiving the forwarded packet includes trapping the forwarded packet; and wherein encrypting the packet to form an encapsulated packet includes encrypting the packet using an IPSec kernel and transforming the encrypted packet using Encapsulated Security Payload (ESP),” as recited in claim 3, since 
Examiner respectfully disagrees.  Nakil discloses, in paragraph 0160, wherein receiving the forwarded packet includes trapping the forwarded packet by disclosing virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets.  Jain discloses, in paragraph 0076, wherein encrypting the packet to form an encapsulated packet includes encrypting the packet using an IPSec kernel by disclosing in paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated; in paragraph 0059, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  processes the packet into an IPSec packet with IPSec header.”; and in paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  Jain discloses, in paragraph 0076, 0029, 0073, and 0074, transforming the encrypted packet using Encapsulated Security Payload (ESP) by disclosing the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated
Applicant argues as follows:  Similarly, Nakil fails to show, alone or in combination with Sivaramakrishnan and/or Jain, “wherein forwarding the packet includes ... writing the VXLAN packet to the encryption module via an encryption module interface,” as recited in claim 7.
Examiner respectfully disagrees.  Jain discloses, in paragraph 0081, to the encryption module via an encryption module interface by disclosing the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.  Nakil discloses, in paragraph 0189, wherein forwarding the packet includes: creating an IP/MPLS packet Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.  Nakil discloses, in paragraph 0189, writing the IP/MPLS packet  to the encryption module via an encryption module interface “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”  The test for obviousness is what the combination of references cited by the Examiner teaches or suggests to one of ordinary skill in the art. See In re Merck & Co., 800 F.2d 1091, 1097 (Fed. Cir. 1986).
The Examiner respectfully suggests that the claim be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


Claims 11-15  are interpreted under 35 U.S.C. 112(f) as reciting means-plus functions
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 

(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
virtual network controller configured to configure and manage  and first server is configured to receive, forward, receive, return, and transmit in claim 11;  the first server is further configured to create in claim 12;  the first server is further configured to trap in claim 13;  wherein the second server is configured to: receive; forward; receive; return; and transmit in claim 14; wherein the second server is configured to: receive; receive and decrypt; return; and transmit in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.  Paragraph 0115 of the specification discloses “The techniques described herein, including in the preceding any of sections, may be implemented in hardware, software, firmware, or any combination thereof. Various features described as modules, units or components may be implemented together in an integrated logic device or separately as discrete but interoperable logic devices or other hardware devices. In some cases, various features of electronic circuitry may be implemented as one or more integrated circuit devices, such as an integrated circuit chip or chipset.”
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing 
Claims 1, 2, 11, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sivaramakrishnan (US9356866), filed March 26, 2014, in view of Jain (US20170033924), filed July 31, 2015.
Regarding claim 1, Sivaramakrishnan discloses a method comprising: receiving a packet at a virtual router (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”);
the virtual router executing in kernel space of a first computing device in a virtual network stack connected to a virtual network fabric (Sivaramakrishnan, col. 12, line 23, through col. 13, line 4, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Eth0 114A and Eth1 114B represent devices according to a software device model and provide device driver software routines for handling packets for receipt/transmission by corresponding NICs 106.  Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106.”), 
the packet including a source address and a destination address, the destination address associated with a virtual machine executing on a second computing device (Sivaramakrishnan, col. 10, lines 25-33, “For example, virtual machine 36 VM1 sends a packet 41, an "inner packet," virtual router 30A by an internal link.  Virtual router 30A uses NFT.sub.1 to look up a virtual network destination network address for packet 41.  NFT.sub.1 specifies an outbound interface for virtual router 30A and encapsulation for packet 41.  Virtual router 30A applies the encapsulation to add a tunnel header to generate outer packet 43 and outputs outer packet 43 on the outbound interface, in this case toward TOR switch 16A.”; col. 22, lines 5-22, “In this case, flow table entries 304 have symmetric field pairs source IP address 308A and destination IP address 308B as well as source port 308C and destination port 308D.  Accordingly, e.g., destination IP address 308B of flow table entry 304D for the reverse flow is the source IP address 308A of flow table entry 304C and source IP address 308A of flow table entry 304D for the reverse flow is the destination IP address 308A of flow table entry 304C.  Virtual router agent 104 may determine a separate policy, P2, for the reverse flow and specify the policy in policy field 308E for flow table entry 304D matching the reverse flow.”);
forwarding the packet from the virtual router to a host operating system (OS) networking stack associated with a host OS operating on the first computing device (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
wherein the host OS networking stack is connected to a physical network fabric operating as an underlay fabric for the virtual network fabric (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
to the virtual router (Sivaramakrishnan, col. 8, line 66, through col. 9, line 21, “Each virtual router 30 may execute within a hypervisor, a host operating system or other component of each of servers 12.  Each of servers 12 may represent an x86 or other general-purpose or special-purpose server capable of executing virtual machines 36.  In the example of FIG. 2, virtual router 30A executes within hypervisor 31, also often referred to as a virtual machine manager (VMM), which provides a virtualization platform that allows multiple operating systems to concurrently run on one of servers 12.”);
transmitting the encapsulated packet from the virtual router to the virtual machine associated with the destination address via the physical network fabric (Sivaramakrishnan, col. 9, lines 52, through col. 10, line 6, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.”).
Sivaramakrishnan discloses to the virtual router, but does not explicitly disclose wherein the host OS networking stack includes an encryption module that executes in kernel space on the first computing device; receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; returning the encapsulated packet to the virtual router.
However, in an analogous art, Jain discloses wherein the host OS networking stack includes an encryption module that executes in kernel space on the first computing device (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”);
returning the encapsulated packet to the virtual router (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jain with the system/method/ non-transitory computer readable medium of Sivaramakrishnan to include wherein the host OS networking stack includes an encryption module that executes in kernel space on the first computing device; receiving the forwarded packet at the encryption module and encrypting the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; returning the encapsulated packet to the virtual router. 
One would have been motivated to provide users with the benefits of being provided external access to computer and networking resources (Jain: paragraph 0005)
Regarding claim 2, Sivaramakrishnan and Jain disclose the method of claim 1.  Sivaramakrishnan and Jain disclose wherein the method further comprises: receiving the encapsulated packet at a virtual router of the second computing device (Sivaramakrishnan, col. 11, lines 22-45, “FIG. 3 is a block diagram illustrating a computing device that executes an example virtual router for virtual networks according to techniques described herein.  Computing device 100 may represent any of servers 12 of FIGS. 1-2 or other device, such as any of TOR switches 16.     Computing device 100 includes in this example a system bus 142 coupling hardware components of a computing device 100 hardware environment.  System bus 142 couples memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 having a plurality of processing cores 108A-108J (collectively, "processing cores 108").  Network interface cards 106 include interfaces configured to exchange packets using links of an underlying physical network.”);
the virtual router executing in kernel space of the second computing device in a virtual network stack connected to the virtual network fabric (Sivaramakrishnan, col. 12, line 23, through col. 13, line 4, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Eth0 114A and Eth1 114B represent devices according to a software device model and provide device driver software routines for handling packets for receipt/transmission by corresponding NICs 106.  Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106.”);
forwarding the encapsulated packet from the virtual router of the second computing device to a host operating system (OS) networking stack associated with a host OS operating on the second computing device (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the second computing device (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
wherein the host OS networking stack is connected to the physical network fabric (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
receiving the forwarded encapsulated packet at the encryption module and (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”);
decrypting the forwarded encapsulated packet to form a decrypted packet that preserves the source and destination addresses (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”; paragraph 0061, “At the first stage labeled `1`, the VM 231 produces the packet 770, which includes the application data 771 and IP header data 772.  In some embodiments, such header can includes destination IP address, source IP addresses, source port, destination port, source MAC address, and destination MAC address.”);
returning the decrypted packet to the virtual router of the second computing device (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”); and
transmitting the decrypted packet from the virtual router of the second computing device to the virtual machine of the second computing device associated with the destination address of the decrypted packet (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”) (Jain, paragraphs 0010, 0029)
Regarding claim 11, Sivaramakrishnan discloses a network system comprising (Sivaramakrishnan, col. 4, lines 7-34, “In another example, a network system includes a switch fabric comprising a plurality of switches interconnected to form a physical network.  The network system also includes a virtual network controller device configured to configure and manage one or more virtual networks within the physical network.  The network system also includes a plurality of servers interconnected by the switch fabric, wherein each of the servers comprises an operating environment executing one or more virtual machines in communication via the one or more virtual networks, and wherein the servers execute at least one virtual router configured to extend the one or more virtual networks to the operating environments of the virtual machines.  The network system also includes a network interface card of a server of the plurality of servers configured to receive a tunnel packet associated with a virtual network of the plurality of virtual networks, wherein the tunnel packet comprises an outer header associated with the physical network, the outer header encapsulating an inner packet comprising an inner header associated with the virtual network and a payload.  The network system also includes a second processing core of a plurality of processing cores of the server, and a first processing core of the plurality of processing cores of the server configured to perform, based at least on one of the outer header and inner header of the tunnel packet, a first packet steering operation to identify the second processing core, wherein the second processing core is configured to forward the inner packet to a virtual machine of the virtual machines.”);
a switch fabric comprising a plurality of switches interconnected to form a physical network (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
a virtual network controller configured to configure and manage one or more virtual networks within the physical network (Sivaramakrishnan, col. 10, lines 7-24, “As noted above, virtual network controller 22 provides a logically centralized controller for facilitating operation of one or more virtual networks within data center 10.  Virtual network controller 22 may, for example, maintain a routing information base, e.g., one or more routing tables that store routing information for the physical network as well as one or more overlay networks of data center 10.”);
(Sivaramakrishnan, col. 8, line 66, through col. 9, line 26, “Each virtual router 30 may execute within a hypervisor, a host operating system or other component of each of servers 12.  Each of servers 12 may represent an x86 or other general-purpose or special-purpose server capable of executing virtual machines 36.  In the example of FIG. 2, virtual router 30A executes within hypervisor 31, also often referred to as a virtual machine manager (VMM), which provides a virtualization platform that allows multiple operating systems to concurrently run on one of servers 12.  In the example of FIG. 2, virtual router 30A manages virtual networks 34, each of which provides a network environment for execution of one or more virtual machines (VMs) 36 on top of the virtualization platform provided by hypervisor 31.  Each VM 36 is associated with one of the virtual networks VN0-VN1 and may represent tenant VMs running customer applications such as Web servers, database servers, enterprise applications, or hosting virtualized services used to create service chains.  In some cases, any one or more of servers 12 or another computing device may host customer applications directly, i.e., not as virtual machines.  Virtual machines as referenced herein, e.g., VMs 36, 110, and servers 12 or a separate computing device that hosts a customer application may alternatively referred to as "hosts."”);
in a virtual network stack connected to one or more of the virtual networks (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”; col. 12, line 23, through col. 13, line 4, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Eth0 114A and Eth1 114B represent devices according to a software device model and provide device driver software routines for handling packets for receipt/transmission by corresponding NICs 106.  Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106.”);
wherein each virtual router is configured to extend the one or more virtual networks to the operating environments of the virtual machines (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
wherein the first server is configured to: receive, at the virtual router of the first server, a packet sent from one of the one or more virtual machines executing on the first server (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”), 
(Sivaramakrishnan, col. 10, lines 25-33, “For example, virtual machine 36 VM1 sends a packet 41, an "inner packet," virtual router 30A by an internal link.  Virtual router 30A uses NFT.sub.1 to look up a virtual network destination network address for packet 41.  NFT.sub.1 specifies an outbound interface for virtual router 30A and encapsulation for packet 41.  Virtual router 30A applies the encapsulation to add a tunnel header to generate outer packet 43 and outputs outer packet 43 on the outbound interface, in this case toward TOR switch 16A.”; col. 22, lines 5-22, “In this case, flow table entries 304 have symmetric field pairs source IP address 308A and destination IP address 308B as well as source port 308C and destination port 308D.  Accordingly, e.g., destination IP address 308B of flow table entry 304D for the reverse flow is the source IP address 308A of flow table entry 304C and source IP address 308A of flow table entry 304D for the reverse flow is the destination IP address 308A of flow table entry 304C.  Virtual router agent 104 may determine a separate policy, P2, for the reverse flow and specify the policy in policy field 308E for flow table entry 304D matching the reverse flow.”),
forward the packet from the virtual router of the first server to a host OS networking stack associated with the host OS executing in kernel space of the first, server (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack is connected to the switch fabric operating as an underlay fabric for one or more of the virtual networks (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
to the virtual router (Sivaramakrishnan, col. 8, line 66, through col. 9, line 21, “Each virtual router 30 may execute within a hypervisor, a host operating system or other component of each of servers 12.  Each of servers 12 may represent an x86 or other general-purpose or special-purpose server capable of executing virtual machines 36.  In the example of FIG. 2, virtual router 30A executes within hypervisor 31, also often referred to as a virtual machine manager (VMM), which provides a virtualization platform that allows multiple operating systems to concurrently run on one of servers 12.”);and 
transmit the encapsulated packet from the virtual router to the destination address via the switch fabric (Sivaramakrishnan, col. 9, lines 52, through col. 10, line 6, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.”).
Sivaramakrishnan discloses in a virtual network stack connected to one or more of the virtual networks and to the virtual router, but does not explicitly disclose wherein a virtual router executes in kernel space on each server in a virtual network stack connected to one or more of the virtual networks; wherein the host OS networking stack includes an encryption module that executes in kernel space on the first server; receive the forwarded packet at the encryption module and encrypt the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; return the encapsulated packet to the virtual router.
However, in an analogous art, Jain discloses wherein a virtual router executes in kernel space on each server in a virtual network stack connected to one or more of the virtual networks  (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the first server (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”) and;
receive the forwarded packet at the encryption module and encrypt the forwarded packet to form an encapsulated packet that preserves the source and destination addresses (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”),
return the encapsulated packet to the virtual router (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jain with the system/method/ non-transitory computer readable medium of Sivaramakrishnan to include wherein a virtual router executes in kernel space on each server in a virtual network stack connected to one or more of the virtual networks; wherein the host OS networking stack includes an encryption module that executes in kernel space on the first server; receive the forwarded packet at the encryption module and encrypt the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; return the encapsulated packet to the virtual router. 
 (Jain: paragraph 0005).
Regarding claim 15, Sivaramakrishnan and Jain disclose the network system of claim 11, wherein the second server is configured to receive the encapsulated packet at the virtual router of the second server (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”);
forward the packet from the virtual router of the second server to a host OS networking stack associated with the host OS executing in kernel space of the second server (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the second server (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
and wherein the host OS networking stack is connected to the switch fabric operating as an underlay fabric for one or more of the virtual networks (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
receive the forwarded encapsulated packet at the encryption module (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”);
(Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”; paragraph 0061, “At the first stage labeled `1`, the VM 231 produces the packet 770, which includes the application data 771 and IP header data 772.  In some embodiments, such header can includes destination IP address, source IP addresses, source port, destination port, source MAC address, and destination MAC address.”);
return the decrypted packet to the virtual router of the second server (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”); and 
transmit the decrypted packet from the virtual router of the second server to the virtual machine of the second server device associated with the destination address of the decrypted packet (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 16, Sivaramakrishnan discloses a non-transitory computer-readable medium comprising instructions for causing one or more programmable processors of a computing device to  (Sivaramakrishnan, col. 7, lines 4-22, “In some examples, the computer-readable storage media may comprise non-transitory media.  The term "non-transitory" may indicate that the storage medium is not embodied in a carrier wave or a propagated signal.  In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in RAM or cache).”):
receive, at a virtual router executing within a virtual network stack in kernel space of the computing device (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”; col. 12, line 23, through col. 13, line 4, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Eth0 114A and Eth1 114B represent devices according to a software device model and provide device driver software routines for handling packets for receipt/transmission by corresponding NICs 106.  Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106.”), 
a packet from a virtual machine executing on the computing device, the packet including a source address and a destination address, wherein the virtual network stack includes an interface to a virtual network fabric (Sivaramakrishnan, col. 10, lines 25-33, “For example, virtual machine 36 VM1 sends a packet 41, an "inner packet," virtual router 30A by an internal link.  Virtual router 30A uses NFT.sub.1 to look up a virtual network destination network address for packet 41.  NFT.sub.1 specifies an outbound interface for virtual router 30A and encapsulation for packet 41.  Virtual router 30A applies the encapsulation to add a tunnel header to generate outer packet 43 and outputs outer packet 43 on the outbound interface, in this case toward TOR switch 16A.”; col. 22, lines 5-22, “In this case, flow table entries 304 have symmetric field pairs source IP address 308A and destination IP address 308B as well as source port 308C and destination port 308D.  Accordingly, e.g., destination IP address 308B of flow table entry 304D for the reverse flow is the source IP address 308A of flow table entry 304C and source IP address 308A of flow table entry 304D for the reverse flow is the destination IP address 308A of flow table entry 304C.  Virtual router agent 104 may determine a separate policy, P2, for the reverse flow and specify the policy in policy field 308E for flow table entry 304D matching the reverse flow.”);
forward the packet from the virtual router executing within the virtual network stack to a host operating system (OS) networking stack associated with a host OS operating on the computing device (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”),
wherein the host OS networking stack includes an encryption module that executes in kernel space on the computing device (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”), 
wherein the host OS networking stack includes an interface to a physical network fabric operating as an underlay fabric for the virtual network fabric (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
to the virtual router (Sivaramakrishnan, col. 8, line 66, through col. 9, line 21, “Each virtual router 30 may execute within a hypervisor, a host operating system or other component of each of servers 12.  Each of servers 12 may represent an x86 or other general-purpose or special-purpose server capable of executing virtual machines 36.  In the example of FIG. 2, virtual router 30A executes within hypervisor 31, also often referred to as a virtual machine manager (VMM), which provides a virtualization platform that allows multiple operating systems to concurrently run on one of servers 12.”); 
transmit the encapsulated packet from the virtual router to the virtual machine associated with the destination address via the physical network fabric (Sivaramakrishnan, col. 9, lines 52, through col. 10, line 6, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.”).
Sivaramakrishnan discloses to the virtual router, but does not explicitly disclose receive the forwarded packet at the encryption module and encrypt the forwarded packet to form an encapsulated packet that preserves the source and destination addresses; return the encapsulated packet to the virtual router.
However, in an analogous art, Jain discloses receive the forwarded packet at the encryption module and encrypt the forwarded packet to form an encapsulated packet that (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”); 
return the encapsulated packet to the virtual router (Jain, paragraph 0030, “Likewise, the host machine 113 uses the key 150 to encrypt and decrypt data to and from the VPN connection 195 for the application 123.  As illustrated, the application 120 produces a packet 170.  A crypto engine 160 in the VPN client 130 encrypts the packet 170 into an encrypted packet 172 by using the encryption key 150.  The encrypted packet 172 travels through the Internet to reach the edge 110 of the datacenter 100.  The edge 110 forwards the encrypted packet 172 to the host machine 113 by e.g., routing and/or encapsulating the encrypted packet.  The host machine 113 has a crypto engine 165 that uses the encryption key 150 to decrypt the routed encrypted packet 172 into a decrypted packet 176 for the VM 143, which is running the application 123.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jain with the system/method/ non-transitory computer readable medium of Sivaramakrishnan to include 
One would have been motivated to provide users with the benefits of being provided external access to computer and networking resources (Jain: paragraph 0005).

Claims 3-9 and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Sivaramakrishnan (US9356866), filed March 26, 2014, in view of Jain (US20170033924), filed July 31, 2015, and further in view of Nakil (US20150244617), 371 date December 5, 2014.
Regarding claim 3, Sivaramakrishnan and Jain disclose the method of claim 1.
Jain discloses wherein encrypting the packet to form an encapsulated packet includes encrypting the packet using an IPSec kernel  (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”) and 
transforming the encrypted packet using Encapsulated Security Payload (ESP) (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP)”) (Jain, paragraphs 0029, 0073, 0074).
Sivaramakrishnan and Jain do not explicitly disclose wherein receiving the forwarded packet includes trapping the forwarded packet.
However, in an analogous art, Nakil discloses wherein receiving the forwarded packet includes trapping the forwarded packet (Nakil, paragraph 0160, “Virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets, e.g. using one of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), etc.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Nakil with the system/method/ non-transitory computer readable medium of Sivaramakrishnan and Jain to include wherein receiving the forwarded packet includes trapping the forwarded packet. 
 (Nakil: paragraphs 0076 and 0160).
Regarding claim 4, Sivaramakrishnan and Jain disclose the method of claim 1.  Jain discloses to the encryption module via an encryption module interface (Jain, paragraph 0081,”The VTEP at the destination host decapsulates the packet and forwards only the original inner data packet to the destination VM.  In some embodiments, the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.”).
Sivaramakrishnan and Jain disclose to the encryption module via an encryption module interface, but do not explicitly disclose wherein forwarding the packet includes: creating an IP/MPLS packet and writing the IP/MPLS packet to the encryption module via an encryption module interface.
However, in an analogous art, Nakil discloses wherein forwarding the packet includes: creating an IP/MPLS packet (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”); and
writing the IP/MPLS packet  to the encryption module via an encryption module interface (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Nakil with the system/method/ non-transitory computer readable medium of Sivaramakrishnan and Jain to include wherein forwarding the packet includes: creating an IP/MPLS packet and writing the IP/MPLS packet to the encryption module via an encryption module interface. 
One would have been motivated to provide users with the benefits of trapping packets to facilitate rapid response to events of interest (Nakil: paragraphs 0076 and 0160).
Regarding claim 5, Sivaramakrishnan, Jain, and Nakil disclose the method of claim 4.  Nakil discloses wherein receiving the forwarded packet includes trapping the forwarded IP/MPLS packet(Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”) (Nakil, paragraph 0160, “Virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets, e.g. using one of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), etc.”); and
wherein encrypting the packet to form an encapsulated packet includes encrypting the IP/MPLS (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”) (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”).  
Jain discloses packet using an IPSec kernel (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”) and 
 (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP)”) (Jain, paragraphs 0029, 0073, 0074).
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 6, Sivaramakrishnan, Jain, and Nakil disclose the method of claim 5.  Sivaramakrishnan, Jain and Nakil disclose 
receiving the encapsulated packet at a virtual router of the second computing device (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”)
the virtual router executing in kernel space of the second computing device in a virtual network stack connected to the virtual network fabric (Sivaramakrishnan, col. 12, line 23, through col. 13, line 4, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Eth0 114A and Eth1 114B represent devices according to a software device model and provide device driver software routines for handling packets for receipt/transmission by corresponding NICs 106.  Packets received by NICs 106 from the underlying physical network fabric for the virtual networks may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for one of NICs 106.”);
forwarding the encapsulated packet from the virtual router of the second computing device to a host operating system (OS) networking stack associated with a host OS operating on the second computing device (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the second computing device (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
wherein the host OS networking stack is connected to the physical network fabric (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
receiving the forwarded encapsulated packet at the encryption module (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”); and 
decrypting the forwarded encapsulated packet to form a decrypted packet that preserves the source and destination addresses (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”; paragraph 0061, “At the first stage labeled `1`, the VM 231 produces the packet 770, which includes the application data 771 and IP header data 772.  In some embodiments, such header can includes destination IP address, source IP addresses, source port, destination port, source MAC address, and destination MAC address.”);
returning the decrypted packet to the virtual router of the second computing device (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”); and 
transmitting the decrypted packet from the virtual router of the second computing device to the virtual machine of the second computing device associated with the destination address of the decrypted packet (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”).
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 7, Sivaramakrishnan and Jain disclose the method of claim 1.  Jain discloses writing the VXLAN packet to the encryption module via an encryption module interface (Jain, paragraph 0081,”The VTEP at the destination host decapsulates the packet and forwards only the original inner data packet to the destination VM.  In some embodiments, the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.”).
Sivaramakrishnan and Jain do not explicitly disclose wherein forwarding the packet includes: creating a VXLAN packet.
However, in an analogous art, Nakil discloses wherein forwarding the packet includes: creating a VXLAN packet (Nakil, paragraph 0187, “A VxLAN Tunnel End Point is a tunnel endpoint that generates VxLAN packet 280 to include tunnel header 296, which includes an outer IP header composed of source IP address 282 ("SRC IP 282"), destination IP address 284 ("DST IP 284"), Time-to-Live field 286 having a value for multiple instances of VxLAN packet 280 incrementally increasing according to techniques described above with respect to, e.g., FIG. 6, and IP protocol field 287 that defines the protocol used in the data portion of the IP datagram (here, UDP); an outer UDP header composed of source UDP port 288 ("SRC PORT 288") and destination UDP port 290 ("DST PORT 290"); and a VxLAN header that includes VxLAN network identifier (VNI) 292 ("VNI 292") (alternatively referred to as a VxLAN segment identifier).”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Nakil with the system/method/ non-transitory computer readable medium of Sivaramakrishnan and Jain to include wherein forwarding the packet includes: creating a VXLAN packet. 
One would have been motivated to provide users with the benefits of trapping packets to facilitate rapid response to events of interest (Nakil: paragraphs 0076 and 0160).
Regarding claim 8, Sivaramakrishnan, Jain, and Nakil disclose the method of claim 7.  Sivaramakrishnan, Jain, and Nakil disclose wherein receiving the forwarded packet includes trapping the forwarded VXLAN packet (Nakil, paragraph 0160, “Virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets, e.g. using one of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), etc.”); and 
wherein encrypting the packet to form an encapsulated packet includes encrypting the VXLAN packet using an IPSec kernel (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”) and 
transforming the encrypted packet using Encapsulated Security Payload (ESP) (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP)”).  The motivation is the same as that of the claim from which this claim depends.

Regarding claim 9, Sivaramakrishnan, Jain, and Nakil disclose the method of claim 8.  Sivaramakrishnan, Jain, and Nakil disclose wherein the method further comprises: 
receiving the encapsulated packet at a virtual router of the second computing device (Sivaramakrishnan, col. 11, lines 22-45, “FIG. 3 is a block diagram illustrating a computing device that executes an example virtual router for virtual networks according to techniques described herein.  Computing device 100 may represent any of servers 12 of FIGS. 1-2 or other device, such as any of TOR switches 16.     Computing device 100 includes in this example a system bus 142 coupling hardware components of a computing device 100 hardware environment.  System bus 142 couples memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 having a plurality of processing cores 108A-108J (collectively, "processing cores 108").  Network interface cards 106 include interfaces configured to exchange packets using links of an underlying physical network.”), 
the virtual router executing in kernel space of the second computing device in a virtual network stack connected to the virtual network fabric (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
forwarding the encapsulated packet from the virtual router of the second computing device to a host operating system (OS) networking stack associated with a host OS operating on the second computing device (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the second computing device (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”);
wherein the host OS networking stack is connected to the physical network fabric (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
receiving the forwarded encapsulated packet at the encryption module (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”); and 
decrypting the forwarded encapsulated packet to form a decrypted packet that preserves the source and destination addresses (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”; paragraph 0061, “At the first stage labeled `1`, the VM 231 produces the packet 770, which includes the application data 771 and IP header data 772.  In some embodiments, such header can includes destination IP address, source IP addresses, source port, destination port, source MAC address, and destination MAC address.”);
returning the decrypted packet to the virtual router of the second computing device (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”); and
transmitting the decrypted packet from the virtual router of the second computing device to the virtual machine of the second computing device associated with the destination address of the decrypted packet  (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”).
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 12, Sivaramakrishnan and Jain disclose the network system of claim 11.  
Jain discloses to an encryption module interface (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”; paragraph 0081,”The VTEP at the destination host decapsulates the packet and forwards only the original inner data packet to the destination VM.  In some embodiments, the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.”).  The motivation is the same as that of the claim from which this claim depends.
Sivaramakrishnan discloses while forwarding the packet from the virtual router of the first server to a host OS networking stack associated with the host OS executing in kernel space of the first server (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”).
Sivaramakrishnan and Jain disclose to an encryption module interface, but do not explicitly disclose wherein the first server is further configured to create an IP/MPLS or VXLAN packet and writing the IP/MPLS or VXLAN packet to an encryption module interface.
However, in an analogous art, Nakil discloses wherein the first server is further configured to create an IP/MPLS or VXLAN packet (Nakil, paragraph 0187, “A VxLAN Tunnel End Point is a tunnel endpoint that generates VxLAN packet 280 to include tunnel header 296, which includes an outer IP header composed of source IP address 282 ("SRC IP 282"), destination IP address 284 ("DST IP 284"), Time-to-Live field 286 having a value for multiple instances of VxLAN packet 280 incrementally increasing according to techniques described above with respect to, e.g., FIG. 6, and IP protocol field 287 that defines the protocol used in the data portion of the IP datagram (here, UDP); an outer UDP header composed of source UDP port 288 ("SRC PORT 288") and destination UDP port 290 ("DST PORT 290"); and a VxLAN header that includes VxLAN network identifier (VNI) 292 ("VNI 292") (alternatively referred to as a VxLAN segment identifier).”; paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”)
and writing the IP/MPLS or VXLAN packet to an encryption module interface (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jain with the system/method/ non-transitory computer readable medium of Sivaramakrishnan to include wherein the first server is further configured to create an IP/MPLS or VXLAN packet and writing the IP/MPLS or VXLAN packet to an encryption module interface. 
One would have been motivated to provide users with the benefits of trapping packets to facilitate rapid response to events of interest (Nakil: paragraphs 0076 and 0160).
Regarding claim 13, Sivaramakrishnan, Jain, and Nakil disclose the network system of claim 12.  Sivaramakrishnan, Jain, and Nakil disclose wherein the first server is further configured to trap the forwarded EP/MPLS or VXLAN packet (Nakil, paragraph 0160, “Virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets, e.g. using one of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), etc.”) (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”; paragraph 0081,”The VTEP at the destination host decapsulates the packet and forwards only the original inner data packet to the destination VM.  In some embodiments, the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.”)
 written to the encryption module interface when receiving the forwarded IP/MPLS (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”) or 
(Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”; paragraph 0081,”The VTEP at the destination host decapsulates the packet and forwards only the original inner data packet to the destination VM.  In some embodiments, the VTEP module serves only as a controller interface for VXLAN encapsulation, while the encapsulation and decapsulation of VXLAN packets is accomplished at the uplink module 1070.”),
wherein encrypting the packet to form an encapsulated packet includes encrypting the IP/MPLS  (Nakil, paragraph 0189, “Although described above with respect to MPLS-in-GRE- and VxLAN-based network virtualization, the techniques of this disclosure may applicable to other network virtualization encapsulation types, including MPLS-in-IP, Network Virtualization using Generic Routing Encapsulation (NVGRE), and others.”) or VXLAN packet using an IPSec kernel (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP).”; paragraph 0059, “As mentioned above by reference to FIGS. 1 and 2, in order to send data packets from its originating application/VM to its destination application/VM through VPN connection and tunnels, the packet has to go through a series of processing operations such as encryption, encapsulation, decryption, and de-capsulation.  In some embodiments, when a packet is generated by an application at a particular datacenter or site, the host machine running the application encrypts the packet with VPN encryption key and then encapsulates the packet (using overlay such as VXLAN) in order to tunnel the to the edge.  The edge in turn processes the packet into an IPSec packet with IPSec header.”; paragraph 0107, “One of ordinary skill in the art will recognize that while the specification refers to VMs, the examples given could be any type of DCNs, including physical hosts, VMs, non-VM containers, and hypervisor kernel network interface modules.  In fact, the example networks could include combinations of different types of DCNs in some embodiments.”) and 
transforming the encrypted packet using Encapsulated Security Payload (ESP) (Jain, paragraph 0076, “Next, the process encapsulates (950) packets based on the identified VNI.  In some embodiments, the encrypted payload of the IPSec is encapsulated under VXLAN format based on the earlier identified information (e.g., destination VNI and VTEP)”).
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 14, Sivaramakrishnan, Jain, and Nakil disclose the network system of claim 13.  Sivaramakrishnan, Jain, and Nakil disclose wherein the second server is configured to: receive the encapsulated packet at the virtual router of the second server (Sivaramakrishnan, col. 7, lines 4-22, “Packets received by the virtual router of server 12A, for instance, from the underlying physical network fabric may include an outer header to allow the physical network fabric to tunnel the payload or "inner packet" to a physical network address for a network interface of server 12A that executes the virtual router.  The outer header may include not only the physical network address of the network interface of the server but also a virtual network identifier such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label that identifies one of the virtual networks as well as the corresponding routing instance executed by the virtual router.”); 
forward the packet from the virtual router of the second server to a host OS networking stack associated with the host OS executing in kernel space of the second server  (Sivaramakrishnan, col. 9, line 52, through col. 10, line 24, “In one example, network packets, e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets generated or consumed by the instances of applications executed by virtual machines 36 within the virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transported by the physical network.  The packet transported in a virtual network may be referred to herein as an "inner packet" while the physical network packet may be referred to herein as an "outer packet" or a "tunnel packet." Encapsulation and/or de-capsulation of virtual network packets within physical network packets may be performed within virtual routers 30, e.g., within the hypervisor or the host operating system running on each of servers 12.  Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”; col. 12, lines 23-48, “Memory 144, network interface cards (NICs) 106A-106B (collectively, "NICs 106"), storage disk 107, and multi-core computing environment 102 provide an operating environment for a software stack that executes a virtual router 120 and one or more virtual machines 110A-110K (collectively, "virtual machines 110").  Virtual machines 110 may represent example instances of any of virtual machines 36 of FIG. 2.”);
wherein the host OS networking stack includes an encryption module that executes in kernel space on the second server (Jain, paragraph 0031, “The application 123 is running on the host machine 113, and the encryption/decryption is handled at the host machine 113 rather than at the edge node 110 (which negotiated the encryption key 150).  Having encryption/decryption handled by the host machines rather than by the edge has the advantage of freeing the edge node from having to perform encryption and decryption for all VPN traffic in and out of the datacenter.”; paragraph 0104, “However, virtual machines are merely one example of data compute nodes (DCNs) or data compute end nodes, also referred to as addressable nodes.  DCNs may include non-virtualized physical hosts, virtual machines, containers that run on top of a host operating system without the need for a hypervisor or separate operating system, and hypervisor kernel network interface modules.”; paragraph 0105, “VMs, in some embodiments, operate with their own guest operating systems on a host using resources of the host virtualized by virtualization software (e.g., a hypervisor, virtual machine monitor, etc.).  The tenant (i.e., the owner of the VM) can choose which applications to operate on top of the guest operating system.  In some embodiments, the host operating system uses name spaces to isolate the containers from each other and therefore provides operating-system level segregation of the different groups of applications that operate within different containers.”; paragraph 0106, “Hypervisor kernel network interface modules, in some embodiments, is a non-VM DCN that includes a network stack with a hypervisor kernel network interface and receive/transmit threads.  One example of a hypervisor kernel network interface module is the vmknic module that is part of the ESXi.TM.  hypervisor of VMware, Inc.”)
and wherein the host OS networking stack is connected to the switch fabric operating as an underlay fabric for one or more of the virtual networks (Sivaramakrishnan, col. 8, lines 45-65, “FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail.  In the example of FIG. 2, data center 10 includes an overlay network that extends switch fabric 14 from physical switches 16, 18 to software or "virtual" switches 30A-30X (collectively, "virtual routers 30").  Virtual routers 30 dynamically create and manage one or more virtual networks 34 usable for communication between application instances.  In one example, virtual routers 30 execute the virtual network as an overlay network, which provides the capability to decouple an application's virtual address from a physical address (e.g., IP address) of the one of servers 12A-12X ("servers 12") on which the application is executing.”; col. 10, lines 7-24, “Similarly, switches 16, 18 and virtual routers 30 maintain routing information, such as one or more routing and/or forwarding tables.  In one example implementation, virtual router 30A of hypervisor 31 implements a network forwarding table (NFT) 32 for each virtual network 34.  In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where data packets are to be forwarded and whether the packets are to be encapsulated in a tunneling protocol, such as with a tunnel header that may include one or more headers for different layers of the virtual network protocol stack.”);
receive the forwarded encapsulated packet at the encryption module (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”)
and decrypt the forwarded encapsulated packet to form a decrypted packet that preserves the source and destination addresses (Jain, paragraph 0068, “FIG. 8 illustrates using partial decryption of the VPN encrypted packet to identify the packet's rightful destination.  The figure illustrates the forwarding of a VPN encrypted packet 870 by the edge 220 of the datacenter 202.”; paragraph 0070, “The edge 220 in turn uses the identified key 252 to decrypt a portion of the encrypted payload 871 of the packet 870, revealing the first few bytes (e.g., the header portion) 873 of the payload.  In some embodiment, the edge 220 would halt the decryption operation once these first few bytes are revealed in some embodiments.  Based on the revealed bytes, the edge determines the identity of the destination and encapsulates the encrypted payload 871 into an encapsulated packet 874 by adding an overlay header 876.  In some embodiments, this encapsulation is for tunneling in overlay logical network such as VXLAN.  The encapsulated packet 874 is tunneled to the destination host machine 222.”; paragraph 0071, “Once the encapsulated packet 874 reaches the host machine 222, the host machine uses the VPN encryption key 252 to decrypt the encrypted payload 871.  The decryption results in a decrypted payload 875, which is provided to the destination VM 262.”; paragraph 0061, “At the first stage labeled `1`, the VM 231 produces the packet 770, which includes the application data 771 and IP header data 772.  In some embodiments, such header can includes destination IP address, source IP addresses, source port, destination port, source MAC address, and destination MAC address.”);
(Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”); and 
transmit the decrypted packet from the virtual router of the second server to the virtual machine of the second server device associated with the destination address of the decrypted packet (Jain, paragraph 0040, “Both the encrypted packet 381 and 382 reaches site D through the edge 313, which forwards the encrypted packet to the host machine 333.  The host machine 333 has a crypto engine 362 that uses the key 350 to decrypt the packets 381 and 382 for a VM 343, which is running the application 339”).
The motivation is the same as that of the claim from which this claim depends.
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Sivaramakrishnan (US9356866), filed March 26, 2014, in view of Jain (US20170033924), filed July 31, 2015, and further in view of Hardman (US20070283339), filed July 22, 2003.
Regarding claim 10, Sivaramakrishnan and Jain disclose the method of claim 1.  Jain discloses that traps packets forwarded to the encryption module (Jain, paragraph 0029) (Nakil, paragraph 0160, “Virtual network switch 174 may also trap interesting layer 2 (L2) packets, broadcast packets, and/or implement proxy for the packets, e.g. using one of Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), etc.”)
(Sivaramakrishnan, col. 13, lines 46-65, “Control information may include, virtual network routes, low-level configuration state such as routing instances and forwarding policy for installation to configuration data 134, VRFs 136, and policies 138.  Virtual router agent 104 may also report analytics state, install forwarding state to FIBs 124 of virtual router forwarding plane 128, discover VMs 110 and attributes thereof.”). The motivation is the same as that of the claim from which this claim depends.  
Sivaramakrishnan and Jain do not explicitly disclose provisioning the host OS to create an IPSec kernel that traps packets forwarded to the encryption module based on states and policies.
However, in an analogous art, Hardman discloses provisioning the host OS to create an IPSec kernel that traps packets forwarded to the encryption module based on states and policies (Hardman, paragraph 0020, “Many other kernel configuration options exist but are not generally relevant to this particular Specification.  Complete configuration and build and install the kernel and kernel modules.  Reboot to the new kernel to test operability.  If the kernel works, build and install the FreeS/WAN IPSEC package which will rebuild the kernel and install the rebuilt kernel.  Reboot to the new kernel to test the kernel, and make a "boot floppy" from this new IPSEC-capable kernel, Unpack, configure, build and install the "PCMCIA-CS" package in a manner appropriate to the intended destination machine and relevant kernel configuration options”; paragraph 0008, “We chose the Linux operating system as it is very robust, and used the Slackware version 7 distribution with a version 2.4.17 kernel rebuilt to incorporate the "FreeSWAN" IPSEC IP-security system for authentication and encryption.”).

One would have been motivated to provide users with the benefits of very rapid installation of operating systems (Hardman: abstract).


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.J.M/Examiner, Art Unit 2439   



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439