DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Ira Matsil on 06/09/2021.

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.


1-23.	(Canceled)

24.	(Currently amended) A method of providing secure communication over end-to-end data paths in a timed deterministic packet network, method comprising: 
	operating a plurality of packet engines including a first processor structured to perform packet handling; 
	centrally controlling, by a cipher engine and key manager (CEKM) including a second processor, a plurality of cipher engines, each cipher engine of the 
	performing, by the plurality of cipher engines, at least one cyber security function.

25.	(Currently amended) The method of claim 24, further comprising[[:]] setting up, by a centralized packet flow path manager (PFPM) endpoint nodes and intermediate transit nodes of the end-to-end data paths of the time deterministic packet network.

26.	(Currently amended) The method of claim 25, further comprising[[:]] selecting, by a first cipher engine of the plurality of cipher engines, bits from a data packet using a programmable bit window, wherein the bits selected according to the programmable bit window identify data packets that are to be processed by the cipher engine, wherein information exchanged between the CEKM and the PFPM is used for configuring the bit window.

27.	(Previously presented) The method of claim 26, wherein the bit window is different at an entry node and an exit node of an end-to-end data path.

28.	(Previously presented) The method of claim 25, wherein the PFPM is communicatively connected to all endpoint nodes and intermediate transit nodes of the time deterministic packet network.

29.	(Previously presented) The method of claim 25, wherein the CEKM is executed on a first server and the PFPM is executed on a second server different from the first server.

30.	(Currently amended) The method of claim 25, further comprising[[:]] restricting information provided by the CEKM to the PFPM.

31.	(Previously presented) The method of claim 29, further comprising: 
	discovering, by the CEKM, hardware defined identifiers of the plurality of cipher engines, and 
	providing, by the CEKM, the hardware defined identifiers to the PFPM, wherein the CEKM provides only the hardware defined identifiers and alarms to the PFPM.

32.	(Currently amended) The method of claim 25, wherein the CEKM receives information relating to a data flow topology of an end-to-end data path from the PFPM for configuring the plurality of cipher engines.

33.	(Previously presented) The method of claim 25, wherein the CEKM and the PFPM communicate via a secure channel.

34.	(Previously presented) The method of claim 24, wherein the CEKM is communicatively connected to each one of the plurality of cipher engines and communicates with each one of the plurality of cipher engines via a secure protocol for configuring the plurality cipher engines or for notification.

35.	(Currently amended) The method of claim 24, further comprising[[:]] pre-shaping, by a packet engine, data packets entering a first cipher engine of the plurality of cipher engines to assure that positions of the data packets in a traffic flow remain unchanged upon passage through the first cipher engine, wherein the data packets are pre-shaped such that time stamping information of the data packets entering the first cipher engine is still valid when the data packets leave the first cipher engine.

36.	(Previously presented) The method of claim 35, wherein the pre-shaping comprises enlarging, by the packet engine, an inter-packet gap before a flow of data packets enters the cipher engine.



37.	(Currently amended) The method of claim 24, wherein the plurality of packet engines and the plurality of cipher engines use a common global information identity to assure a global identification of data packets belonging to the same traffic flow.

38.	(Previously presented) The method of claim 24, wherein data packets are encrypted by a first cipher engine of the plurality of cipher engines immediately after leaving an associated packet engine, or wherein data packets decrypted by the first cipher engine immediately before entering the associated packet engine.

39.	(Previously presented) The method of claim 24, wherein the plurality of cipher engines performs message authentication.

40.	(Currently amended) The method of claim 24, further comprising[[:]] propagating, by a first cipher engine of the plurality of cipher engines, traffic loss information to an interface of the associated packet engine to trigger a traffic switch-over, wherein propagating the traffic loss information is triggered by a failure of an optical data connection detected by a wide area network (WAN) facing line interface.

41.	(Currently amended) The method of claim 24, further comprising[[:]] monitoring a health of a data flow, comprising sending an additional stream of data packets, 

42.	(Previously presented) The method of claim 24, wherein the packet engines perform time stamping, and the plurality of cipher engines are non-time-aware and non-topology-aware.

43.	(Previously presented) The method of claim 24, wherein the time deterministic packet network is a packet network for automation of high voltage lines.

44.	(Currently amended) A cipher engine and key manager (CEKM) for securing communication over end-to-end data paths in a timed deterministic packet network having packet engines that perform packet handling, the time deterministic packet network including a packet flow path manager (PFPM) that configures traffic flow nodes of the time deterministic packet network, the CEKM comprising: 
	a first interface operative to receive information on a data flow topology of an end-to-end data path from the PFPM; 
	a second interface operative to provide configuration information to a plurality of cipher engines that are each associated with and provided separately from a respective packet engine, the plurality of cipher engines being configured to perform at least one cyber security function; and 


45.	(Currently amended) The cipher engine and key manager of claim 44, the CEKM being operative to exchange information with the PFPM over the first interface to set up bit windows that identify data packets that are to be processed by the plurality of cipher engines.

46.	(Previously presented) The cipher engine and key manager of claim 44, wherein the CEKM is operative to discover hardware defined identifiers of the plurality of cipher engines and to provide only the hardware defined identifiers and alarms to the PFPM.

47.	(Currently amended) A cipher engine, comprising: 
	a first interface operative to be directly connectable to a packet engine that performs packet handling for a timed deterministic packet network; 
	a second interface operative to be connectable to a network facing port of an endpoint node or a first transit node connected to the endpoint node; and 
	a third interface operative to receive configuration information from a cipher engine and key manager (CEKM), 
	wherein the cipher engine is operative to perform a cyber security function on data packets of a traffic flow through the cipher engine based on the configuration information received from the CEKM, and
	wherein the cipher engine is operative to select bits from a data packet using a programmable bit window, wherein the bits selected according to the programmable bit window identify data packets that are to be processed by the cipher engine.

48.	(Canceled) 

49.	(Currently amended) The cipher engine of claim 47, wherein the cipher engine is operative to perform the cyber security function without having information on a topology of [[the]]an end-to-end path for which the cyber security function is performed and without using time stamping information of the data packets.

50.	(Currently amended) A timed deterministic packet network, comprising: 
	a plurality of packet engines structured to perform packet handling; 
	a packet flow path manager (PFPM) structured to provide configuration information to traffic flow nodes of the time deterministic packet network; 
	a plurality of cipher engines, each cipher engine being structured to receive data packets of a traffic flow from an associated packet engine of the plurality of packet engines or to provide data packets of the traffic flow to the associated packet engine of the plurality of packet engines, each cipher engine including: 
		a first interface operative to be directly connectable to a packet engine that performs packet handling for a timed deterministic packet network, 

		a third interface operative to receive configuration information from a cipher engine and key manager (CEKM), 
	wherein the CEKM is coupled to the PFPM and the plurality of cipher engines, and includes: 
		a fourth interface operative to receive information on a data flow topology of an end-to-end data path from the PFPM; 
		a fifth interface operative to provide configuration information to the plurality of cipher engines that are each associated with and provided separately from a respective packet engine, and 
		at least one processor operative to generate the configuration information based on the data flow topology, and 
	wherein the cipher engine is operative to perform a cyber security function on data packets of a traffic flow through the cipher engine based on the configuration information received from the CEKM.

51.	(New) The method of claim 32, wherein the information relating to the data flow topology comprises a tunnel-identifier, an MPLS label, and a direction.

52.	(New) The method of claim 37, wherein the common global information identity indicates a Multiprotocol Label Switching (MPLS) tunnel.
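A minimal model of the programmable bit window recited in claims 26, 27 and 47, using the MPLS label of claims 51 and 52 as the selected bits, added here as an illustration and not the applicant's implementation; the frame layout, the label values and the helper names are constructed assumptions.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class BitWindow:
    """Programmable bit window: which bits of a frame to inspect (MSB-first bit
    offset and width) and the value that marks a packet for the cipher engine."""
    offset: int
    width: int
    match: int


def select_bits(frame: bytes, offset: int, width: int) -> int:
    """Return `width` bits of `frame` starting at bit `offset` as an integer."""
    if width <= 0 or offset + width > len(frame) * 8:
        raise ValueError("bit window lies outside the frame")
    shift = len(frame) * 8 - offset - width
    return (int.from_bytes(frame, "big") >> shift) & ((1 << width) - 1)


def selected_for_cipher(frame: bytes, window: BitWindow) -> bool:
    """True if the bits in the window match, i.e. the cipher engine processes this packet."""
    try:
        return select_bits(frame, window.offset, window.width) == window.match
    except ValueError:  # frame too short for the window: never selected
        return False


# Constructed Ethernet II frame with one MPLS label stack entry (ethertype 0x8847);
# the MAC addresses are locally administered placeholders.
ETH_HDR_BITS = 14 * 8
MPLS_LABEL_BITS = 20


def mpls_frame(label: int, payload: bytes, ttl: int = 64) -> bytes:
    eth = bytes.fromhex("020000000001" "020000000002" "8847")
    lse = (label << 12) | (1 << 8) | ttl  # TC=0, bottom-of-stack=1
    return eth + struct.pack(">I", lse) + payload


def windows_from_topology(entry_label: int, exit_label: int) -> dict:
    """Assumed CEKM helper: both cipher engines of one end-to-end path inspect the
    same field, but each matches a different label (claim 27) because transit
    nodes swap the MPLS label along the path."""
    return {
        "entry": BitWindow(ETH_HDR_BITS, MPLS_LABEL_BITS, entry_label),
        "exit": BitWindow(ETH_HDR_BITS, MPLS_LABEL_BITS, exit_label),
    }


def cipher_engine_filter(frames, window: BitWindow):
    """Tag each packet of a flow as processed or passed through; order is kept
    and no timing information is read, matching claim 42."""
    return [(f, selected_for_cipher(f, window)) for f in frames]
```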

Allowable Subject Matter
Claims 24-47 and 49-52 allowed.

The following is an examiner’s statement of reasons for allowance: For independent claim 24, the combination of limitations including centrally controlling, by a cipher engine and key manager, a plurality of cipher engines each associated with a respective packet engine is not found in the art of record. For independent claim 44, the combination of limitations including the time deterministic packet network including a packet flow path manager that configures traffic flow nodes, with a second interface providing configuration information to a plurality of cipher engines that are each associated with and provided separately from a respective packet engine, is not found in the art of record. For independent claim 47, the combination of limitations including a packet engine that performs packet handling for a timed deterministic packet network, wherein the cipher engine is operative to perform a cyber security function on data packets of a traffic flow and the bit window is programmable, is not found in the art of record. For independent claim 50, the combination of limitations including a plurality of cipher engines receiving data packets of a traffic flow from an associated packet engine, with an interface to receive configuration information from a cipher engine and key manager which is coupled to the packet flow path manager, is not found in the art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589.  The examiner can normally be reached on M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433