DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 09/16/2019, in which claims 1-20 are pending. Claims 1, 15 and 16 are independent.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/16/2019 and 12/22/2020 have been reviewed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statements.

Drawings
The drawings filed on 09/16/2019 are accepted by the Examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 15 recites “A system” in the preamble and “a key server”, “an L3VPN manager” and “a cyberthreat remediator” in the claim body. As recited in the body of the claim, the claimed system lacks a structural component because the server, the manager and the remediator can be implemented as software only. Therefore, Claim 15 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim, such as “a hardware processor and a memory comprising software instructions executed to”, to make the claim statutory subject matter under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 2, and 10-17 are rejected under 35 U.S.C. 103 as being unpatentable over Haseeb Niazi et al. (“Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide”, August 2018, cited by the applicant in the 09/16/2019 IDS) in view of Asati et al. (US 2008/0047011 A1).
Regarding Claims 1, and 16, Niazi discloses A method for securely connecting a main network to one or more subnetworks in an enterprise network through a group of enterprise routers (figure 32, page 117, figure 34, page 120), the method comprising: 
configuring a key server with an Internet Protocol (IP) address for each router in the group of enterprise routers, a group security association (SA) value for the group of enterprise routers, and a group profile for the group of enterprise routers (1.1 “Key GETVPN Benefits” & 1.2 “Technology Overview”, “group IPsec security paradigm”, key server with the GETVPN solution, group members (GMs, routers) and group security association, page 4, 5, key server configuration, page 12, figure 34, key server KS, see item 4.2.1.1.1 KS Placement); 
configuring each router in the group of enterprise routers with an Internet Protocol (IP) address for the key server and the group security association (SA) and the group profile (see 2.3 GM (routers) configuration, 2.3.2 “Configuring GDOI Group”, “A GM is configured using the same group identity defined on the KS and the address of the KS”, page 22); 
creating an encrypted virtual private network (VPN) tunnel between the main network and a subnetwork (“Enterprises must implement the any-to-any connectivity model provided by IP virtual private networks (VPNs)”, “several IPsec tunnel-based encryption solutions”, page 3); 
routing all data traffic between the main network and the subnetwork through the encrypted virtual private network (VPN) tunnel (“Enterprises must ... encryption solutions”, page 3);
Niazi does not explicitly teach, but Asati teaches,
monitoring for a cyberthreat indication in the enterprise network ([0037], “The NHRP throttling rate monitoring, combined with other events, could provide a means to detect a DoS attack”, [0041], “receiving an indication at a hub router that a spoke router site having a spoke router in communication with the hub router has an infection. The infection may be caused by a Worm/DoS attack”); and 
remediating a cyberthreat based on the cyberthreat indication ([0038], “While a spoke router site is infected and the prevention of the infection propagation is being pursued”), 
wherein remediating the cyberthreat comprises modifying a policy in a firewall or one of the group of enterprise routers to stop routing exchange or cease encryption or transmission of data between the main network and the one or more subnetworks ([0038], “While a spoke router site is infected and the prevention of the infection propagation is being pursued, the IPSec SAs between the spoke router of the infected spoke router site and other spoke routers are immediately torn down by the spoke router of the infected spoke router site, and the NHRP cache information for the infected spoke router site doesn't exist anymore. The remote spoke routers will not try to establish sessions” as the router policy being modified).
Niazi and Asati are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Asati with 

Regarding Claims 2, and 17, the combined teaching of Niazi and Asati teaches classifying a community of network users in a Virtual Routing and Forwarding (VRF) domain that includes all routes between the main network and the one or more subnetworks into a User-U instance, a User-SP1 instance and a User-SP2 instance, where the User-U instance represents network users in the main network and the User-SP1 and User-SP2 instances represent network users in two subnetworks (Niazi, 3.9 VRF-Aware GETVPN, Virtual Routing infrastructure, Virtual Routing and Forwarding (VRF) domain, see Figure 23, 28 & 29 in pages 90-99; 4.2.1.2.1 GM Placement, Figure 32, “SP-1”, “SP-2” (page 117), and Figures 35, 39).

Regarding Claim 10, the combined teaching of Niazi and Asati teaches wherein the group profile comprises a Group Domain of Interpretation (GDOI) profile (Niazi, “gdoi-profile”, page 18, line 11).

Regarding Claim 11, the combined teaching of Niazi and Asati teaches classifying users in the enterprise network with different Virtual Routing and Forwarding (VRF) using MultiProtocol Label Switching into a User-U instance, a User-SP1 instance and a User-SP2 instance, where the User-U instance represents users in the main network and the User-SP1 and User-SP2 instances represent users in two subnetworks (Niazi, 3.9 VRF-Aware GETVPN, Virtual Routing infrastructure, Virtual Routing and Forwarding (VRF) domain, see Figure 23, 28 & 29 in pages 90-99; 4.2.1.2.1 GM Placement, Figure 32, “SP-1”, “SP-2” (page 117), and Figures 35, 39).

Regarding Claim 12, the combined teaching of Niazi and Asati teaches wherein the User-SP1 and User-SP2 instances are private isolated Virtual Routing and Forwarding (VRF) instances that comprise respective ports on said one of the group of enterprise routers facing the two subnetworks and an interface in a router hosting the firewall (Niazi, Figure 32, “SP-1”, “SP-2” (page 117), and Figure 23, “Each VRF will require a unique WAN interface/sub-interface”, “firewalls to enforce access control policy based on the classification”, pages 91, 106).

Regarding Claim 13, the combined teaching of Niazi and Asati teaches wherein the firewall is positioned in the main network where all data traffic requiring to cross from one user group to another user group in the User-U, User-SP1 or User-SP2 instances must pass through the firewall (Niazi, Figure 32, “SP-1”, “SP-2” (page 117), and Figure 23, “Each VRF will require a unique WAN interface/sub-interface”, “firewalls to enforce access control policy based on the classification”, pages 91, 106).

Regarding Claim 14, the combined teaching of Niazi and Asati teaches wherein the firewall comprises a policy that determines whether to allow route exchanges between User-U, User-SP1 or User-SP2 instances (Niazi, Figure 32, “SP-1”, “SP-2” (page 117), and Figure 23, “Each VRF will require a unique WAN interface/sub-interface”, “firewalls to enforce access control policy based on the classification”, pages 91, 106).

Regarding Claim 15, Niazi discloses A system for securely connecting a main network to one or more subnetworks in an enterprise network through a group of enterprise routers, including a router that creates a virtual private network (VPN) tunnel between the main network and a subnetwork (figure 32, page 117, figure 34, page 120), the system comprising: 
a key server having a GETVPN unit that includes an Internet Protocol (IP) address for each router in the group of enterprise routers, a group security association (SA) value for the group of enterprise routers, and a group profile for the group of enterprise routers (1.1 “Key GETVPN Benefits” & 1.2 “Technology Overview”, “group IPsec security paradigm”, key server with the GETVPN solution, group members (GMs, routers) and group security association, page 4, 5, key server configuration, page 12, figure 34, key server KS, see item 4.2.1.1.1 KS Placement), 
an L3VPN manager that works with the GETVPN unit to configure each router in the group of enterprise routers with an Internet Protocol (IP) address for the key server and the group security association (SA) and the group profile (see , 
Niazi does not explicitly teach, but Asati teaches,
a cyberthreat remediator that listens for a cyberthreat indication and, upon receiving a cyberthreat notification, modifies a policy in a firewall or said router to stop routing exchange or cease encryption or transmission of data between the main network and the subnetwork ([0037], “The NHRP throttling rate monitoring, combined with other events, could provide a means to detect a DoS attack”, [0041], “receiving an indication at a hub router that a spoke router site having a spoke router in communication with the hub router has an infection. The infection may be caused by a Worm/DoS attack”, [0038], “While a spoke router site is infected and the prevention of the infection propagation is being pursued, the IPSec SAs between the spoke router of the infected spoke router site and other spoke routers are immediately torn down by the spoke router of the infected spoke router site, and the NHRP cache information for the infected spoke router site doesn't exist anymore. The remote spoke routers will not try to establish sessions” as the router policy being modified).
Niazi and Asati are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Asati with the disclosure of Niazi. The motivation/suggestion would have been to prevent the DMVPN melt-down, to isolate a worm-infected spoke router site from the rest of the DMVPN and to restrict the spread of the worm within the DMVPN network (Asati, [0056]).

Claims 3-4, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Haseeb Niazi et al. (“Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide”, August 2018, cited by the applicant in the 09/16/2019 IDS) in view of Asati et al. (US 2008/0047011 A1) further in view of Huang et al. (US 2013/0074174 A1).
Regarding Claim 3, the combined teaching of Niazi and Asati does not explicitly teach but Huang teaches defining a set of Border Gateway Protocol (BGP) extended community attributes ([0009], “border gateway protocol (BGP) associates many attributes to a group of IP addresses”).
Niazi, Asati and Huang are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Huang with the combined teaching of Niazi and Asati. The motivation/suggestion would have been for firewall access control (Huang, [0003]).

Regarding Claims 4 and 18, the combined teaching of Niazi and Asati does not explicitly teach but Huang teaches defining a Border Gateway Protocol (BGP) extended community attribute, wherein the BGP extended community attribute comprises a number value that identifies a unicast route originated from one of the User-U, User-SP1 or User-SP2 instances ([0009], “border gateway protocol (BGP) associates many attributes to a group of IP addresses (e.g., autonomous system (AS) number or community and the like)” as a number value for the unicast route).

Claims 5-6, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Haseeb Niazi et al. (“Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide”, August 2018, cited by the applicant in the 09/16/2019 IDS) in view of Asati et al. (US 2008/0047011 A1) further in view of Huang et al. (US 2013/0074174 A1) and further in view of Paredes et al. (US 2012/0151057 A1).
Regarding Claims 5 and 19, the combined teaching of Niazi, Asati and Huang teaches the BGP extended community attribute (Huang, [0009], “border gateway protocol (BGP) associates many attributes”),
The combined teaching of Niazi, Asati and Huang does not explicitly teach but Paredes teaches defining a router policy in said one of the group of enterprise routers using MultiProtocol Label Switching (MPLS) Virtual Routing and Forwarding (VRF) route import or export policies, wherein the router policy instructs said one of the group of enterprise routers to export all routes of User-SP1 and User-SP2 instances to the User-U instance ([0024], “provide private network access across its network between two or more customer locations (e.g., via a Virtual Private Network "VPN", such as Layer 2 or Layer 3 Multiprotocol Label Switching "MPLS" VPNs)”, [0026], “provide scalability by enabling…Virtual Routing and Forwarding ("VRF", for example, importing and exporting)”).
Niazi, Asati, Huang and Paredes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Paredes with the combined teaching of Niazi, Asati and Huang. The motivation/suggestion would have been for private delivery of virtualized cloud services (Paredes, [0002]).

Regarding Claims 6 and 20, the combined teaching of Niazi, Asati and Huang teaches the BGP extended community attribute (Huang, [0009], “border gateway protocol (BGP) associates many attributes”),
The combined teaching of Niazi, Asati and Huang does not explicitly teach but Paredes teaches defining a router policy in said one of the group of enterprise routers using MultiProtocol Label Switching (MPLS) Virtual Routing and Forwarding (VRF) route import or export policies, wherein the router policy instructs said one of the group of enterprise routers to export all routes of the User-U instance to the User-SP1 and User-SP2 instances ([0024], “provide private network access across its network between two or more customer locations (e.g., via a Virtual Private Network "VPN", such as Layer 2 or Layer 3 Multiprotocol Label Switching "MPLS" VPNs)”, [0026], “provide scalability by enabling…Virtual Routing and Forwarding ("VRF", for example, importing and exporting)”).

Claims 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Haseeb Niazi et al. (“Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide”, August 2018, cited by the applicant in the 09/16/2019 IDS) in view of Asati et al. (US 2008/0047011 A1) further in view of Paredes et al. (US 2012/0151057 A1).
Regarding Claim 7, the combined teaching of Niazi and Asati does not explicitly teach but Paredes teaches defining a router policy in said one of the group of enterprise routers using MultiProtocol Label Switching (MPLS) Virtual Routing and Forwarding (VRF) route import or export policies ([0024], “provide private network access across its network between two or more customer locations (e.g., via a Virtual Private Network "VPN", such as Layer 2 or Layer 3 Multiprotocol Label Switching "MPLS" VPNs)”, [0026], “provide scalability by enabling…Virtual Routing and Forwarding ("VRF", for example, importing and exporting)”).
Niazi, Asati and Paredes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings 

Regarding Claim 8, the combined teaching of Niazi and Asati teaches where the User-U instance represents network users in the main network and the User-SP1 and User-SP2 instances represent network users in two subnetworks (Niazi, 4.2.1.2.1 GM Placement, Figure 32, “SP-1”, “SP-2” (page 117), and Figures 35, 39),
The combined teaching of Niazi and Asati does not explicitly teach but Paredes teaches wherein the router policy instructs said one of the group of enterprise routers to export all routes of User-SP1 and User-SP2 instances to a User-U instance ([0024], “provide private network access across its network between two or more customer locations (e.g., via a Virtual Private Network "VPN", such as Layer 2 or Layer 3 Multiprotocol Label Switching "MPLS" VPNs)”, [0026], “provide scalability by enabling…Virtual Routing and Forwarding ("VRF", for example, importing and exporting)”).
Niazi, Asati and Paredes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Paredes with the combined teaching of Niazi and Asati. The motivation/suggestion would have been for private delivery of virtualized cloud services (Paredes, [0002]).

Regarding Claim 9, the combined teaching of Niazi and Asati teaches where the User-U instance represents network users in the main network and the User-SP1 and User-SP2 instances represent network users in two subnetworks (Niazi, 4.2.1.2.1 GM Placement, Figure 32, “SP-1”, “SP-2” (page 117), and Figures 35, 39),
The combined teaching of Niazi and Asati does not explicitly teach but Paredes teaches wherein the router policy instructs said one of the group of enterprise routers to export all routes of a User-U instance to User-SP1 and User-SP2 instances ([0024], “provide private network access across its network between two or more customer locations (e.g., via a Virtual Private Network "VPN", such as Layer 2 or Layer 3 Multiprotocol Label Switching "MPLS" VPNs)”, [0026], “provide scalability by enabling…Virtual Routing and Forwarding ("VRF", for example, importing and exporting)”).
Niazi, Asati and Paredes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Paredes with the combined teaching of Niazi and Asati. The motivation/suggestion would have been for private delivery of virtualized cloud services (Paredes, [0002]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571) 272-6186. The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw, can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497