DETAILED ACTION
 	Claims 1-10, 18-26, and 28 are presented for examination on the merits.

Notice of Pre-AIA or AIA Status
 	The present application is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
 	The information disclosure statements (IDS) submitted on 04/08/2019, 04/16/2019, and 04/15/2020 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Drawings
The drawings filed on 03/19/2019 are accepted by the examiner.
Priority
 	The application was filed on 03/26/2019 and is a 371 of PCT/JP2016/004289, filed on 09/20/2016.
Claim Rejections - 35 USC § 112
1.	The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), fourth paragraph:
Subject to the [fifth paragraph of 35 U.S.C. 112 (pre-AIA)], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

2.  	Claim 10 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject 
Claim Rejections - 35 USC § 103
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

6.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
7.	Claims 1-7, 9-10, 19-22, 25-26, and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. (US 20150188943 A1, hereinafter, Williams) in view of Jain et al. (US 20180375646 A1, hereinafter, Jain).
 	Regarding claim 1, Williams discloses a communication apparatus comprising: a processor; and a memory storing program instructions executable by the processor; wherein the processor is configured to perform a monitoring process configured to verify authentication information of a packet received (Paragraph 0084: By tracking the host IDs encoded in received packets, the non-load-balanced endpoint is able to intelligently select the host ID to encode in packets it transmits such that the load balancer is able to identify the machine that should receive each packet without requiring authentication or decryption of the tunneled packet headers); and 
 	[a rule verification process configured to verify authentication information of a rule that matches the packet] (Paragraph 0070: IPsec Security Associations (SAs) are 
 	the monitoring process generates authentication information for a packet to be forwarded according to the rule having authentication information thereof verified (Paragraph 0037: The header describes the packet's destination, which Internet routers use to pass the packet along until it arrives at its final destination. The body contains the application data. Typically, IP packets travel over Transmission Control Protocol (TCP), which provides reliable in-order delivery of a stream of bytes. TCP rearranges out-of-order packets, minimizes network congestion, and re-transmits discarded packets).  
 	Williams does not explicitly state this, but Jain, from the same or similar field of endeavor, teaches creating a protected key to be used by a select processor on behalf of an entity unauthorized to use the protected key (Paragraphs 0052, 0056: policies in some embodiments establish rules for each flow or for each VNI/L2 segment (e.g., the conditions for rejecting or accepting packets). The controller directs the edge to negotiate the keys based on these policies for certain flows or VNIs).
  	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to create a protected key to be used by a select processor on behalf of an entity unauthorized to use the protected key, as taught by Jain, in the teachings of Williams for the advantage of negotiating keys according to the security policies of the tenant, such that the edge is in turn tasked with forwarding the incoming encrypted VPN traffic to its rightful destinations (Jain, Paragraph 0010).

 	Regarding claim 2, the combination of Williams and Jain discloses the communication apparatus according to claim 1, wherein the processor is configured to provide an isolated execution environment in the communication apparatus and execute at least one of the monitoring process and the rule verification 
 	Regarding claim 3, the combination of Williams and Jain discloses the communication apparatus according to
 	Regarding claim 4, the combination of Williams and Jain discloses the communication apparatus according to claim 1, wherein the processor is further
 	Regarding claim 5, the combination of Williams and Jain discloses the communication apparatus according to claim 4, wherein the processor is configured to provide an isolated execution environment in the communication apparatus and execute the packet modification 
 	Regarding claim 6, the combination of Williams and Jain discloses the communication apparatus according to
 	Regarding claim 7, the combination of Williams and Jain discloses the communication apparatus according to claim 6, wherein the rule database stores a plurality of rules, with overlapping between one and other rules being removed (Jain, Paragraphs 0066, 0030: the edge negotiates such a key based on the security policies that are applicable to the data traffic (e.g., based on the flow/L4 connection of the packets, or based on the L2 segment/VNI of the packets)).
 	Regarding claim 9, the combination of Williams and Jain discloses the communication apparatus according to
 	Regarding claim 10: Claim 10 is similar in scope to claim 1, and is therefore rejected under similar rationale.
 	Regarding claim 19, the combination of Williams and Jain discloses the communication system according to claim 10, wherein the controller computes authentication information of a packet to be injected and sends the packet along with the authentication information to a first network element out of the network elements (Williams, Paragraph 0064: multiple overlay network customers can use the overlay network platform 1200 with the network appliances 1202 at their various locations after establishing the secure VPN tunnel, such as tunnel 1204, to their nearby edge region(s) 1206. In this embodiment, distinct encryption secrets per customer are maintained.), 
 	the first network element forwarding the packet along with the authentication information to a second network element out of the network elements without generating authentication information of the packet, the second network element 
 	Regarding claim 20, the combination of Williams and Jain discloses the communication system according to claim 10, comprising: an edge network element connected to an end host, with at least one of a link between the edge network element and the end host being encrypted, and a link between the edge network element and a neighboring network element being encrypted (Williams Paragraphs 0073, 0075: multiple intermediary transport protocol segments. The first encryption context protects data flow end-to-end between the first appliance and the second appliance, and the second encryption context protects transport and network protocol layer headers).  
 	Regarding claim 21, the combination of Williams and Jain discloses the communication system according to claim 10, comprising an end host connected to an edge network element and configured to perform end-to-end encryption (E2EE) (Williams, Paragraphs 0068-0070: End-to-End Data Security).
 	Regarding claim 22, the combination of Williams and Jain discloses the communication system according to claim 10, comprising a box deployed between an edge network element and an end host facing the edge network element (Williams, Paragraphs 0057, 0037: In MPLS, a specific path (identified by a 
 	the box including a monitoring unit configured to verify authentication information of a packet received from the edge network element, and generate authentication information of the packet (Williams Paragraphs 0010, 0061, 0066: packet headers (on the other), the customer's data is protected from being accessed unencrypted as it traverses the public Internet (on which the overlay is built and runs). The overlay may also implement additional authentication and encryption protections to prevent discovery (e.g., from packets that traverse the public Internet) of details about the customer's internal network).  
 	Regarding claim 25: Claim 25 is similar in scope to claim 1, and is therefore rejected under similar rationale.
 	Regarding claim 26: Claim 26 is similar in scope to claim 4, and is therefore rejected under similar rationale.
 	Regarding claim 28: Claim 28 is similar in scope to claim 1, and is therefore rejected under similar rationale.
8.	Claims 18 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. (US 20150188943 A1, hereinafter, Williams) in view of Liu et al. (US 20080244739 A1, hereinafter, Liu).
	Regarding claim 18, Williams discloses the communication system according to
 	wherein the processor is configured to perform a key generation process configured to generate a secret key shared by a pair of network elements respectively forming a sender and a receiver of a packet (Paragraph 0064: multiple overlay network customers can use the overlay network platform 1200 with the network appliances 1202 at their various locations after establishing the secure VPN tunnel, such as tunnel 1204, to their nearby edge region(s) 1206. In this embodiment, distinct encryption secrets per customer are maintained) and
 	[used for generation and verification of authentication information of the packet by the sender and the receiver] (Paragraph 0073: The first encryption context is defined by a first cryptographic key (or "first key") 1602 that is shared between the network appliances 1604 and 1606 across which the end-to-end tunnel 1600 is established), respectively, 
 	the key generation process configured to generate a secret key shared by the controller and the network element respectively forming a sender and a receiver of a rule and used for generation and verification of authentication information of the rule by the controller and the network element respectively (Paragraphs 0054, 0086: IPsec uses a 64-bit sequence number for replay protection… although the high-order 32 bits are included when the integrity check value is computed for the packet. In other words, the high-order 32 bits are a value that must be known by both the sender and the receiver… the packets are received by a server in the gateway region 404, where 
 	a rule generation process configured to generate a rule for the network element; a rule management process configured to generate authentication information for the generated rule using the secret key shared by the controller and the network element (Paragraph 0087: sharing the security association. For this reason, preferably each individual machine in the region and the non-load-balanced endpoint maintains sequence numbers that are unique for each of the host-specific SPI values);  
 	and a rule delivery process that sends the rule along with the authentication information of the rule to the network element (Paragraphs 0073-0075: segmented tunnel delivering packets (across the routing overlay) end-to-end, but wherein split security contexts are enforced for particular portions of each data …traffic is delivered across the overlay, those delivery optimizations may be applied (on a segment-by-segment basis)).  
 	Williams does not explicitly state this, but Liu, from the same or similar field of endeavor, teaches generation and verification of authentication information of the packet by the sender and the receiver (Liu, Abstract, Paragraphs 0071, 0073: generating a signature (e.g., a message authentication code (MAC)) using a secret key shared between each node on a forwarding path and a sink).
  	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include generation and verification of authentication information of the packet by the sender and the receiver as taught by Liu 
   	Regarding claim 23: Claim 23 is similar in scope to claim 18, and is therefore rejected under similar rationale.
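The mechanism relied on in the claim 18 rejection above is a shared secret key used by a sender/receiver pair (controller and network element for rules, or two network elements for packets) to generate and verify a MAC over each message, combined with the IPsec extended-sequence-number replay protection quoted from Williams, where only the low-order 32 bits of the 64-bit sequence number travel on the wire and the high-order 32 bits are tracked by both sides yet still covered by the integrity check value. The following is an added, constructed illustration of that scheme; it is not code from the application or from any of the cited references. The key length, the truncated HMAC-SHA256 tag, the wire format and the 64-entry anti-replay window are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example (assumptions, not from the application or cited art):
# a secret key shared by exactly one sender/receiver pair authenticates each
# packet or rule with a MAC; the packet carries only the low-order 32 bits of
# a 64-bit sequence number, while the high-order bits are reconstructed by the
# receiver from its anti-replay window and still included in the ICV.

KEY_LEN = 32
ICV_LEN = 16      # truncated HMAC-SHA256 tag (assumed)
WINDOW = 64       # anti-replay window, in sequence numbers (assumed)
MASK32 = 0xFFFFFFFF


def generate_shared_key() -> bytes:
    """Key generation process: a fresh random secret to be installed on one
    sender/receiver pair (e.g. controller <-> network element for rules)."""
    return os.urandom(KEY_LEN)


def compute_icv(key: bytes, seq_hi: int, seq_lo: int, payload: bytes) -> bytes:
    """ICV over the implicit high-order bits, the transmitted low-order bits
    and the payload; a receiver holding the wrong high-order bits fails."""
    msg = struct.pack("!II", seq_hi, seq_lo) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


class Sender:
    """Generates authentication information for each outgoing packet/rule."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0                  # 64-bit counter; the first packet is 1

    def send(self, payload: bytes) -> bytes:
        self.seq += 1
        if self.seq > 2**64 - 1:
            raise OverflowError("sequence space exhausted; rekey required")
        hi, lo = self.seq >> 32, self.seq & MASK32
        icv = compute_icv(self.key, hi, lo, payload)
        # wire format: seq_lo || payload || icv   (seq_hi is never sent)
        return struct.pack("!I", lo) + payload + icv


class Receiver:
    """Verifies authentication information and enforces a sliding window."""

    def __init__(self, key: bytes):
        self.key = key
        self.top = 0     # highest sequence number verified so far
        self.seen = 0    # bit i set <=> sequence number (top - i) was verified

    def _implied_hi(self, lo: int) -> int:
        """Reconstruct the high-order 32 bits from the window position
        (the logic of RFC 4303 Appendix A, simplified)."""
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= WINDOW - 1:
            # the window lies entirely within one high-order subspace
            return th if lo >= tl - WINDOW + 1 else th + 1
        # the window straddles a wrap of the low-order bits
        return th - 1 if lo >= (tl - WINDOW + 1) & MASK32 else th

    def receive(self, packet: bytes):
        """Return the payload if authentic and fresh, otherwise None."""
        if len(packet) < 4 + ICV_LEN:
            return None
        lo = struct.unpack("!I", packet[:4])[0]
        payload, icv = packet[4:-ICV_LEN], packet[-ICV_LEN:]
        hi = self._implied_hi(lo)
        seq = (hi << 32) | lo
        # cheap replay rejection before spending a MAC computation
        if hi < 0 or seq <= max(self.top - WINDOW, 0):
            return None
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return None
        # verification: constant-time comparison against the recomputed ICV
        if not hmac.compare_digest(compute_icv(self.key, hi, lo, payload), icv):
            return None
        # only authenticated packets advance the window
        if seq > self.top:
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return payload


if __name__ == "__main__":
    k = generate_shared_key()
    controller, element = Sender(k), Receiver(k)
    rule = controller.send(b"allow tcp dport=443")
    print(element.receive(rule))   # payload accepted
    print(element.receive(rule))   # None: replay rejected
```

A modified payload, a packet authenticated under a different key, or a replayed packet all return None, while out-of-order delivery inside the window is still accepted, and the same code carries a rule from a controller to a network element or a packet between two network elements, which is the point the claim draws out: one key generation process serving both pairings.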
Allowable Subject Matter 
9.	Claims 8 and 24 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 
Conclusion
10. 	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Shimonishi et al. (US 20120158938 A1) discloses a service providing system that includes a control server and a physical resource(s) controlled by the control server. The control server has a virtual device providing unit(s) that provides at least one virtual object for controlling a physical resource(s), and a virtual infrastructure.
Sonoda et al. (US 9215237 B2) discloses a communication system that includes an information acquisition unit that acquires information for determining an isolation level to which a user terminal belongs, from the user terminal; and an isolation level determination unit that determines an isolation level to which the user terminal belongs, based on the acquired information.
11.	In an effort to advance compact prosecution, with respect to any amendments to the claimed invention, the applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.  
Moreover with respect to advancing compact prosecution, if the applicant intends to make numerous amendments, the examiner respectfully requests that applicant submit a clean copy of the claims in addition to the marked up copy of the claims in order to expedite the examination process by allowing for accurate optical character recognition (OCR) of the claims.
The prior art made of record and not relied upon, if any, is considered pertinent to applicant’s disclosure and would be listed under PTO-Form 892.
12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHFUZUR RAHMAN whose telephone number is (571)270-7638. The examiner can normally be reached on Monday through Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-88788593.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/MAHFUZUR RAHMAN/Primary Examiner, Art Unit 2498