Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hooda (US 20180159957 A1 ) in view of Behera (US 20160191361 A1), further in view of Haalen (US 20070223372 A1).
	For claim 1, Hooda discloses a computer-implemented method for enabling a service virtual machine to provide one or more services for a plurality of tenants (one of “Virtual eXtensible Local Area Network ("VXLAN") is a technique for providing a Layer 2 ("L2") overlay on an L3 network. In particular, VXLAN is used to address the need for overlay networks within virtualized data centers accommodating multiple tenants … VMs within the same VXLAN segment are within the same L2 domain. Each VXLAN segment is identified by a 24-bit segment identifier ("ID")”, [0038] in view of FIG. 1, secure fabric), the method comprising:
inserter (suggested by “FIG. 2 is a schematic diagram of a network service header of a packet”, [0006]; note that the “service inserter” is interpreted as a part of an AP/router that processes a packet); 
	based on metadata received along with the packet, identifying, by the service inserter, a tenant identifier (suggested by [0032], such as “the AP can support multitenancy. The forwarding table 152 can include context information that includes an identifier of a tenant. In the example shown in FIG. 1B, three tenants are shown in the forwarding table: Company1, Company2, and Company3. Each context entry (i.e., company identifier) corresponds to a destination network location. In this example, company1 forwards to company1 router and is encapsulated for the fabric interconnect. When the client 130 of company1 attaches to the AP1 104, the AP1 104 can authenticate client 130 as being associated with company1 using an authentication server 122 and can receive information about company1 from the wireless controller 116. The AP1 104 can encapsulate incoming packets from client 130 with the context information, such as the company1 identifier, the forwarding information, and the encapsulation information”, and “Context information can include group information, client identification information, session information, such as service set identifier (SSID), or other context information for the client1 130”, [0024]); 
inserter, a plurality of attributes of the packet (“FIG. 2 is a schematic diagram of a header 202 of a packet 200 … the AP1 104 can augment the packet header 202 with a group_ID and with virtual network identifier information. Other context information can also be added to the packet header 202, such as SSID, client identifier, destination router IP address, and the IP address of the client device. The data packet 200 can also include an inner packet 204 that can include packet payload, source IP information, as well as other packet information”, [0031]); 
	based on the tenant identifier and the plurality of attributes of the packet, retrieving an action for the packet from a rule table (“The forwarding table 152 can include context information that includes an identifier of a tenant. In the example shown in FIG. 1B, three tenants are shown in the forwarding table: Company1, Company2, and Company3. Each context entry (i.e., company identifier) corresponds to a destination network location”, [0032]);
	based on the action, determining, by the service inserter, whether at least one service is to be applied to the packet (“The forwarding table 106 can identify a context for client1 130 and for each context, can identify a next-hop destination, and a virtual network identifier”, [0025]); 
the least one service is to be applied to the packet (“The forwarding table 106 can identify a context for client1 130 and for each context, can identify a next-hop destination, and a virtual network identifier”, [0025] and “FIG. 2 is a schematic diagram of a network service header of a packet”, [0006]);
	generating, by the service inserter, an encapsulated packet by encapsulating the packet with the tenant identifier (“The virtual network identifier information can inform the AP1 104 how to encapsulate the packet from client1 130 for transmission through the fabric overlay 102”, [0025] in view of FIG. 2); 
	directing, by the service inserter, the encapsulated packet to a service machine that is configured to provide the at least one service to the encapsulated packet (“FIG. 2 is a schematic diagram of a network service header of a packet”, [0006]);
	upon receiving, by the service inserter, a result from the service machine providing the at least one service to the encapsulated packet (“The virtual network identifier information can inform the AP1 104 how to encapsulate the packet from client1 130 for transmission through the fabric overlay 102”, [0025] in view of FIG. 2);
 	determining, by the service inserter, based on the result, whether to forward the packet toward a packet destination (“Based on the information in the base ”, [0048]); 
	in response to determining that the packet is to be forwarded toward the packet destination or drop the packet, forwarding, by the service inserter, the packet toward the packet destination (“The forwarding table 152 can include context information that includes an identifier of a tenant. In the example shown in FIG. 1B, three tenants are shown in the forwarding table: Company1, Company2, and Company3. Each context entry (i.e., company identifier) corresponds to a destination network location”, [0032]); and
	Hooda is silent on the service inserter is implemented in a hypervisor that is a software layer that supports an execution of one or more service machines. Behera, in the same field of endeavor of network virtualization, discloses hypervisor that is a software layer that supports an execution of one or more service machines (“The host 101 includes virtualization software (sometimes referred to as a hypervisor). The virtualization software is representative of the various types of virtualization software that may operate on hosts in such a virtualized infrastructure (e.g., virtual machine monitor, etc.)”, [0027] in view of FIG. 1 wherein the host 101 includes a plurality of VMs 110 which may provide services for customer and some of these VMs may form a virtual network [0028] “The VMs of each tenant form a logical network (also referred to as private network or virtual network). The logical network is identified by a logical network ”). Therefore, “the virtual network infrastructure” in Hooda ([0027]) can be considered as a hypervisor which includes a “service inserter”. 
	Therefore, it would be obvious to an ordinary skilled in the art at the time when the application was filed to replace the virtual network infrastructure disclosed by Hooda with the hypervisor taught by Behera for the benefit of implementing virtual networks to provide services for customers/tenants ([0003] and [0028] of Behera).
Hooda in view of Behera does not specifically disclose but Haalen in response to determining that the packet is to be dropped, dropping, by the service inserter, the packet  (“determining which packets are dropped in response to packet drop conditions”, [0078]). OOSA would be motivated to apply the known technique of Haalen to the known method by Hooda in view of Behera to result a predictable result of dropping unwanted packets (see MPEP 2143(D).
Therefore, it would be obvious to an ordinary skilled in the art at the time when the application was filed to apply the teaching of Haalen to the method by Hooda in view of Behera for the benefit of dropping unwanted packets ([0078] of Haalen).
	Independent claims 8 and 15 are rejected because they are the corresponding non-transitory computer-readable storage media and hypervisor claims that perform the method of claim 1, and each has the same subject matter of claim 1.
	As to claims 2, 9 and 16, Hooda in view of Behera and Haalen discloses claims 1, 8 and 15, Behera further discloses wherein the tenant identifier is determined based on a port identifier of a port on which the packet was received (“each flow port identifier”, [0073] and “the LFE is also defined by a logical forwarding element identifier (LFEID) that is added to headers of packets belong to one entity, such as a user, department, tenant, or enterprise. The LFEID is also referred to as a tenant identifier, a network identifier, a virtual extensible local area network (VXLAN) identifier, or a tunnel key, in some embodiments. The virtual LAN (VLAN) tag is used as the LFEID in some embodiments”, [0050]).
	As to claims 3, 10 and 17, Hooda in view of Behera and Haalen discloses claims 1, 8 and 15, Behera further discloses the tenant identifier is identified based on a property table maintained by a virtual network interface card (“VNIC”) that received the packet (“wherein a logical interface comprises one of a virtual network interface card (VNIC) connecting a data compute node (DCN) to physical or logical forwarding element”, claim 9); and wherein the metadata that includes the tenant identifier is added to the packet once the packet is detected in the hypervisor (“the logical view 295 shows the LFE 275. In some embodiments, the LFE is defined to create a virtual network for several network hosts that are related to one another. The network hosts may be related because they belong to (or used by) the same user, department, tenant, or enterprise. The LFE is defined at least partially by several flows that allow the related network hosts to communicate with one another. In some embodiments, the LFE is also defined by a logical forwarding element identifier (LFEID) that is added to headers of packets belong to one entity, such as a user, department, tenant, or enterprise. The LFEID is also referred to as a tenant identifier, a network identifier, a virtual extensible local area network (VXLAN) identifier, or a tunnel key, in some embodiments. The virtual LAN (VLAN) tag is used as the LFEID in some embodiments”, [0050]).
	As to claims 4, 11 and 18, Hooda in view of Behera and Haalen discloses claims 1, 8 and 15, Behera further discloses the plurality of attributes of the packet comprises a source address, a destination address, and a protocol identifier; wherein the action for the packet is retrieved from a rule table maintained by the service inserter; and wherein the action for the packet indicates any of: forward the packet to the service machine, route/allow the packet, or drop the packet  (“To process packets, the PFE (215 or 220) of some embodiments maintains a number of flows in a flow table, memory (e.g., content-addressable memory (CAM) or ternary CAM (TCAM)), or a datapath cache (245 or 250). Each flow is essentially a rule that specifies how the PFE should process each packet with certain header field values. The flow includes a set of match fields and at least one action to perform on each packet that has a set of header values that match the set of match field values. Typically, the action specifies dropping the packet or outputting the packet to one or more of the PFE's output ports. For instance, when the PFE 215 receives a packet, it performs a ”, [0040]).
	As to claims 5, 12 and 19, Hooda in view of Behera and Haalen discloses claims 1, 8 and 15, Hooda further discloses redirecting the encapsulated packet to a service machine that is configured to provide the at least one service to the packet causes the service machine to perform: parsing the encapsulated packet to extract, from the encapsulated packet, the tenant identifier, the source address, the destination address, and the protocol identifier determining the result for the packet based on the tenant identifier, the source address, the destination address, the protocol identifier, and based on service profiles maintained by the service machine; and providing the result to the service inserter (“To process packets, the PFE (215 or 220) of some embodiments maintains a number of flows in a flow table, memory (e.g., content-addressable memory (CAM) or ternary CAM (TCAM)), or a datapath cache (245 or 250). Each flow is essentially a rule that specifies how the PFE should process each packet with certain header field values. The flow includes a set of match fields and at least one action to perform on each packet that has a set of header values that match the set of match field values. Typically, the action specifies dropping the packet or outputting the packet to one or more of the PFE's output ports. For instance, when the PFE 215 receives a packet, it performs a packet classification operation (e.g., a hash-based lookup ”, [0040]). 
	As to claims 6, 13 and 20, Hooda in view of Behera and Haalen discloses claims 1, 8 and 15, Behera further discloses a software defined networking (“SDN”) manager provides data for generating a property table that includes the tenant identifier for packets detected by the VNIC, and that is maintained by the VNIC; wherein the SDN manager provides data for generating the rule table that includes actions to be performed on packets, that is indexed using a plurality of tenant identifiers and attributes of packets, and that is maintained by the service inserter; and wherein the SDN manager provides data for generating the service profiles that include rules for servicing packets, that are indexed using a plurality of tenant identifiers and attributes of the packets, and that are maintained by the service machine ([0077]-[0096], such as “the NVP manager 805 of some embodiments provides a user interface to access various services that the NVP controller provides. The NVP manager can also include logic that is not included in the NVP controller”, [0093] and  “8 illustrates an example system 800 with such a scalable framework. As shown, the system includes a network virtualization platform (NVP) 895 and a physical forwarding element (PFE) 815. The main components of the framework is the flow stats explorer 825 that operates on the PFE 815 and the aggregator 810 that operates on the NVP 895”, [0077]). 
	As to claims 7 and 14, Hooda in view of Behera and Haalen discloses claims 1 and 8, Behera further discloses: 
	in response to determining that no service is to be applied to the packet: determining whether the packet is to be dropped; in response to determining that the packet is not to be dropped, determining whether the packet is to be allowed; and in response to determining that the packet is to be allowed, routing the packet toward its destination (“To process packets, the PFE (215 or 220) of some embodiments maintains a number of flows in a flow table, memory (e.g., content-addressable memory (CAM) or ternary CAM (TCAM)), or a datapath cache (245 or 250). Each flow is essentially a rule that specifies how the PFE should process each packet with certain header field values. The flow includes a set of match fields and at least one action to perform on each packet that has a set of header values that match the set of match field values. Typically, the action specifies dropping the packet or outputting the packet to one or more of the PFE's output ports. For instance, when the PFE 215 receives a packet, it performs a packet classification operation (e.g., a hash-based lookup operation) to find a matching flow from the datapath cache 245, and outputs the packet to a particular port (e.g., port 1 or port 2) according to the matching flow's action”, [0040]; note that outputting the packet suggests the packet is not to be dropped, and outputting the packet to specified output port(s) suggests routing the packet toward its destination).
Response to Arguments
Applicant's arguments filed 7/16/21 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JIANYE WU whose telephone number is (571)270-1665.  The examiner can normally be reached on M-TH 8am-6pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yemane Mesfin can be reached on (571) 272-3927.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JIANYE WU/Primary Examiner, Art Unit 2462