DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This office action is in response to the amendment filed on 06/15/2021. After the examiner’s amendment shown below, claims 1, 9, 17 and 25 are independent. Claims 5-6, 13-14 and 21 are cancelled. Claims 1, 4, 9, 12, 17, 20, 22 and 25 are amended. Thus, claims 1-4, 7-12, 15-20 and 22-25 are pending and being considered.

Terminal Disclaimer
The terminal disclaimer, filed on 06/15/2021, has been reviewed and approved on 06/16/2021. Therefore, the double patenting rejection has been waived/withdrawn.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative- Mr. Ankur Garg (Reg. No. 62,463) on 08/11/2021. The summary of the interview is attached.

Amendments to the Claims
The application has been amended as followed:
1. (Currently Amended)          A method for processing encapsulated encrypted data packets at a virtual network interface card (VNIC) on a host machine, comprising:
receiving at the VNIC an encapsulated encrypted data packet, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of a source tunnel endpoint, a destination IP address of a destination tunnel endpoint, and a security parameter index (SPI) value corresponding to a security association between a source endpoint and a destination endpoint, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint; 
determining a packet type of the encapsulated encrypted data packet based on an IP protocol number included in the first header of the encapsulated encrypted data packet;
in response to the determined packet type indicating the encapsulated encrypted data packet is a type of packet having the SPI value, calculating a hash value based at least in part on the SPI value; and 
assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value, wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process packets in the corresponding VNIC RSS queue, wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine. 

2. (Original)	The method of claim 1, wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.  

3. (Original)	The method of claim 1, wherein the hash value is further calculated based on a second hash value calculated by a physical network interface card (PNIC) on the host machine for the encapsulated encrypted data packet.  

4. (Currently Amended)	The method of claim 1, wherein the determined packet type is an encapsulating security payload type 

5. (Cancelled).  

6. (Cancelled).  

7. (Original)	The method of claim 1, further comprising: 
receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; and 
calculating a second hash value based at least in part on the second SPI value; and 


8. (Original)	The method of claim 1, further comprising: 
receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; 
calculating a second hash value based at least in part on the second SPI value; 
assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and 
processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.  

9. (Currently Amended)	A non-transitory computer readable medium comprising instructions to be executed in a computer system, wherein the instructions when executed in the computer system perform a method for processing encapsulated encrypted data packets at a virtual network interface card (VNIC) on a host machine, the method comprising: 
receiving at the VNIC an encapsulated encrypted data packet, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of a source tunnel endpoint, a destination IP 
determining a packet type of the encapsulated encrypted data packet based on an IP protocol number included in the first header of the encapsulated encrypted data packet;
in response to the determined packet type indicating the encapsulated encrypted data packet is a type of packet having the SPI value, calculating a hash value based at least in part on the SPI value; and 
assigning the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value, wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process packets in the corresponding VNIC RSS queue, wherein each virtual CPU corresponds to resources of one or more physical CPUs of the host machine.  

10. (Original)	  The non-transitory computer readable medium of claim 9, wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.  

11. (Original)	  The non-transitory computer readable medium of claim 9, wherein the hash value is further calculated based on a second hash value calculated by a physical 

12. (Currently Amended)	  The non-transitory computer readable medium of claim 9, wherein the determined packet type is an encapsulating security payload type 

13. (Cancelled).  

14. (Cancelled).

15. (Original)   The non-transitory computer readable medium of claim 9, wherein the method further comprises: 
receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; and  
calculating a second hash value based at least in part on the second SPI value; and 
redirecting the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet.  

16. (Original)   The non-transitory computer readable medium of claim 9, wherein the method further comprises: 
receiving at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; 
calculating a second hash value based at least in part on the second SPI value; 
assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and 
processing the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.  

17. (Currently Amended)   A computer system, comprising: 
a memory; and 
one or more processors coupled to the memory, the one or more processors being configured to: 
receive at a virtual network interface card (VNIC) an encapsulated encrypted data packet, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of a source tunnel endpoint, a destination IP address of a destination tunnel endpoint, and a security parameter index (SPI) value corresponding to a security association between a source endpoint and a destination endpoint, the 
determine a packet type of the encapsulated encrypted data packet based on an IP protocol number included in the first header of the encapsulated encrypted data packet;
in response to the determined packet type indicating the encapsulated encrypted data packet is a type of packet having the SPI value, calculate a hash value based at least in part on the SPI value; and
assign the encapsulated encrypted data packet to a first VNIC receive side scaling (RSS) queue of a plurality of VNIC RSS queues associated with the VNIC based on the hash value, wherein each of the plurality of VNIC RSS queues is associated with a different virtual CPU configured to process packets in the corresponding VNIC RSS queue.  

18. (Original)   The computer system of claim 17, wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.  

19. (Original)   The computer system of claim 17, wherein the hash value is further calculated based on a second hash value calculated by a physical network interface card (PNIC) on the computer system for the encapsulated encrypted data packet.  

20. (Currently Amended)   The computer system of claim 17, wherein the determined packet type is 

21. (Cancelled).  

22. (Currently Amended)   The computer system of claim [[21]] 17, wherein each virtual CPU corresponds to resources of one or more of the one or more processors.  

23. (Original)   The computer system of claim 17, wherein the one or more processors are further configured to: 
receive at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth header comprising the source IP address of the source endpoint and the destination IP address of the destination endpoint; 
calculate a second hash value based at least in part on the second SPI value; and 
redirect the second encapsulated encrypted data packet to the first VNIC RSS queue based on the source IP address of the source endpoint and the destination IP address of the destination endpoint being included in the second encapsulated encrypted data packet.  

24. (Original)   The computer system of claim 17, wherein the one or more processors are further configured to:  
receive at the VNIC a second encapsulated encrypted data packet comprising a third header comprising a second SPI value different than the SPI value and a fourth 
calculate a second hash value based at least in part on the second SPI value; 
assigning the second encapsulated encrypted data packet to a second VNIC RSS queue of the plurality of VNIC RSS queues based on the second hash value; and 
process the encapsulated encrypted data packet prior to processing the second encapsulated encrypted data packet.  

25. (Currently Amended)   A method for processing encapsulated encrypted data packets at a physical network interface card (PNIC) on a computing device, comprising: 
receiving at the PNIC an encapsulated encrypted data packet, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of a source tunnel endpoint, a destination IP address of a destination tunnel endpoint, and a security parameter index (SPI) value corresponding to a security association between a source endpoint and a destination endpoint, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint; 
determining a packet type of the encapsulated encrypted data packet based on an IP protocol number included in the first header of the encapsulated encrypted data packet;
in response to the determined packet type indicating the encapsulated encrypted data packet is a type of packet having the SPI value, calculating a hash value based at least in part on the SPI value; and
, wherein the hash value is further calculated based on the source IP address of the source tunnel endpoint and the destination IP address of the destination tunnel endpoint.

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
After further search and consideration, the claims 1-4, 7-12, 15-20 and 22-25 are allowed over the cited prior art(s) of record. 
The following references/prior arts disclose the general subject matter recited in the independent claims 1, 9, 17 and 25 before/after the current amendment is made and/or submitted.
A.	Yang; Li-Jau (Steven) et al. (US 7,003,118 B1), discloses that the IPSEC standard defines an encapsulated payload (ESP) as the mechanism used to transfer encrypted data (packets) and to provide security operations or data processing in a virtual private network. A high performance IPSEC accelerator that is installed on a Network Interface Card (NIC) of a host machine on a network which assists the host in performing various security services for inbound and outbound traffic at the IP layer. Such as the NIC receives the ESP inbound packet from the network. Wherein, the ESP inbound packet includes an IPv4 base header/AH header fields are that classified as a source (IP) address, destination (IP) address and SPI (which is being extracted from the ESP/AH header to generate the SA look-up index SA-ID).  Furthermore, for each IPSEC 
B.	Halme, Matti et al. (US 2002/0097724 A1), disclosure relates to secure communications and especially IPSec tunnels is described in more detail. A receiving entity selects a value for SPI during IKE Phase II negotiations. In a method according to the invention, typically more than one IPSec tunnels are established between a network element cluster and another VPN network element. Each of these IPSec tunnels has a unique SPI value (or values, if many unidirectional Security Associations pointing towards the network element cluster are relating to the same IPSec tunnel). When the receiving entity (i.e. the network element cluster) selects a value for the SPI, it already knows the details of the Security Association. The details indicate values for header fields in outbound data packets. It may, therefore, select an SPI value so that a hash value, calculated using certain known fields of the outbound data packets, is equal to a hash value calculated using said SPI value. This way inbound data packets and outbound data packets relating to a certain IPSec tunnel are processed in the same node of a network element cluster. Typically the hash functions used in calculating a hash value for an outbound data packet and a hash value for an 
C.	SAEKI; Shuichi (US 2017/0063979 A1), discloses to distribute reception packets over the respective reception packet queues in the (physical) NIC, and in functions of the queue selector 14 in the (physical) NIC 11, an encapsulated user IP address located in the payload of a reception packet is detected and, by referring to the determination table 13, a queue in the (physical) NIC, into which the reception packet is to be stored, is determined in accordance with a hash value of the user IP address and the like. Further, the network relay device, when receiving packets, holds the packets in the reception waiting queue temporarily. The lower-level flow identification unit picks out a packet from the reception waiting queue, calculates a hash function by using, for example, header information, such as a source IP address and a destination IP address in the IP header, and, in accordance with the calculated hash function, assign the packet into an upper-level flow identification waiting queue with respect to each lower-level flow.
D.	Jeongseok Son (Protego: Cloud-Scale Multitenant IPsec Gateway; July 12-14, 2017 at USENIX ATC ’17), this paper presents to seamlessly incorporate remote virtual networks into existing on-premises networks, tenants establish site-to-site VPN connections between the gateways. For site-to-site VPN connections, IPsec is typically used to have secure communication between on-
E.	Bouchard et al. (US 7,814,310 B2), discloses a method and apparatus for optimizing IPsec processing by providing execution units with windowing data during pre-fetch and managing coherency of security association data by management of security association accesses. Providing execution units with windowing data allows initial parallel processing of IPsec packets. The security association access ordering apparatus serializes access to the dynamic section of security association data according to packet order arrival while otherwise allowing parallel processing of the IPsec packet by multiple execution units in a security processor. 

G.	Raghu; Jagannath N. (US 2015/0052525 A1), as a first step in IPsec tunnel transmission, the datagram is encrypted, as shown by arrow and cross-hatched encrypted datagram 1836. An encryption key associated with the IPsec tunnel is employed to encrypt the datagram. Next, as shown in FIG. 18D, the encrypted datagram 1836 is packaged within a carrier datagram 1838 for transmission through the Internet to the remote cloud computing facility. The carrier datagram 1838 includes a header that, in turn, includes a destination address 1840 and a source address 1842. The destination address "A200" directs the carrier datagram to organization edge appliance 1804 in the remote cloud-computing facility and the source address “A100” indicates that organization edge appliance 1802 the source of the carrier datagram. In FIG. 18E, the carrier datagram has been transmitted through the Internet to organization edge appliance 1804, where, as indicated by arrow 1846, encrypted datagram 1836 is extracted from the carrier datagram 1838. Encrypted datagram 
H.	Mao; Yuhong et al. (US 9,755,972 B1), particularly discloses to compute a RSS hash from the RSS hash M-tuple vector; select, based on the RSS hash, a particular queue from a set of destination queues identified for the packet; and deliver the packet to the selected particular queue.
I.	See the other cited prior arts.
However, the above prior arts of record including the rest of the cited prior arts either taken alone or in combination neither anticipates nor renders obvious the claimed subject matter of the instant application that is taken as a whole recited in the independent claims 1, 9, 17 and 25. 
For this reason, the specific claim limitations recited in the independent claims 1, 9, 17 and 25 taken as whole are allowed. 
The dependent claims 2-4, 7-8, 10-12, 15-16, 18-20 and 22-24 which are dependent on the above independent claim(s) being further limiting to the independent claims, definite and enabled by the specification are also allowed.
Furthermore, the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule 37 CFR 1.104(e). The grounds of claim rejection was reconsidered and withdrawn based on the substance of applicant’s 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission should be clearly labeled “Comments on Statement of Reasons for Allowance.” In event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control Branch in Publications or faxed to post-allowance papers correspondence branch at (703) 308-5864 to expedite issuing process or call PUB’s Customer service if any questions at (703) 305-8497.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Mon-Fri: 8AM – 4PM. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 

/ALI CHEEMA/
Examiner, Art Unit 2433	

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498