Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-4, 6-17, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatenable by Lin US 8949978 in view of Counterman US 20120240211 further in view of Pinheiro US 20130155948

1.    A method, operational at a gateway in a network, comprising:
receiving, at the gateway, over a user-plane, a first packet from a client device (Lin: fig. 5, unit 502, 6, 602 - HTTP request); 
determining if a network token is requested by evaluating the first packet (Lin: fig. 5, unit 504-512, fig. 6, 604-614, fig. 7, unit 704 - generate token); 

token is derived based on a [[subscription profile]] of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received));
including the network token with the first packet if the network token is requested (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway device and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received)); and
sending the first packet and the network token to an application server (Lin: fig. 5, unit 514, fig. 6, unit 616, fig. 7, unit 706-707 - transmit token).
Lin merely discloses the term subscription profile 
	Counterman further teaches wherein receiving, at the gateway, over a user-plane, a first packet from a client device (Counterman: fig. 3, unit 320, fig. 11-12, unit 1110, 1210 [0105, 0109] receiving a request to authenticate a user device and/or an end user based on use of an application); 
determining if a network token is requested by evaluating the first packet (Counterman: fig. 3, unit 320, fig. 11-12, unit 1240 [0105-0107, 0109-0112] evaluating policies for the application and end user identifiers to determine what and if authentication is required….); 

token is derived based on a subscription profile of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Counterman: fig. 3, unit 320 fig. 11-12, unit 1280 [0112] receiving, from the authentication enabler, a response indicating that the application/end user is or is not authenticated);
including the network token with the first packet if the network token is requested (Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) and
sending the first packet and the network token to a destination an application server (Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) in order to receive a level of assurance for that identification and to form trust relationships [0002].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to receive a level of assurance for that identification and to form trust relationships [0002], as taught by Counterman.
Pinheiro further teaches receiving, at the gateway, over a user-plane, a first packet from a client device (Pinheiro: [0085] fig. 3, unit 310-312, fig. 5 - when an EPS bearer is established, a bearer context is created in EPS nodes that handle the user plane data) in order to identify each bearer [0085].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to identify each bearer [0085], as taught by Pinheiro.

2.    The method of claim 1, wherein the network token is an uplink network token to use with uplink user-plane data (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

3.    The method of claim 1, wherein the network token is a downlink network token to use with downlink user-plane data. (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

4.    The method of claim 1, wherein the network token is an uplink network token to use with uplink user-plane data and the method further includes: sending the uplink network token to the client device (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

6.    The method of claim 1, wherein the network token is two token comprising an uplink network token and a downlink network token, the uplink network token being different from the downlink network token (Lin: fig. 5, unit 512, fig. 6, unit 608-610, 614).

7.    The method of claim 1, wherein the first packet and the network token are sent to the destination over the user-plane (Lin: fig. 7, unit 706-707).

8.    The method of claim 1, wherein the network token is derived at the gateway device with a function having a set of input parameters including a secret key that is known to the gateway device and unknown to the device (Lin: fig. 7, unit 704).



10.    The method of claim 9, wherein the class index defines fields used for network token derivation (Lin: fig. 4-7)

11.    The method of claim 9, wherein the network token is a concatenation of the class index and an output of the function (Lin: fig. 4-7 – An entity must have the server token, the end-point server identifier, the URL, and the particular hash function).

12.   The method of claim 1, wherein the network token is associated with a first user-plane data flow of a set of one or more user-plane data flows associated with an application service associated with an application server (Lin: fig. 5-7).

13.    The method of claim 1, wherein the gateway is a packet data network (PDN) gateway (P-GW) (Lin: fig. 5-7).

14.    The method of claim 1, wherein the first packet includes an explicit request for the network token (Lin: fig. 5-7 – HTTP request).



16.    The method of claim 1, wherein determining if the network token is requested is based on determining if an application server to which the first packet is to be sent, or from which the first packet is received, requires the network token (Lin: fig. 5-7, unit 602-614).

Regarding claims 17, 19-20, the independent claim and each dependent claim are related to the same limitation set for hereinabove in claims 1-16, where the difference used is a “gateway device” (Lin: fig. 1) and the wordings of the claims were interchanged within the claim itself or some of the claims were presented as a combination of two or more previously presented limitations. This change does not affect the limitation of the above treated claims. Adding these phrases to the claims and interchanging the wording did not introduce new limitations to these claims. Therefore these claims were rejected for similar reasons as stated above.

21. The gateway of claim 17, wherein the network token is an uplink network token to use with uplink user-plane data, further comprising: sending the uplink network token to the client device (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12);
receiving a second packet including the uplink network token from the client device; verifying the received uplink network token (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12); and sending the second packet to the application server if the uplink network token is verified (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatented by Lin- Counterman- Pinheiro in view of Reddy US 20160294803

5.    The method of claim 4, further comprising: receiving, at the gateway, a [[second]] packet including the uplink network token from the client device (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]);
verifying the uplink network token; (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]); and 
sending [[the second packet]] to the application server if the uplink network token is verified (Lin: fig. 6, unit 616; Counterman: fig. 12, [0095, 0110]).
Lin merely discloses the term receiving a second packet
Reddy further teaches a second packet (Reddy: fig. 3, step 46-48 [0048-0049]) in order to add or establish a data flow [0049]
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to add or established a data flow [0049], as taught by Reddy.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-4, 6-17, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatenable by Lin US 8949978 in view of Counterman US 20120240211 further in view of Jouppi US 20050053070

1.    A method, operational at a gateway in a network, comprising:
receiving, at the gateway, over a user-plane, a first packet from a client device (Lin: fig. 5, unit 502, 6, 602 - HTTP request); 
determining if a network token is requested by evaluating the first packet (Lin: fig. 5, unit 504-512, fig. 6, 604-614, fig. 7, unit 704 - generate token); 
obtaining the network token if the network token is requested, wherein the network
token is derived based on a [[subscription profile]] of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received));
including the network token with the first packet if the network token is requested (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway device and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received)); and
sending the first packet and the network token to an application server (Lin: fig. 5, unit 514, fig. 6, unit 616, fig. 7, unit 706-707 - transmit token).
Lin merely discloses the term subscription profile 
	Counterman further teaches wherein receiving, at the gateway, over a user-plane, a first packet from a client device (Counterman: fig. 3, unit 320, fig. 11-12, unit 1110, 1210 [0105, 0109] receiving a request to authenticate a user device and/or an end user based on use of an application); 
determining if a network token is requested by evaluating the first packet (Counterman: fig. 3, unit 320, fig. 11-12, unit 1240 [0105-0107, 0109-0112] evaluating policies for the application and end user identifiers to determine what and if authentication is required….); 
obtaining the network token if the network token is requested, wherein the network
token is derived based on a subscription profile of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Counterman: fig. 3, unit 320 fig. 11-12, unit 1280 [0112] receiving, from the authentication enabler, a response indicating that the application/end user is or is not authenticated);
including the network token with the first packet if the network token is requested (Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) and
Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) in order to receive a level of assurance for that identification and to form trust relationships [0002].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to receive a level of assurance for that identification and to form trust relationships [0002], as taught by Counterman.
Jouppi further teaches receiving, at the gateway, over a user-plane, a first packet from a client device (Jouppi: [0024, 0038-0041] fig. 3-6, the mobile station sends 604, to the gateway GPRS support node GGSN, an activate PDP context request) in order to determines the appropriate P-CSCF on the basis of the authorization token [0041].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to determines the appropriate P-CSCF on the basis of the authorization token [0041], as taught by Jouppi.

2.    The method of claim 1, wherein the network token is an uplink network token to use with uplink user-plane data (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

3.    The method of claim 1, wherein the network token is a downlink network token to use with downlink user-plane data. (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).



6.    The method of claim 1, wherein the network token is two token comprising an uplink network token and a downlink network token, the uplink network token being different from the downlink network token (Lin: fig. 5, unit 512, fig. 6, unit 608-610, 614).

7.    The method of claim 1, wherein the first packet and the network token are sent to the destination over the user-plane (Lin: fig. 7, unit 706-707).

8.    The method of claim 1, wherein the network token is derived at the gateway device with a function having a set of input parameters including a secret key that is known to the gateway device and unknown to the device (Lin: fig. 7, unit 704).

9.    The method of claim 8, wherein the set of input parameters further includes, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI) (Lin: fig. 5-7 – URL/ identifier).

10.    The method of claim 9, wherein the class index defines fields used for network token derivation (Lin: fig. 4-7)



12.   The method of claim 1, wherein the network token is associated with a first user-plane data flow of a set of one or more user-plane data flows associated with an application service associated with an application server (Lin: fig. 5-7).

13.    The method of claim 1, wherein the gateway is a packet data network (PDN) gateway (P-GW) (Lin: fig. 5-7).

14.    The method of claim 1, wherein the first packet includes an explicit request for the network token (Lin: fig. 5-7 – HTTP request).

15.    The method of claim 1, wherein the first packet is representative of an implicit request for the network token (Lin: fig. 5-7, unit 702 – HTTP request).

16.    The method of claim 1, wherein determining if the network token is requested is based on determining if an application server to which the first packet is to be sent, or from which the first packet is received, requires the network token (Lin: fig. 5-7, unit 602-614).

Regarding claims 17, 19-20, the independent claim and each dependent claim are related to the same limitation set for hereinabove in claims 1-16, where the difference used is a 

21. The gateway of claim 17, wherein the network token is an uplink network token to use with uplink user-plane data, further comprising: sending the uplink network token to the client device (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12);
receiving a second packet including the uplink network token from the client device; verifying the received uplink network token (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12); and sending the second packet to the application server if the uplink network token is verified (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatented by Lin- Counterman- Jouppi in view of Reddy US 20160294803

5.    The method of claim 4, further comprising: receiving, at the gateway, a [[second]] packet including the uplink network token from the client device (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]);
verifying the uplink network token; (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]); and 
the second packet]] to the application server if the uplink network token is verified (Lin: fig. 6, unit 616; Counterman: fig. 12, [0095, 0110]).
Lin merely discloses the term receiving a second packet
Reddy further teaches a second packet (Reddy: fig. 3, step 46-48 [0048-0049]) in order to add or establish a data flow [0049]
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to add or established a data flow [0049], as taught by Reddy.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-4, 6-17, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatenable by Lin US 8949978 in view of Counterman US 20120240211 further in view of Widegren US 20020036983


receiving, at the gateway, over a user-plane, a first packet from a client device (Lin: fig. 5, unit 502, 6, 602 - HTTP request); 
determining if a network token is requested by evaluating the first packet (Lin: fig. 5, unit 504-512, fig. 6, 604-614, fig. 7, unit 704 - generate token); 
obtaining the network token if the network token is requested, wherein the network
token is derived based on a [[subscription profile]] of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received));
including the network token with the first packet if the network token is requested (Lin: fig. 5, unit 504-512, fig. 6, 604-614 - The validation server token is generated by applying a hash function to the combination of a secret value in the gateway device and an identifier of the end-point server (i.e., the server connected to the end-point computer from which the HTTP request was received)); and
sending the first packet and the network token to an application server (Lin: fig. 5, unit 514, fig. 6, unit 616, fig. 7, unit 706-707 - transmit token).
Lin merely discloses the term subscription profile 
	Counterman further teaches wherein receiving, at the gateway, over a user-plane, a first packet from a client device (Counterman: fig. 3, unit 320, fig. 11-12, unit 1110, 1210 [0105, 0109] receiving a request to authenticate a user device and/or an end user based on use of an application); 
determining if a network token is requested by evaluating the first packet (Counterman: fig. 3, unit 320, fig. 11-12, unit 1240 [0105-0107, 0109-0112] evaluating policies for the application and end user identifiers to determine what and if authentication is required….); 
obtaining the network token if the network token is requested, wherein the network
token is derived based on a subscription profile of the client device that is maintained by a core network and reflects a policy enforced by the core network with respect to the client device (Counterman: fig. 3, unit 320 fig. 11-12, unit 1280 [0112] receiving, from the authentication enabler, a response indicating that the application/end user is or is not authenticated);
including the network token with the first packet if the network token is requested (Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) and
sending the first packet and the network token to a destination an application server (Counterman: fig. 12, unit 1290 [0112] creating a token and expiration value (if the authentication is successful) and providing the response to the application server) in order to receive a level of assurance for that identification and to form trust relationships [0002].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to receive a level of assurance for that identification and to form trust relationships [0002], as taught by Counterman.
Widegren further teaches receiving, at the gateway, over a user-plane, a first packet from a client device (Jouppi: [0045, 0051, 0064-0072] fig. 9, 13, 15, the MS sends a PDP message to the SGSN to activate the PDP context) in order make the SGSN/GGSN to sort an admission check [0072].
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date of the claim invention to add the above recited limitation in to the Lin’s invention in order to make the SGSN/GGSN to sort an admission check [0072], as taught by Widegren.

2.    The method of claim 1, wherein the network token is an uplink network token to use with uplink user-plane data (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

3.    The method of claim 1, wherein the network token is a downlink network token to use with downlink user-plane data. (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

4.    The method of claim 1, wherein the network token is an uplink network token to use with uplink user-plane data and the method further includes: sending the uplink network token to the client device (Lin: fig. 7, unit 706-707; Counterman: fig. 3-4, 10-12).

6.    The method of claim 1, wherein the network token is two token comprising an uplink network token and a downlink network token, the uplink network token being different from the downlink network token (Lin: fig. 5, unit 512, fig. 6, unit 608-610, 614).



8.    The method of claim 1, wherein the network token is derived at the gateway device with a function having a set of input parameters including a secret key that is known to the gateway device and unknown to the device (Lin: fig. 7, unit 704).

9.    The method of claim 8, wherein the set of input parameters further includes, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI) (Lin: fig. 5-7 – URL/ identifier).

10.    The method of claim 9, wherein the class index defines fields used for network token derivation (Lin: fig. 4-7)

11.    The method of claim 9, wherein the network token is a concatenation of the class index and an output of the function (Lin: fig. 4-7 – An entity must have the server token, the end-point server identifier, the URL, and the particular hash function).

12.   The method of claim 1, wherein the network token is associated with a first user-plane data flow of a set of one or more user-plane data flows associated with an application service associated with an application server (Lin: fig. 5-7).



14.    The method of claim 1, wherein the first packet includes an explicit request for the network token (Lin: fig. 5-7 – HTTP request).

15.    The method of claim 1, wherein the first packet is representative of an implicit request for the network token (Lin: fig. 5-7, unit 702 – HTTP request).

16.    The method of claim 1, wherein determining if the network token is requested is based on determining if an application server to which the first packet is to be sent, or from which the first packet is received, requires the network token (Lin: fig. 5-7, unit 602-614).

Regarding claims 17, 19-20, the independent claim and each dependent claim are related to the same limitation set for hereinabove in claims 1-16, where the difference used is a “gateway device” (Lin: fig. 1) and the wordings of the claims were interchanged within the claim itself or some of the claims were presented as a combination of two or more previously presented limitations. This change does not affect the limitation of the above treated claims. Adding these phrases to the claims and interchanging the wording did not introduce new limitations to these claims. Therefore these claims were rejected for similar reasons as stated above.


receiving a second packet including the uplink network token from the client device; verifying the received uplink network token (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12); and sending the second packet to the application server if the uplink network token is verified (Lin: fig. 6, unit 602; Counterman: fig. 3-4, 10-12).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatented by Lin- Counterman-Widegren in view of Reddy US 20160294803

5.    The method of claim 4, further comprising: receiving, at the gateway, a [[second]] packet including the uplink network token from the client device (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]);
verifying the uplink network token; (Lin: fig. 6, unit 602; Counterman: fig. 12, [0095, 0110]); and 
sending [[the second packet]] to the application server if the uplink network token is verified (Lin: fig. 6, unit 616; Counterman: fig. 12, [0095, 0110]).
Lin merely discloses the term receiving a second packet
Reddy further teaches a second packet (Reddy: fig. 3, step 46-48 [0048-0049]) in order to add or establish a data flow [0049]



Response to Amendment
Applicant's arguments with respect to claim(s) 1-17, 19-21 have been considered but are moot in view of the new ground(s) of rejection.
Remark: 
The examiner stresses that the claims are too broad and require detail or specialization of the steps as recited in the claims. Alone and as claimed, the limitations are too open. 

           Examiner has cited particular portions of the references as applied to each claim limitation for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant in preparing responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
           
Conclusion


/SULAIMAN NOORISTANY/
Primary Examiner, Art Unit 2415