DETAILED ACTION
Claims 1-20 are pending in this application.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/27/2019, 04/07/2020 and 02/23/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-5 and 11-14 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrating into practical application or significantly more.
Regarding claims 1 and 11, claims 1 and 11 are rejected under 35 USC
101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.

Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application.
It's noted that the claims recite additional elements (i.e., switching engine, encryption engine). However, said additional elements are recited at a high-level of generality (i.e., a switching engine and encryption engine performing a generic computer function “receive, perform generate (switching engine),” and “secure, (encryption engine)” such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to
significantly more than the judicial exception because the additional elements
when considered both individually and as an ordered combination do not amount
to significantly more than the abstract idea. As mentioned above, although the
claims recite additional elements, said elements taken individually or as a combination,
do not result in the claim amounting to significantly more than the abstract idea because
as the additional elements perform generic computer “generate,” and “secure,” functions routinely used in information technology field. None of the steps recited in claims 1 and 11 transform the nature of the claim into patent-eligible subject matter. As a result, the 

Regarding claims 2-4 and 12-14 are also rejected under 35
U.S.C 101 as being directed to non-statutory subject matter for the same reasons
addressed above as the claims are directed to abstract idea without being integrated into a practical application nor being significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 1, 5, 11 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) and further in view of Cisco (“Cisco IOS VPN Configuration Guide, Pages 1-131, 2005). 

Regarding claim 1, Sankaran discloses a method for modifying network traffic data, comprising:
receiving a network traffic data unit by a switching engine; (Sankaran, 602, FIG 6 receive, by a media access control security (MACSec) capable device, a data packet from a host device for tunneling to a controller in a network; Also see Col. 7, Lines 20-49 which describe FIG 6; Col. 2, Line 57 describes the MACsec capable device may be a network switch)
performing an analysis on the network traffic data unit to obtain network tunnel information; (Sankaran, Col. 4, Lines 1-32 describe port information and a lookup a table maintained on a MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller [performing an analysis]; Figures 2-4 describe network tunnel information in the header; 602, 604, 606, 608, FIG 6 shows performing an analysis on the data packet to obtain network tunnel information for a GRE tunnel; Also see Col. 7, Lines 20-49 which describe FIG 6)
Sankaran fails to explicitly disclose generating encryption information based on the network tunnel information; 
 (Cisco, Pages 3-9 to 3-10, IPSec can be configured in tunnel mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel or in conjunction with GRE tunnel. In IPSec tunnel mode, the entire IP datagram is encrypted and it becomes the payload in a new IP packet. This mode allows a network device such as  router to act as an IPSec proxy. That is the router perfoms encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system; Page 3-22 describes configuring IPSec Tunnel Mode on a specific port [tunnel information]; Page 3-23 describes defining a transform set with an encryption type as esp-des or esp-sha-hmac] to configure the IPSec Tunnel mode; also see Section 3-2 to 3-28)
 securing the network traffic data unit, by an encryption engine, based on the encryption information (Cisco, Page 2-2, First Paragraph, in each scenario, a tunnel is constructed, encryption is applied to the tunnel, different traffic types are either permitted or denied access to the tunnel. This controls the level of access the remote office and business partner have to the corporate tunnel and secures the data exchanged between the sites; FIG 2-1 shows an IPSec tunnel between the headquarters and business partner; Pages 3-9 to 3-10, IPSec can be configured in tunnel mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel or in conjunction with GRE tunnel. In IPSec tunnel mode, the entire IP datagram is encrypted and it becomes the payload in a new IP packet. This mode allows a network device such as  router to act as an IPSec proxy. That is the router perfoms encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system; Page 3-22 describes configuring IPSec Tunnel Mode on a specific port [tunnel information]; Page 3-23 describes defining a transform set with an encryption type as esp-des or esp-sha-hmac] to configure the IPSec Tunnel mode; also see Section 3-2 to 3-28) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Cisco with the method and system of Sankaran to include securing the network traffic data unit, by an encryption engine, based on the encryption information. One would have been motivated to protect against traffic analysis such than an attacker can only determine the tunnel endpoints and not the true source and destination of packets passing through the tunnel even if they are the same as the tunnel endpoints (Cisco, Page 3-10, first paragraph).  

Regarding claim 5, Sankaran and Cisco disclose the method of claim 1. 
Sankaran further discloses wherein the switching engine and the encryption engine are both hardware components of a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57). 

Regarding claim 11, Sankaran discloses a network device for modifying network traffic data, comprising:
a switching engine, configured to: (Sankaran, Col. 2, Line 57, network switch)
receive a network traffic data unit; (Sankaran, Col. 2, Lines 15-16 & 55-56, receive a data packet [network traffic data unit])
perform an analysis on the network traffic data unit to obtain network tunnel information; (Sankaran, Col. 4, Lines 1-32 describe port information and a lookup a table maintained on a MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller [perfoming an analysis]; Figures 2-4 describe network tunnel information in the header; 602, 604, 606, 608, FIG 6 shows performing an analysis on the data packet to obtain network tunnel information for a GRE tunnel; Also see Col. 7, Lines 20-49 which describe FIG 6)  and
Sankaran fails to explicitly disclose generate encryption information based on the network tunnel information; and an encryption engine, configured to: secure the network traffic data unit based on the encryption information. 
However, in an analogous art, Cisco discloses generate encryption information based on the network tunnel information; (Cisco, Pages 3-9 to 3-10, IPSec can be configured in tunnel mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel or in conjunction with GRE tunnel. In IPSec tunnel mode, the entire IP datagram is encrypted and it becomes the payload in a new IP packet. This mode allows a network device such as  router to act as an IPSec proxy. That is the router perfoms encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system; Page 3-22 describes configuring IPSec Tunnel Mode on a specific port [tunnel information]; Page 3-23 describes defining a transform set with an encryption type as esp-des or esp-sha-hmac] to configure the IPSec Tunnel mode; also see Section 3-2 to 3-28)
and an encryption engine, configured to: secure the network traffic data unit based on the encryption information. (Cisco, Page 2-2, First Paragraph, in each scenario, a tunnel is constructed, encryption is applied to the tunnel, different traffic types are either permitted or denied access to the tunnel. This controls the level of access the remote office and business partner have to the corporate tunnel and secures the data exchanged between the sites; FIG 2-1 shows an IPSec tunnel between the headquarters and business partner; Pages 3-9 to 3-10, IPSec can be configured in tunnel mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel or in conjunction with GRE tunnel. In IPSec tunnel mode, the entire IP datagram is encrypted and it becomes the payload in a new IP packet. This mode allows a network device such as  router to act as an IPSec proxy. That is the router perfoms encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system; Page 3-22 describes configuring IPSec Tunnel Mode on a specific port [tunnel information]; Page 3-23 describes defining a transform set with an encryption type as esp-des or esp-sha-hmac] to configure the IPSec Tunnel mode; also see Section 3-2 to 3-28) 


Regarding claim 15, Sankaran and Cisco disclose the network device of claim 11. 
Sankaran further discloses wherein the switching engine and the encryption engine are both hardware components of a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).

Claims 2-3, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) in view of Cisco (“Cisco IOS VPN Configuration Guide, Pages 1-131, 2005) and further in view of Zhang et al (“Zhang,” US 20090204850)

Regarding claim 2, Sankaran and Cisco disclose the method of claim 1. 

performing a lookup to identify a destination; (Sankaran, Col. 4, Lines 26-32, the MACsec engine may identify the destination MAC address from the encapsulation header in the encapsulated data packet, and then look up a database (table) maintained on MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller)
making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; (Sankaran, 602-614, Col. 7, Lines 20-49 which describe FIG 6 describes making a determination that a packet is to cross a GRE tunnel based on the destination)
and appending the network tunnel information to the network traffic data unit based on the first determination, (Sankaran, FIG 4 shows adding the GRE tunnel information the data packet based on the first determination)
Sankaran and Cisco fail to explicitly disclose wherein the network tunnel information indicates termination at a device that comprises a decryption engine.
However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the method and system of Sankaran and Cisco to include wherein the network tunnel 

Regarding claim 3, Sankaran and Cisco disclose the method of claim 2. 
Sankaran further discloses wherein generating the encryption information comprises:
making a second determination that the network tunnel requires encryption; (Sankaran, Col. 7, Lines 20-49 which describe FIG 6 describes making determinations that the GRE tunnel requires encryption)
appending the encryption information to the network traffic data unit based on the second determination, wherein the encryption information specifies an encryption type, (Sankaran, Figures 2-4 and 7 describe adding the encryption information to the data packet based on the determinations, wherein the encryption information specifies MACsec). 

Regarding claim 12, Sankaran and Cisco disclose the network device of claim 11. 
Sankaran further discloses wherein the analysis comprises:
performing a lookup to identify a destination; (Sankaran, Col. 4, Lines 26-32, the MACsec engine may identify the destination MAC address from the encapsulation header in the encapsulated data packet, and then look up a database (table) maintained on MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller)
making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; (Sankaran, 602-614, Col. 7, Lines 20-49 which describe FIG 6 describes making a determination that a packet is to cross a GRE tunnel based on the destination) and
appending the network tunnel information to the network traffic data unit based on the first determination, (Sankaran, FIG 4 shows adding the GRE tunnel information the data packet based on the first determination)
Sankaran and Cisco fail to explicitly disclose wherein the network tunnel information indicates termination at a device that comprises a decryption engine,
However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the method and system of Sankaran and Cisco to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been 

Regarding claim 13, Sankaran, Cisco and Zhang disclose the network device of claim 12. 
Sankaran further discloses wherein generating the encryption information comprises:
making a second determination that the network tunnel requires encryption; (Sankaran, Col. 7, Lines 20-49 which describe FIG 6 describes making determinations that the GRE tunnel requires encryption)
and
appending the encryption information to the network traffic data unit based on the second determination, wherein the encryption information specifies an encryption type, (Sankaran, Figures 2-4 and 7 describe adding the encryption information to the data packet based on the determinations, wherein the encryption information specifies MACsec). 

Claim 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), Cisco (“Cisco IOS VPN Configuration Guide, Pages 1-131, 2005), Zhang et al (“Zhang,” US 20090204850) in view of Saraf et al (“Saraf,” US 20170366508) and further in view of Hunn et al (“Hunn,” US 20160117449).  

Regarding claim 4, Sankaran, Cisco and Zhang disclose the method of claim 3. 
Sankaran further discloses wherein encrypting the network traffic data unit comprises:
making a third determination that the encryption information is valid; (Sankaran, Col. 5, Lines 23-30 describes making multiple determinations that the encryption data is valid such that the action performed by the controller is authentication, access control, policy enforcement, and firewall inspection)
Sankaran does disclose is based on the encryption type (See Col. 7, Lines 20-49 which describes the encryption type to be MACsec). 
Sankaran, Cisco and Zhang fail to explicitly disclose modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit is based on the encryption type; 
However, in an analogous art, Saraf discloses modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit; (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with the method and system of Sankaran, Cisco and Zhang to include modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit. One would have been motivated to use operating system redirection for network stream transformation operations (Saraf, [0042]). 

However, in an analogous art, Hunn discloses and after the modifying: 
removing the encryption information; (Hunn, [0043] describes removing the encryption key)
and appending decryption information (Hunn, [0063] describes keeping a decryption key for added security)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hunn with the method and system of Sankaran and Cisco to include and after the modifying: removing the encryption information; and appending decryption information. One would have been motivated to provide added security to prevent unauthorized duplication of the data structure (Hunn, [0063]). 

Regarding claim 14, Sankaran, Cisco and Zhang disclose the network device of claim 13. 
Sankaran further discloses wherein encrypting the network traffic data unit comprises:
making a third determination that the encryption information is valid; (Sankaran, Col. 5, Lines 23-30 describes making multiple determinations that the encryption data is valid such that the action performed by the controller is authentication, access control, policy enforcement, and firewall inspection)
 (See Col. 7, Lines 20-49 which describes the encryption type to be MACsec). 
Sankaran, Cisco and Zhang fail to explicitly disclose modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit. 
 However, in an analogous art, Saraf discloses modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with the method and system of Sankaran, Cisco and Zhang to include modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit.. One would have been motivated to use operating system redirection for network stream transformation operations (Saraf, [0042]).
However, in an analogous art, Hunn discloses and after the modifying: removing the encryption information; (Hunn, [0043] describes removing the encryption key)
and appending decryption information (Hunn, [0063] describes keeping a decryption key for added security)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hunn with the method and system of Sankaran, Cisco, Zhang and Saraf to include and after the modifying: removing the encryption information; and appending decryption information. . 


Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856) and further in view of Gluck et al (“Gluck,” US 20130091350). 

Regarding claim 6, Chiquito discloses a method for modifying network traffic data, comprising:
receiving an encrypted network traffic data unit, by the decryption engine, (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
comprising: 
(Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information; (Chiquito, Pages 7-8 shows decrypted information)
obtaining the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length) and
Chiquito fails to explicitly disclose generating post-decryption information based on the decrypting.
However, in an analogous art, Gluck discloses generating post-decryption information based on the decrypting, (Gluck, [0029], describes adding post-decryption information for decryption based on a second determination).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Chiquito to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a 

Regarding claim 16, Chiquito discloses a network device for modifying network traffic data, comprising:
a decryption engine, configured to: (Chiquito, Page 6 shows a software display where to detect/decode encrypted ESP payloads)
receive an encrypted network traffic data unit, (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
comprising:
network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information; (Chiquito, Pages 7-8 shows decrypted information)
obtain an encryption type based on the decryption information; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length)
decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length)  and
Chiquito fails to explicitly disclose generate post-decryption information based on the decrypted network traffic data unit. 
However, in an analogous art, Gluck discloses generate post-decryption information based on the decrypted network traffic data unit (Gluck, [0029]-[0030], [0034]-[0035] & [0039] describes creating post-decryption information based on the decrypted network packet)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Chiquito to include generate post-decryption information based on the decrypted network traffic data unit. One would have been motivated to .

Claims 7-10 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856), in view of Gluck et al (“Gluck,” US 20130091350) and further in view of Sankaran et al (“Sankaran,” US 10,708,245). 

Regarding claim 7, Chiquito and Gluck disclose the method of claim 6. 
Chiquito further discloses and performing an analysis on the decryption information to obtain the encryption type, based on the first determination (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet with length)  
Chiquito and Gluck fail to explicitly disclose making a first determination that the network tunnel information specifies a device that comprises the decryption engine. 
However, in an analogous art, Sankaran discloses making a first determination that the network tunnel information specifies a device that comprises the decryption engine, (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the encrypted processed data packet may be decrypted to generate the processed data packet). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito and Gluck to include wherein the method further comprises: transmitting the decrypted network traffic data unit to a switching engine; wherein switching engine and the decryption engine are both hardware components in a same device. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 8, Chiquito, Gluck and Sankaran disclose the method of claim 7. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; (Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)
Gluck further discloses appending post-decryption information that indicates a successful decryption, based on the second determination, (Gluck, [0029] describes adding post-decryption information for a decryption process based on another determination [second determination]). 


Regarding claim 9, Chiquito, Gluck and Sankaran disclose the method of claim 8. 
Gluck further discloses wherein generating the post-decryption information comprises:
making a second determination that the decrypting and the authenticating was successful; (Gluck, [0030] & [0034]-[0035] & [0039] descries making a second determination that the decrypting  and the authenticating was successful was successful) and
appending post-decryption information that indicates a successful decryption, based on the second determination, (Gluck, [0029], describes adding post-decryption information for decryption based on a second determination).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with 

Regarding claim 10, Chiquito and Gluck disclose the method of claim 6. 
Chiquito and Gluck fail to explicitly disclose wherein the method further comprises: transmitting the decrypted network traffic data unit to a switching engine; wherein switching engine and the decryption engine are both hardware components in a same device. 
However, in an analogous art, Sankarin discloses wherein the method further comprises: transmitting the decrypted network traffic data unit to a switching engine; (Sankaran, Col. 5, Lines 44-67 describe sending the decrypted processed data packet to a network switch as described in Col. 2, Line 57) and
wherein switching engine and the decryption engine are both hardware components in a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankarn with 

Regarding claim 17, Chiquito and Gluck disclose the network device of claim 16. 
Chiquito further discloses performing an analysis on the decryption information to obtain the encryption type, based on the first determination, (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length)  
Chiquito and Gluck fail to explicitly disclose wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine. 
However, in an analogous art, Sankaran discloses wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito and Gluck to include wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 18, Chiquito, Gluck and Sankaran disclose the network device of claim 17. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises:
modifying the encrypted network traffic data unit based on the encryption type; (Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)

Regarding claim 19, Chiquito, Gluck and Sankaran disclose the network device of claim 18. 
(Gluck, [0030] & [0034]-[0035] & [0039] descries making a second determination that the decrypting  and the authenticating was successful was successful) and
appending post-decryption information that indicates a successful decryption, based on the second determination (Gluck, [0029], describes adding post-decryption information for decryption based on a second determination). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Chiquito to include disclose wherein generating the post-decryption information comprises: making a second determination that the decrypting and the authenticating was successful; and appending post-decryption information that indicates a successful decryption, based on the second determination and appending post-decryption information that indicates a successful decryption, based on the second determination. One would have been motivated to communicate data provided by users or other external systems between an application server and a client via a proxy (Gluck, [0002]). 

Regarding claim 20, Chiquito and Gluck disclose the network device of claim 16. 

However, in an analogous art, Sankaran further discloses wherein:
the network device further comprises a switching engine; (Sankaran, Col. 2, Line 57, network switch) and
the decryption engine is further configured to transmit the decrypted network traffic data unit to the switching engine, (Sankaran, Col. 5, Lines 44-67 describe sending the decrypted processed data packet to a network switch as described in Col. 2, Line 57)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito and Gluck to include wherein: the network device further comprises a switching engine; and the decryption engine is further configured to transmit the decrypted network traffic data unit to the switching engine. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774.  The examiner can normally be reached on M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES J WILCOX/Examiner, Art Unit 2439                                                                                                                                                                                                        
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439