Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This action is in response to the original claims filed 9/06/2019.  Claims 1-20 are pending.  Claims 1 (a machine), 8 (a method), and 15 (a non-transitory CRM) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-4, 7-11, and 14-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a mental process or a method of organizing human activities. For example, the collection of features set forth in independent claims 1, 8, and 15 is akin to a security guard or event registration worker taking a person’s information, verifying said information is registered on some list, and providing a name tag or other badge to an entrant for entry to a premises or event. This judicial exception is not integrated into a practical application because the actions of receiving and sending to clients/servers are merely applying the abstract idea to general purpose computers. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than
Dependent claims 2-4, 7, 9-11, 14, and 16-18 are similarly rejected as being an abstract idea for the reasons detailed above.
Note that dependent claims 5, 6, 12, 13, 19, and 20 are omitted from this rejection as VPN/VRFs and IPSEC/SSL connections are not abstract ideas.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 8, 9, 12, 15, 16, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Antich, US 2015/0271102 (filed 2014-04).
	As to claims 1, 8, and 15, Antich discloses a machine/method/CRM comprising:
one or more processors; and 
one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, (Antich figure 3, a processor and memory storing instructions, Antich ¶ 91) cause the apparatus to perform operations comprising: 
… from a remote access client within a network; (“the service node receives a request from an access node for a targeted LDP session (382). In response to receiving the request, the service node sends a message to the central server requesting assignment of a service node for the targeted LDP session (384). The message may be an authentication message (e.g., in accordance with the RADIUS protocol) that also requests subscriber authentication.” Antich ¶ 109.) 
communicating the user credential (“the service node receives a request from an access node for a targeted LDP session (382). In response to receiving the request, the service node sends a message to the central server requesting assignment of a service node for the targeted LDP session (384). The message may be an authentication message (e.g., in accordance with the RADIUS protocol) that also requests subscriber authentication.” Antich ¶ 109. See also Antich ¶ 53) to an authentication, authorization and accounting (AAA) server within the network; (“VLANs can be dynamically authenticated and created using information received from an AAA on central server 14” Antich ¶ 14. See also ¶¶ 101-102)
receiving a user attribute from the AAA server; (“The service node receives from the central server a message (e.g., a RADIUS message including a VSA) with service resource information for the targeted LDP session to be created (386). In some examples, the RADIUS message may be an authentication reply message that confirms subscriber authentication, and also includes a VSA specifying the service resource information.” Antich ¶ 109)
generating a contextual label based on the user attribute, (“If the central server assigns the requesting service node, then that service node can then proceed to complete setup of the targeted LDP session with the access node, such as by sending an LDP label mapping message to the access node (388). The label mapping message may be generated based on information that was specified in the RADIUS VSA received from the central server.” Antich ¶ 109) wherein the contextual label comprises routing instructions associated with traffic behavior within the network; and (“service node 10B may distribute a LDP label mapping message to access node 36 along an IGP primary path to establish a targeted LDP session 38 between access node 36 and service node 10B” Antich ¶ 46)
advertising a control message to the remote access client, wherein the control message comprises the contextual label. (“If the central server assigns the requesting service node, then that service node can then proceed to complete setup of the targeted LDP session with the access node, such as by sending an LDP label mapping message to the access node (388). The label mapping message may be generated based on information that was specified in the RADIUS VSA received from the central server.” Antich ¶ 109)

Antich does not disclose:
a user credential [from a remote access client]. 

However, Antich does disclose that a user credential is sent (“For example, after validating the RADIUS Authorization-Request message against user profile database (not shown) using the subscriber credentials,” Antich ¶ 53), without describing where the subscriber credentials are obtained.  



	As to claims 2, 9, and 16, Antich discloses a machine/method/CRM of claims 1, 8, and 15 and further discloses:
the operations further comprising receiving a policy from an SD-WAN controller, (“central server 14 may be a software-defined networking (SDN) controller that provides a high-level controller for configuring and managing routing and switching infrastructure of service provider network 2 (e.g., gateway 8, core network 7 and service nodes 10).” Antich ¶ 39) wherein generating the contextual label is further based on the policy received from the SD-WAN controller. (“If the central server assigns the requesting service node, then that service node can then proceed to complete setup of the targeted LDP session with the access node, such as by sending an LDP label mapping message to the access node (388). The label mapping message may be generated based on information that was specified in the RADIUS VSA received from the central server.” Antich ¶ 109)


As to claims 5, 12, and 19, Antich discloses a machine/method/CRM of claims 1, 8, and 15 and further discloses:
wherein the routing instructions associated with the traffic behavior within the network direct traffic to one or more Virtual Private Network (VPN) routing/forwarding (VRF) instances. (“service node 10B may distribute a LDP label mapping message to access node 36 along an IGP primary path to establish a targeted LDP session 38 between access node 36 and service node 10B” Antich ¶ 46. “Packet data network 12 may comprise, for instance, a local area network (LAN), a wide area network (WAN), the Internet, a virtual LAN (VLAN), an enterprise LAN, a layer 3 virtual private network (VPN)” Antich ¶ 23. “Service provider core network 7 may comprise an Internet Protocol (IP) network that uses Multi-Protocol Label Switching (MPLS) mechanisms to encapsulate packets of various network protocols for transport across network 10. MPLS protocols, such as the Label Distribution Protocol (LDP)” Antich ¶ 45)


Claims 3, 4, 10, 11, 17, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Antich, US 2015/0271102 (filed 2014-04), in view of Haddad et al., US 2017/0155724 (filed 2015-12).

wherein the user credential is associated with one or more of the following: a username; a password; a cookie; or a certificate.

Haddad discloses:
wherein the user credential is associated with one or more of the following: a username; a password; a cookie; or a certificate. (“the AAA server can be implemented either locally on the ND or on a remote electronic device coupled with the ND. Authentication is the process of identifying and verifying a subscriber. For instance, a subscriber might be identified by a combination of a username and a password or through a unique key.” Buddhikot ¶ 62).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Antich with Haddad by utilizing the AAA authentication types of Haddad, such as username and password, for the subscriber credentials validated in Antich ¶ 109.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Antich with Haddad in order to utilize known user authentication credentials in the system of Antich, thereby allowing the subscriber to be authenticated using known methods so as to prevent unauthorized subscribers from accessing the system and to provide ease of use for subscriber authentication. 


wherein the user attribute is associated with one or more of the following: a security group; a quality of service (QoS) profile; or a Network Address Translation (NAT) profile.

Haddad discloses:
wherein the user attribute is associated with one or more of the following: a security group; a quality of service (QoS) profile; or a Network Address Translation (NAT) profile. (“The AAA server can determine the authentication, accounting, lawful intercept, line Quality of Service (QoS), quotas and similar policies and metrics. The AAA determination is then returned to the virtual router and switch.” Haddad ¶ 43)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Antich with Haddad by providing QoS policies and metrics to the service node in the VSA specifying the service resource information of Antich ¶ 109.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Antich with Haddad in order to provide information to set up the routing of Antich that includes QoS information so as to allow differentiated services by guaranteeing or limiting subscriber traffic in the network, thereby allowing service tiers to be provided.



Claims 6, 13, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Antich, US 2015/0271102 (filed 2014-04), in view of Buddhikot et al., US 2005/0102529 (filed 2003-10).
As to claims 6, 13, and 20, Antich discloses a machine/method/CRM of claims 1, 8, and 15 but does not disclose:
the operations further comprising establishing an IP Security (IPsec) or Secure Socket Layer (SSL) session with the remote access client prior to generating the contextual label.

Buddhikot discloses:
the operations further comprising establishing an IP Security (IPsec) or Secure Socket Layer (SSL) session with the remote access client prior to generating the contextual label.
(“The AAA server 204 can be operated in the stand-alone server mode or relay mode. In the stand-alone mode, it supports standardized authentication protocols such as TLS, MD5, and One-Time Password (OTP) and the like. In the relay mode, the AAA server 204 relays the RADIUS packets to the remote H-AAA 45 via a AAA broker network or a pre-established pairwise security association. The gateway 40 also supports a web based authentication service that in Simple IP mode of operation allows it to authenticate mobile users using a simple web based form served over a secure SSL web connection to the web server 212.” Buddhikot ¶ 68. See also ¶ 66)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Antich with Buddhikot by incorporating an SSL web connection in the service node of Antich to receive authentication data from the subscriber access node.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to provide SSL in the system of Antich in order to encrypt and secure the subscriber authentication data, thereby preventing intermediary network nodes or other MitM from intercepting and stealing the subscriber's authentication data.

Claims 7 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Antich, US 2015/0271102 (filed 2014-04), in view of Pai et al., US 2019/0349268 (filed 2017-02).
As to claims 7 and 14, Antich discloses a machine/method/CRM of claims 1, 8, and 15 but does not disclose:
the operations further comprising: determining that the user attribute has changed; 
and withdrawing the contextual label in response to determining that the user attribute has changed.

Pai discloses:
the operations further comprising: determining that the user attribute has changed; (“the BNG 100 reauthorizes the subscriber to receive updated information pertaining to the service chain associated with the subscriber (or the downstream service chain associated with the subscriber) in response to a determination that a change of authorization has occurred for the subscriber.” Pai ¶ 63) 
and withdrawing the contextual label in response to determining that the user attribute has changed. (“The service chain for a subscriber is determined when the subscriber session is created and can subsequently be reauthorized with a new service chain.” Pai ¶ 64)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Antich with Pai by incorporating the ability to update the LDP session in response to a change of authorization, as done in Pai ¶ 63.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Antich with Pai in order to allow the system to accommodate changes in authorization and service offerings in a granular manner without disrupting traffic, Pai ¶ 64.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Smith et al., US 2017/0346722, discloses an SDN controller that configures routing paths in a network. 
Mehta et al., US 2019/0052558, discloses an SDN controller to monitor connections and configure routes.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492