Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s Appeal Brief filed on 02 October 2021. The Examiner contacted the Applicant's representative on 19 November 2021 and presented proposed claim amendments to place the application in better condition for an allowance by amending all independent claims to overcome the prior art and incorporate the claim language recited in dependent claims 10 and 20 – “identifying an entry of the mapping table for the logical network first source address, identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry, and determining whether the third source address matches the second source address” and remove the claim language located in the preamble for independent claims 1 and 12 - “performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network” and place the claim language within the body of the claim, preferably after the last claim limitation beginning with “when the logical network first source address….”.  After conducting an interview, the proposal was accepted and authorization was given for an Examiner’s Amendment on 15 December 2021. Claims 10 and 20 have been canceled. Claims 1 and 11-12 have been amended. Claims 1-9 and 11-19 remain pending. 
Information Disclosure Statement
4.	The Information Disclosure Statements respectfully submitted on 17 March 2021, 12 May 2021, and 17 August 2021 have been considered by the Examiner.

Response to Arguments
5.	Applicant’s arguments in the Appeal Brief filed on 02 October 2021, that the prior art does not expressly disclose performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network, have been fully considered and are persuasive; see, for example, pages 6-14. Therefore, the 35 U.S.C. 103 rejection of claims 1-20 in view of Shen et al., Kwan, and in further view of Bansal et al. has been withdrawn. Amending all independent claims to overcome the prior art by incorporating the claim language recited in dependent claims 10 and 20 – “identifying an entry of the mapping table for the logical network first source address, identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry, and determining whether the third source address matches the second source address” – and by removing the claim language located in the preamble of independent claims 1 and 12 - “performing spoof guarding to ensure that packets do not use invalid network addresses for the logical network” and placing that language within the body of the claim, preferably after the last claim limitation beginning with “when the logical network first source address….”, placed the application in better condition for an allowance.
EXAMINER’S AMENDMENT
6.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Attorney Mani Adeli, Reg. No. 39,585 on 15 December 2021. The application has been amended as follows: 
Please amend the following claims:
Claim 1.	(Currently Amended) For a managed forwarding element (MFE) executing on a data compute node (DCN) that operates on a host computer in a public datacenter, the MFE implementing a logical network that connects a plurality of DCNs within the public datacenter, a method of performing spoof guarding 
receiving a packet directed to the DCN, wherein the packet (i) has a logical network first source address and (ii) is encapsulated with a second source address associated with an underlying public datacenter network;
performing the spoof guarding operation by (i) determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses[[;]], and (ii) based on a determination that the logical network first source address is not a valid source address for the packet, dropping the packet as the packet uses an invalid network address for the logical network, said determining comprising:
	identifying an entry of the mapping table for the logical network first source address;
	identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry; and
	determining that the third source address does not match the second source address.

Claim 2.	(Original) The method of claim 1, wherein the host computer is a first host computer, wherein the first host computer receives the mapping table from a network controller that (i) operates on a second host computer in the public datacenter and (ii) configures the MFE to implement the logical network.

Claim 3.	(Original) The method of claim 2, wherein the network controller distributes the mapping table to a controller agent executing on the first DCN, said controller agent directly configuring the MFE to implement the logical network and to use the mapping table.

Claim 4.	(Original) The method of claim 2, wherein the network controller operating on the second host computer is a first network controller that manages a plurality of MFEs operating in the public datacenter to implement the logical network, 

Claim 5.	(Original) The method of claim 4, wherein:
the second network controller has access to and provides configuration data for managed forwarding elements operating in virtualization software of a plurality of host computers of the second datacenter, and
the second network controller does not have access to forwarding elements operating in virtualization software of the first and second host computers of the first datacenter.

Claim 6.	(Previously Presented) The method of claim 1, wherein:
the DCN is a first DCN,
the logical network first source address is a logical network address for applications executing on a second DCN, and
the second source address is an address assigned to the second DCN by the public datacenter.

Claim 7.	(Original) The method of claim 1, wherein a workload application executes on the DCN alongside the MFE, wherein the packet is directed to the workload application.



Claim 9.	(Previously Presented) The method of claim 7, wherein when the logical network first source address is a valid source address for the packet, the MFE forwards the packet to the workload application.

Claim 10.	(Canceled) 

Claim 11.	(Currently Amended) The method of claim [[10]] 1, wherein the third source address is an Internet Protocol (IP) address assigned by the public datacenter to a second DCN, wherein the packet is received from a third DCN that has been compromised by an attacker and is impersonating the second DCN to direct traffic to the first DCN.

Claim 12.	(Currently Amended) A non-transitory machine readable medium storing a managed forwarding element (MFE) which when executed on a data compute node (DCN) operating on a host computer in a public datacenter implements a logical network that connects a plurality of DCNs within the public datacenter, the program comprising sets of instructions for:

performing the spoof guarding operation by (i) determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses[[;]], and (ii) based on a determination that the logical network first source address is not a valid source address for the packet, dropping the packet as the packet uses an invalid network address for the logical network, said determining comprising:
	identifying an entry of the mapping table for the logical network first source address;
	identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry; and
	determining that the third source address does not match the second source address.

Claim 13.	(Original) The non-transitory machine readable medium of claim 12, wherein the host computer is a first host computer, wherein the first host computer receives the mapping table from a network controller that (i) operates on a second host computer in the public datacenter and (ii) configures the MFE to implement the logical network.


Claim 15.	(Original) The non-transitory machine readable medium of claim 13, wherein:
the network controller operating on the second host computer is a first network controller that manages a plurality of MFEs operating in the public datacenter to implement the logical network;
the first network controller receives logical network configuration data from a second network controller operating in a second datacenter;
the second network controller has access to and provides configuration data for managed forwarding elements operating in virtualization software of a plurality of host computers of the second datacenter; and
the second network controller does not have access to forwarding elements operating in virtualization software of the first and second host computers of the first datacenter.

Claim 16.	(Original) The non-transitory machine readable medium of claim 12, wherein: 
the DCN is a first DCN, 

the second source address is an address assigned to the second DCN by the public datacenter.

Claim 17.	(Original) The non-transitory machine readable medium of claim 12, wherein a workload application executes on the DCN alongside the MFE, wherein the packet is directed to the workload application.

Claim 18.	(Original) The non-transitory machine readable medium of claim 17, wherein the packet has a first logical network destination address associated with the workload application, and wherein the encapsulation includes a second destination address associated with the DCN on the underlying public datacenter network.

Claim 19.	(Original) The non-transitory machine readable medium of claim 17, wherein when the first source address is a valid source address for the packet, the MFE forwards the packet to the workload application.

Claim 20.	(Canceled) 



Allowable Subject Matter
7.	Claims 1-9 and 11-19 are allowed.
8.	The following is an examiner’s statement of reasons for allowance: The present invention is directed towards a method for a managed forwarding element (MFE) executing on a data compute node (DCN) for detecting invalid packet addresses. Claims 1 and 12 identify the uniquely distinct features “performing the spoof guarding operation by (i) determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses, and (ii) based on a determination that the logical network first source address is not a valid source address for the packet, dropping the packet as the packet uses an invalid network address for the logical network, said determining comprising: identifying an entry of the mapping table for the logical network first source address; identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry; and determining that the third source address does not match the second source address”.
The closest prior art, Bansal et al. (Pub No. 2017/0317972) discloses a method of providing a set of network addresses associated with a managed forwarding element (MFE) in a logical network that includes a set of data compute nodes (DCNs). The DCNs are hosted on a set of physical hosts. Each DCN is connected to an MFE on the corresponding host. The method receives a request to translate an MFE into a set of network addresses, the request comprising an identification of the MFE. The method 
However, Bansal et al. fail to anticipate or render obvious the claimed limitations of performing the spoof guarding operation by (i) determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses, and (ii) based on a determination that the logical network first source address is not a valid source address for the packet, dropping the packet as the packet uses an invalid network address for the logical network, said determining comprising: identifying an entry of the mapping table for the logical network first source address; identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry; and determining that the third source address does not match the second source address.
The closest prior art, Shen et al. (Pub No. 2017/0163599) discloses a method for a first managed forwarding element (MFE). The method receives a packet from a data compute node that connects to the MFE. The packet has a destination address that corresponds to a data compute node in a remote network. The method determines (i) a group of MFEs that form a bridge cluster for sending packets to the remote network and (ii) multiple tunnel endpoints for the group of MFEs, wherein each MFE in the group has at least one of the plurality of tunnel endpoints. The method selects one of the plurality 
However, Shen et al. fail to anticipate or render obvious the claimed limitations of performing the spoof guarding operation by (i) determining whether the logical network first source address is a valid source address for the logical network for the packet based on a mapping table that maps logical network addresses to underlying public datacenter network addresses, and (ii) based on a determination that the logical network first source address is not a valid source address for the packet, dropping the packet as the packet uses an invalid network address for the logical network, said determining comprising: identifying an entry of the mapping table for the logical network first source address; identifying a third source address associated with the underlying public datacenter network that is a valid source address for the logical network first source address according to the mapping table entry; and determining that the third source address does not match the second source address.
The closest prior art, Kwan (Pub No. 2009/0254973) discloses a system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets.

9.	Therefore, claims 1 and 12 and the respective dependent claims 2-9, 11, and 13-19 are in condition for allowance.
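
Added illustration (not part of the Office action and not the application's own code) of the spoof guarding determination recited in claims 1 and 12, with an inner-address-only check shown for contrast in the claim 11 scenario. The class, method and verdict names, the fail-closed handling of a missing entry or unparsable address, and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    logical_src: str    # inner header: "logical network first source address"
    underlay_src: str   # encapsulation header: "second source address"

class SpoofGuard:
    """Mapping-table check; names and verdict strings are illustrative assumptions."""

    def __init__(self, mapping):
        self._table = {}
        self.update(mapping)

    def update(self, mapping):
        # Replace the table, e.g. when a controller distributes a new copy (claims 2-3).
        self._table = {ipaddress.ip_address(l): ipaddress.ip_address(u)
                       for l, u in mapping.items()}

    def inner_only_check(self, pkt):
        # Weaker check, for contrast: only asks whether the logical address is known.
        try:
            return ipaddress.ip_address(pkt.logical_src) in self._table
        except ValueError:
            return False

    def check(self, pkt):
        try:
            logical = ipaddress.ip_address(pkt.logical_src)
            underlay = ipaddress.ip_address(pkt.underlay_src)
        except ValueError:
            return "drop:malformed"              # assumption: fail closed
        expected = self._table.get(logical)      # the "third source address"
        if expected is None:
            return "drop:no-entry"               # assumption: fail closed
        if expected != underlay:
            return "drop:mismatch"               # logical source is spoofed
        return "forward"

# Constructed sample data (not from the Office action).
MAPPING = {"192.0.2.10": "10.1.0.5", "192.0.2.11": "10.1.0.6"}
LEGIT = Packet("192.0.2.11", "10.1.0.6")
IMPERSONATED = Packet("192.0.2.11", "10.1.0.7")  # claim 11: third DCN poses as second
UNKNOWN = Packet("192.0.2.99", "10.1.0.6")
MALFORMED = Packet("192.0.2.11", "10.1.0.999")

def demo():
    guard = SpoofGuard(MAPPING)
    samples = [("legit", LEGIT), ("impersonated", IMPERSONATED),
               ("unknown", UNKNOWN), ("malformed", MALFORMED)]
    return {name: guard.check(p) for name, p in samples}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

The impersonated packet passes `inner_only_check` because its logical source address is a known one; only the comparison of the mapped underlay address against the encapsulation source address causes it to be dropped.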

Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/COURTNEY D FIELDS/Examiner, Art Unit 2436, December 15, 2021
/KENDALL DOLLY/Primary Examiner, Art Unit 2436