Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This Allowance is in response to the amendment filed 12/27/2021.  Claims 1-7, 21-27 and 31-36 are pending.  Claims 1, 5, 21 and 25 are amended below in this Examiner’s amendment and claims 31-36 are newly presented.  Claims 1 (a method), 21 (a machine), and 36 (a non-transitory CRM) are independent.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Natalya Dvorson (Reg. No. 56,616) on 1/21/2022.

The application has been amended as follows: 

1.	(Currently Amended) A method comprising:
	initiating, by a first Internet Key Exchange (IKE) node from among a plurality of IKE nodes, a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by a second IKE node from among the plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic, wherein the first IKE node and the second IKE node both participate in the IPsec communication session on behalf of the client device; 
	obtaining, by the first IKE node from a key value store, information about the IPSec communication session; and 
	performing, by the first IKE node, the second IKE node 


2.	(Original) The method of claim 1, wherein obtaining, by the first IKE node from the key value store, the information about the IPSec communication session includes:
	retrieving, by the first IKE node from the key value store, the first encryption key, 
	installing locally, by the first IKE node, the IPSec communication session based on the information about the IPSec communication session, and
	publishing, by the first IKE node to the key value store, an event message indicating that the IPSec communication session is installed locally on the first IKE node so that the IPSec communication session is removed from the second IKE node.

3.	(Previously Presented) The method of claim 2, wherein performing, by the first IKE node, the part of the rekeying process in which the first encryption key is replaced with the second encryption key for the IPSec communication session includes:
	providing, by the first IKE node to the client device, an IKE control message using the first encryption key indicating that the second encryption key is generated, and


4.	(Original) The method of claim 3, further comprising: 
	receiving, by the first IKE node from the client device, a response message indicating that the client device generated the second encryption key for the IPSec communication session; and
	in response to the response message, encrypting, by the first IKE node, the traffic of the IPSec communication session using the second encryption key.

5.	(Currently Amended) The method of claim 3, further comprising:
	continuing the IPsec communication session using the second encryption key based on receiving, from the client device, a response message indicating that the second encryption key is generated for the IPSec communication session, 
	wherein the response message is hashed to the second 

6.	(Original) The method of claim 1, wherein the IPSec communication session is one of an IKE session or an encapsulating security payload (ESP) session.

7.	(Original) The method of claim 1, further comprising:
	prior to completing the rekeying process, removing, by the first IKE node, the IPSec communication session that is locally installed on the first IKE node. 

8. – 20.   (Canceled).

21.	(Currently Amended) An apparatus comprising:
a memory;
a network interface configured to enable network communications; and 
a processor, wherein the processor is configured to perform operations comprising:
, wherein the apparatus and the IKE node both participate in the IPsec communication session on behalf of the client device; 
	obtaining, from a key value store, information about the IPSec communication session; and 
	performing a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session and another part of the rekeying process is handled by the IKE node 


22.	(Previously Presented) The apparatus of claim 21, wherein the IKE node is a first IKE node and the apparatus is a second IKE node from among the plurality of IKE nodes and the processor is configured to perform the operation of obtaining the information about the IPSec communication session by:
	retrieving, from the key value store, the first encryption key, 
	installing locally the IPSec communication session based on the information about the IPSec communication session, and
	publishing, to the key value store, an event message indicating that the IPSec communication session is installed locally on the apparatus so that the IPSec communication session is removed from the first IKE node.

23.	(Previously Presented) The apparatus of claim 22, wherein the processor is configured to perform at least the part of the rekeying process by:
	providing, to the client device, an IKE control message using the first encryption key indicating that the second encryption key is generated, and


24.	(Previously Presented) The apparatus of claim 23, wherein the processor is further configured to perform: 
	receiving, from the client device, a response message indicating that the client device generated the second encryption key for the IPSec communication session; and
	in response to the response message, encrypting the traffic of the IPSec communication session using the second encryption key.


25.	(Currently Amended) The apparatus of claim 23, wherein the processor is further configured to perform:
	continuing the IPsec communication session using the second encryption key based on receiving, from the client device, a response message indicating that the second encryption key is generated for the IPSec communication session, 
	wherein the response message is hashed to the 

26.	(Previously Presented) The apparatus of claim 21, wherein the IPSec communication session is one of an IKE session or an encapsulating security payload (ESP) session.

27.	(Previously Presented) The apparatus of claim 21, wherein the processor is further configured to perform:
	prior to completing the rekeying process, removing the IPSec communication session that is locally installed on the apparatus. 

28. – 30.   (Canceled).


	initiating a rekeying process for an Internet Protocol Security (IPSec) communication session established with a client device and serviced by an IKE node from among a plurality of IKE nodes, and in which a first encryption key is used to encrypt traffic, wherein the processor and the IKE node both participate in the IPsec communication session on behalf of the client device; 
	obtaining, from a key value store, information about the IPSec communication session; and 
	performing a part of the rekeying process in which the first encryption key is replaced with a second encryption key for the IPSec communication session and another part of the rekeying process is handled by the IKE node.

32.	(New) The one or more non-transitory computer readable storage media according to claim 31, wherein the processor obtains, from the key value store, the information about the IPSec communication session by:
	retrieving, from the key value store, the first encryption key, 
	locally installing the IPSec communication session based on the information about the IPSec communication session, and
	publishing, to the key value store, an event message indicating that the IPSec communication session is installed locally so that the IPSec communication session is removed from the IKE node.

33.	(New) The one or more non-transitory computer readable storage media according to claim 32, wherein the processor performs the part of the rekeying process in which the first encryption key is replaced with the second encryption key for the IPSec communication session by:
	providing, to the client device, an IKE control message using the first encryption key indicating that the second encryption key is generated, and


34.	(New) The one or more non-transitory computer readable storage media according to claim 33, wherein the processor is further configured to perform additional operations comprising: 
	receiving, from the client device, a response message indicating that the client device generated the second encryption key for the IPSec communication session; and
	in response to the response message, encrypting the traffic of the IPSec communication session using the second encryption key.

35.	(New) The one or more non-transitory computer readable storage media according to claim 33, wherein the processor is further configured to perform additional operations comprising:
	continuing the IPsec communication session using the second encryption key based on receiving, from the client device, a response message indicating that the second encryption key is generated for the IPSec communication session, 
	wherein the response message is hashed to the IKE node.

36.	(New) The one or more non-transitory computer readable storage media according to claim 31, wherein the IPSec communication session is one of an IKE session or an encapsulating security payload (ESP) session.  
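The rekeying handoff recited in claims 1-7 (and restated for the apparatus and storage media in claims 21-36), written out as an added Python simulation. This is not part of the office action, the applicant's disclosure or the cited art; it is an editor's illustration of the claimed sequence: the first IKE node obtains the session from a shared key value store, installs it locally and publishes an event on which the second IKE node removes its own copy, then sends the client an IKE control message protected by the first key announcing the second key, and switches traffic to the second key once the client's response authenticates under it. Everything below the claim language is an assumption: the in-memory `KeyValueStore`, `IkeNode` and `Client` classes, the node and session names, the HMAC-SHA256 tag standing in for "encrypt traffic using the key", and the HMAC-based derivation of the second key from the first key and a nonce (real IKEv2 rekeying derives new keys from a fresh Diffie-Hellman exchange and negotiates a new SA; none of that is modelled).

```python
import hashlib
import hmac
import secrets

def tag(key, payload):
    """Authentication tag standing in for 'traffic protected with key' (constructed)."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def derive_second_key(first_key, nonce):
    """Constructed derivation both sides can compute; real IKEv2 uses a fresh DH exchange."""
    return hmac.new(first_key, b"rekey" + nonce, hashlib.sha256).digest()

class KeyValueStore:
    """In-memory stand-in for the key value store shared by the IKE nodes."""
    def __init__(self):
        self.sessions = {}      # session_id -> session information
        self.events = []        # published event messages, in order
        self.subscribers = []   # node callbacks invoked on publish

    def put_session(self, session_id, info):
        self.sessions[session_id] = dict(info)

    def get_session(self, session_id):
        return dict(self.sessions[session_id])

    def publish(self, event):
        self.events.append(event)
        for callback in self.subscribers:
            callback(event)

class Client:
    """Client device; accepts a rekey notice only when it authenticates under the first key."""
    def __init__(self, session_id, first_key):
        self.session_id = session_id
        self.key = first_key

    def handle_control(self, msg):
        if not hmac.compare_digest(tag(self.key, msg["nonce"]), msg["tag"]):
            raise ValueError("rekey control message failed authentication")
        self.key = derive_second_key(self.key, msg["nonce"])
        body = b"rekey-ok:" + self.session_id.encode()
        # Response tagged under the second key: evidence that the client generated it.
        return {"session": self.session_id, "body": body, "tag": tag(self.key, body)}

class IkeNode:
    """One of the plurality of IKE nodes; durable session state lives in the store."""
    def __init__(self, name, store):
        self.name = name
        self.store = store
        self.local_sessions = {}
        store.subscribers.append(self.on_event)

    def install(self, session_id, key):
        self.local_sessions[session_id] = {"key": key}
        self.store.put_session(session_id, {"key": key, "owner": self.name})
        self.store.publish({"type": "installed", "session": session_id, "node": self.name})

    def on_event(self, event):
        # The other node's part of the rekey: drop its copy once the session is
        # installed elsewhere, so exactly one node services it afterwards.
        if event["type"] == "installed" and event["node"] != self.name:
            self.local_sessions.pop(event["session"], None)

    def rekey(self, session_id, client):
        first_key = self.store.get_session(session_id)["key"]   # info from the store
        self.install(session_id, first_key)          # install locally, publish the event
        nonce = secrets.token_bytes(16)
        second_key = derive_second_key(first_key, nonce)
        control = {"session": session_id, "nonce": nonce, "tag": tag(first_key, nonce)}
        response = client.handle_control(control)    # control message under the first key
        if not hmac.compare_digest(tag(second_key, response["body"]), response["tag"]):
            raise ValueError("client response not authenticated under the second key")
        self.local_sessions[session_id]["key"] = second_key   # traffic now uses key2
        self.store.put_session(session_id, {"key": second_key, "owner": self.name})
        return second_key

def run_rekey_handoff():
    """Session first served by ike-b; ike-a initiates and completes the rekey."""
    store = KeyValueStore()
    node_b, node_a = IkeNode("ike-b", store), IkeNode("ike-a", store)
    first_key = secrets.token_bytes(32)
    client = Client("sess-1", first_key)
    node_b.install("sess-1", first_key)
    second_key = node_a.rekey("sess-1", client)
    return {"first_key": first_key, "second_key": second_key, "client_key": client.key,
            "node_a_key": node_a.local_sessions["sess-1"]["key"],
            "node_b_has_session": "sess-1" in node_b.local_sessions,
            "event_nodes": [e["node"] for e in store.events]}

def tampered_control_rejected():
    """A rekey notice not tagged under the first key must be refused by the client."""
    client = Client("sess-x", secrets.token_bytes(32))
    try:
        client.handle_control({"session": "sess-x", "nonce": bytes(16), "tag": bytes(32)})
    except ValueError:
        return True
    return False
```

After `run_rekey_handoff()` the client and the first node hold the same second key, the second node no longer has the session, and the store's event log shows the install on ike-b followed by the install on ike-a. The two `compare_digest` checks are the security-relevant part of the simulation: the client only accepts a rekey announced under the key it already trusts, and the initiating node only switches traffic once the client proves possession of the new key, which is the ordering the claims describe.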

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: Applicant’s remarks filed 12/27/2021 are persuasive.  The cited references Hashmi, US 11,025,483, and Kaufman “Internet Key Exchange Protocol Version 2” do not disclose the claimed: 
Specifically, in Hashmi the rekeying is done entirely by one of the VPN endpoint virtual machines.  An updated search was performed, see PTO-892 and the references noted below.  The closest art with respect to the amended feature is McAlister, US 2012/0096269, in which a plurality of IKE nodes are resident on an elastic gateway.  However, McAlister assigns a rekeying process to a single vKEY instance and all subsequent requests are sent to the assigned vKEY instance.  As such, although structurally similar, there is no IKE node other than the first IKE node to handle another part of the rekeying process.
None of the art of record anticipates or reasonably renders obvious the combination of features set forth in independent claims 1 and 21.  Thus, claims 1-10 and 21-30 are ALLOWED.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:

Vajaranta et al., “IPsec and IKE as Functions in SDN Controlled Network”, discloses an IKE orchestrator and IKE function that is separated from other IPSEC processing.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197.

/MICHAEL W CHAO/Examiner, Art Unit 2492