PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/803,364
Filing Date: 3 Nov 2017
Appellant(s): Raman et al.



__________________
Mani Adeli (Reg. No. 39,585)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 12/29/2021.


(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 06/08/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”


(2) Response to Argument
	
	§ IV.A (Claims 1, 7, 17, and 19)
	On page 7 of the App. Br., Appellant states: 
“[t]he cited references do not disclose or suggest using the service tag to identify a service rule that identifies a set of at least two service containers to perform the specified set of at least two middlebox service operations on the data message.”

	Examiner responds that Raman in view of Cooper and Wagner, as cited in the Office Action mailed 6/08/2021, hereafter OA, pp. 9-12 and 14-20, discloses:
	“using the service tag (Flow ID/LSC ID, Cooper ¶¶ 29, 31, and 33) to identify a service rule (multiple operations identified by a table lookups using a Flow ID or LSC ID, Cooper ¶¶ 33 and 40. See Cooper Fig. 4 showing the Flow ID, LSC ID, and service mappings.) that identifies a set of at least two service 
	Examiner notes the OA, p. 13, which cites to Wagner as disclosing the structural configuration of the “containers”. Specifically, Wagner Co. 3, ll. 5-22.

	On page 7 of the App. Br., Appellant further states that there is “one SVM”, “one service tag”, and “one service rule”.  
Cooper discloses each of these elements as discussed by Appellant; however, the transitional phrase of the claim “comprising” is open ended and does not exclude a plurality of SVMs, service tags, or service rules from disclosing the claimed limitations, see MPEP 2111.03.I.  Thus, claim 1 as appealed does not require that any element of the claim is limited to only one of said element.  Thus, the claim does not require there be only “one SVM”, “one service tag”, and “one service rule”.

On page 7 of the App. Br., Appellant states: 
“The cited references do not even have an SVM with multiple service containers executing on the SVM to perform multiple services.”
	Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, pp. 9-13 and 14-20, discloses: “an SVM (SVM, Raman ¶ 52) with multiple service containers executing on the SVM (see the plurality of containers instantiated on a VM of Wagner) to perform multiple services” (multiple virtual appliances executing in a service chain, Cooper ¶¶ 40 and 47-48).

	On page 7 of the App. Br., Appellant states: 
“the cited references do not disclose an SVM that has a message processing module that uses the service tag to identify a service rule, and then passes the data message successively to the service containers specified by the identified service rule.”
Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, pp. 7-13 and 14-20, discloses: “an SVM that has a message processing module (SVM, Raman ¶ 52) that uses the service tag to identify a service rule, (flow table maps flow ID to LSC ID/LSC tag, Cooper ¶ 33, that specifies service rules in Cooper ¶ 40 and Figure 4) and then passes the data message successively to the service containers (see the plurality of containers instantiated on a VM of Wagner) specified by the identified service rule (“multiple operations are performed for each virtual appliance in a local service chain … as explicitly identified by an Flow ID/LSC ID in a LSC tag” Cooper ¶¶ 33 and 40, see also Cooper Figure 2)”

	On page 8 of the App. Br., Appellant states: 
“the cited references do not disclose or suggest using a set of header values extracted from a data message to identify the service tag from multiple service tags stored in a data store on the host computer.”
Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, pp. 7-13 and 14-20, discloses: “a set of header values extracted from a data message to identify the service tag (“In a block 206 flow classification of the packet is performed. This will usually involve inspecting applicable header fields in a packet  a packet flow that a received packet belongs to (if any).” Cooper ¶ 29) from multiple service tags stored in a data store on the host computer (“As further depicted in block 206, the flow ID is used as a lookup into a flow table 148, which is depicted as being part of virtual switch 109. In one embodiment, the flow table contains a column of flow ID's and a column of vNIC Rx port IDs such that given an input flow ID, the lookup will return a corresponding vNIC Rx port ID. Flow table 148 may also contain an LSC ID that may be used for an LSC tag” cooper ¶ 33. See Cooper Fig. 4 for the multiple LSC IDs or service tags).”

§ IV.A (Claim 8)
On page 8 of the App. Br., Appellant states: 
“the cited references do not disclose … retrieving the service tag from an identified security profile.”
Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, pp. 20-21, discloses the limitations of claim 8: As previously cited, Cooper discloses: “retrieving the service tag from an identified security profile” (“In a block 206 flow classification of the packet is performed. This will usually involve inspecting applicable header fields in a packet header or headers to identify a packet flow that a received packet belongs to (if any). As described in further detail below, in some embodiments packet flow information may be explicitly defined in a packet header field. Packet flow classification may also be performed using data in multiple fields, such as through use of well-known N-tuple packet classification techniques.” Cooper ¶ 29.  Where the packet flow matching is the “security profile” matching. “The result of (flow ID) for the packet.”  Cooper ¶ 31. The flow ID is used to lookup the LSC ID in Cooper ¶ 33)

§ IV.A (Claim 9)
On page 8 of the App. Br., Appellant states: 
“the cited references do not disclose … retrieving identity of the set of services from the identified security profile and generating the service tag based on the retrieved identity of the set of services.”
	Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, pp. 22-24, discloses the limitations of claim 9: “retrieving identity of the set of services from the identified security profile (“LSCs used on a per-flow implementation may be either preconfigured by SDN controller 114, or determined when a flow first appears. For example, in accordance with the OpenFlow protocol, packet flows and corresponding LSCs may be determined during run-time operations.” Cooper ¶ 50. The flow identifying the services to perform.) and generating the service tag based on the retrieved identity of the set of services” (“Each of Table1, Table2 and TableN include an LSC ID column, a Next Port column, and a Services column. In one embodiment, the table data for each of tables 148, Table1, Table2, and TableN is managed by SDN controller 114. Generally, the table data may be populated during initialization of the compute platform and/or during run-time operations.” Cooper ¶ 51. LSC ID determined during run-time, when the flow first appears per Cooper ¶ 50)


§ IV.A (Claims 14 and 23)
	On page 8, of the App. Br., Appellant states: 
“the cited references do not disclose or suggest that the data message is discarded in response to the middlebox service operations performed on the data message.”
	Examiner Responds that Raman, in view of Cooper and Wagner, as cited in the OA, p. 25, discloses the limitations of claims 14 and 23: “the data message is discarded in response to the middlebox service operations performed on the data message” (“When the process 800 identifies (at 810) an entry in the connection state data storage 125 that matches the received packet attribute set (e.g., identifies a hash value that matches the computed hash value), the process returns (at 815) to the port the action of the identified entry (e.g., the Allow or Deny).” Raman ¶ 80. Note Raman ¶ 47 “a “deny” to drop the packet”)
	
§ IV.A (Claims 20)
On page 8, of the App. Br., Appellant states: 
“the cited references do not disclose or suggest that the message processing module identifies a second set of at least two middlebox services to be performed on a second data message”.
	Examiner Responds that claim 20 repeats steps performed on the first data message for a second data message.  In other words, claim 20 a statement that the system operates on multiple data messages.


§ IV.C (Claims 1, 7, 17, and 19)
On pages 10-11, of the App. Br., Appellant states: 
“The Office Action inconsistently maps various limitations of the independent claims …. 
(1) maps the SVM to Raman … (2) maps associating the service tag to Cooper … (3) maps the service containers executing on the SVM to Wagner … (4) maps the SVM directing the set of service containers to cooper….
However, in other parts … the Office Action maps the service containers executing on the SVM to Cooper …”
Examiner responds that Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
In other words, it is the combination of Raman, in view of Cooper and Wagner that render the limitations of claims 1, 7, 17, and 19 obvious, so of course it is necessary to cite to each reference for its respective teachings, see OA pp. 7-13 (discussing claims 1 and 17) and OA pp. 14-20 (discussing claims 7 and 19).

	Examiner respectfully submits that the OA is clear as evidenced by Appellant’s discussion thereof in the App. Br. pp. 10-11.

§ IV.D.i (Claims 1, 7, 17, and 19)
On page 13, of the App. Br., Appellant states: 
“the Office Action must show that the cited references disclose or suggest one SVM that uses one service tag to identify one service rule that identifies two or more service containers to perform two or more middlebox service operations on a data message.” (Emphasis Appellants)
Cooper discloses each of these elements as discussed by Appellant; however, the transitional phrase of the claim “comprising” is open ended and does not exclude a plurality of SVMs, service tags, or service rules from disclosing the claimed limitations, see MPEP 2111.03.I.  Representative claim 1 as appealed does not require that any element of the claim is limited to only one of said element.   Thus, the claim does not require there be only “one SVM”, “one service tag”, or “one service rule”.

On pages 14 of the App. Br., Appellant states: 
“Cooper does not disclose a single component that identifies at least two service containers that perform at least two middlebox service operations”
	Examiner responds that Appellant’s argument does not reflect the appealed claims.  Representative claim 1 requires: 
“the message processing module (i) using the service tag to identify a service rule that identifies a set of at least two service containers to perform the specified set of at least two middlebox service operations on the data message.”
	Claim 1 requires that the message processing module (a component of the SVM) determine a service tag that identifies a service rule.  How or when the service rule identifies service containers is not specified or required by the claim.  In other words, the message processing module does not identify the set of at least two containers.
	As cited in the OA, pp, 7-20: “the message processing module (i) using the service tag (“in block 206, the flow ID is used as a lookup into a flow table 148, …. Flow table 148 may also contain an LSC ID that may be used for an LSC tag” Cooper ¶ 33. and Fig. 4) to identify a service rule that identifies a set of at least two (“multiple operations are performed for each virtual appliance in a local service chain associated with a given packet flow (or alternatively, as explicitly identified by an LSC ID in a LSC tag, packet header or wrapper).” Cooper ¶ 40) service containers (network service element containers of Cooper ¶ 21) to perform the specified set of at least two middlebox services” (“upon completion of the operations performed by a given virtual appliance, a determination is made to where the packet data is to be forwarded so it can be accessed by either the next virtual appliance in the LSC ….” Cooper ¶ 42 describing Fig. 2.).  In other words, Cooper discloses the argued features by determining a service 
Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 1, 7, 17, and 19.

	On page 14 of the App. Br., Appellant further states: 
“Cooper discloses that each virtual appliance uses their own local flow table to determine the next virtual appliance in the LSC”.
	As discussed above, the claim only requires that the service tag/service rule identify multiple service containers; See Cooper ¶¶ 40, 42 and Fig. 2 featuring step 212 “Lookup flow ID or LSC in local flow Table to identify [the next virtual appliance]”.  Step 212 being performed by the successive appliances on completion of their respective services.  Cooper discloses: 
“a service rule (identified by flow ID or LSC ID, see Cooper Fig. 4) that identifies a set of at least two service containers (first appliance, Cooper ¶ 52, next virtual appliances, Cooper ¶ 42).  Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 1, 7, 17, and 19.

On pages 14-15 of the App. Br., Appellant further states: 
“Cooper does not disclose one operation performed by one message processing module on one SVM that identifies more than one service container to perform more than one middlebox service operation on one data message.” (Emphasis Appellants’)
Examiner reiterates that the appealed claims to not require the argued features.  Specifically, claims 1, 7, 17, and 19 do not require that the message processing module identify service containers.  The message processing module identifies a service rule, how or when the service containers are determined from the service rule is unclaimed.  Should Appellant desire the claims to be interpreted in accordance with the above argument, the claims should be amended to feature limitations analogous to those argued.  See e.g. OA p. 5, ll. 11-15.

	On page 15 of the App. Br., Appellant further states: 
“a recitation of a list of service containers is not necessary to the claims, as they already recite that one SVM identifies one service rule, and that one service rule identifies at least two service containers…. No portion in any of Cooper discloses one component that identifies at least two service containers … by identifying one service rule specifying those at least two service containers.” (emphasis Appellants’)
	Examiner reiterates that the limitations of representative claim 1: 
“message processing module (i) using the service tag to identify a service rule that identifies a set of at least two service containers” 
does not require that the message processing module identify a set of at least two containers.  Rather, claim 1 requires that a “service rule that identifies a set of at least two service containers”.  When and how that service rule is used to identify said containers is not stated or required by the claim.  This argument is directed to In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

§ IV.D.ii (Claims 1, 7, 17, and 19)
On pages 15-16 of the App. Br., Appellant states: 
“The Office Action does not identify any reference that has multiple service containers executing on one SVM, as recited in all of the independent claims.”
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner.  Specifically, that Raman discloses an SVM, Cooper discloses multiple services/containers performing operations on a packet, and Wagner discloses that multiple containers may be instantiated within a single virtual machine. Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
On pages 15-16 of the App. Br., Appellant states: 
“the Office Action does not identify any reference as disclosing supplying the data message along with the service tag to a message processing module (executing on the claimed multi-container SVM), which then uses the service tag to identify a service rule that specifies multiple service containers for processing the data message.”
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner.  Specifically, that Raman discloses supplying In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
On page 16 of the App. Br., Appellant states: 
“the firewall SVM 135 disclosed in Raman is only described as performing a firewall check for a packet when called upon by the firewall engine 115.  There is no portion of Raman that describes a message processing module executing on an SVM, …. There is also no portion in any of Raman that discloses the SVM performing multiple middlebox service operations…. Raman discloses an SVM that performs a firewall check but fails to disclose multiple service containers that execute on the SVM and that perform multiple middlebox service operations…. Neither Wagner nor Raman discloses or suggests multiple service containers executing on a single SVM that perform multiple middlebox service operations.” (Emphasis Appellants’).
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner.  Specifically, that Raman discloses an SVM, Cooper discloses multiple services/containers performing operations on a packet, and Wagner discloses that multiple containers may be instantiated within a single virtual machine.  Appellant’s arguments against the references individually, one cannot show In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
On page 18 of the App. Br., Appellant states: 
“Cooper does not disclose a single SVM that hosts multiple service containers that perform multiple services for one data message.”
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner.  Specifically, that Raman discloses an SVM, Cooper discloses multiple services/containers performing operations on a packet, and Wagner discloses that multiple containers may be instantiated within a single virtual machine. Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
On page 19 of the App. Br., Appellant states: 
“Wagner does not disclose service containers in any context, or multiple service containers that execute on a single SVM.”
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner.  Specifically, that Raman discloses an SVM, Cooper discloses multiple services/containers performing operations on a packet, and Wagner discloses that multiple containers may be instantiated within a virtual machine. Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

§ IV.D.iii (Claims 1, 7, 17, and 19)
	On page 19 of the App. Br., Appellant states: 
“Cooper does not disclose a message processing module executing on an SVM that is able to successively pass a data message to each of the at least two service containers identified by the service rule.”
Examiner responds by referencing OA, pp. 7-20 discussing the combination of Raman in view of Cooper and Wagner, and that Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Specifically, Raman was cited as disclosing the SVM.
On pages 18-19 of the App. Br., Appellant states: 
“claims 1 and 17 …. Cooper is unable to show one component that identifies (1) the multiple service containers that perform the multiple middlebox service operations and then (2) successively passes the data message to the multiple service containers.”
	Examiner responds by noting that (1) was addressed above in § IV.D.i by noting that the claims do not state or require “one component that identifies multiple service containers”.  This is unclaimed subject matter, although the claims are interpreted in In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
	In response to (2), Examiner references OA pp. 10-12, which cites Cooper ¶¶ 40, 42, 52 and Fig. 1.
	(“From the flow ID the ingress port of the VM hosting the first virtual appliance in the service chain can be determined.” Cooper ¶ 52. The Rx is the port of the appliance. See also Cooper Fig. 4)
(“upon completion of the operations performed by a given virtual appliance, a determination is made to where the packet data is to be forwarded so it can be accessed by either the next virtual appliance in the LSC, the local flow table points to the vNIC Rx port (or Rx FIFO queue) for the VM hosting the next virtual appliance in the LSC.” Cooper ¶ 42.)

    PNG
    media_image2.png
    1125
    809
    media_image2.png
    Greyscale



	As can be seen in Cooper ¶¶ 40, 42, 52 and Fig. 1.  The packet (IP 140) is passed successively through VM 1, VM 2 through to VM N.  This is accomplished vNIC Rx ports on the respective VMs which are implemented via Hypervisor 110, shared memory 134, and Virtual Switch 109.  Cooper necessarily discloses a message processing module that “(2) successively passes the data message to the multiple service containers.”  This is because the service containers (VM 1, VM 2, VM N) could not pass the data between themselves because each container is isolated, requiring higher level software constructs (e.g. the Rx ports, hypervisor, and Virtual Switch) illustrated in Cooper Fig. 1.  In other words, the message processing module comprises elements (e.g. the Rx ports, hypervisor, and Virtual Switch) that allow it to pass the packets between the respective service containers. 
	Appealed claim 1 does not describe how the successive passing is performed and Cooper discloses said features as mapped in the OA pp. 7-20. Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 1 and 17.
	
On page 19 of the App. Br., Appellant states: 
“claims 7 and 19 recite that the SVM directs a set of service containers to perform the set of services identified by the service tag on the data message…. Cooper merely discloses that each virtual appliance in the LSC performs its own operation to determine the next virtual appliance in the LSC.”

Examiner further notes that in claims 7 and 19 the containers are executing on the SVM.  Therefore, even under Appellant’s interpretation of “Cooper merely discloses that each virtual appliance in the LSC performs its own operation to determine the next virtual appliance”, the actions of the actions of the virtual appliances in Cooper may be attributed to the SVM as the virtual appliances are contained within the SVM in the combination of Raman in view of Cooper and Wagner. Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 7 and 19.

§ IV.D.iii (Claims 1, 7, 17, and 19)
On page 20 of the App. Br., Appellant states: 
“Cooper disclose inspecting header fields in a packet header to identify a packet flow to which the received packet belongs and associating the packet with a flow ID.  The header field values of packets in Cooper are to classify the packet to a packet flow.  They are not used to identify a service tag that specifies a set of services to perform on a data message.”


    PNG
    media_image3.png
    899
    874
    media_image3.png
    Greyscale

	Cooper Fig. 4, showing a flow ID referencing a service tag (LSC ID) which in turn references a plurality of services (VNIC ports and Services of Flow tables 148 and 150). 

	On pages 20-21 of the App. Br., Appellant states: 
“There is no portion of Cooper that discloses a data store storing multiple service tags from which a service tag is identified for a received data message.”
	Examiner responds by referencing OA pp. 10-11, specifically Cooper ¶¶ 31, 32, 40, 52, and Fig. 4, describe looking up a stored a service tag flow ID/LSC ID from among a plurality of flow ID/LSC IDs.  Particularly, Cooper Fig. 4 shows an illustration of flow ID/LSC ID stored by the system in tables.  Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 1, 7, 17, and 19.

Examiner respectfully submits that Raman in view of Cooper and Wagner, as cited in the OA, renders obvious the features of claims 1, 7, 17, and 19 argued above in §§ IV.A and IV.D, and that the grounds of rejection in the OA should be upheld.

§ IV.E.i (Claim 8)
	On page 22 of the App. Br., Appellant states: 
“Claim 8 recites that the service tag is retrieved from the identified security profile.  Cooper does not disclose that the LSC ID is retrieved from the flow ID.  Cooper discloses that the flow ID is used in a flow table 148 (which may also include an LSC ID column)…..  Cooper does not disclose the identification of a flow ID for the purpose of identifying an LSC ID.”

As cited in p. 20 of the OA: 
retrieving the service tag from the identified security profile before associating the service tag to the data message. (“the flow ID is used as a lookup into a flow table 148, which is depicted as being part of virtual switch 109. …Flow table 148 may also contain an LSC ID that may be used for an LSC tag” Cooper ¶ 33.  The service tag is the LSC ID, looked up with the flow ID.)
Recall that the OA on pp. 9 and 10 that:
(“an LSC ID in a LSC tag,” Cooper ¶ 40.”)
(“Next, in a block 207 a flow ID tag or LSC tag is attached to the packet data.” Cooper ¶ 39)
As can be seen throughout Cooper, packet classification is performed to obtain a flow ID (Cooper ¶ 31) where the flow ID “is used as a lookup into a flow table … [that] contain an LSC ID that may be used for an LSC tag or … otherwise associated with the packet …” (Cooper ¶ 33). “a flow ID tag or LSC tag is attached to the packet data” (Cooper ¶ 39, attaching the LSC tag determined in Cooper ¶ 33).  Thus, Cooper does disclose the identification of a flow ID (identifier of a security profile) for the purpose of identifying an LSC ID (a service tag).  Where the flow ID tables is shown in Cooper Fig. 4 item 148. Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claim 8.




§ IV.E.ii (Claim 9)
On page 23 of the App. Br., Appellant states: 
“like claim 8, claim 9 recites that the identity of the set of services is retrieved from the identified security profile, and Cooper does not disclose that the LSC ID is retrieved from the flow ID.”
Examiner responds by referencing the response in § IV.E.i.

On page 23 of the App. Br., Appellant states: 
“Nothing in these portions relates to retrieving the identity of a set of services from a security profile that was identified by comparing matching criteria of the security profile with a data message’s set of header attributes”
Examiner responds by noting OA pp. 22-24.  Specifically, Cooper discloses:
comparing a set of header attributes of the data message with a set of matching criteria for each of a plurality of security profiles; (“In a block 206 flow classification of the packet is performed. This will usually involve inspecting applicable header fields in a packet header or headers to identify a packet flow that a received packet belongs to (if any). As described in further detail below, in some embodiments packet flow information may be explicitly defined in a packet header field. Packet flow 
identifying a security profile that has a set of matching criteria that matches the data message's set of header attributes; (“The result of flow classification returns a flow identifier (flow ID) for the packet.”  Cooper ¶ 31)
retrieving identity of the set of services from the identified security profile; and (“LSCs used on a per-flow implementation may be either preconfigured by SDN controller 114, or determined when a flow first appears. For example, in accordance with the OpenFlow protocol, packet flows and corresponding LSCs may be determined during run-time operations.” Cooper ¶ 50).

Cooper determines a flow ID from the packet header fields (Cooper ¶¶ 29 and 31) and the flow ID is then used to determine the LSC ID based on a table lookup (Cooper ¶ 50, note Cooper ¶ 33).  Thus, Cooper discloses: “retrieving the identity of a set of services (LSC ID) from a security profile (flow table 148 depicted in Figures 1 and 4) that was identified by comparing matching criteria of the security profile with a data message’s set of header attributes (matching the header to obtain a flow ID in Cooper ¶¶ 29 and 31).” Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claim 9.

On page 23 of the App. Br., Appellant states: 
“Cooper does not disclose generating the service tag based on the retrieved identity of the set of services…. Cooper’s LSC ID is not used to generate a service tag.”
Examiner responds by noting OA pp. 10 and 23.  Specifically, Cooper discloses:
(Cited in claim 1, OA p. 10, for the service tag: “Flow table 148 may also contain an LSC ID that may be used for an LSC tag” Cooper ¶ 33.
“Next, in a block 207 a flow ID tag or LSC tag is attached to the packet data.” Cooper ¶ 39)
generating the service tag based on the retrieved identity of the set of service operations. (“Each of Table1, Table2 and TableN include an LSC ID column, a Next Port column, and a Services column. In one embodiment, the table data for each of tables 148, Table1, Table2, and TableN is managed by SDN controller 114. Generally, the table data may be populated during initialization of the compute platform and/or during run-time operations.” Cooper ¶ 51.  LSC ID determined during run-time, when the flow first appears per Cooper ¶ 50).
	Cooper, as cited in pp. 10, and 23 of the OA, discloses a service tag (LSC tag, Cooper ¶ 33) that includes the LSC ID (Cooper ¶¶ 33 and 39) where the LSC ID is determined at run-time (Cooper ¶¶ 50 and 51).  Raman in view of Cooper and Wagner discloses the argued limitations of claim 9.

Examiner respectfully submits that Raman in view of Cooper and Wagner, as cited in the OA, renders obvious the features of claim 9 argued above in §§ IV.A and IV.E.ii, and that the grounds of rejection in the OA should be upheld.


§ IV.E.iii (Claims 14 and 23)
On page 24 of the App. Br., Appellant states: 
“the cited portion of Raman relates to operations performed by the firewall engine 115 and not the firewall SVM 135…. No portion of Raman discloses the firewall engine 115 performing any middlebox services, and the cited action is not in response to middlebox services being performed by the firewall SVM 135.  Additionally, even when the firewall SVM 135 performs a firewall check, it performs a single operation for a packet (i.e., the firewall check).  There is no portion in any of Raman that discloses a single SVM that performs at least two middlebox service operations on a data message, resulting in discarding of the data message.” (Emphasis Examiner’s).
	Examiner responds by referencing OA, pp. 7, 10, 11 and 25 discussing the combination of Raman in view of Cooper and Wagner.  Representative claim 14 requires:
	“wherein the data message is discarded in response to the middlebox service operations performed on the data message.”
	Claim 14 requires: (1) that the message is discarded and (2) that the middlebox service operations somehow influence the discarding.  There is no requirement that the SVM discards the message.
	As Appellant acknowledges, Raman utilizes a “the firewall SVM 135 performs a firewall check, it performs a single operation for a packet”.  See also Raman ¶¶ 2 and 52 discussing the “firewall SVM” and Raman ¶ 47 that defines a “deny” as dropping the packet.
 firewall services, packet-processing services, WAN Optimization, Virtual Private Network Gateway, Video Transcoding, Content Distribution Network services, etc.” Cooper ¶ 40. See also Cooper ¶ 52 and Fig. 1)”.
Raman was not cited for performing multiple operations on a single packet, see OA p. 9, ll. 3-9. Appellant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
	Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claims 14 and 23.

Examiner respectfully submits that Raman in view of Cooper and Wagner, as cited in the OA, renders obvious the features of claims 14 and 23 argued above in §§ IV.A and IV.E.iii, and that the grounds of rejection in the OA should be upheld.

§ IV.E.iv (Claim 20)
On page 25 of the App. Br., Appellant reiterates the arguments directed to claims 1, 7, 17, and 19 and further states: 
“[Cooper does not disclose] one component that does this for first and second different data messages to identify first and second sets of service containers that perform first and second sets of middlebox service operations.”
	 Examiner responds by referencing OA, p. 26 where it is noted that:
(“firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs.” Raman ¶ 34, plural packets)
(“a given Appliance may be configured to perform different services for different packet flows.” Cooper ¶ 40.)
As noted in the above citations, the combination of Raman in view of Cooper and Wagner contemplates performing the method of representative claim 1 (claim 19 being similar in scope) on a plurality of packets (Raman ¶ 34 and Cooper ¶ 40).  Examiner reiterates the response presented in § IV.D.(i-iv) discussing Appellant’s arguments with respect to claims 1, 7, 17, and 19 and references OA p. 26 describing the combination of Raman in view of Cooper and Wagner operating on a plurality of packets. Thus, Raman in view of Cooper and Wagner discloses the argued limitations of claim 20.

Examiner respectfully submits that Raman in view of Cooper and Wagner, as cited in the OA, renders obvious the features of claim 20 argued above in §§ IV.A and IV.E.iv, and that the grounds of rejection in the OA should be upheld.




Respectfully submitted,
/MICHAEL W CHAO/Examiner, Art Unit 2492    
                                                                                                                                                                                                    Conferees:
/ERIC W SHEPPERD/Primary Examiner, Art Unit 2492                                                                                                                                                                                                        /SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492                                                                                                                                                                                                        {


Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.