DETAILED ACTION
This Office action is in response to a non-provisional utility patent application filed by Applicant on 9/25/2019.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-11, 13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar (U.S. Pat. App. Pub. 2009/0241170 A1) in view of Judge (U.S. Pat. 9,509,616 B1).
Regarding claims 1 and 9, Kumar discloses: a method comprising: identifying application types associated with applications executing on [virtual] nodes in a computing environment (identify the registered applications of currently executing processes to determine which of the registered applications are authorized to access particular resources. Kumar para. 0032.); for each application type of the application types, identifying a token associated with the application type (upon user authentication, a globally unique application identifier is assigned to each configured registered application and application profiles are downloaded by the security node. Kumar para. 0033.); providing at least one token of the tokens to each of the virtual nodes based on at least one application type of the application types executing on the virtual node (globally unique application identifier (AID) is assigned to each configured registered application. Kumar para. 0033.); [in a virtual node of the virtual nodes], identifying a communication from an application executing on the [virtual] node (security node acts as a security gateway that examines incoming packets from a sending node in the network. Kumar para. 0025. The security node manages packet flow between sending node and one or more resources on the network. Kumar para. 0039. Security node’s packet processor determines the application identifier inserted in each received packet. Kumar para. 0041.); generating a packet to support the communication, wherein the packet comprises a token associated with the application type for the application (program processor determines each currently executing process and inserts an application identifier into each packet. Kumar para. 0036.); communicating the packet via a [virtual] network interface associated with the virtual node (sending unit sends the packets destined for resources external to the sending node. Kumar para. 0037.); and in a firewall for the virtual nodes, determining a forwarding action for the packet based at least in part on the token (security node or gateway receives the packets and the processor scans the embedded application identifier in each packet to match with known identifiers and determines whether the user associated with the identifier is authorized to use the specific application. Kumar paras. 0042-0043. If authorized, the packet is forwarded to the resource. If not authorized, the packet is blocked. Kumar para. 0043.).
Kumar does not disclose: virtual nodes in a virtual network environment.
However, Judge does disclose: virtual nodes in a virtual network environment (managing network traffic in a virtualized environment implementing specific identifiers or tags (which can classify packets based on application type) to encapsulated packets for traffic management between virtualized nodes. Judge Fig. 2 and col. 3, ll. 21-46, col. 4, ll. 43-67, and col 20, ll. 15-41.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar with the tagging and encapsulation of data packets associated with application type for network communication in a virtual environment based upon the teachings of Judge. The motivation being to manage network traffic congestion across service providers which include virtualized hosts. Judge col. 2, l. 55 – col. 3, l. 20.
Regarding claims 2 and 10, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively, wherein the virtual nodes comprise virtual machines (the computer instances 220 may each comprise a virtual machine with its own operating system comprising a networking software stack and multiple such instances may be hosted on a given physical host 242 at a service provider network data center. Judge col. 6, ll. 47-63.).  
Regarding claims 3 and 11, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively, wherein the virtual nodes comprise containers (the computer instances 220 may each comprise a virtual machine, which comprise containers with their own operating system comprising a networking software stack and multiple such instances may be hosted on a given physical host 242 at a service provider network data center. Judge col. 6, ll. 47-63.).  
Regarding claims 5 and 13, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively, wherein the communication comprises a first packet, and wherein the packet encapsulates the first packet with the token (including the application identifier in the packet, which would be placed in header information. Kumar para. 0087. Packet encapsulation amounts to additional header field values, arranged in such a way that the routing components of the network combine the packet elements for communication. Judge col. 7, l. 53 – col. l.43.).
Regarding claims 8 and 16, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively, wherein the forwarding action for the packet comprises blocking the packet or permitting the packet (determination as to whether the user is authorized to use the specific application identified by the application identifier in the request and may block or prevent the packet flow associated with the non-authorization. Kumar para. 0043.).
Regarding claim 17, Kumar discloses an apparatus comprising: a storage system; program instructions stored on the storage system that, when executed by a processing system, direct the processing system to: obtain a token from a network management service, wherein the token corresponds to an application executing in a [virtual] node (globally unique application identifier (AID) is assigned to each configured registered application. Kumar para. 0033.); identify a communication from the application (security node acts as a security gateway that examines incoming packets from a sending node in the network. Kumar para. 0025. The security node manages packet flow between sending node and one or more resources on the network. Kumar para. 0039. Security node’s packet processor determines the application identifier inserted in each received packet. Kumar para. 0041.); generate a packet to support the communication, wherein the packet comprises the communication and the token (program processor determines each currently executing process and inserts an application identifier into each packet. Kumar para. 0036.); and communicate the packet via a [virtual] network interface associated with the [virtual] node (sending unit sends the packets destined for resources external to the sending node. Kumar para. 0037.).  
Kumar does not disclose: virtual nodes in a virtual network environment.
However, Judge does disclose: virtual nodes in a virtual network environment (managing network traffic in a virtualized environment implementing specific identifiers or tags (which can classify packets based on application type) to encapsulated packets for traffic management between virtualized nodes. Judge Fig. 2 and col. 3, ll. 21-46, col. 4, ll. 43-67, and col 20, ll. 15-41.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar with the tagging and encapsulation of data packets associated with application type for network communication in a virtual environment based upon the teachings of Judge. The motivation being to manage network traffic congestion across service providers which include virtualized hosts. Judge col. 2, l. 55 – col. 3, l. 20.
Regarding claim 18, Kumar in view of Judge discloses the limitations of claim 17, wherein the virtual node comprises a virtual machine or a container (the computer instances 220 may each comprise a virtual machine, which comprise containers with their own operating system comprising a networking software stack and multiple such instances may be hosted on a given physical host 242 at a service provider network data center. Judge col. 6, ll. 47-63.).  
Regarding claim 19, Kumar in view of Judge discloses the limitations of claim 17, wherein the communication from the application comprises a first packet (sending unit sends the packets with identifiers destined for resources external to the sending node. Kumar para. 0037.).  

Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar in view of Judge in view of Wallis (U.S. Pat. 9,542,546 B1).
Regarding claims 4 and 12, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively. Kumar in view of Judge does not disclose: further comprising: identifying an expiration of the tokens associated with the application types; in response to the expiration and for each application type of the application types, identifying a second token associated with the application type; and providing at least one token of the second tokens to each of the virtual nodes based on at least one application type of the application types executing on the virtual node.
However, Wallis does disclose: further comprising: identifying an expiration of the tokens associated with the application types (pre-determined length of time before the application token expires. Wallis col. 6, ll. 41-54. The server may require the application to re-send the application token after the pre-determined period of time elapses. Wallis col. 6, ll. 41-54.); in response to the expiration and for each application type of the application types, identifying a second token associated with the application type; and providing at least one token of the second tokens to each of the virtual nodes based on at least one application type of the application types executing on the virtual node (receiving the application token in every request from the application incorporated into the hosting system. Wallis col. 6, ll. 25-54. The application token is required to be updated after each pre-determined period of time. Wallis col. 6, ll. 25-54.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar with updating application tokens when it is determined that token expiry periods have elapsed based upon the teachings of Wallis. The motivation being to protect secure resources from queries originating from requestors without valid security tokens. Wallis col. 1, ll. 57-63. 
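The following is an added worked example, not code from the application or from Kumar, Judge or Wallis, illustrating the arrangement recited for claims 1 and 9 (one token per application type, a packet that encapsulates the node's first packet with the token, and a firewall forwarding action decided from the token) together with claims 4 and 12 (a second token issued once the first expires). The names TokenAuthority, encapsulate and firewall_action, the HMAC-based token format and the shared verification key are assumptions of this example.

```python
import hmac, hashlib, os

class TokenAuthority:
    """Hypothetical network management service: one token per application type,
    MACed with a key shared with the firewall so tokens can be verified offline."""

    def __init__(self, lifetime_s, key=None):
        self.key = key or os.urandom(32)     # constructed: shared with the firewall
        self.lifetime_s = lifetime_s
        self.current = {}                    # app_type -> (token, expires_at)

    def _mac(self, app_type, expires_at):
        msg = f"{app_type}|{expires_at}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def tokens_for(self, app_types, now):
        """Issue a token per application type; once expired, mint a second token (claims 4/12)."""
        issued = {}
        for app_type in app_types:
            token, expires_at = self.current.get(app_type, (None, 0))
            if now >= expires_at:
                expires_at = now + self.lifetime_s
                token = f"{app_type}|{expires_at}|{self._mac(app_type, expires_at)}"
                self.current[app_type] = (token, expires_at)
            issued[app_type] = token
        return issued

    def verify(self, token, now):
        """Return the application type the token vouches for, or None if forged or expired."""
        try:
            app_type, expires_at, mac = token.split("|")
            expires_at = int(expires_at)
        except ValueError:
            return None
        expected = self._mac(app_type, expires_at).encode()
        if not hmac.compare_digest(mac.encode(), expected) or now >= expires_at:
            return None
        return app_type


def encapsulate(first_packet, token):
    """Outer header = 2-byte token length + token, then the node's original packet (claims 5/13)."""
    tb = token.encode()
    return len(tb).to_bytes(2, "big") + tb + first_packet


def firewall_action(packet, authority, policy, now):
    """Forwarding decision taken from the outer-header token alone (claims 8/16)."""
    n = int.from_bytes(packet[:2], "big")
    app_type = authority.verify(packet[2:2 + n].decode("utf-8", "replace"), now)
    if app_type is None or not policy.get(app_type, False):
        return "BLOCK"
    return "PERMIT"
```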

Claims 6, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar in view of Judge in view of Jain (U.S. Pat. App. Pub. 2017/0064749 A1).
Regarding claims 6 and 14, Kumar in view of Judge discloses the limitations of claim 5 and claim 13, respectively. Kumar in view of Judge does not disclose: wherein the packet comprises a Generic Network Virtualization Encapsulation (GENEVE) packet or a Virtual Extensible Local Area Network Generic Protocol Extension (VXLAN GPE) packet.
However, Jain does disclose: wherein the packet comprises a Generic Network Virtualization Encapsulation (GENEVE) packet or a Virtual Extensible Local Area Network Generic Protocol Extension (VXLAN GPE) packet (routing of data packets in a GENEVE or VXLAN network tunnel based upon packet headers including application identifiers. Jain para. 0053 and 0067). 
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar with the packet comprising a GENEVE packet based upon the teachings of Jain. The motivation being to be able, in a secure tunnel, to insert flow-based metadata in the tunnel header. Jain para. 0067.
Regarding claim 20, Kumar in view of Judge discloses the limitations of claim 19. Kumar in view of Judge does not disclose: wherein the packet comprises a Generic Network Virtualization Encapsulation (GENEVE) packet or a Virtual Extensible Local Area Network Generic Protocol Extension (VXLAN GPE) packet.
However, Jain does disclose: wherein the packet comprises a Generic Network Virtualization Encapsulation (GENEVE) packet or a Virtual Extensible Local Area Network Generic Protocol Extension (VXLAN GPE) packet (routing of data packets in a GENEVE or VXLAN network tunnel based upon packet headers including application identifiers. Jain para. 0053 and 0067).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar with the packet comprising a GENEVE packet based upon the teachings of Jain. The motivation being to be able, in a secure tunnel, to insert flow-based metadata in the tunnel header. Jain para. 0067.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar in view of Judge in view of Krause (U.S. Pat. App. Pub. 2014/0032975 A1).
Regarding claims 7 and 15, Kumar in view of Judge discloses the limitations of claim 1 and claim 9, respectively. Kumar in view of Judge does not disclose: wherein the tokens comprise Secure Production Identity Framework for Everyone (SPIFFE) Verifiable Identity Documents (SVIDs).
However, Krause does disclose: wherein the tokens comprise Secure Production Identity Framework for Everyone (SPIFFE) Verifiable Identity Documents (SVIDs) (each data flow identifier may be associated with one or more fields contained in the Ethernet frame, such as the source MAC address, destination MAC address, Virtual LAN Identifier (VID), Service VLAN ID (SVID). Krause para. 0031. The flow identifier is an opaque handle, which may be encoding or created using information including the application identifier. Krause para. 0037.). 
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the verification and matching of packet traffic with known and trusted application instances by use of assigned application identifiers of Kumar such that an SVID is among the identifiers included in the communication header information, based upon the teachings of Krause. The motivation being to accommodate the specific configuration of the data flow lookup table depending on the particular implementation. Krause para. 0031.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Assarpour (U.S. Pat. App. Pub. 2014/0003434 A1), adding identifiers to packet headers in a virtualized network; Wilson (U.S. Pat. 9,491,098 B1), encapsulating data for transmission within a virtual environment; Yoshiuchi (U.S. Pat. App. Pub. 2005/0198197 A1), communications data packet including application type information; Shore (U.S. Pat. App. Pub. 2006/0098663 A1), communications data packet including application type information.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE M LITTLE whose telephone number is (571) 270-0408.  The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung (Jay) Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VANCE M LITTLE/Examiner, Art Unit 2493