DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Amendment filed on 1/7/2022.
In the instant Amendment, claims 1, 8 and 15 have been amended; claims 1, 8 and 15 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Final. 

Response to Arguments
The rejections of Claims 15-20 under 35 U.S.C. § 101 are withdrawn as the claims have been amended.
Applicants’ arguments with respect to Claims 1-20 under 35 U.S.C. 102/103 have been fully considered but are not persuasive.
Applicant Argues: “Applicant has followed the Examiner's suggestion during the interview to further amend the claims to recite the terminal device is "of a type that performs data interaction with a user plane function entity." Thus, amended claim 1 requires receiving a data packet of a terminal device of a type that performs data interaction with a user plane function entity, the data packet carrying a first token and a service identifier including an identifier of a server that provides the type of service identified by the service identifier; generating a second token based on first input information comprising an identifier of the terminal device and the service identifier including the server identifier; and sending the data packet in response to the first token being the same as the second token. See e.g., Figure 2 S22, S23 & specification ¶51. 
The Office Action alleges that Lee et al anticipates claim 1, relying on Lee ¶¶18, 50, 51 - and in particular on Lee's disclosure of deriving a network token from parameters including "a destination IP address ... and/or a quality of service class identifier (QCI)."However, Lee does not disclose that the destination IP address is for a server that provides a service identified by Lee's "quality of service class identifier (QCI)." Rather, Lee's QCI parameter defines a quality of packet communication provided by the LTE network. QCI for example takes into account constraints on priority, delay, user data rate and packet loss allowing the LTE network to transport particular types of network traffic such as voice, video, real time gaming, etc. See e.g., Mamman et al, "Quality of service class identifier (QCI) radio resource allocation algorithm for LTE downlink," January 25, 2019.
Lee's QCI thus does not inherently identify a service provided by a server, and Lee's "destination IP address" does not inherently identify a server that provides a service identified by QCI. Amended claim 1 is not anticipated by Lee for at least this reason. The similarly amended independent claims 8 & 15 are not anticipated for this same reason.”
Examiner’s Response:   In light of the amendments presented the examiner has revised the rejection of Lee.  The examiner respectfully notes that as amended Lee still anticipates Applicant’s claimed features; more specifically:  Lee teaches in [0048] - The aspects described herein generally relate to the derivation, provisioning, and use of uplink and downlink network tokens. The network tokens may be transported with packets in the user-plane. An uplink network token or a downlink network token may be embedded in, or otherwise included with, one or more packets and used for network policy enforcement and/or traffic steering (e.g., steering of one or more user-plane messages).  Thus Lee anticipates the feature of “receiving a data packet of a terminal device of a type that performs data interaction with a user plane function entity”.  Further Lee teaches in [0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0048] and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header and [0076] - In the aspects described herein, IP flows, data flows, or flows, need not be limited to bearers as presented in the exemplary illustration of FIG. 2. A client device may operate or run one or more applications. Each client application may be mapped to an application service operating or running on an application server. The application server can be associated with one or more application services. A flow may therefore be defined based on the application operating in the device and on the application server and [0077] - For example, a client device may use one service offered by one provider on a server. The server typically has one IP address. However, the service may host multiple applications on the server. The multiple applications may include, for example, a mapping application, an information search application, and a social networking application. The multiple applications therefore have the same destination IP address, so from the perspective of a gateway of a core network (e.g., a P-GW), the multiple applications can be considered as a single flow instead of multiple flows. Accordingly, a single flow can be mapped to multiple services and [0086]).  Thus, as constructed the destination IP address is still constructed to represent a service identifier as Lee states that “The application server can be associated with one or more application services. A flow may therefore be defined based on the application operating in the device and on the application server.  A flow may be defined as a path that packets take between the application running at the client device and the application service running at the application server.,” in [0076].  Further, as constructed, as each server typically has one IP address, see [0077], thus the destination IP address also represents the identifier of a server that provides that indicated type of service (i.e., A flow may be defined as a path that packets take between the application running at the client device and the application service running at the application server).   Therefore the examiner finds these arguments not persuasive.  
Applicant Argues: The Office Action concedes that Lee et al does not disclose dependent claim 4's limitation of "the second input information further comprises a random number, and the first input information further comprises the random number" or the random number limitations of dependent claim 5, but relies on Burch et al for the missing teachings. But in Burch et al, the late binding authenticator both generates and authenticates the LBT token including the random number the late binding authenticator generates. Burch et al does not disclose how first input information and second input information as claimed in claim 4 could both comprise the same random number. See e.g., ¶60 of the present specification describing the "salt".
Examiner’s Response:  The examiner respectfully disagrees.  The examiner noted Lee further discloses wherein the second input information further comprises [parameters], and the first input information further comprises the [parameters] ([0018] and [0050]-[0051]).  The examiner sought to combine Burch to teach, known concepts, of wherein the ... input information further comprises a random number (Burch, col. 5, lines 35-38 - In an embodiment, at 221, the late-binding authenticator creates the LBT to include: a random number, an identifier for the service, and a HMAC produced over the random number and the identifier and Claim 1).  Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  As Burch was combined to the second input [parameters] and the first input [parameters] of Lee to include wherein the ... input information further comprises a random number.  It is the combination of elements that discloses the aforementioned limitation.  Therefore the examiner finds this argument not persuasive. 







Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-3, 6-10, 13-17 and 20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Lee et al. (US 2016/0248682 A1).

Regarding Claim 1;
Lee discloses a data packet verification method (Abstract - A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful), comprising: 
receiving a data packet of a terminal device of a type that performs data interaction with a user plane function entity ([0048] and [0093] - FIG. 6 is an exemplary call flow 600 illustrating network token derivation, provisioning, and use in connection with one or more user-plane messages in accordance with aspects described herein and [0094] - I n the exemplary call flow of FIG. 6, the device 602 sends 618 a request to initiate an application service with the application server 616 via the P-GW 610. The request may be accompanied by or may include an application identifier (App ID). As will be understood by those of skill in the art, the request provided to the application server 616 from the device 602 is different from, and should not be confused with, any type of connection request to establish or reestablish a connection between the device and a network. In the former case, the device is requesting a service from the application server (the service may even be a connectionless service), while in the latter case, the device is requesting a connection to the network and [0095] - The implicit request for use of the downlink network token may be recognized by sending an initial packet from the device 702 to the application server 716 to the via the P-GW 710), wherein the data packet carries a first token and a service identifier, and the service identifier is used to indicate a type of a service to which the data packet belongs, ([0048] - The aspects described herein generally relate to the derivation, provisioning, and use of uplink and downlink network tokens. The network tokens may be transported with packets in the user-plane. An uplink network token or a downlink network token may be embedded in, or otherwise included with, one or more packets and used for network policy enforcement and/or traffic steering (e.g., steering of one or more user-plane messages) and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header), and the service identifier is used to indicate a type of a service to which the data packet belongs ([0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header)), wherein the service identifier including an identifier of a server that provides the indicated type of service ([0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0048] and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header and [0077] - For example, a client device may use one service offered by one provider on a server. The server typically has one IP address. However, the service may host multiple applications on the server. The multiple applications may include, for example, a mapping application, an information search application, and a social networking application. The multiple applications therefore have the same destination IP address, so from the perspective of a gateway of a core network (e.g., a P-GW), the multiple applications can be considered as a single flow instead of multiple flows. Accordingly, a single flow can be mapped to multiple services);
 obtaining first input information based on the data packet, and generating a second token based on the first input information ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0050]-[0051] - According to aspects described herein, a packet including a copy of a previously derived original network token may be received at a P-GW... The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet), wherein the first input information comprises an identifier of the terminal device and the service identifier  ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and; and 
sending the data packet in response to the first token being the same as the second token ([0051] - The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).



Regarding Claim 2;
Lee discloses the method to Claim 1.
	Lee wherein the service identifier comprises service type indication information and an identifier of a server ([0018]) wherein the identifier of the server is used to indicate the server that provides the service for the terminal device ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function), and the service type indication information is used to indicate the type of the service to which the data packet belongs ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function).






Regarding Claim 3;
Lee discloses the method to Claim 1.
Lee further discloses wherein before the receiving a data packet of a terminal device, the method further comprises: obtaining second input information, wherein the second input information comprises the identifier of the terminal device and the service identifier (([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function)); generating the first token based on the second input information ([0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services); and sending the first token to the terminal device and the server that provides the service for the terminal device ([0050] - However, the P-GW may not directly send the just-derived network token to the entity that requested the network token. Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header. A processing circuit, at the destination, prepares a response to the connection request (e.g., a connection response) and includes the network token in or with the packet that includes the connection response. The packet may be sent via the user-plane, to the source of the request for the network token and initiator of the connection request. Thereafter, when the source has additional packets to send to the destination, the source may include a copy of the network token in (or with) one or more of the additional packets.).

Regarding Claim 6;
Lee discloses the method to Claim 1.
Lee further discloses wherein the method further comprises: discarding the data packet in response to the first token is different from the second token ([0051] - The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).



Regarding Claim 7;
Lee discloses the method to Claim 3.
wherein after the generating the first token based on the second input information, the method further comprises: storing the first token ([0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services); and the generating a second token based on the first input information comprises: in response to the stored first token is the same as the first token carried in the data packet, generating the second token based on the first input information ([0051] - According to aspects described herein, a packet including a copy of a previously derived original network token may be received at a P-GW. The copy of the previously derived original network token may be an uplink network token or a downlink network token. The P-GW may verify the copy of the previously derived original network token. The verification process may include deriving a duplicate of the original network token. The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).


Regarding Claim(s) 8-10 and 13-14; claim(s) 8-10, 13, and 14 is/are directed to a/an apparatus associated with the method claimed in claim(s) 1-3, 6, and 7. Claim(s) 8-10, 13, and 14 is/are similar in scope to claim(s) 1-3, 6, and 7, and is/are therefore rejected under similar rationale.

Regarding Claim(s) 15-17 and 20; claim(s) 15-17 and 20 is/are directed to a/an medium associated with the method claimed in claim(s) 1-3, and 7. Claim(s) 15-17 and 20 is/are similar in scope to claim(s) 1-3, and 7, and is/are therefore rejected under similar rationale.











Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 4, 5, 11, 12, 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2016/0248682 A1) in view of Burch et al. (US 9,654,462 B2).

Regarding Claim 4
Lee discloses the method to Claim 3.
([0018] and [0050]-[0051]).
Lee fails to explicitly disclose:
wherein the second input information further comprises a random number, and the first input information further comprises the random number; or 
the second input information further comprises a third token, the first input information further comprises the third token, and the third token is generated by the terminal device; 
or the second input information further comprises a fourth token, the first input information further comprises the fourth token, and the fourth token is generated by the server; 
or the second input information further comprises the third token and the fourth token, and the first input information further comprises the third token and the fourth token; 
or the second input information further comprises the random number, the third token, and the fourth token, and the first input information further comprises the random number, the third token, and the fourth token; or 
the second input information further comprises the random number and the third token, and the first input information further comprises the random number and the third token; or 
the second input information further comprises the random number and the fourth token, and the first input information further comprises the random number and the fourth token.
However, in an analogous art, Burch teaches wherein the ... input information further comprises a random number (Burch, col. 5, lines 35-38 - In an embodiment, at 221, the late-binding authenticator creates the LBT to include: a random number, an identifier for the service, and a HMAC produced over the random number and the identifier and Claim 1).

One would have been motivated to combine the teachings of Burch to Lee to do so as it provides / allows passing credentials and secrets without comprising the security of those devices (Burch, col. 1, lines 26-30). 

Regarding Claim 5;
Lee and Burch disclose the method to Claim 4.
Burch further teaches wherein the method further comprises: 
obtaining the random number based on the identifier of the terminal device; or 
obtaining the random number based on the service identifier (Burch, col. 5, lines 35-38 - In an embodiment, at 221, the late-binding authenticator creates the LBT to include: a random number, an identifier for the service, and a HMAC produced over the random number and the identifier and Claim 1).

Regarding Claim(s) 11 and 12; claim(s) 11 and 12 is/are directed to a/an apparatus associated with the method claimed in claim(s) 4 and 5. Claim(s) 11 and 12 is/are similar in scope to claim(s) 4 and 5, and is/are therefore rejected under similar rationale.

Regarding Claim(s) 18 and 19; claim(s) 18 and 19 is/are directed to a/an medium associated with the method claimed in claim(s) 4 and 5. Claim(s) 18 and 19 is/are similar in scope to claim(s) 4 and 5, and is/are therefore rejected under similar rationale.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439