DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 have been examined.
Priority
Applicant's claim of priority to provisional U.S. Patent Application Serial No. 62/937,594, filed on November 19, 2019, is acknowledged.

Information Disclosure Statement
The IDSs received on 12/09/2020, 09/23/2021, 12/22/2021 and 03/10/2022 have been entered and the references cited within have been carefully considered.

Drawings
The drawings filed on 05/11/2020 are accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Claims 1-3, 5-7, 8-10, 12-14, 15-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Beukema et al. (US Patent No.:6,978,300) in view of Makhervaks et al. (US Pub. No.:2016/0072871 A1). 
Regarding claim 1, Beukema discloses a system [Fig. 1, col. 23-31] for providing RDMA (remote direct memory access) read requests as a restricted feature in a high-performance computing environment [Fig. 1, col. 7, lines 63-67 and col. 8, lines 1-29], comprising: one or more microprocessors [col. 4, lines 36-50, col. 5, lines 17-21]; and a first subnet, the first subnet comprising a plurality of switches (The SAN 100 in FIG. 1 includes switch 112, switch 114, switch 146, and router 117. A switch is a device that connects multiple links together and allows routing of packets from one link to another link within a subnet using a small header Destination Local Identifier (DLID) field. A router is a device that connects multiple subnets together and is capable of routing frames from one link in a first subnet to another link in a second subnet using a large header Destination Globally Unique Identifier (DGUID) [col. 4, lines 11-20]); a plurality of host channel adapters, wherein each of the host channel adapters comprises at least one host channel adapter port, and wherein the plurality of host channel adapters are interconnected via the plurality of switches (In SAN 100 as illustrated in FIG. 1, host processor node 102, host processor node 104, and I/O chassis 108 include at least one channel adapter (CA) to interface to SAN 100. In one embodiment, each channel adapter is an endpoint that implements the channel adapter interface in sufficient detail to source or sink packets transmitted on SAN fabric 100. Host processor node 102 contains channel adapters in the form of host channel adapter 118 and host channel adapter 120. Host processor node 104 contains host channel adapter 122 and host channel adapter 124. Host processor node 102 also includes central processing units 126-130 and a memory 132 interconnected by bus system 134. Host processor node 104 similarly includes central processing units 136-140 and a memory 142 interconnected by a bus system 144. Host channel adapters 118 and 120 provide a connection to switch 112 while host channel adapters 122 and 124 provide a connection to switches 112 and 114 [col. 4, lines 36-53]).
Although Beukema discloses everything as applied above, Beukema does not explicitly disclose a plurality of end nodes, including a plurality of virtual machines; wherein a host channel adapter is associated with a selective RDMA restriction; and wherein a virtual machine of the plurality of virtual machines is hosted at the host channel adapter that comprises a selective RDMA restriction. However, these concepts are well known in the art as taught by Makhervaks.
In the same field of endeavor, Makhervaks discloses a plurality of end nodes [Fig. 2, compute nodes 220a-220d], including a plurality of virtual machines (Middleware machine system 220 includes a plurality of compute nodes of which four are shown 220a, 220b, 220c, and 220d. A typical system will include a large number of similar compute nodes. The compute nodes host applications (not shown) running in virtual machines. Each of the virtual machines can be assigned to a particular tenant in a multitenant environment. There can be a plurality of virtual machines (and applications) running on each compute node. Eight virtual machines are shown VM 221a, VM 222a, VM 221b, VM 222b, VM 221c, VM 222c, VM 221d, and VM 222d. A typical system will include a large number of similar virtual machines running on each compute node and on many additional compute nodes. Each virtual machine is associated with an identifier VMID 223a, VMID 224a, VMID 223b, VMID 224b, VMID 223c, VMID 224c, VMID 223d, and VMID 224d, by the hardware of the compute node hosting the virtual machine under control of the subnet manager 214. The VMs on compute nodes 220a, 220b, 220c, 220d can communicate with the plurality of database nodes 260 over the storage access partition 202 using a connection based reliable protocol. In a preferred embodiment the VMs on compute nodes 220a, 220b, 220c, and 220d can communicate with the plurality of database nodes 260 over InfiniBand fabric 206 [Para. 0044]); wherein a host channel adapter is associated with a selective RDMA restriction (Database node 360 hosts one or more database processes in an application layer 370. The database processes can include for example one or more OCI server application 372 which uses the Oracle® Call Interface to communicate with the compute nodes. Application layer 370 can also host a plurality of database process instances (three shown) PDB 374a, 374b, 374c. The OCI server application can send and receive data using remote direct memory access (RDMA) via direct access stack 376 and HCA 366 using Single Root I/O Virtualization (SR-IOV) technology. Data can be sent directly to and from memory associated with particular virtual machines of the application layer. An Open Fabric Enterprise Distribution (OFED) stack 377 provides for connection control for the RDMA switched fabric (in this case the InfiniBand fabric 206). In embodiments of the present invention, access control can be implemented in various components of the database nodes including for example, OFED stack 377, HCA 366 and OS stack 378 based on access control lists [Para. 0052]); and wherein a virtual machine of the plurality of virtual machines is hosted at the host channel adapter that comprises a selective RDMA restriction (Thus, where the VM networking stack is untrusted, there is no trusted software intermediary to intercept and filter networking traffic. Thus, in order to fully utilize SR-IOV technology while providing access control, a secure VM Identifier (VMID) is made visible on the network and access control is mediated by the external entity or Service Provider (Database) as described herein. As shown in FIG. 3, database node 360 includes a host channel adapter (HCA) 366, a CPU 368 which can include one or more microprocessors each having one or more cores, and memory-RAM 369 which can comprise four or more gigabytes of memory. Database node 360 hosts one or more database processes in an application layer 370. The database processes can include for example one or more OCI server application 372 which uses the Oracle® Call Interface to communicate with the compute nodes. Application layer 370 can also host a plurality of database process instances (three shown) PDB 374a, 374b, 374c. The OCI server application can send and receive data using remote direct memory access (RDMA) via direct access stack 376 and HCA 366 using Single Root I/O Virtualization (SR-IOV) technology. Data can be sent directly to and from memory associated with particular virtual machines of the application layer. An Open Fabric Enterprise Distribution (OFED) stack 377 provides for connection control for the RDMA switched fabric (in this case the InfiniBand fabric 206). In embodiments of the present invention, access control can be implemented in various components of the database nodes including for example, OFED stack 377, HCA 366 and OS stack 378 based on access control lists [Para. 0052]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include Makhervaks' method in Beukema's invention. One of ordinary skill in the art would have been motivated to provide secure access to one or more service provider instances running on said one or more service provider nodes, for one or more virtual machines (VMs) on said one or more service consumer nodes [Makhervaks, Para. 0015].

Regarding claim 2, Beukema/Makhervaks disclose everything as discussed above.
Although Beukema discloses everything as applied above, Beukema does not explicitly disclose wherein the selective RDMA restriction comprises a trusted end node restriction. However, these concepts are well known in the art as taught by Makhervaks.
In the same field of endeavor, Makhervaks discloses wherein the selective RDMA restriction comprises a trusted end node restriction (As shown in FIG. 1, the multi-tenant environment 100 can rely on the database node 102 for performing firewall functions and for providing secure communication between the virtual machines 111 and 112 on the compute node 101 and the database instance 113 on database node 102. The database node 102, which is considered as a trusted security domain, tends to be securer than the virtual machines on compute node 101. Additionally, the multi-tenant environment 100 can isolate the storage cells 103 from the virtual machines on compute node 101, i.e. the storage cells 103 may only be accessible by the database nodes 102 and are not accessible by the virtual machines on compute node 101 [Para. 0032]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include Makhervaks' method in Beukema's invention. One of ordinary skill in the art would have been motivated to enable direct connection of database servers and application servers via an InfiniBand network providing firewall functionality without requiring a separate intermediary firewall appliance or security node [Makhervaks, Para. 0013].

Regarding claim 3, Beukema/Makhervaks disclose everything as discussed above.
Although Beukema discloses everything as applied above, Beukema does not explicitly disclose wherein the trusted end node restriction restricts issuance of RDMA read requests to those nodes that are flagged as trusted within the selective RDMA restriction. However, these concepts are well known in the art as taught by Makhervaks.
In the same field of endeavor, Makhervaks discloses wherein the trusted end node restriction restricts issuance of RDMA read requests to those nodes that are flagged as trusted within the selective RDMA restriction [Para. 0056].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include Makhervaks' method in Beukema's invention. One of ordinary skill in the art would have been motivated to enable direct connection of database servers and application servers via an InfiniBand network providing firewall functionality without requiring a separate intermediary firewall appliance or security node [Makhervaks, Para. 0013].

Regarding claim 5, Beukema/Makhervaks disclose everything as discussed above, and Beukema further discloses wherein the selective RDMA restriction comprises an ingress bandwidth restriction [col. 4, lines 1-11].

Regarding claim 6, Beukema/Makhervaks disclose everything as discussed above, and Beukema further discloses wherein upon receiving a response to a RDMA read request issued from the virtual machine of the plurality of virtual machines (With reference now to FIG. 3, a diagram of a host channel adapter is depicted in accordance with a preferred embodiment of the present invention. Host channel adapter 300 shown in FIG. 3 includes a set of queue pairs (QPs) 302-310, which are used to transfer messages to the host channel adapter ports 312-316. Buffering of data to host channel adapter ports 312-316 is channeled through virtual lanes (VL) 318-334 where each VL has its own flow control. Subnet manager configures channel adapters with the local addresses for each physical port, i.e., the port's LID. Subnet manager agent (SMA) 336 is the entity that communicates with the subnet manager for the purpose of configuring the channel adapter. Memory translation and protection (MTP) 338 is a mechanism that translates virtual addresses to physical addresses and validates access rights. Direct memory access (DMA) 340 provides for direct memory access operations using memory 340 with respect to queue pairs 302-310 [col. 6, lines 46-63]), the response is restricted by the ingress bandwidth restriction of the selective RDMA restriction (SAN 100 handles data communications for I/O and inter-processor communications. SAN 100 supports high bandwidth and scalability required for I/O and also supports the extremely low latency and low CPU overhead required for inter-processor communications. User clients can bypass the operating system kernel process and directly access network communication hardware, such as host channel adapters, which enable efficient message passing protocols. SAN 100 is suited to current computing models and is a building block for new forms of I/O and computer cluster communication. Further, SAN 100 in FIG. 1 allows I/O adapter nodes to communicate among themselves or communicate with any or all of the processor

Regarding claim 7, Beukema/Makhervaks disclose everything as discussed above, and Beukema further discloses wherein the first subnet further comprises a subnet manager (The message in FIG. 9 is assumed to be transmitted with a reliable transport service. Switches (and routers) that relay the request and acknowledgement data packets do not generate any data packets themselves. Rather, only the source and destination host channel adapters generate request data packets and acknowledgement data packets, respectively. Each device in a subnet, including channel adapters, must have a Management Agent function which has all of the capabilities required for it to communicate with a Subnet Manager. A subnet manager communicates over the subnet utilizing packets called Management Datagrams (MADs). There are numerous management services that a subnet manager and subnet administrator provide to allow it to discover, configure, and manage a subnet, much of which is beyond the scope of this invention. However, the following definitions will be helpful in understanding the following sections of this document: General Management Packets (GMPs) are MADs that allow management operations between a Subnet Manager and SAN devices and management operations between SAN devices themselves [col. 12, lines 37-58]. LIDs are addresses assigned to a port by the subnet manager, unique within the subnet, and used for directing packets within a subnet. There also is a Source Local  and wherein the subnet manager sets [col. 14, lines 41-45] the ingress bandwidth restriction of the selective RDMA restriction (SAN 100 contains the communications and management infrastructure supporting both I/O and inter-processor communications (IPC) within a distributed computer system. The SAN 100 shown in FIG. 1 includes a switched communications fabric 116, which allows many devices to concurrently transfer data with high bandwidth and low latency in a secure, remotely managed environment. End nodes can communicate over multiple ports and utilize multiple paths through the SAN fabric. The multiple ports and paths through the SAN shown in FIG. 1 can be employed for fault tolerance and increased bandwidth data transfers. The SAN 100 in FIG. 1 includes switch 112, switch 114, switch 146, and router 117. A switch is a device that connects multiple links together and allows routing of packets from one link to another link within a subnet using a small header Destination Local Identifier (DLID) field. A router is a device that connects multiple subnets together and is capable of routing frames from one link in a first subnet to another link in a second subnet using a large header Destination Globally Unique Identifier (DGUID) [col. 4, lines 11-20]).

Regarding claims 8-10 and 12-14, they are substantially the same as claims 1-3 and 5-7, except that claims 8-10 and 12-14 are in method claim format. Because the same 

Regarding claims 15-17 and 19-20, they are substantially the same as claims 1-3 and 5-7, except that claims 15-17 and 19-20 are in non-transitory computer readable storage media claim format. Because the same reasoning applies, claims 15-17 and 19-20 are rejected under the same reasoning as claims 1-3 and 5-7, where Beukema further discloses a non-transitory computer readable storage medium [Fig. 1, memory 132, 142, 170] having instructions thereon for providing RDMA (remote direct memory access) read requests as a restricted feature in a high-performance computing environment, which when read and executed [Fig. 1, CPUs 126, 128…130, 136, 138…140, 168] cause a computer to perform steps [Fig. 1, col. 7, lines 63-67 and col. 8, lines 1-29].

Allowable Subject Matter
Claims 4, 11 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (1) Faibish et al. (US Patent No.: US 9,336,166 B1) teaches a burst buffer appliance adapted for coupling between a computer system and a file system. The burst buffer appliance comprises a first memory, at least one additional .
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHARMESH J PATEL whose telephone number is (571) 272-2690. The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha D Banks-Harold can be reached on (571) 272-7905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



DHARMESH J. PATEL
Examiner
Art Unit 2465


/DHARMESH PATEL/
Examiner, Art Unit 2465

	
/MARSHA D BANKS HAROLD/Supervisory Patent Examiner, Art Unit 2465