Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner’s Note
Examiner called Applicant and discussed amendments to claims 1 & 7 and to claim 13. Examiner proposed amending claims 1 & 7 by incorporating certain limitations from claims 2, 3 & 4, and amending claim 13 by incorporating the limitations of claim 14. The Applicant agreed to consider the proposal and subsequently emailed Examiner the proposed amendment as discussed during the interview, followed by short telephone discussions for further clarification. Please see the attached "Email from the Applicant" for details.
The case has now been placed in allowable condition.
EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via email from Letao Qin (Reg. No. 64,359) on 03/09/2022.
AMENDMENTS TO THE CLAIMS:
The following listing of claims will replace all prior versions and listings of claims in this application.
LISTING OF CLAIMS
1. (Currently Amended) An authentication method, wherein the authentication method is applied to a next hop resolution protocol (NHRP) network, the NHRP network comprises a first network device and a second network device, and the method comprises:
determining, by the first network device, a first digest based on a fixed part field and a mandatory part field, wherein the first NHRP registration request message comprises the fixed part field and the mandatory part field; 
encrypting, by the first network device, the first digest by using a first private key, to obtain the first digital signature, wherein the first private key is symmetric to the first public key;
sending, by the first network device, a first NHRP registration request message to the second network device, wherein the first NHRP registration request message is used to request the second network device to perform digital certificate authentication on the first network device, and the first NHRP registration request message comprises first public key infrastructure (PKI) certificate information; and

receiving, by the first network device, a second NHRP registration request message sent by the second network device, wherein the second NHRP registration request message is used to request the first network device to perform digital certificate authentication on the second network device, and the second NHRP registration request message comprises second PKI certificate information, wherein the second PKI certificate information comprises a second digital certificate, a second digital signature, and a second public key;
determining, by the first network device, a second digest based on a fixed part field and a mandatory part field that are carried in the second NHRP registration request message;
decrypting, by the first network device, the second digital signature based on the second public key, to obtain a third digest; and
determining, by the first network device, that the second digest is the same as the third digest, and determining that the second digital certificate comprised in the second PKI certificate information and the first PKI certificate information stored in the first network device belong to a same certificate chain.
2. (Currently Amended) The method according to claim 1, wherein the first PKI certificate information comprises a first digital certificate, a first digital signature, and a first public key, the first NHRP registration request message comprises a first authentication extension field and a first certificate extension field, the first authentication extension field comprises the first digital signature, the first certificate extension field comprises the first digital certificate and the first public key, and before the sending, by the first network device, a first NHRP registration request message to the second network device, the method further comprises:
receiving, by the first network device, a first NHRP registration reply message sent by the second network device, wherein the first NHRP registration reply message indicates that the digital certificate authentication performed by the second network device on the first network device succeeds;

3. (Currently Amended) The method according to claim 2, wherein the method further comprises:
sending, by the first network device, a second NHRP registration reply message to the second network device, wherein the second NHRP registration reply message indicates that the digital certificate authentication performed by the first network device on the second network device succeeds.
4. (Cancelled)

5. (Original) The method according to claim 4, wherein the second NHRP registration request message comprises a second authentication extension field and a second certificate extension field, the second authentication extension field comprises the second digital signature, and the second certificate extension field comprises the second digital certificate and the second public key.
6. (Original) The method according to claim 3, wherein the second NHRP registration request message and the first NHRP registration reply message are a same message.
7. (Currently Amended) A first network device, wherein the first network device is in a next hop resolution protocol (NHRP) network, the NHRP network further comprises a second network device, and the first network device comprises:
a processor, configured to:
determine a first digest based on a fixed part field and a mandatory part field, wherein the first NHRP registration request message comprises the fixed part field and the mandatory part field;
encrypt the first digest by using a first private key, to obtain the first digital signature, wherein the first private key is symmetric to the first public key;
generate a first NHRP registration request message, wherein the first NHRP registration request message is used to request the second network device to perform digital certificate authentication on the first network device, and the first NHRP registration request message comprises first public key infrastructure (PKI) certificate information;
a transmitter, configured to send the first NHRP registration request message to the second network device; and
a receiver, configured to receive a second NHRP registration request message sent by the second network device, wherein the second NHRP registration request message is used to request the first network device to perform digital certificate authentication on the second network device, and the second NHRP registration request message comprises second PKI certificate information, wherein the second PKI certificate information comprises a second digital certificate, a second digital signature, and a second public key;
wherein the processor is further configured to:
determine a second digest based on a fixed part field and a mandatory part field that are carried in the second NHRP registration request message;
decrypt the second digital signature based on the second public key, to obtain a third digest; and
determine that the second digest is the same as the third digest, and determine that the second digital certificate comprised in the second PKI certificate information and the first PKI certificate information stored in the first network device belong to a same certificate chain.
8. (Currently Amended) The first network device according to claim 7, wherein the first PKI certificate information comprises a first digital certificate, a first digital signature, and a first public key, the first NHRP registration request message comprises a first authentication extension field and a first certificate extension field, the first authentication extension field comprises the first digital signature, the first certificate extension field comprises the first digital certificate and the first public key, and the receiver is further configured to:
receive a first NHRP registration reply message sent by the second network device, wherein the first NHRP registration reply message indicates that the digital certificate authentication performed by the second network device on the first network device succeeds.

9. (Currently Amended) The first network device according to claim 8, wherein
the transmitter is further configured to send a second NHRP registration reply message to the second network device, wherein the second NHRP registration reply message indicates that the digital certificate authentication performed by the first network device on the second network device succeeds.
10. (Cancelled)

11. (Original) The first network device according to claim 10, wherein the second NHRP registration request message comprises a second authentication extension field and a second certificate extension field, the second authentication extension field comprises the second digital signature, and the second certificate extension field comprises the second digital certificate and the second public key.
12. (Original) The first network device according to claim 9, wherein the second NHRP registration request message and the first NHRP registration reply message are a same message.
13. (Currently Amended) A second network device, wherein the second network device is in a next hop resolution protocol (NHRP) network, the NHRP network further comprises a first network device, and the second network device comprises:
a receiver, configured to receive a first NHRP registration request message sent by the first network device, wherein the first NHRP registration request message is used to request the second network device to perform digital certificate authentication on the first network device, and the first NHRP registration request message comprises first public key infrastructure (PKI) certificate information;
a processor, configured to determine, based on the first PKI certificate information, that the digital certificate authentication performed on the first network device succeeds; and
a transmitter, configured to send a first NHRP registration reply message to the first network device, wherein the first NHRP registration reply message indicates that the digital certificate authentication performed by the second network device on the first network device succeeds;
wherein the first PKI certificate information comprises a first digital certificate, a first digital signature, and a first public key, the first NHRP registration request message comprises a first authentication extension field and a first certificate extension field, the first authentication extension field comprises the first digital signature, the first certificate extension field comprises the first digital certificate and the first public key, and when the processor is configured to determine, based on the first PKI certificate information, that the digital certificate authentication performed on the first network device succeeds, the processor is specifically configured to:
determine a first digest based on a fixed part field and a mandatory part field that are carried in the first NHRP registration request message;
decrypt the first digital signature based on the first public key, to obtain a second digest; and
determine that the first digest is the same as the second digest, and determine that the first digital certificate comprised in the first PKI certificate information and a second digital certificate stored in the second network device belong to a same certificate chain.
14. (Cancelled)

15. (Original) The second network device according to claim 13, wherein
the transmitter is further configured to send a second NHRP registration request message to the first network device, wherein the second NHRP registration request message is used to request the first network device to perform digital certificate authentication on the second network device, and the second NHRP registration request message comprises second PKI certificate information; and
the receiver is further configured to receive a second NHRP registration reply message sent by the first network device, wherein the second NHRP registration reply message indicates that the digital certificate authentication performed by the first network device on the second network device succeeds.
16. (Original) The second network device according to claim 15, wherein the second NHRP registration request message and the first NHRP registration reply message are a same message.

Allowable Subject Matter
Claims 1-3, 5-9, 11-13 and 15-16 are allowed.
The following is an examiner’s statement of reasons for allowance:
Regarding claims 1 & 7, although the prior art of record teaches an authentication method, wherein the authentication method is applied to a next hop resolution protocol (NHRP) network, the NHRP network comprises a first network device and a second network device, none of the prior art, alone or in combination, teaches determining, by the first network device, a first digest based on a fixed part field and a mandatory part field, wherein the first NHRP registration request message comprises the fixed part field and the mandatory part field; encrypting, by the first network device, the first digest by using a first private key, to obtain the first digital signature, wherein the first private key is symmetric to the first public key; receiving, by the first network device, a second NHRP registration request message sent by the second network device, wherein the second NHRP registration request message is used to request the first network device to perform digital certificate authentication on the second network device, and the second NHRP registration request message comprises second PKI certificate information, wherein the second PKI certificate information comprises a second digital certificate, a second digital signature, and a second public key, in view of the other limitations of claims 1 & 7.
Regarding claim 13, although the prior art of record teaches a second network device, wherein the second network device is in a next hop resolution protocol (NHRP) network, the NHRP network further comprises a first network device, none of the prior art, alone or in combination, teaches wherein the first PKI certificate information comprises a first digital certificate, a first digital signature, and a first public key, the first NHRP registration request message comprises a first authentication extension field and a first certificate extension field, the first authentication extension field comprises the first digital signature, the first certificate extension field comprises the first digital certificate and the first public key, and when the processor is configured to determine, based on the first PKI certificate information, that the digital certificate authentication performed on the first network device succeeds, the processor is specifically configured to: determine a first digest based on a fixed part field and a mandatory part field that are carried in the first NHRP registration request message; decrypt the first digital signature based on the first public key, to obtain a second digest; and determine that the first digest is the same as the second digest, and determine that the first digital certificate comprised in the first PKI certificate information and a second digital certificate stored in the second network device belong to a same certificate chain, in view of the other limitations of claim 13.
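The exchange recited in claims 1, 7 and 13, and repeated in the two paragraphs above, is easier to follow as running code. The block below is an added illustration written for this page; it is not part of the Office action, the claims, or the applicant's disclosure. It models a registration request as a dictionary with a fixed part field, a mandatory part field, an authentication extension (the digital signature) and a certificate extension (the digital certificate and public key); the sender computes a digest over the fixed and mandatory parts only and signs it with its private key, and the receiver recomputes that digest, recovers the signed digest with the peer's public key, compares the two in constant time, and then checks that the peer certificate chains to the certificate information it stores locally. The toy RSA, the single-CA certificate model, the sample field contents and all names (`build_registration_request`, `verify_registration_request`, `example-ca`, `device-1`, and so on) are constructed assumptions; NHRP wire encodings are not reproduced.

```python
import hashlib
import hmac
import random

# --- Toy RSA so the example runs with the standard library only. Constructed
#     for illustration; a deployed device would use a standard signature scheme.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d)); the private key is
    the counterpart of the public key (what the claims call 'symmetric to')."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def sign_digest(digest, private_key):
    """'Encrypt' a 32-byte digest with the private key, as the claims phrase it."""
    n, d = private_key
    return pow(int.from_bytes(digest, "big"), d, n)

def recover_digest(signature, public_key):
    """'Decrypt' the signature with the public key; None if no digest comes out."""
    n, e = public_key
    try:
        return pow(signature, e, n).to_bytes(32, "big")
    except OverflowError:
        return None

# --- Minimal certificate model (constructed): the CA signs (subject, key, issuer);
#     the verifying device stores the CA name and key as its trust anchor, which
#     stands in for the "PKI certificate information stored in the device".

def _tbs_digest(subject, public_key, issuer):
    return hashlib.sha256(f"{subject}|{public_key[0]}|{public_key[1]}|{issuer}".encode()).digest()

def issue_certificate(subject, public_key, issuer, issuer_private_key):
    return {"subject": subject, "public_key": public_key, "issuer": issuer,
            "issuer_signature": sign_digest(_tbs_digest(subject, public_key, issuer), issuer_private_key)}

def same_certificate_chain(certificate, trust_anchor):
    """True when the certificate was issued under the locally stored trust anchor."""
    if certificate["issuer"] != trust_anchor["name"]:
        return False
    recovered = recover_digest(certificate["issuer_signature"], trust_anchor["public_key"])
    expected = _tbs_digest(certificate["subject"], certificate["public_key"], certificate["issuer"])
    return recovered is not None and hmac.compare_digest(recovered, expected)

# --- Registration request: the digest covers the fixed part and mandatory part
#     only; the two extension fields carry the signature and the certificate.

def build_registration_request(fixed_part, mandatory_part, private_key, certificate):
    digest = hashlib.sha256(fixed_part + mandatory_part).digest()  # the "first digest"
    return {"fixed_part": fixed_part, "mandatory_part": mandatory_part,
            "authentication_extension": {"signature": sign_digest(digest, private_key)},
            "certificate_extension": {"certificate": certificate,
                                      "public_key": certificate["public_key"]}}

def verify_registration_request(message, trust_anchor):
    """Receiver side: recompute the digest, recover the signed digest with the
    peer's certified key, compare, then check the chain to the trust anchor."""
    cert = message["certificate_extension"]["certificate"]
    if message["certificate_extension"]["public_key"] != cert["public_key"]:
        return False  # the loose public key must be the certified one
    recomputed = hashlib.sha256(message["fixed_part"] + message["mandatory_part"]).digest()
    recovered = recover_digest(message["authentication_extension"]["signature"], cert["public_key"])
    if recovered is None or not hmac.compare_digest(recovered, recomputed):
        return False
    return same_certificate_chain(cert, trust_anchor)

def mutual_authentication_demo():
    """Both directions of the exchange plus two rejected cases.
    Returns (device1_accepted, device2_accepted, tampered_accepted, other_ca_accepted)."""
    ca_pub, ca_priv = generate_keypair()
    trust_anchor = {"name": "example-ca", "public_key": ca_pub}  # stored on both devices
    d1_pub, d1_priv = generate_keypair()
    d2_pub, d2_priv = generate_keypair()
    cert1 = issue_certificate("device-1", d1_pub, "example-ca", ca_priv)
    cert2 = issue_certificate("device-2", d2_pub, "example-ca", ca_priv)
    # Constructed sample field contents; real NHRP encodings are out of scope here.
    fixed1, mandatory1 = b"NHRP-FIXED-1", b"src=10.0.0.1;nbma=192.0.2.1"
    fixed2, mandatory2 = b"NHRP-FIXED-2", b"src=10.0.0.2;nbma=192.0.2.2"
    req1 = build_registration_request(fixed1, mandatory1, d1_priv, cert1)
    req2 = build_registration_request(fixed2, mandatory2, d2_priv, cert2)
    first_ok = verify_registration_request(req1, trust_anchor)   # checked by device 2
    second_ok = verify_registration_request(req2, trust_anchor)  # checked by device 1
    tampered = dict(req1, mandatory_part=b"src=10.0.0.9;nbma=192.0.2.1")  # digest no longer matches
    tampered_ok = verify_registration_request(tampered, trust_anchor)
    _, other_ca_priv = generate_keypair()  # certificate from a CA the devices do not trust
    other_cert = issue_certificate("device-3", d1_pub, "example-ca", other_ca_priv)
    other_ok = verify_registration_request(
        build_registration_request(fixed1, mandatory1, d1_priv, other_cert), trust_anchor)
    return first_ok, second_ok, tampered_ok, other_ok

if __name__ == "__main__":
    print(mutual_authentication_demo())  # (True, True, False, False)
```

Two design points follow from the claims. First, the signature covers only the fixed and mandatory parts, so the extension fields that carry the signature and certificate can be appended after signing without changing the digest; a receiver that hashed the whole packet would never get a match. Second, the signature check and the chain check are separate gates: a message signed with a key whose certificate does not chain to the locally stored certificate information is rejected even though its digest comparison succeeds.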
The closest prior art (patent publications) made of record is:
Horikawa (US5822320, as mentioned in IDS 07/01/2020) teaches that an ATM terminal transmits an NHRP packet to an NHS based on an ANYCAST address thereof. An NHRP configuration server may be placed in the ATM network to hold NHS information in order to store the configuration, acquire an IP address and an ATM address of the NHS, and transmit the NHRP packet based on the acquired address. Each NHS is allowed to register its own information in the NHRP configuration server at a regular interval or when the information has been updated. When the NHS receives an NHRP register packet from an ATM terminal that is not managed thereby, the NHRP register packet is transferred to another NHS that manages the ATM terminal. The NHS may also execute an authentication operation with respect to the NHRP register packet transferred from the ATM terminal that is managed thereby.
Blair (US20170012870, as mentioned in IDS dated 7/01/2020) teaches that, in one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication 
Wiget (CA2367397A1, copy attached) discloses a Multicast-Enabled Address Resolution Protocol (ME-ARP). This ME-ARP allows the building of independent IP based Virtual Private LAN segments (VPLS) over a multicast enabled IP backbone using stateless tunnels and optimal VPLS traffic forwarding. Each VPLS has an associated IP subnet which is completely independent from other VPLS or the underlying IP backbone itself. Each Customer Premises Equipment (CPE) device needs only to be configured with a VPLS identifier and its serving IP subnet per VPLS designated interface.
Luciani (US20040095947) discloses a system, device, and method for supporting multiple virtual private networks in an MPOA/NHRP communication network that involves encoding a Virtual Private Network (VPN) identifier in certain MPOA/NHRP control messages in order to associate those MPOA/NHRP control messages with a particular VPN, and using an in-band signaling technique to add/remove VPNs to/from a connection. Packets from multiple VPNs are multiplexed over the connection. Each packet is associated with a particular VPN. If packets do not inherently include information from which the VPN can be ascertained, then a VPN identifier is encoded in the packet. The VPN identifier may be encoded in the packet via a tagging mechanism, in which each VPN is associated with a unique tag, and a tag is included in each packet. The VPN identifier may alternatively be encoded in the packet by including the VPN identifier in the packet, for example, in a header (such as an LLC/SNAP header) within the packet.
Asati (US20070206597) discloses that a system transmits, to a hub from a first spoke, first routing information associated with the first spoke. The system receives, at the first spoke, from the hub, second routing information associated with a plurality of spokes in communication with the hub. The plurality of spokes includes a second spoke. The system resolves, at the first spoke, a next hop determination for the packet based on the second routing information received from the hub. The system routes the packet from the first spoke to the second spoke using the next hop determination.
Sullenberger (US7447901) discloses a process in which a security policy is associated with a virtual private network (VPN) interface at a first device, for example, a router. Input is received specifying an association of a VPN endpoint address to a corresponding routable network address of a second device. A message is issued to a security module at the first device, the message including the routable network address of the second device and the security policy. Encryption state information is generated for network traffic from the first device to the second device, based on the message. The process is applicable to a hub-and-spoke network architecture that utilizes a point-to-multipoint GRE tunnel and the IPsec protocol for security. The process is dynamic in that the encryption state is generated for traffic over a VPN link, in response to notification of a virtual address-to-real address mapping, i.e., the association. In an embodiment, the association is an NHRP mapping.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER KHAN whose telephone number is (571)272-8574. The examiner can normally be reached on Monday-Friday, 8:00am - 5:00pm (EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on 571-270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497