DETAILED ACTION
This Office Action is in response to the amendment filed 12/14/2021. 
In the instant amendment, claims 1-4, 6, 9, 11, 16 and 19 are amended; claims 5, 10, 15 and 20 are cancelled; claims 1, 6, 11 and 16 are independent claims. Claims 1-4, 6-9, 11-14 and 16-19 are pending in this application.  THIS ACTION IS MADE FINAL. 

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/18/2021 and 12/14/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Response to Arguments
The 35 U.S.C. 101 rejection to claim 1-5 and 11-14 for being an abstract idea has been withdrawn as per amendment filed 12/14/2021. 
Applicant’s arguments with respect to claim(s) 1, 6, 11 and 16 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) and further in view of Elzur et al (“Elzur,” US 20080126559).    

Regarding claim 1, Sankaran discloses a method for modifying network traffic data, comprising:
receiving a network traffic data unit by a switching engine; (Sankaran, 602, FIG 6 receive, by a media access control security (MACSec) capable device, a data packet from a host device for tunneling to a controller in a network; Also see Col. 7, Lines 20-49 which describe FIG 6; Col. 2, Line 57 describes the MACSec capable device may be a network switch)
performing an analysis, by the switching engine, on the network traffic data unit to obtain network tunnel information; (Sankaran, Col. 4, Lines 1-32 describe port information and a lookup a table maintained on MACSec capable device that stores a mapping between the destination MAC address reserved for the controller an the encryption key corresponding to the controller [performing an analysis]; Figures 2-4 describe network tunnel information in the header; 602, 604, 606, 608, FIG 6 shows performing an analysis on the data packet to obtain network tunnel information for a GRE tunnel; Also see Col. 7, Lines 20-49 which describe FIG 6)
wherein the switching engine and the encryption engine are both hardware
components of a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).
Sankaran fails to explicitly disclose generating encryption information, by the switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, encryption key, and which portion of the network traffic data unit to encrypt;  appending, by the switching engine, the encryption information to the network traffic data unit as a tag: securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag, and transmitting the secured network traffic data unit through a network tunnel based on the network tunnel information.
However, in an analogous art, Elzur discloses wherein the encryption information specifies an encryption type, (Elzur, [0037], [0072] & [0074] describes wherein the encryption information specifies an encryption type which can be IPsec or MACSec) 
(Elzur, [0072], [0074], [0084], FIG 1E, FIG 1F describes an encryption key, and which portion of the network packet to encrypt) 
appending, by the switching engine, the encryption information to the network traffic data unit as a tag: (Elzur, [0016], Figures 1E, 1F and 218, FIG 2C describe appending by a switch, the encryption information to the network packet as a tag called SECTag as described in [0061])
securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag, (Elzur, [0037], [0016], Figures 1E, 1F and 218, FIG 2C describe securing the packet by an encryption engine based on encryption information in the SECTag as described in [0061] )
 and transmitting the secured network traffic data unit through a network tunnel based on the network tunnel information (Elzur, [0037], [0072], [0074], [0098]-[0100], describe and transmitting the secured network packet through the network tunnel based on the network tunnel information )
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran to include wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to secure a network utilizing IPsec and MACsec protocols (Elzur, [0003]).  


Regarding claim 11, Sankaran discloses a network device for modifying network traffic data, comprising:
a switching engine, configured to: (Sankaran, Col. 2, Line 57, network switch)
receive a network traffic data unit; (Sankaran, Col. 2, Lines 15-16 & 55-56, receive a data packet [network traffic data unit]). 
perform an analysis on the network traffic data unit to obtain network tunnel
information; (Sankaran, Col. 4, Lines 1-32 describe port information and a lookup a
table maintained on a MACsec capable device that stores a mapping between the
destination MAC address reserved for the controller and the encryption key
corresponding to the controller [perfoming an analysis]; Figures 2-4 describe network
tunnel information in the header; 602, 604, 606, 608, FIG 6 shows performing an
analysis on the data packet to obtain network tunnel information for a GRE tunnel; Also
see Col. 7, Lines 20-49 which describe FIG 6) and
wherein the switching engine and the encryption engine are both hardware components of a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).
Sankaran fails to explicitly disclose generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type; and an encryption engine, configured to: secure the network traffic data unit based on the encryption information, and transmit the secured network traffic data unit through a network tunnel based on the network tunnel information
(Elzur, [0037], [0072], [0074], [0089] describe generating encryption information based on network tunnel information)
wherein the encryption information specifies an encryption type; (Elzur, [0037], [0072] & [0074] describes wherein the encryption information specifies an encryption type which can be IPsec or MACSec)
and an encryption engine, configured to: (Elzur, [0037], [0068], [0072] & [0074] describe encryption circuitry [encryption engine])
secure the network traffic data unit based on the encryption information, (Elzur, [0037], [0016], Figures 1E, 1F and 218, FIG 2C describe securing the packet by an encryption engine based on encryption information in the SECTag as described in [0061])
and transmit the secured network traffic data unit through a network tunnel based on the network tunnel information (Elzur, [0037], [0072], [0074], [0098]-[0100], describe and transmitting the secured network packet through the network tunnel based on the network tunnel information)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran to include generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type; and an encryption engine, configured to: secure the network traffic data unit based on the encryption information, and transmit the secured network traffic data unit through a network tunnel based on the network tunnel information. One would have .   

Claims 2-3, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) in view of Elzur et al (“Elzur,” US 20080126559) and further in view of Zhang et al (“Zhang,” US 20090204850)

Regarding claim 2, Sankaran and Elzur disclose the method of claim 1. 
Sankaran further discloses wherein the analysis comprises:
performing a lookup to identify a destination; (Sankaran, Col. 4, Lines 26-32, the MACsec engine may identify the destination MAC address from the encapsulation header in the encapsulated data packet, and then look up a database (table) maintained on MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller)
making a first determination that the network traffic data unit is to traverse the network tunnel based on the destination; (Sankaran, 602-614, Col. 7, Lines 20-49 which describe FIG 6 describes making a determination that a packet is to cross a GRE tunnel based on the destination)
and appending the network tunnel information to the network traffic data unit based on the first determination, (Sankaran, FIG 4 shows adding the GRE tunnel information the data packet based on the first determination)

However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the method and system of Sankaran and Elzur to include wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to report the error of each level of tunnel data packet in a communication network (Zhang, [0001]). 

Regarding claim 3, Sankaran and Elzur disclose the method of claim 2. 
Sankaran further discloses wherein generating the encryption information comprises:
making a second determination that the network tunnel requires encryption; (Sankaran, Col. 7, Lines 20-49 which describe FIG 6 describes making determinations that the GRE tunnel requires encryption)
appending the encryption information to the network traffic data unit based on the second determination, (Sankaran, Figures 2-4 and 7 describe adding the encryption information to the data packet based on the determinations, wherein the encryption information specifies MACsec). 
Regarding claim 12, Sankaran and Elzur disclose the network device of claim 11. 
Sankaran further discloses wherein the analysis comprises:
performing a lookup to identify a destination; (Sankaran, Col. 4, Lines 26-32, the MACsec engine may identify the destination MAC address from the encapsulation header in the encapsulated data packet, and then look up a database (table) maintained on MACsec capable device that stores a mapping between the destination MAC address reserved for the controller and the encryption key corresponding to the controller)
making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; (Sankaran, 602-614, Col. 7, Lines 20-49 which describe FIG 6 describes making a determination that a packet is to cross a GRE tunnel based on the destination) and
appending the network tunnel information to the network traffic data unit based on the first determination, (Sankaran, FIG 4 shows adding the GRE tunnel information the data packet based on the first determination)
Sankaran and Elzur fail to explicitly disclose wherein the network tunnel information indicates termination at a device that comprises a decryption engine,
However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)


Regarding claim 13, Sankaran, Elzur and Zhang disclose the network device of claim 12. 
Sankaran further discloses wherein generating the encryption information comprises: making a second determination that the network tunnel requires encryption; (Sankaran, Col. 7, Lines 20-49 which describe FIG 6 describes making determinations that the GRE tunnel requires encryption)
and
appending the encryption information to the network traffic data unit based on the second determination, wherein the encryption information specifies an encryption type, (Sankaran, Figures 2-4 and 7 describe adding the encryption information to the data packet based on the determinations, wherein the encryption information specifies MACsec). 

Claim 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), Elzur et al (“Elzur,” US 20080126559), Zhang et al (“Zhang,” US 20090204850) in view of Saraf et al (“Saraf,” US 20170366508) and further in view of Hunn et al (“Hunn,” US 20160117449).  

Regarding claim 4, Sankaran, Elzur and Zhang disclose the method of claim 3. 
Sankaran further discloses wherein securing the network traffic data unit comprises:
making a third determination that the encryption information is valid; (Sankaran, Col. 5, Lines 23-30 describes making multiple determinations that the encryption data is valid such that the action performed by the controller is authentication, access control, policy enforcement, and firewall inspection)
Sankaran does disclose is based on the encryption type (See Col. 7, Lines 20-49 which describes the encryption type to be MACsec). 
Sankaran, Elzur and Zhang fail to explicitly disclose modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit is based on the encryption type; 
However, in an analogous art, Saraf discloses modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit; (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with 
Sankaran, Elzur, Zhang and Saraf fail to explicitly disclose and after the modifying: removing the encryption information; and appending decryption information.
However, in an analogous art, Hunn discloses and after the modifying: 
removing the encryption information; (Hunn, [0043] describes removing the encryption key)
and appending decryption information (Hunn, [0063] describes keeping a decryption key for added security)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hunn with the method and system of Sankaran and Elzur to include and after the modifying: removing the encryption information; and appending decryption information. One would have been motivated to provide added security to prevent unauthorized duplication of the data structure (Hunn, [0063]). 

Regarding claim 14, Sankaran, Elzur and Zhang disclose the network device of claim 13. 
Sankaran further discloses wherein encrypting the network traffic data unit comprises:
(Sankaran, Col. 5, Lines 23-30 describes making multiple determinations that the encryption data is valid such that the action performed by the controller is authentication, access control, policy enforcement, and firewall inspection)
Sankaran does disclose is based on the encryption type (See Col. 7, Lines 20-49 which describes the encryption type to be MACsec). 
Sankaran, Cisco and Zhang fail to explicitly disclose modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit. 
 However, in an analogous art, Saraf discloses modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with the method and system of Sankaran, Elzur and Zhang to include modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit. One would have been motivated to use operating system redirection for network stream transformation operations (Saraf, [0042]).
However, in an analogous art, Hunn discloses and after the modifying: removing the encryption information; (Hunn, [0043] describes removing the encryption key)
and appending decryption information (Hunn, [0063] describes keeping a decryption key for added security)
. 

Claims 6-9 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856), Gluck et al (“Gluck,” US 20130091350) and further in view of Elzur et al (“Elzur,” US 20080126559) and further Sankaran et al (“Sankaran,” US 10,708,245).

Regarding claim 6, Chiquito discloses a method for modifying network traffic data, comprising:
receiving an encrypted network traffic data unit, by a decryption engine, (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is
tcpdump/Wireshark it allows you to see what is actually happening at the network level
and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter;
Page 2 describes running a command to retrieve encryption keys; Page 3, there are two
sets of keys one for the inbound connection and another for the outbound connection;
Page 6 shows a display where to deteci/decode encrypted ESP payloads; the next
screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
comprising:
network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information; (Chiquito, Pages 7-8, shows decrypted information)
Chiquito fails to explicitly disclose obtaining, by the decryption engine, an encryption type based on the decryption information;  decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generating post-decryption information based on the decrypting;  appending, by the decryption engine, the post-decryption information to the network traffic data unit:  transmitting the decrypted network traffic data unit to a switching engine; determining, by the switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information: converting, by the switching engine, the decrypted network traffic data unit into
converted network traffic data unit;  and transmitting, by the switching engine, the converted network traffic data unit to a destination device. 
However, in an analogous art, Elzur discloses obtaining, by the decryption engine, an encryption type based on the decryption information;  (Elzur, FIG 5, [0068], [0072]-[0074] describe obtaining by the decryption engine, an encryption type as either IPSec or MACSec based on the decryption information)
decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; (Elzur, [0072]-[0074] describe decrypting by the decryption engine, the encrypted network packet to obtain a decrypted packet based on either IPSec or MACSec)
generating post-decryption information based on the decrypting;  (Elzur, [0072]-[0074] & FIG 5 describe generating post-decryption information based on the decrypting)
appending, by the decryption engine, the post-decryption information to the network traffic data unit:  (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe appending by the decryption engine, the post-decryption information to the packet)
transmitting the decrypted network traffic data unit to a switching engine; (Elzur, [0037], [0072], [0074], [0098]-[0100] describe transmitting the decrypted packet to the switch; also see  FIG 2C, FIG 5, FIG 6 and FIG 7)
determining, by the switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information: (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe determining by the switch that decrypting the encrypted network packet was successful based on encryption type [post-decryption information]). 
converting, by the switching engine, the decrypted network traffic data unit into converted network traffic data unit;  (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe converting by the switch the decrypted packet into a converted packet)
and transmitting, by the switching engine, the converted network traffic data unit to a destination device, (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmitting by the switch the converted packet to a destination device)

Chiquito and Elzur fail to explicitly disclose wherein the switching engine and the encryption engine are both hardware components of a same device. 
However, in an analogous art, Sankaran discloses wherein the switching engine and the encryption engine are both hardware components of a same device, (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito, Gluck and Elzur to include wherein the switching engine and the encryption engine are both hardware components of a same device. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 7, Chiquito, Gluck, Elzur and Sankaran disclose the method of claim 6. 
Chiquito further discloses and performing an analysis on the decryption information to obtain the encryption type, based on the first determination (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet with length)  
Sankaran further discloses making a first determination that the network tunnel information specifies a device that comprises the decryption engine, (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the encrypted processed data packet may be decrypted to generate the processed data packet). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito, Gluck and Elzur to include wherein the method further comprises: transmitting the decrypted network traffic data unit to a switching engine; wherein switching engine and the decryption engine are both hardware components in a same device. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 8, Chiquito, Gluck, Elzur and Sankaran disclose the method of claim 7. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the (Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)
Gluck further discloses appending post-decryption information that indicates a successful decryption, based on the second determination, (Gluck, [0029] describes adding post-decryption information for a decryption process based on another determination [second determination]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Chiquito to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to communicate data provided by users or other external systems between an application server and a client via a proxy (Gluck, [0002]).

Regarding claim 9, Chiquito, Gluck, Elzur and Sankaran disclose the method of claim 8. 
Gluck further discloses wherein generating the post-decryption information comprises:
(Gluck, [0030] & [0034]-[0035] & [0039] descries making a second determination that the decrypting  and the authenticating was successful was successful) and
the appended post-decryption information indicates a successful decryption, based on the second determination, (Gluck, [0029], describes adding post-decryption information for decryption based on a second determination).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Cisco to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to communicate data provided by users or other external systems between an application server and a client via a proxy (Gluck, [0002]). 

Regarding claim 16, Chiquito discloses a network device for modifying network traffic data, comprising:
a decryption engine, configured to: (Chiquito, Page 6 shows a software display where to detect/decode encrypted ESP payloads)
receive an encrypted network traffic data unit, comprising: (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to deteci/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information; (Chiquito, Pages 7-8 shows decrypted information)
obtain an encryption type based on the decryption information; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the encryption key; Page 7 shows a screen with decrypted traffic where line one shows Protocol, Length, Info with encrypted packet and length)
decrypt the encrypted network traffic data unit to obtain a decrypted network
traffic data unit, based on the encryption type; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, wth encrypted packet with length) and
Chiquito fails to explicitly disclose generate post-decryption information based on the decrypted network traffic data unit
However, in an analogous art, Gluck discloses generate post-decryption information based on the decrypted network traffic data unit (Gluck, [0029] describes adding post-decryption information for decryption based on a second determination). 
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Gluck with
the method and system of Chiquito to include making a first determination that the
network traffic data unit is to traverse a network tunnel based on the destination; and
appending the network tunnel information to the network traffic data unit based on the
first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to
communicate data provided by users or other external systems between an application
server and a client via a proxy (Gluck, [0002]).
Chiquito and Gluck fail to explicitly disclose appending, by the decryption engine, the post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a switching engine, a switching engine, configured to: determine that decrypting the encrypted network traffic data unit was
successful: convert the decrypted network traffic data unit into converted network traffic
data unit; and transmit the converted network traffic data unit to a destination device, wherein the switching engine 
(Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe joining by the decryption engine the post-decryption information which is the encryption type as either IPSec or MACSec information to the packet)
and transmit the decrypted network traffic data unit to a switching engine, (Elzur, (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe transmitting the decrypted packet to the switch)
a switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful: (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe a switch configured to determine that the decrypting the encrypted network packet was successful)
convert the decrypted network traffic data unit into converted network traffic
data unit; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe converting the decrypted network packet into a converted packet)
and transmit the converted network traffic data unit to a destination device, (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmit the converted network packet to a destination device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Chiquito and Gluck to include and after the modifying: removing the encryption information; and appending decryption information. One would 
Chiquito, Gluck and Elzur fail to explicitly disclose wherein the switching engine and the encryption engine are both hardware components of a same device.
However, in an analogous art, Sankaran discloses wherein the switching engine and the encryption engine are both hardware components of a same device (Sankaran, Col. 2, Lines 21-35 describes the MACsec engine on the MACsec capable device which are hardware components and the MACsec capable device can be a network switch according to Col. 2, Line 57).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito, Gluck and Elzur to include wherein the method further comprises: transmitting the decrypted network traffic data unit to a switching engine; wherein switching engine and the decryption engine are both hardware components in a same device. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 17, Chiquito, Gluck and Elzur disclose the network device of claim 16. 
Chiquito further discloses performing an analysis on the decryption information to obtain the encryption type, based on the first determination, (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length)  
Chiquito, Gluck and Elzur fail to explicitly disclose wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine. 
However, in an analogous art, Sankaran discloses wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the encrypted processed data packet may be decrypted to generate the processed data packet). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito, Gluck and Elzur to include wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 18, Chiquito, Gluck, Elzur and Sankaran disclose the network device of claim 17. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises:
(Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)

Regarding claim 19, Chiquito, Gluck, Elzur and Sankaran disclose the network device of claim 18. 
Gluck further discloses disclose wherein generating the post-decryption information comprises: making a second determination that the decrypting and the authenticating was successful; and appending post-decryption information that indicates a successful decryption, based on the second determination; (Gluck, [0030] & [0034]-[0035] & [0039] descries making a second determination that the decrypting  and the authenticating was successful was successful) and
appending post-decryption information that indicates a successful decryption, based on the second determination (Gluck, [0029], describes adding post-decryption information for decryption based on a second determination). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Chiquito to include disclose wherein generating the post-decryption information comprises: making a second determination that the decrypting and the authenticating was successful; and appending post-decryption information that .


Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439