Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
	This action is in response to the amendment filed 4/05/2022. Claims 1-6 and 15-20 are pending. Claims 1-4 and 15-18 are amended.  Claims 1 (a non-transitory CRM) and 15 (a method) are independent. 

Response to Arguments
Applicant's arguments filed 4/05/2022 have been fully considered but they are not persuasive. With respect to the § 101 abstract idea rejection of claims 1, 3-6, 15, 17-20, Applicant’s remarks are not persuasive.  Although independent claims 1 and 15 have been amended to require: “a network topology protocol to discover”, this is distinct from performing “OpenFlow Topology Discovery Protocol (OFDP)”.  OFDP is a known protocol with defined data structures, message flows, and responses that is performed by computers.  Conversely, “a network topology discovery protocol” has no known message flows, data structures, or responses and could be performed by simply following the physical wires between hardware components to trace a network, by a human.  

Applicant’s arguments, see page 9, filed 4/05/2022, with respect to the rejection(s) of claim(s) 1 and 15 under Moghe in view of Denton have been fully considered and are persuasive.  Moghe discloses bypassing firewalls but does not disclose differing policies among the firewalls.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Tran et al., “A Network Topology-aware Selectively Distributed Firewall Control in SDN”, in view of Denton, US 2007/0157313.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 3-6, 15, and 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a mental process.  Independent claims 1 and 15 recite collecting information about a network (topology) and then forming a “plan” for network configuration; this is an abstract idea mental process, see MPEP 2106.04(a)(2)(III)(B) noting that the performance of a mental process on a generic computer or computing environment may be an abstract idea.  This judicial exception is not integrated into a practical application because the claims' only exception to the mental process steps is the sending/receiving of data, and the claims themselves do not improve a computer, MPEP 2106.05(a)(I). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because receiving and transmitting data is a well-understood, routine, and conventional activity and does not constitute significantly more than the other mental process steps for 35 U.S.C. § 101 purposes. MPEP 2106.05(d)(II).
Dependent claims 2 and 16 are not viewed as an abstract idea as the utilization of OpenFlow Topology Discovery would not be practically performed in a human mind. 



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 15 and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tran et al., “A Network Topology-aware Selectively Distributed Firewall Control in SDN” (published 2015), in view of Denton, US 2007/0157313 (filed 2006-01).
As to claims 1 and 15 Tran discloses a CRM/method comprising: 
…
performing a network topology protocol to discover a network topology for a network branch, (“controller has to maintain a topology data. In this firewall solution with POX controller, we use a plugin module named “openflow.discovery”. Every time a new host connects to a network switch, a new “Connection_Up” event will be send to controller to notify a topology change.” Tran § III.A) the network branch including a plurality of access points including a first access point, (See Tran Figure 2, hosts connected to switches, that are access points.) the first access point having an interface to a network, (See Tran Figure 2, multiple switches forming a network to forward packets between hosts, e.g. host 1 and discussion in Tran § III.B) …
performing a host discovery service to discover one or more host devices that are connected by wireless or wired connections to one or more access points of the plurality of access points in the network branch; (“controller has to maintain a topology data. In this firewall solution with POX controller, we use a plugin module named “openflow.discovery”. Every time a new host connects to a network switch, a new “Connection_Up” event will be send to controller to notify a topology change.” Tran § III.A)
generating a firewall coordination plan for the network branch based on the discovered network topology and the discovered one or more host devices; and (“installing similar firewall rule in every hardware device like the solutions in [2] [3] [4] could be redundant. To solve this problem, we propose the selective firewall installing method. The idea here is only install the firewall rule in the switch that directly connects to the host has the MAC address in source MAC address of firewall rule.” Tran § III.A)
applying a firewall policy for a second access point to which a first host device is attached (“The controller will look up, find which switch connects directly to that host 1, and install the firewall rule in that switch only, in this case is switch 1. This method guarantees that the firewall-violated packets will be filtered out at the first forwarding device handling that packet” Tran § III.A) and bypassing (i.e. not installing the firewall rule in other switches. Tran Figure 4, showing firewall rules and flow entry rules.  Having the necessary flow entry rule without a matching firewall rule is an indication for host devices for which firewalling is not required. “Traffics in SDN environment are handled flow-based. Controller instructs the forwarding devices by installing flow rules in their flow tables.  One flow rule contains multiple matching fields, action set, and counters. Each incoming packet to the forwarding devices will be analyzed…. The general actions in action set include … PORT – send out the packet on specific port (normal switching case with known route)” Tran § I.) one or more other firewall policies for access points (“in the forwarding process, only switch 1 have to maintain the firewall rule in its flow table and only the traffics going through that switch will be matched against the firewall rule. Omitting this firewall rule in switches 2 and 3 also means one less flow entry these two switches have to keep in their flow tables and one less matching process every time a packet go through these switches.” Tran § III.A) in a connection between the first host and the network, (See Tran Figure 2, multiple switches forming a network to forward packets between hosts, e.g. host 1 and discussion in Tran § III.B) wherein the firewall policy for the second access point is based on the generated firewall coordination plan. 
(“only install the firewall rule in the switch that directly connects to the host has the MAC address in source MAC address of firewall rule.” Tran § III.A)

Tran does not disclose:
One or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
discovery of the network topology including identifying any access point of the plurality of access points that is linked to the first access point directly or via one or more intermediary access points;

Denton discloses:
One or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: (Denton ¶ 20)
discovery (“access to a network is based on known topologies by using self-discovery methods to mine for new or modified network assets and building a database that includes all such network assets.” Denton ¶ 17.  “Passive network discovery includes methods such as, for example, "sniffing," a daemon, or residing on a switch and listening to network traffic to identify assets.” Denton ¶ 26) of the network topology including identifying any access point of the plurality of access points that is linked to the first access point directly or via one or more intermediary access points; (“computer network device 110 (e.g., a client, workstation, server, or wireless device)” Denton ¶ 23. “Newly installed or modified devices are listed in the assets database as discovered. Unknown assets, or those not meeting the requirements of the policy database, are quarantined until they can authenticate or verify compliance.” Denton ¶ 47)

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Tran with Denton by including the physical structures and network access point (switches and server) discovery of Denton in the distributed firewall configuration of Tran.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Tran with Denton in order to gain knowledge of the topology of the system so as to allow the distributed firewall of Tran to configure the appropriate switches/access points; knowing the location and topology of the switches/access points is necessary to accomplish the configuration, Tran § III.A.  Additionally, Denton provides policy implementations to secure the network resources, Denton ¶ 47; thereby securing the network from fraudulent users or undesired uses. 

As to claims 3 and 17, Tran in view of Denton discloses the CRM/method of claims 1 and 15 and further discloses: 
wherein the performing a host discovery service to discover the one or more host devices that are connected by wireless or wired connections to the one or more access points comprises: 
receiving and processing messages from one or more access points regarding one or more host devices connected by wireless connection; and (“Every time a new host connects to a network switch, a new “Connection_Up” event will be send to controller to notify a topology change.” Tran § III.A)

Tran in view of Denton does not disclose:
receiving and processing authentication requests from one or more access points regarding one or more host devices connected by wired connections.

Denton further discloses:
receiving and processing authentication requests from one or more access points regarding one or more host devices connected by wired connections. (“the client has the ability only to send information concerning its identity to an authentication server.” Denton ¶ 5.  Where the authentication goes through the switch/access point as it is the client’s connection to the network.  Also, “The assets database 130 may include identifying information regarding a device on the network. ... [0038] whether the wireless device is authorized to access the network;” Denton ¶ 28. “Thus, a device is only granted an IP address and authorized access to the network if it can prove it is both known and in compliance.” Denton ¶ 47. The assets database is the topology database, updated with authentication status.)

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Tran in view of Denton with Denton by including the physical structures and network access point (switches and server) discovery of Denton in the distributed firewall configuration of Tran.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Tran in view of Denton with Denton in order to gain knowledge of the topology of the system so as to allow the distributed firewall of Tran to configure the appropriate switches/access points; knowing the location and topology of the switches/access points is necessary to accomplish the configuration, Tran § III.A.  Additionally, Denton provides policy implementations to secure the network resources, Denton ¶ 47; thereby securing the network from fraudulent users or undesired uses. 

As to claims 4 and 18, Tran in view of Denton discloses the CRM/method of claims 1 and 15 and further discloses: 
further comprising executable computer program instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: (see physical structure of Denton ¶ 20)
generating and transmitting a firewall optimization message to a particular access point of the plurality of access points, (“The controller will look up, find which switch connects directly to that host 1, and install the firewall rule in that switch only, in this case is switch 1. This method guarantees that the firewall-violated packets will be filtered out at the first forwarding device handling that packet” Tran § III.A) the firewall optimization message to identify one or more host devices for which a firewall is not required at the particular access point, wherein the firewall optimization message is based on the generated firewall coordination plan. (Tran Figure 4, showing firewall rules and flow entry rules.  Having the necessary flow entry rule without a matching firewall rule is an indication for host devices for which firewalling is not required. “Traffics in SDN environment are handled flow-based. Controller instructs the forwarding devices by installing flow rules in their flow tables.  One flow rule contains multiple matching fields, action set, and counters. Each incoming packet to the forwarding devices will be analyzed…. The general actions in action set include … PORT – send out the packet on specific port (normal switching case with known route)” Tran § I.)


As to claims 5 and 19, Tran in view of Denton discloses the CRM/method of claims 4 and 18 and further discloses: 
wherein a firewall is to be applied at an access point to which the identified one or more host devices are attached, the access point to which the identified one or more host devices are attached being a downlink access point from the particular access point receiving the firewall optimization message. (“installing similar firewall rule in every hardware device like the solutions in [2] [3] [4] could be redundant. To solve this problem, we propose the selective firewall installing method. The idea here is only install the firewall rule in the switch that directly connects to the host has the MAC address in source MAC address of firewall rule.” Tran § III.A.  See Tran Figure 2)

Claims 2 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tran et al., “A Network Topology-aware Selectively Distributed Firewall Control in SDN” (published 2015), in view of Denton, US 2007/0157313 (filed 2006-01), and Gao et al., US 2015/0003259 (filed 2012-01).
As to claims 2 and 16, Tran in view of Denton discloses the CRM/method of claims 1 and 15 but does not disclose: 
Wherein discovering the network topology includes application of a OpenFlow Topology Discovery Protocol (OFPDP).

Gao discloses: 
Wherein discovering the network topology includes application of a OpenFlow Topology Discovery Protocol (OFPDP).
(“In the open flow network, the controller (OFC) uses topology discovery protocol such as LLDP (Link Layer Discovery Protocol) and OFDP (OpenFlow Discovery Protocol) to collect connection data between neighbor switches (OFSs). Note that OFDP is the topology detection protocol in the open flow network for the extended LLDP.” Gao ¶ 13.  Note that Applicant’s specification ¶ 34 notes the use of OFDP)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Tran in view of Denton with Gao by utilizing OpenFlow and OpenFlow Discovery Protocol to manage the network of Tran in view of Denton.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Tran in view of Denton with Gao in order to use a known network control and topology discovery protocol to implement the topology discovery of Tran in view of Denton, thereby reducing the amount of programming required to implement the system and easing adoption of the system. 

Claims 6 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tran et al., “A Network Topology-aware Selectively Distributed Firewall Control in SDN” (published 2015), in view of Denton, US 2007/0157313 (filed 2006-01), and Dykeman et al., US 7,177,951 (filed 2000-07).
As to claims 6 and 20, Tran in view of Denton discloses the CRM/method of claims 1 and 15 but does not disclose: 
removing one or more host devices from a database of discovered host devices upon expiration of a period of time since a message regarding the host device has been received from an access point.

Dykeman discloses:
removing one or more host devices from a database of discovered host devices upon expiration of a period of time since a message regarding the host device has been received from an access point. (“if a PTSE's lifetime expires without the PTSE being refreshed, the PTSE is no longer considered valid topology information and is removed, or "flushed" from the topology database.” Dykeman col. 2, ln. 15)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Tran in view of Denton with Dykeman by using expiration lifetimes for topology information and removing said information from the topology database upon expiration.  It would have been obvious to a person of ordinary skill in the art to combine Tran in view of Denton with Dykeman in order to update the topology database to reflect the current state of the network (Denton ¶ 27) by removing stale topology information that is no longer valid and could lead to routing errors if utilized. 
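The two mechanisms relied on above, Tran's selective firewall installing method (rule installed only at the switch directly attached to the source host, bypassed at the other switches on the path; claims 1/15, 4/18 and 5/19) and Dykeman's lifetime expiry of topology entries (claims 6/20), as an added illustration that is not code from Tran, Denton, Dykeman or the application. The switch names, MAC addresses, lifetime value and the `Connection_Up`-style event handling are constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field

HOST_LIFETIME = 300.0  # seconds a host entry survives without a refresh (assumed value)

@dataclass
class TopologyDB:
    links: dict = field(default_factory=dict)  # switch -> set of adjacent switches
    hosts: dict = field(default_factory=dict)  # host MAC -> (attached switch, last_seen)

    def add_link(self, a: str, b: str) -> None:
        self.links.setdefault(a, set()).add(b)
        self.links.setdefault(b, set()).add(a)

    def host_seen(self, mac: str, switch: str, now: float) -> None:
        """Record an attachment event (constructed analogue of a Connection_Up notification)."""
        self.hosts[mac] = (switch, now)

    def flush_expired(self, now: float) -> list:
        """Flush hosts whose lifetime expired without a refresh; return the flushed MACs."""
        stale = [m for m, (_, seen) in self.hosts.items() if now - seen > HOST_LIFETIME]
        for mac in stale:
            del self.hosts[mac]
        return stale

    def path(self, src: str, dst: str) -> list:
        """Shortest switch-to-switch path by BFS; empty list if unreachable."""
        prev, queue = {src: None}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                out = []
                while cur is not None:
                    out.append(cur)
                    cur = prev[cur]
                return out[::-1]
            for nxt in self.links.get(cur, ()):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return []

def coordination_plan(db: TopologyDB, rules: list) -> dict:
    """Map (src_mac, dst_mac) block rules to {switch: {"install": [...], "bypass": [...]}}."""
    # A rule is installed only at the switch directly attached to its source host; every
    # other switch on the path to the destination records it as bypassed (it keeps just its
    # forwarding flow entry). Rules naming an unknown or flushed host are skipped entirely.
    plan = {sw: {"install": [], "bypass": []} for sw in db.links}
    for src, dst in rules:
        if src not in db.hosts or dst not in db.hosts:
            continue
        first_hop = db.hosts[src][0]
        plan.setdefault(first_hop, {"install": [], "bypass": []})["install"].append((src, dst))
        for sw in db.path(first_hop, db.hosts[dst][0])[1:]:
            plan[sw]["bypass"].append((src, dst))
    return plan

def demo():
    # Constructed topology: chain s1-s2-s3; h1 on s1, h2 on s3, h3 on s2 but never refreshed.
    db = TopologyDB()
    for a, b in (("s1", "s2"), ("s2", "s3")):
        db.add_link(a, b)
    H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    for mac, sw, seen in ((H1, "s1", 100.0), (H2, "s3", 100.0), (H3, "s2", 0.0)):
        db.host_seen(mac, sw, seen)
    flushed = db.flush_expired(now=400.0)  # h3 exceeded HOST_LIFETIME and is flushed
    plan = coordination_plan(db, [(H1, H2), (H3, H2)])
    return flushed, plan
```

Running `demo()` places the h1-to-h2 rule on s1 only, marks it bypassed on s2 and s3, and installs nothing for the flushed h3.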

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
	Singla et al., US 11,310,106, discloses cloud control of a WiFi access point mesh network with firewall capabilities. 
	Neginhal et al., US 11,252,024, discloses configuring multiple levels of logical routers. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492