DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
In response to the arguments filed 5/3/2022:
Referring to the arguments of the 35 U.S.C. 103 rejections (arguments: pages 7-8):  Refer to the updated rejection below in view of amendments.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Raj et al. (US Patent No. 10,715,427) in view of Ermagan et al. (US PG Pub 2017/0026417, cited on IDS dated 3/12/2021) in view of U.S. Publication No. 20160135045 to Lee et al, and in further view of U.S. Publication No. 20200236042 to Gafni et al.
Referring to claim 1, Raj et al. teach a method comprising, by a first network apparatus configured to operate at a first site of a network: 
Receiving, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, …
…
…
…, receiving, from the second network apparatus, a response comprising the identifier of the second group. 
…
Applying, to the data packet, one or more policies determined based on … the destination group; and causing the data packet to be routed to the second host [Raj, column 3, lines 23-40, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each be present at the head office or a branch office.  In the example of FIG. 1, network nodes 104, 106, 108, 110, may each be present at a head office, network nodes 112 and 114 may each be present at a first branch office, and network nodes 116 and 118 may each be present at a second branch office. Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include a routing agent (not shown).  Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each communicate with controller 102 via a protocol.  In an example, a routing agent may allow the abstraction of a network node so that it can be managed by controller 102. In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN”, The routers of the SD-WAN are configured by the controller (see element 102) to connect edge devices in different branch/head offices (or sites, see fig. 1 and column 1, lines 40-56). SD-WAN is an overlay technology to control packet routing (see column 1, lines 57-67). Routing decisions are for connecting particular endpoints (or hosts within sites) in the SD-WAN network (see column 2, lines 12-24). Route calculation is determined based on a destination (see column 5, lines 18-23). The generation engine (see fig. 1, element 154) generates policies to be used with the routing information (see column 6, lines 32-40).].

Raj et al do not disclose wherein the data packet from the first host comprises an identifier of a first group that … the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group.
However, Ermagan et al. teach wherein the data packet comprises an identifier of a first group to which the first host belongs as a source group, and wherein the one or more policies are associated with the source group [Ermagan, ¶ 0056, “The service orchestrator 404 can provide policies for how source and destination forwarding states should be applied on a per VPN basis or on a per tenant basis (or both).  The VPN policy resolver 406 can resolve forwarding state information for mapping server 408”, Policies may be applied based on the source address included in the data packet. The data packet is received by the router, and the router then sends the request to the mapping server (see ¶ 0061).]  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Raj et al also do not explicitly teach sending, to a second network apparatus, a request for an identifier of a second group that … the second host is to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receiving, from the second network apparatus, a response comprising the identifier of the second group; determining, based on the received identifier, that the second group is a destination group.
However, Ermagan et al. teach sending, to a second network apparatus, a request for an identifier of a second group to which the second host belongs, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receiving, from the second network apparatus, a response comprising the identifier of the second group; determining, based on the received identifier, that the second group is a destination group [Ermagan, ¶ 0061, “The mapping server 408 can receive a request from a router 410 that is attempting to reach another router 412.  The request can include the RLOC of the requesting router 410 can apply a policy associated with the router 410 to use router x 424 as an intermediate hop router between router A 410 and router B 412”, The mapping server (see fig. 6, element 408) may receive a request from a router seeking a destination address for a packet. The mapping table (element 420) produces a RLOC (routing locator) from endpoint ID (a second host address, see ¶ 0056). The service orchestrator (element 404) can implement policies for how the mapping table is configured (see ¶ 0060). A response may be sent to the requesting router, including the RLOC (see fig. 12, element 1206, see ¶s 0110 and 0111).].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Raj et al also do not disclose receiving, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication server, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host.
Lee et al disclose in Figures 1-12 wherein a plurality of nodes 115 are divided into groups, and each group of nodes 115 is associated with a respective authentication server 130.  Each node 115 of a group requests authentication from the respective authentication server.   Refer to Sections 0035-0113.  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include receiving, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication server, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host.  One would have been motivated to do so, so that a respective authentication server can authenticate the nodes of a respective group of nodes.
Raj et al also do not disclose applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.
Gafni et al disclose in Figures 1-7 a system wherein entities 14 are each grouped within one group A, group B, or group C in the network and entities 14 transmit packets to one another via network device.  Each packet includes a source identifier and a destination identifier.  Network device includes a memory that stores several routing tables including: a source-group mapping table 30 that maps source identifiers to source-groups, a destination-group mapping table 32 that maps destination identifiers to destination-groups, and an intergroup access-control list 34 that maps source-destination-group pairs to forwarding rules.  Upon receiving a data packet, network device determines the source identifier of the packet, and maps the source identifier to a source group according to the source-group mapping table 30 (claimed “wherein the data packet comprises an identifier of a first group that the first host is associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group”).  Network device then determines the destination identifier and the corresponding destination group of the data packet.  Network device then determines a forwarding rule for a source-destination pair including the found source-group and the found destination-group for the packet in the intergroup access-control list 34 (claimed “applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group”).  Refer to Sections 0043-0071.  By applying Gafni to Raj et al:  The system of Raj et al can use both the source group and the destination group to determine how to forward a packet.  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.  
One would have been motivated to do so to forward a packet based on the source group and destination group, thereby facilitating data routing.
Referring to claim 2, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. also teach wherein the first network apparatus is a Wide Area Network (WAN)-edge router connected to the network, and wherein the network is a Software-Defined (SD)-WAN comprising a plurality of sites [Raj, column 3, lines 36-42, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN controlled Layer 3 Virtual Private Network (L3VPN) overlay based on Internet Protocol Security (IPsec) tunneling”, Fig. 1 shows a SD-WAN comprising a number of sites. Element 116, for example, is an edge router (see column 3, lines 14-17).].
Referring to claim 4, Raj et al. in view of Ermagan et al. teach the method of Claim 3. Raj et al. do not explicitly teach wherein a switch connected to the first host adds the identifier of the first group to the data packet, and wherein the switch connected to the first host learns the identifier of the first group during an authentication process of the first host.
However, Ermagan et al. teach a switch connected to the first host adds the identifier of the first group, and wherein the switch connected to the first host learns the identifier of the first group during an authentication process of the first host [Ermagan, ¶ 0051, “The CPE 222 can boot and register with autoconfiguration server 214.  The CPE can provide IP, serial number, model number, capabilities, etc. The CPE 222 can be authenticated and authorized.  The autoconfiguration server can provide the CPE 222 with appropriate zero day configuration.  The zero day configuration includes IP addresses of corresponding mapping servers 208 and key management severs 210”, A switch (or router) connected to the host learns the identifier (or IP address) of the host based on a zero day configuration used during the authentication process.].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration, authentication, and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Referring to claim 5, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. also teach wherein the one or more policies comprise at least one of an admission control, a routing-path selection [Raj, column 2, lines 39-46, “Software defined networking (SDN) is networking paradigm in which control is decoupled from networking equipment and resides on a device called an SDN controller.  The SDN controller is aware of devices and their points of interconnection in a SDN network and may perform various functions such as routing, policy implementation, receiving unknown flow packets, path resolution, flow programming, etc”, SD-WAN controller policies include routing-path selection.], a security policy, or a Quality of Service (QoS) policy.
Referring to claim 6, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. also teach wherein the one or more policies comprise a traffic policing, and wherein a pre-determined maximum data rate is enforced [Raj, column 2, lines 1-11, “Examples described herein propose a customized central route calculation solution for an SDN overlay network managed by a SD-WAN controller for IP traffic.  A proposed solution may aggregate route calculations in a central SD-WAN controller for overlay network end points, allow a prefix-based priority calculation, and dynamically update a forwarding table on each node depending on network changes.  A proposed solution describes a customized routing solution for the overlay endpoints in an SDN overlay network that may accommodate customer policies, and priorities”, A customer policy (or agreement) is readily understood to include a maximum data rate.].
Referring to claim 7, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. do not explicitly teach further comprising: determining that the identifier of the second group is not available at the first network apparatus.
However, Ermagan et al. teach determining that the identifier of the second group is not available at the first network apparatus [Ermagan, ¶ 0018 and 0120, “The mapping service network element can based on determining that the mapping comprises a traffic engineering format compare an ingress tunneling router locator field in the mapping request with a locator address of the mapping (1408).  The mapping service network element can determine whether a match exists between the ingress tunneling router locator field and the locator address of the mapping (1410)...If a match does not exist between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a first hop locator as a single locator in the map reply message (1414)”, The mapping service performs a table lookup (or comparison) using the ingress tunneling router locator (see element 410). If no match is found (see element 1412), a first hop response is sent (see element 1416).].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Referring to claim 8, Raj et al. in view of Ermagan et al. teach the method of Claim 7. Raj et al. do not explicitly teach wherein determining that the identifier of the second group is not available comprises searching a local database at the first network apparatus.
However, Ermagan et al. teach wherein determining that the identifier of the second group is not available comprises searching a local database at the first network apparatus [Ermagan, ¶ 0018 and 0120, “The mapping service network element can based on determining that the mapping comprises a traffic engineering format compare an ingress tunneling router locator field in the mapping request with a locator address of the mapping (1408).  The mapping service network element can determine whether a match exists between the ingress tunneling router locator field and the locator address of the mapping (1410)...If a match does not exist between the ingress tunneling router locator field and the locator address of the mapping, return, to the first tunneling router, a first hop locator as a single locator in the map reply message (1414)”, The mapping service performs a table lookup (or comparison) using the ingress tunneling router locator (see element 410). If no match is found (see element 1412), a first hop response is sent (see element 1416).].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Referring to claim 9, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. do not explicitly teach wherein the request is a control message sent over Overlay Management Protocol (OMP).
However, Ermagan et al. teach wherein the request is a control message sent over Overlay Management Protocol (OMP) [Ermagan, ¶ 0045, “As shown in FIG. 2, VPN edge routers (e.g., 222 and 224) are interconnected by IP overlay tunnels 226 established over an underlying IP or MPLS transport network 202”, The connection between the routers and the mapping server are managed by an overlay protocol.].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Referring to claim 11, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. do not explicitly teach wherein the second network apparatus is a WAN fabric control plane, and wherein the second network apparatus maintains group identifiers associated with hosts in the network.
However, Ermagan et al. teach wherein the second network apparatus is a WAN fabric control plane, and wherein the second network apparatus maintains group identifiers associated with hosts in the network [Ermagan, ¶ 0061, “The mapping server 408 can receive a request from a router 410 that is attempting to reach another router 412.  The request can include the RLOC of the requesting router 410 can apply a policy associated with the router 410 to use router x 424 as an intermediate hop router between router A 410 and router B 412”, The mapping server (see fig. 6, element 408) may receive a request from a router seeking a destination address for a packet. The mapping table (element 420) produces a RLOC (routing locator) from endpoint ID (a second host address, see ¶ 0056). The service orchestrator (element 404) can implement policies for how the mapping table is configured (see ¶ 0060).].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Referring to claim 12, Raj et al. in view of Ermagan et al. teach the method of Claim 1, wherein the second network apparatus is a WAN-edge router configured to operate at the second site [Raj, column 2, lines 56-61, “Controller 102 may be any server, computing device, dedicated hardware, virtualized device, or the like.  In an example, controller 102 may store and execute a computer application (machine-executable instructions).  In an example, controller may include a network device (for example, a network switch)”, Fig. 1 shows a SD-WAN comprising a number of sites. The controller (element 102) may reside in an edge device.].
Referring to claim 13, Raj et al. in view of Ermagan et al. teach the method of Claim 12. Raj et al. also teach wherein the second network apparatus determines the identifier of the second group by communicating with a local fabric control plane associated with the second site [Raj, column 5, lines 41-44, “Generation engine 154 may generate a Prefix tree based on the routing and link information received by topology engine 152.  As used herein, the Prefix tree may refer to a data structure that may be used to perform IP lookup”, The controller (or second network apparatus) receives topology information from different routers representing different groups/locations (see fig. 1).].
Referring to claim 14, Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. also teach further comprising: receiving, from the second host, a second data packet destined to the first host; identifying a source group identifier based on a source group identifier field in the second data packet; determining that the source group identifier is not identical to the identifier of the second group in a local database; and in response to the determination, updating the identifier of the second group in the record with the source group identifier [Raj, column 3, lines 30-31, “Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include a routing agent (not shown)”, A network router is readily understood to contain a local routing table, which it may update on its own accord.].
Referring to claim 15, Raj et al. teach a first network apparatus that is configured to operate at a first site of a network comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to one or more of the processors and comprising instructions operable when executed by one or more of the processors to cause the first network apparatus [Raj, column 2, lines 56-60, “Controller 102 may be any server, computing device, dedicated hardware, virtualized device, or the like.  In an example, controller 102 may store and execute a computer application (machine-executable instructions).  In an example, controller may include a network device (for example, a network switch)”] to: 
receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different…
…
…
… , receive, from the second network apparatus, a response comprising the identifier of the second group.
…
Apply, to the data packet, one or more policies determined based on … the destination group; and cause the data packet to be routed to the second host [Raj, column 3, lines 23-40, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each be present at the head office or a branch office.  In the example of FIG. 1, network nodes 104, 106, 108, 110, may each be present at a head office, network nodes 112 and 114 may each be present at a first branch office, and network nodes 116 and 118 may each be present at a second branch office. Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include a routing agent (not shown).  Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each communicate with controller 102 via a protocol.  In an example, a routing agent may allow the abstraction of a network node so that it can be managed by controller 102. In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN”, The routers of the SD-WAN are configured by the controller (see element 102) to connect edge devices in different branch/head offices (or sites, see fig. 1 and column 1, lines 40-56). SD-WAN is an overlay technology to control packet routing (see column 1, lines 57-67). Routing decisions are for connecting particular endpoints (or hosts within sites) in the SD-WAN network (see column 2, lines 12-24). Route calculation is determined based on a destination (see column 5, lines 18-23). The generation engine (see fig. 1, element 154) generates policies to be used with the routing information (see column 6, lines 32-40).].
Raj et al do not disclose wherein the data packet comprises an identifier of a first group that … the first host is to be associated with; determine, based on the identifier of the first group in the data packet, that the first group is a source group.
However, Ermagan et al. teach wherein the data packet comprises an identifier of a first group to which the first host belongs as a source group, and wherein the one or more policies are associated with the source group [Ermagan, ¶ 0056, “The service orchestrator 404 can provide policies for how source and destination forwarding states should be applied on a per VPN basis or on a per tenant basis (or both).  The VPN policy resolver 406 can resolve forwarding state information for mapping server 408”, Policies may be applied based on the source address included in the data packet. The data packet is received by the router, and the router then sends the request to the mapping server (see ¶ 0061).]  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Raj et al. also do not explicitly teach send, to a second network apparatus, a request for an identifier of a second group that … the second host is to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the second network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group.
However, Ermagan et al. teach send, to a second network apparatus, a request for an identifier of a second group to which the second host belongs, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the second network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group [Ermagan, ¶ 0061, “The mapping server 408 can receive a request from a router 410 that is attempting to reach another router 412.  The request can include the RLOC of the requesting router 410 can apply a policy associated with the router 410 to use router x 424 as an intermediate hop router between router A 410 and router B 412”, The mapping server (see fig. 6, element 408) may receive a request from a router seeking a destination address for a packet. The mapping table (element 420) produces a RLOC (routing locator) from endpoint ID (a second host address, see ¶ 0056). The service orchestrator (element 404) can implement policies for how the mapping table is configured (see ¶ 0060). A response may be sent to the requesting router, including the RLOC (see fig. 12, element 1206, see ¶s 0110 and 0111).].  Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved. 
Raj et al also do not disclose receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication server, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host.
Lee et al disclose in Figures 1-12 wherein a plurality of nodes 115 are divided into groups, and each group of nodes 115 is associated with a respective authentication server 130.  Each node 115 of a group requests authentication from the respective authentication server.   Refer to Sections 0035-0113.  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication serve, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host.  One would have been motivated to do so so that a respective authentication server can authenticate the nodes of a respective group of nodes.
Raj et al. also do not disclose applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.
Gafni et al. disclose in Figures 1-7 a system wherein entities 14 are each grouped within one of group A, group B, or group C in the network and entities 14 transmit packets to one another via a network device. Each packet includes a source identifier and a destination identifier. The network device includes a memory that stores several routing tables including: a source-group mapping table 30 that maps source identifiers to source-groups, a destination-group mapping table 32 that maps destination identifiers to destination-groups, and an intergroup access-control list 34 that maps source-destination-group pairs to forwarding rules. Upon receiving a data packet, the network device determines the source identifier of the packet, and maps the source identifier to a source group according to the source-group mapping table 30 (claimed “wherein the data packet comprises an identifier of a first group that the first host is associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group”). The network device then determines the destination identifier and the corresponding destination group of the data packet. The network device then determines a forwarding rule for the source-destination pair consisting of the found source-group and the found destination-group by consulting the intergroup access-control list 34 (claimed “applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group”). Refer to Sections 0043-0071. By applying Gafni to Raj et al.: the system of Raj et al. can use both the source group and the destination group to determine how to forward a packet. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.
One would have been motivated to do so to forward a packet based on the source group and destination group, thereby facilitating data routing.
Referring to claim 16, Raj et al. in view of Ermagan et al. teach the first network apparatus of Claim 15. Raj et al. also teach wherein the first network apparatus is a WAN-edge router connected to the network, and wherein the network is an SD-WAN comprising a plurality of sites [Raj, column 3, lines 36-42, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN controlled Layer 3 Virtual Private Network (L3VPN) overlay based on Internet Protocol Security (IPsec) tunneling”, Fig. 1 shows an SD-WAN comprising a number of sites. Element 116, for example, is an edge router (see column 3, lines 14-17).].
Referring to claim 17, Raj et al. in view of Ermagan et al. teach the first network apparatus of Claim 15. Raj et al. also teach wherein the one or more policies comprise at least one of an admission control, a routing-path selection [Raj, column 2, lines 39-46, “Software defined networking (SDN) is networking paradigm in which control is decoupled from networking equipment and resides on a device called an SDN controller.  The SDN controller is aware of devices and their points of interconnection in a SDN network and may perform various functions such as routing, policy implementation, receiving unknown flow packets, path resolution, flow programming, etc”, SD-WAN controller policies include routing-path selection.], a security policy, or a Quality of Service (QoS) policy.
Referring to claim 18, Raj et al. in view of Ermagan et al. teach the first network apparatus of Claim 15. Raj et al. also teach wherein one or more of the processors are further operable when executing the instructions to: receive, from the second host, a second data packet destined to the first host; identify a source group identifier based on a source group identifier field in the second data packet; determine that the source group identifier is not identical to the identifier of the second group in a local database; and in response to the determination, update the identifier of the second group in the record with the source group identifier [Raj, column 3, lines 30-31, “Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include a routing agent (not shown)”, A network router is readily understood to contain a local routing table, which it may update on its own accord.].
Referring to claim 19, Raj et al. teach one or more computer-readable non-transitory storage media embodying software that is operable on a first network apparatus configured to operate at a first site of a network when executed to: 
receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different…
…
…
…, receive, from the second network apparatus, a response comprising the identifier of the second group.
…
Apply, to the data packet, one or more policies determined based on … the destination group; and cause the data packet to be routed to the second host [Raj, column 3, lines 23-40, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each be present at the head office or a branch office.  In the example of FIG. 1, network nodes 104, 106, 108, 110, may each be present at a head office, network nodes 112 and 114 may each be present at a first branch office, and network nodes 116 and 118 may each be present at a second branch office. Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include a routing agent (not shown).  Network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each communicate with controller 102 via a protocol.  In an example, a routing agent may allow the abstraction of a network node so that it can be managed by controller 102. In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN”, The routers of the SD-WAN are configured by the controller (see element 102) to connect edge devices in different branch/head offices (or sites, see fig. 1 and column 1, lines 40-56). SD-WAN is an overlay technology to control packet routing (see column 1, lines 57-67). Routing decisions are for connecting particular endpoints (or hosts within sites) in the SD-WAN network (see column 2, lines 12-24). Route calculation is determined based on a destination (see column 5, lines 18-23). The generation engine (see fig. 1, element 154) generates polices to be used with the routing information (see column 6, lines 32-40).].
Raj et al do not disclose wherein the data packet comprises an identifier of a first group that … the first host is to be associated with; determine, based on the identifier of the first group in the data packet, that the first group is a source group.
However, Ermagan et al. teach wherein the data packet comprises an identifier of a first group to which the first host belongs as a source group, and wherein the one or more policies are associated with the source group [Ermagan, ¶ 0056, “The service orchestrator 404 can provide policies for how source and destination forwarding states should be applied on a per VPN basis or on a per tenant basis (or both).  The VPN policy resolver 406 can resolve forwarding state information for mapping server 408”, Policies may be applied based on the source address included in the data packet. The data packet is received by the router, and the router then sends the request to the mapping server (see ¶ 0061).]. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved.
Raj et al. also do not explicitly teach send, to a second network apparatus, a request for an identifier of a second group that … the second host is to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the second network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group.
However, Ermagan et al. teach send, to a second network apparatus, a request for an identifier of a second group to which the second host belongs, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the second network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group [Ermagan, ¶ 0061, “The mapping server 408 can receive a request from a router 410 that is attempting to reach another router 412.  The request can include the RLOC of the requesting router 410 can apply a policy associated with the router 410 to use router x 424 as an intermediate hop router between router A 410 and router B 412”, The mapping server (see fig. 6, element 408) may receive a request from a router seeking a destination address for a packet. The mapping table (element 420) produces a RLOC (routing locator) from an endpoint ID (a second host address, see ¶ 0056). The service orchestrator (element 404) can implement policies for how the mapping table is configured (see ¶ 0060). A response may be sent to the requesting router, including the RLOC (see fig. 12, element 1206, see ¶s 0110 and 0111).]. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the mapping process as taught by Ermagan et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN of Raj et al. to further include the service orchestration and address mapping based on a router request as taught by Ermagan et al., the benefits of providing security and agility to the network architecture (see Ermagan, ¶ 0034) are achieved.
Raj et al. also do not disclose receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication server, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host.
Lee et al. disclose in Figures 1-12 wherein a plurality of nodes 115 are divided into groups, and each group of nodes 115 is associated with a respective authentication server 130. Each node 115 of a group requests authentication from the respective authentication server. Refer to Sections 0035-0113. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, wherein each host is configured to be associated with a group of hosts by a corresponding authentication server, wherein the data packet from the first host comprises an identifier of a first group that a first authentication server configured the first host is to be associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group; … ; sending, to a second network apparatus, a request for an identifier of a second group that a second authentication server configured the second host is to be associated with, wherein the request comprises an address of the second host. One would have been motivated to do so, so that an authentication server can authenticate the nodes of a group of nodes.
Raj et al. also do not disclose applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.
Gafni et al. disclose in Figures 1-7 a system wherein entities 14 are each grouped within one of group A, group B, or group C in the network and entities 14 transmit packets to one another via a network device. Each packet includes a source identifier and a destination identifier. The network device includes a memory that stores several routing tables including: a source-group mapping table 30 that maps source identifiers to source-groups, a destination-group mapping table 32 that maps destination identifiers to destination-groups, and an intergroup access-control list 34 that maps source-destination-group pairs to forwarding rules. Upon receiving a data packet, the network device determines the source identifier of the packet, and maps the source identifier to a source group according to the source-group mapping table 30 (claimed “wherein the data packet comprises an identifier of a first group that the first host is associated with; determining, based on the identifier of the first group in the data packet, that the first group is a source group”). The network device then determines the destination identifier and the corresponding destination group of the data packet. The network device then determines a forwarding rule for the source-destination pair consisting of the found source-group and the found destination-group by consulting the intergroup access-control list 34 (claimed “applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group”). Refer to Sections 0043-0071. By applying Gafni to Raj et al.: the system of Raj et al. can use both the source group and the destination group to determine how to forward a packet. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include applying, to the data packet, one or more policies determined based on a combination of the source group and the destination group.
One would have been motivated to do so to forward a packet based on the source group and destination group, thereby facilitating data routing.
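The flow the rejection maps onto Ermagan (a request to a second apparatus for the destination host's group) and Gafni (a forwarding rule keyed on the source-group/destination-group pair), as discussed for claim 1 above and again for claim 19, shown as an added Python illustration. This is not code from any cited reference or from the application; the addresses, group numbers, tables and the claim 18 style record refresh are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed illustration of the group-based policy flow discussed above.
# Hosts, addresses, group numbers and tables are all made up for this example.

@dataclass(frozen=True)
class Packet:
    src: str        # source host address
    dst: str        # destination host address
    src_group: int  # group id the source's authentication server assigned

@dataclass(frozen=True)
class Policy:
    action: str               # "permit" or "deny"
    qos_class: str = "best-effort"

class MappingServer:
    """Second network apparatus: answers 'which group does host X belong to?'
    Its table stands in for what the authentication servers configured."""
    def __init__(self, host_to_group: Dict[str, int]):
        self._table = dict(host_to_group)
        self.requests = 0     # how many lookups the edge actually sent

    def lookup(self, host_addr: str) -> Optional[int]:
        self.requests += 1
        return self._table.get(host_addr)   # None: host unknown to the server

class EdgeDevice:
    """First network apparatus at the first site."""
    def __init__(self, server: MappingServer,
                 acl: Dict[Tuple[int, int], Policy]):
        self.server = server
        self.acl = dict(acl)               # (src_group, dst_group) -> Policy
        self.default = Policy("deny")      # fail closed on unknown pairs
        self.records: Dict[str, int] = {}  # local host -> group cache

    def destination_group(self, host_addr: str) -> Optional[int]:
        # Ask the second apparatus once, then reuse the local record.
        if host_addr not in self.records:
            group = self.server.lookup(host_addr)
            if group is None:
                return None
            self.records[host_addr] = group
        return self.records[host_addr]

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Policy applied before routing: the source group comes from the
        packet, the destination group from the mapping server response."""
        dst_group = self.destination_group(pkt.dst)
        if dst_group is None:
            policy = self.default
        else:
            policy = self.acl.get((pkt.src_group, dst_group), self.default)
        return policy.action, policy.qos_class

    def learn_from_return_packet(self, pkt: Packet) -> bool:
        """Claim 18 style behaviour: a packet from a remote host carries that
        host's current group id; refresh the local record when it differs."""
        if self.records.get(pkt.src) != pkt.src_group:
            self.records[pkt.src] = pkt.src_group
            return True
        return False

def build_demo() -> EdgeDevice:
    # Groups: 10 = engineering, 20 = finance, 30 = guest (constructed).
    server = MappingServer({"10.2.0.7": 20, "10.2.0.9": 10})
    acl = {
        (10, 10): Policy("permit", "gold"),   # engineering to engineering
        (10, 20): Policy("permit"),           # engineering to finance
        (20, 10): Policy("deny"),             # finance to engineering
    }
    return EdgeDevice(server, acl)

if __name__ == "__main__":
    edge = build_demo()
    print(edge.forward(Packet("10.1.0.5", "10.2.0.7", 10)))  # permit
    print(edge.forward(Packet("10.1.0.8", "10.2.0.7", 30)))  # guest: deny
```

A pair absent from the ACL and a destination the mapping server does not know both fall to the deny default, so a host that was never authenticated into a group cannot reach anything by accident.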
Referring to claim 20, Raj et al. in view of Ermagan et al. teach the media of Claim 19. Raj et al. also teach wherein the first network apparatus is a WAN-edge router connected to the network, and wherein the network is an SD-WAN that comprises a plurality of sites [Raj, column 3, lines 36-42, “In an example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each include an edge device, which, in an example, may represent overlay endpoints for each of the network sites of an enterprise.  For example, network nodes 104, 106, 108, 110, 112, 114, 116, and 118 may each represent an endpoint for an SD-WAN controlled Layer 3 Virtual Private Network (L3VPN) overlay based on Internet Protocol Security (IPsec) tunneling”, Fig. 1 shows an SD-WAN comprising a number of sites. Element 116, for example, is an edge router (see column 3, lines 14-17).].
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Raj et al. (US Patent No. 10,715,427) in view of Ermagan et al. (US PG Pub 2017/0026417, cited on IDS dated 3/12/2021) in further view of U.S. Publication No. 20160135045 to Lee et al in view of U.S. Publication No. 20200236042 to Gafni et al, and in further view of Hedge et al (US PG Pub 2020/0076683). 
Raj et al. in view of Ermagan et al. teach the method of Claim 1. Raj et al. do not explicitly teach wherein the request is a control message sent over Web Socket.
However, Hedge et al. teach wherein the request is a control message sent over Web Socket [Hedge, ¶ 0033, “FIGS. 2A and 2B together comprise a single flow diagram 200 depicting an operational methodology of an SDWAN infrastructure such as infrastructure 100.  First, as represented by block 202 in FIG. 2A, BoC 126 obtains Internet Protocol (IP) settings to establish a websocket connection with provisioning server 146.  As is known, a websocket is a computer communications protocol providing full-duplex communication channels over a transmission control protocol (TCP) connection and is the primary interface for connecting to a server and then sending and receiving data on the connection.  Such IP websocket settings may be obtained, for example, from a broadband router (not shown) providing broadband link 124 between branch 112 and the Internet 106”, The branch office controller (BoC) communicates with an SD-WAN provisioning server using the Web Socket protocol.]. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the Web Socket protocol as taught by Hedge et al. into Raj et al. By modifying the routers and controller used in the SD-WAN controlled L3 VPN as taught by the combined teachings of Raj et al. and Ermagan et al. to further include using the Web Socket protocol for provisioning SD-WAN settings at a branch office as taught by Hedge et al., the benefits of preventing logical breakdown between a branch and central office (see Hedge, ¶s 0019 and 0020) are achieved.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
The reference Sundararajan et al. (US PG Pub 2021/0112034), teaches receiving a request for a WAN optimized connection between a first and second host (see fig. 5).
The reference, Moreno et al. (US PG Pub 2021/0044565), teaches performing a lookup request for a source seeking a destination address (see fig. 7).
The reference, Sethi et al. (US Patent No. 10,862,758), teaches generating a SD-WAN configuration and configuring impacted nodes (see fig. 4).
The reference, Theogaraj et al. (US Patent No. 10,855,575), teaches dynamically routing traffic in a SD-WAN (see fig. 3).
The reference, Khan et al. (US Patent No. 9,467,478), teaches an overlay management protocol for secure routing (see fig. 6).
The reference, Dunbar et al. (NPL on PTO-892), teaches border gateway protocol (BGP) usage in SDWAN overlay networks.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTINE Y NG whose telephone number is (571)272-3124.  The examiner can normally be reached on M-F 12pm-9pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ricky Ngo can be reached on 5712723139.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Christine Ng/
Examiner, AU 2464
May 10, 2022