DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/22/2022 and 05/08/2020 have been placed in record and considered by the examiner.

Summary
This action is in reply to Applicant’s Amendments and Remarks filed on 04/19/2022.
Claims 1-25 are pending.

Response to Arguments
Applicant’s arguments filed on 04/19/2022 with respect to claim 15 have been considered but are moot because they do not apply to the references used in this Office action.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. (US20170149648, of record, hereinafter ‘YANG’) in view of Jayawardena et al. (US20210067489, of record, hereinafter ‘JAYAWARDENA’) and further in view of Kim et al. (US20190182367, hereinafter ‘KIM’).
Regarding claim 15, YANG teaches for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network (Fig. 1, [0040] virtual router cluster (100) includes a gateway 110 and at least one virtual router 121 to 123 interconnected with the gateway. (Fig. 2 [0055]) flowchart 200 of a data forwarding method), a method comprising:
receiving a data message at the gateway device (Fig. 2, step 210, [0058] Step 210: Receive an externally transmitted data packet);
to process the data message, executing a set of processing stages comprising a processing stage for a particular logical router ([0061] In some optional implementations, step 220 of selecting the first virtual router corresponding to the data packet based on the Open Shortest Path First protocol may be implemented by performing the following steps: [0062] Step 221: Acquire address information of the data packet; and [0063] Step 222: Select the first virtual router (a particular logical router) corresponding to the data packet based on a hash value of the address information); and
as part of the processing stage for the particular logical router:
using an access control list (ACL) table to determine whether the data message is defined for the particular logical router ([0059] Step 220: Select a first virtual router (a particular logical router) corresponding to the data packet based on the Open Shortest Path First protocol; [0061] In some optional implementations, step 220 of selecting the first virtual router corresponding to the data packet based on the Open Shortest Path First protocol may be implemented by performing the following steps:  [0062] Step 221: Acquire address information of the data packet; and [0063] Step 222: Select the first virtual router (the particular logical router) corresponding to the data packet based on a hash value of the address information (indicating an ACL Table for a virtual router based on hash value));
determining whether to allow the data message for the particular logical router ([0059] Step 220: Select a first virtual router (a particular logical router) corresponding to the data packet based on the Open Shortest Path First protocol; and [0060] Step 230: Forward the data packet to the first virtual router corresponding to the data packet. [0063] Step 222: Select the first virtual router (the particular logical router) corresponding to the data packet based on a hash value of the address information).
YANG is silent about using an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router; only when the data message is subject to rate limiting controls, determining whether to allow the data message according to a rate limiting mechanism for the particular logical router, wherein when the data message is subject to the rate limiting controls, the subsequent data messages are also subject to the rate limiting controls, wherein a first data message is allowed by the rate limiting mechanism and a particular subsequent second data message belonging to the same data flow as the first data message is not allowed by the rate limiting mechanism.
In an analogous art, JAYAWARDENA teaches using an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router (Fig. 1A carrier-grade router (e.g., any of the IGRs 116A-N), Fig. 3, [0057] the scrubbing service 130 can construct, establish, and/or maintain the scrubbed IP domain 140 by generating a distributed scrubbing scheme, such as a distributed scrubbing scheme (“DSS”) 160 (an access control scheme). [0067] carrier-grade routers that have instances of the scrubbing client 152 that can be configured as machine-learning modules which can communicate with other instances of the scrubbing client on other devices inside the SPN 114. The scrubbing service 130 can directly convey detected probe traffic flow characteristics between two or more instances of the scrubbing client 152 so as to match against incoming probe traffic and provide instructions for operations to perform at a particular designated scrubbing point via an updated and/or reconfigured DSS 160, where scrubbing actions may include dropping probe traffic, rerouting flow traffic (e.g., to another designated scrubbing point despite the current designated scrubbing point detecting that the probe traffic could be scrubbed prior to being resource to the next hop), rate-limiting the probe traffic, implementing a scrubbing sequence along the network path. [0088] From operation 304, the method 300 can proceed to operation 306, where the scrubbing service 130 can instruct the SPN 114 to automatically allow all traffic flows to be routed to the exposed application 132 during the observation time period 148. the scrubbing service 130 can, in some embodiments, identify network nodes of the SPN 114 and/or the datacenters 120A-N that handle traffic flows from one or more internet connections, such as from any of the Tier 1 ISP networks 110A-N. 
The scrubbing service 130 can identify network nodes that can potentially serve as designated scrubbing points, such as but not limited to, at least one of a carrier-grade router (e.g., any of the IGRs 116A-N));
only when the data message is subject to rate limiting controls, determining whether to allow the data message according to a rate limiting mechanism for the particular logical router (Fig. 1A, [0027] scrubbed IP domain can enable virtual tenant applications to be on-boarded to a particular virtual machine. [0057] traffic flow validation input that indicates and/or identifies instances of the detected traffic flows (e.g., instances of the dynamic traffic flows 112A-N detected by the exposed application 132 and/or another network device of the SPN 114 and/or the datacenters 120A-N) which are associated with a valid, authentic source, and thus should be allowed to proceed to the scrubbed IP domain 140 (virtual tenant applications on virtual machine); input of probe traffic indications that identify particular detected traffic flows that have source IP addresses which should be designated as a source of unauthorized probe traffic, and thus subsequently detect traffic flows treated as an instance of the probe traffic flow 108. [0067] the scrubbing service 130 can directly convey detected probe traffic flow characteristics between two or more instances of the scrubbing client 152 so as to match against incoming probe traffic and provide instructions for operations to perform at a particular designated scrubbing point via an updated and/or reconfigured DSS 160, where scrubbing actions may include dropping probe traffic, rerouting flow traffic (e.g., to another designated scrubbing point despite the current designated scrubbing point detecting that the probe traffic could be scrubbed prior to being resource to the next hop), rate-limiting the probe traffic, implementing a scrubbing sequence along the network path. [0088] one or more of the designated scrubbing points may authorize the probe traffic to be delivered and routed to the exposed application 132. 
The exposed application 132 can enable identification of traffic flows (including probe traffic which may be potentially nefarious and/or harmful) that are targeting the exposed application 132 by revealing various attributes of the probe traffic (e.g., the source IP addresses of the probe traffic, country of origin, attributes of a peering router that serves as an entry point to the SPN 114—referred to as an entry point peering router, etc.). The traffic flows can be monitored, recorded, identified, and/or analyzed in a dynamic, ongoing manner, while maintaining isolation of the traffic flows to the exposed application 132 and preventing probe traffic flows from reaching and/or otherwise communicating with one or more (or any other) virtual machine, virtual service, virtual application, and/or virtual service provided by a data center),
wherein when the data message is subject to the rate limiting controls, the subsequent data messages are also subject to the rate limiting controls ([0088] one or more of the designated scrubbing points may authorize the probe traffic to be delivered and routed to the exposed application 132. The exposed application 132 can enable identification of traffic flows (including probe traffic which may be potentially nefarious and/or harmful) that are targeting the exposed application 132 by revealing various attributes of the probe traffic (e.g., the source IP addresses of the probe traffic, country of origin, attributes of a peering router that serves as an entry point to the SPN 114—referred to as an entry point peering router, etc.). The traffic flows can be monitored, recorded, identified, and/or analyzed in a dynamic, ongoing manner, while maintaining isolation of the traffic flows to the exposed application 132 and preventing probe traffic flows from reaching and/or otherwise communicating with one or more (or any other) virtual machine, virtual service, virtual application, and/or virtual service provided by a data center).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to take the technique of traffic scrubbing of JAYAWARDENA to the packet forwarding technique of YANG in order to take the advantage of a method enabling detection of probe traffic and any other unwanted traffic flows (JAYAWARDENA: [0027]).
The combination of YANG and JAYAWARDENA is silent about wherein a first data message is allowed by the rate limiting mechanism and a particular subsequent second data message belonging to the same data flow as the first data message is not allowed by the rate limiting mechanism.
In an analogous art, KIM teaches wherein a first data message is allowed by the rate limiting mechanism and a particular subsequent second data message belonging to the same data flow as the first data message is not allowed by the rate limiting mechanism ([0099] in some embodiments the HFEs (Hardware Forwarding Element) can perform congestion control on a per-packet or per-flow basis by using the locally available state information (i.e., the queue depth information). This can be further improved by having each HFE embed its own information, which the subsequent HFEs can then use. HFEs can implement, e.g., fair queuing mechanisms or can actively drop packets to reduce downstream congestion in different embodiments. (indicating that HFEs can drop, i.e., not allow, subsequent packets of a flow to be forwarded for congestion control)).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to take the technique of traffic congestion control of KIM to the packet forwarding technique of YANG and JAYAWARDENA in order to take the advantage of a method to reduce downstream congestion (KIM: [0099]).

 

Regarding claim 25, it is interpreted and rejected the same as claim 12.


Allowable Subject Matter
Claims 1-14 and 16-25 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:
Regarding claim 1, YANG, JAYAWARDENA, CHIN, SUNDARARAJAN, TUBALTSEV, ZHOU, RAMALINGAM, HOLBROOK and KIM, either alone or in combination, fail to teach for a gateway datapath that executes on a gateway device to implement first and second logical routers for a set of logical networks and process traffic between the set of logical networks and an external network, a method comprising: receiving a plurality of data messages at the gateway device; to process each of a set of data messages, executing a set of processing stages comprising a processing stage for the first logical router or the second logical router; and as part of the processing stage for each of the first or second logical router: using a first or second access control list (ACL) table to determine whether each data message processed for the first or second logical router is subject to rate limiting controls defined for the first or second logical router; only when the data message is subject to rate limiting controls, determining whether to allow the data message according to a rate limiting mechanism for the first or second logical router, the first ACL table associated with the first logical router and storing a first plurality of ACL rules for the first logical router, and the second ACL table associated with the second logical router and storing a second plurality of ACL rules for the second logical router, at least two ACL rules in each table specifying two different rate limiting controls for two different data message flows processed by the processing stage of the table's associated logical router.
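As an added illustration of the mechanism recited in claim 15 and claim 1 (not code from the application or from YANG, JAYAWARDENA or KIM), the following Python simulates a gateway datapath stage with one ACL table per logical router: a matching ACL rule makes a message subject to that rule's rate-limiting control, unmatched messages bypass rate limiting, and a first message of a flow can be allowed while a later message of the same flow is dropped. Router names, prefixes and limits are hypothetical.

```python
# Constructed simulation of the claimed datapath: one ACL table per logical router
# whose rules map flows to rate-limiting controls; messages matching no rule bypass
# rate limiting. Illustration only, not code from YANG, JAYAWARDENA or KIM.
from collections import namedtuple
from ipaddress import ip_address, ip_network
Msg = namedtuple("Msg", "router src dst dport t")  # router: stage's logical router; t: seconds


class TokenBucket:
    """Rate-limiting mechanism: refill at `rate` msgs/s up to `burst` tokens."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


class AclRule:
    """ACL entry: flow selector plus the rate-limiting control attached to it."""
    def __init__(self, src, dst, dport, limiter):
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.dport, self.limiter = dport, limiter  # dport None matches any port

    def matches(self, m):
        return (ip_address(m.src) in self.src and ip_address(m.dst) in self.dst
                and self.dport in (None, m.dport))


def build_acl_tables():
    """Fresh tables (hypothetical names/prefixes); rules carry different limits per flow."""
    return {
        "lr-tenant-a": [
            AclRule("0.0.0.0/0", "10.1.0.0/24", 53, TokenBucket(rate=1, burst=1)),
            AclRule("0.0.0.0/0", "10.1.0.0/24", None, TokenBucket(rate=100, burst=10)),
        ],
        "lr-tenant-b": [
            AclRule("192.0.2.0/24", "10.2.0.0/24", None, TokenBucket(rate=2, burst=2)),
        ],
    }


def process(tables, m):
    """Stage for m.router: first matching rule makes the message subject to rate limiting."""
    for rule in tables.get(m.router, []):
        if rule.matches(m):
            return ("allow" if rule.limiter.allow(m.t) else "drop"), "rate-limited"
    return "allow", "not-subject"


def demo():
    """One DNS flow, three messages 0.1 s apart: first allowed, later ones dropped."""
    tables = build_acl_tables()
    flow = [Msg("lr-tenant-a", "198.51.100.7", "10.1.0.5", 53, t) for t in (0.0, 0.1, 0.2)]
    return [process(tables, m)[0] for m in flow]
```

Because each logical router has its own table, the same flow processed for `lr-tenant-b` matches none of that router's rules and is not rate limited at all.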

Claim 21 with similar features as in claim 1 is also allowed for the same reason as claim 1.
Dependent claims 2-14, 16-20 and 22-25, being dependent on claims 1 and 22, are also allowed.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAH M RAHMAN whose telephone number is (571)272-8951. The examiner can normally be reached 9:30AM-5:30PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, UN C CHO can be reached on 571-272-7919. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAH M RAHMAN/Primary Examiner, Art Unit 2413