DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are being considered on the merits. The following claims 1-20 have been examined and are pending.
Terminal Disclaimer
The terminal disclaimer filed on 05/13/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 11,165,701 has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/13/2019, 02/04/2020, 06/18/2020, 07/31/2020, 10/13/2020, 07/20/2021, and 12/21/2021 were filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Examiner Comments

Claim 15 is directed towards a computer-readable storage medium and has been analyzed under 35 USC 101. The claim comprises instructions for causing a programmable processor to perform the recited steps. No 35 USC 101 rejection is deemed necessary, since the specification states: “...a computer-readable storage medium, such as memory 16, which may be non-transitory computer-readable mediums including a storage device (e.g., a disk drive, or an optical drive) and/or a memory such as random-access memory (RAM) (including various forms of dynamic RAM (DRAM), e.g., DDR2 SDRAM, or static RAM (SRAM)) ...” (para 0036). Further, “...term "computer-readable storage media" refers to physical storage media, and not signals, carrier waves, or other transient media” (para 0132). Therefore, the computer-readable storage medium is statutory.
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via E-Mail from Mr. Guanyao Cheng (Reg. No. 58,555) on 05/12/2022. The application has been amended as follows:
Please replace claim 1 with:
1.	(Currently Amended) A method comprising:
receiving, by a network device from a first network, one or more fragments of a first network packet of a first network packet type, wherein the one or more fragments of the first network packet are part of a fragment flow, and wherein the first network packet encapsulates a second network packet of a second network packet type;
in response to determining that the network device has not yet received a fragment of the first network packet that includes indications of a source network address and a source port for the second network packet, buffering, by the network device, the one or more fragments;
in response to receiving the fragment of the first network packet that includes the indications of the source network address and the source port for the second network packet, performing, by the network device, an anti-spoof check of the fragment flow based at least in part on the source network address and the source port for the second network packet without assembling the first network packet;
subsequent to performing the anti-spoof check on the fragment flow, receiving, by the network device, a second one or more fragments of the first network packet;
based on the fragment flow passing the anti-spoof check, buffering, by the network device, the second one or more fragments of the first network packet in the fragment buffer without performing the anti-spoof check on any of the second one or more fragments of the first network packet; and
based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet:
assembling, by the network device, the first network packet,
decapsulating, by the network device, the second network packet from the assembled first network packet, and
forwarding by the network device to a second network, the second network packet.
Please cancel claim 2:
2.	(Canceled).
Please replace claim 8 with:
8.	(Currently Amended) A network device comprising:
one or more network interfaces configured to receive, from a first network, one or more fragments of a first network packet of a first network packet type, wherein the one or more fragments of the first network packet are part of a fragment flow, and wherein the first network packet encapsulates a second network packet of a second network packet type; and
one or more processors configured to: 
in response to determining that the one or more network interfaces has not yet received a fragment of the first network packet that includes indications of a source network address and a source port for the second network packet, buffer the one or more fragments;
in response to the one or more network interfaces receiving the fragment of the first network packet that includes the indications of the source network address and the source port for the second network packet, perform an anti-spoof check of the fragment flow based at least in part on the source network address and the source port for the second network packet without assembling the first network packet;
wherein the one or more network interfaces are further configured to, subsequent to the one or more processors performing the anti-spoof check on the fragment flow, receive a second one or more fragments of the first network packet;
wherein the one or more processors are further configured to:
based on the fragment flow passing the anti-spoof check, buffer the second one or more fragments of the first network packet in the fragment buffer without performing the anti-spoof check on any of the second one or more fragments of the first network packet; and
based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet:
assemble the first network packet, and
decapsulate the second network packet from the assembled first network packet;
wherein the one or more network interfaces are further configured to forward the second network packet to a second network.
Please cancel claim 9:
9.	(Canceled).
Please replace claim 15 with:
15.	(Currently Amended) A computer-readable medium comprising instructions for causing a programmable processor to:
receive, from a first network, one or more fragments of a first network packet of a first network packet type, wherein the one or more fragments of the first network packet are part of a fragment flow, and wherein the first network packet encapsulates a second network packet of a second network packet type;
in response to determining that a fragment of the first network packet that includes indications of a source network address and a source port for the second network packet has not yet been received, buffer the one or more fragments;
in response to receiving the fragment of the first network packet that includes the indications of the source network address and the source port for the second network packet, perform an anti-spoof check of the fragment flow based at least in part on the source network address and the source port for the second network packet without assembling the first network packet;
subsequent to performing the anti-spoof check on the fragment flow, receive a second one or more fragments of the first network packet;
based on the fragment flow passing the anti-spoof check, buffer the second one or more fragments of the first network packet in the fragment buffer without performing the anti-spoof check on any of the second one or more fragments of the first network packet; and
based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet:
assemble the first network packet,
decapsulate the second network packet from the assembled first network packet, and
forward, to a second network, the second network packet.
Please cancel claim 16:
16.	(Canceled).
Allowable Subject Matter
Claims 1, 3-8, 10-15, and 17-20 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Julien 20090110003 A1, Asati 20160014071 A1, and Afek, Network Anti-Spoofing with SDN plane/IEEE, are also generally directed to receiving, by a network device from a first network, one or more fragments of a first network packet of a first network packet type, wherein the one or more fragments of the first network packet are part of a fragment flow, and wherein the first network packet encapsulates a second network packet of a second network packet type; [Julien, ¶0032 0045-0045 and Fig. 4]; in response to determining that the network device has not yet received a fragment of the first network packet that includes indications of a source network address and a source port for the second network packet, buffering, by the network device, the one or more fragments; [Julien, ¶0032 0045-0045 and Fig. 4]; in response to receiving the fragment of the first network packet that includes the indications of the source network address and the source port for the second network packet [Julien, ¶0034 0046-0047 and Fig. 4], performing, by the network device, an anti-spoof check of the fragment flow based at least in part on the source network address and the source port for the second network packet assembling; [Afek, Network Anti-Spoofing with SDN plane/IEEE, p. 1, Abstract and col 2, ¶4: an efficient spoofed SYN flood mitigator; col 1, p. 3, ¶1: anti-SYN-spoofing and anti-DNS spoofing methods; p. 2, Section II. Related Work, ¶4]; decapsulating, by the network device, [Asati, ¶¶0034 and 0037: CPE router-sent IPv4 packets 140 a to convert them into IPv6 packets using the IPv6 prefix (from above) via the stateless MAP function; IPv4-in-IPv6 decapsulation] and forwarding by the network device to a second network. [Asati, ¶¶0034-0035: CPE router-sent IPv4 packets 140 a to convert them into IPv6 packets using the IPv6 prefix (from above) via the stateless MAP function; PE device, upon receiving the IPv6 packet (from the BR), ...link-layer address and forwards the IPv4 packet 440-4 towards the CPE device 110].
However, none of Julien, Afek, and Asati teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 8, and 15. For example, none of the cited prior art teaches or suggests: subsequent to performing the anti-spoof check on the fragment flow, receiving, by the network device, a second one or more fragments of the first network packet; based on the fragment flow passing the anti-spoof check, buffering, by the network device, the second one or more fragments of the first network packet in the fragment buffer without performing the anti-spoof check on any of the second one or more fragments of the first network packet; and based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet: assembling, by the network device, the first network packet, decapsulating, by the network device, the second network packet from the assembled first network packet, and forwarding by the network device to a second network, the second network packet, in view of the other limitations of claims 1, 8, and 15.
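The procedure recited in claims 1, 8 and 15, and the once-per-flow check singled out above, modelled in Python as an added example; this is not code from the applicant, the examiner or any cited reference. It assumes a constructed six-byte inner header (IPv4 source address and source port) at offset 0 of the outer packet, a fragment-flow key of (outer source, packet id), and an allowlist policy mapping each outer source to the inner address and port range it may legitimately send; none of these specifics appear on the page.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

INNER_HDR = struct.Struct("!4sH")  # constructed toy inner header: IPv4 src + src port

@dataclass
class FragmentFlow:
    fragments: dict = field(default_factory=dict)  # offset -> payload bytes
    total_len: int = -1                            # -1 until the last fragment arrives
    checked: bool = False                          # anti-spoof check done for this flow?
    passed: bool = False

class FragmentDecapsulator:
    def __init__(self, policy):
        # policy (assumed): outer source -> (allowed inner IPv4 source, (port_lo, port_hi))
        self.policy = policy
        self.flows = {}
        self.forwarded = []  # (outer_src, inner_src, inner_port, inner_payload)

    def anti_spoof_check(self, outer_src, inner_src, inner_port):
        # Does this outer source legitimately own the inner source address and port?
        rule = self.policy.get(outer_src)
        if rule is None:
            return False
        allowed_src, (lo, hi) = rule
        return inner_src == allowed_src and lo <= inner_port <= hi

    def receive(self, frag):
        key = (frag["outer_src"], frag["id"])  # fragment flow identity
        flow = self.flows.setdefault(key, FragmentFlow())
        if flow.checked and not flow.passed:
            return "dropped"  # flow already failed: later fragments are not buffered
        flow.fragments[frag["offset"]] = frag["payload"]
        if not frag["more"]:
            flow.total_len = frag["offset"] + len(frag["payload"])
        if not flow.checked and frag["offset"] == 0:
            # Inner source address/port now visible: check the flow once, no reassembly.
            src_bytes, port = INNER_HDR.unpack_from(frag["payload"], 0)
            flow.checked = True
            flow.passed = self.anti_spoof_check(
                frag["outer_src"], str(ipaddress.IPv4Address(src_bytes)), port)
            if not flow.passed:
                flow.fragments.clear()
                return "dropped"
        if flow.passed and self._complete(flow):
            # Every fragment of a checked flow is present: assemble, decapsulate, forward.
            outer = b"".join(flow.fragments[o] for o in sorted(flow.fragments))
            src_bytes, port = INNER_HDR.unpack_from(outer, 0)
            self.forwarded.append((frag["outer_src"], str(ipaddress.IPv4Address(src_bytes)),
                                   port, outer[INNER_HDR.size:]))
            del self.flows[key]
            return "forwarded"
        return "buffered"

    @staticmethod
    def _complete(flow):
        if flow.total_len < 0:
            return False
        pos = 0
        for off in sorted(flow.fragments):
            if off != pos:
                return False
            pos += len(flow.fragments[off])
        return pos == flow.total_len

def make_fragments(outer_src, pkt_id, inner_src, inner_port, payload, size):
    # Constructed sender side: split an outer packet carrying a toy inner packet.
    outer = INNER_HDR.pack(ipaddress.IPv4Address(inner_src).packed, inner_port) + payload
    return [{"outer_src": outer_src, "id": pkt_id, "offset": off,
             "more": off + size < len(outer), "payload": outer[off:off + size]}
            for off in range(0, len(outer), size)]

def demo():
    """Legitimate flow delivered out of order, then a flow whose inner source is spoofed."""
    dev = FragmentDecapsulator({"2001:db8::1": ("192.0.2.10", (4096, 8191))})
    good = make_fragments("2001:db8::1", 7, "192.0.2.10", 5000, b"A" * 34, 16)
    results = [dev.receive(good[1]), dev.receive(good[0]), dev.receive(good[2])]
    spoof = make_fragments("2001:db8::2", 8, "192.0.2.10", 5000, b"B" * 34, 16)
    results += [dev.receive(spoof[0]), dev.receive(spoof[1])]
    return results, dev.forwarded
```

A production device would also expire stale or failed flows from `flows` on a timer; the model keeps them so that later fragments of a failed flow are still refused.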
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail the papers to the Production Control branch in Publications or fax them to the post-allowance papers correspondence branch at (703) 308-5864 to expedite the issuing process, or to call PUB's Customer Service at (703) 305-8497 with any questions.
The closest prior art made of record is:
Julien (20090110003 A1) teaches that Internet Protocol datagram fragmentation issues are solved by creating a session context for the datagram fragments without actually reassembling the datagram from its fragments. The session context enables treatment of the datagram without actually reassembling it. Processing fragments can be followed by forwarding the processed fragments to another node that can further fragment the IP datagram. (Fig. 4 and ¶0034 0046-0047).
Kommareddy et al (20080028467 A1) teaches a denial-of-service network attack detection system that is deployable in single-homed and multi-homed stub networks. The detection system maintains state information of flows entering and leaving the stub domain to determine if exiting traffic exceeds traffic entering the system. Monitors perform simple processing tasks on sampled packets at individual routers in the network at line speed and perform more intensive processing at the routers periodically. The monitors at the routers form an overlay network and communicate pertinent traffic state information between nodes. The state information is collected and analyzed to determine the presence of an attack. (¶0008 0014-0027 0063-0070 0073-0097).
Kloberdans et al (20200128114 A1) teaches obtaining, from a subscriber premises gateway, a data packet having a header field including a unique identifier for a combination of the gateway and a connected subscriber IP device; transporting the data packet through an internal network of a broadband service provider; removing the header field after the transporting and prior to the data packet exiting the internal network of the broadband service provider to an external network; storing, in a subscriber internet protocol device data repository of the broadband service provider, data, including the header field, representing transport of the data packet through the internal network of the broadband service provider to the external network; detecting, based on the data repository, at least one of an internal and an external anomaly associated with the data packet; and initiating at least one mitigation action in response to the detecting of the at least one of an internal and an external anomaly. (¶0130).
Berg (20170012873 A1) teaches Mapping of Address and Port (MAP) provisioning of a device to enable exchange of Internet Protocol version 4 (IPv4) packets with an IP version 6 (IPv6) domain. The MAP provisioning may be sufficient to facilitate provisioning of a router to process IPv4 packets for exchange with the IPv6 domain of an associated modem. (¶0002 0007 0012 0034-0037).
Asati et al (20160014071 A1) teaches that a provider edge (PE) device in a computer network determines an IPv4 address and link-layer address for each adjacent customer premise equipment (CPE) device, and assigns each CPE device a unique IPv6 address. The PE device stores a key-pair mapping between the unique IPv6 address and combined IPv4 and link-layer address for each adjacent CPE, the mapping bound by a CPE session context, and uses the CPE session context to convert between IPv4 and IPv6 for all network traffic to and from a particular CPE device. (¶0002 0010-0015 0032-0038).
Bouvet et al (20190319924 A1) teaches a monitoring method implemented by an access point for a network that can maintain an address association table. The method can include selecting at least two entries in the address association table, storing at least one predetermined characteristic obtained over a predefined period of time for each inflow and each outflow associated with the selected entries, and comparing, for at least one pair of selected entries, at least one stored characteristic for an inflow associated with one of the entries of the pair with the at least one corresponding stored characteristic for an outflow associated with the other entry of the pair. If, for at least one pair of entries, the comparison step indicates that an inflow associated with one of the entries of the pair transports an application content of the same nature as an outflow associate (¶0130-0134 and 0156).
Morris (20190149449 A1) teaches a non-transitory computer-readable medium storing computer instructions that, when executed by one or more processors of a first node in a network, cause the first node to: receive an Internet Protocol (IP) packet that includes a first identifier and further includes an outside-scope second identifier that, for the first node, identifies a first region that does not include the first node and that is communicatively coupled to the first node via a second node; select, based on the outside-scope second identifier and based on at least one of a policy, a metric, or a routing table, an outgoing network interface included in at least one path segment of a plurality of path segments that communicatively couple the first node and at least one other node communicatively coupled to the first region, the plurality of path segments including at least one multi-hop path segment; and forward, via the outgoing network interface and to the second node, data received in the IP packet. (¶1409).
Chinni et al (20160050140 A1) teaches a network element of a software-defined networking (SDN) system that forwards IP packet fragments without reassembly. The network element receives an IP packet fragment and determines whether the fragment is the first fragment of an original IP packet. If the fragment is the first fragment, then fields in the first fragment that are associated with open systems interconnection (OSI) layers 4-7 are retrieved and placed in an entry in a fragment information table so that the entry is associated with the original IP packet. If the received fragment is not the first fragment, then a matching entry in the fragment information table is identified and the associated OSI layers 4-7 information is retrieved for processing the non-first fragment. (¶0037-0042 and 0063).
Pfister et al (20170324849 A1) teaches a decapsulating network device receives a plurality of encapsulated packet fragments of an original packet, and decapsulates them into respective decapsulated packet fragments. The decapsulating network device caches an inner header of the original packet from one of the decapsulated packet fragments, and in response to caching the inner header, and for each particular decapsulated packet fragment as it is received and decapsulated: prepends the inner header and fragmentation information to the particular decapsulated packet fragment; and forwards the particular decapsulated packet fragment with the prepended inner header and fragmentation information from the decapsulating network device toward a destination of the original packet. (¶0027 0029 0056).
Boucadair et al (20110110374 A1) teaches a method of receiving a data packet from an IPv4 domain in an IPv6 domain, said data packet comprising an IPv4 destination address and a destination port number. The method comprises the following steps: constructing an IPv6 destination address by concatenating an operator prefix, said IPv4 address, and the destination port number; generating an IPv6 data packet from the IPv6 constructed destination address and the received IPv4 data packet; and routing the generated IPv6 data packet in the IPv6 domain using the IPv6 constructed destination address, said constructed address belonging to a range of IPv6 addresses routable to an interconnection equipment of the IPv6 domain with the IPv4 destination address. (¶0022-0023 0031 0035 0047 0071 0115).
Afek et al, Network Anti-Spoofing with SDN Data plane, teaches that traditional DDoS anti-spoofing scrubbers require dedicated middleboxes, thus adding CAPEX, latency and complexity in the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Secondly, we develop and utilize advanced methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches. None of the earlier attempts to implement anti-spoofing in SDN actually directly exploited the match and action power of the switch data plane. They required additional functionalities on top of the match-and-action model, and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine to perform low level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers, the flow tables of multiple switches are harnessed in a distributed and dynamic network based solution. We have fully implemented all our methods in either OpenFlow 1.5 in Open vSwitch and in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers. (p. 536/Intro/par 3: mechanisms to detect/filter out spoofed packets; p. 537/paras 1-2: stop a source AS network as part of anti-spoofing mechanism).
Aishwarya et al, Intrusion Detection System- An Efficient way to Thwart against Dos/DDos Attack in the Cloud Environment, teaches that one of the emerging and glooming technologies in IT is Cloud computing, where the information is permanently stored in third party cloud servers and cached temporarily on clients that include different devices like desktops, entertainment centers, tablet computers, notebooks, wall computers, sensors, etc. An Internet connection is the basic requirement for accessing the cloud. Virtualization technology is another technology which goes along with the cloud environment and which is used most widely to reduce the cost of purchasing hardware infrastructure in organizations. Henceforth, Cloud Computing Systems can be easily intruded by various types of cyber attacks, including Denial of Service (DoS) attack and Distributed Denial of Service (DDoS) attack, which utilize the entire resources like CPU, Memory, etc. and make the server starve. This creates a major impact, reducing the efficiency of the virtual machines. In the proposed method, the attack can be overcome by a Transmission Control Protocol (TCP) Mitigation Strategy which uses the SYN Cookie to prevent the attack in the cloud, in which the server ignores the connection packets when it does not receive the correct Acknowledgement (ACK) from the client which requested the connection. The server here has rules to check whether it is a legitimate client or a spoofed one, using hop count filtering as the first layer of security and, as the second layer of security, encoding the sequence number of the SYN packet so that only a legitimate client can decode it. Additionally, security is also provided for the data packets using a Message Authentication Code (MAC), and thus the client is authenticated.
Bremler-Barr, Spoofing Prevention Method, teaches a new approach for filtering spoofed IP packets, called Spoofing Prevention Method (SPM). The method enables routers closer to the destination of a packet to verify the authenticity of the source address of the packet. This stands in contrast to standard ingress filtering, which is effective mostly at routers next to the source and is ineffective otherwise. In the proposed method a unique temporal key is associated with each ordered pair of source and destination networks (AS's, autonomous systems). Each packet leaving a source network S is tagged with the key K(S, D), associated with (S, D), where D is the destination network. Upon arrival at the destination network the key is verified and removed. Thus the method verifies the authenticity of packets carrying the address s which belongs to network S. An efficient implementation of the method, ensuring not to overload the routers, is presented. The major benefits of the method are the strong incentive it provides to network operators to implement it, and the fact that the method lends itself to stepwise deployment, since it benefits networks deploying the method even if it is implemented only on parts of the Internet. These two properties, not shared by alternative approaches, make it an attractive and viable solution to the packet spoofing problem.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/           Primary Examiner, Art Unit 2497