Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 13-25 are presented for examination.

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/3/2021 and 2/27/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 21 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 21 recites “the data transport layer tunnel”. The term “the data transport layer tunnel” is unclear and lacks antecedent basis. The closest antecedents are “a transport layer connection” and “a data link layer tunnel” in claim 13, and the specification does not define a data transport layer tunnel. Because a transport layer (OSI layer 4) and a data link layer (OSI layer 2) are distinct, it is not clear which element is meant, and the subject matter is therefore not distinctly claimed. For purposes of examination the term is interpreted as “the data link layer tunnel”, based on the absence of any transport layer tunnel in claim 13 and on dependent claim 22, which recites “the data link layer tunnels”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 13-17, 21 and 23-25 are rejected under 35 U.S.C. 103 as being unpatentable over Gerlach (EP 2464059) in view of Wu (US 2016/0050141). (A machine translation of EP2464059 was used.)

Regarding claim 13, Gerlach teaches
a method for checking datagrams transmitted within an industrial automation system comprising a plurality of automation cells which are interconnected via an industrial communications network (Gerlach, [0001] The invention relates to a switching network node for a communication network, an automation system; [0027] automation cell 100, see Fig. 2) and which each comprise a firewall interface (Gerlach, [0005] each automation cell 100 is also assigned a security component “Security device” 104.) and a plurality of automation appliances, (Examiner Note: devices connected to the automation cell) datagrams to be checked being transmitted from the plurality of automation cells via a respective firewall interface for checking to a firewall system connected at least indirectly to the industrial communications network and being checked at the firewall system in a rule-based manner, (Gerlach [0006] security device 104 is a firewall; [0040] In addition to the firewall and VPN functionality of the security hardware components)
Gerlach teaches a firewall within a data processing system comprising a plurality of computer units, (Gerlach [0006] [0040]) but does not teach the firewall system being formed by at least one virtual machine.
However, Wu teaches being checked at the firewall system in a rule-based manner, the firewall system being formed by at least one virtual machine (Wu [0187] Generally, a firewall function may be installed on many servers, for example, a virtual machine VM; [0193] The processing unit 72 is configured to: determine in policy information stored in the storage unit 74 and according to a first filtering rule that matches the first packet,)
(Examiner Note: The preamble is reciting purpose or intended use see MPEP 2111.02 II, it does not result in a manipulative difference in the datagrams.  However for compact prosecution, the preamble is mapped to Gerlach and Wu)
Gerlach teaches the communication flow from a firewall interface to a firewall (Gerlach [0040] In addition to the firewall and VPN functionality of the security hardware components in routing mode (i.e. for connecting subnets), the firewall and VPN functionality can also be provided for coupling with the same subnet … Since only one communication to be protected participants has to be routed through the hardware security components [0003] secured via upstream security components …The entire traffic must always flow through this component be checked)
Gerlach does not explicitly teach establishing a data link layer tunnel
However Wu teaches
establishing a data link layer tunnel between each respective firewall interface and the firewall system to transmit the datagrams to be checked; (Wu [0239] The service routing trigger 1 acquires the service identifier 10 from the source MAC address field of the service packet returned by the service node 1, and sends the user service packet whose source MAC address carries the service identifier 10 to the service routing trigger 2 by using a pre-established VxLAN tunnel.  [0083] The service node mentioned in the embodiments of the present disclosure may be a physical entity device, for example, a network device such as a router, a switch, or a server, or may be a logical functional entity or an application, for example, a firewall,)  (Examiner Note: VxLAN tunnel satisfies data link layer tunnel) 
transmitting at least successfully checked datagrams along with datagrams to be checked within the respective data link layer tunnel; and  (Wu [0194] The first filtering rule may include one or multiple of: a source address, a destination address, a source port, a destination port, and a protocol number that are of the first packet. For example, a first packet flow corresponding to the first packet may be identified by using 5-tuple information (a source address, a destination address, a source port, a destination port, and a protocol number) of the first packet.) (Examiner Note: Wu’s filtering is a firewall function)
encapsulating each datagram transmitted within the data link layer tunnels into a tunnel datagram which comprises a network layer header and a transport layer header along with the respective datagram, and transmitting each encapsulated datagram transmitted within the data link layer tunnels via a transport layer connection between the respective firewall interface and the firewall system (Wu [0245] It is assumed that a firewall value-added service is needed for processing when hosts or virtual machines between different subnets of a same tenant interwork with each other, and each service node device in FIG. 11 has a function of processing of a firewall value-added service, [0239] using a pre-established VxLAN tunnel) (Examiner Note: A VxLAN tunnel encapsulates layer 2 Ethernet frames in UDP, that is, a layer 4 transport header carried over a layer 3 IP header, so each tunnel datagram carries a network layer header and a transport layer header along with the encapsulated frame)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Wu’s traffic classifier system with Gerlach’s integrated safety network because doing so improves the network by resolving the problem of service processing on a packet (Wu, [0004] An objective of embodiments of the present disclosure is to provide a traffic classifier, a service routing trigger, and a packet processing method and system, so as to resolve a problem of service processing on a packet.)

Regarding claim 14, Gerlach and Wu teach
the method as claimed in claim 13, wherein the firewall interfaces are each integrated into a controller or router of the respective automation cell (Gerlach, [0017] a single integrated security component can be internally virtualized in such a way that it appears to the user as if several security components have been integrated)

Regarding claim 15, Gerlach and Wu teach
the method as claimed in claim 13, wherein the industrial communications network comprises a first subnetwork which is secured against access from a second IP-based subnetwork and is connected via a router to the second subnetwork (Wu, [0262] After completing firewall value-added service processing, the source MAC address of the service packet returned by the service node 1 to the service routing trigger 1 carries the service identifier 100, and a VLAN identifier field carries the VLAN identifier 101. It is determined, according to the second policy information, that the service node sequence ends; then, according to a correspondence between the tenant identifier 100 and the VLAN identifier 101 in the second policy information, the VLAN identifier field is removed, the VxLAN tunnel is encapsulated, the tenant identifier 100 is encapsulated into the VxLAN tenant identifier of the VxLAN tunnel ID, and then routing and forwarding to another subnet of the tenant are performed.)
Wu is combined with Gerlach for the same reasons as claim 13.  

Regarding claim 16, Gerlach and Wu teach
the method as claimed in claim 14, wherein the industrial communications network comprises a first subnetwork which is secured against access from a second IP-based subnetwork and is connected via a router to the second subnetwork (Wu, [0262] After completing firewall value-added service processing, the source MAC address of the service packet returned by the service node 1 to the service routing trigger 1 carries the service identifier 100, and a VLAN identifier field carries the VLAN identifier 101. It is determined, according to the second policy information, that the service node sequence ends; then, according to a correspondence between the tenant identifier 100 and the VLAN identifier 101 in the second policy information, the VLAN identifier field is removed, the VxLAN tunnel is encapsulated, the tenant identifier 100 is encapsulated into the VxLAN tenant identifier of the VxLAN tunnel ID, and then routing and forwarding to another subnet of the tenant are performed.)
Wu is combined with Gerlach for the same reasons as claim 13.  

Regarding claim 17, Gerlach and Wu teach
the method as claimed in claim 15, wherein the data processing system which the virtual machine forming the firewall system provides is connected to the second subnetwork (Wu, [0262] After completing firewall value-added service processing, the source MAC address of the service packet returned by the service node 1 to the service routing trigger 1 carries the service identifier 100, and a VLAN identifier field carries the VLAN identifier 101. It is determined, according to the second policy information, that the service node sequence ends; then, according to a correspondence between the tenant identifier 100 and the VLAN identifier 101 in the second policy information, the VLAN identifier field is removed, the VxLAN tunnel is encapsulated, the tenant identifier 100 is encapsulated into the VxLAN tenant identifier of the VxLAN tunnel ID, and then routing and forwarding to another subnet of the tenant are performed.)
Wu is combined with Gerlach for the same reasons as claim 13.  

Regarding claim 21, Gerlach and Wu teach
the method as claimed in claim 13, wherein the datagrams are each transmitted within the data transport layer tunnel via an unsecured transport layer connection between the respective firewall interface and the firewall system (Wu [0239] The service routing trigger 1 acquires the service identifier 10 from the source MAC address field of the service packet returned by the service node 1, and sends the user service packet whose source MAC address carries the service identifier 10 to the service routing trigger 2 by using a pre-established VxLAN tunnel. [0109] It should be noted that a service node generally has a reachable address, where the address of the service node may be an IP address or a MAC address.) (Examiner Note: Wu does not require the VxLAN transport between its nodes to be encrypted or otherwise secured)
Wu is combined with Gerlach for the same reasons as claim 13.  

Regarding claim 23, Gerlach and Wu teach
the method as claimed in claim 13, wherein the data link layer tunnels between the respective firewall interface and the firewall system are set up in accordance with Internet Engineering Task Force (IETF) Request for Comments (RFC) 7348 (Wu, [0239] The service routing trigger 1 acquires the service identifier 10 from the source MAC address field of the service packet returned by the service node 1, and sends the user service packet whose source MAC address carries the service identifier 10 to the service routing trigger 2 by using a pre-established VxLAN tunnel. [0260] The traffic classifier performs classification according to the flow filtering rule “subnet interworking filtering rule of the tenant 100”, which is in the first policy information, of the service routing sequence 100; encapsulates the service identifier 100 into a source MAC address field of a user service packet that is classified by the traffic classifier and belongs to the service node sequence 100; performs encapsulation of a VxLAN tunnel on a user service packet into which the service identifier 100 is encapsulated; encapsulates the tenant identifier 100 into a VxLAN tenant identifier of the VxLAN tunnel; and finally, sends, to the service routing trigger 1, a user service packet into which the service identifier 100 and the tenant identifier 100 are encapsulated.) (Examiner Note: RFC 7348 is the IETF specification of Virtual eXtensible Local Area Network (VXLAN), i.e., the VxLAN tunnel taught by Wu)
Wu is combined with Gerlach for the same reasons as claim 13.  

Claim 25 is an apparatus claim corresponding to method claim 13 and is rejected for the same reasons as claim 13.

Claims 18, 19, 22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Gerlach (EP 2464059) in view of Wu (US 2016/0050141) in view of Korunsky (US 2011/0214157).

Regarding claim 18, Gerlach and Wu teach
the method as claimed in claim 13. 
Gerlach and Wu teach load balancing but do not teach being redundantly configured and connected to the firewall system in accordance with a Virtual Router Redundancy Protocol.
However, Korunsky teaches a redundant configuration connected to the firewall system in accordance with a Virtual Router Redundancy Protocol (Korunsky, [0154] The implementation of the flow processing facility 102 may include fully redundant elements and features that support complete redundancy. These elements and features may include the fans 222; the power supplies 220; the passive backplane 224; data-switch fabrics; control-switch fabrics; control processor module 208 with RAID-1 mirrored hard drives; active/active failover configuration between two switches; logical interface redundancy (such as and without limitation as may be provided by VRRP) … In one example, a data flow may be routed to a firewall application,)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Korunsky’s redundancy with Gerlach’s switching network node because doing so supports failover (Korunsky [0462] Systems built according to the architecture may support redundancy and/or failover with respect to elements of the systems.) 

Regarding claim 19, Gerlach, Wu and Korunsky teach
the method as claimed in claim 13, wherein the plurality of automation cells are each redundantly connected to the industrial communications network in accordance with one of (i) a Rapid Spanning Tree Protocol, (ii) High-availability Redundancy Protocol and (iii) Media Redundancy Protocol (Korunsky, [0617] In an embodiment, a data flow processor may be configured to execute one or more applications for performing a spanning tree protocol for a network.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Korunsky’s spanning tree with Gerlach’s switching network node because doing so supports dynamic reconfiguring (Korunsky [0463] the systems that comply with the architecture may dynamically reconfigure themselves in response to a variety of factors.  Some of these factors, without limitation, may include a power failure, equipment failure, device failure, element failure, software failure, network failure)

Regarding claim 22, Gerlach and Wu teach
the method as claimed in claim 21, wherein the datagrams are each transmitted within the data link layer tunnels between the respective firewall interface and the firewall system in accordance with a User Datagram Protocol (Wu [0239] The service routing trigger 1 acquires the service identifier 10 from the source MAC address field of the service packet returned by the service node 1, and sends the user service packet whose source MAC address carries the service identifier 10 to the service routing trigger 2 by using a pre-established VxLAN tunnel. [0095] The service node may be an application in OSI layer 3 to layer 7, for example, a firewall, or an NAT (Network Address Translation) device; the service node may be a service node instance; or the service node may be a network device such as a router, a switch, or a server.)  (Examiner Note: Wu teaches the service node application includes a firewall)
Wu is combined with Gerlach for the same reasons as claim 13.  
Gerlach does not explicitly teach User Datagram Protocol. Whether connection-oriented (TCP) or connectionless (UDP) communication is used is application dependent, and Wu teaches a firewall and VxLAN tunneling (VxLAN as specified in RFC 7348 is itself carried over UDP); nevertheless, in the interest of compact prosecution, Korunsky is cited to teach UDP communication.
However Korunsky teaches User Datagram Protocol (Korunsky,  [0192] In the preferred embodiment, the data flow 444 is composed of an IP-packet sequence, such as may be associated with a connection-oriented protocol (e.g., TCP/IP) or a connectionless protocol (e.g., UDP/IP).)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Korunsky’s firewall processing of UDP packets with Gerlach’s switching network node because doing so improves secure network flow (Korunsky, [0010] The methods and systems disclosed herein for securing a computer resource include methods systems for providing a flow processing facility for processing a data flow,)
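
The VxLAN encapsulation relied on for claims 13, 22 and 23 above can be illustrated concretely. The following Python is an added worked example written for this page; it is not code from Wu, Gerlach, Korunsky or the application under examination, and the addresses, MAC addresses, VNI of 100 and single allow rule are assumptions. It builds an RFC 7348 tunnel datagram (outer IPv4 network layer header, UDP transport layer header with destination port 4789, 8-byte VXLAN header, inner Ethernet frame), validates and decapsulates it as a receiving firewall would (I flag set, expected VNI), and applies a 5-tuple filtering rule of the kind Wu describes to the inner datagram, returning an accept or drop verdict.

```python
"""VXLAN (RFC 7348) encapsulation, decapsulation and 5-tuple rule check.
Constructed example: addresses, MACs, VNI and rules are assumptions."""
import ipaddress
import struct
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA destination port for VXLAN (RFC 7348, section 5)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """20-byte IPv4 header without options; checksum left at 0 (assumed offloaded)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    """8-byte UDP header; a zero checksum is permitted over IPv4 (RFC 7348, section 5)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags (I set), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def encapsulate(inner_frame: bytes, vni: int, outer_src: str, outer_dst: str,
                sport: int = 49152) -> bytes:
    """Tunnel datagram = IPv4 (network layer) + UDP (transport layer) + VXLAN + original frame."""
    vx = vxlan_header(vni) + inner_frame
    udp = udp_header(sport, VXLAN_UDP_PORT, len(vx)) + vx
    return ipv4_header(outer_src, outer_dst, len(udp)) + udp


def decapsulate(datagram: bytes, vni_expected: Optional[int] = None) -> Tuple[int, bytes]:
    """Validate outer IPv4/UDP/VXLAN headers as a receiving VTEP would; return (VNI, inner frame)."""
    if len(datagram) < 20 + 8 + 8:
        raise ValueError("too short for IPv4 + UDP + VXLAN headers")
    ver_ihl, proto = datagram[0], datagram[9]
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    ihl = (ver_ihl & 0x0F) * 4
    _, dport, udp_len, _ = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    vx = datagram[ihl + 8:ihl + udp_len]
    flags, vni_and_res = struct.unpack("!B3xI", vx[:8])
    # RFC 7348: the I flag MUST be set; reserved bits are ignored on receipt.
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    vni = vni_and_res >> 8
    if vni_expected is not None and vni != vni_expected:
        raise ValueError(f"VNI {vni} does not match expected {vni_expected}")
    return vni, vx[8:]


def build_inner_frame(src_ip: str, dst_ip: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP SYN (proto 6) or UDP (proto 17) frame, no payload."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # assumed locally administered MACs
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = udp_header(sport, dport, 0)
    return eth + ipv4_header(src_ip, dst_ip, len(l4), proto) + l4


def inner_five_tuple(frame: bytes) -> Tuple[str, str, int, int, int]:
    """Parse the inner Ethernet/IPv4/TCP-or-UDP frame into (src, dst, sport, dport, proto)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17):
        raise ValueError("inner datagram is neither TCP nor UDP")
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20])),
            sport, dport, proto)


# Assumed rule set: only Modbus/TCP from the engineering cell to one PLC is allowed; default deny.
RULES = [{"src": "10.1.1.0/24", "dst": "10.2.2.10/32", "dport": 502, "proto": 6, "action": "ACCEPT"}]


def check_rules(five_tuple, rules=RULES) -> str:
    """First-match evaluation of a 5-tuple against the filtering rules."""
    src, dst, _, dport, proto = five_tuple
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and dport == r["dport"] and proto == r["proto"]):
            return r["action"]
    return "DROP"


def inspect_tunnel_datagram(datagram: bytes, vni_expected: int) -> Tuple[str, tuple]:
    """Firewall-side path: decapsulate, then check the inner datagram; returns (verdict, 5-tuple)."""
    _, inner = decapsulate(datagram, vni_expected)
    five = inner_five_tuple(inner)
    return check_rules(five), five
```

The example checks only the header fields RFC 7348 requires a receiver to act on (UDP destination port, I flag, VNI) and leaves reserved bits alone, as the RFC directs; the rule check runs on the decapsulated inner frame, which is the point at which a VM-based firewall sees the original datagram.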

Regarding claim 24, Gerlach, Wu and Korunsky teach
the method as claimed in claim 13, wherein the firewall system checks datagrams transmitted by the firewall interfaces of the automation cells based on defined security rules, transmits successfully checked datagrams back to one of (i) a respective firewall interface and (Korunsky [0154] In one example, a data flow may be routed to a firewall application, then to an anti-virus application, then to a URL filter, then back to the firewall.) (ii) a firewall interface of a destination automation cell and rejects datagrams which do not comply with the defined security rules (Korunsky [0458] The flow processing facility 102 may facilitate content inspection as applied in a unified threat management application at the network layer. ... A network layer packet with such a violation may be acted upon by the UTM application to prevent the packet from reaching the network, and any and all connection or data flow 444 associated with the packet may be terminated or dropped.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Korunsky’s firewall processing with Gerlach’s switching network node because doing so improves secure network flow (Korunsky, [0010] The methods and systems disclosed herein for securing a computer resource include methods systems for providing a flow processing facility for processing a data flow,)

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Gerlach (EP 2464059) in view of Wu (US 2016/0050141) in view of Edsall (US 2018/0115548).

Regarding claim 20, Gerlach and Wu teach 
the method as claimed in claim 13, 
Gerlach teaches encryption (Gerlach [0007] applications that require encryption of the data traffic … the security device is designed as a VPN) but does not teach datagram … encryption.
However Edsall teaches the datagrams are each transmitted within the data link layer tunnels in encrypted form (Edsall  [0009] FIG. 3 is a flow chart depicting example egress operations to generate InsSec packets by encrypting VxLAN based packets in accordance with an embodiment;  [0017]  in which VxLAN packets 100 are transformed into InsSec packets 200 and routed over an InsSec tunnel.  [0023] In accordance with the present disclosure, various InsSec egress techniques are described herein in which the format of a received VxLAN packet 100 is manipulated to generate an InsSec packet 200.  … The VxLAN header 110 and the encapsulated packet payload 112 of the VxLAN packet 100 are encrypted using MACSec, thereby generating a MACSec payload 213 comprising an encrypted VxLAN header 210 and an encrypted encapsulated packet payload 212.) 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Edsall’s VxLAN encryption with Gerlach-Wu’s VPN and tunnels because doing so improves data security (Edsall, [0013] Techniques are provided herein to achieve data security and integrity using the cryptographic machinery of IEEE MACSec for TCP or UDP packets, for example, VxLAN, iVxLAN, and VxLAN-GPE packet.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRUCE S ASHLEY/Examiner, Art Unit 2494