DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
	Applicant’s remarks, see pg. 8, filed 09/10/2021, with respect to the double patenting rejection of claims 21, 24, 28, 31, 35, and 37 as being unpatentable over claims 1 and 7 of U.S. Patent No. 10,412,008 B2 in view of previously cited reference McDyson et al. (US 2011/0161416 A1) has been considered. Particularly, “Applicant respectfully requests these (double patenting) rejections be held in abeyance until the claims are otherwise determined to be allowable, at which time Applicant will either file a terminal disclaimer or provide arguments regarding the claims not being obvious over the cited references”. However, “A complete response to a nonstatutory double patenting (NSDP) rejection is either a reply by applicant showing that the claims subject to the rejection are patentably distinct from the reference claims or the filing of a terminal disclaimer in accordance with 37 CFR 1.321 in the pending application(s) with a reply to the Office action (see MPEP § 1490 for a discussion of terminal disclaimers). Such a response is required even when the nonstatutory double patenting rejection is provisional.” (MPEP 804). The Examiner will consider the amendment of the claims filed 05/16/2022 as an attempt by the Applicant to overcome the double patenting rejection. Therefore, and in view of the amendment, the double patenting rejection made on 06/24/2021 to the claims is withdrawn.
	Applicant’s corrections filed 05/16/2022 with respect to claim objections for claim(s) 35 made on 02/15/2022 has been considered and the objection to the claims is withdrawn.
	Applicant’s corrections filed 05/16/2022 with respect to claim rejection under 112(b) for claim(s) 25 and 32 made on 02/15/2022 has been considered and the rejection under 112(b) to the claims are withdrawn.
	Applicant’s arguments filed 05/16/2022 with respect to claim(s) 21, 28, and 35 have been considered but are moot in view of the new ground(s) of rejection. 	Applicant’s argument:	On pgs. 9-11, Applicant argues that previously cited prior arts McDyson et al. (US 2011/0161416 A1) in view of Chen et al. (US 8,584,199 B1) and Sharma et al. (US 2013/0163594 A1) does not teach the amended claims, i.e., the limitations “ingress flow entry comprises … a processing network element indication, … the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet, … determining, by the ingress network element, a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry”. 	Examiner’s response:	Examiner provides a new rejection based on previously cited prior art McDyson et al. (US 2011/0161416 A1) in view of new reference Khalid et al. (US 2010/0080226 A1) and previously cited prior art Chen et al. (US 8,584,199 B1) and submits that Khalid teaches the above limitations, as outlined below. Therefore, Applicant’s arguments against the previous rejection (McDyson in view of Chen and Sharma) is moot because Examiner provides a new rejection where the new reference Khalid teaches the above limitations. 

Claim Rejections - 35 USC § 103
 	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claim(s) 21-23, 26, 28-30, 33, 35-36, and 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over McDyson et al. (US 2011/0161416 A1) in view of Khalid et al. (US 2010/0080226 A1) and Chen et al. (US 8,584,199 B1).

Regarding claim 21, McDyson discloses A method, comprising:
receiving, by an ingress network element, an ingress flow entry from a control network element (Fig. 3A, [0033]: access router 120 (=ingress network element) receives provisioning information 308 (=ingress flow entry) from NMS 130 (=control network element)), wherein the ingress flow entry comprises flow description information, an encapsulation flow identifier ([0033]: provisioning information 308 (=ingress flow entry) includes information for ACL table 302, AFL table 304, and routing table 306, i.e., [0030]-[0032]: NMS 130 provisions IP SA (=flow description information) to ACL table 302 and tunnel headers (=encapsulation flow identifier) to routing table 306. [0038]: AFL may also be configured with tunnel headers by routing table 306. Note: the provisioning information 308 (=ingress flow entry) includes IP SA (=flow description information) and tunnel headers (=encapsulation flow identifier) because the NMS provides the provisioning information 308 to ACL 302 that includes IP SA and TH (see [0030] and Fig. 4A), AFL table 304 that includes IP DA and TH (see [0031] and Fig. 4A), and routing table 306 that includes routing information on specific tunnels using THs (see [0032])), and wherein the flow description information is usable to perform matching with a to-be-processed data packet to identify a matching to-be-processed data packet (Fig. 4A, [0047]-[0048]: ACL table 302 is used to match received packets (=to-be-processed packets) with entries of the ACL table 302, see IP SA field 402 includes IP SA values (=flow description information) (provisioned by NMS, see [0030]), i.e., a received packet 318 with IPH 320 that includes IP SA of “D” is matched to IP SA of “D” in IP SA field 402), the encapsulation flow identifier indicates a service flow to which the matching to-be-processed data packet belongs ([0030], [0032]: tunnel header (=encapsulation flow identifier) is associated with a tunnel on which the packet may be routed to a feature peer, i.e., FP 150-1 (=service flow). [0017]: feature peers 150 provide different features and/or services. Fig. 4A, [0047]-[0048]: tunnel headers are determined to packet 318 that have been matched with an entry in the IP SA field 402 of the ACL table 302);
receiving, by the ingress network element, a first data packet (Fig. 3B, [0037]: access router 120 receives packet 318); and
in response to determining that the first data packet matches the flow description information (Fig. 4A, [0037], [0047]-[0048]: access router 120 uses ACL table 302 to match packet 318 that includes IPH 320 with IP SA of “D” to an entry in IP SA 402, i.e., IP SA of “D”), attaching, by the ingress network element, the encapsulation flow identifier to the first data packet (Fig. 4A, [0048]: access router 120 adds TH.1 (=encapsulation flow identifier) to packet 318), and sending the first data packet to the processing network element after attaching the encapsulation flow identifier (Fig. 4A, [0048]: access router 120 forwards packet 318 with TH.1 (=after the attaching the encapsulation flow identifier) to FP 150-1 (=processing network element)).
McDyson does not disclose the provisioning information 308 (=ingress flow entry) comprises a processing network element indication and an encapsulation indication; and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet, and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet; and determining, by the ingress network element, a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry, and attaching, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element; and sending the first data packet … after attaching the context indication.
However, Khalid discloses in Fig. 1 and [0015] multiple components in a service system 10 that may be combined into a router including a service classifier 20 (=ingress network element) and in [0025] the service classifier 20 receives from a service broker 30 (=control network element) service information (=ingress flow entry). Khalid further discloses the service information includes a processing network element indication ([0025]: service information includes a service header, next-hop information, and tunnel information (=processing network element indication)); and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet ([0027]-[0030]: the service header includes or defines a service chain (=context processing) for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
determining, by the ingress network element, a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry ([0037]: the service classifier 20 determines and transmits packet 11 (=first data packet) to a first hop service node 50, i.e., firewall 1 (=processing network element that is to process the first data packet) based on a first hop address of the first hop service node 50 and the service chain (=context processing) included in the service information (ingress flow entry). [0026], [0028]: service information includes the service header that defines the service chain and the next hop information. [0031]: the next hop information indicates the address of the service node 50), and 
attaching, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element ([0019]: service classifier 20 receives packet 11 (=first data packet). [0025], [0026]: service classifier 20 receives service information that includes the service header. [0028]-[0030]: the service header (=context indication) is added to packet 11 and includes or defines the service chain (=context processing) for passing the packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
sending the first data packet … after attaching the context indication ([0037]: service classifier 20 transmits the packet 11 to a service node 50. [0028]: packet 11 has service header added to it).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308 that the access router receives, as taught by McDyson, to further include a service header, next-hop information, and tunnel information, wherein the service header defines a service chain for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services, so that the service classifier/router determines a first hop service node for performing firewall based on a first hop address and the service chain, and adds the service header to the packet before sending it to the service node, as taught by Khalid.
Doing so provides a service system that routes packets of data to optimal service nodes based on the behavior or performance of the service nodes by using a service chain, i.e., a service classifier provides automated assistance (Khalid: [0009], [0018]). 
McDyson in view of Khalid does not disclose the provisioning information 308 (=ingress flow entry) comprises an encapsulation indication; and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet.
However, Chen discloses a security policy 402 (=ingress flow entry) comprises an encapsulation indication (col. 8 ll. 54-66: corporate directory 470 (=control network element), which may be a code running on a computer or residing on a server, provides security policy 402 to a security gateway 150 (=ingress network element). Col. 11 ll. 23-39 and 57-63: security policy 402 includes packet routing policy 652 (=ingress flow entry) comprising host network address 661, i.e., IP address (=flow description information), application network address 663, i.e., IP address (=processing network element indication), and forwarding interface 665 (=encapsulation indication) for indicating modification, i.e., add tunnel header, to data packets 439); and 
the encapsulation indication indicates attaching the encapsulation flow identifier to any identified matching to-be-processed data packets (col. 11 ll. 52-65: forwarding interface 665 indicates to add a tunnel header (=encapsulation flow identifier) to data packet 439 prior to transmission, and security gateway 150 applies the addition of the tunnel header to data packet 439 when there is a match of the data packet 439 (=identified matching to-be-processed data packet) and send the modified data packet 439).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308, as taught by McDyson, to further include forwarding interface 665 indicating to add a tunnel header to a matched data packet, as taught by Chen.
Doing so allows the security gateway to add an IP-IP tunnel header, a L2TP tunnel header, a IPSec tunnel header, or a layer 2 tunnel header prior to transmission of a received and matched data packet (Chen: col. 11 ll.52-63); and thus, the security gateway applies packet routing policy (Chen: col. 11 ll. 40) which solves the need for a security driven packet forwarding solution (Chen: col. 2 ll. 13-15).

Regarding claim 28, McDyson discloses An ingress network element (Fig. 3A: access router 120. [0017]: access router 120 may include a gateway and a switch), comprising:
a processor (Fig. 2, [0023]-[0024]: access router 120 includes processing unit 220); and
a computer readable storage medium storing programming for execution by the processor, the programming including instructions to (Fig. 2, [0023]-[0024]: access router 120 includes main memory 230 storing instructions for execution by processing unit 220):
receive an ingress flow entry from a control network element (Fig. 3A, [0033]: access router 120 receives provisioning information 308 (=ingress flow entry) from NMS 130 (=control network element)), wherein the ingress flow entry comprises flow description information, an encapsulation flow identifier ([0033]: provisioning information 308 (=ingress flow entry) includes information for ACL table 302, AFL table 304, and routing table 306, i.e., [0030]-[0032]: NMS 130 provisions IP SA (=flow description information) to ACL table 302 and tunnel headers (=encapsulation flow identifier) to routing table 306. [0038]: AFL may also be configured with tunnel headers by routing table 306. Note: the provisioning information 308 (=ingress flow entry) includes IP SA (=flow description information) and tunnel headers (=encapsulation flow identifier) because the NMS provides the provisioning information 308 to ACL 302 that includes IP SA and TH (see [0030] and Fig. 4A), AFL table 304 that includes IP DA and TH (see [0031] and Fig. 4A), and routing table 306 that includes routing information on specific tunnels using THs (see [0032])), and wherein the flow description information is usable to perform matching with a to-be-processed data packet to identify a matching to-be-processed data packet (Fig. 4A, [0047]-[0048]: ACL table 302 is used to match any received packets (=to-be-processed packets) with entries of the ACL table 302, see IP SA field 402 includes IP SA values (=flow description information) (provisioned by NMS, see [0030]), i.e., a received packet 318 with IPH 320 that includes IP SA of “D” is matched to IP SA of “D” in IP SA field 402), the encapsulation flow identifier indicates a service flow to which the matching to-be-processed data packet belongs ([0030], [0032]: tunnel header (=encapsulation flow identifier) is associated with a tunnel on which the packet may be routed to a feature peer, i.e., FP 150-1 (=service flow). [0017]: feature peers 150 provide different features and/or services. Fig. 4A, [0047]-[0048]: tunnel headers are determined to packet 318 that have been matched with an entry in the IP SA field 402 of the ACL table 302);
receive a first data packet (Fig. 3B, [0037]: access router 120 receives packet 318); and
in response to determining that the first data packet matches the flow description information (Fig. 4A, [0037], [0047]-[0048]: access router 120 uses ACL table 302 to match packet 318 that includes IPH 320 with IP SA of “D” to an entry in IP SA 402, i.e., IP SA of “D”), attach the encapsulation flow identifier to the first data packet (Fig. 4A, [0048]: access router 120 adds TH.1 (=encapsulation flow identifier) to packet 318), and send the first data packet to the processing network element after attaching the encapsulation flow identifier (Fig. 4A, [0048]: access router 120 forwards packet 318 with TH.1 (=after the attaching the encapsulation flow identifier) to FP 150-1 (=processing network element)).
McDyson does not disclose the provisioning information 308 (=ingress flow entry) comprises a processing network element indication and an encapsulation indication; and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet, and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet; and determine a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry, and attach, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element; and send the first data packet … after attaching the context indication.
However, Khalid discloses in Fig. 1 and [0015] multiple components in a service system 10 that may be combined into a router including a service classifier 20 (=ingress network element) and in [0025] the service classifier 20 receives from a service broker 30 (=control network element) service information (=ingress flow entry). Khalid further discloses the service information includes a processing network element indication ([0025]: service information includes a service header, next-hop information, and tunnel information (=processing network element indication)); and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet ([0027]-[0030]: the service header includes or defines a service chain (=context processing) for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
determine a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry ([0037]: the service classifier 20 determines and transmits packet 11 (=first data packet) to a first hop service node 50, i.e., firewall 1 (=processing network element that is to process the first data packet) based on a first hop address of the first hop service node 50 and the service chain (=context processing) included in the service information (ingress flow entry). [0026], [0028]: service information includes the service header that defines the service chain and the next hop information. [0031]: the next hop information indicates the address of the service node 50), and 
attach, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element ([0019]: service classifier 20 receives packet 11 (=first data packet). [0025], [0026]: service classifier 20 receives service information that includes the service header. [0028]-[0030]: the service header (=context indication) is added to packet 11 and includes or defines the service chain (=context processing) for passing the packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
send the first data packet … after attaching the context indication ([0037]: service classifier 20 transmits the packet 11 to a service node 50. [0028]: packet 11 has service header added to it).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308 that the access router receives, as taught by McDyson, to further include a service header, next-hop information, and tunnel information, wherein the service header defines a service chain for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services, so that the service classifier/router determines a first hop service node for performing firewall based on a first hop address and the service chain, and adds the service header to the packet before sending it to the service node, as taught by Khalid.
Doing so provides a service system that routes packets of data to optimal service nodes based on the behavior or performance of the service nodes by using a service chain, i.e., a service classifier provides automated assistance (Khalid: [0009], [0018]). 
McDyson in view of Khalid does not disclose the provisioning information 308 (=ingress flow entry) comprises an encapsulation indication; and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet.
However, Chen discloses a security policy 402 (=ingress flow entry) comprises an encapsulation indication (col. 8 ll. 54-66: corporate directory 470 (=control network element), which may be a code running on a computer or residing on a server, provides security policy 402 to a security gateway 150 (=ingress network element). Col. 11 ll. 23-39 and 57-63: security policy 402 includes packet routing policy 652 (=ingress flow entry) comprising host network address 661, i.e., IP address (=flow description information), application network address 663, i.e., IP address (=processing network element indication), and forwarding interface 665 (=encapsulation indication) for indicating modification, i.e., add tunnel header, to data packets 439); and 
the encapsulation indication indicates attaching the encapsulation flow identifier to any identified matching to-be-processed data packets (col. 11 ll. 52-65: forwarding interface 665 indicates to add a tunnel header (=encapsulation flow identifier) to data packet 439 prior to transmission, and security gateway 150 applies the addition of the tunnel header to data packet 439 when there is a match of the data packet 439 (=identified matching to-be-processed data packet) and send the modified data packet 439).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308, as taught by McDyson, to further include forwarding interface 665 indicating to add a tunnel header to a matched data packet, as taught by Chen.
Doing so allows the security gateway to add an IP-IP tunnel header, a L2TP tunnel header, a IPSec tunnel header, or a layer 2 tunnel header prior to transmission of a received and matched data packet (Chen: col. 11 ll.52-63); and thus, the security gateway applies packet routing policy (Chen: col. 11 ll. 40) which solves the need for a security driven packet forwarding solution (Chen: col. 2 ll. 13-15).

Regarding claim 35, McDyson discloses A packet processing system (Fig. 3A: network portion 300 which is part of network 100), comprising:
a processing network element (Fig. 3A: FP 150-1); and
an ingress network element (Fig. 3A: access router 120. [0017]: access router 120 may include a gateway and a switch), comprising a processor and a non-transitory storage medium storing a program that is executable by the processor (Fig. 2, [0023]-[0024]: access router 120 includes processing unit 220 and main memory 230 storing instructions for execution by processing unit 220), the program including instructions to:
receive an ingress flow entry from a control network element (Fig. 3A, [0033]: access router 120 receives provisioning information 308 (=ingress flow entry) from NMS 130 (=control network element)), wherein the ingress flow entry comprises flow description information, an encapsulation flow identifier ([0033]: provisioning information 308 (=ingress flow entry) includes information for ACL table 302, AFL table 304, and routing table 306, i.e., [0030]-[0032]: NMS 130 provisions IP SA (=flow description information) to ACL table 302 and tunnel headers (=encapsulation flow identifier) to routing table 306. [0038]: AFL may also be configured with tunnel headers by routing table 306. Note: the provisioning information 308 (=ingress flow entry) includes IP SA (=flow description information) and tunnel headers (=encapsulation flow identifier) because the NMS provides the provisioning information 308 to ACL 302 that includes IP SA and TH (see [0030] and Fig. 4A), AFL table 304 that includes IP DA and TH (see [0031] and Fig. 4A), and routing table 306 that includes routing information on specific tunnels using THs (see [0032])), and wherein the flow description information is usable to perform matching with a to-be-processed data packet to identify a matching to-be-processed data packet (Fig. 4A, [0047]-[0048]: ACL table 302 is used to match any received packets (=to-be-processed packets) with entries of the ACL table 302, see IP SA field 402 includes IP SA values (=flow description information) (provisioned by NMS, see [0030]), i.e., a received packet 318 with IPH 320 that includes IP SA of “D” is matched to IP SA of “D” in IP SA field 402), the encapsulation flow identifier indicates a service flow to which the matching to-be-processed data packet belongs ([0030], [0032]: tunnel header (=encapsulation flow identifier) is associated with a tunnel on which the packet may be routed to a feature peer, i.e., FP 150-1 (=service flow). [0017]: feature peers 150 provide different features and/or services. Fig. 4A, [0047]-[0048]: tunnel headers are determined to packet 318 that have been matched with an entry in the IP SA field 402 of the ACL table 302);
receive a first data packet (Fig. 3B, [0037]: access router 120 receives packet 318); and
in response to determining that the first data packet matches the flow description information (Fig. 4A, [0037], [0047]-[0048]: access router 120 uses ACL table 302 to match packet 318 that includes IPH 320 with IP SA of “D” to an entry in IP SA 402, i.e., IP SA of “D”), attach the encapsulation flow identifier to the first data packet (Fig. 4A, [0048]: access router 120 adds TH.1 (=encapsulation flow identifier) to packet 318), and send the first data packet to the processing network element after attaching the encapsulation flow identifier (Fig. 4A, [0048]: access router 120 forwards packet 318 with TH.1 (=after the attaching the encapsulation flow identifier) to FP 150-1 (=processing network element)).
McDyson does not disclose the provisioning information 308 (=ingress flow entry) comprises a processing network element indication and an encapsulation indication; and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet, and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet; and determine a processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry, and attach, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element; and send the first data packet … after attaching the context indication.
However, Khalid discloses in Fig. 1 and [0015] multiple components in a service system 10 that may be combined into a router including a service classifier 20 (=ingress network element) and in [0025] the service classifier 20 receives from a service broker 30 (=control network element) service information (=ingress flow entry). Khalid further discloses the service information includes a processing network element indication ([0025]: service information includes a service header, next-hop information, and tunnel information (=processing network element indication)); and the processing network element indication indicates a context processing to be performed on the matching to-be-processed data packet ([0027]-[0030]: the service header includes or defines a service chain (=context processing) for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
determining the processing network element that is to process the first data packet based on a correspondence between the processing network element and the context processing indicated by the ingress flow entry ([0037]: the service classifier 20 determines and transmits packet 11 (=first data packet) to a first hop service node 50, i.e., firewall 1 (=processing network element that is to process the first data packet) based on a first hop address of the first hop service node 50 and the service chain (=context processing) included in the service information (ingress flow entry). [0026], [0028]: service information includes the service header that defines the service chain and the next hop information. [0031]: the next hop information indicates the address of the service node 50), and 
attach, to the first data packet, a context indication indicating the context processing to be performed on the first data packet by the processing network element ([0019]: service classifier 20 receives packet 11 (=first data packet). [0025], [0026]: service classifier 20 receives service information that includes the service header. [0028]-[0030]: the service header (=context indication) is added to packet 11 and includes or defines the service chain (=context processing) for passing the packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services); and 
send the first data packet … after attaching the context indication ([0037]: service classifier 20 transmits the packet 11 to a service node 50. [0028]: packet 11 has service header added to it).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308 that the access router receives, as taught by McDyson, to further include a service header, next-hop information, and tunnel information, wherein the service header defines a service chain for passing a packet through a firewall, an IPS, and a QoS device for performing firewall, IPS, and QoS services, so that the service classifier/router determines a first hop service node for performing firewall based on a first hop address and the service chain, and adds the service header to the packet before sending it to the service node, as taught by Khalid.
Doing so provides a service system that routes packets of data to optimal service nodes based on the behavior or performance of the service nodes by using a service chain, i.e., a service classifier provides automated assistance (Khalid: [0009], [0018]). 
McDyson in view of Khalid does not disclose the provisioning information 308 (=ingress flow entry) comprises an encapsulation indication; and the encapsulation indication indicates attaching the encapsulation flow identifier to the matching to-be-processed data packet.
However, Chen discloses a security policy 402 (=ingress flow entry) comprises an encapsulation indication (col. 8 ll. 54-66: corporate directory 470 (=control network element), which may be a code running on a computer or residing on a server, provides security policy 402 to a security gateway 150 (=ingress network element). Col. 11 ll. 23-39 and 57-63: security policy 402 includes packet routing policy 652 (=ingress flow entry) comprising host network address 661, i.e., IP address (=flow description information), application network address 663, i.e., IP address (=processing network element indication), and forwarding interface 665 (=encapsulation indication) for indicating modification, i.e., add tunnel header, to data packets 439); and 
the encapsulation indication indicates attaching the encapsulation flow identifier to any identified matching to-be-processed data packets (col. 11 ll. 52-65: forwarding interface 665 indicates to add a tunnel header (=encapsulation flow identifier) to data packet 439 prior to transmission, and security gateway 150 applies the addition of the tunnel header to data packet 439 when there is a match of the data packet 439 (=identified matching to-be-processed data packet) and send the modified data packet 439).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the provisioning information 308, as taught by McDyson, to further include forwarding interface 665 indicating to add a tunnel header to a matched data packet, as taught by Chen.
Doing so allows the security gateway to add an IP-IP tunnel header, a L2TP tunnel header, a IPSec tunnel header, or a layer 2 tunnel header prior to transmission of a received and matched data packet (Chen: col. 11 ll.52-63); and thus, the security gateway applies packet routing policy (Chen: col. 11 ll. 40) which solves the need for a security driven packet forwarding solution (Chen: col. 2 ll. 13-15).

Regarding claims 22 and 29, McDyson in view of Khalid and Chen discloses all feature of claims 21 and 28 as outlined above. 
McDyson further discloses wherein the flow description information comprises ([0030]: IP SA (=flow description information)):
a source media access control (MAC) address;
a destination MAC address;
a source internet protocol (IP) address ([0030], [0048]: IP SA is IP source address and may include IP SA of “D”);
a destination IP address;
a source port number; or
a destination port number.

Regarding claims 23, 30, and 36, McDyson in view of Khalid and Chen discloses all features of claims 21, 28, and 35 as outlined above. 
McDyson further discloses wherein the ingress flow entry further comprises an ingress context processing indication, and the method further comprises ([0033]: provisioning information 308 (=ingress flow entry) includes information enabling the access router 120 to handle packets, i.e., the information instructs ACL table 302 to map packets to AFL table 304 using information from routing table 306):
in response to determining that the first data packet matches the flow description information (Fig. 4A, [0037], [0047]-[0048]: access router 120 uses ACL table 302 to match packet 318 that includes IPH 320 with IP SA of “D” to an entry in IP SA 402, i.e., IP SA of “D”), performing a context processing indicated by the ingress context processing indication on the first data packet (Fig. 4A, [0048]: access router 120 then maps the TH.1 of TH field 404 from the ACL table 302 to TH.1 of IP DA field 406 of the AFL table as instructed of the information in [0033]: the information instructs ACL table 302 to map packets to AFL table 304 using information from routing table 306. [0032]: routing table 306 includes tunnel header information).

Regarding claims 26, 33, and 39, McDyson in view of Khalid and Chen discloses all features of claims 21, 28, and 35 as outlined above. 
McDyson further discloses wherein the processing network element indication is a media access control (MAC) address, an internet protocol (IP) address, a domain name, or a self-defined identifier of the processing network element ([0031], [0048]: IP DA (=processing network element indication) is IP destination address with a next hop, i.e., FP 150-1 (=processing network element), to which the packet is to be routed).

	Claim(s) 25, 32, and 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over McDyson et al. (US 2011/0161416 A1) in view of Khalid et al. (US 2010/0080226 A1), Chen et al. (US 8,584,199 B1), and Sharma et al. (US 2013/0163594 A1).

Regarding claims 25 and 32, McDyson in view of Khalid and Chen discloses all features of claims 21 and 28 as outlined above. 
While Chen discloses in col. 11 ll. 60-63 to add a tunnel header such as an IP-IP tunnel header, a L2TP tunnel header, a IPSec tunnel header, or a layer 2 tunnel header, McDyson in view of Khalid and Chen does not disclose, but Sharma discloses wherein the attaching the encapsulation flow identifier is based on a protocol encapsulation manner ([0047]: the adding of the service overlay tunnel encapsulation 115 is one or more transport tunnel encapsulation headers using Dot1Q, MPLS, IP, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to program the access router 120 when adding a tunnel header, as taught by McDyson, to add the tunnel header based as a service overlay tunnel encapsulation using Dot1Q, MPLS, IP, etc., as taught by Sharma.
Doing so provides an overlay-based traffic steering technique where the service classifier sends encapsulated packets to a service virtualization endpoint 145 for determining one or more service nodes to perform the desired services (Sharma: Fig. 3, [0013], [0019], [0029]-[0030], [0053], [0055], [0057]), wherein the overlay-based traffic steering technique provides one or more advantages over conventional techniques, such as consistent services interception, redirection, and chaining approach across a variety of services, etc. (Sharma: [0074]).

Regarding claim 38, McDyson in view of Khalid and Chen discloses all features of claim 35 as outlined above. 
While Chen discloses in col. 11 ll. 60-63 to add a tunnel header such as an IP-IP tunnel header, a L2TP tunnel header, a IPSec tunnel header, or a layer 2 tunnel header, McDyson in view of Khalid and Chen does not disclose, but Sharma discloses wherein the program further includes instructions to attach the encapsulation flow identifier to the first data packet based on a protocol encapsulation manner ([0047]: the adding of the service overlay tunnel encapsulation 115 (=encapsulation flow identifier) is one or more transport tunnel encapsulation headers using Dot1Q, MPLS, IP, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to program the access router 120 when adding a tunnel header, as taught by McDyson, to add the tunnel header based as a service overlay tunnel encapsulation using Dot1Q, MPLS, IP, etc., as taught by Sharma.
Doing so provides an overlay-based traffic steering technique where the service classifier sends encapsulated packets to a service virtualization endpoint 145 for determining one or more service nodes to perform the desired services (Sharma: Fig. 3, [0013], [0019], [0029]-[0030], [0053], [0055], [0057]), wherein the overlay-based traffic steering technique provides one or more advantages over conventional techniques, such as consistent services interception, redirection, and chaining approach across a variety of services, etc. (Sharma: [0074]).

Conclusion
 	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THE HY NGUYEN whose telephone number is (571)270-3813.  The examiner can normally be reached on Mo-Fr: 8am-4pm. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Avellino, can be reached on (571) 272-3905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THE HY NGUYEN/               Examiner, Art Unit 2478