Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Applicant’s amendment filed 5/16/2022 has been entered.  Applicant’s amendment to the specification has overcome the objection in the Non-Final office action mailed 2/14/2022.  No claims were amended.  Claims 1-21 are presented for examination.

Response to Arguments
Applicant's arguments filed  5/16/2022 have been fully considered but they are not persuasive.
On page 12, fourth ¶, Applicant argues that Hashmi and Kantecki do not teach the features of claim 1 and there is no motivation to combine the references to provide the features.  Examiner respectfully disagrees.
On page 13, first ¶, Applicant argues that in Hashmi there are no multiple processing units that include the first and second processing unit and that Hashmi teaches a south aggregator.  In the second ¶, Applicant recites Hashmi col 13, lines 53-59, and argues that the destination IP address is previously configured into the south aggregator.
First, it is the §103 combination of Hashmi and Kantecki that teach claim 1.  The Hashmi-Kantecki combination teaches the first and second processing units.  Second, the cited section of Hashmi is an embodiment where the destination address of the tunnel packet may be the south aggregator (Hashmi, Col 13, lines 53-59, The destination IP address in the newly formed tunnel packet may be the IP address of the south aggregator).  Hashmi teaches a virtual private network endpoint where the packets are destined to virtual IP addresses of one or more virtual machines, thus arguing a single destination IP address (south aggregator) is not persuasive (Hashmi Col 2, lines 46-48, forwards the reordered decrypted packets to the customer’s virtual machine, Col 4, lines 27—33, Each of the host computers that implement the customer's VPN may include a communication manager that may modify outgoing packets destined for a virtual IP address of another virtual machine within the customer's virtual private network based on the physical IP addresses used within provider network.)
On page 13, last ¶,  Applicant argues that Kantecki cannot be combined with Hashmi and cites MPEP 2143.01 (VI) THE PROPOSED MODIFICATION CANNOT CHANGE THE PRINCIPLE OF OPERATION OF A REFERENCE as the reason.  Hashmi’s principle of operation is not changed.  Hashmi remains a Secure Tunnel with a virtual private network endpoint node and incoming packets are still distributed across a plurality of crypto units for decryption1.  Kantecki remains a load balancing technique of decrypting packets and distributing processing among multiple cores.2  Thus the principle of operation is not changed.
On page 14, first full ¶, Applicant argues that Hashmi’s crypto units are preconfigured with the address of one (and only one) south aggregator and therefore Hashmi has no reason to look inside the decrypted packed.  Hashmi’s invention transmits the packets to virtual machines (Hashmi Col 13, lines 63-66 The south aggregator also may perform packet reordering (218), a process which may include buffering packets of a given communication flow before transmitting them to the corresponding VPN virtual machine 112)  To obtain the destination VPN address, Hashmi must look inside the decrypted packet, since that is where the destination address can be found after removal of the tunnel.
On page 14, ¶2, Applicant argues that Hashmi’s south aggregator would have to be redesigned because it has a preconfigured address.  Applicant argues that Hashmi’s crypto units would need to perform further processing.  The south aggregator is not the final destination, it is an intermediate processing point.  The packets are forwarded to the destination virtual machine, and that operation remains unchanged.  Forwarding IP Packets is a routine practice and an IP packet may travel though many paths.  Part of the packet path will include crypto units for the outer packet and cores for the inner packet.   Hashmi’s crypto units will continue to perform cryptographic operations.  Again, this argument does not consider the §103 combination of Hashmi and Kantecki.   Kantecki decrypts packets, processes the unencrypted packets and also forwards them.  Hashmi with Kantecki’s modification can still send the processed packet through to an aggregator.  Both the invention and Hashmi-Kantecki will transmit processed packets out an interface.
For the above reasons, the §103 rejection is maintained.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/16/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7, 8-11, 14, 15-18 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hashmi (10,498,529) in view of Kantecki (2016/0182509).

Regarding claim 1, Hashmi teaches
a method for a computer system to perform receive-side processing for encapsulated encrypted packets, wherein the method comprises: 
in response to receiving, over a tunnel, a first encapsulated encrypted packet that includes a first encrypted inner packet and a first outer header, (Hashmi, col 5, lines 31-37, The functionality of each of the cryptographic units 124a-n is to decrypt a packet it receives that has an encrypted payload and to encrypt a packet that it receives in plaintext (i.e., unencrypted) form. The cryptographic units 124a-n thus perform both encryption and decryption functions in support of the network traffic across the secure tunnel 140. In some embodiments, all of the cryptographic units 124a-124n of a given VPN endpoint node 120 are identical in terms of their software load and performance. )
generating a first decrypted inner packet by performing decryption on the first encrypted inner packet and decapsulation to remove the first outer header; and (Hashmi, Col 6, lines 33-44, The selected cryptographic unit 124a-n receives the encrypted packet from the packet aggregator as indicated at 125. The cryptographic unit may unpack the encrypted packet to extract the encrypted payload, which itself may be a fully formed packet (i.e., header, payload, etc.). … The cryptographic unit decrypts the encrypted packet payload.)
in response to receiving, over the tunnel, a second encapsulated encrypted packet that includes a second encrypted inner packet and a second outer header, (Hashmi, col 5, lines 31-37,)
generating a second decrypted inner packet by performing decryption on the second encrypted inner packet and decapsulation to remove the second outer header; and (Hashmi, Col 1, lines 53-60, By decoupling the cryptographic operations from the underlying packet forwarding functions, individual cryptographic units (which may execute on separate host computers from the packet forwarding nodes) can be added to the system and operated in parallel. By parallelizing multiple cryptographic units, multiple packets can be encrypted and/or decrypted concurrently thereby increasing the overall data rate through the cryptographic part of the communication protocol.)  (Examiner Note: Hashmi’s multiple units and packets satisfies first and second packet)
Hashmi does not teach based on content of the first decrypted inner packet, assigning the first decrypted inner packet to a first processing unit.
However Kantecki teaches
based on content of the first decrypted inner packet, assigning the first decrypted inner packet to a first processing unit; and (Kantecki, [0040] The core 455a may then use the header hash to select one of the multiple cores 455 to perform further processing on the decrypted packet. It may be that such a selection of one of the multiple cores 455 to perform the further processing may be limited to one of the cores 455b through 455x, [0063] At 2130, the processor component of the decryption controller (e.g., the processor component 550 of the decryption controller 500) generates a header hash from one or more pieces of information included within the header of the encrypted packet as the processor component of the decryption controller decrypts the encrypted packet to generate a decrypted packet [0070] At 2240, the processor component of the decryption controller uses the header hash to select which core of multiple cores provided by one or more of the main processor components is to be the core to perform further processing on the decrypted packet. At 2250, the processor component of the decryption controller provides at least the decrypted packet to the selected one of the cores. )
based on content of the second decrypted inner packet, assigning the second decrypted inner packet to a second processing unit, thereby distributing post-cryptography processing over multiple processing units that include the first processing unit and second processing unit (Kantecki, [0017] The header hashes generated for each of the packets during their decryption may be used as if they are random numbers for selecting which core each decrypted packet is provided to for processing. [0040] The core 455a may then use the header hash to select one of the multiple cores 455 to perform further processing on the decrypted packet. It may be that such a selection of one of the multiple cores 455 to perform the further processing may be limited to one of the cores 455b through 455x,)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Kantecki’s post decryption processing with Hashmi’s decryption processing because doing so improves load balancing (Kantecki, [0014] It may be deemed desirable to balance the load of such processing among those cores and/or to use those cores to at least identify the destination device towards which the distribution device is to route each packet.)

Regarding claim 2, Hashmi and Kantecki teach
the method of claim 1, wherein generating the first decrypted inner packet comprises:
performing decryption on the first encrypted inner packet based on a security association (SA) associated with the tunnel and identified by the first outer header, wherein the second outer header identifies the same SA (Hashmi, Col 14, lines 51-55, In some embodiments such as those described herein, the tunnel is a secure tunnel over which encrypted packets are transmitted. The encryption and decryption of the packets may be part of the security protocol used to implement the secure tunnel 140. In some security protocols, such as IPSec, the security keys may be regenerated on a configurable periodic basis, on demand, or in accordance with other criteria.) (Examiner Note: security protocol used for the secure tunnel satisfies security association)

Regarding claim 3, Hashmi and Kantecki teach
the method of claim 1, wherein assigning the first decrypted inner packet to the first processing unit comprises: 
selecting, from the multiple processing units, the first processing unit based on header information of the first decrypted inner packet (Kantecki, [0038] FIG. 2A depicts an example in which a decrypted packet and header hash may be provided by the decryption controller 500 to one of the cores 455 more specifically designated as the core 455a to enable that core 455a to use the header hash to select one of the multiple cores 455 to perform further processing. FIG. 2B depicts an example in which the header hash may, instead, be used by the decryption controller 500 to itself select one of the multiple cores 455 to perform further processing.)

Regarding claim 4, Hashmi and Kantecki teach
the method of claim 3, wherein assigning the first decrypted inner packet to the first processing unit comprises: 
calculating a hash value based on one or more of the following header information: source address information, destination address information, source port number, destination port number and protocol information; and (Kantecki [0047] As the processor component 550 is caused to access the header of the encrypted packet 232 as part of executing the decryption component 542 to decrypt the encrypted packet 232, the processor component 550 may also be caused by execution of the hash component 544 to use those accesses to the fields of the header during decryption to retrieve one or more pieces of information stored within one or more of those fields. [0050] In still other embodiments, the hash component 544 may dynamically change what pieces of information are used to generate the header hash 534 per packet based on any of a variety of criterion concerning each packet, including and not limited to, which of the source devices 100 it originated at, what type of data is conveyed within each packet, etc.)
selecting the first processing unit based on the hash value (Kantecki, [0052] Turning more specifically to FIG. 2B, following decryption of the encrypted packet and generation of the header hash, the processor component 550 may then, itself, use the header hash to select one of the multiple cores 455 to perform further processing on the decrypted packet.  [0069] At 2230, the processor component of the decryption controller (e.g., the processor component 550 of the decryption controller 500) generates a header hash from one or more pieces of information included within the header of the encrypted packet as the processor component of the decryption controller decrypts the encrypted packet to generate a decrypted packet. Again, how many and/or which pieces of information in the header of the encrypted packet are to be included in the header hash may be configurable.)

Regarding claim 7, Hashmi and Kantecki teach
the method of claim 1, wherein the method further comprises: 
performing, using the first processing unit, post-cryptography processing on the first decrypted inner packet to forward the first decrypted inner packet towards a first destination; and (Hashmi, Col 2, line 43-47, The crypto units decrypt the encrypted packets distributed to them, and the south aggregator upon receive of the decrypted packets reorders, if appropriate, the received decrypted packets and forwards the reordered decrypted packets to the customer's virtual machine)
performing, using the second processing unit, post-cryptography processing on the second decrypted inner packet to forward the second decrypted inner packet towards a second destination (Hashmi, Col 6, lines 53-58, In some embodiments, the plaintext packet generated by the decryption process may be encapsulated with a preconfigured tunneling header that includes the extracted sequence number in a field within the header, as well as another header to enable the packet to be transmitted to the correct destination IP address
Col 8, lines 1-5, Whether the packets are reordered or not, the packet aggregator 122 forwards each plaintext packet to the destination virtual machine 112 within the VPN 110 designated by the destination IP address within the packet.
Col 5, lines 7-17,  Any one or more of the virtual machines 112 within a virtual network 110 may establish a communication flow with a remote node 150. A communication flow includes packets that are transmitted back and forth across network 145 between the virtual machine 112 within the virtual network 110 and the remote node 150. Each communication flow may be between corresponding applications attempting to communicate with one another to perform a coordinated task. As a virtual network 110 may include multiple virtual machines 112, each such virtual machine may establish its own communication flow with the remote node 150)  
(Examiner Note: Kantecki teaches multiple virtual machines 112, and forwarding designated by the destination IP address which satisfies the limitation for a first and second destination)

Claims 8-11 and 14 are medium claims for the method claims 1-4 and 7 and are rejected for the same reasons as claims 1-4 and 7.

Claims 15-18 and 21 are system claims for the method claims 1-4 and 7 and are rejected for the same reasons as claims 1-4 and 7.


Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hashmi (10,498,529) in view of Kantecki (2016/0182509) in view of Hu (2016/0057108).

Regarding claim 5, Hashmi and Kantecki teach
the method of claim 3, wherein assigning the first decrypted inner packet to the first processing unit comprises: 
Hashmi-Kantecki teach load balancing, but do not teach selecting, from the multiple processing units, the first processing unit based on a load level associated with the first processing unit.
However Hu teaches selecting, from the multiple processing units, the first processing unit based on a load level associated with the first processing unit (Hu, [0018] In various embodiments, the control module 126 receives management information indicative of availability, utilization level, capacity and so on associated with one or more of the IPsec processing units 124. This management information may be received from other elements within the gateway 120, from a Network Management System (NMS), Elements Management System (EMS) or other network entity aware of such information.
[0019] The appropriate IPsec processing unit for a particular IPsec packet is indicated to the load balancer 122 via the mapping list. In various embodiments the selection methodology utilizes operating information associated with the various IPsec processing units to distribute the load of processing the various IPsec tunnels across the available processing units.
[0033] At step 230, the control module selects an available IPsec processing unit to receive/process IPsec packets/traffic associated with a new tunnel request. Referring to box 235, the IPsec processing unit may be selected using any of a number of allocation methodologies, such as a weighted Round Robin algorithm, a random assignment algorithm or some other methodology. For example, various factors such as a current and/or expected processing load associated with each PU may be evaluated within the context of a PU allocation or selection algorithm.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Hu’s packet processing load balancing with Hashmi’s packet processing because doing so improves system efficiency and resiliency (Hu, [0002] IP Security Protocol (IPsec) traffic and other types of traffic are typically load-balancing among the various network entities processing such traffic to maintain system efficiency, resiliency and so on. That is, it is desirable to distribute IPsec traffic among a plurality of IPsec processing units (IPsec PUs) available to process such traffic.)

Claim 12 is a medium claim for the method claim 5 and is rejected for the same reasons as claim 5.

Claim 19 is a system claim for the method claim 5 and is rejected for the same reasons as claim 5.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hashmi (10,498,529) in view of Kantecki (2016/0182509) in view of Tsirkin (2018/0241655).

Regarding claim 6, Hashmi and Kantecki teach 
the method of claim 1, wherein assigning the first decrypted inner packet and the second decrypted inner packet comprises: 
Hashmi-Kantecki teach assigning decrypted inner packets to first and second processing units Kantecki, [0070] At 2240, the processor component of the decryption controller uses the header hash to select which core of multiple cores provided by one or more of the main processor components is to be the core to perform further processing on the decrypted packet. At 2250, the processor component of the decryption controller provides at least the decrypted packet to the selected one of the cores. )
Hashmi does not teach assigning a packet in the form of a first poll mode driver thread.
However Tsirkin teaches assigning the first … packet to the first processing unit in the form of a first poll mode driver (PMD) thread and 
assigning the second … packet to the second processing unit in the form of a second PMD thread for post-cryptography processing (Tsirkin [0021] An example application may include one or more driver threads and one or more forwarding threads. In an example, the application 170A may include a Data Plane Development Kit (DPDK) 210. The DPDK 210 may be a set of data plane libraries and network interface controller drivers that may enable packets to bypass the kernel for fast packet processing. In an example, the DPDK 210 may include a poll mode driver configured to poll the NIC 155 (i.e., scanning the NIC 155 whether packets arrived or not) or the receive queue 157 without using interrupts. In an example, the driver thread 220 and the forwarding threads 230A-C may be a thread of the DPDK 210. In this case, the driver thread 220 may be a thread of the poll mode driver.
  [0022] When a new packet arrives in the system, the new packet may be placed in the receive queue 157 of the NIC 155. Then, the driver thread 220 may retrieve the packet from the receive queue 157. The DPDK 210 may pass the incoming packet from the driver thread 220 to one of the forwarding threads 230A-C.)
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Tsirkin’s poll mode driver for processing packets in a DPDK with Hashmi’s packet processing because doing so reduces system call overhead (Tsirkin [0009] using a Data Plane Development Kit (DPDK), may pass incoming packets from a driver thread to multiple forwarding threads, depending on the contents of the packets. The forwarding thread may typically block (i.e., the CPU on which the forwarding thread was running may be halted and enter into a lower power state) when there are no packets to handle. In order to block, the forwarding thread may need to issue a system call. When a system call is issued, the CPU on which the forwarding thread is running, may switch a context from a user space mode to a kernel space mode to process the instruction (e.g., block instruction) in a privileged mode, and this context switch may be a source of system latency. In order to wake up the forwarding thread, the driver thread may need to issue another system call when a new packet arrives for the forwarding thread. This may increase the system call overhead, which is not be affordable for a system with demanding workloads, such as an NFV system. One way to reduce the system call overhead may be to have the forwarding threads poll (i.e., continuously check) the user space memory, which is updated by the driver thread when a new packet arrives.)

Claim 13 is a medium claim for the method claim 6 and is rejected for the same reasons as claim 6.

Claim 20 is a system claim for the method claim 6 and is rejected for the same reasons as claim 6.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BRUCE S ASHLEY/Examiner, Art Unit 2494                                                                                                                                                                                                        
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        5-31-2022


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Hashmi Abstract A virtual private network (VPN) endpoint node is implemented  …The packet aggregator is configured to distribute incoming encrypted packets from a secure tunnel across the plurality of cryptographic units. Each cryptographic unit is configured to decrypt incoming encrypted packets from the packet aggregator and to encrypt outgoing plaintext packets for transmission across the secure tunnel.  Col 1, lines 53-57 By decoupling the cryptographic operations from the underlying packet forwarding functions, individual cryptographic units (which may execute on separate host computers from the packet forwarding nodes) can be added to the system and operated in parallel.
        2 Kantecki [0011] Various embodiments are generally directed to techniques to distribute encrypted network packets among multiple cores in a load-balanced manner for further processing and/or routing to destination devices. [0012] Alternatively or additionally, any of a variety of types of processing may be performed by the distribution device on the data making up the payload of at least some of the packets following decryption and before routing the packets onward.