Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
	The present Application is a continuation application of U.S. Patent Application 14/929,405, filed November1, 2015. U.S. Patent Application 14/929,405, filed November
1,2015, now published as U.S. Patent Publication 2017/0063794. U.S. Patent Application
14/929,405 claims benefit of U.S. Provisional Patent Application 62/211,677, filed 08/28/2015.
DETAILED ACTION
	This Office Action is in response to an amendment application received on 03/17/2022. In the amendment, applicant has amended claims 22-23, 29, 31-32 and 36. Claims 24-28, 30, 33-35 and 37-41 remain original. Claims 1-21 remain cancelled. 
	For this Office Action, claims 22-41 (total of 20 claims) have been received for consideration and have been examined. 
Response to Arguments
Claim Rejection – 35 USC § 112
	Applicant’s amendments to claims 22, 29, 31, 32 and 36 have been reviewed by the examiner and appear to overcome the 35 USC § 112(b) rejection. Therefore this rejection has been withdrawn. 
Claim Rejection – 35 USC § 102
	Applicant’s remarks regarding claim rejection under 35 USC § 102 have been reviewed by the examiner, however, they are unpersuasive. After review, applicant’s remarks have been summarized as follows:
Rejection of Claims 22 and 24-35 (Page # 9-10)1. Applicant alleges that Ramasamy fails to disclose or suggest a service operation performed, based on an identified RD attribute set, on the same data message that has the RDM attribute set inserted into its header (Page # 9). 
2. Furthermore, Ramasamy does not disclose or suggest forwarding the data message and inserting the identified RDM attribute set in a tunnel header for identifying a service operation to perform on the data message at a set of one or more network elements within the network (Page # 9-10).
Examiner’s Response
	Regarding remark # 1, examiner respectfully disagree that Ramasamy fails to disclose that service operation is not performed on the same message and instead being performed on the subsequently received packets as alleged by the applicant. Ramasamy clearly illustrates in light of FIG. 3 flowchart that an interceptor receives traffic (which is construed as ‘a data message’) from a client in step 30. The interceptor examines (which is construed as ‘identifying step’) the flow information associated with the received traffic in step 32 and when the flow information is found in step 34, the interceptor forwards the traffic [the data message] in stpep 36 to the identified service device (which is construed as ‘a particular network element’) found in the flow information (See [0027]). Therefore, applicant’s statement is incorrect that Ramasamy is performing the operation on subsequent data packets and not on the same data packet. 
	Regarding remark # 2, examiner respectfully disagree that Ramasamy fails to disclose forwarding the data message and inserting the identified RDM attribute set in a tunnel header for identifying a service operation to perform on the data message at a set of one or more network elements within the network. Ramasamy discloses forwarding the data message as described in response to remark # 1. Ramasamy also teaches updating/encapsulating packet header with session information which is eventually used by the interceptor to further forward the packet to the destination identified in the packet. Ramasamy further teaches that updating/encapsulating steps can be performed through Layer 3 or Layer 2 tunneling protocols (See [0033-0035]). 
Rejection of Claim 23 (Page # 10-11)
Applicant’s arguments with respect to claim 23 have been considered but are moot because applicant’s amendments to claim 23 has changed ground of rejection that does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Rejection of Claims 36-41 (Page # 11-13)
Applicant’s arguments with respect to claim 36-41 have been considered but are moot because applicant’s amendments to claim 36 has changed ground of rejection that does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.	

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 22, 24-27 and 35 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ramasamy et al., (US20130073743A1).
Regarding claim 22, Ramasamy discloses:
A method for processing remote-device data messages entering a network, the method comprising: 
receiving a data message (See FIG.3; i.e. interceptor 16 receive traffic from client 10) sent by a remote device (See FIG.3; i.e. client 10) (See FIG. 1; i.e. client 10) (See [0027] FIG. 3 is a flowchart illustrating an overview of a process for services controlled session based flow interception … At step 30, the interceptor 16 receives traffic from client 10); 
identifying a set of remote device management (RDM) attributes (See [0031] where flow identifier may include any combination of source node identifier, destination node identifier, and protocol. The source and destination node identifiers may include, for example, an IP address or IP address and port) (See FIG. 2; flow table 28 and [0023] For example, the memory 24 may store one or more flow tables 28 for use in identifying traffic and flows associated with a specific session and directing the traffic to one of the service devices 18) associated with the received data message (See FIG. 3 and FIG. 4A-C; [0019] As shown in FIG. 1, packets 15 are transmitted on communication paths between the client 10 and server 12, and between the interceptor 16 and service devices 18. A flow is a sequence of packets sent from a source to a destination that the source desires to label as a flow. The flow may be identified, for example, by a five tuple {protocol, source IP address, destination IP address, source port, destination port}; [0027] As described above with respect to FIG. 1, the traffic interceptor 16 is in communication with a plurality of service devices 18 and stores session information received from the service devices. The session information identifies flows associated with a session and the service device associated with the session (e.g., the service device transmitting the session information; [0031] The flow identifier may include any combination of source node identifier, destination node identifier, and protocol. The source and destination node identifiers may include, for example, an IP address or IP address and port)); and 
based on the RDM attribute set, forwarding the data message to a particular network element (See FIG. 3; i.e. service node/device 18 as particular network device) (See FIG.3; [0017] For simplification, only two service nodes 18 are shown in FIG. 1, however, the interceptor 16 may be in communication with any number of service nodes and any number of clusters of service nodes, with each cluster providing a different service; [0027] The session information may be received directly from the service device 18 or from another traffic interceptor 16. At step 30, the interceptor 16 receives traffic from client 10 (FIGS. 1 and 3). The interceptor 16 searches the session information for a flow associated with the received traffic (step 32). For example, the interceptor 16 may perform a lookup in flow table 28 using information contained in a received packet. If a match is found, the packet is forwarded to the service device 18 identified in the flow table (steps 34 and 36)) within the network via a tunnel ([0022] For example, non-IP protocols may be used and encapsulation (e.g., IP GRE, IP-in-IP, L2 tunnels) may also be used; [0035] Upon receiving the packet from the service device 18, the interceptor 16 strips the header ((a)-(f)) and forwards the packet to the destination identified in the packet. The encapsulation shown above is for an L3 (Layer 3) GRE tunnel) and 
inserting the identified RDM attribute set in a header of the tunnel ([0022] the protocols discussed herein are only examples and other protocols may be used without departing from the scope of the embodiments. For example, non-IP protocols may be used and encapsulation (e.g., IP GRE, IP-in-IP, L2 tunnels) may also be used; [0033] In one embodiment, a header containing the session information is added to a packet; [0034] The portion of the frame labeled (a)-(f) is the additional header/encapsulation that is added to the packet by the service node 18 to provide session information to the interceptor 16. The portion labeled (g) is the original header and payload of the packet. In the example shown above, the new header includes: (a) MAC address of interceptor; (b) IP header for GRE (Generic Routing Encapsulation); (c) GRE header; (d) Service Wire TLV (type length value) header and Inter-WAAS TLV; (e) session information (corresponds to X bytes in length); and (f) optional egress information (corresponds to Y part in length)); 
said inserted RDM attribute set in the tunnel header for identifying a service operation (i.e. data added as per identified session oriented protocols) to perform on the data message at a set of one or more network elements within the network ([0035] Upon receiving the packet from the service device 18, the interceptor 16 strips the header ((a)-(f)) and forwards the packet to the destination identified in the packet; [0041] In order to handle session oriented protocols, the firewall can add additional flow entries to handle future sessions. In this case, five tuples may be used to identify flows that need to be sent to the same service device 18. Examples include FTP (File Transfer Protocol) (control and data connections need to be sent to the same service device 18), DCE RPC (EPM (End Point Mapper) and data connections), RSH (remote shell) (data connection is from client to server, error connection is from server to client), RTSP (Real Time Streaming Protocol) (control (TCP) and two data connections (UDP) need to be sent to the same service device).
Regarding claim 24, Ramasamy discloses:
The method of claim 22, wherein the particular network element is a device that performs a middlebox service operation (i.e. performing firewall services) on the forwarded data message based on the identified RDM attribute set ([0028] a service device 18 configured for performing firewall services identifies the transformation applied to a packet and informs the interceptor 16 about the {protocol, src-ip, src-port, dst-ip, dst-port} corresponding to before network address translation flow and after network address translation flow so that the interceptor can send the packets that match these flows to the same service device).
Regarding claim 25, Ramasamy discloses:
The method of claim 24, wherein the device performs the middlebox service operation by using the inserted RDM attribute set to identify a service rule (i.e. flow entries in FIGS. 4A-4C) that specifies the service operation to perform on the forwarded data message (See FIG. 3; and FIG. 4A-C; [0032] FIGS. 4A-4C illustrate examples of flow tables for storing session information. The interceptor 16 may include a five tuple flow table 50 (FIG. 4A), a four tuple flow table 52 (FIG. 4B), a three tuple flow table 54 (FIG. 4C), or any combination thereof. In the example shown in FIG. 4A, the table 50 includes a plurality of entries each comprising a five tuple and a corresponding service device (e.g., A, B, . . . ). The flow entries may identify, for example, a flow before network address translation and a flow after network address translation, both of which belong to the same session and are assigned to the same service device 18. As shown in FIG. 4B, the interceptor 16 may maintain a four tuple flow table 52 with source port variable. The interceptor 16 may also maintain a three tuple flow table 54 (FIG. 4C) with protocol and source port variable. When packets are received at the interceptor 16, a lookup is performed in all of the tables and the lookup result from the most specific table is used to identify the source device 18 to which the interceptor redirects the flow).
Regarding claim 26, Ramasamy discloses:
The method of claim 22, wherein the particular network element executes a middlebox service node that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set (See FIG. 3; and FIG. 4A-C; [0032] FIGS. 4A-4C illustrate examples of flow tables for storing session information. The interceptor 16 may include a five tuple flow table 50 (FIG. 4A), a four tuple flow table 52 (FIG. 4B), a three tuple flow table 54 (FIG. 4C), or any combination thereof. In the example shown in FIG. 4A, the table 50 includes a plurality of entries each comprising a five tuple and a corresponding service device (e.g., A, B, . . . ). The flow entries may identify, for example, a flow before network address translation and a flow after network address translation, both of which belong to the same session and are assigned to the same service device 18. As shown in FIG. 4B, the interceptor 16 may maintain a four tuple flow table 52 with source port variable. The interceptor 16 may also maintain a three tuple flow table 54 (FIG. 4C) with protocol and source port variable. When packets are received at the interceptor 16, a lookup is performed in all of the tables and the lookup result from the most specific table is used to identify the source device 18 to which the interceptor redirects the flow).
Regarding claim 27, Ramasamy discloses:
The method of claim 26, wherein the middlebox service operation comprises one of a firewall operation, a load balancing operation, a logical network segmentation operation, and a destination network address translation operation on the data message based on the inserted RDM attribute set ([0028] a service device 18 configured for performing firewall services identifies the transformation applied to a packet and informs the interceptor 16 about the {protocol, src-ip, src-port, dst-ip, dst-port} corresponding to before network address translation flow and after network address translation flow so that the interceptor can send the packets that match these flows to the same service device).
Regarding claim 35, Ramasamy discloses:
The method of claim 22, wherein the set of network element comprises the particular network element ([0017] For simplification, only two service nodes 18 are shown in FIG. 1, however, the interceptor 16 may be in communication with any number of service nodes and any number of clusters of service nodes, with each cluster providing a different service).


Claim 23 rejected under 35 U.S.C. 102(a)(2) as being anticipated by Yong et al., (US20140086253A1).
Regarding claim 23, Ramasamy discloses:
	A method for processing remote-device data messages entering a network, the method comprising: 
receiving a data message (i.e., FIG. 8; step 810) sent by a remote device (i.e., remote Tenant System (TS)) through a first tunnel (i.e., FIG. 2; Tunnel 140 b between NVE 120a and OVG 220) that connects the remote device to the network ([0041] a pair of NVEs (e.g. NVE 120 a and NVE 120 c) supports different encapsulation types and require an OVG 220 to perform encapsulation translation; [0051] FIG. 8 illustrates a flowchart of an example embodiment of a method 800 for routing data traffic at an NVE, which may be implemented by an NVE 120, as shown in FIG. 2. Method 800 may begin with receiving a data packet at step 810); 
identifying (i.e., encapsulation translation by OVG 220 to find out that packet is destined for NVE 120 c) a set of remote device management (RDM) attributes (i.e., IP address of destination NVE 120 C) associated with the received data message ([0045] When OVG 220 receives a VXLAN encapsulated packet from NVE 120 a, OVG 220 may perform encapsulation translation from VXLAN to NVGRE; Also see FIG. 8; [0053] discloses in step 835 determining IP address of destination node [NVE 120 c]); and 
based on the RDM attribute set (i.e., by determining header for destination IP address information), forwarding the data message to a particular network element (i.e., NVE 120 C) within the network via a second tunnel (i.e., Tunnel 140 d between OVG 220 and NVE 120 C) ([0045] FIG. 5 illustrates an example embodiment of a packet header 500 of a packet forwarded from OVG 220 to NVE 120 c over overlay tunnel 140 d as shown in FIG. 2) and
inserting the identified RDM attribute set in a tunnel header ([0045] That is, OVG 220 may remove the original VXLAN encapsulation header 320 and add a new NVGRE encapsulation header 520. OVG 220 may also set the destination IP address in the outer address field 310 to NVE 120 c's IP address 511 and keep the source IP address in the outer address field 310 as NVE 120 a's IP address 312), 
N195.07.C1 (NCRA.P0392C)-- 3 --said inserted RDM attribute set in the tunnel header for identifying a service operation (i.e., Service function Type mentioned in packet headers depicted in FIG. 11) to perform on the data message at a set of one or more network elements within the network ([0064] The supported service function message value 1330 may include service function types, such as firewall, intrusive protection service, intrusive detection service, load balancing, network address translation (NAT), and other service function types).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 28-31 are rejected under 35 U.S.C. 103 as being unpatentable over Ramasamy et al., (US20130073743A1) in view of Yong., (US20140086253A1).
Regarding claim 28, Ramasamy fails to disclose:
	The method of claim 27 further comprising performing, at a VPN gateway, a load balancing operation to select the particular network element from a plurality of service network elements that perform the service operation, wherein the VPN gateway forwards data messages to at least two different service network elements along at least two different tunnels.
However, Yong discloses:
	performing, at a VPN gateway (See FIG. 2; i.e. Overlay Virtual Gateway 220 (OVG) or an Network Virtual Edge (NVEs)), a load balancing operation (See [0039] i.e. load balancing ) to select the particular network element (See [0038] i.e. selecting appropriate next hop NVE node(s) which support different data plane encapsulations) from a plurality of service network elements that perform the service operation, wherein the VPN gateway forwards data messages to at least two different (See FIG.2; #1 OVG 220 and #2 NVE 120 c) service network elements (See FIG. 2; i.e. NVE 120 a forwarding data packet to OVG 220 through tunnel 140 b destined for NVE 120 c and when OVG 220 receives the packet from NVE 120 a destined for NVE 120 c, OVG 220 re-encapsulate the packet and forward it to NVE 120 c through tunnel 140 d) along at least two different tunnels (See FIG. 2; i.e. tunnel 140 b and tunnel 140 d) ([0038] FIG. 2 illustrates an example of another embodiment of an overlay network system 200 comprising an OVN 230 with different data plane encapsulations. In overlay network system 200, NVEs 120 a and 120 b may support VXLAN encapsulation, and NVE 120 c may support NVGRE encapsulation but not VXLAN encapsulation … NVE 120 a may need to forward the data packets to an OVG 220 via an overlay tunnel 140 b that can support both VXLAN and NVGRE encapsulation. Similarly, NVE 120 b may forward packets destined to NVE 120 c to OVG 220 via an overlay tunnel 140 c. When OVG 220 receives a VXLAN encapsulated packet destined to NVE 120 c from NVE 120 a, OVG 220 may perform encapsulation translation from VXLAN to NVGRE. An overlay tunnel 140 d may be built between OVG 220 and NVE 120 c so that OVG 220 may forward the NVGRE encapsulated packets to NVE 120 c; [0039] In one example embodiment, a DC operator may configure several OVGs 220 in a network overlay instance for load balancing. OVGs 220 in an OVN 230 may establish tunnels between each other and may perform load balancing on one or more OVGs 220).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy reference and include a method and system of creating a network of multiple overlay virtual network (OVN) devices, as disclosed by Yong.
	The motivation of creating a network of multiple overlay virtual network (OVN) devices is to facilitate multiple data plane encapsulation using different tunnels supporting different encapsulation protocols (See Yong: [0005]).
Regarding claim 29, Ramasamy fails to disclose:
	The method of claim 22, wherein the tunnel is a first tunnel, the method further comprising: receiving, at a virtual private network (VPN) gateway, the data message sent by the remote device through a second tunnel that connects the remote device to the network; intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to a destination within the network; and encapsulating the data message with a tunnel header for the first tunnel to forward the intercepted data message along the first tunnel to the particular node.
However, Yong discloses:
	wherein the tunnel is a first tunnel (See FIG. 2; i.e. tunnel 140 b), the method further comprising:
receiving (See FIG. 9 step 910), at a virtual private network (VPN) gateway (See FIG. 2; i.e. OVG 220), the data message sent by the remote device (See FIG. 2; i.e. NVE 120 a) through a second tunnel (See Fig. 2; 140 d) that connects the remote device to the network ([0038] NVE 120 b may forward packets destined to NVE 120 c to OVG 220 via an overlay tunnel 140 c. When OVG 220 receives a VXLAN encapsulated packet destined to NVE 120 c from NVE 120 a, OVG 220 may perform encapsulation translation from VXLAN to NVGRE;  [0055] FIG. 9 illustrates a flowchart of an example embodiment of a method 900 for performing data plane functions at an OVG. Method 900 may be implemented by an OVG 220, as described in FIG. 2. Method 900 may begin with receiving an overlay data packet via an overlay tunnel as shown in step 910);
intercepting the data message from an egress path of the VPN gateway as the VPN gateway forwards the data message to a destination within the network ([0038] NVE 120 a may need to forward the data packets to an OVG 220 via an overlay tunnel 140 b that can support both VXLAN and NVGRE encapsulation. Similarly, NVE 120 b may forward packets destined to NVE 120 c to OVG 220 via an overlay tunnel 140 c; See FIG. 9; [0055] At step 920, method 900 may decapsulate (i.e. removing the encapsulation header) the data packet according to the encapsulation type used by the ingress NVE); and 
encapsulating the data message with a tunnel header for the first tunnel to forward the intercepted data message along the first tunnel to the particular node (See [0005] i.e. destination Tenant System) (See FIG. 9; [0056] At step 930, method 900 may retrieve an address mapping table entry with a mapping of the destination TS address to its associated NVE address (i.e. egress NVE address) … At step 940, method 900 may retrieve a forwarding table entry based on the egress NVE's IP address, where the forwarding table entry may comprise the egress NVE's route and supported encapsulation type. At step 950, method 900 may encapsulate the data packet (i.e. adding an encapsulation header) according to the encapsulation type supported at the egress NVE. At step 960, method 900 may update the tunnel header of the data packet by setting the destination IP address to the egress NVE's IP address and keeping the source IP address as the ingress NVE's IP address … At step 970, method 900 may send the data packet to the egress NVE).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy reference and include a method and system of creating a network of multiple overlay virtual network (OVN) devices, as disclosed by Yong.
	The motivation of creating a network of multiple overlay virtual network (OVN) devices is to facilitate multiple data plane encapsulation using different tunnels supporting different encapsulation protocols (See Yong: [0005]).
Regarding claim 30, Ramasamy fails to disclose:
The method of claim 22, wherein the tunnel is a first tunnel, the method further comprises receiving, at a virtual private network (VPN) gateway, the data message sent by the remote device through a second tunnel that connects the remote device to the network, and the particular network element and the VPN gateway operate on two different physical devices.
However, Yong discloses:
	wherein the tunnel is a first tunnel, the method further comprises receiving, at a virtual private network (VPN) gateway, the data message sent by the remote device through a second tunnel that connects the remote device to the network ([0055] FIG. 9 illustrates a flowchart of an example embodiment of a method 900 for performing data plane functions at an OVG. Method 900 may be implemented by an OVG 220, as described in FIG. 2. Method 900 may begin with receiving an overlay data packet via an overlay tunnel as shown in step 910 … At step 920, method 900 may decapsulate (i.e. removing the encapsulation header) the data packet according to the encapsulation type used by the ingress NVE; [0056] At step 930, method 900 may retrieve an address mapping table entry with a mapping of the destination TS address to its associated NVE address (i.e. egress NVE address) … At step 940, method 900 may retrieve a forwarding table entry based on the egress NVE's IP address, where the forwarding table entry may comprise the egress NVE's route and supported encapsulation type. At step 950, method 900 may encapsulate the data packet (i.e. adding an encapsulation header) according to the encapsulation type supported at the egress NVE. At step 960, method 900 may update the tunnel header of the data packet by setting the destination IP address to the egress NVE's IP address and keeping the source IP address as the ingress NVE's IP address … At step 970, method 900 may send the data packet to the egress NVE), and 
the particular network element (See FIG. 2; i.e. NVE 120 c) and the VPN gateway (See FIG. 2; i.e. OVG 220) operate on two different physical devices ([0038] In overlay network system 200, NVEs 120 a and 120 b may support VXLAN encapsulation, and NVE 120 c may support NVGRE encapsulation but not VXLAN encapsulation. In order to facilitate communications among NVEs 120 a-c, an OVG 220 that supports both VXLAN and NVGRE encapsulations may be used to translate encapsulation semantics between the different encapsulations).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy reference and include a method and system of creating a network of multiple overlay virtual network (OVN) devices, as disclosed by Yong.
	The motivation of creating a network of multiple overlay virtual network (OVN) devices is to facilitate multiple data plane encapsulation using different tunnels supporting different encapsulation protocols (See Yong: [0005]).
Regarding claim 31, Ramasamy fails to disclose:
The method of claim 22, wherein the tunnel is a first tunnel, the method program further comprising: receiving, at a virtual private network (VPN) gateway, the data message sent by the remote device through a second tunnel that connects the remote device to the network; and receiving at least a subset of the RDM attribute set in a header of the second tunnel.
However, Yong discloses:
	wherein the tunnel is a first tunnel, the method program further comprising:
receiving, at a virtual private network (VPN) gateway, the data message sent by the remote device through a second tunnel that connects the remote device to the network ([0055] FIG. 9 illustrates a flowchart of an example embodiment of a method 900 for performing data plane functions at an OVG. Method 900 may be implemented by an OVG 220, as described in FIG. 2. Method 900 may begin with receiving an overlay data packet via an overlay tunnel as shown in step 910 … At step 920, method 900 may decapsulate (i.e. removing the encapsulation header) the data packet according to the encapsulation type used by the ingress NVE; [0056] At step 930, method 900 may retrieve an address mapping table entry with a mapping of the destination TS address to its associated NVE address (i.e. egress NVE address) … At step 940, method 900 may retrieve a forwarding table entry based on the egress NVE's IP address, where the forwarding table entry may comprise the egress NVE's route and supported encapsulation type. At step 950, method 900 may encapsulate the data packet (i.e. adding an encapsulation header) according to the encapsulation type supported at the egress NVE. At step 960, method 900 may update the tunnel header of the data packet by setting the destination IP address to the egress NVE's IP address and keeping the source IP address as the ingress NVE's IP address … At step 970, method 900 may send the data packet to the egress NVE); and
receiving at least a subset of the RDM attribute set (See FIG. 4 & FIG 8; i.e. packet header containing IP address and type of encapsulation supported at the ingress NVE) in a header of the second tunnel ([0044] FIG. 4 illustrates an example embodiment of a packet header 400 of a packet destined to NVE 120 c that is sent from NVE 120 a to OVG 220 over the overlay tunnel 140 b as shown in FIG. 2. The packet header 400 may be similar to packet header 300, except the destination IP address in the outer address field 310 is set to OVG 220 IP address 411 by OVG 220; [0051] At step 834, method 800 may encapsulate the data packet according to the encapsulation type supported at the ingress NVE (e.g. adding an encapsulation header as shown in FIG. 4)).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy reference and include a method and system of creating a network of multiple overlay virtual network (OVN) devices, as disclosed by Yong.
	The motivation of creating a network of multiple overlay virtual network (OVN) devices is to facilitate multiple data plane encapsulation using different tunnels supporting different encapsulation protocols (See Yong: [0005]).

Claims 32-34 are rejected under 35 U.S.C. 103 as being unpatentable over Ramasamy et al., (US20130073743A1) in view of Yong., (US20140086253A1) and further in view of Jacobsen et al., (US9894099B1).
Regarding claim 32, the combination of Ramasamy and Yong discloses:
	The method of claim 22, wherein the tunnel is a first tunnel, the program further comprising:
at a virtual private network (VPN) gateway, receiving the data message sent by the remote device through a second tunnel that connects the remote device to the network (Yong: [0038] NVE 120 b may forward packets destined to NVE 120 c to OVG 220 via an overlay tunnel 140 c. When OVG 220 receives a VXLAN encapsulated packet destined to NVE 120 c from NVE 120 a, OVG 220 may perform encapsulation translation from VXLAN to NVGRE;  [0055] FIG. 9 illustrates a flowchart of an example embodiment of a method 900 for performing data plane functions at an OVG. Method 900 may be implemented by an OVG 220, as described in FIG. 2. Method 900 may begin with receiving an overlay data packet via an overlay tunnel as shown in step 910);
receiving at least a subset of the RDM attribute set (Yong: [0044] FIG. 4 illustrates an example embodiment of a packet header 400 of a packet destined to NVE 120 c that is sent from NVE 120 a to OVG 220 over the overlay tunnel 140 b as shown in FIG. 2. The packet header 400 may be similar to packet header 300, except the destination IP address in the outer address field 310 is set to OVG 220 IP address 411 by OVG 220; [0051] At step 834, method 800 may encapsulate the data packet according to the encapsulation type supported at the ingress NVE (e.g. adding an encapsulation header as shown in FIG. 4)).
The combination of Ramasamy and Yong fails to disclose:
receiving the RDM attribute set from an RDM server that the VPN gateway uses to authenticate a request from the remote device to establish a VPN session.
However, Jacobsen discloses:
	receiving the RDM attribute set from an RDM server (See FIG. 1; i.e. Mobile Device Management (MDM) Server) that the VPN gateway (See FIG.1; i.e. Access Gateway 126) uses to authenticate a request from the remote device to establish a VPN session (Col. 14, Line # 55-67; In some embodiments, the MDM service can be configured to automatically send HIP data for managed mobile devices to one or more of the access/VPN gateways for the enterprise (e.g., to selected access/VPN gateways based on various criteria/parameter(s), such as described herein). For example, the gateways and the MDM server can mutually authenticate (e.g., verify the full certificate chain). In some embodiments, the MDM server verifies that HIP data is sent only to an authorized access/VPN gateway and not any arbitrary gateway (e.g., HIP data for mobile devices for ACME Company is only sent the gateways that belong to ACME Company and have been authorized by ACME Company)).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy and Yong references and include mobile device management (MDM) service to automatically send mobile device authentication data to network gateway, as disclosed by Jacobsen.
	The motivation to include MDM service automatically send mobile device authentication data to network gateway is to ensure Host Information Profile (HIP) data is sent only to an authorized Virtual Private Network (VPN) gateway and not any arbitrary gateway device (See Jacobsen: Col. 14, Line # 55-67).
Regarding claim 33, the combination of Ramasamy, Yong and Jacobsen discloses:
	The method of claim 32, wherein receiving the RDM attribute subset comprises receiving the RDM attribute subset as part of an authentication approval from the RDM server (Jacobsen: Col. 14, Line # 55-67; In some embodiments, the MDM service can be configured to automatically send HIP data for managed mobile devices to one or more of the access/VPN gateways for the enterprise (e.g., to selected access/VPN gateways based on various criteria/parameter(s), such as described herein). For example, the gateways and the MDM server can mutually authenticate (e.g., verify the full certificate chain). In some embodiments, the MDM server verifies that HIP data is sent only to an authorized access/VPN gateway and not any arbitrary gateway (e.g., HIP data for mobile devices for ACME Company is only sent the gateways that belong to ACME Company and have been authorized by ACME Company)).
Regarding claim 34, the combination of Ramasamy, Yong and Jacobsen discloses:
The method of claim 32 further comprising receiving an authentication approval from the RDM server, wherein receiving the RDM attribute subset comprises receiving the RDM attribute subset in a communication from the RDM server that is separate from the authentication approval (Jacobsen: Col. 14, Line # 55-67; In some embodiments, the MDM service can be configured to automatically send HIP data for managed mobile devices to one or more of the access/VPN gateways for the enterprise (e.g., to selected access/VPN gateways based on various criteria/parameter(s), such as described herein). For example, the gateways and the MDM server can mutually authenticate (e.g., verify the full certificate chain). In some embodiments, the MDM server verifies that HIP data is sent only to an authorized access/VPN gateway and not any arbitrary gateway (e.g., HIP data for mobile devices for ACME Company is only sent the gateways that belong to ACME Company and have been authorized by ACME Company)).

Claims 36-41 are rejected under 35 U.S.C. 103 as being unpatentable over Ramasamy et al., (US20130073743A1) in view of Jacobsen et al., (US9894099B1).
Regarding claim 36, Ramasamy discloses:
A non-transitory machine readable medium storing a program for processing remote- device data messages entering a network, the program comprising sets of instructions for:
receiving a data message (See FIG.3; i.e. interceptor 16 receive traffic from client 10) sent by a remote device (See FIG.3; i.e. client 10) (See FIG. 1; i.e. client 10) (See [0027] FIG. 3 is a flowchart illustrating an overview of a process for services controlled session based flow interception … At step 30, the interceptor 16 receives traffic from client 10); 
identifying a set of remote device management (RDM) attributes (See [0031] where flow identifier may include any combination of source node identifier, destination node identifier, and protocol. The source and destination node identifiers may include, for example, an IP address or IP address and port) (See FIG. 2; flow table 28 and [0023] For example, the memory 24 may store one or more flow tables 28 for use in identifying traffic and flows associated with a specific session and directing the traffic to one of the service devices 18) associated with the received data message (See FIG. 3 and FIG. 4A-C; [0019] As shown in FIG. 1, packets 15 are transmitted on communication paths between the client 10 and server 12, and between the interceptor 16 and service devices 18. A flow is a sequence of packets sent from a source to a destination that the source desires to label as a flow. The flow may be identified, for example, by a five tuple {protocol, source IP address, destination IP address, source port, destination port}; [0027] As described above with respect to FIG. 1, the traffic interceptor 16 is in communication with a plurality of service devices 18 and stores session information received from the service devices. The session information identifies flows associated with a session and the service device associated with the session (e.g., the service device transmitting the session information; [0031] The flow identifier may include any combination of source node identifier, destination node identifier, and protocol. The source and destination node identifiers may include, for example, an IP address or IP address and port)); and 
based on the RDM attribute set, forwarding the data message to a particular network element (See FIG. 3; i.e. service device 18 as particular network device) (See FIG.3; [0027] The session information may be received directly from the service device 18 or from another traffic interceptor 16. At step 30, the interceptor 16 receives traffic from client 10 (FIGS. 1 and 3). The interceptor 16 searches the session information for a flow associated with the received traffic (step 32). For example, the interceptor 16 may perform a lookup in flow table 28 using information contained in a received packet. If a match is found, the packet is forwarded to the service device 18 identified in the flow table (steps 34 and 36)) within the network via a tunnel ([0022] For example, non-IP protocols may be used and encapsulation (e.g., IP GRE, IP-in-IP, L2 tunnels) may also be used; [0035] Upon receiving the packet from the service device 18, the interceptor 16 strips the header ((a)-(f)) and forwards the packet to the destination identified in the packet. The encapsulation shown above is for an L3 (Layer 3) GRE tunnel) and 
inserting the identified RDM attribute set in a header of the tunnel ([0022] the protocols discussed herein are only examples and other protocols may be used without departing from the scope of the embodiments. For example, non-IP protocols may be used and encapsulation (e.g., IP GRE, IP-in-IP, L2 tunnels) may also be used; [0033] In one embodiment, a header containing the session information is added to a packet; [0034] The portion of the frame labeled (a)-(f) is the additional header/encapsulation that is added to the packet by the service node 18 to provide session information to the interceptor 16. The portion labeled (g) is the original header and payload of the packet. In the example shown above, the new header includes: (a) MAC address of interceptor; (b) IP header for GRE (Generic Routing Encapsulation); (c) GRE header; (d) Service Wire TLV (type length value) header and Inter-WAAS TLV; (e) session information (corresponds to X bytes in length); and (f) optional egress information (corresponds to Y part in length)); 
said inserted RDM attribute set in the tunnel header for identifying a service operation (i.e. data added as per identified session oriented protocols) to perform on the data message at a set of one or more network elements within the network ([0035] Upon receiving the packet from the service device 18, the interceptor 16 strips the header ((a)-(f)) and forwards the packet to the destination identified in the packet; [0041] In order to handle session oriented protocols, the firewall can add additional flow entries to handle future sessions. In this case, five tuples may be used to identify flows that need to be sent to the same service device 18. Examples include FTP (File Transfer Protocol) (control and data connections need to be sent to the same service device 18), DCE RPC (EPM (End Point Mapper) and data connections), RSH (remote shell) (data connection is from client to server, error connection is from server to client), RTSP (Real Time Streaming Protocol) (control (TCP) and two data connections (UDP) need to be sent to the same service device).
Ramasamy fails to disclose:
	attributes (Host Information Profile (HIP) data) specified by RDM system (mobile device management (MDM) service) that manages the remote (host) device.
However, Jacobsen discloses:
	attributes (Host Information Profile (HIP) data) specified by RDM system (mobile device management (MDM) service) that manages the remote (host) device (Col. 4, Line # 17-31; In some embodiments, a mobile device management (MDM) server (e.g., an MDM appliance and/or other appliances/servers that provide an MDM service) is provided to manage and configure mobile devices (e.g., for an enterprise). In some embodiments, the MDM server collects Host Information Profile (HIP) data from mobile devices. In some embodiments, the MDM server also collects and/or receives mobile app related analysis data from the cloud security service (e.g., a list of malware apps), and compiles this information to create HIP reports. For example, such HIP reports can be provided to one or more access gateways as well as the MDM server(s) for implementing HIP-based policies (e.g., enforcing a security policy using HIP information for mobile devices); Col. 8; Line # 57-61: the system includes an MDM service (e.g., one or more MDM servers/appliances) that facilitates collecting and forwarding device state information for mobile devices and/or for managing and configuring mobile devices for an enterprise).
	It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Ramasamy reference and include a mobile device management service to manage and configure mobile devices, as disclosed by Jacobsen.
	The motivation to include the mobile device management service to manage and configure mobile devices is to enforce mobile device management policies on the mobile devices. 
Regarding claim 37, the combination of Ramasamy and Jacobsen discloses:
The non-transitory machine readable medium of claim 36, wherein the set of instructions for receiving the remote device data message comprises a set of instructions for receiving the data message sent by the remote device through a tunnel that connects the remote device to the network (Ramasamy: [0022] the protocols discussed herein are only examples and other protocols may be used without departing from the scope of the embodiments. For example, non-IP protocols may be used and encapsulation (e.g., IP GRE, IP-in-IP, L2 tunnels) may also be used; [0034] The portion of the frame labeled (a)-(f) is the additional header/encapsulation that is added to the packet by the service node 18 to provide session information to the interceptor 16. The portion labeled (g) is the original header and payload of the packet. In the example shown above, the new header includes: (a) MAC address of interceptor; (b) IP header for GRE (Generic Routing Encapsulation); (c) GRE header; (d) Service Wire TLV (type length value) header and Inter-WAAS TLV; (e) session information (corresponds to X bytes in length); and (f) optional egress information (corresponds to Y part in length)).
Regarding claim 38, the combination of Ramasamy and Jacobsen discloses:
The non-transitory machine readable medium of claim 36, wherein the particular network element is a device that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set (Ramasamy: See FIG. 3; and FIG. 4A-C; [0032] FIGS. 4A-4C illustrate examples of flow tables for storing session information. The interceptor 16 may include a five tuple flow table 50 (FIG. 4A), a four tuple flow table 52 (FIG. 4B), a three tuple flow table 54 (FIG. 4C), or any combination thereof. In the example shown in FIG. 4A, the table 50 includes a plurality of entries each comprising a five tuple and a corresponding service device (e.g., A, B, . . . ). The flow entries may identify, for example, a flow before network address translation and a flow after network address translation, both of which belong to the same session and are assigned to the same service device 18. As shown in FIG. 4B, the interceptor 16 may maintain a four tuple flow table 52 with source port variable. The interceptor 16 may also maintain a three tuple flow table 54 (FIG. 4C) with protocol and source port variable. When packets are received at the interceptor 16, a lookup is performed in all of the tables and the lookup result from the most specific table is used to identify the source device 18 to which the interceptor redirects the flow).
Regarding claim 39, the combination of Ramasamy and Jacobsen discloses:
The non-transitory machine readable medium of claim 38, wherein the device performs the middlebox service operation by using the inserted RDM attribute set to identify a service rule that specifies the service operation to perform on the forwarded data message (Ramasamy: See FIG. 3; and FIG. 4A-C; [0032] FIGS. 4A-4C illustrate examples of flow tables for storing session information. The interceptor 16 may include a five tuple flow table 50 (FIG. 4A), a four tuple flow table 52 (FIG. 4B), a three tuple flow table 54 (FIG. 4C), or any combination thereof. In the example shown in FIG. 4A, the table 50 includes a plurality of entries each comprising a five tuple and a corresponding service device (e.g., A, B, . . . ). The flow entries may identify, for example, a flow before network address translation and a flow after network address translation, both of which belong to the same session and are assigned to the same service device 18. As shown in FIG. 4B, the interceptor 16 may maintain a four tuple flow table 52 with source port variable. The interceptor 16 may also maintain a three tuple flow table 54 (FIG. 4C) with protocol and source port variable. When packets are received at the interceptor 16, a lookup is performed in all of the tables and the lookup result from the most specific table is used to identify the source device 18 to which the interceptor redirects the flow).
Regarding claim 40, the combination of Ramasamy and Jacobsen discloses:
The non-transitory machine readable medium of claim 36, wherein the particular network element executes a middlebox service node that performs a middlebox service operation on the forwarded data message based on the identified RDM attribute set (Ramasamy: See FIG. 3; and FIG. 4A-C; [0032] FIGS. 4A-4C illustrate examples of flow tables for storing session information. The interceptor 16 may include a five tuple flow table 50 (FIG. 4A), a four tuple flow table 52 (FIG. 4B), a three tuple flow table 54 (FIG. 4C), or any combination thereof. In the example shown in FIG. 4A, the table 50 includes a plurality of entries each comprising a five tuple and a corresponding service device (e.g., A, B, . . . ). The flow entries may identify, for example, a flow before network address translation and a flow after network address translation, both of which belong to the same session and are assigned to the same service device 18. As shown in FIG. 4B, the interceptor 16 may maintain a four tuple flow table 52 with source port variable. The interceptor 16 may also maintain a three tuple flow table 54 (FIG. 4C) with protocol and source port variable. When packets are received at the interceptor 16, a lookup is performed in all of the tables and the lookup result from the most specific table is used to identify the source device 18 to which the interceptor redirects the flow).
Regarding claim 41, the combination of Ramasamy and Jacobsen discloses:
The non-transitory machine readable medium of claim 40, wherein the middlebox service operation comprises one of a firewall operation, a load balancing operation, a logical network segmentation operation, and a destination network address translation operation on the data message based on the inserted RDM attribute set (Ramasamy: [0028] a service device 18 configured for performing firewall services identifies the transformation applied to a packet and informs the interceptor 16 about the {protocol, src-ip, src-port, dst-ip, dst-port} corresponding to before network address translation flow and after network address translation flow so that the interceptor can send the packets that match these flows to the same service device).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./Patent Examiner, Art Unit 2432 
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432