DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present application, filed on November 23, 2020, is accepted.
Claims 1 – 20 are being considered on the merits.

Drawings
The drawings, filed on November 23, 2020, are accepted.

Specification
The specification, filed on November 23, 2020, is accepted.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6, 8 – 9, 14, and 16 – 17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20200259799 A1 to Li et al., (hereinafter, “Li”).
As per claim 1, Li teaches a method comprising: receiving, by a Smart Network Interface Card (SmartNIC) of a device, a packet; [Li, para. 35 discloses SmartNIC 100 can include a network interface 102, a computing unit 104, and a host interface 106. Para. 36 discloses Network interface 102 can facilitate connectivity to a network, e.g., an Ethernet network, and can be responsible for sending and receiving network packets. In some embodiments, interface 102 can be similar to a conventional network interface card (NIC) and can include at least two network ports. One network port can be used for communication with other in-group hosts or service providers within a secure network group, whereas the other port can be used in a gateway unit for communication with hosts in other network groups or a global service provider (SP) server.] analyzing, by the SmartNIC, the packet; determining, by the SmartNIC based on the analysis, to encrypt or decrypt the packet; [Li, para. 58 discloses SGX enclave 502 of the first client can communicate with SGX enclave 512 of the second client by sending an encrypted packet to SmartNIC module 506 using the s-n key (operation 522). For example, an application running in SGX enclave 502 can communicate with an application running in SGX enclave 512. SmartNIC module 506 can decrypt the packet, identify the second client as the recipient of the packet, and look up in the host-key mapping table to obtain the corresponding ephemeral key (operation 524).] encrypting or decrypting, by the SmartNIC, the packet; and forwarding, by the SmartNIC, the encrypted packet or the decrypted packet towards its destination. [Li, para. 58 SmartNIC module 506 can then encrypt the packet using the corresponding ephemeral key and send the encrypted packet to SmartNIC module 516 (operation 526). SmartNIC module 516 can then decrypt the packet using the corresponding ephemeral key (operation 528).]

As per claim 6, Li teaches the method of claim 2, further comprising: receiving, by the SmartNIC, network connectivity configuration information pertaining to the virtual network function; and storing, by the SmartNIC, the network connectivity configuration information. [Li, para. 40 discloses Remote attestation server 202 can also generate a number of encryption keys (e.g., symmetric keys) that can be distributed to the host computer after the successful attestation of the trusted platform as well as the application running on the platform. Such encryption keys can facilitate secure communication among the hosts. In some embodiments, remote attestation server 202 can distribute a set of encryption keys to each host within a trusted network to facilitate secure in-network communication. More specifically, a host can select, based on a key-mapping table, a particular key from the set of received keys for communication with a particular host. Such a key-mapping table can also be distributed by remote attestation server 202 among the hosts in the trusted network.]

As per claim 8, Li teaches the method of claim 1, further comprising: storing, by the SmartNIC, one or more security keys and one or more security algorithms, [Li, para. 47 discloses an asymmetric key pair (e.g., an RSA (Rivest-Shamir-Adleman) public/private key pair) can be initialized in the ATF module within the SmartNIC of each host (operation 302). Such a key pair can represent the identity of the SmartNIC and is protected by the ATF. More specifically, the private key of the key pair will always remain inside the ATF. Subsequently, the public key of the asymmetric key pair of the SmartNIC can be registered with the service provider (operation 304). For example, such an asymmetric key pair can be stored into a key database maintained by the service provider. Registering the public key with the service provider allows the host to establish a secure, ATF-protected communication channel with the service provider server. Various mechanisms can be used to register the public key with the service provider server, including registration via a previously established secure channel or manual registration.] and wherein the encrypting or decrypting comprises: (Attorney Docket No. 20200343) encrypting or decrypting, by the SmartNIC, the packet based on one of the one or more security keys and one of the one or more security algorithms. [Li, para. 19 discloses the hosts and the service provider server can exchange encryption/decryption keys in order to establish secure communication channels. More specifically, to ensure security, the key exchange process can be facilitated by the remote attestation mechanism provided by the Intel SGX. More specifically, through remote attestation, the service provider server can establish a trusted channel to the SGX enclave within the host, and can subsequently send encryption keys used among the hosts to the SGX enclave. The SGX enclave can then pass such encryption keys to the corresponding SmartNIC to allow the SmartNIC to encrypt packages exchanged among the hosts.]

Regarding claim 9, it recites features similar to those in claim 1; therefore, it is rejected in the same manner.

Regarding claim 14, it recites features similar to those in claim 6; therefore, it is rejected in the same manner.

Regarding claim 16, it recites features similar to those in claim 8; therefore, it is rejected in the same manner.

Regarding claim 17, Li teaches a non-transitory computer-readable storage medium storing instructions executable by a processor of a Smart Network Interface Card (SmartNIC), [Li, para. 92 discloses Electronic system 1000 can be a client, a server, a computer, a smartphone, a PDA, a laptop, or a tablet computer with one or more processors embedded therein or coupled thereto, or any other sort of electronic device. Such an electronic system includes various types of computer-readable media and interfaces for various other types of computer-readable media. Electronic system 1000 includes a bus 1008, processing unit(s) 1012, a system memory 1004, a read-only memory (ROM) 1010, a permanent storage device 1002, an input device interface 1014, an output device interface 1006, and a network interface 1016.] the remaining features are similar to the features of claim 1; therefore, they are rejected in the same manner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 – 4, 7, 10 – 12, 15, and 18 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200259799 A1 to Li et al., (hereinafter, “Li”) in view of US 10997106 B1 to Bandaru et al., (hereinafter, “Bandaru”).
Regarding claim 2, Li teaches the method of claim 1, but Li does not teach wherein a source of the packet or the destination of the packet includes a virtual network function of the device, and wherein the device is a host device of one or multiple virtual network functions. 
However, Bandaru does teach wherein a source of the packet or the destination of the packet includes a virtual network function of the device, and wherein the device is a host device of one or multiple virtual network functions. [Bandaru, col. 7 lines 23 – 27 discloses receiving a packet in the data plane destined for one of the other programmable IO devices; and forwarding the packet to the other programmable IO device via the virtual link. In some embodiments, each of the programmable IO devices comprises a SmartNIC. Col. 11 lines 33 – 42 discloses A physical IO device may allow multiple virtual machines to use the device concurrently through SR-IOV. In SR-IOV, a physical device may have physical functions (PFs) that allow for input/output operations and device configuration, as well as one or more virtual functions (VFs) that allow for data input/output. According to SR-IOV, a PCIe device can appear to be multiple separate physical PCIe devices. For example, a SR-IOV NIC having a single port can have up to 256 virtual functions, with each virtual function representing a respective NIC port.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Bandaru’s system with Li’s system, with a motivation to distribute SmartNIC applications across multiple NIC cards for increased aggregate throughput, improved reliability, and better performance over a single NIC. [Bandaru, col. 5 lines 66 – 67 to col. 6 line 1]

Regarding claim 3, Li teaches the method of claim 2, but Li does not teach further comprising: receiving, by the SmartNIC, configuration information pertaining to encryption and decryption of traffic to and from the virtual network function; and storing, by the SmartNIC, the configuration information. 
However, Bandaru does teach further comprising: receiving, by the SmartNIC, configuration information pertaining to encryption and decryption of traffic to and from the virtual network function; [Bandaru, col. 12 lines 19 – 27 discloses The IO device 110 may provide a variety of services and/or functionality to an operating system operating as a host on computing system 120. For example, the IO device may provide network connectivity functions to the computing system, coprocessor functionality (e.g., graphics processing, encryption/decryption, database processing, etc.) and the like. The IO device 110 may interface with other components in the computing system 100 via, for example, a PCIe bus.] and storing, by the SmartNIC, the configuration information. [Bandaru, col. 14 lines 34 – 47 discloses the system may comprise a PCIe host interface. The PCIe host interface may support a bandwidth of, for example, 100 Gb/s per PCIe connection (e.g., dual PCIe Gen4×8 or single PCIe Gen3×16). A mechanism or a scheme to map resources available at the IO device to memory-mapped control regions associated with the virtual IO devices may be implemented by using a pool of configurable PCIe BARs coupled with a resource mapping table to store mapping information for each virtual IO device. The IO resources provided by the IO device may be mapped to host addresses in the framework of the PCIe standard such that the same device drivers that are utilized to communicate with physical PCIe devices may be utilized to communicate with corresponding virtual PCIe devices.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Bandaru’s system with Li’s system, with a motivation to distribute SmartNIC applications across multiple NIC cards for increased aggregate throughput, improved reliability, and better performance over a single NIC. [Bandaru, col. 5 lines 66 – 67 to col. 6 line 1]

As per claim 4, Li teaches the method of claim 3, wherein the determining comprises: performing, by the SmartNIC, a lookup of the configuration information based on a source address of the packet or a destination address of the packet. [Li, para. 58 discloses an application running in SGX enclave 502 can communicate with an application running in SGX enclave 512. SmartNIC module 506 can decrypt the packet, identify the second client as the recipient of the packet, and look up in the host-key mapping table to obtain the corresponding ephemeral key (operation 524). SmartNIC module 506 can then encrypt the packet using the corresponding ephemeral key and send the encrypted packet to SmartNIC module 516 (operation 526).]

Regarding claim 7, Li teaches the method of claim 1, but Li does not teach further comprising: generating, by the SmartNIC, a registration request that includes registration information of the SmartNIC; transmitting, by the SmartNIC, the registration request to a software defined network controller that manages the device.  
	However, Bandaru does teach further comprising: generating, by the SmartNIC, a registration request that includes registration information of the SmartNIC; [Bandaru, col. 2 lines 3 – 20 discloses the programmable IO device comprises a SmartNIC. In some embodiments, the programmable IO device is installed on the host device via a peripheral component interconnect express (PCIe) interface. In some embodiments, the virtual link is established through PCIe peer-to-peer communication. In some embodiments, the virtual link is established via a shared PCIe bus. In some embodiments, the operations comprise exposing a memory bar accessible on the PCIe bus for communication to establish the virtual link. In some embodiments, an agent or a driver is installed on the host device. In some embodiments, the agent or drive configures the programmable IO device with a PCIe bus address of memory bars exposed by the other programmable IO device. In some embodiments, the operations comprise, once configured by the agent or the driver, communicating directly with the other programmable IO device through directing messages over the PCIe bus to establish the virtual link.] transmitting, by the SmartNIC, the registration request to a software defined network controller that manages the device. [Bandaru, col. 2 lines 20 – 30 discloses In some embodiments, the programable IO device comprises a management port. In some embodiments, the virtual link is established via an external cable connected to the management port. In some embodiments, the virtual link is established through a PCIe switch configured to connect PCIe interfaces and PCIe peer-to-peer traffic. In some embodiments, the programmable IO device comprises at least one advanced reduced instruction set computer (RISC) machine (ARM) core communicably coupled to at least one central processing unit (CPU) core of the host device.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Bandaru’s system with Li’s system, with a motivation to distribute SmartNIC applications across multiple NIC cards for increased aggregate throughput, improved reliability, and better performance over a single NIC. [Bandaru, col. 5 lines 66 – 67 to col. 6 line 1]

Regarding claims 10 – 12, they recite features similar to those in claims 2 – 4; therefore, they are rejected in the same manner.

Regarding claim 15, it recites features similar to those in claim 7; therefore, it is rejected in the same manner.

Regarding claims 18 – 19, they recite features similar to those in claims 2 – 3; therefore, they are rejected in the same manner.

Claims 5, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200259799 A1 to Li et al., (hereinafter, “Li”) in view of US 20130281055 A1 to Patefield-Smith et al., (hereinafter, “Smith”).
Regarding claim 5, Li teaches the method of claim 2, but Li does not teach further comprising: generating, by the SmartNIC, a certificate signing request; transmitting, by the SmartNIC, the certificate signing request to a certificate authority device; receiving, by the SmartNIC and responsive to the certificate signing request, a signed certificate; and establishing, by the SmartNIC, network connections to devices external from the device and on behalf of the virtual network function based on the signed certificate.  
However, Smith does teach further comprising: generating, by the SmartNIC, a certificate signing request; transmitting, by the SmartNIC, the certificate signing request to a certificate authority device; [Smith, para. 44 discloses the mobile device 12 continues by generating a public-private key pair 66, and generating and transmitting 66 a certification generation request to a Certificate Authority.] receiving, by the SmartNIC and responsive to the certificate signing request, a signed certificate; [Smith, para. 44 discloses The certification generation request includes the generated public key and requests that the Certificate Authority digitally sign the generated public key with its private key. The generated public key signed with the private key of the Certificate Authority constitutes a generated certificate. Next, the Certificate Authority continues by generating a certificate 68 by signing the generated public key with its private key and transmitting 68 the generated certificate to the mobile device 12.] and establishing, by the SmartNIC, network connections to devices external from the device and on behalf of the virtual network function based on the signed certificate. [Smith, para. 44 discloses By virtue of storing 72 the generated certificate in the mobile device 12, the SCE application is successfully initialized and the mobile device 12 is activated. After successfully initializing the SCE application, the mobile device 12 continues by transmitting a message to the computer 14 notifying the user 74 that the SCE application has been successfully initialized and processing ends 64.] 
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filing date to combine Smith’s system with Li’s system, with a motivation to facilitate establishing secure communications between the mobile device 12 and the CM system 18 regardless of the communications path. More specifically, the SCE application is enabled to facilitate conducting a mutual authentication process between the mobile device 12 and the CM system 18 by causing the mobile device 12 to authenticate the CM system 18 and causing the mobile device 12 to emulate operations conducted by smart cards for authentication by the CM system 18. [Smith, para. 45]

Regarding claims 13 and 20, they recite features similar to those in claim 5; therefore, they are rejected in the same manner.

Conclusion
Pertinent prior art made of record however not relied upon includes:
US 20200127981 A1 to Yang et al.
“A first encryption key associated with a first tenant is created. The first encryption key is configured in a host where a virtual machine associated with the first tenant is executing, the host including a network interface controller configured to have a virtual network interface function, the virtual network interface function executing on the host and being associated with the virtual machine of the first tenant. The virtual network interface function is caused to bind the first encryption key to the virtual machine of the first tenant. The virtual network interface function is caused to encrypt outgoing network traffic of the first tenant using the first encryption key. The virtual network interface function is caused to decrypt incoming network traffic for the first tenant using the first encryption key.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893. The examiner can normally be reached Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/P.P./Patent Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434