DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/17/2022 has been entered.
As per instant Amendment, claims 1, 4, 6-8, 11, 13-15, 18 and 20 have been amended; claims 2, 9 and 16 have been canceled; claims 1, 8 and 15 are independent claims. Claims 1, 3-8, 10-15 and 17-20 have been examined and are pending. This Action is made Non-Final. 
 
Response to Arguments
Applicants’ arguments with respect to Claims 1-20 under 35 U.S.C. 102/103 have been fully considered but are moot in view of new grounds of rejection and/or not persuasive.
Applicant Argues: “The Office Action equates “service type indication information” with Lee’s “destination IP address.” However, the above-quoted amended claim limitation requires two pieces of information: (a) an identifier of a server that provides the indicated type of service, and (b) a service type indicator used to indicate the type of the service to which the data packet belongs. See applicant’s specification at [0051] (“The service type indication information may be used to indicate the type of the service to which the data packet belongs, for example, used to indicate an encrypted service.”).
Lee is missing the second piece of information. In fact, Lee’s passage [0077] the Office Action quotes at 4-5 makes clear that since a server can host multiple applications, the server IP address is not the “type of the service to which the data packet belongs” but is instead simply a server address that says nothing about a type(s) of service(s) the server hosts. Given that applicant’s specification distinguishes these two pieces of information, it is incorrect for the PTO to apply an alleged “broadest reasonable interpretation” that equates the two.”
Examiner’s Response:   The examiner respectfully disagrees, as set forth in the Office Action dated on 3/22/202, along with additional explanation.  The examiner respectfully notes that as amended Lee still anticipates Applicant’s claimed features; more specifically:  Lee teaches in [0048] - The aspects described herein generally relate to the derivation, provisioning, and use of uplink and downlink network tokens. The network tokens may be transported with packets in the user-plane. An uplink network token or a downlink network token may be embedded in, or otherwise included with, one or more packets and used for network policy enforcement and/or traffic steering (e.g., steering of one or more user-plane messages).  Thus Lee anticipates the feature of “receiving a data packet of a terminal device of a type that performs data interaction with a user plane function entity”.  Further Lee teaches in [0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0048] and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header and [0076] - In the aspects described herein, IP flows, data flows, or flows, need not be limited to bearers as presented in the exemplary illustration of FIG. 2. A client device may operate or run one or more applications. Each client application may be mapped to an application service operating or running on an application server. The application server can be associated with one or more application services. A flow may therefore be defined based on the application operating in the device and on the application server and [0077] - For example, a client device may use one service offered by one provider on a server. The server typically has one IP address. However, the service may host multiple applications on the server. The multiple applications may include, for example, a mapping application, an information search application, and a social networking application. The multiple applications therefore have the same destination IP address, so from the perspective of a gateway of a core network (e.g., a P-GW), the multiple applications can be considered as a single flow instead of multiple flows. Accordingly, a single flow can be mapped to multiple services and [0086]).  Thus, as constructed the destination IP address is still constructed to represent a service identifier that “includes a service type indicator” as Lee states that “The application server can be associated with one or more application services. A flow may therefore be defined based on the application operating in the device and on the application server.  A flow may be defined as a path that packets take between the application running at the client device and the application service running at the application server.,” in [0076].  Thus, as reasonably constructed Lee contemplates that one application service may be defined as a flow, thus is defined as a path that packets take between the application running at the client device and the application service running at the application server.  Thus the destination IP address can act as a service type indicator that us used to indicate a type of service as Lee states one or more application services can be defined as a flow.  Thus if there is only one application service with a defined flow it reasonably reads on the claimed limitation of a service type indicator.    Further, as constructed, as each server typically has one IP address, see [0077], thus the destination IP address also represents the identifier of a server that provides that indicated type of service (i.e., A flow may be defined as a path that packets take between the application running at the client device and the application service running at the application server).   Thus as reasonably constructed a destination IP address also represents an identifier of a server.  Therefore the examiner finds these arguments not persuasive.  
Applicant Argues: “Applicant has further amended claim 1 to require in combination: wherein generating the second token based on the first input information includes using the third token as an input parameter to generate the second token ...”.
Examiner’s Responses:  This argument is moot in view of new grounds of rejection. 





Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3, 6-8, 10, 13-15, 17 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2016/0248682 A1) in view of Martin (US 2007/0118886 A1).




Regarding Claim 1;
Lee discloses a data packet verification method (Abstract - A packet including a network token may be received at a gateway. The gateway may verify the network token and send the data packet to an application server or a device if the verifying is successful), comprising: 
receiving a data packet of a terminal device of a type that performs data interaction with a user plane function entity ([0048] and [0093] - FIG. 6 is an exemplary call flow 600 illustrating network token derivation, provisioning, and use in connection with one or more user-plane messages in accordance with aspects described herein and [0094] - I n the exemplary call flow of FIG. 6, the device 602 sends 618 a request to initiate an application service with the application server 616 via the P-GW 610. The request may be accompanied by or may include an application identifier (App ID). As will be understood by those of skill in the art, the request provided to the application server 616 from the device 602 is different from, and should not be confused with, any type of connection request to establish or reestablish a connection between the device and a network. In the former case, the device is requesting a service from the application server (the service may even be a connectionless service), while in the latter case, the device is requesting a connection to the network and [0095] - The implicit request for use of the downlink network token may be recognized by sending an initial packet from the device 702 to the application server 716 to the via the P-GW 710), wherein the data packet carries a first token and a service identifier ([0048] - The aspects described herein generally relate to the derivation, provisioning, and use of uplink and downlink network tokens. The network tokens may be transported with packets in the user-plane. An uplink network token or a downlink network token may be embedded in, or otherwise included with, one or more packets and used for network policy enforcement and/or traffic steering (e.g., steering of one or more user-plane messages) and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header), and 0the service identifier includes a service type indicator used to indicate a type of a service to which the data packet belongs  ([0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header)), the service identifier further including an identifier of a server that provides the indicated type of service ([0018] - Obtaining the network token may be achieved by deriving the network token at the gateway device. The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0048] and [0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services... Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header and [0077] - For example, a client device may use one service offered by one provider on a server. The server typically has one IP address. However, the service may host multiple applications on the server. The multiple applications may include, for example, a mapping application, an information search application, and a social networking application. The multiple applications therefore have the same destination IP address, so from the perspective of a gateway of a core network (e.g., a P-GW), the multiple applications can be considered as a single flow instead of multiple flows. Accordingly, a single flow can be mapped to multiple services);
 obtaining first input information based on the data packet, and generating a second token based on the first input information ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0050]-[0051] - According to aspects described herein, a packet including a copy of a previously derived original network token may be received at a P-GW... The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet), wherein the first input information comprises an identifier of the terminal device [and] the service identifier  ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function);
wherein generating the second token based on the first input information... ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function and [0050]-[0051] - According to aspects described herein, a packet including a copy of a previously derived original network token may be received at a P-GW... The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet), wherein the first input information comprises an identifier of the terminal device [and] the service identifier  ([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function);
sending the data packet in response to the first token being the same as the second token ([0051] - The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).
Lee fails to explicitly disclose:
generating a second token based on ...a third token;
wherein generating the second token... includes using the third token as an input parameter to generate the second token;
However, in an analogous art, Martin teaches: 
generating a second token based on ...a third token (Martin, [0019] – In a preferred embodiment, the generator generates a second token comprising a third token associated with credentials of the user and the first token. Preferably, at least one of the first token and second token comprises an identifier associated with an environment having the first server and the second server); [and]
wherein generating the second token... includes using the third token as an input parameter to generate the second token (Martin, [0019] – In a preferred embodiment, the generator generates a second token comprising a third token associated with credentials of the user and the first token. Preferably, at least one of the first token and second token comprises an identifier associated with an environment having the first server and the second server).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Lee to the generating of Lee to include generating a second token based on ...a third token [and] wherein generating the second token... includes using the third token as an input parameter to generate the second token;
One would have been motivated to combine the teachings of Martin to Lee to do so as it provides / allows “preventing” attacks based on traffic analysis (Martin, gleaned from [0013]).

Regarding Claim 3;
Lee and Martin disclose the method to Claim 1.
Lee further discloses wherein before the receiving a data packet of a terminal device, the method further comprises: obtaining second input information, wherein the second input information comprises the identifier of the terminal device and the service identifier (([0018] - The network token may be derived using a function having a set of input parameters including a secret key known to the gateway device, a class index, a source Internet Protocol (IP) address, source port number, destination IP address, destination port number, protocol identifier (ID), application ID, priority, and/or a quality of service class identifier (QCI). The class index defines fields used for network token derivation. The network token may be a concatenation of the class index and an output of the function)); generating the first token based on the second input information ([0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services); and sending the first token to the terminal device and the server that provides the service for the terminal device ([0050] - However, the P-GW may not directly send the just-derived network token to the entity that requested the network token. Instead, it may embed, or otherwise include, the network token with the packet that carried the connection request (and the request for the network token) and send the packet (with the just-derived network token) to its destination, e.g., a destination identified from the destination address (or at least a destination address prefix) in the packet header. A processing circuit, at the destination, prepares a response to the connection request (e.g., a connection response) and includes the network token in or with the packet that includes the connection response. The packet may be sent via the user-plane, to the source of the request for the network token and initiator of the connection request. Thereafter, when the source has additional packets to send to the destination, the source may include a copy of the network token in (or with) one or more of the additional packets.).

Regarding Claim 6;
Lee and Martin disclose the method to Claim 1.
Lee further discloses wherein the method further comprises: discarding the data packet in response to the first token being different from the second token ([0051] - The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).
Regarding Claim 7;
Lee and Martin disclose the method to Claim 3.
Lee further discloses wherein after the generating the first token based on the second input information, the method further comprises: storing the first token ([0050] - If, for example, a request for a network token is included with a connection request, the P-GW may derive the network token using a cryptographic function, an unshared secret key known to the P-GW, and parameters that can be obtained from the packet and parameters associated with the services); and the generating a second token based on the first input information comprises: in response to the stored first token being the same as the first token carried in the data packet, generating the second token based on the first input information ([0051] - According to aspects described herein, a packet including a copy of a previously derived original network token may be received at a P-GW. The copy of the previously derived original network token may be an uplink network token or a downlink network token. The P-GW may verify the copy of the previously derived original network token. The verification process may include deriving a duplicate of the original network token. The duplicate network token may be derived in the same way as the original network token, using the same cryptographic function, the same unshared secret key known to the P-GW, and the same other parameters that may be obtained from the packet. The newly received packet associated with the copy of the original network token is different from the packet associated with the original network token; however, there are parameters that can be obtained from the newly received packet that are the same as those obtained from the original packet. These common parameters may be used in the cryptographic function to derive the duplicate network token. If the duplicate network token is equal to the copy of the original network token, then the just-received copy of the original network token may be considered successfully verified. Upon successful verification, the packet may be sent to its destination. If the verification is not successful, the packet can be discarded).


Regarding Claim(s) 8, 10, 13 and 14; claim(s) 8, 10, 13, and 14 is/are directed to a/an apparatus associated with the method claimed in claim(s) 1, 3, 6 and 7. Claim(s) 8, 10, 13, and 14 is/are similar in scope to claim(s) 1, 3, 6 and 7, and is/are therefore rejected under similar rationale.

Regarding Claim(s) 15, 17 and 20; claim(s) 15, 17 and 20 is/are directed to a/an medium associated with the method claimed in claim(s) 1, 3, and 6. Claim(s) 15, 17 and 20 is/are similar in scope to claim(s) 1, 3 and 6, and is/are therefore rejected under similar rationale.










Claims 4, 5, 11, 12, 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 2016/0248682 A1) in view of Martin (US 2007/0118886 A1) and further in view of Burch et al. (US 9,654,462 B2).

Regarding Claim 4
Lee and Martin disclose the method to Claim 1.
Lee further discloses wherein the second input information further comprises [parameters], and the first input information further comprises the [parameters] ([0018] and [0050]-[0051]).
Lee and Martin fail to explicitly disclose:
wherein the second input information further comprises a random number, and the first input information further comprises the random number; or 
the second input information further comprises the third token, and the third token is generated by the terminal device; 
or the second input information further comprises a fourth token, the first input information further comprises the fourth token, and the fourth token is generated by the server; 
or the second input information further comprises the third token and the fourth token, and the first input information further comprises the third token and the fourth token; 
or the second input information further comprises the random number, the third token, and the fourth token, and the first input information further comprises the random number, the third token, and the fourth token; or 
the second input information further comprises the random number and the third token, and the first input information further comprises the random number and the third token; or 
the second input information further comprises the random number and the fourth token, and the first input information further comprises the random number and the fourth token.
However, in an analogous art, Burch teaches wherein the ... input information further comprises a random number (Burch, col. 5, lines 35-38 - In an embodiment, at 221, the late-binding authenticator creates the LBT to include: a random number, an identifier for the service, and a HMAC produced over the random number and the identifier and Claim 1).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Burch to the second input [parameters] and the first input [parameters] of Lee and Martin to include wherein the ... input information further comprises a random number
One would have been motivated to combine the teachings of Burch to Lee and Martin to do so as it provides / allows passing credentials and secrets without comprising the security of those devices (Burch, col. 1, lines 26-30). 

Regarding Claim 5;
Lee and Burch disclose the method to Claim 4.
Burch further teaches wherein the method further comprises: 
obtaining the random number based on the identifier of the terminal device; or 
obtaining the random number based on the service identifier (Burch, col. 5, lines 35-38 - In an embodiment, at 221, the late-binding authenticator creates the LBT to include: a random number, an identifier for the service, and a HMAC produced over the random number and the identifier and Claim 1).

Regarding Claim(s) 11 and 12; claim(s) 11 and 12 is/are directed to a/an apparatus associated with the method claimed in claim(s) 4 and 5. Claim(s) 11 and 12 is/are similar in scope to claim(s) 4 and 5, and is/are therefore rejected under similar rationale.

Regarding Claim(s) 18 and 19; claim(s) 18 and 19 is/are directed to a/an medium associated with the method claimed in claim(s) 4 and 5. Claim(s) 18 and 19 is/are similar in scope to claim(s) 4 and 5, and is/are therefore rejected under similar rationale.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439