DETAILED ACTION
The instant application having Application No. 17/200801 has a total of 20 claims pending in the application.  There are 2 independent claims and 18 dependent claims, all of which are ready for examination by the examiner.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions.

Information Disclosure Statement
The Information Disclosure Statement dated 3/15/2021 is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending.  A copy of the PTOL-1449 has been initialed.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 22 and 32 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 22, which depends from Claim 21, recites the limitation “the particular PVN identifier” in lines 4-5.  However, there is no previous recitation of a “particular PVN identifier” in either of Claims 21 or 22.  Accordingly, there is insufficient antecedent basis for this limitation in the claim.

Claim 32, which depends from Claim 31, recites the limitation “receives each of the two packets” in line 3.  However, there is no previous recitation of “two packets” in either of Claims 31 or 32.  Accordingly, there is insufficient antecedent basis for this limitation in the claim.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 21, 23, 24, 31, 33 and 34 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1 and 14 of U.S. Patent No. 9,900,410.  Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 21, 23, 24, 31, 33 and 34 of the present application are obvious based on Claims 1 and 14 of U.S. Patent No. 9,900,410 in view of Imai (US 2010/0058051).

Present application:

21. A method of defining overlay-network encapsulation headers to establish a private virtual network over a shared physical network, the method comprising:

at a filter defined on a first host computer: 

encapsulating the packet with an overlay-network encapsulation header that allows the packet to be forwarded on the private virtual network to the second machine; and

sending the encapsulated packet to the second machine over the physical network.





receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer;

US 9,900,410:

1. A system for private networking within a virtual infrastructure, the system comprising:





… a first filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the packet comprising a first header and a first payload,

a second filter in the second host that de-encapsulates the packet to extract the first header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC (i.e., the encapsulated packet is sent over the network to the second host)

Claim 1 does not recite receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer.  However, Imai teaches receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer (“The above mentioned business software can be operated by executing one or more task programs each provided for a virtual machine, and each of the set of servers can be provided with, as a virtual machine, a guest operating system” – See [0040]; “the client IP address appended to the transmission data” – See [0047]; “the guest OS 40 needs only to set the client IP address of the destination at the transmission data so that the host OS 30 performs VPN connection processing such as setting of physical IP address and encryption” – See [0052]; “by the task program executed in the client business processing module 40A of the server α, data is transmitted to a destination of a client IP address (192. 167. 0. 3) of the guest OS 40 of the server γ. In the server α, the data is sent to the host OS 30 via a virtual NIC 60 (eth0) of the guest OS 40 and via a virtual NIC (vif0) of the host OS 30” – See [0051]; See also Fig. 2; Host OS 30 (filter) receives a packet sent by guest OS 40 (first machine) which executes on server α (first host computer), wherein the packet is addressed to client IP address 192.167.0.3, which corresponds to guest OS 40 (second machine) which executes on server γ (second host computer)).  It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify Claim 1 to include receiving, by the filter, a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer in order to provide communications between different virtual machines that are executing on different physical servers (See Imai, [0051]).

23. The method of claim 21, wherein the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host machine.
1. … a first virtual machine (VM) in a first host, … a second VM in a second host
24. The method of claim 23, wherein each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM.
1. … a first virtual machine (VM) in a first host, the first VM being associated with a first virtual network interface card (VNIC)


Claims 31, 33 and 34 are rejected based on Claim 14 of U.S. Patent No. 9,900,410 in view of Imai based on similar reasoning as given above.

Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-20 of U.S. Patent No. 10,951,744.  Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 21-40 of the present application are anticipated by Claims 1-20 of U.S. Patent No. 10,951,744.

Present application:

21. A method of defining overlay-network encapsulation headers to establish a private virtual network over a shared physical network, the method comprising:

at a filter defined on a first host computer: 

receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer;



encapsulating the packet with an overlay-network encapsulation header that allows the packet to be forwarded on the private virtual network to the second machine; and











sending the encapsulated packet to the second machine over the physical network.
US 10,951,744:

1. A method of defining overlay-network encapsulation headers to establish a particular private virtual network (PVN) over a shared physical network, the method comprising:

at a filter executing on a first host computer: 

receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer, the first and second machines being members of the particular PVN which also includes a plurality of other machines;

generating, for the packet, an overlay-network encapsulation header that allows the packet to be forwarded on the particular PVN to the second machine; storing, in the generated encapsulation header, an identifier that identifies the particular PVN, said particular PVN identifier stored in the encapsulation header to ensure that only machines that are members of the particular PVN have access to the messages sent along the shared physical network, the particular PVN identifier allowing multiple PVNs to be defined on the shared physical network for multiple different sets of machines; and encapsulating the packet with the encapsulating header and

forwarding the encapsulated packet to the second machine over the physical network.
22. The method of claim 21, wherein the filter executing on the first host computer is a first filter, and a second filter executes on the second host computer and with the first filter forms a distributed virtual filter that adds and removes encapsulating headers with the particular PVN identifier to allow the first and second machines to exchange packets associated with the particular PVN.
11. The method of claim 1, wherein the filter executing on the first host computer is a first filter, and a second filter executes on the second host computer and with the first filter forms a distributed virtual filter that adds and removes encapsulating headers with the particular PVN identifier to allow the first and second machines to exchange packets associated with the particular PVN.
23. The method of claim 21, wherein the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host machine.
2. The method of claim 1, wherein the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host computer.
24. The method of claim 23, wherein each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM.
3. The method of claim 2, wherein each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM.
25. The method of claim 23, wherein the filter is a module that executes on the first host computer outside of the first VM and that processes packets sent by the first VM.
4. The method of claim 2, wherein the filter is a module that executes on the first host computer outside of the first VM and that processes packets sent by the first VM.
26. The method of claim 21, wherein receiving the packet sent by the first machine comprises obtaining the packet as the packet passes along an egress data path from the first machine to a physical network interface card (PNIC) of the first host computer.
5. The method of claim 2, wherein receiving the packet sent by the first machine comprises obtaining the packet as the packet passes along an egress data path from the first VM to a physical network interface card (PNIC) of the first host computer.
27. The method of claim 26, wherein the packet is obtained before the packet is processed by a software switch executing on the first host computer, sending the encapsulated packet to the second machine comprises sending the packet to the software switch for forwarding to the PNIC to send the encapsulated packet to the physical network, the physical network forwarding the encapsulated packet to the second host computer, which removes the encapsulated overlay-network header, uses a destination address in an original header of the packet to identify the second machine, and passes the packet to the second machine.
6. The method of claim 5, wherein the packet is obtained before the packet is processed by a software switch executing on the first host computer, forwarding the encapsulated packet to the second VM comprises sending the packet to the software switch for forwarding to the PNIC to send the encapsulated packet to the physical network, and the physical network forwarding the encapsulated packet to the second host computer, which removes the encapsulated overlay-network header, uses a destination address in an original header of the packet to identify the second VM, and passes the packet to the second VM.
28. The method of claim 21, wherein the filter comprises a bridge table that stores addresses of destination hosts where machines of the private virtual network execute.
7. The method of claim 1, wherein the filter comprises a bridge table that stores addresses of destination hosts where machines of the particular PVN execute.
29. The method of claim 21 further comprising: when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, fragmenting the packet into at least two packets and encapsulating each of the two packets with an overlay encapsulation header before sending the encapsulated packets over the physical network.
8. The method of claim 1 further comprising: when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, fragmenting the packet into at least two packets and encapsulating each of the two packets with an overlay encapsulation header before sending the encapsulated packets over the physical network.
30. The method of claim 29, wherein encapsulating the packet with an overlay-network encapsulation header further comprises encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.
9. The method of claim 8, wherein encapsulating the packet with an overlay-network encapsulation header further comprises encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.


Claims 31-40 are rejected based on Claims 12-20 of US 10,951,744 based on similar reasoning as given above.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by another filed in the United States before the invention by the applicant for patent, except that an international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an application filed in the United States only if the international application designated the United States and was published under Article 21(2) of such treaty in the English language.

Claims 21, 23-28, 31 and 33-38 are rejected under pre-AIA  35 U.S.C. 102(e) as being anticipated by Imai (US 2010/0058051).

Regarding Claim 21, Imai teaches a method of defining overlay-network encapsulation headers to establish a private virtual network over a shared physical network (“Hereinafter, an example in which a VPN connection is used will be described as a representative example of a communication path between virtual machines” – See [0041]; “A tunneling module 30B performs tunneling of transmission data by appending a physical IP address of a destination to the transmission data and encapsulating the transmission data” – See [0048]; Transmission data is encapsulated and a VPN (private virtual network) is established over a physical network), the method comprising:
at a filter defined on a first host computer (Host OS 30 – See Fig. 2; Host OS 30 (filter) is defined on server α (first host computer)):
receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer (“The above mentioned business software can be operated by executing one or more task programs each provided for a virtual machine, and each of the set of servers can be provided with, as a virtual machine, a guest operating system” – See [0040]; “The routing module 30A specifies tunnel information that is needed for transmitting, via a VPN connection, data received from the guest OS 40 … the client IP address appended to the transmission data” – See [0047]; “the guest OS 40 needs only to set the client IP address of the destination at the transmission data so that the host OS 30 performs VPN connection processing such as setting of physical IP address and encryption” – See [0052]; “by the task program executed in the client business processing module 40A of the server α, data is transmitted to a destination of a client IP address (192. 167. 0. 3) of the guest OS 40 of the server γ. In the server α, the data is sent to the host OS 30 via a virtual NIC 60 (eth0) of the guest OS 40 and via a virtual NIC (vif0) of the host OS 30” – See [0051]; See also Fig. 2; Host OS 30 (filter) receives a packet sent by guest OS 40 (first machine) which executes on server α (first host computer), wherein the packet is addressed to client IP address 192.167.0.3, which corresponds to guest OS 40 (second machine) which executes on server γ (second host computer));
encapsulating the packet with an overlay-network encapsulation header that allows the packet to be forwarded on the private virtual network to the second machine (“A tunneling module 30B performs tunneling of transmission data by appending a physical IP address of a destination to the transmission data and encapsulating the transmission data” – See [0048]; “FIG. 9 illustrates an example of connection relations between servers in the case of the connection plan table 10E depicted in FIG. 5, in which a solid-line arrow indicates the VPN connection without encryption and a broken-line arrow indicates the VPN connection with encryption” – See [0065];  Tunneling module 30B of host OS 30 (filter) encapsulates the packet with a tunneling header so that it can be transmitted over a VPN to guest OS 40 (second machine) located on server γ, wherein a VPN (private virtual network) connection with encryption is used between server α and server γ); and
sending the encapsulated packet to the second machine over the physical network (“Then, the transmission data is transmitted from the virtual NIC 60 (eth0) of the host OS 30 of the server α to the server γ via the physical NIC 50 (eth0) of the server α. On the other hand, in the host OS 30 of the server γ which has received the data, the received data is decoded and then the decoded data is transmitted to a destination of the guest OS 40 where the task program is to be executed, on the basis of the client IP address appended to the decoded data” – See [0051]; Host OS 30 (filter) sends the encapsulated packet over the physical network to destination guest OS 40 (second machine) on server γ).

Regarding Claim 23, Imai teaches the method of Claim 21.  Imai further teaches that the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host machine (See Fig. 2; Guest OS 40 of server α is the first VM executing on the first host computer and Guest OS 40 of server γ is the second VM executing on the second host computer).

Regarding Claim 24, Imai teaches the method of Claim 23.  Imai further teaches that each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM (“In the server α, the data is sent to the host OS 30 via a virtual NIC 60 (eth0) of the guest OS 40 and via a virtual NIC (vif0) of the host OS 30” – See [0051]; See also Fig. 2; Guest OSes 40 on each of the servers have a VNIC 60 associated therewith, wherein the Host OS (filter) of server α is associated with VNIC 60 of the guest OS via the communication path between the host OS and the VNIC 60 of the guest OS).

Regarding Claim 25, Imai teaches the method of Claim 23.  Imai further teaches that the filter is a module that executes on the first host computer outside of the first VM and that processes packets sent by the first VM (“Host OS 30 can be configured to include the following elements: a routing module 30A, a tunneling module 30B, and an enciphering module 30C” – See [0046]; See also Fig. 2; Host OS 30 (filter) executes on server α (first host computer) outside of guest OS 40 (first VM), wherein the Host OS 30 processes packets sent by the guest OS 40 using the routing module, tunneling module, enciphering module, and so on).

Regarding Claim 26, Imai teaches the method of Claim 21.  Imai further teaches that receiving the packet sent by the first machine comprises obtaining the packet as the packet passes along an egress data path from the first machine to a physical network interface card (PNIC) of the first host computer (“Then, the transmission data is transmitted from the virtual NIC 60 (eth0) of the host OS 30 of the server α to the server γ via the physical NIC 50 (eth0) of the server α” – See [0051]; Host OS 30 obtains the packet from guest OS 40 (first VM) as it travels toward physical NIC 50 of server α (first host computer) before being transmitted to the destination).

Regarding Claim 27, Imai teaches the method of Claim 26.  Imai further teaches that the packet is obtained before the packet is processed by a software switch executing on the first host computer (“In the server α, the data is sent to the host OS 30 via a virtual NIC 60 (eth0) of the guest OS 40 and via a virtual NIC (vif0) of the host OS 30. Then, in the host OS 30, the routing module 30A obtains tunnel information corresponding to the client IP address of the destination with reference to the routing setting table in the routing module 30A” – See [0047]; Host OS 30 obtains the packet from guest OS 40 before it is processed by the routing mode 30A (software switch) executing on server α (first host computer)),
sending the encapsulated packet to the second machine comprises sending the packet to the software switch for forwarding to the PNIC to send the encapsulated packet to the physical network, the physical network forwarding the encapsulated packet to the second host computer, which removes the encapsulated overlay-network header, uses a destination address in an original header of the packet to identify the second machine, and passes the packet to the second machine (“Then, the transmission data is transmitted from the virtual NIC 60 (eth0) of the host OS 30 of the server α to the server γ via the physical NIC 50 (eth0) of the server α. On the other hand, in the host OS 30 of the server γ which has received the data, the received data is decoded and then the decoded data is transmitted to a destination of the guest OS 40 where the task program is to be executed, on the basis of the client IP address appended to the decoded data” – See [0051]; “When data is received from another server 20, the enciphering module 30C of the host OS 30 decodes the received data, the tunneling module 30B decapsulate the decoded data, and then the decapsulated data is transmitted to the guest OS 40 pointed by the client IP address that is appended to the received data by the routing module 30A” – See [0049]; The packet is sent from guest OS 40 to host OS 30/routing module 30A for forwarding to physical NIC 50, wherein the physical NIC 50 sends the packet on the physical network towards server γ (second host computer).  After receiving the packet, the server γ decapsulates/removes the encapsulated header and passes the packet to its own guest OS 40 (second machine) using the destination client IP address in the original packet header).

Regarding Claim 28, Imai teaches the method of Claim 21.  Imai further teaches that the filter comprises a bridge table that stores addresses of destination hosts where machines of the private virtual network execute (“This routing module 30A is provided with a routing setting table that includes client IP addresses of destinations and tunnel information used in VPN connection to the destinations as depicted in FIG. 3A” – See [0047]; “The tunneling module 30B is provided with a tunneling setting table in which tunnel information and a physical IP address of the opposite end of a tunnel corresponding thereto are set for each piece of tunnel information as depicted in FIG. 3B” – See [0048]; As shown in Figs. 3A and 3B, host OS 30 (filter) includes tables (bridge tables) that store physical IP address information corresponding to different servers (destination hosts) which execute different guest OSs (machines)).

Claim 31 is rejected based on reasoning similar to Claim 21.
Claim 33 is rejected based on reasoning similar to Claim 23.
Claim 34 is rejected based on reasoning similar to Claim 24.
Claim 35 is rejected based on reasoning similar to Claim 25.
Claim 36 is rejected based on reasoning similar to Claim 26.
Claim 37 is rejected based on reasoning similar to Claim 27.
Claim 38 is rejected based on reasoning similar to Claim 28.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claim 22 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Imai (US 2010/0058051) in view of Matsuhira et al. (US 2003/0088697).

Regarding Claim 22, Imai teaches the method of Claim 21.  Imai further teaches that the filter executing on the first host computer is a first filter, and a second filter executes on the second host computer (See also Fig. 2; Host OS 30 of server α is the first filter that executes on the first host computer and Host 30 of server γ is the second filter that executes on the second host computer), and
with the first filter forms a distributed virtual filter that adds and removes encapsulating headers to allow the first and second machines to exchange packets associated with the particular PVN (“A tunneling module 30B performs tunneling of transmission data by appending a physical IP address of a destination to the transmission data and encapsulating the transmission data. The tunneling module 30B is provided with a tunneling setting table in which tunnel information and a physical IP address of the opposite end of a tunnel corresponding thereto are set for each piece of tunnel information as depicted in FIG. 3B. Here, the physical IP address of the opposite end of the tunnel becomes the destination of the encapsulated transmission data” – See [0048]; “When data is received from another server 20, the enciphering module 30C of the host OS 30 decodes the received data, the tunneling module 30B decapsulate the decoded data, and then the decapsulated data is transmitted to the guest OS 40 pointed by the client IP address that is appended to the received data by the routing module 30A” – See [0049]; “By this, it becomes possible to perform VPN connection between the server α and the server γ” – See [0051]; The guest OSs (filters) add and remove (i.e., encapsulate and decapsulate) headers to allow the first and second machines to exchange packets using a VPN).
Imai does not explicitly teach that the encapsulating headers include the particular PVN identifier.
However, Matsuhira teaches encapsulating headers include the particular PVN identifier (“This VPN accommodation function portion 32 has a function of either converting a header of a packet for transmission into a header having a VPN address format, or encapsulating by including a header of the VPN address format” – See [0048]; “In the description of the present invention, a VPN address format shown in FIG. 7 is defined. A header conforming to the address format is generated by adding an ID for identifying a VPN, i.e. a VPN number 34 to an IP address 33 for use in an intranet” – See [0049]; “As the result of this comparison, if the VPN numbers are different, the packet is discarded in an IPv4 header addition portion because the packet has no relation with the VPN of interest. This enables to prevent any packet from flowing in or flowing out from/to a different VPN, thus enabling to improve security” – See [0068]; See also Fig. 7; An encapsulation header identifies the particular VPN using a VPN number which is stored in field 34 of the encapsulation header, as shown in Fig. 7.  The use of VPNs ensures that traffic for a particular VPN does not travel out of the particular VPN as well as preventing traffic from other VPNs from entering the particular VPN).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Imai such that the encapsulating headers include the particular PVN identifier.  Motivation for doing so would be to provide an identifier by which a VPN is uniquely identifiable in the scope concerned (See Matsuhira, [0023]).

Claims 29, 30, 32, 39 and 40 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Imai (US 2010/0058051) in view of Charpentier et al. (US 2009/0116490).

Regarding Claim 29, Imai teaches the method of Claim 21.  Imai teaches encapsulating IP packets for with an overlay encapsulation header before sending the encapsulated packets over the physical network, as shown above with respect to Claim 21.
Imai does not explicitly teach that when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, fragmenting the packet into at least two packets.
However, Charpentier teaches that when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, fragmenting the packet into at least two packets (“First of all, fragmentation may be required to transport datagrams or packets though networks whose maximum allowed datagram size or maximum transfer unit (MTU) is smaller than their size. Datagram fragmentation is typically implemented at the IP layer and is specified as the IP Fragmentation in the IPv4 or IPv6 version of the standard” – See [0011]; When the size of a packet is larger than the MTU size of the network, the packet is fragmented into a plurality of fragments).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify Imai to fragment the packet into at least two packets when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network since it is well-known in the art that fragmentation is necessary in this scenario (See Charpentier, [0010] and [0011]).

Regarding Claim 30, Imai in view of Charpentier teaches the method of Claim 29.  Imai does not explicitly teach that encapsulating the packet with an overlay-network encapsulation header further comprises encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.
However, Charpentier further teaches encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet (“The main idea in this second class of SAR techniques is to use two one-bit flags to indicate for each SAR PDU, whether the PDU is the first, the last or a middle fragment of an SDU or whether it is a complete SAR SDU. Both flags are part of the PDU header. In some implementations (Frame Relay and PPP multilink), one distinguishes the function of the two flags as one indicating the beginning of an SDU and the other one indicating its end. The beginning fragment bit B is set to 1 on the first fragment derived from an SAR SDU and set to 0 for all other fragments from the same SDU. The ending fragment bit E is set to 1 on the last fragment and set to 0 for all other fragments. A PDU may have both the beginning and ending fragment bits set to 1. In this case, it indicates that no segmentation took place. A fragment sequence numbering is further added in order to the receiver unit to detect fragment loss and potentially to perform PDU reordering if the link does not preserve the PDU sequence. After reordering, the receiver can easily check the B and E bits to identify which SAR PDU need to be combined to re-build the original SDUs” – See [0020]; See also Fig. 4; A SDU (packet) is fragmented into a plurality of SAR PDUs (fragments), where each SAR PDU includes an encapsulation header with a 2-bit field (i.e., two 1-bit flags) which indicate whether the packet has been fragmented and a FSN (sequence number) for the fragment).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify Imai to include encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.  Motivation for doing so would be to include information necessary for the receiver to reorder the fragments if they are received out of order and reassemble them into the original packet (See Charpentier, [0020]).

Regarding Claim 32, Imai teaches the non-transitory machine readable medium of Claim 31.  Imai further teaches the filter executing on the first host computer is a first filter, and a second filter executing on the second host computer (See also Fig. 2; Host OS 30 of server α is the first filter that executes on the first host computer and Host 30 of server γ is the second filter that executes on the second host computer).
Imai does not explicitly teach that the second filter (i) receives each of the two packets, (ii) identifies each of the two packets as fragments based on the 2-bit field and fragment sequence number found in the encapsulation headers of each of the two packets, and (iii) combines the fragments to reconstruct the original encapsulated packet.
However, Charpentier teaches (i) receiving each of the two packets, (ii) identifying each of the two packets as fragments based on the 2-bit field and fragment sequence number found in the encapsulation headers of each of the two packets, and (iii) combining the fragments to reconstruct the original encapsulated packet (“A fragment sequence numbering is further added in order to the receiver unit to detect fragment loss and potentially to perform PDU reordering if the link does not preserve the PDU sequence. After reordering, the receiver can easily check the B and E bits to identify which SAR PDU need to be combined to re-build the original SDUs” – See [0020]; The receiver receives a plurality of fragmented packets.  It uses the B and E bits (2-bit field) and fragment sequence number to reorder the received fragments and combine the fragments to rebuild/reconstruct the original SDU (original encapsulated packet)).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to modify Imai such that the second filter (i) receives each of the two packets, (ii) identifies each of the two packets as fragments based on the 2-bit field and fragment sequence number found in the encapsulation headers of each of the two packets, and (iii) combines the fragments to reconstruct the original encapsulated packet for the same reasons as those given with respect to Claim 29. 

Claim 39 is rejected based on reasoning similar to Claim 29.
Claim 40 is rejected based on reasoning similar to Claim 30.

Conclusion
The prior art made of record but not relied upon is considered pertinent to Applicant’s disclosure for teaching general concepts from the claimed invention such as virtual machines, virtual private networks, encapsulation, and so on.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Scott M Sciacca whose telephone number is (571)270-1919. The examiner can normally be reached Monday thru Friday, 7:30 A.M. - 5:00 P.M. EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Avellino can be reached on (571) 272-3905. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SCOTT M SCIACCA/               Primary Examiner, Art Unit 2478