DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/06/2022 is being considered by the examiner.

Claim Objections
Claims 6-7 are objected to because of the following informalities:
In claim 6, line 2, where it says “application to allocation the memory…” should be --application to allocate the memory…--.
In claim 7, line 2, where it says “application to allocation the memory…” should be --application to allocate the memory…--.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 16-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hausauer et al. (US 2019/0102568).
With respect to claim 16, Hausauer et al. teaches a processor to allocate a memory address to an application executing on the processor (see paragraph 54; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node (i.e., memory region is allocated)), the memory address of a memory across a network (see Figs. 1 and 2A-2B, and paragraph 23; a client node 101 includes an interface 120 to communicate information and data with other client nodes 101 and storage nodes 103. In one example, a client node 101 may read and write information to a storage node 103 and storage 125 using RDMA);
an encryption engine comprising circuitry (see Figs. 2A-2B, and paragraph 24; node 201 includes a computing processor 210, memory 215, and an interface 220…The interface 220 may include interface circuitry to process one or more instruction. The interface 220 may include cryptographic logic 202) to:
obtain application data and the memory address (see paragraphs 30 and 32; RDMA logic 204 may receive the data or an indication of the received data. The RDMA logic 204 may determine a security association context related to the data and packet based on the IOPs request for the data, which may include a memory region index value); and
encrypt the application data based on a key and a pointer to the memory address (see paragraph 25; security association context specifies a cryptographic type and a secure data key. Also in paragraph 33; RDMA logic 204 may append the security association context index to the RDMA requests communicated to host memory, such as memory 215. The cryptographic logic 202 may intercept these RDMA requests, steering the packet data to the cryptographic logic 202 itself. The cryptographic logic 202 may apply cryptographic processing, e.g. encryption); and
network interface circuitry to provide communication between the processor and the memory across the network (see paragraph 23; client node 101 includes an interface 120 to communicate information and data with other client nodes 101 and storage nodes 103. In one example, a client node 101 may read and write information to a storage node 103 and storage 125 using RDMA).

With respect to claim 17, Hausauer et al. teaches wherein the network interface circuitry is to provide communication between the processor and the memory across the network via a Remote Direct Memory Access (RDMA)-based protocol (see paragraphs 23 and 24; client node 101 includes an interface 120 to communicate information and data with other client nodes 101 and storage nodes 103. In one example, a client node 101 may read and write information to a storage node 103 and storage 125 using RDMA).

With respect to claim 18, Hausauer et al. teaches wherein the system includes a system-on-chip (SoC) that comprises the processor and the encryption engine (see Fig. 1; and paragraph 20; system on chip).

With respect to claim 19, Hausauer et al. teaches wherein the system includes a system-on-chip (SoC) that comprises the processor and an infrastructure processing unit (IPU) coupled to the SoC, the IPU comprising the encryption engine and the network interface circuitry (Figs. 1 and 2A-2B; and paragraphs 20, 23 and 27-28; node 201 includes a computing processor 210, memory 215, and an interface 220. The interface 220, such as a network interface component or device, may include additional elements to provide security mechanisms for data and information stored on a storage node. More specifically, the interface 220 may include interface circuitry to process one or more instruction. The interface 220 may include cryptographic logic 202, RDMA logic 204).

With respect to claim 20, Hausauer et al. teaches wherein the system includes a first system-on-chip (SoC) that comprises the processor and a second SoC coupled to the memory, the second SoC comprising the encryption engine (see paragraphs 20 and 24; system on chip).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hausauer et al. (US 2019/0102568) in view of Bowen (US 9,185,088).
With respect to claim 1, Hausauer et al. teaches direct an application executing on the host node to allocate a memory address of the remote node (see paragraph 54 and claim 1; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node (i.e., memory region is allocated)); and
configure the selected node to encrypt the application data based on a key and a pointer to the memory address of the remote node (see paragraph 25; a security association context specifies a cryptographic type and a secure data key. Also in paragraph 33; RDMA logic 204 may append the security association context index to the RDMA requests communicated to host memory, such as memory 215. The cryptographic logic 202 may intercept these RDMA requests, steering the packet data to the cryptographic logic 202 itself. The cryptographic logic 202 may apply cryptographic processing, e.g. encryption).
Even though Hausauer et al. teaches determine a secure memory region (i.e., select a node) for a transaction, the secure memory region associated with a security association context to perform one or more of an encryption/decryption operation and an authentication operation for the transaction; perform one or more of the encryption/decryption operation and the authentication operation for the transaction based on the security association context; and cause communication of the transaction (see claim 1), Hausauer et al. does not explicitly teach obtain device capability information for a host node and a remote node across a network from the host node, the device capability information indicating whether the node can perform pointer-based cryptographic operations; and select, based at least in part on the device capability information, one of the host node or the remote node to encrypt application data of the application.
However, Bowen teaches a source-supported algorithms list 101, an intermediary source-supported algorithms list 111 and a destination-supported algorithms list 112. Each such list includes and identifies the encryption algorithms supported by each respective component (see column 5, lines 15-19 and 45-54)… the source-to-intermediary encryption algorithm may be selected based on factors such as, for example, a determination of which encryption algorithms are best supported by the source and the intermediary collectively or individually, also determination of which encryption algorithms are best supported by the destination may also be considered; and selected destination component is determined to receive the communications from the source (i.e., encryption of devices are obtained and a device is selected) (see column 11, lines 6-24).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the media taught by Hausauer et al. to include the above mentioned to enhance efficiency for secure communications (see Bowen, column 3, lines 1-5).

With respect to claim 2, Hausauer et al. does not teach wherein the instructions are to implement a dynamic load balancing policy to select one of the host node and the remote node.
However, Bowen teaches load balancer 2010 may select a particular web server 2020A-D to handle the communications from the source. The particular web server may be selected based on load balancing and any number of additional factors (see column 4, lines 28-32; and column 11, lines 5-24).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the media taught by Hausauer et al. to include the above mentioned to enhance efficiency for secure communications (see Bowen, column 3, lines 1-5).

With respect to claim 3, Hausauer et al. does not teach wherein the device capability information for each node includes capability information for an infrastructure processing unit (IPU) of the node.
However, Bowen teaches a source-supported algorithms list 101, an intermediary source-supported algorithms list 111 and a destination-supported algorithms list 112. Each such list includes and identifies the encryption algorithms supported by each respective component (see column 5, lines 15-19 and 45-54)… the source-to-intermediary encryption algorithm may be selected based on factors such as, for example, a determination of which encryption algorithms are best supported by the source and the intermediary collectively or individually, also determination of which encryption algorithms are best supported by the destination may also be considered; and selected destination component is determined to receive the communications from the source (i.e., encryption of devices are obtained and a device is selected) (see column 11, lines 6-24).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the media taught by Hausauer et al. to include the above mentioned to enhance efficiency for secure communications (see Bowen, column 3, lines 1-5).

With respect to claim 4, Hausauer et al. teaches wherein the instructions are to configure the IPU of the selected node to encrypt the application data (see paragraph 25; a security association context specifies a cryptographic type and a secure data key. Also in paragraph 33; RDMA logic 204 may append the security association context index to the RDMA requests communicated to host memory, such as memory 215. The cryptographic logic 202 may intercept these RDMA requests, steering the packet data to the cryptographic logic 202 itself. The cryptographic logic 202 may apply cryptographic processing, e.g. encryption).

With respect to claim 5, Hausauer et al. does not explicitly teach wherein the instructions are to configure the selected node via memory mapped input/output (MMIO) commands.
However, Hausauer et al. teaches determine a secure memory region for a transaction, the secure memory region associated with a security association context to perform one or more of an encryption/decryption operation and an authentication operation for the transaction; perform one or more of the encryption/decryption operation and the authentication operation for the transaction based on the security association context; and cause communication of the transaction (see claim 1).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the media to include the above mentioned to ensure data security and/or authenticity (see Hausauer et al., paragraph 22, lines 1-4).

With respect to claim 6, Hausauer et al. teaches wherein the instructions are to direct the application to allocation the memory address of the remote node for core data (see paragraph 54; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node).

With respect to claim 7, Hausauer et al. teaches wherein the instructions are to direct the application to allocation the memory address of the remote node for input/output (IO) device data or code (see paragraph 54; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node).

With respect to claim 8, Hausauer et al. teaches directing an application executing on the host node to allocate a memory address of the remote node (see paragraph 54 and claim 1; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node (i.e., memory region is allocated));
configuring the selected node to encrypt the application data based on a key and a pointer to the memory address of the remote node (see paragraph 25; a security association context specifies a cryptographic type and a secure data key. Also in paragraph 33; RDMA logic 204 may append the security association context index to the RDMA requests communicated to host memory, such as memory 215. The cryptographic logic 202 may intercept these RDMA requests, steering the packet data to the cryptographic logic 202 itself. The cryptographic logic 202 may apply cryptographic processing, e.g. encryption).
Even though Hausauer et al. teaches determine a secure memory region (i.e., select a node) for a transaction, the secure memory region associated with a security association context to perform one or more of an encryption/decryption operation and an authentication operation for the transaction; perform one or more of the encryption/decryption operation and the authentication operation for the transaction based on the security association context; and cause communication of the transaction (see claim 1), Hausauer et al. does not explicitly teach obtaining device capability information for a host node and a remote node across a network from the host node, the device capability information indicating whether the remote node can perform pointer-based cryptographic operations; and selecting, based at least in part on the device capability information, one of the host node or the remote node to encrypt application data of the application.
However, Bowen teaches a source-supported algorithms list 101, an intermediary source-supported algorithms list 111 and a destination-supported algorithms list 112. Each such list includes and identifies the encryption algorithms supported by each respective component (see column 5, lines 15-19 and 45-54)… the source-to-intermediary encryption algorithm may be selected based on factors such as, for example, a determination of which encryption algorithms are best supported by the source and the intermediary collectively or individually, also determination of which encryption algorithms are best supported by the destination may also be considered; and selected destination component is determined to receive the communications from the source (i.e., encryption of devices are obtained and a device is selected) (see column 11, lines 6-24).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the media taught by Hausauer et al. to include the above mentioned to enhance efficiency for secure communications (see Bowen, column 3, lines 1-5).


With respect to claim 9, Hausauer et al. does not teach wherein the selection is based further on one or more of processing workloads of the host node and the remote node, a type of processor in the host node and the remote node, and a geolocation of the remote node.
However, Bowen teaches load balancer 2010 may select a particular web server 2020A-D to handle the communications from the source. The particular web server may be selected based on load balancing and any number of additional factors (see column 4, lines 28-32; and column 11, lines 5-24).
It would have been obvious to a person having ordinary skill in the art to which said subject matter pertains before the effective filing date of the claimed invention to have modified the method taught by Hausauer et al. to include the above mentioned to enhance efficiency for secure communications (see Bowen, column 3, lines 1-5).

With respect to claim 10, Hausauer et al. teaches wherein the application is directed to allocate the memory address of the remote node for core data (see paragraph 54; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node).

With respect to claim 11, Hausauer et al. teaches wherein the application is directed to allocate the memory address of the remote node for input/output (IO) device data or code (see paragraph 54; ending a put request to a remote storage node from an interface. In some instances, the put request may be an RDMA Send command including an SGE pointing to a created secure memory region to store the data to be written to the remote storage node).

With respect to claim 12, Hausauer et al. teaches wherein the host node is selected, and the method further comprises encrypting the application data at the host node and transmitting the encrypted application data to the remote node for storage at the allocated memory address (see paragraph 29 and claim 3; determine the transaction is a write transaction to put data in a remote storage coupled via a network interconnect; perform the encryption/decryption operation using information from the security association context to encrypt the data generating encrypted data; and cause communication of the encrypted data to the remote storage).

With respect to claim 13, Hausauer et al. teaches wherein the encryption is performed by an infrastructure processing unit (IPU) of the host node, the IPU comprising a processor and a network interface (see Figs. 1 and 2A-2B; and paragraphs 20, 23 and 27-28; node 201 includes a computing processor 210, memory 215, and an interface 220. The interface 220, such as a network interface component or device, may include additional elements to provide security mechanisms for data and information stored on a storage node. More specifically, the interface 220 may include interface circuitry to process one or more instruction. The interface 220 may include cryptographic logic 202, RDMA logic 204).

Allowable Subject Matter
Claims 14 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Durham et al. (US 2020/0125501). Durham et al. teaches pointer-based data encryption.
Barsness et al. (US 2017/0171223). Barsness et al. teaches management of encryption within processing elements.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARACELIS RUIZ whose telephone number is (571)270-1038. The examiner can normally be reached Monday-Friday 11:00am-7:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Reginald G. Bragdon can be reached on (571)272-4204. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ARACELIS RUIZ/Primary Examiner, Art Unit 2139