Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The instant application having Application No. 16/654,160 is presented for examination by the examiner.  Claims 3 and 11 are cancelled.  Claims 1, 9, 10, 16, and 17 are amended.  Claims 1-2, 4-10, and 12-20 are pending.  The request for interview on 6/22/22 was granted.  Examiner was unable to reach Applicant’s representative via email or phone to confirm the interview.  Examiner will grant an interview in the future if requested again.  

Response to Amendment

Specification
	Objection to the Specification is overcome by amendment.


Claim Rejections - 35 USC § 101
	Rejections under this statute are overcome by amendment.


Claim Rejections - 35 USC § 112

Claims 1-15 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. 

As per claims 1 and 9, it is unclear what is meant by provisioning a trusted network edge with the key.  Previously, in the claim, the key was sent to the external segmentation orchestrator.  Is the step of provisioning the key separate from sending the key to the external segmentation orchestrator, or does that happen automatically because the external segmentation orchestrator has possession of the key and provides the network’s edge to devices outside the network?  Or does the external segmentation orchestrator send the key to a separate trusted network edge, and if so, is that network hardware?   It is unclear if the claims are meant to infer that the trusted edge is a separate device on the network or a place on the network.  Appropriate correction is required.


Response to Arguments
Applicant’s arguments with accompanying amendments, with respect to 35 USC §101, have been fully considered and are persuasive.  The rejection under this statute has been withdrawn. 
Applicant's arguments filed 6/3/22 with respect to 35 USC §102 & §112 have been fully considered but they are not persuasive. 
First, Applicant points out that Examiner mapped both the internal and external segmentation orchestrators to the same router.  Due to a typo in some of the mapping explanations, it is apparent why Applicant asserts this.  However, as some claims indicate, the intention was to map the external segmentation orchestrator to the router nearest the untrusted device.  The router is depicted as 115 and 220 in Figures 1 and 2, respectively.  The referenced numeral 285 is indeed the outward facing port of router 115/220 and constitutes the trusted network’s edge.  It is unclear if the claims are meant to infer that the trusted edge is a separate device or a place. Examiner mapped the internal segmentation orchestrator to the routers nearest the trusted servers of the network, i.e. 122 and 235.  
Applicant alleges there is no separate mentioning of a key.  Applicant points to paragraph 0069, but details about the key were provided in the explanations and citations in the previous limitations of the independent claims.  Provisioning a key is a broad action.  It can mean simply to supply a key.  Paragraph 0069 captures the point of the security of Gai with the teaching that the flow of packets from devices is controlled at the network edge.  The rejection already explained that the routers have the keys they need to encrypt/decrypt packets that include the SGT (0044).  The SGT and key are clearly different.  The SGT is for access control and the key is for privacy.
As explained above, the step of provisioning, even with the new amendment subject matter, is unclear.  If the external segmentation orchestrator is on the edge of the trusted network (as taught by Gai) and has the key needed to secure communication, one could argue the external segmentation orchestrator is provisioning the trusted edge because it can handle ingress traffic to the trusted network.  
As per claim 17, the amended transmitting step now specifies that the external orchestrator transmits.  This changes the mapping of the prior art slightly.  It should be noted that only the first and last steps specify which entity is performing the action.  Step 1 is mapped to the teaching that router 215 (external) needs the public key of router 240 (internal) in order to encrypt packets sent to 240.  Also, it is noted that the key is not further used in claim 17.  Step 2 is mapped to the teaching (Fig. 7 and 0079 and 0080) of when a packet destined for the untrusted host (705) includes the SGT when it arrives at 725 from 730 (internal).  Step 3 is mapped to the teaching that messages in the system are encrypted including the SGT (0042).  Step 4 is mapped to when router 725 received the packet from 730 and forwarded it to host 705 (0079 and 0080) for the embodiment where the encrypted packet can be decrypted by the host (0045).  The last part of step 4 is considered intended use, although once a host device is able to send and receive packets using SGT, the host is then a part of a segment of the trusted network by being able to utilize the outward facing port 726 of router 725.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2, 4-10, and 12-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent Application Publication 2005/0190758 to Gai et al., hereinafter Gai.

As per claims 1 and 9, Gai teaches generating, by an internal segmentation orchestrator [internal router], a key to cipher/decipher [public key to be used by router 215/220; 0044] a cryptographic segmentation tag [SGT] used by an untrusted device (Fig. 3, 280); 
transmitting the key to an external segmentation orchestrator [router 215/220 | the sending router (215/220) needs the public key of 240 to encrypt the packet with the SGT to internal routers, so key exchange must occur; 0042, 0044, and 0074]; 
transmitting the cryptographic segmentation tag to the external segmentation orchestrator [host device can insert the SGT into a packet that is transmitted to its nearest router; “SGT could be applied by visitor device 205”; 0071; alternatively, and in the case of claim 9, the packets received at 220 from 240 and destined for 280 include an encrypted SGT; (0045, 0079, and 0080)]; and 
provisioning, via the external segmentation orchestrator, a trusted network edge with the key [traffic coming in can be encrypted with the key (0102) and forwarded on per network role; 0069], wherein the internal segmentation orchestrator and the trusted network edge are within a trusted network [220 and its outward facing ports, constituting an edge, and 240 are in the same network 201].

As per claim 17, Gai teaches receiving, from an internal orchestrator [internal router near servers] and at an external orchestrator [215/220], a key [the sending router (220) needs the public key of 240 to encrypt the packet with the SGT to forward to internal routers, so key exchange must occur; 0042, 0044, and 0074] to cipher/decipher a cryptographic segmentation tag [SGT encrypted; 0042] used by an untrusted device (Fig. 3, 280); 
receiving a segmentation tag from the internal orchestrator [(Fig. 7 and 0079 and 0080) of when a packet destined for the untrusted host (705), includes the SGT when it arrives at 725 from 730 (internal)]; 
applying a cipher to the segmentation tag to yield a ciphered segmentation tag [messages in the system that contain an SGT are encrypted (0042 and 0102)]; and 
transmitting, from the external orchestrator, the ciphered segmentation tag to the untrusted device for use in onboarding the untrusted device to a segment of a trusted network at a trusted network edge [router 725 received the packet from 730 and forwarded it to host 705 (0079 and 0080) for the embodiment where the encrypted packet can be decrypted by the host (0045). The last part of step 4 is considered intended use, although once a host device is able to send and receive packets using SGT, the host is then a part of a segment of the trusted network by being able to utilize the outward facing port 726 of router 725].
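For reference, the following is an added, self-contained model of the exchange recited in claims 1/9 and 17 as the claims are read in this action: the internal orchestrator generates the key, the external orchestrator receives the key and the segmentation tag, ciphers the tag, hands the ciphered tag to the untrusted device, and the trusted edge (once it holds the key) deciphers the tag and onboards the device into the matching segment. It is not code from the application, from Gai, or from this Office action. The class names, the HMAC-based toy cipher (a stand-in for a real AEAD), the sample tag "SGT-0042", the segment table, and the reading under which the external orchestrator pushes the key to the edge (the "provisioning" step) are all assumptions made for illustration only.

```python
"""Added illustrative model of the claimed key/segmentation-tag exchange.
Not the application's, Gai's, or the Office's code; all names are assumptions."""
import hashlib
import hmac
import os

NONCE_LEN = 16
MAC_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def cipher_tag(key: bytes, tag: bytes) -> bytes:
    """Encrypt-then-MAC the tag: returns nonce || ciphertext || MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(tag, _keystream(enc_key, nonce, len(tag))))
    mac = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:MAC_LEN]
    return nonce + ct + mac


def decipher_tag(key: bytes, blob: bytes):
    """Check the MAC first; return the plaintext tag, or None if the blob was altered
    or ciphered under a different key."""
    if len(blob) < NONCE_LEN + MAC_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, mac = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class InternalOrchestrator:
    """Inside the trusted network: generates the key and owns the tag-to-segment table."""
    def __init__(self):
        self.segments = {b"SGT-0042": "guest-wifi"}  # constructed sample tag and segment

    def generate_key(self) -> bytes:
        return os.urandom(32)


class ExternalOrchestrator:
    """Faces the untrusted device: receives key and tag, ciphers the tag, provisions the edge."""
    def __init__(self):
        self.key = None
        self.tag = None

    def receive_key(self, key: bytes):
        self.key = key

    def receive_tag(self, tag: bytes):
        self.tag = tag

    def provision_edge(self, edge):
        edge.key = self.key  # assumed reading: the orchestrator pushes the key to the edge

    def ciphered_tag_for_device(self) -> bytes:
        return cipher_tag(self.key, self.tag)


class TrustedEdge:
    """Within the trusted network; onboards a device only with a tag it can decipher."""
    def __init__(self, segments: dict):
        self.key = None
        self.segments = segments

    def onboard(self, ciphered_tag: bytes):
        if self.key is None:
            return None  # not provisioned: nothing can be admitted
        tag = decipher_tag(self.key, ciphered_tag)
        return None if tag is None else self.segments.get(tag)


def run_exchange() -> dict:
    """Walk the claimed steps end to end; also show a tampered tag and a wrong-key edge."""
    internal, external = InternalOrchestrator(), ExternalOrchestrator()
    edge = TrustedEdge(internal.segments)
    external.receive_key(internal.generate_key())       # step 1: key to external orchestrator
    external.receive_tag(b"SGT-0042")                    # step 2: tag to external orchestrator
    external.provision_edge(edge)                        # provisioning (assumed reading)
    blob = external.ciphered_tag_for_device()            # step 3: ciphered tag to device
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    stranger = TrustedEdge(internal.segments)
    stranger.key = os.urandom(32)                        # an edge never given this key
    return {"segment": edge.onboard(blob),               # step 4: device onboarded
            "tampered": edge.onboard(tampered),
            "wrong_key": stranger.onboard(blob)}


if __name__ == "__main__":
    print(run_exchange())
```

The MAC is checked before any decryption, so a tag that was altered in transit, or that was ciphered under a key the edge was never provisioned with, yields no segment rather than a garbled one.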
As per claims 2 and 10, Gai teaches onboarding, based on the key and the cryptographic segmentation tag, the untrusted device, wherein the untrusted device receives the cryptographic segmentation tag from the external segmentation orchestrator [interpreted one of two ways; the untrusted device receives the tag by the fact that its encrypted message has the SGT embedded into it (0074), or the device applies the SGT itself as suggested in 0071.]

As per claims 4 and 12, Gai teaches onboarding the untrusted device into a segment of a trusted network comprises receiving, at the trusted network edge, the cryptographic segmentation tag associated with the segment (“SGT could be applied by visitor device 205”; 0071).
As per claims 5 and 13, Gai teaches the cryptographic segmentation tag is configured for one of macro-segmentation, micro-segmentation, or both macro-segmentation and micro-segmentation (0069; defines groups having roles).
As per claims 6 and 14, Gai teaches the cryptographic segmentation tag is carried in a specific data-plane between the untrusted device and the trusted network edge (0095, 0099, and 0102).

As per claims 7 and 15, Gai teaches a signature for the cryptographic segmentation tag is applied (0043).
As per claims 8 and 16, Gai teaches provisioning the trusted network edge with the cryptographic segmentation tag (0062-0063 and 0105).

As per claim 18, Gai teaches the ciphered segmentation tag is used to onboard, based on the key, the untrusted device (0074).
As per claim 19, Gai teaches the internal segmentation orchestrator and the trusted network edge are within a trusted network (0069).
As per claim 20, Gai teaches onboarding the untrusted device into a segment of a trusted network comprises receiving, at the trusted network edge, the cryptographic segmentation tag associated with the segment (0074).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431