Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION

a.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/25/2022 has been entered.
Claims 1-20 in the present application, filed on or after March 16, 2013, are being examined under the first inventor to file provisions of the AIA .
	- claims 1, 8, 15, and 16 are amended
b.	This is a first action on the merits based on Applicant’s claims submitted on 07/25/2022.

Information Disclosure Statement

	The information disclosure statement (IDS) submitted on 05/13/2022 and 09/01/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments

Regarding claims 1, 8, 15, and 16 previously objected for minor informalities, claims 1, 8, 15, and 16 have been amended according to the examiner's recommendation and thus the previous objection has been withdrawn.
Regarding Independent claims 1, 8, and 15 previously rejected under 35 U.S.C. § 103, Applicant's arguments, see “To further prosecution, Applicant has amended Claim 1 to further define that the inner headers of packet are stored, and the packet is encapsulated after the inner headers of the packet are stored (thereafter, a hash is performed on the stored inner headers of the packet to select a particular CPU to process the encapsulated packet).” on page 9, filed on 07/25/2022, with respect to U.S. Patent Application Publication No. 2019/0173851 (Jain) in view of U.S. Patent Application Publication No. 2013/0201989 (Hu), further in view of U.S. Patent No. 9,674,088 (Sivaramakrishnan), have been fully considered but are moot, over the limitations of “encapsulating the packet after storing the one or more inner headers of packet”. Said limitations are newly added to the amended Claims 1, 8, and 15 and have been addressed in instant office action, as shown in section 35 USC 103 rejection below, with new teaching from newly identified reference Parry et al. US Pub 2007/0098006 (hereinafter “Parry”), in combination with previously applied references Jain, Hu, and Sivaramakrishnan, thus rendering said Applicant’s arguments moot.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-4, 5-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jain et al. US Pub 2019/0173851 (hereinafter “Jain”), in view of Hu et al. US Pub 2013/0201989 (hereinafter “Hu”) and of Sivaramakrishnan et al. US Patent 9674088 (hereinafter “Sivaramakrishnan”), and further in view of Parry et al. US Pub 2007/0098006 (hereinafter “Parry”). 
Regarding claim 1 (Currently Amended)
Jain discloses a computer-implemented method for load balancing of traffic (“the encryption-parameter-set identifier for a particular encryption tunnel is chosen based on a load-balancing algorithm or method.  In some embodiments, each new encryption tunnel is assigned an encryption-parameter-set identifier based on a current load of each processor.”; [0090]) over multiple IPsec VPN tunnels (“The method, in some embodiments, configures a set of encryption  tunnels (e.g., internet protocol security (IPSec) protocol tunnels” [0003]), the method comprising:
receiving, by the gateway, a packet (“FIG. 3 conceptually illustrates a process for configuring processors of a gateway computer to use specific tunnels for transmitting data messages.” [0015]);
selecting, by a logical router, a virtual tunnel interface (“VTI’’) from a plurality of VTIs (“the VTI used is based on a hash of packet attributes (e.g., header values such as a 5-tuple).  Using a consistent hash of packet attributes ensures that data messages belonging to the same flow will be marked with the same VTI, and ultimately sent over the same tunnel using the same encryption parameters.” [0053]);
relaying, by the logical router (“forwarding elements (FE 1-6) such as switches, routers, bridges, etc., which may implement logical forwarding elements” [0033]; Fig. 2), the packet to the selected VTI (“In order to mark the data messages, the process adds (at 320) a virtual tunnel interface (VTI) key corresponding to each pair of tunnel endpoints.  The VTI in some embodiments acts as a packet destination device that serves to mark a data message with the key value of the VTI device.  As discussed above, the VTI and its associated key value (e.g., mark) are used to distinguish data messages requiring encryption using a particular tunnel from data messages either requiring encryption using a different tunnel or not requiring encryption at all.” [0050]);
forwarding the packet via an IPsec VPN tunnel of the plurality of IPsec VPN tunnels, the IPsec VPN tunnel corresponding to the selected VTI (“The process then uses (at 450) a set of encryption parameters (e.g., a security association (SA) in IPSec) that match the data message and the mark associated with the VTI to encrypt the data message… Once the data message is encrypted, the process (at 460) transmits the encrypted data message over the tunnel specified by the encryption parameters identified.  The encrypted data message, in some embodiments, includes an unencrypted portion specifying the remote tunnel endpoint and the encryption key identification (e.g., an SPI for IPSec).” [0058-0059]);
Jain does not specifically teach load balancing of L2VPN traffic over multiple IPsec VPN tunnels..
In an analogous art, Hu discloses method for load balancing of L2VPN traffic (“load balancing systems and methods”, “L2VPN”; [0024], [0044]) over multiple IPsec VPN tunnels (“internet protocol security (IPsec)” [0031])
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier to include Hu’s method for stateless load balancing of network traffic flows in multi-node systems, in order to achieve better load balancing for L2VPN traffic (Hu [0083]).
Jain and Hu do not specifically teach storing one or more inner headers of the packet; encapsulating the packet; accessing the stored one or more inner headers; generating a hash value from the stored one or more inner headers; and based at least on the generated hash, selecting a particular central processing unit (CPU) to process the encapsulated packet.
In an analogous art, Sivaramakrishnan discloses storing one or more inner headers of the packet (“The method also includes forwarding, by the second processing core, the inner packet to a virtual machine (i.e. store in virtual machine) of the virtual machines.” Col. 4, lines 9-11); and furthermore “a virtual router may, as described herein, buffer (i.e. store) and aggregate multiple tunneled packets received from the underlying physical network fabric prior to delivery to the appropriate routing instance for the packets. In some examples, the virtual router aggregates multiple packets according to matching criteria that includes the virtual network identifier of the outer header as well as one or more fields of the inner header.” Col. 2, lines 12-19);
accessing the stored one or more inner headers (the designated core retrieves the inner header from the virtual machine “the designated processor core applies a hash function to an inner header of each received packet” col. 2, lines 61-62);
generating a hash value from the stored one or more inner headers; and based at least on the generated hash value, selecting a particular central processing unit (CPU) (i.e. “mapped processor core”) to process the encapsulated packet (“the designated processor core applies a hash function to an inner header of each received packet to determine a corresponding hash value that maps to one of the processor cores of the server and directs the received packet to the mapped processor core for processing.” Col. 2, lines 61-65).
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier, as modified by Hu, to include Sivaramakrishnan’s techniques for enhancing operations of virtual networks, in order to achieve better load balancing (“In another example of enhancing the operation of the virtual routers, techniques are described for steering received packets among multiple processor cores to facilitate packet processing load balancing among the cores.” Sivaramakrishnan, Col. 2, lines 50-53).
Jain, Hu, and Sivaramakrishnan do not specifically teach encapsulating the packet after storing the one or more inner headers of packet.
In an analogous art, Parry discloses encapsulating the packet after storing the one or more inner headers of packet (“It is possible to hash on fields retrieved from the inner (customer) header: such as the Destination and Source Ethernet addresses 73, 74. Alternatively a hash function can be performed on the so-called 5-way IP match using fields retrieved from the inner IP header 75 and UDP header 80.” [0039]).
Examiner’s Notes: in an analogous art, Veeraiyan (US Pub 2014/0059111) also discloses encapsulating the packet after storing the one or more inner headers of packet (“During operation, the physical network interface hashes a 5 tuple of a VXLAN encapsulated packet's outer source/destination IP addresses, source/destination UDP ports, and protocol to produce a hash result, and uses this hash result to distributed the received VXLAN encapsulated packets to multiple RSS receive queues. Because a VXLAN encapsulated packet's source UDP port is based on a hash of its inner TCP/IP header, packets destined for the same VM (or the same UDP flow) would be redirected to the same RSS receive queue and thus maintain the order of packet delivery. Hence, multi-core processing can be achieved for VXLAN encapsulated packets while maintaining in-order delivery of specific VM/flow packets.” [0008]).
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier, as modified by Hu and Sivaramakrishnan, to include Parry’s method for traffic tunneling, in order to achieve better load balancing (Parry [0012]). Thus, a person of ordinary skill would have appreciated the ability to incorporate Parry’s method for traffic tunneling into Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Regarding claim 2
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 1, 
Hu further discloses wherein the hash value for the packet is determined based on a 5-tuple included in the one or more inner headers (“The hashing module 316 may perform a hash function using one or more header fields such as VLAN, IPv4/v6 5-tuple, MPLS labels, source IP address, destination IP address, UDP/TCP ports, MAC addresses, EtherType, GTP-U, GTP-C, SPI, SIP, and/or other header fields.” [0040]; [0045]); and
Jain further discloses wherein the hash value for the packet is determined by applying an XOR operator to elements of the 5-tuple (“hash of packet attributes (e.g., header values such as a 5-tuple)” [0053]).

Regarding claim 3
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 1, 
Sivaramakrishnan previously discloses the use of inner headers in afore-mentioned claim 1 discussion.
Hu further discloses wherein the hash value for the packet is determined based on contents of an inner VLAN header of the packet (“The hashing module 316 may perform a hash function using one or more header fields such as VLAN” [0040]; [0011]).

Regarding claim 4
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 1, 
Jain further discloses wherein the IPsec VPN tunnel of the plurality of IPsec VPN tunnels is associated with a corresponding VPN session (“In embodiments using an IPSec protocol, these policies may be defined in a security association (SA) along with an encryption algorithm, an encryption key, and a destination address (e.g., an IP address of a destination tunnel endpoint)” [0007]) and is defined at least by two endpoints (“the term tunnel refers to a connection between two tunnel endpoints (e.g., IP addresses).” [0031]), each of the endpoints having a unique underlay VPN address (“a hash of a set of unencrypted header values (e.g., the unencrypted locally-unique identifier and/or tunnel endpoint network address) can be used to distribute encrypted data messages among the processors of the destination computer.” [0009]); and
wherein a VTI of the plurality of VTIs has an associated VTI address (step 330 in Fig. 3; [0051]) which is uniquely mapped onto one of two VPN addresses of an IPsec VPN tunnel (step 320 in Fig. 3; [0050]) of the plurality of IPsec VPN tunnels (“Each interface has a unique network (e.g., IP) address that is used to address the interface, and each tunnel is therefore defined by the pair of network addresses of the tunnel endpoint interfaces.  In some embodiments, the interfaces include both hardware and virtual interfaces, while in other embodiments only one of hardware or virtual interfaces is used.” [0034]).

Regarding claim 5
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 1, further comprising:
Hu further discloses before relaying the packet on a gateway output port associated with the selected VTI (“the method determines an egress port for returning the packet to the network.  The method also includes decapsulating the encapsulated packet to obtain a recovered packet that is identical to the received packet, and forwarding the recovered packet through the egress port to the network.” [0005]);
determining one or more outer headers for the packet; and encapsulating the packet with the one or more outer headers (“The method further includes hashing at least one of the fields of the one or more original headers to generate a hash value, indexing a hashing table using the hash value to identify a processing resource within the system for processing the received packet, and encapsulating the received packet to produce an encapsulated packet with an outer header that includes at least an indication of the port through which the received packet was received.  The encapsulated packet maintains, without any modification, the one or more original headers as received from the network in the received packet.” [0004]).
Sivaramakrishnan further discloses determining one or more outer headers for the packet; and encapsulating the packet with the one or more outer headers (“For instance, for a received packet, the designated processor core may apply the hash function to the outer header of the received packet to identify a processor core of the server with which to apply a hash function to the inner header of the received packet.” Col. 3, lines 1-5)

Regarding claim 6
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 1, further comprising:
Jain further discloses detecting the packet (i.e. step 1110 in Fig. 11; [0086]);
parsing the packet to determine whether a network identifier (i.e. “source subnet, “destination subnet”; “Each processor 502 of gateway computer 501A is configured to use a particular interface 503 (i.e., tunnel) by having the routing table for each processor configured to mark data messages with a particular VTI as described above in relation to FIG. 3.  Each encryption tunnel in the depicted embodiment is configured to encrypt data messages from any source subnet (0.0.0.0/0) to any destination subnet (0.0.0.0/0) that are marked with a key value specific to that tunnel.” [0061]) included in the packet indicates that the packet is intended to a stretched network implemented in a remote site (“The configuration for each tunnel includes, in some embodiments, specifying the network (e.g., IP) addresses of the tunnel endpoints (i.e., the local tunnel endpoint and the remote tunnel endpoint), a source subnet (e.g., a "rightsubnet"), a destination subnet (e.g., a "leftsubnet"), and an optional mark value that can be used to select a particular tunnel when two tunnels are configured with the same source subnet and destination subnet.” [0036]; Fig. 3); and
in response to determining that the network identifier included in the packet indicates that the packet is intended to the stretched network implemented in the remote site (i.e. “remote tunnel endpoint”), relaying the packet on a logical router port of a logical router (“Other elements of the datacenter include forwarding elements (FE 1-6) such as switches, routers, bridges, etc., which may implement logical forwarding elements, and data compute nodes such as virtual machines, servers, containers, etc. (not shown), that are sources of data message traffic between the datacenters.  The forwarding elements (either physical or logical), in some embodiments, define subnets (e.g., 192.168.100.0/24) which may be used to specify an encryption-based tunneling protocol policy.” [0033]) communicatively coupled to the gateway (e.g. “gateway computer 201” in Fig. 2) and indicating that the packet is to be communicated via the particular IPsec VPN tunnel of the plurality of IPsec VPN tunnels to the remote site (“FIG. 3 conceptually illustrates a process 300 for configuring processors of a gateway computer to use specific tunnels for transmitting data messages.  The process begins by configuring (at 310) tunnels for an encryption-based protocol (e.g., IPSec).  The configuration for each tunnel includes, in some embodiments, specifying the network (e.g., IP) addresses of the tunnel endpoints (i.e., the local tunnel endpoint and the remote tunnel endpoint), a source subnet (e.g., a "rightsubnet"), a destination subnet (e.g., a "leftsubnet"), and an optional mark value that can be used to select a particular tunnel when two tunnels are configured with the same source subnet and destination subnet.” [0036]; Fig. 3).

Regarding claim 7
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the computer-implemented method of Claim 6, further comprising:
Jain further discloses in response to determining that the network identifier included in the packet indicates that the packet is not intended to the stretched network implemented in the remote site (i.e. source and destination subnets are the same), relaying the packet on the logical router port of the logical router (“Other elements of the datacenter include forwarding elements (FE 1-6) such as switches, routers, bridges, etc., which may implement logical forwarding elements, and data compute nodes such as virtual machines, servers, containers, etc. (not shown), that are sources of data message traffic between the datacenters.  The forwarding elements (either physical or logical), in some embodiments, define subnets (e.g., 192.168.100.0/24) which may be used to specify an encryption-based tunneling protocol policy.” [0033]) communicatively coupled to the gateway (e.g. “gateway computer 201” in Fig. 2) and indicating that the packet is to be conventionally communicated via an IPsec VPN tunnel to the remote site (as taught by Hu in step 614 in Fig. 6; [0051]).

Regarding claim 8 (Currently Amended)
Jain discloses one or more non-transitory computer-readable storage media storing one or more computer instructions (“computer program instructions in a machine-readable or computer-readable medium” [0099]) which, when executed by one or more processors, cause the one or more processors to perform:
receiving a packet (“FIG. 3 conceptually illustrates a process for configuring processors of a gateway computer to use specific tunnels for transmitting data messages.” [0015]);
selecting a VTI device from available VTIs (“the VTI used is based on a hash of packet attributes (e.g., header values such as a 5-tuple).  Using a consistent hash of packet attributes ensures that data messages belonging to the same flow will be marked with the same VTI, and ultimately sent over the same tunnel using the same encryption parameters.” [0053]);
relaying, by the logical router (“forwarding elements (FE 1-6) such as switches, routers, bridges, etc., which may implement logical forwarding elements” [0033]; Fig. 2), the packet to the selected VTI (“In order to mark the data messages, the process adds (at 320) a virtual tunnel interface (VTI) key corresponding to each pair of tunnel endpoints.  The VTI in some embodiments acts as a packet destination device that serves to mark a data message with the key value of the VTI device.  As discussed above, the VTI and its associated key value (e.g., mark) are used to distinguish data messages requiring encryption using a particular tunnel from data messages either requiring encryption using a different tunnel or not requiring encryption at all.” [0050]);
forwarding the packet via an IPsec VPN tunnel of the plurality of IPsec VPN tunnels, the Ipsec VPN tunnel corresponding to the selected VTI (“The process then uses (at 450) a set of encryption parameters (e.g., a security association (SA) in IPSec) that match the data message and the mark associated with the VTI to encrypt the data message… Once the data message is encrypted, the process (at 460) transmits the encrypted data message over the tunnel specified by the encryption parameters identified.  The encrypted data message, in some embodiments, includes an unencrypted portion specifying the remote tunnel endpoint and the encryption key identification (e.g., an SPI for IPSec).” [0058-0059]).
Jain does not specifically teach storing one or more inner headers of the packet; encapsulating the packet; accessing the stored one or more inner headers; generating a hash value from the stored one or more inner headers; and based at least on the generated hash, selecting a particular central processing unit (CPU) to process the encapsulated packet.
In an analogous art, Sivaramakrishnan discloses storing one or more inner headers of the packet (“The method also includes forwarding, by the second processing core, the inner packet to a virtual machine (i.e. store in virtual machine) of the virtual machines.” Col. 4, lines 9-11); and furthermore “a virtual router may, as described herein, buffer (i.e. store) and aggregate multiple tunneled packets received from the underlying physical network fabric prior to delivery to the appropriate routing instance for the packets. In some examples, the virtual router aggregates multiple packets according to matching criteria that includes the virtual network identifier of the outer header as well as one or more fields of the inner header.” Col. 2, lines 12-19);
accessing the stored one or more inner headers (the designated core retrieves the inner header from the virtual machine “the designated processor core applies a hash function to an inner header of each received packet” col. 2, lines 61-62);
generating a hash value from the stored one or more inner headers; and based at least on the generated hash, selecting a particular central processing unit (CPU) (i.e. “mapped processor core”) to process the encapsulated packet (“the designated processor core applies a hash function to an inner header of each received packet to determine a corresponding hash value that maps to one of the processor cores of the server and directs the received packet to the mapped processor core for processing.” Col. 2, lines 61-65).
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier, to include Sivaramakrishnan’s techniques for enhancing operations of virtual networks in order to achieve better load balancing (“In another example of enhancing the operation of the virtual routers, techniques are described for steering received packets among multiple processor cores to facilitate packet processing load balancing among the cores.” Sivaramakrishnan, Col. 2, lines 50-53). 
Jain, Hu, and Sivaramakrishnan do not specifically teach encapsulating the packet after storing the one or more inner headers of packet.
In an analogous art, Parry discloses encapsulating the packet after storing the one or more inner headers of packet (“It is possible to hash on fields retrieved from the inner (customer) header: such as the Destination and Source Ethernet addresses 73, 74. Alternatively a hash function can be performed on the so-called 5-way IP match using fields retrieved from the inner IP header 75 and UDP header 80.” [0039]).
Examiner’s Notes: in an analogous art, Veeraiyan (US Pub 2014/0059111) also discloses encapsulating the packet after storing the one or more inner headers of packet (“During operation, the physical network interface hashes a 5 tuple of a VXLAN encapsulated packet's outer source/destination IP addresses, source/destination UDP ports, and protocol to produce a hash result, and uses this hash result to distributed the received VXLAN encapsulated packets to multiple RSS receive queues. Because a VXLAN encapsulated packet's source UDP port is based on a hash of its inner TCP/IP header, packets destined for the same VM (or the same UDP flow) would be redirected to the same RSS receive queue and thus maintain the order of packet delivery. Hence, multi-core processing can be achieved for VXLAN encapsulated packets while maintaining in-order delivery of specific VM/flow packets.” [0008]).
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier, as modified by Hu and Sivaramakrishnan, to include Parry’s method for traffic tunneling, in order to achieve better load balancing (Parry [0012]). Thus, a person of ordinary skill would have appreciated the ability to incorporate Parry’s method for traffic tunneling into Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Regarding claim 9
The one or more non-transitory computer-readable storage media of Claim 8,
wherein the hash value for the packet is determined based on a 5-tuple included in the one or more inner headers; and
wherein the hash value for the packet is determined by applying an XOR operator to elements of the 5-tuple;
The scope and subject matter of non-transitory computer readable medium claim 9 is drawn to the computer program product of using the corresponding method claimed in claim 2. Therefore computer program product claim 9 corresponds to method claim 2 and is rejected for the same reasons of obviousness as used in claim 2 rejection above.

Regarding claim 10
The one or more non-transitory computer-readable storage media of Claim 8, wherein the hash value for the packet is determined based on contents of an inner VLAN header of the packet.
The scope and subject matter of non-transitory computer readable medium claim 10 is drawn to the computer program product of using the corresponding method claimed in claim 3. Therefore computer program product claim 10 corresponds to method claim 3 and is rejected for the same reasons of obviousness as used in claim 3 rejection above.

Regarding claim 11
The one or more non-transitory computer-readable storage media of Claim 8, wherein an IPsec VPN tunnel of the plurality of IPsec VPN tunnels is associated with a corresponding VPN session and is defined at least by two endpoints, each of the endpoints having a unique underlay VPN address; and
wherein a VTI of the plurality of VTIs has an associated VTI address which is uniquely mapped onto one of two VPN addresses of an IPsec VPN tunnel of the plurality of IPsec VPN tunnels.
The scope and subject matter of non-transitory computer readable medium claim 11 is drawn to the computer program product of using the corresponding method claimed in claim 4. Therefore computer program product claim 11 corresponds to method claim 4 and is rejected for the same reasons of obviousness as used in claim 4 rejection above.

Regarding claim 12
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the one or more non-transitory computer-readable storage media of Claim 8, storing additional instructions which, when executed by the one or more processors cause the one or more processors to perform:
Sivaramakrishnan further discloses wherein the hash is computed from L3/L4 headers of the packet (“an inner L3 header (these are described more fully below with respect to FIG. 4)” col. 15, lines 35-36 and see also Fig. 4).

Regarding claim 13
The one or more non-transitory computer-readable storage media of Claim 8, storing additional instructions which, when executed by the one or more processors cause the one or more processors to perform:
detecting the packet;
parsing the packet to determine whether a network identifier included in the packet indicates that the packet is intended to a stretched network implemented in a remote site; and in response to determining that the network identifier included in the packet indicates that the packet is intended to the stretched network implemented in the remote site, 
relaying the packet on a logical router port of a logical router communicatively coupled to the gateway and indicating that the packet is to be communicated via the particular IPsec VPN tunnel of the plurality of IPsec VPN tunnels to the remote site.
The scope and subject matter of non-transitory computer readable medium claim 13 is drawn to the computer program product of using the corresponding method claimed in claim 6. Therefore computer program product claim 13 corresponds to method claim 6 and is rejected for the same reasons of obviousness as used in claim 6 rejection above.

Regarding claim 14
The one or more non-transitory computer-readable storage media of Claim 13, storing additional instructions which, when executed by the one or more processors cause the one or more processors to perform:
in response to determining that the network identifier included in the packet indicates that the packet is not intended to the stretched network implemented in the remote site,
relaying the packet on the logical router port of the logical router communicatively coupled to the gateway and indicating that the packet is to be conventionally communicated via an IPsec VPN tunnel to the remote site.
The scope and subject matter of non-transitory computer readable medium claim 14 is drawn to the computer program product of using the corresponding method claimed in claim 7. Therefore computer program product claim 14 corresponds to method claim 7 and is rejected for the same reasons of obviousness as used in claim 7 rejection above.

Regarding claim 15 (Currently Amended)
Jain discloses an edge service gateway (“FIG. 3 conceptually illustrates a process for configuring processors of a gateway computer to use specific tunnels for transmitting data messages.” [0015]) implemented in a computer network and configured to implement mechanisms for load balancing of L2VPN traffic over multiple IPsec VPN tunnels, the edge service gateway comprising:
one or more processors; one or more memory units; and
one or more non-transitory computer-readable storage media storing one or more computer instructions which, when executed by the one or more processors, cause the one or more processors to perform:
receiving a packet,
storing one or more inner headers of the packet;
encapsulating the packet after storing the one or more inner headers of packet;
selecting a VTI from available VTIs;
relaying the packet on a gateway output port that is associated with the selected VTI to allow forwarding of the packet via a particular IPsec VPN tunnel of a plurality of IPsec VPN tunnels;
accessing the stored one or more inner headers;
generating a hash value from the stored one or more inner headers; and
based at least on the generated hash, selecting a particular central processing unit (CPU) to process the encapsulated packet.
The scope and subject matter of apparatus claim 15 is drawn to the apparatus of using the corresponding method claimed in claim 1. Therefore apparatus claim 15 corresponds to method claim 1 and is rejected for the same reasons of obviousness as used in claim 1 rejection above.

Regarding claim 16 (Currently Amended)
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the edge service gateway of Claim 15, 
Sivaramakrishnan already discloses wherein the hash value is associated with the inner header (as afore-mentioned in claim 1 discussion)
Sivaramakrishnan further discloses wherein the hash value is based on the L3 header of the packet or both the L4 header and the L3 header of the packet (“Consequently, GRO 113 may view the multiple, tunnel packets as L2 packets, and GRO 113 can be leveraged to aggregate received packets having a common virtual network identifier and other common L3/L4 fields of the inner packet and return an aggregated packet having the common virtual network identifier as part of an L2 header for the aggregated packet.” col. 14, lines 64-67 and see also Fig. 4).

Regarding claim 18
The edge service gateway of Claim 15, wherein an IPsec VPN tunnel of the plurality of IPsec VPN tunnels is associated with a corresponding VPN session and is defined at least by two endpoints, each of the endpoints having a unique underlay VPN address; and
wherein a VTI of the plurality of VTIs has an associated VTI address which is uniquely mapped onto one of two VPN addresses of an IPsec VPN tunnel of the plurality of IPsec VPN tunnels.
The scope and subject matter of apparatus claim 18 is drawn to the apparatus of using the corresponding method claimed in claim 4. Therefore apparatus claim 18 corresponds to method claim 4 and is rejected for the same reasons of obviousness as used in claim 4 rejection above.

Regarding claim 19
The edge service gateway of Claim 15, storing additional instructions which, when executed by the one or more processers, cause the one or more processors to perform:
before relaying the packet on the gateway output port associated with the selected VTI: 
determining one or more outer headers for the packet; and 
encapsulating the packet with the one or more outer headers.
The scope and subject matter of apparatus claim 19 is drawn to the apparatus of using the corresponding method claimed in claim 5. Therefore apparatus claim 19 corresponds to method claim 5 and is rejected for the same reasons of obviousness as used in claim 5 rejection above.

Regarding claim 20
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the edge service gateway of Claim 15, storing additional instructions which, when executed by the one or more processers, cause the one or more processors to perform:
Sivaramakrishnan further discloses detecting a second packet (“Computing device 100 receives multiple inbound tunnel packets via NICs 106 from an underlying physical network, e.g., IP fabric 20 of a data center 10 of FIG. 1 (202).” Col. 16, lines 66-67; Fig. 5);
generating a second hash value from contents of one or more inner headers of the second packet (“for each of the packets, one of cores 108 to apply a second hash to the inner header of the packet.” Col. 18, lines 57-59);
based on the second hash value, selecting a second VTI, wherein the second hash value is different than the hash value, and wherein the selected second VTI is different than the selected VTI (“FIG. 7 is a block diagram illustrating the tunnel packet format of FIG. 4 and annotated to indicate example fields of the outer and inner header for first and second hash operations for receive packet steering according to techniques described herein.  In this example, a first one of cores 108 of computing device 242 is configured to apply a first hash function to fields 164, 166 of outer header 152 and a second one of cores 108 is selected, based on the first hash, to apply a second hash function to fields 174, 176, 178, 180, and 182 of inner header 158.” Col. 20, lines 61-67. One skilled in the art knows since the hash values computed from the content of the inner headers are most likely different for different packet flows, the hash-based approach allows selecting different slave VTIs for different flows.);
Jain further discloses forwarding the second packet via a third IPsec VPN tunnel of the plurality of IPsec VPN tunnels, the third IPsec VPN tunnel corresponding to the selected second VTI (“The process then uses (at 450) a set of encryption parameters (e.g., a security association (SA) in IPSec) that match the data message and the mark associated with the VTI to encrypt the data message… Once the data message is encrypted, the process (at 460) transmits the encrypted data message over the tunnel specified by the encryption parameters identified.  The encrypted data message, in some embodiments, includes an unencrypted portion specifying the remote tunnel endpoint and the encryption key identification (e.g., an SPI for IPSec).” [0058-0059]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Jain, in view of Hu, Sivaramakrishnan, and Parry, and further in view of Ramachandran US Pub 2019/0342266 (hereinafter “Ramachandran”). 
Regarding claim 17
Jain, as modified by Hu, Sivaramakrishnan, and Parry, previously discloses the edge service gateway of Claim 15,
Jain, Hu, Sivaramakrishnan, and Parry do not specifically teach wherein the particular IPsec VPN tunnel and the second IPsec VPN tunnel are redundant.
In an analogous art, Ramachandran discloses wherein the particular IPsec VPN tunnel (i.e. “IPsec VPN tunnels 222”) and the second IPsec VPN tunnel (i.e. “IPsec VPN tunnels 228”) are redundant (“As such a secondary IPsec VPN tunnel originating from Enterprise customer 214 may now be established to the cloud network at datacenter 204. Thus secondary VPN connection to the cloud may serve as a failover backup cloud connection providing cloud connectivity redundancy for Enterprise Customer 214. Therefore the IPsec VPN tunnels 222 and 228 belonging to the same enterprise customer 214 are distinguished based on the corresponding location of the terminating datacenter, as expressed by their dynamically configured SNN.” [0042; Fig. 2).
Before the effective filling date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier, as modified by Hu, Sivaramakrishnan, and Parry, to include Ramachandran’s scalable Virtual Private Network (VPN), in order to improve network flexibility (Ramachandran [0010]). Thus, a person of ordinary skill would have appreciated the ability to incorporate Ramachandran’s scalable Virtual Private Network (VPN) into Jain’s method of using IPsec encryption-based tunneling protocol and encryption identifier since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHUONG M NGUYEN whose telephone number is (571)272-8184. The examiner can normally be reached M-F 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached on 571-272-3123. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHUONG M NGUYEN/Patent Examiner, Art Unit 2411   

/DERRICK W FERRIS/Supervisory Patent Examiner, Art Unit 2411