Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Office Action is in response to the amendment filed 07/28/2022.  
In the instant amendment, claims 1-2, 4, 6, 7, 11-14 and 16-18 are amended; claims 3, 5, 9, 10, 15, 19 and 20 are cancelled; claims 21-27 are new, claims 1, 11, 23, 25 are independent claims. Claims 1-2, 4, 6-8, 11-14, 16-18 and 21-27 are pending in this application.  

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/28/2022 has been entered.
 
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 11 in regard to the limitations “appending the network tunnel information to the network traffic data unit; determining that encryption is required;  generating encryption information, by the first switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information, wherein the first switching engine and the encryption engine are both hardware components of a common first network device,” which have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Arguments in the instant Amendment, filed on 07/28/2022 with respect to the limitations below, have been fully considered but they are not persuasive. 
Applicant argues that on (pages 16-17) that Zhang provides no motivation for providing a decryption engine as a termination device as recited in claims 2-3, 12 and 13. 

In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Zhang which is a reference in computer security discloses receiving a tunnel packet that indicates a termination device that performs decryption (see Zhang, [0007]). The purpose is to report the error of each level of tunnel packet data in the communication network. Further applicant’s specification nor the claims state what the purpose is.
Applicant argues that on (page 17) that Saraf provides no motivation for modifying a packet based on encryption type. 

In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Saraf which is a reference in computer security discloses modifying the plurality of application network connection packets based on a determination (see Saraf, [0050], [0042] and [0064]). The purpose is to provide redirection for network stream transformation operations (e.g. modifications). Further applicant’s specification nor the claims state what the purpose is.

Applicant argues that on (page 18) that Hunn is non-analogous art and is not equivalent to the claimed encryption information, that specifies an encryption type, an encryption key and a portion of the network traffic data unit to encrypt and uses different keys. 

In response to applicant's argument that Hunn is nonanalogous art, it has been held that a prior art reference must either be in the field of applicant’s endeavor or, if not, then be reasonably pertinent to the particular problem with which the applicant was concerned, in order to be relied upon as a basis for rejection of the claimed invention.  See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992).  In this case, Hunn which is in the field of network security discloses removing an encryption key and keeping a decryption key for added security. The motivation is to prevent unauthorized access (see Hunn, [0043], [0063]). 

Applicant argues that on (page 18) that Chiquito is silent to any structure of the device, and thus does not explicitly disclose a decryption engine. 

The Examiner respectfully disagrees with the applicant. Chiquito discloses a decryption engine which refers a computer including a processor with circuitry that executes instructions to carry out a decryption algorithm for decrypting information (see Chiquito, Pages 1-8). 

Applicant argues that on (page 18) that Elzur fails to disclose a decryption engine and a switching engine. 

The Examiner respectfully disagrees with the applicant. Elzur discloses both a decryption engine and a switching engine (see Elzur, [0037], [0072]-[0074], [0098]-[0100]; also see FIG 2C, FIG 5, FIG 6 and FIG 7). 

Applicant argues that on (page 18) that there is no motivation to combine Elzur with Chiquito. 

In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Elzur which is a prior art reference in network security discloses obtaining by a decryption engine, an encryption type as either IPSec or MACSec based on the decryption information, decrypting by the decryption engine, the encrypted network packet to obtain a decrypted packet based on either IPSec or MACSec; generating post-decryption information based on the decrypting; appending by the decryption engine, the post-decryption information to the packet; transmitting the decrypted packet to the switch; determining by the switch that decrypting the encrypted network packet was granted based on encryption type [post-decryption] information; converting by the switch the decrypted packet into a converted packet; sending by the switch the converted packet to the destination device (See Elzur, [0072]-[0074], FIG’s 2C, 5-7). The motivation to combine would secure a network using IPSec and MACsec protocols (See Elzur, [0003). 
Applicant argues that on (page 18) Chiquito fails to disclose a decryption engine or thereby obtaining an encryption type by a decryption engine.
 The Examiner respectfully disagrees with the applicant. Chiquito discloses a decryption engine which refers a computer including a processor with circuitry that executes instructions to carry out a decryption algorithm for decrypting information (see Chiquito, Pages 1-8). Chiquito discloses on Page 6 the encryption type is found as AES-CBC. 

Applicant argues that on (page 18) there is no motivation to combine Gluck with Chiquito for discloses the limitation of appending post-decryption information that indicated a successful decryption. Gluck also fails to disclose a decryption engine or thereby obtaining an encryption type by a decryption engine. 

In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Gluck which is a prior art reference in network security discloses adding post-decryption information for a decryption process based on another determination. The motivation was to communicate data provided by external systems (See Gluck, [0002]). 
Therefore, in view of the above reasons, the Examiner maintains the rejection with the cited prior art. 





Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 11 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) view of Smith et al (“Smith,” US 10,721,218). 

Regarding claim 1, Sankaran discloses a method for modifying network traffic data, comprising:
obtaining a network traffic data unit by a first switching engine; (Sankaran, 602, FIG 6; Col. 7, Lines 20-49 that describe FIG 6; Col. 2, Line 57 describes obtaining a packet [network traffic data unit] by a first switching engine)
performing an analysis, by the first switching engine, on the network traffic data unit to obtain network tunnel information comprising: (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describes performing an analysis, by the first switch on the packet [network traffic data unit] to obtain network tunnel information)
performing a lookup to identify a destination, (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describe performing a lookup to identify a destination) and 
determining that the network traffic data unit is to traverse a network tunnel based on the destination; (Sankaran, 614, FIG 6, Col. 4, Lines 23-44, describes determining that the packet is to traverse a network tunnel based on the destination)
Sankaran fails to explicitly disclose appending the network tunnel information to the network traffic data unit; determining that encryption is required;  generating encryption information, by the first switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information, wherein the first switching engine and the encryption engine are both hardware components of a common first network device. 
However, in an analogous art, Smith discloses appending the network tunnel information to the network traffic data unit; (Smith, Col. 10, Lines 10-15; FIG 4 shows network tunnel information such as a port number is added to the packet)
determining that encryption is required;  (Smith, FIG 4 shows rules that determine that encryption is needed)
generating encryption information, by the first switching engine, based on the network tunnel information, (Smith, Col. 9, Lines 33-34; Col. 4, Line 40, FIG 4 shows port information [network tunnel information])
wherein the encryption information specifies an encryption type, (Smith, Col. 4, Lines 43-61 describes wherein the encryption information specifies an encryption type)
an encryption key, (Smith, Col. 4, Lines 43-61 describes an encryption key)
and a portion of the network traffic data unit to encrypt; (Smith, FIG 3A, FIG 3B, FIG 4 describes and a portion of the packet to encrypt)
appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; (Smith, Col. 4, Lines 30 & 43-61 describes appending, by the first switching engine, the encryption information to the network traffic data unit as a tag)
securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit)
and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information, (Smith, FIG 3A, FIG 3B, FIG 4 describe and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information)
wherein the first switching engine and the encryption engine are both hardware components of a common first network device, (Smith, Col. 4, Lines 29-30; Col. 7, Lines 23-35; FIG 2, FIG 3A, FIG 3B, FIG 6 describe wherein the first switching engine and the encryption engine are both hardware components of a common first network device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include appending the network tunnel information to the network traffic data unit; determining that encryption is required;  generating encryption information, by the first switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information, wherein the first switching engine and the encryption engine are both hardware components of a common first network device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26). 

Regarding claim 11, Sankaran discloses a system for modifying network traffic data, comprising: 
a first network device comprising: (Sankaran, Col. 2, Line 56, network device)
a first switching engine, configured to: (Sankaran, Col. 2, Line 57, a first switch)
receive a network traffic data unit; (Sankaran, Col. 2, Lines 15-16 & 55-56 describe receiving a packet [network traffic data unit]). 
perform an analysis on the network traffic data unit to obtain network tunnel information; (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describes perform an analysis on the network traffic data unit to obtain network tunnel information)
Sankaran fails to explicitly disclose generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; and appending the encryption information to the network traffic data unit as a tag; and 
an encryption engine, configured to: secure the network traffic data unit based on the encryption information to create an encrypted network traffic data unit, and transmit the encrypted network traffic data unit through a network tunnel based on the network tunnel information, wherein the first switching engine and the encryption engine are both hardware components of the first network device. 
However, in an analogous art, Smith discloses generate encryption information based on the network tunnel information, (Smith, Col. 9, Lines 33-34; describe generating encryption information; Col. 4, Line 40, FIG 4 shows port information [network tunnel information])
wherein the encryption information specifies an encryption type, (Smith, Col. 4, Lines 43-61 describes wherein the encryption information specifies an encryption type)
an encryption key, (Smith, Col. 4, Lines 43-61 describes an encryption key)
and a portion of the network traffic data unit to encrypt; (Smith, FIG 3A, FIG FIG 4 describes and a portion of the packet to encrypt)
and appending the encryption information to the network traffic data unit as a tag; (Smith, Col. 4, Lines 30 & 43-61 describes appending, by the first switching engine, the encryption information to the network traffic data unit as a tag)
and an encryption engine, configured to: (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe and an encryption engine)
secure the network traffic data unit based on the encryption information to create an encrypted network traffic data unit, (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit)
and transmit the encrypted network traffic data unit through a network tunnel based on the network tunnel information, (Smith, FIG 3A, FIG 3B, FIG 4 describe and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information)
wherein the first switching engine and the encryption engine are both hardware components of the first network device, (Smith, Col. 4, Lines 29-30; Col. 7, Lines 23-35; FIG 2, FIG 3A, FIG 3B, FIG 6 describe wherein the first switching engine and the encryption engine are both hardware components of a common first network device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; and appending the encryption information to the network traffic data unit as a tag; and an encryption engine, configured to: secure the network traffic data unit based on the encryption information to create an encrypted network traffic data unit, and transmit the encrypted network traffic data unit through a network tunnel based on the network tunnel information, wherein the first switching engine and the encryption engine are both hardware components of the first network device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).

Regarding claim 25, Sankaran discloses a method for modifying network traffic data, comprising:
obtaining a network traffic data unit by a first switching engine; (Sankaran, 602, FIG 6; Col. 7, Lines 20-49 that describe FIG 6; Col. 2, Line 57 describes obtaining a packet [network traffic data unit] by a first switching engine)
performing an analysis, by the first switching engine, on the network traffic data unit to obtain network tunnel information comprising: (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describes performing an analysis, by the first switch on the packet [network traffic data unit] to obtain network tunnel information)
performing a lookup to identify a destination, and (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describe performing a lookup to identify a destination) 
determining that the network traffic data unit is to traverse a network tunnel
based on the destination; (Sankaran, 614, FIG 6, Col. 4, Lines 23-44, describes determining that the packet is to traverse a network tunnel based on the destination)
Sankaran fails to explicitly disclose appending the network tunnel information to the network traffic data unit; determining if encryption is required; if encryption is required, generating encryption information, by the first switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; transmitting the network traffic data unit to an encryption engine; securing the network traffic data unit, by the encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information to a decryption engine.
However, in an analogous art, Smith discloses appending the network tunnel information to the network traffic data unit; (Smith, Col. 10, Lines 10-15; FIG 4 shows network tunnel information such as a port number is added to the packet)
if encryption is required, (Smith, FIG 4 shows rules that determine that encryption is needed)
generating encryption information, by the first switching engine, based on the network tunnel information, (Smith, Col. 9, Lines 33-34; Col. 4, Line 40, FIG 4 shows port information [network tunnel information])
wherein the encryption information specifies an encryption type, (Smith, Col. 4, Lines 43-61 describes wherein the encryption information specifies an encryption type)
an encryption key, (Smith, Col. 4, Lines 43-61 describes an encryption key)
and a portion of the network traffic data unit to encrypt; (Smith, FIG 4 describes and a portion of the packet to encrypt)
appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; (Smith, Col. 4, Lines 30 & 43-61 describes appending, by the first switching engine, the encryption information to the network traffic data unit as a tag)
transmitting the network traffic data unit to an encryption engine; (Smith, FIG 3A, FIG 3B, FIG 4 describe and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information)
securing the network traffic data unit, by the encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit)
and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information to a decryption engine, (Smith, FIG 3A, FIG 3B, FIG 4 describe and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information to a decryption engine)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include appending the network tunnel information to the network traffic data unit; determining if encryption is required; if encryption is required, generating encryption information, by the first switching engine, based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; appending, by the first switching engine, the encryption information to the network traffic data unit as a tag; transmitting the network traffic data unit to an encryption engine; securing the network traffic data unit, by the encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit, and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information to a decryption engine. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).




Claims 2, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) in view of Smith et al (“Smith,” US 10,721,218) and further in view of Zhang et al (“Zhang,” US 20090204850)

Regarding claim 2, Sankaran and Smith disclose the method of claim 1. 
Sankaran and Smith fail to explicitly disclose wherein the network tunnel information indicates termination at a device that comprises a decryption engine.
However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the method and system of Sankaran and Smith to include wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to report the error of each level of tunnel data packet in a communication network (Zhang, [0001]). 

Regarding claim 12, Sankaran and Smith disclose the system of claim 11. 
Sankaran further discloses wherein the analysis comprises:
performing a lookup to identify a destination; (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describe performing a lookup to identify a destination)
determining that the network traffic data unit is to traverse a network tunnel based on the destination; (Sankaran, 614, FIG 6, Col. 4, Lines 23-44, describes determining that the packet is to traverse a network tunnel based on the destination) and
Smith further discloses appending the network tunnel information to the network traffic data unit, (Smith, Col. 10, Lines 10-15; describes appending; FIG 4 shows network tunnel information such as a port number is added to the packet)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include appending the network tunnel information to the network traffic data unit. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).
Sankaran and Smith fail to explicitly disclose wherein the network tunnel information indicates termination at a device that comprises a decryption engine,
However, in an analogous art, Zhang discloses wherein the network tunnel information indicates termination at a device that comprises a decryption engine, (Zhang, [0007] describes receiving tunnel packet that indicates a termination device that performs decryption)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang with the method and system of Sankaran and Smith to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to report the error of each level of tunnel data packet in a communication network (Zhang, [0001]). 

Regarding claim 13, Sankaran, Smith and Zhang disclose the system of claim 11. 
Smith further discloses wherein generating the encryption information comprises: determining that the network tunnel requires encryption; (Smith, FIG 4 describe rules that determine that the network tunnel requires encryption)
and
appending the encryption information to the network traffic data unit, (Smith, Col. 4, Lines 55-61 describes appending encryption information to the packet) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein generating the encryption information comprises: determining that the network tunnel requires encryption; appending the network tunnel information to the network traffic data unit. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 10,721,218) and Saraf et al (“Saraf,” US 20170366508) and further in view of Hunn et al (“Hunn,” US 20160117449).  

Regarding claim 4, Sankaran, Smith and Zhang disclose the method of claim 1. 
Smith further discloses wherein securing the network traffic data unit comprises:
determining that the encryption information is valid; (Smith, Col. 4, Lines 55-61 describes securing the packet comprises: determining that the encryption information is validated)
	Smith further discloses from the network traffic data unit and to the network traffic data unit (Smith, FIG 2, 3A, 3B, 4, 5 and 6 describe from the network traffic data unit and to the network traffic data unit)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein securing the network traffic data unit comprises: determining that the encryption information is valid from the network traffic unit and to the network traffic unit. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).
Sankaran and Smith fail to explicitly disclose modifying the network traffic data unit based on the encryption type. 
However, in an analogous art, Saraf discloses modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit; (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with the method and system of Sankaran and Smith to include modifying the network traffic data unit based on the third determination, wherein modifying the network traffic data unit. One would have been motivated to use operating system redirection for network stream transformation operations (Saraf, [0042]). 
Sankaran, Smith and Saraf fail to explicitly disclose and after the modifying: removing the encryption information from the network traffic data unit; and appending decryption information to the network traffic data unit.
However, in an analogous art, Hunn discloses and after the modifying: 
removing the encryption information; (Hunn, [0043] describes removing the encryption key from the packet)
and appending decryption information, (Hunn, [0063] describes keeping a decryption key for added security to the packet)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hunn with the method and system of Sankaran, Smith and Saraf to include and after the modifying: removing the encryption information; and appending decryption information. One would have been motivated to provide added security to prevent unauthorized duplication of the data structure (Hunn, [0063]). 

Claim 6-7 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 10,721,218) and Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856) and further in view of Elzur et al (“Elzur,” 20080126559) 

Regarding claim 6, Sankaran and Smith disclose the method of claim 1.
Sankaran and Smith fail to explicitly disclose further comprising: receiving the encrypted network traffic data unit, by a decryption engine, the network tunnel information; decryption information, wherein the decryption information specifies the encryption type. 
However, in an analogous art, Chiquito disclose further comprising: receiving the encrypted network traffic data unit, by a decryption engine (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is
tcpdump/Wireshark it allows you to see what is actually happening at the network level
and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter;
Page 2 describes running a command to retrieve encryption keys; Page 3, there are two
sets of keys one for the inbound connection and another for the outbound connection;
Page 6 shows a display where to detect/decode encrypted ESP payloads; the next
screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
comprising:
the network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information, wherein the decryption information specifies the encryption type; (Chiquito, Pages 7-8, shows decrypted information)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include further comprising: receiving the encrypted network traffic data unit, by a decryption engine, the network tunnel information; decryption information, wherein the decryption information specifies the encryption type. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1). 
Sankaran, Smith and Chiquito fails to explicitly disclose obtaining, by the decryption engine, the encryption type;  decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generating post-decryption information based on the decrypting;  appending, by the decryption engine, the post-decryption information to the network traffic data unit:  transmitting the decrypted network traffic data unit to a second switching engine; determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information: converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit;  and transmitting, by the second switching engine, the converted network traffic data unit to a destination device. 
However, in an analogous art, Elzur discloses obtaining, by the decryption engine, the encryption type;  (Elzur, FIG 5, [0068], [0072]-[0074] describes obtaining, by the decryption engine, the encryption type)
decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; (Elzur, [0072]-[0074] describes decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type)
generating post-decryption information based on the decrypting; (Elzur, [0072]-[0074] & FIG 5 describes generating post-decryption information based on the decrypting)
appending, by the decryption engine, the post-decryption information to the network traffic data unit: (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe appending, by the decryption engine, the post-decryption information to the network traffic data unit)
transmitting the decrypted network traffic data unit to a second switching engine; (Elzur, [0016], [0037], [0072], [0074], [0098)-[0100] describe transmitting the decrypted packet to the switch; also see FIG 2C, FIG 5, FIG 6 and FIG 7)
determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information: (Elzur, [0016], FIG 2C, FIG 5, FIG 6 and FIG 7 describe determining by the switch that decrypting the encrypted network packet was successful based on encryption type [post-decryption information]).
converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit; (Elzur, [0016], FIG 2C, FIG 5, FIG 6, FIG 7 describe converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit)
and transmitting, by the second switching engine, the converted network traffic data unit to a destination device, (Elzur, [0016] FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmitting, by the second switching engine, the converted network traffic data unit to a destination device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran, Smith and Chiquito to include obtaining, by the decryption engine, the encryption type; decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type; generating post-decryption information based on the decrypting;  appending, by the decryption engine, the post-decryption information to the network traffic data unit:  transmitting the decrypted network traffic data unit to a second switching engine; determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information: converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit; and transmitting, by the second switching engine, the converted network traffic data unit to a destination device. One would have been motivated to secure a network utilizing IPsec and MACsec protocols (Elzur, [0003]).  

Regarding claim 7, Sankaran, Smith, Chiquito and Elzur disclose the method of claim 6. 
Chiquito further discloses and performing an analysis on the decryption information to obtain the encryption type (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet with length)  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include and performing an analysis on the decryption information to obtain the encryption type. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1). 
Chiquito and Elzur fail to explicitly disclose determining that the network tunnel information specifies a device that comprises the decryption engine, 
However, in an analogous art, Sankaran discloses determining that the network tunnel information specifies a device that comprises the decryption engine (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the encrypted processed data packet may be decrypted to generate the processed data packet).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sankaran with the method and system of Chiquito and Elzur to include determining that the network tunnel information specifies a device that comprises the decryption engine. One would have been motivated to decrypt the encrypted data packet (Sankaran, Col. 5, Lines 30-36). 

Regarding claim 21, Sankaran, Smith, Chiquito and Elzur disclose the method of claim 6. 
Smith further discloses wherein the second switching engine and the decryption engine are both hardware components of a second network device, (Smith, Col. 3, Lines 6-8, Col. 4, Lines 25-30; FIG 3A and FIG 3B describe wherein the second switching engine and the decryption engine are both hardware components of a second network device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein the second switching engine and the decryption engine are both hardware components of a second network device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 10,721,218) and Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856) and further in view of Elzur et al (“Elzur,” 20080126559) and Gluck et al (“Gluck,” US 20130091350). 

Regarding claim 8, Sankaran, Smith, Chiquito and Elzur disclose the method of claim 7. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; (Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; authenticating a payload of the encrypted network traffic data unit. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1). 
Sankaran, Smith, Chiquito and Elzur fail to explicitly disclose appending post-decryption information that indicates a successful decryption, based on the second determination. 
However, in an analogous art, Gluck discloses appending post-decryption information that indicates a successful decryption, based on the second determination, (Gluck, [0029] describes adding post-decryption information for a decryption process based on another determination [second determination]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gluck with the method and system of Sankaran, Smith, Elzur and Chiquito to include appending post-decryption information that indicates a successful decryption, based on the second determination,. One would have been motivated to communicate data provided by users or other external systems between an application server and a client via a proxy (Gluck, [0002]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 10,721,218), Zhang et al (“Zhang,” US 20090204850), Saraf et al (“Saraf,” US 20170366508) and further in view of Hunn et al (“Hunn,” US 20160117449).  

Regarding claim 14, Sankaran, Smith and Zhang disclose the system of claim 13. 
Smith further discloses wherein securing the network traffic data unit comprises:
determining that the encryption information is valid; (Smith, Col. 4, Lines 43-61 describes determining that the encryption information is valid)
is based on the encryption type (Smith, Col. 4, Lines 43-61 describes is based on the encryption type). 
from the network traffic data unit and to the network traffic data unit (Smith, FIG 2, 3A, 3B, 4, 5 and 6 describe from the network traffic data unit and to the network traffic data unit)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein securing the network traffic data unit comprises: determining that the encryption information is valid; is based on encryption type; from the network traffic unit and to the network traffic unit. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).
Sankaran, Smith and Zhang fail to explicitly disclose modifying the network traffic data unit.
However, in an analogous art, Saraf discloses modifying the network traffic data unit (Saraf, [0050], modifying the plurality of application network connection packets; [0042] & [0064], encryption).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Saraf with the method and system of Sankaran, Smith and Zhang to include modifying the network traffic data unit. One would have been motivated to use operating system redirection for network stream transformation operations (Saraf, [0042]).
However, in an analogous art, Hunn discloses and after the modifying: removing the encryption information (Hunn, [0043] describes removing the encryption key)
and appending decryption information (Hunn, [0063] describes keeping a decryption key for added security)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hunn with the method and system of Sankaran, Smith, Zhang and Saraf to include and after the modifying: removing the encryption information; and appending decryption information. One would have been motivated to provide added security to prevent unauthorized duplication of the data structure (Hunn, [0063]). 

Claims 16-18 and 22 are rejected under 35 U.S.C. 103 as being unpatentable
over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 10,721,218),  Chiquito (“Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulo-chiquito?articleId=6368187318104313856) and further in view of in view of Elzur et al (“Elzur,” 20080126559) and further in view of Gluck et al (“Gluck,” US 20130091350).

Regarding claim 16, Sankaran and Smith disclose the system of claim 11. 
Sankaran and Smith fail to explicitly disclose further comprising: a decryption engine, configured to receive the encrypted network traffic data unit, comprising the network tunnel information; decryption information, wherein the decryption information specifies the encryption type; obtain the encryption type based on the decryption information; decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type.
However, in an analogous art, Chiquito discloses further comprising: a decryption engine, configured to: (Chiquito, Page 6 shows a software display where to detect/decode encrypted ESP payloads)
receive the encrypted network traffic data unit, comprising: (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
the network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information, wherein the decryption information specifies the encryption type; (Chiquito, Pages 7-8 shows decrypted information)
obtain the encryption type based on the decryption information; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the encryption key; Page 7 shows a screen with decrypted traffic where line one shows Protocol, Length, Info with encrypted packet and length)
decrypt the encrypted network traffic data unit to obtain a decrypted network
traffic data unit, based on the encryption type; and (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, wth encrypted packet with length)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include further comprising: a decryption engine, configured to receive the encrypted network traffic data unit, comprising the network tunnel information; decryption information, wherein the decryption information specifies the encryption type; obtain the encryption type based on the decryption information; decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit, based on the encryption type. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1).
Sankaran, Smith and Chiquito fail to explicitly disclose a second network device comprising: appending, by the decryption engine, the post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a second switching engine,  a switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful: convert the decrypted network traffic data unit into converted network traffic data unit; and transmit the converted network traffic data unit to a destination device. 
However, in an analogous art, Elzur discloses a second network device comprising: (Elzur, FIG 3B, 4 describe a second network device)
appending, by the decryption engine, the post-decryption information to the network traffic data unit; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe appending by the decryption engine, the post-decryption information to the packet)
and transmit the decrypted network traffic data unit to a second switching engine, (Elzur, [0037], [0072], [0074], [0098)-[0100] describe transmitting the decrypted packet to the switch; also see FIG 2C, FIG 5, FIG 6 and FIG 7) 
a switching engine, configured to:  determine that decrypting the encrypted network traffic data unit was successful: (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe determining by the switch that decrypting the encrypted network packet INaS successful based on encryption type [post-decryption information]).
convert the decrypted network traffic data unit into converted network traffic data unit; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe converting by the switch the decrypted packet into a converted packet)
and transmit the converted network traffic data unit to a destination device, (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmitting by the switch the converted packet to a destination device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran, Smith and Chiquito to include a second network device comprising: appending, by the decryption engine, the post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a second switching engine,  a switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful: convert the decrypted network traffic data unit into converted network traffic data unit; and transmit the converted network traffic data unit to a destination device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).
Sankaran, Smith, Chiquito and Elzur fail to explicitly disclose generate post-decryption information based on the decrypted network traffic data unit
However, in an analogous art, Gluck discloses generate post-decryption information based on the decrypted network traffic data unit (Gluck, [0029] describes adding post-decryption information for decryption based on a second determination). 
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Gluck with
the method and system of Sankaran, Smith, Chiquito and Elzur to include making a first determination that the network traffic data unit is to traverse a network tunnel based on the destination; and appending the network tunnel information to the network traffic data unit based on the first determination, wherein the network tunnel information indicates termination at a device that comprises a decryption engine. One would have been motivated to communicate data provided by users or other external systems between an application server and a client via a proxy (Gluck, [0002]).

Regarding claim 17, Sankaran, Smith, Chiquito, Elzur and Gluck disclose the system of claim 16. 
Sankaran further discloses wherein obtaining the encryption type comprises: making a first determination that the network tunnel information specifies a device that comprises the decryption engine (Sankaran, Col. 5, Lines 44-67 describes making a first determination that the GRE tunnel information specifies a ingress interface of a MACSec engine that’s on a device, where the encrypted processed data packet may be decrypted to generate the processed data packet). 
Chiquito further discloses performing an analysis on the decryption information to obtain the encryption type, (Chiquito, Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, with encrypted packet  with length)  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include performing an analysis on the decryption information to obtain the encryption type. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1).

Regarding claim 18, Sankaran, Smith, Chiquito, Elzur and Gluck disclose the system of claim 17. 
Chiquito further discloses wherein decrypting the encrypted network traffic data unit comprises:
modifying the encrypted network traffic data unit based on the encryption type; (Chiquito, Page 6 shows software where the encrypted network traffic data unit is modified based on encryption type such as AES-CBC) and
authenticating a payload of the encrypted network traffic data unit, (Chiquito, Page 6 shows a checkbox where the user can attempt to check ESP Authentication of the payload)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chiquito with the method and system of Sankaran and Smith to include wherein decrypting the encrypted network traffic data unit comprises: modifying the encrypted network traffic data unit based on the encryption type; authenticating a payload of the encrypted network traffic data unit. One would have been motivated to decrypt IPSec VPN Traffic (Chiquito, Page 1).

Regarding claim 22, Sankaran, Smith, Chiquito, Elzur and Gluck disclose the system of claim 16. 
Smith further discloses wherein the switching engine and the decryption engine are both hardware components of the second network device. (Smith, Col. 3, Lines 6-8, Col. 4, Lines 25-30; FIG 3A and FIG 3B describe wherein the switching engine and the decryption engine are both hardware components of the second network device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein the switching engine and the decryption engine are both hardware components of the second network device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).

Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245) Smith et al (“Smith,” US 20080126559) and further in view of Elzur et al (“Elzur,” 20080126559)

Regarding claim 23, Sankaran discloses a system for modifying network traffic data, comprising:
a first switching engine, configured to: (Sankaran, 602, FIG 6; Col. 7, Lines 20-49 that describe FIG 6; Col. 2, Line 57 describes a first switching engine)
obtain a network traffic data unit; (Sankaran, 602, FIG 6; Col. 7, Lines 20-49 that describe FIG 6; Col. 2, Line 57 describes obtaining a packet [network traffic data unit] by a first switching engine)
perform an analysis on the network traffic data unit to obtain network tunnel
information; (Sankaran, Col. 4, Lines 1-32; Figures 2-4; 602, 604, 606, 608, FIG 6; Col. 7, Lines 20-49 which describe FIG 6 describes performing an analysis, by the first switch on the packet [network traffic data unit] to obtain network tunnel information)
Sankaran fails to explicitly disclose generate encryption information based on the network tunnel information, wherein the encryption information specifies an encryption type, an encryption key, and a portion of the network traffic data unit to encrypt; and
append the encryption information to the network traffic data unit as a tag; and
an encryption engine, configured to: secure the network traffic data unit based on the encryption information to create an encrypted network traffic data unit, and transmit the encrypted network traffic data unit through a network tunnel based 
on the network tunnel information; and a decryption engine, configured to: obtain the encrypted network traffic data unit, comprising: the network tunnel information; and
decryption information, wherein the decryption information specifies the
encryption type; based on the encryption type, decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit; and append post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a switching engine, and a second switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful; convert the decrypted network traffic data unit into converted network traffic data
unit; and transmit the converted network traffic data unit to a destination device.
However, in an analogous art, Smith discloses generate encryption information based on the network tunnel information, (Smith, Col. 9, Lines 33-34; describe generating encryption information; Col. 4, Line 40, FIG 4 shows port information [network tunnel information])
wherein the encryption information specifies an encryption type, (Smith, Col. 4, Lines 43-61 describes wherein the encryption information specifies an encryption type)
an encryption key, (Smith, Col. 4, Lines 43-61 describes an encryption key)
and a portion of the network traffic data unit to encrypt; (Smith, FIG 4 describes and a portion of the packet to encrypt)
and append the encryption information to the network traffic data unit as a tag; (Smith, Col. 4, Lines 30 & 43-61 describes appending, by the first switching engine, the encryption information to the network traffic data unit as a tag)
and an encryption engine, configured to: (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe and an encryption engine)
secure the network traffic data unit based on the encryption information to create an encrypted network traffic data unit, (Smith, FIG 3A, Col. 9, Lines 13-32; Col. 10, Lines 6-27 describe securing the network traffic data unit, by an encryption engine, based on the encryption information in the tag to create an encrypted network traffic data unit)
and transmit the encrypted network traffic data unit through a network tunnel based on the network tunnel information; (Smith, FIG 3A, FIG 3B, FIG 4 describe and transmitting the encrypted network traffic data unit through the network tunnel based on the network tunnel information)
and a decryption engine, configured to: (Smith, Col. 4, Lines 25-30; Col. 8, Lines 30-54; Col. 9, Lines 42-50; Col. 10, Lines 39-53 describes a decryption engine; FIG’s 4-6)
obtain the encrypted network traffic data unit, comprising: the network tunnel information; and (Smith, FIG 4; Col. 4, Lines 25-30; Col. 8, Lines 30-54; Col. 9, Lines 42-50; Col. 10, Lines 39-53 describes obtaining the encrypted packet comprising; the network tunnel information; FIG’s 4-6) 
decryption information, wherein the decryption information specifies the
encryption type; (Smith, FIG 4; Col. 4, Lines 25-30 & 43-61; Col. 8, Lines 30-54; Col. 9, Lines 42-50; Col. 10, Lines 39-53 describes decryption information, wherein the decryption information specifies the encryption type; FIG’s 4-6)
based on the encryption type, decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit; (Smith, FIG 4; Col. 4, Lines 25-30 & 43-61; Col. 8, Lines 30-54; Col. 9, Lines 42-50; Col. 10, Lines 39-53 describes based on the encryption type, decrypt the encrypted network traffic data unit to obtain a decrypted network traffic data unit; FIG’s 4-6)
Sankaran and Smith fail to explicitly disclose and append post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a switching engine, and a second switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful; convert the decrypted network traffic data unit into converted network traffic data unit; and transmit the converted network traffic data unit to a destination device.
However, in an analogous art, Elzur discloses and append post-decryption information to the network traffic data unit; and (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe appending by the decryption engine, the post-decryption information to the packet) 
transmit the decrypted network traffic data unit to a switching engine; and (Elzur, [0037], [0072], [0074], [0098)-[0100] describe transmitting the decrypted packet to the
switch; also see FIG 2C, FIG 5, FIG 6 and FIG 7), 
a second switching engine, configured to: (Elzur, [0016] describes a second switching engine)
determine that decrypting the encrypted network traffic data unit was successful; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe determining by the switch that decrypting the encrypted network packet INaS successful based on encryption type [post-decryption information]).
convert the decrypted network traffic data unit into converted network traffic data
unit; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe converting by the switch the decrypted packet into a converted packet)
and transmit the converted network traffic data unit to a destination device, (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmitting by the switch the converted packet to a destination device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran and Smith to include and append post-decryption information to the network traffic data unit; and transmit the decrypted network traffic data unit to a switching engine, and a second switching engine, configured to: determine that decrypting the encrypted network traffic data unit was successful; convert the decrypted network traffic data unit into converted network traffic data unit; and transmit the converted network traffic data unit to a destination device. One would have been motivated to secure a network utilizing IPsec and MACsec protocols (Elzur, [0003]). 

Regarding claim 24, Sankaran, Smith and Elzur disclose the system of claim 23. 
Smith further discloses wherein the encryption engine and the first switching engine are components of a first network device, (Smith, Col. 3, Lines 6-8, Col. 4, Lines 25-30; FIG 3A and FIG 3B describe wherein the encryption engine and the first switching engine are components of a first network device)
 and the decryption engine and the second switching engine are components of a second network device, (Smith, Col. 3, Lines 6-8, Col. 4, Lines 25-30; FIG 3A and FIG 3B describe and the decryption engine and the second switching engine are components of a second network device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith with the method and system of Sankaran to include wherein the encryption engine and the first switching engine are components of a first network device, and the decryption engine and the second switching engine are components of a second network device. One would have been motivated to improve security in a software defined network by allowing a user to selectively encrypt data flows (Smith, Col. 1, Lines 23-26).

Claims 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Sankaran et al (“Sankaran,” US 10,708,245), in view of Smith et al (“Smith,” US 20080126559) and further in view of Chiquito ("Decrypting IPSec VPN Traffic, March 6, 2018, Pages 1-8, retrieved from https://www.linkedin.com/pulse/decrypting-ipsec-vpn-traffic-paulochiquito? articleld=6368187318104313856) and Elzur et al (“Elzur,” 20080126559)

Regarding claim 26, Sankaran and Smith disclose the method of claim 25. 
Sankaran and Smith fail to explicitly disclose further comprising:
receiving the encrypted network traffic data unit, by the decryption engine, the encrypted network traffic data unit comprising: the network tunnel information; and
decryption information specifying the encryption type; analyzing, by the decryption engine, the decryption information to determine the encryption type; decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit; appending, by the decryption engine, post-decryption information to the network traffic data unit; transmitting the decrypted network traffic data unit to a second switching engine.
However, in an analogous art, Chiquito discloses further comprising:
receiving the encrypted network traffic data unit, (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
by the decryption engine, (Chiquito, Page 6 shows a software display where to detect/decode encrypted ESP payloads)
the encrypted network traffic data unit comprising: (Chiquito, Page 1, while doing network troubleshooting one of the most useful utilities is tcpdump/Wireshark it allows you to see what is actually happening at the network level and describes how to decrypt the traffic of an IPSec VPN Tunnel on a Brocade vRouter; Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key)
the network tunnel information; (Chiquito, Page 6, first and second display screen shows network tunnel information with source and destination IP, SPI, encryption and key; authentication and key) and
decryption information specifying the encryption type; (Chiquito, Pages 7-8 shows decrypted information)
analyzing, by the decryption engine, the decryption information to determine the encryption type; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the encryption key; Page 7 shows a screen with decrypted traffic where line one shows Protocol, Length, Info with encrypted packet and length)
decrypting, by the decryption engine, the encrypted network traffic data unit to obtain a decrypted network traffic data unit; (Chiquito, Page 2 describes running a command to retrieve encryption keys; Page 3, there are two sets of keys one for the inbound connection and another for the outbound connection; Page 6 shows a display where to detect/decode encrypted ESP payloads; the next screen on Page 6 shows the encryption type as AES-CBC and the Encryption Key; Page 7, shows a screen with decrypted traffic where line one shows Protocol, Length, Info, wth encrypted packet with length)
Sankaran, Smith and Chiquito fail to explicitly disclose appending, by the decryption engine, post-decryption information to the network traffic data unit; transmitting the decrypted network traffic data unit to a second switching engine.
	However, in an analogous art, Elzur discloses appending, by the decryption engine, post-decryption information to the network traffic data unit; (Elzur, FIG 2C, FIG 5, FIG 6 and FIG 7 describe appending by the decryption engine, the post-decryption information to the packet)
transmitting the decrypted network traffic data unit to a second switching engine, (Elzur, [0037], [0072], [0074], [0098)-[0100] describe transmitting the decrypted packet to the switch; also see FIG 2C, FIG 5, FIG 6 and FIG 7)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran, Smith and Chiquito to include appending, by the decryption engine, post-decryption information to the network traffic data unit; transmitting the decrypted network traffic data unit to a second switching engine. One would have been motivated to secure a network utilizing IPsec and MACsec protocols (Elzur, [0003]).  

Regarding claim 27, Sankaran, Smith, Chiquito and Elzur fail to explicitly disclose the method of claim 26. 
Elzur further discloses further comprising: determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information; (Elzur, [0016], FIG 2C, FIG 5, FIG 6 and FIG 7 describe determining by the switch that decrypting the encrypted network packet was successful based on encryption type [post-decryption information]).
converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit; (Elzur, [0016], FIG 2C, FIG 5, FIG 6, FIG 7 describe converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit)
and transmitting, by the second switching engine, the converted network traffic data unit to a destination device, (Elzur, [0016] FIG 2C, FIG 5, FIG 6 and FIG 7 describe and transmitting, by the second switching engine, the converted network traffic data unit to a destination device)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elzur with the method and system of Sankaran, Smith and Chiquito to include further comprising: determining, by the second switching engine, that decrypting the encrypted network traffic data unit was successful based on the post-decryption information; converting, by the second switching engine, the decrypted network traffic data unit into a converted network traffic data unit; and transmitting, by the second switching engine, the converted network traffic data unit to a destination device. One would have been motivated to secure a network utilizing IPsec and MACsec protocols (Elzur, [0003]).  



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439