DETAILED ACTION

Status of Claims

This action is in reply to the application filed on 05/13/2021.
Claims 31-50 have been added in a pre-examination amendment dated 05/13/2021.
Claims 1-30 have been canceled in a pre-examination amendment dated 05/13/2021.
Claims 31-50 are currently pending and have been examined.

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Claim Interpretation
Notes regarding claim term interpretation to ensure clarity of record:
Claim term “virtual server” as used by Applicant refers to a physical computing device hosting a VM environment (see Applicant’s as-filed Specification (AppSpec) ¶0048, FIG. 2). This is particularly noted since in the virtualization arts, and the cited prior art, this entity is most typically referred to as a “physical” server/host.
Claim limitation reciting virtually wiring a virtual network interface card (vNIC) to a physical network interface card has been interpreted in view of AppSpec ¶0107 as describing the process of configuring a VM to employ ‘direct I/O’ NIC access, also referred to as ‘hypervisor/VMM bypass’ I/O in the virtualization arts.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 31-50 are rejected under 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the applicant regards as the invention.

Claims 31, 38 and 45 recite allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine which contradicts the preceding limitation reciting sending a request to create the virtual security appliance in the virtual server and the subsequent claim language wherein the virtual security appliance performs security inspections on network packets sent from the virtual machine. In order to advance prosecution, the limitation has been interpreted as reciting allowing the virtual machine to initiate when the virtual security appliance is created in the virtual server.
Any claim listed in the rejection heading not explicitly listed in the body is rejected for being dependent upon a rejected claim.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


Claims 31-50 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Zhu et al. (US 2014/0101656 A1) in view of Recio et al. (Automated Ethernet Virtual Bridging).

Claims 31, 38, and 45:
Zhu discloses the limitations as shown in the following rejections:
detecting a change for a virtual machine (need to migrate/move VM) in the virtual server (second host) (see at least ¶0010, 0036-0037, 0047, FIG. 3:300).
determining whether a virtual security appliance (virtual security service/firewall appliance) is configured in the virtual server; sending a request to create the virtual security appliance in the virtual server (see at least ¶0032, 0036, 0048, FIG. 3:310)
allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine, wherein the virtual security appliance performs security inspections on network packets sent from the virtual machine (see at least ¶0047-0050, 0012, 0031-0032, 0036, 0040, 0043; FIG. 2 and 3)
Exemplary quotations:
“It is determined that functionality provided by the first virtual service is not available in the second host…In response to this determination, a second virtual service is instantiated in the second host (block 320) to provide functionality corresponding to that provided by the first virtual service. Instantiating the second virtual service can include sending all information necessary to reproduce the function and state of the first virtual service in the second host (¶0048)…Following the launch and optional synchronization of the virtual service in the second host, the virtual machine can be migrated and is instantiated in the second host (block 340). The step of instantiating the virtual machine in the second host can include sending instructions to a hypervisor in the second host to launch a copy of the virtual machine” (¶0050).



In Zhu’s disclosed embodiment (FIG. 1; ¶0042) the guest VM communications are routed to (vNICs are ‘wired’ to) a hypervisor-implemented virtual switch/bridge, and Zhu does not describe implementing SR-IOV or any other form of direct I/O and accordingly does not disclose virtually wiring a virtual network interface card (vNIC) to a physical network interface card.
Recio, however, discloses (pg. 1, § I, para. 1-2; pg. 7, § III and Fig. 1) alternative implementations of Virtual Ethernet Bridges (VEBs) for routing VM-to-VM network traffic for VMs residing in the same physical server including hypervisor-based VEBs, such as those of Zhu, and also discloses hardware-based VEBs including PCI network adapter (physical NIC) VEBs based on SR-IOV direct I/O where the physical NIC is configured with a plurality of virtual functions (VFs) directly connected/‘wired’ to the VM’s network interface (vNIC), and including an exemplary embodiment where “security appliances are used to provide Intrusion Detection and Prevention (IDP) functions…To perform this function a virtual appliance is required to inspect VM-to-VM communications” (pg. 8, § III-2, para. 1).
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Zhu to employ the SR-IOV adapter VEB taught by Recio to accelerate VM-to-VM communication and because “Direct sharing circumvents the resource and processing overhead inherent in Hypervisor based Ethernet bridging” (Recio pg. 7, § III, para. 3; pg. 1, § I, para. 1-2). 

Claims 32, 35, 39, 42, 46 and 49:
The combination of Zhu/Recio discloses the limitations as shown in the rejections above. Recio further discloses creating an intercept mechanism (SR-IOV adapter VEB) in the virtual server to intercept the network packets from the virtual machine…wherein the intercept mechanism includes a hardware interception of network packets based on the Single Root Input/Output Virtualization (SR-IOV) specification in at least pg. 7-8, § III; particularly “Port-Pass-Through” (pg. 8) embodiment.

Claims 33, 40, and 47:
The combination of Zhu/Recio discloses the limitations as shown in the rejections above. Recio further discloses reconfiguring logic of a virtual switch (hypervisor VEB) connected to the virtual machine to force the network packets from the virtual machine to the physical network interface card in at least pg. 7, col. 1; particularly hypervisor VEB in FIG. 1 connected to adapter VF.

Claims 34, 41, and 48:
The combination of Zhu/Recio discloses the limitations as shown in the rejections above. Recio further discloses reconfiguring (setting up) logic of the vNIC (VM2-vNIC2) to prevent the network packets (packets destined for VM1 from VM2) from passing through the vNIC in at least pg. 7, col. 1 describing server configuration for internal switching for VM-VM communications with an exemplary VM network of intercommunicating VMs including three VMs (hereafter from left to right VM1, VM2, VM3) with four VM network/Ethernet interface connections (vNICs) which teaches the limitation under a number of interpretations. For example, VM2’s second network interface (vNIC) is configured to prevent network packets destined for VM1 from passing through the vNIC as such packets are handled by its first vNIC.

Claims 36 and 43:
The combination of Zhu/Recio discloses the limitations as shown in the rejections above. Zhu further discloses wherein one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine in at least ¶0010, 0014, 0049. See also Recio pg. 8, § III-2, para. 1-2.


Claims 37, 44, and 50:
The combination of Zhu/Recio discloses the limitations as shown in the rejections above. Zhu further discloses sending, with a distribution manager virtual machine (cloud management entity 106), a request to create the virtual security appliance in the virtual server in at least FIG. 1 and 2 and ¶0034-0036.

Conclusion
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from the Examiner should be directed to Paul Mills whose telephone number is 571-270-5482. The Examiner can normally be reached on Monday-Friday 11:00am-8:00pm. If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Emerson Puente, can be reached at 571-272-3652.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal/pair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). Any response to this action should be mailed to:
Commissioner of Patents and Trademarks
Washington, D.C. 20231
or faxed to 571-273-8300.
Hand delivered responses should be brought to the United States Patent and Trademark Office Customer Service Window:
Randolph Building
401 Dulany Street
Alexandria, VA 22314.
/P. M./
Paul Mills
10/07/2022

/EMERSON C PUENTE/
Supervisory Patent Examiner, Art Unit 2196