DETAILED ACTION

Status of Claims

This action is in reply to the application filed on 12/16/2021.
Claims 1-20 are currently pending and have been examined.

	Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-6, 9, 12-14, 16, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Koganti et al. (US 20130223449 A1) in view of Asghar et al. (US 2020/0127983 A1).

Claims 1, 13, and 20:
Koganti discloses the limitations as shown in the following rejections:
circuitry to: receive network traffic including a packet (data frame/packet) associated with a tenant (subnet) (see at least ¶0041, 0047, 0055, 0084, FIG. 6A)
a payload from the packet, wherein the payload is indicative of one or more characteristics (e.g. subnet to which the data frame belongs, required service(s) associated with the network traffic (see at least ¶0057, 0068-0069, 0085).
upon a determination, based on an evaluation of the one or more characteristics, that the network traffic is associated with a workload requesting compute from a service hosted (service is locally available) by the network platform, transmit the network traffic to the service hosted by the network platform (see at least ¶0057, 0081, 0085-0086, FIG. 6A).
Koganti does not specifically disclose the packets are encrypted and accordingly does not specifically disclose upon a determination that the packet is encrypted, retrieve a secret key associated with the tenant; decrypt, using the secret key.
Asghar, however, discloses methods to support network traffic/packet encryption in a multitenant network where upon receiving a packet, the receiver upon a determination that the packet is encrypted, retrieve a secret key associated with the tenant; decrypt, using the secret key (¶0057-0060; FIG. 2:234-238): “the system determines that the data packet is encrypted based on information in the header (¶0057)…an encryption key for the data packet is identified using the information in the header. For example, the SDN controller may store a key repository comprising a plurality of encryption keys, each of which corresponding to tenant specific information” (¶0058).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Koganti to employ Asghar’s encryption techniques because to improve site-to-site transmission of tenant packet traffic by allowing per-tenant encryption profiles (Asghar ¶0014, 0005) in addition to the well-known benefits of communication encryption such as data security.



Claims 2 and 14:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses upon a determination that the network traffic is not associated with a workload requesting compute from the service hosted by the network platform (not locally available), forward the network traffic to a specified destination (see at least ¶0057, 0081, 0085-0086, FIG. 6A).

Claims 4 and 16:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses wherein the determination based on the evaluation of the one or more characteristics that the network traffic is associated with the workload comprises to execute an accelerator function using the payload as input to determine whether the network traffic is targeting the service, see ¶0057, 0068-0069, 0085 where Koganti’s network processor determines whether the network traffic is targeting the service in view of ¶0098 disclosing the network processor can be implemented as an application-specific integrated circuit (ASIC) chip  a field-programmable gate array (FPGA) (accelerator).

Claims 5, 6, and 17:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses evaluate the one or more characteristics relative to one or more policies associated with the tenant….relative to at least…traffic policy associated with the tenant (see at least ¶0059, 0076-0077).



Claim 9:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses offload one or more tasks of the workload on the network device (¶0057-0059, 0081, 0085-0087).

Claim 12:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses wherein the circuitry is further to perform an address translation on the network traffic (¶0064-0066, 0069).

Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Koganti et al. (US 20130223449 A1) in view of Asghar et al. (US 2020/0127983 A1) in further view of Chakrabarti et al. (Intel® SGX Enabled Key Manager Service with OpenStack Barbican).

Claims 3 and 15:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Asghar discloses identify the tenant using an identifier included with the packet (¶0058-0060), where Asghar also discloses retrieving the key from a repository. The combination of Koganti/Asghar does not specifically disclose retrieve the secret key from a trusted execution environment of the network device.
Chakrabarti, however, discloses (pg. 1 and 6) SGX enabled key manager “Barbican” which includes   a SGX enclave (trusted execution environment) to manage key storage and retrieval.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to substitute Koganti/Asghar’s key repository with the Barbican key manager Chakrabarti to increase the security and integrity of key storage and distribution (Chakrabarti pg. 2).

Claims 7, 8, 10, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Koganti et al. (US 20130223449 A1) in view of Asghar et al. (US 2020/0127983 A1) in further view of Gember et al. (Stratos: Virtual Middleboxes as First-Class Entities).

Claims 7, 8, 10, 18, and 19:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Koganti does not disclose dividing or balancing the network processing load amongst the virtual appliances (servers) that provide the required services, and the combination of Koganti/Asghar does not disclose subdivide, based on the evaluation of the one or more characteristics relative to the one or more policies, the workload for offloading the workload to one or more servers or the remaining limitations of claims 7, 8, 10, 18, and 19.
However, network traffic/workload balancing is old and well-known, and Gember particularly discloses automated scaling for VM middleboxes (servers) equivalent to the virtual appliances of Koganti, and distributing/splitting (subdividing) the set of network flows (workload) in pg. 6-7, § 4.2 and teaches the limitations subdivide (distribute), based on the evaluation of the one or more characteristics relative to the one or more policies, the workload for offloading the workload to one or more servers…an amount of throughput required maintain a load balancing in the one or more servers, or an amount of the one or more servers (middleboxes) that are available to process the workload; and similarly forward one or more tasks (flows) of the workload to one or more service providers according to a load balancing technique. Exemplary quotation: 
“Uniform Flow Distribution. In the uniform scheme, each intermediate middlebox instance splits flows equally among all middlebox instances corresponding to the subsequent middlebox element in the chain. Figure 7a shows an example of how flows are distributed among multiple middlebox instances after scaling. The logical topology is a chain connecting IPS to RE and then RE to servers. After scaling, we have 3 IPS instances and 4 RE instances. So if N flows arrive at each IPS instance, then these N flows gets distributed equally among the RE instances” (pg. 6, § 4.2)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Koganti/Asghar to employ the service scaling and flow distribution techniques taught by Gember in order to avoid performance degradation and reduce the likelihood of encountering network bottlenecks (Gember pg. 1, Abstract; pg. 13, § 7.2.2).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Koganti et al. (US 20130223449 A1) in view of Asghar et al. (US 2020/0127983 A1) in further view of Wright (US 20140325215 A1)

Claim 11:
The combination of Koganti/Asghar discloses the limitations as shown in the rejections above. Furthermore, Koganti discloses forward the original…network traffic to the service hosted by the network platform in at least ¶0057, 0081, 0085-0086. The combination of Koganti/Asghar does not specifically disclose retrieve a destination-specific secret key that is different from the secret key associated with the tenant; re-encrypt, using the destination-specific secret key, the network traffic.
Wright however discloses retrieve a destination-specific secret key that is different from the secret key associated with the tenant; re-encrypt, using the destination-specific secret key, the network traffic in at least ¶0045.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Koganti/Asghar to perform destination key re-encryption as taught by Wright to allow encrypted communication between two parties who do not know each other’s keys (Wright ¶0071-0073).
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US 10013364 B1 is directed to per tenet encryption keys.
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from the Examiner should be directed to Paul Mills whose telephone number is 571-270-5482.  The Examiner can normally be reached on Monday-Friday 11:00am-8:00pm.  If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Emerson Puente can be reached at 571-272-3652.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see  http://portal.uspto.gov/external/portal/pair .  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). Any response to this action should be mailed to:
Commissioner of Patents and Trademarks
Washington, D.C.  20231
or faxed to 571-273-8300.
Hand delivered responses should be brought to the United States Patent and Trademark Office Customer Service Window:
Randolph Building
401 Dulany Street
Alexandria, VA 22314.
/P. M./
Paul Mills
11/02/2022

/EMERSON C PUENTE/       Supervisory Patent Examiner, Art Unit 2196