Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Response to Arguments
Applicant’s arguments with respect to the prior art rejections of the claim(s) have been considered but are moot in view of the new grounds of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tumuluru (US Pub. No. 2018/0062875; cited on IDS) in view of Jakubik et al (US Pub. No. 2006/0227807), hereafter, “Jakubik.”

 As to claim 1, Tumuluru discloses a method for selecting between a plurality of paths for sending an encrypted packet from a source endpoint to a destination endpoint, comprising: 
selecting a first source port, of a plurality of source ports, associated with a first path of the plurality of paths for sending the encrypted packet from the source endpoint to the destination endpoint, wherein each source port of the plurality of source ports is associated with a different path of the plurality of paths for sending the encrypted packet from the source endpoint to the destination endpoint (Fig. 3, label 330 and [0028], particularly, “As discussed, at any given point in time, there are multiple tunnels (e.g., FOU tunnels) to the destination, one for each source port, and load balancer 117 is responsible for determining the best tunnel for a given traffic flow.”), and wherein the encrypted packet is encrypted based on a security association (SA) established between the source endpoint and the destination endpoint in accordance with an Internet Protocol (IP) Security (IPSec) protocol ([0016], particularly, “OU tunnels may be configured statically on both servers 110 and 120 to create the FOU tunnels. In a particular embodiment, FOU tunnels may be used to wrap Internet Protocol Security (IPsec) tunnels such that multiple IPsec tunnels can go into each FOU tunnel at server 110 and come out at server 120 (or vice versa). Performance parallelism is gained by using the multiple IPsec tunnels.”),
transmitting the encapsulated encrypted packet from the source endpoint to the destination endpoint via the first path (Fig. 3, label 330 and [0028]).
However, Tumuluru does not explicitly disclose 
based on a SA having network address translation traversal (NAT-T) enabled, encapsulating the encrypted packet with a user datagram protocol (UDP) header having the first source port associated with the first path.
But, Jakubik discloses based on a SA having network address translation traversal (NAT-T) enabled ([0032], particularly, “With reference to FIG. 3, when IKE negotiates an IPsec security association that traverses a NAPT, the TCP/IP stack is notified to create a NAPT host entry such as 302 to represent the remote client, which is represented by the NAPT. This entry contains the source IP address of the NAPT (210.1.1.1 in this example) and the source port assigned to this client by the NAPT (4501 in this example).  FIG. 3 shows a second illustrative NAPT client 304 having the same NAPT IP source address 210.1.1.1 and a different source port 4502 assigned by the NAPT. On the right side of SPMT 300 are source port entries.”), encapsulating the encrypted packet with a user datagram protocol (UDP) header having the first source port associated with the first path ([0026], particularly, “RFC 3948 describes a scheme in which the original source port number in a TCP or UDP packet is not changed by the NAPT device, since it is part of the original transport header that is now encrypted as part of the IPsec ESP payload. The port number in the UDP header that is added for UDP encapsulation is changed instead as mentioned above. When such an IPsec packet is received by a server and decrypted, the original source and destination ports of the packet are revealed.” And [0032], particularly, “FIG. 3 shows a second illustrative NAPT client 304 having the same NAPT IP source address 210.1.1.1 and a different source port 4502 assigned by the NAPT. On the right side of SPMT 300 are source port entries.”).
transmitting the encapsulated encrypted packet from the source endpoint to the destination endpoint via the first path (Abstract and Fig. 3).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Tumuluru and Jakubik in order to provide a means to reliably traverse NATs in a known manner.

As to claims 9 and 16, they are rejected by a similar rationale to that set forth in claim 1’s rejection.
  
As to claims 2, 10, and 17, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose maintaining, for the SA, a mapping of the plurality of source ports to the plurality of paths (Tumuluru, [0028], particularly, “As discussed, at any given point in time, there are multiple tunnels (e.g., FOU tunnels) to the destination, one for each source port, and load balancer 117 is responsible for determining the best tunnel for a given traffic flow.” And Jakubik, [0032], particularly, “With reference to FIG. 3, when IKE negotiates an IPsec security association that traverses a NAPT, the TCP/IP stack is notified to create a NAPT host entry such as 302 to represent the remote client, which is represented by the NAPT. This entry contains the source IP address of the NAPT (210.1.1.1 in this example) and the source port assigned to this client by the NAPT (4501 in this example).  FIG. 3 shows a second illustrative NAPT client 304 having the same NAPT IP source address 210.1.1.1 and a different source port 4502 assigned by the NAPT. On the right side of SPMT 300 are source port entries.”).

As to claims 3, 11, and 18, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose encapsulating the encrypted packet comprises: encapsulating the encrypted packet with the UDP header having a fixed source port subsequent to enabling the NAT-T; and replacing the fixed source port in the UDP header with the first source port (Jakubik, [0027]-[0028], particularly, “The source and destination ports in the clear text UDP header added by IPsec are set to 4500 as specified in RFC 3948… In FIG. 1, the selected source port number is illustratively changed from 4500 to 4501.).

As to claims 4, 12, and 19, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose receiving an indication of a subset of the plurality of paths as qualified paths from the destination endpoint, the subset including the first path, wherein selecting the first source port associated with the first path is based on receiving the indication (Tumuluru, [0028], particularly, “As discussed, at any given point in time, there are multiple tunnels (e.g., FOU tunnels) to the destination, one for each source port, and load balancer 117 is responsible for determining the best tunnel for a given traffic flow.” And Fig 3).

As to claims 5, 13, and 20 the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose after transmitting the encrypted packet, determining, based on probing the plurality of paths, that a second path of the plurality of paths is more qualified than the first path; encapsulating subsequent encrypted packets with the UDP header having a second source port of the plurality of source ports associated with the second path; and transmitting the subsequent encrypted packets to the destination endpoint via the second path  (Tumuluru, [0028], particularly, “As discussed, at any given point in time, there are multiple tunnels (e.g., FOU tunnels) to the destination, one for each source port, and load balancer 117 is responsible for determining the best tunnel for a given traffic flow.” And Fig. 3 discloses it is an iterative process).

As to claims 6 and 14, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose the encrypted packet is a first encrypted packet of a plurality of encrypted packets associated with first and second data flows, further comprising: selecting a second path of the plurality of paths; encapsulating a first set of encrypted packets of the plurality of encrypted packets that is associated with the first data flow with the UDP header having the first source port associated with the first path; encapsulating a second set of encrypted packets the plurality of encrypted packets that is associated with the second data flow with a second UDP header having a second source port associated with the second path; transmitting the first set of encapsulated encrypted packets to the destination endpoint via the first path; and transmitting the second set of encapsulated encrypted packets to the destination endpoint via the second path (Tumuluru, [0028], particularly, “As discussed, at any given point in time, there are multiple tunnels (e.g., FOU tunnels) to the destination, one for each source port, and load balancer 117 is responsible for determining the best tunnel for a given traffic flow.” And Fig. 3 discloses it is an iterative process with [0026], particularly, “RFC 3948 describes a scheme in which the original source port number in a TCP or UDP packet is not changed by the NAPT device, since it is part of the original transport header that is now encrypted as part of the IPsec ESP payload. The port number in the UDP header that is added for UDP encapsulation is changed instead as mentioned above. When such an IPsec packet is received by a server and decrypted, the original source and destination ports of the packet are revealed.” And [0032], particularly, “FIG. 3 shows a second illustrative NAPT client 304 having the same NAPT IP source address 210.1.1.1 and a different source port 4502 assigned by the NAPT. On the right side of SPMT 300 are source port entries.”).

As to claims 7 and 15, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose selecting the first source port associated with the first path comprises: probing the plurality of paths by sending probing packets to the destination endpoint, the probing packets having a destination port number associated with the destination endpoint, and having different source port numbers associated with the plurality of source ports; and selecting the first source port associated with the first path based on the probing (Tumuluru, [0027]-[0028] and Fig 3).

As to claim 8, the teachings of Tumuluru and Jakubik as combined for the same reasons set forth in claim 1’s rejection further disclose probing the plurality of paths comprises determining a quality of each path in the plurality of paths by measuring at least one of latency, liveliness, throughput, or packet loss associated with the path (Tumuluru, [0027]-[0028] and Fig 3).

Conclusion
 Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Thomas J Dailey/
Examiner, Art Unit 2452