DETAILED ACTION

Currently pending claims are 1 – 20.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1 – 7, 9 – 15 & 17 – 20 are rejected under 35 U.S.C.103 as being unpatentable over Twomey et al. (U.S. Patent 7,246,245), in view of Minnick et al. (U.S. Patent 7,409,542) – CN 1543131-A (Yong Du et al.) is also provided as an additional evidence enclosed in the record of 892 to further support the rationale of rejection for the clarity purpose (Pls. also see below).

As per claim 1, 11 & 19, Twomey teaches a method comprising: 
receiving, at a receiving module of a system on a chip (SoC), a packet (Twomey: Figure 2 / E-22A & 22B: receivng packets from network ports on a SOC chip); 
determining a key identifying an inbound security association (SA) for the packet (Twomey: see above & Col. 7 Line 43 – 47: an inbound security association (SA) can be identified based on a security parameter index (SPI), which constitutes as one type of keys (i.e. a search-key) pointing to an entry in a SAD table (Security Association (SA) database));
However, Twomey does not teach expressly searching a hardware look-up table for the inbound SA of the packet based at least in part on the key.
Minnick (& Twomey) teaches searching a hardware look-up table for the inbound SA of the packet based at least in part on the key (Twomey: see above) || (Minnick: Figure 5 / E-542 & 544, Col. 4 Line 41 – 48 & Col. 3 Line 45 – 50: (a) utilizing a SPI hash key from the data packet as a pointer to an entry of a SA look-up table (Minnick: Figure 5 / E-542, 544 & Col. 4 Line 41 – 48) and (b) providing a hardware implementation of a data structure of SAs that manages SA table(s) and is directed to a pair of tables such as a SA lookup table and a SA table store (Minnick: Col. 3 Line 45 – 50), wherein Examiner notes (c) in order to benefit a hardware searching speed, it would have been obvious for an ordinary skill in the art to streamline the hardware implementation of the corresponding data structure through both of the SA lookup table and the SA table/store for preventing any processing congestion caused by either one of a pair of the respective tables) – In view of that, a reference CN 1543131-A is also provided as an additional evidence enclosed in the record of 892 to further support the rationale of rejection for the clarity purpose (Du, Yong: Page 3 / 2nd Para: a routing exchange equipment can support an implementation of hardware acceleration for a look-up table to effectively improve the processig ability of a device).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of searching a hardware look-up table for the inbound SA of the packet based at least in part on the key because Du teaches to alternatively, effectively and securely utilize a SPI hash key from the data packet as a pointer to an entry of a SA (security association) look-up table and provide a hardware implementation of a data structure of SAs coupled with a SA table management which is directed to a pair of tables such as a SA lookup table and a SA table to effectively improve the processig ability of a device (see above) within the Twomey’s system of using a security parameter index (SPI) as a search-key that points to an entry in a SAD table (security association database) (see above).
determining the inbound SA of the packet based at least in part on the searching the hardware look-up table (see above); 
determining a corresponding SA memory address for the inbound SA (Twomey: see above) || (Minnick: see above & Col. 4 Line 35 – 40); and 
providing the corresponding SA memory address for the inbound SA to an internet protocol (IP) security (IPsec) engine for processing of the packet with respect to an IPsec protocol (Twomey: see above & Col. 5 Line 33 – 52 and Col. 4 Line 38 – 40: performing encryption / decrytion and authentication w.r.t. IPsec specification by utilizing an IPsec security engine according to a given SA memory address that stores various security association (SA) parameters for use in decrypting / encrypting & authentication the incoming / outgoing packets) || (Minnick: see above).  

As per claim 2 & 12, Twomey as modified teaches searching a software look-up table for the inbound SA of the packet based at least in part on (i) the key and (ii) failure to locate the inbound SA in the hardware look-up table; and locating the inbound SA in the software look-up table (Minnick: Figure 5 / E-542 & 544, Col. 4 Line 41 – 48 & Col. 2 Line 64 – 67: (a) utilizing a SPI hash key from the data packet as a pointer to an entry of a SA look-up table, and (b) wherein the look-up table can also be optionally managed in software).  

As per claim 3 – 4 & 13, Twomey as modified teaches programming all inbound SAs into the software look-up table; and programming at least some inbound SAs into the hardware look-up table based at least in part on available capacity in the hardware look-up table (Minnick: see above & Col. 4 Line 41 – 48 & Col. 2 Line 64 – 67: (a) utilizing a SPI hash key from the data packet as a pointer to an entry of a SA look-up table, and (b) wherein the look-up table can be managed in an effective combination of hardware and software as needed).  

As per claim(s) 5 & 14, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 6, Twomey as modified teaches the hardware look-up table comprises a hierarchical hardware look-up table (Minnick: see above & Col. 8 Line 46 – 51: the entry in the look-up table can contain necessary information to offload the received packet – Examiner notes it would be obvious for an ordinary skill in the art of a well-known data structure technique that a look-up table can be further pointed to another look-up table(s) before reaching a target (expected) data table).  

As per claim 7 & 15, Twomey as modified teaches: 
decrypting, by the IPsec engine, IPsec features of the packet (Twomey: see above & Col. 5 Line 33 – 36); 
storing, by the IPsec engine, decrypted IPsec features in a buffer (Twomey: see above: a memory store as a buffer for further processing the received packet); 
forwarding, by the IPsec engine, the packet and the buffer to a central processing unit (CPU) core (Twomey: see above & Col. 5 Line 37 – 52: a CPU as a processing unit of a security engine for further processing the received packet); and 
further processing, by the CPU core, additional features of the packet, wherein during the further processing, the decrypted IPsec features are retrieved by the CPU core from the buffer (Twomey: see above Col. 5 Line 47 – 52: further processing of the additional features of the received packet such as further authenticating the request to access the more secured data).  

As per claim 9 & 17, Twomey as modified teaches: 
performing, by the one of the one or more CPU cores, first outbound IPsec operations on the packet (Twomey: see above & Col. 5 Line 53 – 60: (e.g.) encapsulaing the outgoing packets based on the various target protocol types); 
forwarding, by the one of the one or more CPU cores, the packet to the IPsec engine (Twomey: see above & Col. 5 Line 37 – 52: a CPU as a processing unit of a security engine for further processing (encrypting) the outgoing packet);
performing, by the IPsec engine, second outbound IPsec operations on the packet, wherein the second outbound IPsec operations are provided to the IPsec engine in metadata of the packet (Twomey: see above: SA information as one typ of metadata); and 
forwarding the packet to traffic management of the SoC (Twomey: Figure 2 / E-22A & 22B and see above: the functionality of processing packets from network ports on a SOC chip as one type of traffic management of the SoC(s)).  

As per claim 10, 18 & 20, Twomey as modified teaches: 
collecting, by the IPsec engine, information related to the packet and the SA, wherein the information comprises one or more packet offsets, IPsec protocol, IPsec next protocol, or feature specific flags (Twomey: see above & Col. 5 Line 33 – 36: w.r.t. IPsec security protocol); 
storing the information in an inbound buffer as metadata (Twomey: see above: a memory store as a buffer for further processing the received packet such as SA related security information as metadata);
 forwarding the packet and the metadata to a central processing unit (CPU) core; and processing, by the CPU core, the packet (Twomey: see above & Col. 5 Line 37 – 52: a CPU as a processing unit of a security engine for further processing the received packet); 
forwarding the packet and the metadata to the IPsec engine (Twomey: see above & Col. 5 Line 33 – 36: w.r.t. IPsec security protocol); 
storing the metadata in an outbound buffer (Twomey: see above: a memory store as a buffer for storing the processing (output) results after processing the received packet such as SA related security information (metadata) for (e.g.) encrypting); and 
encrypting, by the IPsec engine, the packet, the packet including the metadata from the outbound buffer (Twomey: see above & Col. 5 Line 47 – 52: furthe encrypting the packet by the IPsec encryption engine).  

Allowable Subject Matter
Claims 8 & 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2391 – 2022
---------------------------------------------------