DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because of the the new ground of rejection presented below.

Claim Objections
Claims 4, 11 and 17 objected to because of the following informalities:  
Line 5 of claim 4 recites in part “….flow identifier from a data store”, line 4 of claim 11 recites in part “….flow identifier from a flow identifier data store” and line 4 of claim 17 recites in part “….flow identifier from a data store”. The terminologies must be consistent throughout all claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5-6, 14-16 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine (US 9398121 B1) in view of Kumar et. al. (US 20150295831 A1, Kumar hereinafter).

Brandwine discloses the following:

With respect to independent claims:

Regarding claim 1, A computing system (e.g. Fig. 1), comprising:
a first network environment associated with a first customer (e.g. Fig. 1, Physical Host A 106A is considered as the first customer and the network environment of the first customer is considered as the first network. Note that the host must be connected to a network environment for communicating with other hosts) of a cloud computing environment, wherein the first network environment is a virtual private network environment (e.g. “a cloud service provider virtualizes some or all of the necessary compute resources to generate virtual private clouds of topologies specific to its customers. This virtualization allows the cloud service provider to dynamically scale hardware and software of the compute resources to meet needs and requirements of its customers. The virtual private cloud of one customer is typically isolated from a virtual private cloud of another customer of the same cloud service provider, even when the two virtual private clouds are hosted on compute resources operating in the same datacenter. The isolation protects each customer from security breaches, among other things, and renders each virtual private cloud a private network inaccessible by the other customers of the same cloud service provider” col. 1 lines 18-31. Note that the virtual private clouds of customers are associated with a cloud computing environment and the virtual private cloud of the first customer is considered as a virtual private network environment);
a second network environment (e.g. network environment associated with Physical host B 106B of Fig. 1);
a network appliance (e.g. Fig. 1, network appliance comprising Mapping Server 110); and
a stateful network routing service (e.g.  Fig. 1, a subset of Internal networking infrastructure 108 along with Edge Routers A and B is considered as the stateful network routing service) configured to route data between the first network environment and the second network environment with the policy of the network appliance (e.g. “Physical host B 106B receives the packet from physical host A 106A across internal networking infrastructure 108 and extracts the original packet from the data portion of the packet in the virtual networking framework. However, before physical host B 106B performs additional operations on the packet, it may verify with the mapping server 110 that 10.1.2.30 and 10.1.2.50 are on the same virtual cloud and permitted to communicate with each other” col. 5, lines 4-12, which verifying with the mapping server 110 is associated with routing data with the policy of the server), the stateful network routing service configured to:
receive a packet from the first network environment (e.g. aforesaid “Physical host B 106B receives the packet from physical host A 106A across internal networking infrastructure 108”, which internal networking infrastructure 108 receives the packet from physical host A of the first networking environment), the packet corresponding to a flow of network traffic between the first network environment and the second network environment (e.g. “Physical host A 106A constructs a packet using the virtual networking framework that contains a source address of 7.8.9.10 and a destination address of 1.2.3.4, and the data portion of the packet contains GNI information along with the original packet” col. 4, lines 63-67, which source address is associated with the first network environment and which destination address is associated with the second network environment, and the packet with a source address and a destination address corresponds to a flow of traffic between the first and the second network environment, wherein the flow information of the flow is considered as the first flow information which comprises the source address and the destination address), wherein the packet includes first flow information identifying the flow of network traffic (e.g. aforesaid first flow information),
transmit the packet to the second network environment, based at least in part on validating the packet (e.g. “Physical host B 106B receives the packet from physical host A 106A across internal networking infrastructure 108 and extracts the original packet from the data portion of the packet in the virtual networking framework. However, before physical host B 106B performs additional operations on the packet, it may verify with the mapping server 110 that 10.1.2.30 and 10.1.2.50 are on the same virtual cloud and permitted to communicate with each other” col. 5, lines 4-10, which verification is associated with validating the packet).

It is noted that while disclosing packet, Brandwine is silent about obtain a first flow identifier, wherein the first flow identifier is generated for the first flow information, add the first flow identifier to the packet to generate a first enriched packet, transmit the first enriched packet to the network appliance, receive a second enriched packet from the network appliance, wherein the second enriched packet includes a second flow identifier and second flow information, validate the second enriched packet by verifying that the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet and the first flow information of the packet corresponds to the second flow information of the second enriched packet, and transmit the second enriched packet to the second network environment, based at least in part on validating the second enriched packet, which however had been known in the art before the effective filing date of the claimed invention as shown by Kumar in a disclosure “NETWORK ADDRESS TRANSLATION OFFLOAD TO NETWORK INFRASTRUCTURE FOR SERVICE CHAINS IN A NETWORK ENVIRONMENT” (Title). Kumar discloses “During operation, network infrastructure 20 may receive packet 36 (e.g., from outside network 11). Network infrastructure 20 may determine that packet 36 has not been previously seen. Network infrastructure 20 may generate NSH 30; NSH module 44 may generate cookie 24 associated with the flow of packet 36 and insert cookie 24 into NSH 30; and service chain-flow associator 46 may associate cookie 24 with the service chain and flow of packet 36 (e.g., generate a table associating cookie with the 5 tuple of the flow obtained from network header 38). Network infrastructure 20 may determine (e.g., based on flow table, service chain configuration, and other criteria) that packet 36 is to be forwarded to service node 14(1) for performing service functions 16(1) and 16(2). Network infrastructure 20 may insert NSH 30 (comprising cookie 24) in packet 36, and forward packet 36 to service node 14(1). Network infrastructure 20 may store a flow state (e.g., flow tuple) identifying the flow” [0059], wherein cookie 24 “ties the flow states before and after NAT execution” [0043] for the flow of packet 36 and is considered as the first flow identifier, packet 36 with NSH 30 (comprising cookie 24) is considered as the first enriched packet generated by adding the first flow identifier to the packet, network infrastructure 20 is considered as the stateful network routing service, and generating cookie 24 and associating the cookie with the flow of the packet 36 is considered as obtain a first flow identifier, wherein the first flow identifier is generated for the first flow information. Note that the network appliance comprises service nodes 14(1) to 14(N) of Fig. 3 and is associated with the mapping server 110 of Brandwine. Thus, the first enriched packet is transmitted to the network appliance.
Moreover, “Service function 16(1) may execute the NAT transformation on packet 36 and transform network header 38 according to pre-configured NAT policies on service node 14(1). …. Service function 16(2) may subsequently perform another service on packet 36 and send packet 36 back to network infrastructure 20. Service chain-flow associator 46 may inspect cookie 24 in NSH 30, and determine, based on cookie 24, that packet 36 is associated with a previously seen flow and service chain, even though the flow tuple of the received packet indicates a different flow (e.g., due to NAT transformation)” [0060], which received packet is considered as the second enriched packet and is received from service node 14(2) or the network appliance, wherein “At 158, network infrastructure 20 can automatically detect transformation on flow based on cookie correlation” [0065], which cookie correlation must be associated with a second flow identifier and aforesaid different flow is considered as the second flow.  Thus, the second enriched packet includes a second flow identifier and second flow information. Referring to Fig. 7, “At 152, when traffic (e.g., flows) passes through network infrastructure 20 post service delivery, network infrastructure 20 can correlate the flow associated with packet 36 to the observed flow prior to steering traffic to the service node (e.g., 14(1)) and correlate it to the service chain (e.g., 18) for that flow. At 154, re-classification of traffic may not be necessary, avoiding starting another chain for servicing transformed flow….. At 158, network infrastructure 20 can automatically detect transformation on flow based on cookie correlation” [0064]-[0065], which detection of flow transformation based on cookie correlation is associated with validation of the second enriched packet by verifying that the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet and which correlation of the flow associated with packet 36 to the observed flow prior to steering traffic to the service node is associated with verifying that the first flow information of the packet corresponds to the second flow information of the second enriched packet. Note that “aforesaid send packet 36 back to network infrastructure 20” is associated with transmitting, from the network appliance after validation, the second enriched packet to the network infrastructure, which network infrastructure then forwards the packet to the second second network environment since the destination of the packet is in the second network environment. Thus, the second enriched packet is transmitted to the second network environment after validating the second enriched packet. 
Therefore, it would have been obvious to one of ordinary skill in the art to combine Kumar’s method of adding flow identifiers and flow information to the packet, generate a first enriched packet, receive a second enriched packet, validate the second enriched packet and transmit the second enriched packet based on validating the second enriched packet to Brandwine’s method of transmitting the packet so that a determination can be made if a received packet is associated with a previously seen flow and service chain, and transmitted accordingly in an efficient manner.

Regarding claim 5,  A system comprising (e.g. “FIG. 9 depicts an example computer architecture for a computer 900 capable of executing the above-described software components. The computer architecture shown in FIG. 9 illustrates a conventional server computer, workstation, desktop computer, laptop, tablet, network appliance, PDA, e-reader, digital cellular phone or other computing device, and may be utilized to execute any aspects of the software components presented herein described as executing within datacenters 702A-702N, on server computers 802A-802N, on the customer computing system 704 or on any other computing system mentioned herein” col. 18, lines 45-55): 
a data store including computer-executable instructions (e.g. “computer 900 may store information to mass storage device 928 by issuing instructions through storage controller 924 to alter the magnetic characteristics of a particular location within a magnetic disk drive unit, the reflective or refractive characteristics of a particular location in an optical storage unit or the electrical characteristics of a particular capacitor, transistor or other discrete component in a solid-state storage unit” col. 19 lines 54-61, which mass storage device 928 is considered as the data store. Furthermore, “Mass storage device 928 or other computer-readable storage media may also be encoded with computer-executable instructions, which, when loaded into computer 900, transforms the computer from a general-purpose computing system into a special-purpose computer capable of implementing the embodiments described herein” col. 20 lines 36-41); and 
one or more computing devices (e.g. “Computer 900 may include a baseboard, or “motherboard,” which is a printed circuit board to which a multitude of components or devices may be connected by way of a system bus or other electrical communication paths. One or more central processing units (“CPUs”) 904 may operate in conjunction with a chipset 906” col 18 lines 56-61, which one or more CPUs comprise one or more computing devices) configured to execute the computer-executable instructions (e.g. aforesaid computer-executable instructions) to implement a stateful network routing service (e.g.  Fig. 1, a subset of internal networking infrastructure 108 along with Edge Routers A and B is considered as the stateful network routing service), wherein execution of the computer-executable instructions causes the one or more computing devices to: 
receive a packet from a first computing device (e.g. “Physical host B 106B receives the packet from physical host A 106A across internal networking infrastructure 108” col. 5, lines 4-5, wherein an ingress node/router of the internal networking infrastructure receives the packet from the physical host 106A, which ingress node is considered as the first computing device), the packet corresponding to a flow of network traffic between the first computing device and a second computing device (e.g. the egress node/router of the internal networking infrastructure is considered as the second computing device which is connected to aforesaid physical host B 106 B), the stateful network routing service configured to intercept network traffic between the first computing device and the second computing device (e.g. Note that the flow information of a packet is usually provided in the header of the packet and is essential for routing the packet. Therefore, the packet must be intercepted before it can be routed), wherein the packet includes first flow information identifying the flow of network traffic (e.g. “Physical host A 106A constructs a packet using the virtual networking framework that contains a source address of 7.8.9.10 and a destination address of 1.2.3.4, and the data portion of the packet contains GNI information along with the original packet” col. 4, lines 63-67, which packet with a source address and a destination address corresponds to a flow of traffic, wherein the flow information of the flow is considered as the first flow information which comprises the source address and the destination address), 
obtain a first flow identifier, wherein the first flow identifier is generated for the first flow information, 
add the first flow identifier to the packet to generate a first enriched packet,
transmit the first enriched packet to a network appliance, 
receive a second enriched packet from the network appliance, wherein the second enriched packet includes a second flow identifier and second flow information, 
conduct a validation of the second enriched packet by determining whether the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet and the first flow information of the packet corresponds to the second flow information of the second enriched packet, and 
determine, based at least in part on whether validation of the second enriched packet succeeded, whether to route the second enriched packet to the second computing device (e.g. Note that the remainder of this claim is similar to claim 1 above except that it is a computer-executable instructions claim and thus the same reasoning as applied to claim 1 applies here as well).

Regarding claim 15, A method implemented by one or more computing devices (e.g. “Computer 900 may include a baseboard, or “motherboard,” which is a printed circuit board to which a multitude of components or devices may be connected by way of a system bus or other electrical communication paths. One or more central processing units (“CPUs”) 904 may operate in conjunction with a chipset 906” col 18 lines 56-61) that implement a stateful network routing service (e.g.  Fig. 1, a subset of Internal networking infrastructure 108 along with Edge Routers A and B is considered as the stateful network routing service), the method comprising: 
intercepting a packet over a network (e.g. “The virtual networking framework in the host partition may intercept packets from the virtual machine instances and ensure that the identification of overlay network addresses in the packets are rewritten into identification of physical addresses. This translation may be done so that the devices of the physical network are given addresses that they understand on the physical network, and may therefore transmit the packets toward their destination” col. 2 lines 59-62. Note that the flow information of a packet is usually provided in the header of the packet and is essential for routing the packet), the packet corresponding to a flow of network traffic between a first computing device (e.g. “Physical host B 106B receives the packet from physical host A 106A across internal networking infrastructure 108” col. 5, lines 4-5, wherein an ingress node/router of the internal networking infrastructure receives the packet from the physical host 106A, which ingress node is considered as the first computing device) and a second computing device (e.g. the egress node/router of the internal networking infrastructure is considered as the second computing device which is connected to aforesaid physical host B), wherein the packet includes first flow information identifying the flow of network traffic (e.g. “Physical host A 106A constructs a packet using the virtual networking framework that contains a source address of 7.8.9.10 and a destination address of 1.2.3.4, and the data portion of the packet contains GNI information along with the original packet” col. 4, lines 63-67, which packet with a source address and a destination address corresponds to a flow of traffic, wherein the flow information of the flow is considered as the first flow information which comprises the source address and the destination address);
obtaining a first flow identifier corresponding to the first flow information;
adding the first flow identifier to the packet to generate a first enriched packet;
transmitting the first enriched packet to a network appliance;
receiving a second enriched packet from the network appliance; wherein the second enriched packet includes a second flow identifier and second flow information;
conducting a validation of the second enriched packet by determining whether the first flow identifier of the first enriched packet matches the second flow identifier of the second enriched packet and the first flow information of the packet corresponds to the second flow information of the second enriched packet; and
determining, based at least in part on whether validation of the second enriched packet succeeded, whether to route the second enriched packet to the second computing device (e.g. Note that aforesaid sending the packet 36 by the service function 16(2) of the service node 14(1) to network infrastructure 20 is associated with routing the second enriched packet to the second computing device based on validation of the second enriched packet. Note further that the remainder of this claim is similar to claim 1 above except that it is a method claim and thus the same reasoning as applied to claim 1 applies here as well).
 	
Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

 With respect to dependent claims:

Regarding claim 6, The system of claim 5, further comprising one or more additional computing devices (e.g. aforesaid “One or more central processing units (“CPUs”) 904 may operate in conjunction with a chipset 906”, which one or more CPUs are considered as one or more additional CPUs) configured to implement a second stateful network routing service (e.g. Fig. 1, a second subset, different from the subset of claim 5, of Internal networking infrastructure 108 along with Edge Routers A and B is considered as the stateful network routing service. Note that the one or more CPUs for this claim is different from the one or more CPUs of claim 5, and thus implements a second stateful network routing service different from the stateful network routing service of claim 5), wherein the one or more additional computing devices are configured to:
receive a third packet from the first computing device (e.g. “the source and destination hosts may use different capabilities when sending packets to each other. For example, the source host may use encryption when sending packets to the destination host” col. 12 lines 20-22, which packets comprise the third packet from the first computing device), the third packet corresponding to the flow of network traffic between the first computing device and the second computing device, wherein the third packet includes the first flow information (e.g. “In some embodiments, flows (e.g., a flow is a sequence of packets from a source network node to a destination network node, and is identified by a unique flow tuple (e.g., source IP address, destination IP address, source port address, destination port address, protocol)) arriving in network 11 may be classified at a classifier using a locally instantiated policy and customer or network or service profile matching of flows to service chains for identification of appropriate outbound forwarding actions“[0018]. Note that in this scenario, the third packet is for the flow with the first flow information and the flow is from the first computing device to the second computing device);
obtain the first flow identifier (e.g. Kumar: aforesaid first flow identifier associated with the first flow information);
add the first flow identifier to the third packet to generate a third enriched packet (e.g. Kumar: aforesaid “network infrastructure 20 may insert cookie 24”, which packet with cookie is considered as the third enriched packet and the network infrastructure 20 is associated with the second subset and/or the second stateful network routing service. Note that for remainder of this claim, the network infrastructure 20 is considered as the second network routing service);
transmit the third enriched packet to the network appliance (e.g. Kumar: aforesaid “Network infrastructure 20 may insert NSH 30 (comprising cookie 24) in packet 36, and forward packet 36 to service node 14(1)”);
receive a fourth enriched packet from the network appliance, wherein the fourth enriched packet includes a fourth flow identifier and fourth flow information (e.g. Kumar: “At 152, when traffic (e.g., flows) passes through network infrastructure 20 post service delivery, network infrastructure 20 can correlate the flow associated with packet 36 to the observed flow prior to steering traffic to the service node (e.g., 14(1)) and correlate it to the service chain (e.g., 18) for that flow. At 154, re-classification of traffic may not be necessary, avoiding starting another chain for servicing transformed flow….. At 158, network infrastructure 20 can automatically detect transformation on flow based on cookie correlation” [0064]-[0065], which traffic passing through the network infrastructure 20 post service delivery is associated with receiving the fourth enriched packet from the network appliance and the flow prior to steering traffic to the service node is considered as the third enriched packet. Note that just like aforesaid second enriched packet received from the network appliance includes a second flow identifier and a second flow information, the fourth enriched packet must also contain fourth flow identifier and a fourth flow information);
conduct a validation of the fourth enriched packet (e.g. Kumar: “At 158, network infrastructure 20 can automatically detect transformation on flow based on cookie correlation” [0065]), by determining whether the first flow identifier matches the fourth flow identifier (e.g. Kumar: aforesaid cookie correlation. Note that since the fourth enriched packet with fourth flow identifier is received from the network appliance due to transmission of the third enriched packet with first flow identifier to the network appliance, the cookie correlation is done by determining whether the first flow identifier matches the fourth flow identifier) and the first flow information corresponds to the fourth flow information (e.g. Kumar: aforesaid flow correlation. Note that since the fourth enriched packet with fourth flow identifier is received from the network appliance due to transmission of the third enriched packet with first flow identifier to the network appliance, the flow correlation is done by determining whether the first flow information corresponds to the fourth flow information); and
determine, based at least in part on whether validation of the fourth enriched packet succeeded, whether to route the fourth enriched packet to the second computing device (e.g. Kumar: aforesaid routing the second enriched packet to the second computing device based on validation of the second enriched packet. Note that instead of second enriched packet, the fourth enriched packet is considered in this claim).

Regarding claim 14, The system of claim 5, wherein execution of the computer-executable instructions causes the one or more computing devices to transmit the second enriched packet to the second computing device when validation of the second enriched packet succeeds (e.g. Kumar: aforesaid routing the second enriched packet to the second computing device based on validation of the second enriched packet).

Regarding claim 19, The method of claim 15 further comprising transmitting the second enriched packet to the second computing device based at least in part on the validation of the second enriched packet succeeding (e.g. Note that this claim is similar to claim 14 except that it is a method claim and thus the same reasoning as applied to claim 14 applies here as well).

Regarding claim 16, The method of claim 15, wherein obtaining the first flow identifier comprises at least:
generating a new flow identifier (e.g. Kumar: NSH module 44 may generate cookie 24 associated with the flow of the packet” [0059], which generating comprises generating a new flow identifier. Note that there are multiple options in the claim and only this option is considered here)

Claim(s) 2, 3, 13 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claim 1, 5 and 15 above, and further in view of Kuo (US 20140341030 A1, Kuo hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 2, The system of claim 1, the stateful network routing service further configured to:
receive a third enriched packet from the network appliance, wherein the third enriched packet includes a third flow identifier and third flow information (e.g. Note that just like second enriched packet which is received from the network appliance, the third enriched packet must also include a flow identifier and a flow information, which flow identifier is considered as the third flow identifier and the flow information is considered as the third flow information); 
determine, based at least in part on the third flow identifier not matching the first flow identifier, that an error has occurred in the flow of network traffic; (e.g. Kumar: aforesaid correlation is associated with third flow identifier matching the first flow identifier. Thus, when the third flow identifier does not match the first flow identifier, it is considered as the occurrence of an error).

It is noted that while disclosing the third enriched packet, Brandwine in view of Kumar is silent about drop the third enriched packet based at least in part on determining that the error has occurred in the flow of network traffic, which however had been known in the art before the effective filing date of the claimed invention as shown by Kuo in a disclosure “PACKET SWITCH DEVICE AND METHOD OF THE SAME“ (Title), wherein “if the packet 11 does not match any of the flow entries of any of the flow tables, which is a mismatch condition, ……the packet 11 is directly dropped” [0042], which packet 11 is considered as the third enriched packet, flow table comprises flow identifier and flow information, and aforesaid packet 11 does not match any of the flow entries of any of the flow tables is associated with no correlation or an error has occurred in the flow of network traffic. 

Therefore, it would have been obvious to one of ordinary skill in the art to combine Brandwine in view of Kumar’s method of determining the occurrence of an error to Kuo’s method of dropping the packet so that only valid packets are forwarded and invalid packets are dropped.

Brandwine in view of Kumar and Kuo discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 3,  The system of claim 1, further comprising: 
a third network environment, wherein the third network environment is associated with a second customer (e.g. Fig. 1, customer home network 116 is considered as the third network environment associated with a second customer); and 
the stateful network routing service (e.g. aforesaid stateful network routing service) further configured to: 
receive a third enriched packet from the network appliance, wherein the third enriched packet includes a third flow identifier and third flow information (e.g. aforesaid receiving enriched packet including flow identifier and flow information from the network appliance, wherein for the third network environment the received enriched packet is a third enriched packet including third flow identifier and third flow information), wherein the third flow information identifies a flow of network traffic between the third network environment and a fourth network environment (e.g. Fig. 1, a network connected to the internet 114 is considered as the fourth network environment. Thus, the third flow information is for a flow of network traffic between the customer network 116 and the internet), 
determine, based at least in part on the third flow identifier matching the first flow identifier and the third flow information not corresponding to the first flow information, that an error has occurred (e.g. Kumar: Note that since the third flow identifier matches the first flow identifier and the third flow information does not match the first flow information there is no correlation of flow and is considered as occurrence of an error), and 
drop the third enriched packet based at least in part on determining that the error has occurred (e.g. Kuo: aforesaid dropping packet when there is an error).

Regarding claim 13, The system of claim 5, wherein execution of the computer-executable instructions further causes the one or more computing devices to:
receive a third packet from the first computing device, the third packet corresponding to the flow of network traffic between the first computing device and the second computing device, wherein the third packet includes the first flow information (e.g. Kumar: “packets belonging to a specific flow are processed according to a specific service chain” [0019], which flow is considered as the first flow of network traffic between the first computing device and the second computing device. The third packet is a packet of the first flow with first flow information, wherein a sequence of packets comprise flows);
obtain the first flow identifier (e.g. Kumar: aforesaid obtaining a first flow identifier for the first flow information);
add the first flow identifier to the third packet to generate a third enriched packet (e.g. Kumar: aforesaid adding the flow identifier to the packet to generate an enriched packet. Note that for the third packet, the first flow identifier is added to generate a third enriched packet);
transmit the third enriched packet to the network appliance (e.g. Kumar: aforesaid transmitting the enriched packet to the network appliance and for this scenario the third enriched packet is transmitted to the network appliance);
receive a fourth enriched packet from the network appliance, wherein the fourth enriched packet includes a fourth flow identifier and fourth flow information (e.g. Kumar: aforesaid receiving an enriched packet with a flow identifier and flow information from the network appliance, which enriched packet is the fourth enriched packet with a fourth flow identifier and fourth flow information);
determining, based at least in part on the fourth flow identifier not matching the first flow identifier, that an error has occurred (e.g. Kumar: Note that since the fourth flow identifier of the fourth enriched packet does not match the first flow identifier of the third enriched packet, there is no correlation of flow and is considered as occurrence of an error); and
drop the fourth enriched packet (e.g. Kuo: aforesaid dropping the packet).

Regarding claim 18, The method of claim 15 further comprising:
receiving a third packet from the first computing device, the third packet corresponding to the flow of network traffic between the first computing device and the second computing device, wherein the third packet includes the first flow information;
obtaining the first flow identifier;
adding the first flow identifier to the third packet to generate a third enriched packet;
transmitting the third enriched packet to the network appliance;
receiving a fourth enriched packet from the network appliance, wherein the fourth enriched packet includes a fourth flow identifier and fourth flow information
determining, based at least in part on the fourth flow identifier not matching the first flow identifier, that an error has occurred and 
dropping the fourth enriched packet (e.g. Note that this claim is similar to claim 13 except that it is a method claim and thus the same reasoning as applied to claim 13 applies here as well).

Claim(s)  4, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claims 1, 5 and 15 above, and further in view of Menon et. al (US 20170346726 A1, Menon hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 4, The system of claim 1, the stateful network routing service further configured to: 
determine that the flow of network traffic between the first network environment and the second network environment has been discontinued (e.g. Note that when receiving packet associated with aforesaid flow of network traffic from the first network environment to the second network environment stops, it is determined that the flow of network traffic has been discontinued).

It is noted that while disclosing packet flow, Brandwine in view of Kumar is silent about remove the first flow identifier from a data store, which however had been known in the art before the effective filing date of the claimed invention as shown by Menon in a disclosure “Flow Modification Including Shared Context” (Title), wherein “For each session, the session manager assigns a unique identifier. …... This unique identifier is associated with the session. The session manager 1908 stores information about the session in an information base 1910” [0189], which session is considered as a flow and unique identifier associated with the session is considered as the first flow identifier. Moreover, “A last packet identifier 1920 statefully follows each session, so as to identify an end of each stream, as discussed above. As noted, in some cases, the end is signified by a final packet, such as a TCP packet with the RST flag set or a TCP ACK packet in return to a TCP packet with the FIN flag set. In other cases, the end may be signified by a timer expiring. When the end of a session is detected, the packet series manager 1908 disassociates the unique identifier from the session and deletes information about the session from the waypoint information base 2000” [0199], which information base is considered as a flow identifier data store and the information about the session comprises the first flow identifier.
Therefore, it would have been obvious to one of ordinary skill in the art to combine Menon’s method of removing the first flow identifier from a data store to Brandwine in view of Kumar’s method of transmitting the packet so that the data store is used efficiently.

Brandwine in view of Kumar and Menon further discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine): 

Regarding claim 11, The system of claim 5, wherein execution of the computer- executable instructions further causes the one or more computing devices to:
determine that the flow of network traffic been discontinued; and 
remove the first flow identifier from a flow identifier data store (e.g. Note that this claim is similar to claim 4 except that it is a computer readable instructions claim and thus the same reasoning as applied to claim 4 applies here as well).

Regarding claim 17, The method of claim 15 further comprising:
determining that the flow of network traffic between the first computing device and the second computing device has been discontinued; and
removing the first flow identifier from a data store (e.g. Note that this claim is similar to claim 4 except that it is a method claim and thus the same reasoning as applied to claim 4 applies here as well).

Claim(s) 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claim 5 above, and further in view of Frolund et. al (US 9047306 B1, Frolund hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 7, The system of claim 5, wherein the first flow identifier is stored in a data store (e.g. Note that aforesaid data store must be storing the first flow identifier so that it can be obtained to perform the matching operation), and wherein the one or more computing devices are configured to obtain the first flow identifier from the data store.

It is noted that while disclosing packet, Brandwine in view of Kumar is silent about stored in a primary data store and a secondary data store, and wherein the one or more computing devices are configured to obtain the first flow identifier from the secondary data store when the primary data store is unavailable, which however had been known in the art before the effective filing date of the claimed invention as shown by Frolund in a disclosure “Method Of Writing Data” (Title), wherein “If the most recent version of the data is unavailable from the primary storage devices, the recover procedure obtains the most recent version from the secondary storage”, which most recent version of data is considered as the first flow identifier.
Therefore, it would have been obvious to one of ordinary skill in the art to combine Frolund’s method of using a primary and a secondary data store to Brandwine in view of Kumar’s data store so that “better scalability” is provided, col. 1 line 32.

Claim(s) 8 and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claim 5 above, and further in view Kuo (US 20140341030 A1, Kuo hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 8, The system of claim 5, wherein execution of the computer- executable instructions further causes the one or more computing devices to:
compare the first flow information with the second flow information (e.g. Kumar: aforesaid comparison of first flow information of first enriched packet with the second flow information of second enriched packet); and
determine the first flow identifier for the first flow information (e.g. Kumar: the first flow identifier is determined from aforesaid first enriched packet);
wherein obtaining the first flow identifier comprises generating the first flow identifier based at least in part on the flow of network traffic (e.g. Kumar: aforesaid generating the first flow identifier for first flow information, which first flow information is associated with the flow of network traffic).

It is noted that while disclosing the first flow identifier, Brandwine in view of Kumar is silent about compare the first flow information with a plurality of flow information; and determine that the first flow identifier has not been previously generated for the first flow information based at least on comparing the first flow information with the plurality of flow information, which however had been known in the art before the effective filing date of the claimed invention as shown by Kuo in a disclosure “PACKET SWITCH DEVICE AND METHOD OF THE SAME “, wherein “In an embodiment, if the packet 11 does not match any of the flow entries of any of the flow tables, which is a mismatch condition, ……the packet 11 is directly dropped” [0042], which matching is comparing, flow entries of the tables comprise flow identifier and flow information, packet 11 is associated with first flow information and flow entries of flow tables are associated with a plurality of flow information. Note that since the flow identifier is associated with flow information, when there is no first flow information, there is no first flow identifier generated. 
Therefore, it would have been obvious to one of ordinary skill in the art to combine Brandwine in view of Kumar’s method of determining a first flow identifier to Kuo’s method of comparing with a plurality of flow tables so that only valid packets are forwarded.

Brandwine in view of Kumar and Kuo discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 9, The system of claim 5, wherein execution of the computer- executable instructions further causes the one or more computing devices to:
compare the first flow information with a plurality of flow information (e.g. Kuo: aforesaid comparing the first flow information with a plurality of flow information); and
determine that the first flow identifier has been previously generated for the first flow information based at least on comparing the first flow information with the plurality of flow information (e.g. this is the scenario when the packet 11 matches any of the flow entries of the flow tables);
wherein obtaining the first flow identifier comprises obtaining the first flow identifier from a flow identifier data store (e.g. Note that the first flow identifier must be stored in a data store or flow table to perform aforesaid matching operation, which data store is considered as the flow identifier data store).

Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claim 5 above, and further in view of Lee et. al (US 20200252239 A1, Lee hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 10, The system of claim 5, wherein the first flow identifier comprises a flow identifier (e.g. aforesaid flow identifier).

It is noted that while disclosing a first flow identifier, Brandwine in view of Kumar is silent about first flow identifier comprises one or more randomly assigned numbers, which however had been known in the art before the effective filing date of the claimed invention as shown by Lee in a disclosure “MANAGING NETWORK PACKET FLOWS BASED ON DEVICE INFORMATION”, wherein “The packet flow identifier may be generated by any suitable mechanism. In one implementation, the flow identifier may be a random number generated, for example, by a random number generator or the like” [0038], which random number generator is associated with randomly assigned numbers. 

Therefore, it would have been obvious to one of ordinary skill in the art to modify Brandwine in view of Kumar’s method of generating a flow identifier to Lee’s method of using a random number generator so that the flow identifiers are random and cannot be guessed, thus improving security of the network.

Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brandwine in view of Kumar as applied to claim 5 above, and further in view of Lee et. al (US 20140337500 A1, Lee2 hereinafter).

Brandwine in view of Kumar discloses the following (e.g. Note: unless mentioned otherwise references made below draw to Brandwine):

Regarding claim 12, The system of claim 5, wherein the system is a system. 

It is noted that while disclosing a system, Brandwine in view of Kumar is silent about the system is a multi-tenant system, which however had been known in the art before the effective filing date of the claimed invention as shown by Lee2 in a disclosure “SECURE CLOUD FABRIC TO CONNECT SUBNETS IN DIFFERENT NETWORK DOMAINS” (Title), wherein “The security module creates a peripheral firewall system in a multi-tenant cloud computing environment” [0259].

Therefore, it would have been obvious to one of ordinary skill in the art to modify Brandwine in view of Kumar’s system to Lee2’s system of using a multi-tenant system so that “secure communications between two or more network domains” can be provided [0009].

Allowable Subject Matter
Claim 20 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMITRA GANGULY whose telephone number is (571)272-0813. The examiner can normally be reached 10 a.m to 6 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached on 571 272 3123. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SUMITRA GANGULY/Examiner, Art Unit 2411           
/DERRICK W FERRIS/Supervisory Patent Examiner, Art Unit 2411