DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 05/25/2022, 09/07/2021 and 12/14/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 14, 21-24 and 31-33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Xiong et al., US- 20200351254-A1 (hereinafter “Xiong ‘254”) in view of Pan, US-20170374025-A1 (hereinafter “Pan ‘025”) and Liu et al., US-20120303949-A1 (hereinafter “Liu ‘949”).
Per claim 14 (independent):
Xiong ‘254 discloses: A method of configuring a first computing device to assign different processing units to use different encryption-secured tunnels to transmit data messages requiring encryption, the method comprising;
 (FIG. 1, [0023], The local networks 102 of the cloud tenant … may access the virtual private cloud network 107 of the cloud tenant via an distributed IPSec gateway 106 (a first computing device) of the cloud provider, so that an IPSec tunnel (an encryption-secured tunnel) may be established between the local network 102 of the cloud tenant and the virtual private cloud network 107 of the cloud tenant for VPN connection; [0024], In the data plane 109 (inside a first computing device), a plurality of GPNs (Gateway Processing Node) 110 (different processing units) are provided, and each GPN may be run by a VM (Virtual Machine) 111 to process data packets of incoming ESP/AH traffic and/or data packets of outgoing IP traffic of at least one IPSec tunnel; FIG. 5, [0114], The GMN 113 may be configured to generate IPsec SAs of a plurality of IPSec tunnels (different encryption-secured tunnels), and send them to the GPN 110 … and steer the incoming ESP/AH traffic and/or outgoing IP traffic between the plurality of GPNs 110 (to which different IPSec tunnels are established).);
wherein the network address rule table and the custom routing lookup table are used to select an encryption-based tunnel to transmit a data message requiring encryption ([0044], (2) traffic steering is made on a plurality of GPNs 110 of the data plane 109; [0045], the GMN 113 may generate traffic steering rules (the custom routing lookup table) … so as to achieve the traffic steering. More particularly, the traffic steering rules may include incoming ESP/AH traffic steering rules and/or outgoing IP traffic steering rules (for different encryption-secured tunnels); [0049], the outgoing IP traffic steering rules (the custom routing lookup table) may include matching relationship between network information of Traffic Selectors and IP addresses of GPNs 110 … the network information (the network address rule table) of the Traffic Selectors may include some basic information which may identify network stream, and such information may be also used to determine the outgoing IP traffic may be transferred through which IPSec tunnel, and may include, for example, quintuple information of data packet: source IP address, destination IP address, source port, destination port, and protocol type; [0099], The gateway input node 114 and the gateway output node 115 may send traffic steering rules to GMN 113, amend (for the custom routing) destination IP address of the received data packet to the IP address of corresponding GPN 110).

Xiong ‘254 does not disclose but Pan ‘025 discloses: associating a virtual tunnel interface (VTI) to each of a plurality of encryption-secured tunnels between a set of interfaces of first and second computers;
assigning a private network address to each VTI
 (FIG. 3A, [0047], a network device 1 304 (e.g., a virtual private network (VPN) gateway; a first computer) can create an IPsec interface 1 (a VTI) and associate therewith a static IP address (e.g., 192.10.11.08; a private network address) to enable a secure IP connection between network device 1 304 (on behalf of any source device 302a-n) and network device 2 306 (a second computer); [0050], Similarly, for another pair of communicating devices whose traffic needs to be routed through network device 3 308 (another second computer), an IPsec interface 2 (another VTI) with a static IP address (e.g., 168.10.00.45; another private network address) can be created between the network device 1 304 and network device 3 308.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 with the binding each IPSec interface to each corresponding IPSec tunnel by assigning IP addresses to the IPSec interfaces in order to connect a network device with a remote network device per communication requests as taught by Pan ‘025 because a network device would dynamically create additional IP tunnels and bind the created IPsec tunnels with the IPsec interfaces in response to receiving a packet when no corresponding tunnel exists for the received packet specifying a certain destination IP address [0051]. Additionally, Pan ‘025 is analogous to the claimed invention because it teaches functional modules for IPsec interface configuration and management [FIG. 2].
Pan’025 further discloses: for each processing unit, (2) creating a custom routing lookup table that identifies the private network address of at least one VTI as a next hop for a data message matching the network-address-based rule that points to the custom routing lookup table (FIG. 3B, [0052], a network device 354 (e.g., a VPN gateway; a processing unit) can create a single virtual interface with a static IP address (the private network address) to enable LAN devices 352a-c to communicate with destination devices 358a-c … For example, a secure connection can be created between a source device 358a-358c and a destination device 352a-c that is routed through network device 354 and a next hop network device (not shown) (one VTI as a next hop), by creating a new IPsec tunnel (to which another static IP address would be assigned as FIG. 3B), which can be bound to the virtual IPsec interface; FIG. 5, [0056], network devices can be configured to store an IPsec management table (creating a custom routing lookup table) … table 502 (the custom routing lookup table) that can store a mapping between source address 504, IPsec interface 506 (that identifies the private network address), and IPsec tunnel 508. In an exemplary aspect, IPsec management table 502 can be updated (for the custom routing) when a new IPsec interface is created, or when a new IPsec tunnel is created/ discarded; [0057], When a packet (data message) … be sent by a client device, an appropriate IPsec interface can be chosen through routing lookup (based on the custom routing lookup table), and from the chosen IPsec interfaces' tunnel list, SA/tunnel created for the client device communication can be selected based on the destination address of a packet (matching the network-address-based rule that points to the custom routing lookup table). Packets can be encrypted using negotiated SA, and sent out over the IPsec tunnel; It would be obvious to think that the table includes all network devices (even the next hop network device) associated with a certain packet route.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 with the mapping between device addresses and a set of IPSec interfaces and a set of IPSec tunnels via the IPSec management table for routing packets as taught by Pan ‘025 because it would efficiently manage network resources by creating and/or biding IPSec interfaces if necessary after going through routing lookup. 

Xiong ‘254 in view of Pan ‘025 does not disclose but Liu ‘949 discloses: (1) creating a rule for a desired encryption policy in a network address rule table that identifies a routing lookup table to use for data messages matching a network-address-based rule (FIG. 3, [0051], a packet transmission; [0052], 301: Determine whether a preset control policy (a network address rule) includes an IP address and a port number that are the same as a destination IP address and a destination port number (identifies a routing lookup table) of a packet to be sent; [0056], if a judgment result is no (not match), it indicates that the packet to be sent (data messages) is a packet of a public service. Because a packet of a public service does not need to be sent over SSL VPN, the packet may be directly sent (without encryption). In this case, the packet is sent without using the VPN tunnel. If the judgment result is yes (match), it indicates the packet to be sent is a packet of a protected service. As packets of protected services need to be transmitted over SSL VPN, the packet to be sent is encrypted (with encryption) and encapsulated a tunnel IP address before being sent by using the VPN tunnel.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 in view of Pan ‘025 with the turning on/off encryption for packets to be transferred based on the comparison of preset control policy to a routing lookup table as taught by Liu ‘949 because it would save network resources by encrypting only if the destination of packets is for a protected service [0056]. Additionally, Liu ‘949 is analogous to the claimed invention because it teaches the packet transmission method including SSL VPN [FIG. 3].

Per claim 21 (dependent on claim 14):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference.
Xiong ‘254 discloses: The method of claim 14, wherein the first computer implements a first gateway of a first network in a first datacenter (FIG. 1, [0023], a cloud network 101 (a first network) of a cloud provider (a first datacenter) and local networks 102 of a plurality of cloud tenants are included … The local networks 102 of the cloud tenant may access Internet 105 via an IPSec gateway 104 of the cloud tenant, and then may access the virtual private cloud network 107 of the cloud tenant via an distributed IPSec gateway 106 (a first gateway) of the cloud provider.).

Per claim 22 (dependent on claim 21):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 21 above, incorporated herein by reference.
Xiong ‘254 discloses: The method of claim 21, wherein the second computer implements a second gateway of a second network in a second datacenter (FIG. 1, [0023], a cloud network 101 of a cloud provider and local networks 102 (a second network) of a plurality of cloud tenants (a second datacenter) are included … The local networks 102 of the cloud tenant may access Internet 105 via an IPSec gateway 104 (a second gateway) of the cloud tenant, and then may access the virtual private cloud network 107 of the cloud tenant via an distributed IPSec gateway 106 of the cloud provider.).

Per claim 23 (dependent on claim 14):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference.
Xiong ‘254 discloses: The method of claim 14, wherein the tunnels are IPsec (Internet protocol security) tunnels (FIG. 1, [0023], The local networks 102 of the cloud tenant … may access the virtual private cloud network 107 of the cloud tenant via an distributed IPSec gateway 106 of the cloud provider, so that an IPSec tunnel (an encryption-secured tunnel) may be established between the local network 102 of the cloud tenant and the virtual private cloud network 107 of the cloud tenant for VPN connection).

Per claim 24 (independent):
The limitations of the claim(s) correspond(s) to features of claim 14 and the claim(s) is/are rejected for the reasons detailed with respect to claim 14.

Per claim 31 (dependent on claim 24):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 24 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 21 and the claim(s) is/are rejected for the reasons detailed with respect to claim 21.

Per claim 32 (dependent on claim 31):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 31 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 22 and the claim(s) is/are rejected for the reasons detailed with respect to claim 22.

Per claim 33 (dependent on claim 24):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 24 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 23 and the claim(s) is/are rejected for the reasons detailed with respect to claim 23.

Claim(s) 15-16 and 25-26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Xiong ‘254 in view of Pan ‘025 and Liu ‘949 as applied to claims 14 and 24 above, and further in view of WELIN et al., US-20160135074-A1 (hereinafter “WELIN ‘074”).
Per claim 15 (dependent on claim 14):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference.
Xiong ‘254 in view of Liu ‘949 does not disclose but Pan ‘025 discloses: The method of claim 14, wherein for each particular network-address-based rule, each processing unit identifies in its custom routing table a set of VTIs (FIG. 5, [0056], network devices (each processing unit) can be configured to store an IPsec management table (its custom routing lookup table) … table 502 (its custom routing lookup table) that can store a mapping between source address 504, IPsec interface 506 (a set of VTIs), and IPsec tunnel 508. In an exemplary aspect, IPsec management table 502 can be updated when a new IPsec interface is created, or when a new IPsec tunnel is created/ discarded; [0057], When a packet … be sent by a client device, an appropriate IPsec interface can be chosen through routing lookup, and from the chosen IPsec interfaces' tunnel list, SA/tunnel created for the client device communication can be selected based on the destination address of a packet (matching each particular network-address-based rule). Packets can be encrypted using negotiated SA, and sent out over the IPsec tunnel.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 in view of Liu ‘949 with the mapping between device addresses and a set of IPSec interface and a set of IPSec tunnel via the IPSec management table for routing packets as taught by Pan ‘025 because it would efficiently manage network resources by creating and/or biding IPSec interfaces if necessary after going through routing lookup. 

Xiong ‘254 in view of Pan ‘025 and Liu ‘949 does not disclose but WELIN ‘074 discloses: each processing unit identifies in its custom routing table a different, non-overlapping set of routing paths ([0140], If a hash code is calculated (by the node 50 in FIG. 2, i.e. each processing unit) based on the 5 tuple and access technology code and the hash identifier code. As the hash identifier codes in different IPsec tunnels are not the same, this will result in different hash codes from the hash code calculation in the hash function 54. Different hash codes indicate different routing paths (a different and non-overlapping set of routing paths) in the routing table 54: RT, which will have the result that IPsec tunnels comprising data packet flows of the same access technology are scheduled and routed on different routing paths.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 in view of Pan ‘025 and Liu ‘949 with the generation of different routing paths including IPsec tunnels based on the hash code calculated by the 5 tuple and access technology as taught by WELIN ‘074 because it would enhance the scheduling and routing of data packets by adaptively identifying the QoS class and the access technology according to different path routes to a destination address [0046][0120]. Additionally, WELIN ‘074 is analogous to the claimed invention because it teaches a method for controlling data packet flows, e.g. scheduling and routing or switching of IP data packets, based on AT index information [0110].

Per claim 16 (dependent on claim 15):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 and WELIN ‘074 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference.
Xiong ‘254 in view of Liu ‘949 and WELIN ‘074 does not disclose but Pan ‘025 discloses: The method of claim 15, wherein selecting an encryption-based tunnel to transmit the data message requiring encryption is based on the VTI identified using the custom routing lookup table (FIG. 5, [0056], network devices can be configured to store an IPsec management table (the custom routing lookup table) … table 502 (the custom routing lookup table) that can store a mapping between source address 504, IPsec interface 506 (the VTI), and IPsec tunnel 508 (an encryption-based tunnel). In an exemplary aspect, IPsec management table 502 can be updated when a new IPsec interface is created, or when a new IPsec tunnel is created/ discarded; [0057], When a packet … be sent by a client device, an appropriate IPsec interface can be chosen through routing lookup, and from the chosen IPsec interfaces' tunnel list, SA/tunnel created for the client device communication can be selected based on the destination address of a packet. Packets can be encrypted (the data message requiring encryption) using negotiated SA, and sent out over the IPsec tunnel.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Xiong ‘254 in view of Liu ‘949 and WELIN ‘074 with the mapping between device addresses and a set of IPSec interface and a set of IPSec tunnel via the IPSec management table for routing packets requiring encryption as taught by Pan ‘025 because it would efficiently manage network resources by creating and/or biding IPSec interfaces if necessary after going through routing lookup. 

Per claim 25 (dependent on claim 24):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 discloses the elements detailed in the rejection of claim 24 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 15 and the claim(s) is/are rejected for the reasons detailed with respect to claim 15.

Per claim 26 (dependent on claim 25):
Xiong ‘254 in view of Pan ‘025 and Liu ‘949 and WELIN ‘074 discloses the elements detailed in the rejection of claim 25 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 16 and the claim(s) is/are rejected for the reasons detailed with respect to claim 16.

Allowable Subject Matter
Claim(s) 17-20 and 27-30 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332. The examiner can normally be reached Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA can be reached on (571)272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SANGSEOK PARK/Examiner, Art Unit 2499                                                                                                                                                                                                        /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499