DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This action is in response to communications filed on 10/15/2025.
Claims 1-20 have been examined and are rejected.
Priority
This application was filed 6/23/2023.
Response to Arguments
Applicant’s arguments filed in the communications above have been fully considered but are moot because the arguments do not apply to the combination of references being used in the current rejection.
For at least these reasons, applicant’s arguments are considered not persuasive.
Claim Rejections – 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rajagopal (US 2025/0224976 A1) in view of Mestery et al. (US 2023/0269217 A1) in view of McDowall et al. (US 2022/0353240 A1).
With regard to Claim 1, Rajagopal teaches:
A method for processing data packets in a virtualized computing network comprising a plurality of computing nodes hosting a plurality of virtual machines and hardware-based network interface devices configured to implement a network; (system 100 comprises a plurality of compute nodes 110A through 110N such as one or more containers or virtual machines, and a smart NIC management system 102 comprising a plurality of Smart NICs 114A through 114N (i.e. hardware-based network interface devices) [Rajagopal: 0020; 0025; 0028; Fig. 1]);
wherein at least some of the hardware-based network interface devices are configured to enable communications between the virtual machines within a user network of the virtualized computing network; (Smart NICs 114A through 114N can provide network interface services to multiple processors, multiple containers or to other network devices and can be instantiated as needed to support demand for network interface functionality, and can be part of a local area network, a wide area network or other network architectures [Rajagopal: 0020; 0024; Fig. 1]);
the method comprising:
receiving, by a hardware-based network device from a source outside of the virtualized computing network, an input data packet addressed to an endpoint hosted by a virtual machine of the user network; (the smart NIC interfaces with a public network and may receive inbound communications and utilize an address translation table to identify the container or other device or process that should receive the inbound data [Rajagopal: 0045-46]);
applying, by the hardware-based network device, a security function to the input data packet, wherein the security function is disaggregated from physical dependencies on a set of the computing nodes that are hosting the virtual machines of the user network and wherein the security function is disassociated from applications running on the set of the computing nodes; (the smart NICs 114A through 114N can independently process data packets associated with the application in a predetermined manner without needing to send the packets to the compute node (such as a container or virtual machine), such as for encryption/decryption processing, firewall processing, TCP/IP processing, HTTP processing or other suitable dedicated processing, wherein system 100 disaggregates the networking component (such as the smart NICs 114A through 114N) from a compute host (such as a server or compute node 110A through 110N) that is running an associated application [Rajagopal: 0025]);
and forwarding, by the hardware-based network device, the input data packet to the endpoint hosted by the virtual machine of the user network, thereby enabling the input data packet to be processed by the virtual machine without applying the security function at the virtual machine; (the smart NIC receives inbound communications and utilizes an address translation table to identify the container or other device or process that should receive the inbound data [Rajagopal: 0046], wherein once the smart network interfaces are assigned to an application virtual machine (VM), container or other suitable computing construct, the application can program the smart network interface to perform tasks specific to the data plane application as if the application and smart network interface were resident on the same compute server [Rajagopal: 0012]).
However, Rajagopal does not teach (where underlining indicates the portion of each limitation not taught):
hardware-based network interface devices configured to implement a software defined network (SDN);
wherein at least some of the hardware-based network interface devices are configured to enable communications between the virtual machines within a user network of the virtualized computing network in accordance with associated policies;
receiving, by a hardware-based network device via a cloud edge node from a source outside of the virtualized computing network, an input data packet addressed to an endpoint hosted by a virtual machine of the user network;
In a similar field of endeavor involving utilizing smartNICs to perform packet routing, Mestery discloses:
hardware-based network interface devices configured to implement a software defined network (SDN); (an SDN controller and a plurality of smart network interface cards (smartNICs) utilizing Access Control Lists (ACLs) to implement policy as defined by an administrator in a Software Defined Network (SDN) [Mestery: 0031; 0060; Fig. 1]);
wherein at least some of the hardware-based network interface devices are configured to enable communications between the virtual machines within a user network of the virtualized computing network in accordance with associated policies; (an SDN controller and a plurality of smart network interface cards (smartNICs) utilizing Access Control Lists (ACLs) to implement policy as defined by an administrator in a Software Defined Network (SDN) comprising a plurality of headend devices/components 112 such as virtual machines/containers [Mestery: 0031; 0036; 0060]);
receiving, by a hardware-based network device via a cloud edge node from a source outside of the virtualized computing network, an input data packet addressed to an endpoint hosted by a virtual machine of the user network; (SDN utilizes flow-to-address/port mapping to determine policy for the flow, wherein the system architecture comprises a cloud edge/enterprise edge 102 at which flows terminate, such as one or more reverse/forward proxy headends 112 [Mestery: 0031-36; Fig. 1]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Rajagopal in view of Mestery in order to utilize hardware-based network interface devices to enable communications from a cloud edge node in accordance with associated policies in a SDN in the system of Rajagopal.
One of ordinary skill in the art would have been motivated to combine Rajagopal with Mestery as doing so would allow centralized network management using an SDN controller.
However, Rajagopal-Mestery does not explicitly teach:
determining, by the hardware-based network device, that the input data packet is associated with the user network;
applying, by the hardware-based network device, one of the policies to the input data packet, the hardware-based network device configured to disaggregate enforcement of policies of the SDN from computing nodes that are hosting the virtual machines of the user network;
In a similar field of endeavor involving offloading to SmartNICs, McDowall discloses:
determining, by the hardware-based network device, that the input data packet is associated with the user network; (receiving a flow at a firewall of a security service, and inspecting the flow at the firewall to determine meta information associated with the flow [McDowall: 0033; 0087]);
applying, by the hardware-based network device, one of the policies to the input data packet, the hardware-based network device configured to disaggregate enforcement of policies of the SDN from computing nodes that are hosting the virtual machines of the user network; (offloading the flow to an offload entity based on the meta information associated with the flow (e.g., an application identification associated with the flow determined using deep packet inspection) and based on a policy (e.g., an offload policy) [McDowall: 0033; 0088]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Rajagopal-Mestery in view of McDowall in order to determine that the input data packet is associated with the user network and apply disaggregated enforcement of policies in the system of Rajagopal-Mestery.
One of ordinary skill in the art would have been motivated to combine Rajagopal-Mestery with McDowall as doing so would utilize flow policies for distributing/offloading traffic processing to different kinds of offload devices thereby improving network performance.
With regard to Claim 2, Rajagopal-Mestery-McDowall teaches:
The method of claim 1, wherein a plurality of the hardware-based network devices are physically distributed in the virtualized computing network and configured as a pooled resource; (smart NICs can be distributed across many servers [Rajagopal: 0010-11]).
With regard to Claim 3, Rajagopal-Mestery-McDowall teaches:
The method of claim 1, wherein a plurality of the security functions are executed in a plurality of the hardware-based network devices; (the smart NICs 114A through 114N can independently process data packets associated with the application, such as for encryption/decryption processing, firewall processing, TCP/IP processing, HTTP processing or other suitable dedicated processing [Rajagopal: 0025]).
With regard to Claim 4, Rajagopal-Mestery-McDowall teaches:
The method of claim 1, wherein the security functions comprise one or more of key exchange, TLS, SSL, or IPSec; (the smart NICs 114A through 114N can independently process data packets associated with the application, such as for encryption/decryption processing, firewall processing, TCP/IP processing, HTTP processing or other suitable dedicated processing [Rajagopal: 0025]. McDowall teaches types of network traffic that can be effectively offloaded include SSH, SSL, and IPSEC associated network traffic that is encrypted using these or other encrypted network protocols [McDowall: 0038]).
With regard to Claim 5, Rajagopal-Mestery-McDowall teaches:
The method of claim 1, wherein the hardware-based network device is a smart network interface card (sNIC); (smart NIC management system 102 comprising a plurality of Smart NICs 114A through 114N (i.e. hardware-based network interface devices) [Rajagopal: 0020; 0025; Fig. 1]).
With regard to Claim 6, Rajagopal-Mestery-McDowall teaches:
The method of claim 1, wherein the hardware-based network device is an appliance comprising a plurality of smart network interface cards (sNICs); (smart NIC management system 102 comprising a plurality of Smart NICs 114A through 114N (i.e. hardware-based network interface devices) which can be distributed across many servers and embedded in network appliances [Rajagopal: 0010; 0020; 0025; Fig. 1]).
With regard to Claim 7, Rajagopal-Mestery-McDowall teaches:
The method of claim 6, further comprising applying a plurality of security functions by the plurality of sNICs; (the smart NICs 114A through 114N can independently process data packets associated with the application, such as for encryption/decryption processing, firewall processing, TCP/IP processing, HTTP processing or other suitable dedicated processing [Rajagopal: 0025]).
With regard to Claims 8-20, they appear substantially similar to the limitations recited by claims 1-7 and consequently do not appear to teach or further define over the citations provided for said claims. Accordingly, claims 8-20 are rejected for the same reasons as set forth in claims 1-7.
Conclusion
Applicant’s amendment necessitated any new grounds of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Nainar et al. (US 2020/0278892 A1) which teaches a system for offloading a network processing task from a virtual network function (VNF) or cloud-native network function (CNF) to a remote smart NIC [0064].
In the case of amendments, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and support, for ascertaining the metes and bounds of the claimed invention.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN J MOREAU whose telephone number is (571) 272-5179. The examiner can normally be reached Monday-Friday 9:00 - 6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis, can be reached on 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUSTIN J MOREAU/Primary Examiner, Art Unit 2446