Prosecution Insights
Last updated: April 19, 2026
Application No. 18/230,695

DATA-PLANE APPROACH FOR POLICY CONFIGURATION

Status: Non-Final OA (§103)
Filed: Aug 07, 2023
Examiner: TRAN, JIMMY H
Art Unit: 2451
Tech Center: 2400 (Computer Networks)
Assignee: VMware, Inc.
OA Round: 3 (Non-Final)

Grant Probability: 79% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 2y 10m
With Interview: 96%

Examiner Intelligence

Career Allow Rate: 79% (547 granted / 689 resolved; +21.4% vs TC avg; above average)
Interview Lift: +17.0% (resolved cases with interview vs. without)
Avg Prosecution: 2y 10m
Currently Pending: 27
Total Applications: 716 across all art units

Statute-Specific Performance (vs. Tech Center average estimate)

§101: 15.7% (-24.3% vs TC avg)
§103: 48.8% (+8.8% vs TC avg)
§102: 11.4% (-28.6% vs TC avg)
§112: 13.0% (-27.0% vs TC avg)
Based on career data from 689 resolved cases.

Office Action

§103
DETAILED ACTION

This action is in response to communication filed on 12/13/2025. Claims 1-21 are pending. Claims 1, 8, and 15 have been amended.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/13/2025 has been entered.

Response to Arguments

Applicant's arguments, see pages 11-13, filed 12/13/2025, with respect to the rejection(s) of claim(s) 1, 8, and 15 under 35 USC § 2 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Ball (US 2023/0146525) in view of Guilford et al. (US 2022/0417035).

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 7-10, 14-17 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Ball (US 2023/0146525) in view of Guilford et al. (US 2022/0417035).

Regarding claim 1, Guilford discloses a method comprising: detecting, by a first computer system, one or more first data-plane packets for establishing a connection between (a) a first virtualized computing instance supported by the first computer system and (b) a second computer system from which a resource is accessible (Ball discloses a first computer system (e.g., computer device 12A with hypervisor 31) that supports virtualized computer instances (e.g., VMs 15 as VCIs) and detects, via a virtual node in its kernel, initial data-plane packets from its locally supported VCI for establishing a new packet flow (connection) to a remote second computer system (e.g., remote destination device hosting a resource like a database or web server). The detection involves examining packet information to determine if it's a new flow; see [0045] "computing device 12A may host VM0 15 that provides an execution environment for an application workload. The application workload may originate a packet, e.g., packet 26, to be sent to a remote destination device (e.g., customers 11 or a remote computing device hosted in one of data centers 10B-10X in FIG. 1). Virtual node 13A running in a kernel of computing device 12A may receive packet 26 from the application workload and examine the information in packet 26 (e.g., 5-tuple and zone) to identify whether packet 26 belongs to an existing packet flow. For example, a virtual node 13A may perform a lookup of flow information (e.g., from a flow table) to determine whether keying information within packet 26 matches an entry within the flow information of NFT.sub.0 32"); extracting, by the first computer system and from the one or more first data-plane packets, parameter information associated with the connection (Ball discloses the first computer system (computing device 12A) extracting parameter information (e.g., 5-tuple including source/destination addresses/ports/protocol, plus zone) from the initial data-plane packet received from its supported VCI, where this information is associated with the connection (packet flow) and used for flow identification and policy setup; see [0045] "Virtual node 13A running in a kernel of computing device 12A may receive packet 26 from the application workload and examine the information in packet 26 (e.g., 5-tuple and zone) to identify whether packet 26 belongs to an existing packet flow. For example, a virtual node 13A may perform a lookup of flow information (e.g., from a flow table) to determine whether keying information within packet 26 matches an entry within the flow information of NFT.sub.0 32"); based on the parameter information extracted from the one or more first data-plane packets, configuring, by the first computer system, a policy (Ball discloses configuring, by the first computer system (computing device 12A via kernel), a policy (e.g., flow action for forwarding, NAT, or firewall) based on the extracted parameters (e.g., 5-tuples, zone, L3 address) from the initial packet, where the policy controls access (e.g., allow/block forwarding) to the resource on the second system or in reverse flows; see [0046] "The kernel of computing device 12A may configure a flow action of the policy for the forward packet flow to forward packets originating from the application workload running on VM0 15. The kernel may also perform a lookup of the forwarding information in NFT.sub.0 32 with an L3 address (e.g., destination IP address) of packet 26, e.g., either with an exact match or a longest prefix match (LPM), to determine the next hop and configures the next hop for the forward packet flow as an entry within the flow information. In some examples, the kernel of computing device 12A may configure other policies to be applied to the forward packet flow, such as NAT, firewall, or other policies"); and in response to detecting a second data-plane packet to access the resource, applying the policy to allow or block forwarding of the second data-plane packet towards the second computer system, wherein the second data-plane packet originates from (a) the first virtualized computing instance or (b) a second virtualized computing instance supported by the first computer system (Ball discloses detecting subsequent packets (second data-plane packets) from the same or another local VCI supported by the first computer system (e.g., other VMs on device 12A), and applying the configured policy to allow or block forwarding toward the second system (e.g., via flow actions in fast-path processing); see [0060] "virtual node forwarding plane 328 attempts to match packets processed by routing instance 322A to one of the flow table entries of flow table 326A. If a matching flow table entry exists for a given packet, virtual node forwarding plane 328 applies the flow actions specified in a policy to the packet. This may be referred to as 'fast-path' packet processing").

However, the prior art does not explicitly disclose configuring a policy that is applicable for access control of the resource. Guilford, in the same field of endeavor, discloses techniques for determining network configurations through machine logic from security certificates of destination computer devices in the network. In particular, Guilford teaches the following: configuring a policy that is applicable for access control of the resource (Guilford discloses the access control aspect by configuring rules based on extracted certificate parameters for allow/block decisions; see [0012] "the security component then configures a set of network rules for forwarding data packets to the destination computer device based on information in the security certificate of the destination computer device. Properties of the incoming data packet are compared to the set of network rules to determine whether to forward the incoming data packet to the destination computer"). Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify the prior art with the teaching of Guilford to incorporate techniques for determining network configurations through machine logic from security certificates of destination computer devices in the network. One would have been motivated because Guilford would enhance security by enabling dynamic, certificate-based firewall policies in a virtual environment, yielding the predictable results of automated resource protection.

Regarding claim 2, Ball-Guilford discloses the method of claim 1, wherein extracting the parameter information comprises: performing verification of the parameter information in the form of a digital certificate that is issued by a certificate authority, wherein the digital certificate is extractable from a particular first data-plane packet from the second computer system (see Guilford; [0060, 0063]; the allow list can be trusted as being legitimate and non-tampered with because certificates require signing by a trusted authoritative server, and therefore the content of the certificate can be trusted. Further, diagram 400 of FIG. 4 is a block diagram showing an example embodiment according to the present invention, where server A 402 attempts to connect to server B 408 through firewall 404, which will allow the connection if server A 402 attempts to connect through either port 80 or 443 and has an IP address of 1.2.3.4/32, as required by certificate 406, which includes the allowed connections list. When server A 402 attempts to initiate the connection to server B 408 through firewall 404, firewall 404 checks the certificate of server B 408, shown as certificate 406, for an allowed connection list including the allowed ports and incoming IP addresses).

Regarding claim 3, Ball-Guilford discloses the method of claim 2, wherein configuring the policy comprises: configuring the policy based on at least one extensions field of the digital certificate, wherein the extensions field specifies an access control list associated with the resource (see Guilford; [0060]; each server has its own x509 certificate for TLS; (x) included on the certificate in an extension field will be protocol and TCP/UDP port, (such as 80 or 443) and optional source address and mask as well as optional destination address and mask).

Regarding claim 7, Ball-Guilford discloses the method of claim 1, wherein detecting the one or more first data-plane packets comprises: detecting the one or more first data-plane packets associated with a secure connection establishment process based on at least one of the following protocols: transport layer security (TLS) protocol and secure socket layer (SSL) protocol (see Guilford; [0056]; there may be another computer network rule that stipulates packets with an SSL protocol can be received on destination port 13 from any source address. Or another example computer network rule that stipulates packets with TLS protocols from source addresses 4.3.2.1. and 6.7.8.9. are allowed on ports 55 through 75).

Regarding claims 8-10, 14, 15-17, and 21, these claims do not teach or further define over the limitations in claims 1-3 and 7 respectively. Therefore claims 8-10, 14, 15-17, and 21 are rejected for the same rationale of rejection as set forth in claims 1-3 and 7 respectively.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ball (US 2023/0146525) in view of Guilford et al. (US 2022/0417035) in view of Behm et al. (US 2018/0026797).

Regarding claim 4, Ball-Guilford discloses the invention substantially; however, the prior art does not explicitly disclose the method of claim 2, wherein the method further comprises: generating and storing a cache entry associating the policy with a thumbprint of the digital certificate, wherein the cache entry is subsequently accessible to determine whether the policy has been configured. Behm, in the same field of endeavor, discloses techniques for cryptographically protecting a client communication session by determining information usable to distinguish the session from other sessions. In particular, Behm teaches the following: generating and storing a cache entry associating the policy with a thumbprint of the digital certificate, wherein the cache entry is subsequently accessible to determine whether the policy has been configured (see Behm; [0066]; a fingerprint of the certificate that was received may be searched for in the cache and existence of the fingerprint in the cache may indicate that the authenticity of the certificate has been previously verified). Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify the prior art with the teaching of Behm to incorporate techniques for cryptographically protecting a client communication session. One would have been motivated because Behm's techniques allow the prior art to determine that a certificate health request response was both valid and had a valid digital signature, and to cache the response or information derived from and/or otherwise associated with the response. In this manner, the information may be used later such as when future encrypted communications sessions with the same server are established (see Behm; [0065]).

Regarding claims 11 and 18, these claims do not teach or further define over the limitations in claim 4. Therefore claims 11 and 18 are rejected for the same rationale of rejection as set forth in claim 4.

Claims 5-6, 12-13, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ball (US 2023/0146525) in view of Guilford et al. (US 2022/0417035) in view of Patil et al. (US 2020/0236086).

Regarding claim 5, Ball-Guilford discloses the invention substantially; however, the prior art does not explicitly disclose the method of claim 1, wherein configuring the policy comprises: configuring the policy in the form of an identity firewall rule that is applicable by a firewall engine supported by the first computer system, wherein the identity firewall rule specifies at least one group of users that is permitted to access the resource. Patil, in the same field of endeavor, discloses techniques for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment. In particular, Patil teaches the following: configuring the policy in the form of an identity firewall rule that is applicable by a firewall engine supported by the first computer system, wherein the identity firewall rule specifies at least one group of users that is permitted to access the resource (see Patil; [0026]; FIG. 2 is a schematic diagram illustrating example score-based dynamic firewall rule enforcement 200 in SDN environment 100. According to mapping information (see 270), group=doctor includes members such as first user 191 (see 271) and second user 192 (see 272)). Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify the prior art with the teaching of Patil to incorporate techniques for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment. One would have been motivated because there is a risk that the user and associated VM may become rogue, which exposes other entities to malicious attacks, and Patil's disclosure would remedy these deficiencies (see Patil; [0002-0003]).

Regarding claim 6, Ball-Guilford-Patil discloses the method of claim 5, wherein applying the policy comprises: determining whether a first user associated with the first virtualized computing instance, or a second user associated with the second virtualized computing instance, is a member of the group specified by the identity firewall rule (see Patil; [0026]; a set of score-based firewall rules (see 280) may be configured for group=doctor such that they are applicable to both users 191-192. As used herein, the term "score" may refer generally to a measurable level of trust or reputation that may be used for firewall rule enforcement).

Regarding claims 12-13 and 19-20, these claims do not teach or further define over the limitations in claims 5-6 respectively. Therefore claims 12-13 and 19-20 are rejected for the same rationale of rejection as set forth in claims 5-6 respectively.

Conclusion

For the reasons above, claims 1-21 have been rejected and remain pending.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JIMMY H TRAN whose telephone number is (571)270-5638. The examiner can normally be reached Monday-Friday 9am-5pm PST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Chris Parry, can be reached at 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JIMMY H TRAN
Primary Examiner
Art Unit 2451
/JIMMY H TRAN/Primary Examiner, Art Unit 2451
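The mechanism the rejection maps onto Guilford (claims 2-3: an allowed-connection list carried in a certificate extension, turned into per-flow allow/block rules) and Behm (claim 4: a cache keyed by certificate thumbprint so the policy is configured once) is easier to reason about in running code. The block below is an example added for this page; it is not code from the application, from VMware, or from any of the cited references. The text encoding of the extension ("proto/port [from CIDR] [to CIDR]" entries separated by semicolons), the function and class names, and the certificate bytes are all hypothetical and constructed for the demonstration; only the SHA-256 thumbprint and the default-deny evaluation are standard practice.

```python
"""Certificate-derived access policy with a thumbprint-keyed cache.

Added illustration, not code from the application or the cited references.
Hypothetical assumptions: the ACL extension value is text of the form
"tcp/443 from 10.0.0.0/8 to 192.0.2.10/32; tcp/80 from 1.2.3.4/32";
the certificate is represented by constructed DER-like bytes.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    proto: str                               # "tcp" or "udp"
    port: int                                # destination port of the resource
    src: Optional[ipaddress.IPv4Network]     # allowed client prefix, None = any
    dst: Optional[ipaddress.IPv4Network]     # allowed server prefix, None = any


@dataclass
class Policy:
    thumbprint: str
    entries: Tuple[AclEntry, ...]


def thumbprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes. Any change to the certificate (re-issue or
    tampering) changes the key, so it can never hit a previously cached policy."""
    return hashlib.sha256(cert_der).hexdigest()


def parse_acl_extension(value: str) -> Tuple[AclEntry, ...]:
    """Parse the hypothetical ACL extension text. Raises ValueError on any
    malformed entry so the caller fails closed instead of installing a partial ACL."""
    entries: List[AclEntry] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        tokens = raw.split()
        proto, _, port_s = tokens[0].partition("/")
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in ACL entry: {raw!r}")
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in ACL entry: {raw!r}")
        src = dst = None
        rest = tokens[1:]
        while rest:
            kw = rest.pop(0)
            if kw == "from" and rest:
                src = ipaddress.IPv4Network(rest.pop(0), strict=True)
            elif kw == "to" and rest:
                dst = ipaddress.IPv4Network(rest.pop(0), strict=True)
            else:
                raise ValueError(f"unexpected token {kw!r} in ACL entry: {raw!r}")
        entries.append(AclEntry(proto, port, src, dst))
    if not entries:
        raise ValueError("empty ACL extension")
    return tuple(entries)


class PolicyCache:
    """Slow path parses the extension once per certificate; later connections
    from any VM on the same host look the policy up by thumbprint."""

    def __init__(self) -> None:
        self._by_thumbprint: Dict[str, Policy] = {}
        self.parses = 0  # number of slow-path configurations, for the demo

    def configure(self, cert_der: bytes, acl_ext: str) -> Policy:
        key = thumbprint(cert_der)
        policy = self._by_thumbprint.get(key)
        if policy is None:
            self.parses += 1
            policy = Policy(key, parse_acl_extension(acl_ext))
            self._by_thumbprint[key] = policy
        return policy


def configure_fail_closed(cache: PolicyCache, cert_der: bytes, acl_ext: str) -> Optional[Policy]:
    """A malformed extension yields no policy, so the firewall keeps blocking."""
    try:
        return cache.configure(cert_der, acl_ext)
    except ValueError:
        return None


def apply_policy(policy: Policy, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Return True (allow) if any ACL entry matches the flow; otherwise deny."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for e in policy.entries:
        if e.proto != proto.lower() or e.port != dst_port:
            continue
        if e.src is not None and s not in e.src:
            continue
        if e.dst is not None and d not in e.dst:
            continue
        return True
    return False


# Constructed demo input (hypothetical bytes, not a real certificate).
DEMO_CERT_DER = b"\x30\x82\x01\x00constructed-server-cert-bytes"
DEMO_ACL_EXT = "tcp/443 from 10.0.0.0/8 to 192.0.2.10/32; tcp/80 from 1.2.3.4/32"


def demo() -> dict:
    cache = PolicyCache()
    policy = cache.configure(DEMO_CERT_DER, DEMO_ACL_EXT)
    cache.configure(DEMO_CERT_DER, DEMO_ACL_EXT)  # second VM, same server cert: cache hit
    return {
        "parses": cache.parses,
        "vm_a_https": apply_policy(policy, "tcp", "10.1.2.3", "192.0.2.10", 443),
        "vm_b_wrong_dst": apply_policy(policy, "tcp", "10.1.2.4", "192.0.2.11", 443),
        "outside_http": apply_policy(policy, "tcp", "1.2.3.4", "192.0.2.10", 80),
        "outside_https": apply_policy(policy, "tcp", "1.2.3.4", "192.0.2.10", 443),
        "udp_443": apply_policy(policy, "udp", "10.1.2.3", "192.0.2.10", 443),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the DER bytes would be taken from the server's TLS Certificate message seen in the first data-plane packets, the extension would be located by its OID, and the certificate's chain would be verified before the extension is trusted. The thumbprint cache is what lets a second VM on the same host reuse the policy without re-parsing, and a re-issued or altered certificate misses the cache by construction.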

Prosecution Timeline

Aug 07, 2023
Application Filed
Mar 20, 2025
Non-Final Rejection — §103
Jul 29, 2025
Response Filed
Sep 09, 2025
Final Rejection — §103
Dec 13, 2025
Request for Continued Examination
Dec 19, 2025
Response after Non-Final Action
Jan 23, 2026
Non-Final Rejection — §103 (current)

Precedent Cases (applications granted by this same examiner with similar technology)

Patent 12587469: AUTOMATIC APPLICATION-BASED MULTIPATH ROUTING FOR AN SD-WAN SERVICE (2y 5m to grant; granted Mar 24, 2026)
Patent 12568042: Application-Aware BGP Path Selection And Forwarding (2y 5m to grant; granted Mar 03, 2026)
Patent 12549391: SUBSCRIPTION-BASED MODEL WITH PROTECTION AGAINST BILLING AVOIDANCE (2y 5m to grant; granted Feb 10, 2026)
Patent 12542790: ACTION RESPONSE FRAMEWORK FOR DATA SECURITY INCIDENTS (2y 5m to grant; granted Feb 03, 2026)
Patent 12542765: REMOTE SERVER ISOLATION UTILIZING ZERO TRUST ARCHITECTURE (2y 5m to grant; granted Feb 03, 2026)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 79% (96% with interview, +17.0%)
Median Time to Grant: 2y 10m
PTA Risk: High
Based on 689 resolved cases by this examiner. Grant probability derived from career allow rate.
