Prosecution Insights
Last updated: April 19, 2026
Application No. 18/622,431

Cross-Tenancy Resource Association For Container Orchestration System

Non-Final OA §103
Filed: Mar 29, 2024
Examiner: SHITAYEWOLDETSADI, BERHANU
Art Unit: 2455
Tech Center: 2400 — Computer Networks
Assignee: Oracle International Corporation
OA Round: 2 (Non-Final)
Grant Probability: 84% (Favorable)
OA Rounds: 2-3
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 84% — above average
Career Allow Rate: 84% (318 granted / 377 resolved), +26.4% vs TC avg
Interview Lift: +24.5% (strong +24% interview lift, resolved cases with interview)
Typical timeline: 2y 11m Avg Prosecution, 16 currently pending
Career history: 393 Total Applications across all art units

Statute-Specific Performance

§101: 10.1% (-29.9% vs TC avg)
§103: 61.8% (+21.8% vs TC avg)
§102: 6.5% (-33.5% vs TC avg)
§112: 8.2% (-31.8% vs TC avg)
Based on career data from 377 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The Information Disclosure Statement (IDS) submitted on 12/30/2025 has been considered by the Examiner. The submission is in compliance with the provisions of 37 CFR 1.97.

Response to the amendment

Claims 13-19 have been canceled. Claims 21-27 have been newly added. Claims 12 and 20 have been amended. Claims 1-12 and 20-27 presented for the examination and remain pending in the application.

Response to arguments

The previous rejection of claims 1 and 20 under 35 U.S.C. 103 has been withdrawn. However, a new rejection is made in view of the new prior art of record Ji et al. (U.S. Pub. No. 2023/0106077 A1).

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. 
Code not included in this action can be found in a prior Office action.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 5-7, 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. U.S. Pub. No. 2025/0028548 A1, (hereinafter Liu) in view of Ji et al. (U.S. Pub. No. 2023/0106077 A1).

Regarding claim 1. Liu teaches one or more non-transitory computer readable media comprising instructions which, when executed by one or more hardware processors (Liu teaches in Para. [0011] and [0087] one or more non-transitory computer-readable storage media comprising instructions that, when executed by one or more processors of a computing system), cause performance of operations comprising:

receiving, from a virtual agent in a cloud network at a container instance control plane (Liu teaches in Para. 
[0020] the isolation constructs include organizations (orgs), projects, virtual private clouds (VPCs), and subnets…, permissions applied to virtual machines, pods, and/or containers running within the VPC. Since the VPC is a logical construct, “running within” could mean that the virtual machine, pod, or container is assigned to…, and further Liu teaches in Para. [0038] that data center 101 includes a container orchestrator that implements an orchestration control plane 177 (also referred to herein as “control plane 177”), such as a Kubernetes control plane, to deploy and manage applications 132 and/or services thereof on hosts 102, of a host cluster 110, using containers 130…), a request corresponding to a container instance associated with a first subnet (Liu teaches in Para. [0010] a method for assigning containerized workloads to isolated network constructs within a networking environment associated with a container-based cluster and the method generally includes receiving, at the container-based cluster, a subnet port custom resource specification to initiate creation of a subnet port object to assign a node to a subnet within the networking environment);

determining if a second subnet assigned to the virtual agent matches the first subnet associated with the container instance (Liu teaches the [Abstract] and in Para. [0010] the method generally includes, in response to receiving the subnet port custom resource specification, creating the subnet (i.e., a second subnet assigned ) port object…, the method generally includes modifying a state of the container-based cluster to match a first intended state of the container-based cluster at least specified in the subnet port object);

While Liu teaches about the matching of the subnet objects in the [Abstract] and Para. 
[0010]. Liu does not explicitly teach responsive at least to determining that the second subnet assigned to the virtual agent matches the first subnet associated with the container instance, permitting the request corresponding to the container instance; and based at least on the request being permitted, executing at least one operation corresponding to the request.

However, Ji teaches responsive at least to determining that the second subnet assigned to the virtual agent matches the first subnet associated with the container instance, permitting the request corresponding to the container instance (note that here the term “a virtual agent” executes on a virtual node of a container orchestration system per Applicant’s disclosure Page 4, under Para. [13] in lines 1-5 and thus, Ji teaches in Para. [0135] when the identifier of the new node matches the identifier or the subnet (i.e., matches the first subnet) prefix of the second access device and the subnet prefix sent to the storage unit (i.e., container) so that the storage unit stores the identifier or the subnet prefix of the second access device, compare an identifier of a new node with the identifier or the subnet prefix of the second access device before the second access device needs to access the new node, determine, by the second node, a type and an attribute of the new node based on the identifier of the new node when the identifier of the new node matches the identifier or the subnet prefix of the second access device);

and based at least on the request being permitted, executing at least one operation corresponding to the request (Ji teaches in Para. [0135] when the identifier of the new node matches the identifier or the subnet prefix of the second access device (i.e., based on the subnet match the access is permitted), and perform a fault handling operation based on the type and the attribute of the new node and the type and the attribute of the second node). 

Therefore, Liu and Ji are analogous arts and they are in the same field of endeavor as they both are directed to the subnet assignment process based on the match to manage in a cloud network at container instance control plane. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of matching a subnet prefix between nodes (i.e., virtual agents) and storage units (i.e., containers) to provide an access to the second device ([Abstract], [0010] and [0135]) as taught by Ji into the teachings of Liu invention. One would have been motivated to do so in order to the node in the distributed storage system can quickly discover and process network abnormality, improve abnormal detection efficiency of the system so as to improve reliability of the storage system. The first switch can send different states of the first node to the second node according to need of the latter node, so that processing of the node is timely, which can reduce influence caused by state change of the former node and avoid service interruption.

Regarding claim 5. Liu teaches wherein the operations further comprise determining the second subnet, assigned to the virtual agent, based on an identity principal corresponding to the virtual agent (Liu teaches in Para. [0010], [0020]-[0022] and [0054] about the assigning of subnets to VM Pod VMs and/or VMs may be assigned to the different subnets (i.e., note that here different subset includes the claimed “the second subnet”)).

Regarding claim 6. Liu teaches wherein the operations further comprise receiving the identity principal, corresponding to the virtual agent, concurrently with receiving the request or prior to receiving the request (Liu teaches in Para. [0032] provided by virtual switch 142. 
In this context “connect to” refers to the capability of conveying network traffic, such as individual network packets, or packet descriptors, pointers, identifiers, etc., between components so as to effectuate a virtual data-path between software components).

Regarding claim 7. Liu teaches wherein the request is permitted based further on determining that the request is received from an entity of a virtual agent type (Liu teaches in Para. [0089] various virtualization operations may be wholly or partially implemented in hardware. For example, a hardware implementation may employ a look-up table for modification of storage access requests to secure non-disk data).

Regarding claim 9. Liu teaches wherein the virtual agent is comprised in a virtual node and wherein the container instance is in a service tenancy and executes containers corresponding to the virtual node (Liu teaches in Para. [0034] a software-defined network layer includes logical network services executing on virtualized infrastructure (e.g., of hosts 102)…, etc., as well as VM-based components, such as router control VMs, load balancer VMs, edge service VMs, etc. Logical network services include logical switches and logical routers, as well as logical firewalls, logical virtual private networks (VPNs), logical load balancers, and the like, implemented on top of the virtualized infrastructure).

Regarding claim 20. Claim 20 incorporates substantively all the limitation of claim 1 in a system form and is rejected under the same rationale. Furthermore, regarding the claim limitation of a device including a hardware processor, the prior art of record Liu teaches in Para. [0011] and [0087].

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Ji further in view of Dong et al. U.S. Pub. No. 2025/0119422 A1, (hereinafter Dong).

Regarding claim 8. Liu in view of Ji teaches the non-transitory media of claim 1. 
Liu in view of Ji does not explicitly teach wherein the request comprises a Create, Read, Update, or Delete (CRUD) request corresponding to the container instance. However, Dong teaches wherein the request comprises a Create, Read, Update, or Delete (CRUD) request corresponding to the container instance (Dong teaches in Para. [0051] created, updated, and deleted CRUD).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of using Create, Read, Update, or Delete (CRUD) ([Abstract], [0010] and [0135]) as taught by Dong into the teachings of Liu in view of Ji invention. One would have been motivated to do so in order to the virtual switch enables a networking and security solution for container-based clusters to implement Kubernetes network policies in a high-performance and efficient manner. The method enables trusting communication from this network agent when using a virtual private cloud (VPC)-allocated service account and token, without performing any additional validation that is sufficient to maintain security of the system. The improved security against attacks on the network controller or a control plane in a container-based cluster are achieved. The default token for the second service account is shared in the VPC and encrypted in storage.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Ji further in view of Goliya et al. U.S. Pub. No. 2017/0063633 A1, (hereinafter Goliya).

Regarding claim 10. Liu in view of Ji teaches the non-transitory media of Claim 1. Liu in view of Ji does not explicitly teach wherein a management plane assigns the second subnet to the virtual agent. However, Goliya teaches wherein a management plane assigns the second subnet to the virtual agent (Goliya teaches in Fig. 12 and Para. [0151] the management plane always assigns /31 subnets which includes the first and the second subnets. 
For example, the first transit logical switch 1215 has a subnet of 192.168.10.0/31, while the second transit logical switch 1220 has the next subnet 192.168.10.2/31).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of using management plane to assign a subnet ([01051]) as taught by Goliya into the teachings of Liu in view of Ji invention. One would have been motivated to do so in order to the method enables providing service routers (SRs) of the logical router to handle failure of a physical machine on which an SR operates without requiring involvement of a centralized control plane or management plane.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Ji further in view of Bai et al. U.S. Pub. No. US 2022/0091903 A1, (hereinafter Bai).

Regarding claim 11. Liu in view of Ji teaches the non-transitory media of Claim 1. Liu in view of Ji does not explicitly teach wherein executing the at least one operation corresponding to the request is based further on endorsement of the request, permitted by a cloud network provider of the cloud network, by a customer of the cloud network provider. However, Bai teaches wherein executing the at least one operation corresponding to the request is based further on endorsement of the request, permitted by a cloud network provider of the cloud network, by a customer of the cloud network provider (Bai teaches in Para. [0065]-[0066] sends the endorsement and cloud providers…).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of providing an endorsement based on a request in a cloud network environment ([0065]-[0066]) as taught by Bai into the teachings of Liu in view of Ji invention. 
One would have been motivated to do so in order to the method enables providing service routers (SRs) of the logical router to handle failure of a physical machine on which an SR operates without requiring involvement of a centralized control plane or management plane.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Ji further in view of Lee U.S. Pub. No. US 2017/0302535 A1, (hereinafter Lee).

Regarding claim 12. Liu in view of Ji teaches the non-transitory media of Claim 1. Liu further teaches wherein the operations further comprise: receiving from a second virtual agent in the cloud network at the container instance control plane, a second request corresponding to a second container instance associated with a third subnet (Liu teaches in Para. [0053] control plane includes…, network operator 196 is configured to reconcile a subnet port custom resource specification created for each resource (e.g., VM, pod VM, etc.) in Kubernetes cluster 150…, after such resources have been connected to a particular VPC subnet, and thus assigned an IP (and/or MAC) address associated with the subnet);

Liu in view of Ji does not explicitly teach determining if a fourth subnet assigned to the second virtual agent matches the third subnet associated with the second container instance; responsive at least to determining that the fourth subnet assigned to the second virtual agent does not match the third subnet associated with the container instance, denying the request corresponding to the container instance.

However, Lee teaches determining if a fourth subnet assigned to the second virtual agent matches the third subnet associated with the second container instance (Lee teaches in Para. 
[0386] second physical forwarding subnet includes a sixth set of IP addresses… A position of the source IP address in the fourth set of IP addresses matches a position of the corresponding IP address in the fifth set of IP addresses…); responsive at least to determining that the fourth subnet assigned to the second virtual agent does not match the third subnet associated with the container instance, denying the request corresponding to the container instance (Lee teaches in Para. [0303] the second subnet …, and upon receiving the address, the system automatically shows in fourth input box set 2620D a portion of the ending address range identifying the subnet (e.g., “192.16.2” (i.e., the fourth subnet)). The user can then specify an ending address…, and further in Para. [0392] if the user programs a virtual forwarding subnet that does not match with the virtual forwarding subnet programmed on the virtual enterprise gateway (EG), the virtual EG will not forward the packets properly…).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of comparing and matching the subnet to determine the assignment of the subnet if they do not match ([0303] and [0392]) as taught by Lee into the teachings of Liu in view of Ji invention. One would have been motivated to do so in order to the method significantly simplifies the management of applications running in the cloud by eliminating the complexity for network and infrastructure security. The method provides the feature that helps to conserve the computing resources of the virtual network, reduce network traffic across the virtual network, and prevent bottlenecks. The method provides the architecture that helps to ensure that the system easily implemented without having to make expensive investments in upgrading, the switching capacity of the existing network.

Claim 12 is rejected under 35 U.S.C. 
103 as being unpatentable over Liu in view of Ji further in view of Bonanno et al. U.S. Pub. No. US 2011/0252462 A1, (hereinafter Bonanno).

Regarding claim 27. Liu in view of Ji teaches the non-transitory media of Claim 1. Liu in view of Ji does not explicitly teach wherein determining if the second subnet assigned to the virtual agent matches the first subnet comprises extracting subnet information from authentication credentials associated with the virtual agent. However, Bonanno teaches wherein determining if the second subnet assigned to the virtual agent matches the first subnet comprises extracting subnet information from authentication credentials associated with the virtual agent (Bonanno teaches in Para. [0043] each subnet lookup table may comprise a list of IP addresses and subnet masks, wherein each IP address and subnet mask entry indicates the address of a particular target subnet. Each IP address and subnet mask entry also specifies credentials associated with a target subnet…, the requesting host starts at the top of the table and applies the subnet mask to the target host address to determine if the subnet mask and target host address matches the subnet address for that table row…).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of using a subnet matching process and subnet lookup table to specify the credential associated with a target subnet ([0043]) as taught by Bonanno into the teachings of Liu in view of Ji invention. One would have been motivated to do so since the requesting hosts internet protocol (IP) address is changed, there is no need to update any configuration. The cache memories can provide temporary storage of the program code in order to reduce the several times code. Hence the time codes can be retrieved from bulk storage during execution. 
The entities can be prevented from obtaining access to resources and information in a protected internal network.

Allowable Subject Matter

Claim 21 is allowed as is with its dependent claims 22-26 since includes the further limitations from previously objected claims 2, 3, 4 and 13 and 14 (i.e., canceled claims). Claims 2, 3 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of their base independent claim 1 and any intervening claims. The Examiner relied on prior art of record above and upon updated search found prior arts of record Liu in view of Ji further Bonanno further in view of Althaus et al. (U.S. Pat. No. 6697851 B1) and further in view of Wilson et al. (U.S. Pub. No. 2023/0109109 A1) individually or in combination do not explicitly teach the entire limitations of the above listed objected claims (i.e., 21, 2 and 3).

Response to Arguments

Applicant argues that the prior art of record Dong in view of Okamoto does not teach determining if the subnet matches, permits a request if the subnet matches and rejection improperly dissects the claim and evaluates elements in isolation. As stated in MPEP 2106.01(III)(A), it is improper to dissect a claimed invention into discrete elements and then evaluate the elements in isolation because it is the combination of claim limitations functioning together that establish the boundaries of the invention and limit its scope… This principle derives from In re Ruff, 256 F.2d 590, 118 USPQ 340 (CCPA 1958). The prior art does not recognize subnet matching as equivalent to identity verification as taught by Dong or IP address correlation as taught by Okamoto. These are fundamentally different approaches serving different purposes. Moreover, MPEP 2144.06 explains that it is prima facie obvious to combine two compositions each taught by the prior art to be useful for the same purpose. 
See In re Kerkhoven, 626 F.2d 846, 850, 205 USPQ 1069, 1072 (CCPA 1980). (Remarks. Pages 911).

In response to the above Applicant’s arguments with respect to claims 1, 5-12 and 20 have been considered but are moot. First, the arguments do not apply to the combination of the references being used in the current rejection for independent claims 1 and 20. Second, the new prior art of record clearly addressed the limitation in question as per the Applicant’s arguments. Third, the examiner recognizes that obviousness can only be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERHANU SHITAYEWOLDETSADIK whose telephone number is (571)270-7142. The examiner can normally be reached M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached at 5712723865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. 
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BERHANU SHITAYEWOLDETADIK/
Examiner, Art Unit 2455

Prosecution Timeline

Mar 29, 2024: Application Filed
Nov 01, 2025: Non-Final Rejection — §103
Jan 20, 2026: Examiner Interview (Telephonic)
Jan 21, 2026: Examiner Interview Summary
Jan 27, 2026: Response Filed
Feb 09, 2026: Examiner Interview (Telephonic)
Feb 14, 2026: Non-Final Rejection — §103
Mar 23, 2026: Applicant Interview (Telephonic)
Mar 24, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602246
MANAGEMENT AND ORCHESTRATION OF MICROSERVICES
2y 5m to grant Granted Apr 14, 2026
Patent 12591446
CONFIGURING VIRTUALIZATION SYSTEM IMAGES FOR A COMPUTING CLUSTER
2y 5m to grant Granted Mar 31, 2026
Patent 12585489
USING PNICS TO PERFORM FIREWALL OPERATIONS
2y 5m to grant Granted Mar 24, 2026
Patent 12574443
SYSTEM AND METHOD FOR USE OF REMOTE PROCEDURE CALL WITH A MICROSERVICES ENVIRONMENT
2y 5m to grant Granted Mar 10, 2026
Patent 12556921
GATEWAY FUNCTION REAUTHENTICATION
2y 5m to grant Granted Feb 17, 2026
Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 2-3
Grant Probability: 84%
With Interview: 99% (+24.5%)
Median Time to Grant: 2y 11m
PTA Risk: Moderate
Based on 377 resolved cases by this examiner. Grant probability derived from career allow rate.
