DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-5, 8 and 10-13, 15 and 16 have been examined.
Response to Arguments
Applicant's arguments filed on 2/17/26 have been fully considered but they are not persuasive.
Regarding applicant’s remarks filed on 2/17/26, applicant mainly argues that the prior art of record does not explicitly disclose “retaining the first old SA to have a capability of handling traffic data encapsulated with a second old SA received from the second device until a preset condition is satisfied, wherein the preset condition comprises one or more of the following events: A) an amount of data packets encapsulated with the second new SA received, from the second device exceeds a first threshold; B) a time elapsed after receiving a data packet encapsulated with the second new SA from the second device for a first time exceeds a second threshold; and C) a data packet indicated as last one encapsulated with the second old SA at the second device is received.” However, the examiner disagrees for the following reasons.
According to the Specification, the preset conditions are set to ensure both parties communicate efficiently and to prevent data loss during rekey process; and the preset conditions may be set flexibly to adapt to various application scenarios (Specification: [0025]). As stated in the previous office action and acknowledged by the applicant (p. 8 of Response filed on 2/17/26), Mestery discloses that both the initiator node and the responder node maintain both SAs for some duration, and the old SA stops only after each node unambiguously knows that the peer is ready to start sending on the new SA for efficient communication while avoiding or preventing data loss during the rekey process (Mestery: [0025]: maintain both keys for certain duration to allow communication using both keys during rekey process; [0003]: SA should expire after a specific lifetime, which may be measured in time or quantity of data as well known in the art). The cited portions of Mestery reasonably correspond to the disputed limitations because predetermined amount of time has elapsed or amount of data has been communicated using both new and old SA keys by both entities. Therefore, applicant’s argument is not persuasive in light of above explanation.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-5, 8, 10-13, 15 and 16 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Mestery et al. U.S. 2020/0366478 (hereinafter Mestery).
As per claim 1 and 8, Mestery discloses a method/device for providing Internet Protocol Security (IPsec) communication between a first device and a second device in a network, comprising the following steps carried out by the first device:
in response to a request for updating a first old Security Association (SA) from the second device, generating a first new SA (Mestery: Fig. 2 and [0027]: responder/first device receives request to initiate rekey/generate first new SA in step 208);
sending, to the second device, an acknowledgement that the first new SA is available at the first device (Mestery: Fig. 2 and [0027]: responder/first device acknowledge the new child SA is available in step 216);
using the first old SA to encapsulate traffic data sent to the second device until receiving, from the second device, traffic data encapsulated with a second new SA generated at the second device (Mestery: Fig. 2 and [0027]: responder/first device continues to send traffic using old SA in step 218 until new communication using new SA is received from initiator/second device in step 220, in which responder starts communication using new SA); and
retaining the first old SA to have a capability of handling traffic data encapsulated with a second old SA received from the second device until a preset condition is satisfied (Mestery: [0025]: both initiator and responder continue to use old SAs until each node unambiguously know that the peer is ready to start sending on the new SA);
wherein the first new SA is identical or corresponds to the second new SA, and the first old SA is identical or corresponds to the second old SA (Mestery: [0015]: generation of second encryption key/ new key to replace first encryption key/old key for encrypting IPsec communication session, sessions keys are symmetric keys that are identical for encrypting communication sessions);
wherein the preset condition comprises one or more of the following events (Mestery: [0003] and [0025]: key expires after specific time or quantity of data communicated):
A) an amount of data packets encapsulated with the second new SA received from the second device exceeds a first threshold (Mestery: [0029]: rekey triggered by amount data communicated);
B) the time elapsed after receiving a data packet encapsulated with the second new SA from the second device for the first time exceeds a second threshold (Mestery: [0029]: timeout triggered rekey); and
C) a data packet indicated as last one encapsulated with the second old SA at the second device is received (Mestery: [0025]).
As per claim 2, Mestery discloses the method according to claim 1. Mestery further discloses
after receiving the traffic data encapsulated with the second new SA from the second device for the first time, starting to use the first new SA to encapsulate the traffic data sent to the second device (Mestery: Fig. 2 and [0027]: after receiving data from initiator/second device with new SA in step 220, start communication using new SA by the responder/first device in step 222).
As per claim 3, Mesterdy discloses the method according to claim 1. Mestery further disclose wherein the first and second device is one selected from a group consisting of router, Layer 3 switch and firewall (Mestery: [0109]).
As per claim 4, Mestery discloses the method according to claim 1. Mesterdy further discloses wherein the request for updating the first old SA is implemented as a create child SA request message (Mestery: Fig 2 and [0027]: create child SA in step 210).
As per claim 5, Mestery discloses the method according to claim 1. Mestery further discloses wherein the acknowledgement is implemented by sending to the second device a create child SA response message (Mestery: Fig 2 and [0027]: respond to the create child SA message in step 216).
As per claim 7, Mestery discloses the method according to claim 1. Mestery further discloses wherein the first or second threshold is determined on the basis of at least one of a throughput capability of the first or second device, a traffic transmission rate and an estimated communication link delay (Mestery: [0003]; [0029]).
As per claim 10 and 16, Mestery discloses a method/device for providing Internet Protocol Security (IPsec) communication between a first device and a second device in a network, comprising the following steps carried out by the second device:
sending, to the first device, a request for updating a first old Security Association (SA) (Mestery: Fig. 2 and [0027]: initiator/second device sends request to update SA at step 208) ;
receiving, from the first device, an acknowledgement that a new first SA generated at the first device is available (Mestery: Fig. 2 and [0027]: initiator/second device receives acknowledgement from responder/first device that the child SA/new first SA is available at step 210);
generating a second new SA to encapsulate traffic data sent to the first device (Mestery: Fig. 2 and [0027]: initiator/second device sends new communication using child SA/ new SA to responder/first device at step 220); and
retaining a second old SA to have a capability of handling traffic data encapsulated with the first old SA received from the first device until a preset condition is satisfied (Mestery: [0025]: use old SA until each node unambiguously know each is ready to start sending on the new SA),
wherein the first new SA is identical or corresponds to the second new SA, and the first old SA is identical or corresponds to the second old SA (Mestery: [0015]: generation of second encryption key/ new key to replace first encryption key/old key for encrypting IPsec communication session, sessions keys are symmetric keys that are identical for encrypting communication sessions);
wherein the first new SA is identical or corresponds to the second new SA, and the first old SA is identical or corresponds to the second old SA (Mestery: [0015]: generation of second encryption key/ new key to replace first encryption key/old key for encrypting IPsec communication session, sessions keys are symmetric keys that are identical for encrypting communication sessions);
wherein the preset condition comprises one or more of the following events (Mestery: [0003] and [0025]: key expires after specific time or quantity of data communicated):
A) an amount of data packets encapsulated with the second new SA received from the second device exceeds a first threshold (Mestery: [0029]: rekey triggered by amount data communicated);
B) the time elapsed after receiving a data packet encapsulated with the second new SA from the second device for the first time exceeds a second threshold (Mestery: [0029]: timeout triggered rekey); and
C) a data packet indicated as last one encapsulated with the second old SA at the second device is received (Mestery: [0025]).
As per claim 11, Mestery discloses the method according to claim 10, wherein the first and second device is one selected from a group consisting of router, Layer 3 switch and firewall (Mestery: [0109]).
AS per claim 12, Mestery discloses the method according to claim 10. Mestery further discloses wherein the request for updating the old SA is implemented as a create child SA request message (Mestery: Fig. 2 and [0027]: create child SA in steps 210 and 216).
As per claim 13, Mestery discloses the method according to claim 10. Mestery further discloses wherein the acknowledgement is implemented as a create child SA response message received from the first device (Mestery: Fig 2 and [0027]: step 216 serves as acknowledgement of creation of child SA at the first device/responder).
As per claim 15, Mestery discloses the method according to claim 14. Mestery further discloses wherein the first or second threshold is determined on the basis of at least one of a throughput capability of the first or second device, a traffic transmission rate and an estimated communication link delay (Mestery: [0003]; [0029]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Chesson et al. U.S. 7,245,724 discloses rekey operation with multiplexing capability.
Persaud et al. U.S. 2020/0099672 discloses mechanism for encryption key distribution in computer networks.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am- 7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431