DETAILED ACTION
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8 and 15 recite the limitation "the customer" and only afterwards introduce "a customer", making it indefinite whether the same customer is intended. There is insufficient antecedent basis for this limitation in the claims.
Claims 1, 8 and 15 recite the limitation "the received traffic" and then "the received first traffic", making it indefinite whether the same traffic is intended. There is insufficient antecedent basis for this limitation in the claims.
Claims 7 and 14 recite the limitation "the first interface". There is insufficient antecedent basis for this limitation in the claims.
This is not intended to be a complete list of such indefiniteness issues.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.
Double Patenting
Claims 1-20 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over the claims of copending US patent application 18521351 and US Patent Nos. 11677717, 12101295 and 12107827. Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant claims are analogous to, and broader than, the conflicting claims. For example,
“A method, comprising: receiving traffic at a first traffic interface at a first compute server of a distributed cloud computing network, wherein the first traffic interface is a layer 3 traffic interface, and wherein the received traffic is destined for a private application or service running on a server of the customer outside of the distributed cloud computing network; determining identity information associated with the received traffic including that the received first traffic is attributable to a customer of a unified network service provided through the distributed cloud computing network; determining, using one or more policies configured for the customer and the determined identity information associated with the received traffic, whether the received traffic is allowed to be transmitted to the private application or service; responsive to determining that the received traffic is allowed to be transmitted to the private application or service, determining a second traffic interface that interfaces with the server of the customer, wherein the second traffic interface is a layer 7 traffic interface, and wherein the determined second traffic interface is on a second compute server of the distributed cloud computing network; transmitting the received traffic from the first compute server to the determined second traffic interface on the second compute server; and transmitting, from the determined second traffic interface on the second compute server to the server of the customer, the received traffic” (claim 1, instant application) is analogous to
“A method, comprising: receiving traffic at a traffic interface of a compute server, wherein the traffic interface is one of a Generic Routing Encapsulation (GRE) tunnel interface, an encrypted tunnel interface, a Virtual Private Network (VPN) server interface, and an Internet Protocol Security (IPsec) tunnel interface; determining identity information associated with the traffic, wherein the identity information includes at least an identifier of a first customer to which the traffic is attributable, the first customer having a first isolated network stack at the compute server; determining, using one or more egress policies configured for the first customer and the identity information, whether the traffic is allowed to be transmitted to a target destination of the traffic, wherein the target destination of the traffic is a resource of a second customer having a second isolated network stack at the compute server; responsive to determining that the traffic is allowed to be transmitted to the target destination, transmitting the traffic and the identity information to the second isolated network stack; receiving the traffic at the second isolated network stack at the compute server; determining, using one or more ingress policies configured for the second customer and the identity information, whether the traffic is allowed to be transmitted to the target destination of the traffic; and responsive to determining that the traffic is allowed to be transmitted to the target destination, transmitting the traffic to the target destination” (claim 1, copending application 18521351) and is analogous to
“A method, comprising: receiving first traffic at a first traffic interface at a first compute server of a distributed cloud computing network, wherein the received first traffic is destined for a private application or service running on a server of a customer of a unified network service provided through the distributed cloud computing network, wherein the server is outside of the distributed cloud computing network, wherein the first traffic interface is an IPsec tunnel interface that interfaces with an IPsec tunnel from a router of the customer, wherein the IPsec tunnel interface is assigned an IP address that is an anycast IP address that is shared among the first compute server and a plurality of other compute servers of the distributed cloud computing network, and wherein a different one of the other compute servers of the distributed cloud computing network performed a handshake with the router including generating a set of one or more security associations for encrypting and decrypting; receiving the generated set of one or more security associations for encrypting and decrypting traffic on the IPsec tunnel interface, wherein the received first traffic is encrypted; decrypting the encrypted received first traffic using the set of one or more security associations; determining identity information associated with the received first traffic including that the received first traffic is attributable to the customer including identifying the customer based on the IPsec tunnel being associated with an account of the customer; determining, using one or more policies configured for the customer and the determined identity information associated with the received first traffic, whether the received first traffic is allowed to be transmitted to the private application or service including determining whether traffic received over the IPsec tunnel is allowed to access the private application or service; responsive to determining that the received first traffic is allowed to be transmitted to the private application or service, determining a second traffic interface that interfaces with the server of the customer, wherein the second traffic interface is a layer 7 traffic interface, and wherein the determined second traffic interface is on a second compute server of the distributed cloud computing network; transmitting the received first traffic from the first compute server to the determined second traffic interface on the second compute server; and transmitting, from the determined second traffic interface on the second compute server to the server of the customer, the received first traffic” (claim 1, patent 11677717) and is analogous to
“A method, comprising: receiving an IPSec tunnel request for establishing an IPSec tunnel from a customer router to an anycast IP address of a distributed cloud computing network, wherein a same anycast IP address is shared among a plurality of compute servers of the distributed cloud computing network; performing a handshake with the customer router from a first one of the compute servers of the distributed cloud computing network, wherein performing the handshake includes generating a set of one or more security associations for encrypting and decrypting IPSec traffic; propagating the generated set of security associations to each of the other plurality of compute servers of the distributed cloud computing network; receiving a first packet destined to the customer router at a second one of the compute servers of the distributed cloud computing network, wherein the first packet is received at a first traffic interface of the second compute server, and wherein the first traffic interface is a layer 2 or layer 3 tunnel interface connected with a different customer router; encrypting the first packet at the second one of the compute servers using the propagated generated set of security associations; and transmitting the encrypted first packet from the second one of the compute servers to the customer router” (claim 1, patent 12101295) and is analogous to
“A method, comprising: receiving first traffic at a first traffic interface at a first compute server of a distributed cloud computing network, wherein the received first traffic is destined for a private application or service running on a server of a customer of a unified network service provided through the distributed cloud computing network, wherein the server is outside of the distributed cloud computing network, wherein the first traffic interface is a generic routing encapsulation (GRE) interface that interfaces with a GRE tunnel from a router of the customer; determining identity information associated with the received first traffic including that the received first traffic is attributable to the customer based on the GRE tunnel being associated with an account of the customer; determining, using one or more policies configured for the customer and the determined identity information associated with the received first traffic, whether the received first traffic is allowed to be transmitted to the private application or service including determining whether traffic received over the GRE tunnel is allowed to access the private application or service; responsive to determining that the received first traffic is allowed to be transmitted to the private application or service, determining a second traffic interface that interfaces with the server of the customer, wherein the second traffic interface is a layer 7 traffic interface, and wherein the determined second traffic interface is on a second compute server of the distributed cloud computing network; transmitting the received first traffic from the first compute server to the determined second traffic interface on the second compute server; and transmitting, from the determined second traffic interface on the second compute server to the server of the customer, the received first traffic” (claim 1, patent 12107827).
This rejection is provisional as to copending application 18521351 because the conflicting claims of that application have not in fact been patented.
The claims of the conflicting patents and application contain every element of claims 1-20 of the instant application and thus anticipate those claims. Claims 1-20 of the instant application are therefore not patentably distinct from the conflicting claims and are unpatentable for obviousness-type double patenting. A later patent or application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species with that genus).” Eli Lilly & Co. v. Barr Labs., Inc. (Fed. Cir. May 30, 2001) (on petition for rehearing en banc).
“Claim 12 and Claim 13 are generic to the species of invention covered by claim 3 of the patent. Thus, the generic invention is “anticipated” by the species of the patented invention. Cf. Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 USPQ 773 (Fed. Cir. 1985) (holding that an earlier species disclosure in the prior art defeats any generic claim). This court’s predecessor has held that, without a terminal disclaimer, the species claims preclude issuance of the generic claim. In re Van Ornum, 686 F.2d 937, 944, 214 USPQ 761, 767 (CCPA 1982); Schneller, 397 F.2d at 354. Accordingly, absent a terminal disclaimer, claims 12 and 13 were properly rejected under the doctrine of obviousness-type double patenting.” In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Panchal (10819630) in view of Terzis (20100325697).
Regarding claim 1, Panchal teaches a method, comprising: receiving traffic at a first traffic interface at a first compute server of a distributed cloud computing network, wherein the first traffic interface is a layer 3 traffic interface (col. 1, lines 45-60), and
wherein the received traffic is destined for a private application or service running on a server of the customer outside of the distributed cloud computing network (col. 1, 35-51, col. 7, 23-40, col. 10, 23-37);
determining identity information associated with the received traffic including that the received first traffic is attributable to a customer of a unified network service provided through the distributed cloud computing network; determining, using one or more policies configured for the customer and the determined identity information associated with the received traffic, whether the received traffic is allowed to be transmitted to the private application or service (col. 27, lines 30-60);
responsive to determining that the received traffic is allowed to be transmitted to the private application or service, transmitting, from the determined second traffic interface on the second compute server to the server of the customer, the received traffic (Fig. 8, col. 24, lines 38-41).
Panchal does not expressly disclose, but Terzis teaches, determining a second traffic interface that interfaces with the server of the customer, wherein the second traffic interface is a layer 7 traffic interface, and wherein the determined second traffic interface is on a second compute server of the distributed cloud computing network, and transmitting the received traffic from the first compute server to the determined second traffic interface on the second compute server (Terzis, par. 70-74, 83-89).
Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Panchal to incorporate the multilayer traffic interfaces including the layer 7 interface implementation as taught by Terzis.
One of ordinary skill in the art would have been motivated to perform such a modification to achieve better network efficiency via multilayer filtering (Terzis, par.55-60).
Regarding claim 2, Panchal/Terzis teaches wherein the first traffic interface is a generic routing encapsulation (GRE) interface that interfaces with a GRE tunnel from a router of the customer, wherein determining the identity information associated with the received traffic includes identifying the customer based on the GRE tunnel being associated with an account of the customer, and wherein determining whether the received traffic is allowed to be transmitted to the private application or service includes determining whether traffic received over the GRE tunnel is allowed to access the private application or service (Panchal, col. 10, lines 45-55).
Regarding claim 3, Panchal/Terzis teaches wherein determining the identity information associated with the received traffic further includes identifying a user transmitting the traffic over the GRE tunnel, and wherein determining whether the received traffic is allowed to be transmitted to the private application or service further includes determining whether the determined user is allowed to access the private application or service (Panchal, col. 13, line 65 - col. 14, line 10).
Regarding claim 4, Panchal/Terzis teaches wherein the first traffic interface is a virtual private network (VPN) interface that interfaces with a VPN tunnel connected to a VPN client, wherein determining the identity information associated with the received traffic includes determining a user of the VPN client, and wherein determining whether the received traffic is allowed to be transmitted to the private application or service includes determining whether the determined user is allowed to access the private application or service (Panchal, col. 40, lines 38-46).
Regarding claim 5, Panchal/Terzis teaches wherein transmitting the received traffic from the first compute server to the determined second traffic interface on the second compute server is proxied over an HTTP/2 proxy (Terzis, par. 89-95).
Regarding claim 6, Panchal/Terzis teaches marking the received traffic with the determined identity information (Panchal, col. 18, lines 59-65).
Regarding claims 8-13, they recite substantially the same limitations as claims 1-6, respectively, in the form of a non-transitory machine-readable storage medium storing instructions for implementing the corresponding method; therefore, they are rejected under the same rationale.
Regarding claims 15-20, they recite substantially the same limitations as claims 1-6, respectively, in the form of a server/system with instructions for implementing the corresponding method; therefore, they are rejected under the same rationale.
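The flow recited in claims 1-6 (traffic arriving on a layer 3 interface, identity attributed from the GRE/IPsec tunnel or VPN session rather than from the packet, the customer's policies applied to that identity, hand-off to a layer 7 interface that lives on a second compute server, and the traffic marked with the determined identity) can be illustrated as a small simulation. The following Python is an added example written for this page; it is not code from the applicant, from Panchal or from Terzis, and every customer, tunnel name, user, application, policy and server name in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """Identity information determined for received traffic."""
    customer: str
    source_kind: str            # "gre", "ipsec" or "vpn"
    source_id: str              # tunnel name or VPN client id
    user: Optional[str] = None  # set when a user can be identified


@dataclass
class Packet:
    iface_kind: str       # kind of the layer 3 interface the traffic arrived on
    iface_id: str         # which tunnel or VPN client it arrived from
    dst_app: str          # private application or service it is destined for
    payload: bytes
    asserted_user: Optional[str] = None       # assumed: user authenticated upstream (GRE case)
    identity_mark: Optional[Identity] = None  # set when the traffic is marked with its identity


# Constructed control-plane state for this example (not from the application or the references).
TUNNEL_ACCOUNTS = {     # (interface kind, tunnel name) -> customer account
    ("gre", "gre-acme-dc1"): "acme",
    ("ipsec", "ipsec-acme-branch"): "acme",
    ("gre", "gre-globex-hq"): "globex",
}
VPN_SESSIONS = {        # VPN client id -> (customer account, authenticated user)
    "client-7f3a": ("acme", "alice@acme.example"),
}
POLICIES = {            # customer -> app -> allowed tunnels and users (None = any user)
    "acme": {
        "payroll.internal": {"tunnels": {"gre-acme-dc1"}, "users": {"alice@acme.example"}},
        "wiki.internal": {"tunnels": {"gre-acme-dc1", "ipsec-acme-branch"}, "users": None},
    },
    "globex": {
        "erp.internal": {"tunnels": {"gre-globex-hq"}, "users": None},
    },
}
L7_INTERFACES = {       # (customer, app) -> (compute server hosting it, layer 7 interface name)
    ("acme", "payroll.internal"): ("server-b", "l7-acme-payroll"),
    ("acme", "wiki.internal"): ("server-c", "l7-acme-wiki"),
    ("globex", "erp.internal"): ("server-b", "l7-globex-erp"),
}


def identify(pkt: Packet) -> Optional[Identity]:
    """Attribute traffic to a customer from the interface it arrived on,
    never from anything the packet says about its own account."""
    if pkt.iface_kind in ("gre", "ipsec"):
        customer = TUNNEL_ACCOUNTS.get((pkt.iface_kind, pkt.iface_id))
        if customer is None:
            return None
        return Identity(customer, pkt.iface_kind, pkt.iface_id, pkt.asserted_user)
    if pkt.iface_kind == "vpn":
        session = VPN_SESSIONS.get(pkt.iface_id)
        if session is None:
            return None
        customer, user = session
        return Identity(customer, "vpn", pkt.iface_id, user)
    return None


def is_allowed(ident: Identity, dst_app: str) -> bool:
    """Evaluate the policies configured for the attributed customer; default deny."""
    rule = POLICIES.get(ident.customer, {}).get(dst_app)
    if rule is None:            # app not owned by this customer, or no policy for it
        return False
    if ident.source_kind in ("gre", "ipsec") and ident.source_id not in rule["tunnels"]:
        return False            # this tunnel may not reach this app
    if rule["users"] is not None and ident.user not in rule["users"]:
        return False            # user restriction in force and this user is not on it
    return True


def handle_packet(local_server: str, pkt: Packet) -> dict:
    """Ingress decision on the first compute server; returns what was done and why."""
    ident = identify(pkt)
    if ident is None:
        return {"action": "drop", "reason": "unattributable source"}
    if not is_allowed(ident, pkt.dst_app):
        return {"action": "deny", "customer": ident.customer, "reason": "policy"}
    target = L7_INTERFACES.get((ident.customer, pkt.dst_app))
    if target is None:
        return {"action": "deny", "customer": ident.customer, "reason": "no layer 7 interface"}
    l7_server, l7_iface = target
    pkt.identity_mark = ident   # mark the traffic with the determined identity before hand-off
    hop = "local" if l7_server == local_server else f"{local_server}->{l7_server}"
    return {"action": "forward", "customer": ident.customer, "user": ident.user,
            "l7_server": l7_server, "l7_iface": l7_iface, "hop": hop}


if __name__ == "__main__":
    p = Packet("gre", "gre-acme-dc1", "payroll.internal", b"GET /", asserted_user="alice@acme.example")
    print(handle_packet("server-a", p))
    print(handle_packet("server-a", Packet("gre", "gre-globex-hq", "payroll.internal", b"GET /")))
```

The security-relevant point is where identity comes from: the customer is looked up from the tunnel or VPN session the packet arrived on, and the policy table is then indexed by that customer, so traffic on one tenant's tunnel cannot reach another tenant's private application merely by naming it, and a destination with no policy entry is denied by default. The identity mark on the packet is what the second compute server's layer 7 interface can rely on, since the layer 3 identification happened on the first server.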
Allowable Subject Matter
Claims 7 and 14 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, and the double patenting rejections set forth in this Office action, and to include all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references listed on the PTO-892 form are directed to providing network layer security in cloud computing environments. Wondra (11128491) discloses a distributed cloud computing network for providing network layer performance and security. Branch (11425216) discloses a method and system for intelligently routing traffic in a distributed computing network implementing a VPN. Teng (9948552) discloses a cloud-based services exchange for interconnecting multiple cloud service providers with multiple cloud service customers, which enables cloud customers to bypass the public Internet and connect directly to cloud service providers to improve the performance and security of the connections.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David García Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI S ARMOUCHE can be reached at (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/David Garcia Cervetti/Primary Examiner, Art Unit 2409