NICIRA, INC.
Patent Trial and Appeal Board, Aug 11, 2020
2019003102 (P.T.A.B. Aug. 11, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 15/050,477
FILING DATE: 02/23/2016
FIRST NAMED INVENTOR: Donghai HAN
ATTORNEY DOCKET NO.: N225.01
CONFIRMATION NO.: 9748

109858 7590 08/11/2020
ADELI LLP
11859 Wilshire Blvd. Suite 408
Los Angeles, CA 90025

EXAMINER: TURCHEN, JAMES R
ART UNIT: 2439
PAPER NUMBER:
NOTIFICATION DATE: 08/11/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ipadmin@vmware.com, mail@adelillp.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte DONGHAI HAN
____________
Appeal 2019-003102
Application 15/050,477
Technology Center 2400
____________
Before RICHARD M. LEBOVITZ, JASON V. MORGAN, and JOHN A. EVANS, Administrative Patent Judges.
LEBOVITZ, Administrative Patent Judge.

DECISION ON APPEAL

The Examiner rejected the claims under 35 U.S.C. § 102 as anticipated. Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner’s decision to reject the claims. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.

[1] We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party in interest as Nicira, Inc., which is a wholly-owned subsidiary of VMware, Inc. Appeal Br. 2.
STATEMENT OF THE CASE

This appeal is related to appeal number 2019-002910 (application number 15/050,478).[2] Claims 1, 4–7, 10–13, and 16–18 stand finally rejected by the Examiner under 35 U.S.C. § 102(a)(1) as anticipated by Bhagwat et al. (US 2015/0082417 A1, published Mar. 19, 2015). Final Act. 2.[3]

There are three independent claims on appeal: claims 1, 7, and 13. Claim 1 is directed to a method. Claim 7 is directed to a non-transitory computer-readable storage medium that includes a set of instructions for carrying out a method with substantially the same steps as in claim 1. Claim 13 is directed to a host configured to implement a firewall comprising a computer-readable storage medium that includes a set of instructions for carrying out a method with substantially the same steps as in claim 1. We select claim 1 as representative. Claim 1 reads as follows:

    1. A method for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host, the method comprising:

    receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host, wherein the ingress packet is addressed to a destination address, and a destination virtualized computing instance supported by the destination host is associated with the destination address and a destination virtual network interface controller (VNIC);

    retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, wherein the PNIC-level firewall rule is applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC, and the VNIC-level firewall rule specifies a destination address field that matches with the destination address of the ingress packet; and

    in response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, dropping the ingress packet such that the ingress packet is not sent to the destination VNIC.

[2] Appellant failed to identify this appeal as being related to the Appeal in 2019-002910. See Appeal Br. 2. The two applications are based on the same disclosures by the same inventor. The rejected claims are similar. The arguments, although directed to different prior art, are similar. The patent practitioner filing the appeals is the same. The real parties in interest are the same. And the Notice of Appeal and Appeal Brief filings in both applications fall within the same three-month period. Appellant and Appellant’s counsel are reminded of the duty to identify all other prior . . . appeals . . . which satisfy all of the following conditions: involve an application . . . owned by the appellant or assignee, are known to appellant, the appellant’s legal representative, or assignee, and may be related to, directly affect . . . or have a bearing on the Board’s decision in the pending appeal. 37 C.F.R. § 41.37(c)(1)(ii) (2018).

[3] In the Final Office Action, the Examiner rejected claims 1–18 as anticipated by Bhagwat. Final Act. 2. In the Answer, the Examiner states that the rejection of claims 2, 3, 8, 9, 14, and 15 is withdrawn. Ans. 3.

CLAIM INTERPRETATION

During patent examination proceedings, claim terms are given their “broadest reasonable meaning . . . in their ordinary usage as they would be understood by one of ordinary skill in the art, taking into account whatever enlightenment by way of definitions or otherwise that may be afforded by the written description contained in the applicant's specification.” In re Morris, 127 F.3d 1048, 1054 (Fed. Cir. 1997).
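The three steps of claim 1 quoted above, rendered as a runnable model (an illustration added for this page; it is hypothetical code written here, not Nicira/VMware code and not the Specification's implementation). It assumes a host with a few virtual machines, each holding VNIC-level rules; the host generates PNIC-level rules from those VNIC-level rules whose destination address field names a VM on the host, retrieves them by the ingress packet's destination address, and drops a blocked packet at the PNIC before it is forwarded to the VNIC. The rule fields, addresses, and first-match semantics are assumptions made here:

```python
"""Illustration of the claim 1 method, added for this page (hypothetical model,
not Nicira/VMware code): a destination host derives PNIC-level firewall rules
from VNIC-level rules and drops blocked ingress packets at the physical NIC,
so they are never forwarded to the destination VNIC.  Rule fields, addresses
and the first-match semantics are assumptions made here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule; "any" wildcards src/dst/proto, dport=None means any port."""
    src: str
    dst: str            # the destination address field named in the claim
    proto: str
    dport: Optional[int]
    action: str         # "allow" or "drop"

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) != ip_address(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class VM:
    """A destination virtualized computing instance with its VNIC-level rules."""
    name: str
    ip: str
    vnic_rules: List[Rule]


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    return next((r for r in rules if r.matches(pkt)), None)


class DestinationHost:
    def __init__(self, vms: List[VM]) -> None:
        self.vms: Dict[str, VM] = {vm.ip: vm for vm in vms}
        self.dropped_at_pnic: List[Packet] = []
        self.delivered_to_vnic: Dict[str, List[Packet]] = {vm.name: [] for vm in vms}
        self.pnic_rules: Dict[str, List[Rule]] = self.generate_pnic_rules()

    def generate_pnic_rules(self) -> Dict[str, List[Rule]]:
        """Claim step 2: PNIC-level rules generated from VNIC-level rules.
        A VNIC-level rule is promoted to the PNIC only when its destination
        address field names a VM on this host, indexed by that VM so the PNIC
        can retrieve it from an ingress packet's destination address.  Rules
        with a wildcard destination stay VNIC-only (modelling assumption)."""
        return {vm.name: [r for r in vm.vnic_rules
                          if r.dst != "any" and ip_address(r.dst) == ip_address(vm.ip)]
                for vm in self.vms.values()}

    def ingress(self, pkt: Packet) -> Tuple[str, str]:
        """Claim steps 1 and 3: receive at the PNIC and drop there if a PNIC-level
        rule blocks the packet.  Returns (where decided, verdict)."""
        vm = self.vms.get(pkt.dst)
        if vm is None:
            self.dropped_at_pnic.append(pkt)        # no VM on this host owns the address
            return ("pnic", "drop-unknown-destination")
        rule = first_match(self.pnic_rules[vm.name], pkt)
        if rule is not None and rule.action == "drop":
            self.dropped_at_pnic.append(pkt)        # never sent to the VNIC
            return ("pnic", "drop")
        # Not blocked at the PNIC: forward to the destination VNIC, where the
        # VNIC-level rules (including VNIC-only ones) are still applied.
        rule = first_match(vm.vnic_rules, pkt)
        if rule is not None and rule.action == "drop":
            return ("vnic", "drop")
        self.delivered_to_vnic[vm.name].append(pkt)
        return ("vnic", "allow")


def build_example_host() -> DestinationHost:
    """Constructed sample: two VMs with made-up addresses and rules."""
    web = VM("web", "10.0.0.10", [
        Rule("192.168.5.0/24", "10.0.0.10", "tcp", 22, "drop"),   # no SSH from that subnet
        Rule("any", "10.0.0.10", "tcp", 443, "allow"),
        Rule("any", "10.0.0.10", "any", None, "drop"),            # default deny for web
    ])
    db = VM("db", "10.0.0.20", [
        Rule("10.0.0.0/24", "10.0.0.20", "tcp", 5432, "allow"),
        Rule("any", "any", "udp", None, "drop"),                  # VNIC-only: wildcard dst
    ])
    return DestinationHost([web, db])
```

Calling `build_example_host().ingress(Packet("192.168.5.7", "10.0.0.10", "tcp", 22))` returns `("pnic", "drop")`: the blocked packet is counted in `dropped_at_pnic` and never reaches the web VM's VNIC. A UDP packet to the db VM is not covered by any PNIC-level rule (the only UDP rule has a wildcard destination and stays VNIC-only), so it is forwarded and dropped at the VNIC instead, which is the distinction between a rule that is "applicable at the PNIC" and one that is applicable only at the VNIC.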
The first step of the claim comprises receiving an ingress packet, “via a physical network interface controller (PNIC),” from a source host which is addressed to a destination address of a destination host. The destination address is associated with “a destination virtualized computing instance” and “a destination virtual network interface controller (VNIC).” The Specification discloses an example of the “destination virtualized computing instance” as a “virtual machine.” Spec. ¶ 16.

In the next step of the claim, a PNIC-level firewall rule associated with the destination virtualized computing instance is retrieved. The PNIC-level rule is required by the claim to be “applicable” at the PNIC. The PNIC-level rule is also required by the claim to be “generated based on a VNIC-level firewall rule applicable at the destination VNIC.” The term “applicable,” as explained in the Specification, indicates that the firewall rules “are applicable to packets detected at or received via a particular” virtual machine’s VNIC or PNIC to determine whether to allow or drop a particular packet. Spec. ¶¶ 21, 25. Thus, characterizing a firewall rule as “applicable” at a VNIC or PNIC indicates that the rule is a functional firewall rule which, when present on a VNIC or PNIC, can determine whether to allow or drop a packet.

In the last step of the claim, the ingress packet is dropped and not sent to the destination VNIC “in response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through.” The PNIC-level firewall rule is therefore applied at the PNIC to block an ingress packet from passing through to the VNIC and destination virtualized computing instance.

DISCUSSION

The Examiner finds that Bhagwat, as shown in Figures 1 and 2 of Bhagwat, describes PNIC-level and VNIC-level firewall rules. Ans. 5.
Specifically, the Examiner states that object attribute manager 114 comprising table 206, IP address manager 116 comprising table 208, and NAT manager 116 comprising table 210 contain VNICs which the Examiner finds represent VNIC-level firewall rules. Id. The Examiner also finds that Bhagwat, as shown in Figure 2, describes configured firewall rules 214 which are PNIC-level firewall rules. Id. For clarity, each of the figures is copied below.

Bhagwat’s Figure 1 is as follows:

[Figure 1 of Bhagwat: firewall configuration in a virtual environment; image not reproduced here]

Figure 1 of Bhagwat, reproduced above, shows the firewall configuration in a virtual environment. Bhagwat ¶ 17. Virtual server 106 comprises virtual management software 108 which has object attribute manager 114, IP address manager 116, NAT manager 118, and user firewall rules manager 120. Bhagwat discloses that firewall manager 122 configures the firewall rules by using the tables associated with the 114, 116, 118, and 120 managers. Bhagwat ¶¶ 18, 22. The tables are shown in Figure 2 of Bhagwat, which is reproduced below:

[Figure 2 of Bhagwat: management plane 202 with tables 206, 208, 210, and 212; image not reproduced here]

Figure 2 of Bhagwat, copied above, shows the management plane 202 which represents the virtual management server 106 shown in Figure 1. The management plane 202 is shown with tables 206, 208, 210, and 212 which are associated with managers 114, 116, 118, and 120, respectively, of Figure 1.

Appellant argues that the Examiner erred because Bhagwat does not disclose that “the PNIC-level firewall rule is applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC” as recited in the second step of claim 1. Appeal Br. 9.
We agree with Appellant that the Examiner did not establish that Bhagwat describes a “VNIC-level firewall rule applicable at the destination VNIC.” As discussed in the claim interpretation section above, a VNIC “applicable” rule must be a firewall rule that is functional and capable of being applied at a VNIC to determine which packets to block or pass through.

The Examiner pointed to Figure 2, copied above, which comprises tables 206, 208, and 210. Each of the tables has a VNIC entry; tables 208 and 210 also have destination addresses. However, the Examiner did not establish that Bhagwat describes these tables as representing VNIC-level firewall rules. Rather, Bhagwat teaches that firewall manager 122 configures firewall rules using VM inventory objects from table 206 and then transforms the rules by replacing the VM inventory objects with associated IP addresses using IP address management (IPAM) table 208 and network address translation (NAT) table 210. Bhagwat ¶ 19. Bhagwat teaches that firewall manager 122 “then sends the transformed firewall rules to firewall engine 102 for filtering communication from and to VMs” on host computing systems. Id. As shown in Figure 1, firewall engine 102 is not part of the virtual management server, but rather is on the network and host computing system side. Similarly, the user-specified firewall rules of manager 120 and associated table 212 are transformed by firewall manager 112 into functional rules and then directed to firewall engine 102 on the network side. Id. at ¶ 22.

Thus, we have not been guided to a description in Bhagwat that the tables shown in Figure 2 represent VNIC-level firewall rules. Instead, Bhagwat teaches that managers 114, 116, 118, and 120, and the associated tables, are used by firewall manager 122 to formulate and automatically update firewall rules.
As explained in Bhagwat:

    The firewall engine residing in the management layer based on object representation maps it to an Internet Protocol (IP) address and automatically configures the firewall located in the data path layer based on the mapping information. Basically the technique involves formulating firewall rules using virtual machine (VM) identifiers and machine attributes, such as an IP address from a network address translation (NAT) table and a network interface card (NIC) assigned IP address from an IP address management (IPAM) table. Using this technique allows the firewall to be automatically updated anytime VMs are changed or reconfigured.

Bhagwat ¶ 15 (emphasis added).

The “formulating” of the firewall rules using the identifiers and machine attributes is performed by firewall manager 122, which is “communicatively coupled” to firewall engine 102 on the network and computing system side. Bhagwat ¶ 18. The tables identified by the Examiner as serving as the claimed “VNIC-level firewall rule applicable at the destination VNIC” are not rules, as explained above, but are used to “formulate” the firewall rules that are communicated to the firewall engine in data plane 204, which is outside the virtual environment.

To anticipate under 35 U.S.C. § 102, a publication must “disclose all elements of the claim within the four corners of the document” and “arranged as in the claim.” Net MoneyIN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1369 (Fed. Cir. 2008). Because the Examiner did not establish that Bhagwat describes the “VNIC-level firewall rule applicable at the destination VNIC,” we are compelled to reverse the anticipation rejection of claim 1, independent claims 7 and 13 which recite the same limitation, and dependent claims 4–6, 10–12, and 16–18.

DECISION SUMMARY

In summary:

    Claims Rejected         35 U.S.C. §   Reference   Affirmed   Reversed
    1, 4–7, 10–13, 16–18    102           Bhagwat                1, 4–7, 10–13, 16–18

REVERSED