Ex Parte Donley et al

Board of Patent Appeals and Interferences
Mar 27, 2012
10401919 (B.P.A.I. Mar. 27, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________________
Ex parte CHRISTOPHER J. DONLEY, ROBERT R. GILMAN, KURT H. HASERODT, and JOHN M. WALTON
____________________
Appeal 2010-000187
Application 10/401,919
Technology Center 2400
____________________
Before HOWARD B. BLANKENSHIP, JEAN R. HOMERE, and JAMES R. HUGHES, Administrative Patent Judges.

HUGHES, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal from the Examiner’s rejection of claims 104-145. Claims 1-103 have been canceled. We have jurisdiction under 35 U.S.C. § 6(b).

We reverse.

Representative Claims

104. A method, comprising:
(a) receiving, by a destination node and from a source node, a packet comprising a header that includes a first message authentication code and source port and checksum fields, the header having been altered by a firewall;
(b) computing, by the destination node and over the packet, a second message authentication code; and
(c) applying the following rules:
(c1) when the first and second message authentication codes match, the packet is authenticated successfully; and
(c2) when the first and second message authentication codes do not match, the packet is not authenticated successfully;
wherein each of the first and second message authentication codes is computed by the source and destination nodes, respectively, based on values for the source port and checksum fields that are different from the values for the source port and checksum fields in the packet before and after alteration by the firewall.

129.
A method, comprising:
(a) receiving, by a destination node and from a source node, a packet comprising a header that includes a first and second message authentication codes and source port and checksum fields, the header having been altered by a firewall;
(b) computing, by the destination node and over the packet, a third message authentication code; and
(c) applying the following rules:
(c1) when the first and third message authentication codes match, the packet is authenticated successfully; and
(c2) when the first and third message authentication codes do not match, the packet is not authenticated successfully;
wherein the first and third message authentication codes is computed by the source and destination nodes, respectively, exclude values for the source port and checksum fields.

Rejection on Appeal

The Examiner rejects claims 104-145 under 35 U.S.C. § 102(b) as being anticipated by Ylonen (International Application Publication No. WO 99/35799).

ISSUES

1. Does the Examiner err in finding that Ylonen discloses:

wherein each of the first and second message authentication codes is computed by the source and destination nodes, respectively, based on values for the source port and checksum fields that are different from the values for the source port and checksum fields in the packet before and after alteration by the firewall

within the meaning of claim 104 and the commensurate limitations of claims 113 and 120?

2. Does the Examiner err in finding that Ylonen discloses:

receiving, by a destination node and from a source node, a packet comprising a header that includes a first and second message authentication codes and source port and checksum fields, the header having been altered by a firewall; [and] . . .
wherein the first and third message authentication codes is computed by the source and destination nodes, respectively, exclude values for the source port and checksum fields

within the meaning of claim 129 and the commensurate limitations of claim 138?

ANALYSIS

With respect to representative claim 104, we agree with Appellants that the Examiner’s construction of the disputed limitation is incorrect. (Reply Br. 2-3.) The disputed limitation does not require “that the source node which computes the first message authentication code has different values for source port and checksum fields than the second message authentication code that is computed by the destination node before and after alteration by the firewall” as interpreted by the Examiner. (Ans. 11.) Rather, the disputed limitation requires:

that each of the first and second message authentication codes (“MACs”) be computed based on source port and checksum field values that are different from the values for the source port and checksum fields in the packet both before and after alteration by the firewall. In other words, each of the first and second message authentication codes is not computed using source port and checksum field values in the packet before network address translation (“NAT”) or after NAT.

(Reply Br. 2.)

We also agree with Appellants that Ylonen describes utilizing source port and checksum field values that are altered by a firewall (the NAT (network address translation) device) to compute a message authentication code (MAC) and transforms the MAC to compensate for changes to the data made by the NAT. (App. Br. 8-10; Reply Br. 2-3.) As explained by Appellants, “the Ylonen Reference, unlike and contrary to the claimed invention, computes the MAC using values for the source port and checksum fields as they existed in the packet before or after NAT.” (App. Br. 9.)
As further explained by Appellants, the portion of Ylonen cited as disclosing the disputed feature (see Ans. 3-4, 9-12 (citing Ylonen, p. 16, ll. 10-24)) describes transforming the MAC:

The text cited by the Examiner, namely the Ylonen Reference at page 16, lines 10-24, notes two configurations to compensate for NAT translations. In one configuration described at page 16, lines 10-13, the sending node compensates for NAT translations by applying the NAT translations to the packet header (which causes the header to be identical to the header as altered by the firewall and as seen by the receiving node) before the sending node computes the MAC (which, as noted by the Ylonen Reference, would otherwise be based on the internal packet header of the sending node prior to application of NAT by the firewall positioned along the transmission path). Thus as noted by the Ylonen Reference, the MAC is based on values for the source port number and checksum that are the same as those made after NAT and different from those in the packet transmitted by the sending node.

In the second configuration described at page 16, lines 14-17, the receiving node compensates for NAT translations by applying reverse translations to the received packet before computing the MAC. In other words, the receiving node negates NAT translations by converting the packet header to be the same as the header sent by the sending node and computes the MAC over the reversely transformed header. The sending and receiving nodes therefore compute the MAC over the header before NAT translation. Thus, the MAC is based on values for the IP address and port number that are in the internal packet header before NAT.

As noted above in neither configuration is the MAC based on values for the source port and checksum fields that are different from the values for the source port and checksum fields in the packet both before and after alternation by the firewall.

(Reply Br. 3.)
Consequently, we are constrained by the record before us to conclude that Ylonen fails to disclose the recited features of Appellants’ claim. Therefore, the rejection of claim 104 fails to establish a prima facie case of anticipation. Appellants’ independent claims 113 and 120 include limitations of similar scope. Dependent claims 105-112 (dependent on claim 104), 114-119 (dependent on claim 113), and 121-128 (dependent on claim 120) depend on and stand with their respective base claims. Accordingly, we reverse the Examiner’s anticipation rejection of claims 104-128.

With respect to representative claim 129, the claim recites two disputed limitations: (1) “receiving, by a destination node and from a source node, a packet comprising a header that includes a first and second message authentication codes and source port and checksum fields, the header having been altered by a firewall;” and (2) “wherein the first and third message authentication codes is computed by the source and destination nodes, respectively, exclude values for the source port and checksum fields.” (Claim 129.)

We agree with Appellants that the “Ylonen Reference is . . . silent on incorporating two message authentication codes in a packet header” (App. Br. 11; see Reply Br. 4-5) as required by the claim. We also agree with Appellants that Ylonen does not disclose “the use of a pseudo-header and the alteration and/or exclusion of the source and/or destination port fields and the checksum field from the MAC computation to negate, for purposes of packet authentication, packet header alterations by a firewall” (id.) – i.e., that the authentication codes are computed to “exclude values for the source port and checksum fields” as recited by claim 129.
Consequently, we are constrained by the record before us to conclude that Ylonen fails to disclose the recited features of Appellants’ claim 129, and the rejection of claim 129 fails to establish a prima facie case of anticipation. Appellants’ independent claim 138 includes limitations of similar scope. Dependent claims 130-137 (dependent on claim 129) and 139-145 (dependent on claim 138) depend on and stand with their respective base claims. Accordingly, we reverse the Examiner’s anticipation rejection of claims 129-145.

CONCLUSION OF LAW

Appellants have shown that the Examiner erred in rejecting claims 104-145 under 35 U.S.C. § 102(b).

DECISION

We reverse the Examiner’s rejections of claims 104-145 under 35 U.S.C. § 102(b).

REVERSED

peb
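
The technical distinction the decision turns on, as an added example that is not part of the decision, the application or the Ylonen reference: a MAC computed over the header exactly as sent stops verifying once a NAT firewall rewrites the source port and checksum, while a MAC computed with those two fields replaced by fixed values still verifies and still detects payload changes. The UDP-like layout, the key, the port numbers and the choice of zero as the substitute value are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumed pre-shared key, constructed for this example

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum in the style of RFC 1071."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed UDP-like datagram: src port, dst port, length, checksum, payload."""
    length = 8 + len(payload)
    zeroed = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = inet_checksum(zeroed + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload

def nat_rewrite(pkt: bytes, new_src_port: int) -> bytes:
    """Stand-in for the firewall: new source port, checksum recomputed."""
    dst_port = struct.unpack("!H", pkt[2:4])[0]
    return build(new_src_port, dst_port, pkt[8:])

def mac_as_sent(pkt: bytes) -> bytes:
    """MAC over every header byte, including source port and checksum."""
    return hmac.new(KEY, pkt, hashlib.sha256).digest()

def mac_masked(pkt: bytes) -> bytes:
    """MAC with source port and checksum replaced by zero (assumed substitute)."""
    _, dst_port, length, _ = struct.unpack("!HHHH", pkt[:8])
    masked = struct.pack("!HHHH", 0, dst_port, length, 0) + pkt[8:]
    return hmac.new(KEY, masked, hashlib.sha256).digest()

def verify(pkt: bytes, tag: bytes, mac_fn) -> bool:
    return hmac.compare_digest(mac_fn(pkt), tag)

def demo() -> dict:
    sent = build(40000, 5060, b"constructed payload")
    seen = nat_rewrite(sent, 61001)          # what the destination receives
    tampered = seen[:-1] + b"X"              # payload changed in transit
    return {
        "as_sent_after_nat": verify(seen, mac_as_sent(sent), mac_as_sent),
        "masked_after_nat": verify(seen, mac_masked(sent), mac_masked),
        "masked_tampered": verify(tampered, mac_masked(sent), mac_masked),
    }
```

Fields left out of the MAC input are not authenticated, so a receiver using the masked form cannot treat the received source port or checksum as integrity-protected.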