Ex Parte Jakubik et al
Patent Trial and Appeal Board
Dec 12, 2013
10907659 (P.T.A.B. Dec. 12, 2013)

UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

Ex parte PATRICIA A. JAKUBIK, LINWOOD HUGH OVERBY, JR., JOYCE ANNE PORTER, and DAVID JOHN WIERBOWSKI[1]
________________

Appeal 2011-000124
Application 10/907,659
Technology Center 2400
________________

Before JASON V. MORGAN, JOHN G. NEW, and LYNNE E. PETTIGREW, Administrative Patent Judges.

NEW, Administrative Patent Judge.

DECISION ON APPEAL

[1] The Real Party-in-Interest is International Business Machines Corporation.

SUMMARY

Appellants file this appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1-24.[2] Specifically, claims 1 and 17 stand rejected as unpatentable under 35 U.S.C. § 103(a) as being obvious over the combination of Hines et al. (US 2003/0140089 A1, July 24, 2003) (“Hines”) and Crump (US 2003/0093558 A1, May 15, 2003) (“Crump”). Claims 2 and 18 stand rejected as unpatentable under 35 U.S.C. § 103(a) as being obvious over the combination of Hines, Crump, and Oguchi et al. (US 7,477,640 B2, January 13, 2009) (“Oguchi”). Claims 4 and 20 stand rejected as unpatentable under 35 U.S.C. § 103(a) as being obvious over the combination of Hines, Crump, and Perry (US 2003/0154306 A1, August 14, 2003) (“Perry”). Claims 6, 9, 14, and 22 stand rejected as unpatentable under 35 U.S.C. § 103(a) as being obvious over the combination of Hines, Crump, and Stefaan Pouseele, How to Pass IPSec Traffic Through ISA Server, http://www.isaserver.org/articles-tutorials/articles/IPSec_Passthrough.html (2003) (last visited Dec. 10, 2013) (“Pouseele”). Claims 7, 10, 15, and 23 stand rejected as unpatentable under 35 U.S.C. § 103(a) as being obvious over the combination of Hines, Crump, Pouseele and Oguchi. Claim 12 stands rejected as unpatentable under 35 U.S.C.
§ 103(a) as being obvious over the combination of Hines, Crump, Pouseele, and Perry. We have jurisdiction under 35 U.S.C. § 6(b).

[2] The Examiner has withdrawn the rejection of Appellants’ claims 3, 5, 8, 11, 13, 16, 19, 21, and 24. Ans. 35, 37, 38. We consequently do not address Appellants’ arguments with respect to those claims.

We AFFIRM.

NATURE OF THE CLAIMED INVENTION

Appellants’ invention is directed to preventing duplicate sources on a protocol connection that uses network addresses, protocols, and port numbers to identify connections that include port number translation. In response to an inbound IPsec packet from a remote source client, a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected. Abstract.

GROUPING OF CLAIMS

Appellants submit that claims 1, 4, 9, 12, 17, and 20 stand and fall together. App. Br. 9, 11, 13, 16. We therefore select claim 1 as representative. Claim 1 recites:

1. A method of preventing duplicate source conflicts in a network protocol that uses network addresses, protocols and port numbers to identify connections, said method being performed in a destination host computer and comprising, in response to an inbound packet on a connection at said destination host computer from a remote source client computer:

determining if a port number is available within a range of port numbers that comply with a security association governing the connection;

assigning an available port number to the connection, thereby avoiding a possibility of a duplicate source; and

rejecting the packet if no port numbers are available within the range of port numbers governing the connection.
App. Br. 18.

Appellants submit that claims 2, 7, 10, 15, 18, and 23 stand and fall together. App. Br. 10, 14. We therefore select claim 2 as representative. Claim 2 recites:

2. The method of claim 1 further comprising maintaining a list of assignable port numbers for each remote source client computer and the assigned and unassigned states of each port number in the list.

App. Br. 18.

Appellants argue that claims 6, 14, and 22 stand or fall together. App. Br. 13. We therefore select claim 6 as representative. Claim 6 recites:

6. A method of preventing duplicate sources in a network protocol that uses network addresses, protocols and port numbers to identify connections between a server and remote source client computers, said method being performed in said server and comprising

a) receiving a packet originating at a remote source client computer,

b) determining if the packet has been translated by a network address port translator and contains an encapsulated encrypted packet,

c) if the packet has been translated and contains an encapsulated encrypted packet, decrypting the encapsulated packet to obtain original connection information,

d) determining if a port number is available within a range of port numbers that comply with a security association governing the connection,

e) assigning an available port number to the connection, thereby avoiding a possibility of a duplicate source, and

f) rejecting the packet if no port numbers are available within the range of port numbers governing the connection.

App. Br. 19.

ISSUES AND ANALYSES

A. Claim 1

Issue

Appellants argue that the Examiner erred in finding that the cited prior art references teach all of the limitations of claim 1. App. Br. 9. We therefore address the issue of whether the Examiner so erred.
Analysis

Appellants argue that neither Hines nor Crump teaches or suggests operations performed at a destination host computer for the purpose of determining whether to accept or reject a packet that has already been received over an existing connection. App. Br. 9. Moreover, argue Appellants, neither reference teaches or suggests operations for preventing duplicate source conflicts by associating a different port number with packets received over a previously established connection. Id. Appellants contend that neither reference teaches operations that are performed “in response to an inbound packet on a connection at a destination host computer from a remote source computer.” Id.

The Examiner responds that Crump teaches that a server 206 may make “n” attempts to obtain a successful port number before issuing a message and terminating unsuccessfully. Ans. 31 (citing Crump, ¶ [0042], FIG. 2). The Examiner finds that Crump also teaches that a determination is made regarding whether a port at a calculated dynamic port number is available and, if a bind operation is not successful, that a new dynamic port number may be calculated. Ans. 31 (citing Crump, ¶ [0047]; FIG. 2; FIG. 3, step 306). The Examiner finds that Crump teaches these steps may be repeated a predetermined number of times, e.g., the interval value may be added to the first number until a maximum dynamic port number value has been reached or, alternatively, the calculations and attempted bind operation may repeat a specified number of times. Ans. 31-32. The Examiner finds that the former example taught by Crump, viz., adding an interval value to the first number until a maximum dynamic port number value has been reached, is substantively the same as “determining if a port number is available within a range of port numbers.” Ans. 32.
Furthermore, finds the Examiner, Crump places no explicit restriction on the interval value that would prevent it from equaling 1 and, consequently, Crump implicitly teaches or suggests an interval value of 1 may be added to a first number until a maximum dynamic port value has been reached. The Examiner also finds that Hines teaches that an Applet Agent establishes a communication with a server (a destination host computer) and, once a connection is established, the server assigns a specific port number for that particular connection which can be accessed by no other user. Ans. 33. The Examiner finds that this is substantively the same as claim 1’s requirement of a method of preventing duplicate source conflicts in a network protocol that uses network addresses, protocol, and port numbers to identify connections. Id. The Examiner further finds that Hines teaches that the server 800 (a destination host computer) assigns the specific port number, which is substantively the same as claim 1’s requirement of a method performed in a destination host computer that receives an inbound packet over an existing connection.

We are persuaded by the Examiner’s reasoning and adopt it as our own. Crump teaches that:

At step 308, a determination is made regarding whether the port at the calculated dynamic port number is available. …[S]uch a determination attempts to bind the socket to the dynamic port number (i.e., the port number is held for the particular server 206 program). If the bind operation is not successful (e.g., the return code rc=0), a new dynamic port number may be calculated at step 306. Steps 306 and 308 may be repeated a predetermined number of times. For example, the interval value may be added to the first number until a maximum dynamic port number value has been reached.

Crump, ¶ [0047].
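The port scan quoted from Crump (step from a first number by an interval until a maximum is reached, taking the first port that is free) and the steps recited in claims 1 and 2 (a per-remote-client list of assignable ports with assigned/unassigned state, bounded by the range the security association permits, and rejection of the packet when the range is exhausted), written out as an added Python example. This code is not from the decision or from any of the cited references; the class names, the port range and the sample clients and ports are constructed for illustration.

```python
"""Port assignment at a destination host for NAPT-translated IPsec flows (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    """Bounds on the port numbers the host may assign under this SA (constructed stand-in)."""
    first_port: int
    max_port: int
    interval: int = 1  # Crump's interval; the decision notes nothing stops it being 1


@dataclass
class PortAllocator:
    sa: SecurityAssociation
    # Claim 2: for each remote client, the assignable ports and whether each is assigned.
    tables: Dict[str, Dict[int, bool]] = field(default_factory=dict)
    # Established connection (client, original source port) -> assigned port,
    # so later packets on the same connection keep the port they were given.
    flows: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def _table(self, client: str) -> Dict[int, bool]:
        if client not in self.tables:
            ports = range(self.sa.first_port, self.sa.max_port + 1, self.sa.interval)
            self.tables[client] = {p: False for p in ports}  # False = unassigned
        return self.tables[client]

    def handle_inbound(self, client: str, orig_port: int) -> Optional[int]:
        """Claim 1: assign an available port within the SA's range, or None to reject."""
        key = (client, orig_port)
        if key in self.flows:
            return self.flows[key]
        table = self._table(client)
        # Crump-style scan: walk from first_port by interval until max_port.
        for port, assigned in table.items():
            if not assigned:
                table[port] = True
                self.flows[key] = port
                return port
        return None  # no port left within the governing range: reject the packet

    def release(self, client: str, orig_port: int) -> None:
        """Return the port to the unassigned state when the connection ends."""
        port = self.flows.pop((client, orig_port), None)
        if port is not None:
            self.tables[client][port] = False


if __name__ == "__main__":
    alloc = PortAllocator(SecurityAssociation(50000, 50003))
    for p in (1000, 1001, 1002, 1003, 1004):  # constructed original source ports
        print("orig port", p, "->", alloc.handle_inbound("10.0.0.1", p))
```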
Crump thus teaches the limitation of claim 1 reciting “determining if a port number is available within a range of port numbers.” We also find that Hines teaches:

At login, the Applet Agent 430 establishes a communication with the server 800. Once a connection is established, the client processor requires a port in order to connect with the server. The Applet Agent 430 establishes a socket connection with the server. The server assigns a specific port number for that particular session. Once the port number is established, no other user can use that port. Because only one connection has the socket, a third party cannot connect to this session, even if the third party manages to obtain the particular applet. As discussed above, this feature enhances security.

Hines, ¶ 0101.

Hines therefore teaches the limitations of claim 1 of a “method being performed in a destination host computer [the server]” and “assigning an available port number to the connection, thereby avoiding a possibility of a duplicate source.” We consequently conclude that the Examiner did not err, and we therefore sustain the Examiner’s rejection of claim 1.

B. Claim 2

Issue

Appellants argue that the Examiner erred in finding that the combination of Hines, Crump, and Oguchi teaches or suggests the limitations of claim 2. App. Br. 10. We therefore address the issue of whether the Examiner so erred.
Analysis

Appellants argue that:

Oguchi is cited as disclosing (at Column 9, lines 44-47) a port number pool table 348 that “stores use status, port number using control apparatus address and port number using process number for each port number.” At Column 9, lines 40-41, the table 348 is described as “a table for storing port numbers that are being used by applications in the control apparatus ....” This language indicates that table 348 does not maintain “a list of assignable port numbers for each remote source client” that may be connected to a destination host computer.

It is submitted that claim 2 is allowable over the art of record for at least the same reasons as claim 1 and further because Oguchi fails to disclose limitations added in claim 2.

Id. at 10.

The Examiner responds that Oguchi teaches that the Port Number Using Control Apparatus Address indicates a connection with remote source client. Ans. 35 (citing Oguchi, FIG. 9, table 348).

We are not persuaded by Appellants’ argument. We agree with Appellants that Oguchi teaches that “the port number pool table 348 stores use status, port number using control apparatus address and port number using process number for each port number.” Oguchi, col. 9, ll. 45-47. However, Figure 9 of Oguchi, to which the quoted text directly refers, depicts a Table listing “Port Number,” “Usage Status,” “Port Number Using Control Apparatus Address,” and “Port Number Using Process Number.” Figure 9 of Oguchi is reproduced below:

[Figure 9 of Oguchi: port number pool table 348, with columns “Port Number,” “Usage Status,” “Port Number Using Control Apparatus Address,” and “Port Number Using Process Number.”]

Figure 9 of Oguchi depicts an example of the port number pool table 348.

We find that the table depicted in Figure 9 of Oguchi corresponds to the limitation of claim 2 reciting “a list of assignable port numbers for each remote source client” and conclude that the Examiner did not err in so finding. We therefore sustain the Examiner’s rejection of claim 2.

C. Claim 6

Issue

Appellants argue that the combined cited prior art references fail to teach or suggest operations that are performed upon receiving a packet on a connection at a server from a remote source computer. App. Br. 13. We therefore address the issue of whether the Examiner so erred.

Analysis

Appellants argue that claim 6 is directed to a method performed in a server that receives an inbound packet over an existing connection; the actions at the server are for the purpose of determining whether or not to accept a packet already received on the connection. App. Br. 13. According to Appellants, Hines and Crump teach operations that are performed as part of a process of determining whether a connection can be established. Id. Appellants contend that the references do not teach or suggest operations performed at a server for the purpose of determining whether to accept or reject a packet that has already been received over an existing connection. Id. Nor, argue Appellants, do the references teach or suggest operations for preventing duplicate source conflicts by associating a different port number with packets received over a previously established connection. Id.

The Examiner responds that Hines teaches a servlet initiated on an application server whose purpose is to authenticate the user, establish a session and assign a port number. Ans. 13 (citing Hines, ¶¶ [0076], [0101], FIG. 5). The Examiner finds that if the user is authenticated, the servlet sends a message to a connection manager 115, requesting that a connection be established with the specified session on the given port number. Ans. 13-14 (citing Hines, FIG. 5). The connection manager then initializes the agent 900 (FIG. 5) that has an established connection to the database server 1000. Ans. 14 (citing Hines, FIG. 5).
The Examiner finds that Hines teaches that the server agent will service only the Applet Agent 430 with the specified session and port number, and the session and port number are only valid until the session is terminated by the user. Ans. 14 (citing Hines, FIG. 5).

The Examiner also finds that Pouseele teaches an ISA (Internet Security and Acceleration) server that accepts remote calls (receiving a packet originating at a remote source client computer) and detects a NAPT (network address and port translation) device along a communications path. The Examiner finds that Pouseele also teaches a UDP (user datagram protocol) Encapsulated ESP (encapsulating security payload) format and de-encapsulating IP (internet protocol) Encapsulating Security Payload packets inside a UDP packet (determining if a packet has been translated by a network address port translator and contains an encapsulated encrypted packet, if the packet has been translated). Ans. 16 (citing Pouseele, section 4.2).

We are persuaded by the Examiner’s reasoning. Pouseele teaches:

In platforms that support Winsock 2.0, the client is implemented as a layered service provider (LSP). On other platforms, the client setup application renames the original Winsock DLL [dynamic-link library] (wsock32.dll) and installs its own implementation of wsock32.dll. The Firewall client communicates with the Firewall service by using a dedicated connection called the Firewall client control channel. The control channel connection is established the first time it is needed. When a client application calls a Winsock function, the client DLL intercepts the call and decides, based on the specified request and the firewall service configuration files, whether the call is local or remote. Local calls are passed to the original Winsock implementation. Remote calls are redirected to the firewall service.
In general, all TCP [transmission control protocol]/UDP requests for non-LAT [local address table] destinations are redirected by the Firewall client software to the Firewall service on ISA server. This is done by rewriting the original Winsock call and replacing some parameters, such as the destination IP address and destination port number, with those negotiated along the Firewall client control channel. Take note that the new destination IP address will be the Internal IP address of the ISA server.

Pouseele, § 4.2; see also Figure, p. 9.

We therefore agree with the Examiner that Pouseele teaches the required operations that are performed upon receiving a packet on a connection at a server from a remote source computer, as required by claim 6. We therefore conclude that the Examiner did not err in finding that the combined cited prior art references teach the disputed limitations of claim 6.

DECISION

The Examiner’s rejection of claims 1, 2, 4, 6, 7, 9, 10, 12, 14, 15, 17, 18, 20, 22, and 23 under 35 U.S.C. § 103(a) is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED