In re patent of Munger et al.

U.S. Patent No. 6,502,135

Filed: February 15, 2000

Issued: December 31, 2002

Title: AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS WITH ASSURED SYSTEM AVAILABILITY

Attorney Docket No.: 43614.92

REQUEST FOR Inter Partes REEXAMINATION

Customer No.: 27683

Real Party in Interest: Cisco Systems, Inc.

REQUEST FOR INTER PARTES REEXAMINATION

Mail Stop Inter Partes Reexam
Hon. Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

Dear Sir:

Pursuant to the provisions of 35 U.S.C. §§ 311-318, David L. McCombs ("Requester") hereby requests, on behalf of Cisco Systems, Inc., the real party in interest, inter partes reexamination of claims 1-18 (all of the claims) of United States Patent No. 6,502,135 ("the '135 patent," Ex. A), which issued on December 31, 2002, to Munger et al.

This request presents prior art references that are better than, and non-cumulative of, the prior art considered during the original prosecution of the '135 patent and during a first reexamination proceeding, Reexamination Control No. 95/001,269. Claims 1-18 (all of the claims) are invalid over these new references. Requester asks that reexamination be ordered and that all of the claims be rejected and ultimately canceled.

The '135 patent is the subject of pending litigation, VirnetX, Inc. v. Cisco Systems, Inc., Case No. 6:10-cv-417 (E.D. Tex. filed Aug. 11, 2010). No final decision has been entered in that case.

In accordance with 37 C.F.R. § 1.915(b)(7), Cisco Systems, Inc. hereby certifies that the estoppel provisions of 37 C.F.R. § 1.907 do not prohibit this request for inter partes reexamination.

VIRNETX EXHIBIT 2006
New Bay Capital v. VirnetX
Case IPR2013-00375

Page 1 of 28

Request for Inter Partes Reexamination
U.S. Patent No. 6,502,135

TABLE OF CONTENTS

I. Introduction ... 3
II. Description of the '135 Patent ... 4
III. Prosecution and Reexamination History of the '135 Patent ... 5
  A. Initial Prosecution of the '135 Patent ... 5
  B. The Microsoft Reexamination of the '135 Patent ... 6
  C. The Effective Priority Date of the Claims in the '135 Patent ... 8
IV. Statement Pointing Out Substantial New Questions of Patentability ... 8
  A. Kiuchi Presents a Substantial New Question of Patentability ... 9
  B. Wesinger Presents a Substantial New Question of Patentability ... 10
  C. Solana Presents a Substantial New Question of Patentability ... 12
  D. Aziz Presents a Substantial New Question of Patentability ... 15
  E. Summary of the Remaining Prior Art ... 16
    (i) Sedayao ... 17
    (ii) Juels ... 17
    (iii) RFC 1123 ... 17
    (iv) Martin ... 17
    (v) Karr ... 18
    (vi) Denning ... 18
    (vii) Dalton ... 18
    (viii) Bellovin ... 18
    (ix) RFC 1034 ... 19
V. Detailed Explanation of the Pertinency and Manner of Applying the Prior Art to the Claims ... 19
  A. Claim Construction ... 19
  B. Listing of Prior Art Patents and Printed Publications ... 19
  C. Statutory Bases for Proposed Rejections of the Claims ... 21
  D. Detailed Explanation of the Manner of Applying Kiuchi to the Claims ... 21
  E. Detailed Explanation of the Manner of Applying Wesinger to the Claims ... 22
  F. Detailed Explanation of the Manner of Applying Solana to the Claims ... 22
  G. Detailed Explanation of the Manner of Applying Aziz to the Claims ... 23
VI. List of Exhibits ... 25
VII. Conclusion ... 27
VIII. Certificate of Service ... 28

I. Introduction

The claims of U.S. Pat. No. 6,502,135 describe transparently creating a virtual private network ("VPN") in response to a Domain Name Service ("DNS") request. The Patent Office has twice identified this feature, creating a VPN in response to a DNS request, in deciding to allow or confirm the claims. In the original prosecution, the applicants successfully argued this feature to distinguish over the Examiner's rejections. In the previously filed inter partes reexamination, the Examiner found that the submitted prior art, with the exception of the Aventail reference, failed to adequately teach "establishing a VPN based on a DNS request for an IP address" or "using domain name resolution to establish a VPN."[1]

Unknown to those earlier Examiners, however, others developed and publicized the same technology of creating a VPN in response to a DNS request more than a year earlier than the applicants for the '135 patent. This request shows how the claims of the '135 patent are invalid over four primary references. For example, the Kiuchi reference describes how a client sends a DNS request to a specialized name server. The specialized name server responds with the target computer's address and encryption key. The client then begins communicating securely with the target computer using the encryption key. Thus, Kiuchi teaches that a DNS request is used to initiate a virtual private network connection.

Another reference, Wesinger, teaches that when a client requests the address for a host name, a DNS server returns the IP address of an envoy that will provide a transparent virtual private network connection to the requested host. The other references, Solana and Aziz, similarly provide new, non-cumulative disclosures of creating a VPN in response to a DNS request.

All four references present substantial new questions of patentability because their teachings undermine the earlier reasons for allowing or confirming the '135 patent claims. Although Aziz and Wesinger are listed on the face of the '135 patent, the substance of their teachings was never discussed during prosecution or the previously filed reexamination. Because they have never been considered on the record, this request presents them in a new light and they present substantial new questions of patentability.

Requester therefore asks that an Order for Reexamination be issued and that the reexamination proceeding continue on to reject and cancel claims 1-18 of the '135 patent.

[1] The Examiner failed to find evidence of the publication date of the Aventail reference and withdrew his rejections based on the Aventail reference for that reason. See, e.g., § III.B. herein.

II. Description of the '135 Patent

The '135 patent currently has 18 total claims and four independent claims: claims 1, 10, 13, and 18. Independent claims 1, 10, and 13 were in the originally filed application, while claim 18 was added during the prior reexamination of the '135 patent.

Each of the independent claims describes a method (claims 1, 13, and 18) or a system (claim 10) for establishing a virtual private network ("VPN") between two computers. Fig. 26 illustrates a "system employing a DNS proxy server with transparent VPN creation."[2] Fig. 27 "shows steps that can be carried out to implement transparent VPN creation based on a DNS look-up function."[3]

['135 Patent, Fig. 26: system employing a DNS proxy server with transparent VPN creation (reference numerals 2604 and 2611 shown).]

['135 Patent, Fig. 27: flowchart of transparent VPN creation based on a DNS look-up function, with steps 2701, 2702, 2703, 2705 and 2706; the branches labelled in the figure include "PASSTHRU REQUEST TO DNS SERVER" and "RETURN 'HOST UNKNOWN' ERROR".]

[2] '135 Patent, 7:20-21.
[3] '135 Patent, 7:22-23.

For example, claim 1 recites:

    1. A method of transparently creating a virtual private network (VPN) between a client computer and a target computer, comprising the steps of:

    (1) generating from the client computer a Domain Name Service (DNS) request that requests an IP address corresponding to a domain name associated with the target computer;

    (2) determining whether the DNS request transmitted in step (1) is requesting access to a secure web site; and

    (3) in response to determining that the DNS request in step (2) is requesting access to a secure target web site, automatically initiating the VPN between the client computer and the target computer.
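The three steps of claim 1, together with the two branches named in Fig. 27 (pass the request through to the DNS server, or return a "host unknown" error), can be made concrete as a small DNS proxy. The Python below is an added example written for this page; it is not code from the '135 patent or from any party to the proceeding. Everything in it is constructed for illustration: the DNS wire-format helpers, the table of secure sites, the set of authorized clients and the upstream zone. The page does not say which condition leads to the "host unknown" branch, so the example assumes a client-authorization check there, and it hands the client the VPN endpoint's address as the DNS "answer" so that the tunnel stays transparent to the application.

```python
import struct

NOERROR, NXDOMAIN = 0, 3   # DNS RCODEs; NXDOMAIN plays the part of "host unknown"


def encode_name(name):
    """Encode a domain name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, name):
    """A minimal A-record query with RD set, as the client resolver sends it (claim step (1))."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_query(pkt):
    """Return (id, qname, qtype) from the question section; rejects compression pointers."""
    qid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    (qtype,) = struct.unpack("!H", pkt[pos:pos + 2])
    return qid, ".".join(labels), qtype


def build_response(query, rcode, ip=None):
    """Echo the question with QR/RD/RA set; append one A record when an ip is given."""
    qid, qname, _ = parse_query(query)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # NAME = pointer to offset 12 (the question), TYPE A, CLASS IN, TTL 0, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + rdata
    return header + question + answer


def rcode_of(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0xF


def answer_ip(resp):
    """Dotted quad of the single A record in a build_response() answer, or None if ANCOUNT is 0."""
    return ".".join(str(b) for b in resp[-4:]) if struct.unpack("!H", resp[6:8])[0] else None


class DnsProxy:
    """Fig. 27 as code: intercept the DNS request (2701), decide whether it names a secure
    site (2702), then pass it through (2703), refuse it (2705) or initiate the VPN (2706)."""

    def __init__(self, secure_sites, authorized_clients, upstream):
        self.secure_sites = secure_sites            # hostname -> VPN endpoint address
        self.authorized_clients = authorized_clients
        self.upstream = upstream                    # callable: hostname -> ip or None
        self.vpns = []                              # tunnels initiated: (client, host, endpoint)

    def handle(self, packet, client):
        _qid, qname, _qtype = parse_query(packet)                    # 2701: request received
        if qname not in self.secure_sites:                           # 2702: not a secure site
            ip = self.upstream(qname)                                # 2703: pass through
            return "passthru", build_response(packet, NOERROR if ip else NXDOMAIN, ip)
        if client not in self.authorized_clients:                    # assumed check -> 2705
            return "host_unknown", build_response(packet, NXDOMAIN)
        endpoint = self.secure_sites[qname]                          # 2706: initiate the VPN
        self.vpns.append((client, qname, endpoint))
        return "vpn", build_response(packet, NOERROR, endpoint)


# Constructed sample data for a stand-alone run (no real hosts).
PUBLIC_ZONE = {"www.example.test": "192.0.2.10"}
SECURE_SITES = {"secure.example.test": "198.51.100.1"}   # address that terminates the tunnel


def demo():
    proxy = DnsProxy(SECURE_SITES, {"client-a"}, PUBLIC_ZONE.get)
    results = {}
    for client, host in [("client-a", "secure.example.test"),
                         ("client-b", "secure.example.test"),
                         ("client-a", "www.example.test"),
                         ("client-a", "nosuch.example.test")]:
        action, resp = proxy.handle(build_query(0x1234, host), client)
        results[(client, host)] = (action, rcode_of(resp), answer_ip(resp))
    return results, proxy.vpns


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, value)
```

The point the claim turns on is visible in `handle`: the decision to build the tunnel is taken from the DNS request alone, before any application traffic flows, and a client that is not permitted to reach the secure site is told the host does not exist rather than being told that it is protected.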

III. Prosecution and Reexamination History of the '135 Patent

A. Initial Prosecution of the '135 Patent

During the prosecution of the application that issued as the '135 patent, the Patent Office rejected thirteen of the pending claims (claims 1-10 and 13-15 of the issued '135 patent) under 35 U.S.C. § 103 as being unpatentable over U.S. Patent No. 6,330,562 to Boden et al. in view of U.S. Patent No. 6,332,158 to Risley et al. The four remaining pending claims (claims 11, 12, 16, and 17 of the issued '135 patent) were objected to as being dependent upon a rejected base claim.[4]

The Applicant traversed the rejections and argued that neither Boden nor Risley taught or suggested "establishing a VPN based on a DNS request for an IP address" or "using domain name resolution to establish a VPN."[5] The Examiner then allowed the claims to issue with no statement of reasons for allowance.[6] The '135 patent then issued on December 31, 2002.

[4] See Ex. B-1, Non-Final Rejection mailed March 13, 2002, pp. 4-6.
[5] Ex. B-1, Applicant Arguments/Remarks Made in an Amendment, June 13, 2002, pp. 3-5.
[6] See Ex. B-1, Notice of Allowance, July 3, 2002.

B. The Microsoft Reexamination of the '135 Patent

In 2009, Microsoft requested inter partes reexamination of claims 1-10 and 12 based on six references.[7] In granting the request, the Examiner focused in particular on the feature emphasized by the applicants during the initial examination. Commenting on the lack of explicit reasons for allowance in the original prosecution, the Examiner summarized the Patent Owner's arguments regarding "establishing a VPN based on a DNS request for an IP address" and noted that "the record suggests that the above noted arguments were persuasive and formed the reasons for allowance."[8]

Accordingly, the Examiner's review of the request focused on the prior art teachings of establishing a VPN in response to a DNS request. For example, in analyzing the "Gauntlet" reference, the Examiner stated:

    [D]uring the prosecution of the '135 patent, the Examiner issued a reasons for allowance after receiving arguments which asserted that the prior art of record failed to teach or suggest "establishing a VPN based on a DNS request for an IP address" or "using domain name resolution to establish a VPN". Therefore, Gauntlet will raise a substantial new question of patentability only if it presents a new teaching pertaining to those claimed limitations which formed a basis for allowance.[9]

[7] The six references are: Aventail Administrator's Guide (hereafter "Aventail"); Gauntlet Firewall for Windows NT, Administrator's Guide (hereafter "Gauntlet"); "Building and Managing Virtual Private Networks," published by David Kosiur in 1998 (hereafter "Kosiur"); Building a Microsoft VPN: A Comprehensive Collection of Microsoft Resources (hereafter "Microsoft VPN"); Microsoft Windows NT Server, Virtual Private Networking: An Overview (hereafter "VPN Overview"); and RFC 1035.
[8] Ex. B-2, Determination - Reexam Ordered, December 31, 2009, p. 3.
[9] Ex. B-2, Determination - Reexam Ordered, December 31, 2009, p. 8.

The Reexamination Examiner found that three issues (the references Aventail, Kosiur, and VPN Overview in view of Aventail) presented substantial new questions of patentability. The Examiner then granted the request for reexamination.[10]

The Examiner declined to enter the proposed rejections based upon Kosiur and VPN Overview. As in the initial determination, the Examiner focused on the limitations for establishing a VPN based on a DNS request for an IP address. For example, the Examiner stated with regard to Kosiur:

    Kosiur fails to teach Claim 1's step of "in response to determining that the DNS request in step (2) is requesting access to a secure target web site, automatically initiating the VPN between the client computer and the target computer." While Kosiur teaches that VPN connections are created dynamically, Kosiur never specifically discloses that the dynamic creation of the VPN connection is automatically initiated in response to determining that the DNS request is requesting access to a secure target website.[11]

The Examiner made similar statements regarding other proposed rejections that were not adopted. However, the Examiner rejected claims 1, 3, 4, 6-10 and 12, finding that Aventail taught each element of those claims, including automatically initiating the VPN in response to determining that the DNS request is requesting access to a secure target website.[12]

In response, the Patent Owner argued two points. First, the Patent Owner argued that Aventail was not prior art because the copyright dates on the face of the Aventail reference were insufficient proof that Aventail was actually published at that time. Second, the Patent Owner argued that the Aventail reference did not teach a virtual private network ("VPN").[13]

The third party requester did not file any comments.

[10] See Ex. B-2, Reexam - Non-Final Action, January 15, 2010, pp. 4-9.
[11] Ex. B-2, Reexam - Non-Final Action, January 15, 2010, p. 13 (internal citation to Kosiur omitted, emphasis added).
[12] See Ex. B-2, Determination - Reexam Ordered, December 31, 2009, pp. 3-15.
[13] See Ex. B-2, Response After Non-Final Action, April 15, 2010, p. 3.

In light of the Patent Owner's arguments, the Reexamination Examiner conducted a search to determine the publication date of the Aventail reference. The Examiner ultimately withdrew the prior rejections because "no evidence was found that established the publication date" of Aventail.[14] There was no further opposition and the reexamination certificate issued on June 7, 2011.

[14] Ex. B-2, Action Closing Prosecution, June 16, 2010, p. 3. The Examiner did not reach the Patent Owner's substantive arguments about Aventail. Id.

C. The Effective Priority Date of the Claims in the '135 Patent

The '135 patent issued December 31, 2002 from U.S. Patent Application No. 09/504,783 ("the '783 application"), which was filed February 15, 2000. The '783 application is a continuation-in-part ("CIP") of U.S. Patent Application No. 09/429,643, filed October 29, 1999, now U.S. Patent No. 7,010,604 ("the '604 patent," attached as Exhibit C-1). The '135 patent also claims priority to provisional application No. 60/106,261, filed on October 30, 1998 (attached as Exhibit C-2), and provisional application No. 60/137,704, filed on June 7, 1999 (attached as Exhibit C-3).

The Requester submits that the earliest effective filing date for the claims of the '135 patent is the actual filing date of the corresponding application, February 15, 2000. The earlier-filed applications lack an enabling disclosure and written description support for various limitations that appear in all of the independent claims. But because the prior art references relied on in this request predate even the earliest cited provisional application, the issue is not currently relevant to this request and will not be analyzed in detail.

IV. Statement Pointing Out Substantial New Questions of Patentability

As discussed above, the claims of the '135 patent were allowed because the prior art of record failed to teach or suggest "establishing a VPN based on a DNS request for an IP address" or "using domain name resolution to establish a VPN." As shown below, each of the four primary references presented in this request (Kiuchi, Wesinger, Solana, and Aziz) independently teaches this limitation. These teachings present substantial new questions of patentability not previously considered by the Patent Office.

A. Kiuchi Presents a Substantial New Question of Patentability

"C-HTTP - The Development of a Secure, Closed HTTP-based Network on the Internet" by Takahiro Kiuchi and Shigekoto Kaihara was published in the Proceedings of the Symposium on Network and Distributed System Security, 1996. This publication was publicly available more than one year before the '135 patent's earliest claimed priority date of Oct. 30, 1998 and is prior art under 35 U.S.C. § 102(b). A copy of Kiuchi is attached as Exhibit D-1. Kiuchi has not been previously cited to the Patent Office.

Similar to the '135 patent, Kiuchi was concerned with establishing secure network links between different hosts on the Internet. Kiuchi sought to develop a secure network by which medical information, including sensitive clinical trial documents, could be shared between different institutions.

To accomplish this goal, Kiuchi describes a system with "a client-side proxy, a server-side proxy and a C-HTTP name server." (Kiuchi, Abstract.) The client- and server-side proxies "communicate with each other using a secure, encrypted protocol," forming a virtual private network as claimed in the '135 patent.

Kiuchi teaches that the secure, encrypted connection is initiated in response to a request for an IP address sent to a name server:

    A client-side proxy asks the C-HTTP name server whether it can communicate with the host specified in a given URL.... If the connection is permitted, the C-HTTP name server sends the IP address and public key of the server-side proxy and both request and response Nonce values .... When the C-HTTP name server confirms that the specified server-side proxy is an appropriate closed network member, a client-side proxy sends a request for connection to the server-side proxy, which is encrypted using the server-side proxy's public key ....[15]

In short, Kiuchi's client-side proxy sends a request to a name server, and in response receives a public key for the server-side proxy. The client-side proxy then sends an encrypted message to the server-side proxy. This encrypted communication link forms a virtual private network. Thus, Kiuchi teaches "establishing a VPN based on a DNS request for an IP address," the exact limitation that was missing in the prior art previously considered by the Patent Office. This teaching presents a substantial new question of patentability relative to the claims of the '135 patent.

[15] Kiuchi p. 65 (emphasis added).

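The exchange Kiuchi describes (a name lookup that returns the peer proxy's IP address, public key and two nonces, followed by a connection request encrypted under that public key) is played out below with all three parties in one process. This is an added example written for this page, not code from Kiuchi, from the '135 patent or from any party. Its assumptions: the closed-network membership table, host names and addresses are constructed; textbook RSA with small fixed primes stands in for the public-key cipher (illustration only, not secure); and the server-side proxy proving membership by confirming the request nonce with the name server and returning the response nonce is a modelling choice, since the page does not say how the nonces are consumed.

```python
import hashlib
import os


# Toy public-key cipher: textbook RSA with tiny fixed primes. Illustration only; not secure.
def rsa_keypair(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public key, private key)


def rsa_encrypt(pub, data: bytes) -> bytes:
    n, e = pub                                      # each byte becomes a 2-byte residue mod n
    return b"".join(pow(b, e, n).to_bytes(2, "big") for b in data)


def rsa_decrypt(priv, data: bytes) -> bytes:
    n, d = priv
    return bytes(pow(int.from_bytes(data[i:i + 2], "big"), d, n) for i in range(0, len(data), 2))


class CHttpNameServer:
    """The C-HTTP name server: knows the closed network's members and who may reach whom."""

    def __init__(self, members, permitted):
        self.members = members        # server-side proxy name -> (ip, public key)
        self.permitted = permitted    # set of (client-side proxy name, server-side proxy name)
        self.issued = {}              # request nonce -> (client, server, response nonce)

    def lookup(self, client: str, url: str):
        """The client-side proxy asks whether it may talk to the host in the URL; if permitted,
        it receives the server-side proxy's IP, public key and both nonces."""
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if host not in self.members or (client, host) not in self.permitted:
            return None                                   # connection not permitted
        ip, pub = self.members[host]
        req_nonce, resp_nonce = os.urandom(8), os.urandom(8)
        self.issued[req_nonce] = (client, host, resp_nonce)
        return {"ip": ip, "pubkey": pub, "request_nonce": req_nonce, "response_nonce": resp_nonce}


class ServerSideProxy:
    def __init__(self, name: str, priv, name_server: CHttpNameServer):
        self.name, self.priv, self.ns, self.session_key = name, priv, name_server, None

    def accept(self, ciphertext: bytes):
        """Decrypt the connection request with the private key. Assumption (not stated on the
        page): the server-side proxy confirms the request nonce with the name server and
        answers with the response nonce so the client can tell it is a genuine member."""
        plain = rsa_decrypt(self.priv, ciphertext)
        req_nonce, client = plain[:8], plain[8:].decode("ascii")
        record = self.ns.issued.get(req_nonce)
        if record is None or record[0] != client or record[1] != self.name:
            return None
        resp_nonce = record[2]
        self.session_key = hashlib.sha256(req_nonce + resp_nonce).digest()
        return resp_nonce


class ClientSideProxy:
    def __init__(self, name: str, name_server: CHttpNameServer):
        self.name, self.ns = name, name_server

    def connect(self, url: str, network):
        """Run the whole exchange; `network` maps IP -> ServerSideProxy in place of sockets."""
        answer = self.ns.lookup(self.name, url)             # the name lookup comes first
        if answer is None:
            return None                                      # refused: no tunnel is built
        request = answer["request_nonce"] + self.name.encode("ascii")
        ciphertext = rsa_encrypt(answer["pubkey"], request)  # under the server's public key
        resp_nonce = network[answer["ip"]].accept(ciphertext)
        if resp_nonce != answer["response_nonce"]:
            return None                                      # peer could not prove membership
        return hashlib.sha256(answer["request_nonce"] + resp_nonce).digest()   # session key


def demo():
    """Constructed closed network: one permitted client-side proxy and one outsider."""
    pub, priv = rsa_keypair()
    ns = CHttpNameServer(members={"trial.hospital-b.test": ("10.0.0.2", pub)},
                         permitted={("proxy.hospital-a.test", "trial.hospital-b.test")})
    server = ServerSideProxy("trial.hospital-b.test", priv, ns)
    network = {"10.0.0.2": server}
    url = "http://trial.hospital-b.test/docs"
    key = ClientSideProxy("proxy.hospital-a.test", ns).connect(url, network)
    refused = ClientSideProxy("proxy.outsider.test", ns).connect(url, network)
    return key, refused, server.session_key
```

What the example makes visible is the ordering the brief relies on: nothing is encrypted, and no peer address is even known, until the name server has answered; the answer itself (address, key, nonces) is what bootstraps the encrypted link, and a lookup the name server refuses never produces a tunnel.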
B. Wesinger Presents a Substantial New Question of Patentability

U.S. Pat. No. 5,898,830 to Wesinger, Jr. et al., entitled "Firewall providing enhanced network security and user transparency," was filed on October 17, 1996, and issued April 27, 1999. Wesinger is prior art under 35 U.S.C. § 102(e). A copy of Wesinger is attached as Exhibit D-2. Wesinger was noted as a relevant disclosure during the initial prosecution of the '135 patent, but was never discussed or analyzed by the patent owner or Examiner.

Wesinger describes an enhanced firewall used to securely route information between different parts of a network or across an insecure network. As described by Wesinger, the enhanced firewall system provides "programmable transparency ... achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface."[16] These DNS mappings and virtual hosts are used to establish virtual private networks:

    Furthermore, the firewalls may be configured to also transparently perform any of various kinds of channel processing, including various types of encryption and decryption, compression and decompression, etc. In this way, virtual private networks may be established whereby two remote machines communicate securely, regardless of the degree of proximity or separation, in the same manner as if the machines were on the same local area network.[17]

As shown in Fig. 1 of Wesinger, these firewalls are used to isolate each portion of the network:

[Wesinger, Fig. 1]

Referring to the computers "C" and "D" in the lower portion of Fig. 1, Wesinger teaches that when a client "C" sends a DNS request for the IP address of host "D", it receives in response the network address for a virtual host on a firewall:

    When client C tries to initiate a connection to host D using the name of D, DNS operates in the usual manner to propagate a name request to successive levels of the network until D is found. The DNS server for D returns the network address of D to a virtual host on the firewall 155. The virtual host returns its network address to the virtual host on the firewall 157 from which it received the lookup request, and so on, until a virtual host on the firewall 105 returns its network address (instead of the network address of D) to the client C. This activity is all transparent to the user.[18]

The firewall's virtual host, in turn, provides transparent encryption and other security processing to enable a virtual private network connection:

    Furthermore, the firewalls may be configured to also transparently perform any of various kinds of channel processing, including various types of encryption and decryption, compression and decompression, etc. In this way, virtual private networks may be established whereby two remote machines communicate securely, regardless of the degree of proximity or separation, in the same manner as if the machines were on the same local area network.[19]

Referring again to Fig. 1, Wesinger teaches that "on the network segment between firewall 105 and 107, DES encryption might be used."[20] This encryption processing, which supports the security available to the virtual private network, is automatically performed by the virtual host on the firewall:

    Once the connection has been allowed, the virtual host process invokes code 818 that performs protocol-based connection processing and, optionally, code 823 that performs channel processing (encryption, decryption, compression, decompression, etc.).[21]

In summary, Wesinger teaches responding to a client's DNS request with the address of a virtual host that will transparently provide a virtual private network connection to the requested destination. Wesinger discloses "establishing a VPN based on a DNS request for an IP address," the exact limitation that was missing in the prior art previously considered by the Patent Office. Thus, Wesinger presents a substantial new question of patentability relative to the claims of the '135 patent.

[16] Wesinger, 4:22-25.
[17] Wesinger, 4:38-46 (emphasis added).
[18] Wesinger, 9:16-20 (emphasis added).
[19] Wesinger, 4:39-46 (emphasis added).
[20] Wesinger, 12:12-14.
[21] Wesinger, 17:1-5 (emphasis added).

C. Solana Presents a Substantial New Question of Patentability

"Flexible Internet Secure Transactions Based on Collaborative Domains" by Eduardo Solana and Jürgen Harms was published at the Security Protocols Workshop in 1997. This publication was publicly available before the '135 patent's earliest priority date of Oct. 30, 1998 and is prior art under 35 U.S.C. § 102(a). Solana was also publicly available more than one year before the '135 patent's earliest effective filing date of Feb. 15, 2000 and is prior art under 35 U.S.C. § 102(b). A copy of Solana is attached as Exhibit D-3. Solana has not been previously cited to the Patent Office.

Solana takes a more global view of network security, suggesting that a global Directory Service (DS) built using the existing domain name service (DNS) be used to securely exchange cryptographic keys for secure communications between different security domains:

    A coordinated, global Directory Service (DS) holding naming information and especially certificates that securely bind domains to their public keys is also required and constitutes the cryptographic support for inter-domain transactions. As mentioned, existing naming infrastructures (DNS-sec, X.509) might be used for this purpose.[22]

Fig. 1 of Solana (below) shows the DNS-based Directory Service (DS), along with the secured and encrypted channels (the "VPN" links):

[Solana, Fig. 1: Collaborative Domains Architecture. Legend: DS = Directory Service; UNI = Uniform Naming Information; LAD = Local Authentication Database; DKH = Domain Key Holder; DBS = Domain Border System. Channel types drawn: authenticated channel; authenticated and encrypted channel; end-to-end secure extension. The figure shows an initiator in a Source Domain and a responder in a Destination Domain, with LAD, D-DKH, D-DBS and S-DBS elements, and a DS holding public-key (PubK) and UNI entries.]

Solana teaches establishing a VPN based on a DNS request for an IP address. Specifically, Solana teaches using a request to the DNS-based Directory Service (DS) to obtain the encryption keys required for virtual private network communications:

    The initiator generates the same header as in the precedent case (Session Key + responder UNI) and then issues a DS query to obtain the destination domain public key for header encryption. Finally, the whole packet together with the decryption information is submitted directly to the responder.[23]

As previously noted, Solana suggests building the Directory Service (DS) on top of the DNS architecture. Thus, a "DS query" is a Domain Name Service (DNS) request as recited in the '135 patent claims. Solana also teaches automatically generating a VPN in response to this request:

    Inter-domain confidentiality. The source DBS acts as encryptor for the outgoing transactions, using the public key (obtained from the DS) of the destination domain(s) .... The functionality offered by the DBSs in this scheme is often known as secure gatewaying. The main advantage of inter-domain confidentiality lies in the fact that services may be provided transparently to the parties involved in the transaction.[24]

Solana's transparently encrypted transactions form a virtual private network. Thus, Solana teaches automatically "establishing a VPN based on a DNS request for an IP address," the exact limitation that was missing in the prior art previously considered by the Patent Office. Accordingly, Solana presents a substantial new question of patentability relative to the claims of the '135 patent.

[22] Solana, p. 43.
[23] Solana, p. 46.
[24] Solana, pp. 44-45 (emphasis added).

D. Aziz Presents a Substantial New Question of Patentability

U.S. Patent 6,119,234 to Aziz, Jr., et al., entitled "Method and apparatus for client-host communication over a computer network," was filed on June 27, 1997. The patent issued September 12, 2000 and is prior art under 35 U.S.C. § 102(e). A copy of Aziz is attached as Exhibit D-4. Aziz was cited in an IDS during the previous reexamination of the '135 patent, but was never previously discussed by the patent owner or Examiner.

Aziz teaches extending the standard Domain Name Service (DNS) system to allow a name server to facilitate the creation of a virtual private network based on a DNS request:

    The registered name server for a domain is configured to return a new resource record type, herein called an SX record, in response to requests for information needed for secure communications with protected hosts in that domain. The resolver on (or otherwise associated with) the authorized client is configured to use the data in the SX record to dynamically update the information used by the client to handle secure communications.[25]

The new type of record returned by Aziz's name server is the "SX record," which stands for a "Security Exchanger" record. The SX record identifies the secure gateway that can be used to establish a virtual private network link with a remote network. Aziz describes how a resolver (software on the client computer) uses the SX record to create an encrypted tunnel connection with a target host:

    Therefore, at step 415 of FIG 4A, the first response that the resolver 225 receives to the address query from application 215 includes an A record for inside host 140 and an SX record identifying firewall 110 as the corresponding secure exchanger .... Once resolver 225 receives all these records, execution proceeds at step 430, where resolver 225 creates a tunnel map entry 500, such as the one illustrated in FIG. 5, which is used by crypto-processor 230 to encrypt messages to inside host 140.[26]

The "address query" is the DNS request for an IP address, and the SX record identifies the necessary information for the VPN link with the secure site ("inside host 140"). Aziz then specifies that the next communication is automatically encrypted using this information:

    The query from application 215 for the address of inside host 140 is subsequently encrypted by crypto-processor 230 using field1 510, field2 520, and field3 530 of the last tunnel map entry 500.[27]

Using the data returned from the name server to automatically encrypt subsequent communications shows "establishing a VPN based on a DNS request for an IP address," the exact limitation that was missing in the prior art previously considered by the Patent Office.

[25] Aziz, Abstract.
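Aziz's mechanism, an additional resource record in the name server's answer telling the resolver which security exchanger protects the host, is sketched below as an added example written for this page; it is not code from the Aziz patent, from the '135 patent or from any party. Assumptions: the zone contents, record layout, host names and addresses are constructed; the three tunnel-map fields (protected host address, exchanger address, key identifier) are a guess at what the page calls field1, field2 and field3, which it does not define; and the "crypto-processor" is reduced to a lookup in the tunnel map plus a toy stream cipher, with the exchanger's decryption shown so the round trip can be checked. The resolver also handles the two cases the passage implies: a host with no SX record is reached in the clear, and an SX record naming an exchanger the answer gives no address for is rejected rather than silently sending traffic unprotected.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "A", or the SX type Aziz adds
    rdata: str   # A: dotted quad; SX: "<exchanger name> <key id>" (layout assumed)


@dataclass(frozen=True)
class TunnelMapEntry:
    field1: str  # protected host address (assumed meaning of field1)
    field2: str  # security exchanger address (assumed meaning of field2)
    field3: str  # identifier of the key shared with that exchanger (assumed meaning of field3)


class NameServer:
    """Registered name server: answers the A query and, for a protected host, adds the SX
    record together with the exchanger's own A record so the resolver can reach it."""

    def __init__(self, zone: List[Record]):
        self.zone = zone

    def query(self, name: str) -> List[Record]:
        answers = [r for r in self.zone if r.name == name and r.rtype in ("A", "SX")]
        for r in list(answers):
            if r.rtype == "SX":
                exch = r.rdata.split()[0]
                answers += [g for g in self.zone if g.name == exch and g.rtype == "A"]
        return answers


class Resolver:
    """Client-side resolver (Aziz's 225): resolves names and maintains the tunnel map (500)."""

    def __init__(self, ns: NameServer):
        self.ns = ns
        self.tunnel_map: Dict[str, TunnelMapEntry] = {}   # protected host address -> entry

    def resolve(self, name: str) -> Optional[str]:
        records = self.ns.query(name)
        addrs = {r.name: r.rdata for r in records if r.rtype == "A"}
        if name not in addrs:
            return None
        for r in records:
            if r.rtype == "SX" and r.name == name:            # step 430: build the tunnel map entry
                exch, key_id = r.rdata.split()
                if exch not in addrs:
                    raise ValueError("SX record names an exchanger with no address")
                self.tunnel_map[addrs[name]] = TunnelMapEntry(addrs[name], addrs[exch], key_id)
        return addrs[name]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256; illustration only, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CryptoProcessor:
    """Aziz's crypto-processor (230) in miniature: packets to a protected host are encrypted
    under the tunnel-map key and addressed to the exchanger; everything else goes in the clear."""

    def __init__(self, resolver: Resolver, keys: Dict[str, bytes]):
        self.resolver, self.keys = resolver, keys

    def send(self, dst_ip: str, payload: bytes) -> Tuple[str, str, bytes]:
        entry = self.resolver.tunnel_map.get(dst_ip)
        if entry is None:
            return "clear", dst_ip, payload
        nonce = os.urandom(8)
        inner = dst_ip.encode() + b"\x00" + payload             # inner header: real destination
        return "tunnel", entry.field2, nonce + keystream_xor(self.keys[entry.field3], nonce, inner)


def exchanger_receive(keys: Dict[str, bytes], key_id: str, packet: bytes) -> Tuple[str, bytes]:
    """What the security exchanger does with a tunnelled packet: decrypt, then forward inside."""
    nonce, body = packet[:8], packet[8:]
    dst, payload = keystream_xor(keys[key_id], nonce, body).split(b"\x00", 1)
    return dst.decode(), payload


# Constructed sample zone and key table (no real hosts).
ZONE = [
    Record("inside.example.test", "A", "10.1.0.140"),
    Record("inside.example.test", "SX", "fw.example.test key-110"),
    Record("fw.example.test", "A", "203.0.113.110"),
    Record("www.example.test", "A", "203.0.113.80"),
]
KEYS = {"key-110": hashlib.sha256(b"constructed shared key for fw.example.test").digest()}


def demo():
    resolver = Resolver(NameServer(ZONE))
    cp = CryptoProcessor(resolver, KEYS)
    inside, www = resolver.resolve("inside.example.test"), resolver.resolve("www.example.test")
    mode_t, outer_t, pkt_t = cp.send(inside, b"GET /trial-data")
    mode_c, outer_c, pkt_c = cp.send(www, b"GET /public")
    return {"inside": inside, "www": www, "tunnel": (mode_t, outer_t),
            "clear": (mode_c, outer_c, pkt_c), "recovered": exchanger_receive(KEYS, "key-110", pkt_t),
            "map": dict(resolver.tunnel_map)}
```

The design point worth noticing is where the policy lives: the client never consults a separate VPN configuration, because the name server's answer to the ordinary address query carries the extra record that turns on tunnelling for that host, which is exactly the "DNS request first, VPN as a consequence" ordering the brief attributes to Aziz.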

Accordingly, Aziz presents a su