IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re patent of Munger et al.
U.S. Patent No. 7,490,151
Filed: September 30, 2002
Issued: February 10, 2009
Title: ESTABLISHMENT OF A SECURE COMMUNICATION LINK BASED ON A DOMAIN NAME SERVICE (DNS) REQUEST
Attorney Docket No.: 43614.99
Customer No.: 27683
Real Party in Interest: Cisco Systems, Inc.

REQUEST FOR INTER PARTES REEXAMINATION

Mail Stop Inter partes Reexam
Hon. Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

Dear Sir:

Pursuant to the provisions of 35 U.S.C. §§ 311-318, David L. McCombs ("Requester") hereby requests inter partes reexamination of claims 1-16 (all of the claims) of United States Patent No. 7,490,151 that issued on February 10, 2009, to Munger et al. ("the '151 patent," Ex. A), on behalf of Cisco Systems Inc., the real party in interest. In accordance with 37 C.F.R. § 1.915(b)(7), Cisco Systems Inc. hereby certifies that the estoppel provisions of 37 C.F.R. § 1.907 do not prohibit this request for inter partes reexamination.

This request presents prior art references that are better than and non-cumulative of the prior art that was considered during the original prosecution of the '151 patent. Claims 1-16 (all of the claims) are invalid over these new references. Requester asks that reexamination be ordered and that all of the claims be rejected and ultimately canceled.

The '151 patent is the subject of a co-pending request for reexamination, control number 95/001,697 ("the '697 request"), filed on behalf of Apple, Inc. The '697 request cites different references and proposes different rejections than in this request. The '151 patent is also the subject of pending litigation, styled VirnetX Inc. v. Cisco Systems, Inc., Case No. 6:10-cv-417 (E.D. Tex. filed Aug. 11, 2010). No final decision has been entered in that case.

VIRNETX EXHIBIT 2003
New Bay Capital v. Virnetx
Case IPR2013-00376
Page 1 of 24

Request for Inter partes Reexamination
U.S. Patent No. 7,490,151

TABLE OF CONTENTS

I. Introduction
II. Description of the '151 Patent
III. History of the '151 Patent
    A. Prosecution of the '151 Patent
    B. The Effective Priority Date of the Claims in the '151 Patent
    C. Prior Litigation
IV. Statement Pointing Out Substantial New Questions of Patentability
    A. Kiuchi Presents a Substantial New Question of Patentability
    B. Wesinger Presents a Substantial New Question of Patentability
    C. Blum Presents a Substantial New Question of Patentability
    D. Aziz Presents a Substantial New Question of Patentability
    E. Summary of the Remaining Prior Art
        (i) Edwards
        (ii) Martin
        (iii) RFC 1034
        (iv) RFC 1035
        (v) RFC 1123
        (vi) RFC 1945
V. Detailed Explanation of the Pertinency and Manner of Applying the Prior Art to the Claims
    A. Claim Construction
    B. Listing Of Prior Art Patents And Printed Publications
    C. Statutory Bases for Proposed Rejections of the Claims
    D. Detailed Explanation of the Manner of Applying Kiuchi to the Claims
    E. Detailed Explanation of the Manner of Applying Wesinger to the Claims
    F. Detailed Explanation of the Manner of Applying Blum to the Claims
    G. Detailed Explanation of the Manner of Applying the Combination of Aziz and Edwards to the Claims
    H. Detailed Explanation of the Manner of Applying the Combination of Kiuchi and Edwards to the Claims
    I. Detailed Explanation of the Manner of Applying the Combination of Wesinger and Edwards to the Claims
VI. List of Exhibits
VII. Conclusion
VIII. Certificate of Service

I. Introduction

The claims of U.S. 7,490,151 describe a Domain Name Service ("DNS") module that intercepts DNS requests and automatically initiates an encrypted channel when a requested domain name corresponds to a secure server. In the original prosecution, the Applicants successfully argued these features to distinguish over the Examiner's rejections.

Unknown to the Examiner, however, other people developed and publicized the same technology more than a year earlier than the Applicants for the '151 patent. This request shows how four references raise substantial new questions of patentability and invalidate claims in the '151 patent. For example, the Kiuchi reference describes a firewall computer with a DNS proxy module that intercepts all requests for communication outside the network. The proxy looks up the IP address corresponding to the request and determines whether the request targets a computer that is part of a secure, closed network. If so, the proxy server automatically creates an encrypted tunnel to allow the client to communicate with the secure server. Thus, Kiuchi teaches a DNS proxy module that intercepts DNS requests and automatically initiates an encrypted channel between the client and the server when a request corresponds to a secure server.

Another reference, Blum, teaches a client computer with an enhanced name service provider that intercepts DNS requests from client applications. When a DNS request relates to a remote server, the name service provider engages a transparent proxy to automatically initiate a tunnel to the remote network. The client application can then communicate securely with the remote server through the transparent proxy. Blum describes using Secure Sockets Layer (SSL), an encrypted protocol, as a tunneling protocol between the client and server. Thus, Blum also teaches a DNS proxy module with the features mistakenly believed to be absent from the prior art during the original prosecution.

Two other references also provide highly relevant teachings that were not considered during prosecution. The Wesinger reference describes using virtual hosts and a specialized DNS module to automatically create secure, transparent connections between and among networks. And the Aziz reference similarly teaches a DNS system that automatically provides a target server's encryption keys to a requesting client, which then encrypts messages sent to the target server. Although Wesinger and Aziz are listed on the face of the '151 patent, their teachings were never discussed or analyzed by the Applicants or Examiner during prosecution.

These references provide new, non-cumulative disclosures of intercepting a DNS request and automatically initiating an encrypted channel. They undermine the arguments that led the Examiner to allow the '151 patent claims and raise substantial new questions of patentability. Requester therefore asks that the Office issue an Order for Reexamination and that the reexamination proceed to reject and cancel claims 1-16 of the '151 Patent.

II. Description of the '151 Patent

The '151 patent has 16 total claims and three independent claims: claims 1, 7, and 13. Each of the independent claims describes a data processing device that performs a method (claim 1), or a computer readable medium holding instructions that perform a method (claims 7 and 13). Thus, while not written as a method claim per se, the body of each claim recites method steps.

Fig. 27 "shows steps that can be carried out to implement transparent VPN creation based on a DNS look-up function"[1]:

[FIG. 27 (flowchart, reference numerals 2701-2706). Legible box labels: "RECEIVE DNS REQUEST FOR TARGET SITE"; "PASSTHRU REQUEST TO DNS SERVER"; "RETURN 'HOST UNKNOWN' ERROR"; "ESTABLISH VPN WITH TARGET SITE".]

'151 Patent, Fig. 27

[1] '151 Patent, 7:22-23.

Claim 1 is representative:

    1. A data processing device, comprising memory storing a domain name server (DNS) proxy module that intercepts DNS requests sent by a client and, for each intercepted DNS request, performs the steps of:

    (i) determining whether the intercepted DNS request corresponds to a secure server;

    (ii) when the intercepted DNS request does not correspond to a secure server, forwarding the DNS request to a DNS function that returns an IP address of a nonsecure computer, and

    (iii) when the intercepted DNS request corresponds to a secure server, automatically initiating an encrypted channel between the client and the secure server.
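
The three-branch flow recited in claim 1 can be sketched as follows. This is an added illustration, not code from this request, the '151 patent, or any cited reference; the policy names, the ".secure.example" extension, and the forward/open_channel callables are assumptions. It goes slightly beyond the claim language by parsing the RFC 1035 wire format, normalizing the name before classification (so a secure name is never passed to the ordinary DNS function), and dropping malformed queries.

```python
import struct

# Constructed policy for illustration; these names are assumptions, not from the '151 patent.
SECURE_NAMES = {"records.hospital.example"}
SECURE_SUFFIX = ".secure.example"  # hypothetical predetermined domain-name extension


class MalformedQuery(ValueError):
    """Raised when an intercepted packet is not a well-formed single-question query."""


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal wire-format DNS query (RFC 1035) for the constructed samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN


def parse_question(packet):
    """Return the lower-cased QNAME of an intercepted query, or raise MalformedQuery."""
    if len(packet) < 12:
        raise MalformedQuery("short header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise MalformedQuery("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise MalformedQuery("QNAME runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers and reserved label types are refused
            raise MalformedQuery("pointer or oversized label in question")
        if pos + length > len(packet):
            raise MalformedQuery("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise MalformedQuery("missing QTYPE/QCLASS")
    return ".".join(labels)


def is_secure(name):
    """Step (i): exact match, or suffix match on a label boundary."""
    return name in SECURE_NAMES or ("." + name).endswith(SECURE_SUFFIX)


def handle_dns_request(packet, forward, open_channel):
    """Classify one intercepted request and take exactly one of the claimed branches."""
    try:
        name = parse_question(packet)
    except MalformedQuery:
        return ("drop", None)  # fail closed: never forward what cannot be classified
    if is_secure(name):
        return ("encrypted_channel", open_channel(name))  # step (iii)
    return ("forwarded", forward(packet))  # step (ii)


def demo():
    """Run constructed sample queries through the proxy; record what reaches plain DNS."""
    forwarded = []

    def forward(pkt):  # hypothetical stand-in for the ordinary DNS function
        forwarded.append(parse_question(pkt))
        return "203.0.113.10"  # documentation address (TEST-NET-3)

    def open_channel(name):  # hypothetical stand-in for tunnel setup
        return "channel-to:" + name

    samples = [
        build_query("www.example.org"),
        build_query("Records.Hospital.EXAMPLE."),  # mixed case, trailing dot
        build_query("lab.secure.example"),
        build_query("notsecure.example"),          # shares a suffix, not a label boundary
        build_query("www.example.org")[:15],       # truncated packet
    ]
    results = [handle_dns_request(p, forward, open_channel)[0] for p in samples]
    return results, forwarded


if __name__ == "__main__":
    print(demo())
```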

III. History of the '151 Patent

A. Prosecution of the '151 Patent

U.S. 7,490,151 was filed September 30, 2002, as application no. 10/259,494. The '151 patent is a divisional of application no. 09/504,783, now issued as U.S. 6,502,135, which is itself a continuation-in-part of application no. 09/429,643, now issued as U.S. 7,010,604. The '151 and its parents all claim priority to two provisional applications, no. 60/137,704, filed June 1999, and no. 60/106,261, filed October 1998.

During the prosecution of the application that issued as the '151 patent, the Examiner rejected the original twenty claims as being obvious over Strentzsch et al., U.S. 6,256,671, under 35 U.S.C. § 103(a).[2] The Examiner also noted that an "encryption feature is a well-known feature in the art."[3] In response, the Applicants argued that Strentzsch was a non-analogous reference because Strentzsch "provides a method and apparatus for preventing network access by manipulating a domain name system," whereas the "claimed invention establishes secure network connections."[4]

[2] See Ex. B-1, Non-Final Rejection mailed June 24, 2004, pp. 2-3.
[3] See Ex. B-1, Non-Final Rejection mailed June 24, 2004, p. 3.
[4] Ex. B-1, Applicant Arguments/Remarks Made in an Amendment, September 13, 2002, p. 10 (emphasis in original).

This argument was apparently successful, as the Examiner identified a new reference, Sistanizadeh et al., U.S. 5,790,548, and rejected all of the claims as being anticipated under 35 U.S.C. § 102 by Sistanizadeh.[5] The Applicants attempted to traverse the rejection by arguing that Sistanizadeh didn't teach automatically creating the encrypted channel "in response to" a request for access to a secure system.[6] The Examiner again rejected the claims over Sistanizadeh, but this time found them obvious under 35 U.S.C. § 103. The Examiner noted that Sistanizadeh "discloses the use of the encrypted channel between a client and a target," and reasoned that "it would have been obvious to one of ordinary skill in the art to recognize that ... when to create[] this encrypted channel would have been a matter of choice."[7]

The Applicants again traversed the rejection, arguing that the Examiner's obviousness rejection did not provide sufficient detail to explain "how or why one of skill in the art would be motivated to modify [Sistanizadeh] to arrive at any of the pending claims."[8] The Applicants argued the purported novelty of many claims, many of them dependent claims. Notably, the Applicants again emphasized the "in response to" aspect of the claims, arguing that:

    For example, with respect to claim 6, the Office Action does not indicate how or why the initiation of an encrypted channel responsive to intercepting a DNS request for a domain name comprising a predetermined domain name extension is taught or suggested by [Sistanizadeh] ....

    With respect to claim 9, the Office Action does not indicate how or why [Sistanizadeh] teaches or suggests automatically creating the encrypted channel in response to detecting a request for access to a predetermined IP address.[9]

The Applicants did not present any arguments directed to independent claims 11 and 16, but in the following Office Action the Examiner allowed those claims along with their respective dependent claims.[10] Both independent claims recite the argued limitation of "when the intercepted DNS request corresponds to a secure server, automatically initiating" an encrypted or secure channel. The allowed claims were later renumbered and reordered, ultimately issuing as patent claims 1-12.

[5] See Ex. B-1, Non-Final Rejection mailed October 18, 2005, pp. 2-5.
[6] Ex. B-1, Applicant Arguments/Remarks Made in an Amendment, January 6, 2006, p. 8, emphasis in original.
[7] Ex. B-1, Non-Final Rejection mailed March 28, 2006, p. 2.
[8] See Ex. B-1, Applicant Arguments/Remarks Made in an Amendment, July 27, 2006, p. 3.
[9] Id.
[10] See Ex. B-1, Non-Final Rejection mailed October 30, 2006, p. 4.

The Examiner continued to reject the remaining claims, including the dependent claims specifically argued by the Applicants, as obvious in view of Sistanizadeh in two more Office actions.[11] With respect to claims 6 and 9, however, the Examiner's continued rejections did not discuss or focus on the "in response to" aspect of the claims. For example, the Examiner's rejection of claim 6 focused solely on the limitation of "a predetermined domain name extension:"

    As to claim 6, the feature of predetermined domain name extension. It would have been obvious to one of ordinary skill in the art to recognize that such predetermined domain name extention [sic] (e.g., .gov, .org, etc.) is well know feature in the art.[12]

The rejected claims were eventually canceled and a Notice of Allowance was sent. The Applicants then added claims 69-72 (corresponding to issued claims 13-16). These claims also recite "when the intercepted DNS request corresponds to a secure server, automatically creating a secure channel" and were allowed without comment.

In summary, no reasons for allowance are expressly stated in the '151 Patent file history. But the claims were allowed only after the Applicants argued the limitation of initiating an encrypted or secure channel in response to a DNS request. Thus, the file history suggests that the Examiner would have an interest in any prior art reference that taught initiating an encrypted or secure channel in response to a DNS request.

[11] See generally Ex. B-1, the Non-Final Rejections mailed October 30, 2006 and June 15, 2007, and Applicant Arguments/Remarks mailed March 30, 2007, and December 13, 2007.
[12] See, e.g., Ex. B-1, Non-Final Rejection mailed Oct. 30, 2006, at 4.

B. The Effective Priority Date of the Claims in the '151 Patent

The '151 patent was filed September 30, 2002 as a divisional of application no. 09/504,783, now issued as U.S. 6,502,135 (the "'783 application") which was filed February 15, 2000. The '783 application is a continuation-in-part ("CIP") application of U.S. Patent Application No. 09/429,643, filed October 29, 1999, now U.S. Patent No. 7,010,604 ("the '604 patent," attached as Exhibit C-1). The '151 patent also claims priority to provisional application No. 60/106,261, filed on October 30, 1998 (attached as Exhibit C-2), and provisional application No. 60/137,704, filed on June 7, 1999 (attached as Exhibit C-3).

Each of the independent claims in the '151 patent (claims 1, 7, and 13) includes limitations that have their earliest possible written description support in the '783 CIP application, filed February 15, 2000. Specifically, each independent claim recites a "domain name server (DNS)" module and acting in response to a "DNS request."

To the extent there is any written description support for these limitations, the written description support for this claimed subject matter first appeared in the '783 CIP application, in the section specifically labeled "CONTINUATION-IN-PART IMPROVEMENTS," starting at Col. 32, line 28. Specifically, the description from col. 32, line 18 to col. 40, line 13 discusses the use of a DNS server, DNS proxy server, or creating a VPN in response to a DNS request. Similarly, col. 44, lines 49-55 disclose the use of tables "that contain enough information to authenticate a communication request."

None of the three earlier filed applications from which priority is claimed by the '151 patent includes corresponding descriptions of the claimed functionality. Accordingly, the effective priority date of independent claims 1, 7, and 13, and, by dependency, claims 2-6, 8-12, and 14-16, is February 15, 2000. As previously noted, the earliest claimed priority date is October 30, 1998.

C. Prior Litigation

The '151 patent was asserted in prior litigation, styled VirnetX, Inc. v. Microsoft Corp., Case No. 6:07-cv-80, but was withdrawn before any claims were construed by the court. The '151 patent's parent, the '135 patent, was also asserted in the same litigation and was construed by the district court. As potentially helpful guidance in giving the claims the broadest reasonable interpretation consistent with the specification, the district court's Memorandum Opinion on Claim Construction (E.D. Tex. Jul. 30, 2009) is attached as Exhibit B-2.

IV. Statement Pointing Out Substantial New Questions of Patentability

As discussed above, the record suggests that independent claims of the '151 patent were allowed because the prior art considered in prosecution failed to teach or suggest initiating an encrypted or secure channel in response to a DNS request. As shown below, the references presented in this request teach this limitation. Because these references provide technical disclosures that were believed to be absent in the art discussed by the Examiner, the references are not cumulative of art already considered by the Office. Their teachings present substantial new questions of patentability that call for the reexamination of the '151 Patent.

A. Kiuchi Presents a Substantial New Question of Patentability

"C-HTTP - The Development of a Secure, Closed HTTP-based Network on the Internet" by Takahiro Kiuchi and Shigekoto Kaihara was published in the Proceedings of the Symposium on Network and Distributed System Security, 1996. This publication was publicly available more than one year before the '151 Patent's earliest claimed priority date of October 30, 1998 and is prior art under 35 U.S.C. § 102(b). A copy of Kiuchi is attached as Exhibit D-1. Kiuchi has not been previously cited to the Patent Office.

Similar to the '151 patent, Kiuchi was concerned with establishing secure network links between different hosts on the Internet. Kiuchi sought to develop a secure network by which medical information, including sensitive clinical trial documents, could be shared between different hospitals and other institutions.

To accomplish this goal, Kiuchi describes a system with "a client-side proxy, a server-side proxy and a C-HTTP name server."[13] The proxies reside on a firewall computer and "communicate with each other using a secure, encrypted protocol."[14] Thus, the communications between proxies use an encrypted channel.

Kiuchi teaches that the encrypted connection is initiated in response to a name service request:

    A client-side proxy asks the C-HTTP name server whether it can communicate with the host specified in a given URL .... If the connection is permitted, the C-HTTP name server sends the IP address and public key of the server-side proxy and both request and response Nonce values .... When the C-HTTP name server confirms that the specified server-side proxy is an appropriate closed network member, a client-side proxy sends a request for connection to the server-side proxy, which is encrypted using the server-side proxy's public key ....[15]

In short, Kiuchi's client-side proxy sends a request to a name server, and in response receives a public key for the server-side proxy. The client-side proxy then initiates a new connection that is encrypted with the server's key. Thus, Kiuchi teaches initiating an encrypted channel in response to a DNS request, the limitation previously argued to be novel before the Patent Office. This teaching presents a substantial new question of patentability relative to the claims of the '151 patent.

[13] Kiuchi, Abstract.
[14] Kiuchi, Abstract.
[15] Kiuchi p. 65 (emphasis added).

B. Wesinger Presents a Substantial New Question of Patentability

U.S. Pat. No. 5,898,830 to Wesinger, Jr. et al., entitled "Firewall providing enhanced network security and user transparency," was filed on October 17, 1996, and issued April 27, 1999. Wesinger is prior art under 35 U.S.C. § 102(e) and § 102(a). A copy of Wesinger is attached as Exhibit D-2. Wesinger was noted as a relevant disclosure during the initial prosecution of the '151 patent, but its teachings were never discussed or analyzed by the patent owner or Examiner.

Wesinger describes an enhanced firewall including a DNS server module that is used to securely route information between different parts of a network or across an insecure network. As described by Wesinger, the enhanced firewall system provides "programmable transparency ... achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface."[16] Wesinger specifically teaches that these DNS mappings through the firewall are accomplished using a DNS module:

    Referring more particularly to FIG. 3, there is shown a firewall 305 having a first set of virtual hosts 305a, a second set of virtual hosts 305b, and a DNS DDNS module 315.[17]

Wesinger continues describing the DNS module in the memory:

    When a client needs a particular piece of information (e.g., the IP address of homer.odyssey.com), it asks its local DNS server for that information. The local DNS server first examines its own local memory, such as a cache, to see if it already knows the answer to the client's query.[18]

Wesinger further teaches automatically initiating a tunnel between the client and the server if the request corresponds to a secure server. As shown in Fig. 1 of Wesinger, these firewalls with DNS modules are used to connect each portion of the network, or to connect different parts of the secure network (within the dotted lines) across the insecure Internet (shown at reference 120):

[16] Wesinger, 4:22-25.
[17] Wesinger, 10:25-27 (emphasis added).
[18] Wesinger, 8:33-37 (emphasis added).

[FIG. 1 of Wesinger (network diagram, not reproduced). Legible label: "ADDRESS SUBSET, E.G. 192.168.X.X".]

Wesinger Fig. 1

Referring to the computers "C" and "D" in the lower portion of Fig. 1, Wesinger teaches that when a client "C" sends a DNS request for the IP address of host "D", it receives in response the network address for a virtual host on a firewall:

    When client C tries to initiate a connection to host D using the name of D, DNS operates in the usual manner to propagate a name request to successive levels of the network until D is found. The DNS server for D returns the network address of D to a virtual host on the firewall 155. The virtual host returns its network address to the virtual host on the firewall 157 from which it received the lookup request, and so on, until a virtual host on the firewall 105 returns its network address (instead of the network address of D) to the client C. This activity is all transparent to the user.[19]

The firewall's virtual host, in turn, provides transparent encryption and other security processing to enable a virtual private network connection:

    Furthermore, the firewalls may be configured to also transparently perform any of various kinds of channel processing, including various types of encryption and decryption, compression and decompression, etc. In this way, virtual private networks may be established whereby two remote machines communicate securely, regardless of the degree of proximity or separation, in the same manner as if the machines were on the same local area network.[20]

In summary, Wesinger teaches a DNS server module included in the memory of each firewall that responds to a client's DNS request with the address of a virtual host that will transparently provide a secure connection to the requested destination. The firewalls do this automatically and "transparently," without any intervention from the user. Thus, Wesinger teaches initiating a secure channel in response to a DNS request, the limitation previously argued to be novel before the Patent Office. Accordingly, Wesinger presents a substantial new question of patentability for the claims of the '151 patent.

[19] Wesinger, 9:16-20 (emphasis added).
[20] Wesinger, 4:39-46 (emphasis added).

C. Blum Presents a Substantial New Question of Patentability

U.S. Pat. No. 6,182,141 to Blum, Jr. et al., entitled "Firewall providing enhanced network security and user transparency," was filed on December 20, 1996, and issued January 30, 2001. Blum is prior art under 35 U.S.C. § 102(e). A copy of Blum is attached as Exhibit D-3. Blum has not been previously cited to the Patent Office.

Blum describes intercepting and acting on DNS requests through a transparent proxy system operating on a client:

    A transparent proxy. In a computer system, a layered service provider intercepts a communications request from a client application in the native protocol of the communications request wherein the communications request requests communication with a remote server.[21]

Blum describes how the transparent proxy intercepts DNS communications from the client using a name service provider:

    The NSP stub 430 of the invention enables communications between the client computer system 300 through the transparent proxy to remote DNS or other address resolution servers or services .... The NSP stub 430 is capable of intercepting DNS requests which require a remote connection and thus, need to be directed to the transparent proxy application ....[22]

Blum continues, teaching that the transparent proxy creates a bi-directional communications tunnel to the secure remote server:

    A transparent proxy application listening on the predetermined well-known port receives the communications request in the native protocol of the request and establishes communication with the remote server, such that communication between the client application and the remote server is tunneled bi-directionally through the transparent proxy.[23]

And Blum describes connecting via a secure, encrypted protocol such as Secure Sockets:

    Commonly used protocols include Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and Secure Sockets Layer (SSL), for example.[24]

Finally, Blum also teaches that the name service provider is in the client computer's memory:

    One embodiment of the invention is implemented through a set of software modules which may be executed on a computer system such as the computer system 200 illustrated in FIG. 2. In general, such computer systems as illustrated by FIG. 2 comprise ... a main memory 220 coupled to the bus 205 for storing information and instructions for the processor.[25]

[21] Blum, Abstract.
[22] Blum, 6:40-54 (emphasis added).
[23] Blum, 2:32-37 (emphasis added).
[24] Blum, 12:23-27 (emphasis added).
[25] Blum, 4:8-17 (emphasis added).

Thus, Blum teaches a DNS server module in the memory of the client that intercepts client DNS requests and, if necessary, automatically routes them to the secure "remote server" over a transparent proxy. Accordingly, Blum teaches initiating a secure channel in response to a DNS request, the limitation previously argued to be novel before the Patent Office. Blum presents a substantial new question of patentability relative to the claims of the '151 patent.

D. Aziz Presents a Substantial New Question of Patentability

U.S. Patent 6,119,234 to Aziz, Jr., et al., entitled "Method and apparatus for client-host communication over a computer network," was filed on June 27, 1997, and issued September 12, 2000. Aziz is prior art under 35 U.S.C. § 102(e). A copy of Aziz is attached as Exhibit D-4. Aziz was cited to the Patent Office in an IDS, but was never previously discussed by the patent owner or Examiner.

Aziz teaches extending a standard Domain Name Service (DNS) server module to allow a name server to facilitate the creation of a secure connection based on DNS requests:

    The registered name server for a domain is configured to return a new resource record type, herein called an SX record, in response to requests for information needed for secure communications with protected hosts in that domain. The resolver on (or otherwise associated with) the authorized client is configured to use the data in the SX record to dynamically update the information used by the client to handle secure communications.[26]

The new type of record returned by Aziz's name server is the "SX record," which stands for a "Security Exchanger" record. The SX record identifies the secure gateway that can
