Electronic Patent Application Fee Transmittal
`
Title of Invention:
`
`AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS USING SECURE
`DOMAIN NAMES
`
`Attorney Docket Number:
`
`077580-0063 (VRNK-1CP3CN2
`
Utility under 35 USC 111(a) Filing Fees
`
`Description
`
`Fee Code
`
`Quantity
`
`Sub-Total in
`USD($)
`
`Basic Filing:
`
`Pages:
`
Claims in excess of 20
`
`1202
`
`2236
`
`Miscellaneous-Filing:
`
`Patent-Appeals-and-Interference:
`
Post-Allowance-and-Post-Issuance:
`
`Extension-of-Time:
`
`New Bay Capital, LLC
`Ex. 1007
`
`

`
`Description
`
`Extension -1 month with $0 paid
`
`Miscellaneous:
`
`Sub-Total in
`USD($)
`
`Total in USD ($)
`
`
`

`
`Electronic Acknowledgement Receipt
`
`Title of Invention:
`
`AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS USING SECURE
`DOMAIN NAMES
`
`Customer Number:
`
`23630
`
`Filer Authorized By:
`
`Toby H. Kusmer.
`
`Attorney Docket Number:
`
`077580-0063 (VRNK-1CP3CN2
`
`Receipt Date:
`
`28-JUN-2010
`
`Application Type:
`
Utility under 35 USC 111(a)
`
`Payment information:
`
`Submitted with Payment
`
`Payment Type
`
`yes
`
`Deposit Account
`
`
The Director of the USPTO is hereby authorized to charge indicated fees and credit any overpayment as follows:
`
`Charge any Additional Fees required under 37 C.F.R. Section 1.17 (Patent application and reexamination processing fees)
`
`Charge any Additional Fees required under 37 C.F.R. Section 1.19 (Document supply fees)
`
`
`

`
`Charge any Additional Fees required under 37 C.F.R. Section 1.20 (Post Issuance fees)
`
`Charge any Additional Fees required under 37 C.F.R. Section 1.21 (Miscellaneous fees and charges)
`
`Document
`Number
`
`Document Description
`
`File Size(Bytes)/
`Message Digest
`
`Pages
`Multi
`Part /.zip (if appl.)
`
`AmendA.pdf
`
`d13a86bf1882Z4a7964be0a28e8cbec6ee2
`5774f
`
`Multipart Description/PDF files in .zip description
`
`Document Description
`
Amendment/Req. Reconsideration-After Non-Final Reject
`
`Specification
`
`Information:
`
`Warnings:
`
`Information:
`
Fee Worksheet (PTO-875)

fee-info.pdf
`
`3c32cel 43a<3l4ff8062b7696dd72407183
`eb7c
`
`Total Files Size (in bytes)
`
`This Acknowledgement Receipt evidences receipt on the noted date by the USPTO of the indicated documents,
`characterized by the applicant, and including page counts, where applicable. It serves as evidence of receipt similar to a
`Post Card, as described in MPEP 503.
`
`New Applications Under 35 U.S.C. 111
If a new application is being filed and the application includes the necessary components for a filing date (see 37 CFR 1.53(b)-(d) and MPEP 506), a Filing Receipt (37 CFR 1.54) will be issued in due course and the date shown on this Acknowledgement Receipt will establish the filing date of the application.
`
`National Stage of an International Application under 35 U.S.C. 371
`If a timely submission to enter the national stage of an international application is compliant with the conditions of 35
`U.S.C. 371 and other applicable requirements a Form PCT/DO/E0/903 indicating acceptance of the application as a
`national stage submission under 35 U.S.C. 371 will be issued in addition to the Filing Receipt, in due course.
`
`New International Application Filed with the USPTO as a Receiving Office
If a new international application is being filed and the international application includes the necessary components for an international filing date (see PCT Article 11 and MPEP 1810), a Notification of the International Application Number and of the International Filing Date (Form PCT/RO/105) will be issued in due course, subject to prescriptions concerning national security, and the date shown on this Acknowledgement Receipt will establish the international filing date of the application.
`
`
`

`
PTO/SB/06 (07-06)
Approved for use through 1/31/2007. OMB 0651-0032
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

PATENT APPLICATION FEE DETERMINATION RECORD
Substitute for Form PTO-875
`
Application or Docket Number
11/840,560

Filing Date
08/17/2007

[ ] To be Mailed
`
`OTHER THAN
`SMALL ENTITY
`
`OTH ER THAN
`SMALL ENTITY
`
`RATE ($)
`
`ADDITIONAL
`FEE ($)
`
`2080
`
`2080
`
`ADDITIONAL
`FEE ($)
`
`RATE ($)
`
`TOTAL
`ADD’L
`FEE
`
`APPLICATION AS FILED — PART I
`(Column 1)
`NUMBER FILED
`
[ ] BASIC FEE
(37 CFR 1.16(a), (b), or (c))
`
`N/A
`
`N/A
`
[ ] SEARCH FEE
(37 CFR 1.16(k), (i), or (m))

N/A

N/A

[ ] EXAMINATION FEE
(37 CFR 1.16(o), (p), or (q))

N/A

N/A

TOTAL CLAIMS
(37 CFR 1.16(i))
minus 20

INDEPENDENT CLAIMS
(37 CFR 1.16(h))
minus 3

If the specification and drawings exceed 100 sheets of paper, the application size fee due is $250 ($125 for small entity) for each additional 50 sheets or fraction thereof. See 35 U.S.C. 41(a)(1)(G) and 37 CFR 1.16(s).

[ ] APPLICATION SIZE FEE
(37 CFR 1.16(s))

[ ] MULTIPLE DEPENDENT CLAIM PRESENT (37 CFR 1.16(j))
* If the difference in column 1 is less than zero, enter "0" in column 2.
`
`APPLICATION AS AMENDED — PART II
`
`(Column 1)
`CLAIMS
`REMAINING
`AFTER
`AMENDMENT
`
`(Column 2)
`HIGHEST
`NUMBER
`PREVIOUSLY
`PAID FOR
`
`(Column 3)
`
SMALL ENTITY

ADDITIONAL
FEE ($)

RATE ($)

[ ] Application Size Fee (37 CFR 1.16(s))

[ ] FIRST PRESENTATION OF MULTIPLE DEPENDENT CLAIM (37 CFR 1.16(j))
`
`CLAIMS
`REMAINING
`AFTER
`AMENDMENT
`
`HIGHEST
`NUMBER
`PREVIOUSLY
`PAID FOR
`
ADDITIONAL
FEE ($)

RATE ($)

AMENDMENT

Minus

[ ] Application Size Fee (37 CFR 1.16(s))

[ ] FIRST PRESENTATION OF MULTIPLE DEPENDENT CLAIM (37 CFR 1.16(j))
`
* If the entry in column 1 is less than the entry in column 2, write "0" in column 3.
** If the "Highest Number Previously Paid For" IN THIS SPACE is less than 20, enter "20".
*** If the "Highest Number Previously Paid For" IN THIS SPACE is less than 3, enter
The "Highest Number Previously Paid For" (Total or Independent) is the highest number found in the appropriate box in column 1.
This collection of information is required by 37 CFR 1.16. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 12 minutes to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.
`
`Legal Instrument Examiner:
/WANDA D. MITCHELL/
`
`
`

`
`07/15/2010
`
McDermott Will & Emery
600 13th Street, NW
`Washington, DC 20005-3096
`
`UNITED STATES DEPARTMENT OF COMMERCE
`U.S. Patent and Trademark Office
`Address: COMMISSIONER FOR PATENTS
`P.O. Box 1450
`
`Alexandria, Virginia 22313-1450
`www.uspto.gov
`
`Paper No.
`
`Application No.:
`
`11/840,560
`
`Date Mailed:
`
`07/15/2010
`
`
`
`First Named Inventor:
`
`Larson, Victor,
`
`Examiner:
`
`LIM, KRISNA
`
`Attorney Docket No.:
`
077580-0063 (VRNK-1CP3CN2
`
`Art Unit:
`
`2453
`
`Confirmation No.:
`
`1537
`
`Filing Date:
`
`08/17/2007
`
`Please find attached an Office communication concerning this application or proceeding.
`
`PTO-90c (Rev.08-06)
`
`Commissioner for Patents
`
`
`

`
`Notice of Non-Compliant Amendment
`(37 CFR 1.121)
`
`Application No.
11/840,560

Applicant(s)
LARSON ET AL.
`
-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
`
`The amendment document filed on 28 June 2010 is considered non-compliant because it has failed to meet the
`requirements of 37 CFR 1.121 or 1.4. In order for the amendment document to be compliant, correction of the following
`item(s) is required.
`
THE FOLLOWING MARKED (X) ITEM(S) CAUSE THE AMENDMENT DOCUMENT TO BE NON-COMPLIANT:

[X] 1. Amendments to the specification:
    [X] A. Amended paragraph(s) do not include markings.
    [ ] B. New paragraph(s) should not be underlined.
    [ ] C. Other.

[ ] 2. Abstract:
    [ ] A. Not presented on a separate sheet. 37 CFR 1.72.
    [ ] B. Other

[ ] 3. Amendments to the drawings:
    [ ] A. The drawings are not properly identified in the top margin as "Replacement Sheet," "New Sheet," or "Annotated Sheet" as required by 37 CFR 1.121(d).
    [ ] B. The practice of submitting proposed drawing correction has been eliminated. Replacement drawings showing amended figures, without markings, in compliance with 37 CFR 1.84 are required.
    [ ] C. Other

[ ] 4. Amendments to the claims:
    [ ] A. A complete listing of all of the claims is not present.
    [ ] B. The listing of claims does not include the text of all pending claims (including withdrawn claims)
    [ ] C. Each claim has not been provided with the proper status identifier, and as such, the individual status of each claim cannot be identified. Note: the status of every claim must be indicated after its claim number by using one of the following status identifiers: (Original), (Currently amended), (Canceled), (Previously presented), (New), (Not entered), (Withdrawn) and (Withdrawn - currently amended).
    [ ] D. The claims of this amendment paper have not been presented in ascending numerical order.
    [ ] E. Other:

[ ] 5. Other (e.g., the amendment is unsigned or not signed in accordance with 37 CFR 1.4): For further explanation of the amendment format required by 37 CFR 1.121, see MPEP § 714.
`
`TIME PERIODS FOR FILING A REPLY TO THIS NOTICE:
`
1. Applicant is given no new time period if the non-compliant amendment is an after-final amendment or an amendment filed after allowance, or a drawing submission (only). If applicant wishes to resubmit the non-compliant after-final amendment with corrections, the entire corrected amendment must be resubmitted.
`
`Applicant is given one month, or thirty (30) days, whichever is longer, from the mail date of this notice to supply the
`correction, if the non-compliant amendment is one of the following: a preliminary amendment, a non-final amendment
`(including a submission for a request for continued examination (RCE) under 37 CFR 1.114), a supplemental
`amendment filed within a suspension period under 37 CFR 1.103(a) or (c), and an amendment filed in response to a
`Quayle action. If any of above boxes 1 to 4 are checked, the correction required is only the corrected section of the
`non-compliant amendment in compliance with 37 CFR 1.121.
`
`Extensions of time are available under 37 CFR 1.136(a) only if the non-compliant amendment is a non-final
`amendment or an amendment filed in response to a Quayle action.
`Failure to timely respond to this notice will result in:
`Abandonment of the application if the non-compliant amendment is a non-final amendment or an amendment
`filed in response to a Quayle action; or
`Non-entry of the amendment if the non-compliant amendment is a preliminary amendment or supplemental
`amendment.
`
Legal Instruments Examiner (LIE), if applicable /WANDA D. MITCHELL/
`
`Telephone No: (571)272-1032
`
`U.S. Patent and Trademark Office
`PTOL-324 (04-06)
`
Notice of Non-Compliant Amendment (37 CFR 1.121)

Part of Paper No. 20100713-1
`
`
`

`
077580-0057
Subst. for form 1449/PTO

INFORMATION DISCLOSURE STATEMENT BY APPLICANT
(use as many sheets as necessary)

Complete if Known
Application Number: 11/840,560
First Named Inventor
Art Unit: 2453
Docket Number: 077580-0063
`
`CERTIFICATION STATEMENT
`
Please see 37 CFR 1.97 and 1.98 to make the appropriate selection(s)

[ ] Information Disclosure Statement is being filed before the receipt of a first office action.

[ ] Items contained in this Information Disclosure Statement were first cited in any communication from a foreign patent office in a counterpart foreign application.

[ ] No item of information contained in this Information Disclosure Statement was cited in a communication from a foreign patent office in a counterpart foreign application, and, to the knowledge of the undersigned, after making reasonable inquiry, no item of information contained in the information disclosure statement was known to any individual designated in 37 CFR 1.56(c) more than three months prior to the filing of this Information Disclosure Statement

The Commissioner is hereby authorized to charge the fee pursuant to 37 CFR 1.17(P) in the amount of $180.00, or further fees which may be due, to Deposit Account 50-1133.

Information Disclosure Statement is being filed with the Request for Continued Examination. The Commissioner is hereby authorized to charge the fee pursuant to 37 CFR 1.17(P) in the amount of $810.00, or further fees which may be due, to Deposit Account 50-1133.

[X]

None
`
`SIGNATURE
`
A signature of the applicant or representative is required in accordance with CFR 1.33, 10.18. Please see CFR 1.4(d) for the form of the signature.

a ak R. Royaee, Reg. No:
`McDermott Will & Emery LLP
`28 State Street
`Boston, MA 02108
`Tel. (617) 535-4000
`Fax (617) 535-3800
`
`BST99 I 6549964 077580 0057
`
`
`

`
Subst. for form 1449/PTO

INFORMATION DISCLOSURE STATEMENT BY APPLICANT
(use as many sheets as necessary)

Complete if Known
Application Number: 11/840,560
First Named Inventor
Art Unit: 2453
Examiner Name
Docket Number: 077580-0063
`
Columns: Examiner's Initials; Cite No.; Patent Number; Publication Date; Name of Patentee or Applicant of Cited Document; Pages, Columns, Lines, Where Relevant Passages or Relevant Figures Appear

A1037; 5,870,610; 02/1999; Beyda et al.

FOREIGN PATENT DOCUMENTS
Columns: Examiner's Initials; Cite No.; Foreign Patent Document (Country Code-Number-Kind Code, if known); Publication Date; Name of Patentee or Applicant of Cited Document; Pages, Columns, Lines Where Relevant Figures Appear; Translation

B1003; EP0838930; 4/29/1988; Digital Equipment Corporation
B1004; EP0814589; 12/29/1997; AT&T Corp.
B1005; GB2317792; 04/01/1998; Secure Computing Corporation
B1006; WO98/27783; 06/25/1998; Northern Telecom Limited
B1007; WO99/11019; 03/04/1999; V One Corp
B1008; GB2334181; 08/11/1999; NEC Technologies
B1009; GB2340702; 02/23/2000; Sun Microsystems Inc.
`
OTHER ART (Including Author, Title, Date, Pertinent Pages, Etc.)
Columns: Examiner's Initials; Cite No.; Include name of the author (in CAPITAL LETTERS), title of the article (when appropriate), title of the item (book, magazine, journal, serial, symposium, catalog, etc.), date, page(s), volume-issue number(s), publisher, city and/or country where published.

C1244 Baumgartner et al., "Differentiated Services: A New Approach for Quality of Service in the Internet," International Conference on High Performance Networking, 255-273 (1998)

C1245 Chapman et al., "Domain Name System (DNS)," 278-296 (1995)

C1246 Davila et al., "Implementation of Virtual Private Networks at the Transport Layer," M. Mambo, Y. Zheng (Eds), Information Security (Second International) Workshop, ISWT 99. Lecture Notes in Computer Science (LNCS), Vol. 1729; 85-102 (1999)

C1247 De Raadt et al., "Cryptography in OpenBSD," 10 pages (1999)

C1248 Eastlake, "Domain Name System Security Extensions," Internet Citation, Retrieved from the Internet: URL:ftp://ftp.inet.no/pub/ietf/internet-drafts/draft-ietf-dnssec-secext2-05.txt (1998)
`
`
`

`
Subst. for form 1449/PTO

INFORMATION DISCLOSURE STATEMENT BY APPLICANT
(Use as many sheets as necessary)

Complete if Known
Application Number: 11/840,560
Filing Date: 08-17-2007
First Named Inventor: Victor Larson
Art Unit: 2453
Examiner Name: Krisna Lim
Docket Number: 077580-0063
`
C1249 Gunter et al., "An Architecture for Managing QoS-Enabled VPNs Over the Internet," Proceedings 24th Conference on Local Computer Networks. LCN '99 IEEE Comput. Soc Los Alamitos, CA, pages 122-131 (1999)

Shimizu, "Special Feature: Mastering the Internet with Windows 2000", Internet Magazine, 63:296-307 (2000)

C1251 Stallings, "Cryptography and Network Security," Principles and Practice, 2nd Edition, pages 399-440 (1999)

C1252 Takata, "U.S. Vendors Take Serious Action to Act Against Crackers - A Tracking Tool and a Highly Safe DNS Software are Released", Nikkei Communications, 257:87 (1997)

C1253 Wells, Email (Lancasterb1be@mail.msn.com), Subject: "Security Icon," (1998)
`
`
`

`
(19) Europäisches Patentamt
European Patent Office
Office européen des brevets

(11) EP 0 838 930 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
29.04.1998 Bulletin 1998/18

(21) Application number: 97118556.G

(22) Date of filing: 24.10.1997

(51) Int. CL5: H04L 29/06

(84) Designated Contracting States:
AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

Designated Extension States:
AL LT LV RO SI

(30) Priority: 25.10.1996 US 738155

(71) Applicant:
DIGITAL EQUIPMENT CORPORATION
Maynard, Massachusetts 01754 (US)

(72) Inventors:
- Alden, Kenneth F.
Boylston, Massachusetts 01505 (US)
- Lichtenberg, Mitchell P.
Sunnyvale, CA 94087 (US)
- Wobber, Edward P.
Menlo Park, California 94025 (US)

(74) Representative: Betten & Resch
Reichenbachstrasse 19
80469 München (DE)

(54) Pseudo network adapter for frame capture, encapsulation and encryption
`
[Figure: block diagram with blocks labelled other operating system functions, TCP/IP stack, virtual adapter driver, encapsulation, encryption, physical network adapter's driver, ARP server emulator, DHCP server emulator, decapsulation and decryption.]
`
(57) A new pseudo network adapter provides an interface for capturing packets from a local communications protocol stack for transmission on the virtual private network, and includes a Dynamic Host Configuration Protocol (DHCP) server emulator, and an Address Resolution Protocol (ARP) server emulator. The new system indicates to the local communications protocol stack that nodes on a remote private network are reachable through a gateway that is in turn reachable through the pseudo network adapter. A transmit path in the system processes data packets from the local communications protocol stack for transmission through the pseudo network adapter. An encryption engine encrypts the data packets and an encapsulation engine encapsulates the encrypted data packets into tunnel data frames. The network adapter further includes an interface into a transport layer of the local communications protocol stack for capturing received data packets from the remote server node, and a receive path for processing received data packets captured from the transport layer of the local communications protocol stack. The receive path includes a decapsulation engine, and a decryption engine, and passes the decrypted, decapsulated data packets back to the local communications protocol stack for delivery to a user.
`
`Description
`
`FIELD OF THE INVENTION
`
The invention relates generally to establishing secure virtual private networks. The invention relates specifically to a pseudo network adapter for capturing, encapsulating and encrypting messages or frames.
`
`BACKGROUND
`
In data communications it is often required that secure communications be provided between users of network stations (also referred to as "network nodes") at different physical locations. Secure communications must potentially extend over public networks as well as through secure private networks. Secure private networks are protected by "firewalls", which separate the private network from a public network. Firewalls ordinarily provide some combination of packet filtering, circuit gateway, and application gateway technology, insulating the private network from unwanted communications with the public network.

One approach to providing secure communications is to form a virtual private network. In a virtual private network, secure communications are provided by encapsulating and encrypting messages. Encapsulated messaging in general is referred to as "tunneling". Tunnels using encryption may provide protected communications between users separated by a public network, or among a subset of users of a private network.

Encryption may for example be performed using an encryption algorithm using one or more encryption "keys". When an encryption key is used, the value of the key determines how the data is encrypted and decrypted. When a public-key encryption system is used, a key pair is associated with each communicating entity. The key pair consists of an encryption key and a decryption key. The two keys are formed such that it is infeasible to generate one key from the other. Each entity makes its encryption key public, while keeping its decryption key secret. When sending a message to node A, for example, the transmitting entity uses the public key of node A to encrypt the message, and then the message can only be decrypted by node A using node A's private key.

In a symmetric key encryption system a single key is used as the basis for both encryption and decryption. An encryption key in a symmetric key encryption system is sometimes referred to as a "shared" key. For example, a pair of communicating nodes A and B could communicate securely as follows: a first shared key is used to encrypt data sent from node A to node B, while a second shared key is to be used to encrypt data sent from node B to node A. In such a system, the two shared keys must be known by both node A and node B. More examples of encryption algorithms and keyed encryption are disclosed in many textbooks, for example "Applied Cryptography - Protocols, Algorithms, and Source Code in C", by Bruce Schneier, published by John Wiley and Sons, New York, New York, copyright 1994.
`
Information regarding what encryption key or keys are to be used, and how they are to be used to encrypt data for a given secure communications session is referred to as "key exchange material". Key exchange material may for example determine what keys are used and a time duration for which each key is valid. Key exchange material for a pair of communicating stations must be known by both stations before encrypted data can be exchanged in a secure communications session. How key exchange material is made known to the communicating stations for a given secure communications session is referred to as "session key establishment".

A tunnel may be implemented using a virtual or "pseudo" network adapter that appears to the communications protocol stack as a physical device and which provides a virtual private network. A pseudo network adapter must have the capability to receive packets from the communications protocol stack, and to pass received packets back through the protocol stack either to a user or to be transmitted.
`
A tunnel endpoint is the point at which any encryption/decryption and encapsulation/decapsulation provided by a tunnel is performed. In existing systems, the tunnel end points are pre-determined network layer addresses. The source network layer address in a received message is used to determine the "credentials" of an entity requesting establishment of a tunnel connection. For example, a tunnel server uses the source network layer address to determine whether a requested tunnel connection is authorized. The source network layer address is also used to determine which cryptographic key or keys to use to decrypt received messages.

Existing tunneling technology is typically performed by encapsulating encrypted network layer packets (also referred to as "frames") at the network layer. Such systems provide "network layer within network layer" encapsulation of encrypted messages. Tunnels in existing systems are typically between firewall nodes which have statically allocated IP addresses. In such existing systems, the statically allocated IP address of the firewall is the address of a tunnel end point within the firewall. Existing systems fail to provide a tunnel which can perform authorization based for an entity which must dynamically allocate its network layer address. This is especially problematic for a user wishing to establish a tunnel in a mobile computing environment, and who requests a dynamically allocated IP address from an Internet Service Provider (ISP).

Because existing virtual private networks are based on network layer within network layer encapsulation, they are generally only capable of providing connectionless datagram type services. Because datagram type services do not guarantee delivery of packets, existing tunnels can only easily employ encryption methods over the data contained within each transmitted packet. Encryption based on the contents of multiple packets is desirable, such as cipher block chaining or stream ciphering over multiple packets. For example, encrypted data would advantageously be formed based not only on the contents of the present packet data being encrypted, but also based on some attribute of the connection or session history between the communicating stations. Examples of encryption algorithms and keyed encryption are disclosed in many textbooks, for example "Applied Cryptography - Protocols, Algorithms, and Source Code in C", by Bruce Schneier, published by John Wiley and Sons, New York, New York, copyright 1994.
`
Thus there is required a new pseudo network adapter providing a virtual private network having a dynamically determined end point to support a user in a mobile computing environment. The new pseudo network adapter should appear to the communications protocol stack of the node as an interface to an actual physical device. The new pseudo network adapter should support guaranteed, in-order delivery of frames over a tunnel to conveniently support cipher block chaining mode or stream cipher encryption over multiple packets.
`
`SUMMARY OF THE INVENTION
`
A new pseudo network adapter is disclosed providing a virtual private network. The new system includes an interface for capturing packets from a local communications protocol stack for transmission on the virtual private network. The interface appears to the local communications stack as a network adapter device driver for a network adapter.

The invention, in its broad form, includes a pseudo network adapter as recited in claim 1, providing a virtual network and a method therefor as recited in claim 9.

The system as described hereinafter further includes a Dynamic Host Configuration Protocol (DHCP) server emulator, and an Address Resolution Protocol (ARP) server emulator. The new system indicates to the local communications protocol stack that nodes on a remote private network are reachable through a gateway that is in turn reachable through the pseudo network adapter. The new pseudo network adapter includes a transmit path for processing data packets from the local communications protocol stack for transmission through the pseudo network adapter. The transmit path includes an encryption engine for encrypting the data packets and an encapsulation engine for encapsulating the encrypted data packets into tunnel data frames. The pseudo network adapter passes the tunnel data frames back to the local communications protocol stack for transmission to a physical network adapter on a remote server node.
Preferably, as described hereinafter, the pseudo network adapter includes a digest value in a digest field in each of the tunnel data frames. A keyed hash function is a hash function which takes data and a shared cryptographic key as inputs, and outputs a digital signature referred to as a digest. The value of the digest field is equal to an output of a keyed hash function applied to data consisting of the data packet encapsulated within the tunnel data frame concatenated with a counter value equal to a total number of tunnel data frames previously transmitted to the remote server node. In another aspect of the system, the pseudo network adapter processes an Ethernet header in each one of the captured data packets, including removing the Ethernet header.
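The digest field described above, as an added example that is not code from the patent application. It assumes HMAC-SHA256 as the keyed hash, an 8-byte big-endian counter, a frame laid out as digest followed by packet, and a counter that each side tracks locally instead of sending; the text specifies none of these. Payload encryption is left out so the integrity check stands alone.

```python
import hashlib
import hmac
import struct

# Assumption: HMAC-SHA256 stands in for the unnamed keyed hash function.
DIGEST_LEN = hashlib.sha256().digest_size


def frame_digest(key: bytes, packet: bytes, counter: int) -> bytes:
    """Keyed hash over packet || counter.

    The counter is encoded as a fixed 8-byte big-endian integer (an
    assumption), so the boundary between packet and counter is unambiguous.
    """
    message = packet + struct.pack(">Q", counter)
    return hmac.new(key, message, hashlib.sha256).digest()


class TunnelSender:
    """Builds tunnel data frames; counter = frames previously transmitted."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._sent = 0

    def seal(self, packet: bytes) -> bytes:
        digest = frame_digest(self._key, packet, self._sent)
        self._sent += 1
        return digest + packet  # hypothetical layout: digest field, then packet


class TunnelReceiver:
    """Verifies frames against its own count of frames accepted so far."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._received = 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < DIGEST_LEN:
            raise ValueError("frame shorter than digest field")
        digest, packet = frame[:DIGEST_LEN], frame[DIGEST_LEN:]
        expected = frame_digest(self._key, packet, self._received)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(digest, expected):
            raise ValueError("digest mismatch: altered, replayed or out of order")
        self._received += 1  # advance only after a frame verifies
        return packet


def classify(receiver: TunnelReceiver, frame: bytes) -> str:
    try:
        receiver.open(frame)
        return "accepted"
    except ValueError:
        return "rejected"


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, for illustration only
    sender = TunnelSender(key)
    frames = [sender.seal(p) for p in (b"packet-0", b"packet-1", b"packet-2")]

    receiver = TunnelReceiver(key)
    results = {"in_order": classify(receiver, frames[0])}

    tampered = bytearray(frames[1])
    tampered[-1] ^= 0x01  # flip one payload bit in transit
    results["tampered"] = classify(receiver, bytes(tampered))

    results["replayed"] = classify(receiver, frames[0])  # old counter value
    results["skipped"] = classify(receiver, frames[2])   # frame 1 still missing
    results["next"] = classify(receiver, frames[1])      # the frame actually due
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the receiver's count must match the sender's, a single lost or reordered frame makes every later digest fail, which is why this construction depends on the guaranteed, in-order delivery the text calls for.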
`
The new pseudo network adapter further includes an interface into a transport layer of the local communications protocol stack for capturing received data packets from the remote server node, and a receive path for processing received data packets captured from the transport layer of the local communications protocol stack. The receive path includes a decapsulation engine, and a decryption engine, and passes the decrypted, decapsulated data packets back to the local communications protocol stack for delivery to a user.

Thus there is disclosed a new pseudo network adapter providing a virtual private network having dynamically determined end points to support users in a mobile computing environment. The new pseudo network adapter provides a system for capturing a fully formed frame prior to transmission. The new pseudo network adapter appears to the communications protocol stack of the station as an interface to an actual physical device. The new pseudo network adapter further includes encryption capabilities to conveniently provide secure communications between tunnel end points using stream mode encryption or cipher block chaining over multiple packets.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
A more detailed understanding of the invention may be had from the following description of a preferred embodiment, given by way of example and to be understood in conjunction with the accompanying drawing in which:

Fig. 1 is a block diagram showing the Open Systems Interconnection (OSI) reference model;

Fig. 2 is a block diagram showing the TCP/IP internet protocol suite;

Fig. 3 is a block diagram showing an exemplary embodiment of a tunnel connection across a public network between two tunnel servers;

Fig. 4 is a flow chart showing an exemplary embodiment of steps performed to establish a tunnel connection;

Fig. 5 is a flow chart showing an exemplary embodiment of steps performed to perform session key management for a tunnel connection;

Fig. 6 is a block diagram showing an exemplary embodiment of a relay frame;

Fig. 7 is a block diagram showing an exemplary embodiment of a connection request frame;

Fig. 8 is a block diagram showing an exemplary embodiment of a connection response frame;

Fig. 9 is a block diagram showing an exemplary embodiment of a data frame;

Fig. 10 is a block diagram showing an exemplary embodiment of a close connection frame;

Fig. 11 is a state diagram showing an exemplary embodiment of a state machine forming a tunnel connection in a network node initiating a tunnel connection;

Fig. 12 is a state diagram showing an exemplary embodiment of a state machine forming a tunnel connection in a server computer;

Fig. 13 is a state diagram showing an exemplary embodiment of a state machine forming a tunnel connection in a relay node;

Fig. 14 is a block diagram showing an exemplary embodiment of a tunnel connection between a client computer (tunnel client) and a server computer (tunnel server);

Fig. 15 is a block diagram showing an exemplary embodiment of a pseudo network adapter;

Fig. 16 is a block diagram showing an exemplary embodiment of a pseudo network adapter;

Fig. 17 is a flow chart showing steps performed by an exemplary embodiment of a pseudo network adapter during packet transmission;

Fig. 18 is a flow chart showing steps performed by an exemplary embodiment of a pseudo network adapter during packet receipt;

Fig. 19 is a data flow diagram showing data flow in an exemplary embodiment of a pseudo network adapter during packet transmission;

Fig. 20 is a data flow diagram showing data flow in an exemplary embodiment of a pseudo network adapter during packet receipt;

Fig. 21 is a diagram showing the movement of encrypted and unencrypted data in an exemplary embodiment of a system including a pseudo network adapter;

Fig. 22 is a diagram showing the movement of encrypted and unencrypted data in an exemplary embodiment of a system including a pseudo network adapter; and
`
`Fig. 23 is a flow chart showing steps initialization of
`an examplary embodiment of a system including
