Attorney Docket No. 077580-0089

In the Reexamination of:

Edmund Munger, et al.

U.S. Patent No.: 6,502,135
Filed: February 15, 2000
Issued: December 31, 2002

For: AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS WITH ASSURED SYSTEM AVAILABILITY

Reexamination Proceeding
Control No.: 95/001,269
Filed: December 8, 2009

Examiner: Andrew L. Nalven

Group Art Unit: 3992

Declaration of Jason Nieh, Ph.D., Pursuant to 37 C.F.R. § 1.132
`
Pursuant to 37 C.F.R. § 1.132, I declare that the following statements are true to the best of my knowledge, information, and belief, formed after reasonable inquiry under the circumstances.
`
Background
`
1. I have over 15 years of experience with operating systems and distributed systems. More specifically, my experience includes remote access, computer networking, and computer security. Examples of my experience are evidenced by my publication of papers in top-tier networking and security conferences, service on programming committees for networking and security conferences, awards for research work, and receipt of research grants in the field of networking and security. My qualifications, including a description of all of this information, may be found in my curriculum vitae, which is attached hereto as Exhibit A.
`
2. I earned a Bachelor of Science degree from the Massachusetts Institute of Technology in Electrical Engineering in 1989. I earned a Masters of Science degree from Stanford University in Electrical Engineering in 1990. I also received my Ph.D. in Electrical Engineering from Stanford University in 1999.
`
EXHIBIT A-3

Petitioner Apple - Ex. 1051, p. 1

Control No.: 95/001,269
Declaration of Jason Nieh, Ph.D.
`
3. I joined Columbia University as a faculty member in 1999, where I am now a tenured Associate Professor in the Department of Computer Science. I am also currently the director of the Network Computer Laboratory at Columbia University.
`
4. My research interests include mobile computing, operating systems, distributed systems, thin-client computing, web and multimedia systems, and performance evaluation. I have supervised a number of Ph.D. students who worked on and completed dissertations in the area of networking and security. I also teach courses in advanced operating systems and mobile computing, both of which involve computer networking and security.
`
5. I have also served as an expert in various litigations in the fields of computer networking and security, which include virtual private networking.
`
Resources I have Consulted
`
6. I have been retained by the Patent Owner, Virnetx, Inc., to offer my opinion of the patentability of claims 1, 3, 4, 6-10, and 12 of U.S. Patent Number 6,502,135 ("the '135 Patent") in view of the Office Action dated January 15, 2010 ("the Office Action") received by the Patent Owner in the reexamination of the '135 Patent.
`
7. In preparing this declaration, I have reviewed the '135 Patent, including the claims. I have also reviewed the outstanding Office Action. I have also reviewed the Request for Inter Partes Reexamination of Patent ("the Request") to the extent it is adopted by the Office Action. I have also reviewed Appendix A to the Request ("Appendix A") to the extent that it is adopted in the Office Action. Lastly, I have reviewed Aventail Connect v3.1/v2.6 Administrator's Guide ("Aventail"), the reference upon which the rejection in the Office Action is based.
`
8. A detailed explanation of the basis for my opinions is set forth in the remainder of this declaration. I provide here a brief description of the system disclosed in Aventail.
`
Detailed Basis for My Opinion
`
9. As I stated above, I have read the '135 Patent, including the claims, and understand independent claim 1 to recite "[a] method of transparently creating a virtual private network (VPN) between a client computer and a target computer, comprising the steps of: (1) generating from the client computer a Domain Name Service (DNS) request that requests an IP address corresponding to a domain name associated with the target computer, (2) determining whether the DNS request transmitted in step (1) is requesting access to a secure web site; and (3) in response to determining that the DNS request in step (2) is requesting access to a secure target web site, automatically initiating the VPN between the client computer and the target computer."
`
10. Similarly, I understand independent claim 10 to recite "[a] system that transparently creates a virtual private network (VPN) between a client computer and a secure target computer, comprising: a DNS proxy server that receives a request from the client computer to look up an IP address for a domain name, wherein the DNS proxy server returns the IP address for the requested domain name if it is determined that access to a non-secure web site has been requested, and wherein the DNS proxy server generates a request to create the VPN between the client computer and the secure target computer if it is determined that access to a secure web site has been requested; and a gatekeeper computer that allocates resources for the VPN between the client computer and the secure web computer in response to the request by the DNS proxy server."
`
11. After reviewing the Aventail reference, I understand Aventail to disclose a system for transmitting data between two computers using the SOCKS protocol. The system according to Aventail routes certain, predefined network traffic from a WinSock (Windows sockets) application to an extranet (SOCKS) server, possibly through successive servers. Upon receipt of the network traffic, the SOCKS server then transmits the network traffic to the Internet or external network. Aventail's disclosure is limited to connections created at the socket layer of the network architecture.
`
12. I note that pages 9-12 of Aventail discuss the basics of the operation of Aventail Connect, the software necessary to implement the system disclosed in Aventail. According to page 9 of Aventail, a component of the Aventail Connect software described in the reference resides between WinSock and the underlying TCP/IP stack. Accordingly, Aventail Connect is able to intercept all connection requests from the user, and determines whether each request matches local, preset criteria for redirection to a SOCKS server.
`
13. According to page 12 of Aventail, if redirection is appropriate, then Aventail Connect creates a false DNS entry to return to the requesting application. Aventail discloses that Aventail Connect then forwards the destination hostname identified in the DNS request to the extranet SOCKS server over a SOCKS connection.
`
14. Although Aventail is generally silent on the operation of the SOCKS server, I understand from page 12 that the SOCKS server performs the hostname resolution. Once the hostname is resolved, the user can transmit data over a SOCKS connection to the SOCKS server. The SOCKS server, then, separately relays that transmitted data to the target.
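The intercept-and-redirect behaviour described in paragraphs 12 through 14 (and the pass-through rule quoted from page 11 of Aventail in paragraph 32) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not Aventail's code and is not part of the declaration. The rule lists, the placeholder address pool and the hostnames are constructed for the example, and the SOCKS5 CONNECT encoding follows RFC 1928, in which address type 0x03 carries a domain name so that the SOCKS server, not the client, performs the resolution.

```python
"""Model of a socket-layer redirector of the kind the declaration describes:
intercept a name lookup, consult local redirection rules, hand the application
a placeholder ("false") address for redirected names, and later carry the
original hostname to the SOCKS server inside a SOCKS5 CONNECT request so that
the server performs the resolution.  Illustration only, not Aventail's code."""
import ipaddress
import socket
import struct
from fnmatch import fnmatchcase

# Constructed configuration for the example (hypothetical names).
LOCAL_DOMAINS = ["corp.example.internal"]         # "local domain strings"
REDIRECT_RULES = ["*.example.com", "*.internal"]   # "redirection rules"


class Redirector:
    def __init__(self, local_domains, rules, placeholder_net="10.254.0.0/16"):
        self.local_domains = [d.lower().strip(".") for d in local_domains]
        self.rules = [r.lower() for r in rules]
        # Pool of placeholder addresses returned to the application instead of
        # the real address; 10.254.0.0/16 is an arbitrary private range here.
        self._pool = ipaddress.ip_network(placeholder_net).hosts()
        self.placeholder_to_host = {}  # placeholder IP -> original hostname

    def should_redirect(self, hostname):
        """Local domains always pass through; otherwise any matching rule redirects."""
        host = hostname.lower().strip(".")
        if any(host == d or host.endswith("." + d) for d in self.local_domains):
            return False
        return any(fnmatchcase(host, rule) for rule in self.rules)

    def resolve(self, hostname, real_lookup=socket.gethostbyname):
        """Answer an intercepted name lookup.

        Non-redirected names go to the normal resolver, as if the redirector
        were not running.  Redirected names get a placeholder address, and the
        real name is remembered so the later connect() can be matched to it."""
        if not self.should_redirect(hostname):
            return real_lookup(hostname)
        placeholder = str(next(self._pool))
        self.placeholder_to_host[placeholder] = hostname
        return placeholder

    def socks5_connect_request(self, placeholder_ip, port):
        """Build the SOCKS5 CONNECT (RFC 1928 section 4) for a redirected
        connection, using ATYP 0x03 (domain name) so the SOCKS server resolves
        the hostname.  Raises KeyError if the address was not one we issued."""
        name = self.placeholder_to_host[placeholder_ip].encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 domain-name form")
        # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, LEN, name, DST.PORT (network order)
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_connect(request):
    """What the SOCKS server sees: the original hostname and port, never the
    placeholder address the client application was given."""
    ver, cmd, rsv, atyp = request[:4]
    if (ver, cmd, rsv, atyp) != (5, 1, 0, 3):
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = request[4]
    if len(request) != 7 + n:
        raise ValueError("malformed CONNECT request length")
    host = request[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", request[5 + n:7 + n])
    return host, port


if __name__ == "__main__":
    r = Redirector(LOCAL_DOMAINS, REDIRECT_RULES)
    # Constructed stand-in for the real resolver so the demo runs offline.
    stub_dns = lambda h: "192.0.2.1"
    print(r.resolve("host.corp.example.internal", stub_dns))  # local: passed through
    placeholder = r.resolve("www.example.com", stub_dns)      # redirected
    req = r.socks5_connect_request(placeholder, 443)
    print(placeholder, req.hex(), parse_socks5_connect(req))
```

Two points the code makes concrete: the application only ever sees the placeholder address for a redirected name, so anything that embeds or compares addresses gets the false value, and the SOCKS server receives a hostname rather than an address, which is why resolution happens on the server side of the relay.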
`
15. Page 12 of the Request also cites to the "Proxy Chaining" and "MultiProxy" modes disclosed in Aventail at pages 68-73. I have reproduced below a figure taken from page 72 of Aventail depicting these two modes.

[Figure reproduced from page 72 of Aventail depicting the Proxy Chaining and MultiProxy modes]
`
`
`
16. In the "Proxy Chaining" mode, Aventail indicates that a user can communicate with a target via a number of proxies such that each proxy server acts as a client to the next downstream proxy server. As shown above, in this mode, the user does not communicate directly with the proxy servers other than the one immediately downstream from it.
`
17. In the "MultiProxy" mode, Aventail indicates that the user, via Aventail Connect, authenticates with each successive proxy server directly.
`
18. Regardless of whether one of these modes is enabled, as shown in the figure, an external SOCKS server is necessary and the operation of Aventail Connect, for the purposes of my opinion, does not materially differ based on whether one of these modes is enabled.
`
Aventail has not been shown to disclose a virtual private network according to claim 1.
`
19. Aventail has not been shown to disclose the VPN claimed in claim 1 of the '135 Patent for at least three reasons.
`
20. First, Aventail has not been shown to demonstrate that computers connected via the Aventail system are able to communicate with each other as though they were on the same network. Aventail discloses establishing a point-to-point SOCKS connection between a client computer and a SOCKS server. According to Aventail, the SOCKS server then relays data received to the intended target. Aventail does not disclose a VPN, where data can be addressed to one or more different computers across the network, regardless of the location of the computer.
`
21. For example, suppose two computers, A and B, reside on a public network. Further, suppose two computers, X and Y, reside on a private network. If A establishes a VPN connection with X and Y's network to address data to X, and B separately establishes a VPN connection with X and Y's network to address data to Y, then A would nevertheless be able to address data to B, X, and Y without additional set up. This is true because A, B, X, and Y would all be a part of the same VPN.
`
22. In contrast, suppose, according to Aventail, which only discloses communications at the socket layer, A establishes a SOCKS connection with a SOCKS server for relaying data to X, and B separately establishes a SOCKS connection with the SOCKS server for relaying data to Y. In this situation, not only would A be unable to address data to Y without establishing a separate SOCKS connection (the alleged VPN according to the Office Action), but A would be unable to address data to B over the secure connection. This is one example of how the cited portions of Aventail fail to disclose a VPN.
`
23. Second, according to Aventail, Aventail Connect's fundamental operation is incompatible with users attempting to transmit data that is sensitive to network information. As I stated above, Aventail discloses that Aventail Connect operates between the WinSock and TCP/IP layers. The figure I have reproduced below from page 9 of Aventail depicts this operation.

[Figure reproduced from page 9 of Aventail depicting Aventail Connect operating between WinSock and the TCP/IP stack]

`
24. Because Aventail discloses that Aventail Connect operates between these layers, Aventail Connect can intercept DNS requests requested by the user. Aventail discloses that Aventail Connect intercepts certain DNS requests, and returns a false DNS response to the user if the requested hostname matches a hostname on a user-defined list. Accordingly, Aventail discloses that the user will receive false network information from Aventail Connect for these hostnames.
`
25. If the client computer hopes to transfer to the target data that is sensitive to network information, this falsification of network information would prevent the correct transfer of data. A client and target connected according to Aventail would be unable to transfer data as they otherwise would have been had they been on the same network. Thus, Aventail has not been shown to disclose a VPN.
`
26. Third, Aventail has not been shown to disclose a VPN because computers connected according to Aventail do not communicate directly with each other. Aventail discloses a system where a client on a public network transmits data to a SOCKS server via a singular, point-to-point SOCKS connection at the socket layer of the network architecture. The SOCKS server then relays that data to a target computer on a private network on which the SOCKS server also resides. All communications between the client and target stop and start at the intermediate SOCKS server. The client cannot open a connection with the target itself. Therefore, one skilled in the art would not have considered the client and target to be virtually on the same private network. Instead, the client computer and target computer would have been understood to be deliberately separated by the intermediate SOCKS server.
`
27. For the reasons stated above, I do not believe that Aventail has been shown to teach or disclose the "VPN" recited in claim 1. Because claims 2, 4, and 6-9 depend from claim 1, I also do not believe that Aventail has been shown to teach or disclose the inventions claimed in claims 2, 4, and 6-9.
`
Aventail has not been shown to disclose a virtual private network according to claim 10.
`
28. As I stated above, independent claim 10 similarly recites a "VPN between a client computer and the secure target computer." For at least the reasons I have stated above, I do not believe that Aventail has been shown to teach or disclose the invention recited in claim 10.
`
29. Because claim 12 depends from claim 10, I also do not believe that Aventail has been shown to teach or disclose the invention claimed in claim 12.
`
Aventail has not been shown to teach a DNS proxy server according to claim 10.
`
30. As I stated above, claim 10 recites a "DNS proxy server" that 1) "returns the IP address for the requested domain name if it is determined that access to a non-secure web site has been requested" and that 2) also "generates a request to create the VPN . . . if it is determined that access to a secure web site has been requested."
`
31. The Office Action and Request allege that Aventail Connect is the claimed DNS proxy server.
`
32. As I have stated previously, Aventail discloses that Aventail Connect intercepts all DNS requests. According to Aventail, at page 11, "[i]f the hostname matches a local domain string or does not match a redirection rule, Aventail Connect passes the name resolution query through to the TCP/IP stack on the local workstation. The TCP/IP stack performs the lookup as if Aventail Connect were not running." Thus, Aventail discloses that Aventail Connect does not return the IP address if the DNS request requests the address for a non-secure web site. As such, Aventail Connect does not correspond to the DNS proxy server recited in claim 10.
`
33. For at least this reason, I do not believe that Aventail has been shown to teach or disclose the invention recited in claim 10. Because claim 12 depends from claim 10, I also do not believe that Aventail has been shown to teach or disclose the invention claimed in claim 12.
`
Truth and Accuracy of Statements
`
34. I further declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that willful false statements or the like may jeopardize the validity of the application or any patent issuing thereon.
`
Signed at New York, New York this 3§ 'th day of April, 2010.
`
Jason Nieh, Ph.D.