Filed on behalf of: VirnetX Inc.
By:
Joseph E. Palys
Paul Hastings LLP
875 15th Street NW
Washington, DC 20005
Telephone: (202) 551-1996
Facsimile: (202) 551-0496
E-mail: josephpalys@paulhastings.com

Naveen Modi
Paul Hastings LLP
875 15th Street NW
Washington, DC 20005
Telephone: (202) 551-1990
Facsimile: (202) 551-0490
E-mail: naveenmodi@paulhastings.com

Paper No.
Filed: February 5, 2015

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

APPLE INC.
Petitioner

v.

VIRNETX INC.
Patent Owner

Case IPR2014-00237
Patent 8,504,697

Patent Owner’s Demonstrative Exhibits

Inter Partes Review of
U.S. Patent No. 8,504,697
Case No. IPR2014-00237
Case No. IPR2014-00238

Background

[Figure: front page of U.S. Patent No. 8,504,697]

1. A method of connecting a first network device and a second network device, the method comprising:
intercepting, from the first network device, a request to look up an internet protocol (IP) address of the second network device based on a domain name associated with the second network device;
determining, in response to the request, whether the second network device is available for a secure communications service; and
initiating a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service;
wherein the secure communications service uses the secure

16. A system for connecting a first network device and a second network device, the system including one or more servers configured to:
intercept, from the first network device, a request to look up an internet protocol (IP) address of the second network device based on a domain name associated with the second network device;
determine, in response to the request, whether the second network device is available for a secure communications service; and
initiate a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service.

- IPR2014-00237
— Claims 1-11, 14-25, and 28-30 are anticipated by Beser
— Claims 1-11, 14-25, and 28-30 are obvious over Beser in view of RFC 2401

- IPR2014-00238
— Claims 1-3, 8-11, 14-17, 22-25, and 28-30 are anticipated by Wesinger

Claim Construction

Patent Owner’s Proposed Construction: A direct communication link that provides data security through encryption

Apple’s Proposed Construction: A communication link in which computers privately and directly communicate with each other on insecure paths between the computers where the communication is both secure and anonymous, and where the data transferred may or may not be encrypted

Board’s Preliminary Construction: A transmission path that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping

Patent Owner Response at 10

- Decision

Based on the foregoing, using a plain and ordinary construction in light of the ’697 Patent, the broadest reasonable construction of the term “secure communication link” is a transmission path that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping.

Decision at 10

- Patent Owner’s Response

The Decision’s construction is also technically flawed.—

- Prosecution History: Patent Owner’s Response to Office Action of Dec. 29, 2011

Ex. 1056 at 25, Patent Owner’s Response to Office Action of Dec. 29, 2011

- Apple’s Petition

In the grandparent of the present patent (i.e., the ’504 patent),-

Case 6:10-cv-00417-LED Document 541 Filed 10/04/12 Page 1 of 1 PageID #: 19045

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF TEXAS
TYLER DIVISION

VIRNETX INC.,
Plaintiff,
vs.
[illegible]
Defendants.

Before the Court is Defendants’ [illegible]

In light of VirnetX’s Notice of Non-Opposition to Defendant’s Motion for Reconsideration (Docket No. 424), the Court GRANTS Defendants’ Motion for Reconsideration (Docket No. 366). The term “secure communication link” is construed to mean “a direct communication link that provides data security through encryption.”

So ORDERED and SIGNED this 4th day of October, 2012.

LEONARD DAVIS

Patent Owner’s Proposed Construction: No construction necessary; alternatively, receiving a request to look up an internet protocol address and, apart from resolving it into an address, performing an evaluation on it related to establishing a secure communication link

Apple’s Proposed Construction: A proxy computer or device receiving and acting on a request sent by a first computer that was intended for another computer

Board’s Preliminary Construction: Receiving a request pertaining to a first entity at another entity

Patent Owner Response at 23

- Patent Owner’s Response

However, the ’697 patent goes on to explain that the claimed embodiments differ from conventional DNS, in part, because they apply an additional layer of functionality to a request to look up a network address beyond merely resolving it and returning the network address. (Ex. 2025 at 17, ¶ 24, Monrose Decl.) For

Patent Owner Response at 25

Patent Owner’s Proposed Construction: No construction proposed

Apple’s Proposed Construction: No construction proposed

Board’s Preliminary Construction: Includes determining one or more of 1) whether the device is listed with a public internet address, and if so, allocating a private address for the second network device, or 2) some indication of the relative permission level or security privileges of the requester

Patent Owner Response at 27

- Decision

Based on the record, “determining, in response to the request, whether the second network device is available for a secure communications,” includes determining, one or more of 1) whether the device is listed with a public internet address, and if so, allocating a private address for the second network device, or 2) some indication of the relative permission level or security privileges of the requester.

Decision at 15

’697 Patent

According to one embodiment, DNS proxy 2610 intercepts all DNS lookup functions from client 2605 and— . . . If access to a secure site has been requested (as determined, for example, by a domain name extension, or by reference to an internal table of such sites), DNS proxy 2610 determines whether the user has sufficient security privileges to access the site.

Ex. 1001 at 40:31-37, ’697 Patent

- Decision

Based on the record, “determining, in response to the request, whether the second network device is available for a secure communications,” includes determining, one or more of 1) whether the device is listed with a public internet address, and if so, allocating a private address for the second network device, or 2) some indication of the relative permission level or security privileges of the requester.

Decision at 15

- Patent Owner’s Response

The —

—(Ex. 1001, claims 1 and 16, “whether the second network device is available for a secure communications service,” emphasis added), so the “determining” phrase need not be limited to the Decision’s determining “permission level or security privileges of the requester.”

Patent Owner’s Proposed Construction: No construction proposed

Apple’s Proposed Construction: No construction proposed

Board’s Preliminary Construction: A secure communication link with the additional requirement that the link includes a portion of a public network

Patent Owner Response at 19

Patent Owner’s Proposed Apple’s Proposed
Construction
Construction

Board’s Preliminary
Construction

The process of encoding
The process of encoding
No construction
data for transmission over data for transmission
necessary; alternatively,
a physical or
the process of encoding
data for transmission over electromagnetic medium
a medium by varying a
by varying a carrier signal
carrier signal

Preliminary Response at 28
Decision at 14

Patent Owner’s Proposed Construction: The functional configuration of a network device that enables it to participate in a secure communications link with another network device

Apple’s Proposed Construction: The functional configuration of a computer that enables it to participate in a secure communications link with another computer

Board’s Preliminary Construction: The functional configuration of a network device that enables it to participate in a secure communications link with another network device

Preliminary Response at 28
Decision at 14

Instituted Grounds

(IPR2014-00237)

- 35 U.S.C. § 102
— Claims 1-11, 14-25, and 28-30 are anticipated by Beser

- 35 U.S.C. § 103
— Claims 1-11, 14-25, and 28-30 are obvious over Beser in view of RFC 2401

[Figure: network diagram and message flow showing two private networks, the originating telephony device, the trusted-third-party network device, the second network device and the terminating telephony device, with the steps “select first private IP address” and “select second private IP address”]

- 35 U.S.C. § 102
— Claims 1-11, 14-25, and 28-30 are anticipated by Beser

1. A method of connecting a first network device and a second network device, the method comprising:
intercepting, from the first network device, a request to look up an internet protocol (IP) address of the second network device based on a domain name associated with the second network device;
determining, in response to the request, whether the second network device is available for a secure communications service; and
initiating a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service;
wherein the secure communications service uses the secure

Patent Owner’s Proposed Construction: No construction necessary; alternatively, receiving a request to look up an internet protocol address and, apart from resolving it into an address, performing an evaluation on it related to establishing a secure communication link

Apple’s Proposed Construction: A proxy computer or device receiving and acting on a request sent by a first computer that was intended for another computer

Board’s Preliminary Construction: Receiving a request pertaining to a first entity at another entity

Patent Owner Response at 23

- Decision

domain name associated with the second network device.” According to Mr. Fratto,— See Ex. 1003 ¶ 355. According further to Mr. Fratto, a router evaluates all traffic flowing through it, and if a packet contains a request for initiating an IP tunnel, it will send the request to trusted-third-party network device 30.

Decision at 20-21

Patent Owner’s Response

connection”) [illegible], even if it happens to include a domain name in some embodiments. [illegible], as recited in claim 1. (Ex. 2025 at 25, ¶ 40, Monrose Decl.) Whether the request includes a domain name or some other type of

Patent Owner Response at 37

[Figure: two flowcharts with the steps:
- Inform a trusted-third-party network device of the request on a public network
- Associate a public network address (in the second flowchart, a public IP address) for a second network device on the trusted-third-party network device
- Negotiate a first private network address (first private IP address) on the first network device and a second private network address (second private IP address) on the second network device through the public network]

- Decision

Mr. Fratto and Petitioner alternatively reason that—
because the request includes a unique identifier, including a domain name, that identifies the terminating end 26, or second network device, of the tunneling association, instead of the trusted-third-party. See Pet. 18-19; Ex. 1003 ¶¶ 305-306, 357-353. Pursuant to the request,— in part by looking up a public internet address based on the domain name associated with “second network device” 26, as claim 1 requires.

Device 30 Does Not Translate Domain Names to IP Addresses

- Patent Owner’s Response

Moreover, the trusted-third-party network device 30 does not perform any translation into an IP address of the domain name of the terminating device 26. (Ex. 2025 at 25-26, ¶ 41, Monrose Decl.) After being informed of the request, trusted-third-party network device 30 associates an identifier (e.g., a domain name) of terminating device 26 with a public IP address of a second network device 16.

Patent Owner Response at 37

A public IP 58 address for a second network device 16 is associated with the unique identifier for the terminating telephony device 26 at Step 116. The second network device

[Figure: Ex. 1009 at Fig. 7, flowchart with the steps:
- Start
- Communicate the first private network address from the first network device to the second network device through the public network
- Communicate the second private network address from the second network device to the first network device through the public network]

1. A method of connecting a first network device and a second network device, the method comprising:
intercepting, from the first network device, a request to look up an internet protocol (IP) address of the second network device based on a domain name associated with the second network device;
initiating a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service;

Patent Owner’s Proposed Construction: No construction proposed

Apple’s Proposed Construction: No construction proposed

Board’s Preliminary Construction: Includes determining one or more of 1) whether the device is listed with a public internet address, and if so, allocating a private address for the second network device, or 2) some indication of the relative permission level or security privileges of the requester

Patent Owner Response at 27

“determining, in response to the request, whether the second network device is available for a secure communications service”

- Apple’s Petition

Consequently, when methods shown in Beser are performed, they will necessarily determine if a second network device is available for secure communications.

Petition at 21

- Decision

On this record, Beser’s system satisfies the determining step, because as outlined above in the claim construction section, determining the availability of second network device 26 for secure communication service reasonably includes determining that the device has a private internet address assigned to it, and that

- Apple’s Petition

Consequently, when methods shown in Beser are performed,

Petition at 21

- Patent Owner’s Response

— in which “a domain name in a request is recognized by the trusted-third-party network device but does not map to a device requiring negotiation of an IP tunnel.” (Ex. 2025 at 23, ¶ 45, Monrose Decl.) -

- Decision

On this record, Beser’s system satisfies the determining step, because as outlined above in the claim construction section, determining the availability of second network device 26 for secure communication service reasonably includes

— See Pet. 19-21; Ex. 1003 ¶¶ 363-371.

Decision at 23

[Figure: Ex. 1009 at Fig. 7, flowchart with the steps:
- Start
- Communicate the first private network address from the first network device to the second network device through the public network
- Communicate the second private network address from the second network device to the first network device through the public network]

- Patent Owner’s Response

In particular, Beser’s tunnel-establishment process occurs in response to Beser’s request to initiate a tunnel, but that request is not a “DNS” request that might result in a domain name server performing Mr. Fratto’s “known DNS operations.” (Ex. 2025 at 31-32, ¶ 50, Monrose Decl.) Beser provides no teaching on this issue. Also,

— (Id.)

- Patent Owner’s Response

less be capable of carrying out Beser’s tunnel-establishment process. (Id.)

Patent Owner Response at 47,

- Decision

On this record, Beser’s system satisfies the determining step, because as outlined above in the claim construction section, determining the availability of second network device 26 for secure communication service reasonably includes

— See Pet. 19-21; Ex. 1003 ¶¶ 363-371.

Decision at 23

- Patent Owner’s Response

Beser discloses two items sent from first network device 24, but neither pertains to authorization. (Ex. 2025 at 32-33, ¶ 52, Monrose Decl.) —

— (i.e., the identifier indicating the end device with which the requesting device wishes to communicate).-

— (See, e.g., Ex. 1009 at 10:4-6; Ex. 2025 at 32-33, ¶ 52, Monrose Decl.)

Patent Owner Response at 48

The Bit Sequence Does Not Indicate Authorization of Device 24

- Patent Owner’s Response

The second is a bit sequence from device 24 that “indicates to the tunnelling application that it should examine the informing message for its content and not ignore the datagram.” (Ex. 1009 at 8:35-9:1; Ex. 2025 at 32-33, ¶ 52, Monrose Decl.) It says nothing about device 24’s authorization.

Patent Owner Response at 48

higher layer. For example, the indicator may be a distinctive sequence of bits at the beginning of a datagram that has been passed up from the network and transport layers. By methods known to those skilled in the art, the distinctive

Beser Does Not Disclose “initiating a secure communication link . . .”

1. A method of connecting a first network device and a second network device, the method comprising:
intercepting, from the first network device, a request to look up an internet protocol (IP) address of the second network device based on a domain name associated with the second network device;
determining, in response to the request, whether the second network device is available for a secure communications service; and
initiating a secure communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service;

Patent Owner’s Proposed Construction: A direct communication link that provides data security through encryption

Apple’s Proposed Construction: A communication link in which computers privately and directly communicate with each other on insecure paths between the computers where the communication is both secure and anonymous, and where the data transferred may or may not be encrypted

Board’s Preliminary Construction: A transmission path that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping

Patent Owner Response at 10

- Apple’s Petition

tunnel based on the results of that evaluation. Ex. 1003 at ¶¶ 302-309. Beser explains that
(i.e., under the IPsec protocol), and that encryption of the tunneling connection occurs automatically. Ex. 1003 at ¶¶ 268-

Petition at 22

- Decision

Based on the this determination of availability that involves negotiating between first and second network devices 24 and 26,—

- Apple’s Petition

tunnel based on the results of that evaluation. Ex. 1003 at ¶¶ 302-309. Beser explains that
(i.e., under the IPsec protocol), and that encryption of the tunneling connection occurs automatically. Ex. 1003 at ¶¶ 268-

Petition at 22

- Apple’s Previous Admission Regarding Beser

A person of ordinary skill in the art would have relied on Kent to
being sent in IP tunnels between a first and second network device in the IP tunneling procedures being described in Beser,-
Accordingly, Beser in view of Kent would have rendered obvious claim 1 under 35 U.S.C. § 103.

Ex. 2029 at 2, Apple’s Request for Inter Partes Reexamination in Control No. 95/001,682

See also PO Response at 51

Beser Teaches Away from Using Encryption

- Dr. Monrose’s Declaration

Given Beser’s extensive teaching away from encryption and its associated computational burdens, Beser never discloses using encryption or other similarly burdensome techniques for transmitting data through its tunnels.

Ex. 2025 at ¶ 56, Monrose Decl.

BACKGROUND OF THE INVENTION

packet that is transmitted on the public network. The tunneled IP packets, however, may need to be encrypted before the encapsulation in order to hide the source IP address.

- Decision

Based on the this determination of availability that involves negotiating between first and second network devices 24 and 26,—
or both, satisfying the last two clauses of claim 1 and similar clauses in claim 16.

Decision at 23

- Patent Owner’s Response

In the first cited passage, Beser discloses that —
to ensure that the unique identifier cannot be read on the public network.” (Ex. 1009 at 11:22-25.) These packets, however, are not communicated between device 24 and device 26 (i.e., over the tunnel). (Ex. 2025 at 35-36, ¶ 58, Monrose Decl.) Rather,—

—not over the tunnel after it is established. (See Ex. 1009 at 11:9-25; FIG.

Beser Does Not Teach Encryption of Audio/Video on the Tunnel

At Step 114, a trusted-third-party network device 30 is informed of the request on the public network 12. The informing step may include one or multiple transfer of IP 58 packets across the public network 12. The public network 12 may include the Internet. For each transfer of a packet from the first network device 14 to the trusted-third-party network device 30, the first network device 14 constructs an IP 58 packet. The header 82 of the IP 58 packet includes the public network 12 address of the trusted-third-party network device 30 in the destination address field 90 and the public network 12 address of the first network device 14 in the source address field 88. At least one of the IP 58 packets includes the unique identifier for the terminating telephony device 26 that had been included in the request message. The IP 58 packets may require encryption or authentication to ensure

[Figure: diagram labeled with the originating telephony device, the trusted-third-party network device, the second network device and the terminating telephony device]

However, accumulating all the packets from one source address may provide the hacker with sufficient information to decrypt the message. Moreover, encryption at the source and decryption at the destination may be infeasible for certain data formats. For example, streaming data flows, such as multimedia or Voice-over-Internet-Protocol (“VoIP”), may require a great deal of computing power to encrypt or decrypt the IP packets on the fly. The increased strain on computer power may result in jitter, delay, or the

- Patent Owner’s Response

First, even if Beser had incorporated IPsec by reference,

— This explains why Beser never mentions using IPsec or encryption for any data on its tunnels.

Second
“To incorporate matter by reference, a host document must contain language ‘clearly identifying the subject matter which is incorporated and where it is to be found’; a ‘mere reference to another application, or patent, or

2. The method of claim 1, wherein at least one of the video data and the audio data is encrypted over the secure communication link.

Ex. 1001, ’697 Patent, Claim 2

24. The system of claim 16, wherein at least one of the video data and the audio data is encrypted over the secure communication link.

Ex. 1001, ’697 Patent, Claim 24

- Apple’s Previous Admission Regarding Beser

A person of ordinary skill in the art would have relied on Kent to
being sent in IP tunnels between a first and second network device in the IP tunneling procedures being described in Beser,—
Accordingly, Beser in view of Kent would have rendered obvious claim 1 under 35 U.S.C. § 103.

Ex. 2029 at 2, Apple’s Request for Inter Partes Reexamination in Control No. 95/001,682.

See also PO Response at 51

Beser Teaches Away from Using Encryption

- Dr. Monrose’s Declaration

Given Beser’s extensive teaching away from encryption and its associated computational burdens, Beser never discloses using encryption or other similarly burdensome techniques for transmitting data through its tunnels.

Ex. 2025 at ¶ 56, Monrose Decl.

BACKGROUND OF THE INVENTION

packet that is transmitted on the public network. The tunneled IP packets, however, may need to be encrypted before the encapsulation in order to hide the source IP address.

- Patent Owner’s Response

In the first cited passage, Beser discloses that —
to ensure that the unique identifier cannot be read on the public network.” (Ex. 1009 at 11:22-25.) These packets, however, are not communicated between device 24 and device 26 (i.e., over the tunnel). (Ex. 2025 at 35-36, ¶ 58, Monrose Decl.) Rather,—

—not over the tunnel after it is established. (See Ex. 1009 at 11:9-25; FIG.

Beser Does Not Teach Encryption of Audio/Video on the Tunnel

At Step 114, a trusted-third-party network device 30 is informed of the request on the public network 12. The informing step may include one or multiple transfer of IP 58 packets across the public network 12. The public network 12 may include the Internet. For each transfer of a packet from the first network device 14 to the trusted-third-party network device 30, the first network device 14 constructs an IP 58 packet. The header 82 of the IP 58 packet includes the public network 12 address of the trusted-third-party network device 30 in the destination address field 90 and the public network 12 address of the first network device 14 in the source address field 88. At least one of the IP 58 packets includes the unique identifier for the terminating telephony device 26 that had been included in the request message. The IP 58 packets may require encryption or authentication to ensure

[Figure: diagram labeled with the originating telephony device, the trusted-third-party network device, the second network device and the terminating telephony device]

However, accumulating all the packets from one source address may provide the hacker with sufficient information to decrypt the message. Moreover, encryption at the source and decryption at the destination may be infeasible for certain data formats. For example, streaming data flows, such as multimedia or Voice-over-Internet-Protocol (“VoIP”), may require a great deal of computing power to encrypt or decrypt the IP packets on the fly. The increased strain on computer power may result in jitter, delay, or the

- Patent Owner’s Response

First, even if Beser had incorporated IPsec by reference,

— This explains why Beser never mentions using IPsec or encryption for any data on its tunnels.

Second
“To incorporate matter by reference, a host document must contain language ‘clearly identifying the subject matter which is incorporated and where it is to be found’; a ‘mere reference to another application, or patent, or

3. The method of claim 1, wherein the secure communication link is a virtual private network communication link.

Ex. 1001, ’697 Patent, Claim 3

Beser Criticizes VPNs

BACKGROUND OF THE INVENTION

One method of thwarting the hacker is to establish a Virtual Private Network (“VPN”) by initiating a tunneling connection between edge routers on the public network. For example, tunneling packets between two end-points over a public network is accomplished by encapsulating the IP packet to be tunneled within the payload field for another packet that is transmitted on the public network. The tunneled IP packets, however, may need to be encrypted before the encapsulation in order to hide the source IP address. Once again, due to computer power limitations, this form of tunneling may be inappropriate for the transmission of

- 35 U.S.C. § 103
— Claims 1-11, 14-25, and 28-30 are obvious over Beser in view of RFC 2401

Decision at 33

- Dr. Monrose’s Declaration

- Beser acknowledges the existence of the IPsec protocol, but then recognizes its problems for