IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Patent of: Smethurst et al.
U.S. Patent No.: 7,224,668
Issue Date: May 29, 2007
Appl. Serial No.: 10/307,154
Filing Date: Nov. 27, 2002
Title: CONTROL PLANE SECURITY AND TRAFFIC FLOW MANAGEMENT
Atty Docket No.: 40963-0006IP1
ARISTA-1002

DECLARATION OF BILL LIN

My name is Dr. Bill Lin. I am a professor of electrical and computer engineering at the University of California, San Diego. I understand that I am submitting a declaration in connection with Inter Partes review (“IPR”) proceedings before the United States Patent and Trademark Office for U.S. Patent Number 7,224,668 (“the ’668 Patent”).

I have been retained on behalf of Arista Networks, Inc. (“Arista”). My compensation is not based on the outcome of my opinions.

I have reviewed the ’668 Patent, including the claims of the patent in view of the specification and the file history. In addition, I have reviewed the following documents:

U.S. Patent No. 6,674,743 (“Amara”)
U.S. Patent No. 6,970,943 (“Subramanian”)
U.S. Patent No. 6,460,146 (“Moberg”)
U.S. Patent No. 6,115,378 (“Hendel”)
IETF RFC 2661, “Layer Two Tunneling Protocol ‘L2TP’,” retrieved from http://www.rfc-editor.org/rfc/rfc2661.txt (“IETF RFC 2661”)
IETF RFC 792, “Internet Control Message Protocol,” retrieved from http://www.rfc-editor.org/rfc/rfc792.txt (“IETF RFC 792”)
Joe Habraken, Practical Cisco Routers, QUE Corporation, 1999 (“Habraken”)

My curriculum vitae (“CV”) is provided as an Exhibit.

I received a Bachelor of Science in Electrical Engineering and Computer Sciences from University of California, Berkeley in May 1985; a Masters of Science in Electrical Engineering and Computer Sciences from the University of California, Berkeley in May 1988; and a Ph.D. in Electrical Engineering and Computer Sciences from the University of California, Berkeley in May 1991.

I served as the Head of Research of the Systems Control and Communications Group of IMEC Research Laboratory, Leuven, Belgium from February, 1992 – December, 1996. I also have served or am currently serving as Associate Editor or Guest Editor on 2 ACM or IEEE journals, an Associate Editor on the International Journal of Embedded Systems, as General Chair on 4 ACM or IEEE conferences, on the Organizing or Steering Committees for 6 ACM or IEEE conferences, and on the Technical Program Committees of over 40 ACM or IEEE conferences.

I am a named inventor on five patents in the field of computer networking, and have published over 160 journal articles and conference papers in top-tier venues and publications.

The ’668 Patent issued from U.S. application number 10/307,154, which was filed on November 27, 2002. The ’668 Patent does not include a priority claim. It is therefore my understanding that the filing date of November 27, 2002 (hereinafter the “Critical Date”) represents the earliest possible priority date to which the ’668 Patent is entitled.

A person of ordinary skill in the art as of the Critical Date (hereinafter a “POSITA”) would have had a Masters of Science Degree (or a similar technical Masters Degree, or higher degree) in an academic area emphasizing computer networking or, alternatively, a Bachelor Degree (or higher degree) in an academic area emphasizing the design of electrical, computer, or software engineering and having several years of experience in computer network engineering and the design of computer networks. Additional education in a relevant field, such as computer science, computer engineering, or electrical engineering, or industry experience may compensate for a deficit in one of the other aspects of the requirements stated above.

I am familiar with the knowledge and capabilities of one of ordinary skill in these areas, and notably with designing computer communications networks and computer architecture problems, including the design of data networks, high-performance switches and routers, many-core processors and systems-on-chip, and ASIC chip designs and studying their interaction with people in experimental and real-world environments. Specifically, my experience working with industry, with undergraduate and post-graduate students, with colleagues from academia, and with engineers practicing in industry has allowed me to become directly and personally familiar with the level of skill of individuals and the general state of the art. Unless otherwise stated, my testimony below refers to the knowledge of one of ordinary skill in the fields as of the Critical Date, or before.

This declaration is organized as follows:

I. Brief Overview of the ’668 Patent
II. Terminology
III. Discussion of References
IV. Legal Principles
VII. Additional Remarks

I. Brief Overview of the ’668 Patent

The ’668 patent describes an internetworking device, such as a router, that routes packets received at the device towards their destination. An internetworking device 100 of the ’668 patent is illustrated in Figure 1:

The internetworking device 100 includes two logical components: a data forwarding plane 135 and a control plane 150. The ’668 Patent at 3:22-34; 5:5-21. The data plane 135 is composed of physical interface ports 120, line cards 110, and a central switch engine 130. Id. at 5:5-9. The data plane 135 passes along, or “forwards,” packets received at the port interfaces 120 toward their ultimate destination. Id. at 1:54-56; 3:23-26; 5:8-9. The control plane 150 is “a collection of processes” 155 and is responsible for higher layer functions of the device, such as control and configuration of the internetworking device 100. Id. at 1:56-59; 3:26-31; 4:58-61; 5:10-23.

The internetworking device 100 applies port services to packets passing through the internetworking device 100. Id. at 6:1-44; 6:67-7:14. Port services are a set of policies or rules that are applied to the packets. Id. at 4:3-8; 6:4-7; 6:24-27; 9:1-4. Port services may include Quality of Service processing or packet rate-limiting. Id. at 4:6-8; 6:4-23. For example, “one policy may be to rate limit Telnet SYN packets to a specific rate that is a tolerable rate determined through a specific hardware configuration.” Id. at 4:6-8. Port services may be defined using class maps, policy maps, or access control lists. Id. at 7:19-20; 7:46-47.

The internetworking device applies different port services to different packet types. Id. at 3:56-58; 6:16-18; 6:41-43. Some of the packets received by the internetworking device are “normal transit packet[s],” which are destined for other devices connected to the internetworking device. Id. at 7:3-8. Other packets, however, are “control plane packets,” which are packets destined for the control plane so that the control plane can provide control and configuration of the internetworking device. Id. at 6:57-63; 5:56-58; 7:8-14. For example, “protocol control packets” may be destined for the control plane. Id. at 5:30-31; 8:34-49.

The internetworking device 100 includes “normal input and output port services” that are applied to normal transit packets. Id. at 6:41-43. The internetworking device 100 also includes control plane port services that are specifically for control plane packets. See id. at 7:5-14; 9:1-6. These control plane port services are applied only to packets destined to the control plane and not to normal transit packets that are forwarded out of the device. See, e.g., id. at 3:56-58; 6:16-18; 6:41-43; 7:5-14.

To this end, the internetworking device 100 includes the control plane port services 145 and a control plane port 140. The control plane port 140 “may or may not be a single physical port.” Id. 5:1-2. “For example, it may be a virtual address through which packets travel or are routed from the data plane 135 to the control plane 150.” Id. at 5:2-4. The packets bound for the control plane 150 are routed through the control plane port 140. Id. at 7:5-12; 9:1-6. The control plane port services 145 are only applied to those packets routed through the control plane port 140. Id. at 3:56-58; 6:16-18; 7:13-14.

Thus, during operation, a packet enters the internetworking device through one of the interface ports 120. Id. at 4:53-56. The associated “line card [110] detects [the] packet and delivers it to the central switch engine 130,” which makes a routing decision. Id. at 6:66-7:4. “In the case of a normal transit packet, the packet would be routed to a destination port 120 on an associated line card 110” and the control plane port services 145 are not applied to the packet. Id. at 7:5-7. “If, however, the packet is destined for a known control plane 150 address, or to an address not on a forwarding table 160, the packet is tagged as being destined to [the] control plane port.” Id. at 7:8-11. “The packet is then routed through the aggregate control plane port 140” and the “aggregate control plane port services [145 are applied to] the packet.” Id. 7:11-14. Because the “control plane port services” are applied only to packets passing through the control plane port, these services are only applied to control plane packets and not normal transit packets that are forwarded out of the device. See, e.g., id. at 3:56-58; 6:16-18; 6:41-43; 7:5-14.

II. Terminology

I am not a lawyer. However, I have been informed that, during an IPR proceeding involving the ’668 Patent, claim terminology is given the broadest reasonable interpretation at the time of the Critical Date. I have been informed that this means the claims should be interpreted as broadly as their terms reasonably allow, but that such interpretation should not be inconsistent with the patent’s specification and with usage of the terms by a POSITA when considering the broadest reasonable interpretation. I have used the Critical Date as the point in time for claim interpretation purposes, although in many cases the same analysis would hold true even at an earlier time than the Critical Date.

I have also been advised that a claim may be written in means-plus-function form, where the claim recites a means for performing a function. I have further been advised that this type of claim covers the specific structure disclosed in the patent specification for performing the claimed function, and the equivalents of that structure. The patent must disclose actual structure for performing the claimed function, and the structure may not be inferred, inherent, or incorporated by reference. A structure can be a physical apparatus, or an algorithm executing on a computing device if the claims involve software. For purposes of invalidity, I have been advised that to anticipate a means plus function claim, the prior art reference must disclose, expressly or inherently, the claimed function and the same or equivalent corresponding structure. A structure is equivalent if the two structures perform the identical function in substantially the same way to achieve substantially the same result. Structures are also equivalent if the differences between the two are insubstantial.

I have been informed that it would be useful to provide some guidance in this proceeding with respect to the terms below. As part of that, I considered the context of the terms within the claim, use of the terms within the specification, and my understanding of how a POSITA would have understood the terms as of the Critical Date.

I have considered interpretation of the term “specific, predetermined physical ports” as used in the ’668 Patent. From my review, I believe the term could be interpreted, under the broadest reasonable interpretation, broadly enough to encompass all ports of the internetworking device. I note that this term is not expressly defined in the ’668 Patent. My attention has been directed to claim 8, which is dependent on claim 1 and specifies that the “control plane port services” are implemented as “an aggregate control plane function,” which is apparently related to a case in which control plane port services are applied to all of the ports of the device. The ’668 Patent, 4:24-25; 6:48-61 (“The central, aggregate control plane services 145 provide a level of service (or control) for all packets received from any port on the device 100”). Thus, it seems that, under the broadest reasonable interpretation standard, the term “specific, predetermined physical ports” could be construed broadly enough to encompass all of the ports of the internetworking device.

Claim 37 recites “means for configuring a plurality of physical network interface ports.” I understand that Arista proposes that this term recites the function of “configuring a plurality of physical network interface ports” and, for the purposes of assessing anticipation and obviousness, that “control plane processes” should be considered as the corresponding structure. I agree that claim 37 at least indicates that “the ports [are] configurable by control plane processes.” I further understand that Arista proposes that the ’668 Patent discloses that the control plane processes can be implemented as software, but does not disclose a specific algorithm performed by the control plane processes for configuring the ports. I agree with this assessment. The ’668 Patent specifies that control plane processes can be implemented as software. The ’668 Patent, 4:62-64 (“control plane 150 processes could be implemented as software at any level of a system.”). But the ’668 Patent does not disclose a specific algorithm for configuring the ports.

Claim 37 recites “means for executing port services on packets entering and exiting the physical network interface ports.” I understand that Arista proposes that this term recites the function of “executing port services on packets entering and exiting the physical network interface ports” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a switch engine. I agree with that assessment in view of the ’668 Patent at Figs. 4 & 6; 6:67-7:2; 8:7-9.

Claim 37 recites “means for executing a plurality of control plane processes.” I understand that Arista proposes that this term recites the function of “executing a plurality of control plane processes” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a processor. I agree with that assessment in view of the ’668 Patent at 4:58-60; 4:62-64; 5:21-23.

Claim 37 recites “means for accessing the collection of control plane processes as a control plane port entity.” I understand that Arista proposes that this term recites the function of “accessing the collection of control plane processes as a control plane port entity” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a control plane port. I agree with that assessment in view of the ’668 Patent at 3:48-50; 4:65-5:4; 8:52-54.

Claim 37 recites “means for operating on packets received from specific, predetermined physical ports and destined to the collection of control plane processes in a way that is independent of the individual physical port interface configuration and port services applied thereto.” I understand that Arista proposes that this term recites the function of “operating on packets received from specific, predetermined physical ports and destined to the collection of control plane processes in a way that is independent of the individual physical port interface configuration and port services applied thereto” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a switch engine. I agree with that assessment in view of the ’668 Patent at Figs. 4 & 6; 8:12-15.

Claim 38 recites “means for processing packets originating at a plurality of physical ports, said means further comprising: means for passing packets through the control plane port, rather than directly from the physical ports to individual control plane processes.” I understand that Arista proposes that this term recites the two functions of: (1) “processing packets originating at a plurality of physical ports” and (2) “passing packets through the control plane port, rather than directly from the physical ports to individual control plane processes.” I agree with that assessment. I also understand that Arista proposes that the ’668 Patent does not disclose corresponding structure for these functions because the claim further specifies that “the control plane port additionally comprises” the means for processing packets. I agree with this assessment. The ’668 Patent does not describe any specific structure that is part of the control plane port that processes packets or that passes packets through the control plane port. I understand that, for the purposes of assessing anticipation and obviousness in this proceeding, Arista proposes that a switch engine should be considered the closest potentially corresponding structure.

Claim 43 recites “means for applying distributed control plane port services only to the packets received from the specific, pre-determined physical ports.” I understand that Arista proposes that this term recites the function of “applying distributed control plane port services only to the packets received from the specific, pre-determined physical ports” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a switch engine. I agree with this assessment in view of the ’668 Patent at Fig. 6; 8:12-15.

Claim 53 recites “means for applying port services to the control plane port additionally comprises means for applying services selected from a group consisting of Quality of Service functions, packet classification, packet marking, packet queuing, packet rate limiting, flow control, and other access policies for packets destined to the control plane port.” I understand that Arista proposes that this term recites two functions of: (1) “applying port services to the control plane port” and (2) “applying services selected from a group consisting of Quality of Service functions, packet classification, packet marking, packet queuing, packet rate limiting, flow control, and other access policies for packets destined to the control plane port” and that, to the extent the ’668 Patent discloses corresponding structure, the structure is a switch engine. I agree with that assessment in view of the ’668 Patent at Figs. 4 & 6; 8:12-15.

Claim 54 recites “means for configuring the control plane port services as an entity separate from physical port services.” I understand that Arista proposes that this term recites the function of “configuring the control plane port services as an entity separate from physical port services” and, for the purposes of assessing anticipation and obviousness, that “control plane processes” should be considered as the corresponding structure. I agree that, to the extent the ’668 Patent discloses corresponding structure, that structure is a control plane, which the ’668 Patent describes as a collection of processes. The ’668 Patent, 4:62-64; 5:10-17. I further understand that Arista proposes that the ’668 Patent discloses that the control plane processes can be implemented as software, but does not disclose a specific algorithm performed by the control plane processes for configuring the control plane port services as an entity separate from physical port services. I agree with this assessment. The ’668 Patent specifies that control plane processes can be implemented as software. See, the ’668 Patent 4:62-64 (“control plane 150 processes could be implemented as software at any level of a system.”). But the ’668 Patent does not disclose a specific algorithm for configuring the control plane port services.

III. Discussion of References

A. Amara

Amara describes a packet-forwarding device, such as a router, that routes packets received at the device towards their destination. Amara, 1:9-21; 4:15-21. A device 200 of Amara is illustrated in Figure 3:

Initially, I note that Figure 3 corresponds to an embodiment that extends the approach shown and described with respect to Figure 2. Id. at 5:51-54. In particular, the embodiment of Figure 3 extends that of Figure 2 by adding the policy engines 224-228 “to allow policies to be applied to the external packets as well as the internal packets.” Id. Since Amara describes Figure 3 as an extension of the approach shown in Figure 2, and because the description of Figure 3 does not appear to contradict anything described with respect to Figure 2, a POSITA would have understood that the description of the components shown in Figure 2 would apply to the same components shown in Figure 3.

The device 200 includes physical interface ports 202-206, packet classifiers 214-218, and a packet forwarder 222. See id. at Fig. 3; 5:53-62. The physical interface ports 202-206 “are able to transmit packets to and to receive packets from nodes [208-212],” which may be “either hosts or packet-forwarding devices, such as routers, that are connected to device [200] via digital networks.” Id. at 4:17-22. For example, in some cases, the device 200 is connected to another router or other device via a wide area network (WAN) and a host or other device via a local area network (LAN). Id. at 4:25-28. The packet classifiers 214-218 and packet forwarder 222 operate together to pass along, or “forward,” packets received at the interface ports 202-206 toward their ultimate destination. Id. at 5:58-62.

The device 200 also includes internal applications 230 that run on the device 200. Id. at 4:34-35. The internal applications 230 “serve to control or configure [the] device [200]” and thus are control plane processes that form a control plane. Id. at 4:34-35. A POSITA would have understood that the internal applications 230 are executed by a processor. See, e.g., Subramanian, Fig. 6, 7:29-37 (describing a control plane implemented by a processor); Habraken, pages 113; 126-128; 142. The internal applications “communicate with other devices remote to device 100, through the use of protocols such as PPTP, L2TP, SNMP or Telnet.” See id. at 4:36-43. A POSITA would have understood that Telnet is typically used for remote connection of a system administrator for configuring the device. See, e.g., Habraken, page 124; 143.

The device 200 further includes policy engines 224-228 and 232. The policy engines 224-228 and 232 apply policies to packets passing through the device 200. Id. at 6:9-14. In general, the policies “encompass any disposition of packets that involves more than simply routing them based on their destination addresses.” Id. at 1:34-36. For example, the policies may include “dropping [selected] packet[s], logging [selected] packet[s], encrypting or decrypting [selecting] packet[s], performing network address translation and/or port address translation on [selected] packet[s], and prioritizing [selected] packet[s] for QoS.” Id. at 1:36-38; 5:16-21. A POSITA would have understood that dropping selected packets or prioritizing selected packets each provide an ability to control packet flows. Similarly, a POSITA would have understood that logging selected packets provides an ability to monitor packet flows.

A POSITA would have understood that Amara describes the policies applied by the policy engines 224-228 and 232 as being controlled and configured by the internal applications 230 based, for example, on inputs from an administrator. In describing prior policy engines, Amara notes that policy engines are configurable and, in fact, multiple policy engines in a device may be separately configurable so as to apply different policies. Id. at 2:53-57. A POSITA would have understood that such policies are typically set in devices such as routers by a network administrator. See, e.g., Habraken, 144-145; 244-258. In fact, even the ’668 patent, in its discussion of FIG. 5, notes that such configuration commands for rate limiting are “familiar to network administrators.” The ’668 Patent, 7:23-26. To set such policies, administrators would often use a remote access application, for example Telnet, to instruct the internal applications running on the router to appropriately configure the router to enforce the policies. See, e.g., Habraken, 144-145; 244-258. Accordingly, based on Amara’s combined description of (1) the policy engines 224-228 and 232 with associated policies, (2) the internal applications serving to configure or control the device, and (3) the internal applications being remotely accessed using, for example, Telnet, a POSITA would have understood Amara as disclosing the policies being set by administrators remotely accessing the internal applications and sending commands to the internal applications, and the internal applications as a result configuring the device appropriately so that the policy engines 224-228 and 232 apply the policies. See, e.g., id. Further, the policies applied by the policy engine 232 may differ from the policies applied by the policy engines 224-228. Amara, 6:17-19. Since the policy engine 232 is separate from the policy engines 224-228 and may apply different policies than those policy engines 224-228, the policies of the policy engine 232 would be configured separately from the policies of the policy engines 224-228.

As Amara discloses, “packets received at interfaces [202-206]” are classified as “either internally-destined or external packets, based on the destination address of the packet.” Id. at 4:56-58. The “external packets” are those that are “destined for devices other than device [200]” and, in general, “have destination addresses that correspond to devices other than device [200].” Id. at 4:44-48; 4:61-63. In contrast, “internally-destined packets” are those packets that “have a destination address that is one of the addresses assigned to the device [200] itself,” which are then forwarded to the internal applications. Id. at 4:59-61; 5:5-6. Therefore, a POSITA would have understood that “internally-destined packets” are packets that are received at the interfaces 202-206 and destined for the internal applications 230.

The policy engines 224-228 execute and “apply policies to external packets.” Id. at 6:12-13. A separate policy engine 232 executes and applies policies to the internally-destined packets. Id. at 6:9-12. The policy engine 232 “does not apply [its] policies to the external packets.” Id. at 5:34-35. Instead, the policy engine 232 “[applies its policies] only to internal packets.” Id. at 5:43-44.

To this end, the device 200 also includes an internal interface 220, which corresponds to the control plane port of the ’668 Patent. Id. at 5:59-60. The internal interface 220 may be “a pseudo interface implemented by software, rather than a physical interface.” Id. at 4:67 to 5:2. The internally-destined packets (but not the external packets) received on interface ports 202-206 are routed through the internal interface 220, which then forwards the internally-destined packets to the policy engine 232. Id. at 5:63-67. Since only internally-destined packets are routed through the internal interface 220 to the policy engine 232, the policy engine 232 only applies its policies to the internally-destined packets but not to the external packets. Id. at 5:33-35; 6:9-16.

Accordingly, during operation, packets enter the device 200 through one of the interface ports 202-208, and are passed to a corresponding packet classifier 214-218. Id. at 4:55-59; 5:53-58. Packet classifiers 214-218 classify the packets “as either internally-destined packets or external packets, based on the packets destination addresses.” Id. at 4:56-59. As explained by Amara, that packet classifier 214-218 can do so because internally-destined packets “have a destination address that is one of the addresses assigned to the device [200] itself.” Id. at 4:59-61. A POSITA would have understood that such information (the addresses of the device itself) would be specified in the configuration of the device 200, at least so that the packet classifiers 214-218 could determine internally-destined packets based on this information. See, e.g., Habraken, pages 124; 134. Particularly, a POSITA would have understood that the device 200 would need to store its own addresses to perform typical router functions such as communicating its address information to the network and including its address information as the source address in the packet header of packets originating from the device 200. Id.

Furthermore, as noted above, Amara’s internal applications 230 communicate with remote devices using protocols such as L2TP, which is the Layer 2 Tunneling Protocol. A POSITA would have understood that this means that the remote devices would send L2TP packets to the internal applications and, as a result, some of the packets identified as internally-destined would be those L2TP packets. Further, a POSITA would have understood that the L2TP protocol was proposed in 1999 as RFC2661 to extend the Point-to-Point (PPP) protocol, which defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links. IETF RFC 2661 at § 1.0 “Introduction.” L2TP messages are layer 2 messages and divided into control messages and data messages. Id. at § 3.0 “Protocol Overview.” PPP frames are carried in the data messages, and both control messages and data messages are carried in a Packet Transport, such as a User Datagram Protocol (UDP) packet. Id. Thus, a POSITA would have understood that some of the packets identified as internally-destined packets would be UDP packets carrying L2TP control messages (that is, would have been layer 2 control packets).

In addition, Amara discloses that the device 200 may be a router that runs on a “[p]acket-switched network, such as the Internet.” Id. at 1:9-11; 1:13; 4:16-17. A POSITA would have understood that routers must send routing protocol control packets to neighboring routers in order to share
