`Trials@uspto.gov
`Entered: October 7, 2019
`Tel: 571-272-7822
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`
`APPLE INC.,
`Petitioner,
`v.
`MPH TECHNOLOGIES OY,
`Patent Owner.
`
`
`
`Case IPR2019-00821
`Patent 8,037,302 B2
`__________________________
`
`Before SALLY C. MEDLEY, KAMRAN JIVANI, and
`JOHN D. HAMANN, Administrative Patent Judges.
`HAMANN, Administrative Patent Judge.
`
`
`
`
`DECISION
`Granting Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`I. INTRODUCTION
`Apple Inc. (“Petitioner”) filed a Petition (Paper 1, “Pet.”) requesting
`an inter partes review of claims 1–16 of U.S. Patent No. 8,037,302 B2 (Ex.
`1001, “the ’302 patent”) pursuant to 35 U.S.C. § 311. MPH Technologies
`Oy (“Patent Owner”) filed a Patent Owner Preliminary Response (Paper 8,
`“Prelim. Resp.”).
`We have authority to determine whether to institute an inter partes
`review under 35 U.S.C. § 314 and 37 C.F.R. § 42.4(a). An inter partes
`review may be instituted if “the information presented in the petition filed
`under section 311 and any response filed under section 313 shows that there
`is a reasonable likelihood that the petitioner would prevail with respect to at
`least 1 of the claims challenged in the petition.” 35 U.S.C. § 314(a). On
`April 24, 2018, the Supreme Court held that a decision to institute under
`35 U.S.C. § 314 may not institute on fewer than all claims challenged in the
`Petition. SAS Inst., Inc. v. Iancu, 138 S. Ct. 1348, 1359–60 (2018).
`Upon consideration of the Petition and the Preliminary Response, we
`determine that the information presented shows there is a reasonable
`likelihood that Petitioner would prevail in establishing the unpatentability of
`at least one challenged claim of the ’302 patent. Accordingly, we institute
`inter partes review on all of the challenged claims based on all of the
`grounds identified in the Petition.
`
`A. Related Matter
`The parties identify MPH Techs. Oy v. Apple Inc., Case No. 4:18-cv-
`05935-PJH, in the U.S. District Court for the Northern District of California,
`as a matter that may affect or would be affected by a decision in this
`proceeding. Pet. 2; Paper 7, 1.
`
`B. The Challenged Patent (Ex. 1001)
`The ’302 patent relates to providing “secure connections in
`telecommunication networks” more efficiently. Ex. 1001, 1:13–14, 4:55–63,
`7:3–5. In particular, the ’302 patent relates to reducing the handover latency
`for secure connections, such as those employing Internet Protocol (“IP”)
`Security (“IPSec”) with mobile terminals1 (i.e., terminals that can move
`from one network to another). Id. at 4:55–63, 7:3–5, 7:39–41.
`According to the ’302 patent, IPSec comprises a set of rules for
`“provid[ing] the capability to secure communications” between hosts. Id. at
`1:38–39. These rules describe, inter alia, the concept of a Security
`Association (“SA”), which the ’302 patent describes as “a one-way
`relationship between a sender and a receiver that offers [negotiated IPSec]
`security services to the traffic carried on it.” Id. at 1:62–65. SAs are
`identified, in part, by the IP addresses of the hosts. E.g., id. at 2:14–16. The
`’302 patent discloses that when a new SA is formed, “it is registered for
`immediate and/or later use” in a Security Association Database (“SAD”),
`“which is the nominal place to store IPSec SAs in the IPSec model.” Id. at
`7:45–53. Each host participating in the forming of the SA maintains a copy
`of the SAD, according to the ’302 patent. Id. at 7:47–48.
`In addition, the ’302 patent discloses that IPSec is intended to work
`with static network topologies. Id. at 3:19–22. For example, IPSec can
`secure communications between static hosts across a local area network
`(“LAN”), as well as across a private or public wide area network (“WAN”).
`
`
`1 The ’302 patent discloses that “the term[s] mobility and mobile terminal
`do[] not only mean physical mobility, . . . [but also] mean[] moving from
`one network to another, which can be performed by a physically fixed
`terminal as well.” Ex. 1001, 3:51–55.
`
`Id. at 1:38–40. IPSec, however, “does not work well with mobile”
`terminals, according to the ’302 patent, because when “a mobile terminal
`moves from one network to another [and changes addresses], an IPSec
`connection set up is required,” which typically “is expensive in terms of
`latency,” requiring “several seconds to complete.” Id. at 4:52–60.
`
`To address this problem, the ’302 patent discloses avoiding the need,
`if possible, to set up an IPSec connection when the mobile terminal moves
`networks by relying on a SA that is already established. E.g., id. at 10:39–
`43, 10:51–56. Figure 2, shown below, is a “signalling diagram,” which
`describes the invention of the ’302 patent. Id. at 9:5–6.
`
`
`Figure 2 “describes an example of the method of the invention for
`sending messages when a mobile terminal moves to a new address.” Id. at
`10:9–11. We focus on steps 1 and 5 between the mobile terminal and home
`server, because these are the illustrated steps relevant to our analysis below.
`
`First, a SA is established between a first address of the mobile
`terminal and the address of the home server. Id. at 10:12–16. This SA is
`used to send a message from the mobile terminal to the home server, as
`illustrated in step 1. Id. at 10:21–25. Subsequently, the mobile terminal
`moves to a new network and obtains a new address from the new network.
`Id. at 10:39–40. “The mobile terminal then checks whether an SA
`. . . already exists between the new . . . address and the home server address.
`This check is normally done by inspecting the contents of” a SAD, “as
`specified by the IPSec protocol.” Id. at 10:40–46.
`
`If a SA between the mobile terminal’s new address and the home
`server’s address “already exists, this SA is registered to be the actual SA to
`be used.” Id. at 10:51–56. Put differently, the SA is registered as an active
`connection (i.e., “a stored mobility binding that maps a given terminal
`address to one or more” SAs to determine to what address to forward
`packets). E.g., id. at 8:13–14, 10:12–27. “This happens by means of a
`signalling message . . . done between the mobile terminal and the home
`server, described by step[] 5 . . . .” Id. at 10:56–59; see also id. at 7:59–63
`(describing sending a Registration Request signalling message to register the
`actual connection to use). Alternatively, the ’302 patent discloses that in
`lieu of a Registration Request, properly authenticated traffic from a new
`address can be used “as an implicit registration request, and a mobility
`binding update [can be] performed automatically.” Id. at 11:31–33. “When
`a[] . . . SA does not exist between the [mobile terminal’s] new . . . address
`and the home server[’s] address, . . . a[] . . . SA setup” occurs instead. Id. at
`10:66–67.
`
`C. The Challenged Claims
`Petitioner challenges claims 1–16 of the ’302 patent, of which claim 1
`is the sole independent claim. Claim 1 is illustrative of the challenged
`claims and is reproduced below:
`1. A method for ensuring secure forwarding of a message in
`a telecommunication network, comprising:
`
`providing a first terminal from which the message is sent
`and a second terminal to which the message is sent,
`
`a) establishing a first secure connection as being an active
`connection and extending between a first network address of the
`first terminal and an original network address of the second
`terminal, establishing a second secure connection extending
`between a second network address of the first terminal and the
`original network address of the second terminal,
`
`b) the first terminal changing from the first network
`address to the second network address, the first terminal
`checking whether the second secure connection
`already exists, and
`
`c) when the second secure connection already exists, the
`second terminal registering the already established second secure
`connection as being the active connection without having to
`reestablish the second secure connection.
`Ex. 1001, 12:15–34.
`
`
`
`D. Asserted Grounds of Unpatentability
`Petitioner asserts the following grounds of unpatentability:
`
`References                          Basis2      Challenged Claims
`1. Ahonen3 and Ishiyama4            § 103(a)    1–13 and 16
`2. Ahonen, Ishiyama, and Gupta5     § 103(a)    14 and 15
`
`Pet. 3–4, 17–53. Petitioner submits the Declaration of David Goldschlag,
`Ph.D. (Ex. 1003) in support of its arguments.
`
`
`2 The Leahy-Smith America Invents Act (“AIA”) included revisions to 35
`U.S.C. § 103 that became effective on March 16, 2013. Because the ’302
`patent issued from an application filed before March 16, 2013, we apply the
`pre-AIA version of the statutory basis for unpatentability.
`3 Int’l Pub. No. WO 01/54379 A1 (published July 26, 2001) (Ex. 1004).
`4 U.S. Patent No. 6,904,466 B1 (issued June 7, 2005) (Ex. 1005).
`
`II. LEVEL OF ORDINARY SKILL IN THE ART
`To determine whether an invention would have been obvious at the
`time it was made, we consider the level of ordinary skill in the pertinent art
`at the time of the invention. Graham v. John Deere Co., 383 U.S. 1,
`17 (1966). In assessing the level of ordinary skill in the art, various factors
`may be considered, including the “type of problems encountered in the art;
`prior art solutions to those problems; rapidity with which innovations are
`made; sophistication of the technology; and educational level of active
`workers in the field.” In re GPAC, Inc., 57 F.3d 1573, 1579 (Fed. Cir. 1995)
`(quoting Custom Accessories, Inc. v. Jeffrey-Allan Indus., Inc., 807 F.2d
`955, 962 (Fed. Cir. 1986)). “[O]ne or more factors may predominate.” Id.
`Petitioner argues that one of ordinary skill in the art at the time of the
`invention of the ’302 patent would have had “a B.S. degree in Computer
`Science, Electrical Engineering, or an equivalent field, as well as at least 3–5
`years of academic or industry experience in network security, or comparable
`industry experience.” Pet. 14 (citing Ex. 1003 ¶ 22).
`Patent Owner does not identify a level of skill one would have had at
`the time of the invention of the ’302 patent. For purposes of this Decision
`
`
`5 Vipul Gupta et al., Complete Computing, WWCA ’98 PROC. 2D INT’L
`CONF. ON WORLDWIDE COMPUTING AND ITS APPLICATIONS (Mar. 4–5, 1998)
`(Ex. 1006).
`
`on Institution, and based on the current record, we adopt Petitioner’s
`assessment of the level of skill in the art because it is consistent with the
`’302 patent and the asserted prior art, and we apply it in our obviousness
`evaluation below.
`
`III. CLAIM CONSTRUCTION
`Because the Petition was filed after November 13, 2018, we construe
`the challenged claims by applying “the standard used in federal courts, in
`other words, the claim construction standard that would be used to construe
`the claim in a civil action under 35 U.S.C. [§] 282(b), which is articulated in
`Phillips [v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc)].”6 Under
`Phillips, the words of a claim are generally given their “ordinary and
`customary meaning,” which is the meaning they would have to a person of
`ordinary skill in the art at the time of the invention, in light of the
`specification and prosecution history. See Phillips, 415 F.3d at 1312–13.
`The parties identify for construction, inter alia, claim 1’s step of
`“establishing a second secure connection.” Pet. 15–16; Prelim. Resp. 8–12.
`Patent Owner also identifies for construction whether claim 1 requires its
`steps to be performed in their recited order. Prelim. Resp. 13–18.
`
`A. Establishing Second Secure Connection
`Petitioner argues that establishing a second secure connection means
`“establishing one or more second security associations.” Pet. 15 (citing
`Ex. 1003 ¶¶ 40–43). In other words, Petitioner construes “secure
`connection” to mean “one or more . . . security associations.” Id. Petitioner
`
`
`6 Changes to the Claim Construction Standard for Interpreting Claims in
`Trial Proceedings Before the Patent Trial and Appeal Board, 83 Fed. Reg.
`51,340, 51,343–44 (Oct. 11, 2018) (to be codified at 37 CFR pt. 42).
`
`argues that its proposed construction “is consistent with both the claims and
`the [’302 patent’s S]pecification.” Id. For example, Petitioner argues that
`because claim 3 depends from claim 1 and recites “establishing the first
`secure connection by using IPSec protocols,” claim 1 must be broad enough
`to include claim 3. Id. (citations omitted).
`
`Petitioner also argues that the ’302 patent’s Specification discloses
`that “[t]he secure connections are preferably established by forming
`. . . SAs[] using the IPSec protocols.” Id. at 16 (quoting Ex. 1001, 7:39–41).
`In addition, the ’302 patent’s Specification “repeatedly uses the terms
`‘security association’ and ‘secure connection’ interchangeably,” according
`to Petitioner. Id. (citing Ex. 1001, 2:1–2, 7:54–55).
`
`Patent Owner argues that Petitioner “improperly limit[s] the claimed
`‘secure connection’ to IPSec protocols of the preferred embodiment by
`importing the terms ‘security associations’ when claim 1 is not so limited.”
`Prelim. Resp. 12 n.3. Patent Owner also argues that Petitioner fails to
`provide a proposed construction for “establishing.” Id. at 8–9. Patent
`Owner argues that establishing a second secure connection means “forming
`a new . . . [second] secure connection.” Id. at 12. In other words, Patent
`Owner construes “establishing” to mean “forming a new,” in this context.
`Id. Patent Owner argues that the ’302 patent’s Specification and prosecution
`history support its construction for “establishing.” Id. at 10–11 (citing
`Ex. 1001, 7:41–48; Ex. 1002, 348, 352–53, 375).
`
`For our purposes on institution, we need not decide whether a “secure
`connection” should be limited to one or more SAs. Rather, it is sufficient
`that the parties do not dispute that a secure connection covers one or more
`SAs. E.g., Pet. 15; Prelim. Resp. 10; see also Nidec Motor Corp. v.
`Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir. 2017)
`(quoting Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803
`(Fed. Cir. 1999)) (“[W]e need only construe terms ‘that are in controversy,
`and only to the extent necessary to resolve the controversy.’”). Likewise, we
`need not construe “establishing,” as the manner in which Petitioner relies on
`the prior art is consistent with Patent Owner’s proposed construction of
`“forming a new.”7 See Section V(C)(2), infra.
`
`Accordingly, we determine that no express construction of this term is
`needed at this time. See, e.g., Nidec, 868 F.3d at 1017.
`
`B. Steps in Recited Order
`Patent Owner argues that claim 1 should be construed to require that
`steps a), b), and c) be performed in the order they are recited. Prelim. Resp.
`13–17. As we discuss below, however, the manner in which Petitioner relies
`on the prior art shows claim 1’s steps a), b), and c) being performed in their
`recited order. See Section V(C)(2), infra. Thus, we need not determine
`whether claim 1 requires these steps to be performed in their recited order,
`as this is not in controversy. See, e.g., Nidec, 868 F.3d at 1017.
`
`
`7 We question whether Patent Owner’s proposed construction (i.e., “forming
`a new”) differs substantively from the plain meaning of “establishing” in the
`context of the disputed term. We also note that claim 1 recites “establishing
`a first secure connection as being an active connection” and “establishing a
`second secure connection.” Compare Ex. 1001, 12:19–20 (emphasis added),
`with id. at 12:22–23. The parties do not address how, if at all, “as being an
`active connection” modifies the plain meaning of “establishing” in the
`context of the entire limitation. Regardless, our Decision on Institution does
`not turn on these issues, and thus, we do not reach them.
`
`IV. PRINCIPLES OF LAW
`A claim is unpatentable under 35 U.S.C. § 103(a) if the differences
`between the claimed subject matter and the prior art are such that the subject
`matter, as a whole, would have been obvious at the time of the invention to a
`person having ordinary skill in the art. KSR Int’l Co. v. Teleflex, Inc., 550
`U.S. 398, 406 (2007). The question of obviousness is resolved on the basis
`of underlying factual determinations, including: (1) the scope and content of
`the prior art; (2) any differences between the claimed subject matter and the
`prior art; (3) the level of ordinary skill in the art; and (4) objective evidence
`of non-obviousness, if present.8 See Graham, 383 U.S. at 17–18. When
`evaluating a claim for obviousness, we also must “determine whether there
`was an apparent reason to combine the known elements in the fashion
`claimed by the patent at issue.” KSR, 550 U.S. at 418 (citing In re Kahn,
`441 F.3d 977, 988 (Fed. Cir. 2006)).
`
`V. ALLEGED OBVIOUSNESS OVER AHONEN AND ISHIYAMA
`Petitioner argues that the combination of Ahonen and Ishiyama
`renders claims 1–13 and 16 of the ’302 patent obvious under 35 U.S.C.
`§ 103(a). Pet. 17–50. Below we discuss independent claim 1, as Patent
`Owner’s Preliminary Response does not address separately any of the other
`challenged claims for this asserted ground. For the reasons that follow, we
`determine that Petitioner establishes a reasonable likelihood that it would
`prevail in showing that claim 1 would have been obvious to one of ordinary
`skill in the art in view of Ahonen and Ishiyama.
`
`
`8 Patent Owner does not present arguments or evidence of such objective
`evidence of non-obviousness. See generally Prelim. Resp.
`
`A. Summary of Ahonen
`Ahonen relates to a virtual private network (“VPN”) “in which a
`mobile terminal establishes a secure connection with a correspondent host
`located in an intranet, via a [s]ecurity [g]ateway” (also known as a firewall).
`Ex. 1004, 3:5–7. Figure 1,9 shown below, illustrates this network topology,
`in accordance with Ahonen’s invention. Id. at 7:1–2.
`
`
`Figure 1 illustrates mobile host 1 connected to correspondent host 4
`via access network 6, Internet 2, firewall 3, and intranet 5. Id. at 7:23–27.
`As annotated by the dotted line, a secure connection is established between
`mobile host 1 and correspondent host 4 over this path. Id. at 7:28–31.
`Thereafter, mobile host 1 sends firewall 3 an authentication certificate,
`which contains, inter alia, the identity of the SA to use for subsequent
`communication between mobile host 1 and correspondent host 4. E.g., id. at
`Abstract. Mobile host 1 can then send data packets to correspondent host 4
`using the identified SA, via firewall 3. Id. However, firewall 3 only
`
`9 Shown as annotated by Petitioner. Pet. 19.
`
`forwards the data packets to correspondent host 4 if they are authenticated
`by firewall 3. Id.
`
`Ahonen discloses that IPSec can be used to create the secure
`connection between mobile host 1 and correspondent host 4. Id. at 3:19–20.
`“In the IP[S]ec model[, however,] the end points of the secure connection are
`identified by their IP addresses.” Id. at 3:21–22. “Whilst this may be
`satisfactory for users having a fixed connection, [according to Ahonen,] it
`. . . present[s] problems for the mobile user . . . who wishes to roam
`[because] . . . the IP address allocated to the roaming mobile user is likely to
`change” as the user moves between networks. Id. at 3:22–26. According to
`Ahonen, when an IP address changes, it is difficult to reuse the pre-existing
`SAs, and the communicating parties may need to establish new SAs using
`the new IP address. Id. at 3:26–29. “This will result in increased signalling
`traffic and will degrade the performance of the VPN . . . .” Id. at 3:30–31.
`
`To address this problem, Ahonen’s invention discloses “reduc[ing] the
`amount of security related messaging during on-the-fly IP address changes,
`as the SAs needed to provide for secure communication between the mobile
`host and the correspondent host pre-exist.” Id. at 4:30–32. More
`specifically, Ahonen discloses negotiating one or more IPSec SAs between
`mobile host 1 and correspondent host 4 in preparation for providing future
`secure connections more efficiently when mobile host 1 roams. E.g., id. at
`5:31–6:1, 8:2–5, 8:28–9:2, 15:1–3. Ahonen discloses that the “[d]etails of
`the negotiated SAs are held at . . . firewall [3] in a Security Association
`Database (SAD)” on “the external side interface,” so that mobile host 3 can
`use the pre-existing SAs when roaming. Id. at 15:4–9.
`
`More specifically, Ahonen discloses that when mobile host 1 roams, it
`can “remotely ‘activate’ [the] pre-existing secure connections to
`. . . correspondent host 4.” Id. at 16:16–19. In particular, Ahonen discloses,
`to activate a pre-existing connection, mobile host 1 sends to firewall 3 an
`authorization certificate, which includes: (i) “the (New) Source and
`Destination IP addresses (if changed),”10 (ii) the cookies used to negotiate
`the SAs between mobile host 1 and correspondent host 4, (iii) the IPSec
`protocol ID, and (iv) the Security Parameter Index (“SPI”) of the SA. Id. at
`17:1–11. Firewall 3 searches its Remote Control DataBase (“RCDB”) for
`records matching the authorization certificate’s cookies, IPSec protocol ID,
`and SPI. Id. at 17:19–25. If a match is found, firewall 3 sends an
`acknowledgement back to mobile host 1. Id. at 18:3–4. In addition, Ahonen
`discloses that if the source IP address was changed, firewall 3 also will
`“forward the new Source and Destination IP addresses to the correspondent
`host 4.” Id. at 18:7–8. Ahonen discloses that correspondent host 4 then
`modifies “its SAD database to correctly reflect the change of the mobile
`host’s IP address to the new valid one.” Id. at 18:10–12.
`
`B. Summary of Ishiyama
`Ishiyama relates to improving a mobile computer’s “capab[ility] of
`carrying out communications while moving among a plurality of inter-
`connected networks.” Ex. 1005, 1:9–11. In furtherance of this mobility,
`Ishiyama discloses having the mobile computer send a notification to its
`
`
`10 Ahonen discloses that “mobile host 1 might be required to use a new IP
`address when communicating via” the visited access network. Ex. 1004,
`16:22–24.
`
`correspondent host when the mobile computer moves networks and gets a
`new address. E.g., id. at 3:63–67, 6:13–18, 15:37–16:10.
`
`According to one aspect of Ishiyama’s invention for an IPSec
`embodiment, Ishiyama discloses that when transmitting a packet, the mobile
`computer’s IPSec module “first searches through a security policy database”
`(“SPD”), using appropriate elements such as the source/destination address
`of a packet, to select a security policy, which identifies a SA to use to
`transmit the packet. Id. at 8:9–11, 9:50–54, 10:1–13.
`
`C. Challenged Claim 1
`Petitioner relies on Ahonen for teaching claim 1’s limitations, except
`for “the first terminal checking whether the second secure connection
`already exists,” for which Petitioner also relies on Ishiyama. Pet. 27–38.
`For the reasons that follow, we determine, based on the current record, that
`the combination of Ahonen and Ishiyama renders claim 1 of the ’302 patent
`obvious.
`
`1. Undisputed Limitations
`a. Method for Ensuring Secure Forwarding
`Petitioner argues that Ahonen discloses “[a] method for ensuring
`secure forwarding of a message in a telecommunication network,” as recited
`in claim 1’s preamble. Id. at 27–29. More specifically, Petitioner argues
`that Ahonen discloses allowing a mobile host to communicate (e.g.,
`forwarding messages) securely with a correspondent host over a VPN, via a
`gateway (i.e., a telecommunication network). Id. (citing Ex. 1004, Abstract,
`4:7–16, 7:23–31, 8:2–5, Fig. 1; Ex. 1003 ¶ 64).
`
`b. Providing First and Second Terminals
`Petitioner argues that Ahonen discloses “providing a first terminal
`from which the message is sent and a second terminal to which the message
`is sent,” as recited in claim 1. Id. at 29–30. More specifically, Petitioner
`argues that Ahonen’s “mobile user 1 is a first terminal and correspondent
`host [4] is a second terminal,” for which one or more SAs are negotiated for
`communications there between. Id. at 29 (citing Ex. 1004, Abstract); see
`also id. at 29–30 (citing Ex. 1004, 5:31–6:1; Ex. 1003 ¶ 60) (arguing that
`Ahonen discloses that mobile host 1 and correspondent host 4 can send
`encrypted messages to one another).
`
`c. Establishing a First Secure Connection
`Petitioner argues that Ahonen discloses “establishing a first secure
`connection as being an active connection and extending between a first
`network address of the first terminal and an original network address of the
`second terminal,” as recited in claim 1. Id. at 30–32. More specifically,
`Petitioner argues that Ahonen discloses establishing multiple secure
`connections (i.e., IPSec SAs) between mobile host 1 (i.e., the first terminal)
`and correspondent host 4 (i.e., the second terminal) “during a ‘preparations’
`phase.” Id. at 30 (citing Ex. 1004, 8:28–30, 8:32–9:2, 15:1–3). Petitioner
`argues that each secure connection extends between an IP address of mobile
`host 1 and correspondent host 4’s IP address, as endpoints of IPSec tunnels.
`Id. at 31 (citing Ex. 1004, 3:19–23, 17:1–13; Ex. 1003 ¶ 72). Petitioner
`argues that Ahonen discloses that at least one of these established secure
`connections can be marked as active via Ahonen’s remote control function.
`Id. (citing Ex. 1004, 16:16–17, 17:20–22).
`
`d. First Terminal Changing Addresses
`Petitioner argues that Ahonen discloses “the first terminal changing
`from the first network address to the second network address,” as recited in
`claim 1. Id. at 34. More specifically, Petitioner argues that Ahonen
`discloses that mobile host 1 roams between networks and changes IP
`addresses. Id. (citing Ex. 1004, 3:19–26, 14:17–19, 16:17–23).
`
`e. When the Second Secure Connection Already Exists11
`Petitioner argues that Ahonen discloses “when the second secure
`connection already exists, the second terminal registering the already
`established second secure connection as being the active connection without
`having to reestablish the second secure connection,” as recited in claim 1.
`Id. at 37–38. More specifically, Petitioner argues that Ahonen discloses that
`mobile host 1 sends to firewall 3 an authorization certificate containing SA
`identifying information and IP addresses. Id. at 37 (citing Ex. 1004, 15:1,
`17:19–25). According to Petitioner, if the source IP address was changed,
`firewall 3 will also forward the new Source and Destination IP addresses to
`correspondent host 4. Id. (citing Ex. 1004, 18:7–15). Petitioner argues that
`correspondent host 4 then modifies “its SAD database to correctly reflect
`the change of the mobile host’s IP address to the new valid one.” Id. at
`37–38 (citing Ex. 1004, 18:7–10; Ex. 1003 ¶ 89). Thereby, correspondent
`host 4 registers this SA connection as “active,” without having to reestablish
`the connection, according to Petitioner. Id. at 38.
`
`11 The parties should consider whether our precedential decision regarding
`conditional steps is relevant to this limitation of claim 1. See Ex parte
`Schulhauser, No. 2013-007847, 2016 WL 6277792, at *4 (PTAB Apr. 28,
`2016) (precedential). We do not reach this issue because, based on the
`current record we find that Ahonen discloses this limitation.
`
`f. Our Analysis
`After reviewing Petitioner’s arguments and information regarding the
`limitations identified above, including Dr. Goldschlag’s Declaration, which
`are not addressed by Patent Owner at this stage of the proceeding (see
`generally Prelim. Resp.), we are persuaded that Petitioner demonstrates, for
`purposes of this Decision on Institution, that Ahonen discloses the above
`identified undisputed limitations.
`
`2. Establishing a Second Secure Connection
`a. Petitioner’s Arguments
`Petitioner argues that Ahonen discloses “establishing a second secure
`connection extending between a second network address of the first terminal
`and the original network address of the second terminal,” as recited in claim
`1. Pet. 32–33. More specifically, Petitioner argues that “Ahonen explains
`that one of the challenges with IPSec and mobile users is that their IP
`addresses change as they roam networks.” Id. at 32 (citing Ex. 1004, 3:24–
`29; Ex. 1003 ¶ 76). To address this problem, Ahonen discloses “creat[ing]
`multiple pre-existing security associations (i.e., a secure connection) for
`each network a mobile hosts visits,” according to Petitioner. Id. at 32 (citing
`Ex. 1004, 4:30–32). In other words, Petitioner argues Ahonen’s invention
`“reduce[s] the amount of security related messaging during on-the-fly IP
`address changes, as the SAs needed to provide for secure communication
`between the mobile host and the correspondent host pre-exist.” Id. at
`32–33 (quoting Ex. 1004, 4:30–32).
`“These pre-existing SAs are then activated based on the network the
`mobile host is visiting using a remote control function,” according to
`Petitioner. Id. at 33 (citing Ex. 1004, 16:16–17). Petitioner argues that
`Ahonen “recognizes that in this new network the secure connection is from
`the mobile host’s second network address.” Id. (citing Ex. 1004, 16:22–25).
`“[I]n such a case, the correspondent host then ‘modif[ies] its SAD database
`to correctly reflect the change of the mobile host’s IP address to the new
`valid one,’” according to Petitioner. Id. (citing Ex. 1004, 18:10–12). In
`addition, Petitioner argues that “because the mobile host might travel back to
`the previous network, not ‘all SAs that are associated between the mobile
`host 1 and the correspondent host 4 need to be modified in the SAD,’”
`according to Petitioner. Id. (citing Ex. 1004, 18:13–15).
`
`b. Patent Owner’s Arguments
`Patent Owner argues that Ahonen fails to disclose establishing a
`second secure connection. Prelim. Resp. 19–26. More specifically, Patent
`Owner argues that Ahonen instead discloses a “remote control function” that
`“modifies a pre-existing connection (e.g., SA) with the new address after the
`first terminal moves.” Id. at 21; id. (citing Ex. 1004, 16:16–19). In other
`words, Patent Owner argues that Ahonen’s pre-existing secure connections
`are not established “from different addresses of the first terminal in the first
`instance.” Id. at 23. Rather, each of Ahonen’s pre-existing SAs “uses the
`same original source address of the mobile terminal,” according to Patent
`Owner. Id. (citing Ex. 1004, 15:15–17). For this reason, Patent Owner
`argues Ahonen “‘modif[ies] its SAD database’ after the first terminal moves
`to a new address in order to establish the second secure connection.” Id. at
`22–23.
`
`In addition, Patent Owner argues that for this limitation, Petitioner
`“never relies on any alleged creation of secure connections in Ahonen’s
`‘preparations function stage,’ but only after that stage.” Id. at 21 n.5. In
`other words, Petitioner here “relies on Ahonen’s ‘activat[ion]’ of ‘pre-
`existing SAs,’” according to Patent Owner. Id. at 22 (citing Pet. 35).
`
`Lastly,12 Patent Owner argues that under Petitioner’s “mapping of
`Ahonen to the claims, Ahonen’s alleged ‘establishing a second secure
`connection extending between a second