`U.S. Patent App. Pub. No. 2007/0079307 (“Dhawan”)
`
`Microsoft contends that the asserted claims of the ’209 Patent are invalid as obvious by U.S. Patent Application Publication No.
`2007/0079307 (“Dhawan”) prior art reference under various subsections of 35 U.S.C. § 102 in view of other prior art references under
`35 U.S.C. § 103 as set forth in Microsoft’s invalidity contentions.
`
`As Dhawan was filed on September 30, 2005, and published by the U.S. Patent and Trademark Office by no later than April 5, 2007,
`Microsoft contends that it is prior art to the ’209 Patent under at least pre-AIA 35 U.S.C. § 102(e).
`
`Patent No. 8,381,209
`Claim 1
`1[Pre] A computer implemented method of controlling network security of a virtual machine,
`
`Dhawan
`
`To the extent the preamble is limiting, Dhawan discloses a computer implemented method of
`controlling network security of a virtual machine. Specifically, Dhawan discloses a method for the
`secure transfer of data by carrier virtual machines between participating physical hosts through a
`virtual network (VNET) implemented on one or more internal and/or external networks. For example,
`Dhawan states:
`
`“A system and method is disclosed for the secure transfer of data by carrier virtual machines between
`participating physical hosts through a virtual network (VNET) implemented on one or more internal
`and/or external networks.” Dhawan at Abstract.
`
`“In accordance with the present invention, a system and method is disclosed for virtual machines
`implemented as carriers of a payload that may include applications, data, another virtual machine etc.
`In various embodiments of the invention, virtual machines carrying the payload can be routed between
`physical hosts, based on set policies providing a secure, manageable and highly flexible environment
`for data and process management. Those of skill in the art will realize that many variations and
`implementations of such embodiments are possible.” Dhawan at [0017].
`
`“When coupled with encryption, the system and method of the invention described in more detail
`hereinbelow can provide a secure environment for data/application management among multiple
`physical hosts. Data to be transported is first encrypted and then encapsulated by a carrier virtual
`machine at each stage of the migration process among the physical hosts involved. To implement
`various embodiments of the invention requires an infrastructure, such as that provided by VMware or
`the Xen open source environment, to create and manage virtual machines.” Dhawan at [0018].
`
`IPR2021-00832
`
`Daedalus EX2007
`Page 1 of 13
`
`To the extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have
`been at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`EXHIBIT D-1
`U.S. Patent App. Pub. No. 2007/0079307 (“Dhawan”)
`
`1[a] the method comprising enforcing network security and routing at a hypervisor layer via dynamic
`updating of routing controls initiated by a migration of said virtual machine from a first device to a
`second device.
`
`Dhawan
`
`Dhawan discloses enforcing network security and routing at a hypervisor layer via dynamic updating
`of routing controls initiated by a migration of said virtual machine from a first device to a second
`device. Specifically, Dhawan teaches migration of a virtual machine from a first device to a second
`device; the virtual machine migration causes the routing controls to update continuously with each
`migration that occurs. For example, Dhawan states:
`
`“A VNET is typically established at layer 2 of the OSI network model. Through the use of layer 2
`tunneling and by translating between physical and virtual network addresses, a VNET can create the
`illusion of a local area network, even when physical network resources are spread over a wide area.
`Since a VNET is established at layer 2, a virtual machine can be migrated from site to site without
`changing its presence, as it keeps the same media access control (MAC) and IP addresses, network
`routes, etc. Furthermore, since VNETs are decoupled from the underlying network topology, they are
`able to maintain network connectivity during virtual machine migration.” Dhawan at [0014].
`
`“In accordance with the present invention, a system and method is disclosed for virtual machines
`implemented as carriers of a payload that may include applications, data, another virtual machine etc.
`In various embodiments of the invention, virtual machines carrying the payload can be routed between
`physical hosts, based on set policies providing a secure, manageable and highly flexible environment
`for data and process management. Those of skill in the art will realize that many variations and
`implementations of such embodiments are possible.” Dhawan at [0017].
`
`“The carrier virtual machine is then migrated to the next participating physical host. Using the policy
`based Autorun Engine; necessary actions can be taken at each host. Examples may include transferring
`of data to the physical host or to a virtual machine in the physical host through a virtual network, to
`any other physical or virtual machine, a payload application gathering data or performing some
`maintenance on the physical or virtual machine, destroy itself if VM is on an unidentifiable host,
`change network interface properties like set new MAC address etc. In an embodiment of the invention,
`payload is transferred to a next carrier virtual machine through a virtual network implemented between
`the originating carrier VM and a carrier VM established on the participating physical host next to
`initiator in the migration path.” Dhawan at [0020].
`
`“In this embodiment of the invention, carrier virtual machine 426 is migrated from participating
`physical host 302 using a multi-layer communications protocol stack as described in more detail
`herein, through network 128 to router 306. Router 306 receives IP packets through network access port
`‘1’ 308, examines the destination IP address contained in IP datagrams generated by IP layer 318, and
`routes IP packets through network access port ‘2’ 310 to the designated destination IP address. In this
`same embodiment, participating physical host ‘2’ 304 receives incoming IP packets through its
`associated multi-layer communications protocol stack to implement virtual machine 438, comprising,
`but not limited to virtual machine autorun scripts 428, and payload 429 that includes operating systems
`430, other virtual machines 432, applications 434, and data 436. Once carrier virtual machine 426 has
`completed migration to participating physical host ‘2’ 304 as virtual machine 438, carrier virtual
`machine 426 on participating physical host ‘1’ 302 can be destroyed (if required by security policies).”
`Dhawan at [0043].
`
`“In an embodiment of the invention, predetermined routing table 506 manages originating and
`terminating network addresses. In an embodiment of the invention, predetermined routing table 506
`can translate between physical network addresses and virtual network addresses as typically
`implemented in a virtual network (VNET) whether the VNET is implemented on a Local Area
`Network (LAN), a Wide Area Network (WAN) such as the Internet or a corporate intranet, or a
`combination of public and/or private network technologies and protocols. In an embodiment of the
`invention, predetermined routing table 506 may also include routing, event tree, and security
`information regarding individual physical or virtual network hops between two endpoints.” Dhawan at
`[0048].
`
`“Skilled practitioners of the art will be aware that a VNET is typically established at layer 2 of the OSI
`network model. Through the use of layer 2 tunneling and by translating between physical and virtual
`network addresses, a VNET can create the illusion of a local area network, even when physical
`network resources are spread over a wide area. Since a VNET is established at layer 2, a virtual
`machine can be migrated from site to site without changing its presence, as it keeps the same media
`
`access control (MAC) and IP addresses, network routes, etc. Furthermore, since VNETs are decoupled
`from the underlying network topology, they are able to maintain network connectivity in its original
`form during/after virtual machine migration.” Dhawan at [0072].
`
`To the extent Dhawan does not disclose dynamically updating the routing control, it would have at
`least been obvious to combine Dhawan with prior art disclosing this as demonstrated in Microsoft’s
`Invalidity Contentions Cover Pleading.
`
`Patent No. 8,381,209
`Claim 2
`2[a] The method according to claim 1, further comprising: routing traffic for the virtual machine to the
`second device at the hypervisor layer; and
`
`Dhawan
`
`Dhawan discloses routing traffic for the virtual machine to the second device at the hypervisor layer.
`Specifically, Dhawan discloses a hypervisor that sets the contents of an IP datagram, including the
`destination IP addresses. For example, Dhawan states:
`
`“In an embodiment of the invention, a user specifies which payload should be secured and needs to be
`sent to particular hosts. A special carrier virtual machine (VM) is created that can transfer the payload
`to its predetermined destination host(s). VM migration and/or routing tables are built in the carrier
`VM, which determine which hosts will be participating. A connection is made to the target host(s) to
`accept the request for transferring the virtual machine. The specified payload is (or can be encrypted
`and then) encapsulated in a carrier VM. Typically, a “time-to-live” attribute is also set for VM. If the
`VM fails to migrate to its next hop/does not completed intended task at the host in the specified time, it
`can notify the sender then destroy itself and hence the payload it contains, send a request to the
`originating host for a time-to-live extension if network is congested, request a reroute due to high
`traffic on a predetermined route or access policies etc, or other predetermined actions.” Dhawan at
`[0019].
`
`“In the present invention, a virtual machine monitor 116 sets the contents of IP datagram header fields,
`including but not limited to, service type 208, time to live 218 and destination IP address 226. In an
`implementation of one embodiment of the invention, a participating physical host can receive a carrier
`virtual machine and set the destination IP address 226 to forward the carrier virtual machine to the
`destination IP address of the next for the next participating physical host. This process can be repeated
`to implement a flexible, yet secure, carrier virtual machine routing path over one or more networks.”
`Dhawan at [0039].
`
`To the extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have
`been at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`2[b] setting firewalls to permit a network traffic for the virtual machine to go to the second device at
`the hypervisor layer.
`
`Dhawan
`
`Dhawan discloses setting firewalls to permit a network traffic for the virtual machine to go to the
`second device at the hypervisor layer. Specifically, Dhawan discloses setting firewalls to protect
`virtual networks from exposure of sensitive data and the identity of systems involved. For example,
`Dhawan states:
`
`“One of the challenges in secure computing and network environments is hiding the identities of the
`originator and intended recipient of highly sensitive data. Hackers continue to use creative approaches
`to monitor network activity, especially in identifying high profile candidate IP/MAC addresses, and
`high value data conduits or paths within a network. Various techniques can be used against these
`malicious monitors to protect against exposure of sensitive data and the identity of systems involved,
`including firewalls, data encryption, traffic camouflaging, etc. However, these methods are not fool
`proof and they each have characteristics that can result in attendant issues.” Dhawan at [0006].
`
`“In an embodiment of the invention, virtual machine (VM) packet management 504 comprises
`parameters that may include, but are not limited to, time-to-live (TTL), security mechanisms such as
`access control lists (ACLs), usage policies, directory roles, etc. for carrier virtual machine 120, and by
`extension, application 122 and/or secure data 124, individually or in combination. For example, VM
`packet management 504 may control the flexibility of hardware and/or software access for VM
`network endpoints and/or intermediate routing hops. As another example, the VM packet management
`504 may instantiate quarantining of all VM packets, a group of packets, a single VM, subpackets
`within a VM between network endpoints, or at a predetermined intermediary network point. VM
`packet management 504 may also manage access to carrier virtual machine payloads by security
`groups, individual access, subdivided individual access, and MIME-like subdivision of a
`VM-encapsulated payload, thereby providing the ability to carry many secured payloads.” Dhawan at
`[0047].
`
`“Virtual machine monitor 116 encapsulates the software state of carrier virtual machine 120, including
`application 122 and/or secure data 124, and can map and remap carrier virtual machine 120 to
`available hardware resources as it is migrated across different physical machines. Virtual machine
`monitor 116 can provide a uniform view of underlying hardware, making different physical machines
`with different I/O subsystems appear the same. Furthermore, virtual machine monitor 116 can interact
`with routing and policy wrapper 508 to access information contained by predetermined routing table
`506 and/or VM packet management 504 to facilitate the secure transfer of data across a network
`environment.” Dhawan at [0050].
`
`To the extent that it is argued that Dhawan does not disclose this limitation, this would have at least
`been inherent because a POSITA would have understood Dhawan to teach that setting firewall settings
`facilitates filtering out, at the hypervisor layer, unwanted or unauthorized traffic transmitted to the
`migrated virtual machine at the second device. Furthermore, to the extent that it is argued that Dhawan
`does not disclose all or part of this limitation, it would have been at least obvious to combine it with
`any other reference disclosing this limitation as explained in Microsoft’s Preliminary Invalidity
`Contention Cover Pleading.
`
`
`Patent No. 8,381,209
`Claim 3
`3[a] The method according to claim 1, further comprising: copying network security and routing for
`said virtual machine to said hypervisor layer;
`
`Dhawan
`
`Dhawan discloses copying network security and routing for said virtual machine to said hypervisor
`layer. Specifically, Dhawan discloses a virtual machine that migrates from one host to another,
`copying migration tables and/or routing tables. For example, Dhawan states:
`
`“The carrier virtual machine is then migrated to the next participating physical host. Using the policy
`based Autorun Engine; necessary actions can be taken at each host. Examples may include transferring
`of data to the physical host or to a virtual machine in the physical host through a virtual network, to
`any other physical or virtual machine, a payload application gathering data or performing some
`maintenance on the physical or virtual machine, destroy itself if VM is on an unidentifiable host,
`change network interface properties like set new MAC address etc. In an embodiment of the invention,
`payload is transferred to a next carrier virtual machine through a virtual network implemented between
`the originating carrier VM and a carrier VM established on the participating physical host next to
`initiator in the migration path. Once the secure payload has been transferred to the next carrier VM, the
`virtual network, can be destroyed to provide an additional level of security. In an embodiment of the
`invention, the payload is transferred to the next carrier virtual machine through “hot cloning.” In this
`embodiment, as the carrier VM migrates from one physical host to another, a clone of the VM is
`created in the next participating physical host in the migration path. This hot cloning process may use
`copy on write (COW), which can be implemented as completion of the cloning operation before the
`next carrier virtual machine transfer is initiated, or beginning the next virtual machine carrier transfer
`before the cloning operation is complete. Once the secure data has been transferred to the next carrier
`VM, the virtual network can be destroyed to provide an additional level of security.” Dhawan at
`[0020].
`
`“In an embodiment of the invention, a user specifies which payload should be secured and needs to be
`sent to particular hosts. A special carrier virtual machine (VM) is created that can transfer the payload
`to its predetermined destination host(s). VM migration and/or routing tables are built in the carrier
`VM, which determine which hosts will be participating. A connection is made to the target host(s) to
`accept the request for transferring the virtual machine.” Dhawan at [0019].
`
`“Each carrier virtual machine 120, 520 is associated with VM packet management 504 and
`predetermined routing table 506. In an embodiment of the invention, application 122 may comprise
`one or more software programs that can execute within carrier virtual machines 120, 520.” Dhawan at
`[0051].
`
`“In an embodiment of the invention, virtual machine (VM) packet management 204 comprises
`parameters that may include, but are not limited to, time-to-live (TTL), security mechanisms such as
`access control lists (ACLs), usage policies, directory roles, etc. for each carrier virtual machine 120,
`520, and by extension, application 122 and/or secure data 124, individually or in combination. For
`example, VM packet management 504 may control the flexibility of hardware and/or software access
`for VM network endpoints and/or intermediate routing hops. As another example, the VM packet
`management 504 may instantiate quarantining of all VM packets, a group of packets, one or more
`VMs, subpackets within a VM between network endpoints, or at a predetermined intermediary
`network point. VM packet management 504 may also manage access to carrier virtual machine
`payloads by security groups, individual access, subdivided individual access, and MIME-like
`subdivision of a VM-encapsulated payload, thereby providing the ability to carry many secured
`payloads. In an embodiment of the invention, VM packet management 504 may implement individual
`or combinations of these functionalities on one or more of a plurality of carrier virtual machines 120,
`520, and by extension, application 122 and/or secure data 124, individually or in combination.”
`Dhawan at [0052].
`
`“In an embodiment of the invention, predetermined routing table 506 manages originating and
`terminating network addresses. In an embodiment of the invention, predetermined routing table 506
`can translate between physical network addresses and virtual network addresses as typically
`implemented in a virtual network (VNET) whether the VNET is implemented on a Local Area
`Network (LAN), a Wide Area Network (WAN) such as the Internet or a corporate intranet, or a
`combination of public and/or private network technologies and protocols. In an embodiment of the
`invention, predetermined routing table 506 may also include routing, event tree, and security
`information regarding individual physical or virtual network hops between two endpoints. In an
`embodiment of the invention, individual or combinations of event tree and security functionalities may
`be implemented on one or more of a plurality of carrier virtual machines 120, 520.” Dhawan at
`[0053].
`
`“FIG. 6 b is a generalized illustration of carrier virtual machines that can be used to implement the
`system and method of the present invention through a virtual network (VNET) 6614. In FIG. 6 b,
`participating physical host ‘1’ comprises virtual machine monitor 616 comprising virtual machine ‘A’
`622, virtual machine ‘B’ 624, virtual machine ‘C’ 626, and local physical storage 608. Participating
`physical host ‘2’ comprises virtual machine monitor 618 comprising virtual machine ‘D’ 632, virtual
`machine ‘E’ 634, and local physical storage 610. Participating physical host ‘1’ and participating
`physical host ‘2’ are coupled through network connections 126 to network 128, which can be but is not
`limited to, a local area network (LAN), a wide area network (WAN), or any combination of
`communication technologies and/or protocols that may be required to transport data packets between
`one or more information handling systems. Virtual network (VNET) 614 is a virtual private network
`(VPN) that implements a virtual local area network (VLAN) that in turn is implemented on a physical
`network 128 such as a Local Area Network (LAN), a Wide Area Network (WAN) such as the Internet
`or a corporate intranet, or a combination of public and/or private network technologies and protocols.”
`Dhawan at [0071].
`
`To the extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have
`been at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`3[b] migrating said virtual machine from a first hardware device to a second hardware device.
`
`Dhawan
`
`Dhawan discloses migrating said virtual machine from a first hardware device to a second hardware
`device. For example, Dhawan states:
`
`“In accordance with the present invention, a system and method is disclosed for virtual machines
`implemented as carriers of a payload that may include applications, data, another virtual machine etc.
`In various embodiments of the invention, virtual machines carrying the payload can be routed between
`physical hosts, based on set policies providing a secure, manageable and highly flexible environment
`for data and process management. Those of skill in the art will realize that many variations and
`implementations of such embodiments are possible.” Dhawan at [0017].
`
`“The carrier virtual machine is then migrated to the next participating physical host. Using the policy
`based Autorun Engine; necessary actions can be taken at each host. Examples may include transferring
`of data to the physical host or to a virtual machine in the physical host through a virtual network, to
`any other physical or virtual machine, a payload application gathering data or performing some
`maintenance on the physical or virtual machine, destroy itself if VM is on an unidentifiable host,
`change network interface properties like set new MAC address etc. In an embodiment of the invention,
`payload is transferred to a next carrier virtual machine through a virtual network implemented between
`the originating carrier VM and a carrier VM established on the participating physical host next to
`initiator in the migration path. Once the secure payload has been transferred to the next carrier VM, the
`virtual network, can be destroyed to provide an additional level of security. In an embodiment of the
`invention, the payload is transferred to the next carrier virtual machine through “hot cloning.” In this
`embodiment, as the carrier VM migrates from one physical host to another, a clone of the VM is
`created in the next participating physical host in the migration path. This hot cloning process may use
`copy on write (COW), which can be implemented as completion of the cloning operation before the
`next carrier virtual machine transfer is initiated, or beginning the next virtual machine carrier transfer
`before the cloning operation is complete. Once the secure data has been transferred to the next carrier
`VM, the virtual network can be destroyed to provide an additional level of security.” Dhawan at
`[0020].
`
`“In this embodiment of the invention, carrier virtual machine 426 is migrated from participating
`physical host 302 using a multi-layer communications protocol stack as described in more detail
`herein, through network 128 to router 306. Router 306 receives IP packets through network access port
`‘1’ 308, examines the destination IP address contained in IP datagrams generated by IP layer 318, and
`routes IP packets through network access port ‘2’ 310 to the designated destination IP address. In this
`same embodiment, participating physical host ‘2’ 304 receives incoming IP packets through its
`associated multi-layer communications protocol stack to implement virtual machine 438, comprising,
`but not limited to virtual machine autorun scripts 428, and payload 429 that includes operating systems
`430, other virtual machines 432, applications 434, and data 436. Once carrier virtual machine 426 has
`completed migration to participating physical host ‘2’ 304 as virtual machine 438, carrier virtual
`machine 426 on participating physical host ‘1’ 302 can be destroyed (if required by security policies).”
`Dhawan at [0043].
`
`To the extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have
`been at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`Patent No. 8,381,209
`Claim 4
`4[a] The method according to claim 3, further comprising: updating routing controls for said virtual
`machine at the hypervisor level;
`
`Dhawan
`
`See Claim element 1[a].
`
`4[b] updating traffic filters for said virtual machine at the hypervisor level; and
`
`Dhawan
`
`Dhawan discloses updating traffic filters for said virtual machine at the hypervisor level. Specifically,
`Dhawan discloses migrating a virtual machine from one physical host to another, and implementing
`firewall security for the virtual machine. For example, Dhawan states:
`
`“Once the originating carrier virtual machine has completed its migration to the next participating
`physical host it can be destroyed on the originating participating physical host. The migrated virtual
`machine now becomes a carrier virtual machine if migration to additional participating physical hosts
`is required. At each physical host the carrier virtual machine completes its assigned task and can notify
`the management application about the status of its task. In case of failure, necessary steps can be taken
`based on set policies and events (e.g. type of failure).” Dhawan at [0021].
`
`To the extent that it is argued that Dhawan does not disclose this limitation, this would have at least
`been inherent because a POSITA would have understood Dhawan to disclose that the filtering for the
`migrated virtual machine must be updated to occur at its new physical location. Furthermore, to the
`extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have been
`at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`4[c] advertising said migration of said virtual machine from said first hardware device to said second
`hardware device.
`
`Dhawan
`
`To the extent Dhawan does not disclose parts of this limitation, it would have at least been obvious to
`combine Dhawan with prior art disclosing this as demonstrated in Microsoft’s Invalidity Contentions
`Cover Pleading.
`
`Patent No. 8,381,209
`Claim 5
`5 The method according to claim 1, further comprising setting firewalls to permit network traffic for
`the virtual machine to go to the second hardware device at the hypervisor layer.
`
`Dhawan
`
`See Claim element 2[b].
`
`Patent No. 8,381,209
`Claim 6
`6 The method according to claim 1, further comprising adding a network section to a Virtual Machine
`Description File.
`
`Dhawan
`
`Dhawan discloses adding a network section to a Virtual Machine Description File. Specifically,
`Dhawan discloses virtual machine Autorun scripts initiated per virtual machine initiation. For
`example, Dhawan states:
`
`“In an embodiment of the invention, virtual machine Autorun scripts 428 can be initiated per virtual
`machine initiation and may comprise, but is not limited to, central policy updates, heartbeat and
`timeout monitors, and security checks including but not limited to VM group, individual VM, VM
`packet, etc. as described in more detail hereinbelow.” Dhawan at [0044].
`
`Patent No. 8,381,209
`Claim 7
`7 The method according to claim 1, further comprising storing network access control lists.
`
`Dhawan
`
`Dhawan discloses storing network access control lists. Specifically, Dhawan discloses providing
`additional security controls including access control lists (ACLs). For example, Dhawan states:
`
`“In an embodiment of the invention, virtual machine (VM) packet management 504 comprises
`parameters that may include, but are not limited to, time-to-live (TTL), security mechanisms such as
`access control lists (ACLs), usage policies, directory roles, etc. for carrier virtual machine 120, and by
`extension, application 122 and/or secure data 124, individually or in combination. For example, VM
`packet management 504 may control the flexibility of hardware and/or software access for VM
`network endpoints and/or intermediate routing hops.” Dhawan at [0047].
`
`“At a minimum, the present invention provides a system and method for the secure transfer of data by
`carrier virtual machines between participating physical hosts through a virtual network (VNET)
`implemented on one or more internal and/or external networks. Furthermore, use of the invention can
`provide additional security controls, comprising for example, parameters that may include, but are not
`limited to, time-to-live (TTL), access control lists (ACLs), usage policies, directory roles, etc.”
`Dhawan at [0090].
`
`To the extent that it is argued that Dhawan does not disclose all or part of this limitation, it would have
`been at least obvious to combine it with any other reference disclosing this limitation as explained in
`Microsoft’s Preliminary Invalidity Contention Cover Pleading.
`
`Dhawan
`
`Dhawan discloses the network access control lists. See Claim 7.
`
`To the extent Dhawan does not disclose parts of this limitation, it would have at least been obvious to
`combine Dhawan with prior art disclosing this as demonstrated in Microsoft’s Invalidity Contentions
`Cover Pleading.
`
`Patent No. 8,381,2