UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD. APPLE INC. Petitioner,

Paper No. 1 UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD APPLE INC. Petitioner, v. VIRNETX, INC. AND SCIENCE APPLICATION INTERNATIONAL CORPORATION, Patent Owner. Patent No. 8,850,009 Issued: September 30, 2014 Filed: June 6, 2013 Inventors: Victor Larson, et al. Title: SYSTEM AND METHOD EMPLOYING AN AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS USING SECURE DOMAIN NAMES Inter Partes Review No. IPR2015-00813 Petition for Inter Partes Review of U.S. Patent No. 8,850,009

Table of Contents I. Introduction... 1 A. Certification the 009 Patent May Be Contested by Petitioner... 1 B. Fee for Inter Partes Review ( 42.15(a))... 1 C. Mandatory Notices (37 CFR 42.8(b))... 1 1. Real Party in Interest ( 42.8(b)(1))... 1 1. Other Proceedings ( 42.8(b)(2))... 2 2. Lead and Backup Lead Counsel ( 42.8(b)(3))... 2 3. Proof of Service ( 42.6(e) and 42.105(a))... 2 II. Identification of Claims Being Challenged ( 42.104(b))... 2 III. Relevant Information Concerning the Contested Patent... 3 A. Overview of the 009 Patent... 3 1. The 009 Patent Specification... 3 2. Representative Claims... 5 B. Patent Owner s Contentions About Related Patents... 5 C. Effective Filing Date... 6 D. The Person of Ordinary Skill in the Art... 8 E. Claim Construction... 8 1. domain name service (DNS) request... 9 2. interception of the DNS request... 9 3. encrypted communication link... 11 4. provisioning information... 12 5. secure communications service... 14 6. indication... 15 7. virtual private network communication link... 16 8. domain name... 17 9. modulation... 17 ii

IV. Analysis of the Patentability of the 009 Patent... 18 A. Summary of Prior Art to the 009 Patent... 18 1. Overview of Aventail (Ex. 1009), Aventail User s Guide (Ex. 1010) and Aventail Extranet Guide (Ex. 1011)... 19 a) Nature of the Aventail Documents... 19 b) Components of the Aventail scheme... 21 c) Incorporation of Aventail Into A Client Computer... 22 d) Handling Requests... 22 e) Establishing a Secure Connection... 24 f) Using Multiple Proxies... 26 g) Secure Extranet Explorer... 27 2. Overview of RFC 2401 (Ex. 1008)... 28 3. Overview of RFC 2543 (Ex. 1013)... 30 B. Aventail (Ex. 1009) in View of RFC 2401 (Ex. 1008) Would Have Rendered Claims 1, 6-14, 19-20 and 22-25 Obvious... 31 1. Aventail Describes or, with RFC 2401, Suggests Every Element of Independent Claims 1 and 14... 32 a) Claim 1 Preamble: a network device... 32 b) storage device storing an application program and processor configured to execute the application program... 33 c) Claim 14 Preamble: a method executed by a first device for communicating with a second network device... 34 d) sending... a domain name service (DNS) request to look up a network address... based on an identifier... 34 e) The receiving step... 35 f) connecting... over the encrypted communication link, using the received network address... and the provisioning information...... 44 g) communicating data... using the secure communications service via the encrypted communication link... 45 iii

h) the first network device being a device at which a user uses the secure communications service to access the encrypted communication link... 46 2. The Distinctions Between the Claimed Methods and Systems Would Have Been Obvious Based on Aventail in View of RFC 2401... 47 3. Claims 6 and 19 Would Have Been Obvious... 51 4. Claims 7 and 20 Would Have Been Obvious... 51 5. Claim 8 Would Have Been Obvious... 52 6. Claims 10 and 22 Would Have Been Obvious... 53 7. Claims 11 and 23 Would Have Been Obvious... 54 8. Claims 12 and 24 Would Have Been Obvious... 54 9. Claims 13 and 25 Would Have Been Obvious... 55 C. Aventail in view of RFC 2401 in Further View of RFC 2543 Would Have Rendered Claims 2-5 and 15-18 Obvious... 55 1. Claims 2, 3, 15 and 16 Would Have Been Obvious... 55 2. Claims 4, 5, 17, and 18 Would Have Been Obvious... 58 D. No Secondary Considerations Exist... 59 V. Conclusion... 59 iv

I. Introduction A. Certification the 009 Patent May Be Contested by Petitioner Petitioner certifies that U.S. Patent No. 8,850,009 (Ex. 1003) (the 009 patent) is available for inter partes review. Petitioner also certifies it is not barred or estopped from requesting inter partes review of the claims of the 009 patent. Neither Petitioner, nor any party in privity with Petitioner, has filed a civil action challenging the validity of any claim of the 009 patent. The 009 patent has not been the subject of a prior inter partes review by Petitioner or a privy of Petitioner. Petitioner also certifies this petition for inter partes review is timely filed as it has never been asserted against Petitioner in litigation. Thus, because there is no patent owner s action, this petition complies with 35 U.S.C. 315(b). Petitioner also notes that the timing provisions of 35 U.S.C. 311(c) and 37 C.F.R. 42.102(a) do not apply to the 009 patent, as it pre-dates the first-to-file system. See Pub. L. 112-274 1(n), 126 Stat. 2456 (Jan. 14, 2013). B. Fee for Inter Partes Review ( 42.15(a)) The Director is authorized to charge the fee specified by 37 CFR 42.15(a) to Deposit Account No. 50-1597. C. Mandatory Notices (37 CFR 42.8(b)) 1. Real Party in Interest ( 42.8(b)(1)) The real party in interest of this petition pursuant to 42.8(b)(1) is Apple Inc. ( Apple ) located at One Infinite Loop, Cupertino, CA 95014. 1

1. Other Proceedings ( 42.8(b)(2)) IPR2015-00812 filed concurrently also involves the 009 patent. Each petition advances unique grounds and is based on different primary references. Each petition presents a unique correlation of the claims to the prior art, and warrants independent institution of trial. Petitioner respectfully requests the Board institute each petition, as each presents distinct and non-redundant grounds. 2. Lead and Backup Lead Counsel ( 42.8(b)(3)) Lead Counsel is: Jeffrey P. Kushan (Reg. No. 43,401), jkushan@sidley.com, (202) 736-8914. Back-Up Lead Counsel are: Scott Border (pro hac to be requested), sborder@sidley.com, (202) 736-8818; and Thomas A. Broughan III (Reg. No. 66,001), tbroughan@sidley.com, (202) 736-8314. 3. Proof of Service ( 42.6(e) and 42.105(a)) Proof of service of this petition is provided in Attachment A. II. Identification of Claims Being Challenged ( 42.104(b)) Claims 1-8, 10-20, and 22-25 of the 009 patent are unpatentable as obvious under 35 U.S.C. 103. Specifically: (i) claims 1, 6-8, 10-14, 19-20, and 22-25 would have been obvious based on Aventail Connect v3.01/v2.51 Administrator s Guide ( Aventail ) (Ex. 1009) in view of RFC 2401, Security Architecture for the Internet Protocol ( RFC 2401 ) (Ex. 1008); and claims 2-5 and 15-18 are obvious based on Aventail in view of RFC 2401 in further view of RFC 2543 SIP: Session Initiation Protocol ( RFC 2543 ) (Ex. 1013). 2

Attachment B lists the evidence relied upon in support of this petition. III. Relevant Information Concerning the Contested Patent A. Overview of the 009 Patent 1. The 009 Patent Specification The 009 patent is a member of a family of patents issued to Larson et al., including, inter alia, U.S. Patent Nos. 6,502,135 ( 135 patent ), 7,188,180 ( 180 patent ), 7,418,504 ( 504 patent ), 7,490,151 ( 151 patent ), 7,921,211 ( 211 patent ), 7,987,274 ( 274 patent ), 8,051,181 ( 181 patent ), 8,504,697 ( 697 patent ), and 8,868,705 ( 705 patent ). 1 The 009 patent disclosure, like other members of this patent family, is largely focused on techniques for securely communicating over the Internet based on a protocol called the Tunneled Agile Routing Protocol or TARP. Ex. 1003 at 3:20-23. According to the 009 specification, TARP allows for secure and anonymous communications by using tunneling, an IP address hopping scheme where the IP addresses of the end devices and routers participating in the system can change over time, and a variety of other security techniques. Ex. 1003 at 1:38-40, 3:20-6:13. Two short sections of the 009 specification spanning primarily columns 39 to 42 and 49 to 53 are directed to a different concept, namely, techniques for establishing secure communications in response to DNS requests 1 IPR2015-00810 and -00811 filed concurrently involve the 705 patent. 3

specifying a secure destination. See Ex. 1003 at 39:36-42:29, 49:41-53:49. This material was added in a continuation-in-part application filed in February 2000. In proceedings involving related patents, Patent Owner has asserted that these short passages provide written description support for claim terms involving domain names, DNS requests, requests to look up network addresses, and DNS servers. These portions of the 009 specification describe a conventional DNS server that purportedly is modified to include additional functionality that allows it to support the creation of virtual private networks. See Ex. 1003 at 40:29-57. According to the 009 specification, the modified DNS server (id. at 40:33-34) receives a request to look up a network address associated with a domain name, determines whether a secure site has been requested (for example, by checking an internal table of sites), and then performs additional steps to support establishing a virtual private network with the secure site. See Ex. 1003 at 39:33-38, 40:11-28, 40:39-57, 41:31-49, 52:7-13. This process can include conventional devices such as personal computers running web browsers, proxy servers, intermediate routers, and web servers. Ex. 1003 at 40:29-38, 49:55-65, 52:65-53:4. The 009 specification describes several optional features of this system, such as using IP hopblocks to create a VPN or incorporating user authentication. Ex. 1003 at 40:18-22, 40:27-28, 41:42-49, 52:21-34. It also describes several optional configurations of the modified DNS server, including a standalone DNS 4

server and a system incorporating a DNS server, a DNS proxy server, and a gatekeeper. Ex. 1003 at 41:1-14. 2. Representative Claims Independent claims 1 and 14 of the 009 patent define a network device and a method, respectively, but recite the same operative steps. See Ex. 1003 at 56:22-48, 57:22-58:3. Claim 14 is representative, specifying a method executed by a first network device for communicating with a second network device by: (1) sending a request to look up a network address of the second network device; (2) receiving, following interception of the request, (i) an indication that the second network device is available for a secure communications service; (ii) the requested network address; and (iii) provisioning information for an encrypted communication link; (3) connecting to the second network device over the encrypted communication link; and (4) communicating data using the secure communications service via the encrypted communication link, the first network device being a device at which a user uses the secure communications service to access the encrypted communication link. B. Patent Owner s Contentions About Related Patents Patent Owner has asserted varying sets of claims of its patents in this family against Petitioner and other entities in numerous lawsuits. In August of 2010, Patent Owner sued Petitioner and five other entities (the 2010 Litigation ) 5

asserting claims from the 135, 151, 504, and 211 patents. In November 2011, Patent Owner filed a lawsuit accusing Petitioner of infringing claims of the 181 patent. In December 2012, Patent Owner served a new complaint on Petitioner asserting infringement of numerous claims of the 135, 151, 504, and 211 patents (the 2012 Litigation ). In August 2013, Patent Owner served an amended complaint adding the 697 patent to the 2012 Litigation. Patent Owner also asserted patents from this family against Microsoft and others in separate lawsuits filed in February 2007, March 2010, and April 2013, and against numerous other defendants in actions filed in 2010 and 2011. C. Effective Filing Date The 009 patent issued from U.S. Appl. No. 13/911,792 ( the 792 application ). The 792 application claims the benefit as a continuation of the following applications: 13/903,788, filed May 28, 2013; 13/336,790 (issued as U.S. Patent No. 8,458,341); 13/049,552 (issued as U.S. Patent No. 8,572,247); 11/840,560 (issued as the 211 patent); 10/714,849 (issued as the 504 patent); and 09/558,210, filed April 26, 2000, and now abandoned. It also is designated a continuation-in-part of 09/504,783, filed on February 15, 2000 ( the 783 application ), which is a continuation-in-part of 09/429,643, filed on October 29, 1999. The 210, 783 and 643 applications also claim priority to 60/106,261, filed October 30, 1998 and 60/137,704, filed June 7, 1998. 6

Claims 1 and 14 of the 009 patent are independent claims. Claims 2-8 and 10-13 depend directly or indirectly from claim 1, and claims 15-20 and 22-25 depend directly or indirectly from claim 14. Claims 2-8, 10-13, 15-20 and 22-25 cannot enjoy an effective filing date earlier than that of claims 1 and 14, respectively, from which they depend. Claims 1 and 14 of the 009 patent rely on information found only in the 783 application. For example, claim 1 of the 009 patent specifies a network device comprising at least one processor configured to execute an application program to enable the network device to send a domain name service (DNS) request and receive, following interception of the DNS request (emphasis added). Claim 14 specifies a method executed by a first network device comprising sending a domain name service (DNS) request and receiving, following interception of the DNS request (emphasis added). No application filed prior to the 783 application mentions the terms domain name, domain name service or DNS request, much less provide a written description of devices or methods corresponding to the 009 patent claims. In proceedings involving the related 135, 504, 151, 211, 274 and 697 patents, Patent Owner has not disputed that claims reciting a domain name or domain name service are not entitled to an effective filing date prior to February 15, 2000. See, e.g., Patent Owner Preliminary Oppositions in IPR2013-00348, -00349, -00354, -00375 7

to -00378, -00393, -00394, -00397, and -00398, as well as IPR2014-00237, - 00238, -00403, -00404, and -00610; see also Inter Partes Reexamination Nos. 95/001,682, 95/001,679, 95/001,697, 95/001,714, 95/001,788, and 95/001,789. Accordingly, the effective filing date of the 009 patent claims is no earlier than February 15, 2000. D. The Person of Ordinary Skill in the Art A person of ordinary skill in the art in the field of the 009 patent would have been someone with a good working knowledge of networking protocols, including those employing security techniques, as well as computer systems that support these protocols and techniques. The person also would be very familiar with Internet standards related to communications and security, and with a variety of client-server systems and technologies. The person would have gained this knowledge either through education and training, several years of practical working experience, or through a combination of these. Ex. 1005 110. E. Claim Construction In this proceeding, claims must be given their broadest reasonable construction in light of the specification. 37 CFR 42.100(b). The 009 patent shares a common disclosure and uses several of the same terms as the 697, 274, 180, 151, 504, and 211 patents with respect to which Patent Owner has advanced constructions. Also, if Patent Owner contends terms in the claims should 8

be read as having a special meaning, those contentions should be disregarded unless Patent Owner also amends the claims compliant with 35 U.S.C. 112 to make them expressly correspond to those contentions. See 77 Fed. Reg. 48764 at II.B.6 (August 14, 2012); cf. In re Youman, 679 F.3d 1335, 1343 (Fed. Cir. 2012). In the constructions below, Petitioner identifies representative subject matter within the scope of the claims, read with their broadest reasonable interpretation. Petitioner expressly reserves its right to advance different constructions in any district court litigation, which employs a different claim construction standard. 1. domain name service (DNS) request Each independent claim recites the term domain name service (DNS) request. The 009 patent does not define the term domain name service (DNS) request. In IPR2014-00610 involving the related 151 patent, the Board has interpreted DNS request to mean a request for a resource corresponding to a domain name. Paper 9 at 6 (Oct. 15, 2014). This is consistent with the 009 patent specification, which provides examples of DNS requests seeking to obtain a network address corresponding to a web name or domain name. Ex. 1003 at 39:39-45, 40:52-58; see also Ex. 1005 at 85. Accordingly, the broadest reasonable interpretation of domain name service (DNS) request is a request for a resource corresponding to a domain name. Ex. 1005 at 85. 2. interception of the DNS request 9

Each independent claim requires interception of a DNS request. In a related proceeding involving the 697 patent, the Board interpreted the phrase intercepting... a request as including receiving a request pertaining to a first entity at another entity. IPR2014-00237, Paper 15 at 13 (May 14, 2014). The Board further explained that intercepting a request involves receiving and acting on a request, the request being intended for receipt at a destination other than the destination at which the request is intercepted. Id. at 12. The Board s construction is consistent with the 009 patent specification. Ex. 1005 at 67. The 009 patent does not expressly define interception of a DNS request, but uses the term intercepting as meaning receiving a request at a device other than the device specified in the request. Ex. 1005 at 68, 86. For example, the specification explains that a DNS proxy 2610 intercepts all DNS lookup functions to examine whether access to a secure site has been requested. Ex. 1003 at 40:39-45, Figs. 26 & 27. The specification also shows the requests are routed to the DNS proxy instead of a DNS server 2609, which ordinarily would receive and resolve the domain name in the request. Id. at 39:39-41. Because the DNS proxy and DNS server as described as separate entities, the 009 patent uses the term intercept as meaning receipt of a message by a proxy server instead of the intended destination. Accordingly, the broadest reasonable interpretation of the term interception of the DNS request includes receiving a DNS request 10

pertaining to a first entity at another entity. Ex. 1005 at 86. 3. encrypted communication link Each independent claim recites the term encrypted communication link. The 009 patent does not define encrypted communication link. The Board has not interpreted this term in proceedings involving related patents, but has construed the terms secure communication link and virtual private network communication link. Specifically, in IPR2014-00237 involving the related 697 patent, the Board interpreted secure communication link to mean a transmission path that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. Paper 15 at 10 (May 4, 2014). Also, in IPR2014-00481 involving the related 180 patent, the Board interpreted virtual private network communication link to mean a transmission path between two devices that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. Paper 11 at 6-7 (Sept. 3, 2014). Like the 697 and 180 patent claims, the 009 patent claims require communication over a communication link, but the 009 claims specify that the link is encrypted. All three patents generally claim DNS-based methods and 11

systems for establishing secure communications or VPNs. The common specification explains that the DNS-based VPN scheme permits computers to privately communicate with each other over a public network by protecting their anonymity. See Ex. 1003 at 39:56-65. In other words, the communication link resulting from implementation of the claimed DNS-based methods and systems must be a transmission path that restricts access to data, addresses, or other information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. Ex. 1005 at 88-90; see also IPR2014-00237, Paper 15 at 10 (May 4, 2014); IPR2014-00481, Paper 11 at 6-7 (Sept. 3, 2014). Thus, an encrypted communication link is a type of secure communication link that uses encryption. Ex. 1005 at 90. The broadest reasonable interpretation of encrypted communication link in the context of the 009 claims is a transmission path that restricts access to data, addresses, or other information on the path at least by using encryption. Ex. 1005 at 91. 4. provisioning information Each independent claim recites the term provisioning information. The 009 patent does not define provisioning information. The only discussion in specification concerning provisioning states that VPN gatekeeper 3314 provisions computer 3301 and secure web server computer 3320, or a secure edge router for server computer 3320, thereby creating the VPN. Ex. 1003 at 52:10-13 12

(emphasis added). The 009 specification also explains that, after a DNS proxy determines that access a secure site has been requested, it transmits a message to a gatekeeper requesting creation of a virtual private network. Id. at 40:45-48, 41:39-42. The gatekeeper returns a resolved IP address and IP address hopblocks to be used by the client computer and the target site to communicate securely. Id. at 40:48-57; see also Ex. 1005 at 74. In IPR2014-00481 involving the 180 patent, whose claims recite provisioning information for a virtual private network rather than encrypted communications channel, the Board interpreted provisioning information as information that is provided to enable or to aid in establishing communications to occur in the VPN. Paper 11 at 11 (Sept. 3, 2014). The 009 patent disclosure only describes use of DNS systems to establish VPN connections between devices, and it does not describe creating encrypted channels that are isolated from a VPN. See Ex. 1003 at 39:36-38, 51:31-33, 52:9-10, Fig. 37. Examples of provisioning information in the 009 patent includes IP address hopblocks or other data that enables or to aids in establishing communications in a VPN where the VPN uses encryption. Ex. 1003 at 40:45-57: Ex. 1005 at 75. Therefore, the broadest reasonable interpretation of the term provisioning information in the context of the 009 claims is information that enables communication in a virtual private network, where the virtual private network uses encryption. Ex. 1005 at 92. 13

5. secure communications service Each independent claim recites the term secure communications service. The 009 patent does not expressly define this term. In IPR2014-00237 involving the related 697 patent, the Board interpreted the term secure communications service as the functional configuration of a network device that enables it to participate in a secure communication link with another network device. Paper 15 at 10 (May 14, 2014). Secure communication link in turn has been interpreted by the Board to mean a transmission path that restricts access to data, addresses, or other information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. IPR2014-00237, Paper 15 at 10 (May 4, 2014). This is consistent with the 009 patent specification, which uses the phrase secure communications service in a manner that indicates the term simply refers to the capacity of two computers to participate in a secure communications link. Ex. 1005 at 95. For example, the 009 patent explains that a first network device communicat[es] at least one of video data and audio data with the second network device using the secure communications service via the secure communication link. Ex. 1003 at 8:28-31, 8:45-48. Therefore, the broadest reasonable construction of the term secure communications service should encompass the functional configuration of a network device that enables it to participate in a 14

secure communications link with another computer or device. Ex. 1005 at 96. 6. indication Each independent claim requires the first network device to receive an indication that the second network device is available for the secure communications service. The 009 specification does not define the term indication. In IPR2014-00614 involving the related 504 patent, the Board interpreted the term indication to mean something that shows the probable presence or existence or nature of. Paper 9 at 12-13 (Oct. 15, 2014); see also IPR2014-00615, Paper 9 (Oct. 15, 2014) (involving the related 211 patent). This is consistent with the 009 specification, which explains that, after a DNS proxy determines access to a secure site has been requested and forwards the request to a gatekeeper, the client receives a resolved address and is provisioned information such as hopblocks to be used for secure communication with the secure target site. Ex. 1003 at 40:39-57; Ex. 1005 at 99. In some scenarios, the DNS proxy may return a host unknown error message, such as if the user lacks appropriate credentials. Ex. 1003 at 40:62-65. Although a web browser may show an icon indicating a secure connection has been established (id. at 52:37-40), the 009 specification contains no discussion of a client receiving a message explicitly confirming that the secure target site is available for secure communications. Ex. 1005 at 100. Accordingly, the broadest reasonable interpretation of the term 15

indication should encompass something that shows the probable presence or existence or nature of. Ex. 1005 at 101. 7. virtual private network communication link Dependent claims 8 and 21 specify that the encrypted communication link is part of a virtual private network communication link. The 009 patent does not provide an explicit definition for virtual private network communication link. In IPR2014-00481 involving the related 180 patent, the Board interpreted virtual private network communication link to mean a transmission path between two devices that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. Paper 11 at 6-7 (Sept. 3, 2014). The Board also read the 180 patent as employing various levels of security in a VPN that do not require encryption, such as authentication, or information or address hopping. Id. at 7. This is consistent with the 009 specification, which explains that software module 3309 accesses secure server 3320 through VPN communication link 3321 and the communication link 3321 is shown as only the portion of the path between computer 3301 and server 3320 that is over network 3302. Ex. 1003 at 52:35-36, Fig. 33; Ex. 1005 at 104. Accordingly, the broadest reasonable interpretation of virtual private network communication link is a transmission path between two 16

devices that restricts access to data, addresses, or other information on the path, generally using obfuscation methods to hide information on the path, including, but not limited to, one or more of authentication, encryption, or address hopping. Ex. 1005 at 105. 8. domain name Dependent claims 7 and 20 recite the term domain name. The 009 patent does not define domain name. A domain name would be understood by a person of ordinary skill to be a hierarchical sequence of words in decreasing order of specificity that corresponds to a numerical IP address. Ex. 1005 at 70. A more general description of domain name has been advanced by Patent Owner in other proceedings; namely, a name corresponding to an IP address. See, e.g., Ex. 1042 at 14-15. Both definitions are reasonable; thus the broadest reasonable interpretation of domain name is a name corresponding to an IP address. Ex. 1005 at 106. 9. modulation Dependent claims 4, 5, 17 and 18 recite the term modulation. The term modulation is not defined in the 009 patent. In IPR2014-00237 involving the 697 patent, the Board interpreted modulation to include the process of encoding data for transmission over a medium by varying a carrier signal. Paper 15 at 14 (May 14, 2014). This is consistent with the 009 patent and the 17

understanding of a person of ordinary skill in the art. Ex. 1005 at 78-79. For example, the specification explains that transmission paths may comprise logically separate paths contained within a broadband communication medium (e.g., separate channels in an FDM, TDM, CDMA, or other type of modulated or unmodulated transmission link). Ex. 1003 at 35:17-23. A person of skill would understand unmodulated and modulated to refer to whether data is encoded for transmission over a physical medium by varying or modulating a carrier signal. Ex. 1005 at 80. Any data transmitted via a modem (i.e., a modulatordemodulator device) is modulated. Id. Similarly, any data transmitted via a cellular network is modulated. Id. Accordingly, the broadest reasonable interpretation of modulation is the process of encoding data for transmission over a medium by varying a carrier signal. Ex. 1005 at 108. IV. Analysis of the Patentability of the 009 Patent The 009 patent has two independent claims (claims 1 and 14), each of which specifies the same operative steps. See III.A.2. Claim 14 is representative, and defines a process for establishing a secure communications service via an encrypted communications link between a first network device and a second network device based on intercepting a request to look up a network address of the second device. A. Summary of Prior Art to the 009 Patent 18

19 Well before 2000, there was an extensive amount of literature and other prior art describing techniques for establishing secure communication links, including VPNs. A person of ordinary skill would have been familiar with this prior art, and would have found it to render obvious the claimed methods for the reasons set forth below in IV.B-IV.D. A brief overview of the prior art and what it taught the person of ordinary skill is provided in this section. 1. Overview of Aventail (Ex. 1009), Aventail User s Guide (Ex. 1010) and Aventail Extranet Guide (Ex. 1011) a) Nature of the Aventail Documents The Aventail Connect v3.01/v2.51 Administrator s Guide (Ex. 1009, Aventail ), Aventail Connect v3.01/v2.51 User s Guide (Ex. 1010, Aventail User s Guide ), and Aventail ExtraNet Center v3.0 Administrator s Guide (Ex. 1011, Aventail Extranet Guide ) are documentation for software (version 3.0 of a product called Aventail Extranet Center) that were distributed together. Aventail is a printed publication that was distributed to the public without restriction no later than January 31, 1999. Enclosed with this request are declarations under 37 CFR 1.32 from three individuals having personal knowledge that Aventail was publicly distributed no later than January 31, 1999. The declarations were previously filed in inter partes reexamination 95/001682. In Exhibit 1023, Christopher Hopen, formerly of Aventail Corporation, explains that Aventail was distributed with Aventail Extranet Center v3.0, which was announced in August of 1998, and

shipped to customers between December 1998 and January of 1999. He further explains that Aventail was shipped with the installation discs for the Aventail Extranet Server v3.0 and Aventail Connect v3.01 software products. In Exhibit 1043, Michael Fratto, Editor of Network World, testifies that he received Aventail no later than the end of October of 1998. In Exhibit 1022, James Chester, formerly of IBM, testifies that he received Aventail no later than the end of December of 1998, and subsequently distributed this document to customers and IBM employees in connection with deployment of VPN solutions to these entities and individuals in mid-january of 1999. In view of this evidence, the publication date of Aventail is no later than January 31, 1999, and, accordingly, Aventail is prior art to the claims of the 009 patent under 35 U.S.C. 102(b). An summary of the scheme disclosed by Aventail can be found in Ex. 1005 160-273. Aventail describes the configuration and operation of client and server components of the Aventail VPN system. See, e.g., Ex. 1005 at 142-45. The documents cross-reference each other, which is logical as they are describing two components of a single system that are designed to work together (i.e., the Aventail Connect client running on the client computer, and the Aventail Extranet Server running on a server computer). See, e.g., Ex. 1009 at 3, 5, 6, 11, 14, 19, 36-40, 44, 46, 48, 50, 52, 55-56, 57, 61-71, 76-77, 79-83, 92-94, 96, 99, 107-109. Given the close interrelationship between the documents, the fact that were distributed 20

together in a single product, and their extensive cross-referencing of the other document, each of the Aventail documents incorporates the others by reference. Ex. 1005 at 145. b) Components of the Aventail scheme Aventail discloses a scheme for creating virtual private networks by establishing encrypted and authenticated connections between a client computer running the Aventail Connect software and a private network protected by a proxy server running Aventail Extranet server software. Ex. 1009 at 12, 72; Ex. 1005 at 160-162. Aventail provides an example in which mobile computers running Aventail Connect establish a VPN (virtual private network) with a remote network by communicating over an encrypted link with a proxy server running Aventail Extranet server software: 21

Ex. 1009 at 72-73; Ex. 1005 at 163-169, 182. c) Incorporation of Aventail Into A Client Computer To provide VPN functionality to software on user devices, Aventail Connect inserts itself into the networking subsystem of the client computer. As Aventail explains, Aventail Connect slips in between Winsock and the underlying TCP/IP stack. Aventail Connect can change data (compressing it or encrypting it, for example) before routing it to the TCP/IP stack for transport over the network. Ex. 1009 at 9; Ex. 1005 at 214-216. d) Handling Requests A flowchart (prepared for the purposes of this Petition) summarizing Aventail s handling of requests can be found in Exhibit 1005 at paragraph 218. See also id. 217-256. The process of communicating with a remote host starts with an application on a client computer running Aventail Connect requesting to lookup the network address associated with a domain name. For example, if a user enters www.yahoo.com into a web-browser application running on a client 22

computer, the web-browser will send a request to lookup the network address associated with www.yahoo.com to establish a network connection with the computer identified as www.yahoo.com. Ex. 1005 at 209. Aventail discloses two configuration options for Aventail Connect to handle this request. In one configuration, Aventail Connect consults a table of redirection rules to determine whether the request corresponds to a device on a remote network and must be proxied. See, e.g., Ex. 1009 at 10; see also id. at 8-9, 11-12. To do so, Aventail Connect compares the target of the request with a table that represents the remote hosts that Aventail Connect knows are available by way of an Aventail Extranet server. See, e.g., Ex. 1009 at 11-12. If the request relates to a host determined to be available by way of an Extranet server then Aventail Connect proxies that request to the Extranet server. Id. Otherwise Aventail Connect allows the request to be handled by the client computer s operating system. Id. In a second configuration where the client is configured to proxy all requests (rather than evaluating them on the client), Aventail Connect routes all requests to an Aventail Extranet server for handling and resolution. Ex. 1009 at 61; see also Ex. 1009 at 12. In this configuration, the server will receive the requests, and resolve the host name in the request if the request specifies one. Ex. 1009 at 61; see also Ex. 1009 at 12; Ex. 1005 225-228. Regardless of configuration, if a request contains a domain name to be 23

proxied to the Extranet server (e.g., because the domain name matches an entry in a table of entries specifying hosts accessible via the Extranet server), Aventail Connect flags the request by inserting a false DNS entry called a HOSTENT, as the network address, into the response to the request to lookup the domain name. See Ex. 1009 at 11-12; Ex. 1005 237. The HOSTENT entry is recognized by the Aventail Connect client later when a connection request is sent. Id. Once the DNS query has been resolved and the requesting application has the network address for the host with which the application wishes to communicate, the client computer running Aventail Connect will send a connection request that includes this network address. See Ex. 1009 at 12; Ex. 1005 238-239. If that network address is a false entry that Aventail Connect provided, Aventail Connect will proxy the connection request to the Extranet server. See Ex. 1009 at 12; Ex. 1005 239. For these connections, Aventail Connect can be configured to establish an encrypted and authenticated connection that enables the application to securely communicate with the remote host. See Ex. 1009 at 12; Ex. 1005 238-254, 255-256. e) Establishing a Secure Connection Aventail explains that after determining whether the domain name lookup request corresponds to a remote host that is available for a secure communications service, the client computer will receive various parameters to establish an 24

encrypted connection. Ex. 1005 at 238-254. In one configuration, Aventail will encrypt communications according to a known encryption standard called Secure Sockets Layer (SSL). Ex. 1009 at 12, 73, 110; Ex. 1005 247-250. For example, Aventail explains that the Extranet server can be configured to send an SSL certificate to the client computer which uses the SSL certificate to verify the identity of the Extranet server. See Ex. 1009 at 47; see also Ex. 1009 at 47-51. The Extranet server also sends a selection of the encryption method that can be used to the client computer. See Ex. 1009 at 51. Aventail also explains that the client computer performs a TCP handshake. See Ex. 1009 at 8; Ex. 1005 at 210, 238. A person of ordinary skill in the art would have known that this handshake is specified by the TCP standard and would have understood Aventail s TCP-handshake disclosure to mean that the client computer will receive a synchronization packet and an acknowledgement packet. See Ex. 1005 117-119; Ex. 1014 at 27-28. A person of ordinary skill would have understood packets contain sequence numbers that are parameters necessary to establish TCP communications. See Ex. 1014 at 27-28; Ex. 1005 119. Aventail explains that client computers also can also perform a SOCKSnegotiation. Ex. 1009 at 12; Ex. 1005 242. This negotiation involves authentication, with the Aventail client providing a list of authentication methods, and the server selecting an authentication method to use. Ex. 1009 at 12; Ex. 1005 25

242. Aventail also explains that the SOCKS negotiation entails Aventail Connect providing a proxy request to the Extranet server. Ex. 1009 at 12; Ex. 1005 241-243. A person of ordinary skill in the art would have understood that the SOCKS 5 standard specifies this negotiation, and according to standard, if the client computer is allowed access to the requested remote host, the Extranet server will send a succeeded response to the client that provides the BIND network address and BIND network port to which the client computer should send its encrypted communications. See Ex. 1005 243; Ex. 1018 at 5-6. f) Using Multiple Proxies Another feature of Aventail s scheme is its multiproxy functionality, which allows routing of traffic through multiple firewalls or proxies, rather than through a single Aventail Extranet Server. Ex. 1009 at 59-67; Ex. 1005 257-265. Aventail explains that Aventail Connect can be configured to specify one or more intermediary proxies through which communications can be routed. Ex. 1009 at 59-67. After defining the final destination and the extranet server locations, one or more intermediary proxy servers could be added (i.e., a destination ). Ex. 1009 at 59-62; Ex. 1005 257-262. All or some of the traffic from the client could be routed through each destination, based on configuration. Ex. 1009 at 59-62; Ex. 1005 257-262. Aventail also describes another routing scheme used by client computers 26

running Aventail Connect called proxy chaining. Ex. 1009 at 63-64; Ex. 1005 263-265. In this scheme, the client computer running Aventail Connect is configured to send traffic to a specified intermediary proxy server. See Ex. 1009 at 63-64. That server then forwards the traffic on to one or more subsequent proxy servers. Id. The Aventail Connect client computer authenticates the connection to the first intermediary which would in turn authenticate to the next proxy server, and so on. See id. at 63. Again, the information being sent via these connections may be encrypted. See, e.g., Ex. 1009 at 63. g) Secure Extranet Explorer Aventail describes client computers running Aventail Connect that can dynamically browse and access resources within a private network once a secure connection had been established using a feature called Secure Extranet Explorer (SEE). Ex. 1009 at 90-101; Ex. 1005 266-272. This functionality allows a remote user who had successfully established a VPN to a private network to access the network resources that user was authorized to, just as [the user] would using the Windows network neighborhood as a local user. Ex. 1009 at 91-92. A person of ordinary skill would recognize based on the description of the SEE functionality that the functionality would have needed domain lookup and connection functionality, and looked to the description of the domain lookup and connection functionality in Aventail (e.g., to set up the VPN over which the 27

interactions via the SEE functionality are effected). See Ex. 1009 at 11-12, 94-105. 2. Overview of RFC 2401 (Ex. 1008) RFC 2401, Security Architecture for the Internet Protocol, ( RFC 2401 ) (Ex. 1008) was published in November 1998, and is prior art to the 009 patent under 35 U.S.C. 102(b). Ex. 1008 at 1; Ex. 1005 148-155, 156-157. The operation and features of the systems described in RFC 2401 are explained in greater detail in Ex. 1005 at 346-364. RFC 2401 is an Internet standards track protocol for the Internet community, Ex. 1008 at 1, and specifies the base architecture for IPsec compliant systems, Ex. 1008 at 3. Among other things, RFC 2401 discloses a scheme for providing security services for network traffic at the IP layer. Ex. 1008 at 3, 4; Ex. 1005 at 346. Two of the security services that RFC 2401 provides are authentication and encryption. RFC 2401 incorporates by reference several other documents to further detail its authentication and encryption mechanisms. See, e.g., Ex. 1008 at 4, 10; Ex. 1005 at 347. For example, RFC 2401 refers to IP Security Document Roadmap (RFC 2411) as describing encryption and authentication algorithms for IPsec. Ex. 1008 at 4, 64. RFC 2401 also refers to RFC 2402, IP Authentication and RFC 2406 IP Encapsulating Security Payload (ESP). Ex. 1008 at 4, 63, 64; see also Ex. 1005 at 350. 28

RFC 2401 provides a set of models for implementing encryption using IPsec. Ex. 1008 at 25-27; Ex. 1005 at 362-364. RFC 2401 shows that IPsec can be used to provide encryption over certain portions of a communications path, or can be used to provide end-to-end encryption (meaning that the entire path between the communicating devices is encrypted). Ex. 1008 at 24-26; Ex. 1005 at 362-364. RFC 2401 shows one configuration (case 3) where there is one tunnel between two security gateways such as an edge router, and another encrypted tunnel between the two end devices: Ex. 1008 at 25. In another configuration (case 4), RFC 2401 shows a host us[ing] the Internet to reach an organization s firewall (SG2) and to then gain access to some server or other machine (H2). Ex. 1008 at 25; Ex. 1005 363. 29

Ex. 1008 at 26; Ex. 1005 at 363. This illustration shows that in this configuration the computer accessing the resource on the remote network establishes a direct connection to the resource. 3. Overview of RFC 2543 (Ex. 1013) Request for Comments: 2543; SIP: Session Initiation Protocol ( RFC 2543 ) (Ex. 1013) was published in March 1999, and is prior art under 35 U.S.C. 102(b). Ex. 1013 at 1; Ex. 1005 148-155; 158-159. RFC 2543 describes a network-based secure video telephony architecture that supports both audio and video conferences. See, e.g., Ex. 1013 at 1 ( The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. ); id. at 137 ( assume that the caller Alice has included the following description in her INVITE request. It includes an audio stream and two bidirectional video streams. ); Ex. 1005 418-240. RFC 2543 discloses that these multimedia telephony 30

sessions may be encrypted. Ex. 1012 at 54; Ex. 1005 420. 31 B. Aventail (Ex. 1009) in View of RFC 2401 (Ex. 1008) Would Have Rendered Claims 1, 6-14, 19-20 and 22-25 Obvious Aventail describes systems and methods highly analogous to the systems and methods disclosed in and claimed by the 009 patent. Both describe techniques whereby connection requests made by a client computer are intercepted and evaluated, and where, if a secure destination has been specified in the connection request, a VPN/secure communication link is transparently established between the client computer and the host specified in the request, with network traffic between the client computer and secure network host being automatically encrypted/decrypted. In IV.B.1, below, the claims are compared to Aventail on an element-by-element basis. This analysis shows that the only distinction that may be found to exist between the systems and methods described in Aventail and the claimed systems and methods is the nature of the secure communication link in particular whether the secure communication link provides end-to-end encryption (i.e., data encrypted on the client remains encrypted as it passes through firewall or proxy computers until it arrives at the specified host computer). Even if the Board finds this end-to-end encryption to be a requirement of the claimed systems and methods, it would not render the claims patentable, as a person of ordinary skill would have considered deploying the Aventail system in a manner that provides end-to-end encryption to have been obvious based on the

guidance in Aventail with RFC 2401. Section IV.B.2, below, provides the explanation of the basis of this conclusion of obviousness. 1. Aventail Describes or, with RFC 2401, Suggests Every Element of Independent Claims 1 and 14 Claims 1 and 14 are defined using the same operative limitations. See III.A.2. Claim 14 is cast in the form of a method for two devices to communicate through a secure communications service and encrypted communications link; claim 1 is cast in the form of a network device configured to execute the steps of the method defined in claim 14. In this analysis, the steps of the method are addressed first, followed by the corresponding system elements of claim 1. a) Claim 1 Preamble: a network device 2 Aventail discloses, among other things, a scheme for creating secure, private communication and data channels over the Internet. See, e.g., Ex. 1009 at 5. These channels are between a client computer (a network device ) and remote hosts (a second network device ), see e.g., Ex. 1009 at 12; and can be encrypted, see, e.g., id. at 1, 77; see also id. at 91-92. Aventail thus shows a method executed by a [first] network device for communicating with a second network device as specified by the preamble in claim 1. 2 Claim 1 specifies a network device while claim 14 specifies a first network device. For simplicity, references to the first network device of claim 14 in this analysis are intended to apply equally to the network device of claim 1. 32

b) storage device storing an application program and processor configured to execute the application program Aventail explains that software ( application program ) including Aventail Connect and an operating system (collectively the software ) executes on user workstations and enables these devices to access remote hosts run on users workstations. Ex. 1009 at 4, 5, 7. Aventail explains the software intercepts connection requests made on the client computer, which specify a remote host either by name or by IP address, and then creates an encrypted channel between the client computer and remote host. See, e.g., Ex. 1005 171-172, 214-216; Ex. 1009 at 9-12, 73. Aventail further teaches that communications between the client computer and remote host are routed over the encrypted channel. See, e.g., Ex. 1009 at 12, 73. Aventail thus shows an application program for a secure communications service as specified in claim 1. Aventail also explains that for the Aventail Connect software to operate the workstations must have a processor ( processor ) and RAM (a storage device ). Ex. 1009 at 13. Aventail also explains that Aventail Connect is installed on the workstations and that the default installation paths are c:\program Files\Aventail\Connect and c:\connect. Ex. 1009 at 26. A person of ordinary skill in the art would have understood that this disclosure to mean that Aventail Connect was installed on a hard drive (also a storage device ). Aventail also discloses that some Aventail Connect files may 33