JNPR Opening CC Brief

8/14/2019 JNPR Opening CC Brief

1/35

IN THE UNITED STATES DISTRICT COURTFOR THE DISTRICT OF DELAWARE

JUNIPER NETWORKS, INC.,

Plaintiff,

v.

PALO ALTO NETWORKS, INC.,

Defendant.

))))))))

C.A. No. 11-1258 (SLR)

PLAINTIFF JUNIPER NETWORKS, INC.S

INITIAL CLAIM CONSTRUCTION BRIEF

OF COUNSEL:

Morgan Chu

Jonathan S. KaganLisa S. Glasser

David McPhieRebecca Clifford

Talin GordniaIRELL &MANELLA LLP

1800 Avenue of the Stars, Suite 900Los Angeles, CA 90067-4276

(310) 277-1010

MORRIS,NICHOLS,ARSHT &TUNNELL LLP

Jack B. Blumenfeld (#1014)

Jennifer Ying (#5550)1201 North Market StreetP.O. Box 1347

Wilmington, DE 19899-1347(302) 658-9200

[email protected]@mnat.com

Attorneys for Plaintiff

Case 1:11-cv-01258-SLR Document 181 Filed 08/21/13 Page 1 of 35 PageID #: 7310

REDACTED -

PUBLIC VERSION

Original Filing Date: July 19, 2013

Redacted Filing Date: August 21, 2013


2/35

i

TABLE OF CONTENTS

I. INTRODUCTION ........................................................................................................ 1II. LEGAL FOUNDATION FOR CLAIM CONSTRUCTION .......................................... 1III. BACKGROUND OF THE TECHNOLOGY AT ISSUE............................................... 2

A. Fundamentals of Computer Technology ............................................................ 2B. Fundamentals of Networking ............................................................................ 4C. Fundamentals of Network Security ................................................................... 5

IV. U.S. PATENT NO. 7,650,634....................................................................................... 6A. two or more security devices (634 patent) ..................................................... 6B. receiving . . . evaluation information . . . (634 patent) ................................... 8

V. U.S. PATENT NO. 7,107,612....................................................................................... 9A. rule (612 patent) ........................................................................................... 9

VI. U.S. PATENT NO. 6,772,347..................................................................................... 12A. sorting packets into . . . initially denied packets (347 patent)....................... 12

VII. U.S. PATENT NO. 7,734,752..................................................................................... 14A. primary portion and secondary portion (752 patent) ................................ 14

VIII. U.S. PATENT NO. 8,077,723..................................................................................... 17A. first engine and second engine (723 patent) ............................................. 17B. route a packet (723 patent) ......................................................................... 20C. a tag and associate a tag (723 patent) ....................................................... 23

IX. U.S. PATENT NO. 7,779,459..................................................................................... 27A. security screening (459 patent) ................................................................... 27B.

without performing the security screening (459 patent)............................... 28

C. security domains (459 patent) ..................................................................... 30

X. CONCLUSION .......................................................................................................... 30



3/35

ii

TABLE OF AUTHORITIES

CasesBicon, Inc. v. Straumann Co.,

441 F. 3d 945 (Fed. Cir. 2006) ....................................................................................... 28

CBT Flint Partners, LLC v. Return Path, Inc.,

654 F.3d 1353 (Fed. Cir. 2011) ...................................................................................... 30

Elcommerce. com, Inc. v. SAP AG,

2011 WL 710487 (E.D. Pa. Mar. 1, 2011) ........................................................................2

Freedom Wireless, Inc. v. Alltel Corp.,

2008 WL 4647270 (E.D. Tex. Oct. 17, 2008)................................................................. 30

Liebel-Flarsheim Co. v. Medrad, Inc.,

358 F.3d 898 (Fed. Cir. 2004) ........................................................................................ 26

Markman v. Westview Instruments, Inc.,

52 F.3d 967 (Fed. Cir. 1995) ............................................................................................1

Northeastern Univ. et al. v. Google, Inc.,

2010 WL 4511010 (E.D. Tex. Nov. 9, 2010) ........................................................... 16, 20

NTP, Inc. v. Research in Motion, Ltd.,

418 F. 3d 1282 (Fed. Cir. 2005) ..................................................................................... 28

Oatey Co. v. IPS Corp.,

514 F.3d 1271 (Fed. Cir. 2008) ...................................................................................... 25

Phillips v. AWH Corp.,

415 F.3d 1303 (Fed. Cir. 2005) ............................................................................ 1, 10, 14

Synergetics, Inc. v. Peregrine Surgical, LTD,

427 F. Supp. 2d 537 (E.D. Pa. 2006) ................................................................................2

U.S. Surgical Corp. v. Ethicon, Inc.,

103 F.3d 1554 (Fed. Cir. 1997) ........................................................................................2

Ultramercial, Inc. v. Hulu LLC,__ F.3d __ (Fed. Cir. 2013) ..............................................................................................3

Visto Corp. v. Seven Networks, Inc.,

2005 WL 6220108 (E.D. Tex. Apr. 20, 2005) .................................................................7

Vitronics Corp. v. Conceptronic, Inc.,

90 F.3d 1576 (Fed. Cir. 1996) ..........................................................................................1



4/35

iii

Other AuthoritiesMerriam-Websters Collegiate Dictionary10th ed. ................................................................... 24

Websters College Dictionary2005 ed. ..................................................................................... 24



5/35

- 1 -

I. INTRODUCTIONFaced with infringement claims on seven patents that PANs own founders invented

while employed by Juniper, PAN now seeks to re-define those patents. PANs primary approach

is to ignore the technological context of the patentscomputer networkingand seek to import

structural or physical limitations into computer terms that do not contain such limitations. Even

PANs employees and experts do not agree with PAN on many of these issues, illustrating how

far afield PANs constructions are from the patents and the relevant art of computer networking.

Most of the terms presented for construction use straightforward language, and should be

given their plain and ordinary meaning, consistent with how one skilled in the relevant

technology would understand them. Juniper has nevertheless proposed constructions that (where

appropriate) incorporate concepts from PANs proposals, while otherwise remaining faithful to

the specifications of the patents-in-suit. Juniper respectfully requests that the Court adopt

Junipers claim constructions, as set forth herein.

II. LEGAL FOUNDATION FOR CLAIM CONSTRUCTIONIt is a bedrock principle of patent law that the claims of a patent define the invention.

Phillips v. AWH Corp., 415 F.3d 1303, 1312 (Fed. Cir. 2005). The words in a claim are

generally given their ordinary and customary meaning, which is the meaning that the term

would have to a person of ordinary skill in the art at the time of the invention. Id. 1312-13.

When the meaning of a claim term is in doubt, the patents specification is appropriately

consulted for guidance. Id. For example, a construction that excludes a preferred embodiment

described in the specification is rarely, if ever correct and would require highly persuasive

evidentiary support. Vitronics Corp. v. Conceptronic, Inc., 90 F.3d 1576, 1583 (Fed. Cir.

1996). The specification, however, cannot enlarge or diminish the claim language. Markman v.

Westview Instruments, Inc., 52 F.3d 967, 980 (Fed. Cir. 1995).



6/35

2

Claim construction is a matter of resolution of disputed meanings and technical scope, to

clarify and when necessary to explain what the patentee covered by the claims, for use in the

determination of infringement. It is not an obligatory exercise in redundancy. U.S. Surgical

Corp. v. Ethicon, Inc., 103 F.3d 1554, 1568 (Fed. Cir. 1997).1 Straightforward terms should thus

be given their plain meaning, not replaced with other words under the guise of construction.

See, e.g., Elcommerce.com, Inc. v. SAP AG, 2011 WL 710487, at *6 (E.D. Pa. Mar. 1, 2011) (a

court may resolve [claim construction disputes] by simply instructing the jury to evaluate a term

in light of its plain and ordinary meaning).

III.

BACKGROUND OF THE TECHNOLOGY AT ISSUE

The following section provides an overview of some basic technological principles of

computer security and networking to facilitate claim construction analysis in this case. To

minimize dispute, the materials cited are primarily PANadmissions, including from PANs co-

founders (CTO Nir Zuk and Chief Architect Yuming Mao) and its own litigation experts.2

A. Fundamentals of Computer TechnologyThe patents-in-suit are directed to inventions for computer networks and systems using

hardware, software, or combinations thereof. Physical hardwareencompasses components such

as circuits, wires, and computer chips (e.g., a central processing unit or CPU). Hardware

components may be combined and embedded inside each other to create complex computer

systems, even within just one physical chip. For example, a single CPU today may include

1 All emphases to quotations herein have been added, unless otherwise indicated.

2 As in other legal contexts, party admissions are properly considered in claimconstruction. Moreover, although inventor and expert testimony is typically a disfavored

form of extrinsic evidence because of its self-serving nature, here no such concern isimplicated because the inventor and expert testimony is that of PANs principals and

experts. See Synergetics, Inc. v. Peregrine Surgical, LTD, 427 F. Supp. 2d 537, 546(E.D. Pa. 2006) (noting weight to be given opposing party admissions as contrasted with

extrinsic evidence from a partys own experts).



7/35

3

literally billions of electronic switches (e.g., transistors or logic gates) and other components.

Computer systems may also include software comprising data or instructions that can perform

computation or other actions. Programmers write software source code using programming

languages that are understandable to humans, then build it into computer-executable form.

Hardware and software aspects of computer systems are often interchangeable. As the

Federal Circuit has recently observed:

[T]he line of demarcation between a dedicated circuit and acomputer algorithm accomplishing the identical task is frequentlyblurred and is becoming increasingly so as the technologydevelops. In this field, a software process is often interchangeablewith a hardware circuit.

Ultramercial, Inc. v. Hulu LLC, __ F.3d __, 2013 WL 3111303, at *16 (Fed. Cir. June 21, 2013).

3

Computer systems use memoryto facilitate the storage and manipulation of software and

other data. Memory comes in numerous varieties (e.g., SRAM and DRAM) and can be

shared by multiple other components in a system.

Notably, in most kinds of memory, data

stays retained in memory even after it is retrieved; that is, data retrieval is non-destructive.5

There are two primary ways of sending data in memory to parts of a computer system

that need to use it. The first is to create a new copy of the data in a new memory location,

3

Ex. __ refers to exhibits attached to the Declaration of David McPhie,

submitted herewith.

4

5 SeeEx. B (Mitchell Depo. Tr.) at 25:8 27:4.



8/35

4

sometimes called passing by value, and the second is to communicate a pointer to the

location in memory where the data is held, sometimes called passing by reference.6 Neither

method results in physical movement or removal of the original data in memory, although (of

course) the original data may be later modified or overwritten via other steps.

Data may be structured or organized in memory to facilitate its use. For example, data

may be grouped into larger structures of multiple (often related) data values, and formatted

depending on how the data entries are to be looked up and accessed. Data elements can be

organized sequentially in a linked list, or for fast lookup in a hash table. Moreover, a related

block of data need not be stored in a single physically connected portion of memory; there are

mechanisms for storing . . . [a] meaningful collection of data in a noncontiguous way.7

B. Fundamentals of NetworkingConnection of computer systems using networks (such as the Internet) allows data

communication between computers, even at significant distances. To facilitate efficient

communication, data is broken down into packets, along with additional metadata for addressing

and other purposes. These packets are typically structured in accordance with networking

standards that provide a well-defined framework for communication between disparate

networking technologies. It is common to format data packets to include multiple layers of

metadata information, each corresponding to a particular networking function. One well-known

framework describing these networking layers is the seven-layer OSI model. The lowest layer

of the model (layer 1) is the physical medium through which the basic bits of data are

communicated (e.g., a copper wire or radiofrequency wave). At the other end of the spectrum

(layer 7) is the actual application with which users can actually interact (e.g., email programs or





9/35

5

web browsers). The layers in between handle other aspects of network connectivity, such as the

well-known Internet Protocol (IP) at layer 3. By providing conceptual separation of various

aspects of networking, the OSI model allows communication at a high level independent of its

underlying technical implementation. Thus (for example), when operating at the IP packet layer

(layer 3), the underlying physical structure [layer 1] doesnt matter.8

As a corollary to the above, an IP packet is best understood as formatted, computer-

readable datanot something tangible that humans physically handle or manipulate.9 Thus,

when a packet is described as sent through the OSI model layers, it is not really physically as

if something is being sent from one component to another . . . inside the computer.

10

C. Fundamentals of Network SecurityPermitting computers to communicate with other computers over a network exposes the

risk of network attacks and security breaches. Accordingly, network security technologies have

been developed for regulating communications between networked computers (e.g., by blocking

attacks). One such technology is known as a firewall.

Network administrators can configure firewalls and other network security products in a

variety of ways to enable a security policy desired by an organization, e.g., to allow or prevent

communication based on a number of rules. There are many ways in which such rules can be

structured and applied. For example, in simple firewalls, each rule generally specifies some

8 SeeEx. B (Mitchell Depo Tr.) at 29:13 34:14.

9 SeeEx. B (Mitchell Depo Tr.) at 23:14 24:12; Ex. C (Mao Depo. Tr.) at 376:3-8

).

10 SeeEx. B (Mitchell Depo Tr.) at 17:12-19;



10/35


11/35

7

The term two or more security devices is easily understandable and requires no

construction.14

Alternatively, security devices may be construed as hardware, firmware,

software or combinations thereof for performing security functions, in accordance with the 634

patent specification. For further clarity, the construction may also state that the security devices

may be included on one or more programmable processors executing a computer program.

Junipers proposed construction comes directly from the 634 patents description of the

invention. For example, the Summary section of the patent describes plural security devices as

a feature of the present invention, which may includ[e] computer program products. 634

patent at 2:14-22. The specification elaborates that [t]he invention can be implemented . . . in

computer hardware, firmware, software, or in combinations of them, and further states that

the invention can be performed byone or moreprogrammable processors executing a

computer program. . . . Id.at 6:1-3, 6:18-21.

The specification also provides specific examples that further confirm that the claimed

devices can take a variety of forms. For example, multiple security devices may be included

in a single structure. See, e.g., 634 patent at 2:56-62, Figs. 1 & 9. Figure 9 shows that a single

security device may itself include additional security devices such as a firewall or IPS.

See, e.g., id.at 1:17-19, 2:49-50, 3:5-7, 7:3-7. A firewall operating as a security device can, in

turn, be a set of computer programs, according to the priority application incorporated into the

634 patent specification. Ex. D (Pat. App. No. 10/072,683) at 3:32; see also Visto Corp. v.

Seven Networks, Inc., 2005 WL 6220108, at *8 (E.D. Tex. Apr. 20, 2005) (construing firewall

as comprising software and/or hardware). Moreover, as indicated above, the 634

specification expressly contemplates an embodiment wherein the claimed invention is executed

14 There is no dispute regarding the phrase two or more. Though unnecessary, Juniper

does not object to PANs proposal to construe two or more as at least two.



12/35

8

on just one . . . programmable processor[]. 634 patent at 6:18-21. Junipers construction of

security device encompasses each of these configurations and embodiments.

PANs proposed construction, in contrast, disregards the specification by limiting

security devices to physically distinct structures. The specification makes no reference to

physically or distinct. Moreover, the 634 patents only use of the term structure refers

not to a security device, but to a flow table (a non-physical data entity). Id.at 3:33. Indeed,

PANs expert, Dr. Mitchell, admitted that a device need not be a physically distinct structure.

Q. What is a device?

A. Device -- device isgenerally a thing that does something.

That probably means different things in different contexts.

Ex. B (Mitchell Depo. Tr.) at 10:3-7. Dr. Mitchell further testified that although one way to

think about a device was as a physical thing, that term is also used in computing to refer to

a technique or method, which has nothing to do with physical devices. Id.at 45:2-9.

B. receiving . . . evaluation information . . . (634 patent)Term Juniper Proposal PAN Proposal

receiving from each of the two or more

security devices, evaluationinformation, the evaluation information

being generated by a respective one ofthe two or more security devices

No construction

required.

receiving, from each of the two or

more security devices, evaluationinformation generated by that

device

Construction of this 28-word phrase appears unnecessary as it uses ordinary English

words consistent with their plain meaning. Indeed, most of the words in the claim language

(e.g., receiving from, generated, and evaluation information) also are used in PANs

construction, and the included term security devices is the subject of a separate proposed

construction. Nor has PAN identified any disputed merits issue to which this construction

relates. Accordingly, no construction of this term is required.



13/35

9

V. U.S. PATENT NO. 7,107,612Prior to the invention of the 612 patent, firewalls commonly used a fixed set of rules in

performing network security functions, which the patent notes can be restrictive in many

practical applications. 612 patent at 3:12. Thus, there was a need in the art for a firewall

engine which can generate rules dynamically, based upon information extracted from incoming

packets . . . . Id.at 3:912. The 612 patent describes approaches for dynamically adding or

modifying rules based on a sequence of data packets received by a network. The newly added or

modified rules may (for example) be designed to respond to or mitigate a network attack

identified based on analysis of data received.

A. rule (612 patent)Term Juniper Proposal PAN Proposal

rule Juniper is willing to stipulate that,for purposes of the 612 patent

claims, rules exist across multiple

sessions.

No further construction necessary.

A rule is a policy for filteringpackets across multiple

sessions, as distinct from alookup table

The simple term rules does not require elaborate construction. The parties have already

agreed on one aspect of the term, namely that rules, in the context of the 612 patent, exist

across multiple sessions. See also Ex. B (Mitchell Depo. Tr.) at 210:2-5.15

No further

construction is needed for the jury to understand the basic concept of a rulea subject on

which there appears to be substantial agreement.

As indicated above, PAN expert Dr. Mitchell admits that, consistent with the usage . . .

in the 612 patent, a rule generally specifies some characteristic of a packet[,] and an action . . .

15 PAN expert Dr. Mitchell went on to identify at least one portion of the 612 patent

specification as supporting this view: column 5, starting on line 25 and reading down.Ex. B (Mitchell Depo. Tr.) at 210:16 211:6 (So . . . the rules persist and . . . in that

sense, they are beyond a particular session).



14/35

10

to take with any packets that match the characteristic. Ex. B (Mitchell Depo. Tr.) at 130:9

131:10.16

Dr. Mitchell further testified:

I think generally, a rule is an if-then statement. If the packet has

some properties or in some way satisfies some conditions or isrelated to the processing environment in some way, then someaction will or will not be taken as a result.

Id.at 134:21-25. This formulation is consistent with the testimony of one of the inventors of the

612 patent, Yuming Mao. Ex. C (Mao Depo. Tr.) at 132:3 - 134:13 (

). It also conforms with the exemplary rules disclosed in the 612

patent specification. For example, Figure 3 depicts an embodiment of a rule that provides

items that may serve as a matching criterion for the rule (e.g., source IP address), along with

a field to specify the action to be taken if the rule is matched. 612 patent at 4:43-44. Thus,

the specification, inventor testimony, and even PANs expert agree on the relevant characteristics

of a rule as used in the 612 patent.

By contrast, PANs proposed construction makes no mention of any of these agreed

aspects of a rule, but rather attempts to inject two new concepts into the meaning of rule that

are inconsistent with the usage in the patent.

First, PAN argues that a rule is a policy for filtering packets. But adoption of this

construction would introduce a conflict with the surrounding claim language or (at best)

confusing redundancy. For example, claim 1 recites rules . . . for incoming and outgoing data

units. Because the claim already specifies that rules apply to packets (i.e., a type of data

units), it is incorrect to expressly restate the notion of packets in the construction for rule. See

Phillips v. AWH Corp., 415 F.3d 1303, 1314 (Fed. Cir. 2005) (en banc) (when a concept is

16 Dr. Mitchell further stated that in so testifying he was not trying to defin[e] what it

means to be a rule. Ex. B (Mitchell Depo. Tr.) at 131:7-10. This is consistent with

Junipers position that the term need not be construed.



15/35

11

already included in surrounding context of a claim term, it strongly implies the term does not

inherently include that concept). Similarly, claim 1 states that rules are for controlling access

to and from a network device. Because the claim already specifies what the rules are for, it is

improper to import other requirements by way of claim construction. Id.

The second, and even more problematic, concept PAN tries to introduce into the claim

involves the words as opposed to a lookup table. As an initial matter, PANs construction

confuses the definitional makeup of a rule with the manner in which a particular rule is

implemented or maintained. As explained in the technical overview above, data structures in

memory (including rules) can be stored in a variety of formats. There is nothing in the patent or

intrinsic record to suggest that any particular data format is excluded for the purpose of rules.17

Indeed, PANs own experts testified that rules can, in fact, be stored in a lookup table.

For example, Dr. Mitchell testified:

Q. [C]an you store rules in a hash table?

A. Yeah. Hash table is another general data structure forstoring data. You can treat rules as data and store them in a

hash table.

Ex. B (Mitchell Depo. Tr.) at 140:24 141:5.

Similarly, Dr. Mitzenmacher has

stated, in his published writings and in deposition testimony, that rules can be provided in a hash

table for lookup. Ex. E (Mitzenmacher Article) at 207-208 (describing hash table lookups for

a hash table that will provide the packet classification rules);

17 Notably, PANs Founder and Chief Architect Yuming Mao, an inventor of the 612

patent, was unable at his deposition to identify

Ex. C (Mao Depo. Tr.) at 379:16 380:19.



16/35

12

.18

Thus, neither

the intrinsic nor extrinsic record provides any support for PANs restrictive construction.

VI. U.S. PATENT NO. 6,772,347The 347 patent describes technology for efficient packet processing in a firewall. For

example, after a firewall receives a packet, the packet may be sorted or processed into initially

denied and initially allowed packets. Later, the initially denied packets are processed or sorted

further intoallowed or denied packets. See347 patent at Abstract, 5:45-49. Denied packets are

dropped, and allowed packets pass through the firewall. Id.

A. sorting packets into . . . initially denied packets (347 patent)Term Juniper Proposal PAN Proposal

sorting packets into

initially denied packets

No construction required. applying rules to make a first

determination that identifiespackets to be dropped

There is no need to construe the term sorting packets into . . . initially denied packets.

As an initial matter, the term as phrased by PAN does not appear in any of the asserted claims.

Indeed, at least one of the asserted claims (claim 24) does not use the word sorting at all.

Moreover, PANs proposed construction is inconsistent with the 347 patent in at least two ways.

First, PANs construction improperly requires that initially denied packets be identified

as packets to be dropped. This contradicts the 347 patents teaching that a packet neednotbe

identified to be dropped until after it is finally denied by an additional sorting or processing

phase. This clear distinction between initially denied and denied packets is illustrated in

Figure 6, an embodiment where the second sorting phase is a dynamic filter:

18 A lookup table can be used for many other purposes as well. For example, the 612

patent describes using a lookup table to implement a flow table. 612 patent at 5:10-42;

see alsoEx. B (Mitchell Depo. Tr.) at 80:10 - 84:3.



17/35


18/35

14

synonymous, and in fact, the 347 distinguishes between them. For example, some, but not all,

of the claimed sorting steps require that the sorting be performed using rules. See, e.g.,

Claim 14 (further sorting the initially denied packets using rules). In claim elements that

contain a using rules limitation, PANs construction would render the claim language using

rules completely redundant; in the other claim elements that do not set forth such a requirement,

PANs construction would add an extraneous limitation. Neither result is consistent with the

347 patent or the canons of claim construction. See Phillips, 415 F.3d at 1314.

VII. U.S. PATENT NO. 7,734,752The 752 patent describes an apparatus and method for sharing information between two

security systems to provide protection in the event of failure. Specifically, two security systems

each store information for flows that they are actively processing, as well as flow information

synchronized from the other security system. 752 patent at 8:17-29. By doing so, each system

can take over processing that ordinarily would be performed by the other, if the other system

experiences a failure event. Id. To clarify which of the two security systems is being referenced,

the 752 patent sometimes refers to them as the primary and secondary security systems.

A. primary portion and secondary portion (752 patent)Terms Juniper Proposal PAN Proposal

a primary portion that stores

information associated with theoperation of the first device-

implemented session module,when the primary security systemis operating in a primary security

mode

No construction required.

Alternatively: a portion of the flow tablethat stores information for flows that the

primary security system participates inprocessing when failover has not

occurred

the portion of the flow

table that storesinformation for

processing packetswhen all securitydevices are operational

a secondary portion that storesinformation associated with the

operation of the first device-implemented session module,

when the primary security systemis functioning in a failover mode


Alternatively: a portion of the same flow

table that stores information for flowsthat the primary security system may

process when there is a failover event

a different portion ofthe same flow table

that stores informationfor processing packets

if there is a failoverevent



19/35

15

This disputed language does not require construction, as each of its words has a plain and

ordinary meaning. PANs proposal, moreover, does not seek to clarify the claim language but

rather to change it. Accordingly, Juniper has proposed alternative constructions that reflect the

actual claimed invention.

As explained above, one aspect of the 752 patent is that two systems synchronize

information in their respective flow tables so that, if there is any malfunction affecting one

system, the other system may use that flow information to process packets that would have been

processed by the [other] security system but for the detected failure. 752 patent at 8:6-7; id. at

7:37-50. To do this, each systems flow table has a secondary portion that includes

information for flows that the session module may process in the event of a failover. Id. at

8:22-27. Junipers proposal tracks this language from the 752 patent explicitly, stating that the

secondary portion stores information for flows that the primary security system may process

when there is a failover event.

Similarly, the specification explains that the primary portion of the flow table includes

flow information used for actively participating in the processing of the packets. Id. at 8:17-

22. Junipers proposal also tracks this language, stating that the primary portion stores

information for flows that the primary security system participates in processing. Mirroring

the construction for secondary portion, Junipers construction further states that such

processing occurs when failover hasnotoccurred in that system.20

By contrast, PANs proposals do not correspond to language in the 752 patent or to the

scope of the invention. For example, for both first portion and second portion, PAN seeks to

20 Of course, even if the primary system should fail, the secondary system continues to

participate in processing packets that the secondary system ordinarily would process (to

the extent it was doing this before failover). See, e.g., 752 patent at 9:59-65.



20/35

16

replace information associated with the operation of the first device-implemented session

module with information for processing packets. As the preceding element of claim 1

explains, however, the claimed session module is used to maintain flow information. . . to

facilitate processing of the packets. Thus, its operation comprises use of flow information.

PANs use of the more generalized phrase information for processing packets is at best

imprecise, as it could be read as encompassing activity having nothing to do with the use of flow

information maintained by the session module. For example, as illustrated in Figure 5, if a

session is not found for a packet (e.g., because it is the first packet of a flow), the packet may

nevertheless undergo processing before flow information is even generated (in step 555). And

Figure 5 depicts other additional steps that may occur even on existing flows before extracting

information from the session modules flow table.

As another example, PANs construction for secondary portion requires that the second

portion be different from the first portion. The 752 patent does not use the word different in

relation to any aspect of the flow table. Nor does labeling the portions as primary and

secondary necessitate that these portions be distinct. See Northeastern Univ. et al. v. Google,

Inc., 2010 WL 4511010, at *8 (E.D. Tex. Nov. 9, 2010) (Absent support from the intrinsic

record or the language of the claims, requiring the first portion of the hashed query fragment to

be distinct and separate from the second portion would be improper.). PAN has previously

suggested that the basis for this aspect of its construction is an embodiment which describes the

first and second portions as dedicated to store certain information (see752 patent at 8:17-27).

However, dedicated and different do not mean the same thing. Moreover, this is one

embodiment, and the specification goes on to explain that the primary and secondary portions

also may be integrated togetherthe opposite of distinct or different. Id. at 8:27-29.



21/35

17

PAN also makes other unexplained changes to the claim language, such as replacing the

word a with the, and introducing the term operational, a term which is not used in the

claims or the specifications discussion of the claimed portions. These changes introduce further

uncertainty and inaccuracy, and the Court should therefore reject them as well.

VIII. U.S. PATENT NO. 8,077,723The 723 patent describes technology that uses tags to improve the efficiency of packet

processing in a system containing multiple processing engines. For example, in the 723

patent, a first engine directs a packet to a second engine. The second engine then processes the

packet and associates a tag with the packet that contains information related to the processing of

the packet. The information in the tag can include information that is useful to other engines

when they are processing or routing the packet. See723 patent at 5:50 6:5. Subsequently, the

first engine directs the packet to a third engine, and the third engine processes the packet using

the information in the tag. In one embodiment of the 723 patent, the second and third engines

are included on one integrated circuit.

A. first engine and second engine (723 patent)Terms Juniper Proposal PAN Proposal

first engine No construction required.Alternatively, engine may be

construed as:

hardware, firmware, software, orcombinations thereof for

implementing one or more

functional operations

software program on a firstprocessor

second engine software program on a second

processor

PANs proposal to construe the terms first engine and second engine may be best

understood by first considering the context of the parties dispute regarding this element of the

723 patent.



22/35

18

Ex. C (Mao Depo. Tr.) at

197:7 202:8.

Id.at 198:4-10. PAN now seeks to change the ordinary meaning of

engine in an attempt to distinguish it from the way PAN consistently uses engine in

describing its products. That, of course, is not a valid reason to construe the claims.

The 723 patent makes clear what an engine does (and does not) mean in the claims.

As PANs Founder and Chief Architect (also a named inventor) Yuming Mao admitted,

See,

e.g., Ex. C (Mao Depo. Tr.) at 197:7-18. The 723 patent specification explains that the

engines of the claimed invention are a functional concept that can be implemented with

hardware and/or software: the functional operations described herein can be implemented in . .

. computer hardware, firmware, software, or in combinations of them, including on one or

more programmable processors. 723 patent at 10:20-23, 10:38-39.21 Junipers proposed

construction accurately captures this full range of embodiments, using the exact language of the

patentassuming the term engine requires construction at all.

Other PAN admissions provide further support for Junipers construction. For example,

PAN states in its own patent applications (authored by the 723 patents inventors, Mao and Zuk)

that a processing engine can be of the form of hardware or software of combinations or both.

Ex. G (Pat. App. No. 2008/0253366) 0021.

21 As shown above, this language is also used in the 634 patent specification to describe the

breadth of possible architectural implementations; indeed, the 723 patent notes that a

processing engine can be an example of a device. See723 patent at 5:34-36.



23/35

19

And PANs expert

Dr. Mitchell, when asked whether he disagreed with the notion that an engine can be software

that performs a function, responded, I dont see any reason to disagree with that. Ex. B

(Mitchell Depo. Tr.) at 172:15-23; see also id.at 104:21-24 (Q. Have you ever heard the word

engine used to describe software? A. I believe so.). These PAN admissions confirm the

accuracy of Junipers proposed construction for engine: hardware, firmware, software, or

combinations thereof for implementing one or more functional operations.

PANs proposed constructions, by contrast, seek to artificially constrain the scope of

engine to only the specific combination of a software programanda processor. As shown

by the evidence cited above, the 723 patent invention may well encompass such a combination

as a possible embodiment, but does not require it. For example, the patent states that the

invention maybe implemented using a stand-alone [software] program, but also permits use of

a software module, component, subroutine, or other unit suitable for use in a computing

environment. 723 patent at 10:32-34. Other disclosed implementations focus more on

hardware, e.g., special purpose logic circuitry such as an FPGA or ASIC. Id.at 10:41-45.

PANs proposal improperly excludes these embodiments.

Moreover, PANs constructions for the first and second engine terms are also

problematic to the extent that they may be understood as improperly introducing a requirement

that the first and second engines include different software programs running on different

processors.22

There is no basis for introducing such a constraint into the 723 patent claims

22 PAN is not requesting construction of the term third engine, presumably because a

construction suggesting that engines must be physically separated could not apply to

the second and third enginein claim 1, those engines are included on one integratedcircuit. However, PANs attempt to avoid this issue by construing only the first and

second engines only creates an additional problem of inconsistency within the claims.



24/35

20

through the engine terms. The claim drafters knew how to specify a difference requirement

when they wanted one; in fact, claim 1 expressly requires that the second engine is different

than the third engine. By contrast, claim 1 contains no such requirement as between the first

and second engines, and thus there is no basis for adding one now. See Northeastern Univ., 2010

WL 4511010, at *8 (improper to read distinct and separate requirement into claims [a]bsent

support from the intrinsic record).23

Requiring separate processors for multiple engines is also contrary to the 723 patent

specification, which indicates that the invention may be performed on one programmable

processor. 723 patent at 10:38-39. Tellingly, PANs expert Dr. Mitchell opined that, based on

the understanding of engine in PANs construction, it would not be possible to perform the

method of the invention on a single programmable processorthus confirming that PANs

construction contradicts the specification. Ex. B (Mitchell Depo. Tr.) at 106:13 107:1. Dr.

Mitchell also admitted that the 723 patent does not require separate software programs, as

functionally distinct engines can be part of the same executable software file. Id.at 241:16

242:3. Indeed, claim 1 illustrates that that engines need not be physically separate, describing

multiple engines as included on a single integrated circuit.

B. route a packet (723 patent)Term Juniper Proposal PAN Proposal

route a packet No construction required. Alternatively, Juniperwould be willing to adopt send a packet(PANs

original proposed construction) as a compromise, if

the parties agree to further clarify that send doesnot exclude routing by reference or by pointer.

send a packet from asource to its intended

destination

23 Compare claims 9 and 17, whichdoexpressly require a second engine that is differentthan the first engine. Such an express limitation would not be necessary if the terms

first engine and second engine inherently included the concept of difference.



25/35


26/35

22

recites routing . . . a packet to a second engine, whereas dependent claim 13 further requires

routing the packet to a destination.

Figure 1 of the patent provides a further illustration. The router labeled 118 is

connected to and capable of routing packets to destinations on the network such as a web

server (110) or workstations (134). But no connection is shown between the router and the

individual engines that are part of processing system 126, because the individual engines within

one packet processing system are not discrete network destinations. Therefore, there must be

some othermechanism available to route packets between engines.

The 723 patent encompasses a number of methods for communication between the

claimed engines. As described in the technical overview, one skilled in the computer arts would

understand that a packet in memory may be passed in a system either by making a copy of the

packet data in a new location, or by using a pointer to the memory location corresponding to

the packet location. The 723 patent specification expressly contemplates this approach of using

pointers to communicate packet data. For example, the 723 patent incorporates by reference the

entirety of the 634 patent disclosure, including the following diagram:

See723 patent at 1:11-12; 634 patent at Fig. 6. Similarly, an earlier patent application that is

incorporated by reference into the 723 patent specification (723 patent at 2:66 3:3) provides

extensive discussion of the use of pointers. See, e.g., Ex. D (U.S. Pat. App. No. 10/072,683) at

33-40, Figs. 8, 9, 11.24

24 Even PANs expert Dr. Mitchell concedes that [t]wo [software] processes on the same

computer can use some forms of shared memory and that in such a case, some data . . .



27/35

23

Contrary to the intrinsic record, PANs construction is misleading because the jury could

interpret it to require the physical movement of a packet. For the reasons discussed above, this

contradicts basic computer networking principles and the 723 patent. As a further example, the

patent explains that to route the packets to processing engines is a form of communication

between processing engines. 723 patent, 4:5-6 (communication between processing engines

[as] discussed in greater detail below); 4:15-16 (route the packets to processing engines).

One of ordinary skill in the art would understand that communicationdoes not require physical

movement. In fact, PANs expert Dr. Mitchell testified that he was not sure that send was an

appropriate way to characterize the communication of data packets within a computer. See Ex. B

(Mitchell Depo. Tr.) at 16:16-22. PANs expert also identified a concrete example of routing

without movement, namely, the use of a well-known networking mechanism called localhost,

where one can route packets to oneself. Id. at 75:12-24. And the specification notes the

possibility that the claimed engines between which routing takes place can be integrated on a

single integrated circuit (IC). 723 patent at 10:15-17. Thus, adopting PANs construction

would be inaccurate and misleading unless, per Junipers proposed compromise, the construction

clarified that it does not exclude routing by reference or by pointer.

C. a tag and associate a tag (723 patent)Term Juniper Proposal PAN Proposal

a tag No construction required. a structure for holding data thatis sent along with a packet

associate a tag No construction required.

Alternatively, associate may be construed

as: to connect or bring into relationship in

any of various intangible ways

form a connection with a tag

could reside in shared memory and, therefore, be read by the second process from thesame shared memory location the first process wrote it intothat is, sending or routing

the data via pointer. Ex. B (Mitchell Depo. Tr.) at 73:12 75:11.



28/35

24

The terms a tag and associate a tag do not need construction. The term tag is

consistently used in the 723 to refer to the data or information used to help process packets in

the multiple processing engine system of the 723 patent. For example, the 723 patent explains

that a tag can provide information that a particular packet was determined to be possibly part of

an attack on the system. 723 patent at 7:62-64. A tag can also comprise such information as

network layer 3 and layer 4 data, a context pointer . . . and a communication action flag. Id.at

5:57-60. Additional types of information for a tag are also possible. Id.

Because the information in a tag is to be used for processing a packet, the claims also

provide that a tag needs to be associate[d] with the packet in some way. The word associate

is used in its common English language sense; the patent does not provide any specialized

definition or specify that association occur in any particular manner. Thus, it should be given its

plain English language meaning, which is to connectorbring into relationship in any of various

intangible ways. SeeEx. J (Merriam-Websters Collegiate Dictionary10th ed.) at 70 (to bring

together or into relationship in any of various intangible ways); Ex. K (Websters College

Dictionary2005 ed.) at 76 (bring into relation).

Those of skill in the art would appreciate that there are a variety of ways to associate a

tag with a packet, as reflected in the 723 patent specification. For example, the 723 patent

incorporates into its specification an earlier application describing association through use of

memory pointers. See 723 patent at 2:66 3:3; Ex. D (U.S. Pat. App. No. 10/072,683) at

34:3-9 (this association [of packet flow and session] is done by a double pointer).

Alternatively, the specification notes that a tag can be appended or prepended to the packet.

723 patent at 2:60-61. PANs expert Dr. Mitchell has further observed that often the way that

a tag or other annotation is associated with a data value is through some other data structure that



29/35

25

contains both of them or links them in some way. Ex. B (Mitchell Depo. Tr.) at 228:7-10.

Junipers construction encompasses all of these valid possibilities.

By contrast, PANs proposed constructions confuse, rather than clarify, the meaning of

associate a packet. As with several other claim terms, PANs construction is susceptible to

being misinterpreted as imposing physical limitations inapplicable to the network security

context of the 723 patent. See Ex. C (Mao Depo. Tr.) at 377:3-7

For example, PANs

proposal requires that a tag is sent along with a packet. The 723 patent does not use this

language, and (as noted in the technical overview and in connection with other claim terms) the

concept of sending is ill-suited to non-physical data structures such as packets and tags.

Moreover, PANs position that tags must be sent along with packets is at odds with the

patent specification, which presents two alternative scenarios: (1) tags and packets are

communicated over separate paths, as illustrated in Figure 3a; or (2) [a]lternatively, packets and

tags may be sent over a common path. 723 patent, 5:4-7, Fig. 3. Because the 723 patent

contemplates that tags and packets may be sent over either different or common paths, it is

incorrect torequirethat tags and packets be sent together. Because PANs construction excludes

the embodiment where tags and packets are sent over different paths, it is improper. Oatey Co.

v. IPS Corp., 514 F.3d 1271, 1276 (Fed. Cir. 2008) (We normally do not interpret claim terms

in a way that excludes embodiments disclosed in the specification.).

PANs constructions also present the risk of being misunderstood as requiring that the tag

be physically appended to the packet itself. The intrinsic record rejects this notion. The 723

patent specification clearly explains that [t]ags can be appended or prepended to the packet,



30/35

26

but also can be communicated over separate paths. 723 patent at 2:60-61; Fig. 3. PAN

overlooks this discretionary language to the extent it seeks to mandate a physical connection

between the tag and packet. PANs construction is also inconsistent with the meaning of

associated as reflected in the prosecution history. For example, claim 17 of the original patent

application included the language creating a tag associated with the packet, while original

dependent claim 22 added the limitation wherein creating a tag includes one of appending the

tag to the packet or prepending the tag to the packet. Appendix Ex. 8 at JA-246 (5/14/10 Patent

App.). According to the doctrine of claim differentiation, this connotes that the patentee did not

consider appending or prepending to be an intrinsic part of associating, because those

limitations were added by a dependent claim. Liebel-Flarsheim Co. v. Medrad, Inc., 358 F.3d

898, 910 (Fed. Cir. 2004) (the presence of a dependent claim that adds a particular limitation

raises a presumption that the limitation in question is not found in the independent claim).

Finally, an additional problem with PANs proposed language, a structure for holding

data, has recently arisen. It now appears based on expert discovery that PAN may be taking the

position that a structure (a word that is not used in the 723 patent) does not include data

itself.25

That position is inconsistent with the specification, which (as shown above), considers

the information included in a tag an essential part of the tag itself. Put simply, a tag includes

information. See, e.g., 723 patent at 2:22-23. The 723 patent does not contemplate that a tag

is independent of that information. This constitutes another reason why PANs construction

25 As part of the meet-and-confer process, Juniper inquired whether PAN would accept the

phrase a structure for holding data standing alone as an acceptable construction for

tag, but PAN did not respond. After the parties submitted the Joint Claim ConstructionStatement, Juniper learned of PANs apparent position that a structure for holding data

did not include the data itself. Because Juniper disagrees with that premise, it haswithdrawn its prior proposal to avoid a situation where construction might generate more

confusion than it would resolve.



31/35

27

should not be adopted, and the plain meaning of the straightforward term tag should govern.

IX. U.S. PATENT NO. 7,779,459The 459 patent discusses security domains and the processing of both inter-zone and

intra-zone packets, where inter-zonetraffic passes between distinct security domains and intra-

zone traffic remains within a security domain. See 459 patent at 6:62-65; 10:42-59. For

example, the 459 patent describes ways to bypass one or more types of security screening for

intra-zone packets traveling within a distinct security domain, to increase processing efficiency.

A. security screening (459 patent)Term Juniper Proposal PAN Proposal

security screening No construction required.

Alternatively:

application of one or more security

policies

inspection to determine whether a

packet should be dropped

Although the term security screening does not require construction, Juniper has

alternatively proposed a modified version of PANs earlier proposed construction (the

construction that PANs experts use): application of one or more security policies.26

Consistent with Junipers construction and aspects of PANs original construction, the

specification of the 459 patent describes security screening as application of a security policy

or policies. See, e.g., 459 patent at 7:19-21 (policies can be established for . . . screening

packets as they traverse the security switch), 9:5-9 (after an appropriate policy is retrieved,

then the packet is inspected . . . [which] can include screening); see also Fig. 3 (showing

policies retrieved if a [p]acket [is] to be screened). The patent explains that screening can be

based on one or more considerations, e.g., packets can be screened based on source,

26 PAN originally proposed applying security policies to determine whether a packet

should be forwarded but changed position after expert reports.



32/35

28

destination, or both. 459 patent at 7:31-34. Similarly, dependent claim 2 discloses that

performing the security screening may comprise enforcing at least one security constraint.

By contrast, PANs proposed construction inspection to determine whether a packet

should be droppeddoes not have similar support in the intrinsic record. The 459 patent does

not equate screening with inspection, and in fact expressly distinguishes the concepts. Id.at

7:20 (inspecting or otherwise screening), 9:8-9 (inspection can include screening).

Moreover, the 459 patent never discloses or even suggests that security screening is

equivalent to determin[ing] whether a packet should be dropped. Thus, PANs proposal is

inconsistent with the 459 patent and should not be adopted.

B. without performing the security screening (459 patent)Term Juniper Proposal PAN Proposal

without performing

the security screening


Alternatively:

without applying the one or

more security policies that areapplied to inter-zone traffic

without performing inspection to

determine whether a packet shouldbe dropped

The issues presented for the term without performing the security screening are

essentially the same as discussed above for security screening, with one important exception:

PAN attempts an additional sleight of hand by deleting the definite article the from the claim

term. This facially minor change significantly changes the meaning of the 459 patent claims.

Claims must be construed with an eye toward giving effect to all terms in the claim.

Bicon, Inc. v. Straumann Co., 441 F. 3d 945, 950 (Fed. Cir. 2006). In patent law, the word the

has a particular, well-defined meaning: it signals that the term that follows is referring to

something mentioned earlier in the claim (often referred to as its antecedent basis). See NTP,

Inc. v. Research in Motion, Ltd., 418 F. 3d 1282, 1306 (Fed. Cir. 2005). Thus, in claim 1 of the



33/35

29

459 patent, the term thesecurity screening refers to thesame security screening recited in

the preceding elementthat is, the claimed security screening performed based on a []

determination that the packet is to pass between the two distinct security domains.27

PANs attempt to read the antecedent basis out of without thesecurity screening is not

only inaccurate, but could engender significant confusion. Particularly when coupled with

PANs (improper) proposal to define screening by reference to determin[ing] whether a

packet should be dropped, the jury could be left with the erroneous impression that no packet

can be dropped unless: (1) it is determined to be an inter-zone packet, and (2) an inspection is

performed, based on that determination, which further determines that the packet must be

dropped. Of course, a packet can be dropped for many other reasons. The 459 patent describes

one example where a packet can be dropped if the MAC address is unknown. Id. at 3:60-61.

The 459 patent also describes setting a period of time to attempt to locate an address for the

packet and dropping the packet after the expiration of the predetermined amount of time. Id.at

3:44-60. Furthermore, the 459 patent describes embodiments in which firewall protections

are applied to both inter-zone and intra-zone traffic, such as TCP stateful inspection, syn-

attack guard, and policy-based control. Id. at 4:48-52. These scenarios could likewise result

in a packet being dropped.

Only Junipers proposed construction (without applying the one or more security

policies that are applied to inter-zone traffic) captures the meaning of the complete claim term

without the security screening. It retains the key definite article the (the one or more

security policies) and makes clear that the referenced security policies are those that the claim

earlier indicated are applied based on the determination that a packet is an inter-zone packet.

27 The patent uses the term inter-zone to refer to packets passed from one zone or security

domain to another. See, e.g., 459 patentat 6:62-65.



34/35

30

Thus, if the Court construes this claim term, it should adopt Junipers proposal.

C. security domains (459 patent)Term Juniper Proposal PAN Proposal

security domains security security domains [no response]

Finally, the Court should exercise its power to correct a typographical error in the 459

patent, where the claims recite security domains security instead of security domains. See,

e.g., CBT Flint Partners, LLC v. Return Path, Inc., 654 F.3d 1353, 1358 (Fed. Cir. 2011) (It is

well-settled law that, in a patent infringement suit, a district court may correct an obvious error in

a patent claim.). PAN does not dispute Juniper's proposal and courts routinely correct such

errors. See, e.g., Freedom Wireless, Inc. v. Alltel Corp., 2008 WL 4647270, at *13 (E.D. Tex.

Oct. 17, 2008) (correcting causing a call is caused to be terminated by omitting is caused).

X. CONCLUSIONFor the foregoing reasons, Juniper respectfully requests that its proposed constructions be

adopted.

OF COUNSEL:

Morgan ChuJonathan S. Kagan

Lisa S. GlasserDavid McPhie

Rebecca CliffordTalin Gordnia

IRELL &MANELLA LLP1800 Avenue of the Stars, Suite 900

Los Angeles, CA 90067-4276(310) 277-1010

MORRIS,NICHOLS,ARSHT &TUNNELL LLP

/s/ Jennifer YingJack B. Blumenfeld (#1014)Jennifer Ying (#5550)

1201 North Market StreetP.O. Box 1347

Wilmington, DE 19899-1347(302) 658-9200

[email protected]

[email protected]

Attorneys for Plaintiff

July 19, 20137376005



35/35

CERTIFICATE OF SERVICE

I hereby certify that on August 21, 2013, I caused the foregoing to be

electronically filed with the Clerk of the Court using CM/ECF, which will send notification of

such filing to all registered participants.

I further certify that I caused copies of the foregoing document to be served on

August 21, 2013, upon the following in the manner indicated:

Philip A. Rovner, EsquireJonathan A. Choa, Esquire

POTTER ANDERSON &CORROON LLP1313 North Market Street

Hercules PlazaWilmington, DE 19801

Attorneys for Defendant

VIA ELECTRONIC MAIL

Daralyn J. Durie, EsquireRagesh K. Tangri, Esquire

Ryan M. Kent, EsquireBrian C. Howard, Esquire

Sonali D. Maitra, EsquireDURIE TANGRI LLP

217 Leidesdorff StreetSan Francisco, CA 94111

Attorneys for Defendant

VIA ELECTRONIC MAIL

Harold J. McElhinny, EsquireMichael A. Jacobs, Esquire

Matthew A. Chivvis, EsquireMatthew I. Kreeger, Esquire

MORRISON &FOERSTER LLP425 Market Street

San Francisco, CA 94105Attorneys for Defendant

VIA ELECTRONIC MAIL

/s/ Jennifer Ying

Jennifer Ying (#5550)


Date post:	04-Jun-2018
Category:	Documents
Upload:	markman-advisors
View:	229 times
Download:	0 times

JNPR Opening CC Brief

Documents