1:19-cv-01544
Alterwan Inc v. Amazon.com Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: AlterWAN, Inc. (California)
  - Defendant: Amazon.com, Inc. and Amazon Web Services, Inc. (Delaware)
  - Plaintiff’s Counsel: Farnan LLP
- Case Identification: 1:19-cv-01544, D. Del., 08/19/2019
- Venue Allegations: Venue is asserted on the basis that both Defendants are incorporated in the State of Delaware.
- Core Dispute: Plaintiff alleges that Defendant’s Amazon Virtual Private Cloud products and services infringe six patents related to creating high-performance, secure wide-area networks (WANs) using the public internet as a backbone.
- Technical Context: The technology addresses methods for providing quality-of-service guarantees (e.g., bandwidth, latency, low hop-count) for network traffic over the internet, a foundational capability for enterprise-grade virtual private networks (VPNs) and modern cloud computing.
- Key Procedural History: The complaint does not mention prior litigation. The six asserted patents are part of a single family originating from an application filed in 2000. Post-filing, an inter partes review (IPR) proceeding resulted in the cancellation of all asserted claims of the most recent patent in the family, U.S. Patent No. 9,667,534.
Case Timeline
| Date | Event | 
|---|---|
| 2000-07-10 | Earliest Priority Date for all six Patents-in-Suit | 
| 2006-09-19 | U.S. Patent No. 7,111,163 Issued | 
| 2008-01-08 | U.S. Patent No. 7,318,152 Issued | 
| 2013-11-26 | U.S. Patent No. 8,595,478 Issued | 
| 2015-04-21 | U.S. Patent No. 9,015,471 Issued | 
| 2016-12-20 | U.S. Patent No. 9,525,620 Issued | 
| 2017-05-30 | U.S. Patent No. 9,667,534 Issued | 
| 2019-08-19 | Complaint Filed | 
| 2023-06-06 | Inter Partes Review Certificate Issued Cancelling Claims of ’534 Patent | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,111,163 - "Wide Area Network Using Internet With Quality of Service"
The Invention Explained
- Problem Addressed: The patent describes a dilemma in wide-area networking: dedicated private networks offered guaranteed quality of service but were exceedingly expensive, while using the public internet as a backbone was cheaper but suffered from unpredictability in hop count, bandwidth, latency, and privacy (Compl. ¶11; ’163 Patent, col. 3:9-43).
- The Patented Solution: The invention proposes creating secure "private tunnels" through the public internet. This is achieved by using "specially selected" Internet Service Providers (ISPs) whose infrastructure provides high-bandwidth, low-hop-count data paths. At a customer's site, a firewall encrypts data packets and encapsulates them into new IP packets addressed to a corresponding firewall at the destination. These composite packets are then routed through the predefined tunnel of selected ISPs, ensuring a quality of service comparable to a private network but at a lower cost (’163 Patent, Abstract; col. 4:5-34).
- Technical Importance: This technology provided a framework for combining the economic advantages of the public internet with the performance and security guarantees of private leased lines, a critical step toward the viability of enterprise-grade VPNs (Compl. ¶12-14).
Key Claims at a Glance
- The complaint asserts independent claim 7 (Compl. ¶31).
- Claim 7 is a method claim with the following essential elements:
  - Generating an IP packet destined for a device at the other end of a private WAN tunnel.
  - Encrypting the payload of that IP packet.
  - Generating a "composite AlterWAN packet" by encapsulating the encrypted packet inside another IP packet, with the outer packet addressed to a firewall at the destination site.
  - Routing the composite packet from a source router to a dedicated "AlterWAN data path."
  - The "AlterWAN data path" is defined as a high-bandwidth, low-latency, low-hop-count path provided by one or more "participating" ISPs selected for these characteristics.
  - These participating ISPs use "predetermined routing statements" to recognize and route the composite packets into the AlterWAN data path.
- The complaint does not explicitly reserve the right to assert dependent claims for this patent, but states that "at least these patent claims (and likely others) are infringed" (Compl. ¶18).
U.S. Patent No. 7,318,152 - "Wide Area Network Using Internet with High Quality of Service"
The Invention Explained
- Problem Addressed: As a continuation of the ’163 Patent, the ’152 Patent addresses the same problem of achieving quality of service over the public internet (’152 Patent, col. 3:10-53).
- The Patented Solution: The invention is claimed as a machine-readable medium with instructions to establish a high-performance data path over a network. The core of the method involves actively selecting at least one router from a "participating service provider" based on performance criteria such as "non-blocking bandwidth," the "number of hops," or "latency," and then defining a route along the selected router(s) (’152 Patent, Abstract; col. 4:5-24). This shifts the focus from the static description of the network to the process of its creation.
- Technical Importance: This approach describes an automated or semi-automated method for constructing high-quality network routes across a multi-provider internet backbone, moving beyond static configurations toward more dynamic path selection based on performance metrics (Compl. ¶13-14).
Key Claims at a Glance
- The complaint asserts independent claims 1 and 20 (Compl. ¶¶ 44, 96).
- Claim 1 is for a machine-readable medium with instructions to perform operations comprising:
  - Establishing a path for transmitting data with a certain level of latency and bandwidth.
  - Wherein establishing comprises:
    - Selecting at least one router of at least one "participating service provider" along the route based on non-blocking bandwidth, number of hops, or latency.
    - Defining a route between the at least one router along the path.
- The complaint also asserts dependent claims 12, 15, 16, 17, 18, 22, 23, 25, 26, and 28 (Compl. Counts 3, 4, 5, 6, 7, 9, 10, 11, 12, 13).
U.S. Patent No. 8,595,478 - "Wide Area Network with High Quality of Service"
Technology Synopsis
The ’478 Patent claims methods and apparatus for operating a router within a WAN. The router filters inbound packets to identify a "selected group" and provides them with "priority routing" by looking up a transmission path that meets a "minimum transmission requirement" and routing the traffic to a "cooperating service provider."
Asserted Claims
Independent claims 1, 6, 18, 51, and 63 are asserted (Compl. ¶¶ 147, 188, 221, 299, 361).
Accused Features
The complaint alleges that Amazon's VPC router performs the claimed filtering and priority routing by identifying traffic destined for an AWS Direct Connect connection, selecting a high-bandwidth (1G or 10G) Direct Connect path, and routing the traffic to an AWS Direct Connect partner, which is alleged to be a "cooperating service provider" (Compl. ¶¶ 149-155).
U.S. Patent No. 9,015,471 - "Inter-Autonomous Networking Involving Multiple Service Providers"
Technology Synopsis
The ’471 Patent claims a network apparatus with circuitry that identifies packets corresponding to predetermined addresses. The circuitry selects a specific transmission path from a set of available paths based on a "minimum link cost" and a "reserved, non-blocking bandwidth," and then transmits the packets on that path.
Asserted Claims
Independent claims 1, 12, and 14 are asserted (Compl. ¶¶ 395, 454, 466).
Accused Features
The complaint accuses Amazon's VPC router, alleging its circuitry identifies packets for Direct Connect paths, uses the Border Gateway Protocol (BGP) AS_PATH value to select a path based on "minimized link cost," and transmits the packets over the selected high-bandwidth Direct Connect path (Compl. ¶¶ 397-401, 404).
U.S. Patent No. 9,525,620 - "Private Tunnel Usage to Create Wide Area Network Backbone over the Internet"
Technology Synopsis
This patent claims a method and apparatus for sorting inbound traffic into two groups. A "first group" consists of traffic with a destination address matching a "predetermined private tunnel," which is routed over a reserved "first route." A "second group" consists of all other traffic, which is routed over a "second route" that is "exclusive" to the first.
Asserted Claims
Independent claims 1, 14, and 27 are asserted (Compl. ¶¶ 522, 565, 604, 628).
Accused Features
The complaint accuses Amazon's VPC router and Transit Gateway of sorting traffic, routing packets destined for a customer's network via the VPN/Direct Connect connection (the "first route"), and routing other traffic (e.g., to the public internet or other VPCs) via different, exclusive routes (the "second route") (Compl. ¶¶ 525-528, 630-638).
U.S. Patent No. 9,667,534 - "VPN Usage to Create Wide Area Network Backbone over the Internet"
Technology Synopsis
The ’534 Patent claims a method of routing that identifies packets as either associated with a virtual private network or not. VPN-associated packets are encapsulated and routed via a "dedicated connection," while non-VPN packets are routed "exclusively over" a different connection. A key element is the use of mutually-exclusive routing tables for each type of traffic.
Asserted Claims
Independent claim 1 is asserted (Compl. ¶685). All asserted claims of this patent were subsequently cancelled in an inter partes review (IPR2020-00580).
Accused Features
The complaint accuses the AWS VPC router of identifying VPN-bound traffic, encapsulating it with IPsec, and routing it over an AWS Direct Connect connection using a "Main route table," while routing non-VPN traffic from a public subnet over an Internet Gateway using a different "Custom route table" (Compl. ¶¶ 687-701).
III. The Accused Instrumentality
Product Identification
The accused instrumentalities are Amazon's Virtual Private Cloud (VPC) products and services, particularly when used in conjunction with Amazon Site-to-Site VPN and AWS Direct Connect connections (Compl. ¶¶ 4, 27).
Functionality and Market Context
- The accused services allow customers to create logically isolated virtual networks within the AWS cloud and establish a dedicated, private network connection between their on-premises data centers and AWS (Compl. ¶32). This functionality is central to enterprise cloud adoption, enabling hybrid cloud architectures.
- Technically, the complaint alleges that when a customer configures a Site-to-Site VPN with an AWS Direct Connect connection, the system establishes a high-bandwidth (e.g., 1G or 10G) path for data transfer (Compl. ¶49, ¶60). Routing decisions are allegedly made using the Border Gateway Protocol (BGP), with path selection based on attributes such as the shortest AS_PATH, which the complaint equates to minimizing hop count (Compl. ¶50, ¶84). Traffic for the private connection is allegedly encrypted using IPsec and encapsulated for transport (Compl. ¶34, ¶59). The complaint alleges that AWS Direct Connect Partners, which it equates to ISPs, provide the underlying connectivity for these dedicated paths (Compl. ¶38).
- No probative visual evidence provided in complaint.
IV. Analysis of Infringement Allegations
U.S. Patent No. 7,111,163 Infringement Allegations
| Claim Element (from Independent Claim 7) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A method comprising: generating an Internet Protocol data packet...having as its destination address an Internet Protocol address assigned to a computing device at the other end of a private, wide area network using the internet as a backbone (hereafter referred to as an AlterWAN private tunnel); | Logic within Amazon VPC subnets generates IP packets with destination addresses located in the customer's remote network. | ¶33 | col. 8:10-24 | 
| encrypting a payload portion of said IP packet to generate an encrypted IP packet; | The AWS system utilizes the IPsec protocol to encrypt the payload of the received IP packet. | ¶34 | col. 8:51-56 | 
| generating a composite AlterWAN packet by encapsulating said encrypted IP packet in another IP packet having as its destination address an IP address of an untrusted side of a firewall which is at a destination site which is part of said AlterWAN private tunnel; and | The VPC router encapsulates the encrypted packet within a new, outer IP packet. The destination address of this outer packet is the firewall at the customer gateway. | ¶35 | col. 8:51-67 | 
| routing said composite AlterWAN packet using a source router whose routing table has been configured to include a routing statement which recognizes said destination address of said composite AlterWAN packet and routes said composite AlterWAN packet via a dedicated data path to an AlterWAN data path, | The VPC router acts as the source router, using its routing table to recognize the customer gateway's address and route the composite packet over the VPN connection. | ¶36, ¶37 | col. 4:21-34 | 
| said AlterWAN data path being defined as a high bandwidth, low latency, low hop count data path provided by one or more participating ISX/ISP internet service providers that links said source site and said destination site...each participating ISX/ISP internet service provider being one which has been selected as having at least one high bandwidth, low latency, low hop count data path...and which has routers which either already contain or which are configured to contain predetermined routing statements... | The Site-to-Site VPN using an AWS Direct Connect connection is alleged to be the high-bandwidth, low-latency path, provided by AWS Direct Connect Partners (ISPs). | ¶38 | col. 4:16-34 | 
| said predetermined routing statements being ones which will recognize said IP destination address of each said composite AlterWAN data packets and cause said composite AlterWAN packets to be routed into said AlterWAN data path. | The AWS Direct Connect Partners are alleged to configure their routers with specific route statements that direct the packets to the customer's gateway. | ¶39 | col. 4:25-29 | 
Identified Points of Contention
- Scope Questions: A central question may be whether the AWS Direct Connect service, provided by various partners in a marketplace model, constitutes an "AlterWAN data path" as defined in the claim. The claim requires the path to be provided by "participating ISX/ISP internet service providers" who have been "selected" for their high-performance characteristics and have routers configured with "predetermined routing statements" as part of an agreement to provide routing services. This language suggests a curated, pre-negotiated network, and the court may need to determine if Amazon's more dynamic, on-demand service model meets this definition.
- Technical Questions: The complaint alleges on "information and belief" that Direct Connect Partners are "commonly ISX/ISP internet service providers" and that they "configure their routers to include route statements" for the customer (Compl. ¶¶ 38-39). A key factual dispute may be the nature of the technical and business arrangements between Amazon and its partners, and whether this arrangement meets the claim requirement of ISPs that have "agreed to provide routing services as part of said AlterWAN data path."
U.S. Patent No. 7,318,152 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A machine-readable medium including instructions which when executed by a machine causes the machine to perform operations comprising: | Amazon servers operate with code that allegedly performs the claimed method steps. | ¶45 | N/A | 
| establishing a path for transmitting data over a network between a source and a destination, the path to provide a level of latency and bandwidth for the data, wherein the establishing comprises, | Amazon Site-to-Site VPN, via AWS Direct Connect, establishes paths that provide specified levels of latency and bandwidth (e.g., 1G or 10G connections). | ¶48, ¶49 | col. 4:8-10 | 
| selecting at least one router of at least one participating service provider along the route based on a non-blocking bandwidth for the data, a number of hops in the path or latency for the data; and | AWS Direct Connect uses the BGP protocol's AS_PATH attribute to select the router and path based on the shortest number of hops. | ¶50 | col. 4:10-13 | 
| defining a route between the at least one router along the path. | The system defines the route using BGP route propagation and best path selection based on the shortest AS_PATH length. | ¶51 | col. 4:12-13 | 
Identified Points of Contention
- Scope Questions: The analysis may turn on whether the automated process of BGP's "best path selection" constitutes the specific act of "selecting at least one router of at least one participating service provider" as required by the claim. The patent language could be interpreted to imply a more deliberate, programmatic choice among a pre-vetted set of providers, rather than the standard operation of an internet routing protocol.
- Technical Questions: The definition of "participating service provider" remains a central technical question. The complaint alleges that AWS selects the "appropriate router of the Direct Connect partner" (Compl. ¶50). Discovery will likely focus on how this selection process works in practice and whether it aligns with the patent's description of selecting based on non-blocking bandwidth or latency, versus simply relying on BGP's default hop-count metric (AS_PATH).
V. Key Claim Terms for Construction
"participating service provider" / "cooperating service provider"
Context and Importance
This term appears across the asserted patents and is critical to defining the scope of the claimed network. Infringement depends on whether AWS's Direct Connect partners qualify. Practitioners may focus on this term because the patents appear to describe a curated collective of ISPs that have affirmatively agreed to provide specific routing services, which may differ from the more open, marketplace-style relationship AWS has with its Direct Connect partners.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patents often use the term interchangeably with "ISX/ISP," suggesting it could encompass any internet service provider that happens to be part of the selected data path (’163 Patent, col. 4:19-20).
- Evidence for a Narrower Interpretation: The ’163 Patent states that a participating provider is one "which has been selected as having at least one high bandwidth, low latency, low hop count data path" and "agrees to provide routing services as part of said AlterWAN data path" (’163 Patent, col. 7:52-60). This suggests an active agreement and selection process, potentially narrowing the term to providers with specific contractual or service-level obligations to the network operator.
"selecting at least one router ... based on a non-blocking bandwidth for the data, a number of hops in the path or latency"
Context and Importance
This term from claim 1 of the ’152 Patent is central to the method of creating the claimed network path. The dispute may center on whether Amazon's alleged use of BGP's AS_PATH attribute for path selection meets this limitation.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The claim lists "number of hops" as one of several possible criteria for selection. Because the complaint alleges Amazon uses AS_PATH (a hop count metric), this could be read to meet the limitation (Compl. ¶50).
- Evidence for a Narrower Interpretation: The claim preamble requires establishing a path to provide a "level of latency and bandwidth," and the "selecting" step is a sub-part of that process. An argument could be made that the "selecting" must be an active choice based on these QoS metrics, rather than the passive, default behavior of the BGP protocol which primarily considers hop count. The specification's emphasis on solving latency and bandwidth problems may support a narrower construction that requires more than just standard BGP operation (’152 Patent, col. 3:10-53).
VI. Other Allegations
Indirect Infringement
The complaint alleges induced infringement for all asserted method claims. The allegations are based on Amazon designing its systems to operate in an infringing manner and providing user guides and other support materials that encourage and instruct customers on how to configure the accused services in a way that practices the claimed methods (Compl. ¶28).
Willful Infringement
The complaint alleges Amazon possesses "specific intent to cause and encourage direct infringement with affirmative intent or willful blindness" (Compl. ¶29). It does not allege pre-suit knowledge but establishes a basis for post-suit willfulness by stating that Amazon has knowledge "at least after this detailed complaint" is served (Compl. ¶40, ¶52, etc.).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "participating service provider," which the patents frame as a party that "agrees to provide routing services" in a curated, high-QoS network, be construed to cover the relationship between AWS and its Direct Connect partners in a more open, on-demand marketplace?
- A key evidentiary question will be one of functional operation: does the standard operation of BGP's best-path selection based on AS_PATH (hop count) constitute the specific, multi-factor "selecting" process described in the patent claims, which lists non-blocking bandwidth and latency as criteria for building a path with guaranteed quality of service?
- A significant procedural question will be the impact of claim cancellation: how will the successful invalidation of all asserted claims of the newest patent in the family (’534 Patent) in a post-filing IPR influence the viability and strategic direction of the litigation on the five older, related patents?