Re: [dispatch] Reminder: IETF-75 plans for DISPATCH
"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Fri, 05 June 2009 14:13 UTC
Message-ID: <4A2927EE.4010505@alcatel-lucent.com>
Date: Fri, 05 Jun 2009 09:13:02 -0500
From: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Organization: Bell Labs Security Technology Research Group
To: dispatch@ietf.org
References: <1ECE0EB50388174790F9694F77522CCF1E590C4B@zrc2hxm0.corp.nortel.com>
In-Reply-To: <1ECE0EB50388174790F9694F77522CCF1E590C4B@zrc2hxm0.corp.nortel.com>

Mary Barnes wrote:
> Hi folks,
>
> A reminder to folks that submitted proposals for the initial deadline
> that the "charter proposals" are due next Monday, June 8th.
[...]

Folks: Here is the final "charter proposal" for the SIP CLF work. I received a couple of comments privately on typos and such, but most of the matter is the same as the one distributed on May 15th.

Unless anyone has any objections, I will submit this to the dispatch list as per Mary's instructions above on or before Monday, June 8.

Charter proposal for SIP Common Log File (CLF) format work
==========================================================
Vijay K. Gurbani and Eric Burger

Problem Statement
=================

Well-known web servers such as Apache and web proxies like Squid support event logging using a common log format. The logs produced using these de-facto standard formats are invaluable to system administrators for trouble-shooting a server, and to tool writers for crafting tools that mine the log files to produce reports and trends. These log files also enable searches for a certain SIP message or messages, a transaction or a related set of transactions. Furthermore, these log files can also be used to train anomaly detection systems and feed events into a security event management system.

The Session Initiation Protocol does not have a common log format, and as a result, each server supports a distinct log format that makes it unnecessarily complex to produce tools to do trend analysis and security detection.

An ad-hoc meeting was sponsored by the SIPPING WG during the San Francisco IETF where the participants expressed interest in undertaking this work. Minutes from the ad-hoc are available at: http://www.ietf.org/mail-archive/web/sipping/current/msg17199.html.

Since then, various discussions on CLF file format and other assorted discussions have occurred on the SIPPING mailing list, the sip-ops mailing list and the newly formed sip-clf mailing list.

Milestones and deliverables
===========================

1) A document enunciating the problem statement, motivation, the possible use cases of a SIP CLF, and the list of mandatory fields that will allow identifying transactions, grouping transactions into dialogs, and doing the latter with provisions for allowing the systems administrator or an automaton to correlate forked branches. Provisions must be made to accommodate ad-hoc fields without adversely impacting the parsing of the mandatory parameters.

   A possible starting document for this deliverable is http://tools.ietf.org/html/draft-gurbani-sipping-clf-01

2) A document that details the byte layout of the SIP CLF record. The participants have done preliminary work on writing encoders and decoders for space-separated ASCII and binary format. The runtime complexity to produce the space-separated ASCII and binary CLF is comparable; however, the binary CLF is appreciably faster in locating random records from the binary CLF file. On the other hand, an ASCII CLF format was preferable because it allowed for a visual interpretation of the mandatory fields to the benefit of a human user and allowed for expedited operations on the data using text-based tools.

   Based on subsequent deliberations, a text format has been defined which lends itself well to fast searches while still allowing the use of visual identification and interpretation using text-based tools. This format is documented in: http://tools.ietf.org/html/draft-roach-sipping-clf-syntax-01 and can serve as a possible starting document for the details of byte layout.

3) A document that provides reference implementation(s) for decoding the byte layout of the CLF.

NOTE: It could very well be that three individual documents are produced to meet the deliverables or a single document is produced that merges all three aspects. This can be decided by the BoF/design team/mini working group.

Thanks,

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web: http://ect.bell-labs.com/who/vkg/