Re: [dispatch] Reminder: IETF-75 plans for DISPATCH

"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Fri, 05 June 2009 14:13 UTC

Return-Path: <vkg@alcatel-lucent.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 439563A67F8 for <dispatch@core3.amsl.com>; Fri, 5 Jun 2009 07:13:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5As6zj7FpKZ for <dispatch@core3.amsl.com>; Fri, 5 Jun 2009 07:13:04 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by core3.amsl.com (Postfix) with ESMTP id 029E83A6932 for <dispatch@ietf.org>; Fri, 5 Jun 2009 07:13:03 -0700 (PDT)
Received: from umail.lucent.com (h135-3-40-61.lucent.com [135.3.40.61]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id n55ED2S1000051 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dispatch@ietf.org>; Fri, 5 Jun 2009 09:13:02 -0500 (CDT)
Received: from [135.185.236.17] (il0015vkg1.ih.lucent.com [135.185.236.17]) by umail.lucent.com (8.13.8/TPES) with ESMTP id n55ED2lB019782 for <dispatch@ietf.org>; Fri, 5 Jun 2009 09:13:02 -0500 (CDT)
Message-ID: <4A2927EE.4010505@alcatel-lucent.com>
Date: Fri, 05 Jun 2009 09:13:02 -0500
From: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Organization: Bell Labs Security Technology Research Group
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: dispatch@ietf.org
References: <1ECE0EB50388174790F9694F77522CCF1E590C4B@zrc2hxm0.corp.nortel.com>
In-Reply-To: <1ECE0EB50388174790F9694F77522CCF1E590C4B@zrc2hxm0.corp.nortel.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
Subject: Re: [dispatch] Reminder: IETF-75 plans for DISPATCH
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2009 14:13:05 -0000

Mary Barnes wrote:
> Hi folks,
> 
> A reminder to folks that submitted proposals for the initial deadline
> that the "charter proposals" are due next Monday, June 8th.  
[...]

Folks: Here is the final "charter proposal" for the SIP CLF
work.  I received a couple of comments privately on typos
and such, but most of the matter is the same as the
one distributed on May 15th.

Unless anyone has any objections, I will submit this to the
dispatch list as per Mary's instructions above on or
before Monday, June 8.

Charter proposal for SIP Common Log File (CLF) format work
==========================================================
Vijay K. Gurbani and Eric Burger

Problem Statement
=================
Well-known web servers such as Apache and web proxies like Squid
support event logging using a common log format.  The logs produced
using these de-facto standard formats are invaluable to system
administrators for trouble-shooting a server, and to tool writers
for crafting tools that mine the log files to produce reports
and trends.  These log files also enable searches for a certain
SIP message or messages, a transaction or a related set of
transactions.

Furthermore, these log files can also be used to train anomaly
detection systems and feed events into a security event management
system.  The Session Initiation Protocol does not have a common log
format, and as a result, each server supports a distinct log format
that makes it unnecessarily complex to produce tools to do trend
analysis and security detection.

An ad-hoc meeting was sponsored by the SIPPING WG during the San
Francisco IETF where the participants expressed interest in undertaking
this work.  Minutes from the ad-hoc are available at:
http://www.ietf.org/mail-archive/web/sipping/current/msg17199.html.
Since then, various discussions on CLF file format and other
assorted discussions have occurred on the SIPPING mailing list,
the sip-ops mailing list and the newly formed sip-clf mailing list.

Milestones and deliverables
===========================

1) A document enunciating the problem statement, motivation,
the possible use cases of a SIP CLF, and the list of mandatory
fields that will allow identifying transactions, grouping
transactions into dialogs, and doing the latter with provisions
for allowing the systems administrator or an automaton to
correlate forked branches.  Provisions must be made to
accommodate ad-hoc fields without adversely impacting the
parsing of the mandatory parameters.

A possible starting document for this deliverable is
http://tools.ietf.org/html/draft-gurbani-sipping-clf-01

2) A document that details the byte layout of the SIP CLF
record.

The participants have done preliminary work on writing encoders
and decoders for space-separated ASCII and binary format.  The
runtime complexity to produce the space-separated ASCII and
binary CLF is comparable, however, the binary CLF is appreciably
faster in locating random records from the binary CLF file.
On the other hand, an ASCII CLF format was preferable because
it allowed for a visual interpretation of the mandatory
fields to the benefit of a human user and allowed for
expedited operations on the data using text-based tools.

Based on subsequent deliberations, a text format has been
defined which lends itself well to fast searches while still
allowing the use of visual identification and interpretation
using text-based tools.  This format is documented in:
http://tools.ietf.org/html/draft-roach-sipping-clf-syntax-01
and can serve as a possible starting document for the
details of byte layout.

3) A document that provides reference implementation(s)
for decoding the byte layout of the CLF.

NOTE: It could very well be that three individual documents
are produced to meet the deliverables or a single document is
produced that merges all three aspects.  This can be decided
by the BoF/design team/mini working group.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web:   http://ect.bell-labs.com/who/vkg/
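To make concrete what deliverable 1 asks of the mandatory fields (identifying transactions, grouping them into dialogs, correlating forked branches, and tolerating ad-hoc fields), here is an added Python example. It is not code from the proposal or from either cited draft: the nine-field space-separated record layout, the `S`/`R` direction marker, the `-` placeholder for an absent To tag, and the sample log lines are all constructed for illustration and are not the byte layout of draft-roach-sipping-clf-syntax-01. The grouping rules themselves follow RFC 3261: a transaction is matched by the top Via branch plus CSeq method, a dialog by Call-ID, From tag and To tag, and a forked INVITE shows up as one request answered with several distinct To tags.

```python
"""Parse a SIP-style common log and group records into transactions,
dialogs and forked branches (added example; constructed record layout)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed layout (assumption): nine mandatory whitespace-separated
# fields, then any number of ad-hoc key=value fields.
#   ts dir msg call-id cseq-num cseq-method from-tag to-tag via-branch [k=v ...]
# "-" marks an absent value (e.g. no To tag on an initial request).
MANDATORY_FIELD_COUNT = 9


@dataclass
class Record:
    ts: float
    direction: str      # S = sent, R = received (constructed convention)
    msg: str            # request method or response status code
    call_id: str
    cseq_num: int
    cseq_method: str
    from_tag: str
    to_tag: str
    branch: str
    extra: dict = field(default_factory=dict)

    @property
    def transaction_key(self):
        # RFC 3261 matches a transaction by the top Via branch plus the
        # CSeq method (an ACK for a 2xx carries its own branch).
        return (self.branch, self.cseq_method)

    @property
    def dialog_key(self):
        # A dialog is identified by Call-ID, From tag and To tag.
        return (self.call_id, self.from_tag, self.to_tag)


def parse_line(line: str) -> Record:
    """Parse one record.  Ad-hoc trailing fields never disturb the
    mandatory ones because they are only read after the fixed prefix."""
    parts = line.split()
    if len(parts) < MANDATORY_FIELD_COUNT:
        raise ValueError(f"record has {len(parts)} fields, "
                         f"need {MANDATORY_FIELD_COUNT}: {line!r}")
    (ts, direction, msg, call_id, cseq_num, cseq_method,
     ftag, ttag, branch) = parts[:MANDATORY_FIELD_COUNT]
    extra = {}
    for token in parts[MANDATORY_FIELD_COUNT:]:
        key, sep, value = token.partition("=")
        if sep:                       # tokens without '=' are skipped, not fatal
            extra[key] = value
    return Record(float(ts), direction, msg, call_id, int(cseq_num),
                  cseq_method, ftag, ttag, branch, extra)


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def group_transactions(records):
    groups = defaultdict(list)
    for r in records:
        groups[r.transaction_key].append(r)
    return dict(groups)


def group_dialogs(records):
    """Group by dialog id; records without a To tag belong to no dialog yet."""
    groups = defaultdict(list)
    for r in records:
        if r.to_tag != "-":
            groups[r.dialog_key].append(r)
    return dict(groups)


def forked_branches(records):
    """Map (Call-ID, From tag, CSeq number) of each INVITE transaction to
    the set of To tags seen in its responses; more than one To tag means
    the request was forked downstream."""
    tags = defaultdict(set)
    for r in records:
        if r.msg.isdigit() and r.cseq_method == "INVITE" and r.to_tag != "-":
            tags[(r.call_id, r.from_tag, r.cseq_num)].add(r.to_tag)
    return {k: v for k, v in tags.items() if len(v) > 1}


# Constructed sample log: one forked INVITE, then a BYE on the surviving leg.
SAMPLE_LOG = """\
1244211182.100 S INVITE a84b4c76@pc33.example.com 1 INVITE 1928301774 - z9hG4bK776asdhds ua=pc33
1244211182.210 R 180 a84b4c76@pc33.example.com 1 INVITE 1928301774 fork1 z9hG4bK776asdhds
1244211182.215 R 180 a84b4c76@pc33.example.com 1 INVITE 1928301774 fork2 z9hG4bK776asdhds
1244211185.300 R 200 a84b4c76@pc33.example.com 1 INVITE 1928301774 fork2 z9hG4bK776asdhds sdp=yes
1244211185.310 S ACK a84b4c76@pc33.example.com 1 ACK 1928301774 fork2 z9hG4bK776ack
1244211190.000 S BYE a84b4c76@pc33.example.com 2 BYE 1928301774 fork2 z9hG4bKnashds8
1244211190.050 R 200 a84b4c76@pc33.example.com 2 BYE 1928301774 fork2 z9hG4bKnashds8
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(group_transactions(recs)), "transactions")
    print(len(group_dialogs(recs)), "dialogs")
    print(forked_branches(recs))
```

Run stand-alone it reports 3 transactions (INVITE, ACK, BYE), 2 dialogs (the two early legs, of which only `fork2` is confirmed), and one forked INVITE with To tags `fork1` and `fork2`. A malformed record with fewer than nine fields raises `ValueError` rather than being silently misread, which is the behaviour a log consumer feeding an anomaly detector wants.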