Re: [sip-clf] IETF 76 Minutes posted -> IPFIX questions

"David B Harrington" <> Wed, 02 December 2009 13:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F095A3A688D for <>; Wed, 2 Dec 2009 05:36:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.74
X-Spam-Status: No, score=-0.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IApdg9wj4UTW for <>; Wed, 2 Dec 2009 05:36:21 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D937228C1DD for <>; Wed, 2 Dec 2009 05:36:20 -0800 (PST)
Received: from ([]) by with comcast id CCtD1d0020xGWP851DbdEJ; Wed, 02 Dec 2009 13:35:37 +0000
Received: from Harrington73653 ([]) by with comcast id CDcD1d002284sdk3YDcDdU; Wed, 02 Dec 2009 13:36:13 +0000
From: "David B Harrington" <>
To: "'SIP-CLF Mailing List'" <>
References: <>
Date: Wed, 2 Dec 2009 08:36:12 -0500
Message-ID: <108601ca7354$69e0d5b0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <>
Thread-Index: AcpzT0+vwKyeCHsER1OaA4fuiZY9wAAACZug
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailman-Approved-At: Wed, 02 Dec 2009 06:38:56 -0800
Subject: Re: [sip-clf] IETF 76 Minutes posted -> IPFIX questions
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2009 13:36:22 -0000


I have a concern with sipclf.
I have been looking at "How to have a successful BOF":

the goal of the
   BOF is to demonstrate that the community has agreement that:

      - there is a problem that needs solving, and the IETF is the
        group to attempt solving it.

      - the scope of the problem is well defined and understood, that
        is, people generally understand what the WG will work on (and
        what it won't) and what its actual deliverables will be.

Note the emphasis on what ***problem*** needs to be solved. 
The sipclf community decided "we need a logging file format"
That is not a clear problem description; that is a solution - a
partial solution.

The members of the sipclf WG have very different problems they are
trying to solve.
Some want to dump everything so they can later grep to find entries.
Some express concern about dumping everything and think maybe filters
are needed to limit what gets dumped.
Some want a dump from a single device.
Some want to be able to reconstruct SIP conversations across multiple

I do not think the WG has consensus on what ***problem*** is being
The appropriate file format to use for a solution depends a lot on
what problem you are trying to solve, and how the information will get
used (and possibly moved).

Some think the apache file format is a great starting place. I have
concerns about modeling sipclf after a web-server logging format. Web
servers typically run on hosts, with lots of CPU cycles and lots of
disk storage. Very appropriate for logging EVERYTHING. Maybe I just
don't know SIP well enough to understand the environments in which it
runs. Where does SIP typically run? on hosts? on routers? on
middleboxes? in embedded systems? Would these environments have the
same resources that web server environments typically have?

IPFIX may not be the right solution. But IPFIX has considered issues
of CPU impact, limited storage, filters to select subsets of
information to log, how to move the data off the box quickly, etc. The
sipclf WG has not done that analysis because it is starting with a
presumption of what they want for a solution, apparently without
agreement on the problem to be solved.

I question whether a simple ascii dump is the right answer. And I
don't think the WG has done the necessary analysis of requirements
based on the various problems to be solved, and the environments that
must be supported.