Re: [sip-clf] draft CLF charter
"David Harrington" <ietfdbh@comcast.net> Thu, 23 July 2009 15:06 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0FFD3A67EF for <sip-clf@core3.amsl.com>; Thu, 23 Jul 2009 08:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.788
X-Spam-Level:
X-Spam-Status: No, score=-1.788 tagged_above=-999 required=5 tests=[AWL=0.811, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kDSDe5E4IpXL for <sip-clf@core3.amsl.com>; Thu, 23 Jul 2009 08:06:14 -0700 (PDT)
Received: from QMTA04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net [76.96.62.40]) by core3.amsl.com (Postfix) with ESMTP id 958A63A67D2 for <sip-clf@ietf.org>; Thu, 23 Jul 2009 08:06:14 -0700 (PDT)
Received: from OMTA13.westchester.pa.mail.comcast.net ([76.96.62.52]) by QMTA04.westchester.pa.mail.comcast.net with comcast id KPb81c00217dt5G54T5Xck; Thu, 23 Jul 2009 15:05:31 +0000
Received: from Harrington73653 ([24.147.240.21]) by OMTA13.westchester.pa.mail.comcast.net with comcast id KT5W1c00U0UQ6dC3ZT5Wwh; Thu, 23 Jul 2009 15:05:31 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Spencer Dawkins' <spencer@wonderhamster.org>, 'SIP-CLF Mailing List' <sip-clf@ietf.org>
References: <3B33A97D-7E19-4A08-A431-A085D53A2A6E@nostrum.com> <D5E606B8-0811-4D40-AA76-ED989B00FD02@nostrum.com><EDC652A26FB23C4EB6384A4584434A0401892AF4@307622ANEX5.global.avaya.com><4A664053.7070603@alcatel-lucent.com> <CB8F8D6E-5908-446A-84B1-B4FF84010F06@nostrum.com> <F3298CA2E6E14FB3BA1B5234ACF402FC@china.huawei.com>
Date: Thu, 23 Jul 2009 11:05:29 -0400
Message-ID: <1e6401ca0ba7$04c65070$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-reply-to: <F3298CA2E6E14FB3BA1B5234ACF402FC@china.huawei.com>
Thread-Index: AcoK3iAJaVF9tBZXTJOEO1JkFNObywAI1zIw
Subject: Re: [sip-clf] draft CLF charter
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2009 15:06:15 -0000
Hi, My concern is that I am not quite sure what we are trying to log, or why. If we are trying to log events that occur, then syslog might be a reasonable choice for a logging protocol. If we are trying to log the series of IP flows that make up a SIP transaction, then ipfix might be a reasonable choice for a logging protocol. Somebody suggested using libpcap format, which would indicate that we are trying to capture the packets that make up a transaction, for later off-line analysis. If so, then libpcap might be a reasonable logging protocol. If we want to use an IETF standard protocol for packet captures, or if we do not need to capture every packet, but just sample the flows enough to be able to track the transaction, then PSAMP might be a reasonable logging protocol. If there are multiple purposes we are trying to meet, then it might be best to address each purpose separately. There may be existing standards that would meet the separate requirements very well, but no standard that can meet the combination of purposes because the requirements are so varied and potentially in conflict. I am not promoting any particular solution. I would like to make sure we discuss the targeted purposes and the subsequent requirements, so we can best assess whether any of the existing IETF standards or industry defacto standards meet those requirments. I am a bit concerned that the charter seems to have a goal of defining a data model, without knowing what the corresponding transport protocol will be (if transporting the data is not a requirement, why should the IETF standardize it?). The format that the data can take is often inter-dependent with the protocol to be used to transport it. For example, we have existing pairings - SMIv2 MIBs and SNMP, IEs and IPFIX, XML and Netconf, SDEs and syslog. I am not sure it makes sense to define a common log format without knowing which protocols will be used when it is being transported. It is possible we could define an information model rather than a data model, but the plan to define a specific vendor-neutral format says we are working on a data model. See RFC 3444 for a discussion of the difference between information model and data model. Part of my concern about the data and the transport protocol is driven by my OPS-DIR role; part of it is driven by my SEC-DIR role. How sensitive will this information be? Will this potentially be used as evidence in legal proceedings? How much information will there be? If it used for intrusion detection purposes or as evidence, does the data-in-flight need to have integrity protection? Will this data be used as a legal audit log? i.e., does the data-at-rest need to have integrity protection? SIP transactions might include information that should be subject to privacy protection - protection against revealing personal information, and that means confidentiality and integrity must be preserved for data-in-flight as well as data-at-rest. The charter talks about meeting efficiency requirements for client and server. What about resource requirements? How much information do we expect might be generated? What happens if the buffer fills? Do we discard old data? That could enable an attacker to force a buffer overflow to hide their tracks. Large buffers of information could cause problems in storage-or-CPU-constrained enviornments; IPFIX is designed to off-load information quickly to reduce local resource requirements. Without understanding how this data is expected to be used, we do not know the requirements that must be met for operations, management, and security while at rest and while in transit to support the use cases. I think the applicability of the data to be collected really needs to be nailed down much better than this charter proposal does. I think the operations, management, and security requirements need to be nailed down better. Then we can realistically talk about what the field formats should be. David Harrington dbharrington@comcast.net ietfdbh@comcast.net dharrington@huawei.com > -----Original Message----- > From: Spencer Dawkins [mailto:spencer@wonderhamster.org] > Sent: Wednesday, July 22, 2009 11:05 AM > To: SIP-CLF Mailing List > Cc: David Harrington > Subject: Re: [sip-clf] draft CLF charter > > Just to stay on the same page :D > > I had a short chat with Dave Harrington Monday, and he asked "why not > IPFIX?" - has anyone looked at IPFIX yet? > > I know Glen Zorn's question in February was "why not SYSLOG?" > - the answer > then, from Eric Burger, was (paraphrasing) "SYSLOG's the > envelope, CLF might > use SYSLOG but needs to define what goes in the envelope". > > The answer may be the same for IPFIX, and we'll probably need > to figure this > out, but if anyone has already looked at this, that would be > great to know. > > Thanks, > > Spencer > > > > Just to make sure we are all on the same page: > > > > On Jul 21, 2009, at 5:25 PM, Vijay K. Gurbani wrote: > > > >> Romascanu, Dan (Dan) wrote: > >>> A few comments after the first reading of the charter. > >> > >> Dan: Thanks for your feedback; more inline. > >> > >>> - Is it Common Log File as it appears at the first > instance, or Common > >>> Log Format? > >> > >> CLF expands to Common Log File, though colloquially you will > >> see references to "the CLF format", which simply means the > >> specific fields and their representation. > > > > This is something we need to state more clearly. > > > > Are we defining a file are we defining a format that might > go in a file? > > > > I think the proposals I've read so far are trying to do the second. > > Does anyone disagree? > > > > I was planning to change the word File Dan is pointing to in the > > proposed charter to Format. > > > > RjS > > _______________________________________________ > > sip-clf mailing list > > sip-clf@ietf.org > > https://www.ietf.org/mailman/listinfo/sip-clf > >
- [sip-clf] draft CLF charter Robert Sparks
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter DRAGE, Keith (Keith)
- Re: [sip-clf] draft CLF charter Vijay K. Gurbani
- Re: [sip-clf] draft CLF charter Hadriel Kaplan
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter Robert Sparks
- Re: [sip-clf] draft CLF charter Vijay K. Gurbani
- Re: [sip-clf] draft CLF charter Vijay K. Gurbani
- Re: [sip-clf] draft CLF charter Spencer Dawkins
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter Robert Sparks
- Re: [sip-clf] draft CLF charter Theo Zourzouvillys
- Re: [sip-clf] draft CLF charter Hadriel Kaplan
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter Vijay K. Gurbani
- Re: [sip-clf] draft CLF charter David Harrington
- Re: [sip-clf] draft CLF charter Romascanu, Dan (Dan)
- Re: [sip-clf] draft CLF charter Juergen Quittek
- Re: [sip-clf] draft CLF charter Spencer Dawkins