Re: [sip-clf] SIP-CLF slides for opsarea and possibly ipfix
"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Fri, 24 July 2009 21:03 UTC
To: Hadriel Kaplan <HKaplan@acmepacket.com>
Cc: "sip-clf@ietf.org" <sip-clf@ietf.org>
Hadriel Kaplan wrote:
> Hi Vijay,

Hadriel: Thanks for the feedback; more inline.

> I would recommend the following changes:
>
> 1) Get rid of the two slides on "Need for CLF in current literature".
> Neither of those two use-cases are actually addressed by SIP CLF,
> afaict. At least not for the purpose of performing anomaly detection
> by using the CLF. (CLF would be useful to report when anomalous
> events are found perhaps, but we've said it's not a replacement for
> Syslog/SNMP event reporting, right?) Even if you don't agree with my
> view of that, there's no need to debate it in the meeting, because
> it's not central to the need for CLF.

OK; training anomaly detection systems for semantic attacks on SIP through the CLF may well be classified as a research topic, so you are right -- I have taken these two slides out.

> 2) Maybe summarize the proposed charter in a slide or two? Like list
> what's in/out-of-scope, and the deliverables?

OK; will do.

> 3) on the last slide, include opsarea in the parenthesis list, since
> that's planned for Stockholm as well I believe.

OK.

> 4) I'm not quite sure what the purpose of the "Challenges in defining
> SIP CLF" slides are, but if you're itemizing them... then add "To get
> a common view of merged/global CLF's, must choose where in the
> stack/system to log SIP messages", and "Security and privacy related
> issues of various forms".

I have put in security and privacy related issues as a bullet. The other point -- "to get a common view of merged/global CLFs ..." may require some discussion. Are you proposing that there be a central CLF server where all SIP actors in a network send their messages for correlation? At least my view of the SIP CLF was more along the lines of each SIP actor producing their own CLF.

> 5) editorial nit: slide 3, remove the word "problem" from the top,
> since this is a slide on benefits, not problems. Unless you're saying
> the problem is we don't have these benefits. ;)

Done.
The updated copy is at the same location:
http://ect.bell-labs.com/who/vkg/IETF/75/IETF-75-sip-clf-vkg.ppt

Thank you for your time on this.

- vijay

--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web: http://ect.bell-labs.com/who/vkg/