Re: [sip-clf] SIP-CLF slides for opsarea and possibly ipfix

"Vijay K. Gurbani" <> Fri, 24 July 2009 21:03 UTC

From: "Vijay K. Gurbani" <>
Organization: Bell Labs Security Technology Research Group
To: Hadriel Kaplan <>

Hadriel Kaplan wrote:
> Hi Vijay,

Hadriel: Thanks for the feedback; more inline.

> I would recommend the following changes:
> 1) Get rid of the two slides on "Need for CLF in current literature".
> Neither of those two use-cases is actually addressed by SIP CLF,
> afaict.  At least not for the purpose of performing anomaly detection
> by using the CLF. (CLF would be useful to report when anomalous
> events are found perhaps, but we've said it's not a replacement for
> Syslog/SNMP event reporting, right?)  Even if you don't agree with my
> view of that, there's no need to debate it in the meeting, because
> it's not central to the need for CLF.

OK; training anomaly detection systems for semantic attacks on
SIP through the CLF may well be classified as a research topic,
so you are right -- I have taken these two slides out.

> 2) Maybe summarize the proposed charter in a slide or two?  Like list
> what's in/out-of-scope, and the deliverables?

OK; will do.

> 3) on the last slide, include opsarea in the parenthesis list, since
> that's planned for Stockholm as well I believe.


> 4) I'm not quite sure what the purpose of the "Challenges in defining
> SIP CLF" slides is, but if you're itemizing them... then add "To get
> a common view of merged/global CLFs, must choose where in the
> stack/system to log SIP messages", and "Security and privacy related
> issues of various forms".

I have put in security and privacy related issues as a bullet.

The other point -- "to get a common view of merged/global CLFs ..."
may require some discussion.  Are you proposing that there be a
central CLF server where all SIP actors in a network send their
messages for correlation?  At least my view of the SIP CLF was
more along the lines of each SIP actor producing their own

> 5) editorial nit: slide 3, remove the word "problem" from the top,
> since this is a slide on benefits, not problems. Unless you're saying
> the problem is we don't have these benefits. ;)


The updated copy is at the same location

Thank you for your time on this.

- vijay
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{,,}