Re: [sip-clf] SIP-CLF slides for opsarea and possibly ipfix

Hadriel Kaplan <> Fri, 24 July 2009 17:41 UTC

Hi Vijay,

I would recommend the following changes:

1) Get rid of the two slides on "Need for CLF in current literature".  Neither of those two use-cases is actually addressed by SIP CLF, afaict.  At least not for the purpose of performing anomaly detection by using the CLF. (CLF would be useful to report when anomalous events are found perhaps, but we've said it's not a replacement for Syslog/SNMP event reporting, right?)  Even if you don't agree with my view of that, there's no need to debate it in the meeting, because it's not central to the need for CLF.

2) Maybe summarize the proposed charter in a slide or two?  Like list what's in/out-of-scope, and the deliverables?

3) On the last slide, include opsarea in the parenthesis list, since that's planned for Stockholm as well I believe.

4) I'm not quite sure what the purpose of the "Challenges in defining SIP CLF" slides is, but if you're itemizing them... then add "To get a common view of merged/global CLFs, must choose where in the stack/system to log SIP messages", and "Security and privacy related issues of various forms".

5) editorial nit: slide 3, remove the word "problem" from the top, since this is a slide on benefits, not problems. Unless you're saying the problem is we don't have these benefits. ;)


> -----Original Message-----
> From: [] On Behalf
> Of Vijay K. Gurbani
> Hello: Here is a link to the slide show I plan to present
> on SIP-CLF at the opsarea meeting on Thu.  An abbreviated
> version of this may be presented at the ipfix meeting
> on Mon as well.
> Please do look at the contents and suggest any changes.