IETF Logo Mail Archive

Re: [sip-clf] Problem Statement - Source/Dest Fields & Contact

Hadriel Kaplan <HKaplan@acmepacket.com> Wed, 06 October 2010 17:46 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9EC433A6DED for <sip-clf@core3.amsl.com>; Wed, 6 Oct 2010 10:46:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.484
X-Spam-Level:
X-Spam-Status: No, score=-2.484 tagged_above=-999 required=5 tests=[AWL=0.115, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YicfLEXgyl8e for <sip-clf@core3.amsl.com>; Wed, 6 Oct 2010 10:46:17 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 1BFFC3A6AD2 for <sip-clf@ietf.org>; Wed, 6 Oct 2010 10:46:17 -0700 (PDT)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.2.254.0; Wed, 6 Oct 2010 13:47:17 -0400
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Wed, 6 Oct 2010 13:46:56 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "Vijay K. Gurbani" <vkg@bell-labs.com>
Date: Wed, 06 Oct 2010 13:46:55 -0400
Thread-Topic: [sip-clf] Problem Statement - Source/Dest Fields & Contact
Thread-Index: ActlfneR34i3e4epSmayu1YVijL7bw==
Message-ID: <DD2D25EE-FF9A-4358-A0F0-813D60F4922E@acmepacket.com>
References: <AANLkTime-SfqMydvu8gKENvk=iBZsNq_q_4J-DpTh1aX@mail.gmail.com> <4CACA5BD.7080807@bell-labs.com>
In-Reply-To: <4CACA5BD.7080807@bell-labs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: List SIP-CLF Mailing <sip-clf@ietf.org>
Subject: Re: [sip-clf] Problem Statement - Source/Dest Fields & Contact
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2010 17:46:18 -0000

A DNS name is neither necessary nor sufficient.  It's not necessary because you don't need to have one to use SIP, whereas everyone needs an IP Address of some form or other.  It's not sufficient because a DNS name can resolve to multiple IP's (or even address families), and thus not be sufficiently unique or meaningful to log as the source/dest info.

And ultimately recording it as a DNS name requires the recording to be done at a high level of the SIP stack.  My receive parser, for example, may have no idea what the received message's  host DNS name is, but it always knows the IP (e.g., from the socket).  And lastly, it would require a lot of reverse DNS lookups, since we can't possibly trust the Via to be true/legit.

-hadriel

On Oct 6, 2010, at 12:37 PM, Vijay K. Gurbani wrote:

> On 10/01/2010 06:23 AM, Peter Musgrave wrote:
>> Hi all,
> 
> Peter: Catching up with pending email.  Please see inline.
> 
>> In the problem statement/datamodel the source/dest information is
>> listed as "DNS name or IP address".  This is for the upstream node/NIC
>> which received it (and not the eventual destination covered by the AOR
>> in To/From).
>> 
>> As I implemented both formats I had assumed this was an IP address
>> (and in the IPFIX format this is explicit). In the indexed ascii doc
>> example it is a DNS name - the same as the AOR [Aside-I'd suggest we
>> make it different simply so the example covers the general case].
>> 
>> In typical implementations I would expect the logger to look at the IP
>> headers to get source/dest information. I would not expect the DNS
>> name to be available (unless a reverse DNS lookup is performed).
> 
> Since SIP is an application-layer protocol, DNS names are always
> available.  That said, I do realize that IP addresses are used quite
> a bit SIP today, but I would not like to impose this as
> a requirement to the SIPCLF mechanism.
> 
> For reasons why, let's look at generating SIPCLF records at a proxy
> since it is the most general of the SIP entities and consumes both
> the UAC and UAS halves of the SIP transaction.
> 
> The case of mandating IP addresses is more strong on the UAS
> side.  When a UAS gets a request the topmost Via header
> may contain the DNS name in the host production rule.  On the
> chance that NATs were involved, rfc3261 exhorts implementations
> to add a "received" parameter to the topmost Via header.  So it
> seems reasonable to log IP addresses for a UAS.
> 
> However, the case for mandating IP addresses is not as clear on
> the UAC side.  A UAC will execute rfc3263 resolution on the SIP
> AUS (the R-URI, in essence.)  R-URIs will mostly be identifiers
> of the form sip:user@example.com.  It seems reasonable (and certainly
> more readable) to allow the logging of the DNS name corresponding to
> the server that resulted from rfc3263 resolution on the SIP AUS.
> 
>> Q: Can we remove the "DNS or" phrase and mandate that source/dest be
>> an IP address?
> 
> My preference would like to preserve the "DNS or" phrase if possible.
> 
>> Also, since I'm on the topic of IP addresses...
>> 
>> Do we think that the logging of the Contact: header should be
>> mandatory (when the header is present)? I find I am constantly
>> checking Contact  headers in cases where Nat traversal is involved to
>> confirm things are not FOOBAR.
> 
> Earlier versions of the the pure ASCII draft [1] carried the
> Contact header in the SIPCLF record.  However, the indexed approach
> [2,3] makes that a TLV field.  I don't have any specific leanings
> one way or the other on whether or not we make the Contact field
> mandatory, although I do have a slight preference for leaving it
> as a TLV field (as it is in [3].)
> 
> [1] http://tools.ietf.org/html/draft-gurbani-sipping-clf-01
> [2] http://tools.ietf.org/html/draft-roach-sipping-clf-syntax-01
> [3] http://tools.ietf.org/html/draft-salgueiro-sipclf-indexed-ascii-01
> 
> Thanks,
> 
> - vijay
> -- 
> Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
> 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
> Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
> Web:   http://ect.bell-labs.com/who/vkg/
> _______________________________________________
> sip-clf mailing list
> sip-clf@ietf.org
> https://www.ietf.org/mailman/listinfo/sip-clf

v2.23.0 | Report a Bug | By Email