Re: [sip-clf] Problem Statement - Source/Dest Fields & Contact

["Vijay K. Gurbani" <vkg@bell-labs.com>]

On 10/07/2010 12:27 PM, Hadriel Kaplan wrote:
> No, that's not really the issue.  Nobody's saying "you must not
> record the hostname".  What we're saying is "you must record the IP
> Address, and may optionally *also* record the hostname separately".

No surprise, I disagree on the word "separately" above ;-)

> It's that word "instead" you used above that's the issue.  That
> implies the same *field* carries two different types of information.
> And it's not just syntactically different fields - they're
> *Semantically* different.  A Layer-3 IP destination address is
> unambiguous when we say it's the layer-3 IP.

Unambiguous how?  In finding the exact host?  What happens if it
was a DHCP address and re-assigned later on to someone else?  What
does the unambiguity of an IP address get you then?  I don't think
that just because we have a raw IP address, all other problems
associated with that will simply vanish.

> But using a hostname is _ambiguous_: which hostname is it?  Is it
> the input into the 3263 process (ie, the domain portion of the
> target URI), or is it an intermediate step of 3263? or if 3263 isn't
> used, is it one from a local-policy of proxy-routing which might use
> a hostfile instead of 3263/DNS?  In other words, can the reader of
> the file know which hostname it is without knowing the internals of
> the recorder?

First off, I never claimed that an intermediate step of rfc3263 be
used as a DNS name, it is the target name that is of interest here.
Second, if the name is taken from a hostfile instead of rfc3263/DNS,
then what difference does it make?  The contents of the hostfile are
pertinent to and of interest to the administrative domain
interpreting the SIPCLF log file since we are not claiming that log
files be sent from one domain to another.

> No, not simple.  The semantic of the IP Address field is one of being
> a Layer-3 IP.  For example, getting the layer-3 IP in a SIP-CLF lets
> me go create an ACL or BPF for that... to block or capture packets
> from it in more detail, for example.

Yes, you can do that but if the IP address was re-assigned by DHCP
you will inadvertently block good traffic.

> You can't do that with a hostname.  Furthermore, it means in a
> database/table storing the individual fields I have to have a string
> or blob or complex type instead of a uint32[4] for ip.  And it also
> means my reader/tool/grep has to deal with determining which type it
> is (ip vs hostname) by its content instead of by it's position or
> type value.

The position is invariant irrespective of the contents, so I do not
see why the reader/tool/grep cannot simply interpret it.  If you
want to store the SIPCLF record contents in a database, yes, you'd
have to do a bit more work, but by no means is this extra work
a showstopper, is it?

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
Web:   http://ect.bell-labs.com/who/vkg/