Re: [sip-clf] draft CLF charter

Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 23 July 2009 02:31 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 00DDB3A6CA8 for <sip-clf@core3.amsl.com>; Wed, 22 Jul 2009 19:31:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EsRaQg-SD1fs for <sip-clf@core3.amsl.com>; Wed, 22 Jul 2009 19:31:42 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id ED74C3A6BCD for <sip-clf@ietf.org>; Wed, 22 Jul 2009 19:31:41 -0700 (PDT)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Wed, 22 Jul 2009 22:30:32 -0400
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Wed, 22 Jul 2009 22:30:32 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>, Spencer Dawkins <spencer@wonderhamster.org>, SIP-CLF Mailing List <sip-clf@ietf.org>
Date: Wed, 22 Jul 2009 22:30:30 -0400
Thread-Topic: [sip-clf] draft CLF charter
Thread-Index: AcoK4KfZzNfNxEVnT/2kAOLMye5ViwAAf2NgABZPkPA=
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC3196D182386@mail>
References: <3B33A97D-7E19-4A08-A431-A085D53A2A6E@nostrum.com> <D5E606B8-0811-4D40-AA76-ED989B00FD02@nostrum.com><EDC652A26FB23C4EB6384A4584434A0401892AF4@307622ANEX5.global.avaya.com><4A664053.7070603@alcatel-lucent.com><CB8F8D6E-5908-446A-84B1-B4FF84010F06@nostrum.com> <F3298CA2E6E14FB3BA1B5234ACF402FC@china.huawei.com> <EDC652A26FB23C4EB6384A4584434A0401893076@307622ANEX5.global.avaya.com>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A0401893076@307622ANEX5.global.avaya.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [sip-clf] draft CLF charter
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2009 02:31:43 -0000

Yeah when I first heard someone mention ipfix at the beginning - the first thing in my mind was "we're not doing samples for flow counters".  But then I thought about it some more and think what they mean is the ipfix record format concept in particular, not ipfix the protocol/architecture/mechanism.  So for example one could define a "SIP-CLF" template set of fields which record what we want.

If that's what people mean when they say "ipfix", I like that way too, because in my mind that's pretty close to the advantages of a Pcap file format.  Ipfix is a little hokey when dealing with variable-length fields, as I recall (it was really optimized for fixed-length fields like counters and IP Addresses), but probably less hokey than Pcap.  And it'll probably be smaller record sizes which is a big deal.

-hadriel

> -----Original Message-----
> From: sip-clf-bounces@ietf.org [mailto:sip-clf-bounces@ietf.org] On Behalf
> Of Romascanu, Dan (Dan)
> Sent: Wednesday, July 22, 2009 11:45 AM
> 
> I need to have a more careful look, but the answer I think is No, the
> argument is different. IPFIX defines information elements based on
> packets inspection that characterize a 'flow' - in a SIP you cannot
> differentiate packets that belong to different sessions only based on
> on-wire information, so the definition of an IPFIX Information Element
> (IE) may have too little or too much granularity for what we need.
> 
> But, again, I need to read the CLF requirements and cross-match these
> carefully with the IPFIX capabilities to make sure that I am not passing
> a too easy judgment.
> 
> Dan
> 
> 
> > -----Original Message-----
> > From: sip-clf-bounces@ietf.org
> > [mailto:sip-clf-bounces@ietf.org] On Behalf Of Spencer Dawkins
> > Sent: Wednesday, July 22, 2009 6:05 PM
> > To: SIP-CLF Mailing List
> > Subject: Re: [sip-clf] draft CLF charter
> >
> > Just to stay on the same page :D
> >
> > I had a short chat with Dave Harrington Monday, and he asked
> > "why not IPFIX?" - has anyone looked at IPFIX yet?
> >
> > I know Glen Zorn's question in February was "why not SYSLOG?"
> > - the answer then, from Eric Burger, was (paraphrasing)
> > "SYSLOG's the envelope, CLF might use SYSLOG but needs to
> > define what goes in the envelope".
> >
> > The answer may be the same for IPFIX, and we'll probably need
> > to figure this out, but if anyone has already looked at this,
> > that would be great to know.
> >
> > Thanks,
> >
> > Spencer
> >
> >
> > > Just to make sure we are all on the same page:
> > >
> > > On Jul 21, 2009, at 5:25 PM, Vijay K. Gurbani wrote:
> > >
> > >> Romascanu, Dan (Dan) wrote:
> > >>> A few comments after the first reading of the charter.
> > >>
> > >> Dan: Thanks for your feedback; more inline.
> > >>
> > >>> - Is it Common Log File as it appears at the first instance, or
> > >>> Common Log Format?
> > >>
> > >> CLF expands to Common Log File, though colloquially you will see
> > >> references to "the CLF format", which simply means the specific
> > >> fields and their representation.
> > >
> > > This is something we need to state more clearly.
> > >
> > > Are we defining a file are we defining a format that might
> > go in a file?
> > >
> > > I think the proposals I've read so far are trying to do the second.
> > > Does anyone disagree?
> > >
> > > I was planning to  change the word File Dan is pointing  to in the
> > > proposed charter to Format.
> > >
> > > RjS
> > > _______________________________________________
> > > sip-clf mailing list
> > > sip-clf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sip-clf
> >
> > _______________________________________________
> > sip-clf mailing list
> > sip-clf@ietf.org
> > https://www.ietf.org/mailman/listinfo/sip-clf
> >
> _______________________________________________
> sip-clf mailing list
> sip-clf@ietf.org
> https://www.ietf.org/mailman/listinfo/sip-clf