Download presentation
Presentation is loading. Please wait.
Published bySharon Lynch Modified over 9 years ago
1
The Session Initiation Protocol (SIP) Common Log Format (CLF) IETF 74, March 2009, San Francisco, CA (USA) Vijay K. Gurbani Eric Burger Humberto Abdelnur Olivier Festor Tricha Anjali
2
Agenda Scope of the problem (Eric). Solution as documented (Vijay). Open issues (Vijay).
3
CLF Motivations Large heterogeneity of SIP equipments available –Interoperate at SIP level –but support proprietary log formats (if any) Fostering heterogeneity acceptance Build on a per device basis log wrappers for any management application (tedious, error prone, costly) OR Standardize a common format CLF provides the means for option (2)
4
What SIP CLF is and is not … SIP CLF is NOT… … a replacement for a CDR (Call Detail Record). … a billing tool. … a QoS measurement tool. SIP CLF IS: … a standardized format that can be used by all SIP entities. … an easily digestible log of past and current transactions. … a format that allows quick parsing to discover relation- ships between transactions $ grep yuhyt6 sip-clf.txt gets all transactions with this label. … amenable to easy parsing for creating other innovative tools.
5
Applications that can benefit from CLF Security Management –Forensic analysis tools –Intrusion detection/prevention systems –Automata training Fault Management –Faults tracking / calls correlation –Call traces Validation Standard log services –E.g. SYSLOG
6
6 Challenges in defining SIP CLF SIP is not a linear request-reply protocol – HTTP is linear: pipelining okay, one request = one response. Complexity inherent in the protocol: – Serial and parallel forking elicit multiple responses. – Delays between getting a request and sending a response (origin server in HTTP is quick; UAS not quite so. Impact on proxies.) – Multiple transactions grouped in a dialog; dialog persists for a long time, transactions short-lived (e.g., BYE comes much later, but relation between INV and BYE should be preserved in a log file.)
7
7 Challenges in defining SIP CLF ACK requests need careful considerations: – Only tied to an INVITE. – No responses for ACKs. – For non-2xx, ACKs hop-by-hop (part of INV transaction.) – For 2xx, ACK end-to-end. CANCEL requests need careful considerations: – Only tied to an INVITE. – Requires exactly one response. – Is propagated hop-by-hop. INV can pend, resulting in a 1xx response (200ms rule.) This 1xx response needs to be captured to train automata. SIP has a richer set of actors: UAS, UAC, B2BUA, proxy, registrar, redirect server,...
8
8 SIP CLF is... inspired by HTTP CLF %h %l %u %t \"%r\" %s %b remotehost rfc931 authuser [date] request status bytes Example: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \ "GET /apache_pb.gif HTTP/1.0" 200 2326 SIP CLF borrows a bit from Apache CLF and Squid CLF. Some elements don't contribute (%b %l -- removed.)
9
Request CLF B2BUA correlation directives –FORK/ used by the server transaction –CLIENT/ used by the client transaction Extensions –to be defined (other headers) / message-body 1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com " “ y6y78u - server client date remotehost userauth method request-URI from to callid “contact-list” transact. transact. delim extension code code
10
Response CLF Need to record provisional/final responses Both CANCELs and INVITEs will have the same %x value. 1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78 - 1230756560 y6y78u - 180 INVITE + - 1230756560 y6y78u - 200 INVITE + - server client date transaction transaction status method to “contact-list” delim extension code
11
11 Open issues Preserving privacy Anonymize IP addresses and other private information. File system, operating-level permissions.
12
12 Open issues Handling rfc3841 directives How rfc3841 directives should be handled? –directives may lead a proxy to alter normal rules (e.g. no- cancel directive)
13
13 Open issues “%c” issue Contact: ;param=”1 2”
14
14 Backups
15
15 SIP CLF: Examples In the following example, Alice is registering herself with her domain's registrar and is challenged for HTTP Digest: 1230756550 192.168.1.2 - REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com 8719u@example.com - hgt678h - 1230756550 hgt678h - 401 REGISTER sip:alice@example.com;tag=8hy -
16
16 SIP CLF: Examples Registration is successful: 1230756560 192.168.1.2 alice REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com;tag=yh78 8719u@example.com " ;q=0.7;expires=7200, ;q=0.5;expires=3600" hgt679h - 1230756550 hgt679h - 200 REGISTER + " ;q=0.7;expires=7200, ;q=0.5;expires=3600" Note: +
17
17 SIP CLF: Examples In this example, Bob contacts Alice; Alice's UAS has sent a 180 upstream but has not generated a final response yet. Before Alice has a chance to pick up the phone, Bob hangs up causing a CANCEL to arrive at Alice's UAS. Alice's UAS processes the CANCEL, sending a 200 OK (CANCEL), followed by sending a 487 (INVITE) and receiving an ACK: 1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com " " y6y78u - 1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78 - 1230756560 y6y78u - 180 INVITE + - 1230756561 192.168.1.10 - CANCEL + + + + - y6y78u - 1230756560 y6y78u - 200 CANCEL + - 1230756561 y6y78u - 487 INVITE sip:bob@example.net;tag=yh78 - 1230756561 192.168.1.10 - ACK + + + + + y6y78u - Note: Correlation using %x (server transaction.)
18
18 SIP CLF: Examples A session queued and answered: 1230756560 192.168.1.10 - INVITE sip:agent@acd.example.net sip:alice@example.com;tag=iu8u76 sip:agent@acd.example.net i98ju@example.com - z9hG4bk7yt6 - 1230756560 z9hG4bk7yt6 - 100 INVITE sip:agent@acd.example.net;tag=oi8 - 1230756560 z9hG4bk7yt6 - 180 INVITE + - 1230756561 z9hG4bk7yt6 - 182 INVITE + - 1230756564 z9hG4bk7yt6 - 182 INVITE + - 1230756565 z9hG4bk7yt6 - 183 INVITE + - 1230756566 z9hG4bk7yt6 - 200 INVITE + - 1230756566 192.168.1.10 - ACK + + + + - z9hG4bk7yt6 -
19
CLF Motivations Large heterogeneity of SIP equipments available –Interoperate at SIP level –but support proprietary log formats (if any) Fostering heterogeneity acceptance Build on a per device basis log wrappers for any management application (tedious, error prone, costly) OR Standardize a common format CLF provides the means for option (2)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.