Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur.

Similar presentations


Presentation on theme: "The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur."— Presentation transcript:

1 The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur Olivier Festor Tricha Anjali

2 Agenda  Scope of the problem (Eric).  Solution as documented (Vijay).  Open issues (Vijay).

3 CLF Motivations  Large heterogeneity of SIP equipments available –Interoperate at SIP level –but support proprietary log formats (if any)‏  Fostering heterogeneity acceptance Build on a per device basis log wrappers for any management application (tedious, error prone, costly) OR Standardize a common format CLF provides the means for option (2)‏

4 What SIP CLF is and is not … SIP CLF is NOT…  … a replacement for a CDR (Call Detail Record).  … a billing tool.  … a QoS measurement tool. SIP CLF IS:  … a standardized format that can be used by all SIP entities.  … an easily digestible log of past and current transactions.  … a format that allows quick parsing to discover relation- ships between transactions $ grep yuhyt6 sip-clf.txt gets all transactions with this label.  … amenable to easy parsing for creating other innovative tools.

5 Applications that can benefit from CLF  Security Management –Forensic analysis tools –Intrusion detection/prevention systems –Automata training  Fault Management –Faults tracking / calls correlation –Call traces Validation  Standard log services –E.g. SYSLOG

6 6 Challenges in defining SIP CLF  SIP is not a linear request-reply protocol – HTTP is linear: pipelining okay, one request = one response.  Complexity inherent in the protocol: – Serial and parallel forking elicit multiple responses. – Delays between getting a request and sending a response (origin server in HTTP is quick; UAS not quite so. Impact on proxies.)‏ – Multiple transactions grouped in a dialog; dialog persists for a long time, transactions short-lived (e.g., BYE comes much later, but relation between INV and BYE should be preserved in a log file.)‏

7 7 Challenges in defining SIP CLF  ACK requests need careful considerations: – Only tied to an INVITE. – No responses for ACKs. – For non-2xx, ACKs hop-by-hop (part of INV transaction.)‏ – For 2xx, ACK end-to-end.  CANCEL requests need careful considerations: – Only tied to an INVITE. – Requires exactly one response. – Is propagated hop-by-hop.  INV can pend, resulting in a 1xx response (200ms rule.) This 1xx response needs to be captured to train automata.  SIP has a richer set of actors: UAS, UAC, B2BUA, proxy, registrar, redirect server,...

8 8 SIP CLF is... inspired by HTTP CLF %h %l %u %t \"%r\" %s %b remotehost rfc931 authuser [date] request status bytes Example: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \ "GET /apache_pb.gif HTTP/1.0" 200 2326 SIP CLF borrows a bit from Apache CLF and Squid CLF. Some elements don't contribute (%b %l -- removed.)‏

9 Request CLF  B2BUA correlation directives –FORK/ used by the server transaction –CLIENT/ used by the client transaction  Extensions –to be defined (other headers) / message-body 1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com " “ y6y78u - server client date remotehost userauth method request-URI from to callid “contact-list” transact. transact. delim extension code code

10 Response CLF  Need to record provisional/final responses  Both CANCELs and INVITEs will have the same %x value. 1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78 - 1230756560 y6y78u - 180 INVITE + - 1230756560 y6y78u - 200 INVITE + - server client date transaction transaction status method to “contact-list” delim extension code

11 11 Open issues Preserving privacy  Anonymize IP addresses and other private information.  File system, operating-level permissions.

12 12 Open issues Handling rfc3841 directives  How rfc3841 directives should be handled? –directives may lead a proxy to alter normal rules (e.g. no- cancel directive)

13 13 Open issues “%c” issue  Contact: ;param=”1 2”

14 14 Backups

15 15 SIP CLF: Examples In the following example, Alice is registering herself with her domain's registrar and is challenged for HTTP Digest: 1230756550 192.168.1.2 - REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com 8719u@example.com - hgt678h - 1230756550 hgt678h - 401 REGISTER sip:alice@example.com;tag=8hy -

16 16 SIP CLF: Examples Registration is successful: 1230756560 192.168.1.2 alice REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com;tag=yh78 8719u@example.com " ;q=0.7;expires=7200, ;q=0.5;expires=3600" hgt679h - 1230756550 hgt679h - 200 REGISTER + " ;q=0.7;expires=7200, ;q=0.5;expires=3600" Note: +

17 17 SIP CLF: Examples In this example, Bob contacts Alice; Alice's UAS has sent a 180 upstream but has not generated a final response yet. Before Alice has a chance to pick up the phone, Bob hangs up causing a CANCEL to arrive at Alice's UAS. Alice's UAS processes the CANCEL, sending a 200 OK (CANCEL), followed by sending a 487 (INVITE) and receiving an ACK: 1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com " " y6y78u - 1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78 - 1230756560 y6y78u - 180 INVITE + - 1230756561 192.168.1.10 - CANCEL + + + + - y6y78u - 1230756560 y6y78u - 200 CANCEL + - 1230756561 y6y78u - 487 INVITE sip:bob@example.net;tag=yh78 - 1230756561 192.168.1.10 - ACK + + + + + y6y78u - Note: Correlation using %x (server transaction.)‏

18 18 SIP CLF: Examples A session queued and answered: 1230756560 192.168.1.10 - INVITE sip:agent@acd.example.net sip:alice@example.com;tag=iu8u76 sip:agent@acd.example.net i98ju@example.com - z9hG4bk7yt6 - 1230756560 z9hG4bk7yt6 - 100 INVITE sip:agent@acd.example.net;tag=oi8 - 1230756560 z9hG4bk7yt6 - 180 INVITE + - 1230756561 z9hG4bk7yt6 - 182 INVITE + - 1230756564 z9hG4bk7yt6 - 182 INVITE + - 1230756565 z9hG4bk7yt6 - 183 INVITE + - 1230756566 z9hG4bk7yt6 - 200 INVITE + - 1230756566 192.168.1.10 - ACK + + + + - z9hG4bk7yt6 -

19 CLF Motivations  Large heterogeneity of SIP equipments available –Interoperate at SIP level –but support proprietary log formats (if any)‏  Fostering heterogeneity acceptance Build on a per device basis log wrappers for any management application (tedious, error prone, costly) OR Standardize a common format CLF provides the means for option (2)‏


Download ppt "The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur."

Similar presentations


Ads by Google