The Session Initiation Protocol SIP Common Log Format

  • Slides: 19
The Session Initiation Protocol (SIP) Common Log Format (CLF)
IETF 74, March 2009, San Francisco, CA (USA)
Vijay K. Gurbani <vkg@bell-labs.com>
Eric Burger <eburger@sipforum.org>
Humberto Abdelnur <Humberto.Abdelnur@loria.fr>
Olivier Festor <Olivier.Festor@loria.fr>
Tricha Anjali <tricha@ece.iit.edu>

Agenda
  • Scope of the problem (Eric).
  • Solution as documented (Vijay).
  • Open issues (Vijay).

CLF Motivations
Large heterogeneity of SIP equipment available:
  – interoperates at the SIP level,
  – but supports proprietary log formats (if any).
Fostering heterogeneity acceptance:
  (1) build per-device log wrappers for any management application (tedious, error prone, costly), OR
  (2) standardize a common format.
  • CLF provides the means for option (2).

What SIP CLF is and is not …
SIP CLF is NOT:
  … a replacement for a CDR (Call Detail Record).
  … a billing tool.
  … a QoS measurement tool.
SIP CLF IS:
  … a standardized format that can be used by all SIP entities.
  … an easily digestible log of past and current transactions.
  … a format that allows quick parsing to discover relationships between transactions ($ grep yuhyt6 sip-clf.txt gets all transactions with this label).
  … amenable to easy parsing for creating other innovative tools.

Applications that can benefit from CLF
Security Management
  – Forensic analysis tools
  – Intrusion detection/prevention systems
  – Automata training
Fault Management
  – Fault tracking / call correlation
  – Call traces
Validation
Standard log services
  – E.g. SYSLOG

Challenges in defining SIP CLF
SIP is not a linear request-reply protocol:
  – HTTP is linear: pipelining okay, one request = one response.
Complexity inherent in the protocol:
  – Serial and parallel forking elicit multiple responses.
  – Delays between getting a request and sending a response (origin server in HTTP is quick; UAS not quite so. Impact on proxies.)
  – Multiple transactions grouped in a dialog; the dialog persists for a long time, transactions are short-lived (e.g., BYE comes much later, but the relation between INV and BYE should be preserved in a log file.)

Challenges in defining SIP CLF
ACK requests need careful consideration:
  – Only tied to an INVITE.
  – No responses for ACKs.
  – For non-2xx, ACKs are hop-by-hop (part of the INV transaction.)
  – For 2xx, ACK is end-to-end.
CANCEL requests need careful consideration:
  – Only tied to an INVITE.
  – Requires exactly one response.
  – Is propagated hop-by-hop.
INV can pend, resulting in a 1xx response (200 ms rule.) This 1xx response needs to be captured to train automata.
SIP has a richer set of actors: UAS, UAC, B2BUA, proxy, registrar, redirect server, ...

SIP CLF is ... inspired by HTTP CLF
  %h %l %u %t "%r" %s %b
  remotehost rfc931 authuser [date] request status bytes
Example:
  127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
SIP CLF borrows a bit from Apache CLF and Squid CLF. Some elements don't contribute (%b %l -- removed.)

Request CLF
B2BUA correlation directives
  – FORK/<code> used by the server transaction
  – CLIENT/<code> used by the client transaction
Extensions – to be defined (other headers / message-body)
  1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com "<sip:bob@home.example.net>" y6y78u

Response CLF
Need to record provisional/final responses. Both CANCELs and INVITEs will have the same %x value.
  1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78
  1230756560 y6y78u - 180 INVITE +
  1230756560 y6y78u - 200 INVITE + -

Open issues: Preserving privacy
  – Anonymize IP addresses and other private information.
  – File system, operating-level permissions.
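One way to act on the first bullet, as an added example that is not part of the deck or of any SIP CLF implementation: keyed pseudonyms (HMAC-SHA256, truncated) replace IP addresses, the authuser field and the user part of addresses, while timestamps, methods, status codes and transaction labels stay intact, so records can still be correlated after anonymization. The key, the `ip-`/`u-` prefixes, the function names and the sample records are constructed for the demonstration; treating the third field of a request line as the authuser is an assumption taken from the Request CLF slide's layout.

```python
import hashlib
import hmac
import re

# Constructed demo key. A deployment keeps the key in a secret store: whoever
# holds it can re-identify a pseudonym by hashing candidate values.
DEMO_KEY = b"constructed-demo-key-not-for-production"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# user@host as it appears in SIP URIs, From/To and Call-ID fields. The host part
# is kept so per-domain analysis still works; the pattern is deliberately simple.
USER_AT_HOST_RE = re.compile(r"([A-Za-z0-9._+-]+)@([A-Za-z0-9.-]+)")


def pseudonym(value: str, key: bytes = DEMO_KEY, length: int = 12) -> str:
    """Keyed, truncated HMAC-SHA256: the same value under the same key always
    maps to the same token, so correlation across records survives."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def anonymize_record(line: str, key: bytes = DEMO_KEY) -> str:
    """Replace IPv4 addresses, the authuser field and the user part of
    addresses with pseudonyms. Timestamps, methods, status codes and
    transaction labels are left untouched."""
    fields = line.split(" ")
    # Third field of a CLF request line is the authenticated user, "-" if none
    # (assumed layout; response lines carry "-" there as well).
    if len(fields) > 2 and fields[2] != "-":
        fields[2] = "u-" + pseudonym(fields[2], key)
    line = " ".join(fields)
    line = IPV4_RE.sub(lambda m: "ip-" + pseudonym(m.group(0), key), line)
    return USER_AT_HOST_RE.sub(
        lambda m: pseudonym(m.group(1), key) + "@" + m.group(2), line)


def anonymize_log(lines, key: bytes = DEMO_KEY):
    """Anonymize every record of a log, preserving order."""
    return [anonymize_record(line, key) for line in lines]


# Sample records transcribed from the registration examples in this deck.
SAMPLE_RECORDS = [
    "1230756550 192.168.1.2 - REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 "
    "sip:alice@example.com 8719u@example.com - hgt678h",
    "1230756550 hgt678h - 401 REGISTER sip:alice@example.com;tag=8hy -",
    "1230756560 192.168.1.2 alice REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 "
    "sip:alice@example.com;tag=yh78 8719u@example.com "
    "\"<sip:alice@lab.example.com>;q=0.7;expires=7200\" hgt679h",
]

if __name__ == "__main__":
    for rec in anonymize_log(SAMPLE_RECORDS):
        print(rec)
```

Because the pseudonym is deterministic per key, `alice` in the authuser field and `alice` in the From URI map to the same value, which keeps the registration lines linkable; rotating the key breaks linkability between files produced under different keys, which is usually the intended trade-off. File permissions on the key and on the log (the second bullet) are what keep the mapping from being reversed.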

Open issues: Handling RFC 3841 directives
How should RFC 3841 directives be handled?
  – Directives may lead a proxy to alter normal rules (e.g. the nocancel directive).

Open issues: "%c" issue
  Contact: <sip:123@example.com>;param="1 2"

Backups

SIP CLF: Examples
In the following example, Alice is registering herself with her domain's registrar and is challenged for HTTP Digest:
  1230756550 192.168.1.2 - REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com 8719u@example.com - hgt678h
  1230756550 hgt678h - 401 REGISTER sip:alice@example.com;tag=8hy -

SIP CLF: Examples
Registration is successful:
  1230756560 192.168.1.2 alice REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 sip:alice@example.com;tag=yh78 8719u@example.com "<sip:alice@lab.example.com>;q=0.7;expires=7200, <sip:alice@home.example.net>;q=0.5;expires=3600" hgt679h
  1230756550 hgt679h - 200 REGISTER + "<sip:alice@lab.example.com>;q=0.7;expires=7200, <sip:alice@home.example.net>;q=0.5;expires=3600"
Note: +

SIP CLF: Examples
In this example, Bob contacts Alice; Alice's UAS has sent a 180 upstream but has not generated a final response yet. Before Alice has a chance to pick up the phone, Bob hangs up, causing a CANCEL to arrive at Alice's UAS. Alice's UAS processes the CANCEL, sending a 200 OK (CANCEL), followed by sending a 487 (INVITE) and receiving an ACK:
  1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 sip:bob@example.net i98ju@example.com "<sip:bob@home.example.net>" y6y78u
  1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78
  1230756560 y6y78u - 180 INVITE +
  1230756561 192.168.1.10 - CANCEL + + - y6y78u
  1230756561 y6y78u - 200 CANCEL +
  1230756561 y6y78u - 487 INVITE sip:bob@example.net;tag=yh78 -
  1230756561 192.168.1.10 - ACK + + + y6y78u -
Note: Correlation using %x (server transaction.)
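Added example, not the deck's own code or any SIP CLF implementation, covering two points from the slides at once: the "%c" open issue, where a Contact value such as `<sip:123@example.com>;param="1 2"` carries a space inside a quoted parameter and breaks a naive whitespace split, and the correlation note above, where every record of a transaction is found by its %x label much like the `grep` on the "what SIP CLF is" slide. The tokenizer assumes the CLF wraps such fields in double quotes with inner quotes backslash-escaped (an assumption, since the slide leaves the encoding open); the sample log is constructed after the CANCEL example, and the function names are mine.

```python
import re

STATUS_RE = re.compile(r"[1-6]\d\d")

# Constructed sample log modelled on the CANCEL example above. The Contact field
# of the INVITE carries a quoted parameter containing a space (the "%c" issue);
# the inner quotes are assumed to be backslash-escaped inside the CLF field.
SAMPLE_LOG = [
    r'1230756560 192.168.1.10 - INVITE sip:bob@example.net sip:alice@example.com;tag=iu8u76 '
    r'sip:bob@example.net i98ju@example.com "<sip:bob@home.example.net>;param=\"1 2\"" y6y78u',
    r'1230756560 y6y78u - 100 INVITE sip:bob@example.net;tag=yh78',
    r'1230756560 y6y78u - 180 INVITE +',
    r'1230756561 192.168.1.10 - CANCEL + + - y6y78u',
    r'1230756561 y6y78u - 200 CANCEL +',
    r'1230756561 y6y78u - 487 INVITE sip:bob@example.net;tag=yh78 -',
    r'1230756561 192.168.1.10 - ACK + + + y6y78u -',
    # Unrelated transaction; must not appear when correlating on y6y78u.
    r'1230756550 192.168.1.2 - REGISTER sip:example.com sip:alice@example.com;tag=iu8u76 '
    r'sip:alice@example.com 8719u@example.com - hgt678h',
]


def tokenize(line: str) -> list:
    """Split a record on whitespace while keeping double-quoted fields intact.
    Inside quotes, backslash escapes the next character; an unterminated
    quote is an error rather than a silently truncated field."""
    tokens, buf = [], []
    in_field = False   # a token has started (so "" still yields a token)
    quoted = False
    i = 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                buf.append(line[i + 1])
                i += 1
            elif ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted = in_field = True
        elif ch.isspace():
            if in_field:
                tokens.append("".join(buf))
                buf, in_field = [], False
        else:
            buf.append(ch)
            in_field = True
        i += 1
    if quoted:
        raise ValueError("unterminated quoted string in record: %r" % line)
    if in_field:
        tokens.append("".join(buf))
    return tokens


def transaction(lines, label):
    """grep-like correlation: every record carrying the %x label, in log order.
    Responses (label in field 2, status code in field 4) yield "status method";
    requests yield the method. Returns a list of (timestamp, event)."""
    events = []
    for line in lines:
        f = tokenize(line)
        if label not in f:
            continue
        if f[1] == label and len(f) > 4 and STATUS_RE.fullmatch(f[3]):
            events.append((int(f[0]), "%s %s" % (f[3], f[4])))
        else:
            events.append((int(f[0]), f[3]))
    return events


def final_response(lines, label, method):
    """First final (>= 200) response logged for the given method within the
    transaction identified by label, or None if the transaction is still open."""
    for _, event in transaction(lines, label):
        parts = event.split(" ")
        if len(parts) == 2 and parts[1] == method and int(parts[0]) >= 200:
            return int(parts[0])
    return None


if __name__ == "__main__":
    print("naive split fields:", len(SAMPLE_LOG[0].split()))
    print("quote-aware fields:", len(tokenize(SAMPLE_LOG[0])))
    for ts, event in transaction(SAMPLE_LOG, "y6y78u"):
        print(ts, event)
    print("INVITE ended with", final_response(SAMPLE_LOG, "y6y78u", "INVITE"))
```

On the INVITE record, `str.split()` yields eleven fields and shifts the transaction label out of its column, while the quote-aware tokenizer yields the expected ten; `transaction()` then reproduces the slide's sequence (INVITE, 100, 180, CANCEL, 200 CANCEL, 487 INVITE, ACK) and `final_response()` reports 487 for the INVITE, which is the kind of per-transaction outcome an IDS or fault-tracking tool would aggregate.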

SIP CLF: Examples
A queued session is answered:
  1230756560 192.168.1.10 - INVITE sip:agent@acd.example.net sip:alice@example.com;tag=iu8u76 sip:agent@acd.example.net i98ju@example.com - z9hG4bk7yt6
  1230756560 z9hG4bk7yt6 - 100 INVITE sip:agent@acd.example.net;tag=oi8
  1230756560 z9hG4bk7yt6 - 180 INVITE +
  1230756561 z9hG4bk7yt6 - 182 INVITE +
  1230756564 z9hG4bk7yt6 - 182 INVITE +
  1230756565 z9hG4bk7yt6 - 183 INVITE +
  1230756566 z9hG4bk7yt6 - 200 INVITE +
  1230756566 192.168.1.10 - ACK + + - z9hG4bk7yt6 -
