[asterisk-dev] A question about the nonce generation and checking
Isaac Lee
cwl20 at student.canterbury.ac.nz
Wed Jan 23 19:44:02 CST 2008
Hi,
Thanks for the reply. I would like to disable the nonce checking for
Register and Invite requests. I am implementing a SIP firewall and I
want the firewall to generate a specially crafted nonce and challenge
the UA with 401 or 407 response on behalf of the Asterisk. The firewall
generated nonce is used to prevent flooding attacks and spoofed
requests. After the firewall verifies the nonce coming back from the UA,
the request is then forwarded to the Asterisk. What I want to do now is
to make the Asterisk take the nonce from the header and use this
firewall generated nonce, instead of checking its validity. Do you guys
have any thoughts?
Johansson Olle E wrote:
> 23 jan 2008 kl. 11.07 skrev Isaac Lee:
>
>
>> Hi,
>>
>> I would like to find out more information on how the Asterisk
>> generates
>> its nonce and whether it checks the validity of the nonce. Whereabouts
>> in the code I can find those information? And is the nonce just a
>> random
>> string or it is computed based on some caller related information to
>> prevent replay attacks? Thank you
>>
>
> What part of ASterisk are you talking about? We have digest auth
> in many places.
>
> /O
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>
More information about the asterisk-dev
mailing list