[asterisk-dev] A question about the nonce generation and checking

Isaac Lee cwl20 at student.canterbury.ac.nz
Wed Jan 23 19:44:02 CST 2008


Hi,

Thanks for the reply. I would like to disable the nonce checking for 
Register and Invite requests. I am implementing a SIP firewall and I 
want the firewall to generate a specially crafted nonce and challenge 
the UA with 401 or 407 response on behalf of the Asterisk. The firewall 
generated nonce is used to prevent flooding attacks and spoofed 
requests. After the firewall verifies the nonce coming back from the UA, 
the request is then forwarded to the Asterisk. What I want to do now is 
to make the Asterisk take the nonce from the header and use this 
firewall generated nonce, instead of checking its validity. Do you guys 
have any thoughts?

Johansson Olle E wrote:
> 23 jan 2008 kl. 11.07 skrev Isaac Lee:
>
>   
>> Hi,
>>
>> I would like to find out more information on how the Asterisk  
>> generates
>> its nonce and whether it checks the validity of the nonce. Whereabouts
>> in the code I can find those information? And is the nonce just a  
>> random
>> string or it is computed based on some caller related information to
>> prevent replay attacks? Thank you
>>     
>
> What part of ASterisk are you talking about? We have digest auth
> in many places.
>
> /O
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>   




More information about the asterisk-dev mailing list