[asterisk-dev] [Code Review] SIP authentication support
Olle E. Johansson
oej at edvina.net
Fri Feb 8 00:58:29 CST 2013
On the topic of authentication:
The nonce in the current sip channel belongs to the transaction or dialog. It should not; it belongs to a specific set of credentials and is valid for a certain amount of time. That time should be settable for nonce-reuse, which is important for some service providers.
This is particularly important in the case of REGISTER where the second REGISTER using the nonce from the first may have a completely different set of identifiers.
Also look into the QoP specs for replay protection.
Cheers,
/O
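The nonce handling the message above asks for, sketched as an added example that is not part of the original post and is not Asterisk code: a nonce is bound to one set of credentials, expires after a settable lifetime, and may be reused only with a strictly increasing qop nonce-count. It assumes the server knows the user and realm when it issues the challenge; the function names and the fixed-size table are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

enum nonce_result { NONCE_OK, NONCE_UNKNOWN, NONCE_WRONG_CREDS, NONCE_STALE, NONCE_REPLAY };

struct nonce_entry {
    char nonce[33], user[64], realm[64]; /* nonce is bound to user@realm */
    time_t issued;
    unsigned long last_nc;               /* highest nonce-count accepted so far */
};
static struct nonce_entry table[16];     /* hypothetical fixed-size store */
static int table_len;

/* Issue a random nonce bound to one set of credentials; returns 0 on success. */
int nonce_issue(const char *user, const char *realm, time_t now, char out[33])
{
    unsigned char rnd[16];
    FILE *f = table_len < 16 ? fopen("/dev/urandom", "rb") : NULL;
    size_t got = f ? fread(rnd, 1, sizeof rnd, f) : 0;
    if (f) fclose(f);
    if (got != sizeof rnd) return -1;
    struct nonce_entry *e = &table[table_len++];
    for (int i = 0; i < 16; i++) sprintf(e->nonce + 2 * i, "%02x", rnd[i]);
    snprintf(e->user, sizeof e->user, "%s", user);
    snprintf(e->realm, sizeof e->realm, "%s", realm);
    e->issued = now;
    e->last_nc = 0;
    memcpy(out, e->nonce, sizeof e->nonce);
    return 0;
}

/* Validate a reused nonce. A real server would record nc only after the
 * digest response itself has verified; that step is outside this sketch. */
enum nonce_result nonce_check(const char *nonce, const char *user, const char *realm,
                              unsigned long nc, time_t now, long ttl)
{
    for (int i = 0; i < table_len; i++) {
        struct nonce_entry *e = &table[i];
        if (strcmp(e->nonce, nonce) != 0) continue;
        if (strcmp(e->user, user) || strcmp(e->realm, realm)) return NONCE_WRONG_CREDS;
        if ((long)(now - e->issued) > ttl) return NONCE_STALE;
        if (nc <= e->last_nc) return NONCE_REPLAY;  /* nonce-count must increase */
        e->last_nc = nc;
        return NONCE_OK;
    }
    return NONCE_UNKNOWN;
}
```

A second REGISTER that presents the nonce with different identifiers gets `NONCE_WRONG_CREDS` here, and the server would answer it with a fresh challenge.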