[asterisk-dev] [Code Review] SIP authentication support

Olle E. Johansson oej at edvina.net
Fri Feb 8 00:58:29 CST 2013


On the topic of authentication:

The nonce in the current SIP channel belongs to the transaction or dialog. It should not; it belongs to a specific set of credentials and is valid for a certain amount of time. That time should be settable for nonce reuse, which is important for some service providers.

This is particularly important in the case of REGISTER where the second REGISTER using the nonce from the first may have a completely different set of identifiers.

Also look into the QoP specs for replay protection.

Cheers,
/O
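
A sketch of the nonce handling described in the message above, added here as an example; it is not part of the original post and not Asterisk code. All names (nonce_issue, nonce_check, NONCE_TTL) are hypothetical, and "set of credentials" is assumed to mean the realm. The nonce is looked up by value only, expires after a fixed reuse window, and the qop nonce-count (nc) must increase on every use.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_NONCES 64
#define NONCE_TTL  30          /* assumed reuse window in seconds; would be a config option */

enum nonce_status { NONCE_OK, NONCE_UNKNOWN, NONCE_STALE, NONCE_REPLAY };

struct nonce_entry {
    char nonce[33];            /* 128 random bits, hex encoded */
    char realm[64];            /* credential scope the nonce was issued for */
    time_t issued;
    unsigned long last_nc;     /* highest nonce-count (nc) accepted so far */
};
static struct nonce_entry nonces[MAX_NONCES];

/* Issue a nonce for a realm. No Call-ID, tag or branch is stored with it. */
const char *nonce_issue(const char *realm, time_t now)
{
    unsigned char rnd[16];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(rnd, 1, sizeof(rnd), f) : 0;
    if (f) fclose(f);
    if (got != sizeof(rnd)) return NULL;
    for (int i = 0; i < MAX_NONCES; i++) {
        struct nonce_entry *e = &nonces[i];
        if (e->nonce[0] && now - e->issued <= NONCE_TTL) continue;  /* slot still live */
        for (int j = 0; j < 16; j++) sprintf(e->nonce + 2 * j, "%02x", rnd[j]);
        snprintf(e->realm, sizeof(e->realm), "%s", realm);
        e->issued = now;
        e->last_nc = 0;
        return e->nonce;
    }
    return NULL;               /* table full: caller rejects or retries later */
}

/* Check the nonce from an Authorization header; nc is the parsed hex nonce-count.
 * Assumed to run after the digest response itself has verified, so a forged
 * request cannot advance last_nc. */
enum nonce_status nonce_check(const char *nonce, const char *realm,
                              unsigned long nc, time_t now)
{
    for (int i = 0; i < MAX_NONCES; i++) {
        struct nonce_entry *e = &nonces[i];
        if (!e->nonce[0] || strcmp(e->nonce, nonce) || strcmp(e->realm, realm)) continue;
        if (now - e->issued > NONCE_TTL) return NONCE_STALE;   /* re-challenge, stale=true */
        if (nc <= e->last_nc) return NONCE_REPLAY;             /* nc must strictly increase */
        e->last_nc = nc;
        return NONCE_OK;
    }
    return NONCE_UNKNOWN;
}
```

Because nothing from the dialog is stored with the entry, a second REGISTER that arrives with different identifiers is accepted as long as it carries a live nonce for the same realm and a higher nc.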

