[asterisk-dev] [Code Review] SIP authentication support

Mark Michelson mmichelson at digium.com
Fri Feb 8 09:01:01 CST 2013


On 02/08/2013 12:58 AM, Olle E. Johansson wrote:
> On the topic of authentication:
>
> The nonce in the current sip channel belongs to the transaction or dialog. It should not, it belongs to a specific set of credentials and is valid for a certain amount of time. That time should be settable for nonce-reuse, which is important for some service providers.

Hi Olle! We are not correlating nonces with dialogs or transactions. 
Instead, they are based on the time the challenge was sent and the 
source IP and port of the requester. The code currently sets a time of 
32 seconds for the lifetime of the nonce, but it would be quite easy to 
make this configurable.
>
> This is particularly important in the case of REGISTER where the second REGISTER using the nonce from the first may have a completely different set of identifiers.

Exactly. REGISTER doesn't use a dialog, so it's perfectly acceptable for 
entities to send a REGISTER with completely different Call-ID and 
from-tag if they wish. I think it's also possible (though not 
necessarily recommended) for dialog-forming requests like INVITE or 
SUBSCRIBE to use different identifiers for the follow-ups since no 
dialog was established from the previous transaction. Our implementation 
will work fine since nonces are not tied in any way to dialogs or 
transactions.

>
> Also look into the QoP specs for replay protection.

I certainly will!

Mark Michelson
>
> Cheers,
> /O
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-dev
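The nonce scheme Mark describes above (bound to the time the challenge was sent and to the requester's source IP and port, with a 32-second lifetime, and deliberately not tied to any Call-ID, from-tag, dialog or transaction) can be illustrated with the following added example. This is not Asterisk code and not from the thread; the HMAC-SHA256 construction, the per-server secret, the hex layout of the nonce and the `seen` table for the qop nonce-count check are all assumptions chosen for the illustration. The 32-second lifetime is the value quoted in the message.

```python
import hmac
import hashlib
import time

# Lifetime quoted in the thread; the point made there is that this should be
# a configurable setting rather than a hard-coded constant.
NONCE_LIFETIME = 32  # seconds


def make_nonce(secret: bytes, src_ip: str, src_port: int, now=None) -> str:
    """Build a nonce that commits to (challenge time, source IP, source port).

    Layout (assumed for this example): 8 hex digits of Unix time followed by
    64 hex digits of HMAC-SHA256 over "time:ip:port" under the server secret.
    Nothing about the SIP dialog or transaction is mixed in, so a later request
    with a different Call-ID or from-tag (e.g. a second REGISTER) still verifies.
    """
    ts = int(now if now is not None else time.time())
    msg = f"{ts}:{src_ip}:{src_port}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts:08x}{mac}"


def check_nonce(secret: bytes, nonce: str, src_ip: str, src_port: int,
                now=None, lifetime: int = NONCE_LIFETIME):
    """Validate a nonce presented in an Authorization header.

    Returns (accepted, reason). The MAC is recomputed from the embedded time
    and the *observed* source address, so a nonce replayed from a different
    IP or port fails the MAC check, and a nonce older than `lifetime` is stale.
    """
    now = int(now if now is not None else time.time())
    if len(nonce) != 8 + 64:
        return False, "malformed"
    try:
        ts = int(nonce[:8], 16)
    except ValueError:
        return False, "malformed"
    expected = make_nonce(secret, src_ip, src_port, now=ts)
    # Constant-time compare so the MAC check does not leak via timing.
    if not hmac.compare_digest(expected, nonce):
        return False, "bad mac"
    age = now - ts
    if age < 0 or age > lifetime:
        return False, "stale"
    return True, "ok"


def accept_nonce_count(seen: dict, nonce: str, nc: str) -> bool:
    """Replay check from the qop=auth part of Digest (RFC 2617 / RFC 7616).

    With qop, the client sends an 8-hex-digit nonce count (nc) that must rise
    on every reuse of the same nonce. The server keeps the highest nc accepted
    per nonce and rejects anything equal or lower, which is the replay
    protection Olle points at. `seen` is an in-memory table assumed here.
    """
    try:
        count = int(nc, 16)
    except ValueError:
        return False
    if count <= seen.get(nonce, 0):
        return False
    seen[nonce] = count
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-server-secret"
    t0 = 1_360_000_000
    nonce = make_nonce(secret, "192.0.2.10", 5060, now=t0)
    print(check_nonce(secret, nonce, "192.0.2.10", 5060, now=t0 + 10))   # accepted
    print(check_nonce(secret, nonce, "192.0.2.10", 5060, now=t0 + 33))   # stale
    print(check_nonce(secret, nonce, "192.0.2.11", 5060, now=t0 + 10))   # bad mac
    seen = {}
    print(accept_nonce_count(seen, nonce, "00000001"),
          accept_nonce_count(seen, nonce, "00000001"))                    # True False
```

Because `check_nonce` takes no Call-ID or tag parameters, the REGISTER case in the thread (second REGISTER carrying the first REGISTER's nonce but fresh identifiers) is accepted as long as it arrives from the same IP and port within the lifetime; a server that wants per-nonce replay detection on top of that layers the nonce-count check on the same nonce.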
