[asterisk-dev] [Code Review] SIP authentication support
Olle E Johanson
oej at edvina.net
Fri Feb 8 09:18:01 CST 2013
On 8 Feb 2013 at 16:01, Mark Michelson <mmichelson at digium.com> wrote:
> On 02/08/2013 12:58 AM, Olle E. Johansson wrote:
>> On the topic of authentication:
>>
>> The nonce in the current sip channel belongs to the transaction or dialog. It should not, it belongs to a specific set of credentials and is valid for a certain amount of time. That time should be settable for nonce-reuse, which is important for some service providers.
>
> Hi Olle! We are not correlating nonces with dialogs or transactions. Instead, they are based on the time the challenge was sent and the source IP and port of the requester. The code currently sets a time of 32 seconds for the lifetime of the nonce, but it would be quite easy to make this configurable.
>>
>> This is particularly important in the case of REGISTER where the second REGISTER using the nonce from the first may have a completely different set of identifiers.
>
> Exactly. REGISTER doesn't use a dialog, so it's perfectly acceptable for entities to send a REGISTER with completely different Call-ID and from-tag if they wish. I think it's also possible (though not necessarily recommended) for dialog-forming requests like INVITE or SUBSCRIBE to use different identifiers for the follow-ups since no dialog was established from the previous transaction. Our implementation will work fine since nonces are not tied in any way to dialogs or transactions.
Great. I was just taking the temperature. It feels great to leave 10-year-old bugs behind :-)
Have a great weekend!
/O
>
>>
>> Also look into the QoP specs for replay protection.
>
> I certainly will!
>
> Mark Michelson
>>
>> Cheers,
>> /O
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-dev mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>
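The nonce scheme Mark describes above (a nonce derived from the challenge time and the requester's source IP and port, valid for 32 seconds, and deliberately independent of Call-ID or from-tag) together with Olle's pointer to qop-based replay protection, as an added example that is not code from the thread or from Asterisk. The exact construction (HMAC-SHA256 over a `timestamp|ip|port` string, a constructed server secret, a `check_nonce` function returning `ok`/`stale`/`invalid`, and a per-nonce nonce-count tracker) is my assumption for illustration; the thread only states which inputs the nonce depends on and how long it lives.

```python
import base64
import binascii
import hashlib
import hmac

# Assumed for this example: a per-process secret generated at start-up. The
# value below is a constructed placeholder, not a real key.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

# Lifetime quoted in the thread; the point of the discussion is that this
# should be a configurable setting rather than a constant.
NONCE_LIFETIME = 32  # seconds


def _tag(secret: bytes, issued_at: int, src_ip: str, src_port: int) -> bytes:
    # Only the challenge time and the requester's transport address enter
    # the MAC. No Call-ID, From-tag or branch is involved, so a later
    # REGISTER with completely fresh identifiers from the same source still
    # carries a valid nonce.
    msg = f"{issued_at}|{src_ip}|{src_port}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def make_nonce(secret: bytes, src_ip: str, src_port: int, now: int) -> str:
    """Issue the nonce sent in a 401 challenge to this source."""
    raw = f"{now}:".encode() + base64.b16encode(_tag(secret, now, src_ip, src_port))
    return base64.b64encode(raw).decode()


def check_nonce(secret: bytes, nonce: str, src_ip: str, src_port: int,
                now: int, lifetime: int = NONCE_LIFETIME) -> str:
    """Return 'ok', 'stale' (re-challenge with stale=true) or 'invalid'."""
    try:
        raw = base64.b64decode(nonce, validate=True)
        ts_field, tag_hex = raw.split(b":", 1)
        issued_at = int(ts_field)
        tag = base64.b16decode(tag_hex)
    except (ValueError, binascii.Error):
        return "invalid"
    # Recompute with the *current* source address: a nonce replayed from a
    # different IP/port never verifies, regardless of its age.
    if not hmac.compare_digest(tag, _tag(secret, issued_at, src_ip, src_port)):
        return "invalid"
    if now < issued_at or now - issued_at > lifetime:
        return "stale"
    return "ok"


def accept_nonce_count(seen: dict, nonce: str, nc_hex: str) -> bool:
    """qop=auth replay check: the 8-hex-digit nc must strictly increase per nonce."""
    try:
        nc = int(nc_hex, 16)
    except ValueError:
        return False
    if nc <= seen.get(nonce, 0):
        return False
    seen[nonce] = nc
    return True


def demo() -> dict:
    # Constructed scenario: a challenge is issued to 198.51.100.7:5060 at t0.
    t0 = 1_700_000_000
    ip, port = "198.51.100.7", 5060
    nonce = make_nonce(SERVER_SECRET, ip, port, t0)
    return {
        # second REGISTER, new Call-ID and from-tag, same source, 10 s later
        "same_source_10s_later": check_nonce(SERVER_SECRET, nonce, ip, port, t0 + 10),
        # same source but past the 32 s lifetime
        "same_source_40s_later": check_nonce(SERVER_SECRET, nonce, ip, port, t0 + 40),
        # replayed from another port within the lifetime
        "other_port": check_nonce(SERVER_SECRET, nonce, ip, 5061, t0 + 10),
        # last base64 group overwritten
        "tampered": check_nonce(SERVER_SECRET, nonce[:-4] + "AAAA", ip, port, t0 + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `stale` outcome is what lets a server re-challenge (RFC 2617 `stale=true`) without treating a slow but legitimate client as an attacker, while `invalid` covers both forgery and a nonce lifted from another endpoint. The nonce-count tracker is only meaningful when the challenge advertises `qop="auth"` and the client echoes `nc`; without it a valid Authorization header can be replayed for the whole nonce lifetime from the same address.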