On Sat, 2008-07-19 at 16:45 +0200, Iñaki Baz Castillo wrote:
> Hi, RFC 2617 defines the "nonce-count" (nc) field in the
> request "(Proxy-)Authorization" header as:
>
> nonce-count
> This MUST be specified if a qop directive is sent (see above), and
> MUST NOT be specified if the server did not send a qop directive in
> the WWW-Authenticate header field. The nc-value is the hexadecimal
> count of the number of requests (including the current request)
> that the client has sent with the nonce value in this request. For
> example, in the first request sent in response to a given nonce
> value, the client sends "nc=00000001". The purpose of this
> directive is to allow the server to detect request replays by
> maintaining its own copy of this count - if the same nc-value is
> seen twice, then the request is a replay. See the description
> below of the construction of the request-digest value.
>
> What is a "request replay"? In SIP we already have the "retransmission"
> concept, which is handled by the transaction layer and not by the core. Maybe this
> field makes sense just in HTTP where AFAIK there is no "retransmission"
> concept?
>
> If not, what is a "request replay" in SIP?
A 'request replay' is an attempt by an attacker to use the authentication from one (legitimate) authenticated request to authenticate some other (forged) request.

-- 
Scott Lawrence
tel:+1.781.229.0533;ext=162 or sip:[EMAIL PROTECTED]
sipXecs project coordinator - SIPfoundry
http://www.sipfoundry.org/sipXecs

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
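As an added illustration (not from this thread or from sipXecs), the Python below is a server-side Digest verifier that follows the RFC 2617 request-digest construction quoted above and keeps its own copy of the per-nonce count: the same Authorization values presented a second time are caught by the nc check, and the same values moved onto a different request (the forged case described in the reply) fail the digest because method and URI are bound into HA2. Realm, user, password, nonce and cnonce are constructed sample values; the credential lookup is a plain dict standing in for a real store.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest with qop=auth, the construction SIP Digest reuses."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")          # method and URI are bound into the digest
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: check the digest, then keep our own copy of the per-nonce count."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials        # user -> password (constructed stand-in store)
        self.highest_nc = {}                  # nonce -> highest nc accepted so far

    def verify(self, method, uri, auth):
        pw = self.credentials.get(auth["username"])
        if pw is None:
            return "unknown-user"
        expected = digest_response(auth["username"], self.realm, pw, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
        if expected != auth["response"]:
            return "bad-digest"               # credentials do not match this request
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc.get(auth["nonce"], 0):
            return "replay"                   # nc-value already seen for this nonce
        self.highest_nc[auth["nonce"]] = nc
        return "ok"


def demo():
    """Legitimate REGISTER, then the same Authorization replayed, then moved to an INVITE."""
    v = DigestVerifier("example.com", {"alice": "s3cret"})
    nonce, cnonce = "constructed-nonce-1", "0a4f113b"   # constructed sample values
    auth = {"username": "alice", "realm": "example.com", "nonce": nonce, "nc": "00000001",
            "cnonce": cnonce, "qop": "auth",
            "response": digest_response("alice", "example.com", "s3cret", "REGISTER",
                                        "sip:example.com", nonce, "00000001", cnonce)}
    first = v.verify("REGISTER", "sip:example.com", auth)      # -> "ok"
    replay = v.verify("REGISTER", "sip:example.com", auth)     # -> "replay" (nc seen twice)
    forged = v.verify("INVITE", "sip:bob@example.com", auth)   # -> "bad-digest" (HA2 differs)
    return first, replay, forged
```

In SIP the transaction layer absorbs retransmissions before the core sees them, so the nc check here only fires on a second copy that arrived as a new request.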
