2009/7/16 Klaus Darilion <klaus.mailingli...@pernau.at>:
> Hi!
>
> I really wonder if the nonce_reuse protection feature is useful and if
> anybody uses it without problems.
>
> One problem I have is with retransmission, e.g.:
>
> ----INV1 --->
> <---407------
> ----ACK----->
>
> ----INV2------>
> here happens a delay to the INVITE (e.g. jam in the access uplink,
> SIP proxy slow, ... whatever) which causes a retransmission of the INVITE
>
> ----INV3------> (retransmission of INV2)
>
> the proxy processes INV2, authenticates the user successfully and forwards
> the request
>
> then the proxy processes INV3, finds out that the nonce is reused and
> sends back 407 --> client gives up, but the request was also forwarded
> by the proxy :-(
Yes, that occurs if no transaction was already created.

> How do you handle such a scenario? Do you always create the transaction
> before authentication?

Creating the transaction before authentication could be dangerous (DoS
attacks). I suggest creating the transaction manually *just* after
authentication (before t_relay and the previous routing logic accessing
the DB and so on).

> One other thing I just found out is that reuse-check is done after
> successful authentication - shouldn't it be done the other way round?

True. However, to announce "stale=true" in the 401/407 response the
credentials must be verified. Imagine that a phone sends a request with an
already used nonce (very common behaviour) and the proxy replies 401/407
without the "stale" parameter. Then the phone could understand that the
user/password are wrong and wouldn't try to authenticate again.

The "stale" parameter in 401/407 means that the credentials are valid (user,
password and nonce are valid) but the nonce already expired in the server, so
the client must create new credentials with the new nonce received in the
401/407.

-- 
Iñaki Baz Castillo <i...@aliax.net>

_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users@lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
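The two points in this exchange, the retransmission race with a one-time-nonce check and the "verify credentials before checking the nonce so that stale=true can be announced" ordering, can be shown with a small model of a Digest-authenticating proxy. This is an added example written for this page; it is not Kamailio code and not code from either poster. The realm, user/password, Via branch and nonce values are constructed, the proxy is reduced to an "auth phase" and a "relay phase" so the interleaving Klaus describes (INV2 passes auth, its retransmission INV3 is processed while INV2 is still in the slow routing logic, then INV2 is relayed) can be replayed, and the `create_tran_after_auth` flag stands in for calling t_newtran() right after authentication as Iñaki suggests. Transactions are matched on (Via branch, method) only, which is a simplification of real SIP transaction matching.

```python
"""Model of a Digest-authenticating SIP proxy (constructed example, not Kamailio code)."""
import hashlib
import itertools
from dataclasses import dataclass, field

REALM = "example.test"        # assumed realm
USERS = {"alice": "s3cret"}   # constructed credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


@dataclass
class Request:
    method: str
    uri: str
    branch: str          # Via branch; a retransmission repeats it
    user: str = ""
    nonce: str = ""
    response: str = ""


@dataclass
class Proxy:
    create_tran_after_auth: bool                      # t_newtran() right after auth?
    transactions: set = field(default_factory=set)    # (branch, method) keys
    used_nonces: set = field(default_factory=set)     # one-time-nonce store
    replies: list = field(default_factory=list)       # (branch, status line)
    forwarded: list = field(default_factory=list)     # branches relayed upstream
    _nonce_seq: itertools.count = field(default_factory=itertools.count)

    def new_nonce(self) -> str:
        return f"nonce{next(self._nonce_seq)}"

    def check_credentials(self, req: Request) -> str:
        """Verify the password FIRST, then the nonce: only a reused nonce with
        otherwise valid credentials may be challenged with stale=true."""
        pw = USERS.get(req.user)
        if pw is None or req.response != digest_response(req.user, pw, req.method, req.uri, req.nonce):
            return "bad-credentials"
        if req.nonce in self.used_nonces:
            return "nonce-reused"
        self.used_nonces.add(req.nonce)
        return "ok"

    def auth_phase(self, req: Request) -> bool:
        """Everything a worker does before the slow routing logic.
        Returns True when the request should continue to routing."""
        key = (req.branch, req.method)
        if key in self.transactions:          # retransmission of a known transaction: absorb it
            return False
        status = self.check_credentials(req)
        if status != "ok":
            stale = "true" if status == "nonce-reused" else "false"
            self.replies.append((req.branch, f'407 nonce="{self.new_nonce()}", stale={stale}'))
            return False
        if self.create_tran_after_auth:       # create the transaction before any DB-heavy routing
            self.transactions.add(key)
        return True

    def relay_phase(self, req: Request) -> None:
        """Slow routing followed by relaying; relaying creates the transaction if needed."""
        self.transactions.add((req.branch, req.method))
        self.forwarded.append(req.branch)


def authed_invite(branch: str, nonce: str) -> Request:
    uri = "sip:bob@example.test"
    return Request("INVITE", uri, branch, "alice", nonce,
                   digest_response("alice", "s3cret", "INVITE", uri, nonce))


def race(create_tran_after_auth: bool):
    """Replay the interleaving from the thread and return (replies, forwarded)."""
    p = Proxy(create_tran_after_auth)
    inv2 = authed_invite("z9hG4bK-7", "nonceA")
    inv3 = authed_invite("z9hG4bK-7", "nonceA")   # retransmission: same branch, same nonce
    inv2_continues = p.auth_phase(inv2)           # INV2 authenticated, now stuck in routing
    if p.auth_phase(inv3):                        # INV3 handled by another worker meanwhile
        p.relay_phase(inv3)
    if inv2_continues:
        p.relay_phase(inv2)                       # INV2 finally relayed
    return p.replies, p.forwarded


if __name__ == "__main__":
    print("transaction created at relay:", race(False))   # spurious 407 stale=true + forward
    print("transaction created after auth:", race(True))  # forward only, INV3 absorbed
```

Without the early transaction the model reproduces Klaus's report: INV3 is rejected with a 407 (stale=true, because the credentials were valid) while INV2 is still relayed. With the transaction created immediately after authentication, INV3 is absorbed and the client sees no spurious challenge. The `check_credentials` ordering also shows the second point: a request with a reused nonce but a wrong password gets stale=false, so the client knows the password itself is wrong rather than retrying forever.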