On Thursday, 17 May 2018, 15:02:13 CEST, Daniel Tryba wrote:
[..]
I wonder why these particular module parameters would break the functionality though, I thought the idea was that each proxy would be able to generate the nonce with a shared secret if it received a challenge response from a UA whose nonce was generated on a different proxy. Is this a bug, or is it working as intended when these two module parameters are enabled?
I was looking at the wording for nonce_count https://www.kamailio.org/docs/modules/5.1.x/modules/auth.html#auth.p.nonce_count "3.5. nonce_count (boolean)
If enabled the received nc value is remembered and checked against the older value (for a successful authentication the received nc must be greater then the previously received one, see rfc2617 for more details). This will provide protection against replay attacks while still allowing credentials caching at the UA side."
It sounds like this is kept in memory. Since this isn't shared between kamailio instances, the discrepancies in nonce count should trigger the replay attack prevention mechanism (i.e. offer a new challenge).
So I guess this is intended behavior.
The conditions for the nonce check are a bit more complicated, but this is basically the way it works out in the end.
Henning
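The two mechanisms the thread distinguishes, a nonce that any proxy holding the shared secret can verify without state, and an nc counter that lives only in the memory of the instance that saw it, can be modelled in a few lines. The following is an added illustration written for this page, not the Kamailio auth module's code; the nonce format (expiry timestamp plus truncated HMAC), the secret, the timestamps and the two proxy names are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret shared by all proxies of the cluster.
SHARED_SECRET = b"example-shared-secret"


class Proxy:
    """Minimal model of one proxy instance doing digest nonce checks."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        # nonce -> highest nc accepted so far. Per instance, never shared.
        self.last_nc = {}

    def make_nonce(self, expires):
        # nonce = expires "." HMAC(secret, expires); any proxy with the
        # same secret can verify it without having issued it itself.
        mac = hmac.new(self.secret, str(expires).encode(), hashlib.sha256)
        return f"{expires}.{mac.hexdigest()[:16]}"

    def nonce_valid(self, nonce, now):
        try:
            exp_str, mac = nonce.split(".", 1)
            expires = int(exp_str)
        except ValueError:
            return False
        expected = hmac.new(self.secret, exp_str.encode(), hashlib.sha256)
        return hmac.compare_digest(mac, expected.hexdigest()[:16]) and expires > now

    def check(self, nonce, nc, now):
        """Return 'ok', 'stale' (re-challenge) or 'replay' (nc not increasing)."""
        if not self.nonce_valid(nonce, now):
            return "stale"
        prev = self.last_nc.get(nonce, 0)
        # RFC 2617 style rule: received nc must be strictly greater than
        # the last one remembered for this nonce.
        if nc <= prev:
            return "replay"
        self.last_nc[nonce] = nc
        return "ok"


def run_scenario():
    """UA authenticates against proxy A, then reuses the nonce on proxy B."""
    a = Proxy("proxy-a", SHARED_SECRET)
    b = Proxy("proxy-b", SHARED_SECRET)
    now = 1000
    nonce = a.make_nonce(expires=1300)
    return [
        a.check(nonce, 1, now),   # first use on A
        a.check(nonce, 1, now),   # same nc again on A: replay
        a.check(nonce, 2, now),   # increasing nc on A: fine
        b.check(nonce, 2, now),   # B verifies the nonce via the shared
                                  # secret but has no nc memory for it
        a.check(nonce, 2, now),   # A still remembers nc=2: replay
        a.check("bogus", 1, now), # malformed nonce: re-challenge
        a.check(nonce, 3, 1400),  # nonce expired: re-challenge
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The point of the last three calls is that the nonce itself travels between instances, but the nc memory does not: proxy B cannot tell that nc=2 was already consumed on proxy A. Any cluster running the nc check has to accept that gap or force a fresh challenge, which is the behaviour the thread above describes.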