On Thursday, 17 May 2018, 15:02:13 CEST, Daniel Tryba wrote:
> [..]
> > I wonder why these particular module parameters would break the
> > functionality though, I thought the idea was that each proxy would be able
> > to generate the nonce with a shared secret if it received a challenge
> > response from a ua whose nonce was generated on a different proxy. Is this
> > a bug, or, is it working as intended when these two module parameters are
> > enabled?
>
> I was looking at the wording for nonce_count
> https://www.kamailio.org/docs/modules/5.1.x/modules/auth.html#auth.p.nonce_count
> "3.5. nonce_count (boolean)
>
> If enabled the received nc value is remembered and checked against the
> older value (for a successful authentication the received nc must be
> greater than the previously received one, see rfc2617 for more details).
> This will provide protection against replay attacks while still allowing
> credentials caching at the UA side."
>
> It sounds like this is kept in memory. Since this isn't shared between
> kamailio instances, the discrepancies in nonce count should trigger the
> replay attack prevention mechanism (i.e. offer a new challenge).
>
> So I guess this is intended behavior.
The conditions for the nonce check are a bit more complicated, but this is basically the way it works out in the end.
Henning
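As an added illustration of the point made in this thread (this is constructed example code, not Kamailio's auth module and not code from anyone on the list): a nonce that any instance holding the shared secret can verify, combined with an `nc` table that lives only in the memory of the instance that saw the earlier requests. The nonce format, the HMAC construction, the `NcState` class and the policy of re-challenging when an instance first sees a nonce with `nc` above 1 are all assumptions of this example; Kamailio's actual conditions are, as Henning says, more involved.

```python
import hashlib
import hmac
import secrets
import time


class NcState:
    """Per-instance Digest nc bookkeeping (constructed example, not Kamailio code).

    The nonce is verifiable by every instance that knows `shared_secret`, but
    `last_nc` is a plain in-memory dict, so a second instance has no history
    for a nonce issued and used elsewhere.
    """

    def __init__(self, shared_secret: bytes, nonce_ttl: int = 300):
        self.secret = shared_secret
        self.ttl = nonce_ttl
        self.last_nc: dict[str, int] = {}  # nonce -> highest nc accepted here

    def make_nonce(self, now=None) -> str:
        # Hypothetical nonce layout: "<expiry>:<random>:<hmac>", so that
        # authenticity and expiry can be checked without any stored state.
        now = int(now or time.time())
        payload = f"{now + self.ttl}:{secrets.token_hex(8)}"
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{payload}:{mac}"

    def nonce_valid(self, nonce: str, now=None) -> bool:
        try:
            expires, rnd, mac = nonce.split(":")
        except ValueError:
            return False
        payload = f"{expires}:{rnd}"
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(mac, expected):
            return False
        now = int(now or time.time())
        return int(expires) > now

    def check(self, nonce: str, nc_hex: str, now=None) -> str:
        """Return 'ok', 'stale' (send a new challenge) or 'bad' (reject)."""
        if not self.nonce_valid(nonce, now):
            return "bad"
        try:
            nc = int(nc_hex, 16)
        except ValueError:
            return "bad"
        prev = self.last_nc.get(nonce)
        if prev is None:
            # First time this instance sees the nonce. A fresh challenge should
            # come back with nc=1; a higher value means the UA advanced its
            # counter against another instance and we have nothing to compare
            # with, so the safe answer is a new challenge (example's own policy).
            if nc != 1:
                return "stale"
        elif nc <= prev:
            # Same or lower nc than already accepted: replay or out of order.
            return "stale"
        self.last_nc[nonce] = nc
        return "ok"


def scenario() -> list:
    """Two proxies sharing a secret but not the nc table (constructed inputs)."""
    secret = b"constructed-shared-secret"
    proxy_a = NcState(secret)
    proxy_b = NcState(secret)
    nonce = proxy_a.make_nonce()
    results = [
        proxy_a.check(nonce, "00000001"),  # first use on A: ok
        proxy_a.check(nonce, "00000002"),  # counter increased: ok
        proxy_a.check(nonce, "00000002"),  # replayed nc: stale, re-challenge
        proxy_b.check(nonce, "00000003"),  # B verifies the nonce but has no
                                           # nc history: stale, re-challenge
        proxy_b.check("x:y:z", "00000001"),  # forged nonce: bad
    ]
    return results


if __name__ == "__main__":
    print(scenario())
```

Run it directly and the list shows `ok, ok, stale, stale, bad`: the shared secret lets proxy B verify that the nonce is genuine, yet B still has to re-challenge because the only thing that can detect a replayed `nc` is the history the first proxy kept in its own memory.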