On Thursday, 17 May 2018, 15:02:13 CEST, Daniel Tryba wrote:

> [..]
> > I wonder why these particular module parameters would break the
> > functionality though, I thought the idea was that each proxy would be able
> > to generate the nonce with a shared secret if it received a challenge
> > response from a UA whose nonce was generated on a different proxy. Is this
> > a bug, or, is it working as intended when these two module parameters are
> > enabled?
>
> I was looking at the wording for nonce_count
> https://www.kamailio.org/docs/modules/5.1.x/modules/auth.html#auth.p.nonce_count
> "3.5. nonce_count (boolean)
>
> If enabled the received nc value is remembered and checked against the
> older value (for a successful authentication the received nc must be
> greater then the previously received one, see rfc2617 for more details).
> This will provide protection against replay attacks while still allowing
> credentials caching at the UA side."
>
> It sounds like this is kept in memory. Since this isn't shared between
> kamailio instances, the discrepancies in nonce count should trigger the
> replay attack prevention mechanism (i.e. offer a new challenge).
>
> So I guess this is intended behavior.


The conditions for the nonce check are a bit more complicated, but this is basically the way it works out in the end.

Henning
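To make the behaviour discussed in this thread concrete, here is a small Python model of the two checks involved. It is an added illustration written for this page, not Kamailio's auth module code, and it simplifies: the nonce is an HMAC over a constructed timestamp and sequence number under a shared secret (so any proxy holding the secret can validate the nonce itself without state), while the nc bookkeeping lives in a per-instance dictionary that is never shared. One modelling assumption is labelled in the code: when nonce_count is on and an instance has no local nc record for an otherwise valid nonce, it re-challenges, because it cannot tell whether the counter went backwards. Names such as AuthProxy, make_nonce and simulate are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed value for this example; in a real deployment every proxy shares it.
SHARED_SECRET = b"constructed-shared-secret"
# Constructed "issued at" timestamp so the example is deterministic.
ISSUED_AT = 1526562133


def make_nonce(secret: bytes, issued_at: int, nonce_id: int) -> str:
    """Mint a nonce that any proxy holding the shared secret can validate."""
    body = f"{issued_at}:{nonce_id}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{mac}"


def nonce_is_authentic(secret: bytes, nonce: str) -> bool:
    """Stateless check: the MAC proves the nonce was minted with the shared secret."""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        return False
    expected = make_nonce(secret, int(parts[0]), int(parts[1]))
    return hmac.compare_digest(expected, nonce)


@dataclass
class AuthProxy:
    name: str
    secret: bytes = SHARED_SECRET
    nonce_count: bool = True
    # Last nc accepted per nonce. This table is in this instance's memory only;
    # a second proxy never sees it, which is the point the thread makes.
    _last_nc: dict = field(default_factory=dict)
    _seq: int = 0

    def challenge(self) -> str:
        """Issue a fresh nonce and, if nc checking is on, start tracking it."""
        self._seq += 1
        nonce = make_nonce(self.secret, ISSUED_AT, self._seq)
        if self.nonce_count:
            self._last_nc[nonce] = 0
        return nonce

    def verify(self, nonce: str, nc: int) -> str:
        """Return "ok" to accept the credentials or "challenge" to send a new nonce."""
        # Step 1 (stateless): the nonce must carry a valid MAC under the shared secret.
        if not nonce_is_authentic(self.secret, nonce):
            return "challenge"
        if not self.nonce_count:
            return "ok"
        # Step 2 (stateful): nc must be strictly greater than the last one seen here.
        last = self._last_nc.get(nonce)
        if last is None:
            # Assumption of this model: no local record means the counter cannot be
            # validated, so the request is treated like a stale nonce.
            return "challenge"
        if nc <= last:
            return "challenge"  # replayed or out-of-order nc
        self._last_nc[nonce] = nc
        return "ok"


def simulate() -> list[tuple[str, str]]:
    """Walk the scenario from the thread: one nonce, several proxies, rising nc."""
    proxy_a = AuthProxy("proxy-a")
    proxy_b = AuthProxy("proxy-b")
    proxy_c = AuthProxy("proxy-c", nonce_count=False)
    nonce = proxy_a.challenge()  # UA was challenged by proxy A
    return [
        ("A nc=1 first use", proxy_a.verify(nonce, 1)),
        ("A nc=1 replayed", proxy_a.verify(nonce, 1)),
        ("A nc=2 next use", proxy_a.verify(nonce, 2)),
        ("B nc=3 no local state", proxy_b.verify(nonce, 3)),
        ("C nc=3 nonce_count off", proxy_c.verify(nonce, 3)),
        ("A forged nonce", proxy_a.verify("1:1:deadbeefdeadbeef", 1)),
    ]


if __name__ == "__main__":
    for label, outcome in simulate():
        print(f"{label:24s} -> {outcome}")
```

Running it shows the trade-off the thread describes: with nonce_count on, proxy A accepts nc=1 and nc=2 but rejects the repeated nc=1, and proxy B re-challenges a perfectly authentic nonce simply because the counter state is not shared; with nonce_count off, proxy C accepts the same nonce on the strength of the shared secret alone, and a forged nonce is refused everywhere.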