Iñaki Baz Castillo schrieb:
2009/7/16 Klaus Darilion
<klaus.mailinglists(a)pernau.at>at>:
Hi!
I really wonder if the nonce_reuse protection feature is useful and if
anybody uses it without problems.
One problem I have is with retransmission: e.g:
----INV1 --->
<---407------
----ACK----->
----INV2------>
here happens a delay to the INVITE (e.g. jam in the access uplink,
SIP proxy slow, ... whatever) which causes a retransmission of the INVITE
----INV3------> (retransmission of INV2)
the proxy processes INV2, authenticates the user successful and forwards
the requests
then the proxy processes INV3, finds out that the nonce is reused and
sends back 407 --> client gives up, but the request was also forwarded
by the proxy :-(
Yes, that occurs if no transaction was already created.
How do you handle such a scenario? Do you always
create the transaction
before authentication?
Creating the transaction before authentication could be dangerous (DOS
attacks). I suggest to create the transaction manually *just* after
authentication (before t_relay and previous routing logic accessing to
DB and so).
Yes. Because that would require to handle also registrations
transaction-stateful.
One other
thing I just found out is that reuse-check is done after
successful authentication - shouldn't it be done the other way round?
True. However, to anounce "stale=true" in 401/407 response the
credentials must be verified.
It would be sufficient to check if the nonce is reused, response
calculation could be done afterwards
Imagine that a phone sends a request with an already
used nonce (very
common behaviour) and the proxy replies 401/401 without "stale"
parameter. Then the phone could understand that the user/password are
wrong and wouldn't try to authenticate again.
"stale" parameter in 401/407 means that the credentials are valid
(user, password and nonce are valid) but the nonce already expired in
the server so the client must create a new credentials with the new
nonce received in the 401/407.
yes.
IMO disabling nonce-reuse does not get you much security benefits, just
increased SIP traffic. Thus nonce-reuse should be enabled by default.
regards
klaus