[Kamailio-Devel] nonce checking in auth module

Victor Pascual Ávila victor.pascual.avila at gmail.com
Tue Aug 5 18:44:25 CEST 2008


On Tue, Aug 5, 2008 at 6:37 PM, Johansson Olle E <oej at edvina.net> wrote:
>
> 5 aug 2008 kl. 18.19 skrev Daniel-Constantin Mierla:
>
>> I am not sure how many followed the evolution of the auth module during
>> this development cycle. So I am going to present the situation shortly.
>> Starting with revision 4294, auth module is doing nonce reusing checking.
>>
>> http://openser.svn.sourceforge.net/viewvc/openser?view=rev&revision=4294
>>
>> The improvement is very good from security point of view but will have
>> performance impact. The issue I am seeing is the inability to control
>> this feature via a parameter, so will be done all the time. I don't know
>> if it is only me, but I am using in some setups short registration time
>> to ensure that pinholes in the nat routers. Re-usage of the nonce was
>> good as registrations were not challenged for the nonce expiration time
>> (this is controlled by a module parameter), not loading that much the
>> server.
>>
>> Might be late now, but my question is, does someone else see a good
>> thing in the ability to control nonce re-usage checking via module
>> parameter?
>
> I think that this has to be configurable, to be able to set level of
> security you want. In some cases, I can think of situations where
> I don't want any nonce-reuse at all, I want a fresh challenge for
> every transaction.

Exactly, it should be configurable.

Cheers,
-- 
Victor Pascual Ávila
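
The trade-off raised in this thread, as an added example that is not part of the original messages and is not code from the auth module: a toy nonce table with a hypothetical policy switch, counting how many challenges one client triggers when it re-registers every 30 s against a 300 s nonce lifetime. All names and values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NONCE_SLOTS 64
/* Hypothetical policy switch standing in for the module parameter discussed. */
enum reuse_policy { ALLOW_REUSE, ONE_TIME_NONCE };
struct nonce_slot { long id; long issued_at; bool used; };
struct nonce_table {
    enum reuse_policy policy;
    long expire, next_id;              /* nonce lifetime in seconds; id counter */
    struct nonce_slot slot[NONCE_SLOTS];
};
void nt_init(struct nonce_table *t, enum reuse_policy policy, long expire) {
    memset(t, 0, sizeof(*t));
    t->policy = policy; t->expire = expire;
    for (int i = 0; i < NONCE_SLOTS; i++) t->slot[i].id = -1;
}
/* Issue a nonce id; a real server would also bind it to a keyed hash. */
long nt_issue(struct nonce_table *t, long now) {
    long id = t->next_id++;
    struct nonce_slot *s = &t->slot[id % NONCE_SLOTS];
    s->id = id; s->issued_at = now; s->used = false;
    return id;
}
/* Accept unless the nonce is unknown, expired, or (one-time policy) replayed. */
bool nt_check(struct nonce_table *t, long id, long now) {
    if (id < 0) return false;
    struct nonce_slot *s = &t->slot[id % NONCE_SLOTS];
    if (s->id != id || now - s->issued_at >= t->expire) return false;
    if (t->policy == ONE_TIME_NONCE && s->used) return false;
    s->used = true;
    return true;
}
/* One client re-REGISTERs every `interval` s; count the challenges it triggers. */
int count_challenges(enum reuse_policy policy, long expire, long interval, long duration) {
    struct nonce_table t;
    long nonce = -1;
    int challenges = 0;
    nt_init(&t, policy, expire);
    for (long now = 0; now < duration; now += interval) {
        if (nt_check(&t, nonce, now)) continue;  /* authenticated, no challenge */
        nonce = nt_issue(&t, now);               /* challenge with a fresh nonce */
        challenges++;
        nt_check(&t, nonce, now);                /* client retries and succeeds */
    }
    return challenges;
}
int main(void) {
    printf("reuse allowed:  %d challenges/hour\n", count_challenges(ALLOW_REUSE, 300, 30, 3600));
    printf("one-time nonce: %d challenges/hour\n", count_challenges(ONE_TIME_NONCE, 300, 30, 3600));
    return 0;
}
```

With reuse allowed the client is challenged only when its nonce expires; with one-time nonces every refresh costs an extra challenge round trip, which is the load difference the thread is weighing against replay protection.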

