[Kamailio-Users] nonce_reuse protection issues

Iñaki Baz Castillo ibc at aliax.net
Thu Jul 16 14:50:43 CEST 2009


2009/7/16 Klaus Darilion <klaus.mailinglists at pernau.at>:
> Hi!
>
> I really wonder if the nonce_reuse protection feature is useful and if
> anybody uses it without problems.
>
> One problem I have is with retransmission: e.g:
>
> ----INV1 --->
> <---407------
> ----ACK----->
>
> ----INV2------>
>   here a delay happens to the INVITE (e.g. jam in the access uplink,
> SIP proxy slow, ... whatever) which causes a retransmission of the INVITE
>
> ----INV3------> (retransmission of INV2)
>
> the proxy processes INV2, authenticates the user successfully and forwards
> the request
>
> then the proxy processes INV3, finds out that the nonce is reused and
> sends back 407 --> client gives up, but the request was also forwarded
> by the proxy :-(

Yes, that occurs if no transaction was already created.



> How do you handle such a scenario? Do you always create the transaction
> before authentication?

Creating the transaction before authentication could be dangerous (DoS
attacks). I suggest creating the transaction manually *just* after
authentication (before t_relay and the preceding routing logic that
accesses the DB and so on).



> One other thing I just found out is that reuse-check is done after
> successful authentication - shouldn't it be done the other way round?

True. However, to announce "stale=true" in the 401/407 response the
credentials must be verified.
Imagine that a phone sends a request with an already used nonce (very
common behaviour) and the proxy replies 401/407 without the "stale"
parameter. Then the phone could understand that the user/password are
wrong and wouldn't try to authenticate again.
The "stale" parameter in 401/407 means that the credentials are valid
(user, password and nonce are valid) but the nonce already expired in
the server, so the client must create new credentials with the new
nonce received in the 401/407.



-- 
Iñaki Baz Castillo
<ibc at aliax.net>
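The two points above (create the transaction right after authentication so a retransmission is absorbed instead of re-challenged, and verify the credentials before the nonce so that a 407 without "stale" really means bad user/password) can be played through in a small model. The following Python is an added example written for this page, not Kamailio code; the realm, the subscriber table, the "nonce-0001" style nonces and the (Call-ID, CSeq) transaction key are all constructed for the illustration, and the digest is RFC 2617 without qop.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: one subscriber in a made-up realm.
REALM = "example.com"
SUBSCRIBERS = {"alice": "s3cret"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest response without qop (the form the phones in the thread send)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


@dataclass
class Proxy:
    fresh_nonces: set = field(default_factory=set)   # issued and not yet consumed
    transactions: set = field(default_factory=set)   # (Call-ID, CSeq) already in progress
    forwarded: list = field(default_factory=list)
    _counter: int = 0

    def _challenge(self, stale: bool):
        self._counter += 1
        nonce = f"nonce-{self._counter:04d}"   # constructed; a real proxy derives a random nonce from a secret
        self.fresh_nonces.add(nonce)
        return ("407", {"nonce": nonce, "stale": stale})

    def handle_invite(self, req: dict):
        key = (req["call_id"], req["cseq"])
        # 1. A retransmission of a request that already has a transaction is absorbed
        #    (what t_check_trans() does), so it never reaches the nonce-reuse check.
        if key in self.transactions:
            return ("absorbed", None)
        creds = req.get("auth")
        if creds is None:
            return self._challenge(stale=False)
        # 2. Verify user and password first: a 407 without stale must mean bad credentials.
        password = SUBSCRIBERS.get(creds["username"])
        if password is None or creds["response"] != digest_response(
            creds["username"], password, "INVITE", req["uri"], creds["nonce"]
        ):
            return self._challenge(stale=False)
        # 3. Only now check the nonce. Credentials are known good, so a consumed nonce is
        #    reported with stale=true: retry with the new nonce and the same password.
        if creds["nonce"] not in self.fresh_nonces:
            return self._challenge(stale=True)
        self.fresh_nonces.discard(creds["nonce"])
        # 4. Create the transaction immediately after authentication (t_newtran()), before
        #    any further routing logic or DB lookups that could delay the forwarding.
        self.transactions.add(key)
        self.forwarded.append(key)
        return ("forwarded", None)


def client_auth(user: str, password: str, uri: str, nonce: str) -> dict:
    """What the phone puts in Proxy-Authorization after a 407."""
    return {"username": user, "nonce": nonce,
            "response": digest_response(user, password, "INVITE", uri, nonce)}


def run_scenario() -> dict:
    """Replays the INV1 / 407 / INV2 / INV3 exchange from the thread plus the two 407 cases."""
    proxy = Proxy()
    uri = "sip:bob@example.com"
    inv1 = {"call_id": "c1", "cseq": 1, "uri": uri}
    status, hdr = proxy.handle_invite(inv1)          # 407 with a fresh nonce
    out = {"inv1": status}
    inv2 = dict(inv1, cseq=2, auth=client_auth("alice", "s3cret", uri, hdr["nonce"]))
    out["inv2"] = proxy.handle_invite(inv2)[0]       # authenticated and forwarded
    out["inv3"] = proxy.handle_invite(inv2)[0]       # retransmission: absorbed, not 407
    # Wrong password with that nonce: 407 without stale, even though the nonce is spent.
    bad = dict(inv1, cseq=3, auth=client_auth("alice", "wrong", uri, hdr["nonce"]))
    s, h = proxy.handle_invite(bad)
    out["bad_password"] = (s, h["stale"])
    # Right password but the nonce was already consumed by INV2: 407 with stale=true.
    reuse = dict(inv1, cseq=4, auth=client_auth("alice", "s3cret", uri, hdr["nonce"]))
    s, h = proxy.handle_invite(reuse)
    out["nonce_reuse"] = (s, h["stale"])
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:>13}: {result}")
```

Swapping steps 2 and 3 would make the "bad_password" case come back with stale=true, which is exactly the misleading answer the message warns about; moving step 4 before step 2 would create state for every unauthenticated INVITE, which is the DoS concern.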
