<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
<div class="moz-cite-prefix">On 6/8/12 4:24 PM,
<a class="moz-txt-link-abbreviated" href="mailto:patrice.bodeven@orange.com">patrice.bodeven@orange.com</a> wrote:<br>
</div>
<blockquote
cite="mid:22538_1339165484_4FD20B2C_22538_2819_1_F51524208B2244439FE9395DA60B7EB6010FCB@PEXCVZYM14.corporate.adroot.infra.ftgroup"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hello, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">I am trying to understand the
nonce count handling.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">With the parameter
“modparam("auth", "nonce_expire", 21600)” I can define the
validity of the nonce in time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But I also want to
define the validity of the nonce in number of uses. For
example, I want to limit the reuse of the nonce to 64 times
(including REGISTER, INVITE)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">But I can see the
definition of the nonce_count for all the SIP users on
Kamailio and not user per user.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">If I understand correctly, when I
use <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
lang="EN-US">modparam("auth", "nonce_count", 1) # enable
nonce_count support
<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
lang="EN-US">modparam("auth", "nc_array_order", 20) #
1M in-flight nonces, using 1Mb memory<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
lang="EN-US">modparam("auth", "nid_pool_no", 4)<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US">I define a memory to
store the nonce values for all the SIP users.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So when User A uses nonce
x for REGISTER and nonce y for INVITE, nonce x is still
valid!
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Is my understanding correct?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Is there any way to define a
nonce validity in number of times per user?</span></p>
</div>
</blockquote>
nid_pool_no defines more sets of nonces, which allows better
concurrency. nonce_count is about handling the nc parameter, which is set
by the client for qop -- if you look in the RFC for WWW digest
authentication, you may get a better picture of these parameters.<br>
Afaik, there is no way to set the number of valid times for a nonce
per user, it's only a time-based option. One-time nonce means that the
nonce is rendered invalid when used even if it is still valid from a time
point of view (better security, avoiding replay attacks).<br>
<br>
Cheers,<br>
Daniel<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio Advanced Training, Seattle, USA, Sep 23-26, 2012 - <a class="moz-txt-link-freetext" href="http://asipto.com/u/katu">http://asipto.com/u/katu</a>
Kamailio Practical Workshop, Netherlands, Sep 10-12, 2012 - <a class="moz-txt-link-freetext" href="http://asipto.com/u/kpw">http://asipto.com/u/kpw</a></pre>
<br>
<br>
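The checks discussed in this thread (time-based nonce expiry, nc tracking for qop, one-time nonces), modelled generically as an added example that is not part of the original messages and is not Kamailio code. It assumes the digest response itself has already been verified; the class name, return strings and the max_uses cap are hypothetical (max_uses is not a Kamailio parameter), and the nonce values used with it are constructed.

```python
# Added illustration: generic model of digest nonce / nc checks, not Kamailio source.
import time


class NonceTable:
    """Tracks issued nonces: issue time and the highest nc accepted for each."""

    def __init__(self, nonce_expire=21600, one_time=False, max_uses=None):
        self.nonce_expire = nonce_expire  # seconds, same meaning as nonce_expire in the thread
        self.one_time = one_time          # nonce becomes invalid after its first use
        self.max_uses = max_uses          # hypothetical per-nonce cap, not a Kamailio option
        self._seen = {}                   # nonce -> (issued_at, last_nc)

    def issue(self, nonce, now=None):
        """Record a nonce handed out in a challenge."""
        self._seen[nonce] = (time.time() if now is None else now, 0)

    def check(self, nonce, nc_hex, now=None):
        """Classify one request: 'ok', 'unknown', 'stale', 'replay' or 'malformed'."""
        now = time.time() if now is None else now
        entry = self._seen.get(nonce)
        if entry is None:
            return "unknown"              # never issued, or already invalidated
        issued_at, last_nc = entry
        if now - issued_at > self.nonce_expire:
            del self._seen[nonce]
            return "stale"                # expired in time: re-challenge the client
        try:
            nc = int(nc_hex, 16)          # nc travels as hex digits, e.g. 00000001
        except ValueError:
            return "malformed"
        if nc <= last_nc:
            return "replay"               # nc must strictly increase per nonce
        if self.max_uses is not None and nc > self.max_uses:
            del self._seen[nonce]
            return "stale"                # use budget exhausted: force a new nonce
        if self.one_time:
            del self._seen[nonce]         # valid in time, but never accepted again
        else:
            self._seen[nonce] = (issued_at, nc)
        return "ok"
```

Because nc must strictly increase, rejecting nc values above the cap bounds the number of accepted requests per nonce even if the client skips counter values.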
</body>
</html>