- auth update

Andrei Pelinescu-Onciul authored on 10/07/2008 17:11:03
Showing 1 changed files
... ...
@@ -14,8 +14,11 @@ modules:
14 14
                           expression.
15 15
  - avp       - export new selects table to allow dissecting the content of an
16 16
                attribute by interpreting it as a "name-addr" value 
17
- - auth      - experimental support for nc checking when qop=auth
18
-               (fast, non-locking implementation, see nonce-count, 
17
+ - auth      - experimental support for one-time nonces: when enabled a nonce
18
+               will be accepted only for one response (each new request will
19
+               be challenged). See one_time_nonce.
20
+             - experimental support for nc checking when qop=auth
21
+               (fast, non-locking implementation, see nonce_count, 
19 22
                 nc_array_size, nc_array_order and nid_pool_no) 
20 23
              - switched to base64 nonces
21 24
              - record nonce generation time inside the nonce so that a 
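Review bot: the new one_time_nonce bullet in this hunk should carry the stateful-mode (tm) requirement and the retransmission caveat here as well, not only in the params section further down, because the NEWS summary is what operators read first and with the feature on every retransmission is re-challenged; a short "stateful mode only, retransmissions are challenged" would do. The cross-reference in the nc-checking bullet now says nonce_count instead of nonce-count, which matches the parameter name documented below, good. The trailing whitespace after "see nonce_count, " is carried over from the replaced line and could be dropped while the line is being touched.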
... ...
@@ -25,20 +28,43 @@ modules:
25 28
              - added extra authentication checks support, to protect
26 29
                against various reply attacks.
27 30
              - params:
28
-                       - nonce-count - if enabled and qop=auth or 
31
+                       - one_time_nonce - if enabled each nonce is allowed 
32
+                          only once => each new request (including 
33
+                          retransmissions!) will be challenged. It should be
34
+                          used only in stateful mode (so that tm deals with
35
+                          the retransmissions). The major disadvantage is that
36
+                          the UA won't be able to used any cached credentials
37
+                          (=> extra messages, extra round trips, more work for
38
+                           the proxy)
39
+                       - otn_in_flight_no - maximum number of in-flight nonces
40
+                          for one-time-nonces. It must be a number of the form
41
+                          2^k (if not it will be automatically rounded down).
42
+                          The memory used will be otn_in_flight_no/8
43
+                       - otn_in_flight_order - like otn_in_flight_no, but 
44
+                          instead of specifying the number as 2^k, it directly
45
+                          sets k (otn_in_flight_no=2^otn_in_flight_order)
46
+                       - nonce_count - if enabled and qop=auth or 
29 47
                           qop=auth-int, store and check received nc values
30
-                          (for details see rfc2617 and auth/doc)
48
+                          (for details see rfc2617 and auth/doc). It should be
49
+                          used only in stateful mode (so that tm deals with
50
+                          the retransmissions which would otherwise be 
51
+                          challenged). The major advantage is greatly 
52
+                          enhanced security (extremely small probability of
53
+                          a succesfull replay attack) combine with support
54
+                          for cached credentials (if the UAs do support qop 
55
+                          and auth)
31 56
                        - nc_array_size - size of the array used for storing
32 57
                           nc values, default 1Mb. It will be rounded down to
33 58
                           a 2^k value. It represents the maximum number of
34
-                          in-flight nonces supported.
59
+                          in-flight nonces supported
35 60
                        - nc_array_order - equivalent to nc_array_size, but 
36 61
                           instead of specifying the size in bytes, it can 
37 62
                           be used to directly set the power of 2 used
38 63
                           (nc_array_size=2^nc_array_order)
39
-                       - nid_pool_no - number of nc array partitions, useful
40
-                          for increasing performance on multi-cpu systems
41
-                          (default 1, recommended 4)
64
+                       - nid_pool_no - number of nc and one-time-nonce array 
65
+                          and index partitions, useful for increasing 
66
+                          performance on multi-cpu systems (default 1,
67
+                          recommended 4)
42 68
                        - auth_extra_checks - flags specifying which extra
43 69
                           message part/parts will be checked for change before
44 70
                           allowing nonce reuse. See the auth module docs for
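Review bot: the otn_in_flight_no memory figure "otn_in_flight_no/8" has no unit; state "bytes" (one bit per in-flight nonce) so it can be compared with nc_array_size, whose "default 1Mb" should itself say "1 MB" or "bytes" to avoid a megabit reading. Neither otn_in_flight_no nor nc_array_size says what happens when more nonces are in flight than the array holds (are the oldest entries invalidated, so that a still-pending legitimate request is re-challenged?); one sentence on the overflow behaviour would let operators size these parameters against their request rate. Typos in the added text: "won't be able to used any cached credentials" should read "use", "succesfull" should read "successful", and "combine with support" should read "combined with support"; the unchanged context line "reply attacks" above the params list should also read "replay attacks".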