
On Mon, Sep 20, 2010 at 8:09 PM, Alex Balashov <abalashov at evaristesys.com> wrote:
> On 09/20/2010 08:47 PM, James Hess wrote:
>> It might be useful to think about possible deprecation of the use of UDP for registration, or at least the requiring of a firm bidirectional acknowledgement with nonce (as in an authenticated request/acknowledgement), before a registration "attempt" can be regarded to fail or succeed.
> "Firm bidirectional acknowledgment" is already required in an authenticated REGISTER sequence:
Yes, I think the problem is with authentication failures, not successes. Implementations might flag a failure at step 1, before any round trip has occurred. The 'spoofer' may simply reply with a bogus digest. Either way, afaict, the spoofer never needs to see the challenge to submit a register that will produce an authentication failure (may even be intended to produce an auth failure as part of the distraction). The implementation that received the spoof message sees REGISTER + (incorrect digest) which doesn't reveal that the attacker never saw the challenge. -- -J
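As an added illustration (not code from this thread or any SIP stack), a toy registrar in Python that applies the distinction above: a REGISTER whose nonce the server never issued proves no round trip, so it is re-challenged rather than logged as a failed authentication; only a wrong digest against a live nonce is counted. The realm, users, addresses and the binding of a nonce to the address it was sent to are constructed assumptions.

```python
import hashlib
import secrets
import time

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest (no qop), the form most SIP stacks accept for REGISTER."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Toy registrar (constructed example): remembers the nonces it issued so it
    can tell a spoofed REGISTER (nonce never issued) from a real wrong password."""
    def __init__(self, realm, users, nonce_ttl=30):
        self.realm, self.users, self.ttl = realm, users, nonce_ttl
        self.issued = {}  # nonce -> (time issued, source address challenged)

    def challenge(self, src):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = (time.time(), src)
        return nonce  # would go out in the WWW-Authenticate header of the 401

    def classify(self, src, auth):
        """Decide how a REGISTER carrying an Authorization header is logged."""
        rec = self.issued.pop(auth["nonce"], None)  # nonces are single use
        if rec is None or time.time() - rec[0] > self.ttl or rec[1] != src:
            # No completed round trip: the sender may never have seen the
            # challenge, so the source address is unverified. Re-challenge and
            # do not count this against src (counting it would let a spoofer
            # get a third party's address blocked).
            return "rechallenge"
        pw = self.users.get(auth["username"])
        expected = digest_response(auth["username"], self.realm, pw, "REGISTER",
                                   auth["uri"], auth["nonce"]) if pw is not None else None
        if expected is not None and secrets.compare_digest(expected, auth["response"]):
            return "ok"
        # The sender echoed a nonce we sent to src, so src really is reachable:
        # this failure is attributable and may feed rate limiting or lockout.
        return "auth_failure"

def auth_header(user, uri, nonce, response):
    """Minimal stand-in for a parsed Authorization header (constructed)."""
    return {"username": user, "uri": uri, "nonce": nonce, "response": response}
```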