- added support for extra authentication checks along with comments explaining

  what is checked when and why. Disabled by default.

etc/ser-oob.cfg

@@ -307,6 +307,30 @@ modparam("registrar", "save_nat_flag", "FLAG_NAT")
 #modparam("auth_db", "password_column", "password")
 # minimize replay-attack window
 modparam("auth", "nonce_expire", 10)
+
+# Enable/disable extra authentication checks using the following modparams.
+# The values are: 1:Request-URI, 2:Call-ID, 4: From tag, 8:source IP
+# The options are disabled by default.
+
+# For REGISTER requests we hash the Request-URI, Call-ID, and source IP of the
+# request into the nonce string. This ensures that the generated credentials
+# cannot be used with another registrar, user agent with another source IP
+# address or Call-ID. Note that user agents that change Call-ID with every
+# REGISTER message will not be able to register if you enable this.
+#modparam("auth", "auth_checks_register", 11)
+
+# For dialog-establishing requests (such as the original INVITE, OPTIONS, etc)
+# we hash the Request-URI and source IP. Hashing Call-ID and From tags takes
+# some extra precaution, because these checks could render some UA unusable.
+#modparam("auth", "auth_checks_no_dlg", 9)
+
+# For mid-dialog requests, such as re-INVITE, we can hash source IP and
+# Request-URI just like in the previous case. In addition to that we can hash
+# Call-ID and From tag because these are fixed within a dialog and are
+# guaranteed not to change. This settings effectively restrict the usage of
+# generated credentials to a single user agent within a single dialog.
+#modparam("auth", "auth_checks_in_dlg", 15)
+
 # deal with client's who can't do qop properly
 modparam("auth", "qop", "")
 #DEBCONF-AUTHSECRET-START