Thread: RFC3261 issue: no integrity protection for ACK

user name (Netherlands)
2007-06-27 01:57:44
RFC3261 section 22.1 states:

   Under an authentication scheme that uses responses to carry values
   used to compute nonces (such as Digest), some problems come up for
   any requests that take no response, including ACK.  For this reason,
   any credentials in the INVITE that were accepted by a server MUST be
   accepted by that server for the ACK.  UACs creating an ACK message
   will duplicate all of the Authorization and Proxy-Authorization
   header field values that appeared in the INVITE to which the ACK
   corresponds.  Servers MUST NOT attempt to challenge an ACK.

This means that integrity cannot be verified for the original request URI or
any body (e.g. in the case of an offerless INVITE scenario) for ACKs. It also
means that proxies and UASs need to maintain state in order to authenticate
ACKs. Even though ACK cannot be challenged, it would still be possible for the
UAC to calculate a digest as usual, using the same username/password as the
INVITE and the same nonce.

Is this an omission, or is there any reason why this is done the way it is?

Regards,
Jeroen 
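The two ways of authenticating an ACK that the post contrasts, as an added example (not code from the post or from any SIP stack): it computes the RFC 3261 section 22.4 Digest response (RFC 2617 MD5, no qop) and shows what a server can and cannot verify from credentials copied verbatim from the INVITE versus a digest computed for the ACK itself with the same nonce. The username, realm, password, nonce and URIs are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; a real nonce comes from the server's 401/407 challenge.
USERNAME, REALM, PASSWORD = "alice", "example.com", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
INVITE_URI = "sip:bob@example.com"
ACK_URI = "sip:bob@192.0.2.10"   # e.g. the UAS Contact used as Request-URI of a 2xx ACK


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 'response' with algorithm=MD5 and no qop: MD5(HA1:nonce:HA2).
    HA2 covers only the method and digest-uri; without qop=auth-int the body is not covered."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def authorization_params(method, request_uri):
    """Authorization header parameters a UAC would place on a request."""
    return {"username": USERNAME, "realm": REALM, "nonce": NONCE, "uri": request_uri,
            "response": digest_response(USERNAME, REALM, PASSWORD, method, request_uri, NONCE)}


def server_verifies(params, method, request_uri):
    """Server-side check: digest-uri must equal the Request-URI on the wire and the
    response must match a fresh computation over `method`."""
    if params["uri"] != request_uri:
        return False
    expected = digest_response(params["username"], params["realm"], PASSWORD,
                               method, params["uri"], params["nonce"])
    return hmac.compare_digest(expected, params["response"])


def ack_scenarios():
    """Outcomes for an ACK carrying copied INVITE credentials vs. a digest computed for the ACK."""
    copied = dict(authorization_params("INVITE", INVITE_URI))  # section 22.1: duplicated verbatim
    fresh = authorization_params("ACK", ACK_URI)                # the post's alternative, same nonce
    return {
        # The copy validates only when re-checked exactly as for the INVITE, so the server must
        # remember the INVITE's method/URI (state) and cannot bind the ACK's own Request-URI.
        "copied_checked_as_invite": server_verifies(copied, "INVITE", INVITE_URI),
        "copied_checked_as_ack": server_verifies(copied, "ACK", ACK_URI),
        # A digest computed for the ACK binds its method and Request-URI, statelessly.
        "fresh_checked_as_ack": server_verifies(fresh, "ACK", ACK_URI),
        "fresh_with_altered_request_uri": server_verifies(fresh, "ACK", "sip:other@example.com"),
    }
```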



_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
