"Paul Tidwell" <[EMAIL PROTECTED]> writes:

> One message can have multiple credentials. One for each proxy along the
> way, potentially. The UA_1 should include both Proxy credentials and the
> UA_2 in a single message. There is also the concept of a realm that is
> important. If all the nodes along the way are in the same realm, then only
> one set of credentials is necessary. This is not unique to RFC3265, but is
> covered by RFC3261 and RFC2617.

All correct, but there is one difference between proxy authentication
in SIP and HTTP (2617) worth noting.

In HTTP, proxy authentication is hop-by-hop, so given

    A ----- P1 ----- P2 ----- B

if P1 and P2 are HTTP proxies that require authentication, then when A
sends a request to B it gets challenged by P1, but when the resent
request is challenged by P2, that challenge must be handled by P1 - it
is P1 that is authenticating to P2, not A:

    A ------- P1 ------ P2 ------ B
    |--req1-->|         |         |
    |<--407---|         |         |
    |--req2-->|         |         |
    |         |--req2-->|         |
    |         |<--407---|         |
    |         |--req3-->|         |
    |         |         |--req3-->|

Both resent requests (req2 and req3) have only one Proxy-Authorization
header (proxies strip that header before forwarding the message).

In SIP, authentication is always of the originator, so getting through
2 proxies that challenge looks different:

    A ------- P1 ------ P2 ------ B
    |--req1-->|         |         |
    |<--407---|         |         |
    |--req2-->|         |         |
    |         |--req2-->|         |
    |         |<--407---|         |
    |<--407---|         |         |
    |--req3-->|         |         |
    |         |--req3-->|         |
    |         |         |--req3-->|

The third time A sends the request (req3), it has 2 Proxy-Authorization
headers, one for P1 and one for P2.

--
Scott Lawrence
Pingtel Corp.

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
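
The SIP flow described above, from A's side, as an added example that is not part of the original post: the originator keeps every proxy challenge it has received and answers all of them with RFC 2617 Digest, so req2 carries one Proxy-Authorization header and req3 carries two. The realms, nonces, user names, passwords and the `Originator` class are constructed for illustration, and the headers use the qop-less digest form for brevity.

```python
import hashlib
import re

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_challenge(value):
    """Parse a Proxy-Authenticate header value into its Digest parameters."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or token for k, quoted, token in pairs}

def digest_response(user, password, realm, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; the qop-less form is used when qop is None."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Originator:
    """UA 'A': remembers every proxy challenge and answers all of them."""
    def __init__(self, credentials):
        self.credentials = credentials   # realm -> (user, password)
        self.challenges = {}             # realm -> parsed challenge
    def on_407(self, proxy_authenticate):
        ch = parse_challenge(proxy_authenticate)
        if ch["realm"] not in self.credentials:
            raise LookupError("no credentials for realm " + ch["realm"])
        self.challenges[ch["realm"]] = ch   # a newer nonce replaces the old
    def proxy_authorization(self, method, uri):
        """One Proxy-Authorization header per challenged realm (qop-less)."""
        out = []
        for realm, ch in self.challenges.items():
            user, pw = self.credentials[realm]
            resp = digest_response(user, pw, realm, ch["nonce"], method, uri)
            out.append(f'Proxy-Authorization: Digest username="{user}", '
                       f'realm="{realm}", nonce="{ch["nonce"]}", '
                       f'uri="{uri}", response="{resp}"')
        return out

# Constructed sample data: realms, nonces, users and passwords are made up.
ua = Originator({"p1.example.com": ("alice", "pw-for-p1"),
                 "p2.example.com": ("alice", "pw-for-p2")})
ua.on_407('Digest realm="p1.example.com", nonce="n1-constructed"')   # 407 from P1
req2 = ua.proxy_authorization("INVITE", "sip:b@example.com")
ua.on_407('Digest realm="p2.example.com", nonce="n2-constructed"')   # 407 from P2
req3 = ua.proxy_authorization("INVITE", "sip:b@example.com")
```

If P1 and P2 shared a realm, the second challenge would replace the first entry and req3 would carry a single header, matching the point about realms in the quoted message.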
