I have some concerns about ACK authorization on behalf of a proxy. I read the corresponding thread at sip wg [1], but I still need your advice, guys :)
1) For 2xx ACKs: since authorization headers are copied from INVITEs, the record-routing proxy needs to keep a state of them if auth-int qop is used (because a body is involved in auth-int calculation and it can be changed in ACK). A simple solution I see is not to use auth-int by the proxy and, thus, recompute ACKs on the fly (with method replacement). Am I right? Are there any other solutions? 2) For outgoing non-2xx ACKs: the RFC 3261 says: "UACs creating an ACK message will duplicate all of the Authorization and Proxy-Authorization header field values that appeared in the INVITE to which the ACK corresponds." But this cannot be done by the UAC core since non-2xx ACKs are handled by the client transaction and section "17.1.13 Construction of the ACK Request" doesn't say anything about *-Authorization headers duplication. So what is the best practice to implement this? I think they should be copied by the transaction layer to avoid code overhead in an UAC core. 3) For incoming non-2xx ACKs: how is it possible to authenticate them in stateful mode, i.e. in the transaction layer. Does it make sense to authenticate them after all? I'm asking about best practice again :) [1] http://www.ietf.org/mail-archive/web/sip/current/msg11577.html -- Regards, Evgeniy Khramtsov, ProcessOne. xmpp:[email protected]. _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
