Hi, I was going through RFC 4474 and noticed that it has some trouble dealing with authentication of REQUEST and CANCEL messages. Has anyone gone through RFC 4474 and noticed why REQUEST and CANCEL messages cannot be authenticated by the method suggested in RFC 4474?

RFC 4474 says, p. 16:

> Note, in the table above, that this mechanism does not protect the CANCEL method. The CANCEL method cannot be challenged, because it is hop-by-hop, and accordingly authentication service behavior for CANCEL would be significantly limited. Note as well that the REGISTER method uses Contact header fields in very unusual ways that complicate its applicability to this mechanism, and the use of Identity with REGISTER is consequently a subject for future study, although it is left as optional here for forward-compatibility reasons. The Identity and Identity-Info header MUST NOT appear in CANCEL.

An unauthenticated CANCEL message can only be a threat for a certain duration after the REQUEST message has been sent and before the ACK arrives, so it might be less of a threat. But an unauthenticated REQUEST message can cause a potential problem. The RFC states that REQUEST uses Contact headers in unusual ways; as far as I know, it just has the From and To headers the same. But why is this causing a problem in applying this technique to it?

Any help would be appreciated.

Regards,
Vineet Menon

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
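To make the quoted RFC text concrete, here is an added example (not from the post or from any SIP stack) that builds the RFC 4474 digest-string an authentication service signs, and applies the validator-side rule that Identity must not appear in CANCEL. The INVITE is a constructed sample; the string binds exactly one Contact addr-spec, which is where REGISTER's multiple or wildcard Contact values stop fitting the mechanism.

```python
import hashlib
import re

# Constructed sample INVITE (not from the post); CRLF line endings as on the wire.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@pc33.example.com>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def header(msg, name):
    """Return the first value of a SIP header (case-insensitive), or '' if absent."""
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name.lower():
            return value.strip()
    return ""

def addr_spec(value):
    """RFC 4474 signs only the addr-spec: display-name and header params are dropped."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def digest_string(msg):
    """RFC 4474 section 9 digest-string: From | To | Call-ID | CSeq | Date | Contact | body."""
    body = msg.split("\r\n\r\n", 1)[1]
    return "|".join([
        addr_spec(header(msg, "From")), addr_spec(header(msg, "To")),
        header(msg, "Call-ID"), header(msg, "CSeq"), header(msg, "Date"),
        addr_spec(header(msg, "Contact")), body,
    ])

def signing_input(msg):
    """SHA-1 of the digest-string; the RSA signature over it by the service key is not shown."""
    return hashlib.sha1(digest_string(msg).encode()).hexdigest()

def verifier_accepts_identity(msg):
    """Validator rule from the quoted RFC text: Identity / Identity-Info MUST NOT appear in CANCEL."""
    method = msg.split(" ", 1)[0]
    has_identity = bool(header(msg, "Identity")) or bool(header(msg, "Identity-Info"))
    return not (method == "CANCEL" and has_identity)
```

Because CSeq (method included) and Contact are inside the signed string, the same signature cannot be reused for a different method or a different contact address, which is what the table in the RFC is getting at.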
