> >Basically, you can't use the normal SIP authentication procedures
> >with CANCEL, since -- as you point out -- if you're challenged,
> >there's no room to manoeuvre.  I would say the only possible
> >responses to a CANCEL are 200, 481, 400 (because it was garbled),
> >or 500 (because it got the server very upset for some bizarre
> >reason).
> 
> Here again the question still remains: how do you authorize the
> CANCEL requests? Do you ignore the CANCEL (without authorization
> in it) if authentication is required for the same? Are CANCELs
> in such cases expected with Authorization in it, which
> otherwise is ignored by just responding with 200 etc. responses?

No, I'm saying you can't use normal SIP authentication in
tandem with CANCEL.

Cancelling is done hop-by-hop, which means that any
Authentication/Authorization headers will be lost.

I guess you could effectively ignore the CANCEL, and return
403, or something, but I'm not sure I like that.

Maybe the solution is to employ IPSec, or something like
that; but like I said, I'm no Security Expert.

Cheers,


 - Jo.

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
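
The behaviour discussed in this message, as an added example that is not part of the original post: a server answers a CANCEL with 200, 481 or 400 only and never challenges it. The `pending` table, the sample messages and the same-hop source check are assumptions of this example; the source address is only meaningful where the hop itself is protected, for instance by IPSec as the message suggests.

```python
import re

# Pending INVITE server transactions keyed by top Via branch, with the
# address of the hop each INVITE arrived from (constructed sample data).
pending = {"z9hG4bK74bf9": {"source": "192.0.2.10", "cancelled": False}}

def parse_request(raw: bytes):
    """Return (method, headers) or None if the message is garbled."""
    try:
        head = raw.decode("utf-8").split("\r\n\r\n", 1)[0].split("\r\n")
        method, _uri, version = head[0].split(" ")
        if version != "SIP/2.0":
            return None
        headers = {}
        for line in head[1:]:
            name, value = line.split(":", 1)
            # setdefault keeps the top-most occurrence of a repeated header
            headers.setdefault(name.strip().lower(), value.strip())
        return method, headers
    except (UnicodeDecodeError, ValueError):
        return None

def handle_cancel(raw: bytes, source: str) -> int:
    """Status code for a CANCEL. Never 401/407: a CANCEL cannot be resubmitted."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != "CANCEL":
        return 400  # garbled
    m = re.search(r";branch=(z9hG4bK[^;,\s]+)", parsed[1].get("via", ""))
    if m is None:
        return 400
    txn = pending.get(m.group(1))
    # Assumption of this example: a CANCEL arriving from a different hop than
    # the INVITE is answered as if no transaction matched, and cancels nothing.
    if txn is None or txn["source"] != source:
        return 481
    txn["cancelled"] = True
    return 200

def make_cancel(branch: str) -> bytes:
    """Build a constructed sample CANCEL for the given Via branch."""
    return (f"CANCEL sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}\r\n"
            f"Call-ID: a84b4c76e66710\r\n"
            f"CSeq: 314159 CANCEL\r\n\r\n").encode()
```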
