Problems with the Current Authentication Mechanism in the Session Initiation Protocol (SIP)

Pingtel Corp.
400 West Cummings Park, Suite 2200
Woburn MA 01801
US
+1 781 938 5306 x173
dworley@pingtel.com
http://www.pingtel.com
Transport SIP Authentication

The current authentication mechanism in the Session Initiation Protocol (SIP) is based on the originator of a request including an "Authorization" header containing authorization credentials. If an intermediate or destination SIP agent needs authorization credentials that are not present in the request, it returns an error response to the request, which the originator interprets as a demand to re-transmit the request with a suitable "Authorization" header included. This mechanism is sufficient for simple SIP architectures, but for many purposes it is insufficient. This document describes deficiencies in the current mechanism and discusses possible improvements.
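The challenge-and-retry exchange described above, as an added example that is not part of the original document: one intermediate and one destination agent each demand credentials, so the originator re-transmits the request twice. It assumes SIP's HTTP Digest scheme (RFC 2617, without qop); the `Agent` class, the `send` function and all realms, users and passwords are hypothetical.

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Agent:
    """Hypothetical proxy (407, Proxy-Authorization) or destination (401, Authorization)."""
    def __init__(self, realm, users, is_proxy):
        self.realm, self.users = realm, users
        self.status = 407 if is_proxy else 401
        self.header = "Proxy-Authorization" if is_proxy else "Authorization"
        self.nonces = set()  # issued by this agent only; never expired in this demo

    def check(self, method, uri, headers):
        """Return None to let the request pass, or a challenge for the originator."""
        cred = headers.get(self.header, {})
        password = self.users.get(cred.get("username"))
        if password is not None and cred.get("nonce") in self.nonces:
            expected = digest_response(cred["username"], self.realm, password,
                                       method, uri, cred["nonce"])
            if secrets.compare_digest(expected, cred.get("response", "")):
                return None
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return dict(status=self.status, header=self.header, realm=self.realm, nonce=nonce)

def send(method, uri, path, user, passwords, max_tries=4):
    """Originator: resend the whole request after each challenge; return the statuses seen."""
    headers, statuses = {}, []
    for _ in range(max_tries):
        challenge = None
        for agent in path:  # the request travels hop by hop until an agent objects
            challenge = agent.check(method, uri, headers)
            if challenge:
                break
        statuses.append(challenge["status"] if challenge else 200)
        if not challenge or challenge["realm"] not in passwords:
            return statuses
        realm, nonce = challenge["realm"], challenge["nonce"]
        resp = digest_response(user, realm, passwords[realm], method, uri, nonce)
        headers[challenge["header"]] = dict(username=user, realm=realm, nonce=nonce, response=resp)
    return statuses
```

With a path of one proxy `Agent` and one destination `Agent` and a password for each realm, `send` returns `[407, 401, 200]`: every agent that wants credentials costs the originator one more full round trip.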
Problems we run into:

- blocking of alternative forks when a higher priority path demands authentication
  - helped by retrying forks from the point of failure
- nonces generated by multiple agents in a domain
- authorization of legs, rather than dialogs: changing or adding authentication when a request is forwarded
- blanket permission nature of authorization
- differing levels of access for different authorizations (not solvable by 401)

SIP: Session Initiation Protocol