Cesc Santasusana writes:

For example, Kphone can resend an INV if challenged which contains the auth-data. On the other hand, if a kphone is the receiver of the INV, and it hangs up, kphone generates a BYE message which does NOT contain auth-data. Thus, ser will challlenge the kphone back, kphone will reply with a CANCEL and resend the BYE without (again) the auth-data, entering an endless loop. Ain't it funny?

bye is not initial request, but in-dialog request. it doesn't make sense to authenticate them, because you may not even know if the sender of bye is your local user or not.

for initial requests you always know this and thus can authenticate them.

-- juha