Cesc Santasusana writes:

Fair enough, but then what do you do against fake BYE messages? If you do not authenticate them somehow, anybody could sniff the INV message (and OK/ACK), take the needed fields, and tear down the session.

there is very little you can do to prevent that unless you use tls for signaling.

-- juha