Saying BYE also needs to be authenticated!
BYE sip:alice@pc33.atlanta.example.com SIP/2.0
Via: SIP/2.0/TLS 192.0.2.4;branch=z9hG4bKnashds10
Max-Forwards: 70
From: Bob <sip:bob@biloxi.example.org>;tag=a6c85cf
To: Alice <sip:alice@atlanta.example.com>;tag=1928301774
Date: Thu, 21 Feb 2002 14:19:51 GMT
Call-ID: a84b4c76e66710
CSeq: 231 BYE
Identity: "sv5CTo05KqpSmtHt3dcEiO/1CWTSZtnG3iV+1nmurLXV/HmtyNS7Ltrg9dlxkWzo
 eU7d7OV8HweTTDobV3itTmgPwCFjaEmMyEI3d7SyN21yNDo2ER/Ovgtw0Lu5csIp
 pPqOg1uXndzHbG7mR6Rl9BnUhHufVRbp51Mn3w0gfUs="
Identity-Info: <https://biloxi.example.org/biloxi.cer>;alg=rsa-sha1
Content-Length: 0
alg=rsa-sha1 is a new part of the RFC that was not in the earlier internet draft.
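Which fields the Identity signature on this BYE binds, as an added example that is not part of the original slides: RFC 4474 signs a digest-string built from From, To, Call-ID, CSeq, Date, Contact and the body, so a BYE forged for another dialog cannot reuse the signature. The helper names are assumptions, and the RSA check itself is left out because the certificate is not on the page.

```python
import re

# The BYE from the slide. The Identity value is omitted here because it is
# the signature over the digest-string, not an input to it.
BYE = (
    "BYE sip:alice@pc33.atlanta.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.4;branch=z9hG4bKnashds10\r\n"
    "Max-Forwards: 70\r\n"
    "From: Bob <sip:bob@biloxi.example.org>;tag=a6c85cf\r\n"
    "To: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "Date: Thu, 21 Feb 2002 14:19:51 GMT\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 231 BYE\r\n"
    "Identity-Info: <https://biloxi.example.org/biloxi.cer>;alg=rsa-sha1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse(msg):
    """Split a SIP message into a lower-cased header dict and the body."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def addr_spec(value):
    """URI inside <...> if present, otherwise the value minus header params."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def digest_string(msg):
    """RFC 4474 digest-string; Contact is empty when absent (as in a BYE)."""
    h, body = parse(msg)
    contact = addr_spec(h["contact"]) if "contact" in h else ""
    cseq = " ".join(h["cseq"].split())       # digits SP method
    return "|".join([addr_spec(h["from"]), addr_spec(h["to"]),
                     h["call-id"], cseq, h["date"], contact, body])

def signature_still_valid_for(original, modified):
    """True if the change left every signed field untouched."""
    return digest_string(original) == digest_string(modified)
```

A verifier recomputes this string from the received BYE and checks the Identity value against it with the key from the Identity-Info certificate; changing Call-ID, CSeq, Date, From or To invalidates the signature, while hop-by-hop headers such as Via are not covered.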
Transcript
[slide361] And as we said yesterday, it's really important that the BYE be authenticated so that a malicious user doesn't do a denial of service attack by just sending lots and lots and lots of BYEs, so it can use the same approach to prove, yes, it's really me that has sent the BYE message.