Security Considerations with Diameter
This memo does not describe a stand-alone protocol, but a particular application for the Diameter protocol [RFC3588]. Consequently, all the security considerations applicable to Diameter automatically apply to this memo. In particular, Section 13 of RFC 3588 applies to this memo.
This Diameter SIP application allows a Diameter client to use the properties of HTTP Digest authentication [RFC2617] by evaluating or sending to the Diameter server the credentials supplied by a user. The discussion of HTTP Digest authentication in Section 4 of RFC 2617 [RFC2617] is also applicable to this memo.
This Diameter SIP application also allows a Diameter client to use the properties of HTTP Digest authentication using AKA [RFC3310] by evaluating or sending to the Diameter server the credentials supplied by a user. Section 5 of RFC 3310 is also applicable to this memo.
14.1. Final Authentication Check in the Diameter Client/SIP Server

The Diameter SIP application can be configured to operate in a scenario where the final authentication check is performed in the Diameter client (SIP server). There are a number of security considerations associated with this mode; all of them are consequences of the requirement to transfer H(A1) from the Diameter server to the Diameter client:
o Both Diameter client and server must trust each other, such as when both client and server belong to the same administrative domain.
o To avoid eavesdroppers, the transport protocol between the Diameter client and server MUST be secured. RFC 3588 specifies TLS [RFC4346] and IPsec as possible transport protection mechanisms for Diameter.
Due to these security considerations, it is RECOMMENDED to configure the Diameter SIP application to operate in the mode where the final authentication check is performed in the Diameter server.
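The following Python is an added illustration, not code from RFC 4740 or from any Diameter implementation: it models both placements of the final Digest check and shows why H(A1) is the sensitive value that the transport between Diameter client and server has to protect. It assumes a constructed credential store, constructed nonce and cnonce values, and the qop=auth form of the request-digest from RFC 2617.

```python
import hashlib
import secrets

# Constructed sample credential store, held only by the Diameter server.
USER_DB = {("alice", "example.com"): "correct-horse-battery"}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: MD5(username:realm:password) (RFC 2617, 3.2.2.2)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth (RFC 2617, 3.2.2.1); only H(A1) is needed."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_in_diameter_client(ha1_from_server: str, method: str, uri: str,
                             nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Section 14.1 mode: the SIP server (Diameter client) received H(A1) over
    Diameter and performs the final check locally."""
    expected = digest_response(ha1_from_server, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def check_in_diameter_server(username: str, realm: str, method: str, uri: str,
                             nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """RECOMMENDED mode: the SIP server forwards the Digest parameters and the
    Diameter server, which alone holds the secret, performs the check."""
    password = USER_DB.get((username, realm))
    if password is None:
        return False
    expected = digest_response(h_a1(username, realm, password), method, uri,
                               nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def response_from_ha1_only(ha1: str, nonce: str) -> str:
    """What a party holding only H(A1), without the password, can produce for a
    fresh challenge: H(A1) is password-equivalent, which is why Section 14.1
    requires mutual trust and a protected transport when it is transferred."""
    return digest_response(ha1, "REGISTER", "sip:example.com", nonce,
                           "00000001", "0a4f113b")
```

Running the last function against the Diameter-server check shows that a leaked H(A1) is accepted for any future nonce, exactly the exposure the RECOMMENDED server-side mode avoids.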