Note - Unlike its usage within HTTP, the ProxyAuthenticateHeader must be passed upstream in the Response to the UAC. In SIP, only UAC's can authenticate themselves to proxies.
Proxies MUST NOT add values to the Proxy-Authorization header field. All 407 (Proxy Authentication Required) responses MUST be forwarded upstream toward the UAC following the procedures for any other response. It is the UAC's responsibility to add the Proxy-Authorization header field value containing credentials for the realm of the proxy that has asked for authentication.
When the originating UAC receives the 407 (Proxy Authentication Required) it SHOULD, if it is able, re-originate the request with the proper credentials. It should follow the same procedures for the display of the "realm" parameter that are given above for responding to 401. If no credentials for a realm can be located, UACs MAY attempt to retry the request with a username of "anonymous" and no password (a password of ""). The UAC SHOULD also cache the credentials used in the re-originated request.
Proxy-Authenticate: Digest realm="jcp.org",
nonce="f84f1cec41e6cbe5aea9c8e88d359", opaque="", stale=FALSE,