When forwarding a message, the proxy should remove a Proxy-Authorization header that it has consumed.
There is already code for doing this but it is commented out.
Relevant comments from the RFC 3261:
s22.1 "The requirements for inclusion of the Proxy-Authenticate,
Proxy-Authorization, WWW-Authenticate, and Authorization in the
various messages are identical to those described in RFC 2617 ."
s22.3 "The use of Proxy-Authenticate and Proxy-Authorization parallel that
described in , with one difference. Proxies MUST NOT add values
to the Proxy-Authorization header field."
"A Proxy-Authorization header field value applies only to the proxy
whose realm is identified in the "realm" parameter (this proxy may
previously have demanded authentication using the Proxy-Authenticate
field). When multiple proxies are used in a chain, a Proxy-
Authorization header field value MUST NOT be consumed by any proxy
whose realm does not match the "realm" parameter specified in that
In particular, RFC 2617 is the HTTP RFC, and it mandates that proxies remove headers that they have used to successfully. This rule isn't explicitly written in the SIP RFC, but it is implied.