Comment on page

Configure Stir Shaken in DB

Trunk setting can be defined in Class 4 DB. The name of the table is "resource." The resource DB table has fields for configuring stir shaken signing and verificaiton methods.
  • resource.shaken_sign_policy - conditions on which switch is allowed sign the call (for ingress trunks):
0 - Never sign calls
1 - Sign only US numbers
2 - Sign any telephone number (URI is not allowed) 3 - Sign only numbers from the pool
  • resource.shaken_vfy_policy (for ingress trunks) - conditions to block calls:
0 - None: do not block calls based on shaken identity
1 - Reject the call if Identity is missing
2 - Reject the call if Identity is missing or invalid
3 - Pass through: allow all calls (same as 0)
  • resource.shaken_vfy_policy (for egress trunks) - conditions to route the call to egress:
0 - None: route all calls; do not sign/validate
1 - Block if missing: route the call if Identity is provided in the inbound INVITE, or if it can be created. Do not perform validation.
2 - Block if invalid: route the call if inbound INVITE contains a _valid_ identity, or if inbound INVITE does not contain Identity but ingress sign policy allows to create one
3 - Pass through: if inbound INVITE does not have Identity, try to sign the call, if ingress allows it. Otherwise - pass the call as is, performing signature validation.
  • resource.shaken_allow_resign (for ingress trunks):
If inbound INVITE contains an Identity, inside of which ANI/DNIS do not match outbound INVITE, switch is allowed to create a new signature. This flag takes effect if egress shaken_vfy_policy is "Block if invalid" or "Pass through", and if ingress sign policy allows to sign calls.
  • resource.shaken_p_headers - put SHAKEN signature parameters into INVITE headers (for egress trunks):
0 - None
1 - Regular: put verstat into P-Asserted-Identity header
2 - Extended: put verstat into P-Asserted-Identity header; origid into P-Origination-ID; attestation level into P-Attestation-Indicator
Verstat value contains signature validation status, which should be shown on user's device. Since validation is configurable, the value depends on egress's vfy policy. vfy_policy - possible verstat values:
0 - No-TN-Validation
1 - No-TN-Validation
2 - TN-Validation-Passed
3 - No-TN-Validation / TN-Validation-Passed / TN-Validation-Failed (depending on signature validation status)