Configure STIR/SHAKEN in DB

Trunk settings can be defined in the Class 4 DB. The name of the table is "resource". The resource table has fields for configuring STIR/SHAKEN signing and verification methods.

  • resource.shaken_sign_policy - conditions under which the switch is allowed to sign the call (for ingress trunks):

0 - Never sign calls 
1 - Sign only US numbers 
2 - Sign any telephone number (URI is not allowed) 
3 - Sign only numbers from the pool
  • resource.shaken_vfy_policy (for ingress trunks) - conditions to block calls:

0 - None: do not block calls based on shaken identity 
1 - Reject the call if Identity is missing 
2 - Reject the call if Identity is missing or invalid 
3 - Pass through: allow all calls (same as 0)
  • resource.shaken_vfy_policy (for egress trunks) - conditions to route the call to egress:

0 - None: route all calls; do not sign/validate 
1 - Block if missing: route the call if an Identity is provided in the inbound INVITE, or if it can be created. Do not perform validation. 
2 - Block if invalid: route the call if the inbound INVITE contains a _valid_ Identity, or if the inbound INVITE does not contain an Identity but the ingress sign policy allows creating one 
3 - Pass through: if the inbound INVITE does not have an Identity, try to sign the call, if ingress allows it. Otherwise, pass the call as is, performing signature validation.
  • resource.shaken_allow_resign (for ingress trunks):

If the inbound INVITE contains an Identity in which ANI/DNIS do not match the outbound INVITE, the switch is allowed to create a new signature. This flag takes effect if the egress shaken_vfy_policy is "Block if invalid" or "Pass through", and if the ingress sign policy allows signing calls.
  • resource.shaken_p_headers - put SHAKEN signature parameters into INVITE headers (for egress trunks):

0 - None 
1 - Regular: put verstat into P-Asserted-Identity header 
2 - Extended: put verstat into P-Asserted-Identity header; origid into P-Origination-ID; attestation level into P-Attestation-Indicator

The verstat value contains the signature validation status, which should be shown on the user's device. Since validation is configurable, the value depends on the egress trunk's vfy policy. Possible verstat values for each vfy_policy:

0 - No-TN-Validation 
1 - No-TN-Validation 
2 - TN-Validation-Passed 
3 - No-TN-Validation / TN-Validation-Passed / TN-Validation-Failed (depending on signature validation status)
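
The ingress and egress verification rules above, written out as a decision function so the effect of each policy value on a given call can be checked. This is an added example, not the switch's own code: `Identity`, `ingress_accepts`, `egress_decision` and `can_sign` are hypothetical names, shaken_allow_resign is not modelled, and the verstat for policy 3 with no inbound Identity is assumed to be No-TN-Validation.

```python
from enum import Enum

class Identity(Enum):
    MISSING = "missing"    # inbound INVITE carries no Identity header
    VALID = "valid"        # Identity present, signature validates
    INVALID = "invalid"    # Identity present, validation fails

def ingress_accepts(vfy_policy: int, identity: Identity) -> bool:
    """Ingress resource.shaken_vfy_policy: True when the call is not blocked."""
    if vfy_policy in (0, 3):                  # None / Pass through
        return True
    if vfy_policy == 1:                       # reject if Identity is missing
        return identity is not Identity.MISSING
    if vfy_policy == 2:                       # reject if missing or invalid
        return identity is Identity.VALID
    raise ValueError(f"unknown shaken_vfy_policy {vfy_policy}")

def egress_decision(vfy_policy: int, identity: Identity, can_sign: bool):
    """Egress resource.shaken_vfy_policy: return (routed, verstat).

    can_sign is an assumed input: the ingress shaken_sign_policy permits
    the switch to sign this call. verstat is None for a call not routed.
    """
    if vfy_policy == 0:                       # route everything, no validation
        return True, "No-TN-Validation"
    if vfy_policy == 1:                       # block if missing, never validate
        routed = identity is not Identity.MISSING or can_sign
        return routed, ("No-TN-Validation" if routed else None)
    if vfy_policy == 2:                       # block if invalid
        routed = identity is Identity.VALID or (
            identity is Identity.MISSING and can_sign)
        return routed, ("TN-Validation-Passed" if routed else None)
    if vfy_policy == 3:                       # pass through, validate if present
        verstat = {
            Identity.MISSING: "No-TN-Validation",   # assumption: nothing validated
            Identity.VALID: "TN-Validation-Passed",
            Identity.INVALID: "TN-Validation-Failed",
        }[identity]
        return True, verstat
    raise ValueError(f"unknown shaken_vfy_policy {vfy_policy}")

if __name__ == "__main__":
    # Constructed walk over every egress policy for a trunk that cannot sign.
    for policy in range(4):
        for ident in Identity:
            print(policy, ident.value, egress_decision(policy, ident, can_sign=False))
```

Under egress policy 1 a call with an invalid Identity is still routed, because that policy performs no validation; only policy 2 blocks it.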
