
Introduction

Class 4 Fusion supports several kinds of STIR/SHAKEN configuration.

  1. If you are already an iconectiv-certified SP, you can use the built-in AS/VS within Class 4.

  2. If you are not an existing iconectiv-certified SP, you can use an external AS/VS service to sign and verify your calls.

  3. If you simply want to bypass the STIR/SHAKEN signature from ingress to egress, you can configure Class 4 to block calls that don't have a valid STIR/SHAKEN signature. This setting can be made on a per-ingress-trunk basis.

STIR/SHAKEN

I. Validating incoming requests

A STIR/SHAKEN Identity is a JWT with the encoded origination ANI and DNIS, signed by a certified STIR/SHAKEN Service Provider and included in the INVITE request.

Ingress and egress trunks may put requirements on incoming and outgoing INVITE requests respectively, using the resource.shaken_vfy_policy parameter:

  • 0 - Do not check STIR/SHAKEN Identity
  • 1 - Require STIR/SHAKEN Identity
  • 2 - Require valid STIR/SHAKEN Identity
  • 3 - Require STIR/SHAKEN Identity; try to validate, but bypass if failed

If the inbound INVITE request does not satisfy the ingress verification policy, the call should be blocked with the corresponding reason:

 Release cause | SIP code                      | Reason
------------------------------------------------------------------------------------------------------------
            71 | 428 - Use Identity header     | Ingress requires STIR/SHAKEN Identity
            72 | 438 - Invalid Identity Header | Call blocked due to invalid STIR/SHAKEN Identity signature

Another set of codes represents errors in the STIR/SHAKEN module that prevent the ingress trunk from validating the Identity:

 Release cause | SIP code                  | Reason
-------------------------------------------------------------------------------------
            73 | 503 - Service Unavailable | All SHAKEN providers failed
            74 | 503 - Service Unavailable | No SHAKEN providers configured
            75 | 503 - Service Unavailable | General error in the STIR/SHAKEN module

II. Signing outgoing requests

  1. STIR/SHAKEN identity creation

The switch can create a STIR/SHAKEN Identity when placing the outbound INVITE if the caller did not provide one. The ingress trunk can regulate the conditions under which the switch generates an Identity for the call, using the resource.shaken_sign_policy parameter:

  • 0 - Do not sign calls
  • 1 - Sign call, if ANI is a US number
  • 2 - Sign, if ANI is a valid phone number (do not allow URI as ANI)
  • 3 - Sign, if ANI is in the SHAKEN ANI pool

Since the Class 4 switch has options to alter, replace or randomize the ANI, the final ANI/DNIS may not match the numbers in the original Identity provided by the caller. In such scenarios, the switch may re-create the Identity using the new ANI and DNIS. This behavior is controlled by the resource.shaken_allow_resign flag in the ingress trunk configuration.

NOTE: New Identity creation is allowed only due to an ANI/DNIS mismatch. The switch cannot re-sign a call if its STIR/SHAKEN Identity did not pass validation.
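The following added example (not Class 4 code) decodes the claims of an Identity header and shows the ANI/DNIS mismatch condition that resource.shaken_allow_resign governs. Claim names follow the SHAKEN PASSporT format (RFC 8225 / RFC 8588); the function names, the digits-only number comparison and the sample header are assumptions made for illustration.

```python
import base64
import json

def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(header_value):
    """Decode the PASSporT claims from a SIP Identity header value."""
    # The signature is NOT verified here; that needs the certificate at x5u.
    token = header_value.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Identity is not a three-part JWT")
    try:
        hdr = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        if hdr.get("ppt") != "shaken":
            raise ValueError("not a SHAKEN PASSporT")
        return {"attest": claims["attest"], "orig_tn": claims["orig"]["tn"],
                "dest_tns": claims["dest"]["tn"], "x5u": hdr.get("x5u")}
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed PASSporT: {exc!r}") from exc

def digits(number):
    # Assumption: compare on digits only, so "+1 202-555-0101" == "12025550101".
    return "".join(ch for ch in str(number) if ch.isdigit())

def resign_state(identity, final_ani, final_dnis, allow_resign):
    """Return 'match', 'resign' (mismatch, re-sign permitted) or 'mismatch'."""
    same = (digits(identity["orig_tn"]) == digits(final_ani)
            and digits(final_dnis) in [digits(t) for t in identity["dest_tns"]])
    if same:
        return "match"
    return "resign" if allow_resign else "mismatch"

# Constructed sample header; numbers, URL and signature bytes are placeholders.
SAMPLE_IDENTITY = ".".join([
    b64url_json({"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.org/sp.pem"}),
    b64url_json({"attest": "A", "dest": {"tn": ["12025550142"]},
                 "iat": 1700000000, "orig": {"tn": "12025550101"},
                 "origid": "00000000-0000-4000-8000-000000000000"}),
    "c2lnbmF0dXJl",
]) + ";info=<https://cert.example.org/sp.pem>;alg=ES256;ppt=shaken"
```

Calling resign_state(parse_identity(SAMPLE_IDENTITY), ani, dnis, allow_resign) with the ANI and DNIS actually sent to egress reports whether the signed claims still describe the call.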

  2. ANI pools and attestation levels

A STIR/SHAKEN Identity contains a trust level for the call (attestation level):

  • A - Full Attestation
  • B - Partial Attestation
  • C - Gateway Attestation

The client may control attestation levels for each ANI, using SHAKEN ANI groups. The attestation level for numbers outside of the pool can be set with the resource.shaken_default_attest_lvl ingress parameter.

  3. SHAKEN ANI pool creation

Create SHAKEN ANI group:

INSERT INTO shaken_ani_group (name) VALUES ('my test group') RETURNING id;

Populate ANI group:

INSERT INTO shaken_ani_group_rel (group_id, did) VALUES (<shaken_ani_group.id>, <number>);

Create ANI pool (list of groups):

INSERT INTO shaken_ani_group_list (name) VALUES ('Trunk X ANI pool') RETURNING id;

Add created ANI group to the pool, defining the attestation level:

INSERT INTO shaken_ani_group_list_rel (ani_group_list_id, ani_group_id, attest_lvl) VALUES (<shaken_ani_group_list.id>, <shaken_ani_group.id>, 'B');

Assign the SHAKEN ANI pool ID to the ingress trunk, using the resource.shaken_ani_group_list_id parameter.

ANI groups and/or pools may be shared between different resources freely.

III. Routing

Egress trunks may put requirements on the STIR/SHAKEN Identity using the resource.shaken_vfy_policy parameter (see above). If the verification policy cannot be satisfied, the egress trunk should be removed from routing with the corresponding cause:

 Egress cause | Reason
----------------------------------------------------------------------------
           62 | Egress requires STIR/SHAKEN Identity
           63 | Provided STIR/SHAKEN Identity is not valid
           64 | All SHAKEN providers failed
           65 | No SHAKEN providers configured
           66 | General error in the STIR/SHAKEN module

If all egress routes fail due to STIR/SHAKEN policy, ingress shall block the call with the regular "No egress found" reason.


Last updated 3 years ago
