STIR/SHAKEN


46 Labs - STIR/SHAKEN Explanation






Moving Parts of STIR/SHAKEN

The purpose of this section is to briefly explain the moving parts of STIR/SHAKEN and describe 46 Labs’ level of participation for each:

  • Digital Certificate: This certificate is much like a driver’s license. It is used to identify the originating party that initiates the call and is issued by certificate authorities, similar to how the DMV is the central authority for issuing and managing driver’s licenses. TransNexus has been listed as a Certificate Authority, though as June 30th, 2021 approaches, many more Certificate Authorities will become available. 46 Labs does not participate in this step of the call flow.

  • Call Signing/Tokenization: Every call needs a unique token in the SIP Identity Header. The token is generated from the digital certificate and several unique properties of the call attempt (calling number, called number, current timestamp, attestation level, origination identifier). It is the responsibility of the originator to sign the call before sending it to Eco for routing. Generally speaking, 46 Labs does not participate in this step of the call flow, though it is conceivable that some 46 Labs customers will not be able/willing to perform this function and will request that we do it on their behalf. This will require additional development or partnership with a company that offers this service as part of our Ecosystem. Phase 3 of the implementation provides the ability for the 46 Labs platform to sign calls using an external call signing provider via 302 redirect.

  • Call Routing: As an intermediary platform (neither the originating device nor the terminating device), Eco Carrier is required to pass all tokens unaltered. For most implementations, this is the sole participation level of Eco Carrier.

  • Call Verification: When the call is received by the terminating service provider, it goes through a multi-step verification process before being sent to the called party. 46 Labs does not participate in this step of the call flow, though it is conceivable that, if we are routing inbound calls for a customer of ours, they will request custom call handling based on the attestation level of the call. Example: Attestation level A can be sent directly to the called party, whereas attestation levels B and C require call treatment prior to being sent to the called party.


46 Labs Implementation


The 46 Labs STIR/SHAKEN functionality has been developed and deployed in 3 phases.


  1. Phase 1 was simply the ability to pass a received token in the SIP Identity Header. This covered the basic functional requirement for intermediary service providers. It was deployed in January, 2021.

  2. Phase 2 was an extension of the CDR to accommodate reporting and debugging of STIR/SHAKEN information related to the call. Please see the Phase 2 Details section for additional information.

  3. Phase 3 of the implementation provides the ability for the 46 Labs platform to sign calls using an external call signing provider via 302 redirect. High-level functionality is itemized below. Please see the Phase 3 Details section for additional information.

    1. Ability to define the call signing endpoints.

    2. Ability to define call signing endpoint per customer/termination trunk group.

    3. Ability to define call signing treatment per customer/termination trunk group.



Additional STIR/SHAKEN Information

For additional information on STIR/SHAKEN please refer to the following:




Phase 2 Details

CDR Modifications

The following fields will be parsed from the token and saved in the CDR Warehouse. The warehouse is used to deliver this information to the CDR Diagnostic page as well as the FTP CDR.


{
  "attest": "A",
  "dest": {
    "tn": [
      "14045261234"
    ]
  },
  "iat": 15488512340,
  "orig": {
    "tn": "18001231234"
  },
  "origid": "3a47ca23-d7ab-446b-821d-33d5deedbed7"
}

{
  "alg": "ES256",
  "ppt": "shaken",
  "typ": "passport",
  "x5u": "https://certificates.clearip.com/b15d7cc9-0f26-46c2-83ea-a3e63a82ec3a/7cc4db695d13edada4d1f9861b9b80fe.crt"
}



Field Definitions

 stir_attest               varchar(1)
 stir_dest                 varchar(50)
 stir_tn1                  varchar(50)
 stir_iat                  varchar(50)
 stir_orig                 varchar(50)
 stir_tn2                  varchar(50)
 stir_origid               varchar(50)
 stir_alg                  varchar(10)
 stir_ppt                  varchar(10)
 stir_typ                  varchar(15)
 stir_x5u                  varchar(200)
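
As an added example (not 46 Labs code), the sketch below decodes an Identity header value into the stir_* fields listed above and flags values that would not fit the column widths or that do not look like a SHAKEN token. The page does not say how dest and orig map onto stir_dest/stir_tn1 and stir_orig/stir_tn2, so that mapping and all function names are assumptions; the sample token reuses the page's two JSON objects with a placeholder signature, and nothing here verifies the signature.

```python
import base64
import json

# Column widths from the Field Definitions list above.
WIDTHS = {"stir_attest": 1, "stir_dest": 50, "stir_tn1": 50, "stir_iat": 50,
          "stir_orig": 50, "stir_tn2": 50, "stir_origid": 50, "stir_alg": 10,
          "stir_ppt": 10, "stir_typ": 15, "stir_x5u": 200}
# The two JSON objects shown on the page.
HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
          "x5u": "https://certificates.clearip.com/b15d7cc9-0f26-46c2-83ea-a3e63a82ec3a/7cc4db695d13edada4d1f9861b9b80fe.crt"}
CLAIMS = {"attest": "A", "dest": {"tn": ["14045261234"]}, "iat": 15488512340,
          "orig": {"tn": "18001231234"},
          "origid": "3a47ca23-d7ab-446b-821d-33d5deedbed7"}

def compact(obj):
    return json.dumps(obj, separators=(",", ":"))

def make_identity(header, claims):
    """Constructed sample: real encoding, placeholder (invalid) signature."""
    enc = lambda o: base64.urlsafe_b64encode(compact(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln;info=<{header['x5u']}>;alg=ES256;ppt=shaken"

def decode(segment):
    """Decode one base64url JSON segment, restoring stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def identity_to_cdr(identity_value):
    """Map one Identity header value to (row, warnings). No signature check."""
    parts = identity_value.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = decode(parts[0]), decode(parts[1])
    dest, orig = claims.get("dest", {}), claims.get("orig", {})
    row = {"stir_attest": claims.get("attest", ""),
           "stir_dest": compact(dest),                # assumed mapping
           "stir_tn1": (dest.get("tn") or [""])[0],   # assumed mapping
           "stir_iat": str(claims.get("iat", "")),
           "stir_orig": compact(orig),                # assumed mapping
           "stir_tn2": orig.get("tn", ""),            # assumed mapping
           "stir_origid": claims.get("origid", ""),
           "stir_alg": header.get("alg", ""), "stir_ppt": header.get("ppt", ""),
           "stir_typ": header.get("typ", ""), "stir_x5u": header.get("x5u", "")}
    warnings = [f"{k} exceeds varchar({WIDTHS[k]})"
                for k, v in row.items() if len(str(v)) > WIDTHS[k]]
    if row["stir_attest"] not in ("A", "B", "C"):
        warnings.append("attest is not A, B or C")
    if (row["stir_alg"], row["stir_ppt"], row["stir_typ"]) != ("ES256", "shaken", "passport"):
        warnings.append("header is not an ES256 shaken passport")
    return row, warnings
```

Recording a warning instead of silently truncating keeps the CDR usable for debugging tokens whose x5u or other values are longer than the column allows.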


Phase 3 Details

Configuration of Call Signing Endpoints

The 46 Labs platform will not be signing attempts directly. It will permit configuration of signing endpoints that use a 302 redirect interface. Each customer/termination trunk group can then select which signing endpoint it uses out of the globally configured Call Signing Endpoints.


Navigation: Settings >> STIR/SHAKEN Endpoints



Endpoints will be configured as a list wherein users can create an unlimited number of endpoints, each with its own IP or DNS value.


In most cases, there will be a separate endpoint for each attestation level (A, B, C). Some implementations might also use dynamic endpoints which will assign attestation levels based on criteria they determine during the dip itself.




Customer/Termination Trunk Group Config

We have added the ability for 46 Labs customers to sign calls on behalf of their customers if no token is included in the SIP Identity Header of the outbound call. We also provide the ability to block customer/termination attempts if the customer is supposed to sign their own calls but does not. 


  • Added “STIR/SHAKEN Treatment” drop-down on customer/termination trunk groups that identifies how to handle the attempts. This is a required field for customer/termination trunk groups. Configuration options include:

    • No Treatment - This will simply send the attempt through the routing module without any kind of blocking or signing. (Default Setting)

    • Block Unsigned - This feature will be used if the originator is supposed to sign their own calls. If an attempt is received without a token, it will be blocked with “503 / Missing SS token.”

    • Sign Unsigned Calls - This option will be used if the 46 Labs platform is supposed to sign calls for the customer using a selected STIR/SHAKEN endpoint. It will not alter calls that have already been signed.

  • Added a “STIR/SHAKEN Endpoint” drop-down. It will allow the user to select a STIR/SHAKEN signing endpoint configured in the new Call Signing Endpoints page. This field is required if STIR/SHAKEN Treatment = “Sign Unsigned Calls”. If STIR/SHAKEN Treatment is “No Treatment” or “Block Unsigned” then this drop-down is not required.





Call Signing Treatment During Routing

This logic is implemented on the switch itself. This logic only applies to customer/termination trunk groups.


Routing Logic


  • If (STIR/SHAKEN Treatment = “No Treatment”) Then

    • Forward attempt through routing module

  • ElseIf (STIR/SHAKEN Treatment = “Block Unsigned”) Then

    • If SIP Identity Header does not contain token Then

      • Return 503 / Missing SS Token

    • Else

      • Forward attempt through routing module

    • End If

  • ElseIf (STIR/SHAKEN Treatment = “Sign Unsigned Calls”) Then

    • If token is already present in SIP Identity Header Then

      • Forward attempt through routing module

    • Else

      • Sign call using the selected S/S Endpoint

      • Forward attempt through routing module

    • End If

  • Else

    • Return 503 / Invalid STIR/SHAKEN Treatment configured

  • End If
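
The routing logic above as an added, runnable example (not the switch's own code), including one way to decide whether the SIP Identity Header contains a token. How the switch detects a token is not described on the page; treating the compact header name "y", folded lines and an empty Identity value as shown is this example's assumption, as are the function names and the sign callable that stands in for the 302 redirect signing endpoint.

```python
NO_TREATMENT, BLOCK_UNSIGNED, SIGN_UNSIGNED = (
    "No Treatment", "Block Unsigned", "Sign Unsigned Calls")

# Constructed sample INVITE with no Identity header.
UNSIGNED = ("INVITE sip:14045261234@example.invalid SIP/2.0\r\n"
            "From: <sip:18001231234@example.invalid>;tag=1\r\n"
            "To: <sip:14045261234@example.invalid>\r\n"
            "Content-Length: 0\r\n\r\n")

def identity_values(msg):
    """Non-empty Identity header values found in a raw SIP request."""
    lines = []
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()      # unfold continuation line
        else:
            lines.append(line)
    found = []
    for line in lines:
        name, sep, value = line.partition(":")
        # Names are case-insensitive; "y" is the compact form of Identity.
        if sep and name.strip().lower() in ("identity", "y") and value.strip():
            found.append(value.strip())
    return found

def add_identity(msg, value):
    """Append an Identity header to the end of the header section."""
    head, sep, body = msg.partition("\r\n\r\n")
    return f"{head}\r\nIdentity: {value}{sep}{body}"

def route(msg, treatment, sign):
    """Return (action, reason, message); sign(msg) stands in for the endpoint."""
    signed = bool(identity_values(msg))
    if treatment == NO_TREATMENT:
        return ("forward", None, msg)
    if treatment == BLOCK_UNSIGNED:
        if not signed:
            return ("503", "Missing SS Token", None)
        return ("forward", None, msg)
    if treatment == SIGN_UNSIGNED:
        if not signed:
            msg = add_identity(msg, sign(msg))
        return ("forward", None, msg)            # signed calls pass unaltered
    return ("503", "Invalid STIR/SHAKEN Treatment configured", None)
```

An Identity header that is present but empty counts as unsigned here, so “Block Unsigned” rejects it rather than forwarding a call that only appears to carry a token.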

