How To Configure a 302 Redirect for STIR/SHAKEN

Please read the following information:

  1. If you already have a vendor (TILTX or 46 Labs, for example) that supports 302 redirect and can return the digital token for insertion into the SIP header in a 302 redirect response, work through the configuration sections below.

  2. 302 Redirect Originating IP Information:

    1. Dallas Originating IPs: 108.166.187.49 and 108.166.187.50

    2. Ashburn Originating IPs: 23.167.192.0

    3. If necessary, the platform can be reconfigured to use a signaling IP.

  3. If you do not have a vendor that can perform this function, the 46 Labs team can spin up a local 302 Redirect Endpoint server using your own certificate.

  4. Please reach out to support@46labs.com for additional information, to change the originating IP, or if you have your own endpoint integration.

 

Configuration of Call Signing Endpoints

Endpoints will be configured as a list wherein users can create an unlimited number of endpoints, each with its own IP or FQDN.

In most cases, there will be a separate endpoint for each attestation level (A, B, C). Some implementations might also use dynamic endpoints which will assign attestation levels based on criteria they determine during the dip itself.

 

Customer/Termination Trunk Group Configuration

We have added the ability for 46 Labs customers to sign calls on behalf of their customers if no token is included in the SIP Identity Header of the outbound call. We also provide the ability to block customer/termination attempts if the customer is supposed to sign their own calls but does not.

The STIR/SHAKEN Treatment drop-down on Termination-Customer trunk groups allows users to specify how attempts will be handled. This is a required field for customer/termination trunk groups. Configuration options include:

  • No Treatment: This will simply send the attempt through the routing module without any kind of blocking or signing. (Default Setting)

  • Block Unsigned: This feature should be used if the originator is supposed to sign their own calls. If an attempt is received without a token, it will be blocked with the release code and cause: “503 / Missing SS token.”

  • Sign Unsigned Calls: This option should be used if the 46 Labs platform is supposed to sign calls for the customer using a selected STIR/SHAKEN endpoint. It will not alter calls that have already been signed.

  • Sign All Calls: This option should be used if the 46 Labs platform is supposed to sign calls for the customer using a selected STIR/SHAKEN endpoint.

The STIR/SHAKEN “Endpoint” drop-down allows the user to select a STIR/SHAKEN signing endpoint configured on the Call Signing Endpoints page. This field is required if STIR/SHAKEN Treatment = “Sign Unsigned Calls” or “Sign All Calls”.

 

Invite/Response Example

Invite

INVITE sip:19495964629@44.194.151.255 SIP/2.0

Via: SIP/2.0/UDP 172.18.0.108:5060;rport;branch=z9hG4bKPj1bb44035-bc9a-4ae8-b099-c9da2b731de4

Max-Forwards: 70

From: sip:19495964629@44.194.151.255;tag=0c407c59-751e-45af-93f3-27ac133d67a6

To: sip:19495964629@44.194.151.255

Contact: <sip:19495964629@172.18.0.108:5060;ob>

Call-ID: da8fd167-b518-4053-a3ec-7e504d8bd577

CSeq: 20495 INVITE

Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS

Supported: replaces, 100rel, timer, norefersub

Session-Expires: 1800

Min-SE: 90

User-Agent: HCv

X-SUBID: devdev01

Attestation: A

Content-Length:  0

Response

SIP/2.0 302 Moved Temporarily.

Via: SIP/2.0/UDP 176.9.206.72:5060;received=176.9.206.72;rport=5060;branch=z9hG4bKPjhbSF313qP6ImtB7Z1lzxD3-clbu8l16U.

To:  <sip:13178564903@34.205.8.24>;tag=3b5c80c5-c38d-49b6-978f-21b3bcd68349.

From:  <sip:17068015359@34.205.8.24>;tag=ZAxUhcKKiLXFJeYLKjlvxskYHADeo4Th.

Call-ID: YDc7a.NELI1m5s9c6u0wG4.kXbNw8frK.

CSeq: 23910 INVITE.

X-Clearip-Id: 3b5c80c5-c38d-49b6-978f-21b3bcd68349;sbc=69caed66-ddae-4a4e-8123-843de9affd24;serviceProvider=c2f49b72-a2fa-4927-b2fd-314daf586c81;group=1ebbeeec-cf4f-404f-9021-e36733c53cc1;user=a1561729-57b6-4eee-81ab-74e0a83a98d6.

Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vZmRmYjMzMjgtYjc1NC00YTBkLThiMzQtZGUzMGIwOGFkYWMyL2I1MGU4YjRkMjIwY2YzZDhkMzAwNWJjNTUwNGY4OGNmLmNydCJ9.eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzE3ODU2NDkwMyJdfSwiaWF0IjoxNjI0NjQ3NjEyLCJvcmlnIjp7InRuIjoiMTcwNjgwMTUzNTkifSwib3JpZ2lkIjoiYTE1NjE3MjktNTdiNi00ZWVlLTgxYWItNzRlMGE4M2E5OGQ2In0.75UZkSej96Jb0IgbssW_1CfrtYfhgRttY-2P5ljeJUip5uKx0ZQEk4UtWQs5rwtEsnSvcJk-sPtGGT4msywvYQ;info=<https://certificates.clearip.com/fdfb3328-b754-4a0d-8b34-de30b08adac2/b50e8b4d220cf3d8d3005bc5504f88cf.crt>;alg=ES256;ppt=shaken.

Contact: <sip:13178564903@34.205.8.24>;q=0.99.

Reason: SIP;cause=302;text="no-fraud-detected".

Content-Length: 0.

 

CDR Modifications

The following fields will be parsed from the token and saved in the CDR Warehouse. The warehouse is also used to generate Reports.

stir_attest

Character. (Max. 1)

(STIR Signing Request Component) This value indicates the attestation level. Must be either A, B, or C (Full, Partial, or Gateway).

stir_orig_id

Character. (Max. 50)

(STIR Signing Request Component) This value indicates the origination identifier, which is a GUID that represents the originating point of a call, for example the switch where the call started or a trunk group. This information is used to help trace back the origin of a call on a trusted network.

stir_orig_tn

Character. (Max. 50)

(STIR Signing Request Component) Indicates the calling number or calling Uniform Resource Identifier.

stir_dest_tn

Character. (Max. 50)

(STIR Signing Request Component) Indicates the called number(s) or called Uniform Resource Identifier(s).

stir_iat

Character. (Max. 50)

(STIR Signing Request Component) Initiated at time (IAT). The time the request is initiated.

stir_x5u

Character. (Max. 200)

(STIR Signing Request Component) Indicates the location of the certificate used to sign the token.
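The mapping from token to CDR fields described above, shown on the Identity header from the 302 response example. This is an added example, not 46 Labs platform code. The function names, the comma-joined storage of multiple destination numbers, and the info/x5u cross-check are assumptions of this example.

```python
import base64
import json

# Identity header value from the 302 response example above (trailing "." dropped).
IDENTITY = (
    "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vZmRmYjMzMjgtYjc1NC00YTBkLThiMzQtZGUzMGIwOGFkYWMyL2I1MGU4YjRkMjIwY2YzZDhkMzAwNWJjNTUwNGY4OGNmLmNydCJ9"
    ".eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzE3ODU2NDkwMyJdfSwiaWF0IjoxNjI0NjQ3NjEyLCJvcmlnIjp7InRuIjoiMTcwNjgwMTUzNTkifSwib3JpZ2lkIjoiYTE1NjE3MjktNTdiNi00ZWVlLTgxYWItNzRlMGE4M2E5OGQ2In0"
    ".75UZkSej96Jb0IgbssW_1CfrtYfhgRttY-2P5ljeJUip5uKx0ZQEk4UtWQs5rwtEsnSvcJk-sPtGGT4msywvYQ"
    ";info=<https://certificates.clearip.com/fdfb3328-b754-4a0d-8b34-de30b08adac2/b50e8b4d220cf3d8d3005bc5504f88cf.crt>;alg=ES256;ppt=shaken"
)

# Maximum field widths as listed in the CDR field descriptions above.
MAX_LEN = {"stir_attest": 1, "stir_orig_id": 50, "stir_orig_tn": 50,
           "stir_dest_tn": 50, "stir_iat": 50, "stir_x5u": 200}


def b64url_json(segment):
    """Decode one base64url token segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def identity_to_cdr(identity):
    """Map an Identity header value to stir_* fields. Decodes only; the signature is NOT verified."""
    token, _, params = identity.partition(";")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("Identity token does not have header.payload.signature form")
    header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    if payload.get("attest") not in ("A", "B", "C"):
        raise ValueError("attest must be A, B or C")
    cdr = {
        "stir_attest": payload["attest"],
        "stir_orig_id": payload["origid"],
        "stir_orig_tn": payload["orig"]["tn"],
        "stir_dest_tn": ",".join(payload["dest"]["tn"]),  # assumption: comma-joined
        "stir_iat": str(payload["iat"]),                  # stored as character data
        "stir_x5u": header["x5u"],
    }
    for field, value in cdr.items():
        if len(value) > MAX_LEN[field]:
            raise ValueError(f"{field} exceeds {MAX_LEN[field]} characters")
    # Cross-check added in this example: info must name the same certificate as x5u.
    if f"info=<{cdr['stir_x5u']}>" not in params:
        raise ValueError("info parameter does not match x5u")
    return cdr
```

Because the function only decodes the token, the resulting values describe what the signer claimed; trusting them still requires verifying the ES256 signature against the certificate at stir_x5u.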