How To Configure a 302 Redirect for STIR/SHAKEN
Please read the following information:
If you already have a vendor (TILTX or 46 Labs, for example) that supports 302 redirect and can return the digital token in a 302 redirect response for insertion into the SIP header, work through the configuration sections below.
302 Redirect Originating IP Information:
Dallas Originating IPs: 108.166.187.49 and 108.166.187.50
Ashburn Originating IPs: 23.167.192.0
If necessary, the platform can be reconfigured to use a signaling IP.
If you do not have a vendor that can perform this function, the 46 Labs team can spin up a local 302 Redirect Endpoint server using your own certificate.
Please reach out to support@46labs.com for additional information, to change the originating IP, or if you have your own endpoint integration.
Configuration of Call Signing Endpoints
Endpoints will be configured as a list wherein users can create an unlimited number of endpoints, each with its own IP or FQDN.
In most cases, there will be a separate endpoint for each attestation level (A, B, C). Some implementations might also use dynamic endpoints which will assign attestation levels based on criteria they determine during the dip itself.
Customer/Termination Trunk Group Configuration
We have added the ability for 46 Labs customers to sign calls on behalf of their customers if no token is included in the SIP Identity Header of the outbound call. We also provide the ability to block customer/termination attempts if the customer is supposed to sign their own calls but does not.
The STIR/SHAKEN Treatment drop-down on Termination-Customer trunk groups allows users to specify how attempts will be handled. This is a required field for customer/termination trunk groups. Configuration options include:
No Treatment: This will simply send the attempt through the routing module without any kind of blocking or signing. (Default Setting)
Block Unsigned: This feature should be used if the originator is supposed to sign their own calls. If an attempt is received without a token, it will be blocked with the release code and cause: “503 / Missing SS token.”
Sign Unsigned Calls: This option should be used if the 46 Labs platform is supposed to sign calls for the customer using a selected STIR/SHAKEN endpoint. It will not alter calls that have already been signed.
Sign All Calls: This option should be used if the 46 Labs platform is supposed to sign calls for the customer using a selected STIR/SHAKEN endpoint.
The STIR/SHAKEN “Endpoint” drop-down allows the user to select a STIR/SHAKEN signing endpoint configured on the Call Signing Endpoints page. This field is required if STIR/SHAKEN Treatment is “Sign Unsigned Calls” or “Sign All Calls”.
Invite/Response Example
Invite
INVITE sip:19495964629@44.194.151.255 SIP/2.0
Via: SIP/2.0/UDP 172.18.0.108:5060;rport;branch=z9hG4bKPj1bb44035-bc9a-4ae8-b099-c9da2b731de4
Max-Forwards: 70
From: sip:19495964629@44.194.151.255;tag=0c407c59-751e-45af-93f3-27ac133d67a6
To: sip:19495964629@44.194.151.255
Contact: <sip:19495964629@172.18.0.108:5060;ob>
Call-ID: da8fd167-b518-4053-a3ec-7e504d8bd577
CSeq: 20495 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: HCv
X-SUBID: devdev01
Attestation: A
Content-Length: 0
Response
SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/UDP 176.9.206.72:5060;received=176.9.206.72;rport=5060;branch=z9hG4bKPjhbSF313qP6ImtB7Z1lzxD3-clbu8l16U
To: <sip:13178564903@34.205.8.24>;tag=3b5c80c5-c38d-49b6-978f-21b3bcd68349
From: <sip:17068015359@34.205.8.24>;tag=ZAxUhcKKiLXFJeYLKjlvxskYHADeo4Th
Call-ID: YDc7a.NELI1m5s9c6u0wG4.kXbNw8frK
CSeq: 23910 INVITE
X-Clearip-Id: 3b5c80c5-c38d-49b6-978f-21b3bcd68349;sbc=69caed66-ddae-4a4e-8123-843de9affd24;serviceProvider=c2f49b72-a2fa-4927-b2fd-314daf586c81;group=1ebbeeec-cf4f-404f-9021-e36733c53cc1;user=a1561729-57b6-4eee-81ab-74e0a83a98d6
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuY2xlYXJpcC5jb20vZmRmYjMzMjgtYjc1NC00YTBkLThiMzQtZGUzMGIwOGFkYWMyL2I1MGU4YjRkMjIwY2YzZDhkMzAwNWJjNTUwNGY4OGNmLmNydCJ9.eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzE3ODU2NDkwMyJdfSwiaWF0IjoxNjI0NjQ3NjEyLCJvcmlnIjp7InRuIjoiMTcwNjgwMTUzNTkifSwib3JpZ2lkIjoiYTE1NjE3MjktNTdiNi00ZWVlLTgxYWItNzRlMGE4M2E5OGQ2In0.75UZkSej96Jb0IgbssW_1CfrtYfhgRttY-2P5ljeJUip5uKx0ZQEk4UtWQs5rwtEsnSvcJk-sPtGGT4msywvYQ;info=<https://certificates.clearip.com/fdfb3328-b754-4a0d-8b34-de30b08adac2/b50e8b4d220cf3d8d3005bc5504f88cf.crt>;alg=ES256;ppt=shaken
Contact: <sip:13178564903@34.205.8.24>;q=0.99
Reason: SIP;cause=302;text="no-fraud-detected"
Content-Length: 0
CDR Modifications
The following fields will be parsed from the token and saved in the CDR Warehouse. The warehouse is also used to generate Reports.
Field | Type | Description |
stir_attest | Character. (Max. 1) | (STIR Signing Request Component) This value indicates the attestation level. Must be either A, B, or C (Full, Partial, or Gateway). |
stir_orig_id | Character. (Max. 50) | (STIR Signing Request Component) This value indicates the origination identifier, which is a GUID that represents the originating point of a call, for example, the switch where the call started or a trunk group. This information is used to help trace back the origin of a call on a trusted network. |
stir_orig_tn | Character. (Max. 50) | (STIR Signing Request Component) Indicates the calling number or calling Uniform Resource Identifier. |
stir_dest_tn | Character. (Max. 50) | (STIR Signing Request Component) Indicates the called number(s) or called Uniform Resource Identifier(s). |
stir_iat | Character. (Max. 50) | (STIR Signing Request Component) Initiated at time (IAT). The time the request is initiated. |
stir_x5u | Character. (Max. 200) | (STIR Signing Request Component) Indicates the location of the certificate used to sign the token. |
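The field mapping described above, as an added example (not 46 Labs code): it decodes the PASSporT carried in a 302 response's Identity header and maps its claims to the CDR fields and length limits listed in the table. The function names and the sample response are constructed for illustration, joining multiple called numbers with a comma is an assumption, and the token is only decoded, not signature-verified.

```python
import base64
import json

# Column limits taken from the CDR field table on this page.
CDR_LIMITS = {"stir_attest": 1, "stir_orig_id": 50, "stir_orig_tn": 50,
              "stir_dest_tn": 50, "stir_iat": 50, "stir_x5u": 200}

def decode_segment(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def identity_to_cdr(sip_response):
    """Decode (NOT signature-verify) the Identity PASSporT into CDR fields."""
    headers = (line.partition(":") for line in sip_response.splitlines())
    identity = next((v.strip() for n, _, v in headers
                     if n.strip().lower() == "identity"), None)
    if identity is None:
        raise ValueError("no Identity header in response")
    parts = identity.split(";", 1)[0].split(".")  # drop ;info=...;alg=...;ppt=...
    if len(parts) != 3:
        raise ValueError("token is not header.payload.signature")
    header, payload = decode_segment(parts[0]), decode_segment(parts[1])
    if payload.get("attest") not in ("A", "B", "C"):
        raise ValueError("attest must be A, B or C")
    cdr = {
        "stir_attest": payload["attest"],
        "stir_orig_id": payload["origid"],
        "stir_orig_tn": payload["orig"]["tn"],
        "stir_dest_tn": ",".join(payload["dest"]["tn"]),  # assumption: comma-joined
        "stir_iat": str(payload["iat"]),
        "stir_x5u": header["x5u"],
    }
    for field, limit in CDR_LIMITS.items():
        if len(cdr[field]) > limit:
            raise ValueError(f"{field} exceeds {limit} characters")
    return cdr

# Constructed sample (not a capture): encode_segment builds the unpadded
# base64url JSON segments, and the signature is a placeholder.
def encode_segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_302 = "\r\n".join([
    "SIP/2.0 302 Moved Temporarily",
    "Identity: " + ".".join([
        encode_segment({"alg": "ES256", "ppt": "shaken", "typ": "passport",
                        "x5u": "https://certs.example.invalid/sp.crt"}),
        encode_segment({"attest": "B", "dest": {"tn": ["12025550101"]}, "iat": 1700000000,
                        "orig": {"tn": "12025550100"}, "origid": "constructed-origid-0001"}),
        "placeholder-signature",
    ]) + ";info=<https://certs.example.invalid/sp.crt>;alg=ES256;ppt=shaken",
])
```

A record built this way reflects only what the token claims; the claims are trustworthy for reporting or traceback only once the signature has been verified against the certificate referenced by x5u.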