STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world. © Wikipedia

Compliance

Plan of actions


Initial STIR/SHAKEN functionality was introduced in Sippy 2020.  Since then, calls can be signed through one of our technology partners, 1 Call Connect, who will sign calls on your behalf.  Customers who need their calls signed must subscribe to the 1 Call Connect service at this URL: http://1callconnect.net/sippy-stir-shaken-request-form/


Stir/Shaken Authentication setup

Select Stir/Shaken provider

A dedicated web page was added in versions >=2021 under System Management - System Parameters - STIR/SHAKEN.

For now it is possible either to choose the supported provider, 1CallConnect, or to disable Stir/Shaken authentication for the whole environment.

Extended setup

As of versions >=2023, the ability to manage Stir/Shaken settings within the Routing Group is available.

Signing of calls/requests to the AS (authentication service) can be disabled for any Routing Entry by unsetting the Stir/Shaken Enabled checkbox. For a specific Routing Entry it is also possible to set one of the following Stir/Shaken policies:

  • Required
  • Supported (default one for existing and new records)
  • Disabled

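| S/S policy | Should AS be queried if no Identity cached? | Send INVITE to Vendor with cached Identity? | Send INVITE to Vendor with no Identity (no cached Identity present)? |
|------------|---------------------------------------------|---------------------------------------------|----------------------------------------------------------------------|
| Disabled   | no                                          | no                                          | yes                                                                  |
| Supported  | no                                          | yes                                         | yes                                                                  |
| Required   | yes                                         | yes                                         | no                                                                   |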
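The policy table above can be read as a per-route decision function. The sketch below is an added example, not Sippy's own code: `decide`, `Rule`, `Decision` and the `ask_as` callback are hypothetical names, and it assumes that under Disabled a cached Identity is dropped while the call still goes out, and that under Required a signature returned by the AS is forwarded while a failed query means the vendor is not tried.

```python
# Added illustration of the policy table; not Sippy's own code.
from enum import Enum
from typing import Callable, NamedTuple, Optional

class Policy(Enum):
    DISABLED = "Disabled"
    SUPPORTED = "Supported"
    REQUIRED = "Required"

class Rule(NamedTuple):
    query_as: bool       # query the AS when no Identity is cached?
    send_cached: bool    # send INVITE to vendor with the cached Identity?
    send_unsigned: bool  # send INVITE to vendor when no Identity is present?

# One row per policy, copied from the table.
RULES = {
    Policy.DISABLED: Rule(False, False, True),
    Policy.SUPPORTED: Rule(False, True, True),
    Policy.REQUIRED: Rule(True, True, False),
}

class Decision(NamedTuple):
    send: bool               # does the INVITE go to this vendor?
    identity: Optional[str]  # Identity value to attach, if any
    as_queried: bool         # was the AS contacted for this call?

def decide(policy: Policy, cached: Optional[str],
           ask_as: Callable[[], Optional[str]]) -> Decision:
    """ask_as is a hypothetical callback that returns a signature or None."""
    rule = RULES[policy]
    # Assumption: under Disabled a cached Identity is dropped, call still sent.
    identity = cached if rule.send_cached else None
    queried = False
    if cached is None and rule.query_as:
        identity = ask_as()  # Assumption: a returned signature is forwarded
        queried = True
    if identity is not None:
        return Decision(True, identity, queried)
    # No Identity available: only policies that allow unsigned calls proceed.
    return Decision(rule.send_unsigned, None, queried)

if __name__ == "__main__":
    for p in Policy:  # "sig-cached" / "sig-from-as" are constructed values
        print(p.value, decide(p, "sig-cached", lambda: "sig-from-as"),
              decide(p, None, lambda: None))
```

Only Required ever contacts the AS and only Required can refuse a route, so it is the one setting under which no unsigned call reaches that vendor.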



1 Call Connect - Configuration Settings

Once subscribed you will need to ensure that your system is configured correctly.


For authentication you will need to configure a specific connector in order to enable the signing of your calls.  The value you should specify in Sippy 2020 is 1callconnect_sip.  You will also need to specify the hostname or IP address of 1CallConnect's authentication server.  They have a few setups, and you may want to select the one located closest to your data center.  If you need additional assistance, our Support can help configure your system through the database to get you up and running on signing calls right away.


Principle of Operation


Before sending an outgoing INVITE, the b2bua sends a special INVITE message to the 1CallConnect authentication server.  The 1CallConnect server replies with a 302 response that carries a signature for the call.  The b2bua takes that signature and puts it in the X-Identity header, along with a Date header, in the outgoing INVITE, which goes to the vendor connection, trunk or registered UA.

  • Requests are sent to port 5060 only
  • Requests are sent from the b2bua's port, not OpenSIPS
  • Requests are sent with a random Call-ID generated on our side
  • 1callconnect/sip_hosts are tried within 10 seconds


Long term Outlook (Sippy 2021 and beyond)


In future versions of our software we will add a few more ways both to sign calls and to verify them. We'll be looking at adding functionality to sign or verify calls locally on your softswitch.  We have also received requests to work on integrations with other devices and with other third-party signing and verification services.  We will be adding additional services where we can.


FAQ


> Please let us know how Sippy decides for which calls AS needs to be enabled and for which VS.
1. Any incoming call with Identity and Date will be sent to the VS service to verify that the signature is correct.
2. Any outgoing call will be sent to the AS before termination to receive the signature (Identity), and then the INVITE is sent to the vendor with the signature, if the AS provided it.

> Can Sippy do AS by itself, using a private key?
Starting from Sippy 2021 it's possible to use your own certificate, key and other parameters to perform either call signing or verification.