The feature works based on RFC-3325 and draft-ietf-sip-privacy-04

Implementation applicable for >=2021 version of Sippy.

Rationale

Existing privacy support consists of many often unrelated features which provide a very limited subset of privacy functionality and this creates a big and constant demand from customers for new and new scenarios.

The goals of refactoring are:

  • Make the privacy support consistent across multiple existing standards such as P-Asserted-Identity from RFC3325 and Remote-Party-Id from draft-ietf-sip-privacy-04 

  • Make it possible to convert from one standard to another. For example, receive a P-Asserted-Identity but send a Remote-Party-Id.

  • Streamline the Sippy configuration.

  • Add missing features requested by customers.

To achieve these goals a notion of protocol-independent Privacy ID should be introduced in Sippy. The Identity is neither P-Asserted-Identity nor Remote-Party-Id, but an internal generalized entity which exists for a session. The idea is to be able to receive the Identity using any protocol and also send it using any protocol.

The Identity of a session consists of:

  • ID of the caller (the username from P-Asserted-Identity or Remote-Party-Id)

  • the anonymity attribute

The anonymity attribute is conveyed by the Privacy: SIP header from RFC3325 or the ‘privacy’ parameter from the Remote-Party-Id: header which may be accompanied by the RPID-Privacy: header as stated in the corresponding standard.

Proposed Architecture

Features

The main features are:

  • Receive Identity

  • Authentication with the Identity

  • Send the received or generated Identity

  • Rewrite outgoing CLI based on Identity

CLI in the below documentation means username of From: header

Identity should never be sent to a registered account or trunk. The scenarios above are related to calls to vendors - as mentioned in SS-2728: Privacy header support and  processingCOMPLETED 

Receive Identity

An Identity can be received from the caller. For that purpose an Account has Identity Schemas attribute which contains a list of acceptable protocols in the order of preference. For example:

  • Identity Schemas = P-Asserted-Identity means that Sippy accepts P-Asserted-Identity and creates a session Identity based on received values.

  • Identity Schemas = Remote-Party-Id, P-Asserted-Identity means that Sippy accepts either P-Asserted-Identity or Remote-Party-Id but prefers the Remote-Party-Id over P-Asserted-Identity.

  • Identity Schemas = Disabled means that Sippy ignores any Identity headers.


Authentication with the Identity

Sippy should be able to use the received Identity for authentication. An Account has a new attribute Trust Identity Headers which allows to use the received Identity instead of CLI when looking for Account or DID authentication rule.

Parameter Identity Auth Mode in System Parameters/ SIP, Media, LRN controls how the authentication should be performed:

  • Relaxed - try to authenticate against Identity first and then CLI and use whichever is successful

  • Strict - if Identity is received then do not try to use CLI for authentication. Default for old systems and new environments.

  • Mandatory - never use CLI and always rely only on Identity for authentication


Send the received or generated Identity

A Vendor Connection has Send Identity As attribute which dictates which standard is to be used to send the privacy information to the Vendor. Possible values are:

  • P-Asserted-Identity

  • Remote-Party-Id

  • Off

If the Identity has not been received from the caller then Sippy may generate it. A Connection should have a Use CLI as Identity parameter for that purpose.

Hide Own CLI parameter from Account’s preferences - Anonymous Calling section enforces the anonymity attribute in the Identity of the session.

The outgoing ‘P-Asserted-Identity’ and ‘Remote-Party-Id’ SIP headers are not sent if the Trusted Privacy Domain parameter on Connection is unchecked.

Headers that indicate privacy are sent if Send Identity As is set to non-off values:

  • case of P-Asserted-ID header Privacy with value id would be sent, even if Trusted Privacy Domain parameter on Connection is unchecked and no PAI is sent

  • case of Remote-Party-Id header Rpid-privacy with value party=calling;privacy=full would be sent, even if Trusted Privacy Domain parameter on Connection is unchecked and no RPID is sent

Rewrite outgoing CLI based on Identity

A Vendor Connection has Use Identity As CLI parameter in Advanced Parameters section.


On-Net Trusted Domain

The "On-Net Trusted Domain" checkbox in SIP section under System Management - SIP Features - SIP, Media, LRN, HEP allows to define whether the destinations for onnet calls should be considered as Trusted. The outgoing ‘P-Asserted-Identity’ and ‘Remote-Party-Id’ SIP headers are not sent in On-Net scenarios if the On-Net Trusted Domain parameter is unchecked.


Old scenarios that should be covered

  • Pass incoming PAI to Connection, then translate and send to Vendor

Set Identity Schemas on Account to P-Asserted-Identity, set checkbox for Pass Identity on Account, apply needed translation on Account and Connection for Identity Tr. Rule and choose on Connection Send Identity As = P-Asserted-Identity, set checkbox Trusted Privacy Domain on Connection.


  • Pass the incoming PAI/RPID in On-Net scenario to Registered UA or Trunk-Connection

Set Identity Schemas on Account to P-Asserted-Identity/Remote-Party-Id, set checkbox for Pass Identity on Account, set On-Net Trusted Domain checkbox in SIP section under System Management - SIP Features - SIP, Media, LRN, HEP


  • Do not pass incoming PAI to Connection, generate it  based on the username of From: header 

PAI would be generated based on the username of From: header. Unset Pass Identity checkbox on Account, set checkbox Use CLI As Identity on Connection, set Send Identity As = P-Asserted-Identity on Connection, set checkbox Trusted Privacy Domain on Connection


  • Translate From: header based on PAI received on Account

Set Identity Schemas on Account to P-Asserted-Identity, set checkbox for Pass Identity on Account, set checkbox Use Identity As CLI on Connection


  • Translate From: header based on Remote-Party-Id received on Account

Set Identity Schemas on Account to Remote-Party-Id, set checkbox for Pass Identity on Account, set checkbox Use Identity As CLI on Connection


New scenarios that should be covered

  • Authenticate call via received P-Asserted-Id, not From

Set checkbox Trust Identity Headers on Account, set Identity Schemas on Account to P-Asserted-Identity, in System Parameters/ SIP, Media, LRN set Identity Auth Mode to one of the options according to the requirement: relaxed/strict/mandatory


  • Authenticate call via received Remote-Party-Id, not From

Set checkbox Trust Identity Headers on Account, set Identity Schemas on Account to Remote-Party-Id, in System Parameters/ SIP, Media, LRN set Identity Auth Mode to one of the options according to the requirement: relaxed/strict/mandatory


  • Add to outgoing INVITE for Vendor a Privacy header with value = id when call was authenticated with one of the above methods

Set checkbox Trust Identity Headers on Account, set Identity Schemas on Account to P-Asserted-Identity, in System Parameters/ SIP, Media, LRN set Identity Auth Mode to one of the options according to the requirement: relaxed/strict/mandatory, set Send Identity ID As = P-Asserted-Identity on Connection


  • Do not pass incoming Remote-Party-Id to Connection, generate it there instead based on username of From: header

Unset Pass Identity Id checkbox on Account, set checkbox Use CLI As Identity on Connection, set Send Identity As = Remote-Party-Id on Connection, set checkbox Trusted Privacy Domain on Connection


  • Send Privacy: id when checkbox Hide Own CLI on Account is set or no CLI/Anonymous was received in incoming INVITE

Set Send Identity As = P-Asserted-Id on Connection, unset checkbox Trusted Privacy Domain on Connection. For the case Note - P-Asserted-Id header would NOT be generated in this case, however Privacy header with value id would be added to outgoing INVITE


  • Send RPID-privacy when checkbox Hide Own CLI on Account is set or no CLI/Anonymous was received in incoming INVITE

Set Send Identity As = Remote-Party-Id , unset checkbox Trusted Privacy Domain on Connection. Note - Remote-Party-Id header would NOT be generated in this case, however RPID-Privacy header with value party=calling;privacy=full would be added to outgoing INVITE