Configuration for STIR/SHAKEN with Transnexus' ClearIP service

Introduction

This document provides instructions to configure a ProSBC to operate with the TransNexus/ClearIP server for STIR/SHAKEN. TransNexus/ClearIP is a SIP redirect server that provides advanced Least Cost Routing (LCR), fraud control and STIR (Secure Telephony Identity Revisited) / SHAKEN (Secure Handling of Asserted information using toKENs) features.

ProSBC 3.0.90 or a later version is needed to support verification with CNAM and Robocall Analytics with TransNexus.

For all configurations with all Transnexus/ClearIP Solutions, please click here.
In case you are new to STIR-SHAKEN technology is highly recommended to watch the explanatory webinar available in our YouTube channel:

Typical Call-Flow Scenario

In this call flow scenario the network diagram illustrates the typical layout of the network. This is followed by a detailed description of the call flow.

Stir/Shaken Call Flow

1. The ProSBC receives an inbound call from the Service Provider.

2. ProSBC forwards the call to ClearIP for Authentication or Verification or Robocall Analytics

3. ClearIP performs Authentication or Verification, CNAM lookup, Robocall Analytics, and then sends one of the following responses to ProSBC

SIP 404 Not Found: No fraud is detected. This is not a robocall.
SIP 503 Service unavailable: No fraud is detected. This is not a robocall.
SIP 603 Decline: Fraud is detected. Block the call.
SIP 302 with Identity for Authentication, or Verstat in PAI header (P-Asserted-Identity ) for Verification. Or CNAM in PAI header

Upon receiving 404 or 503

    ProSBC returns SIP 503 (or mapping to the TDM cause code) to the Source switch to perform route advance  
    Call Source (TDM or SIP) --------Invite or SETUP or IAM ---------> ProSBC/TMG ----Invite--> ClearIP
    Call Source (TDM or SIP) <---SIP 503 or REL with 41 or 34 -------- ProSBC/TMG < ----503---- ClearIP

    ProSBC route advances on SIP 503 and sends call to next destination, does not return response to the Source switch  
    Call Source (TDM or SIP) ---Invite or SETUP or IAM ---> ProSBC/TMG ----Invite--> ClearIP
                                                            ProSBC/TMG < ----503---- ClearIP
                                                            ProSBC/TMG  ----Invite---Next Routes

Upon receiving 603

    ProSBC returns SIP 603 (or mapping to the TDM cause code) to the Source switch, then release the call 
    Call Source (TDM or SIP) -----Invite or SETUP or IAM ------> ProSBC/TMG ----Invite--> ClearIP
    Call Source (TDM or SIP) <---SIP 603 or REL with 21 -------- ProSBC/TMG < ----603---- ClearIP

Upon receiving 302

    ProSBC takes the Identity or the Verstat string from the PAI header of the 302, and pass it to the next destination (NAP) according to the Routes priority order
    Call Source (TDM or SIP) ---Invite or SETUP or IAM ---> ProSBC/TMG ----Invite--> ClearIP
                                                           ProSBC/TMG < ----302---- ClearIP
                                                           ProSBC/TMG  ----Invite with Identity for Authentication, or Verstat in PAI header for Verification, Or CNAM in PAI header

ProSBC Configuration

This section provides the ProSBC configuration procedures for the solution. They are grouped into 4 main sections.

Initial Common Procedures: The procedures in this section are common to any scenario. You must follow them.
Scenario 1, One ClearIP NAP: Follow this section to learn how to configure ProSBC with one ClearIP NAP without a need to differentiate between Inbound and Outbound calls.
Scenario 2, More than one ClearIP NAP: Follow this section to learn how to configure ProSBC in which you have more than one ClearIP NAP and you need to differentiate between Inbound and Outbound calls.
Final Common Procedures: The procedures in this section are common to all scenarios.

Initial Common Procedures

Configure Routing Script

ProSBC is configured to use routing scripts to send some SIP headers to ClearIP to identify the source of the call.

1. Enable routing script

Gateway->Use script: choose the right main script

2. Load routing scripts

Click here to download ClearIP_Query.rb (the fitler script)
Import the filter script:

Gateway->Routes->Routing Script->Import Script File
   File->ClearIP_Query.rb
   ScriptType->filter
   Load on startup->checked

Include the filter script in the main script, default is simple_routing_sbc.rb.

Note: Only one "main" script should show the set of the Scripts:

Gateway->Routes->Routing Script->Edit the main script:

- Add the "require 'ClearIP_Query' unless defined?(ClearIPQuery)" statement at the top of the main script.
- Add the "include ClearIPQuery" statement in the main routing class.
- Add the filter "  before_filter :method => :ClearIP_query" in the main routing class.

Note: if label routing or other before_filter script are used, please place ClearIP_query last
Refer to Main_ClearIP.rb here to know what it should look like in your existing "main" script

Add service_type in NAPs Column

NAPs Columns->Create New NAPs Column
    Name->service_type
    Type attributes -> NORMAL|AUTHENTICATION|VERIFICATION
    Default ->NORMAL

Set the value to "AUTHENTICATION" for CLEARIP NAPs

Scenario 1:One ClearIP NAP

Follow the procedures in this scenario of you will only have one ClearIP NAP and do not need to differentiate between inbound and outbound calls.

Create Transport Server for ClearIP NAP

 SIP -> Create New Transport Server
    Name->SIP_TS_CLEARIP
    Port Type->TCP
    Port->5060
    IP Interface-> Select the IP interface which can reach to ClearIP on the public network

Create ClearIP NAP

NAPs->Create New NAP
    Name->NAP_CLEARIP
    SIP Transport Servers->SIP_TS_CLEARIP
    Proxy address->sip.clearip.com (Or appropriate Domain provided by ClearIP)
    Port range->[Select port range of IP interface above)

Set service_type to "AUTHENTICATION" for NAP_CLEARIP

NAP Columns -> select NAP_CLEARIP
service_type: AUTHENTICATION

Add Route to NAP_CLEARIP

Routes -> Create New Route
Name: To_ClearIP
NAP: (Any)  (or you can choose specific NAPs - you may need to create multiple routes in this case)
Remapped NAP: NAP_CLEARIP
Priority: 10

Scenario 2: More than one ClearIP NAP

Follow the procedures in this scenario if you have more than one ClearIP NAP and must differentiate between inbound and outbound calls.

Create 2 TCP transport servers: one for inbound and one for outbound

 SIP -> Create New Transport Server
    Name->SIP_TS_CLEARIP_IN
    Port Type->TCP
    Port->5060
    IP Interface-> Select the IP interface which can reach to ClearIP on the public network
 
 SIP -> Create New Transport Server
    Name->SIP_TS_CLEARIP_OUT
    Port Type->TCP
    Port->5060
    IP Interface-> Select the IP interface which can reach to ClearIP on the public network

Create Inbound ClearIP NAP and Outbound ClearIP NAP

NAPs->Create New NAP
    Name->NAP_CLEARIP_IN
    SIP Transport Servers->SIP_TS_CLEARIP_IN
    Proxy address->sip.clearip.com (Or appropriate Domain provided by ClearIP)
    Port range->[Select port range of IP interface above)
NAPs->Create New NAP
    Name->NAP_CLEARIP_OUT
    SIP Transport Servers->SIP_TS_CLEARIP_OUT
    Proxy address->sip.clearip.com (Or appropriate Domain provided by ClearIP)
    Port range->[Select port range of IP interface above)

Set service_type to "AUTHENTICATION" for NAP_CLEARIP_IN and NAP_CLEARIP_OUT

NAP Columns -> select NAP_CLEARIP_IN
service_type: AUTHENTICATION
NAP Columns -> select NAP_CLEARIP_OUT
service_type: AUTHENTICATION

Add Routes to NAP_CLEARIP_IN and NAP_CLEARIP_OUT

Routes -> Create New Route
Name: To_ClearIP_IN
NAP: specific NAPs which carry the inbound traffic
Remapped NAP: NAP_CLEARIP_IN
Priority: 10 
Routes -> Create New Route
Name: To_ClearIP_OUT
NAP: specific NAPs which carry the outbound traffic
Remapped NAP: NAP_CLEARIP_OUT
Priority: 10

Final Common Procedures

Follow these procedures to wrap up the ProSBC configuration work. They apply to both previously described scenarios.

Configure other Routes

You need to configure other routes after the ClearIP routes if you want ProSBC to perform route advances upon receiving 503 or 302.

 Check the below link for the detail instruction to create static routes:

 It could also combine with other Routeset routing:

Route retry action of 3xx, 404 and 603 must be configured to allow ProSBC to perform failover, fraud control and SHAKEN AS/VS request.

Profiles->Edit Reason Cause Mapping
    404 Not found->Route retry action->Continue call
    503 Service unavailable->Route retry action->Continue call
    603 Decline->Route retry action->Stop call
    302 Moved Temporarily-> Route retry action: Process call routing

Note:

The default route retry action of 404 is Stop call.
The default route retry action of 603 is Continue call.

PreviousProSBC and ClearIP (TransNexus)NextConfiguration for CNAM Verification and Robocall Analytics with Transnexus' ClearIP service

Last updated 13 days ago

Was this helpful?