STIR/SHAKEN Inbound Verification
Configuration and testing guidelines
The deadline for service providers to comply with STIR/SHAKEN is June 30, 2021. As part of Bandwidth’s STIR/SHAKEN roadmap, we provide an Inbound Verification (VERSTAT) feature. With this feature, Bandwidth customers can receive STIR/SHAKEN verification results for inbound calls via SIP headers. This is an optional feature that can be enabled in the Bandwidth Dashboard at no additional charge.
How Inbound Verification works
For STIR/SHAKEN attested calls, Bandwidth invokes an STI-Verification Service (STI-VS) function to verify inbound calls and then signals the results of the verification to our customers. Bandwidth passes the STIR/SHAKEN verification results in the SIP INVITE for the incoming call.
Note: The green box in the lower right corner in the diagram below shows this new capability.
Verified Inbound SIP header formats
No signaling change. The SIP INVITE header won't be changed from what you receive today.
On - Verification Status
The SIP INVITE will display VERSTAT in the P-Asserted-Identity, with possible values of TN-Validation-Passed, TN-Validation-Failed or No-TN-Validation.
Note: If no VERSTAT value is present, then there was no Identity Header in the incoming SIP INVITE.
On - Enhanced Verification Status
The SIP INVITE will have a VERSTAT “Attestation-Indicator” and “Origination-ID” in the P-Asserted-Identity, like the example below. In addition, P-Attestation-Indicator and P-Origination-ID headers will be present.
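A receiving system can read these results as follows. This Python parser is an added example, not Bandwidth's code or a captured call; it extracts VERSTAT from P-Asserted-Identity and reads the P-Attestation-Indicator and P-Origination-ID headers. The sample INVITE (numbers, hosts, UUID), the `;verstat=` placement inside the PAI URI, and the status labels `no-identity-header` and `invalid` are assumptions made for illustration.

```python
import re

# The three VERSTAT values the article lists for P-Asserted-Identity.
VERSTAT_VALUES = {"TN-Validation-Passed", "TN-Validation-Failed", "No-TN-Validation"}

# Constructed sample INVITE (not captured traffic): numbers, hosts and UUID are
# made up, and the ";verstat=" placement inside the PAI URI is an assumption.
SAMPLE_INVITE = (
    "INVITE sip:+19195550100@203.0.113.10:5060 SIP/2.0\r\n"
    "From: <sip:+12025550123@192.0.2.20>;tag=abc123\r\n"
    "To: <sip:+19195550100@203.0.113.10>\r\n"
    "P-Asserted-Identity: <sip:+12025550123;verstat=TN-Validation-Passed"
    "@192.0.2.20;user=phone>\r\n"
    "P-Attestation-Indicator: A\r\n"
    "P-Origination-ID: 123e4567-e89b-12d3-a456-426614174000\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Map lowercased header names to their list of values (header section only)."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def verification_result(raw):
    """Extract VERSTAT, attestation level and origination ID from an INVITE."""
    h = parse_headers(raw)
    found = {m for pai in h.get("p-asserted-identity", [])
             for m in re.findall(r";verstat=([^;@>\s]+)", pai, re.IGNORECASE)}
    if not found:
        status = "no-identity-header"   # article: no VERSTAT means no Identity header
    elif len(found) > 1 or not found <= VERSTAT_VALUES:
        status = "invalid"              # conflicting or unknown values: do not trust
    else:
        status = found.pop()
    attest = (h.get("p-attestation-indicator") or [None])[0]
    if attest not in ("A", "B", "C"):   # SHAKEN attestation levels
        attest = None
    orig_id = (h.get("p-origination-id") or [None])[0]
    return {"verstat": status, "attestation": attest, "origination_id": orig_id}

if __name__ == "__main__":
    print(verification_result(SAMPLE_INVITE))
```

A missing VERSTAT is reported separately from TN-Validation-Failed, so downstream call handling can distinguish unsigned calls from calls that failed verification.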
Enabling Inbound Verification
There are two options for Inbound Verification:
- Verification Status: Bandwidth provides the standard VERSTAT information.
- Enhanced Verification Status: Bandwidth provides VERSTAT, attestation level, and the origination ID for traceback.
The Inbound Verification settings are configured per Location in the Bandwidth Dashboard. To enable this service:
- Log into the Bandwidth Dashboard.
- In the top right corner, click Account and select Locations.
- Scroll down to Origination Settings.
- Toggle the Inbound Verification Results button to On and select either Verification Status or Enhanced Verification Status.
Once enabled, inbound STIR/SHAKEN calls that have been signed by the Originating Service Provider (OSP) with a SHAKEN Personal Assertion Token (PASSporT) will include the verification results.
Note: Not all calls will include verification results as many service providers are still in the process of rolling out STIR/SHAKEN in their networks.
Testing Inbound Verification
Note: We recommend testing one Location before enabling the feature across all Locations.
- To begin, create a new test Location in your Bandwidth Dashboard account and order a Bandwidth phone number specifically for testing.
- Call the test number from another Bandwidth number in your production account (if available). A call from a Bandwidth number using a Bandwidth number will receive A-level attestation and the inbound call will include the resulting headers.
- To date, we have performed STIR/SHAKEN interoperability testing with Verizon, Comcast, and T-Mobile/Sprint, so a test call from a number with any of these providers should result in A-level attestation with the appropriate headers.
Additional STIR/SHAKEN resources
Note: STIR/SHAKEN is not deployed on legacy network devices such as inbound/outbound gateways "Bandwidth 7", "Bandwidth 9", and "Bandwidth Edge" devices. Calls traversing these routes won't be signed. If you'd like to migrate to STIR/SHAKEN devices, please open a ticket with your Bandwidth Support Team or hit us up at (855) 864-7776!