STIR/SHAKEN Inbound Verification

David Preo

Updated

Configuration and testing guidelines

The deadline for service providers to comply with STIR/SHAKEN is June 30, 2021. As part of Bandwidth’s STIR/SHAKEN roadmap, we provide an Inbound Verification (VERSTAT) feature. With this feature, Bandwidth customers can receive STIR/SHAKEN verification results for inbound calls via SIP headers. This optional feature can be enabled in the Bandwidth App at no additional charge. 

How Inbound Verification works

For STIR/SHAKEN attested calls, Bandwidth invokes an STI-Verification Service (STI-VS) function to verify inbound calls and then signals the verification results to our customers. Bandwidth passes the STIR/SHAKEN verification results in the SIP INVITE for the incoming call.

Note: The green box in the lower right corner of the diagram below shows this new capability. 

Inbound Verification toggle

Verified Inbound SIP header formats

Off

No signaling change. The SIP INVITE header won't change from what you're receiving today.

On - Verification Status

The SIP INVITE will display VERSTAT in the P-Asserted-Identity, with possible TN-Validation-Passed, TN-Validation-Failed, or No-TN-Validation values.

Note: If there's no VERSTAT value, it means there was no Identity Header in the incoming SIP INVITE.

P-Asserted-Identity:
<sip:+13339990000
@67.xxx.x.xx:5060>;verstat=TN-Validation-Passed

On - Enhanced Verification Status

The SIP INVITE will have a VERSTAT “Attestation-Indicator” and “Origination-ID” in the P-Asserted-Identity, as shown in the example below. In addition, P-Attestation-Indicator and P-Origination-ID headers will be present. 

P-Asserted-Identity:
<sip:+13339990000
@67.xxx.x.xx:5060>;verstat=TN-Validation-Passed   
P-Attestation-Indicator=A;
P-Origination-ID= b37efe53-564d-5095-b66d-720366cc1395

Enabling Inbound Verification

There are two options for Inbound Verification: 

  • Verification Status: Bandwidth provides the standard VERSTAT information. 
  • Enhanced Verification Status: Bandwidth provides VERSTAT, attestation level, and the origination ID for traceback. 

The Inbound Verification settings are configured per Location in the Bandwidth App. To enable this service:

  1. Log in to the Bandwidth App.
  2. In the side navigation bar, select Account and click Locations.
  3. Select a Location from the list and click Voice.
  4. Scroll down to the STIR/SHAKEN section.
  5. Set the Inbound Verification Results toggle to On and select either Verification Status or Enhanced Verification Status

Screen Shot 2024-09-09 at 7.05.47 PM.png

Once enabled, inbound STIR/SHAKEN calls that have been signed by the Originating Service Provider (OSP) with a SHAKEN Personal Assertion Token (PASSporT) will include the verification results.

Note: Not all calls will include verification results as many service providers are still rolling out STIR/SHAKEN in their networks.

Testing Inbound Verification

Note: We recommend testing one Location before enabling the feature across all Locations.

  1. To begin, create a new test Location in your Bandwidth App account and order a Bandwidth phone number specifically for testing. 
  2. Call the test number from another Bandwidth number in your production account (if available). A call from a Bandwidth number using a Bandwidth number will receive A-level attestation and the inbound call will include the resulting headers.
  3. To date, we have performed STIR/SHAKEN interoperability testing with Verizon, Comcast, and T-Mobile/Sprint, so a test call from a number with any of these providers should result in A-level attestation with the appropriate headers. 

Additional STIR/SHAKEN resources

Article is closed for comments.