Stir_Shaken: no Identity header


On a 20.7.0 instance offering SIP trunking services, I can’t see any Identity header in outbound INVITE while trying to send my first outbound call bearing this header.

I checked each of the 7 points of Outgoing Call Flow from [1] though I’m not 100% sure I did it correctly for all of them.

I’m not too confident about the various cert files I have.

How can I debug this ?


[1] STIR-SHAKEN - Asterisk Documentation

The first thing to check are the logs. Are there any STIR/SHAKEN related errors or warnings when Asterisk starts? Are there any when the call is made?

Thank you very much for replying.

I don’t see any related error or warning message in my setup.

May I focus here on settings when peering with a business IPBX ?
This IPBX will send calls to my Asterisk instance that will route them to a downstream ITSP.
I want to tag my outbound INVITE with Identity header certifying the CallerID number is known and allowed.

  1. Let say the endpoint matching this business IPBX is named Foo.
    Its stir_shaken_prodile is set to ipbx-profile.
    When checking with “stir_shaken show eprofile ipbx-profile”, I see that “endpoint_behavior” is set to “attest”.
    Is this correct ?

  2. Let say the endpoint matching the downstream trunk (to PSTN) is named Bar.
    Its stir_shaken_profile is set to itsp-profile.
    When checking with “stir_shaken show eprofile itsp-profile”, I see that “endpoint_behavior” is set to “on”.
    Is this correct ?

  3. In my dialplan, I don’t include any special statement to add STIR -related headers (Identity, …) as I
    suppose Asterisk decides by itself if it needs or not to add STIR headers, depending on related profiles and CALLERID(num) value.
    Is this correct ?

Attestation is for outgoing calls (from Asterisk’s perspective) and you need to have been issued a certificate and key with which to sign the Identity header. This is probably NOT what you want for the IPBX endpoint.

“on” does both attestation of outgoing calls and verification of incoming calls (again from Asterisk’s perspective). So if you want to add an Identity header to calls you send to the ITSP (attestation) you need to have been issued that certificate and key to sign the header. If you want to verify Identity headers on calls received from the ITSP, you need to get from the ITSP the CA certificate that was used to create the certificate specified in the Identity header.

Correct. For outgoing calls, Asterisk will automatically add the Identity header if the profile associated with the endpoint has endpoint_behavior set to “on” or “attest”. If you want to check the verification status of incoming calls, you need to use the STIR_SHAKEN dialplan function.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.