Oracle Acme Packet SBC configuration for STIR/SHAKEN with ClearIP
This documentation provides instructions on how to configure an Oracle Acme Packet Session Border Controller (Oracle SBC) with embedded header option to pass SIP headers from a SIP 302 into an outbound SIP INVITE leaving the Oracle SBC.
This documentation does not include Oracle SBC installation instructions, such as installing Oracle SBC VMware image, configuring network interfaces, etc. This work should be done by Oracle technical support.
We have provided Oracle Acme Packet outbound configuration for ClearIP instructions separately.
Embedded header mechanism
The SIP URI in the SIP 302 response from ClearIP may contain embedded headers. For example, in the following SIP URI, the part highlighted in yellow is an embedded header.
sip:atlanta.com;method=REGISTER?to=alice%40atlanta.comThe mechanism described in this document can be used to pass embedded SIP headers within the SIP 302 into the outbound SIP INVITE.
Network diagram and call scenario
- The calling party sends a call to Oracle SBC.
- Oracle SBC forwards the call to ClearIP for services, such as LCR, STIR/SHAKEN, CNAM, etc.
- ClearIP responds with a SIP 302 that includes headers embedded in the Contact header URI, such as STIR/SHAKEN Identity, P-Asserted-Identity with CNAM, etc.
- Oracle SBC copies the embedded headers into the SIP INVITE sent to the called party.
Call flow diagram
Note:
- SIP 302 Redirect from ClearIP contains a Contact header, which includes embedded headers. The values of the embedded headers must be URL encoded.
- SIP INVITE from Oracle SBC to the called party contains the embedded headers as normal SIP headers.
Sample SIP Messages
- SIP INVITE sent from Oracle SBC to ClearIP
07:40.539 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5060 INVITE sip:14040000001@redirect.transnexus.com:5060 SIP/2.0 Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1 From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001 To: sut <sip:14040000001@172.16.4.157:5060> Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2 CSeq: 1 INVITE Contact: <sip:16780000001@172.16.4.157:5060;transport=udp> Max-Forwards: 69 Subject: Performance Test Content-Type: application/sdp Content-Length: 135 P-Source-Device: 172.16.4.113 v=0 o=user1 53655765 2353687637 IN IP4 172.16.4.113 s=- c=IN IP4 172.16.4.113 t=0 0 m=audio 6000 RTP/AVP 0 a=rtpmap:0 PCMU/8000
- SIP 302 with embedded headers sent from ClearIP to Oracle SBC
07:41.566 On [3:0]172.16.4.157:5060 received from 10.0.11.108:5060 SIP/2.0 302 Moved Temporarily Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1 From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001 To: sut <sip:14040000001@172.16.4.157:5060>;tag=24325SIPpTag012 Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2 CSeq: 1 INVITE Contact: <sip:16780000000@10.0.11.108:5070;transport=udp?P-Asserted-Identity=%22%5BV%5DTxNx%20Test%22%3Csip%3A%2B16780000001%3Bverstat%3DTN-Validation-Passed%40transnexus.com%3E&Identity=eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw%3Binfo%3D%3Chttps%3A%2F%2Fcertificates.transnexus.com%2F994T%2F5e158249-2a1d-41ac-ba54-a638f3958f63.crt%3E%3Balg%3DES256%3Bppt%3Dshaken>;q=0.9 Content-Length: 0
- SIP Invite sent from Oracle SBC to called party
07:41.569 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5070 INVITE sip:16780000000@10.0.11.108:5070;transport=udp SIP/2.0 Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK608jsm00c850clol7510.2 From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001 To: sut <sip:14040000001@172.16.4.157:5060> Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2 CSeq: 1 INVITE Contact: <sip:16780000001@172.16.4.157:5060;transport=udp> Max-Forwards: 69 Subject: Performance Test Content-Type: application/sdp Content-Length: 135 P-Source-Device: 172.16.4.113 P-Asserted-Identity: "[V]TxNx Test"<sip:+16780000001;verstat=TN- Validation-Passed@transnexus.com> Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw;info=<https://certificates.transnexus.com/994T/5e158249-2a1d-41ac-ba54-a638f3958f63.crt>;alg=ES256;ppt=shaken v=0 o=user1 53655765 2353687637 IN IP4 172.16.4.113 s=- c=IN IP4 172.16.4.113 t=0 0 m=audio 6000 RTP/AVP 0 a=rtpmap:0 PCMU/8000
Required ClearIP configuration
For ClearIP to return the P-Asserted-Identity with CNAM or the Identity header in the Contact URI of the SIP 302 response, you must ensure the following configurations are in place.
- For embedded Identity header:
- In the Authentication Policies page, there must be an enabled policy configured with the Method field set to In-Band or In-Band and Out-of-Band.
- In the SBCs page, the SBC must be configured with the Identity Header field set to Identity Embedded in Contact URI.
- For embedded P-Asserted-Identity header with CNAM:
- For [V] modified CNAM on verified calls - In the Verification Policies page, there must be an enabled policy configured with the Indication Method to CNAM or Verstat and CNAM.
- For CNAM lookup - In the CNAM Policies page, there must be an enabled policy configured.
- In the SBCs page, the SBC must be configured with the CNAM Header field set to P-Asserted-Identity Embedded in Contact URI.
Oracle SBC Embedded Header Configuration
Oracle SBC supports embedded header on the session agent level. This should be configured for the SIP Redirect Server session agent.
For request-uri-headers, you should enter a list of embedded headers extracted from the Contact header URI that will be inserted in the outbound SIP INVITE message. acmesystem2(session-agent)# request-uri-headers (P-Asserted-Identity Identity)
- Oracle SBC configuration example
session-agent hostname sip.clearip.com ip-address port 5060 state enabled app-protocol SIP app-type transport-method DynamicTCP realm-id AccessRealm egress-realm-id description carriers allow-next-hop-lp enabled constraints disabled max-sessions 0 max-inbound-sessions 0 max-outbound-sessions 0 max-burst-rate 0 max-inbound-burst-rate 0 max-outbound-burst-rate 0 max-sustain-rate 0 max-inbound-sustain-rate 0 max-outbound-sustain-rate 0 min-seizures 5 min-asr 0 time-to-resume 0 ttr-no-response 0 in-service-period 0 burst-rate-window 0 sustain-rate-window 0 req-uri-carrier-mode None proxy-mode redirect-action Recurse loose-routing enabled send-media-session enabled response-map ping-method ping-interval 0 ping-send-mode keep-alive ping-all-addresses disabled ping-in-service-response-codes out-service-response-codes load-balance-dns-query hunt media-profiles in-translationid out-translationid trust-me disabled request-uri-headers P-Asserted-Identity Identity stop-recurse local-response-map ping-to-user-part ping-from-user-part li-trust-me disabled in-manipulationid out-manipulationid manipulation-string manipulation-pattern p-asserted-id trunk-group max-register-sustain-rate 0 early-media-allow invalidate-registrations disabled rfc2833-mode none rfc2833-payload 0 codec-policy enforcement-profile refer-call-transfer disabled refer-notify-provisional none reuse-connections NONE tcp-keepalive none tcp-reconn-interval 0 max-register-burst-rate 0 register-burst-window 0 sip-profile sip-isup-profile kpml-interworking inherit
Note:
- redirect-action must be set to recurse.
- request-uri-headers must be set to include all embedded headers that will be passed to outbound INVITE to the called party. In the above example, P-Asserted-Identity header for CNAM and Identity header for STIR/SHAKEN are configured for embedded headers.
Limitations of using embedded headers with routing
In general, the method described for implementing embedded headers is recommended when using the CNAM or Identity header provided by a SIP 302 response from ClearIP because it allows the Oracle SBC configuration to be simpler.
Embedded headers with only the P-Asserted-Identity header with CNAM and not including the Identity header work well even with multiple routing destinations because the additional size of the headers is small.
However, there are some limitations to using embedded headers for the Identity header when ClearIP is simultaneously used to return multiple routing destinations in the SIP 302 Contact header such as for least cost routing (LCR). In these cases, the SIP message becomes too large for the UDP or TCP packet:
- For UDP transport between the Oracle SBC and ClearIP, the SIP 302 can only have one routing destination with the embedded Identity header.
- For TCP transport between the Oracle SBC and ClearIP, the SIP 302 can have at most four routing destinations with the embedded Identity header. Having more than four routing destinations with the embedded Identity header can cause the call to fail.
If you would like to receive the Identity header from ClearIP along with multiple destinations for least cost routing, you cannot use the embedded header approach. You must use a separate approach to add a header manipulation rule (HMR) to copy the standard, non-embedded Identity header from the ClearIP SIP 302 response into the outbound SIP Invite to the called party. Using the HMR approach allows the Identity header to be passed in the 3xx response along with up to twelve routing destinations with UDP and TCP.
