Oracle Acme Packet SBC configuration for STIR/SHAKEN with ClearIP

This documentation provides instructions on how to configure an Oracle Acme Packet Session Border Controller (Oracle SBC) with embedded header option to pass SIP headers from a SIP 302 into an outbound SIP INVITE leaving the Oracle SBC.

This documentation does not include Oracle SBC installation instructions, such as installing Oracle SBC VMware image, configuring network interfaces, etc. This work should be done by Oracle technical support.

We have provided Oracle Acme Packet outbound configuration for ClearIP instructions separately.

Embedded header mechanism

The SIP URI in the SIP 302 response from ClearIP may contain embedded headers. For example, in the following SIP URI, the part highlighted in yellow is an embedded header.

sip:atlanta.com;method=REGISTER?to=alice%40atlanta.com

The mechanism described in this document can be used to pass embedded SIP headers within the SIP 302 into the outbound SIP INVITE.

Network diagram and call scenario

Network diagram and call scenario
  1. The calling party sends a call to Oracle SBC.
  2. Oracle SBC forwards the call to ClearIP for services, such as LCR, STIR/SHAKEN, CNAM, etc.
  3. ClearIP responds with a SIP 302 that includes headers embedded in the Contact header URI, such as STIR/SHAKEN Identity, P-Asserted-Identity with CNAM, etc.
  4. Oracle SBC copies the embedded headers into the SIP INVITE sent to the called party.

Call flow diagram

 Call flow diagram

Note:

  1. SIP 302 Redirect from ClearIP contains a Contact header, which includes embedded headers. The values of the embedded headers must be URL encoded.
  2. SIP INVITE from Oracle SBC to the called party contains the embedded headers as normal SIP headers.

Sample SIP Messages

  • SIP INVITE sent from Oracle SBC to ClearIP
    07:40.539 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5060
                INVITE sip:14040000001@redirect.transnexus.com:5060 SIP/2.0
                Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1
                From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
                To: sut <sip:14040000001@172.16.4.157:5060>
                Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
                CSeq: 1 INVITE
                Contact: <sip:16780000001@172.16.4.157:5060;transport=udp>
                Max-Forwards: 69
                Subject: Performance Test
                Content-Type: application/sdp
                Content-Length: 135
                P-Source-Device: 172.16.4.113
                
                v=0
                o=user1 53655765 2353687637 IN IP4 172.16.4.113
                s=-
                c=IN IP4 172.16.4.113
                t=0 0
                m=audio 6000 RTP/AVP 0
                a=rtpmap:0 PCMU/8000
                
  • SIP 302 with embedded headers sent from ClearIP to Oracle SBC
    07:41.566 On [3:0]172.16.4.157:5060 received from 10.0.11.108:5060
                SIP/2.0 302 Moved Temporarily
                Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1
                From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
                To: sut <sip:14040000001@172.16.4.157:5060>;tag=24325SIPpTag012
                Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
                CSeq: 1 INVITE
                Contact: <sip:16780000000@10.0.11.108:5070;transport=udp?P-Asserted-Identity=%22%5BV%5DTxNx%20Test%22%3Csip%3A%2B16780000001%3Bverstat%3DTN-Validation-Passed%40transnexus.com%3E&Identity=eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw%3Binfo%3D%3Chttps%3A%2F%2Fcertificates.transnexus.com%2F994T%2F5e158249-2a1d-41ac-ba54-a638f3958f63.crt%3E%3Balg%3DES256%3Bppt%3Dshaken>;q=0.9
                Content-Length: 0
                

  • SIP Invite sent from Oracle SBC to called party
    07:41.569 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5070
                INVITE sip:16780000000@10.0.11.108:5070;transport=udp SIP/2.0
                Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK608jsm00c850clol7510.2
                From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
                To: sut <sip:14040000001@172.16.4.157:5060>
                Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
                CSeq: 1 INVITE
                Contact: <sip:16780000001@172.16.4.157:5060;transport=udp>
                Max-Forwards: 69
                Subject: Performance Test
                Content-Type: application/sdp
                Content-Length: 135
                P-Source-Device: 172.16.4.113
                P-Asserted-Identity: "[V]TxNx Test"<sip:+16780000001;verstat=TN-  Validation-Passed@transnexus.com>
                Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw;info=<https://certificates.transnexus.com/994T/5e158249-2a1d-41ac-ba54-a638f3958f63.crt>;alg=ES256;ppt=shaken
                
                v=0
                o=user1 53655765 2353687637 IN IP4 172.16.4.113
                s=-
                c=IN IP4 172.16.4.113
                t=0 0
                m=audio 6000 RTP/AVP 0
                a=rtpmap:0 PCMU/8000
                

Required ClearIP configuration

For ClearIP to return the P-Asserted-Identity with CNAM or the Identity header in the Contact URI of the SIP 302 response, you must ensure the following configurations are in place.

  • For embedded Identity header:
    • In the Authentication Policies page, there must be an enabled policy configured with the Method field set to In-Band or In-Band and Out-of-Band.
    • In the SBCs page, the SBC must be configured with the Identity Header field set to Identity Embedded in Contact URI.
  • For embedded P-Asserted-Identity header with CNAM:
    • For [V] modified CNAM on verified calls - In the Verification Policies page, there must be an enabled policy configured with the Indication Method to CNAM or Verstat and CNAM.
    • For CNAM lookup - In the CNAM Policies page, there must be an enabled policy configured.
    • In the SBCs page, the SBC must be configured with the CNAM Header field set to P-Asserted-Identity Embedded in Contact URI.

Oracle SBC Embedded Header Configuration

Oracle SBC supports embedded header on the session agent level. This should be configured for the SIP Redirect Server session agent.

For request-uri-headers, you should enter a list of embedded headers extracted from the Contact header URI that will be inserted in the outbound SIP INVITE message. acmesystem2(session-agent)# request-uri-headers (P-Asserted-Identity Identity)

  • Oracle SBC configuration example
                  session-agent
                    hostname                       sip.clearip.com
                    ip-address
                    port                           5060
                    state                          enabled
                    app-protocol                   SIP
                    app-type
                    transport-method               DynamicTCP
                    realm-id                       AccessRealm
                    egress-realm-id
                    description
                    carriers
                    allow-next-hop-lp              enabled
                    constraints                    disabled
                    max-sessions                   0
                    max-inbound-sessions           0
                    max-outbound-sessions          0
                    max-burst-rate                 0
                    max-inbound-burst-rate         0
                    max-outbound-burst-rate        0
                    max-sustain-rate               0
                    max-inbound-sustain-rate       0
                    max-outbound-sustain-rate      0
                    min-seizures                   5
                    min-asr                        0
                    time-to-resume                 0
                    ttr-no-response                0
                    in-service-period              0
                    burst-rate-window              0
                    sustain-rate-window            0
                    req-uri-carrier-mode           None
                    proxy-mode
                    redirect-action                Recurse
                    loose-routing                  enabled
                    send-media-session             enabled
                    response-map
                    ping-method
                    ping-interval                  0
                    ping-send-mode                 keep-alive
                    ping-all-addresses             disabled
                    ping-in-service-response-codes 
                    out-service-response-codes
                    load-balance-dns-query         hunt
                    media-profiles
                    in-translationid
                    out-translationid
                    trust-me                       disabled
                    request-uri-headers            P-Asserted-Identity Identity
                    stop-recurse
                    local-response-map
                    ping-to-user-part
                    ping-from-user-part
                    li-trust-me                    disabled
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    p-asserted-id
                    trunk-group
                    max-register-sustain-rate      0
                    early-media-allow
                    invalidate-registrations       disabled
                    rfc2833-mode                   none
                    rfc2833-payload                0
                    codec-policy
                    enforcement-profile
                    refer-call-transfer            disabled
                    refer-notify-provisional       none
                    reuse-connections              NONE
                    tcp-keepalive                  none
                    tcp-reconn-interval            0
                    max-register-burst-rate        0
                    register-burst-window          0
                    sip-profile
                    sip-isup-profile
                    kpml-interworking              inherit

Note:

  1. redirect-action must be set to recurse.
  2. request-uri-headers must be set to include all embedded headers that will be passed to outbound INVITE to the called party. In the above example, P-Asserted-Identity header for CNAM and Identity header for STIR/SHAKEN are configured for embedded headers.

Limitations of using embedded headers with routing

In general, the method described for implementing embedded headers is recommended when using the CNAM or Identity header provided by a SIP 302 response from ClearIP because it allows the Oracle SBC configuration to be simpler.

Embedded headers with only the P-Asserted-Identity header with CNAM and not including the Identity header work well even with multiple routing destinations because the additional size of the headers is small.

However, there are some limitations to using embedded headers for the Identity header when ClearIP is simultaneously used to return multiple routing destinations in the SIP 302 Contact header such as for least cost routing (LCR). In these cases, the SIP message becomes too large for the UDP or TCP packet:

  • For UDP transport between the Oracle SBC and ClearIP, the SIP 302 can only have one routing destination with the embedded Identity header.
  • For TCP transport between the Oracle SBC and ClearIP, the SIP 302 can have at most four routing destinations with the embedded Identity header. Having more than four routing destinations with the embedded Identity header can cause the call to fail.

If you would like to receive the Identity header from ClearIP along with multiple destinations for least cost routing, you cannot use the embedded header approach. You must use a separate approach to add a header manipulation rule (HMR) to copy the standard, non-embedded Identity header from the ClearIP SIP 302 response into the outbound SIP Invite to the called party. Using the HMR approach allows the Identity header to be passed in the 3xx response along with up to twelve routing destinations with UDP and TCP.

Oracle Acme Packet SBC configuration for ClearIP outbound scenarios