Oracle Acme Packet SBC configuration for STIR/SHAKEN with ClearIP

This documentation provides instructions on how to configure an Oracle Acme Packet Session Border Controller (Oracle SBC) with embedded header option to pass SIP headers from a SIP 302 into an outbound SIP INVITE leaving the Oracle SBC.

This documentation does not include Oracle SBC installation instructions, such as installing Oracle SBC VMware image, configuring network interfaces, etc. This work should be done by Oracle technical support.

We have provided Oracle Acme Packet outbound configuration for ClearIP instructions separately.

Embedded header mechanism

The SIP URI in the SIP 302 response from ClearIP may contain embedded headers. For example, in the following SIP URI, the part highlighted in yellow is an embedded header.

sip:atlanta.com;method=REGISTER?to=alice%40atlanta.com

The mechanism described in this document can be used to pass embedded SIP headers within the SIP 302 into the outbound SIP INVITE.

Network diagram and call scenario

Network diagram and call scenario
  1. The calling party sends a call to Oracle SBC.
  2. Oracle SBC forwards the call to ClearIP for services, such as LCR, STIR/SHAKEN, CNAM, etc.
  3. ClearIP responds with a SIP 302 that includes headers embedded in the Contact header URI, such as STIR/SHAKEN Identity, P-Asserted-Identity with CNAM, etc.
  4. Oracle SBC copies the embedded headers into the SIP INVITE sent to the called party.

Call flow diagram

 Call flow diagram

Note:

  1. SIP 302 Redirect from ClearIP contains a Contact header, which includes embedded headers. The values of the embedded headers must be URL encoded.
  2. SIP INVITE from Oracle SBC to the called party contains the embedded headers as normal SIP headers.

Sample SIP Messages

  • SIP INVITE sent from Oracle SBC to ClearIP
    07:40.539 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5060
    INVITE sip:14040000001@redirect.transnexus.com:5060 SIP/2.0
    Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1
    From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
    To: sut <sip:14040000001@172.16.4.157:5060>
    Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
    CSeq: 1 INVITE
    Contact: <sip:16780000001@172.16.4.157:5060;transport=udp>
    Max-Forwards: 69
    Subject: Performance Test
    Content-Type: application/sdp
    Content-Length: 135
    P-Source-Device: 172.16.4.113
    
    v=0
    o=user1 53655765 2353687637 IN IP4 172.16.4.113
    s=-
    c=IN IP4 172.16.4.113
    t=0 0
    m=audio 6000 RTP/AVP 0
    a=rtpmap:0 PCMU/8000
    
  • SIP 302 with embedded headers sent from ClearIP to Oracle SBC
    07:41.566 On [3:0]172.16.4.157:5060 received from 10.0.11.108:5060
    SIP/2.0 302 Moved Temporarily
    Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK6g1gad00b09h7lolh411.1
    From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
    To: sut <sip:14040000001@172.16.4.157:5060>;tag=24325SIPpTag012
    Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
    CSeq: 1 INVITE
    Contact: <sip:16780000000@10.0.11.108:5070;transport=udp?P-Asserted-Identity=%22%5BV%5DTxNx%20Test%22%3Csip%3A%2B16780000001%3Bverstat%3DTN-Validation-Passed%40transnexus.com%3E&Identity=eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw%3Binfo%3D%3Chttps%3A%2F%2Fcertificates.transnexus.com%2F994T%2F5e158249-2a1d-41ac-ba54-a638f3958f63.crt%3E%3Balg%3DES256%3Bppt%3Dshaken>;q=0.9
    Content-Length: 0
    

  • SIP Invite sent from Oracle SBC to called party
    07:41.569 On [3:0]172.16.4.157:5060 sent to 10.0.11.108:5070
    INVITE sip:16780000000@10.0.11.108:5070;transport=udp SIP/2.0
    Via: SIP/2.0/UDP 172.16.4.157:5060;branch=z9hG4bK608jsm00c850clol7510.2
    From: sipp <sip:16780000001@172.16.4.113:5050>;tag=SD51qc601-32136SIPpTag001
    To: sut <sip:14040000001@172.16.4.157:5060>
    Call-ID: SD51qc601-52943f2a548ac1c7f74dd448e0130c5b-c5480f2
    CSeq: 1 INVITE
    Contact: <sip:16780000001@172.16.4.157:5060;transport=udp>
    Max-Forwards: 69
    Subject: Performance Test
    Content-Type: application/sdp
    Content-Length: 135
    P-Source-Device: 172.16.4.113
    P-Asserted-Identity: "[V]TxNx Test"<sip:+16780000001;verstat=TN-  Validation-Passed@transnexus.com>
    Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJhbnNuZXh1cy5jb20vOTk0VC81ZTE1ODI0OS0yYTFkLTQxYWMtYmE1NC1hNjM4ZjM5NThmNjMuY3J0In0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI4NjEwODIwNzYyOTIiXX0sImlhdCI6MTU4MDkyNjc4MCwib3JpZyI6eyJ0biI6IjE0MDQ1MjY2MDYwIn0sIm9yaWdpZCI6Ijk4ZDA5NjM5LWZiYWYtMTFlNy05ZjU0LTAwMGMyOWIxYjM5ZSJ9.Iac_OyI0Hy2yB0X5WNRDuVATp4KAc-p91LtDrT-9z_BZXQVT2ItIdGmG06l9XeT20IqGlalOCETjsZAD_NlOXw;info=<https://certificates.transnexus.com/994T/5e158249-2a1d-41ac-ba54-a638f3958f63.crt>;alg=ES256;ppt=shaken
    
    v=0
    o=user1 53655765 2353687637 IN IP4 172.16.4.113
    s=-
    c=IN IP4 172.16.4.113
    t=0 0
    m=audio 6000 RTP/AVP 0
    a=rtpmap:0 PCMU/8000
    

Required ClearIP configuration

For ClearIP to return the P-Asserted-Identity with CNAM or the Identity header in the Contact URI of the SIP 302 response, you must ensure the following configurations are in place.

  • For embedded Identity header:
    • In the Authentication Policies page, there must be an enabled policy configured with the Method field set to In-Band or In-Band or Out-of-Band.
    • In the SBCs page, the SBC must be configured with the Identity Header field set to Identity Embedded in Contact URI.
  • For embedded P-Asserted-Identity header with CNAM:
    • For [V] modified CNAM on verified calls - In the Verification Policies page, there must be an enabled policy configured with the Indication Method to CNAM or Verstat and CNAM.
    • For CNAM lookup - In the CNAM Policies page, there must be an enabled policy configured.
    • In the SBCs page, the SBC must be configured with the CNAM Header field set to P-Asserted-Identity Embedded in Contact URI.

Oracle SBC Embedded Header Configuration

Oracle SBC supports embedded header on the session agent level. This should be configured for the SIP Redirect Server session agent.

For request-uri-headers, you should enter a list of embedded headers extracted from the Contact header URI that will be inserted in the outbound SIP INVITE message. acmesystem2(session-agent)# request-uri-headers (P-Asserted-Identity Identity)

  • Oracle SBC configuration example
      session-agent
        hostname                       redirect.transnexus.com
        ip-address                     10.0.11.108
        port                           5060
        state                          enabled
        app-protocol                   SIP
        app-type
        transport-method               UDP
        realm-id                       access
        egress-realm-id
        description
        carriers
        allow-next-hop-lp              enabled
        constraints                    disabled
        max-sessions                   0
        max-inbound-sessions           0
        max-outbound-sessions          0
        max-burst-rate                 0
        max-inbound-burst-rate         0
        max-outbound-burst-rate        0
        max-sustain-rate               0
        max-inbound-sustain-rate       0
        max-outbound-sustain-rate      0
        min-seizures                   5
        min-asr                        0
        time-to-resume                 0
        ttr-no-response                0
        in-service-period              0
        burst-rate-window              0
        sustain-rate-window            0
        req-uri-carrier-mode           None
        proxy-mode
        redirect-action                Recurse
        loose-routing                  enabled
        send-media-session             enabled
        response-map
        ping-method
        ping-interval                  0
        ping-send-mode                 keep-alive
        ping-all-addresses             disabled
        ping-in-service-response-codes 
        out-service-response-codes
        load-balance-dns-query         hunt
        media-profiles
        in-translationid
        out-translationid
        trust-me                       disabled
        request-uri-headers            P-Asserted-Identity Identity
        stop-recurse
        local-response-map
        ping-to-user-part
        ping-from-user-part
        li-trust-me                    disabled
        in-manipulationid
        out-manipulationid
        manipulation-string
        manipulation-pattern
        p-asserted-id
        trunk-group
        max-register-sustain-rate      0
        early-media-allow
        invalidate-registrations       disabled
        rfc2833-mode                   none
        rfc2833-payload                0
        codec-policy
        enforcement-profile
        refer-call-transfer            disabled
        refer-notify-provisional       none
        reuse-connections              NONE
        tcp-keepalive                  none
        tcp-reconn-interval            0
        max-register-burst-rate        0
        register-burst-window          0
        sip-profile
        sip-isup-profile
        kpml-interworking              inherit

Note:

  1. redirect-action must be set to recurse.
  2. request-uri-headers must be set to include all embedded headers that will be passed to outbound INVITE to the called party. In the above example, P-Asserted-Identity header for CNAM and Identity header for STIR/SHAKEN are configured for embedded headers.

Limitations of using embedded headers with routing

In general, the method described for implementing embedded headers is recommended when using the CNAM or Identity header provided by a SIP 302 response from ClearIP because it allows the Oracle SBC configuration to be simpler.

Embedded headers with only the P-Asserted-Identity header with CNAM and not including the Identity header work well even with multiple routing destinations because the additional size of the headers is small.

However, there are some limitations to using embedded headers for the Identity header when ClearIP is simultaneously used to return multiple routing destinations in the SIP 302 Contact header such as for least cost routing (LCR). In these cases, the SIP message becomes too large for the UDP or TCP packet:

  • For UDP transport between the Oracle SBC and ClearIP, the SIP 302 can only have one routing destination with the embedded Identity header.
  • For TCP transport between the Oracle SBC and ClearIP, the SIP 302 can have at most four routing destinations with the embedded Identity header. Having more than four routing destinations with the embedded Identity header can cause the call to fail.

If you would like to receive the Identity header from ClearIP along with multiple destinations for least cost routing, you cannot use the embedded header approach. You must use a separate approach to add a header manipulation rule (HMR) to copy the standard, non-embedded Identity header from the ClearIP SIP 302 response into the outbound SIP Invite to the called party. Using the HMR approach allows the Identity header to be passed in the 3xx response along with up to twelve routing destinations with UDP and TCP.

Oracle Acme Packet SBC configuration for ClearIP outbound scenarios