Call Flow

Service providers who originate calls are responsible for authenticating calls while service providers who terminate calls are responsible for verifying calls. ClearIP can perform both authentication and verification functions which users can configure in the Authentication Policies and Verification Policies pages.

To authenticate and verify a call, the originating provider must pass a signed identity token to the terminating provider. The identity token can be transmitted to the terminating party through 2 methods: in-band or out-of-band. The identity token is passed in-band if the token is inserted into the SIP Invite and delivered to the terminating provider. The identity token is passed out-of-band if the token is transmitted to the terminating provider through the public internet independently from the call signaling.

In-band STIR/SHAKEN Call Flow

In-Band STIR Call Flow

  1. A call is made from a subscriber to the softswitch of the originating service provider.
  2. The SIP Invite is sent to the SHAKEN Authentication Service (ClearIP). The Authentication Service has a connection to the originating provider’s certificate repository.
  3. The SIP Invite with the digital signature is returned to the originating provider’s softswitch.
  4. The softswitch routes the signed SIP Invite to the terminating service provider. The signed SIP Invite may pass through intermediary service providers.
  5. The terminating provider’s softswitch receives a signed SIP Invite.
  6. The softswitch sends the signed SIP Invite to the SHAKEN Verification Service (ClearIP).
  7. The Verification Service accesses the originating provider’s certificate in the originating provider’s certificate repository if the issuing certificate authority is listed in the Certificate Authorities page. The Verification Service validates the originating provider’s SHAKEN certificate and verifies the signature on the signed SIP Invite.
  8. The SIP Invite and the verification results are returned to the terminating provider’s softswitch.
  9. The softswitch can send the SIP Invite and verification results to the called party, based on local policy.

Out-of-band STIR/SHAKEN Call Flow

Out-of-Band STIR Call Flow

  1. A call is made from a subscriber to the softswitch of the telephone service provider.
  2. The softswitch sends a message (via SIP or HTTP) to its SHAKEN Authentication Service.
  3. The Authentication module checks the service provider’s policy for the call source and calling number. If the call is authenticated for SHAKEN, the Authentication Service creates a signed identity token, encrypts it with the terminating provider’s public key, and then delivers it directly to the Call Placement Service (CPS) of the terminating service provider. (The signed SHAKEN token may also be sent to the softswitch so it can be included in the in-band signaling.)
  4. The service provider then routes the call over the voice network (TDM or IP).
  5. When the call arrives at the terminating service provider, the softswitch sends a message to the SHAKEN Verification Service.
  6. The Verification Service then pulls the identity token from the CPS and performs the same SHAKEN verification it would perform if the token was received in-band. This process includes fetching the certificate from the certificate repository of the originating provider.
  7. After verifying the token, the Verification Service sends its response to the softswitch.
  8. The softswitch completes the call to the called party.