Service providers who originate calls are responsible for authenticating calls, while service providers who terminate calls are responsible for verifying calls. ClearIP can perform both authentication and verification functions, which users can configure in the Authentication Policies and Verification Policies pages.
To authenticate and verify a call, the originating provider must pass a signed PASSporT to the terminating provider. The PASSporT can be delivered in one of two ways: in-band or out-of-band. It is delivered in-band when it is included in the Identity header of the SIP INVITE and sent to the terminating provider. It is delivered out-of-band when it is transmitted to the terminating provider through the public internet, independently of the call signaling.
In-band STIR/SHAKEN Call Flow

- A call is made from a subscriber to the softswitch of the originating service provider.
- The SIP INVITE is sent to the SHAKEN Authentication Service (ClearIP). The Authentication Service has a connection to the originating provider’s certificate repository.
- The SIP INVITE with the digital signature is returned to the originating provider’s softswitch.
- The softswitch routes the signed SIP INVITE to the terminating service provider. The signed SIP INVITE may pass through intermediary service providers.
- The terminating provider’s softswitch receives a signed SIP INVITE.
- The softswitch sends the signed SIP INVITE to the SHAKEN Verification Service (ClearIP).
- The Verification Service accesses the originating provider’s certificate in the originating provider’s certificate repository if the issuing certificate authority is listed in the Certificate Authorities page. The Verification Service validates the originating provider’s SHAKEN certificate and verifies the signature on the signed SIP INVITE.
- The SIP INVITE and the verification results are returned to the terminating provider’s softswitch.
- The softswitch can send the SIP INVITE and verification results to the called party, based on local policy.
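
The verification step above works on the PASSporT carried in the Identity header. The following added example (not ClearIP code) shows the header and claim checks from RFC 8224/8225/8588 that a verifier can run before it fetches the certificate and verifies the signature; those two steps are not performed here. The function names, the 60-second window, the sample numbers and the `cr.example.org` URL are assumptions, and the sample token is constructed.

```python
import base64, json, time

MAX_IAT_AGE = 60  # seconds; assumed freshness window to limit PASSporT replay

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _unb64url(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sample_identity(iat, orig="12025550100", dest="12025550199"):
    """Constructed Identity header value; the signature part is a placeholder."""
    url = "https://cr.example.org/sp.pem"
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": url}
    pay = {"attest": "A", "dest": {"tn": [dest]}, "iat": iat,
           "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_b64url(hdr)}.{_b64url(pay)}.c2ln;info=<{url}>;alg=ES256;ppt=shaken"

def check_identity(identity, calling_tn, called_tn, now=None):
    """Return a list of problems; empty means the token may go on to
    certificate validation and signature verification (not done here)."""
    now = time.time() if now is None else now
    token, _, rest = identity.partition(";")
    params = {}
    for item in rest.split(";"):
        key, _, value = item.strip().partition("=")
        params[key.lower()] = value.strip('"<>')
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not a three-part compact JWS"]
    try:
        header, claims = _unb64url(parts[0]), _unb64url(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and payload must be JSON objects"]
    problems = []
    if (header.get("alg"), header.get("ppt"), header.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("unexpected alg/ppt/typ")
    if not header.get("x5u") or header.get("x5u") != params.get("info"):
        problems.append("x5u missing or different from info parameter")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("attest must be A, B or C")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_IAT_AGE:
        problems.append("iat missing or outside freshness window")
    orig, dest = claims.get("orig"), claims.get("dest")
    tns = dest.get("tn") if isinstance(dest, dict) else None
    if not isinstance(orig, dict) or orig.get("tn") != calling_tn:
        problems.append("orig.tn does not match calling number")
    if not isinstance(tns, list) or called_tn not in tns:
        problems.append("dest.tn does not include called number")
    return problems
```

A token that passes these checks is still unverified until the certificate chain and the ES256 signature have been validated.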
Out-of-band STIR/SHAKEN Call Flow

- A call is made from a subscriber to the softswitch of the telephone service provider.
- The softswitch sends a message (via SIP or HTTP) to its SHAKEN Authentication Service.
- The Authentication module checks the service provider’s policy for the call source and calling number. If the call is authenticated for SHAKEN, the Authentication Service creates a signed PASSporT, encrypts it with the terminating provider’s public key, and then delivers it directly to the Call Placement Service (CPS) of the terminating service provider. (The signed PASSporT may also be sent to the softswitch so it can be included in the in-band signaling.)
- The service provider then routes the call over the voice network (TDM or IP).
- When the call arrives at the terminating service provider, the softswitch sends a message to the SHAKEN Verification Service.
- The Verification Service then pulls the PASSporT from the CPS and performs the same SHAKEN verification it would perform if the PASSporT were received in-band. This process includes fetching the certificate from the certificate repository of the originating provider.
- After verifying the PASSporT, the Verification Service sends its response to the softswitch.
- The softswitch completes the call to the called party.