Vicidial Server Setup, STIR/SHAKEN Implementation, VOS3000 Call Center Solution
STIR/SHAKEN implementation has become mandatory for all VoIP service providers operating in the United States and Canada, following FCC regulations designed to combat robocall fraud and caller ID spoofing. The STIR/SHAKEN framework, which stands for Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN), uses cryptographic signatures to verify that the calling party is authorized to use the phone number displayed on the recipient’s caller ID. For VoIP providers using VOS3000 softswitch or similar platforms, implementing STIR/SHAKEN requires either native softswitch support or deployment of a separate authentication gateway.
Open source solutions for STIR/SHAKEN implementation provide cost-effective alternatives to commercial services, allowing providers to maintain control over their infrastructure while achieving regulatory compliance. Kamailio SIP server includes native STIR/SHAKEN modules (secsipid and stirshaken) that can sign and verify calls at the SIP signaling layer. Similarly, Asterisk PBX has built-in STIR/SHAKEN support through the res_stir_shaken module since version 18. These open source tools enable providers to implement caller ID authentication without recurring subscription fees, making compliance accessible even for smaller operators.
💡 Critical Requirement: VOS3000 softswitch does NOT have native STIR/SHAKEN support. VoIP providers using VOS3000 must deploy a separate STIR/SHAKEN gateway (Kamailio, Asterisk, or commercial service) to sign calls before they reach carriers. This architecture allows VOS3000 to continue handling routing and billing while the STIR/SHAKEN layer handles authentication.
STIR/SHAKEN implementation requires understanding several interconnected components that work together to authenticate caller identity. The framework operates at the SIP signaling layer, adding a cryptographically signed token to the SIP Identity header during call setup. This token, called a PASSporT (Personal Assertion Token), contains claims about the call including the calling number, called number, timestamp, and attestation level. The receiving party can verify this signature using public certificates published in the SHAKEN ecosystem.
| Component | Function | Implementation |
|---|---|---|
| PASSporT Token | JWT containing call claims (orig/dest numbers, timestamp) | Generated by STI-AS (Attestation Service) |
| Identity Header | SIP header carrying the signed PASSporT | Added by signing service, verified by receiver |
| STI-AS | Secure Telephone Identity Attestation Service | Signs outgoing calls with private key |
| STI-VS | Secure Telephone Identity Verification Service | Verifies incoming call signatures |
| STI-CA | Certificate Authority for SHAKEN | Issues certificates (Neustar, TransNexus, etc.) |
| TNAuth Certificate | Certificate proving number authorization | Contains authorized telephone numbers |
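The PASSporT and Identity header described above can be inspected offline. The following is an added example, not code from the original page or from any of the projects it names: it splits an Identity header value, decodes the PASSporT and checks the claims a verifier looks at before validating the signature. The sample header is constructed (placeholder numbers, URL and an all-zero signature), and the 60-second freshness window is an assumed default passed as `max_age`.

```python
import base64, json, time

def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, payload and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    header_b64, payload_b64, signature_b64 = token.split(".")
    ident = {"header": json.loads(b64url_decode(header_b64)),
             "payload": json.loads(b64url_decode(payload_b64)),
             "signature": b64url_decode(signature_b64), "params": {}}
    for p in params:
        name, _, val = p.partition("=")
        ident["params"][name] = val.strip("<>")
    return ident

def check_claims(ident, now=None, max_age=60):
    """Return structural problems (empty list = well formed). The signature is
    NOT verified here; that requires the certificate published at x5u."""
    now = time.time() if now is None else now
    hdr, pl, problems = ident["header"], ident["payload"], []
    if hdr.get("alg") != "ES256":
        problems.append("alg is not ES256")
    if hdr.get("ppt") != "shaken":
        problems.append("ppt is not shaken")
    if hdr.get("x5u") != ident["params"].get("info"):
        problems.append("x5u does not match info parameter")
    if pl.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    if not pl.get("orig", {}).get("tn") or not pl.get("dest", {}).get("tn"):
        problems.append("orig/dest telephone number missing")
    if abs(now - pl.get("iat", 0)) > max_age:
        problems.append("iat outside freshness window")
    if len(ident["signature"]) != 64:
        problems.append("ES256 signature is not 64 bytes")
    return problems

def build_sample(iat, attest="A"):
    # Constructed sample: numbers, URL and origid are placeholders and the
    # signature is 64 zero bytes, so it would fail real verification.
    url = "https://certs.example.com/shaken.pem"
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": url}
    pl = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": iat,
          "orig": {"tn": "12025550100"}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (hdr, pl))
    return f"{token}.{b64url_encode(bytes(64))};info=<{url}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    print(check_claims(parse_identity(build_sample(int(time.time())))))
```

Passing these checks only means the token is well formed; a stale `iat` or a mismatch between `x5u` and `info` is worth logging on the verification side because a replayed or re-wrapped token shows up there first.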
STIR/SHAKEN implementation uses three attestation levels to indicate the level of confidence in the caller ID authenticity. These levels help terminating carriers and consumers understand how thoroughly the calling number has been verified by the originating service provider.
STIR/SHAKEN ATTESTATION LEVELS

ATTESTATION LEVEL A - FULL
• Service provider verified caller is authorized to use the telephone number
• Customer has passed identity verification
• Number assigned to customer account
• Highest trust level - shows "Verified Call"

ATTESTATION LEVEL B - PARTIAL
• Call originated from known customer
• Cannot verify specific number authorization
• Common for enterprise PBX with multiple DIDs
• Medium trust level

ATTESTATION LEVEL C - GATEWAY
• Call passed through gateway from unknown source
• No verification of caller ID
• Used for transit/wholesale traffic
• Lowest trust level - may show warning
Kamailio SIP server provides two modules for STIR/SHAKEN implementation: secsipid (recommended) and stirshaken. The secsipid module uses the SecSIPIDx library, a mature Go/C implementation that handles both signing and verification. This module can operate as a REST API server, allowing integration with existing infrastructure without modifying the Kamailio core configuration significantly.
```bash
# Install Kamailio with STIR/SHAKEN modules on CentOS/RHEL
yum install -y kamailio kamailio-secsipidx kamailio-mysql

# Install libstirshaken (alternative approach)
git clone https://github.com/signalwire/libstirshaken.git
cd libstirshaken
./bootstrap.sh
./configure
make && make install

# Kamailio secsipid module installation
kamailio -V   # Verify installation
# Load module in kamailio.cfg: loadmodule "secsipid.so"
```
```
# Kamailio secsipid Module Configuration
# /etc/kamailio/kamailio.cfg

# Load STIR/SHAKEN module
loadmodule "secsipid.so"

# Verification settings
modparam("secsipid", "timeout", 5)           # seconds allowed to download the signer's certificate
modparam("secsipid", "cache_dir", "/var/cache/kamailio/secsipid")  # example path; enables certificate caching
modparam("secsipid", "cache_expire", 3600)   # seconds a cached certificate stays valid

# The private key, certificate URL and attestation level are not module
# parameters; they are passed to secsipid_add_identity() for each call.

# Request routing with STIR/SHAKEN signing
request_route {
    # Only initial INVITEs (no To-tag) are signed or verified.
    # is_present_hf() is provided by textops, which the stock kamailio.cfg loads.
    if (is_method("INVITE") && !has_totag()) {
        if (is_present_hf("Identity")) {
            # Verify incoming calls: an empty key path makes the module fetch
            # the certificate from the URL in the Identity "info" parameter
            if (secsipid_check_identity("")) {
                xlog("L_INFO", "STIR/SHAKEN verification passed\n");
            }
        } else {
            # Sign outgoing calls (restrict this branch to traffic from your
            # own softswitch so that only your calls receive your attestation)
            # Extract caller and called numbers
            $var(caller) = $fU;   # From user (caller)
            $var(called) = $rU;   # R-URI user (called)

            # Sign the call: origTN, destTN, attestation, origID (empty = generated),
            # x5u (placeholder: public URL where your STI-CA certificate is published),
            # private key path
            if (secsipid_add_identity("$var(caller)", "$var(called)", "A", "",
                    "https://certs.example.com/public.pem",
                    "/etc/kamailio/certs/private.pem")) {
                xlog("L_INFO", "Call signed successfully\n");
            } else {
                xlog("L_ERR", "STIR/SHAKEN signing failed\n");
            }
        }
    }

    # Continue with normal routing
    route(RELAY);
}
```
The most practical deployment for VOS3000 users is placing Kamailio as a front-end STIR/SHAKEN gateway. In this architecture, calls from VOS3000 are first sent to Kamailio, which signs them with valid certificates before forwarding to carriers. This approach requires no modifications to VOS3000 and maintains full compatibility with existing routing and billing configurations.
```
KAMAILIO STIR/SHAKEN GATEWAY FOR VOS3000

        VOS3000 Softswitch (No STIR/SHAKEN)
                    │
                    │  SIP INVITE (unsigned)
                    ▼
        KAMAILIO STIR/SHAKEN GATEWAY
        (secsipid.so Module + Certificate Store)
          1. Receive INVITE from VOS3000
          2. Extract caller/called numbers
          3. Generate PASSporT token
          4. Sign with private key (A/B/C attest)
          5. Add Identity header to SIP
          6. Forward signed INVITE to carrier
                    │
                    │  SIP INVITE (with Identity header)
                    ▼
        CARRIER NETWORK (Verifies signature)
```
Asterisk PBX version 18 and later includes native STIR/SHAKEN support through the res_stir_shaken and res_pjsip_stir_shaken modules. This implementation allows Asterisk to both sign outgoing calls and verify incoming calls. The Asterisk approach is particularly suitable for call centers, PBX deployments, and smaller VoIP operations where a full SIP proxy like Kamailio may be overkill.
```ini
; Asterisk STIR/SHAKEN Configuration
; /etc/asterisk/stir_shaken.conf

[general]
; Enable STIR/SHAKEN functionality
enabled = yes

; Certificate configuration
[my_certificate]
type = attestation
; Attestation level: A, B, or C
attest_level = A
; Certificate file paths (obtain from STI-CA)
private_key_file = /etc/asterisk/keys/private.pem
public_cert_file = /etc/asterisk/keys/public.pem
ca_file = /etc/asterisk/keys/ca.pem

; Caller ID to certificate mapping
[callerid_map]
type = callerid
callerid = +1XXXXXXXXXX
attestation = my_certificate

; Endpoint configuration for signing
[signing_config]
type = endpoint
stir_shaken = yes
attest_level = A
check_tn_auth = yes

; Verification configuration
[verification]
type = verify
; Action on verification failure: allow, reject, continue
failure_action = continue
; Cache verified certificates
cache_expiry = 3600
```
```ini
; Asterisk PJSIP Configuration with STIR/SHAKEN
; /etc/asterisk/pjsip.conf

; Trunk to carrier with STIR/SHAKEN
[carrier-trunk]
type = endpoint
context = from-carrier
disallow = all
allow = ulaw,alaw,g729
outbound_auth = carrier-auth
aors = carrier-aor
; Enable STIR/SHAKEN signing
stir_shaken_profile = signing_config

[carrier-auth]
type = auth
username = your_username
password = your_password

[carrier-aor]
type = aor
contact = sip:carrier.ip.address:5060

; Incoming verification
[incoming-trunk]
type = endpoint
context = from-pstn
disallow = all
allow = ulaw,alaw
; Verify incoming STIR/SHAKEN
stir_shaken_profile = verification
```
⚠️ Certificate Requirement: Both Kamailio and Asterisk require valid certificates from an authorized STI-CA (Secure Telephone Identity Certification Authority) such as Neustar, TransNexus, or Telnyx. Self-signed certificates are NOT acceptable for production STIR/SHAKEN implementation. Certificate costs typically range from $100-500/month depending on provider and number of DIDs.
Certificate management is the most critical aspect of STIR/SHAKEN implementation. Certificates must be obtained from an authorized STI-CA, installed securely on your signing server, and renewed before expiration. The certificate contains TNAuth (Telephone Number Authorization) claims that prove your authorization to sign calls for specific telephone numbers.
| Provider | Type | Monthly Cost | Features |
|---|---|---|---|
| Neustar | STI-CA | $250-500 | Industry standard, full support |
| TransNexus | STI-CA + Service | $250-500 | Managed service option |
| Telnyx | Carrier + STI-CA | $100-200 | Included with SIP trunking |
| ClearlyIP | STI-CA | $150-300 | FreePBX integration |
| SignalWire | Open Source | Free (self-hosted) | libstirshaken library |
Step 1: Apply for Certificate – Submit application to STI-CA with your company information, TN registration documents, and proof of telephone number ownership
Step 2: Identity Verification – Complete business verification process (similar to SSL certificate validation)
Step 3: Number Authorization – Prove ownership or authorization for telephone numbers you will sign
Step 4: Certificate Issuance – STI-CA issues TNAuth certificate containing authorized numbers
Step 5: Installation – Install private key and certificate on your signing server (Kamailio/Asterisk)
Step 6: Testing – Test signing and verification with test calls to verifying parties
Step 7: Monitoring – Set up certificate expiration monitoring (typically 1-2 year validity)
✅ Free Option: SignalWire’s libstirshaken library provides free, open source STIR/SHAKEN implementation. However, you still need a valid certificate from an STI-CA for production use. The library handles token generation and verification, reducing implementation complexity.
Integrating VOS3000 with a STIR/SHAKEN gateway requires configuring routing to send calls through the signing server before reaching carriers. This can be accomplished by setting up the STIR/SHAKEN server as a “carrier” in VOS3000’s routing gateway configuration, effectively making it the first hop in the call path.
1. Create Mapping Gateway: Add Kamailio/Asterisk STIR/SHAKEN server as a mapping gateway in VOS3000 with IP authentication
2. Configure Routing Gateway: Set up routing rules to send calls through the STIR/SHAKEN gateway first
3. Gateway Group Setup: Create gateway group that includes STIR/SHAKEN server as primary and carriers as secondary
4. Caller ID Passthrough: Ensure caller ID is passed correctly to the signing server for attestation
```
VOS3000 + STIR/SHAKEN INTEGRATION ARCHITECTURE

CLIENTS ──▶ VOS3000 ──▶ STIR/SHAKEN ──▶ CARRIERS

  1. INVITE                  Client      → VOS3000
  2. Route to STIR/SHAKEN    VOS3000     → STIR/SHAKEN
  3. Sign call (add Identity)              at STIR/SHAKEN
  4. Forward to carrier      STIR/SHAKEN → Carrier
  5. Verify & route                        at Carrier

  Responses (200 OK / 183) return along the same path:
  Carrier → STIR/SHAKEN → VOS3000 → Client (200 OK)

VOS3000 Configuration:
  • Gateway Type: Mapping Gateway
  • Gateway IP: [STIR/SHAKEN Server IP]
  • Signaling Port: 5060
  • Media: Bypass (pass-through)
  • Caller ID: Preserve original
```
STIR/SHAKEN implementation has modest resource requirements since it operates at the SIP signaling layer only, without processing media. A lightweight server can handle thousands of calls per second, making it cost-effective to deploy alongside existing infrastructure.
| Capacity | CPU | RAM | Storage | Monthly Cost |
|---|---|---|---|---|
| Small (<500 CPS) | 2 Cores | 2 GB | 20 GB SSD | $15-25 |
| Medium (500-2000 CPS) | 4 Cores | 4 GB | 40 GB SSD | $30-50 |
| Large (2000+ CPS) | 8 Cores | 8 GB | 80 GB SSD | $80-150 |
After completing STIR/SHAKEN implementation, thorough testing is essential to verify correct operation. Testing should include both signing verification (ensuring your signatures are valid) and verification testing (ensuring you can correctly validate incoming signed calls). Several tools and services are available for testing without making actual phone calls.
```bash
# Test STIR/SHAKEN signing with secsipidx CLI
secsipidx sign -caller +1XXXXXXXXXX -called +1YYYYYYYYY \
    -key /path/to/private.pem \
    -cert /path/to/public.pem \
    -attest A

# Verify a PASSporT token
secsipidx verify -token "eyJhbGciOiJFUzI1NiIsInR5cCI6..."

# Check Identity header in SIP message
# Look for header format:
# Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6Imp3dCIsInhtc...;info=;alg=ES256;ppt=shaken
```
Q: Does VOS3000 support STIR/SHAKEN natively?
A: No, VOS3000 does not have native STIR/SHAKEN support. You must deploy a separate STIR/SHAKEN gateway using Kamailio, Asterisk, or a commercial service to sign calls before they reach carriers.
Q: What is the minimum server requirement for STIR/SHAKEN gateway?
A: A 2 GB RAM, 2 CPU core server can handle up to 500 calls per second (CPS) for STIR/SHAKEN signing. The operation is CPU-intensive for cryptographic operations but does not require significant RAM or storage.
Q: Can I use free certificates for STIR/SHAKEN?
A: No, valid STIR/SHAKEN certificates must be obtained from an authorized STI-CA (Secure Telephone Identity Certification Authority). Self-signed or standard SSL certificates are not valid for SHAKEN. Certificate costs typically range from $100-500/month.
Q: What attestation level should I use?
A: Use Attestation A (Full) when you have verified the customer owns the phone number. Use Attestation B (Partial) for enterprise PBX with multiple DIDs. Use Attestation C (Gateway) only for transit traffic where you cannot verify the caller.
Q: Is Kamailio or Asterisk better for STIR/SHAKEN?
A: Kamailio is better for high-volume carrier-grade deployments with thousands of CPS, offering better performance and scalability. Asterisk is easier to configure for smaller deployments and integrates well with existing PBX installations.
Q: What happens if I don’t implement STIR/SHAKEN?
A: Calls without valid STIR/SHAKEN signatures may be blocked or marked as spam by US and Canadian carriers. The FCC requires all providers to implement STIR/SHAKEN and may impose fines for non-compliance.