Hey Folks,
I'm integrating STIR/SHAKEN using kamailio, but not using self hosted certs with the secsipid module, just using a redirect from clearip on the SIP Calls. I've got the basic connection to clearip using t_relay_to_tcp for testing, but I'm struggling with the checks and timeouts. I have call progress past the initial request where I need to wait for a response. Should I put the clearip invite in its own route block use return? Has anyone successfully integrated the redirect method with kamailio to clearip and can give me some example route checks in the kamailio configs?
Thanks. JR
Hey JR,
Basic aspects of what I do…
Change the ru like you already have and then add something like:
if (!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE_STIR");
Then 2 aspects…
onreply_route[MANAGE_REPLY] {
    if (t_check_status("30[1-2]")) {
        if (is_present_hf("Identity")) {
            $avp(stir) = $hdr(Identity);
            xinfo("Identity found: $avp(stir)\n");
        }
    }
}

failure_route[MANAGE_FAILURE_STIR] {
    xinfo("$T_reply_code received.\n");
    if (t_is_canceled()) {
        exit;
    }

    if (t_check_status("30[1-2]")) {
        if ($avp(stir)!=$null) {
            if (!is_present_hf("Date")) {
                append_time_to_request();
                xinfo("Date header added\n");
            }

            append_hf("Identity: $avp(stir)\r\n", "Server");
            xinfo("Identity header added: $avp(stir)\n");
        } else {
            xinfo("Identity not detected\n");
        }

        route(WHEREVER);
    }

    t_reply("404","Cannot Send MFS1");
}
Fred Posner Tel: +1 (352) 664-3733 Alt: +1 (224) 334-3733
Contact info at https://fredp.xyz
Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender!
Since the redirect response is 3xx+, you should catch it in a failure_route[], which is armed with t_on_failure().
In the failure_route, you can check if the failure_route was invoked because of a timeout with if(t_branch_timeout()), and if it was not, extract the reply code with $T_rpl($rs).
Then, you modify the R-URI ($ru) to proceed to the original destination and call t_relay() again.
-- Alex
Also, t_relay_to_tcp() is not necessarily the way forward. Be mindful of the possibility of manipulating $fs to select an outgoing (TCP) listener socket, and of the need to add or strip ;transport=tcp R-URI attributes depending on whether the request is going to a TCP destination.
Putting it all together:
route[ANI_ATTESTATION_QUERY] {
    t_on_branch('ANI_ATTESTATION_QUERY_BRANCH');
    t_on_failure('ANI_ATTESTATION_QUERY_CATCH');

    if(!t_relay())
        sl_reply_error();

    exit;
}

branch_route[ANI_ATTESTATION_QUERY_BRANCH] {
    uac_replace_from("", "sip:$avp(trans_ani)@$fd");
    $ru = 'sip:' + $rU + '@' + ANI_ATTESTATION_GW;
}

failure_route[ANI_ATTESTATION_QUERY_CATCH] {
    if(t_is_canceled()) {
        #xlog(...)
        exit;
    }

    if(t_branch_timeout()) {
        #xlog(...)
        route(OUTBOUND_ROUTE_CONTINUE); # Proceed as normal, w/o Identity header.
        exit;
    }

    # Received response, but not 302.
    if($T_rpl($rs) != 302) {
        #xlog(...) - unexpected reply
        route(OUTBOUND_ROUTE_CONTINUE);
        exit;
    }

    # Received 302, but no Identity header.
    if($T_rpl($hdr(Identity)) == $null) {
        route(OUTBOUND_ROUTE_CONTINUE);
        exit;
    }

    # Intermediate storage required because $hdr(...) value is not
    # constant.
    $avp(attest_hdr) = "Identity: " + $T_rpl($hdr(Identity));

    route(OUTBOUND_ROUTE_CONTINUE); # t_relay() etc.
}
-- Alex Balashov Principal Consultant Evariste Systems LLC Web: https://evaristesys.com Tel: +1-706-510-6800
A few additional thoughts based on the responses from Fred and Alex:
I'd leave the RURI alone and just set the destination URI (unless you're required to have their hostname in your RURI domain). As Alex recommended, do this in the branch route. The advantage here is that you don't need to worry about any existing transport parameters in the RURI. Just:
branch_route[STIAS_BRANCH] {
    $du = "sip:" + $sht(clearip_ip) + ":" + $sht(clearip_port) + ";transport=tcp";
}
I'm not entirely sure on replacing the From: user, since you really want the value you're sending on to match what's signed. IIRC, clear IP has some options to allow for normalization to globalized e.164 (without the leading plus character). Also, if memory serves, you might want to re-try in the event of timeout failures, etc. since clear ip is operating multiple hosts on their hostname.
(note, my company used to use clear IP, but has since moved to signing our own calls, so I don't have any direct access or examples for clear IP - just going from memory.)
Regards,
Kaufman
________________________________
From: JR Richardson via sr-users sr-users@lists.kamailio.org
Sent: Monday, May 19, 2025 2:45 PM
To: sr-users@lists.kamailio.org sr-users@lists.kamailio.org
Cc: JR Richardson jmr.richardson@gmail.com
Subject: [SR-Users] stir/shaken integration with clearip redirect method
Hey Folks,
I'm integrating STIR/SHAKEN using kamailio, but not using self hosted certs with the secsipid module, just using a redirect from clearip on the SIP Calls. I've got the basic connection to clearip using t_relay_to_tcp for testing, but I'm struggling with the checks and timeouts. I have call progress past the initial request where I need to wait for a response. Should I put the clearip invite in its own route block use return? Has anyone successfully integrated the redirect method with kamailio to clearip and can give me some example route checks in the kamailio configs?
Thanks. JR
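The concern raised in the thread, that the From user sent onward must match what was signed and that a Date header must accompany the Identity header, can be checked offline by decoding the PASSporT carried in the 302. The following is an added example, not code from any poster or from ClearIP; the sample header, telephone numbers, certificate URL and the 60-second freshness window are constructed assumptions, and only the claims are inspected, not the ES256 signature.

```python
import base64
import json
import time

X5U = "https://certs.example.invalid/sp.pem"  # constructed placeholder URL

def b64url(obj):  # unpadded base64url of compact JSON, as JWS uses
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample(orig_tn, iat):
    """Constructed Identity value with a placeholder signature (sample data)."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U}
    body = {"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": iat,
            "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    return f"{b64url(hdr)}.{b64url(body)}.c2ln;info=<{X5U}>;alg=ES256;ppt=shaken"

def parse_identity(value):
    """Split an RFC 8224 Identity value into PASSporT header, claims, params."""
    token, _, rest = value.strip().partition(";")
    if token.count(".") != 2:
        raise ValueError("PASSporT needs three dot-separated segments")
    hdr, claims = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                   for p in token.split(".")[:2])
    if not (isinstance(hdr, dict) and isinstance(claims, dict)):
        raise ValueError("PASSporT header and claims must be JSON objects")
    params = dict(kv.strip().split("=", 1) for kv in rest.split(";") if "=" in kv)
    return hdr, claims, params

def check_identity(value, from_user, now=None, max_age=60):
    """Return a list of problems; empty means the claims match the call."""
    try:
        hdr, claims, params = parse_identity(value)
    except ValueError as exc:  # also covers base64, UTF-8 and JSON errors
        return ["unparseable Identity header: %s" % exc]
    problems = []
    if hdr.get("ppt") != "shaken" or hdr.get("alg") != "ES256":
        problems.append("not an ES256 SHAKEN PASSporT")
    if params.get("info", "").strip("<>") != hdr.get("x5u"):
        problems.append("info parameter differs from x5u")
    orig = claims.get("orig")
    # Canonical orig.tn has no leading '+', so strip it from the From user.
    if not isinstance(orig, dict) or orig.get("tn") != from_user.lstrip("+"):
        problems.append("orig.tn does not match From user")
    iat = claims.get("iat")
    now = time.time() if now is None else now
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        problems.append("iat outside freshness window")
    return problems
```

Feed it the Identity value logged by the failure_route and the From user actually placed on the outgoing INVITE; a non-empty result means the terminating side is likely to fail verification.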
On May 19, 2025, at 5:06 PM, Ben Kaufman via sr-users sr-users@lists.kamailio.org wrote:
I'd leave the RURI alone and just set the destination URI (unless you're required to have their hostname in your RURI domain).
I was under the impression they want themselves in the RURI domain. If that's not true, this is absolutely right.
My recollection is that you need to explicitly allowlist your source addresses in their interface, and that was it for the authentication, but it's been a while since I worked with it, and if they want that hostname in the RURI, then definitely it needs to be there 🙂
Kaufman