Hello, Daniel.

You disscussed it with Oleg Belousov at Kamailio World 2019. ( I added him in cc as he Just subscribed on list and did not saw this thread)

I was a part of his team Who realized this.

Yes, we've implemented STIR/SHAKEN platform for mobile operator, using Lua, which interrogates with php-fpm scripts via http/json queries.

Apart from signing SIP requests and validation of identity headers we had to deploy additional business requirements,

including integration with CVT (Call Validation Treatment) entity, special handling of certain SIP headers, blacklisting, etc. Above approach gave us bit more flexibility.

We can deploy C module, if required, can share our expertize as well.

On Fri, 16 Aug 2019, 16:38 Daniel-Constantin Mierla, <miconda@gmail.com> wrote:

Hello,

at couple of events I participated during the past few months, I was
asked about support of STIR/SHAKEN (caller identity
authentication/verification), which is a hot topic these days at least
in USA, aiming to combat "fraudulent" robo-calling. Therefore I thought
of share some details with everyone in the community about the state in
Kamailio, writing to both devs and users, the information being relevant
for everyone.

We already have the (related) module named auth_identity, available
since 2008 (iirc):

- https://www.kamailio.org/docs/modules/stable/modules/auth_identity.html

But it implements the previous iteration of the specs for caller
identity, respectively RFC 4474:

- https://tools.ietf.org/html/rfc4474

However, that RFC is obsoleted by 8224 (the latest core specs for
STIR/SHAKEN):

- https://tools.ietf.org/html/rfc8224

Then, there are also RFCs 8225 and 8226 to add to the core specs.

Should anyone be interested to implement STIR/SHAKEN specs in a modules,
I would suggest to start from auth_identity -- might not be much work to
update it to become conform with latest specs (a new module can be
created, of course, even when starting from auth_identity).

However, these specs are about signing the SIP request (the INVITE) with
special PKI certificate. It can be done easily with embedded scripts
such as Lua or Python (inline execution in native kamailio.cfg or using
kemi scripts). At Kamailio World 2019, one of the participants I
discussed with told me they already implemented using Lua.

That's it for a starting point, if anyone wants to discuss more, just
reply to sr-users and add your comments or ask the questions.

If someone wants to go ahead and work on a C module, announce yourself
to avoid duplicate work of others, and use sr-dev if you need assistance
on module development.

Cheers,
Daniel

--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users