0

Diversion ("div") PASSporT

One of the newest standards of STIR/SHAKEN is the Diversion (DIV) PASSporT, which is defined by ATIS 1000085. The DIV PASSporT is an adaptation of the SIP Diversion header to the STIR/SHAKEN framework.

What is the SIP Diversion header for and how will DIV PASSporT be used?

Consider the scenario where John, a customer of Service Provider B (SP-b), configures call forwarding to redirect incoming calls to Jane, a subscriber of Service Provider C (SP-c). In this scenario, when Andrew, a client of Service Provider A (SP-a), places a call to John, the call will be redirected to Jane's phone. The call to Jane will then identify that the call was forwarded with the presence of a Diversion header within the INVITE request that Andrew sent. The Diversion header allows for the proper identification and tracing of the call's original routing and is a crucial element in ensuring the proper handling and management of call traffic in advanced communication call flows.

The DIV Passport extends support for call authentication and verification of calls that have been forwarded or diverted to a different number.  The DIV Passport contains important information, including the original called number, calling number, the identity of the service provider that forwarded the call, and the number used to forward/divert the call.

  

This is how a DIV PASSPorT looks like: 

Header:
{ "alg":"ES256",
  "ppt":"div",
  "typ":"passport",
  "x5u":"https://cr.sansay.com/997T/order/119_997T_2" }
Payload:
{ "dest":{"tn":["14444567890"]},
  "div":{"tn":"13334567890"},
  "iat":1676627116,
  "orig":{"tn":"12224567890"} }

 

Merging SIP and SHAKEN terms when the INVITE arrives at SP-c, the STI-VS performs both "shaken" and “div” verification procedures. The verification consists in verifying an unbroken chain of authority from the INVITE Request URI (RURI) in the DIV PASSporT to the SHAKEN PASSPorT "dest" claim.

The beauty of it is, the receiving service provider can verify all this information to ensure that the call is legitimate, hasn't been tampered, and the call is given the level of trust it carries.

SIP Diversion Signing + Verification Example

INVITE sip:4444567890@192.168.10.216:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.25:5060;branch=z9hG4bK-29232-1-14
From: 2224567890 <sip:2224567890@192.168.0.25:5060;qtype=sti-as>;tag=1
To:  <sip:4444567890@192.168.10.216:5060>
Call-ID: 1-29232@192.168.0.25
CSeq: 1 INVITE
Diversion: <sip:3334567890@192.168.10.216:5060>
Contact: sip:2224567890@192.168.0.25:5060
Max-Forwards: 70
Identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvMTE5Xzk5N1RfMiJ9.eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzMzNDU2Nzg5MCJdfSwiaWF0IjoxNjc2NjI3MTE2LCJvcmlnIjp7InRuIjoiMTIyMjQ1Njc4OTAifSwib3JpZ2lkIjoiYzhiM2ZmNDgtYWVhNy0xMWVkLTk3MGEtYzFjMWJmZGM4ODg4In0.TPs9aPXKyl4y0woiwydWaJtRxtakSHuBjfRTO_lPttmxpQQOvJ6rpp0T7QIRupBfIHj1r_JFZyejkh1b54Q2RA;info=<https://cr.sansay.com/997T/order/119_997T_2>;alg=ES256;ppt="shaken"
Content-Length: 0


SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/UDP 192.168.0.25:5060;branch=z9hG4bK-29232-1-14
To:  <sip:4444567890@192.168.10.216:5060>
From: 2224567890 <sip:2224567890@192.168.0.25:5060;qtype=sti-as>;tag=1
Call-ID: 1-29232@192.168.0.25
CSeq: 1 INVITE
Contact: <sip:4444567890@192.168.0.25>
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvMTE5Xzk5N1RfMiJ9.eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzMzNDU2Nzg5MCJdfSwiaWF0IjoxNjc2NjI3MTE2LCJvcmlnIjp7InRuIjoiMTIyMjQ1Njc4OTAifSwib3JpZ2lkIjoiYzhiM2ZmNDgtYWVhNy0xMWVkLTk3MGEtYzFjMWJmZGM4ODg4In0.TPs9aPXKyl4y0woiwydWaJtRxtakSHuBjfRTO_lPttmxpQQOvJ6rpp0T7QIRupBfIHj1r_JFZyejkh1b54Q2RA;info=<https://cr.sansay.com/997T/order/119_997T_2>;alg=ES256;ppt="shaken"
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6ImRpdiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvMTE5Xzk5N1RfMiJ9.eyJkZXN0Ijp7InRuIjpbIjE0NDQ0NTY3ODkwIl19LCJkaXYiOnsidG4iOiIxMzMzNDU2Nzg5MCJ9LCJpYXQiOjE2NzY2MjcxMTYsIm9yaWciOnsidG4iOiIxMjIyNDU2Nzg5MCJ9fQ.AJuoeaQM5lKh_Yy30Zex_01LySYn4NbRzSfOE4eiJWt9TR9nl8habDTJ-utHeL2RZpvwAr_QXYMFiz_4ojw_lw;info=<https://cr.sansay.com/997T/order/119_997T_2>;alg=ES256;ppt="div"
Content-Length: 0


Diversion verify

INVITE sip:4444567890@192.168.10.216:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.25:5060;branch=z9hG4bK-29307-1-22
From: 2224567890 <sip:2224567890@192.168.0.25:5060;qtype=sti-vs>;tag=1
To:  <sip:4444567890@192.168.10.216:5060>
Call-ID: 1-29307@192.168.0.25
CSeq: 1 INVITE
Diversion: <sip:3334567890@192.168.10.216:5060>
Contact: sip:2224567890@192.168.0.25:5060
Max-Forwards: 70
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvMTE5Xzk5N1RfMiJ9.eyJhdHRlc3QiOiJDIiwiZGVzdCI6eyJ0biI6WyIxMzMzNDU2Nzg5MCJdfSwiaWF0IjoxNjc2NjI4NTM0LCJvcmlnIjp7InRuIjoiMTIyMjQ1Njc4OTAifSwib3JpZ2lkIjoiMTU5MmJlNWEtYWVhYi0xMWVkLTk3MGEtYzFjMWJmZGM4ODg4In0.p-QD1_UfpAiR9CoSEK7ODQCJtN1U_1Fcj0kdjN97hWD2PRdHPDhZE2K9tNmyi1F8HPnKVSmjLLHRqZ4oahwiFA;info=<https://cr.sansay.com/997T/order/119_997T_2>;alg=ES256;ppt="shaken"
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6ImRpdiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvMTE5Xzk5N1RfMiJ9.eyJkZXN0Ijp7InRuIjpbIjE0NDQ0NTY3ODkwIl19LCJkaXYiOnsidG4iOiIxMzMzNDU2Nzg5MCJ9LCJpYXQiOjE2NzY2Mjg1MzYsIm9yaWciOnsidG4iOiIxMjIyNDU2Nzg5MCJ9fQ.EFAtwl7pGtKio-6zpfkB9TkA60ntPl7_8ifIZXxul2nv0UuqynC7o6pLbugzfjY2l23CjD-MLnpMz3241dk1BQ;info=<https://cr.sansay.com/997T/order/119_997T_2>;alg=ES256;ppt="div"
Content-Length: 0


SIP/2.0 302 Moved Temporarily
Via: SIP/2.0/UDP 192.168.0.25:5060;branch=z9hG4bK-29307-1-22
To:  <sip:4444567890@192.168.10.216:5060>
From: 2224567890 <sip:2224567890;verstat=TN-Validation-Passed-C@192.168.0.25:5060;qtype=sti-vs>;tag=1
Call-ID: 1-29307@192.168.0.25
CSeq: 1 INVITE
Contact: <sip:4444567890@192.168.0.25>
Reason: SIP;cause=302;text="no-fraud-detected"
Content-Length: 0

NSS SIP Interface

Sansay NSS supports the following Diversion signing scenarios:

  • INVITE with SHAKEN ppt and Diversion header, adds DIV ppt.
INVITE TN-c
PAI:TN-a; From: TN-a; To:TN-b;
Identity: shaken PASSporT {orig/dest=a/b; attest=A}
Diversion: TN-b
  • INVITE with no SHAKEN ppt and Diversion header, adds SHAKEN and DIV ppt.
INVITE TN-c
PAI:TN-a; From: TN-a; To:TN-b;
Diversion: TN-b

  • INVITE with no SHAKEN ppt or Diversion, adds SHAKEN ppt. 

INVITE TN-b
PAI:TN-a; From: TN-a; To:TN-b;

Multiple Diversion scenarios are also supported. If you have any questions please drop your comment below.

NSS REST Interface

New diversion parameter has been added for STI-AS requests. STI-VS support Identity array. More information on NSS REST interface. 

STI-AS Request / Response 

curl https://nss.sansay.com:3334/stir/v1/signing -k -X POST
  -H 'Content-Type: application/json'
  -H 'Accept: application/json'
  -H 'X-RequestID: 12345678'
  -d "{"signingRequest":
        {"orig":{"tn":"12155551212"},
        "dest":{"tn":["12355551212"]},
        "iat":$(date +%s)},
        "diversion":{"tn":"1444567890"},
        "reason":{"tn":"busy"},
        "otg":"50}}"
HTTP/1.1 200 OK
X-RequestID: AA97B177-9383-4934-8543-0F91A7A02836
Content-Type: application/json
Content-Length: …
{"signingResponse":
    {"identity":["eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvNjZfOTk3VF8yIn0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxMzMzNDU2Nzg5MCJdfSwiaWF0IjoxNjgwNzU3OTA5LCJvcmlnIjp7InRuIjoiMTIyMjQ1Njc4OTAifSwib3JpZ2lkIjoiODkwZTc3YmMtZDQzOS0xMWVkLTk3MGEtYzFjMWJmZGM4ODg4In0.b0WKVMkrGLlrQIKyKVhOAvJAJmFIM3DXBwb-cfvmvB05sdyFUIh5koqsXesfUFZJ6Ls7VLtZy4CzTJAfu7wOsg;info=<https://cr.sansay.com/997T/order/66_997T_2>;alg=ES256;ppt="shaken",
                "eyJhbGciOiJFUzI1NiIsInBwdCI6ImRpdiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvNjZfOTk3VF8yIn0.eyJkZXN0Ijp7InRuIjpbIjE0NDQ0NTY3ODkwIl19LCJkaXYiOnsidG4iOiIxMzMzNDU2Nzg5MCJ9LCJpYXQiOjE2ODA3NTc5MDksIm9yaWciOnsidG4iOiIxMjIyNDU2Nzg5MCJ9fQ.kCRN4TLkGjuDkgmwD1z38ath4GS62WdKLMZWX1GPakoW-HfZjqto4D4yvR4BoWSFyoZn7T8DsL1o1AsQuSZmjQ;info=<https://cr.sansay.com/997T/order/66_997T_2>;alg=ES256;ppt="div"]}}

 

STI-VS Request / Response 

curl https://192.168.10.215:3333/stir/v1/verification -k -X POST
    -H 'Content-Type: application/json'
    -H 'Accept: application/json'
    -d '{"verificationRequest":
        {"from":{"tn":"2234567890"},
        "to":{"tn":["2334567890"]},
        "time":1676620719,
        "identity":
        ["eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvNjZfOTk3VF8yIn0.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxMzMzNDU2Nzg5MCJdfSwiaWF0IjoxNjgwNzU3NzQxLCJvcmlnIjp7InRuIjoiMTIyMjQ1Njc4OTAifSwib3JpZ2lkIjoiMjRiZTMyM2UtZDQzOS0xMWVkLTk3MGEtYzFjMWJmZGM4ODg4In0.-gNStqe1I3MkGJDp8gsNo0QGyyv1YT2DdbImQjWDs1nmGPwOx-R51WViCEZ59xQSPwtpK6gXIWuKaI7s8Jg67w;info=<https://cr.sansay.com/997T/order/66_997T_2>;alg=ES256;ppt="shaken",
        "eyJhbGciOiJFUzI1NiIsInBwdCI6ImRpdiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tLzk5N1Qvb3JkZXIvNjZfOTk3VF8yIn0.eyJkZXN0Ijp7InRuIjpbIjE0NDQ0NTY3ODkwIl19LCJkaXYiOnsidG4iOiIxMzMzNDU2Nzg5MCJ9LCJpYXQiOjE2ODA3NTc3NDEsIm9yaWciOnsidG4iOiIxMjIyNDU2Nzg5MCJ9fQ.K4FvVfkuSElBiVhYE6lQXxw0fiWNfpAWLAzXM7OajV9fQWox83tzJZaKesPiK6AAiOBKZL6Kjlwwf8pBSLH6_Q;info=<https://cr.sansay.com/997T/order/66_997T_2>;alg=ES256;ppt="div"]}}"}}'
HTTP/1.1 200 OK
X-RequestID: AA97B177-9383-4934-8543-0F91A7A02836
Content-Type: application/json
Content-Length: …
{
"verificationResponse": { “verstat”: “TN-Validation-Passed” }
}

Reply

null
Login to reply

Content aside

Related Articles
Complete Guide to Deploy STIR/SHAKEN
Rich Call Data
Diversion ("div") PASSporT
Canadian CST-GA, STI-PA and STI-CA on-boarding steps
Delegate Certificates
STIR/SHAKEN Quick Start Guide
NSS AWS EC2 Deployment Guide
NSS User Guide
Three Steps to Obtain a STIR/SHAKEN Certificate
Creating an NSS VM Instance
Working with the STI-PA
STIR/SHAKEN Standards List