Enable Inbound Call Filtering for a Shared Trunk

This topic describes how to enable the call filtering feature for a shared trunk. Once enabled, the associated P-Series Cloud PBX will use the verification results provided by the ITSP and reject calls based on the rejection criteria.

Requirements

  • The firmware of Yeastar Central Management is 87.17.0.22 or later.
  • The firmware of P-Series Cloud PBX is 84.21.0.16 or later.

Background information

Before delivering an incoming call to your shared trunk, the ITSP verifies the call and includes the signature verification result in the P-Asserted-Identity (PAI) header and the SHAKEN attestation level in a specific SIP header.

When the verification result is sent to the associated PBX, the PBX extracts the signature verification result and the SHAKEN attestation level from the result. If either of them matches the pre-defined rejection criteria, the PBX will reject the call.

The following diagram (for reference only) illustrates the key steps of how a PBX processes the verification result provided by the ITSP.

Note: If both the inbound call filtering and inbound call verification features are enabled for a shared trunk, the associated PBX will first check the rejection criteria configured in the call filtering settings and then the criteria configured in the call verification policy.

Prerequisites

Contact your ITSP to obtain the following parameter names.
  • The parameter name in the P-Asserted-Identity (PAI) header where the ITSP includes the signature verification result.
  • The parameter name defined by the ITSP to convey the SHAKEN attestation level.
Tip: The ITSP sends the verification results within the SIP message. For example, if the verification result provided by the ITSP contains the following information, then the signature verification result (TN-Validation-Failed) is conveyed by the verstat parameter, and the SHAKEN attestation level (C) is conveyed by the P-Attestation-Indicator parameter.
P-Asserted-Identity: <sip:+1234567890;verstat=TN-Validation-Failed@203.0.113.45:50560>
P-Attestation-Indicator: C

Procedure

  1. Log in to Yeastar Central Management, go to Cloud PBX > Trunk Sharing > Shared Trunks.
  2. Click beside the desired shared trunk.

  3. In the Advanced tab, scroll down to the STIR/SHAKEN section.
  4. Turn on the switch of Upstream Verification Result Handling, and configure the following settings.

    1. In the Verification Status Parameter in PAI Header field, enter the parameter name defined by the ITSP to convey the signature verification result.

      In this example, enter verstat.

      Note: Both uppercase and lowercase letters are supported (case-sensitive).
    2. In the Header Field for SHAKEN Attestation Level field, enter the parameter name defined by the ITSP to convey the SHAKEN attestation level.

      In this example, enter P-Attestation-Indicator.

      Note: Only hyphens (-) and letters (both uppercase and lowercase) are supported.
    3. Select the checkbox of Enable Call Filtering.
    4. In the Drop Calls by Verification Status drop-down list, select one or more verification statuses that will trigger call rejection.

      In this example, select No-TN-Validation, TN-Validation-Failed and C. If either the signature verification result or the SHAKEN attestation level matches the selected status, the inbound call will be rejected.

      Note: If your ITSP has defined custom verification statuses, click Create New to add them as needed. You can create up to 10 custom statuses.

      • B: The call comes from a legitimate user, but it cannot be confirmed whether the caller has the right to use the number (e.g., a call with a custom caller ID).
      • C: The call comes from a legitimate gateway, but it cannot be confirmed whether the number belongs to a legitimate user and the number is authentic (e.g., a call routed through legacy PSTN or from international transfer).
      • TN-Validation-Failed: Signature verification failed (e.g., a call with invalid signature or revoked certificate).
      • No-TN-Validation: No verification result available (e.g., a call without the Identity header).
  5. Click Save.

Result

  • The associated PBX uses the verification result provided by the ITSP and rejects calls based on the rejection criteria.

    In this example, the PBX extracts the signature verification result TN-Validation-Failed from the verstat parameter and the SHAKEN attestation level C from the P-Attestation-Indicator parameter. Since both values match the rejection criteria configured in Drop Calls by Verification Status, and a match on either one is sufficient, the inbound call is rejected.

  • The inbound call filtering results can be checked on the associated PBX.
    • The SHAKEN attestation level and reject reason of each inbound call are recorded in the Call Detailed Records (CDR) (Path: Reports and Recordings > CDR).

    • When an inbound call is rejected, an event notification called Inbound Call Rejected due to STIR/SHAKEN Verification Failure will be triggered.
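
The extraction and rejection logic described in this topic can be checked against a captured INVITE before the parameter names are entered in Central Management. The following Python sketch is an added example, not Yeastar code: the function names are hypothetical, the sample headers are constructed from the values used in this topic, and the case-insensitive header lookup follows RFC 3261 rather than any documented PBX behaviour.

```python
import re

# Constructed sample headers using the values from this topic's example.
SAMPLE_HEADERS = (
    "P-Asserted-Identity: "
    "<sip:+1234567890;verstat=TN-Validation-Failed@203.0.113.45:50560>\r\n"
    "P-Attestation-Indicator: C\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to values (RFC 3261: names are case-insensitive)."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def extract_results(raw, status_param, attest_header):
    """Return (verification status, attestation level); None where a value is absent."""
    # The attestation header field accepts only letters and hyphens (see the field note).
    if not re.fullmatch(r"[A-Za-z-]+", attest_header):
        raise ValueError("header field name may contain only letters and hyphens")
    headers = parse_headers(raw)
    pai = headers.get("p-asserted-identity", "")
    # The PAI parameter name is case-sensitive, so it is matched exactly.
    match = re.search(r";" + re.escape(status_param) + r"=([^;@>\s]+)", pai)
    status = match.group(1) if match else None
    level = headers.get(attest_header.lower()) or None
    return status, level

def should_drop(status, level, drop_statuses):
    """Reject when either extracted value is in the configured drop list."""
    return status in drop_statuses or level in drop_statuses

def evaluate(raw, status_param, attest_header, drop_statuses):
    """Extract both values and apply the drop list, returning the decision."""
    status, level = extract_results(raw, status_param, attest_header)
    return {"status": status, "level": level,
            "rejected": should_drop(status, level, set(drop_statuses))}

if __name__ == "__main__":
    drop = ["No-TN-Validation", "TN-Validation-Failed", "C"]
    print(evaluate(SAMPLE_HEADERS, "verstat", "P-Attestation-Indicator", drop))
    # A wrongly cased parameter name finds no status; only the level is then checked.
    print(evaluate(SAMPLE_HEADERS, "Verstat", "P-Attestation-Indicator", drop))
```

A status of None in the output means the configured parameter name did not appear in the PAI header, which usually points to a spelling or case mismatch with what the ITSP actually sends.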