STIR/SHAKEN: All inbound calls with an 'Identity' header get rejected, suddenly

ben_itse · April 25, 2022, 6:33pm

PBXs running:
FreePBX 15.0.23; Sangoma Distro
Asterisk 16.25.2

Hello,

Our PBXs started rejecting calls today from our VoIP Innovations trunks. Upon investigating further, we found that asterisk is filling the logs with this message:

[2022-04-25 13:49:06] ERROR[2605]: res_pjsip_stir_shaken.c:303 stir_shaken_incoming_request: STIR/SHAKEN INVITE for VoIP_Innovations_3 has unsupported ppt ("shaken")

Also, sngrep shows that all invites are getting the Identity with a ppt of “shaken”

Identity: ##REDACTED##;info=<https://t-mobile-sticr.fosrvt.com/a469c800cf6                          
861da3e6b8527088d880791e28584393b4b3158384aeea497c9.pem>;alg=ES256;ppt="shaken"

Right after receiving the packet, we get a 100 Trying and then the PBX rejects the call with status code 428: Use Supported PASSporT Format:

2022/04/25 14:02:21.468665 ##PBX IP##:5060 -> ##VI IP##:5060                                                                                                                                           
SIP/2.0 428 Use Supported PASSporT Format                                                                                                                                                                     
Via: SIP/2.0/UDP ##VI IP##:5060;rport=5060;received=##VI IP##;branch=z9hG4bK1sansay800000170rdb8588                                                                                                 
Record-Route: <sip:sansay800000170rdb8588@##VI IP##:5060;transport=udp;lr>                                                                                                                               
Call-ID: 231155979-0-2731739572@##VI IP##                                                                                                                                                                
From: <sip:##Origin TN##@##VI IP##>;tag=sansay800000170rdb8588                                                                                                                                             
To: <sip:##Destination TN##@##PBX IP##>;tag=bf57855d-4c66-4fcf-aba4-32186b3905a5                                                                                                                                  
CSeq: 1 INVITE                                                                                                                                                                                                
Server: FPBX-15.0.23(16.25.2)                                                                                                                                                                                 
Content-Length:  0

The only info we’ve found on code 428 is:

IETF draft-ietf-stir-rfc4474bis introduces the following SIP failure response codes in subclause 6.2.2:

A 428 response will be sent (per Section 6.2) when an Identity header field is required, but no Identity header field without a “ppt” parameter, or with a supported “ppt” value, has been received. In the case where one or more Identity header fields with unsupported “ppt” values have been received, then a verification service may send a 428 with a human-readable reason phrase like “Use Supported PASSporT Format”.

So, it seems as though Asterisk forgot that ppt is supposed to be “shaken” and doesn’t accept the call. Per this page, at least, “ppt … must be shaken.”

Any help will be greatly appreciated

jcolp · April 25, 2022, 7:27pm

It’s a regression we identified in the releases, we’re working to get a patch done and released.

jcolp · April 25, 2022, 7:37pm

Actually, if you can configure FreePBX to not load res_pjsip_stir_shaken.so that will get you going right now. In Asterisk proper that’s done in modules.conf using noload.

PitzKey · April 25, 2022, 8:00pm

You can add a noload in the custom conf files which should work fine

ben_itse · April 29, 2022, 1:41pm

Thanks @jcolp - do you know more or less when the patch will be done so we can test? Thanks!

jcolp · April 29, 2022, 1:53pm

The patch was reviewed, tested, merged, and regression releases done. I believe Asterisk updates are in the stable repo, but I don’t work on FreePBX so can’t confirm that.

ben_itse · April 29, 2022, 1:54pm

Thanks! @jcolp - @lgaetz - do you know?

lgaetz · April 29, 2022, 1:58pm

In the SNG7 distro, most recent versions are available now, courtesy of @franckdanard

# yum clean all
# yum list asterisk16
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Available Packages
asterisk16.x86_64                    16.25.3-1.sng7                     sng-pkgs

ben_itse · April 29, 2022, 2:00pm

Thank you everyone for the great support!

ben_itse · April 29, 2022, 2:29pm

I can confirm that version 16.25.3-1.sng7 works as expected. Thanks!
@lgaetz @jcolp

system · May 29, 2022, 2:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.