[VoiceOps] STIR/SHAKEN Discussion: Will it help?

Peter Beckman beckman at angryox.com
Tue Dec 17 14:58:13 EST 2019


A few months ago I attended an FCC STIR/SHAKEN discussion in Washington DC.
They didn't get deep into the technical details but there were a bunch of
big carrier representatives there.

If you haven't followed STIR/SHAKEN, it's really just an additional SIP
header that contains cryptographically-signed information about the origin
point of the call.

You can verify the signature with publicly published public keys so you
know whoever signed it is really them.

Here are a few resources if you want to learn more:

     https://www.bandwidth.com/glossary/stir-shaken/
     https://www.fcc.gov/call-authentication
     https://en.wikipedia.org/wiki/STIR/SHAKEN
     https://www.home.neustar/stir-shaken-resource-hub

There are three levels to tell you how much you should trust the origin of
the call:

     1. Full -- The call came from the originating carrier's customer and is
         authorized to use the number

     2. Partial -- The call came from the originating carrier's customer but
         may or may not be authorized to use the number

     3. Gateway -- The carrier has authenticated from where it received the
         call, but cannot authenticate the call source (e.g., International
         Gateway call).

As an example, as will be many legit cases, a Verizon Wireless mobile
customer will place a call, which will route to Verizon, who will sign the
call using STIR/SHAKEN with Full Attestation and we can all "trust" the
call.

But now we throw in VoIP.

I'm a small customer, Initech, of a larger carrier, Hooli. I don't sign my
calls, so I hand my calls to my larger carrier, Hooli. Hooli sees the call
from me (their customer) with a valid CallerID I'm authorized to use and so
Hooli signs the call with STIR/SHAKEN with Full Attestation.

Turns out the call was a robocall.

What changes? The only thing that changes is that the receiving party, say
Soylent Corp, knows that Hooli originated the call. Soylent is not Hooli's
customer, so how does Soylent complain to Hooli about the content of the
call?

And as carriers, we are not legally responsible for the content of our
customers' calls.

How will Soylent accept 90% of Hooli's Fully Attested valid traffic but
avoid the 10% that is spam/robocalls that are ALSO Fully Attested?

How exactly does STIR/SHAKEN help fix the robocall and spam call problem?

Yes, I could block all of Hooli's calls where the attestation is Partial or
Gateway, but you run the risk of false positives, especially in the
International category, or just when Hooli isn't sure, like when I rent a
DID from Acme but do termination through Hooli -- Hooli doesn't know that I
am authorized to use that DID from Acme, even though I am, so Hooli has to
mark my call as Partial or Gateway.

I'm all for reducing annoying spam and robocalls, but I'm still not yet
convinced that STIR/SHAKEN is going to materially reduce them.

Let's discuss!

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
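
The scenario in the message above, as an added example that is not part of the original post: it decodes the attestation level from a SHAKEN Identity header and applies the "Full attestation only" policy to four constructed calls. The certificate URL, phone numbers and call list are assumptions made up for illustration, and the signature segment is a placeholder that is not verified here.

```python
import base64, json

LEVELS = {"A": "Full", "B": "Partial", "C": "Gateway"}  # values of the "attest" claim

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_identity(x5u, orig_tn, dest_tn, attest):
    """Constructed sample header; the third segment is a placeholder, not a signature."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": 1576612693,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_enc(hdr)}.{_enc(claims)}.PLACEHOLDER;info=<{x5u}>;alg=ES256;ppt=shaken"

def parse_identity(value):
    """Return (signer cert URL, calling number, attestation name) from an Identity value."""
    token = value.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT needs header.payload.signature")
    hdr, claims = _dec(parts[0]), _dec(parts[1])
    if hdr.get("ppt") != "shaken" or claims.get("attest") not in LEVELS:
        raise ValueError("not a SHAKEN PASSporT")
    return hdr["x5u"], claims["orig"]["tn"], LEVELS[claims["attest"]]

def admit_full_only(value, from_tn):
    """Policy discussed in the post: accept only Full attestation for the From number."""
    _, orig_tn, level = parse_identity(value)
    return level == "Full" and orig_tn == from_tn

HOOLI = "https://certs.hooli.example/sti.pem"  # hypothetical certificate URL
# (label, calling number, attestation, is_robocall): constructed calls, all signed by Hooli
CALLS = [("Initech sales call", "12025550100", "A", False),
         ("Initech robocall", "12025550100", "A", True),
         ("Initech via Acme DID", "12025550177", "B", False),
         ("International gateway", "442079460000", "C", False)]

def evaluate(calls=CALLS):
    """Return (robocalls admitted, legitimate calls blocked) under the Full-only policy."""
    results = [(label, spam, admit_full_only(make_identity(HOOLI, tn, "12025550123", a), tn))
               for label, tn, a, spam in calls]
    return ([l for l, spam, ok in results if spam and ok],
            [l for l, spam, ok in results if not spam and not ok])

if __name__ == "__main__":
    print(evaluate())
```

The header identifies Hooli as the signer in every case; nothing in it distinguishes the two Full-attested Initech calls from each other.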

