[VoiceOps] Outsourcing STIR/SHAKEN Setup

Zilk, David David.Zilk at cdk.com
Wed Sep 2 15:56:24 EDT 2020


Replace “robocalls” with “spoofed calls” and you would be correct.  A service provider can legitimately provide A attestation to calls that turn out to be illegal robocalls, as long as the caller can legitimately use the number they are calling from.  At that point the traceback functionality of STIR/SHAKEN can be invoked and trace the call back to the robocaller for prosecution. The service provider would not be on the hook for attesting the illegal calls.

However, if the calling number is spoofed and is not one that the end user can legitimately use, the service provider could have their SHAKEN certificate revoked for attesting that traffic at the A level (presumably after a certain period of warning and if they were not responsive to resolving the situation).

From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Paul Timmins
Sent: Wednesday, September 2, 2020 12:12 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Outsourcing STIR/SHAKEN Setup

Exactly that. The idea is collateral pain for misbehavior. Or attorneys general knocking on doors wondering why they're allowing robocalls through their network. Ideally both.

On 9/2/20 3:06 PM, Alex Balashov wrote:
That’s what I thought, thank you for clarifying. I was just confused because of the language in Paul’s previous explanation—no fault of his.

But in the bottom of the barrel, it will leave some folks with a conundrum about what to do when XYZTelecom sends their good conversational traffic through their peer A, and their crappier traffic through their peer B. But I suppose that is the very dilemma that this technique is meant to force.

—
Sent from mobile, with due apologies for brevity and errors.


On Sep 2, 2020, at 3:01 PM, Mark Lindsey <lindsey at e-c-group.com><mailto:lindsey at e-c-group.com> wrote:
SHAKEN doesn't record the chain (like you'd see with Via headers, for example) of Intermediate Providers who handle the call. There's only one Identity header and it is to be passed unchanged from the origin point to the terminating Voice Service Provider.

When the Identity header with PASSporT arrives at the final Voice Service Provider, that recipient can determine who created the PASSporT and then make judgments. For example, there has been a lot of discussion in FCC filings about "reputation" of service providers. Perhaps you could subscribe to a Reputation database to determine what to do with the calls.

For example, "This call got an A level attestation from XYZTelecom, but XYZTelecom has a 5% score in the reputation database, so I'm going to treat it as if this call is likely a nuisance call."


Mark R Lindsey, SMTS | +1-229-316-0013 | mark at ecg.co<mailto:mark at ecg.co> | https://ecg.co/lindsey/<https://urldefense.proofpoint.com/v2/url?u=https-3A__ecg.co_lindsey_&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=bfpZN3Qs-XiEWVqI-UO_RSGfdV7fqcSBPBneAU7IkNc&e=>




On Sep 2, 2020, at 2:52 PM, Alex Balashov <abalashov at evaristesys.com<mailto:abalashov at evaristesys.com>> wrote:

Thank you, that’s very clear and sums it all up!

One lingering question: even without providing a fully attestable chain of custody, if the call took a route A -> B -> C, are signatures cumulative such that I could block calls attested by B coming through C? Or am I constrained to blocking a certain level of attestation only through the last/proximate peering hop (C) that directly touches me?

I suppose success is going to come down to the on-the-ground realities, political viability, etc of taking that “block attested calls from carrier X” step.
—
Sent from mobile, with due apologies for brevity and errors.


On Sep 2, 2020, at 2:47 PM, Paul Timmins <ptimmins at clearrate.com<mailto:ptimmins at clearrate.com>> wrote:

The solution is that you sign your calls with your certificate. Carriers aren't doing LNP dips to verify the number is really yours, they're trusting your attestation (A: yes, the caller id is verified, B: it comes from our customer, but not verified, C: "this touched our switches, good luck with it"). If you attest total nonsense as A, or send tons of nonsense in general, people start blocking calls you sign.

It really verifies who is sending the call, and what that company says the call is verified, not a full chain of custody of the number back to the NANPA/PA. Could you attest A a call from "0" or "911", or "999-999-9999"? Yes, you could. It'd work for a while, til someone said "Wow, Alex's SPID is signing tons of bullshit. Let's block attested calls from his SPID"

-Paul

________________________________
From: VoiceOps <voiceops-bounces at voiceops.org<mailto:voiceops-bounces at voiceops.org>> on behalf of Alex Balashov <abalashov at evaristesys.com<mailto:abalashov at evaristesys.com>>
Sent: Wednesday, September 2, 2020 2:42 PM
To: VoiceOps
Subject: Re: [VoiceOps] Outsourcing STIR/SHAKEN Setup

LCR or no LCR, using a termination vendor that is different to one’s origination vendor for a given CID is more normal than not in VoIP. I would guess it’s the default wholesale use-case. Origination and termination are very different business models with radically different economics.

I’m not clear on what the official STIR/SHAKEN solution to this is. I assume it’s delegated certificates as Jared suggested.
—
Sent from mobile, with due apologies for brevity and errors.


On Sep 2, 2020, at 2:39 PM, Carlos Alvarez <caalvarez at gmail.com<mailto:caalvarez at gmail.com>> wrote:

If I understand correctly, no as long as your providers are all supporting this.  What I think you mean is that you get origination/DIDs from say Bandwidth, and you use LCR to route calls to whoever is cheapest?  There are ways to work with that challenge as long as your carriers are ready to do so.

On Wed, Sep 2, 2020 at 11:28 AM Jared Geiger <jared at compuwizz.net<mailto:jared at compuwizz.net>> wrote:
If we purchase our numbers through wholesalers, would we need delegated certificates if we are sending an outbound call through a vendor that is not the wholesaler we got the number from?

On Wed, Sep 2, 2020 at 7:22 AM Dave Frigen <dfrigen at wabash.net<mailto:dfrigen at wabash.net>> wrote:
There is a STIR-SHAKEN process of registering and testing with the Policy
Administrator (PA) as a certified Service Provider (SP) before you can
purchase SHAKEN token certificates from a Certificate Authority (CA) and
begin to engage in using the technology. This is not a walk in the park.
Transnexus is one of two public CA's in the U.S. today. They are experts on
the subject and can help you through both processes. In order to get the
best call attestation you must prove to the PA and CA that you are a bono
fide service provider and not a bad-acting enterprise on a network that
deserves lesser attestation levels.

One of the registration requirements is a SP 's access to valid national
phone number pools. This has been very confusing for some resale providers
that purchase and use numbers from wholesalers only. If your organization
does not have it's own numbering resources, you can register using your
wholesale provider's numbering pool data. Don't assume you have to register
with the FCC and possess your own pool of numbers to become a registered
SHAKEN SP.

SHAKEN ROBO call mitigation is a new frontier, and obtaining the best
attestation level possible for a SP is essential to the SP and the SHAKEN
ecosystem. Register and test for the best attestation level possible.
Transnexus is a seasoned expert on the subject and a U.S. registered CA with
the PA.

Dave


-----Original Message-----
From: VoiceOps <voiceops-bounces at voiceops.org<mailto:voiceops-bounces at voiceops.org>> On Behalf Of Mary Lou Carey
Sent: Tuesday, September 1, 2020 5:36 PM
To: Dovid Bender <dovid at telecurve.com<mailto:dovid at telecurve.com>>
Cc: Voiceops.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__Voiceops.org&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=JXh9xtC2t3NjB0pTS1pIQi2umZ-W5ZrFvuq8I8HA4wE&e=> <voiceops at voiceops.org<mailto:voiceops at voiceops.org>>
Subject: Re: [VoiceOps] Outsourcing STIR/SHAKEN Setup

I'm a Carrier Consultant who's been helping CLEC, IXC, Paging, Wireless and
VOIP carriers install and maintain their PSTN networks for the the last 20
years. I can help clients get their FCC Certification to become a
STIR/SHAKEN carrier as well as Numbering Resources, NPAC / LSR training, etc
(if you need those pieces). Once my clients get their certification, I refer
them to TransNexus. Jim and his team can help you with the process of
turning your STIR/SHAKEN services up.

MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111

On 2020-08-31 05:37 AM, Dovid Bender wrote:
> Hi,
>
> Does anyone have a recommendation for a company that get us everything
> needed for STIR/SHAKEN setup? By setup I mean helping us file to get a
> cert etc. From the small research I have done there is a lot of
> fragmented information out there and it would be easier for us to pay
> someone else to do this then invest our own time to take care of this.
>
> TIA.
>
> Regards,
>
> Dovid
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
> https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>

Mark R Lindsey, SMTS | +1-229-316-0013 | mark at ecg.co<mailto:mark at ecg.co> | https://ecg.co/lindsey/<https://urldefense.proofpoint.com/v2/url?u=https-3A__ecg.co_lindsey_&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=bfpZN3Qs-XiEWVqI-UO_RSGfdV7fqcSBPBneAU7IkNc&e=>




_______________________________________________

VoiceOps mailing list

VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>

https://puck.nether.net/mailman/listinfo/voiceops<https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_voiceops&d=DwMDaQ&c=N13-TaG7c-EYAiUNohBk74oLRjUiBTwVm-KSnr4bPSc&r=VcRLyVxkyGds34uxiPM944HQvaWq-nynyZXfNpSfhOs&m=1R2piqtkdrEiuvmHt_qcplO7ZJqMdIkxdu_REKvI5-0&s=hwKIFiHz5ZoWwXNEoLwzK-VRnEYwCwuiMk4sG8_fLBw&e=>



----------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20200902/bf531b98/attachment-0001.htm>


More information about the VoiceOps mailing list