[VoiceOps] Update on STIR/SHAKEN

[Mary Lou Carey]

Thank you for sharing what you do. The only thing I would say is that 
this is similar to building redundancy into your network. If a wholesale 
carrier is signing all their reseller's traffic with the same 
certificate, then there is one point of failure unless you have a way of 
identifying the reseller another way.

The only possible way I can think of to further separate a reseller's 
traffic from the rest of the wholesaler's traffic would be to assign a 
dedicated LRN to each reseller. The OCN and company name of the reseller 
can be associated with a specific LRN by populating the FQDN OCN and 
FQDN fields on the LRN record in the LERG. NPAC also allows an altSPID 
to be added to their records in the NPAC database.

That may be just as cumbersome as associating each carrier's certificate 
with their traffic. I don't know, but I do know that when there's only 
one certificate shared between all companies it puts all involved at a 
lot more risk.


MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111

On 2023-07-13 12:14 PM, Daniel White via VoiceOps wrote:
> Good morning everyone.  I see my company got brought up here, and we
> are probably a good use case in the entire ecosystem to consider when
> it comes to Robocall mitigation.  What is my companies (or any other
> white-label resellers) responsibilities to it.
> 
> While we do not have a direct end-user relationship with the client,
> we do require that our resellers (smaller, regional ISPs primarily)
> have a direct relationship with the client that would meet all of
> Attestation A requirements.  This is actually fairly easy to have as
> an ISP rather than an MSP or other company that accepts any client to
> sign up for service (since an ISP has to visit the premise to install
> service generally).
> 
> Furthermore, every DID on our system is ported though our company (we
> primarily use IQNT, Bandwidth, and VI for our own Orig/Term) so we are
> verifying things like an LOA and last copy of bill.
> 
> No calls are allowed to originate from our system that do not match a
> CLID that we have verified that client has authorization to use.  This
> prevents our clients (i.e. resellers) from spoofing CLID, and CNAME
> storage with our vendors can only be set via Atheral.
> 
> We do use ClearIP/TransNexus for STIR/SHAKEN but also for Telecom
> Fraud and Robocall protection.  If a user starts exhibiting robocall
> or fraudulent call behavior we shut that down immediately.  We also
> prohibit dialer traffic on our network or traffic poor call
> completion.
> 
> The legal advice we were given was that our resellers, all of whom
> file a 499a, do not need to sign their own traffic.  We have always
> been very protective of our switching infrastructure (utilizing a
> Netsapiens switch with Ribbon SBCs in front) and the traffic that
> flows through it.  We do not bill per minute to our clients, so
> minimizing any potential fraudulent traffic is a key concern of ours
> to keep our costs low.
> 
> Of course, if the FCC goes a different direction we will change our
> stance.  I believe there isn't any reason to burden small, regional
> ISPs with the signature since our clients are almost exclusively
> de-minims and adds nothing to the traceback process.  If we get a
> traceback, we will work with the ISP or immediately kick them off our
> system.
> 
> Alianza (https://www.alianza.com/) has a very similar business model
> to ours although we mostly target different ISPs than we do.  I've not
> dug into how they or any other white-label reseller has interpreted
> the rules as they sit today, but I imagine most companies like ours
> are "the good actors" and not the ones that these regulations were
> intended to change behavior of.
> 
> Thank you!
> 
> 		 [1]
> 
>  Daniel White
> Co-Founder
> 
>  phone: +1 (702) 470-2770
> direct: +1 (702) 470-2766
> 
>> David Frankel via VoiceOps
>> July 12, 2023 at 6:01 PM
>> 
>> Nathan: Thanks for sharing your thinking and a specific example.
>> 
>> I can't speak for the FCC or the ITG (obviously) and they probably
>> won't
>> weigh in here. But, as Mary has done, I can share what I hope is a
>> reasonably accurate perspective.
>> 
>> I hope, Nathan, that the key is your statement: "But sans any
>> violations to
>> look into...how would they know?" And, I would add, why would they
>> care? If
>> the group you describe isn't a bunch of trouble-makers, then surely
>> there
>> are other fish to fry when it comes to compliance issues. Let's put
>> our
>> focus on the ones that are actually wreaking havoc.
>> 
>> I hadn't heard of Atheral before, but I see that they have a SHAKEN
>> token
>> per iconectiv, so they can sign calls. They list several customers
>> on their
>> web page; I spot checked those and the ones I searched do NOT have
>> tokens
>> but ARE registered in the Robocall Mitigation Database. I did see
>> that a
>> couple of them had very nicely written Robocall Mitigation Plans
>> (Zirkel,
>> for example, with Vistabeam in second place) that explained exactly
>> how they
>> work with Atheral in terms of getting calls signed.
>> 
>> We could debate (and in fact, we are debating at the FCC) whether,
>> for
>> example, it's OK for Atheral to sign calls with Atheral's token on
>> behalf of
>> Zirkel. We might argue that Zirkel is the one with the direct
>> authenticated
>> relationship with their customer, so it should be a Zirkel signature
>> on
>> those calls. Or you can make a semantic argument that Atheral is the
>> "Originating Voice Service Provider" and that it is through their
>> agent
>> Zirkel that they have the customer relationship. Zirkel explains how
>> they
>> validate the phone numbers that their customers use, and pass that
>> information on to Atheral for proper attestation. It all appears to
>> be on
>> the up-and-up.
>> 
>> Atheral has to understand that by putting the Atheral signature on
>> calls
>> coming via Zirkel and others, Atheral is putting its own reputation
>> on the
>> line. So Atheral is presumably motivated to ensure everybody plays
>> nice,
>> which they probably do at least in part via their contractual
>> agreements.
>> 
>> To my knowledge, the ITG does not "block traffic" or enforce rules
>> about
>> tokens. The ITG is in the business of traceback, and it makes the
>> information it gathers through that process available, selectively,
>> to
>> others that can then act on it. That includes not just government
>> enforcers
>> but, for example, others in the call chain. If a particular provider
>> is
>> involved in a traceback, they get visibility to whether their
>> upstream is
>> responding to that traceback. If not, or if that upstream failed to
>> sign a
>> call when they should have, then the downstream provider can
>> initiate action
>> on its own with respect to that upstream.
>> 
>> Back to Atheral -- our RRAPTOR robocall surveillance platform has
>> never
>> captured a problematic call with an Atheral signature. That doesn't
>> mean we
>> know for certain that no "bad" robocalls flow via Atheral, but it's
>> probably
>> safe to say that at the moment, Atheral and its customers aren't a
>> cause of
>> great concern.
>> 
>> Lastly, thanks Nathan for the nice words about our test tool.
>> 
>> David Frankel
>> ZipDXR LLC
>> St. George, UT USA
>> 
>> -----Original Message-----
>> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Nathan
>> Anderson
>> via VoiceOps
>> Sent: Wednesday, July 12, 2023 4:21 PM
>> To: 'Voice Ops' <voiceops at voiceops.org>
>> Subject: Re: [VoiceOps] Update on STIR/SHAKEN
>> 
>> Personally, I'm quite curious to know how the ITG would even be
>> identifying
>> these companies as being distinct from the wholesaler, at least
>> without a
>> traceback request for an actual violation, where the investigation
>> (that the
>> wholesaler would likely be not only cooperative with but actively
>> involved
>> in) eventually revealed that all of the violations were originating
>> from one
>> particular customer of theirs. But sans any violations to look
>> into...how
>> would they know?
>> 
>> In particular, when asking these questions, what I specifically have
>> in mind
>> are wholesalers not like VI/Sangoma et al., but more like e.g.
>> https://atheral.com/, which carries traffic for a bunch of smaller
>> regional
>> ISPs that want to offer VoIP but don't want any of the headaches
>> associated
>> with doing so. So most of them I presume literally own no
>> infrastructure of
>> their own...no softswitch, no SBC, no nothing. They might be 499
>> filers,
>> but that's likely the extent of their direct regulatory involvement.
>> 
>> I believe Daniel might be hanging around on this list, so perhaps he
>> can
>> shed some light on how they have been advised to approach this
>> (whether they
>> are signing all calls with their own SHAKEN cert/key, or whether
>> they can
>> host SHAKEN certs owned by their customers and sign the end-users of
>> that
>> customer's calls with that customer's own cert, or a mix of both).
>> 
>> -- Nathan
>> 
>> -----Original Message-----
>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
>> Mary Lou
>> Carey via VoiceOps
>> Sent: Wednesday, July 12, 2023 1:29 PM
>> To: voiceops at voiceops.org
>> Subject: [VoiceOps] Update on STIR/SHAKEN
>> 
>> I spoke with my FCC contact today and was told to read the last
>> order issued
>> in March so his response wasn't crystal clear. He said the FCC is
>> still in
>> the process of deciding which types of companies can sign with a
>> third-party
>> vendor's token and which ones can't.
>> 
>> I told him my concern is that the ITG is going to start blocking
>> traffic in
>> August and companies won't know that they aren't compliant because
>> their
>> wholesale provider told them they were fine. I specifically asked,
>> "If the
>> ITG decides a company should have had its own token, will you give
>> them time
>> to get one?" He said they have a process for handling these issues,
>> but he
>> didn't come out and say "Yes" so here's what I would suggest since
>> the
>> process can sometimes take longer than the 30 days they give you to
>> comply.
>> 
>> If you are using a third-party provider whose signing with their
>> token.
>> At least complete the preliminary steps to qualify for your own
>> STIR/SHAKEN
>> token. That way if they do come to you and tell you that you need to
>> get it
>> on a moment's notice, you won't be fighting the clock so much. The
>> pre-requisites for filing with the STI-PA to become an approved
>> carrier are:
>> 
>> 1. Order your own OCN (aka company code from NECA) IPES is the
>> correct type
>> for all VOIP carriers 2. Have your 499 up to date and fees paid. If
>> you've
>> never filed a 499A yet, get your 499 filer ID and submit your first
>> 499-A.
>> (All carriers delivering long-distance traffic in the US should have
>> already
>> completed this step anyways).
>> 3. Robocall Mitigation Plan filed.
>> 
>> There are multiple companies helping carriers get their STIR/SHAKEN
>> certificate, so it doesn't matter if you use my services or anyone
>> else's. I
>> just want to make sure everyone is aware of what they need to do to
>> make
>> sure their traffic doesn't get blocked because thats a lot harder to
>> fix
>> than getting a certificate/token is!
>> 
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> 
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> 
>> Nathan Anderson via VoiceOps
>> July 12, 2023 at 4:20 PM
>> 
>> Personally, I'm quite curious to know how the ITG would even be
>> identifying these companies as being distinct from the wholesaler,
>> at least without a traceback request for an actual violation, where
>> the investigation (that the wholesaler would likely be not only
>> cooperative with but actively involved in) eventually revealed that
>> all of the violations were originating from one particular customer
>> of theirs. But sans any violations to look into...how would they
>> know?
>> 
>> In particular, when asking these questions, what I specifically have
>> in mind are wholesalers not like VI/Sangoma et al., but more like
>> e.g. https://atheral.com/, which carries traffic for a bunch of
>> smaller regional ISPs that want to offer VoIP but don't want any of
>> the headaches associated with doing so. So most of them I presume
>> literally own no infrastructure of their own...no softswitch, no
>> SBC, no nothing. They might be 499 filers, but that's likely the
>> extent of their direct regulatory involvement.
>> 
>> I believe Daniel might be hanging around on this list, so perhaps he
>> can shed some light on how they have been advised to approach this
>> (whether they are signing all calls with their own SHAKEN cert/key,
>> or whether they can host SHAKEN certs owned by their customers and
>> sign the end-users of that customer's calls with that customer's own
>> cert, or a mix of both).
>> 
>> -- Nathan
>> 
>> -----Original Message-----
>> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of
>> Mary Lou Carey via VoiceOps
>> Sent: Wednesday, July 12, 2023 1:29 PM
>> To: voiceops at voiceops.org
>> Subject: [VoiceOps] Update on STIR/SHAKEN
>> 
>> I spoke with my FCC contact today and was told to read the last
>> order
>> issued in March so his response wasn't crystal clear. He said the
>> FCC is
>> still in the process of deciding which types of companies can sign
>> with
>> a third-party vendor's token and which ones can't.
>> 
>> I told him my concern is that the ITG is going to start blocking
>> traffic
>> in August and companies won't know that they aren't compliant
>> because
>> their wholesale provider told them they were fine. I specifically
>> asked,
>> "If the ITG decides a company should have had its own token, will
>> you
>> give them time to get one?" He said they have a process for handling
>> 
>> these issues, but he didn't come out and say "Yes" so here's what I
>> would suggest since the process can sometimes take longer than the
>> 30
>> days they give you to comply.
>> 
>> If you are using a third-party provider whose signing with their
>> token.
>> At least complete the preliminary steps to qualify for your own
>> STIR/SHAKEN token. That way if they do come to you and tell you that
>> you
>> need to get it on a moment's notice, you won't be fighting the clock
>> so
>> much. The pre-requisites for filing with the STI-PA to become an
>> approved carrier are:
>> 
>> 1. Order your own OCN (aka company code from NECA) IPES is the
>> correct
>> type for all VOIP carriers
>> 2. Have your 499 up to date and fees paid. If you've never filed a
>> 499A
>> yet, get your 499 filer ID and submit your first 499-A. (All
>> carriers
>> delivering long-distance traffic in the US should have already
>> completed
>> this step anyways).
>> 3. Robocall Mitigation Plan filed.
>> 
>> There are multiple companies helping carriers get their STIR/SHAKEN
>> certificate, so it doesn't matter if you use my services or anyone
>> else's. I just want to make sure everyone is aware of what they need
>> to
>> do to make sure their traffic doesn't get blocked because thats a
>> lot
>> harder to fix than getting a certificate/token is!
>> 
>> MARY LOU CAREY
>> BackUP Telecom Consulting
>> Office: 615-791-9969
>> Cell: 615-796-1111
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
> 
> 
> 
> Links:
> ------
> [1] https://atheral.com
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NPAC SPID Naming Reference.pdf
Type: application/pdf
Size: 103687 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20230713/2efd06a0/attachment-0001.pdf>