<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Black";
panose-1:2 11 10 4 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Mark,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Agreed. I guess it comes down to how to decide who the originating carrier is that should be doing the attestation.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As an intermediate carrier, Bandwidth should just pass through whatever Identity header they get; but if there is no Identity header (stripped header, TDM link in the path, originating carrier not attesting, etc.) then the only assumption
they can make is that the partner originated the call (even if they didn’t) and ‘B’ is the only proper attestation they can apply.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bandwidth making the assumption that they are an intermediate carrier (and the unattested calls came from some other (non-partner) service provider) isn’t a reasonable assumption.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">David<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Mark Lindsey <lindsey@e-c-group.com> <br>
<b>Sent:</b> Tuesday, July 5, 2022 10:16 AM<br>
<b>To:</b> Zilk, David <David.Zilk@cdk.com>; voiceops@voiceops.org<br>
<b>Subject:</b> Re: [VoiceOps] [EXTERNAL] Identity Header Test Tool<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">The primary problem to fix, in this scenario, is that Term Provider 2 is stripping the Identity header, and therefore violating <a href="https://www.ecfr.gov/current/title-47/chapter-I/subchapter-B/part-64/subpart-HH/section-64.6302">47
CFR § 64.6302(a)</a>. So many engineers have configured SBCs to strip every header except the handful they want to carry, but
<i>Identity</i> needs to be added to those lists.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The secondary problem to fix is that <a href="https://www.ecfr.gov/current/title-47/chapter-I/subchapter-B/part-64/subpart-HH/section-64.6302">47
CFR § 64.6302(b)</a> allows intermediate providers to legally opt out of STIR/SHAKEN in any practical fashion. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am speculating in the example call flow shown below, but I wouldn't see Bandwidth's behavior as a key problem. The ATIS destination of the C-level attestation is for a situation that, like flying pigs, doesn't appear to occur anywhere
in reality. Nobody just accepts SIP traffic from random, anonymous sources for termination. I'm glad Bandwidth is adding the attestation that it can add.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B">Mark R Lindsey<span class="apple-converted-space"> </span></span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><span class="apple-converted-space"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> </span></b></span><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B">SMTS </span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> +1-229-316-0013 </span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> </span></b><a href="mailto:mark@ecg.co"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif">mark@ecg.co</span></b></a><span style="color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><a href="https://ecg.co/lindsey/schedule"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">Schedule
a meeting</span></a><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#18498B"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 5, 2022, at 13:01, Zilk, David <<a href="mailto:David.Zilk@cdk.com">David.Zilk@cdk.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">If that is the case, a scammer that should be either attested C, or not attested at all can game the system and upgrade their calls to any customer of Bandwidth to B. Granted, B attestation isn’t much better than nothing, but still it violates
both the intent and the letter of the law.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">David Zilk<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">CDK Global/IP Networked Services<span class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>Mark Lindsey <<a href="mailto:lindsey@e-c-group.com">lindsey@e-c-group.com</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Tuesday, July 5, 2022 9:58 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Zilk, David <<a href="mailto:David.Zilk@cdk.com">David.Zilk@cdk.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [VoiceOps] [EXTERNAL] Identity Header Test Tool<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I expect Bandwidth is attesting that they know the identity of the SIP trunking provider that sent your call to Bandwidth. <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<blockquote style="margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">CDK Global -> [term provider 1] -> [term provider 2, Strips Identity Header] -> [term provider 3] -> [<a href="http://Bandwidth.com">Bandwidth.com</a>]<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">...And <a href="https://www.bandwidth.com/blog/abcs-of-attestation-and-analytics/">term
provider 3 is a customer of Bandwidth.com.</a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B">Mark R Lindsey<span class="apple-converted-space"> </span></span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><span class="apple-converted-space"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> </span></b></span><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B">SMTS </span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> +1-229-316-0013 </span></b><b><span style="font-size:13.5pt;font-family:"Arial Black",sans-serif;color:#18498B">|</span></b><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif;color:#18498B"> </span></b><a href="mailto:mark@ecg.co"><b><span style="font-size:7.5pt;font-family:"Arial Black",sans-serif">mark@ecg.co</span></b></a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><a href="https://ecg.co/lindsey/schedule"><span style="font-size:7.5pt;font-family:"Arial",sans-serif">Schedule
a meeting</span></a><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#18498B"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">On Jul 5, 2022, at 12:19, Zilk, David <<a href="mailto:David.Zilk@cdk.com">David.Zilk@cdk.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">I am getting results from a test to the Bandwidth number that are confusing. It appears that our Identity header is not making it through to them; however, the call does have an Identity header, certified by Bandwidth, with B attestation.
This is odd as we don't have any direct business relationship with Bandwidth. How can they claim B attestation?<br>
<br>
David Zilk<br>
CDK Global/IP Networked Services<br>
<br>
-----Original Message-----<br>
From: VoiceOps <<a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>> On Behalf Of David Frankel<br>
Sent: Sunday, July 3, 2022 8:05 AM<br>
To:<span class="apple-converted-space"> </span><a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
Subject: [EXTERNAL] [VoiceOps] Identity Header Test Tool<br>
<br>
Last week I was forwarded a note from this list regarding tools to test and debug SHAKEN Identity headers. That prompted us to stitch together some modules we already had in an attempt to help.<br>
<br>
What we have is at<span class="apple-converted-space"> </span><a href="http://identity.legalcallsonly.org">http://identity.legalcallsonly.org</a>.
You can call one of the test numbers listed on that page, and if we receive your header, we'll read you a six-digit code. Disconnect and then plug the code into the box on the web form, and we'll show you details of that Identity header.<br>
<br>
Perhaps most importantly, you'll be able to see if the header we received is the one you sent. In addition, we parse the header and try to tell you if it is correctly formatted and valid.<br>
<br>
Currently we have a couple of geographic DIDs and three toll-free numbers (each using different underlying providers). So far we aren't having a lot of success getting the Identity headers on the TFNs; we're working to improve that.<br>
<br>
Suggestions welcome. We hope the tool provokes more discussion about best practices regarding making the Authentication Framework as functional and useful as possible.<br>
<br>
Happy 4th of July!<br>
<br>
David Frankel<br>
ZipDX LLC<br>
St. George, UT USA<br>
<br>
<br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
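<p class="MsoNormal">The check discussed in this thread (is the Identity header that arrived the one that was sent, or was it stripped and replaced downstream with a different attestation?) can be sketched as follows. This is an added example, not code from the thread or from the test tool it mentions. The function names, certificate URLs, telephone numbers and origid are constructed placeholders, and the PASSporT signature is not verified.</p>
<pre>
```python
import base64
import json

def _b64url(data):
    # PASSporT segments are unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_identity(attest, x5u, orig_tn, dest_tn, origid):
    """Build a CONSTRUCTED Identity value; the signature is a placeholder."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    body = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": 1657040000,
            "orig": {"tn": orig_tn}, "origid": origid}
    token = ".".join([_b64url(json.dumps(head).encode()),
                      _b64url(json.dumps(body).encode()), "c2lnbmF0dXJl"])
    return token + ";info=<" + x5u + ">;alg=ES256;ppt=shaken"

def parse_identity(value):
    """Return claims plus a list of format problems (no signature check)."""
    token, *params = [p.strip() for p in value.split(";")]
    fields = dict(p.split("=", 1) for p in params if "=" in p)
    head_b64, body_b64, _sig = token.split(".")
    head, body = json.loads(_unb64url(head_b64)), json.loads(_unb64url(body_b64))
    problems = []
    if head.get("alg") != "ES256" or head.get("ppt") != "shaken":
        problems.append("JOSE header is not ES256/shaken")
    if fields.get("info", "").strip("<>") != head.get("x5u"):
        problems.append("info parameter does not match x5u")
    if body.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    return {"attest": body.get("attest"), "x5u": head.get("x5u"),
            "orig": body.get("orig", {}).get("tn"), "problems": problems}

def compare(sent, received):
    """Classify what happened to the Identity header between sender and tool."""
    if not received:
        return "stripped in transit: no Identity header received"
    if received.split(";")[0] == sent.split(";")[0]:
        return "passed through unchanged"
    got, ours = parse_identity(received), parse_identity(sent)
    return ("replaced: sent attest %s via %s, received attest %s via %s"
            % (ours["attest"], ours["x5u"], got["attest"], got["x5u"]))

# Constructed sample: the originator signs A, a downstream provider re-signs B.
CALL = ("12025550100", "12025550199", "00000000-0000-4000-8000-000000000001")
SENT = make_identity("A", "https://certs.example.com/originator.pem", *CALL)
RECEIVED = make_identity("B", "https://certs.example.net/downstream.pem", *CALL)
print(compare(SENT, RECEIVED))
```
</pre>
<p class="MsoNormal">A "replaced" result with a different x5u and a lower attestation is the pattern reported in the oldest message of the thread: the sender's header was lost upstream and a later provider signed its own.</p>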
</div>
</body>
</html>