when we did DKIM back in the day, almost nobody was requiring SMTP auth which meant the providers could say "blame me" via the DKIM signature, but couldn't really take much action since they didn't know who was doing it. we sort of took a leap of faith that that would happen.  nowadays, almost everybody requires SMTP auth (and tls, ...) afaik. i have no idea whether DKIM was in any way a motivating factor, but it did happen in the meantime.

i know the parallels here are not exact (is it really PRIs that are the source of most of the spam?), but it's maybe a little premature to completely write off the providers for doing the Right Thing. putting the "blame me" badge on might give them some incentive to clean up their act. as with email spam, there is no silver bullet of course.

fwiw, the stir/shaken problem statement is a good read.

https://datatracker.ietf.org/doc/rfc7340/

Mike

On 7/8/19 2:53 PM, Peter Beckman wrote:
Summary:

SHAKEN/STIR does nothing but sign a call by a carrier that can be verified by another carrier that they signed it. It does nothing to stem Robocalls.

Discussion:

All SHAKEN/STIR does is have the originating carrier of a call
cryptographically attest, to some degree, that the call originated from
their network.

One example given was that SHAKEN/STIR can verify that it is really the IRS
calling.

But that would require knowledge of which carrier currently serves the IRS,
and that the IRS use that same carrier for both inbound AND outbound
calling, and that the carrier publishes some record that it is the carrier
of record for the given phone number. THIS DOES NOT EXIST in SHAKEN/STIR.

If Carrier A is taking calls from a spammer and implements SHAKEN/STIR, and their termination Carrier B has also implemented SHAKEN/STIR verification and trusts Carrier A's certificate, all that occurs is that Carrier A says
"this call is trustworthy" and Carrier B verifies that Carrier A said so
and completes the call.

Carrier A can lie all they want, as they do now, providing a false "Full
Attestation" that the "service provider has authenticated the calling party
and they are authorized to use the calling number." But there's no proof
that they are telling the truth, and no way for any other intermediate
carrier to verify anything other than the originating carrier.

Now if Carrier B decides not to trust Carrier A anymore, they can stop
trusting their cert and drop calls. Which Carrier B can do today by
terminating the relationship with Carrier A.

I still don't see how this will stop CallerID spoofing or Robocalls.
Carrier B can block Carrier A at any time. Carrier A can attest that any
call originating from it is authorized to use that number. Plus then
there's a ton of intermediates that aren't even addressed here. Do all the intermediates also need to implement SHAKEN/STIR such that the SIP Identity
header is passed on to the next leg? If the intermediate drops the header,
does the call fail?

And spammers already use real, leased phone numbers for Robocalls. We
had a client come to us who wanted 5,000 new/different and not recycled
phone numbers across the US each month. When prompted about how they'd be
used, they just needed inbound calls and SMS messages routed to their
switch hosted at a cloud provider, outbound calls would be made through
another carrier.

With SHAKEN/STIR, these calls would show up as "Authenticated" as the
client could tell their Carrier C that these 5,000 phone numbers were
theirs, and Carrier C could do a "Full Attestation" SIP Identity header and
the spam calls would show up as "Verified." But still Robocalls, just
Verified Robocalls.

We declined to do business with this client.

In summary, SHAKEN/STIR seems to do nothing but be some extra technical
work.

Please correct me if I'm missing a key piece of this.

I'm in DC, I'm going to try to attend this summit.

https://transnexus.com/whitepapers/understanding-stir-shaken/

Beckman

On Mon, 8 Jul 2019, Jay R. Ashworth wrote:

----- Original Message -----
From: "Sean Donelan" <s...@donelan.com>

I don't think SHAKEN/STIR really addresses the root problems with
spoofing phone numbers, anymore than any of the BGP proposals for spoofing
IP addresses.

Nevertheless, the FCC wants to be seen as doing something.  So Chairman
Pai is having a summit to show all the progress.

On Thursday, July 11, 2019, FCC Chairman Ajit Pai will convene a summit
focused on the industry’s implementation of SHAKEN/STIR, a caller ID
authentication framework to combat illegal robocalls and caller ID
spoofing.  Chairman Pai expects major voice service providers to deploy
the SHAKEN/STIR framework this year.   The summit will showcase the
progress that major providers have made toward reaching that goal and
provide an opportunity to identify any challenges to implementation and
how best to overcome them.

Well, y'know, it's been 10 years since I originated calls to LD carriers.

But when I did, 3 of my carriers (VZN and 2 LDs) trapped outgoing calls
that weren't for 10D calling numbers *they had assigned us* (and hence I
had to work that out with them to prove that *someone* had)...

And the other 2 didn't give a crap.  I could send them anything -- even calls
with CNID that wasn't a valid NANP address (4th digit 1, frex).

Since nearly all of this is being originated over PRIs to LD carriers, right; maybe if the FCC just threatened the LD carriers who do not do the calling number legitimacy enforcement the regs (I think) already require them to do...?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name! +1 727 647 1274


---------------------------------------------------------------------------
Peter Beckman Internet Guy
beck...@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
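The sign-then-verify step Beckman describes above, as an added example that is not part of this thread: a minimal model of a SHAKEN PASSporT (RFC 8225/8588 layout) carried in a SIP Identity header, with the originating carrier choosing the attestation level and the terminating carrier checking only the signature. Keys, URLs, phone numbers and origid are constructed, and HMAC-SHA256 stands in for the real ES256 certificate signature so the code runs with the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed demo keys. Real SHAKEN uses ES256 certificates fetched from the
# token's x5u URL; HMAC-SHA256 stands in so this runs with only the stdlib.
CARRIER_A_KEY = b"demo-key-carrier-A"
CARRIER_B_TRUSTS = {"https://a.example.invalid/cert.pem": CARRIER_A_KEY}  # B "trusts A's cert"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def compact(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def sign_passport(orig_tn, dest_tn, attest, origid, x5u, key, iat=1562615580):
    """Originating carrier builds and signs a SHAKEN PASSporT (RFC 8225/8588 layout).
    The 'attest' level (A = Full, B = Partial, C = Gateway) is whatever it chooses to claim."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    token = signing_input + "." + b64url(sig)
    return f"{token};info=<{x5u}>;alg=HS256;ppt=shaken"   # SIP Identity header value

def verify_identity(identity, trusted):
    """Terminating carrier's check. Returns (verstat, attest, orig_tn).
    It establishes two things only: the header arrived intact and a trusted carrier
    signed it. Whether orig_tn really belongs to the caller is never checked here."""
    if identity is None:
        return ("No-TN-Validation", None, None)   # header never added, or stripped in transit
    token, *params = identity.split(";")
    x5u = dict(p.split("=", 1) for p in params).get("info", "").strip("<>")
    key = trusted.get(x5u)
    if key is None:
        return ("TN-Validation-Failed", None, None)   # unknown or untrusted originating carrier
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return ("TN-Validation-Failed", None, None)   # tampered, or signed by the wrong key
    payload = json.loads(b64url_decode(p))
    return ("TN-Validation-Passed", payload["attest"], payload["orig"]["tn"])

if __name__ == "__main__":
    # Carrier A asserts Full Attestation for a number its customer merely claimed to own.
    ident = sign_passport("12025550100", "12125550199", "A", "de305d54",
                          "https://a.example.invalid/cert.pem", CARRIER_A_KEY)
    print(verify_identity(ident, CARRIER_B_TRUSTS))   # Passed, 'A': proves only that A said so
    print(verify_identity(None, CARRIER_B_TRUSTS))    # header dropped by an intermediate
```

A "TN-Validation-Passed" result with attestation "A" is exactly what the thread calls a Verified Robocall: the check confirms the signer, not the claim.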
