About to STIR the Pot- STIR/SHAKEN With Telcos
So how about those "Do Not Call Lists"?


About to STIR the Pot – SHAKEN/STIR and the Future?

I was this close to using a “SHAKEN Not STIRRED” pun for a title, until I realized every blog and think piece had beaten me to the punch. Liberal use of puns aside, the landscape of the relatively new STIR and SHAKEN protocols and implementations seems to be ready for its next phase... So, I wanted to really give myself a primer and study just what it is, and why we need it... So just like when I discussed STUN and TURN, the alphabet soup bowls should be at the ready.

Background:

Nothing quite annoys me (and I suspect I am not alone here) as a robocall. There is that really good speech I’m giving, passionate, and suddenly my phone goes off...or I’m in the middle of a good run, listening to some music, really feeling my stride....and my phone rings, killing the vibe. Robocalls are going from an annoying nuisance to potentially dangerous when information can be phished from people who are unaware of how information is sold, spread, and used. Before STIR/SHAKEN was rolled out we had the FTC's Do Not Call list...that is a screen door on a battleship.

Well, as it turns out, the FCC (politely prompted by Congress and voters) said enough is enough with this interruption of people’s jogging and personal time. Back in 2018, the gauntlet was thrown to get the carriers of the US to adopt some method of stopping this. Oh, how optimistic we were.... Well, the carriers had to scramble to get something set up that would allow these dreaded robocalls to cease. With two bills, one from the Senate and one from the House, we eventually came away with the STIR-SHAKEN proposal.

The main summit was to really get the foundation of how this was to be tackled, and led to some key takeaways.

  • Carriers should be blocking robocalls by default, so subscribers shouldn’t have to opt in.
  • There will be 3 ‘levels’ of attestation from carriers, sort of like a ranking of how trusted the caller is: A, B, and C, with A and B being preferred.
  • The big thing, however, which is what I’ll be talking about because I’ve been working on something related to it, is the idea that these robocalls must have a caller ID displayed clearly to the end, called user.


The main concept here is to prevent call spoofing. Not necessarily to prevent robocalls...but rather to prevent the spoof’d ones. And here’s the real key... STIR/SHAKEN is not to prevent robocalls. It is to mitigate the spoofing of numbers to allow spam. From a legitimate business’s point of view, less spam and spoofing of numbers will increase people’s trust in someone who is calling. While this logic is still mired and, how should we say...’sketchy’, I can see the reasoning. Mitigate and stop the bad actors and that will allow people to regain confidence in the ‘good’ spammers, I mean advertisers.

Well, for what it is worth, the system still has quite a few holes to plug. So, the burden is on the carriers to set up, or interface with third-party, STIs (Secure Telephone Identity components). The most external of these, which the SBC will interface with, are the VS and AS servers, or Verification and Authentication servers. The Verizons, AT&Ts, and Sprints would be managing these, and when we get INVITEs that do not sport an Identity header, it is here where they are checked against. Now, deploying and managing an entire STIR/SHAKEN solution of servers may be above what the carriers would want to have to deal with, so there are third-party services that provide it, like the TURN/STUN services that TSPs can partner with. We at Nokia provide the VS and AS functionality in the CFX-5000, which the SBC sends the verification checks to.

So how does it work?

The attestation level is the heart of the process. Along with other details such as the calling and called numbers, it is encrypted and signed by the service provider and passed to the destination in a special SIP Identity header. On receiving the message, the destination carrier uses the SHAKEN (Secure Handling of Asserted information using toKENs) framework to verify the signature and, based on the outcome and other parameters, decide on an appropriate call treatment such as reject, continue, divert to voicemail or whatever fate should befall the spam.

When the inbound request is the initial INVITE/MESSAGE from the SBC core side, our SBC uses the received message to create the authentication HTTPS POST request. The following SIP headers are used: From, To, Origination-Id, Attestation-Info, Date. Once the authentication response is received, the Identity header is inserted into the SIP request and the call is continued.

One of the key things to remember is that because the request and answer are carried over HTTPS, you know what that means...a TLS certificate must join the ranks. A new interface also needs to be made in the IBCF table, and it must be enabled in the NGSS Parameters.

What I love about this approach (mandate...) is that it forces the big carriers to work together, pool their resources against a common foe. Now, I’m not naïve enough to think this is done for the common good of all humankind... In fact, as stated above, this was NOT done to remove robocalls, but rather to curb the spam and fraudulent calls. However, even though carriers had to be forced into this...and it does not really work to stop the actual immoral behavior of robocalls, but only to stop the fraudulent side of it...yes, despite all of that, I think it’s a huge step in the right direction.

When proposed there was a target goal date for carriers and suppliers to come to grips with the request and comply:


(Yay, we’re compliant.)

The Architecture:


Above we see the architecture when this is in play. The Nokia SBC, which uses its IBCF (Interconnect Border Control Function) to do all the HTTPS requests, is seen doing the communication with the STI-AS that is on the CFX. Likewise, the STI-VS could just as well live on the same CFX5000.

Here is a breakdown of the process along each step of the way when the SHAKEN and STIR protocols are enacted.

Below is provided by Transnexus.com:

  1. A SIP INVITE is received by the originating telephone service provider.
  2. The originating telephone service provider checks the call source and calling number to determine how to attest for the validity of the calling number.

      • Full Attestation (A) — The service provider has authenticated the calling party and they are authorized to use the calling number. An example of this case is a subscriber registered with the originating telephone service provider’s softswitch.
      • Partial Attestation (B) — The service provider has authenticated the call origination but cannot verify the call source is authorized to use the calling number. An example of this use case is a telephone number behind an enterprise PBX.
      • Gateway Attestation (C) — The service provider has authenticated from where it received the call but cannot authenticate the call source. An example of this case would be a call received from an international gateway.

  3. The originating telephone service provider uses the authentication service to create a SIP Identity header. The authentication service could be a third-party service hosted in the cloud, a software application integrated with the telephone service provider’s softswitch or the SBC+CFX. It checks for:

      • Calling number
      • Called number(s)
      • Current timestamp
      • Attestation level
      • Origination identifier

  4. The SIP INVITE with the newly added SIP Identity header is sent to the terminating telephone service provider.
  5. The SIP INVITE with Identity header is passed to the verification service.
  6. The verification service obtains the digital certificate of the originating telephone service provider from the public certificate repository and begins a multi-step verification process. If all verification steps are successful, then the calling number has not been spoofed.

      • The SIP Identity header is base64 URL decoded and the details are compared to the SIP INVITE message.
      • The public key of the certificate is used to verify the SIP Identity header signature.
      • The certificate chain of trust is verified.

  7. The verification service returns the results to the terminating service provider’s network.
  8. The terminating network can now act on the results as they see fit.
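
The first verification bullet above (base64 URL decode the Identity header and compare its details to the SIP INVITE), as an added Python example that is not from the original article or from Transnexus. It assumes the standard PASSporT claim names (`attest`, `orig`, `dest`, `iat`, `origid`), a 60-second freshness window, and constructed phone numbers and certificate URL; the signature and certificate-chain checks from the other two bullets are not performed here.

```python
import base64
import json

FRESHNESS_SECONDS = 60  # assumed freshness window for this example

def b64url_decode(segment: str) -> bytes:
    """Decode base64url text whose '=' padding was stripped, as in a JWT."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_identity(identity: str, from_tn: str, to_tn: str, date_epoch: int) -> list:
    """Return the claim mismatches found; an empty list means the claims match."""
    token = identity.split(";", 1)[0].strip()  # drop ;info= ;alg= ;ppt= parameters
    try:
        head_b64, body_b64, _signature = token.split(".")
        head = json.loads(b64url_decode(head_b64))
        body = json.loads(b64url_decode(body_b64))
        if not (isinstance(head, dict) and isinstance(body, dict)):
            raise ValueError("claims are not JSON objects")
    except ValueError:
        return ["malformed PASSporT"]
    problems = []
    if head.get("alg") != "ES256" or head.get("ppt") != "shaken":
        problems.append("unexpected alg/ppt")
    if not str(head.get("x5u", "")).startswith("https://"):
        problems.append("certificate URL is not https")
    if body.get("attest") not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if body.get("orig", {}).get("tn") != from_tn:
        problems.append("calling number differs from From")
    if to_tn not in body.get("dest", {}).get("tn", []):
        problems.append("called number differs from To")
    if abs(date_epoch - int(body.get("iat", 0))) > FRESHNESS_SECONDS:
        problems.append("stale timestamp")
    return problems

# Constructed sample: a PASSporT for a made-up call, with a placeholder signature.
SAMPLE_HEAD = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
               "x5u": "https://cert.example.org/sp.pem"}
SAMPLE_BODY = {"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": 1700000000,
               "orig": {"tn": "12155550112"}, "origid": "constructed-origid-0001"}
SAMPLE_IDENTITY = (f"{b64url_encode(SAMPLE_HEAD)}.{b64url_encode(SAMPLE_BODY)}.c2ln"
                   ";info=<https://cert.example.org/sp.pem>;alg=ES256;ppt=shaken")
```

An empty result only means the claims agree with the INVITE; a call should not be treated as verified until the signature and certificate chain have also been checked.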

So, I’m putting the pen down here! Why did I just take you through this odd but seemingly benevolent law and thus policy? Well, this Summer we seem to have an update to STIR/SHAKEN! Right now, just called ATIS-1000094, it seeks to expand and push the law further. A thorough background on the reason SHAKEN and STIR were needed and an overview of how they are implemented have been laid out. Next week I want to discuss what is new in the ATIS-1000094 proposition and what it means for telcos, and for the sake of our peace and quiet...Can we kiss robocalls goodbye come summer? No... I think, like the cockroach, they may be around, under the floorboard, for quite some time.
