nanog mailing list archives

Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC


From: Peter Beckman <beckman () angryox com>
Date: Thu, 11 Jul 2019 14:57:28 -0400

On Thu, 11 Jul 2019, Ross Tajvar wrote:

> What if you use different carriers for termination and origination? How
> does your termination carrier validate that your origination carrier has
> allocated certain numbers to you and that you're therefore allowed to make
> outbound calls with a caller ID set to those numbers? That doesn't sound to
> me like something that can be solved as quickly and easily as you imply.

 I attended the first panel at the FCC and Scott Mullen, CTO at Bandwidth,
 was the only one that brought up issues that are not addressed by
 implementing STIR/SHAKEN.

    1. There's no delegation -- there is no standardized means of telling
       anyone who is the End User of a specific TN.

    2. Self-signed certs are being used so far, which means that you need
       to establish trust in a full mesh in order for STIR/SHAKEN to be of any
       value. Not feasible, definitely fragile. This could be addressed
       using a Public Cert Authority.

    3. Relies 100% on your trust of the initial carrier to properly set the
       Attestation level on the call.

    4. Does not cover if the call is received with a STIR/SHAKEN header to
       a termination provider with Full Attestation that turns out to be a
       lie.

    5. Does not actually verify that the CallerID is really the EU
       generating the call. For Wireless Carriers it can, since calls are
       both received and placed by the same carrier in most cases, but what
       about roaming? Is Three UK going to implement STIR/SHAKEN or will it
       occur at Verizon's edge? How do any of us know that the Identity:
       header was added at the first point of origin?

 All STIR/SHAKEN is doing is adding an Identity: header to the SIP payload
 that one can use to verify that a carrier signed the call at some point.
 Some carriers may be trustworthy, some may blindly add Full Attestation
 for a termination customer that has a nice mix of legit and spoofed calls.

 There is still no connection between the End User of a phone number and
 the call itself. And there's no way for me as a carrier to check to see if
 a phone number should only originate from specific networks or not. Even
 if it is signed, I know nothing more than I do now about the legitimacy of
 the call.

 Argh.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman () angryox com                                 http://www.angryox.com/
---------------------------------------------------------------------------
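
Added example, not part of the original message: a Python sketch that decodes the PASSporT carried in a SIP Identity: header (RFC 8224/8225 layout with the SHAKEN "attest" and "origid" claims) and reports what a terminating carrier can read from it. The sample header, phone numbers, certificate URL and the 60-second freshness window are constructed assumptions, and ES256 signature verification against the x5u certificate is deliberately left out because it needs a crypto library.

```python
import base64, json

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims, params."""
    token, *params = [p.strip() for p in value.split(";")]
    info = dict(p.split("=", 1) for p in params)
    h, p, sig = token.split(".")
    return json.loads(b64d(h)), json.loads(b64d(p)), info, sig

def assess(value, from_tn, now, max_age=60):
    """Structural checks only; max_age is an assumed freshness window."""
    header, claims, info, _sig = parse_identity(value)
    problems = []
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken":
        problems.append("not a SHAKEN PASSporT")
    if info.get("info", "").strip("<>") != header.get("x5u"):
        problems.append("info parameter and x5u disagree")
    if abs(now - claims.get("iat", 0)) > max_age:
        problems.append("stale iat (possible replay)")
    if claims.get("orig", {}).get("tn") != from_tn:
        problems.append("orig.tn does not match the From number")
    # 'attest' is whatever the signing carrier chose to assert. Nothing in
    # the token names the end user or the network the number belongs to.
    return {"signer_cert_url": header.get("x5u"), "attest": claims.get("attest"),
            "origid": claims.get("origid"), "problems": problems}

def build_sample(attest, orig_tn, iat):
    """Constructed Identity header value with a placeholder signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000001"}
    enc = lambda o: b64e(json.dumps(o, separators=(",", ":")).encode())
    token = ".".join([enc(header), enc(claims), b64e(b"constructed-placeholder")])
    return token + ";info=<https://cert.example.net/sp.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    sample = build_sample("A", "12025550100", 1562871448)
    print(assess(sample, "12025550100", now=1562871450))
    print(assess(sample, "12025550199", now=1562871448 + 3600))
```
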

