SHAKEN/STIR Robocall Summit - July 11 2019 at FCC

Michael Thomas mike at mtcc.com
Tue Jul 9 00:08:24 UTC 2019


when we did DKIM back in the day, almost nobody was requiring SMTP auth 
which meant the providers could say "blame me" via the DKIM signature, 
but couldn't really take much action since they didn't know who was 
doing it. we sort of took a leap of faith that that would happen. 
nowadays, almost everybody requires SMTP auth (and tls, ...) afaik. i 
have no idea whether DKIM was in any way a motivating factor, but it did 
happen in the meantime.

i know the parallels here are not exact (is it really PRI's that are the 
source of most of the spam?), but it's maybe a little premature to 
completely write off the providers for doing the Right Thing. putting 
the "blame me" badge on might give them some incentive to clean up their 
act. as with email spam, there is no silver bullet of course.

fwiw, the stir/shaken problem statement is a good read.

https://datatracker.ietf.org/doc/rfc7340/

Mike

On 7/8/19 2:53 PM, Peter Beckman wrote:
> Summary:
>
> SHAKEN/STIR does nothing but sign a call by a carrier that can be verified
> by another carrier that they signed it. It does nothing to stem Robocalls.
>
> Discussion:
>
> All SHAKEN/STIR does is have the originating carrier of a call to
> cryptographically attest, to some degree, that the call originated from
> their network.
>
> One example given was that SHAKEN/STIR can verify that it is really the IRS
> calling.
>
> But that would require knowledge of which carrier currently serves the IRS,
> and that the IRS use that same carrier for both inbound AND outbound
> calling, and that the carrier publishes some record that it is the carrier
> of record for the given phone number. THIS DOES NOT EXIST in SHAKEN/STIR.
>
> If Carrier A is taking calls from a spammer and implements SHAKEN/STIR, and
> their termination Carrier B have also implemented SHAKEN/STIR verification
> and trusted Carrier A's certificate, all that occurs is that Carrier A says
> "this call is trustworthy" and Carrier B verifies that Carrier A said so
> and completes the call.
>
> Carrier A can lie all they want, as they do now, providing a false "Full
> Attestation" that the "service provider has authenticated the calling party
> and they are authorized to use the calling number." But there's no proof
> that they are telling the truth, and no way for any other intermediate
> carrier to verify anything other than the originating carrier.
>
> Now if Carrier B decides not to trust Carrier A anymore, they can stop
> trusting their cert and drop calls. Which Carrier B can do today by
> terminating the relationship with Carrier A.
>
> I still don't see how this will stop CallerID spoofing or Robocalls.
> Carrier B can block Carrier A at anytime. Carrier A can attest that any
> call originating from it is authorized to use that number. Plus then
> there's a ton of intermediates that aren't even addressed here. Do all the
> Intermediates also need to implement SHAKEN/STIR such that the SIP Identity
> header is passed onto the next leg? If the intermediate drops the header,
> does the call fail?
>
> And spammers already use real, leased phone numbers for Robocalls. We
> had a client come to us who wanted 5,000 new/different and not recycled
> phone numbers across the US each month. When prompted about how they'd be
> used, they just needed inbound calls and SMS messages routed to their
> switch hosted at a cloud provider, outbound calls would be made through
> another carrier.
>
> With SHAKEN/STIR, these calls would show up as "Authenticated" as the
> client could tell their Carrier C that these 5,000 phone numbers were
> theirs, and Carrier C could do a "Full Attestation" SIP Identity header and
> the spam calls would show up as "Verified." But still Robocalls, just
> Verified Robocalls.
>
> We declined to do business with this client.
>
> In summary, SHAKEN/STIR seems to do nothing but be some extra technical
> work.
>
> Please correct me if I'm missing a key piece of this.
>
> I'm in DC, I'm going to try to attend this summit.
>
> https://transnexus.com/whitepapers/understanding-stir-shaken/
>
> Beckman
>
> On Mon, 8 Jul 2019, Jay R. Ashworth wrote:
>
>> ----- Original Message -----
>>> From: "Sean Donelan" <sean at donelan.com>
>>
>>> I don't think SHAKEN/STIR really addresses the root problems with
>>> spoofing phone numbers, anymore than any of the BGP proposals for spoofing
>>> IP addresses.
>>>
>>> Nevertheless, the FCC wants to be seen as doing something.  So Chairman
>>> Pai is having a summit to show all the progress.
>>>
>>> On Thursday, July 11, 2019, FCC Chairman Ajit Pai will convene a summit
>>> focused on the industry’s implementation of SHAKEN/STIR, a caller ID
>>> authentication framework to combat illegal robocalls and caller ID
>>> spoofing.  Chairman Pai expects major voice service providers to deploy
>>> the SHAKEN/STIR framework this year.   The summit will showcase the
>>> progress that major providers have made toward reaching that goal and
>>> provide an opportunity to identify any challenges to implementation and
>>> how best to overcome them.
>>
>> Well, y'know, it's been 10 years since I originated calls to LD carriers.
>>
>> But when I did, 3 of my carriers (VZN and 2 LDs) trapped outgoing calls
>> that weren't for 10D calling numbers *they had assigned us* (and hence I
>> had to work that out with them to prove that *someone* had)...
>>
>> And the other 2 didn't give a crap.  I could send them anything -- even calls
>> with CNID that wasn't a valid NANP address (4th digit 1, frex).
>>
>> Since nearly all of this is being originated over PRIs to LD carriers, right;
>> maybe if the FCC just threatened the LD carriers who do not do the calling
>> number legitimacy enforcement the regs (I think) already require them to do...?
>>
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth                  Baylink jra at baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates       http://www.bcp38.info 2000 Land Rover DII
>> St Petersburg FL USA      BCP38: Ask For It By Name! +1 727 647 1274
>>
>
> --------------------------------------------------------------------------- 
>
> Peter Beckman Internet Guy
> beckman at angryox.com http://www.angryox.com/
> --------------------------------------------------------------------------- 
>
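
An added example, not part of the original thread or written by any of its participants: the claim checks a terminating carrier can apply to a SHAKEN PASSporT carried in the SIP Identity header, showing that the result reflects only which carrier signed and what it asserted. Signature and certificate-chain validation are assumed to have passed and are not shown; the certificate URL, phone numbers, timestamp and the allowlist of trusted certificate URLs (a stand-in for trusting a carrier's certificate) are constructed assumptions.

```python
import base64, json

CARRIER_A = "https://cert.carrier-a.example/sti.pem"  # hypothetical cert URL
NOW = 1562630904                                      # constructed timestamp

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def make_identity(attest, orig_tn, dest_tn, iat, x5u):
    """Constructed sample header; 'c2ln' is a placeholder, not a real signature."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-0000-0000-000000000000"}
    return f"{b64url(hdr)}.{b64url(claims)}.c2ln;info=<{x5u}>;alg=ES256;ppt=shaken"

def evaluate(identity, from_tn, to_tn, now, trusted_certs, max_age=60):
    """Claim checks only; assumes signature and cert chain already validated."""
    if not identity:
        return "no-identity"        # never signed, or dropped by an intermediate
    try:
        hdr_b64, claims_b64, _sig = identity.split(";", 1)[0].split(".")
        hdr, claims = unb64url(hdr_b64), unb64url(claims_b64)
    except ValueError:
        return "malformed"
    if hdr.get("ppt") != "shaken" or hdr.get("alg") != "ES256":
        return "unsupported"
    if hdr.get("x5u") not in trusted_certs:
        return "untrusted-signer"   # the verifier's lever: stop trusting the signer
    if abs(now - claims.get("iat", 0)) > max_age:
        return "stale"              # outside the freshness window (replay guard)
    if (claims.get("orig", {}).get("tn") != from_tn
            or to_tn not in claims.get("dest", {}).get("tn", [])):
        return "tn-mismatch"        # token was signed for a different call
    # Everything checkable has passed; the level itself is the signer's assertion.
    return "attest-" + str(claims.get("attest"))

def demo():
    frm, to = "12025550100", "17275550123"            # constructed numbers
    ident = make_identity("A", frm, to, NOW, CARRIER_A)
    return {
        "trusted": evaluate(ident, frm, to, NOW + 5, {CARRIER_A}),
        "dropped": evaluate(None, frm, to, NOW + 5, {CARRIER_A}),
        "distrusted": evaluate(ident, frm, to, NOW + 5, set()),
        "from_changed": evaluate(ident, "12025550199", to, NOW + 5, {CARRIER_A}),
    }
```

Nothing in `evaluate` can test whether the caller is actually entitled to the number: an "A" from a trusted signer yields `attest-A` whatever the truth behind it.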


