SITR/SHAKEN implementation in effect today (June 30 2021)

K. Scott Helms kscott.helms at
Fri Jul 9 22:32:16 UTC 2021

On Fri, Jul 9, 2021 at 4:47 PM Michael Thomas <mike at> wrote:

> On 7/9/21 1:36 PM, K. Scott Helms wrote:
> > Nothing will change immediately.  Having said that, I do expect that
> > we will see much more effective enforcement. The investigations will
> > come from the ITG (Industry Traceback Group) with enforcement
> > coming from FCC or FTC depending on the actual offense.  The problem
> > has been that it's been far too easy for robocalling companies to hop
> > from one telecom provider to another.  Now there are requirements
> > around "know your customer" that telecom operators have to follow and
> > the ITG will have a much better chance of figuring out who the bad
> > actor is than they have in the past.
> The thing is that that shouldn't have been held up by rolling out STIR.
> With email, there was nothing akin to the FCC so it was really the only
> name-and-shame stick we had. This could have been done years ago.

It wouldn't work the same and I say that as someone who ran email for ISPs
for decades and just got done with a STIR/SHAKEN implementation.  There's
far more money in robocalls than there ever has been in spam.  The other
thing is that the technologies are fundamentally different.  Don't get me
wrong, there are parallels, but comparing email to the various flavors of
telephony (POTS, SIP, MGCP, H.323, etc) isn't all that useful because
they're so different.  When I get an email as a provider I can always
figure out the path it took to get to me.  The same is not at all true for
a call, though I can trace it to a degree via the CDRs from carriers I work
with.  Much of the call path will be opaque and often in the case of
robocallers it's intentionally so.  Number porting is another (big)
difference.  We could always choose to forward email for a customer who
left our service, but imagine if email literally let that person take their
address with them regardless of who was providing the hosting for the email.

> > Longer term I worry that this will lead to more attacks on PBXs,
> > eSBCs, and VOIP handsets to be able to call either from that endpoint
> > itself or be able to use the SIP credentials. The market for robocalls
> > will certainly not disappear.
> >
> A meta question that really needs to be asked these days is why we even
> need telco telephony anymore. A lot of problems go away if you are not
> in thrall to 100 year old technology and its accreted kruft.

Robocalls really aren't a product of the legacy PSTN.  Today almost none of
them originate from anywhere but VOIP.  Now, you can certainly say that if
SS7 had robust authentication mechanisms that we could then trust caller ID
(more) but there's no sign of us abandoning the PSTN anytime soon.  Having
said that, there's any number of protocols we rely on today that have the
exact same gap.  BGP is arguably even worse than SS7.

tl;dr You can no more get rid of telephone companies than you can get rid
of ISPs.

> Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list