STIR/SHAKEN Out-of-Band Call Placement Service

TransNexus operates an STI-CPS (Call Placement Service) for use with Out-of-Band SHAKEN. The STI-CPS enables SHAKEN-authorized providers that rely on non-IP networks or interconnects to exchange STI PASSporTs so that SHAKEN information is preserved when calls transit non-IP barriers.

The TransNexus STI-CPS is available at no charge to any service provider that signs its CPS requests with a valid, unrevoked STI certificate that chains up to an approved STI-CA root certificate.

Our STI-CPS is designed per ATIS-1000096. The system provides three API endpoints:

  • Health check – verify that the STI-CPS is available.
  • Publish – put PASSporTs in the STI-CPS so they are available to other providers for about 5-15 seconds, after which they are automatically deleted.
  • Retrieve – fetch PASSporTs from the STI-CPS.

PASSporTs are indexed in the STI-CPS by the calling and called number referenced in the STI PASSporT. The retrieve function requires this information to fetch the PASSporTs.

Neither TransNexus nor any other entity has visibility into the contents of the TransNexus STI-CPS. We cannot monitor which providers are using it or what kind of calls they are placing. The only way to get information out of the STI-CPS is with the retrieve API call, which requires the calling and called number and a signature with a valid SHAKEN certificate.

Architecture

TransNexus Call Placement Service

Figure 1. TransNexus STI-CPS Architecture

Although the architecture diagram in Figure 1 may seem daunting, it’s a straightforward system. The diagram looks complex because there are so many boxes. However, there are only a few component types, with multiple instances of each for high performance, scalability, and resilience:

  • Global Anycast Network announces the TransNexus STI-CPS to network edge locations around the world.
    • This enables your SHAKEN system to communicate with the CPS at a network endpoint that is as close to your system as possible.
  • TCP load balancers distribute the traffic efficiently among the data centers for maximum performance.
  • Web Application Firewalls monitor network activity to detect and mitigate malicious traffic in real-time.
  • HTTP Load Balancers distribute traffic to web servers for maximum efficiency and performance.
  • Web Servers run the STI-CPS software to provide the health check, publish, and retrieve API endpoints.
  • Redis Nodes provide a high-performance database to store PASSporTs in the STI-CPS.

These components are distributed across geographical data centers for maximum performance and reliability. The system is highly scalable—components can be quickly added as needed to handle heavy traffic.

We have load-tested this architecture with heavy bursts of traffic and observed no loss of performance. We have been operating this STI-CPS for almost four years now with no downtime.

The TransNexus STI-CPS supports IPv6 (and IPv4).

Out-of-Band Service

Communication with the STI-CPS requires additional functionality in a STIR/SHAKEN system. In the ATIS standards document, this functionality is called the STI-OOBS (Out-of-Band Service).

The STI-OOBS takes information available in the STI-AS (Authentication Service) or STI-VS (Verification Service) and uses it to construct an HTTP message that is sent to the STI-CPS.

We expect that STIR/SHAKEN software developers will likely add STI-OOBS functionality to STI-AS and STI-VS software. However, some might prefer to deploy it as a separate program called by the STI-AS and STI-VS programs.

We have shared sample code for an STI-OOBS on GitHub. This script demonstrates the publish and retrieve functions. The source code will give developers a working example to learn how they can add STI-OOBS functionality to their STIR/SHAKEN systems.

This sample program is only 129 lines long, including code to generate a test PASSporT that would not be present in production code. This illustrates that creating STI-OOBS functionality is not a large, complex software development effort.

TransNexus STI-CPS benefits

  • Enables providers that rely on non-IP networks or interconnects to exchange call authentication information using Out-of-Band.
    • This will greatly expand call authentication information available across the SHAKEN ecosystem.
  • The TransNexus STI-CPS uses scalable architecture for maximum performance and resiliency.
  • The TransNexus STI-CPS is available to authorized SHAKEN providers at no charge.

More information

spheres in a network

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.