Another view on the STIR/SHAKEN timeline
The North American Numbering Council (NANC) issued their report to the Federal Communications Commission (FCC) on May 3 with a proposal for governance arrangements and timelines to implement STIR/SHAKEN, which would provide secure caller ID to prevent unwanted robocalls and reduce telecom fraud.
On May 9, Henning Schulzrinne, a noted expert in telecom technology (professor of computer science at Columbia University, former Chief Technology Officer of the FCC and a major contributor to the SIP standard), issued a minority report to express his views, which differ in some respects from the NANC report. In this blog, we summarize this minority report.
Highlights
Dr. Schulzrinne wrote this minority report because he was “motivated by the desire to accelerate the deployment and use of STIR/SHAKEN and to ensure that all relevant and affected stakeholders are included in the governance of its deployment.”
Accelerate deployment
In the minority report, Dr. Schulzrinne noted that STIR/SHAKEN would only become effective when “almost all calls outside the carrier’s own network are signed.”
- Once almost all calls are signed, there’s strong incentive to participate, because unsigned calls would likely go unanswered.
- Until almost all calls are signed, “there is almost no economic incentive to be among the first carriers to sign calls, as everybody else will have to treat signed and unsigned calls as equally valid.”
- Therefore, without a mandate, “it is quite likely that we will never, or only with long delays, achieve sufficient deployment to fulfill the promise of STIR/SHAKEN.”
Dr. Schulzrinne listed examples in the technology world where new standards were introduced without a mandate and experienced slow adoption:
- Network Ingress Filtering, which prevents certain types of denial of service attacks. First recommended in January 1998 in RFC 2267, still not widely used.
- DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework), email technologies that prevent sender spoofing. First recommended in 2009 and 2006. Only 20% participation by May 2016. DHS made it mandatory for all federal agencies, and participation jumped to 47% in eighteen months.
- RPKI (Resource Public Key Infrastructure), introduced in January 2014, designed to protect the integrity of routing, has experienced slow adoption.
In this minority report, Dr. Schulzrinne recommended three steps to accelerate deployment of STIR/SHAKEN:
- Ensure that carriers do not alter or remove STIR SIP header fields.
- Once the number of signed calls reaches a predetermined fraction, e.g., 50%, caller ID CNAM strings should be marked with a prefix to indicate whether the caller ID is validated, unvalidated or spoofed.
- Signing and validation of all VoIP calls by large carriers should be mandatory by May 3, 2019.
What about smaller carriers? They would delegate signing responsibility to larger carriers who gateway their VoIP calls.
What about TDM calls? Almost all unwanted robocalls originate as VoIP calls, not TDM calls.
Governance representation
Dr. Schulzrinne identified a potential conflict of interest in the proposed representation on the STI-GA governance authority recommended in the NANC report.
In that report, representatives would be chosen from industry, especially telecom carriers. The STI-GA would be setting policies about when and if non-carrier entities, such as large enterprises, would be allowed to sign calls. For example, call centers sending outbound calls on behalf of large banks, airlines, etc. might like to sign their calls. Carriers might prefer to offer that service themselves.
In the minority report, Dr. Schulzrinne recommended that two non-carrier members of the STI-GA should be selected: “one board member nominated by NARUC and one by the consumer group members of the FCC Consumer Advisory Committee or drawn from one of the consumer entities that have been most active in this area (e.g., Consumers Union).”
TransNexus view
We believe that secure caller ID, implemented with a digitally signed SIP Identity header defined by STIR/SHAKEN, would help protect the integrity of and trust in the telecom network. And so, we applaud suggestions that would accelerate implementation of this initiative to block unwanted robocalls and telecom fraud.
We have already updated our NexOSS and ClearIP software with STIR/SHAKEN functionality. We can help service providers get ready for STIR/SHAKEN by providing the following:
- A workshop at your location to take you through technical issues and policy choices to consider for testing and implementation of STIR/SHAKEN
- Test plans
- Assistance with configuring your Session Border Controllers for testing
- Help with interop testing with the ATIS industry test bed and other carriers who have implemented STIR/SHAKEN
- Implementation of our production-ready solutions
If you would like to begin laying the groundwork for secure caller ID with STIR/SHAKEN, we’re ready to help. Contact us today for more information.