FCC filings calling for Out-of-Band STIR/SHAKEN call authentication
STIR/SHAKEN can identify caller ID spoofing, a robocall tactic. It’s an important tool to deliver relief from unwanted robocalls. But it won’t work unless the SHAKEN Identity token survives transit across the telephone network. In today’s network, it won’t. That’s why several organizations have filed comments with the FCC urging support for Out-of-Band STIR/SHAKEN call authentication.
Out-of-Band STIR/SHAKEN call authentication and TransNexus
- We’ve provided a whitepaper explaining Out-of-Band SHAKEN call authentication features and benefits. This method overcomes problems with transmitting the Identity token in today’s network while preserving the other standard elements of STIR/SHAKEN.
- We’ve enabled Out-of-Band SHAKEN call authentication as an option in our ClearIP and NexOSS software products.
- TransNexus customers are delivering STIR/SHAKEN benefits to their subscribers today using Out-of-Band STIR/SHAKEN.
Out-of-Band STIR/SHAKEN call authentication ex parte filings with the FCC
Here’s a list of ex parte filings with the FCC that advocate support for Out-of-Band STIR/SHAKEN:
Cloud Communications Alliance
The Cloud Communications Alliance (CCA) filed an ex parte on September 12, 2019. Here are the highlights:
- The CCA and its members are strong supporters of the Commission’s efforts to combat illegal robocalls.
- SHAKEN/STIR is one of the most impactful undertakings effecting networks in many years.
- It’s imperative that the framework be implemented in a manner that works for all providers. The CCA wants to move quickly, but they also want to make sure it is done correctly.
- Therefore, the CCA urges the Commission to ensure that standards and protocols such as certificate delegation and out-of-band signaling for TDM networks are quickly finalized to enable enterprise service providers to attest to calls originating from their customers.
- The Commission should require entities blocking calls to have mechanisms to quickly unblock calls.
- The Commission should exercise oversight to ensure the framework is implemented in a non-discriminatory and competitively neutral manner.
The CCA also filed a response to the FCC robocall blocking proposals on August 23, 2019, in which they also commented on Out-of-Band STIR:
“The ability in the near term for major carriers to authenticate and verify calls within their network or with other major carriers should not be allowed to become a competitive advantage while standards such as certificate delegation, out-of-band transmission of tokens and other processes needed for more universal implementation are being developed and tested.”
Consumer Reports, National Consumer Law Center, Consumer Action, Consumer Federation of America, National Association of Consumer Advocates, and Public Knowledge
This group of consumer advocates filed an ex parte on August 23, 2019 with this request:
”We are pleased to note that several commenters cited the existence of call authentication tools that are compatible with traditional landline service, such as out-of-band SHAKEN/STIR and tools offered by TNS. The Commission should evaluate these alternative means of authentication and consider whether they would be an acceptable alternative means of providing caller ID authentication that TDM providers could employ.”
Neustar filed an ex parte on August 23, 2019. In their comments, they also urged support for Out-of-Band STIR:
“Additionally, legacy networks create challenges for implementation of STIR/SHAKEN, which currently requires Internet Protocol. Recognizing this near-term limitation of in-band STIR/SHAKEN, Neustar continues to support the implementation of complementary call authentication technologies, such as out-of-band authentication that can be integrated into the STIR/SHAKEN authentication framework.”
Smithville Telephone Company
In their ex parte filing on August 23, 2019, Smithville’s primary concern was over the cost of deploying STIR/SHAKEN. They quoted testimony from the FCC Robocall Summit that estimated the cost as $100,000 to upgrade to $100,000 per year to operate.
We don’t know where they got those estimates, but they are way too high. Maybe they were estimating the costs of a large network upgrade.
Out-of-Band STIR/SHAKEN call authentication would not require a network upgrade. For some providers, it might require a SIP-to-TDM gateway. They start at about $5,000. And the cost of STIR/SHAKEN software is very modest—nowhere near what Smithville heard in the Robocall Summit.
In their filing, Smithville did mention out-of-band STIR/SHAKEN, and they understand that it might be a valuable technique that “could underpin a new and affordable approach to robocall mitigation.”
USTelecom – The Broadband Association
USTelecom filed an ex parte on July 24, 2019. They twice cited Out-of-Band STIR/SHAKEN call authentication:
“It is essential that any rules requiring the adoption of SHAKEN/STIR acknowledge the limitations of legacy networks and the challenges in implementing the IP-based standard for carriers with significant portions of TDM in their networks. The Commission has acknowledged the innovation regarding this limitation (footnote citing IETF work on Out-of-Band STIR) and should allow such innovation to continue.”
We filed an ex parte on July 19, 2019 in response to the FCC’s Declaratory Ruling and Third Further Notice of Proposed Rulemaking. Here’s a recap of our comments regarding Out-of-Band STIR:
- Smaller rural providers cannot participate in SHAKEN/STIR as easily as larger providers, even if they install a SIP trunk in their network and SHAKEN/STIR software. Their calls usually transit several interexchange carriers. If any of these segments are not using SIP over TCP/IP, then SHAKEN/STIR will usually fail. These issues are completely outside of the control of the smaller rural service providers.
- Smaller rural providers face a financial disincentive to switch from their SS7 TDM networks to an IP network.
- There is an answer… called Out-of-Band STIR. It is a technique of transmitting the Identity token from the originating provider to the terminating provider over the internet, outside of the call path. This enables any service provider to participate fully in SHAKEN/STIR regardless of the network readiness of the transit carriers who route their calls.
What can the FCC do to support Out-of-Band STIR/SHAKEN call authentication?
When an originating service provider generates a SHAKEN Identity token and intends to send it to the terminating service provider out-of-band, they need to know the internet address (URI) of the terminating service provider’s Call Placement Service (CPS). The IETF draft standard also calls for the token to be encrypted using the terminating service provider’s public key, so the originating service provider needs to know that also.
Currently, there’s no easy way to find a service provider’s URI and public key. If there were only a few providers doing out-of-band STIR, then it wouldn’t be hard to assemble a list. But with potentially hundreds of participants, that would become unwieldy. In the STIR/SHAKEN technical community, this is referred to as the discovery problem.
The Commission should urge the STI Governance Authority to identify a way for voice service providers who deploy Out-of-Band STIR/SHAKEN call authentication to publish the URI of their CPS and their public key. This would enable other voice service providers using Out-of-Band STIR/SHAKEN to easily discover the address of the terminating provider’s CPS and send Identity tokens out of band.
Where might this information be published? It’s up to the Governance Authority (STI-GA) and industry leaders, but here are a few options to consider:
- The Policy Adminstrator (STI-PA) could maintain a new list by OCN with the CPS domain name/IP address and public key.
- This information could be added to the LERG (Local Exchange Routing Guide). This is a database used for the routing of calls by service providers. It provides information at the NPA-NXX and block level.
- Note that iconectiv, who maintains the LERG, is also the STI Policy Administrator in the U.S.
- This information could be added to the NPAC.
- Note also that the currently has an open, unused column for SIP URI that could be designated for use as the internet address of CPS for calls placed to those numbers.
Once a place is established to maintain CPS addresses, voice service providers who wish to use Out-of-Band STIR/SHAKEN call authentication would simply include their URIs and public keys in this database so that other providers could send Identity tokens to them out of band.
Contact us for more information about our STIR/SHAKEN solutions, which can send Identity tokens in-band, out-of-band, or both.
This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.