Out-of-Band SHAKEN with a private Call Placement Service

With the approval of the ATIS Out-of-Band SHAKEN standard, we’ve received questions about the Call Placement Service (STI-CPS) that it uses. Is this resource accessible to the public? Could it be used in a private network? In this article, we’ll explain how this works. Let’s get started.

Out-of-Band SHAKEN

Out-of-Band SHAKEN extends the SHAKEN framework to enable transmission of PASSporTs for calls that use TDM signaling. It does this by sending the PASSporT to an STI-CPS, where it can be held briefly for retrieval by another service provider on the other side of the TDM barrier.

Here’s an illustration that shows a call that’s been authenticated and signed per the SHAKEN standards. The call is about to be placed on a TDM segment in the call path. Ordinarily, the PASSporT would be lost at this point.

PASSporT Sent to an STI-CPS on the National Network

PASSporT Sent to an STI-CPS on the National Network

To enable the PASSporT to survive, the Originating Service Provider (OSP) publishes the PASSporT to an STI-CPS.

The STI-CPS replicates the PASSporT to all the other STI-CPSs on the national network. The Terminating Service Provider retrieves the PASSporT from the STI-CPS they use, then verifies the call authentication per the standard SHAKEN framework.

This is just one of many scenarios in which Out-of-Band SHAKEN would be used to transit PASSporTs around a non-IP barrier. See our Out-of-Band SHAKEN whitepaper for other examples.

Out-of-Band SHAKEN

National network of Call Placement Services

In the above example, the STI-CPS is part of a national network of STI-CPSs. Each STI-CPS in this network does the following:

  • Accepts PASSporTs published to the STI-CPS by SHAKEN-approved service providers,
  • Replicates PASSporTs it receives to all other STI-CPSs on the national network of STI-CPSs,
  • Accepts PASSporT retrieve requests from SHAKEN-approved service providers and returns the PASSporTs requested.

Notice that only SHAKEN-approved service providers can publish and retrieve PASSporTs with the national STI-CPS network. The national STI-CPS network isn’t accessible to the public. Each provider must sign their STI-CPS publish and retrieve requests with their STI certificate. The STI-CPS validates that the STI certificate is currently authorized.

So, to answer the first question, no, the national STI-CPS network is not accessible to the public.

International Out-of-Band SHAKEN

The Out-of-Band SHAKEN standards includes provisions for international calls. Here’s how that works.

PASSporT Transit Across National Network Boundaries

Out-of-Band PASSporT Transit Across National Network Boundaries

In this example, we have a call originated in the U.S. and terminated in Canada. Each country has its own national CPS network. For this example, the intermediate provider would retrieve the PASSporT from any STI-CPS on the U.S. national network and publish it to any STI-CPS on the Canadian national network.

Private network Call Placement Service

Could Out-of-Band SHAKEN be used within a private network? Yes. Here’s an example.

PASSporT Sent to an STI-CPS on a private network

PASSporT Sent to an STI-CPS on a Private Network, Relayed to Another Private Network

This example illustrates two private networks, A and B. You can think of them as two mini-national networks. Access to each private network is limited to service providers that have agreed to exchange PASSporTs among themselves.

If a service provider needs to relay a PASSporT from a private network to another network, private or national, then they would do that the same way a PASSporT would cross international boundaries, as explained above, by retrieving it from one network and publishing it to the other.

Private networks use the standard methods described in the technical standards document, ATIS-1000096.

Related questions and answers

Here are a few follow-on questions and answers about the national network versus private network implementation.

Could more than two parties use the same private network?
Yes. The private network could be configured to permit access by multiple entities.
Could a service provider use Out-of-Band SHAKEN with both the national STI-CPS network and a private STI-CPS network? What about multiple private networks?
Yes, to both questions. A service provider would configure their SHAKEN system to select either the national STI-CPS network or specific private STI-CPS networks based upon which trunk is being used.
Is discovery of STI-CPSs a problem with either the national network or a private network?

No, there are no discovery problems in either case.

Every STI-CPS provider that puts their STI-CPS on the national network must replicate PASSporTs with every other member. Replication enables service providers to use any STI-CPS on the national network without worrying about discovery of other STI-CPSs.

Providers that deploy a private STI-CPS to exchange PASSporTs with each other would ensure that each member of the private network knows where the STI-CPS is and has access.

More information

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. We can make your STIR/SHAKEN deployment a smooth process.

We provide an STI-CPS, the TransNexus CPS, which is available to any SHAKEN-authorized service provider free of charge. It’s part of the national network of STI-CPSs.

We can also provide a private STI-CPS, either hosted or on-premises, to service providers.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.