New Out-of-Band SHAKEN standard published
A new Out-of-Band STIR/SHAKEN standard has been published by ATIS. This document describes a different way for providers to arrange and use Out-of-Band methods to transmit call authentication information around non-IP barriers in the call path. Let’s have a look.
The problem: non-IP barriers
In a simple call authentication scenario, an Originating Service Provider (OSP) authenticates the caller information and conveys this authentication with STIR/SHAKEN.
Figure 1. Call Authentication in an All-SIP Call Path
Figure 1 illustrates this example. The OSP performs the technological act of STIR/SHAKEN authentication, which creates a digitally signed SHAKEN PASSporT with the call authentication information and inserts it in the SIP signaling. The SHAKEN PASSporT follows the call along the call path in the SIP signaling.
The Terminating Service Provider (TSP) verifies the SHAKEN PASSporT. The TSP can use this information in call analytics and to display information to the called party.
Figure 2. Call Authentication in a Hybrid Call Path
Figure 2 shows that, when there is a non-IP segment somewhere along the call path, the SHAKEN PASSporT is lost. The TSP has no call authentication information to use in call analytics or present to the called party.
To the TSP, this is an “unsigned” call. However, that’s not a fair description of what happened.
The OSP did everything they were supposed to do. Their call authentication effort was thwarted by a non-IP segment farther down the call path.
A solution: Out-of-Band SHAKEN
The TRACED Act includes a requirement that the Federal Communications Commission “shall require a provider of voice service to take reasonable measures to implement an effective call authentication framework in the non-internet protocol networks of the provider of voice service.”
Rather than devising an entirely new call authentication framework for non-IP, the industry and standards bodies came up with ways to extend the STIR/SHAKEN framework with standardized methods to deal with non-IP barriers. One of those methods is Out-of-Band SHAKEN.
Out-of-Band SHAKEN methods
The idea behind Out-of-Band SHAKEN is simple: the SHAKEN PASSporT created by the OSP is published to a Call Placement Service (CPS) before it would be lost at a non-IP barrier along the call path. The SHAKEN PASSporT is later retrieved from the CPS and used for verification.
Notice that almost everything about this call authentication method is standard STIR/SHAKEN. The only thing new is publishing the SHAKEN PASSporT to and retrieving it from a CPS.
There are different versions of Out-of-Band SHAKEN with different ways of determining which provider publishes a PASSporT to a CPS, which one retrieves a PASSporT, and where this is done along the call path.
The original version had the OSP publish and the TSP retrieve. Pretty simple, but what if the OSP and TSP have all-SIP networks? It doesn’t seem fair to make them perform Out-of-Band just because there might be other transit providers in the middle who aren’t using SIP.
The next version requires any provider originating or sending a signed call to a non-IP interconnection to publish. Any provider receiving a call from a non-IP interconnection and either terminating it or sending it to an IP interconnection must retrieve. This seems fairer, because the burden only falls on providers that are using non-IP interconnections.
There were a few providers who felt that they did not want to publish PASSporTs to a CPS used by many other providers. A deep discussion of the security arrangements ensued. This method is quite secure for the following reasons:
- Publish and retrieve requests must be signed with valid unrevoked SHAKEN credentials.
- Retrieve requests must specify both the calling and called number.
- The CPS retains PASSporTs for a very short time—typically a few seconds.
However, a few were still concerned about a potential race condition that could result in the retrieval of the wrong PASSporT. Although this is unlikely, the concern was addressed with a new standard, which has been approved and recently published. It’s like the previous version, except that each pair of interconnection providers agrees to use a CPS that they specify.
Figure 3. New Out-of-Band SHAKEN
A provider might choose to share a CPS with a few interconnection partners or set up a separate one for each partner. It’s their choice.
With this new version, a retrieve request must also specify the SPC (Service Provider Code) of the provider that published the PASSporT. This is in addition to the calling and called numbers required with the previous method.
These requirements provide strong guarantees to prevent race conditions and ensure accurate PASSporT retrieval.
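The effect of the extra retrieve key can be seen in a toy model. This is an added example, not code from the standard or from TransNexus: `ToyCPS`, its methods, the 5-second retention value, the SPC values and the phone numbers are all constructed for illustration, and request signing is not modelled.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

RETENTION_SECONDS = 5.0  # assumed; the article only says "a few seconds"

@dataclass
class ToyCPS:
    """Hypothetical in-memory CPS model; request signing is not modelled."""
    require_spc: bool
    clock: Callable[[], float] = time.monotonic
    entries: list = field(default_factory=list)

    def publish(self, orig, dest, spc, passport):
        expires = self.clock() + RETENTION_SECONDS
        self.entries.append((expires, orig, dest, spc, passport))

    def retrieve(self, orig, dest, spc=None):
        if self.require_spc and spc is None:
            raise ValueError("retrieve request must name the publisher's SPC")
        now = self.clock()
        self.entries = [e for e in self.entries if e[0] > now]  # expire old entries
        return [p for _, o, d, s, p in self.entries
                if (o, d) == (orig, dest) and (not self.require_spc or s == spc)]

def demo():
    """Two publishers, same number pair, inside one retention window."""
    orig, dest = "+12025550100", "+14045550199"  # constructed numbers
    results = {}
    for require_spc in (False, True):
        now = [0.0]
        cps = ToyCPS(require_spc, clock=lambda: now[0])
        cps.publish(orig, dest, "AAAA", "passport-AAAA")  # constructed SPCs
        now[0] = 1.0
        cps.publish(orig, dest, "BBBB", "passport-BBBB")
        now[0] = 2.0
        live = cps.retrieve(orig, dest, spc="BBBB")
        now[0] = 10.0  # past retention for both entries
        expired = cps.retrieve(orig, dest, spc="BBBB")
        results[require_spc] = (live, expired)
    return results

if __name__ == "__main__":
    for require_spc, (live, expired) in demo().items():
        print(f"require_spc={require_spc}: live={live} expired={expired}")
```

With the number pair alone, the retriever gets two candidates and has no way to pick the right one; with the publisher's SPC in the request, the match is unique.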
More information
- ATIS-1000105 - The new Out-of-Band SHAKEN standard.
- ATIS-1000097.v003 - A technical report that evaluates each of the Non-IP Call Authentication standards.
- ATIS-1000106 - A supplemental technical report that describes the viability of each of the Non-IP Call Authentication standards.
