STIR/SHAKEN Out-of-Band Call Placement Service

TransNexus operates an STI-CPS (Call Placement Service) for use with Out-of-Band SHAKEN. The STI-CPS enables SHAKEN-authorized providers that rely on non-IP networks or interconnects to exchange STI PASSporTs so that SHAKEN information is preserved when calls transit non-IP barriers.

The TransNexus STI-CPS is available at no charge to any service provider that signs its CPS requests with a valid, unrevoked STI certificate that chains up to an approved STI-CA root certificate.

The TransNexus STI-CPS supports the following mechanisms:

ATIS-1000105, Standard on SHAKEN: Out-of-Band PASSporT Transmission Between Service Providers that Interconnect using TDM.
- The FCC refers to this mechanism as Out-of-Band Agreed STI-CPS.
ATIS-1000096, Standard on SHAKEN: Out-of-Band PASSporT Transmission Involving TDM Networks.
- The FCC refers to this mechanism as Out-of-Band Multiple STI-CPS.

The system provides three API endpoints:

Health check – verify that the STI-CPS is available.
Publish – put PASSporTs in the STI-CPS so they are available to other providers for a brief period of time.
- In the Out-of-Band Multiple STI-CPS mechanism, PASSporT deletion is determined by local policy of the STI-CPS, with a typical PASSporT life of about 5-15 seconds.
- In the Out-of-Band Agreed STI-CPS mechanism, PASSporT deletion is determined by the publisher using an exp claim containing a timestamp at which the PASSporT is to be deleted, with maximum life of 60 seconds.
Retrieve – fetch PASSporTs from the STI-CPS.

PASSporTs are identified in the STI-CPS by the following:

Mechanism	Key Values
ATIS-1000105, Out-of-Band Agreed STI-CPS	SPC of the upstream provider (publisher) Calling number Called number
ATIS-1000096, Out-of-Band Multiple STI-CPS	Calling number Called number

If the publisher includes its SPC code in the spc claim, then it is using the Out-of-Band Agreed STI-CPS mechanism. The message can only be retrieved by an interexchange partner that includes an spc claim with a matching SPC code in its retrieve message, along with the matching calling and called numbers.

If the publisher does not include the spc claim, then it is using the Out-of-Band Multiple STI-CPS mechanism. The message can only be retrieved by a provider that does not include an spc claim in its retrieve message but does include the matching calling and called numbers.

Neither TransNexus nor any other entity has visibility into the contents of the TransNexus STI-CPS. We cannot monitor which providers are using it or what kind of calls they are placing. The only way to get information out of the STI-CPS is with the retrieve API call, which requires the key values used by the mechanism and a signature with a valid SHAKEN certificate.

Architecture

Figure 1. TransNexus STI-CPS Architecture

Although the architecture diagram in Figure 1 may seem daunting, it’s a straightforward system. The diagram looks complex because there are so many boxes. However, there are only a few component types, with multiple instances of each for high performance, scalability, and resilience:

Global Anycast Network announces the TransNexus STI-CPS to network edge locations around the world.
- This enables your SHAKEN system to communicate with the CPS at a network endpoint that is as close to your system as possible.
TCP load balancers distribute the traffic efficiently among the data centers for maximum performance.
Web Application Firewalls monitor network activity to detect and mitigate malicious traffic in real-time.
HTTP Load Balancers distribute traffic to web servers for maximum efficiency and performance.
Web Servers run the STI-CPS software to provide the health check, publish, and retrieve API endpoints.
Redis Nodes provide a high-performance database to store PASSporTs in the STI-CPS.

These components are distributed across geographical data centers for maximum performance and reliability. The system is highly scalable—components can be quickly added as needed to handle heavy traffic.

We have load-tested this architecture with heavy bursts of traffic and observed no loss of performance. We have been operating this STI-CPS for over six years now with no downtime.

The TransNexus STI-CPS supports IPv6 (and IPv4).

Out-of-Band Service

Communication with the STI-CPS requires additional functionality in a STIR/SHAKEN system. In the ATIS standards document, this functionality is called the STI-OOBS (Out-of-Band Service).

The STI-OOBS takes information available in the STI-AS (Authentication Service) or STI-VS (Verification Service) and uses it to construct an HTTP message that is sent to the STI-CPS.

We expect that STIR/SHAKEN software developers will likely add STI-OOBS functionality to STI-AS and STI-VS software. However, some might prefer to deploy it as a separate program called by the STI-AS and STI-VS programs.

We have shared sample code for an STI-OOBS on GitHub. This script demonstrates the publish and retrieve functions. The source code will give developers a working example to learn how they can add STI-OOBS functionality to their STIR/SHAKEN systems.

This sample program is only 166 lines long, including code to generate a test PASSporT that would not be present in production code. This illustrates that creating STI-OOBS functionality is not a large, complex software development effort.

TransNexus STI-CPS benefits

Enables providers that rely on non-IP networks or interconnects to exchange call authentication information using Out-of-Band.
- This will greatly expand call authentication information available across the SHAKEN ecosystem.
The TransNexus STI-CPS uses scalable architecture for maximum performance and resiliency.
The TransNexus STI-CPS is available to authorized SHAKEN providers at no charge.

More information

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.