Out-of-Band STIR/SHAKEN call authentication
By authenticating and verifying caller ID, STIR/SHAKEN offers relief from spam robocalls with fake caller ID. But the effectiveness of this approach depends on whether caller ID authentication information survives transit over the telephone network.
There are real-world issues that can prevent successful transit of this information across today’s telephone network. These issues limit the effectiveness of STIR/SHAKEN. This whitepaper describes these issues and a solution to overcome them: Out-of-Band STIR/SHAKEN call authentication.

STIR/SHAKEN methodology
STIR/SHAKEN requires the originating service provider to create an Identity token, called a PASSporT, for each call they put on the network. In addition to call information, the Identity token includes an attestation level and a unique orig ID for traceback. This information is signed using PKI techniques to prevent tampering or replay attacks.
The token is placed in the SIP INVITE message used to set up the call on the SIP network. Ideally, this Identity token should accompany the call through the entire network until it reaches the terminating service provider, who then uses it to verify caller ID information and present verification status to the called party.
STIR/SHAKEN call flow

It’s a brilliant solution. But there are pitfalls using it across the telephone network today.
Call routing issues across the telephone network
Calls are typically routed across many segments of the telephone network.
A Typical Segment of the Telephone Network

Service providers negotiate network interconnect agreements among themselves that describe the price they will pay to have their calls sent through the network. They use least cost routing software to select available routes based upon quality and price. This leads to extended call paths as calls travel from one carrier to the next. With extended call paths comes increased risk that the Identity token may be lost in transit. Here are three ways that the PASSporT can be lost:
- Call path segments in the telephone network today are not all SIP. Legacy network technology is still in widespread use. The old networks cannot transmit SIP messages. When an authenticated call reaches one of these segments, the STIR/SHAKEN information is lost.
- Some SIP network software removes the Identity token from the SIP header. Carriers must upgrade their SIP software to enable their network to retain the Identity tokens in calls that transit their network.
- Some SIP networks use UDP network technology, which does not provide flow control and retransmission. Because of this, UDP is prone to packet fragmentation and packet loss—a serious problem when sending Identity tokens, which must be delivered perfectly intact, else they cannot be verified. SIP over TCP, which provides flow control and retransmission, delivers Identity tokens much more reliably than UDP.
These issues create obstacles where the original authentication information is lost.
Other segments further down the call path might use SIP and have equipment and software capable of STIR/SHAKEN. Carriers are expected to sign and authenticate calls they put back on the SIP network. So even if the original PASSporT were lost, the call might get another one further down the call path.
But intermediate and terminating carriers don’t know the calling party like the originating provider does, and therefore can’t provide the same level of attestation or traceback. Subsequent tokens aren’t as useful as the original.
Why not just convert everything to SIP?
The ideal solution to this problem would be to replace all legacy technology throughout the entire telephone network with the latest SIP-capable equipment and software running over TCP networks. This would allow STIR/SHAKEN Identity tokens to be exchanged from one end of the network to the other.
The telephone network has been evolving toward SIP for decades. But such changes are costly and take time. And the economics of carrier compensation access fees is, for some providers, a huge financial disincentive to convert from legacy technology to SIP.
The demand for robocall relief requires widespread STIR/SHAKEN deployment long before the transition to an all-SIP network can be completed.
Consumers need spam robocall relief now. And service providers need practical options to provide it.
Solution: Out-of-band STIR/SHAKEN call authentication
There is a way to enable STIR/SHAKEN for all calls across the current network, and it’s feasible today: Out-of-band STIR/SHAKEN call authentication. The process is very similar to the one described above, except the Identity token is sent across the internet, out-of-band from the call path, through a Call Placement Service, as shown in this illustration:
Out-of-band STIR/SHAKEN call authentication

The steps are very similar to standard STIR/SHAKEN processing, with a few exceptions:
- STI-AS authentication is performed by the originating or gateway service provider as usual.
- The originating service provider encrypts the Identity token with the terminating service provider’s public key and sends the encrypted token separately, out-of-band, across the internet to the terminating service provider’s Call Placement Service (CPS).
- The call is routed through the telephone network as usual. It doesn’t matter whether the call is routed over SIP or legacy networks, or a combination of both.
- When the terminating service provider receives the call, they check their CPS for tokens associated with the called number.
- Having found and decrypted the Identity token in their CPS, the terminating service provider performs STI-VS verification as usual.
Out-of-Band STIR/SHAKEN authentication benefits
There are several compelling advantages of using out-of-band transmission of Identity tokens:
- It does not matter what kind of network segments are used to route the call.
- There are no concerns about whether any of the network equipment or software along the call path might strip the Identity token from the call.
- There are no problems with tokens being corrupted by packet loss or fragmentation.
- Since the Identity tokens are secured using asymmetric encryption, there are no security risks or privacy concerns. Nobody can read the tokens except the terminating service providers.
- Apart from encrypting and decrypting the Identity token, the STI-AS and STI-VS processes are unchanged whether Identity tokens are transmitted either in-band or out-of-band.

At TransNexus, we welcome innovative ways to solve problems. Network issues that prevent end-to-end transmission of Identity tokens are a serious threat to the success of STIR/SHAKEN. We believe Out-of-Band STIR/SHAKEN call authentication is a viable solution, and so we have implemented both in-band and out-of-band methods in our software. These options enable TransNexus customers to authenticate and verify caller ID today, undeterred by the network issues described above.
TransNexus solutions
We have comprehensive STIR/SHAKEN solutions, including both in-band and out-of-band capabilities, available in our ClearIP and NexOSS software products. Contact us today to learn how we can help you with your STIR/SHAKEN deployment.
More on TransNexus.com
February 23, 2021
Webinar — What is STIR/SHAKEN, and how to comply
February 23, 2021
TransNexus works with DigiCert to provide SHAKEN certificates
February 17, 2021
ClearIP Out-of-Band SHAKEN enhancements
February 8, 2021
FCC to telcos—You cannot be dumb pipes for robocalls
February 4, 2021
U.S. SHAKEN Governance Authority issues year-end report for 2020
February 1, 2021
Webinar — TRACED Act compliance — everything you need to know
January 27, 2021
Service provider STI fee changes for 2021
January 18, 2021
Webinar recording — Complying with the TRACED Act made simple
January 15, 2021
FCC proposes rules on SHAKEN certificate revocation for noncompliance
January 4, 2021
FCC issues further restrictions on robocalls
December 18, 2020
SIPNOC webinar recording available—Rich Call Data and Out-of-Band SHAKEN
November 30, 2020
Service providers request SHAKEN extensions
November 20, 2020
FCC SHAKEN Second Report and Order deadlines
November 18, 2020
U.S. STI-GA to update the Service Provider Code token access policy for STIR/SHAKEN
November 3, 2020
Comments on caller ID authentication best practices
November 2, 2020
STIR/SHAKEN, least cost routing and attestation
October 28, 2020
Reply comments on caller ID authentication progress
October 26, 2020
October 21, 2020
SHAKEN benefits for enterprise callers
October 19, 2020
PASSporTs used with STIR/SHAKEN
October 19, 2020
How to register with the STI Policy Administrator to authenticate calls with STIR/SHAKEN
October 14, 2020
October 14, 2020
International SHAKEN — how that might work
October 7, 2020
Best practices for call authentication – first proposal
October 5, 2020
Three requirements from the FCC SHAKEN orders that will apply to most U.S. providers
September 30, 2020
FCC approves second order on SHAKEN
September 28, 2020
SHAKEN, robocall mitigation, or both?
September 16, 2020
Robocall mitigation program mandate
June 25, 2020
Open source Call Placement Service advances SHAKEN call authentication for all
Our STIR/SHAKEN products:
- Most affordable commercial solutions
- Work with any TDM and/or SIP network
- Include support with all aspects of deployment.