Extending the SHAKEN framework to TDM networks
The SHAKEN framework is defined for SIP networks. Unfortunately, much the telephone traffic on the Public Switched Telephone Network (PSTN) does not use SIP signaling. Fortunately, the SHAKEN framework can be easily extended to accommodate TDM networks by transmitting the SHAKEN PASSporT Out-of-Band (OOB). This paper explains how.
In the PSTN, network signaling is based on Time Division Multiplexing or TDM. The telephone calls in TDM networks are transmitted via SS7 (Signaling System 7) signaling using ISUP (Integrated Services User Part) messages. ISUP signaling cannot transmit the SHAKEN PASSporT, the digitally signed PASSporT that prevents caller ID spoofing.
An ISUP-SIP gateway enables TDM networks to participate in the SHAKEN trust network. An ISUP-SIP gateway may be a network appliance, but is more commonly software running on a virtual machine. The following diagram presents the SHAKEN architecture defined in ATIS 1000074 with the addition of an ISUP-SIP gateway to enable signaling integration with TDM switches.
The following diagram is adapted from the SHAKEN standard. The boxes in light gray are defined in the SHAKEN architecture. The boxes in dark grey are the new network elements that enable SHAKEN for TDM. The ISUP-SIP Gateway converts ISUP messages into SIP messages, and vice versa. This enables the TDM switch to communicate with the SHAKEN Authentication Service (STI-AS) and SHAKEN Verification Service (STI-VS). The CPS (Call Placement Server) is a simple new network element that forwards the SHAKEN PASSporT from the originating network to the terminating network. A CPS may be service shared by many terminating service providers or each terminating service provider may run their own CPS.
Call Signing (Authentication) for outbound calls to the PSTN
- In the TDM switch, the first route for every call that should be signed is to the STI-AS via a trunk to the ISUP-SIP Gateway. The originating service provider’s TDM switch sends an Initial Answer Message (IAM) to the ISUP-SIP Gateway.
- The ISUP-SIP Gateway converts the message to a SIP INVITE sent to the STI-AS.
- STI-AS creates a SHAKEN PASSporT and sends it to the CPS of the terminating network.
- STI-AS returns a SIP 503 message to the ISUP-SIP IWF device.
- ISUP-SIP IWF device returns a Call Release (REL) message, with cause code 34 (No circuit available) to the TDM switch.
- The TDM switch route advances to the next trunk group in its local routing table to complete the call.
Call Verification for inbound calls from the PSTN
Valid PASSporT use case
- The first route for every inbound call that should be verified is the trunk to the ISUP-SIP Gateway. The terminating service provider’s TDM switch sends an Initial Answer Message (IAM) to the ISUP-SIP Gateway.
- ISUP-SIP Gateway converts the message to a SIP INVITE sent to the STI-VS.
- STI-VS compares the calling number, called number and time stamp of the SIP INVITE to the SHAKEN PASSporT received from the CPS.
- If the PASSporT is valid and matches the SIP INVITE, STI-VS returns a SIP 503 message to the ISUP-SIP Gateway.
- ISUP-SIP Gateway returns a Call Release (REL) message, with cause code 34 (No circuit available) to the TDM switch.
- The TDM switch recognizes from the cause code 34 that it should route advance to the next trunk group in its local routing table to complete the call.
Invalid PASSporT use case
Steps 1–3 are same as above:
- If the PASSporT is invalid, STI-VS returns a SIP 603 message to the ISUP-SIP Gateway.
- ISUP-SIP Gateway returns a Call Release (REL) message, with cause code 21 (Call Reject) to the TDM switch.
- The TDM switch recognized cause code 21 and returns the REL message the originating service provider’s TDM switch and blocks the call.
Our STIR/SHAKEN products:
- Most affordable commercial solutions
- Work with your existing network
- Include support with deployment
SHAKEN for TDM call ladders
SHAKEN for TDM use case — PASSporT is valid
The following call ladder provides an example of SHAKEN verified call between TDM networks:
Call flow details:
- Call Setup to TDM Switch from Calling Party.
- TDM Switch sends IAM call setup to ISUP-SIP gateway.
- ISUP-SIP Gateway converts IAM to SIP INVITE sent to STI-AS.
- STI-AS uses the calling number, called number and time stamp to create SHAKEN PASSporT which is sent to the CPS of the terminating service provider via HTTPS.
- STI-AS returns a SIP 503 (Service Unavailable) message to the ISUP-SIP IWF device. Steps 4 and 5 occur simultaneously.
- The CPS verifies digital signature of the PASSport and, if valid, immediately forwards the PASSporT to the STI-VS of the terminating service provider.
- ISUP-SIP gateway device returns an ISUP REL message with cause code 34 (no circuit available) to the TDM switch.
- TDM switch route advances to the next route choice in its local routing table and sends and IAM call setup message the TDM switch that will transport the call to the terminating service provider serving the called number. In the call ladder above, the call is shown to interconnect directly to the TDM switch of the terminating service provider. However, a direct interconnect between source and destination switch is not required for OOB SHAKEN. OOB SHAKEN will work when there are multiple TDM switches between the originating and terminating service providers.
- When the call reaches the TDM switch of the terminating service provider, it is routed to the STI-VS via an IAM message to the ISUP-SIP Gateway.
- ISUP-SIP Gateway converts the IAM message to a SIP INVITE that is sent to the STI-VS.
- STI-VS finds a SHAKEN PASSporT received from the CPS that matches the calling number, called number and time stamp of the SIP INVITE to verify the call. STI-VS returns a SIP 503 message to the ISUP-SIP gateway.
- ISUP-SIP Gateway sends an ISUP REL message with cause code 34 (no circuit available) to the TDM switch.
- TDM switch route advances to the next route in its local routing table to complete the call to the Called Party.
SHAKEN for TDM use case — call is blocked
The following call flow ladder is an example of a SHAKEN enabled call, between TDM networks, that is blocked. Call blocking is not a requirement for SHAKEN for TDM, but is a local policy that can be enabled by the information provided by OOB SHAKEN. The terminating service may use the following reasons to determine that a call should be blocked.
- PASSporT is invalid. Verification of the digital signature using the public certificate fails.
- PASSporT cannot be validated because the certificate needed to validation cannot be retrieved from the Certificate Repository (STI-CR).
- No PASSporT is available from the CPS that matches the calling number, called number or time stamp of the SIP INVITE received at the STI-VS.
- The PASSporT is too old. Sixty seconds is the default lifetime of SHAKEN PASSporTs, but terminating service providers may expires SHAKEN PASSporTs sooner.
- Call Analytics, coupled with the STI-VS, may determine that the call should be blocked.
Call flow details:
1–10. The call flow details for steps 1-10 are identical to a call with a valid PASSporT, above.
- STI-VS determines the call should be blocked, based on one of the five reasons listed above, and returns a SIP 603 Decline message to the ISUP-SIP Gateway.
- ISUP-SIP Gateway sends an ISUP REL message with cause code 21 (Call Rejected) to the TDM switch.
- The TDM switch blocks the call and sends an ISUP REL message with cause code 21 (Call Rejected) to the TDM switch of the originating service provider.
- The TDM switch sends a Call Release message to the Calling Party.
TransNexus STIR/SHAKEN solutions
We offer production-ready STIR/SHAKEN solutions in our ClearIP and NexOSS software products. These solutions are unique in their capabilities to combine complete STIR/SHAKEN services with flexible policy controls and a comprehensive portfolio of other services, including fraud prevention, least cost routing and much more.
Contact us today to explore how we can help you implement SHAKEN quickly and easily.
This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.
More on TransNexus.com
June 16, 2021
June 15, 2021
June 11, 2021
June 9, 2021
June 7, 2021
June 2, 2021
June 1, 2021
May 26, 2021
May 25, 2021
May 13, 2021
May 11, 2021
May 3, 2021
April 30, 2021
April 26, 2021
April 7, 2021
March 31, 2021
March 29, 2021
March 26, 2021
March 3, 2021
February 23, 2021
February 23, 2021
February 17, 2021
February 8, 2021
February 4, 2021
February 1, 2021
January 27, 2021
January 18, 2021
January 15, 2021
January 4, 2021
TransNexus is a SHAKEN Certificate Authority
We can provide the certificates you need for STIR/SHAKEN.