SHAKEN AND STIRRED · 2021. 5. 11. · NEUSTAR OVERVIEW 4 20+ years of success in Canadian...

SHAKEN AND STIRRED

Ken PolitzPrincipal Product Specialist

Marcel ChampagneSenior Director Canadian Telecom Industry Liaison

© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited

What should Canadian TSPs consider when implementing

call authentication to mitigate nuisance calls

April 21, 2021

2

WEBINAR AGENDA

Today we will:• Review nuisance call trends in Canada

• Regulatory actions to date

• History

• Explain STIR/SHAKEN

• Checklist

• Neustar’s solution

• Road ahead

• Q&A


3

POLL QUESTION - #1

What is the MOST IMPORTANT driver to your organization for implementing

STIR/SHAKEN call authentication?

A. Regulatory compliance

B. Enterprise experience

C. Consumer experience

D. Other


NEUSTAR OVERVIEW

4

▪ 20+ years of success in Canadian

Telecommunications industry

▪ Canadian Number Portability

Administration Centre (NPAC) solution

provider since 1998

▪ Currently provide commercial services to

over 65 Canadian customers

▪ Employs 1,600 in 8 countries, including

Canada

▪ Provide services in every country &

territory across the globe

▪ Co-author of STIR standards and early

contributor to SHAKEN framework

▪ Leading supplier of STIR/SHAKEN and

related solutions

▪ Ongoing leadership role in defining

industry standards with ATIS, IETF and

NTWG


5

Nuisance Calls nearly doubled in the first seven months of 2020

from last year - Canadian Anti-Fraud Centre

MARKET TRENDS

2X

#1 Nuisance calls are the number #1 contact method for fraudsters

-The Centre, in partnership with the Royal Canadian Mounted Police

as many

nuisance calls

Contact method

for fraudsters

Of unwanted calls involve Caller ID spoofing- CRTC40%


6

REACTION FROM REGULATOR

CRTC (and FCC) see eradicating nuisance calls and illegitimate caller ID spoofing as top priority!

Dec 2019 CRTC establishes Canadian Secure Token Governance Authority CST-GA

IMPACT• CRTC established the CST-GA to kickstart industry-wide adoption of STIR/SHAKEN policies,

protocols, and operating procedures to mitigate illegal spoofing and nuisance calls

• Carriers should implement STIR/SHAKEN

Sept 2020 CRTC extends STIR/SHAKEN deadline until June 2021

IMPACT• Extends deadline due to several factors, including reallocation of resources due to COVID

April 2021 CRTC clarifies stance to mandate STIR/SHAKEN and extends deadline

IMPACT• Directs STIR/SHAKEN implementation by 30 November 2021

• Requires TSPs to submit Readiness Assessment Reports by 31 August 2021


https://cstga.ca/

7

Jan 2018: CRTC 2018-32

statesSTIR/SHAKEN

should be implemented by Mar 2019

Feb 2018: Neustar co-

author of issued

foundational STIR RFCs: 8224, 8225 and 8226

Nov 2019: Neustar supports

TELUS with first successful cross-border SHAKEN call

Dec 2019: CRTC 2019-403

approves establishment of

CST-GA

Jul 2020: CST-GA contracts

Neustar as Canada’s STI-

PA, STI-CA and STI-CR

Sep 2020: CST-GA and

Neustar launch as committed

April 2021:Today’sWebinar

Aug 2021: Readiness

Assessment Reports due

Nov 2021: CRTC date for TSPs to deploy STIR/SHAKEN

STIR Working Group IP-NNI Task Force Network Working Group (NTWG)

STIR/SHAKEN TIMELINE


8

WHAT HAVE WE LEARNED ALONG THE WAY?

“Introducing the STIR/SHAKEN framework in Canada is a major

undertaking. It requires close coordination across multiple groups

within our company, as well as a high degree of TSP collaboration

across our industry. Advanced planning and hands-on experience

early on, have been beneficial in supporting this initiative as a tool for

combatting illegitimately spoofed calls.

We appreciate Neustar’s leadership in standards development on

both sides of the border to ensure interoperability, their on-time

delivery and operations of the required national CST-GA governance

and certificate management infrastructure and partnering with

TELUS to implement an extensible STIR/SHAKEN solution."

Richard Polishak

Technology Fellow, TELUS

Chair, CISC Network Working Group (NTWG)

© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited 8

STIR / SHAKEN are the technology

standards which enable TSPs to attest

and digitally sign phone calls to help

prevent illegitimate spoofing.

❖ Neustar is co-author of STIR, a contributor to the SHAKEN framework,

and exclusively hosts the industry testbed for STIR/SHAKEN implementations

STIR: Secure Telephony Identity Revisited

SHAKEN: Secure Handling of Asserted

information using toKENs

9

WHAT IS STIR / SHAKEN?


*SPOOF CALL*

416-555-4321

10

STIR/SHAKEN:

ATTEST TO CALLER ID AND SECURELY SIGNAL TERMINATING CARRIER

416-555-4321

Reference: ATIS-1000074-E


11

SHAKEN FRAMEWORK (IN CANADA)

Call Management

Key Management

Governance/Policy STI-PA STI-CASPC Token

Validations

SP-KMSSTI-CROptional)

STI-AS STI-VS

SKS

STI Public Key

Certificate

Requests

Private

Key(s)

Private

Key(s)

List of Valid STI-CAs

Service Provider

Code Token

Requests

CRTC: Canadian Radio-television and Telecommunications Commission

CST-GA: Canadian Secure Token - Governance Authority

STI-PA: STI-Policy Administrator

STI-CA: STI-Certification Authority

STI-CR: STI-Certificate Repository

SP-KMS: Service Provider-Key Management Server

STI-CR: STI-Certificate Repository (optional)

SKS: Secure Key Store

STI-AS: STI-Authentication Service

STI-VS: STI-Verification Service

External STI-VS

Verification Requests

STI Public Key

Certificate(s)

CRTC STI-CR

Component of Neustar’s Certified Caller solution


12

CURRENT PREREQUISITES - WHAT YOU WILL NEED TO GET STARTED

1. Be a registered Local Exchange Carrier (LEC) or Wireless Service Provider

(WSP) in good standing with the CRTC

2. Be eligible to acquire Canadian Telephone Numbers directly from the Canadian

Numbering Administrator (CNA)

3. Submit Network Access Services and Mobile Subscribers data to Canadian

Secure Token Governance Authority (CST-GA)

4. Become a member of the CST-GA:❖ Refer to www.cstga.ca for further details and most current information


http://www.cstga.ca/

13

CST-GA MEMBERSHIP IS GROWING

Members As of March 2021


14

POLL QUESTION - #2

What hurdles have you encountered when implementing STIR/SHAKEN?

SELECT ALL THAT APPLY

A. Understanding changing regulations

B. Network readiness – My equipment or uplink TSP

C. Cost – Support for network upgrades

D. Testing – Own network limitations and interoperability validation


15

REGISTERING AND REQUESTING A STI (SIGNING) CERTIFICATE

4. Request a STI Certificate

References: ATIS-1000080 and ATIS-1000084

1. Register with the Canadian Policy Administrator To take part in the STIR/SHAKEN ecosystem, TSPs, as qualified by the

CST-GA, must register with the Canadian STI-PA. TSPs will then

successfully execute a test plan in the User Acceptance Test (UAT)

environment before being granted access to the Production environment.

The current Canadian STI-PA is Neustar.

2. Select a Canadian Certification Authority TSPs next select the STI-CA they will work with to request a STI

Certificate. A generated “fingerprint” is used to request an SPC Token, as

well as to validate a request for a STI Certificate. The current Canadian

STI-CA is Neustar.

3. Obtain a Service Provider Code TokenTSPs then request an SPC Token from the STI-PA for one of its assigned

Operating Company Numbers (OCNs). The SPC Token includes this

OCN, as well as the generated “fingerprint” and is used to finally request a

STI Certificate. Note that this OCN is an identifier for the TSP and is not

meant to define any numbering scope of authority.

To enable end-to-end SHAKEN authentication, a TSP must obtain a STI

Certificate from their selected STI-CA. To request a STI Certificate, the

TSP sends a Certificate Signing Request (CSR) to the STI-CA, along with

its associated SPC Token.


16

TESTING AND IMPLEMENTATION

5. Implement STIR/SHAKEN software Deploy all necessary components that perform functions associated with

the STIR/SHAKEN specification (STI-AS, STI-VS, SP-KMS, SKS and

optional STI-CR).

6. Perform Functional Testing It is important that TSPs test calls in a lab environment before deploying in

a live network. Internal testing provides an opportunity to ensure hardware

and software are configured properly to avoid wasting resources and

causing service disruptions.

7. End-to-End Testing To begin testing between networks, TSPs should start by focusing on

calls that originate and terminate within their own network to validate that

authentication and verification functionality is working as expected. Next,

they should expand to testing calls with other TSPs.

Note: If you are a Neustar Certified Caller customer, you can leverage our comprehensive SHAKEN test plan, integration tools and hosted User

Acceptance Test (UAT) environment. For non-Neustar Certified Caller customers, the ATIS Robocalling Testbed is an industry SHAKEN

interoperability test facility that Neustar exclusively hosts for qualified carriers and vendors.


17

OPERATIONAL SUPPORT AND TRAINING

8. Operational Support & Training To deliver a new capability at scale, a participating TSP needs to transition

network management activities from Engineering to Operations and update

systems and processes. Customer education will also be imperative, so they

understand how to interpret any new messages and alerts appearing on their

device(s).


18

WHAT DO YOU DO IF NOT QUALIFIED TO BECOME MEMBER OF CST-GA

• Potential technical solutions are defined at various levels with application to

certain TSP types (and enterprises):

1. Delegate Certificates

2. Leveraging Models for Originating Entity Authentication- Full Attestation with Entity Identity in a Secure Token

(Lemon Twist)

3. Enterprise Certificates

4. Extended Validation (EV) Certificates with TN Letter of Authorization (TNLoA)

5. Central TN Database

6. Enterprise Identity using Distributed Ledger

• However, these technical solutions require various levels of TSP

participation/cooperation and/or changes in current CST-GA policies

Reference: ATIS-1000092


19

1 December 2021?

© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited 19

20

“WE’VE ONLY JUST BEGUN”

1. Support for non-CSTGA members (and other entities like

enterprises)

2. Cross-border SHAKEN (and beyond)

3. Legacy network support, including PSTN interconnections

4. Published and pending new industry standards

❖ New PASSporT types (e.g., “div”, “rcd”, “rph”)

❖ Changes from operational experience

5. Call treatment (including blocking/safe harbors, subscriber device

display for nuisance and/or fraudulent calls, calling/called party

notifications, reporting requirements and data retention)


21

1. THE ATTESTATION “GAP” FOR ENTERPRISES

TSP #1

TSP #2

TNSP #1 + TSP #1 = A attestation

TNSP #1 + TSP #2 = B attestation

VoIP

Network

Enterprise

PBX / SBC, BPO,

Call Center

CHALLENGE: An enterprise call to the same consumer,

using the same originating number, can have different treatment results!

WHY? Attestation level is determined by combination of a) Which carrier (TNSP) is the source of the assigned TN

b) Which carrier (TSP) originates the call

Enterprise uses a TN assigned

from TSP #1 to call a customer

Unsigned

Same consumer, same

originating number, potentially

different experience?

TN - 416-123-5678

STI-AS

STI-AS

TSP #2 signs

with ”B” and

sends with

SHAKEN

PASSporT


22

2. PHONE CALLS DON’T STOP AT THE BORDER

Likely more of a question of WHEN, not IF, we

will see authenticated calls across North

America

References: ATIS-1000087 and ATIS-1000091


3. STIR/SHAKEN – ASSUMES END-TO-END VOIP CALL

SIP Header

w/Verification

result

Calling Party Called Party

Transit TSP(s)Originating

TSP

Terminating

TSP

Authentication,

Attestation

Verification,

Treatment

STIR/SHAKEN

Authentication Service

STIR/SHAKEN

Verification Service

23

SIP SIPNetwork-

Network

Interface

Setup

A. Originating TSP obtains STI

Certificate through STI-PA/STI-

CA

Call Flow

1. Calling Party places call

2. Originating TSP invokes

Authentication Service and uses

STI Certificate to sign call

3. Signed SIP call traverses any

transit network(s) to the

terminating TSP

4. Terminating TSP invokes


5. The Verification Service, in turn,

initiates a request to the STI-CR

for the referenced public

certificate

6. Verification Service validates the

call

7. Terminating TSP determines call

treatment and any verification

status signaling as final call

processing

1

2 4

5

SIP

A

3

6

STI-CA STI-CR

7

Network-

Network

Interface


24

3. ACHIEVING END TO END SIP REMAINS A CHALLENGE

• Rural and small carriers face financial hurdles

to upgrade networks to 100% SIP

• Majority of TSP interconnects are TDM-based


SIP Header

w/Verification

result

Calling Party Called Party

Transit TSP(s)Originating

TSP

Terminating

TSP

Authentication,

Attestation

Verification,

Treatment

STIR/SHAKEN

Authentication Service

STIR/SHAKEN


25

SIP SIPTDM

Interconnect

Setup (Incremental)

B. Originating and Terminating TSPs

establish connections to Call

Placement Service

Call Flow (Incremental)

2a. Authentication Service also

posts generated PASSporT to Call

Placement Service

4a. If Verification Service detects an

unsigned call, get any posted

PASSporTs for this call

1

2 4

5A

3

6

STI-CA STI-CR

7

TDM

Interconnect

3. DEPLOY OUT-OF-BAND SOLUTION TO ADDRESS TDM INTERCONNECT

“Call

Placement

Service”

Reference: ATIS PTSC-NONIPCA-2021-00006R006 baseline

B

2a 4a


26

NEUSTAR CERTIFIED CALLER

• Access to complete, extensible microservices suite (for hosted

service, through Amazon Web Services exclusively in Canada)

• Web Portal access for configuration & management of software

suite, as well as analytics dashboard & extensive reporting

• 24 X 7 Support through long-standing Neustar support team

• Network-agnostic solution (e.g., flexible APIs, including SIP)

• Established market leader of STIR/SHAKEN software solutions

(billions of calls being processed each month)

• Neustar also supplier & operator of Canadian governance and

certificate management infrastructure since September 2020

• Confidence in Neustar’s industry standards leadership

• No hidden costs for related standards changes, published

roadmap enhancements and bug fixes

• Pre-integrated with Neustar’s broad Trusted Call Solution suite

(e.g., nuisance call analytics, TN industry data and customer

inventory, SHAKEN Out-Of-Band, enterprise calling

optimization, policy management)

FEATURE HIGHLIGHTS AND GENERAL BENEFITS

NEUSTAR

CERTIFIED CALLER

“TO STIR/SHAKEN AND BEYOND”


STI-PA STI-CASPC Token

Validations

SP-KMSSTI-CROptional)

STI-AS STI-VS

SKS

STI Public Key

Certificate

Requests

Private

Key(s)

Private

Key(s)

List of Valid STI-CAs

Service Provider

Code Token

Requests

External STI-VS

Verification Requests

STI Public Key

Certificate(s)

CRTC STI-CR

27

Deliver identity & context

to give subscribers control over their phone

experience.

✓ Restore trust in phone calls.

✓ Protect consumers.

✓ Improve customer engagement.

Neustar’s comprehensive Trusted Call

Solutions suite, including Certified Caller,

helps deliver this perspective.

PERSPECTIVE – It’s not just about authenticating calls


28

RECAP

✓ Note key CRTC dates ❑ August – Readiness Assessment Report

❑ November – STIR/SHAKEN Implementation

✓ Review the prerequisites

✓ Complete the checklist

✓ Plan testing

✓ Get started now


SHAKEN AND STIRRED · 2021. 5. 11. · NEUSTAR OVERVIEW 4 20+ years of success in Canadian...

Documents

Transcript of SHAKEN AND STIRRED · 2021. 5. 11. · NEUSTAR OVERVIEW 4 20+ years of success in Canadian...