Stir-Shaken Clarified
https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
The Wiki above is misleading in what Stir-Shaken means and how it works. End users cannot get a certificate, they cannot self-certify their calls. Somebody completely misunderstood the model. I am afraid the moment will come and thousands of Asterisk operators will be unable to terminate calls. To start with, the model is a hierarchical one: there is an FCC
designated central authority, which appoints (so far two) Certification Authorities, allowed to issue Certificates for Service Providers ONLY, which themselves are ALSO pre-approved by then GA (Governance Authority), and they need to have an OCN, they need to be a CLEC, have their own block of numbers. So the idea that an Asterisk operator can have its own certificate and somehow calculate the signature, is ridiculous. Once the call arrives a the last mile, let’s say VZ or ATT, the carrier will open the signature added to each call and verify it with the Certification Authority that issued the certificate. They will check if the caller-ID and destination number match the actual call. Each signature is valid only for
60 seconds and each call has a different signature, even for the same caller-ID and destination number, so it cannot be stored. As you can see, this is a new world and we need to prepare for its arrival, or our calls will simply fail and we shall be out of business. My company is an approved Service Provider and we are waiting for the certificate, which is in itself complicated paperwork. Our model to solve this riddle for Asterisk is simple: Add a res_odbc.so-connection pointed to our MySQL database. Create a func_odbc function that executes our stored procedure. For each call, you send us the pair Caller-ID and Destination number, and we send you back the signature. In the next line in the dialplan, you add a SIP-header called Identity, and our signature becomes the content. Identity:
eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwicHB0Ijoic2hha2VuIiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxOTU0NDQ0NzQwOCJdfSwiaWF0IjoxNTkwNjcyNDc2LCJvcmlnIjp7InRuIjoiMjE1OTE0MDQyMSJ9LCJvcmlnaWQiOiIxMjNlNDU2Ny1lODliLTEyZDMtYTQ1Ni00MjY2NTU0NDAwMDAifQ.X7noevZGawXv1Jw1wkaqunTMFVE9FLt7sEX1QSgk0GMJmAHJWnbF5PCdj-Mc7UD2JY_5xvuJU3UlhSvswfK7SQ;info=<
https://cert.example.org/passport.cer>;alg=”ES256″;ppt=”shaken”
With two lines of code in the dialplan, you solve the FCC requirements. BUT, the caller-ID must be either verifiable associated with the company that owns Asterisk, or we can supply one for you, from our pool of numbers. Wireless numbers are not allowed. We check each and call return an error if the conditions are not met. What happens if you send a random but valid caller-ID? We still sign it, BUT, with Attestation level “C”, which means we don’t know anything about the caller-ID. At some point, carriers will decline to terminate those calls. It is up to them to terminate or not those calls. So what I am doing for the Asterisk community is helping everybody to stay in business. If you delay the interconnection with me and pretend it is not urgent, you will end-up in the fauces of XXXXnexus, which acts double as a Certification Authority and Service Provider and charges huge fees. I mean HUGE. This wiki should be erased, for it is misleading:
One thought on - Stir-Shaken Clarified
It is not misleading. We are adding support in Asterisk for doing this for cases where the certificate is available to the Asterisk user, much like the support is already available in Kamailio and other solutions. Whether that occurs or not depends on the specific agreement over the phone number
(or number range). An upstream carrier may take care of it, or they may allow it to be done downstream. That aspect is outside the scope of Asterisk itself. We just provide the tools, including verification for inbound traffic.
I also ask as others have that you respect the non-commercial nature of this mailing list and use the asterisk-biz mailing list for your specific offering. If people want to discuss the aspects of STIR/SHAKEN itself, that’s perfectly fine.