STIR/SHAKEN
Excellent point, started new thread.
In my digging today it seems I need to become a SHAKEN service provider, and there is a rather lengthy and difficult process to go through to become one (this slide from a Bandwidth.com seminar):
Has anyone gone through this recently? Does it really still take 7 to 9 months? That seems crazy.
Cheers,
23 thoughts on - STIR/SHAKEN
Jeff, yes. The process is long. It is actually around one year. We ended up going with a SHAKEN Service Provider named Technology Innovation Lab (http://www.tiltx.com). They have been awesome. They are certified in Asterisk and catered the solution to our Asterisk install. Highly recommend them. Their email for SHAKEN is 007@tiltx.com.
Anyways, give them a shot. Took us a while to find a SHAKEN Service Provider that knew Asterisk.
Alex
Thanks Alex! I’ll give them a call. I’m planning to make a big post in a week or so with all I have learned, hopefully will help others unsure where we stand. June is coming up quick!
Cheers,
Hi All. I wanted to give an update to this as we’ve been working closely with the Technology Innovation Lab (TILTX) and getting this working on our Asterisk boxes.
They ended up creating an AGI script for us that handles everything. At the end of the day, all we needed to do was pull down the script, and add the exten => s,n,AGI(TILTX-SHAKEN.agi) command and it handles everything else.
Anyways, I am sharing this because it took us a long time to find a STIR/SHAKEN Service Provider that would work with us. These guys not only worked with us, but they created something super-simple for us at no charge. Highly recommend them. Here’s their email address for this –
007@tiltx.com
Hope this helps.
Alex
Alexander Perkins writes:
I wonder if you could step back and explain the big picture, as I’m not really following this. As I understand it:
usually asterisk is used as a pbx
STIR/SHAKEN is a protocol run between carriers to prove the authority to use the claimed callerid
when someone gets service from a carrier and connects to it from asterisk, I would expect the carrier to basically filter the claimed callerid to be from the set of values recorded with your account as legit, and for the carrier to do the STIR/SHAKEN authentication.
So I wonder if your asterisk instance is connecting to the PSTN as a top-level carrier, or, more likely, I am confused in some way.
Greg,
I think this is the case for quite a lot of those here.
For me though, I just manage the on premise PBX and my carrier handles the STIR/SHAKEN part.
Doug
Hi,
There are issues for those of us that use multiple upstream carriers for call termination, with LCR for example. If you send your calls out the same provider that supplies your inbound DID, your calls should get the “A” rating and your callers should have no issues. At present if I send calls out a provider that does NOT handle the DID in the caller ID field, it gets a “B” rating. I don’t think this will pose a problem for the foreseeable future – I don’t see carriers marking these as “spam”, they just won’t get the ultra-special “secure” mark.
Also good to note the upcoming deadline does NOT mean call blocking, just call tagging. The blocking bit will be up to the end user, though I could see phones shipping with default settings that may do so.
Basically we can’t do LCR anymore. Outbound calls are locked to the provider that gave us the DID. I’m not sure that’s really a bad thing, it’s less headache than for us to try to become a signing authority.
I think the whole thing is still very fluid. Didn’t even mention call forwarding issues.
j
Hi Greg. In our use case, we purchase DIDs from them. So, they are the inbound carrier (they are a CLEC and IPES) and STIR/SHAKEN Service Provider. However, we do not use them for termination. They offer service termination, but we do not use them due to existing contracts. So, in order to have our calls signed, we needed them to do it. The biggest issue we’ve come across is the number of companies *able to* provide this service is limited, especially to the Asterisk community. I stress able to because even though some companies are Service Providers, they are simply not technically capable of offering it.
I will send you my contact’s information at TILTX privately. He’s a subject-matter expert with the STIR/SHAKEN framework and he’s offered us invaluable help.
Thanks, Alex
Hi Alex,
Are they doing anything on inbound for you, and have you made any decisions about how you will display the tag to your customers? I have been focusing on the outbound piece of this, just starting to think about what to do with the incoming data…
Cheers,
Jeff LaCoursiere StratusTalk, Inc.
Hi Jeff. What exactly do you mean by the ‘inbound piece’? I’ve spent quite a lot of time with the folks at TILTX understanding the framework; but I am not exactly sure what you mean by the ‘inbound piece’.
Greg/Doug, like many folks here, we use LCR. So, the terminating carrier is not necessarily the one that issued us the telephone numbers. So, they will not sign it or simply cannot sign it. Remember that a very limited number of companies can actually sign the calls; the rest have to buy it from these ‘Service Providers’.
And there is another situation – the company you purchase your numbers from and the company you place your calls through may be different and both may not be able to sign your calls. Again, a very limited number of service providers that can actually sign your calls. So what do you do in that scenario? You have to find a Service Provider that can:
1. Verify you own that telephone number(s).
2. Sign your calls.
3. Provide you with the technical means to do so.
So, that’s that… I hope this makes sense.
Alex
I really don’t understand why people simply use the same operator to terminate your calls, which also provide DIDs for you.
Then you don’t need to touch this at all, your carrier will do all the STIR/SHAKEN handling for you, you are just a PBX customer.
And the operator then simply limits your account to only present your DID as outgoing number.
Seems to be an unnecessarily complicated solution just to have your numbers at company 1 and have your call termination at company 2.
So fricking unnecessary.
From what I know, there are requirements of number portability, so as long as company 2 can handle DIDs (ergo ”own” DIDs) you should be able to move your DIDs from company 1 to company 2 – then company 2 owns your DIDs.
Best regards, Sebastian Nielsen
If you operate a small PBX for a business your approach is fine.
If you operate a large PBX, or just have lots of high toll rate calls, the price difference between carriers can add up to a lot of money every day. These operators will route their calls to whomever offers the best rate for that route.
And that’s the problem being solved. STIR/SHAKEN makes it tough for spoofers, but also tough for businesses doing LCR. Sadly, the easier it becomes to implement STIR/SHAKEN (telling the next hop along the route to trust your identity), the easier it will be for spoofers to do the same. I suspect it won’t be long until unscrupulous service providers undermine STIR/SHAKEN.
Hi,
I wanted to add some comments to Sebastian’s response:
1- When you have a lot of DIDs, you can’t just “port” them over from company1 to company2. Try to have 1M or so DIDs and ask if you can just port them. No no, not that simple. There is a process that a lot of times is not worth the cost/risk/etc.
2- What happens if company1 has very good pricing for DIDs, but extremely high rates for placing outbound calls, and company2 has super aggressive pricing for the destinations you use most, but sells DIDs very expensive? Mix and match? 🙂
3- What do you do, when instead of having 1 outbound carrier, you have several 50?
At the end I think you are mistakenly comparing apples to oranges, your DID provider has nothing to do with your outbound carrier, can the DID provider also give you outbound calling? Most likely, but that doesn’t mean that the best way to go is to route outbound calls via the carrier that is providing you DIDs.
Sebastian,
There are many reasons why someone would want the DIDs provided by one provider and outbound calls to go out via 1, 2, 3, or more providers. In one of my installs I have a situation where local calls are placed via a local telco switch but LD calls go out via a voip provider. The Local telco has the DID but the LD does not so I have to verify the DIDs with the Voip provider(s). Another case may be for least cost routing. There are other reasons but you can see that it is not always as simple as using the same provider for DID and origination.
Thanks, John
1: 1M DID’s? Then I would go straight out and say you are a phone operator, and then getting your own STIR/SHAKEN certificate shouldn’t be a problem at all. That’s a massive amount of numbers, unrealistically many numbers for any company ever except for those that are a phone operator.
2: For me, it seems like hunting for nano-cents. I checked around when I got my DID and call account for my own personal use, and the prices aren’t that different. It’s really not worth the effort for what you save. Checked with several operators and the prices are almost the same per minute, it’s like one operator has like 0.016 per minute and another has 0.014 … not gonna save much on that. Might save like 1$-2$ per month on choosing the latter operator.
3: Why? Consolidate all your agreements to 1 single operator that handles everything, and everything will be so much simpler. Then you are simply a trunk customer to that particular operator, no need to handle all this with signing and certificates and everything.
To save a little tiny nano-cent from each minute of call..
You said it in your first post when you said “I really don’t understand.” You don’t understand the business that these people are in. A few people showed you a few examples of why it’s important to use more than one carrier–and there are other reasons that stir/shaken is a big deal for some of us.
It clearly isn’t a big deal for you, so you probably don’t have much to add to the discussion.
–Don
It’s just that it seems so unrealistic. WHAT do you need 1M DID’s for? Give each stone in your company driveway its own phone number?
1M DID’s = That’s 10% of the population of the country I live in. (Sweden)
1M DID’s is also three times more than the amount of customers the phone operator ”tre” ( https://www.tre.se ) has in Sweden, one of Sweden’s largest phone operators, they are the 4th largest phone operator. (1: Telia, 2: Tele2, 3: Telenor, 4: Tre)
Then you understand why I wonder WTF people are doing…
Best regards, Sebastian Nielsen
To be honest, that is the logic we ended up with, and are dumping our LCR. The savings aren’t worth the headache. We don’t have 1M numbers, but we have a significant number. We can’t quite get down to one carrier (and don’t really want to), but we can keep outbound calls on the carrier that “owns” them, and not worry about this.
Jeff LaCoursiere StratusTalk, Inc.
The “inbound piece” is “what do I do with the tag information”?
Should I find a way to present the fact that a call has an A rating?
Should I offer to block calls with a C rating?
It would be great to see asterisk be able to unpack this stuff and have it available as a dialplan variable and in the CDRs.
Jeff LaCoursiere StratusTalk, Inc.
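Added example, not part of the thread and not Asterisk or TILTX code: the attestation tag discussed above travels in the SIP Identity header as a PASSporT (a JWT with `ppt=shaken`), and this Python sketch unpacks one into fields that could feed a dialplan variable or a CDR column. The header value, certificate URL and telephone numbers are constructed samples, the function names are hypothetical, and the signature is deliberately not verified here.

```python
import base64
import json
import time


def _b64url(obj):
    raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_identity(attest="B", iat=1615500000):
    """Constructed sample header value; the 64 zero bytes are a dummy signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sp.pem"}
    payload = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": iat,
               "orig": {"tn": "12025550100"},
               "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([_b64url(header), _b64url(payload), _b64url(b"\x00" * 64)])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"


def _decode(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def parse_identity(value):
    """Split an Identity header value into PASSporT header, payload and parameters."""
    token, _, rest = value.strip().partition(";")
    params = {}
    for item in rest.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('<>"')
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected full-form PASSporT: header.payload.signature")
    return _decode(parts[0]), _decode(parts[1]), params


def _digits(tn):
    return "".join(c for c in str(tn) if c.isdigit())


def check_claims(header, payload, params, caller_id, now=None, max_age=60):
    """Return a list of problems found in the claims. Does NOT verify the signature."""
    problems = []
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        problems.append("not a SHAKEN PASSporT")
    if header.get("alg") != "ES256":
        problems.append("unexpected alg")
    x5u = str(header.get("x5u", ""))
    if not x5u.startswith("https://"):
        problems.append("x5u is not an https URL")
    if params.get("info", x5u) != x5u:
        problems.append("info parameter differs from x5u")
    if payload.get("attest") not in ("A", "B", "C"):
        problems.append("missing or invalid attest")
    orig = payload.get("orig") if isinstance(payload.get("orig"), dict) else {}
    if _digits(orig.get("tn", "")) != _digits(caller_id):
        problems.append("orig.tn does not match caller ID")
    now = time.time() if now is None else now
    iat = payload.get("iat")  # max_age is the freshness window, a policy choice
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        problems.append("iat outside freshness window")
    return problems


def summarize(identity_value, caller_id, now=None):
    """Fields a dialplan variable or CDR column could carry for one inbound call."""
    header, payload, params = parse_identity(identity_value)
    return {"attest": payload.get("attest"), "origid": payload.get("origid"),
            "x5u": header.get("x5u"), "signature_verified": False,
            "problems": check_claims(header, payload, params, caller_id, now)}


if __name__ == "__main__":
    sample = build_sample_identity()
    print(summarize(sample, "+1 202 555 0100", now=1615500010))
```

Until the ES256 signature is checked against the certificate at `x5u` and that certificate chains to a trusted STI root, the `attest` value is only a claim and should not drive display or blocking decisions.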
Hey All. I spoke to the guys at TILTX and they agreed to host a 30 minute webinar for STIR/SHAKEN and Asterisk. They will coordinate internally and they will send me an invite. I will share this invite in the event anybody would like to join.
Alex
Hi All. The folks at TILTX have set up a Facebook Live event for Wednesday, May 26, 2021 at 12:00 PM Eastern Time. According to TILTX, this will cover STIR/SHAKEN and how Asterisk works with it. If anybody is interested, here is the link.
https://www.facebook.com/events/489246355856999/
Thanks, Alex
Hello, I have some trouble reading the headers. Asterisk 16
in my dial plan I have these:
…
exten => _X,n,NoOp(Number of STIR/SHAKEN identities: ${STIR_SHAKEN(count)})
exten => _X,n,NoOp(First STIR/SHAKEN identity: ${STIR_SHAKEN(0,identity)})
exten => _X,n,NoOp(First STIR/SHAKEN attestation: ${STIR_SHAKEN(0,attestation)})
…
and I do get this:
-- Executing [********@incoming:2] NoOp("PJSIP/flowroute-0000003c", "Number of STIR/SHAKEN identities: 1") in new stack
-- Executing [**********@incoming:3] NoOp("PJSIP/flowroute-0000003c", "First STIR/SHAKEN identity: +1********") in new stack
-- Executing [**********@incoming:4] NoOp("PJSIP/flowroute-0000003c", "First STIR/SHAKEN attestation: ") in new stack
Why do I not see the attestation?
Also I do not see any validation. What am I missing here?
-H
—
Henning Follmann | hfollmann@itcfollmann.com
—
Unfortunately during recent OpenSIPit testing we encountered issues with things including verification, and will be revisiting our approach to STIR/SHAKEN. It may not work right now.