View
6
Download
0
Category
Preview:
Citation preview
SHAKEN AND STIRRED
Ken PolitzPrincipal Product Specialist
Marcel ChampagneSenior Director Canadian Telecom Industry Liaison
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
What should Canadian TSPs consider when implementing
call authentication to mitigate nuisance calls
April 21, 2021
2
WEBINAR AGENDA
Today we will:• Review nuisance call trends in Canada
• Regulatory actions to date
• History
• Explain STIR/SHAKEN
• Checklist
• Neustar’s solution
• Road ahead
• Q&A
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
3
POLL QUESTION - #1
What is the MOST IMPORTANT driver to your organization for implementing
STIR/SHAKEN call authentication?
A. Regulatory compliance
B. Enterprise experience
C. Consumer experience
D. Other
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
NEUSTAR OVERVIEW
4
▪ 20+ years of success in Canadian
Telecommunications industry
▪ Canadian Number Portability
Administration Centre (NPAC) solution
provider since 1998
▪ Currently provide commercial services to
over 65 Canadian customers
▪ Employs 1,600 in 8 countries, including
Canada
▪ Provide services in every country &
territory across the globe
▪ Co-author of STIR standards and early
contributor to SHAKEN framework
▪ Leading supplier of STIR/SHAKEN and
related solutions
▪ Ongoing leadership role in defining
industry standards with ATIS, IETF and
NTWG
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
5
Nuisance Calls nearly doubled in the first seven months of 2020
from last year - Canadian Anti-Fraud Centre
MARKET TRENDS
2X
#1 Nuisance calls are the number #1 contact method for fraudsters
-The Centre, in partnership with the Royal Canadian Mounted Police
as many
nuisance calls
Contact method
for fraudsters
Of unwanted calls involve Caller ID spoofing- CRTC40%
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
6
REACTION FROM REGULATOR
CRTC (and FCC) see eradicating nuisance calls and illegitimate caller ID spoofing as top priority!
Dec 2019 CRTC establishes Canadian Secure Token Governance Authority CST-GA
IMPACT• CRTC established the CST-GA to kickstart industry-wide adoption of STIR/SHAKEN policies,
protocols, and operating procedures to mitigate illegal spoofing and nuisance calls
• Carriers should implement STIR/SHAKEN
Sept 2020 CRTC extends STIR/SHAKEN deadline until June 2021
IMPACT• Extends deadline due to several factors, including reallocation of resources due to COVID
April 2021 CRTC clarifies stance to mandate STIR/SHAKEN and extends deadline
IMPACT• Directs STIR/SHAKEN implementation by 30 November 2021
• Requires TSPs to submit Readiness Assessment Reports by 31 August 2021
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
7
Jan 2018: CRTC 2018-32
statesSTIR/SHAKEN
should be implemented by Mar 2019
Feb 2018: Neustar co-
author of issued
foundational STIR RFCs: 8224, 8225 and 8226
Nov 2019: Neustar supports
TELUS with first successful cross-border SHAKEN call
Dec 2019: CRTC 2019-403
approves establishment of
CST-GA
Jul 2020: CST-GA contracts
Neustar as Canada’s STI-
PA, STI-CA and STI-CR
Sep 2020: CST-GA and
Neustar launch as committed
April 2021:Today’sWebinar
Aug 2021: Readiness
Assessment Reports due
Nov 2021: CRTC date for TSPs to deploy STIR/SHAKEN
STIR Working Group IP-NNI Task Force Network Working Group (NTWG)
STIR/SHAKEN TIMELINE
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
8
WHAT HAVE WE LEARNED ALONG THE WAY?
“Introducing the STIR/SHAKEN framework in Canada is a major
undertaking. It requires close coordination across multiple groups
within our company, as well as a high degree of TSP collaboration
across our industry. Advanced planning and hands-on experience
early on, have been beneficial in supporting this initiative as a tool for
combatting illegitimately spoofed calls.
We appreciate Neustar’s leadership in standards development on
both sides of the border to ensure interoperability, their on-time
delivery and operations of the required national CST-GA governance
and certificate management infrastructure and partnering with
TELUS to implement an extensible STIR/SHAKEN solution."
Richard Polishak
Technology Fellow, TELUS
Chair, CISC Network Working Group (NTWG)
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited 8
STIR / SHAKEN are the technology
standards which enable TSPs to attest
and digitally sign phone calls to help
prevent illegitimate spoofing.
❖ Neustar is co-author of STIR, a contributor to the SHAKEN framework,
and exclusively hosts the industry testbed for STIR/SHAKEN implementations
STIR: Secure Telephony Identity Revisited
SHAKEN: Secure Handling of Asserted
information using toKENs
9
WHAT IS STIR / SHAKEN?
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
*SPOOF CALL*
416-555-4321
10
STIR/SHAKEN:
ATTEST TO CALLER ID AND SECURELY SIGNAL TERMINATING CARRIER
416-555-4321
Reference: ATIS-1000074-E
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
11
SHAKEN FRAMEWORK (IN CANADA)
Call Management
Key Management
Governance/Policy STI-PA STI-CASPC Token
Validations
SP-KMSSTI-CROptional)
STI-AS STI-VS
SKS
STI Public Key
Certificate
Requests
Private
Key(s)
Private
Key(s)
List of Valid STI-CAs
Service Provider
Code Token
Requests
CRTC: Canadian Radio-television and Telecommunications Commission
CST-GA: Canadian Secure Token - Governance Authority
STI-PA: STI-Policy Administrator
STI-CA: STI-Certification Authority
STI-CR: STI-Certificate Repository
SP-KMS: Service Provider-Key Management Server
STI-CR: STI-Certificate Repository (optional)
SKS: Secure Key Store
STI-AS: STI-Authentication Service
STI-VS: STI-Verification Service
External STI-VS
Verification Requests
STI Public Key
Certificate(s)
CRTC STI-CR
Component of Neustar’s Certified Caller solution
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
12
CURRENT PREREQUISITES - WHAT YOU WILL NEED TO GET STARTED
1. Be a registered Local Exchange Carrier (LEC) or Wireless Service Provider
(WSP) in good standing with the CRTC
2. Be eligible to acquire Canadian Telephone Numbers directly from the Canadian
Numbering Administrator (CNA)
3. Submit Network Access Services and Mobile Subscribers data to Canadian
Secure Token Governance Authority (CST-GA)
4. Become a member of the CST-GA:❖ Refer to www.cstga.ca for further details and most current information
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
13
CST-GA MEMBERSHIP IS GROWING
Members As of March 2021
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
14
POLL QUESTION - #2
What hurdles have you encountered when implementing STIR/SHAKEN?
SELECT ALL THAT APPLY
A. Understanding changing regulations
B. Network readiness – My equipment or uplink TSP
C. Cost – Support for network upgrades
D. Testing – Own network limitations and interoperability validation
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
15
REGISTERING AND REQUESTING A STI (SIGNING) CERTIFICATE
4. Request a STI Certificate
References: ATIS-1000080 and ATIS-1000084
1. Register with the Canadian Policy Administrator To take part in the STIR/SHAKEN ecosystem, TSPs, as qualified by the
CST-GA, must register with the Canadian STI-PA. TSPs will then
successfully execute a test plan in the User Acceptance Test (UAT)
environment before being granted access to the Production environment.
The current Canadian STI-PA is Neustar.
2. Select a Canadian Certification Authority TSPs next select the STI-CA they will work with to request a STI
Certificate. A generated “fingerprint” is used to request an SPC Token, as
well as to validate a request for a STI Certificate. The current Canadian
STI-CA is Neustar.
3. Obtain a Service Provider Code TokenTSPs then request an SPC Token from the STI-PA for one of its assigned
Operating Company Numbers (OCNs). The SPC Token includes this
OCN, as well as the generated “fingerprint” and is used to finally request a
STI Certificate. Note that this OCN is an identifier for the TSP and is not
meant to define any numbering scope of authority.
To enable end-to-end SHAKEN authentication, a TSP must obtain a STI
Certificate from their selected STI-CA. To request a STI Certificate, the
TSP sends a Certificate Signing Request (CSR) to the STI-CA, along with
its associated SPC Token.
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
16
TESTING AND IMPLEMENTATION
5. Implement STIR/SHAKEN software Deploy all necessary components that perform functions associated with
the STIR/SHAKEN specification (STI-AS, STI-VS, SP-KMS, SKS and
optional STI-CR).
6. Perform Functional Testing It is important that TSPs test calls in a lab environment before deploying in
a live network. Internal testing provides an opportunity to ensure hardware
and software are configured properly to avoid wasting resources and
causing service disruptions.
7. End-to-End Testing To begin testing between networks, TSPs should start by focusing on
calls that originate and terminate within their own network to validate that
authentication and verification functionality is working as expected. Next,
they should expand to testing calls with other TSPs.
Note: If you are a Neustar Certified Caller customer, you can leverage our comprehensive SHAKEN test plan, integration tools and hosted User
Acceptance Test (UAT) environment. For non-Neustar Certified Caller customers, the ATIS Robocalling Testbed is an industry SHAKEN
interoperability test facility that Neustar exclusively hosts for qualified carriers and vendors.
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
17
OPERATIONAL SUPPORT AND TRAINING
8. Operational Support & Training To deliver a new capability at scale, a participating TSP needs to transition
network management activities from Engineering to Operations and update
systems and processes. Customer education will also be imperative, so they
understand how to interpret any new messages and alerts appearing on their
device(s).
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
18
WHAT DO YOU DO IF NOT QUALIFIED TO BECOME MEMBER OF CST-GA
• Potential technical solutions are defined at various levels with application to
certain TSP types (and enterprises):
1. Delegate Certificates
2. Leveraging Models for Originating Entity Authentication- Full Attestation with Entity Identity in a Secure Token
(Lemon Twist)
3. Enterprise Certificates
4. Extended Validation (EV) Certificates with TN Letter of Authorization (TNLoA)
5. Central TN Database
6. Enterprise Identity using Distributed Ledger
• However, these technical solutions require various levels of TSP
participation/cooperation and/or changes in current CST-GA policies
Reference: ATIS-1000092
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
19
1 December 2021?
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited 19
20
“WE’VE ONLY JUST BEGUN”
1. Support for non-CSTGA members (and other entities like
enterprises)
2. Cross-border SHAKEN (and beyond)
3. Legacy network support, including PSTN interconnections
4. Published and pending new industry standards
❖ New PASSporT types (e.g., “div”, “rcd”, “rph”)
❖ Changes from operational experience
5. Call treatment (including blocking/safe harbors, subscriber device
display for nuisance and/or fraudulent calls, calling/called party
notifications, reporting requirements and data retention)
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
21
1. THE ATTESTATION “GAP” FOR ENTERPRISES
TSP #1
TSP #2
TNSP #1 + TSP #1 = A attestation
TNSP #1 + TSP #2 = B attestation
VoIP
Network
Enterprise
PBX / SBC, BPO,
Call Center
CHALLENGE: An enterprise call to the same consumer,
using the same originating number, can have different treatment results!
WHY? Attestation level is determined by combination of a) Which carrier (TNSP) is the source of the assigned TN
b) Which carrier (TSP) originates the call
Enterprise uses a TN assigned
from TSP #1 to call a customer
Unsigned
Same consumer, same
originating number, potentially
different experience?
TN - 416-123-5678
STI-AS
STI-AS
TSP #2 signs
with ”B” and
sends with
SHAKEN
PASSporT
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
22
2. PHONE CALLS DON’T STOP AT THE BORDER
Likely more of a question of WHEN, not IF, we
will see authenticated calls across North
America
References: ATIS-1000087 and ATIS-1000091
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
3. STIR/SHAKEN – ASSUMES END-TO-END VOIP CALL
SIP Header
w/Verification
result
Calling Party Called Party
Transit TSP(s)Originating
TSP
Terminating
TSP
Authentication,
Attestation
Verification,
Treatment
STIR/SHAKEN
Authentication Service
STIR/SHAKEN
Verification Service
23
SIP SIPNetwork-
Network
Interface
Setup
A. Originating TSP obtains STI
Certificate through STI-PA/STI-
CA
Call Flow
1. Calling Party places call
2. Originating TSP invokes
Authentication Service and uses
STI Certificate to sign call
3. Signed SIP call traverses any
transit network(s) to the
terminating TSP
4. Terminating TSP invokes
Verification Service
5. The Verification Service, in turn,
initiates a request to the STI-CR
for the referenced public
certificate
6. Verification Service validates the
call
7. Terminating TSP determines call
treatment and any verification
status signaling as final call
processing
1
2 4
5
SIP
A
3
6
STI-CA STI-CR
7
Network-
Network
Interface
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
24
3. ACHIEVING END TO END SIP REMAINS A CHALLENGE
• Rural and small carriers face financial hurdles
to upgrade networks to 100% SIP
• Majority of TSP interconnects are TDM-based
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
SIP Header
w/Verification
result
Calling Party Called Party
Transit TSP(s)Originating
TSP
Terminating
TSP
Authentication,
Attestation
Verification,
Treatment
STIR/SHAKEN
Authentication Service
STIR/SHAKEN
Verification Service
25
SIP SIPTDM
Interconnect
Setup (Incremental)
B. Originating and Terminating TSPs
establish connections to Call
Placement Service
Call Flow (Incremental)
2a. Authentication Service also
posts generated PASSporT to Call
Placement Service
4a. If Verification Service detects an
unsigned call, get any posted
PASSporTs for this call
1
2 4
5A
3
6
STI-CA STI-CR
7
TDM
Interconnect
3. DEPLOY OUT-OF-BAND SOLUTION TO ADDRESS TDM INTERCONNECT
“Call
Placement
Service”
Reference: ATIS PTSC-NONIPCA-2021-00006R006 baseline
B
2a 4a
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
26
NEUSTAR CERTIFIED CALLER
• Access to complete, extensible microservices suite (for hosted
service, through Amazon Web Services exclusively in Canada)
• Web Portal access for configuration & management of software
suite, as well as analytics dashboard & extensive reporting
• 24 X 7 Support through long-standing Neustar support team
• Network-agnostic solution (e.g., flexible APIs, including SIP)
• Established market leader of STIR/SHAKEN software solutions
(billions of calls being processed each month)
• Neustar also supplier & operator of Canadian governance and
certificate management infrastructure since September 2020
• Confidence in Neustar’s industry standards leadership
• No hidden costs for related standards changes, published
roadmap enhancements and bug fixes
• Pre-integrated with Neustar’s broad Trusted Call Solution suite
(e.g., nuisance call analytics, TN industry data and customer
inventory, SHAKEN Out-Of-Band, enterprise calling
optimization, policy management)
FEATURE HIGHLIGHTS AND GENERAL BENEFITS
NEUSTAR
CERTIFIED CALLER
“TO STIR/SHAKEN AND BEYOND”
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
STI-PA STI-CASPC Token
Validations
SP-KMSSTI-CROptional)
STI-AS STI-VS
SKS
STI Public Key
Certificate
Requests
Private
Key(s)
Private
Key(s)
List of Valid STI-CAs
Service Provider
Code Token
Requests
External STI-VS
Verification Requests
STI Public Key
Certificate(s)
CRTC STI-CR
27
Deliver identity & context
to give subscribers control over their phone
experience.
✓ Restore trust in phone calls.
✓ Protect consumers.
✓ Improve customer engagement.
Neustar’s comprehensive Trusted Call
Solutions suite, including Certified Caller,
helps deliver this perspective.
PERSPECTIVE – It’s not just about authenticating calls
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
28
RECAP
✓ Note key CRTC dates ❑ August – Readiness Assessment Report
❑ November – STIR/SHAKEN Implementation
✓ Review the prerequisites
✓ Complete the checklist
✓ Plan testing
✓ Get started now
© 2021 Neustar Inc. Confidential and Proprietary - External Distribution is prohibited
Recommended