SITR/SHAKEN implementation in effect today (June 30 2021)

The root of the problem is that the "Caller ID" is not a "Caller ID". If there were a requirement for "truth in advertizing" it would properly be called the "Caller Advertizement" because it is primarily intended as an advertizement by the caller, and not an ID of the caller.

    > Nothing will change immediately. Having said that, I do expect
    > we will see much more effective enforcement. The investigations
    > come from the ITG (Industry Traceback Group) with enforcement
    > coming from FCC or FTC depending on the actual offense. The
    > has been that it's been far too easy for robocalling companies
    to hop
    > from one telecom provider to another. Now there are requirements
    > around "know your customer" that telecom operators have to
    follow and
    > the ITG will have a much better chance of figuring out who the bad
    > actor is than they have in the past.

    The thing is that that shouldn't have been held up by rolling out
    With email, there was nothing akin to the FCC so it was really the
    name-and-shame stick we had. This could have been done years ago.

It wouldn't work the same and I say that as someone who ran email for ISPs for decades and just got done with a STIR/SHAKEN implementation. There's far more money in robocalls than there ever has been in spam. The other thing is that the technologies are fundamentally different. Don't get me wrong, there are parallels, but comparing email to the various flavors of telephony (POTS, SIP, MGCP, H.323, etc) isn't all that useful because they're so different. When I get an email as a provider I can always figure out the path it took to get to me. The same is not at all true for a call, though I can trace it to a degree via the CDRs from carriers I work with. Much of the call path will be opaque and often in the case of robocallers it's intentionally so. Number porting is another (big) difference. We could always choose to forward email for a customer who left our service, but imagine if email literally let that person take their address with them regardless of who was providing the hosting for the email.

Once it hits a SIP gateway it's pretty much the same. The thing that I think that made the made the biggest -- and this coming from one of the inventors of DKIM -- was shutting down open relays. With email there was no back pressure on ESP's to close them so DKIM was at least a way to name and shame, or at least that was one of the goals at least in my mind. It's hard to say whether there was actually cause and effect, but the reality now is that open relays are pretty much gone -- at least with ESP's.

I was one of the early Cassandras telling people that P-Asserted-Identity was going to lead to exactly what has happened for which I got told I was wrong, and then threw up my hands and went and worked on email. This could have been dealt with 15 years ago and it could have trivially piggybacked off of the DKIM work -- heck I even hacked a SIP stack to prove the point. And it should have learned the lessons with email which it apparently has not because the 9th of July don't seem any different than the 30th of June.

Also: since there are PSTN gateways which fundamentally can't be secured spammers will take advantage of the holes as they become economically viable. The entire scheme of attesting for e.164 addresses was a complete waste of time. The problem is with the SIP gateway that onramps the bogus calls not whether somebody should be able to assert a given address real time. Those onramps could have taken those measures a decade ago but didn't just like the open email sewers before requiring submission auth. I think that Peterson has some other wacky shit to make PSTN gateway traversal better, turning a Rube Goldberg contraption into something even worse. The entire thing is madness with its complexity but I would expect nothing less from the SIP WG.

    > Longer term I worry that this will lead to more attacks on PBXs,
    > eSBCs, and VOIP handsets to be able to call either from that
    > itself or be able to use the SIP credentials. The market for
    > will certainly not disappear.
    A meta question that really needs to be asked these days is why we
    need telco telephony anymore. A lot of problems go away if you are
    in thrall to 100 year old technology and its accreted kruft.

Robocalls really aren't a product of the legacy PSTN. Today almost none of them originate from anywhere but VOIP. Now, you can certainly say that if SS7 had robust authentication mechanisms that we could then trust caller ID (more) but there's no sign of us abandoning the PSTN anytime soon. Having said that, there's any number of protocols we rely on today that have the exact same gap. BGP is arguably even worse than SS7.

I'm not speaking about PSTN qua PSTN/SS7, etc. I'm speaking about being shackled to an architecture that isn't relevant today. The bellheadedness of STIR is frightening: they actually scrape SIP From: addresses and have a regex to determine if it's a telephone number. People don't use telephone numbers for anything but phones, and all of the rest is email addresses. There is fundamentally nothing stopping SIP I've never been able to get a straight answer about it, which means in reality it's not supported. I'd actually like that quite a bit more especially since it would make it difficult right off the bat to spoof my domain vs. spoofing area codes. Doubly so for spear phishing. We already know how to do federation: email. There is just no justification for keeping the legacy PSTN kruft, and even worse wagging the dog.

Mike, Cassandra to the end

The assumption back around 2004 was that P-Asserted-ID would be an old boys network to the end and get told to buzz off when I complained that it wouldn't. This was trivially foreseeable back then and it played it the most ridiculously foreseeable way.


until there is enforcement there will be no changes.

enforcement means more than just sternly worded letters.

robocalls won't stop until the perps go to prison.


No, the root of the problem is the telcos making billions on these
robocalls. Make that illegal, start fining them billions (whatever it
takes), and it will stop.

We've already had this discussion on nanog, recently, and people who
were in that business stood up to affirm that yes indeed-y they're
(telcos) making big buck$ on these robocalls.

If you doubt that (the usual "I don't actually know a thing about it
but I want to say here that I'd rather not live in a world where
that's true so I'll make some vague analogy to email spam etc") I
suggest you start making thousands of phone calls per hour and tell us
how it works out.

Telcos aren't email systems, they know every phone call terminating
and originating on their systems and they do detail billing. When was
the last time you made even one billable call and they missed it?

Telcos have often been described as vast detailed billing systems with
a voice (etc) feature attached.

But they sure are taking advantage of the public's belief that this is
all somehow out of their control. Nope.

The cynic in me would say that STIR was a 10 year long way to delay cutting off the gravy train that could have been done simply by regulation.