[asterisk-users] Stir-Shaken clarified

Joshua C. Colp jcolp at sangoma.com
Fri May 29 05:49:48 CDT 2020 

On Fri, May 29, 2020 at 7:37 AM Saint Michael <venefax at gmail.com> wrote:

>
> https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
> The Wiki above is misleading in what Stir-Shaken means and how it works.
> End users cannot get a certificate, they cannot self-certify their calls.
> Somebody completely misunderstood the model. I am afraid the moment will
> come and thousands of Asterisk operators will be unable to terminate calls.
> To start with, the model is a hierarchical one: there is an FCC
> designated central authority, which appoints (so far two) Certification
> Authorities, allowed to issue Certificates for Service Providers ONLY,
> which themselves are ALSO pre-approved by then GA (Governance Authority),
> and they need to have an OCN, they need to be a CLEC, have their own block
> of numbers. So the idea that an Asterisk operator can have its own
> certificate and somehow calculate the signature, is ridiculous. Once the
> call arrives a the last mile, let's say VZ or ATT, the carrier will open
> the signature added to each call and verify it with the Certification
> Authority that issued the certificate. They will check if the caller-ID and
> destination number match the actual call. Each signature is valid only for
> 60 seconds and each call has a different signature, even for the same
> caller-ID and destination number, so it cannot be stored.
> As you can see, this is a new world and we need to prepare for its
> arrival, or our calls will simply fail and we shall be out of business. My
> company is an approved Service Provider and we are waiting for the
> certificate, which is in itself complicated paperwork.
> Our model to solve this riddle for Asterisk is simple: Add a
> res_odbc.so-connection pointed to our MySQL database. Create a func_odbc
> function that executes our stored procedure. For each call, you send us the
> pair Caller-ID and Destination number, and we send you back the signature.
> In the next line in the dialplan, you add a SIP-header called Identity, and
> our signature becomes the content.
> Identity:
> eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwicHB0Ijoic2hha2VuIiwieDV1IjoiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxOTU0NDQ0NzQwOCJdfSwiaWF0IjoxNTkwNjcyNDc2LCJvcmlnIjp7InRuIjoiMjE1OTE0MDQyMSJ9LCJvcmlnaWQiOiIxMjNlNDU2Ny1lODliLTEyZDMtYTQ1Ni00MjY2NTU0NDAwMDAifQ.X7noevZGawXv1Jw1wkaqunTMFVE9FLt7sEX1QSgk0GMJmAHJWnbF5PCdj-Mc7UD2JY_5xvuJU3UlhSvswfK7SQ;info=<
> https://cert.example.org/passport.cer>;alg="ES256";ppt="shaken"
>
> With two lines of code in the dialplan, you solve the FCC requirements.
> BUT, the caller-ID must be either verifiable associated with the company
> that owns Asterisk, or we can supply one for you, from our pool of numbers.
> Wireless numbers are not allowed. We check each and call return an error if
> the conditions are not met. What happens if you send a random but valid
> caller-ID? We still sign it, BUT, with Attestation level "C", which means
> we don't know anything about the caller-ID. At some point, carriers will
> decline to terminate those calls. It is up to them to terminate or not
> those calls.
> So what I am doing for the Asterisk community is helping everybody to stay
> in business. If you delay the interconnection with me and pretend it is not
> urgent, you will end-up in the fauces of XXXXnexus, which acts double as a
> Certification Authority and Service Provider and charges huge fees. I mean
> HUGE.
> This wiki should be erased, for it is misleading:
>
>> https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
>
>
It is not misleading. We are adding support in Asterisk for doing this for
cases where the certificate is available to the Asterisk user, much like
the support is already available in Kamailio and other solutions. Whether
that occurs or not depends on the specific agreement over the phone number
(or number range). An upstream carrier may take care of it, or they may
allow it to be done downstream. That aspect is outside the scope of
Asterisk itself. We just provide the tools, including verification for
inbound traffic.

I also ask as others have that you respect the non-commercial nature of
this mailing list and use the asterisk-biz mailing list for your specific
offering. If people want to discuss the aspects of STIR/SHAKEN itself,
that's perfectly fine.

-- 
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200529/b05200f7/attachment.html>

More information about the asterisk-users mailing list