July 5, 2021

STIR/SHAKEN — color me skeptical

STIR/SHAKEN was required of all carriers at the start of this month. I think it will be helpful, but nothing close to the silver bullet that is being hyped. Due to legacy SS7 signaling, there are giant holes in the architecture which could be exploited as needed. This is because they fundamentally solved the wrong problem by trying to attest for E.164 addresses rather than just authenticate the SIP onramp domain. Almost everything is SIP these days, with SIP even being terminated on phones with VoLTE, so why should we care about legacy PSTN numbering?

The real problem all along was having open SIP relays. You fix open relays by having the carrier require authentication and use the address(es) that they authenticate to. This is directly analogous to email, where Gmail doesn’t allow me to spoof other Gmail users, or any non-Google-served domain for that matter. You don’t need the complex infrastructure of STIR to force that issue. With email there isn’t anything analogous to the FCC to create rules, but with phone spam that was always available.
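The check described above, sketched as an added example that is not part of the original post: an edge proxy forwards an INVITE only if every identity it asserts is provisioned for the credential that authenticated. The account table, the function names and the sample requests are constructed for illustration.

```python
import re

# Constructed provisioning data: authenticated account -> identities it may assert.
PROVISIONED = {
    "alice": {"sip:alice@carrier.example", "sip:+15551230001@carrier.example"},
    "pbx7": {"sip:+15551230100@carrier.example"},
}
FROM_NAMES = {"from", "f"}                      # "f" is the compact form of From
IDENTITY_NAMES = FROM_NAMES | {"p-asserted-identity"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')       # display names, which may contain anything
URI = re.compile(r"(sips?):([^@;>\s]+)@([^;:?>\s]+)", re.I)

def identity_uri(value):
    """Normalize a name-addr or addr-spec to scheme:user@host; None if unparseable."""
    value = QUOTED.sub("", value)               # a display name must not smuggle in a URI
    bracketed = re.search(r"<([^>]*)>", value)
    m = URI.match((bracketed.group(1) if bracketed else value).strip())
    return f"{m.group(1).lower()}:{m.group(2)}@{m.group(3).lower()}" if m else None

def asserted_identities(message):
    """Return [(header name, normalized URI or None)] for every identity claim."""
    claims = []
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in IDENTITY_NAMES:
            for part in QUOTED.sub("", value).split(","):
                claims.append((name.strip().lower(), identity_uri(part)))
    return claims

def screen_invite(auth_user, message):
    """Status code to reject with, or None to forward. auth_user is the account that
    passed digest authentication (None if the request carried no valid credentials)."""
    if auth_user not in PROVISIONED:
        return 407                              # challenge instead of relaying
    claims = asserted_identities(message)
    if not any(name in FROM_NAMES for name, _ in claims):
        return 400                              # no From header at all
    for _, uri in claims:
        if uri is None or uri not in PROVISIONED[auth_user]:
            return 403                          # claim is not tied to this credential
    return None

def invite(from_value):
    """Constructed sample request, trimmed to the headers this check reads."""
    return ("INVITE sip:+15557654321@carrier.example SIP/2.0\r\n"
            f"From: {from_value};tag=1\r\n"
            "To: <sip:+15557654321@carrier.example>\r\n\r\n")
```

Anything the sketch cannot parse (a `tel:` URI, a folded header line) fails closed with a 403 rather than being relayed.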

As with email, where mailing lists and other things break signatures, STIR will suffer the same problems, since back-to-back user agents (B2BUAs) are common, and of course there are no signatures from legacy PSTN signaling. This makes it very difficult to make grand policy decisions on the receive side, just as it has proved difficult for email. I don’t think that STIR has a policy equivalent to DMARC, but DMARC deployment is microscopic, so that doesn’t bode well for STIR either.

On top of this, STIR is massively more complex than signing email, and teasing out all of the edge cases to enact policy makes me extremely dubious that anybody will go to that effort, because the probability of false positives is very high. False positives mean angry calls to support, and that is the last thing they want for something that is nothing but a cost center for carriers. Put simply: if it saves them money to deliver spam, we will lose out.

So, long post, but I’m pretty skeptical that STIR itself is going to be solving much. Closing open relays will probably make a big difference, but we have always had the ability to do that.
