On October 8, 2020, Eric Priezkalns asked “Why Did the US Adopt an Anti-Spoofing Solution That Does Not Work for All Calls?” His article leveled several criticisms against STIR/SHAKEN. Specifically, Priezkalns suggested that STIR/SHAKEN:
- Does not provide a universal solution to Calling Line Identity (CLI) spoofing.
- Took a North American perspective and did not engage interested global parties.
- Only operates in IP-based networks and, therefore, ignores the many users served by non-IP networks.
- Isn’t cheap enough to be widely deployed.
I believe this criticism misses the mark.
Using the word “solution” in the context of telephone scams guarantees we will fail. There are no “solutions” to CLI spoofing, robocalls, and telephone scams, any more than there are “solutions” to email spam or computer viruses. Don’t get me wrong. Spam and viruses are manageable problems, but they haven’t gone away. They never will. We need constant vigilance and ongoing work refining tools to manage the problem. Why on earth would anyone expect telephone scams to be any different? We shouldn’t be talking about “solutions”, but about “tools” that will mitigate the problem of unwanted calls and help get back to the point where things are manageable for the typical user. STIR/SHAKEN provides a mitigation tool that can be used to move the CLI-spoofing problem in the right direction – to improve things for the end user. That is exactly what it is intended to do.
STIR/SHAKEN is two linked specifications. STIR, the base protocol, was developed by the Internet Engineering Task Force (IETF), which is the very definition of a global standards organization. So, the suggestion that STIR/SHAKEN did not engage interested global parties is simply false. Admittedly, SHAKEN, which provides an interoperable profile of the STIR protocol, did take a single country perspective, but that was done for legitimate reasons. Numbering resources fall under the direct control of national regulators, so it is appropriate for SHAKEN governance to be country-specific. The initial SHAKEN specification was limited to a single country, but additional documents are now available outlining how SHAKEN can be extended to include other countries in a global ecosystem.
We all know the old joke about developing a single all-encompassing standard to replace ten competing standards… and just ending up with eleven competing standards. SHAKEN was never intended to be a total solution. Defining a mitigation tool to reduce telephone scams and CLI spoofing is hard enough without including additional requirements. SHAKEN set clear, well-defined objectives:
- Improve things (rather than completely “solve” problems);
- Limit the scope to SIP (rather than addressing all legacy technologies); and
- Focus on a single country (leaving international interworking for later).
The standards bodies are already working to build on the core STIR/SHAKEN specifications to address legacy technologies and interworking between countries. But if we had insisted on including all of this in the initial release, we would probably still be standing around a whiteboard arguing about where to start.
One of STIR/SHAKEN’s original objectives was to make it as simple as possible to allow widespread deployment, while still ensuring robust security. All the alternative mechanisms I’ve seen include a digital signature comparable to STIR/SHAKEN, but then must provide additional functionality to communicate the signature to the terminating service provider – a server to store the digital signature, a discovery protocol to locate the correct server, and security protocols to protect privacy and ensure that the anti-spoofing protocol isn’t itself vulnerable to spoofing. No matter how simple this additional functionality is, it will inevitably be more complex than simply including the signature as part of the existing SIP signaling. So, while we should always look for simpler approaches, and I completely agree that out-of-band has a role to play, it isn’t a panacea.
STIR/SHAKEN isn’t perfect – it was never intended to be. It doesn’t provide 100% coverage. But it does provide a valuable starting point for extending an anti-spoofing mechanism to other technologies and countries. Instead of lamenting the limitations of STIR/SHAKEN, let’s embrace it, extend it, and improve it.
Don’t let perfect be the enemy of good.