Concerns that misguided regulation of the STIR/SHAKEN anti-spoofing protocols may result in the unfair treatment of smaller telcos have been voiced by the Internet Society Canadian Chapter (ISCC) in a formal submission to the CRTC, Canada’s comms regulator. Canada is following a common approach and similar timetable to the USA in rolling out STIR/SHAKEN for the mandatory validation of caller IDs for all voice calls that originate on Canadian IP networks. STIR/SHAKEN requires a central authority that oversees certification for telcos so they can append digital signatures to calls. It is feared that unequal access to the certification process would mean smaller telcos have a lower grade of signature applied to their calls, making it more likely those calls will be blocked by other networks.
The danger of condemning small telcos to second-class status was described in a January 5th submission to the CRTC by Mitel Cloud Services, a comms provider for businesses. Mitel’s request was plainly stated: they told the CRTC that all Canadian telcos should be able to receive their digital certificates directly from Neustar, the business that has been granted the certification monopoly for Canada. Mitel’s request differs from the rules previously circulated by the CRTC, which state that only those telcos that obtain their numbers directly from Canada’s numbering authority will be eligible to participate in STIR/SHAKEN in Canada. Mitel outlined the problems this would cause for hundreds of smaller telcos.
“TSPs [telecommunication service providers] that are not permitted to obtain certificates from Neustar have only difficult, costly and imperfect options available to them including obtaining a Delegate Certificate from the entity that supplies them with telephone numbers. There are at least three problems with the Delegate Certificate solution. These are as follows:
“a) The current issued standard for Delegate Certificate implementation as set out in ATIS-1000092 requires further work to better support use of such certificates by other telecommunications service providers… as currently defined, it will mean thousands of ever-changing Delegate Certificates…
“b) There is no mandated timeline… to implement Delegate Certificates… [telcos supplying] Delegate Certificates will likely charge very high prices for such certificates… Additionally, we understand that Neustar… is actively promoting its delegate authority solution as a revenue source for local exchange carriers…
“c) The use of Delegate Certificates… will require the excluded TSP to send all of its originating calls (where a higher level of attestation is desired) only to those carriers that support delegation relationships which will reduce options for cost effective, high quality, and highly available call termination services.”
Matthew Gamble, the Director & Policy Committee Chair of the ISCC, reiterated the problems through a formal intervention to Mitel’s submission.
“There are over 1200 entities registered with the CRTC as Resellers of Telecommunications Services… Many of these TSPs do not have their own numbering resources. They rely on… others to obtain the numbering resources which they need to operate…
“…there are serious competitive disadvantages for TSPs that cannot directly… access certificates…
“[Telcos] who are not issued certificates will have their calls signed at B or C level attestation. But as the technology becomes widely deployed, network-based call screening services will look at B and C level calls more suspiciously than A level calls, with the result that they may filter them more aggressively. Some carriers or customers may start to reject calls that do not have an A level attestation.”
The ISCC intervention then reiterated how this could lead to a fundamental change in the competitive landscape, by creating a second class of lower-status telcos.
“If TSPs cannot provide calls with A level attestation to customers, this will cause end customers to move their business to someone who can provide A level attestation for all calls, and thereby create a two-tiered telecommunications system in Canada – those who can sign and those who cannot.”
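To make the A/B/C distinction concrete, the following added example (not part of the Mitel or ISCC submissions) shows how a terminating network could read the attestation level from a SHAKEN PASSporT carried in a SIP Identity header, using the claim names from RFC 8225 and RFC 8588. The `TREATMENT` policy, the sample numbers and the certificate URL are constructed assumptions, and the sketch stops before ES256 signature and certificate-chain validation, which a real verification service must perform.

```python
import base64
import json

# Hypothetical terminating-network policy: how each attestation level is handled.
TREATMENT = {"A": "deliver", "B": "deliver-with-scoring", "C": "screen"}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def reject(reason):
    return {"ok": False, "reason": reason, "treatment": "screen"}

def read_shaken_identity(identity_header, now, max_age=60):
    """Parse an Identity header value; the signature is NOT verified here."""
    token = identity_header.split(";", 1)[0].strip()
    try:
        h64, p64, _sig = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except ValueError:
        return reject("malformed PASSporT")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return reject("malformed PASSporT")
    if (header.get("alg"), header.get("ppt"), header.get("typ")) != ("ES256", "shaken", "passport"):
        return reject("not a SHAKEN PASSporT")
    if not header.get("x5u"):  # URL of the signer's certificate
        return reject("no certificate URL")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:  # max_age is an assumed window
        return reject("stale iat")
    attest = claims.get("attest")
    if attest not in TREATMENT:
        return reject("unknown attestation")
    orig = claims.get("orig")
    tn = orig.get("tn") if isinstance(orig, dict) else None
    return {"ok": True, "attest": attest, "orig": tn, "treatment": TREATMENT[attest]}

def make_sample(attest, iat):
    """Constructed Identity header value with a placeholder (invalid) signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["14165550100"]}, "iat": iat,
              "orig": {"tn": "16135550123"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = f"{b64url_encode(header)}.{b64url_encode(claims)}.c2lnbmF0dXJl"
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"
```

The only difference between the three sample calls is the one-letter `attest` claim set by the signing provider, which is why access to a certificate that permits A-level signing matters to the originating telco.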
Gamble is a network technologist at EGATE, a cloud and voice provider based in Toronto, and he is also a blogger in his own time. He continued the argument on his personal website through a post entitled “Certificates for me, but not for thee”.
“…the STIR/SHAKEN framework is supposed to apply to all telecommunications service providers, however, if you read the CST-GA [Governance Authority] website they state clearly that ‘Any Canadian Carrier with direct access to Canadian Telephone Numbers can participate in the call authentication scheme’. On the surface this may not sound like a problem, but if you understand how a vast majority of TSPs operate you will quickly understand this is a major issue.”
Gamble and others have already warned Canada’s regulator about the risks of creating a second-class status for telcos who cannot sign the calls they originate. He concluded his blog with a bleak assessment of what might happen to those telcos.
“Like other internet technologies, we must ensure that all players, including small TSPs, can participate on an equal footing. If parties cannot participate equally in this process, the harm to the smaller carriers will be irreparable.”
Other regions should also take note of what is happening in Canada when they contemplate the advantages and disadvantages of using STIR/SHAKEN to prevent CLI spoofing. Some big telcos may calculate it is in their interests to centralize power in a way that will likely help them. Smaller telcos will need to be wary about the consequences, and lobby accordingly.
There are several weaknesses in the design of STIR/SHAKEN, though most observers are likely to focus on the temporary difficulty of the method only working for calls that have been carried by IP networks from end to end. That shortcoming will matter less as TDM networks are decommissioned. STIR/SHAKEN has other limitations which are fundamental and permanent, and are common to any scheme which involves the centralization of power, which often favors large businesses at the expense of their smaller competitors.
Unanswered questions about the centralization of power will become especially important when these central and national authorities start trying to supervise cross-border traffic. It can be difficult for telcos to get satisfactory answers from their own national regulator; lobbying for fair treatment from a foreign authority will be even more problematic.