Non-IP Networks and STIR/SHAKEN

A major impediment to the efficacy of the STIR/SHAKEN caller ID authentication framework is the continuing presence of non-IP networks in the call chain. Their presence strips out the STIR/SHAKEN authentication information inserted by the originating provider and is a leading cause of “unsigned” calls reaching the terminating provider. The FCC has issued a rulemaking notice proposing to address this problem by requiring non-IP networks to either upgrade to IP or adopt specified non-IP network solutions within two years. The notice of proposed rulemaking can be found here: FCC-25-25A1.pdf

Background

            The FCC requires all IP-based providers to implement STIR/SHAKEN but only requires non-IP-based providers to “take reasonable measures to implement an effective call authentication framework.” Currently, non-IP networks can meet this requirement by either upgrading to IP or certifying to involvement in developing solutions to enable transmittal of STIR/SHAKEN information. The requirement to implement STIR/SHAKEN is extended for non-IP providers pending a finding that non-IP solutions have been developed, are reasonably available and are effective.

            Given the continued prevalence of non-IP networks, the FCC’s rules appear to have had little effect. This prompted the FCC, in 2022, to begin an inquiry into steps it might take to address the problem. CCA participated in that process and urged the Commission to require use of one of the two non-IP solutions adopted by ATIS and are now the subject of this most recent notice, which frequently cites CCA’s comments. Both ATIS specifications would enable transmission of STIR/SHAKEN information over non-IP networks. ATIS has also released a third proposed solution.

Criteria For Non-IP Frameworks

            The notice proposes to adopt three criteria to determine whether to mandate use of a non-IP framework. The criteria require that the framework must be developed, reasonably available, and effective. If the criteria are met, the FCC proposes to terminate the current exemption from STIR/SHAKEN implementation for non-IP networks and mandate use of the non-IP framework if the provider has not transitioned to IP. Among other factors, the proposed criteria would require that a framework be: (1) fully developed and finalized by published, implementable industry standards; (2) available such that the underlying equipment and software necessary to implement a developed standard is on the commercial market and is being offered and marketed; and (3) effective at transmitting the STIR/SHAKEN information needed to authenticate a call.

            The FCC proposes that the first two of the three ATIS standards described below meet all three criteria and one of them must be implemented by non-IP network providers if the provider does not transition to IP and seeks comment on that proposed conclusion. The FCC seeks comment on whether the third ATIS standard described below meets the criteria. Although proposing that the third standard has been developed, the notice seeks comment on whether it is reasonably available and effective.

The Three ATIS Non-IP Frameworks.

            ATIS has issued standards for three non-IP caller ID authentication frameworks. As noted, the FCC proposes that the first two meet all three criteria for implementation while seeking comment on the third framework.

1. In-Band Authentication, ATIS-10000095.v002, Extending STIR/SHAKEN over TDM. ATIS-1000095.v002, Extending STIR/SHAKEN over TDM   This standard enables some STIR/SHAKEN information to be transmitted, including the digital signature, or PASSPorT, and the attestation regarding the callers’ right to use the phone number. This standard requires bilateral agreements between a non-IP network provider and any provider with whom it exchanges STIR/SHAKEN traffic. The agreements are designed to create a level of trust between the providers enabling the transmission of verified attestation levels. The standard contemplates two methods: (1) using specific fields in the TDM signaling to encode the attestation level; or (2) using a different Trunk Group for each attestation level.

            2. Out-of-Band Multiple STI-CPS Authentication, Out-of-Band PASSporT Transmission Involving TDM Networks, ATIS-10000096, ATIS-1000096, SHAKEN: Out-of-Band PASSporT Transmission Involving TDM Networks. The standard requires the establishment of one or more STI-Call Placement Services (STI-CPS), which is hosted on the internet by a governance authority, such as the STI governance authority. The service provider that converts a call from SIP signaling to TDM signaling must publish all associated PASSporT(s) received in the SIP signaling to an STI-CPS. An originating service provider that sends a call via a TDM Network-to-Network Interface must generate the applicable PASSporT(s) and then publish the PASSporT(s) to an STI-CPS. If a call is converted from SIP signaling to TDM signaling multiple times, then multiple service providers will publish the same PASSporT(s) to an STI-CPS. The service provider that converts a call from TDM signaling to SIP signaling must send a request to an STI-CPS to retrieve all PASSporT(s) associated with the call and insert the retrieved PASSporT(s) into the SIP signaling in the Identity header(s).

3. Out-of-Band Agreed STI-CPS Authentication Out-of-Band PASSporT

Transmission Between Service Providers that Interconnect using TDM, ATIS-1000105,

https://access.atis.org/higherlogic/ws/public/download/79509/ATIS-1000105.pdf. This standard is similar to the Out-of-Band solution described above but requires every directly connected provider in the call path to agree on the use of the same STI-CPS.

Implementation Deadline

            The FCC proposes to require non-IP networks to either transition to IP or adopt one of the non-IP call authentication frameworks within two years. This means that the current extension of STIR/SHAKEN implementation for non-IP networks will cease at that time.

Next Steps

            Initial comments in the FCC’s proposals are due 30 days after publication of the notice in the Federal Register, which we expect will occur in next few weeks. Reply comments are due 30 days after initial comments. CCA plans to file comments in the proceeding and welcomes member input on the proposals. Please contact the regulatory committee if you have concerns or thoughts regarding comments.

33572574.1