Personally, I'm quite curious to know how the ITG would even be identifying these companies as being distinct from the wholesaler, at least without a traceback request for an actual violation, where the investigation (that the wholesaler would likely be not only cooperative with but actively involved in) eventually revealed that all of the violations were originating from one particular customer of theirs. But sans any violations to look into...how would they know? In particular, when asking these questions, what I specifically have in mind are wholesalers not like VI/Sangoma et al., but more like e.g. https://atheral.com/, which carries traffic for a bunch of smaller regional ISPs that want to offer VoIP but don't want any of the headaches associated with doing so. So most of them I presume literally own no infrastructure of their own...no softswitch, no SBC, no nothing. They might be 499 filers, but that's likely the extent of their direct regulatory involvement. I believe Daniel might be hanging around on this list, so perhaps he can shed some light on how they have been advised to approach this (whether they are signing all calls with their own SHAKEN cert/key, or whether they can host SHAKEN certs owned by their customers and sign the end-users of that customer's calls with that customer's own cert, or a mix of both). -- Nathan -----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mary Lou Carey via VoiceOps Sent: Wednesday, July 12, 2023 1:29 PM To: voiceops at voiceops.org Subject: [VoiceOps] Update on STIR/SHAKEN I spoke with my FCC contact today and was told to read the last order issued in March so his response wasn't crystal clear. He said the FCC is still in the process of deciding which types of companies can sign with a third-party vendor's token and which ones can't. I told him my concern is that the ITG is going to start blocking traffic in August and companies won't know that they aren't compliant because their wholesale provider told them they were fine. I specifically asked, "If the ITG decides a company should have had its own token, will you give them time to get one?" He said they have a process for handling these issues, but he didn't come out and say "Yes" so here's what I would suggest since the process can sometimes take longer than the 30 days they give you to comply. If you are using a third-party provider whose signing with their token. At least complete the preliminary steps to qualify for your own STIR/SHAKEN token. That way if they do come to you and tell you that you need to get it on a moment's notice, you won't be fighting the clock so much. The pre-requisites for filing with the STI-PA to become an approved carrier are: 1. Order your own OCN (aka company code from NECA) IPES is the correct type for all VOIP carriers 2. Have your 499 up to date and fees paid. If you've never filed a 499A yet, get your 499 filer ID and submit your first 499-A. (All carriers delivering long-distance traffic in the US should have already completed this step anyways). 3. Robocall Mitigation Plan filed. There are multiple companies helping carriers get their STIR/SHAKEN certificate, so it doesn't matter if you use my services or anyone else's. I just want to make sure everyone is aware of what they need to do to make sure their traffic doesn't get blocked because thats a lot harder to fix than getting a certificate/token is! MARY LOU CAREY BackUP Telecom Consulting Office: 615-791-9969 Cell: 615-796-1111 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
Nathan: Thanks for sharing your thinking and a specific example. I can't speak for the FCC or the ITG (obviously) and they probably won't weigh in here. But, as Mary has done, I can share what I hope is a reasonably accurate perspective. I hope, Nathan, that the key is your statement: "But sans any violations to look into...how would they know?" And, I would add, why would they care? If the group you describe isn't a bunch of trouble-makers, then surely there are other fish to fry when it comes to compliance issues. Let's put our focus on the ones that are actually wreaking havoc. I hadn't heard of Atheral before, but I see that they have a SHAKEN token per iconectiv, so they can sign calls. They list several customers on their web page; I spot checked those and the ones I searched do NOT have tokens but ARE registered in the Robocall Mitigation Database. I did see that a couple of them had very nicely written Robocall Mitigation Plans (Zirkel, for example, with Vistabeam in second place) that explained exactly how they work with Atheral in terms of getting calls signed. We could debate (and in fact, we are debating at the FCC) whether, for example, it's OK for Atheral to sign calls with Atheral's token on behalf of Zirkel. We might argue that Zirkel is the one with the direct authenticated relationship with their customer, so it should be a Zirkel signature on those calls. Or you can make a semantic argument that Atheral is the "Originating Voice Service Provider" and that it is through their agent Zirkel that they have the customer relationship. Zirkel explains how they validate the phone numbers that their customers use, and pass that information on to Atheral for proper attestation. It all appears to be on the up-and-up. Atheral has to understand that by putting the Atheral signature on calls coming via Zirkel and others, Atheral is putting its own reputation on the line. So Atheral is presumably motivated to ensure everybody plays nice, which they probably do at least in part via their contractual agreements. To my knowledge, the ITG does not "block traffic" or enforce rules about tokens. The ITG is in the business of traceback, and it makes the information it gathers through that process available, selectively, to others that can then act on it. That includes not just government enforcers but, for example, others in the call chain. If a particular provider is involved in a traceback, they get visibility to whether their upstream is responding to that traceback. If not, or if that upstream failed to sign a call when they should have, then the downstream provider can initiate action on its own with respect to that upstream. Back to Atheral -- our RRAPTOR robocall surveillance platform has never captured a problematic call with an Atheral signature. That doesn't mean we know for certain that no "bad" robocalls flow via Atheral, but it's probably safe to say that at the moment, Atheral and its customers aren't a cause of great concern. Lastly, thanks Nathan for the nice words about our test tool. David Frankel ZipDXR LLC St. George, UT USA -----Original Message----- From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Nathan Anderson via VoiceOps Sent: Wednesday, July 12, 2023 4:21 PM To: 'Voice Ops' <voiceops at voiceops.org> Subject: Re: [VoiceOps] Update on STIR/SHAKEN Personally, I'm quite curious to know how the ITG would even be identifying these companies as being distinct from the wholesaler, at least without a traceback request for an actual violation, where the investigation (that the wholesaler would likely be not only cooperative with but actively involved in) eventually revealed that all of the violations were originating from one particular customer of theirs. But sans any violations to look into...how would they know? In particular, when asking these questions, what I specifically have in mind are wholesalers not like VI/Sangoma et al., but more like e.g. https://atheral.com/, which carries traffic for a bunch of smaller regional ISPs that want to offer VoIP but don't want any of the headaches associated with doing so. So most of them I presume literally own no infrastructure of their own...no softswitch, no SBC, no nothing. They might be 499 filers, but that's likely the extent of their direct regulatory involvement. I believe Daniel might be hanging around on this list, so perhaps he can shed some light on how they have been advised to approach this (whether they are signing all calls with their own SHAKEN cert/key, or whether they can host SHAKEN certs owned by their customers and sign the end-users of that customer's calls with that customer's own cert, or a mix of both). -- Nathan -----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mary Lou Carey via VoiceOps Sent: Wednesday, July 12, 2023 1:29 PM To: voiceops at voiceops.org Subject: [VoiceOps] Update on STIR/SHAKEN I spoke with my FCC contact today and was told to read the last order issued in March so his response wasn't crystal clear. He said the FCC is still in the process of deciding which types of companies can sign with a third-party vendor's token and which ones can't. I told him my concern is that the ITG is going to start blocking traffic in August and companies won't know that they aren't compliant because their wholesale provider told them they were fine. I specifically asked, "If the ITG decides a company should have had its own token, will you give them time to get one?" He said they have a process for handling these issues, but he didn't come out and say "Yes" so here's what I would suggest since the process can sometimes take longer than the 30 days they give you to comply. If you are using a third-party provider whose signing with their token. At least complete the preliminary steps to qualify for your own STIR/SHAKEN token. That way if they do come to you and tell you that you need to get it on a moment's notice, you won't be fighting the clock so much. The pre-requisites for filing with the STI-PA to become an approved carrier are: 1. Order your own OCN (aka company code from NECA) IPES is the correct type for all VOIP carriers 2. Have your 499 up to date and fees paid. If you've never filed a 499A yet, get your 499 filer ID and submit your first 499-A. (All carriers delivering long-distance traffic in the US should have already completed this step anyways). 3. Robocall Mitigation Plan filed. There are multiple companies helping carriers get their STIR/SHAKEN certificate, so it doesn't matter if you use my services or anyone else's. I just want to make sure everyone is aware of what they need to do to make sure their traffic doesn't get blocked because thats a lot harder to fix than getting a certificate/token is! MARY LOU CAREY BackUP Telecom Consulting Office: 615-791-9969 Cell: 615-796-1111 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
An HTML attachment was scrubbed... URL: <https://puck.nether.net/pipermail/voiceops/attachments/20230713/a3a672af/att...>
Thank you for sharing what you do. The only thing I would say is that this is similar to building redundancy into your network. If a wholesale carrier is signing all their reseller's traffic with the same certificate, then there is one point of failure unless you have a way of identifying the reseller another way. The only possible way I can think of to further separate a reseller's traffic from the rest of the wholesaler's traffic would be to assign a dedicated LRN to each reseller. The OCN and company name of the reseller can be associated with a specific LRN by populating the FQDN OCN and FQDN fields on the LRN record in the LERG. NPAC also allows an altSPID to be added to their records in the NPAC database. That may be just as cumbersome as associating each carrier's certificate with their traffic. I don't know, but I do know that when there's only one certificate shared between all companies it puts all involved at a lot more risk. MARY LOU CAREY BackUP Telecom Consulting Office: 615-791-9969 Cell: 615-796-1111 On 2023-07-13 12:14 PM, Daniel White via VoiceOps wrote:
Good morning everyone. I see my company got brought up here, and we are probably a good use case in the entire ecosystem to consider when it comes to Robocall mitigation. What is my companies (or any other white-label resellers) responsibilities to it.
While we do not have a direct end-user relationship with the client, we do require that our resellers (smaller, regional ISPs primarily) have a direct relationship with the client that would meet all of Attestation A requirements. This is actually fairly easy to have as an ISP rather than an MSP or other company that accepts any client to sign up for service (since an ISP has to visit the premise to install service generally).
Furthermore, every DID on our system is ported though our company (we primarily use IQNT, Bandwidth, and VI for our own Orig/Term) so we are verifying things like an LOA and last copy of bill.
No calls are allowed to originate from our system that do not match a CLID that we have verified that client has authorization to use. This prevents our clients (i.e. resellers) from spoofing CLID, and CNAME storage with our vendors can only be set via Atheral.
We do use ClearIP/TransNexus for STIR/SHAKEN but also for Telecom Fraud and Robocall protection. If a user starts exhibiting robocall or fraudulent call behavior we shut that down immediately. We also prohibit dialer traffic on our network or traffic poor call completion.
The legal advice we were given was that our resellers, all of whom file a 499a, do not need to sign their own traffic. We have always been very protective of our switching infrastructure (utilizing a Netsapiens switch with Ribbon SBCs in front) and the traffic that flows through it. We do not bill per minute to our clients, so minimizing any potential fraudulent traffic is a key concern of ours to keep our costs low.
Of course, if the FCC goes a different direction we will change our stance. I believe there isn't any reason to burden small, regional ISPs with the signature since our clients are almost exclusively de-minims and adds nothing to the traceback process. If we get a traceback, we will work with the ISP or immediately kick them off our system.
Alianza (https://www.alianza.com/) has a very similar business model to ours although we mostly target different ISPs than we do. I've not dug into how they or any other white-label reseller has interpreted the rules as they sit today, but I imagine most companies like ours are "the good actors" and not the ones that these regulations were intended to change behavior of.
Thank you!
[1]
Daniel White Co-Founder
phone: +1 (702) 470-2770 direct: +1 (702) 470-2766
David Frankel via VoiceOps July 12, 2023 at 6:01 PM
Nathan: Thanks for sharing your thinking and a specific example.
I can't speak for the FCC or the ITG (obviously) and they probably won't weigh in here. But, as Mary has done, I can share what I hope is a reasonably accurate perspective.
I hope, Nathan, that the key is your statement: "But sans any violations to look into...how would they know?" And, I would add, why would they care? If the group you describe isn't a bunch of trouble-makers, then surely there are other fish to fry when it comes to compliance issues. Let's put our focus on the ones that are actually wreaking havoc.
I hadn't heard of Atheral before, but I see that they have a SHAKEN token per iconectiv, so they can sign calls. They list several customers on their web page; I spot checked those and the ones I searched do NOT have tokens but ARE registered in the Robocall Mitigation Database. I did see that a couple of them had very nicely written Robocall Mitigation Plans (Zirkel, for example, with Vistabeam in second place) that explained exactly how they work with Atheral in terms of getting calls signed.
We could debate (and in fact, we are debating at the FCC) whether, for example, it's OK for Atheral to sign calls with Atheral's token on behalf of Zirkel. We might argue that Zirkel is the one with the direct authenticated relationship with their customer, so it should be a Zirkel signature on those calls. Or you can make a semantic argument that Atheral is the "Originating Voice Service Provider" and that it is through their agent Zirkel that they have the customer relationship. Zirkel explains how they validate the phone numbers that their customers use, and pass that information on to Atheral for proper attestation. It all appears to be on the up-and-up.
Atheral has to understand that by putting the Atheral signature on calls coming via Zirkel and others, Atheral is putting its own reputation on the line. So Atheral is presumably motivated to ensure everybody plays nice, which they probably do at least in part via their contractual agreements.
To my knowledge, the ITG does not "block traffic" or enforce rules about tokens. The ITG is in the business of traceback, and it makes the information it gathers through that process available, selectively, to others that can then act on it. That includes not just government enforcers but, for example, others in the call chain. If a particular provider is involved in a traceback, they get visibility to whether their upstream is responding to that traceback. If not, or if that upstream failed to sign a call when they should have, then the downstream provider can initiate action on its own with respect to that upstream.
Back to Atheral -- our RRAPTOR robocall surveillance platform has never captured a problematic call with an Atheral signature. That doesn't mean we know for certain that no "bad" robocalls flow via Atheral, but it's probably safe to say that at the moment, Atheral and its customers aren't a cause of great concern.
Lastly, thanks Nathan for the nice words about our test tool.
David Frankel ZipDXR LLC St. George, UT USA
-----Original Message----- From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Nathan Anderson via VoiceOps Sent: Wednesday, July 12, 2023 4:21 PM To: 'Voice Ops' <voiceops at voiceops.org> Subject: Re: [VoiceOps] Update on STIR/SHAKEN
Personally, I'm quite curious to know how the ITG would even be identifying these companies as being distinct from the wholesaler, at least without a traceback request for an actual violation, where the investigation (that the wholesaler would likely be not only cooperative with but actively involved in) eventually revealed that all of the violations were originating from one particular customer of theirs. But sans any violations to look into...how would they know?
In particular, when asking these questions, what I specifically have in mind are wholesalers not like VI/Sangoma et al., but more like e.g. https://atheral.com/, which carries traffic for a bunch of smaller regional ISPs that want to offer VoIP but don't want any of the headaches associated with doing so. So most of them I presume literally own no infrastructure of their own...no softswitch, no SBC, no nothing. They might be 499 filers, but that's likely the extent of their direct regulatory involvement.
I believe Daniel might be hanging around on this list, so perhaps he can shed some light on how they have been advised to approach this (whether they are signing all calls with their own SHAKEN cert/key, or whether they can host SHAKEN certs owned by their customers and sign the end-users of that customer's calls with that customer's own cert, or a mix of both).
-- Nathan
-----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mary Lou Carey via VoiceOps Sent: Wednesday, July 12, 2023 1:29 PM To: voiceops at voiceops.org Subject: [VoiceOps] Update on STIR/SHAKEN
I spoke with my FCC contact today and was told to read the last order issued in March so his response wasn't crystal clear. He said the FCC is still in the process of deciding which types of companies can sign with a third-party vendor's token and which ones can't.
I told him my concern is that the ITG is going to start blocking traffic in August and companies won't know that they aren't compliant because their wholesale provider told them they were fine. I specifically asked, "If the ITG decides a company should have had its own token, will you give them time to get one?" He said they have a process for handling these issues, but he didn't come out and say "Yes" so here's what I would suggest since the process can sometimes take longer than the 30 days they give you to comply.
If you are using a third-party provider whose signing with their token. At least complete the preliminary steps to qualify for your own STIR/SHAKEN token. That way if they do come to you and tell you that you need to get it on a moment's notice, you won't be fighting the clock so much. The pre-requisites for filing with the STI-PA to become an approved carrier are:
1. Order your own OCN (aka company code from NECA) IPES is the correct type for all VOIP carriers 2. Have your 499 up to date and fees paid. If you've never filed a 499A yet, get your 499 filer ID and submit your first 499-A. (All carriers delivering long-distance traffic in the US should have already completed this step anyways). 3. Robocall Mitigation Plan filed.
There are multiple companies helping carriers get their STIR/SHAKEN certificate, so it doesn't matter if you use my services or anyone else's. I just want to make sure everyone is aware of what they need to do to make sure their traffic doesn't get blocked because thats a lot harder to fix than getting a certificate/token is!
MARY LOU CAREY BackUP Telecom Consulting Office: 615-791-9969 Cell: 615-796-1111 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
Nathan Anderson via VoiceOps July 12, 2023 at 4:20 PM
Personally, I'm quite curious to know how the ITG would even be identifying these companies as being distinct from the wholesaler, at least without a traceback request for an actual violation, where the investigation (that the wholesaler would likely be not only cooperative with but actively involved in) eventually revealed that all of the violations were originating from one particular customer of theirs. But sans any violations to look into...how would they know?
In particular, when asking these questions, what I specifically have in mind are wholesalers not like VI/Sangoma et al., but more like e.g. https://atheral.com/, which carries traffic for a bunch of smaller regional ISPs that want to offer VoIP but don't want any of the headaches associated with doing so. So most of them I presume literally own no infrastructure of their own...no softswitch, no SBC, no nothing. They might be 499 filers, but that's likely the extent of their direct regulatory involvement.
I believe Daniel might be hanging around on this list, so perhaps he can shed some light on how they have been advised to approach this (whether they are signing all calls with their own SHAKEN cert/key, or whether they can host SHAKEN certs owned by their customers and sign the end-users of that customer's calls with that customer's own cert, or a mix of both).
-- Nathan
-----Original Message----- From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mary Lou Carey via VoiceOps Sent: Wednesday, July 12, 2023 1:29 PM To: voiceops at voiceops.org Subject: [VoiceOps] Update on STIR/SHAKEN
I spoke with my FCC contact today and was told to read the last order issued in March so his response wasn't crystal clear. He said the FCC is still in the process of deciding which types of companies can sign with a third-party vendor's token and which ones can't.
I told him my concern is that the ITG is going to start blocking traffic in August and companies won't know that they aren't compliant because their wholesale provider told them they were fine. I specifically asked, "If the ITG decides a company should have had its own token, will you give them time to get one?" He said they have a process for handling
these issues, but he didn't come out and say "Yes" so here's what I would suggest since the process can sometimes take longer than the 30 days they give you to comply.
If you are using a third-party provider whose signing with their token. At least complete the preliminary steps to qualify for your own STIR/SHAKEN token. That way if they do come to you and tell you that you need to get it on a moment's notice, you won't be fighting the clock so much. The pre-requisites for filing with the STI-PA to become an approved carrier are:
1. Order your own OCN (aka company code from NECA) IPES is the correct type for all VOIP carriers 2. Have your 499 up to date and fees paid. If you've never filed a 499A yet, get your 499 filer ID and submit your first 499-A. (All carriers delivering long-distance traffic in the US should have already completed this step anyways). 3. Robocall Mitigation Plan filed.
There are multiple companies helping carriers get their STIR/SHAKEN certificate, so it doesn't matter if you use my services or anyone else's. I just want to make sure everyone is aware of what they need to do to make sure their traffic doesn't get blocked because thats a lot harder to fix than getting a certificate/token is!
MARY LOU CAREY BackUP Telecom Consulting Office: 615-791-9969 Cell: 615-796-1111 _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
Links: ------ [1] https://atheral.com _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
participants (4)
-
dfrankel@zipdx.com -
dwhite@atheral.com -
marylou@backuptelecom.com -
nathana@fsr.com