SHAKEN
Jim McEachern, Senior Technology Consultant, ATIS
December 2017

PoP – Scenario #1 – Terminate PoP & Originate SHAKEN

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

PoP – Scenario #2 – PoP E2E

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; PoP]

PoP – Scenario #3 – PoP & SHAKEN

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

PoP – Scenario #1 - Performance

Originating SP must process PoP identity header and factor results into attestation in SHAKEN = No impact on terminating SP
+ Originating SP can cache PoP certificates and refresh every time a call is made from their customer PBX to any destination.

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

PoP – Scenario #2 – Performance – Local Cache

+ = Originating SP does not need to do anything. Terminating SP processes PoP identity header with complexity comparable to SHAKEN identity header.
- Terminating SP could cache PoP certificates but can only refresh every time a call is made from a given customer PBX to a given VS function.

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; PoP]

PoP – Scenario #2 – Performance – SP Cache

+ = Originating SP does not need to do anything. Terminating SP processes PoP identity header with complexity comparable to SHAKEN identity header.
= - Terminating SP could provide a centralized cache for PoP certificates and refresh every time a call is made from a given customer PBX to any VS function within the terminating SP network.

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; Cache; PoP AS, PoP VS; PoP]
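The three cache placements compared on the performance slides for Scenario #1 and Scenario #2 can be put side by side with a small simulation. This is an added example, not part of the original slides: it assumes an idle-timeout cache (an entry stays valid as long as calls keep refreshing it), and the traffic, names and parameters are all constructed.

```python
from collections import namedtuple

# Constructed call record: time in seconds, originating customer PBX,
# terminating SP, and the VS instance inside that SP handling the call.
Call = namedtuple("Call", "t pbx term_sp vs")

# Cache key per placement (labels are hypothetical, taken from the slide titles).
PLACEMENTS = {
    "scenario1_originating_sp": lambda c: c.pbx,                   # any destination
    "scenario2_sp_cache": lambda c: (c.term_sp, c.pbx),            # any VS in the SP
    "scenario2_local_cache": lambda c: (c.term_sp, c.vs, c.pbx),   # one given VS
}

def fetches(calls, key, idle_timeout):
    """Count certificate fetches (cache misses) for a cache keyed by key(call).

    Assumption: each call that uses an entry refreshes it, and an entry that
    goes unused for more than idle_timeout seconds is dropped.
    """
    last_used, misses = {}, 0
    for call in sorted(calls, key=lambda c: c.t):
        k = key(call)
        if k not in last_used or call.t - last_used[k] > idle_timeout:
            misses += 1          # certificate has to be fetched again
        last_used[k] = call.t    # the call refreshes the entry
    return misses

def make_calls(n_calls=240, spacing=60, n_pbx=2, n_sp=3, n_vs=4):
    """Constructed traffic: one call per `spacing` seconds, cycling through
    every (PBX, terminating SP, VS) combination in turn."""
    return [
        Call(i * spacing, i % n_pbx, (i // n_pbx) % n_sp,
             (i // (n_pbx * n_sp)) % n_vs)
        for i in range(n_calls)
    ]

def compare(calls, idle_timeout=900):
    """Fetch count for each cache placement over the same call list."""
    return {name: fetches(calls, key, idle_timeout)
            for name, key in PLACEMENTS.items()}

if __name__ == "__main__":
    for name, count in compare(make_calls()).items():
        print(f"{name:26} {count:4} certificate fetches")
```

The finer the cache key, the longer each entry sits idle between calls, so for identical traffic the per-VS cache refetches far more often than the SP-wide cache.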

PoP – Scenario #3 - Performance

Challenges caching PoP certificates. Terminating SP must also process PoP identity header with complexity comparable to SHAKEN identity header.
= = Terminating SP processes SHAKEN identity header. Originating SP generates normal SHAKEN identity header.

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

PoP – Scenario #1 - Traceback

Traceback to the source of the “problem” (i.e., SP-A and enterprise) is complicated by having to go to SP-B and correlate SHAKEN origid with PoP certificate. -
Does knowing that SP-B originated the call onto the network add any value? =

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

PoP – Scenario #2 - Traceback

Traceback points directly to the SP that issued the PoP certificate and then to the enterprise. +
= “Originating SP” role is equivalent to intermediate (transit) providers. -

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; PoP]

PoP – Scenario #3 - Traceback

Traceback points directly to the SP that issued the PoP certificate and then to the enterprise. +
= Traceback also points to the SP that originated the call onto the network. Is this information useful?

[Diagram: SP-A, SP-B, SP-C, SP-D, …, SP-Z; Analytics; PoP AS, PoP VS; STI AS, STI VS; PoP; SHAKEN]

Conclusions

• Allowing PoP Identity headers to go end-to-end does add some new responsibilities on the terminating SP:
    • They must support PoP Identity headers
    • Caching public certs is less efficient than for standard SHAKEN
    • Centralized caching for all calls to terminating SP improves efficiency
• Terminating PoP Identity headers at the originating SP does not improve traceback, and may even complicate traceback.
• If PoP certs go end-to-end, the originating SP could add a second, SHAKEN Identity header if they needed to (e.g., if terminating SP could not verify PoP Identity header).
• Important to verify that allowing PoP Identity headers to go end-to-end does not cause problems for other use cases (e.g., NS/EP).