-----Original Message-----
From: NANOG <nanog-boun...@nanog.org> On Behalf Of Brandon Martin
Sent: Thursday, 19 December, 2019 10:25
To: nanog@nanog.org
Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
On 12/19/19 12:09 PM, Andreas Ott wrote:
I have also been told that there is no equivalent of uRPF in the phone
world.
This is the biggest issue, and unfortunately (and my knowledge of the
PSTN is admittedly a bit lacking, here), there's likely no good way to
add it.
Calls on the PSTN are routed essentially based on "who do I feel like
handing this off to, today", and then that entity may do the same, and
so on. It's pretty routine for an outfit to have multiple contracts for
termination that may not even be aware of the "legitimate" numbers from
which their customers might "source" a call.
Further, it's entirely normal and perfectly legitimate (to varying
degrees) for an outfit to purport in CID a number that is not directly
assigned to them nor which will actually result in a callback being
routed to them.
Think of caller ID more like reverse DNS. It's largely advisory and,
outside some situations where you deliberately want a higher degree of
reputation/identity verification and are willing to accept a
potentially large number of false flags, there's no real reason to rely
on it outside of human nicety.
The rough analogy to the source IP address is the ANI information that's
not even passed to most end users. That's "who should I bill this to?".
But even that can get overwritten sometimes during call routing, from
what I gather. It's also rarely a valid callback number for any
non-trivial call source. Or, at least, if you did call it, the person
who (might) answer the phone will have no idea what prompted you to do
so.
SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a
way albeit very much re-envisioned based on circuit switching rather
than packet switching. Each intervening network can attest to what
degree they are able to verify the CID (and maybe ANI?) information in
the call. Unfortunately, a perfectly valid attestation is "I cannot
verify it", and indeed that's likely to be most of the attestations
you'll see at least at first. The best it really lets you do is figure
out some networks at which to point fingers.
When "full attestation" is present, i.e. the network operator has been
able to verify that the CID field represents a number authorized for use
by the entity originating the call, it's maybe more like DKIM in that
you can, with cryptographic certainty, know THE network at which to
point fingers as they're the ones who admitted the call into the PSTN
with authority that the CID field (among others) is "valid".
[And all the old PSTN folks will please forgive me if I'm inaccurate,
here, though corrections are welcome]
--
Brandon Martin
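The attestation mechanism Brandon describes (each network signs what it could verify, "C" meaning "I cannot verify it", and a verified signature telling you which network admitted the call) is easier to see in code. The following is an added example, not code from this thread or from any SHAKEN implementation: it signs and verifies a PASSporT-style token (the claim names and ES256 signing follow the PASSporT/SHAKEN format; the `x5u` URL, the telephone numbers, `origid` and the ad-hoc key are constructed for the example, where a real carrier's key would be bound to an STI certificate).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is what the originating network signs for one call (SHAKEN PASSporT
// claim names). Attest: "A" full, "B" partial, "C" gateway ("I cannot verify it").
type Claims struct {
	Attest string            `json:"attest"`
	Iat    int64             `json:"iat"`
	Orig   map[string]string `json:"orig"`
	Origid string            `json:"origid"`
}

// AttestationMeaning is what each level actually promises to the terminating side.
var AttestationMeaning = map[string]string{
	"A": "full: originator authenticated the caller and confirmed it may use orig.tn",
	"B": "partial: originator authenticated the customer but did not verify orig.tn",
	"C": "gateway: originator cannot verify the caller; it only admitted the call",
}

// NewTestKey is a throwaway P-256 key standing in for a carrier's signing key
// (assumption: real keys are bound to an STI certificate, not generated ad hoc).
func NewTestKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport returns a JWS compact token signed with ES256 (ECDSA P-256 over SHA-256,
// signature as raw r||s). x5u names the signer's certificate: WHICH network vouched.
func SignPassport(priv *ecdsa.PrivateKey, x5u string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	p, _ := json.Marshal(c) // plain struct of strings/ints, cannot fail to marshal
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyPassport checks the token against the signing network's public key and returns
// the claims it vouched for. A valid signature over "C" proves only who admitted the call.
func VerifyPassport(pub *ecdsa.PublicKey, token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("signature invalid: not issued by this network, or altered after signing")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// RewriteOrigTN models a downstream hop changing the CID after signing; the signature stays.
func RewriteOrigTN(token, newTN string) string {
	parts := strings.Split(token, ".")
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	_ = json.Unmarshal(payload, &c)
	c.Orig = map[string]string{"tn": newTN}
	p, _ := json.Marshal(c)
	return parts[0] + "." + base64.RawURLEncoding.EncodeToString(p) + "." + parts[2]
}

func main() {
	priv, _ := NewTestKey()
	// Constructed sample call; numbers and the x5u URL are placeholders, not a real STI-CA.
	claims := Claims{Attest: "C", Iat: 1576770300, Orig: map[string]string{"tn": "12025550123"}, Origid: "sample-1"}
	token, _ := SignPassport(priv, "https://cert.example.invalid/carrier.pem", claims)
	got, err := VerifyPassport(&priv.PublicKey, token)
	fmt.Println("verified:", err == nil, "attest:", got.Attest, "->", AttestationMeaning[got.Attest])
	_, err = VerifyPassport(&priv.PublicKey, RewriteOrigTN(token, "12025550100"))
	fmt.Println("after CID rewrite in transit:", err)
}
```

Two things to take from running it: the "C" token verifies perfectly well, and all that buys the terminating side is the identity of the gateway that signed it, exactly the finger-pointing Brandon describes; and once any hop rewrites `orig.tn` the originator's signature no longer verifies, which is the DKIM-like property that makes a full "A" attestation attributable to one network (in a real deployment the verifier fetches the certificate at `x5u` instead of being handed the public key directly).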