"CallerID" is a misnomer. It is actually the "Advertised ID". However, the telcos realized you would not pay to receive advertising so they renamed it to something they thought you would pay for. Pretty canny business model eh? And apparently y'all fell for it, thinking it was related to the Identification of the Caller, rather than being what the caller wished to advertise.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Brandon Martin
Sent: Thursday, 19 December, 2019 10:25
To: nanog@nanog.org
Subject: Re: FCC proposes $10 Million fine for spoofed robocalls
On 12/19/19 12:09 PM, Andreas Ott wrote:
> I have also been told that there is no equivalent of uRPF in the phone world.
This is the biggest issue, and unfortunately (and my knowledge of the PSTN is admittedly a bit lacking, here), there's likely no good way to add it.
Calls on the PSTN are routed essentially based on "who do I feel like handing this off to, today", and then that entity may do the same, and so on. It's pretty routine for an outfit to have multiple contracts for termination that may not even be aware of the "legitimate" numbers from which their customers might "source" a call.
Further, it's entirely normal and perfectly legitimate (to varying degrees) for an outfit to purport in CID a number that is not directly assigned to them nor which will actually result in a callback being routed to them.
Think of caller ID more like reverse DNS. It's largely advisory and, outside some situations where you deliberately want a higher degree of reputation/identity verification and are willing to accept a potentially large number of false flags, there's no real reason to rely on it outside of human nicety.
The rough analogy to the source IP address is the ANI information that's not even passed to most end users. That's "who should I bill this to?". But even that can get overwritten sometimes during call routing, from what I gather. It's also rarely a valid callback number for any non-trivial call source. Or, at least, if you did call it, the person who (might) answer the phone will have no idea what prompted you to do so.
SHAKEN/STIR, the leading proposal to "fix" this, is more like RPKI in a way albeit very much re-envisioned based on circuit switching rather than packet switching. Each intervening network can attest to what degree they are able to verify the CID (and maybe ANI?) information in the call. Unfortunately, a perfectly valid attestation is "I cannot verify it", and indeed that's likely to be most of the attestations you'll see at least at first. The best it really lets you do is figure out some networks at which to point fingers.
When "full attestation" is present, i.e. the network operator has been able to verify that the CID field represents a number authorized for use by the entity originating the call, it's maybe more like DKIM in that you can, with cryptographic certainty, know THE network at which to point fingers as they're the ones who admitted the call into the PSTN with authority that the CID field (among others) is "valid".
[And all the old PSTN folks will please forgive me if I'm inaccurate, here, though corrections are welcome]

--
Brandon Martin
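The attestation semantics described above, as an added example that is not part of this thread or of any SHAKEN implementation: a verification-side claim check over a constructed SHAKEN PASSporT (RFC 8225 / ATIS-1000074 claims), showing that a "C" attestation verifies fine yet vouches for nothing about the CID, and that the origid is the handle for pointing fingers. It assumes the ES256 signature has already been verified against the STI certificate at x5u; the x5u URL, telephone numbers, origid and 60-second freshness window are constructed or assumed values.

```python
import base64
import json

# Constructed sample PASSporTs in header.payload.signature form (base64url, no
# padding). The signature is a placeholder: this code assumes ES256 verification
# against the certificate at x5u already succeeded and checks only the claims.
def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def make_passport(attest, orig_tn, dest_tn, iat, origid):
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://sti-ca.example/cert.pem"}   # hypothetical URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    return f"{b64url(header)}.{b64url(payload)}.SIG_PLACEHOLDER"

def evaluate(passport, presented_cid, called_tn, now, max_age=60):
    """Return (trust, reason, origid). 'full' only when the originating
    provider attested 'A' and the signed TN matches the CID we received;
    'B'/'C' still identify the admitting network but vouch for no CID."""
    head_b64, body_b64, _sig = passport.split(".")
    header, claims = b64url_decode(head_b64), b64url_decode(body_b64)
    if header.get("ppt") != "shaken" or header.get("typ") != "passport":
        return ("reject", "not a SHAKEN PASSporT", None)
    origid = claims.get("origid")          # the network to point fingers at
    if not 0 <= now - claims["iat"] <= max_age:
        return ("reject", "stale or future iat (replay?)", origid)
    if called_tn not in claims["dest"]["tn"]:
        return ("reject", "dest does not cover the called number", origid)
    if claims["orig"]["tn"] != presented_cid:
        return ("reject", "CID differs from the attested orig tn", origid)
    attest = claims["attest"]
    if attest == "A":
        return ("full", "originator vouches the CID is authorized", origid)
    if attest in ("B", "C"):
        return ("unverified", f"attestation {attest}: CID not vouched for", origid)
    return ("reject", "unknown attestation level", origid)
```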