# Whisper for Telecom — give every 5G network function an identity it can prove, across operators. This is telecom.whisper.online. The marketing story here is told for the mobile operator, the 5G-core-security team, and the roaming/interconnect engineer; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full — written so both an agent and a person can act on it. Everything here is ADDITIVE to your SBI mTLS + OAuth2 and your operator PKI — it never replaces the mandated 3GPP controls. ## The problem it solves The 5G core (SBA) is a flat, all-IP HTTP/2 mesh of network functions (NFs) — AMF, SMF, UPF, PCF, UDM, AUSF, NSSF — that discover and address each other over the NRF and DNS. Mutual TLS and OAuth2 bind an NF tightly INSIDE one operator, but: NF discovery still addresses over DNS (TS 33.501 mandates mTLS/OAuth2, not DNSSEC or DANE on that name layer), OAuth2 authorization at the NRF is optional by spec, and every certificate chain terminates at an operator-PRIVATE CA that a roaming partner, an IPX hub, or a regulator cannot independently check. So a spoofed DNS answer can redirect a consumer NF to a rogue NRF or a forged token-issuer, any NF that can reach the NRF can pull another's NFProfile and speak as it, and across the N32 roaming boundary trust is transitive through semi-trusted IPX hubs. The root cause is an identity that is real but invisible outside your walls, and non-revocable across an operator boundary at any useful speed. ## The cure — make it an identity problem Give every NF a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the PUBLIC key it already holds — the SubjectPublicKeyInfo (SPKI) of its existing SBI mTLS certificate — with the nfInstanceId its cert SAN already carries (urn:uuid:, TS 33.310 §6.1.3c) as the domain separator. DNSSEC-anchored, DANE-EE pinned to that SAME certificate, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`. Any operator, IPX or regulator then verifies the NF against a PUBLIC anchor — resolve the /128, pull its DANE pin, confirm it — without your private CA in the path, and one revoke kills a compromised NF worldwide at DNS-TTL. The /128 drops straight into the NFProfile's ipv6Addresses field — no NRF API change, no re-keying, no second CA. It complements TS 33.501 mTLS + OAuth2, TS 33.310 NF certs, the NRF and the SEPP; it never replaces them. ## Shipped & live Derive a /128 from your NF's PUBLIC key + its nfInstanceId as the generic `device_id`. The private key never leaves the NF — only the public SPKI is an input, and the identity is a property-level derivation (a deterministic, tenant-bound, forge-proof function of the public key + nfInstanceId). SHIPPED & LIVE: the NF-derived /128, keyless verify / RDAP, the read-only attribution graph (whisper.identify / origins / walk / variants / history), the control plane (connect / policy / firewall / budget / logs / lookups / revoke), and the SIEM export to Splunk (signed JSON -> CEF/ECS). Every mint and every revocation lands in a public, append-only RFC 6962 Merkle transparency log with Ed25519-signed, Bitcoin-anchored checkpoints (tamper-evident and independently co-signable via the C2SP tlog-witness protocol; not yet independently witnessed). ROADMAP, labelled as such: a first-class typed `--nf-instance` CLI flag, and the Microsoft Sentinel / OpenCTI / STIX 2.1-over-TAXII export connectors. ## Pages - / Home — give every NF an identity it can prove, across operators - /nf-impersonation NF impersonation & interconnect abuse, cured — the address is the NF - /platform The three planes + where they fit the NRF, PKI and SEPP you already run - /for-operators For operators: mTLS proves the NF at the handshake — the DNS, route and log need an anchor too - /compare Honest comparison vs signaling firewalls, 5G-core firewalls & operator PKI/SEPP - /pricing Flat, predictable, per-NF pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Docs - /docs Telecom docs overview - /docs/nf-identity NF identity — how the /128 is derived from the NF's key + nfInstanceId - /docs/nf-impersonation-cure The NF-impersonation cure — the same identity at the rogue-NRF / SBI boundary - /docs/telecom-integrations Platform integrations — NRF · SEPP · CAMARA/NEF · O-RAN - /docs/telecom-compliance NESAS · SCAS · NIS2 · EU 5G Toolbox — the honest DIRECT-ADDITIVE / COMPLEMENTARY / DO-NOT-CLAIM map - /docs/telecom-recipes Verify · attribute · govern — six copy-paste recipes, runnable today Every page above also has a clean Markdown twin at the same path with a .md suffix. ## Verify an NF's identity yourself (keyless — no API key, real value) whisper verify --trustless # re-derived to the IANA DNSSEC root dig -x # forward-confirmed reverse DNS names the NF dig +short TLSA _443._tcp. # the DANE-EE 3 1 1 pin on the NF's own cert curl https://whisper.online/verify-identity/ # {"is_whisper_agent":true,"dane_ok":true,...} curl https://whisper.online/ip/ # RDAP + ownership history curl https://whisper.online/ip//lookups # who has been resolving this NF's identity ## Provision & govern (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query Header: X-API-Key: whisper_live_xxx # your key — redacted here # Mint the NF identity: device_id = the nfInstanceId (the urn:uuid already in the cert SAN). # Idempotent — same key + nfInstanceId returns the SAME /128; a different nfInstanceId -> 409; # a non-string device_id -> 400 (never an opaque 500). CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'', device_id:''}}) CALL whisper.agents({op:'policy', args:{...}}) # default-deny egress; allow only SBI peers CALL whisper.agents({op:'firewall', args:{...}}) # allow/deny by host, cidr or port CALL whisper.agents({op:'budget', args:{...}}) # cap egress + arm the kill-switch CALL whisper.agents({op:'logs', args:{...}}) # the NF's own outbound activity CALL whisper.agents({op:'lookups', args:{...}}) # who resolved/RDAP-queried this NF CALL whisper.agents({op:'revoke', args:{...}}) # kill worldwide at DNS-TTL, across operators # Attribution (read-only) — name the operator behind a rotating peer egress, survives IP rotation: CALL whisper.identify("") Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.