Any function that can reach your NRF can speak as any other one.
The 5G core is a flat, all-IP HTTP/2 web-services mesh, and OAuth2 authorization to the NRF — the registry every NF trusts to discover every other — is optional by spec (TS 33.501 §13). So reachability becomes authorization: any NF that reaches the NRF can pull any other NF's profile and impersonate it — or deregister a live NF for a clean, stealthy DoS. And every NF's identity is a private-PKI TLS cert no roaming partner, IPX, or regulator can independently verify. This is trust that was never authenticated, getting weaponized.
urn:uuid cert, that no peer can forge and any counterparty can verify. A stolen token with no NF key behind it authenticates to nothing. Give every NF an identity it can prove — and no peer can forge.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
Not a breach — a trust fabric used exactly as designed, by a party who was never authenticated.
No zero-day required. The 5G Service-Based Architecture is a web of microservices, and the trust between them — and across the interconnect it still rides on — was asserted, never proven.
A web of microservices
The 5G SBA is an all-IP HTTP/2 + JSON mesh; every NF — AMF, SMF, UPF, PCF, UDM, AUSF — is a web service on the SBI. It inherits the entire web/API threat model.
The NRF, effectively open
Every NF registers its NFProfile with the NRF and discovers peers there. OAuth2 authz to it is optional by spec (TS 33.501 §13) — so reachability becomes authorization.
Become any NF, or erase one
Reach the NRF and you can read any NF's profile and speak as it — or deregister a live NF's profile for a clean, stealthy DoS. Its identity is a private-PKI cert no counterparty can independently check.
SS7 / Diameter / GTP, trust by default
The interconnect the core still interworks with has no mutual auth. Independent pentests: SS7 subscriber-data leakage in 77%, IMSIs over Diameter in ~90%, 100% of 28 GTP networks vulnerable.
Your weakest partner is your risk
Inter-PLMN traffic crosses the SEPP and, under PRINS, a semi-trusted IPX that can read and modify whitelisted JSON. Trust is transitive; the originating NF isn't independently verifiable — and ~70% of operators lack the cloud-native capability the SEPP needs.
CAMARA / Open Gateway
SIM-swap, number-verify, location and QoD are now public developer APIs — the full API threat model (BOLA, shadow endpoints, mis-scoped tokens) exposed at the network's northbound edge.
Every step leans on one structural fact: an NF's identity is a private-PKI assertion no outside party can verify, so reachability keeps standing in for authorization — inside the SBA, and across the roaming border where independent verification matters most. And the endgame isn't the intrusion. It's unattributed persistence: an action bound to no verifiable, revocable identity, with no cross-operator proof of who and no fast federated kill-switch — only slow, manual de-peering. Nation-state-class interconnect campaigns have stayed unattributed and un-evicted for years on exactly this vacuum — class-level, the pattern, not a name.
Stop detecting the impersonation. Make the NF prove itself.
A signaling firewall scores the message; a scanner scores the behavior. Both are a step behind a credential that is genuinely valid, because to your core an impersonating NF is a valid NF. The only strictly-stronger move is to change what the SBI trusts.
Mutual TLS proves the NF at the handshake — but only inside one operator's private CA. No roaming partner, IPX, or regulator can chain that identity to a public anchor without bilateral cross-certification, and a JWS access token is a bearer instrument: whoever holds it can present it. Reachability stands in for authorization, and the source IP that might have narrowed it down is disposable.
Tomorrow · the SBI authorizes an NF that proves itself against a public anchor. Bind authority to an identity the NF holds and can demonstrate cryptographically — the same key already behind its urn:uuid:<nfInstanceId> cert — anchored in the public DNSSEC root, not a hidden operator CA. Now a request either proves it is the NF it claims to be, to any counterparty, or it has no authority at all — before a single detection rule runs.
"3GPP already mandates mutual TLS on the SBI and puts the nfInstanceId UUID in the cert SAN. Why isn't that enough?"
Because the trust is privately rooted and stops at your CA. TS 33.310 §6.1.3c binds nfInstanceId ↔ key ↔ endpoint in a cert — but signed by the operator-private CA only, unverifiable to outsiders without bilateral cross-certification. And the DNS layer NF discovery rides on isn't signed: spoof it and you redirect to a rogue NRF or a forged token-issuer URL. Whisper keeps 3GPP's identity and adds what it lacks: a DNSSEC/DANE anchor any outside party can check, and a one-call cross-operator revoke.
That identity already has a home on the network you run: an address — the ipv6Addresses field already in every NFProfile. Here is how the NF's own key becomes an address no peer can forge.
The key already in the NF becomes an address any peer can verify.
Whisper has one primitive: the address is the identity. A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.
Point it at the NF. Derive each NF's /128 from the key it already holds — the mTLS key behind the urn:uuid:<nfInstanceId> subjectAltName in its SBA certificate (TS 33.310 §6.1.3c) — passing the nfInstanceId as the device_id domain separator. The private key never leaves the NF; the /128 is a one-way function of its public half and the UUID. The address drops straight into the NFProfile's ipv6Addresses field, and its DANE TLSA record pins the very cert the NF already presents — so the operator-private identity becomes globally, third-party verifiable, with no NRF API change and no new CA. A roaming partner or regulator resolves the /128, pulls the DANE pin, and confirms "this address is NF X" without ever touching your private CA.
Reachability stops being authorization
A peer that reaches the NRF still can't present an NF identity whose key it doesn't hold. Every forgery is a DNSSEC/DANE inconsistency any counterparty catches.
IP rotation becomes irrelevant
Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds, IPX or residential proxies, changes nothing.
Stolen tokens fail
A minted or replayed JWS bearer with no NF key behind it authenticates to nothing. The SBI checks the function, not the bearer.
One revoke kills a compromised NF everywhere
At DNS-TTL speed, across operator boundaries: dig -x returns nothing; verify returns false. The federated kill-switch private CRLs/OCSP never had.
"A leaked OAuth token or a compromised roaming peer looks legitimate — how do you catch abuse that passes auth?"
You bind authority to the NF, not the bearer. A state-changing call terminates mutually-authenticated to the target NF's /128, whose DANE pin any counterparty can check against the public root — so a token can't reach an nfInstanceId it can't cryptographically address. A request that passes auth but can't prove the identity never had authority in the first place. At the N32 border, the same pin lets the home operator verify a peer NF or SEPP against a public anchor instead of trusting the IPX's assertion.
NFProfile ipv6Addresses field the NRF already stores; the DANE TLSA pins the urn:uuid cert the NF already presents — same UUID, same address field, same cert identity, anchored in the public DNSSEC root instead of a hidden operator CA. The same DANE pin anchors a SEPP's N32-c endpoint (hardening the spoofing vector GSMA FS.36 names), an O-RAN component's O1/O2/A1 mTLS — where multi-vendor disaggregation multiplies the CAs that must trust each other and WG11's Zero-Trust Architecture makes Identity its first pillar — and a CAMARA / Open Gateway northbound endpoint. Proposed integrations at the IP and DNS boundary; no NRF API change.nfInstanceId is a structured UUID flowing through every NRF registration and discovery; useful for interoperability, but not a secret. The /128 is bound to the NF's key as well as the UUID — so the UUID alone yields nothing. You cannot go nfInstanceId → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the NF's whereabouts. Because the derivation is tenant-bound, the same vendor NF under two operators yields two unrelated /128s — no one can link an instance across networks.revoke. An NF scale-out or software upgrade re-keys to a new /128 and revokes the old one; a decommission or a change of roaming partner is one revoke and a re-register. Compromise one NF and you've compromised that NF, not the mesh — the impersonation failure mode is structurally removed. Every mint and every revoke lands in a public, append-only Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — an auditable NF-identity trail for NIS2 incident reporting and your regulator. Honest status: tamper-evident today; independent witnessing is the next step. And you can sign an NF's SCAS logs to its /128 so a PSIRT can prove which exact instance emitted them."Is a first-class --nf-instance-id flag shipping today, or is this a roadmap slide?"
Shipped & live today: derive a /128 from the NF's public key with its nfInstanceId passed as device_id — DNSSEC + DANE-EE + RDAP, verifiable trustless from the IANA root, revocable in one call. A dedicated typed --nf-instance-id CLI/API argument is on the roadmap; the control-plane call in the 60-second proof below runs as-is.
Maps to TS 33.501 mTLS-on-SBI and its OAuth2/NRF authz (hardening the DNS beneath NF discovery so tokens can't be redirected to a spoofed issuer), the TS 33.310 NF cert identity, GSMA FS.36 at the N32 border, EU NIS2 Art.21/23, the EU 5G Toolbox TM02, and NSA/CISA ESF 5G Cloud per-NF micro-segmentation — delivered as a network primitive, not a compliance binder. See the compliance map →
Identity stops the next impersonation. The graph names whoever already got in.
You won't re-anchor every NF and every roaming peer by Monday, and interconnect abuse is unattributed by design. So the same platform back-traces the operator behind the egress you already logged — attribution that survives the rotation, because it fingerprints the operator and the tooling, not the ephemeral IP. This is exactly the gap that keeps nation-state-class interconnect campaigns unattributed for years (class-level — the pattern, not a name).
A live internet-infrastructure graph — billions of nodes and tens of billions of relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud / IPX rotation the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator.
And it's a question, not a signature. Express interconnect abuse directly — "one source touching N distinct NF or peer identities in a window" — as read-only Cypher, and the graph returns the operator with a reproducible evidence chain your core SOC, your PSIRT, your auditors and a regulator can replay — the cryptographic attribution NIS2 Art.23's 24-hour / 72-hour / one-month reporting clock needs.
# ask the graph the interconnect question directly — read-only Cypher (schema illustrative) over the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"MATCH (src)-[t:TOUCHED]->(n:NfIdentity)
WHERE t.window = \"15m\" WITH src, count(DISTINCT n) AS nfs
WHERE nfs > 50 RETURN src, nfs ORDER BY nfs DESC"}'
operator <fingerprinted> 1 source → 2,187 distinct NF identities / 15m
egress: AWS eu-central → GCP europe-w4 → Azure westeu (collapsed to 1)
ja4: same tooling across 41 residential exits → 1 operator
reproducible, replayable JSON evidence chain → your SIEM / PSIRT
"When a peer rotates IPX hops and fresh cloud IPs, can you actually attribute it — or just block a GT and move on?"
Attribute it. Infrastructure genealogy collapses the cloud / IPX rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on — so the rotation that hides them from your core SOC is exactly what the graph reads through.
And before the impersonation even lands: op:lookups returns who resolved or RDAP-queried an NF's identity: the PTR/AAAA/TLSA and RDAP accesses against its records. It's a reconnaissance tripwire that catches a peer enumerating your NFs in recon, not a post-mortem after the impersonation; the early warning a private NRF never gave you. The read-only graph verbs your analysts run (or your agent runs for them): identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel over a suspect operator or IPX). Every answer is reproducible, replayable JSON: the incident-reporting paper trail, not a screenshot.
Identity is the cure; the graph is how you attribute what got in before it, and catch the peer who tries anyway. Detection made durable, on top of a root-cause fix.
Where this bites hardest — and where it honestly does not.
An identity layer is not a silver bullet, and a telecom buyer has heard enough of those. Here is exactly where a forge-proof, publicly verifiable NF identity changes the game — and where it does not.
A stolen token or compromised peer that can't prove the NF authenticates to nothing — so it can't become a function it isn't, and the forgery is detectable at every counterparty, not just inside one operator. And an action that once bound to no verifiable, revocable identity now carries one: cross-operator attribution plus a one-call federated revoke collapse the slow-manual-de-peering endgame. This is a spec-level gap — the identity / attribution / revocation vacuum — that persists after your signaling firewall and your SEPP are both deployed and working.
A router or edge implant beneath the identity plane, a stolen management credential, or persistence under the transport boundary are not stopped by an identity layer alone. Campaigns of that class have reportedly reached 80+ countries and hundreds of organisations and gone years unattributed and un-evicted — we cite them only as proof that attribution and eviction are real, unsolved problems, never as something Whisper would have prevented.
And to be precise about the rest: Whisper never replaces 3GPP mTLS + OAuth2/NRF — that is the mandatory, primary layer; this is a second, independent, DNS-anchored one. It is not a NESAS/SCAS certification control and not a CRA conformity route (a differentiator and PSIRT tool for vendors, not a shortcut through certification). It does nothing for FCC rip-and-replace. And its revoke kills the /128 and the egress authorization faster than any CRL/OCSP — but revoking the operator's TLS cert is still your CA's job. We think saying this plainly is more credible than a silver bullet.
Additive to your core security. Mapped to your standards. Availability-safe by construction.
Your signaling and 5G-core firewalls tell you that a message or a packet flow is abusive, inside the plane they inspect — necessary, and where that picture stops. Your operator PKI and SEPP issue and lifecycle NF certs — privately rooted. Whisper adds the layers no one else owns: a publicly verifiable NF identity, cross-operator attribution across rotating egress, and cross-operator revocation at DNS-TTL — exactly the vacuum the impersonation and interconnect attacks live in.
| Signaling & 5G-core firewalls | Operator PKI / SEPP | Whisper | |
|---|---|---|---|
| Signaling & core traffic protection (SS7/Diameter/GTP · SCTP · DoS) | ✓ | — | additive feed |
| NF identity issuance (a certificate) | — | ✓ private CA | ✓ public DNSSEC+DANE |
| Publicly verifiable NF identity (no cross-certification) | — | — | ✓ |
| Cross-operator attribution across rotating egress | — | — | ✓ |
| Cross-operator revocation at DNS-TTL | — | — | ✓ |
Feeds your SIEM and PSIRT
The Splunk connector ships today — findings arrive as signed, replayable JSON mapped to CEF and ECS fields. Microsoft Sentinel, OpenCTI, and STIX 2.1 over TAXII export are on the roadmap, labeled honestly — hand a finding to a regulator or push it straight into a PSIRT workflow.
Speaks your compliance language
Cryptographic attribution for NIS2 Art.23 incident reporting; per-NF /128 micro-segmentation for NSA/CISA ESF 5G Cloud and CISA ZTMM's Identity + Visibility pillars; a DANE-pinned NF resolution is an EU 5G Toolbox TM02 move; a DANE-pinned peer identity hardens the N32-c vector GSMA FS.36 names. Honest: a differentiator and PSIRT tool, not a NESAS/SCAS or CRA conformity route.
Anti-lateral-movement by default
A per-NF /128 with default-deny egress governance — op:firewall by ip/cidr/host/port, op:budget to cap, one-call op:revoke to kill — is network-layer least privilege between NFs: the ESF 5G Cloud "isolate the workloads" control expressed as a primitive, not a policy binder.
Safe in your trust path
It rides on top of the mutual TLS your SBI already runs, anchoring that same identity in public DNSSEC/DANE rather than replacing your PKI — so a partner or regulator can verify an NF outside your CA. Built to fail open: a Whisper outage never drops a call — checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
On-prem or your own tenant
Data residency and sovereignty by construction — the graph and the per-NF logs stay where your regulator needs them. No core telemetry leaving your boundary to a third party you never contracted.
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone can verify an NF's identity, resolve it, and back-trace a suspicious peer — trustless, anchored at the IANA root. Your key: bind an NF to the nfInstanceId it already carries, govern its egress, revoke it worldwide.
# keyless — re-derive and verify any NF's identity, trustless
$ whisper verify --trustless 2a04:2a01:3f::a1
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the NF's SBA cert key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the NF — forward-confirmed reverse DNS names it
$ dig -x 2a04:2a01:3f::a1 +short
amf-7f3a2c1d.nf.sbi.example-mno.whisper.online.
# who really operates a suspicious peer — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
# bind an NF to the nfInstanceId it already carries — one control-plane call
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
-H 'content-type: application/json' --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the NF mTLS key>',
device_id:'3f2504e0-4f89-11d3-9a0c-0305e82c3301'}}) YIELD op, ok, result RETURN op, ok, result"}
JSON
→ identity 2a04:2a01:3f::a1 DNSSEC + DANE-EE live # device_id = the nfInstanceId (urn:uuid)
# govern what the NF may reach; see who enumerated it; then kill it if compromised
$ whisper policy set --default deny --allow nrf.5gc.example-mno.net,scp.5gc.example-mno.net
$ curl -s https://whisper.online/ip/2a04:2a01:3f::a1/lookups # who checked this NF (recon tripwire)
$ whisper kill --revoke 2a04:2a01:3f::a1 # worldwide, at DNS-TTL
Give every NF an identity it can prove.
The address is the NF — routable, DNSSEC-anchored, bound to the nfInstanceId it already carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke. The impersonation that rides trust no one authenticated simply runs out of forgeries.
Or run whisper verify --trustless right now.