# NF impersonation & interconnect abuse, cured — the address is the NF

> Any function that can *reach* your NRF can speak as any other one. The address **is** the
> NF — a routable, DNSSEC-anchored /128 the NF proves with the very key already behind its
> `urn:uuid` cert, that no peer can forge and any counterparty can verify, so a stolen token
> with no NF key behind it authenticates to **nothing**. Give every NF an identity it can
> prove — and no peer can forge. Additive to your signaling firewall, your operator PKI, and
> your SEPP.

The 5G core is a flat, all-IP HTTP/2 web-services mesh, and OAuth2 authorization to the
**NRF** — the registry every NF trusts to discover every other — is *optional by spec*
(`TS 33.501 §13`). So reachability becomes authorization: any NF that reaches the NRF can pull
any other NF's profile and impersonate it — or *deregister* a live NF for a clean, stealthy
DoS. And every NF's identity is a private-PKI TLS cert no roaming partner, IPX, or regulator
can independently verify. This is trust that was never authenticated, getting weaponized.

**We make that identity forge-proof and public.** The address **is** the NF — a routable,
DNSSEC-anchored **/128** the NF proves with the very key already behind its `urn:uuid` cert,
that no peer can forge and any counterparty can verify. A stolen token with no NF key behind
it authenticates to **nothing**. **Give every NF an identity it can prove — and no peer can
forge.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

**The wound, in six numbers:**

- **optional** — OAuth2 authorization to the 5G NRF is optional by spec (TS 33.501 §13); reachability ≈ authorization
- **$38.95B** — telecom fraud in 2023, ~2.5% of industry revenue (CFCA survey)
- **$6.23B/yr** — international revenue-share fraud alone, riding interconnect trust (CFCA)
- **100%** — of 28 tested operator networks were GTP-vulnerable (single-vendor pentest, ~2020 vintage)
- **~90%** — of tested operators leaked IMSIs over Diameter; 77% SS7 subscriber-data leakage (vendor, 2015–2019)
- **~70%** — of operators still lack the cloud-native capability the SEPP roaming fix needs (Heavy Reading, 2025)

---

## The anatomy of NF impersonation, end to end

**Not a breach — a trust fabric used exactly as designed, by a party who was never
authenticated.** No zero-day required. The 5G Service-Based Architecture is a web of
microservices, and the trust between them — and across the interconnect it still rides on —
was asserted, never proven.

1. **01 · THE MESH — a web of microservices.** The 5G `SBA` is an all-IP HTTP/2 + JSON mesh; every NF — `AMF`, `SMF`, `UPF`, `PCF`, `UDM`, `AUSF` — is a web service on the `SBI`. It inherits the entire web/API threat model.
2. **02 · THE CROWN JEWEL — the NRF, effectively open.** Every NF registers its `NFProfile` with the `NRF` and discovers peers there. OAuth2 authz to it is optional by spec (`TS 33.501 §13`) — so *reachability becomes authorization*.
3. **03 · IMPERSONATE / DELETE — become any NF, or erase one.** Reach the NRF and you can read any NF's profile and speak as it — or *deregister* a live NF's profile for a clean, stealthy DoS. Its identity is a private-PKI cert no counterparty can independently check.
4. **04 · THE LEGACY FLOOR — SS7 / Diameter / GTP, trust by default.** The interconnect the core still interworks with has *no mutual auth*. Independent pentests: SS7 subscriber-data leakage in 77%, IMSIs over Diameter in ~90%, 100% of 28 GTP networks vulnerable.
5. **05 · ROAMING, TRANSITIVE — your weakest partner is your risk.** Inter-PLMN traffic crosses the `SEPP` and, under `PRINS`, a semi-trusted `IPX` that can read and modify whitelisted JSON. Trust is transitive; the originating NF isn't independently verifiable — and ~70% of operators lack the cloud-native capability the SEPP needs.
6. **06 · THE NEW FRONT DOOR — CAMARA / Open Gateway.** SIM-swap, number-verify, location and `QoD` are now public developer APIs — the full API threat model (`BOLA`, shadow endpoints, mis-scoped tokens) exposed at the network's northbound edge.

```
the shape — reachability standing in for authorization, then unattributed persistence

  Any NF that reaches ──02──▶  NRF (OAuth2 optional)  ──03──▶  read any NFProfile
  the NRF                      the registry of trust           speak as any NF
       │                       TS 33.501 §13                   or deregister one = DoS
       │ 04 legacy floor: SS7 / Diameter / GTP — no mutual auth          │
       │ 05 roaming: SEPP + semi-trusted IPX (PRINS) — transitive trust  │
       │ 06 front door: CAMARA / Open Gateway — BOLA, mis-scoped tokens  ▼
       ▼                                                        04 · Act
  egress rotates AWS·GCP·Azure + IPX + residential      intercept · track · redirect user-plane
  — last IP is a decoy                                  IRSF / AIT · DoS
                                                                │
                                                                ▼
                                                     Unattributed persistence
                                                     no verifiable/revocable identity
                                                     no cross-operator proof of who
                                                     only slow, manual de-peering
```

Every step leans on one structural fact: an NF's identity is a *private-PKI assertion no
outside party can verify*, so reachability keeps standing in for authorization — inside the
SBA, and across the roaming border where independent verification matters most. And the
endgame isn't the intrusion. It's *unattributed persistence*: an action bound to no
verifiable, revocable identity, with no cross-operator proof of *who* and no fast federated
kill-switch — only slow, manual de-peering. Nation-state-class interconnect campaigns have
stayed unattributed and un-evicted for years on exactly this vacuum — class-level, the
pattern, not a name.

---

## Why detection always lags

**Stop detecting the impersonation. Make the NF prove itself.** A signaling firewall scores
the *message*; a scanner scores the *behavior*. Both are a step behind a credential that is
genuinely valid, because to your core an impersonating NF *is* a valid NF. The only
strictly-stronger move is to change what the SBI trusts.

**Today · the SBI trusts a private-PKI cert and a bearer token.** Mutual TLS proves the NF at
the handshake — but only inside *one operator's private CA*. No roaming partner, IPX, or
regulator can chain that identity to a public anchor without bilateral cross-certification,
and a JWS access token is a bearer instrument: whoever holds it can present it. Reachability
stands in for authorization, and the source IP that *might* have narrowed it down is
disposable.

**Tomorrow · the SBI authorizes an NF that proves itself against a public anchor.** Bind
authority to an identity the NF *holds* and can demonstrate cryptographically — the same key
already behind its `urn:uuid:<nfInstanceId>` cert — anchored in the public DNSSEC root, not a
hidden operator CA. Now a request either proves it is the NF it claims to be, *to any
counterparty*, or it has no authority at all — before a single detection rule runs.

> **"3GPP already mandates mutual TLS on the SBI and puts the nfInstanceId UUID in the cert
> SAN. Why isn't that enough?"**
>
> Because the trust is privately rooted and stops at your CA. `TS 33.310 §6.1.3c` binds
> `nfInstanceId` ↔ key ↔ endpoint in a cert — but signed by the operator-private CA only,
> unverifiable to outsiders without bilateral cross-certification. And the DNS layer NF
> discovery rides on isn't signed: spoof it and you redirect to a *rogue NRF* or a forged
> token-issuer URL. Whisper keeps 3GPP's identity and adds what it lacks: a DNSSEC/DANE anchor
> any outside party can check, and a one-call cross-operator revoke.

That identity already has a home on the network you run: an address — the `ipv6Addresses`
field already in every `NFProfile`. Here is how the NF's own key becomes an address no peer
can forge.

---

## The root-cause cure — bind the NF's identity to its nfInstanceId /128

Whisper has one primitive: **the address is the identity.** A routable IPv6 **/128** out of
`2a04:2a01::/32` (announced by **AS219419**), deterministically derived from a key,
DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered — re-derivable and verifiable by
anyone with `dig`. `whisper verify --trustless` checks it against the IANA root; *our own API
is not in the trust path.*

**Point it at the NF.** Derive each NF's /128 from the key it *already* holds — the mTLS key
behind the `urn:uuid:<nfInstanceId>` `subjectAltName` in its SBA certificate
(**TS 33.310 §6.1.3c**) — passing the **nfInstanceId as the `device_id` domain separator**.
The private key never leaves the NF; the /128 is a one-way function of its public half and the
UUID. The address drops straight into the `NFProfile`'s `ipv6Addresses` field, and its DANE
TLSA record pins the *very cert the NF already presents* — so the operator-private identity
becomes globally, third-party verifiable, with **no NRF API change and no new CA**. A roaming
partner or regulator resolves the /128, pulls the DANE pin, and confirms "this address is
NF X" without ever touching your private CA.

```
the SBI checks the function, not the bearer

  Home NF / consumer ──identity proven ✓──▶ ┌──────────────────────────┐ ──✓──▶ Call served
  proves the target /128                    │ SBI / N32 border         │        to the real NF
  mutual auth · DANE-EE 3 1 1               │ authorizes on NF's /128  │        ✓ request lands
                                            │ DANE pins the urn:uuid   │
  Stolen token   ──can't prove /128 ✗──────▶│ cert · public anchor     │ ──✗──▶ Rejected
  valid JWS bearer, no NF key               │ complements mTLS+OAuth2  │        no identity behind token
  = a claim, not a function                 │ never the SS7/AKA plane  │        ✗ authenticates to nothing
                                            └──────────────────────────┘
                        op:revoke → the /128 is gone worldwide at DNS-TTL
```

The nfInstanceId UUID is already bound to the NF's key in its SBA cert — a good key-derived
name trapped in a private, cross-operator-unverifiable root. Whisper binds it to a routable,
publicly verifiable /128 and gives it the cross-operator revoke private CRLs and OCSP never
had. Same UUID, same address field, same cert — anchored in the public DNSSEC root. One leaf
key per identity; never a shared root. Whisper anchors the IP/DNS/transport boundary and never
inspects an SS7/Diameter/GTP message, never touches the 5G-AKA / UICC subscriber plane or the
air interface.

What becomes true the moment an NF holds one:

- **Reachability stops being authorization.** A peer that reaches the NRF still can't present an NF identity whose key it doesn't hold. Every forgery is a DNSSEC/DANE inconsistency any counterparty catches.
- **IP rotation becomes irrelevant.** Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds, IPX or residential proxies, changes nothing.
- **Stolen tokens fail.** A minted or replayed JWS bearer with no NF key behind it authenticates to nothing. The SBI checks the *function*, not the bearer.
- **One `revoke` kills a compromised NF everywhere** — at DNS-TTL speed, across operator boundaries: `dig -x` returns nothing; verify returns false. The federated kill-switch private CRLs/OCSP never had.

> **"A leaked OAuth token or a compromised roaming peer looks legitimate — how do you catch
> abuse that passes auth?"**
>
> You bind authority to the NF, not the bearer. A state-changing call terminates
> mutually-authenticated to the *target NF's* /128, whose DANE pin any counterparty can check
> against the public root — so a token can't reach an `nfInstanceId` it can't cryptographically
> address. A request that passes auth but can't prove the identity never had authority in the
> first place. At the `N32` border, the same pin lets the home operator verify a peer NF or
> SEPP against a public anchor instead of trusting the IPX's assertion.

**Attaches to what you already run — it does not replace it.** Whisper complements the anchors
3GPP mandates — the operator PKI and its CMPv2 enrolment, mutual TLS on the SBI, the
OAuth2/NRF authorization server, the SEPP and N32/PRINS. It is the publicly verifiable,
DNSSEC/DANE-anchored layer *on top*, at the trust boundaries where independent verification
matters most — NF discovery/DNS, the N32 roaming border, NEF exposure, management. You can
**DANE-pin the same NF or NRF cert** your core already presents and cut single-CA and
rogue-NRF risk.

**A near-literal drop-in for how the SBA already addresses NFs.** The /128 goes into the
`NFProfile` `ipv6Addresses` field the NRF already stores; the DANE TLSA pins the `urn:uuid`
cert the NF already presents — same UUID, same address field, same cert identity, anchored in
the public DNSSEC root instead of a hidden operator CA. The same DANE pin anchors a **SEPP**'s
`N32-c` endpoint (hardening the spoofing vector **GSMA FS.36** names), an **O-RAN**
component's `O1`/`O2`/`A1` mTLS — where multi-vendor disaggregation multiplies the CAs that
must trust each other and WG11's Zero-Trust Architecture makes Identity its first pillar — and
a **CAMARA / Open Gateway** northbound endpoint. Proposed integrations at the IP and DNS
boundary; no NRF API change.

**The nfInstanceId is the public index — the /128 is its cryptographic counterpart.** The
`nfInstanceId` is a structured UUID flowing through every NRF registration and discovery;
useful for interoperability, but not a secret. The /128 is bound to the NF's key *as well as*
the UUID — so the UUID alone yields nothing. You cannot go `nfInstanceId` → /128 without the
key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never
the NF's whereabouts. Because the derivation is **tenant-bound**, the same vendor NF under two
operators yields two unrelated /128s — no one can link an instance across networks.

**Lifecycle, end to end — and nothing issued in the dark.** Enrolment → in-life discovery →
incident `revoke`. An NF scale-out or software upgrade re-keys to a new /128 and revokes the
old one; a decommission or a change of roaming partner is one `revoke` and a re-register.
Compromise one NF and you've compromised *that NF*, not the mesh — the impersonation failure
mode is structurally removed. Every mint and every revoke lands in a public, append-only
Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — an auditable
NF-identity trail for NIS2 incident reporting and your regulator. *Honest status:*
tamper-evident today; independent witnessing is the next step. And you can **sign an NF's SCAS
logs** to its /128 so a PSIRT can prove which exact instance emitted them.

> **"Is a first-class `--nf-instance-id` flag shipping today, or is this a roadmap slide?"**
>
> Shipped & live today: derive a /128 from the NF's public key with its `nfInstanceId` passed
> as `device_id` — DNSSEC + DANE-EE + RDAP, verifiable trustless from the IANA root, revocable
> in one call. A dedicated typed `--nf-instance-id` CLI/API argument is on the roadmap; the
> control-plane call in the 60-second proof below runs as-is.

Maps to **TS 33.501** mTLS-on-SBI and its OAuth2/NRF authz (hardening the DNS beneath NF
discovery so tokens can't be redirected to a spoofed issuer), the **TS 33.310** NF cert
identity, **GSMA FS.36** at the N32 border, **EU NIS2** Art.21/23, the **EU 5G Toolbox TM02**,
and **NSA/CISA ESF 5G Cloud** per-NF micro-segmentation — delivered as a network primitive,
not a compliance binder. [See the compliance map →](/for-operators)

---

## The attribution companion — name whoever already got in

**Identity stops the next impersonation. The graph names whoever already got in.** You won't
re-anchor every NF and every roaming peer by Monday, and interconnect abuse is unattributed
*by design*. So the same platform back-traces the operator behind the egress you already
logged — attribution that *survives* the rotation, because it fingerprints the operator and
the tooling, not the ephemeral IP. This is exactly the gap that keeps nation-state-class
interconnect campaigns unattributed for years (class-level — the pattern, not a name).

**The answer — the graph, not another GT block.** A live internet-infrastructure graph —
billions of nodes and tens of billions of relationships of fused BGP, DNS, WHOIS, TLS, hosting
and threat intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP.
Two levers, kept honestly separate: for **cloud / IPX rotation** the graph clusters shared
ASN, hosting and certificate lineage into one infrastructure genealogy; for a
**residential-proxy swarm** — where a subscriber IP gives an infra graph nothing to grab — a
`JA4/JA3` client fingerprint travels with the *tooling* regardless of the exit and collapses
the swarm to one operator.

**And it's a question, not a signature.** Express interconnect abuse directly — *"one source
touching N distinct NF or peer identities in a window"* — as read-only Cypher, and the graph
returns the operator with a reproducible evidence chain your core SOC, your `PSIRT`, your
auditors and a regulator can replay — the cryptographic attribution **NIS2 Art.23**'s 24-hour
/ 72-hour / one-month reporting clock needs.

```bash
# ask the graph the interconnect question directly — read-only Cypher (schema illustrative) over the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"MATCH (src)-[t:TOUCHED]->(n:NfIdentity)
    WHERE t.window = \"15m\" WITH src, count(DISTINCT n) AS nfs
    WHERE nfs > 50 RETURN src, nfs ORDER BY nfs DESC"}'
  operator <fingerprinted>   1 source → 2,187 distinct NF identities / 15m
  egress:  AWS eu-central → GCP europe-w4 → Azure westeu   (collapsed to 1)
  ja4:     same tooling across 41 residential exits → 1 operator
  reproducible, replayable JSON evidence chain → your SIEM / PSIRT
```

> **"When a peer rotates IPX hops and fresh cloud IPs, can you actually attribute it — or just
> block a GT and move on?"**
>
> Attribute it. Infrastructure genealogy collapses the cloud / IPX rotation; a JA4 client
> fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on
> — so the rotation that hides them from your core SOC is exactly what the graph reads through.

**And before the impersonation even lands:** `op:lookups` returns *who* resolved or
RDAP-queried an NF's identity — the `PTR`/`AAAA`/`TLSA` and RDAP accesses against its records.
It's a reconnaissance tripwire that catches a peer enumerating your NFs *in recon*, not a
post-mortem after the impersonation — the early warning a private NRF never gave you. The
read-only graph verbs your analysts run — or your agent runs for them: `identify(ip)` (who
really operates a host, even behind a CDN) · `origins(prefix)` + `walk(node,depth)` (cluster
rotating IPs into one genealogy) · `history` / `watch` (a timeline and a standing sentinel
over a suspect operator or IPX). Every answer is reproducible, replayable JSON: the
incident-reporting paper trail, not a screenshot.

Identity is the cure; the graph is how you attribute what got in before it, and catch the peer
who tries anyway. Detection made durable, on top of a root-cause fix.

---

## Where this bites hardest — and where it honestly does not

An identity layer is not a silver bullet, and a telecom buyer has heard enough of those. Here
is exactly where a forge-proof, publicly verifiable NF identity changes the game — and where
it does not.

**Bites hardest · impersonation & unattributed persistence.** A stolen token or compromised
peer that *can't prove the NF* authenticates to nothing — so it can't become a function it
isn't, and the forgery is detectable at *every* counterparty, not just inside one operator.
And an action that once bound to no verifiable, revocable identity now carries one:
cross-operator attribution plus a one-call federated revoke collapse the slow-manual-de-peering
endgame. This is a *spec-level* gap — the identity / attribution / revocation vacuum — that
persists *after* your signaling firewall and your SEPP are both deployed and working.

**Does not stop · the below-identity-layer, nation-state class.** A router or edge implant
*beneath* the identity plane, a stolen management credential, or persistence under the
transport boundary are **not** stopped by an identity layer alone. Campaigns of that class have
reportedly reached 80+ countries and hundreds of organisations and gone years unattributed and
un-evicted — we cite them only as proof that attribution and eviction are *real, unsolved*
problems, **never** as something Whisper would have prevented. And to be precise about the
rest: Whisper **never replaces** 3GPP mTLS + OAuth2/NRF — that is the mandatory, primary
layer; this is a *second, independent, DNS-anchored* one. It is **not** a NESAS/SCAS
certification control and **not** a CRA conformity route (a differentiator and PSIRT tool for
vendors, not a shortcut through certification). It does **nothing** for FCC rip-and-replace.
And its `revoke` kills the /128 and the egress authorization *faster* than any CRL/OCSP — but
revoking the operator's TLS cert is still your CA's job. We think saying this plainly is more
credible than a silver bullet.

---

## For the people who have to sign off

Your signaling and 5G-core firewalls tell you *that* a message or a packet flow is abusive,
inside the plane they inspect — necessary, and where that picture stops. Your operator PKI and
SEPP issue and lifecycle NF certs — privately rooted. Whisper adds the layers no one else
owns: a publicly verifiable NF identity, cross-operator attribution across rotating egress, and
cross-operator revocation at DNS-TTL — exactly the vacuum the impersonation and interconnect
attacks live in.

| | Signaling & 5G-core firewalls | Operator PKI / SEPP | Whisper |
|---|---|---|---|
| Signaling & core traffic protection (SS7/Diameter/GTP · SCTP · DoS) | ✓ | — | additive feed |
| NF identity issuance (a certificate) | — | ✓ private CA | ✓ public DNSSEC+DANE |
| **Publicly verifiable** NF identity (no cross-certification) | — | — | ✓ |
| Cross-operator attribution across rotating egress | — | — | ✓ |
| Cross-operator revocation at DNS-TTL | — | — | ✓ |

- **Feeds your SIEM and PSIRT.** The **Splunk** connector ships today — findings arrive as signed, replayable JSON mapped to CEF and ECS fields. **Microsoft Sentinel**, **OpenCTI**, and **STIX 2.1 over TAXII** export are *on the roadmap*, labeled honestly — hand a finding to a regulator or push it straight into a PSIRT workflow.
- **Speaks your compliance language.** Cryptographic attribution for **NIS2 Art.23** incident reporting; per-NF /128 micro-segmentation for **NSA/CISA ESF 5G Cloud** and CISA ZTMM's Identity + Visibility pillars; a DANE-pinned NF resolution is an **EU 5G Toolbox TM02** move; a DANE-pinned peer identity hardens the `N32-c` vector **GSMA FS.36** names. Honest: a differentiator and PSIRT tool, not a NESAS/SCAS or CRA conformity route.
- **Anti-lateral-movement by default.** A per-NF /128 with default-deny egress governance — `op:firewall` by ip/cidr/host/port, `op:budget` to cap, one-call `op:revoke` to kill — is network-layer least privilege *between* NFs: the ESF 5G Cloud "isolate the workloads" control expressed as a primitive, not a policy binder.
- **Safe in your trust path.** It rides *on top of* the mutual TLS your SBI already runs, anchoring that same identity in public DNSSEC/DANE rather than replacing your PKI — so a partner or regulator can verify an NF *outside* your CA. Built to **fail open**: a Whisper outage never drops a call — checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
- **On-prem or your own tenant.** Data residency and sovereignty by construction — the graph and the per-NF logs stay where your regulator needs them. No core telemetry leaving your boundary to a third party you never contracted.
- **A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

[See the full comparison →](/compare)

---

## Prove it in 60 seconds — no account

Two tiers, by design. **No key:** anyone can verify an NF's identity, resolve it, and
back-trace a suspicious peer — trustless, anchored at the IANA root. **Your key:** bind an NF
to the `nfInstanceId` it already carries, govern its egress, revoke it worldwide.

```bash
# keyless — re-derive and verify any NF's identity, trustless
$ whisper verify --trustless 2a04:2a01:3f::a1
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA 3 1 1) leaf matches the NF's SBA cert key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the NF — forward-confirmed reverse DNS names it
$ dig -x 2a04:2a01:3f::a1 +short
  amf-7f3a2c1d.nf.sbi.example-mno.whisper.online.

# who really operates a suspicious peer — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```bash
# bind an NF to the nfInstanceId it already carries — one control-plane call
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    -H 'content-type: application/json' --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard',
   identity_public_key:'<base64 SPKI of the NF mTLS key>',
   device_id:'3f2504e0-4f89-11d3-9a0c-0305e82c3301'}}) YIELD op, ok, result RETURN op, ok, result"}
JSON
  → identity 2a04:2a01:3f::a1   DNSSEC + DANE-EE live   # device_id = the nfInstanceId (urn:uuid)

# govern what the NF may reach; see who enumerated it; then kill it if compromised
$ whisper policy set --default deny --allow nrf.5gc.example-mno.net,scp.5gc.example-mno.net
$ curl -s https://whisper.online/ip/2a04:2a01:3f::a1/lookups   # who checked this NF (recon tripwire)
$ whisper kill --revoke 2a04:2a01:3f::a1   # worldwide, at DNS-TTL
```

[Secure your core →](https://console.whisper.security/sign-up) · [Read the docs](/docs)

---

## Give every NF an identity it can prove

The address is the NF — routable, DNSSEC-anchored, bound to the `nfInstanceId` it already
carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to
revoke. The impersonation that rides trust no one authenticated simply runs out of forgeries.

[Secure your core →](https://console.whisper.security/sign-up) · [For operators →](/for-operators)

Or run `whisper verify --trustless` right now.

---

*Whisper for Telecom — identity on the wire for the 5G core & interconnect. AS219419 · 2a04:2a01::/32.
© viaGraph B.V. (dba Whisper Security).*
