# Your core doesn't need another firewall. Your NFs need an identity every peer can prove.

Signaling firewalls and SEPPs stack up — and none of them makes your AMF verifiable to a roaming partner, an IPX hub, or a regulator. mTLS proves an NF only to counterparties that already trust your private CA; OAuth2 authorization at the NRF is optional by spec, so on the flat SBA mesh reachability drifts into authorization; attribution stops at the signaling plane; and revocation is a per-operator CRL that never crosses a boundary. Whisper isn't another firewall. It's one primitive — the address is the identity — expressed as three planes that ride on top of the NRF, PKI and SEPP you already run.

Derive an NF's identity once from the key already behind its SBA certificate — the same cert whose SAN carries `urn:uuid:<nfInstanceId>`; verify it anywhere with `dig`. That one primitive becomes three planes — identity, an attribution graph that survives IPX and cloud rotation, and default-deny egress governance — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path — and never replaces your mTLS or OAuth2.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

## Everything below derives from one line: the address is the identity.

A routable IPv6 /128 out of `2a04:2a01::/32` (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.

The 5G core already hands every network function a resolvable identity: an `nfInstanceId` (a UUID), an FQDN and an `ipv6Addresses` list in the NFProfile it registers with the NRF, all bound to the key in its mandatory SBA certificate. It is cryptographically strong — and privately rooted. Every chain terminates at an operator or vendor CA, unverifiable to any outsider, and it breaks at exactly the multi-party boundaries — roaming, IPX, multi-vendor RAN — where independent verification matters most. Whisper starts from the other end: it anchors that same identity — the same key, the same UUID, the same address field — in the public DNSSEC root, so "is this really operator X's AMF?" stops being a matter of bilateral cross-certification and becomes a fact any peer can check with `dig`. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address.

## One address, three jobs: who is this NF, who's really behind that peer, and what may talk to what.

Identity answers who is this NF, provably, to a counterparty that has never seen your CA. The attribution graph answers who's really behind a peer that rotates across IPX hubs and clouds. Egress governance answers what may this NF talk to. Each plane is useful alone; together they close the identity, attribution and revocation vacuum every impersonation attack lives in.

### The three planes on one primitive

| Plane | Question it answers | What it exposes |
|---|---|---|
| Identity | who is this NF, provably — the NF proves it, no peer forges it, no CA to import | NF /128 · DNSSEC · DANE-EE pins the SBA cert |
| Attribution graph | who's really behind this — operator fingerprint across rotating IPX + cloud egress | identify · origins · walk · history · variants · Cypher |
| Egress governance | what may this NF talk to — every NF on its own routable address, default-deny | per-NF /128 · policy · lookups · firewall · budget · revoke |

Base primitive: **the address is the identity** — AS219419 · `2a04:2a01::/32`. Nothing here is a bolt-on connector; each plane is the same NF address answering a different question, so the identity, the attribution and the policy all agree by construction. All of it is additive: it sits on top of the mTLS + OAuth2 the SBI already mandates.

## Plane 1 — An NF identity every counterparty can verify, not a private-CA assertion only you can check.

This is the plane that closes the impersonation gap: on the SBA mesh, an NF that can reach the NRF can pull any NF's profile and speak as it, because identity is a private-PKI assertion no roaming partner, IPX hub or regulator can independently verify. Anchor the identity, not just the assertion.

Point the primitive at network functions. Derive each NF's — AMF, SMF, UPF, PCF, UDM, AUSF, NSSF, or a SEPP — /128 from the key it already holds: the non-exportable private key behind its SBA mTLS certificate, whose `subjectAltName` already carries `urn:uuid:<nfInstanceId>` (TS 33.310 §6.1.3c), with the `nfInstanceId` as the domain separator. The private key never leaves the NF; the address is a one-way function of its public half and the `nfInstanceId`. There's no re-keying, no second CA, and no NRF API change — the resulting /128 is a valid value for the NFProfile's `ipv6Addresses` field, so you register it exactly as you register any address today.

### The identity pipeline

`SBA mTLS key` (SAN `urn:uuid:<nfInstanceId>`, private key sealed) → `public key + nfInstanceId` → `/128` (`2a04:2a01:5e:0:ace::5`, routable identity) → `DNSSEC + DANE-EE` → a name any peer can verify (`whisper verify --trustless`, no private CA to import). One `op:revoke` and it is gone worldwide at DNS-TTL — the cross-operator off-switch a private CRL never had. The `nfInstanceId` is already bound to the NF's key in its certificate; Whisper binds the same key and UUID to a routable, publicly verifiable /128, and publishes a DANE TLSA record that pins the *same* SBA certificate the NF already presents.

### Pin the cert you already present — and close the gap 33.501 leaves open.

3GPP mandates mutual TLS and OAuth2 on the SBI, but it does not mandate DNSSEC or DANE on the SBA name layer — even though NF and NRF discovery ride DNS. Spoof that DNS and you can redirect an NF to a rogue NRF or forge the token-issuer URL, yielding fake token issuance, NF impersonation and N32-c spoofing. Publish a DANE-EE (TLSA 3 1 1) record in the DNSSEC-signed zone for the NF's /128, pinning the SBA certificate it already presents, and the name → address → expected-cert binding becomes cryptographic and hijack-resistant. This is the least-contestable claim on the page: a second, independent, DNS-anchored check mTLS by itself cannot give you.

> "mTLS already authenticates every NF on the SBI. Why isn't that enough?"
>
> Because it only proves the NF to counterparties that already trust your private CA. A roaming partner behind two IPX hubs, a peer operator, or a regulator cannot independently verify "this is really operator X's AMF" without bilateral cross-certification — an N² exchange of private roots. Whisper anchors the same identity — same key, same `nfInstanceId`, same address — in the public DNSSEC root, so anyone verifies it with `dig` and no one imports your CA. It is a second, independent layer, strongest exactly at the trust boundaries — NF discovery, N32/roaming, NEF exposure, management — where mTLS's private trust doesn't reach.

**A per-identity CA, not a shared root.** Each /128 carries its own leaf, deterministically derived and DANE-EE pinned — one key per NF, per SEPP, per O-RAN component. There is no issuing intermediate whose compromise mints look-alike NFs across the mesh, and no shared secret an attacker steals once to impersonate the fleet. Compromise one NF and you've compromised that NF — the single-CA mis-issuance failure mode that has burned public PKIs before is structurally removed, not merely policed.

**The `nfInstanceId` is the public index — the /128 is its cryptographic counterpart.** The `nfInstanceId` is a UUID that flows through every NFProfile registration and every discovery query; that's useful for interoperability, but it isn't a secret. The /128 is bound to the NF's key and the UUID, so the UUID alone yields nothing: you cannot go `nfInstanceId` → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the NF's live location. Because the derivation is tenant-bound, the same NF software under two operators yields two unrelated /128s — no one can link a function across PLMNs.

Attaches to what you already run — the operator CA and CMPv2 enrolment, mTLS on the SBI, OAuth2 with the NRF as authorization server, SEPP/N32/PRINS at the roaming border, O-RAN WG11 mTLS — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. It never touches the intra-SBI mesh where mTLS and the NRF already bind tight; it anchors the boundaries. Its revocation is an additional kill-switch: `op:revoke` pulls the /128, PTR and DANE pin worldwide at DNS-TTL — it does not revoke the operator TLS cert, which stays your CA's job. [Standards mapping →](/for-operators)

## Plane 2 — Attribution that survives IPX and cloud rotation, because it fingerprints the operator, not the exit.

This is the plane that closes the other gap: roaming trust is transitive and opaque through IPX hubs and partner-of-partner, so an event arriving over N32 or from a cloud-hosted peer traces back to a meaningless last IP, and the originating function deep in the peer network isn't independently verifiable.

A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud and IPX rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a rotating-egress swarm — where a residential or grey-market subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.

> "When a signaling or SBI event arrives through rotating IPX peers and fresh cloud IPs, can you actually attribute it — or just rate-limit a GT and move on?"
>
> Attribute it. Infrastructure genealogy collapses the cloud/IPX rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your core SOC, your PSIRT, your auditors and a NIS2 Art.23 incident report can hand around. Your signaling firewall attributes within the signaling plane; Whisper names the operator behind the host on the internet side, and feeds it back as an additive stream.

- **`identify(ip)`** — who really operates a host, even behind a CDN or an IPX hub, across any cloud region.
- **`origins(prefix)` + `walk(node,depth)`** — cluster rotating IPX/cloud IPs into one infrastructure genealogy for a single accountable operator.
- **`history` / `watch`** — a timeline of an operator and a standing sentinel, plus `variants(domain)` to catch a typosquat NRF or SEPP FQDN before it activates.
- **read-only Cypher** — express "one source touching N distinct NF identities in a window" as a query your agent runs, not a ticket your analyst files.

Additive to your signaling firewall, 5G-core firewall and SIEM — it does not do SS7/Diameter/GTP inspection or packet-core protection, and it does not try to. It adds the one thing those tools structurally can't: naming the operator behind a rotating internet-side egress. [Trace the full impersonation back-trace →](/nf-impersonation)

## Plane 3 — Give every NF its own address, default-deny its egress, and see who's been enumerating it.

An identity you can prove is also an identity you can govern and watch. Every NF resolves and egresses through Whisper's own graph-first resolver, so the owner controls precisely what each function may reach — a network-layer micro-perimeter — and sees exactly who looked, a reconnaissance tripwire the private NRF never gave you.

### The graph-first resolution path

An NF's egress or discovery query (source /128) enters Whisper's graph-first resolver, which applies the tenant's default-deny policy against the attribution graph (`whisper.assess` on the graph) *before* any answer leaves. Allowed names — the NRF, the SEPP, and explicitly permitted peer FQDNs — return a real DNS answer; everything else is blocked and logged (`op:logs`). Two servers, ns1 and ns2, are active-active and answer identically — two servers, one truth. A side tap surfaces `op:lookups`: who resolved or RDAP-queried this NF's own identity — a reconnaissance tripwire, before impersonation.

- **Who enumerated this NF is a query** — `op:lookups` returns who resolved or RDAP-queried an NF's identity, early warning that someone is mapping your NRF and NF fleet, not a post-mortem after the impersonation lands.
- **A network-layer micro-perimeter per NF** — a graph-first resolver and source-bound egress enforce default-deny per function (allow the NRF, the SEPP and named peers; block everything else) — the anti-lateral-movement isolation NSA/CISA ESF 5G Cloud calls for.
- **Firewall, budget, kill-switch** — `op:firewall` allow/deny by host, cidr or port; `op:budget` caps an NF's traffic; `op:revoke` cuts a compromised function off worldwide in one call at DNS-TTL.
- **Sign an NF's outputs** — bind SCAS/audit logs, telemetry or charging records to the NF's forge-proof /128 with sign-outputs, so the numbers are non-repudiable — cryptographic PSIRT attribution to the exact instance.

The same address-is-identity primitive that governs a compromised NF also governs the CAMARA/Open-Gateway agents and the AI agents your NEF and OSS/BSS are about to run — per-agent /128, per-agent logs, default-deny egress, one `revoke`. From day one.

## The three planes drop into the systems your core already runs — at the DNS, route and roaming boundary, never inside the SBI mesh.

Whisper anchors the boundaries, not the intra-SBI handshake. Each row below is a proposed integration onto a system you already operate — the device-identity /128 is the one capability that is shipped and live today. Every one is additive: it complements the mTLS + OAuth2 that authenticates the message, and it never reaches into the subscriber/SIM plane (SUPI/SUCI/5G-AKA) or replaces the operator PKI.

| Surface / standard you run | Where a plane plugs in | Complements — does not replace |
|---|---|---|
| **5G NRF · NFProfile** (TS 29.510) | **Identity.** The /128 is a valid value for the NFProfile `ipv6Addresses` field, `device_id` = `nfInstanceId`; a DANE TLSA record pins the SAME SBA cert (SAN `urn:uuid:<nfInstanceId>`). No NRF API change, no re-registration. | Complements NRF registration & discovery — Whisper supplies a publicly verifiable name+address, not a new registry or broker. |
| **Operator PKI · mTLS · OAuth2** (TS 33.501/33.310, CMPv2) *· shipped & live* | **Identity.** Derives the routable /128 from the same non-exportable key behind the SBA cert, and publishes a globally resolvable, DANE-verifiable, RDAP-registered name bound to it — the private NF identity projected onto the public namespace. | Complements the operator CA + CMPv2 + mandatory mTLS + OAuth2 (NRF as authz server) — never replaces them; makes an otherwise un-verifiable-to-outsiders identity publicly checkable and DNS-TTL revocable. |
| **SEPP · N32 · PRINS** (TS 29.573, GSMA FS.36) | **Identity + attribution.** DANE-pin a peer NF or SEPP so the HOME operator verifies it against a PUBLIC anchor — independent of the peer's private CA and any IPX hub; the attribution graph names the operator behind a rotating egress and gives per-message provenance of which PLMN/SEPP an event came from. | Complements N32-c/N32-f TLS + PRINS + topology hiding — hardens the N32-c spoofing vector FS.36 names; never touches the roaming payload semantics. |
| **O-RAN** (E2 · A1 · O1 · O2; WG11 ZTA) | **Identity + egress governance.** A vendor-neutral, publicly verifiable /128 per O-RU/O-DU/O-CU/RIC/xApp serves the WG11 Zero-Trust Architecture *Identity* pillar — without every disaggregated vendor chaining to one private CA — plus per-component egress governance and logging. | Complements WG11 mTLS 1.2+, OAuth2 and mandatory CMPv2 automation — adds the public anchor multi-vendor disaggregation lacks; never the Open-Fronthaul MACsec/802.1X layer. |
| **CAMARA · GSMA Open Gateway** (NEF northbound) | **Attribution + egress governance.** The developer/agent front door (Number Verify, SIM Swap, Location, QoD) inherits the full web-API threat model — BOLA, shadow endpoints, mis-scoped tokens; the attribution graph maps the caller's infrastructure and per-/128 egress governs which agent may reach which endpoint. | Complements OAuth2/OIDC on the NEF — which authorizes the message; Whisper anchors the transport and names the operator identity behind the caller. |

Read together, these are the boundaries where independent verification matters most — NF discovery/DNS, the N32/roaming border, the NEF/Open-Gateway front door, and multi-vendor O-RAN — exactly where every private-PKI chain breaks. It is defense-in-depth the way the EU 5G Toolbox TM02 means it (turn on the optional controls: DANE-pinned NF resolution *is* a TM02 move), and the per-/128 egress logs and attribution graph become ready-made NIS2 Art.23 incident evidence and CISA ESF 5G Cloud micro-segmentation. [Standards mapping →](/for-operators)

## Five things you can't stand up overnight — and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap: **AS219419** (our own AS + real routable `2a04:2a01::/32`) · **the graph** (7.44B nodes, years accreted, BGP·DNS·WHOIS·TLS·JA4) · a **per-identity CA** (one leaf per NF / SEPP / xApp, no shared root) · **RDAP · WHOIS** (every /128 a real registered object) · **DNSSEC** (anchored at the IANA root, not at us).

### Real routable space, not a namespace we invented

AS219419 and `2a04:2a01::/32` are announced to the global routing table, RPKI-covered. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain.

### A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across IPX/cloud rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

### A per-identity CA, so blast radius is one

One deterministically-derived leaf per NF, SEPP or xApp — DANE-EE pinned, never a shared intermediate. The single-CA-breach failure mode that has burned PKIs before is removed by construction, not by policy.

### Registry-anchored and root-anchored

Every /128 is a real RDAP/WHOIS object, and the whole chain validates through DNSSEC to the IANA root. `whisper verify --trustless` checks an identity without trusting Whisper — public accountability and a trust anchor you already run.

> "Telecom-security point products come and go. Will you still be here in five years, and is this real or a checkbox?"
>
> It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide. You can verify every claim on this page yourself, today, without an account.

## Exercise all three planes yourself — our API isn't in the trust path.

Two tiers, by design. No key: verify an NF's identity — the identity plane, trustless, anchored at the IANA root. Your key: attribute a suspicious peer across any IPX hub or cloud, bind an NF to the key it already presents, govern its egress, revoke it worldwide.

```
# plane 1 — re-derive and verify any NF's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e:0:ace::5
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA 3 1 1) pins the SBA cert · SAN urn:uuid:<nfInstanceId>
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the NF — reverse DNS names it
$ dig -x 2a04:2a01:5e:0:ace::5 +short
  amf-7f3a4b2c.sba.example-plmn.whisper.online.

# plane 2 — with your key, name the operator behind a rogue N32 peer via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"185.x.x.x\")"}'
  operator:  <fingerprinted> · seen across two IPX hubs + one cloud region
  rotating egress collapsed by JA4: same tooling, 37 exit IPs → 1 operator
```

```
# plane 1 — bind an NF to the key it already presents on the SBI (device_id = nfInstanceId)
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the NF SBA key>',
       device_id:'3f3a2b1c-4b2c-11ee-be56-0242ac120002'}})"   # device_id = nfInstanceId
  → identity 2a04:2a01:5e:0:ace::5   DNSSEC + DANE live (pins the SBA cert)

# plane 3 — default-deny egress; see who enumerated it; kill it worldwide
$ whisper policy set --default deny --allow nrf.5gc.mnc001.mcc234.3gppnetwork.org,sepp.example-plmn.org
$ whisper logs --identity 2a04:2a01:5e:0:ace::5 --tail   # this NF's own egress, per-identity
$ whisper kill --revoke 2a04:2a01:5e:0:ace::5   # worldwide, at DNS-TTL
```

## Three planes, and all three exit into the stack you already run — not a new silo.

### Feeds your SIEM, not another console

A machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain you can hand a regulator — STIX 2.1 over TAXII export on the roadmap. Cryptographic attribution accelerates NIS2 Art.23 who/where forensics.

### Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for NIS2, SCAS logging and PSIRT. Honest status: tamper-evident and signed today; independent witnessing (it speaks C2SP `tlog-witness`) is the next step, not yet done.

### Speaks your compliance language

Maps to NIS2 Art.21/23, the EU 5G Toolbox TM02, NSA/CISA ESF 5G Cloud lateral-movement isolation, CISA ZTMM Identity, and GSMA FS.36 N32 hardening. Honest: not a NESAS/SCAS control and not a CRA conformity route — a defense-in-depth differentiator and PSIRT attribution tool.

### In your auth path — and safe there

If a peer verifies against the DANE/verify path, that plane is built to fail open: a Whisper outage never blocks an NF — checks degrade to your existing anchors. Anycast on AS219419, no single node in the path. Revocation is an additional kill-switch on the /128 + egress, not on the operator TLS cert.

### On-prem or your own tenant

Data residency and GDPR by construction — the graph and the per-NF logs stay where your regulator needs them, with salt-erase GDPR Art.17 that keeps the transparency proofs valid.

### Flat, predictable pricing

Per-NF/year and flat — not per-message, not per-signaling-transaction. Against interconnect-scale economics that's a line item you can forecast. [See pricing →](/pricing)

## One primitive. Three planes. Give every NF an identity every peer can prove.

A publicly verifiable NF identity from the key it already presents, an attribution graph that survives IPX and cloud rotation, and default-deny egress governance — additive to your mTLS, OAuth2 and SEPP, mapped to your standards, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.

Or run `whisper verify --trustless` right now.
