# How it works

Whisper runs the whole trust chain — DNS, certificate authority, registry, egress, and the IP space itself — on one autonomous system it owns.

Most "agent identity" is a dashboard bolted onto someone else's infrastructure. That makes an agent only as trustworthy as the weakest vendor in a chain you can't see, and it disappears the day one of them changes terms, gets acquired, or goes down. This page is the alternative, layer by layer: what each one is, the RFC it implements, and how to check it yourself.

## Three layers, one address

An agent's `/128` — one IPv6 address, `2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4` — is the credential. Everything else is a proof about that address.

| Layer | What it is | Deep dive |
|---|---|---|
| **Identity** | The `/128`, a forward name (`acef2002a323d40d4.<tenant>.agents.whisper.online`), a PTR back to it, a DANE-pinned certificate, and a signed ledger entry. Seven proofs, all DNSSEC-anchored, none needing an SDK to check. | [Identity](/docs/identity), [Verify](/docs/verify) |
| **Control** | A per-agent resolver, egress path, and firewall, evaluated fresh at connection time against policy you set. | [Control plane](/docs/control-plane), [Connect](/docs/connect) |
| **Cognition** | Before it acts, an agent can ask the graph "is this safe?" — `identify` / `assess` / `explain` over billions of fused BGP, DNS, WHOIS, TLS, hosting, and threat-intel records — and get an answer with its evidence. | [Graph & cognition](/docs/graph-api) |

The rest of this page is what makes those layers real: the network underneath them, and the six systems we run ourselves instead of renting.

## The network: AS219419

Every proof terminates in one place — our own autonomous system.

- **AS219419** — IPv6-only, [RPKI](https://www.rfc-editor.org/rfc/rfc6480)-signed, dual-homed, [MANRS](https://www.manrs.org/)-compliant, with a published [geofeed](https://www.rfc-editor.org/rfc/rfc9092) and `security.txt`. Listed on [PeeringDB](https://www.peeringdb.com/) and [bgp.tools](https://bgp.tools/as/219419).
- **2a04:2a00::/31** — a RIPE-allocated superblock we hold outright.
- **2a04:2a01::/32** — the half agents come from. Every `/128` is real, globally routable space we are the registry for. Not NAT, not a shared pool, not a lease from a cloud provider's block.

We hold the space, so we are the authority for it. Nobody has to take our word for what an address is — the routing system and the registries answer directly.

**With stock tools** — trace the announcement and the RIR delegation with `whois` and a route collector:

```bash
whois -h whois.radb.net 2a04:2a01::/32          # route object, origin AS219419
whois -h riswhois.ripe.net 2a04:2a01:eb5a::/48  # BGP origin, seen-by peer count
curl -sG https://stat.ripe.net/data/rpki-validation/data.json \
  --data-urlencode 'resource=219419' \
  --data-urlencode 'prefix=2a04:2a01::/32' | jq -r .data.status
# "valid"
```

**With Whisper** — the same chain, one verdict:

```bash
whisper verify 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4
# ✓ RPKI ROA valid (AS219419)  ✓ in-region delegation (RIPE)  ✓ reverse DNS matches forward
```

## What we run ourselves

Nothing on this list is a SaaS we call at serve time. Each is a system we operate, and each has a public, standards-based way to check it.

### 1. Authoritative DNS + resolver

Forward zones under `agents.whisper.online` and reverse zones under `ip6.arpa` are DNSSEC-signed with ECDSA P-256 (algorithm 13, [RFC 6605](https://www.rfc-editor.org/rfc/rfc6605)) and NSEC3 ([RFC 5155](https://www.rfc-editor.org/rfc/rfc5155)) for authenticated denial. Changes propagate by ordinary zone transfer — AXFR ([RFC 5936](https://www.rfc-editor.org/rfc/rfc5936)), IXFR ([RFC 1995](https://www.rfc-editor.org/rfc/rfc1995)) — not a proprietary sync.

```bash
kdig +dnssec acef2002a323d40d4.demo.agents.whisper.online AAAA
# AAAA 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 + RRSIG, ad flag set
kdig -x 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 +dnssec   # PTR, also signed
delv @1.1.1.1 acef2002a323d40d4.demo.agents.whisper.online AAAA   # independent validator
```

### 2. RDAP and WHOIS — the registry

Every `/128` gets a per-address [RDAP](https://www.rfc-editor.org/rfc/rfc9083) record over HTTPS and a [WHOIS](https://www.rfc-editor.org/rfc/rfc3912) record on port 43 — the same registry pattern any RIR runs, scoped to the space we hold, chaining up to RIPE.

```bash
curl -s https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4   # RFC 9083
whois -h whois.whisper.online 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4            # RFC 3912
```

Ownership history and the delegation chain: [RDAP](/docs/rdap).

### 3. A per-agent CA, DANE-pinned

Every agent gets its own TLS key and leaf certificate, and the pin is a `TLSA` record ([RFC 6698](https://www.rfc-editor.org/rfc/rfc6698)) under its own name. Trust then rests on DNSSEC — which you already validate — not on the public CA ecosystem being uncompromised that day.

```bash
kdig +dnssec _443._tcp.acef2002a323d40d4.demo.agents.whisper.online TLSA
# TLSA 3 1 1 b653a4ef…fcb82d1d
openssl x509 -in agent.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum
# compare this hash against the TLSA record by hand
```

Key derivation, rotation, and revocation: [Per-agent CA](/docs/per-agent-ca) and [DANE & TLSA](/docs/dane).

### 4. Egress and a per-agent firewall

Outbound traffic sources from the agent's own `/128` — over WireGuard, or a SOCKS5/HTTP-CONNECT proxy bound with AnyIP — so what leaves the network *is* the identity, never a shared exit IP. Policy (category, geography, ownership, routing posture) is enforced per agent against the live graph at connect time, not a static allow-list. Full flow: [Connect & egress](/docs/connect).

### 5. A transparency log

Every issuance and revocation is a leaf in an append-only Merkle tree, in the style of Certificate Transparency ([RFC 6962](https://www.rfc-editor.org/rfc/rfc6962)). Signed checkpoints are anchored to Bitcoin via OpenTimestamps — an independent, permissionless proof the log existed at a point in time we cannot move.

```python
# verify the Merkle inclusion proof yourself — no key required
import hashlib, requests
leaf = requests.get("https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4/transparency").json()
h = bytes.fromhex(leaf["leaf_hash"])
for sibling in leaf["proof"]:
    pair = h + bytes.fromhex(sibling) if leaf["order"] else bytes.fromhex(sibling) + h
    h = hashlib.sha256(b"\x01" + pair).digest()
assert h.hex() == leaf["checkpoint_root"]
```

Why tampering can't hide: [Transparency log](/docs/transparency).

### 6. The graph

Under `identify` / `assess` / `explain` sits a graph fusing routing, DNS, WHOIS, TLS, hosting, and threat-intel history into one queryable structure, answering at resolver speed. It turns "here is an address" into "here is whether you should talk to it." See [Graph & cognition](/docs/graph-api).

## Why it's all checkable

Each system above is verifiable with generic tools — `dig`, `whois`, `openssl`, `curl`, a hand-rolled Merkle check — precisely because none of them is a black box you trust on our say-so. The `whisper` CLI and the `whisper.agents` verb make the common case one command; they wrap the standards, never replace them.

> Every page here resolves end to end on our own `ns1`/`ns2` and validates `AD=yes` on `1.1.1.1` and `8.8.8.8`. Whether you use our resolver, delegate a zone to it, or self-host the stack, you run the same standards — not a wrapper around ours.

## Next

- [Identity](/docs/identity) — the seven proofs on one address, in order
- [Verify an agent](/docs/verify) — one command that runs this whole page's checks
