Whisper · Docs
Telecom

Telecom compliance: NESAS, SCAS, NIS2 & the 5G Toolbox

3GPP TS 33.501, GSMA NESAS/SCAS, EU NIS2, the EU 5G Toolbox and the NSA/CISA 5G-cloud guidance all press a 5G core on one question: which network function is on this connection, can a third party verify it, and can you attribute what it did and cut it off?

Inside one operator, mutual TLS and OAuth2 answer that well at the handshake. But NF discovery and addressing ride DNS, roaming trust crosses opaque IPX hubs, and every certificate chain terminates at an operator-private CA no outside party can check. A routable, DNSSEC/DANE-provable, one-call-revocable IPv6 /128 per NF, derived from the key the NF already holds, adds a second, independent layer that produces the binding, the log, the attribution and the kill-switch those frameworks want as evidence. This page is the honest map of where that evidence fits (and, just as important, where it does not).

How to read this page. We grade every control into one of three verdicts and never blur them. DIRECT-ADDITIVE. Whisper produces evidence that maps to the control (as one input to your package, never the whole standard). COMPLEMENTARY. The framework mandates the operator's own PKI, mTLS or OAuth2; Whisper sits alongside it and can DANE-pin it, but does not satisfy or replace that requirement. DO-NOT-CLAIM. Things Whisper is honestly not: a NESAS/SCAS certificate, an FCC rip-and-replace mapping, a substitute for mandated mTLS. We list them so nobody over-claims.

What every framework is really asking

Read the 5G-core security frameworks side by side and the same three questions surface, phrased in a dozen vocabularies:

None of these is a logging problem you fix with more log lines. They are identity problems. 3GPP already binds a strong identity into the NF certificate (TS 33.310 §6.1.3c mandates a subjectAltName URI-ID of urn:uuid:<nfInstanceId>), but that certificate is signed by an operator-private CA, verifiable only after bilateral cross-certification. It is not a routable identity that survives NAT/roaming/IPX, and under the operator-PKI model it cannot be revoked across an operator boundary at any useful speed. Whisper's job here is to project that same identity, the same nfInstanceId from the NF's existing key, into an address that is globally verifiable and revocable, then let the standard toolchain read the evidence off it.

Three verdicts, stated up front

Before a single row of the map, here's the grading rule, because a telecom-compliance page that claimed to "certify your NF under NESAS" would be lying. Whisper is a network primitive. Against a given control it does exactly one of three things, and we mark which:

grade every control honestly, never blur the three Read the control what does it ask? DIRECT-ADDITIVE Whisper produces the evidence: one input to your package TS 33.501 DNS/rogue-NRF · NIS2 Art.21/23 · ESF 5G-cloud GSMA FS.36 (N32) · SCAS 33.117 logging · CISA ZTMM COMPLEMENTARY sits alongside · DANE-pins the cert · never satisfies it TS 33.501 mTLS + OAuth2/NRF · TS 33.310 NF cert 5G Toolbox TM02 to TM04 · CRA Annex I · O-RAN WG11 DO-NOT-CLAIM things Whisper is honestly not NESAS/SCAS cert · FCC rip-and-replace · ≠ mTLS/OAuth2
The honesty rule is the whole point of this page: a network primitive earns a verdict per control, and we mark DIRECT-ADDITIVE, COMPLEMENTARY or DO-NOT-CLAIM so a security architect, an auditor and a regulator all read the same thing.

The evidence: real and shipped

Everything this page grades DIRECT-ADDITIVE rests on primitives that exist and answer today. Each is checkable with dig, curl, or one control-plane call over the public API: POST https://graph.whisper.security/api/query with your X-API-Key.

Shipped & live. The NF-derived /128, per-/128 logs, op:lookups, one-call revoke, egress governance (policy/firewall/budget), the Merkle transparency log and the attribution graph are in production. The Splunk connector ships. Everything grouped under roadmap below is labelled as such. Nothing on this page is described as working unless you can reproduce it.

An NF-derived /128 identity

Every 5G NF already holds a key: the private half of the mTLS certificate it presents on the SBI, the one whose subjectAltName carries urn:uuid:<nfInstanceId>. Whisper derives a deterministic IPv6 /128 from that key's public SubjectPublicKeyInfo, with the nfInstanceId as the domain separator. The address is tenant-bound (unlinkable across operators to an outsider), DNSSEC-anchored, DANE-EE 3 1 1 pinned to the same certificate the NF already speaks, and RDAP-registered. Re-deriving from the same key and nfInstanceId yields the same /128: nothing new to store, no second CA to stand up, nothing to steal that would let a scraper forge it. The /128 drops straight into the NF's NFProfile ipv6Addresses: no NRF API change.

# Provision an NF identity from the key it already holds (control plane, live).
# identity_public_key is the base64 SPKI of the NF's existing SBI mTLS key.
CALL whisper.agents({op:'connect', args:{
  tier:'wireguard',
  identity_public_key:'<base64 SPKI of the NF key>',
  device_id:'3f2504e0-4f89-11d3-9a0c-0305e82c3301'   // the nfInstanceId, already in the cert SAN as urn:uuid:…
}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error
# -> deterministic /128 out of 2a04:2a01::/32 + a WireGuard config.
#    Same key + nfInstanceId -> same /128 (idempotent). A different nfInstanceId on the
#    same tenant -> 409; a non-string device_id -> 400 + ProblemDetails. Never an opaque 500.

3f2504e0-4f89-11d3-9a0c-0305e82c3301 is a placeholder RFC 4122 UUID. No real network function or operator is implied. The device_id argument is generic: pass the nfInstanceId, an NFProfile identity, or a bare NF/SEPP serial. A first-class typed --nf-instance-id CLI/API flag is on the roadmap; provision via the control-plane call above today, which is live.

Per-/128 logs, and who's looking back

Because each NF owns a dedicated /128, every DNS lookup and connection it makes on the SBI is unambiguously its: no shared-IP or NAT'd-pod noise to reconstruct. And because the identity resolves through Whisper's own authoritative DNS and RDAP, you can also ask who is enumerating you, a reconnaissance tripwire the private NRF's out-of-band trust never offered. When reachability at the NRF equals authorization, seeing who is resolving your NF fleet's identities is an early warning that someone is mapping it.

# The NF's OWN outbound activity, per-event: timestamp, kind, destination, decision, bytes
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:5e0::a3f', kind:'conn', from:'-24h'}})

# Reverse observability: WHO resolved this NF's PTR/AAAA/TLSA or hit its RDAP object, and when
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:5e0::a3f', window:'24h'}})
curl -s https://whisper.online/ip/2a04:2a01:5e0::a3f/lookups | jq   # same view, keyless

One-call revoke

Containment, the end of a compromised NF's or a hostile interconnect's reach, is a single call. It tears down the /128, its PTR and its DANE record worldwide at DNS-TTL speed, and the teardown is provable with the same public tools that proved the identity. Kill it everywhere in one TTL, not one CRL per operator.

CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:5e0::a3f'}})
# after the TTL:
dig -x 2a04:2a01:5e0::a3f +short                          # -> empty
curl -s https://whisper.online/verify-identity/2a04:2a01:5e0::a3f   # -> {"is_whisper_agent": false}

The attribution graph

Turning a raw destination (or a suspicious peer egress in your logs) into "known-bad infrastructure" or "clean CDN" is a read-only query against the public graph API. Attribution survives egress rotation because it fingerprints the operator and the tooling (ASN and hosting genealogy for cloud rotation, a JA4/JA3 client fingerprint for a residential-proxy or IPX-fronted swarm), not the ephemeral IP the way an in-plane signaling firewall does.

curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  --data-urlencode "q=CALL whisper.identify('203.0.113.7')"
# -> what the address is, who operates it, threat-intel reputation, relationships:
#    a reproducible, replayable JSON evidence chain your core SOC, PSIRT and a regulator can replay.

The read-only verbs (identify, origins, walk, variants, history) run the same way, over an infrastructure-and-threat-intelligence graph of billions of nodes. That is the enrichment that turns a per-NF egress log into a detection, and names the operator behind a rotating egress that a GT/realm-scoped signaling firewall cannot.

The map, at a glance

Each row is a framework, the control it asks for, our verdict, and the shipped evidence behind it. The deep sections below unpack each group. Read the verdict column first: it is the load-bearing part. Every mapping is additive to the mandated 3GPP mTLS + OAuth2 and the operator PKI; none replaces them.

Framework · control What it asks for Verdict Whisper evidence (shipped)
3GPP TS 33.501: DNS-spoofing / rogue-NRF / forged token-issuer vector A hijack-resistant name→address→expected-cert binding under NF/NRF discovery (which rides DNS) DIRECT-ADDITIVE DNSSEC-signed zone + DANE-EE 3 1 1 pin on the NF/NRF record, the cert the NF already presents
EU NIS2 Art.21(2)(b) + Art.23 Incident handling; early-warning 24 h / notification 72 h / final report 1 month DIRECT-ADDITIVE Attribution graph (who/where) + per-/128 logs + lookups, on the reporting clock
NSA/CISA ESF 5G Cloud (Parts II and III) Prevent lateral movement; securely isolate network resources DIRECT-ADDITIVE Per-NF /128 micro-perimeter + default-deny policy/firewall/budget egress governance
GSMA FS.36: N32 / SEPP Harden the N32-c spoofing vector; verifiable peer identity at the roaming boundary DIRECT-ADDITIVE DANE-pinned peer/SEPP identity + per-message attribution, alongside PRINS/TLS on N32-f
EU NIS2 Art.21(2)(i)/(j) Access control; MFA / continuous authentication DIRECT-ADDITIVE Per-NF /128 least-privilege egress + DANE-verifiable identity + one-call revoke
SCAS TS 33.117: logging Security-event logging on the NF (SECAM assurance) DIRECT-ADDITIVE Logs anchored to a per-NF /128, each event unambiguously one NF's
CISA ZTMM v2 / NIST 800-207 Continuously-authenticated Identity; Visibility & Analytics pillars DIRECT-ADDITIVE DANE/DNSSEC identity + revoke + attribution advance the Identity & Visibility pillars
3GPP TS 33.501 §13: mTLS on the SBI Mutual TLS between every NF pair COMPLEMENTARY Add a DANE out-of-band pin of the same cert (mis-issuance / rogue-CA defense); never replaces mTLS
3GPP TS 33.501 §13: OAuth2 / NRF authz Token-based service authorization, NRF as authorization server COMPLEMENTARY Independent; hardens the DNS under discovery so a token can't be aimed at a spoofed issuer
3GPP TS 33.310 §6.1.3c: NF cert (urn:uuid:nfInstanceId) Operator-CA-signed NF certificate identity COMPLEMENTARY Project the SAME identity into routing + reverse-DNS + RDAP + attribution; /128 from the NF's existing key
EU 5G Toolbox TM02 / TM03 / TM04 Apply / strengthen optional security controls; supplier diversity COMPLEMENTARY DANE-pinned NF resolution is a concrete TM02 move; a vendor-neutral identity supports TM03/TM04
EU CRA Annex I: identity/access + logging Essential cybersecurity requirements for products with digital elements COMPLEMENTARY ¹ Supports as an embeddable identity/logging feature, not a CRA conformity route; nothing for SBOM
O-RAN WG11: ZTA on O1/O2/A1/E2 mTLS + OAuth2 + CMPv2 + a Zero-Trust program whose first pillar is Identity COMPLEMENTARY Per-component /128 + DANE + attribution augment the ZTA Identity pillar across vendors
GSMA NESAS / SCAS (FS.13, SECAM) Product- & process-security certification of NF equipment DO-NOT-CLAIM Not a certification control or shortcut; it does not help you pass SCAS/NESAS (a differentiator + PSIRT tool)
FCC rip-and-replace / Covered List Remove & replace untrusted-supplier equipment DO-NOT-CLAIM A supply-chain provenance/removal program, not an identity mapping
TS 33.501 mandated mTLS + OAuth2 The primary, mandatory SBA security controls DO-NOT-CLAIM Whisper is a second, independent DNS-anchored layer; it never replaces the mandated controls
EU NIS2 Art.21(2)(d) Supply-chain security / assurance of suppliers DO-NOT-CLAIM Attribution can inventory live vendors (visibility); it is not supply-chain assurance

¹ COMPLEMENTARY as an embeddable feature that supports the Annex I identity/access-management and logging requirements. It is not a route to CRA conformity, and it does nothing for the SBOM requirement. See the caveats.

DIRECT-ADDITIVE: the four defensible claims, first

Four claims survive hostile review. They are spec-level, they persist after mTLS, OAuth2, signaling firewalls and the SEPP are all in place, and they are where Whisper earns a DIRECT-ADDITIVE verdict. Lead with these; everything else on the page is downstream of them.

1 · DNSSEC + DANE close the DNS-spoofing / rogue-NRF gap (TS 33.501)

This is the least-contestable claim on the page, so it comes first. 3GPP binds the NF's identity into its certificate: the SBA cert profile (TS 33.310 §6.1.3c) mandates a subjectAltName URI-ID of urn:uuid:<nfInstanceId>, ECDSA recommended. But NF and NRF discovery and addressing ride DNS, and TS 33.501 mandates mTLS and OAuth2 without mandating DNSSEC or DANE on that SBA name layer. Spoof the DNS answer under an NF or NRF FQDN and you can redirect a consumer to a rogue NRF, or point it at a forged token-issuer URL. Mutual TLS by itself does not cover the name → address → expected-cert binding that got hijacked one layer down. A DNSSEC-signed zone with a DANE TLSA record pinning the exact certificate the NF already presents closes that gap: the consumer resolves the name, validates the chain to the IANA root, and confirms the served leaf matches the pin before it trusts a token or opens a session.

NF discovery rides DNS: mTLS starts one layer too late NF consumer SMF · discover NRF then present an OAuth2 token nrf.sbi…? DNS / NF discovery the SBA name layer not signed by default spoofed answer Rogue NRF / forged token issuer impersonate an NF · mint / redirect a token mTLS alone doesn't see the hijack below it DNSSEC-validated Genuine NRF /128 · DANE-EE pin name → 2a04:2a01:5e0::a3f → expected cert TLSA 3 1 1 == the leaf whose SAN is urn:uuid:… rogue path fails before a token is trusted
The gap 33.501 leaves open is a layer below mTLS: the name→address resolution. DNSSEC makes the answer forgery-evident to the IANA root, and DANE pins the exact certificate the NF already presents, so a rogue NRF or a forged issuer is rejected before the consumer ever trusts a token.

2 · Cryptographic attribution for incident handling & reporting (NIS2, SCAS)

NIS2 (Directive (EU) 2022/2555) obliges essential and important entities, telecoms squarely among them, to handle incidents (Art.21(2)(b)) and to report them on a hard clock (Art.23): an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Every one of those filings needs a defensible who and where. The attribution graph produces exactly that: a reproducible, replayable evidence chain naming the operator behind a rotating egress. The per-/128 logs and lookups supply the per-NF forensic trail, keyed to a registry-anchored address rather than a mutable field in your own database. The SCAS logging requirement (TS 33.117, under GSMA SECAM) is served the same way: anchor each security-event log line to a per-NF /128 so it is unambiguously one NF's, and unforgeable after the fact.

# On the 72h clock: pull one NF's per-party trail, and who enumerated it, over the window
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:5e0::a3f', kind:'conn', from:'-72h'}})
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:5e0::a3f', window:'72h'}})

# Name the operator behind a suspect egress: attribution survives IP rotation
curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
  --data-urlencode "q=CALL whisper.identify('203.0.113.7')"

3 · Anti-lateral-movement micro-segmentation (NSA/CISA ESF, CISA ZTMM)

The 5G SBA is a flat, all-IP, HTTP/2 mesh; when reachability at the NRF equals authorization, a single compromised NF can enumerate and reach the rest of the core. The NSA/CISA Enduring Security Framework guidance for 5G cloud infrastructure (Parts II and III) presses on exactly this: prevent lateral movement and securely isolate network resources. A per-NF /128 with default-deny egress governance is a network-layer micro-perimeter that does that: each NF may reach only its legitimate SBI peers, and nothing else, enforced by source-bound egress rather than by hoping the mesh policy holds. It advances the CISA Zero-Trust Maturity Model (v2) Identity and Visibility & Analytics pillars, and the NIST 800-207 posture O-RAN WG11 also benchmarks to.

# Default-deny egress for one NF: allow only its legitimate SBI peers, block the rest
CALL whisper.agents({op:'policy',   args:{agent:'2a04:2a01:5e0::a3f', default:'deny',
        allow:['nrf.sbi.example-mno', 'udm.sbi.example-mno']}})
CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:5e0::a3f', deny:{cidr:'::/0', port:0}}})
CALL whisper.agents({op:'budget',   args:{agent:'2a04:2a01:5e0::a3f', cap:'50GB/day'}})
# -> the NF can talk to its allow-list and nowhere else; a spike trips the budget kill-switch.

4 · Verifiable peer identity at N32 / roaming (GSMA FS.36)

The SEPP is the mandatory PLMN-border gateway; all inter-PLMN SBI crosses N32 between two SEPPs, and where IPX providers mediate, N32-f messages are protected by PRINS (application-layer JWE+JWS over whitelisted JSON) rather than direct peer TLS. Trust is transitive through the SEPP and the IPX hubs: the originating NF deep in a peer network is not independently verifiable by the home operator, and GSMA FS.36 names the N32-c spoofing vector as a live concern. A DNSSEC/DANE-anchored identity per NF or SEPP lets the home operator verify a peer against a public anchor: resolve the peer's /128, pull its DANE pin, confirm it, instead of trusting the SEPP's assertion or the IPX's forwarding. Per-message attribution then names which PLMN/SEPP an event came from. This complements PRINS/TLS on N32-f; it never replaces the SEPP.

roaming trust is transitive through the IPX: verify the peer directly instead Home SEPP HPMN border wants to trust the peer NF N32-f · PRINS IPX hub(s) semi-trusted · may read/modify whitelisted JSON Visited SEPP + NF VPMN · originating NF private-CA cert, opaque to you DANE verify: resolve peer /128 → pull TLSA pin → confirmed, independent of the IPX
The home operator's trust in a roaming peer is only as good as the weakest IPX in the path. A DANE-pinned peer identity lets the home SEPP confirm the originating NF against the public DNSSEC root directly: a second, independent check that hardens the N32-c spoofing vector FS.36 names, alongside PRINS and TLS.

And the rest of the DIRECT lane: access control, logging, zero-trust

Downstream of the four, the same primitives land on several more controls as concrete, additive evidence, never as the whole standard:

COMPLEMENTARY: we sit alongside, we don't replace the mandated controls

Several frameworks mandate the operator's own mTLS, OAuth2 or certificate. Whisper does not, and must not claim to, satisfy or replace those. It complements them: it keeps the good property they already have (a cert-bound, key-derived identity), adds the two they lack at the boundaries (public verifiability and DNS-TTL cross-operator revocation), and where a certificate is in play it can DANE-pin that exact certificate to DNSSEC to cut single-CA trust risk.

Why this whole group is COMPLEMENTARY and not DIRECT: these frameworks name the operator's own PKI, mTLS and OAuth2 as the primary, mandatory controls. Whisper is a second, independent, DNS-anchored layer that hardens the boundaries those controls leave thin: the name layer, the roaming edge, the cross-operator gap. It complements the mandate; it is never the mandated control.

DO-NOT-CLAIM: what we do NOT claim

The most useful rows on a compliance page are often the ones a vendor omits. These exist, they matter, and Whisper is honestly the wrong tool for them. We state them plainly so nobody plans against an over-claim:

Two caveats we state up front

Buyer trust is built by naming the limits before the sales call does:

Nothing issued in the dark: the transparency-log audit trail

Every identity mint and every revocation lands in a public, append-only Merkle transparency log (RFC 6962 tlog-tiles), with Ed25519-signed C2SP checkpoints, each root anchored to Bitcoin via OpenTimestamps. That gives a regulated operator something a database row cannot: a non-repudiable answer to "when was this NF identity issued, and when was it revoked", provably not back-dated, provably in order, which is exactly the evidence an NIS2 incident report or a PSIRT disclosure timeline needs to stand on.

# An NF identity's ordered lifecycle: issuance, any rotations, revocation, keyless
curl -s https://whisper.online/ip/2a04:2a01:5e0::a3f/transparency | jq

# The signed log checkpoint + its Bitcoin anchor: the tamper-evidence root
curl -s https://whisper.online/checkpoint
# -> a C2SP signed note; the root is OpenTimestamps-anchored to Bitcoin

Honest status. The log is tamper-evident, Ed25519-signed and Bitcoin-anchored today, but it is not yet independently witnessed (our two authoritative nodes co-signing is availability, not independence). It already speaks the C2SP tlog-witness protocol, so an external witness can co-sign; until one does, treat the guarantee as tamper-evident, not third-party-attested. It is also GDPR-compatible: leaves are salted opaque commitments with selective disclosure, so erasing the salt renders a leaf's meaning unrecoverable while the proofs stay valid.

Evidence you can hand an auditor

The point of every primitive above is that the auditor (or a roaming partner, or a regulator) does not have to trust Whisper. Each artifact is reproducible from the internet's own records with stock tools: the same --trustless walk any resolver could run. A per-control evidence bundle for a NIS2 review or a vendor RFP looks like this, and every line is checkable without an account:

# IDENTITY (TS 33.310 / SCAS 33.117-adjacent): the NF identity is genuine and current, to the IANA root
whisper verify --trustless 2a04:2a01:5e0::a3f
✓ DNSSEC chain valid to the IANA root   ✓ DANE-EE (TLSA 3 1 1) matches the NF cert key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32   identity: VERIFIED, our API never trusted

# MONITORING (NIS2 Art.21(2)(b) / SCAS logging): the per-NF record and who enumerated it, on the 72h clock
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:5e0::a3f', kind:'conn', from:'-72h'}})
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:5e0::a3f', window:'72h'}})

# CONTAIN + NON-REPUDIATION (NIS2 Art.23): the eviction, provable, timestamped, cross-operator
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:5e0::a3f'}})
curl -s https://whisper.online/ip/2a04:2a01:5e0::a3f/transparency   # the timestamped lifecycle leaf

And because an NF's telemetry or an interconnect record can be bound to (and signed under) its forge-proof /128, a roaming partner, an IPX and a regulator can all trust the record came from the real NF, which is the non-repudiation those reporting and assurance regimes ultimately want.

SIEM & threat-intel export

The evidence above is pullable now via op:logs, op:lookups and the graph API, and it exports to Splunk today as signed, replayable JSON mapped to CEF / ECS fields. Broader connectors are on the roadmap, labelled honestly so nobody plans against vapour:

Destination Status
Splunk (signed JSON → CEF / ECS) Shipped
Microsoft Sentinel connector Shipped
OpenCTI Shipped
STIX 2.1 / TAXII feed Roadmap
Telecom-ISAC / GSMA T-ISAC machine-readable JSON export Roadmap

Until the roadmap items land, the same records are already reachable. The exports are a convenience layer over evidence you can pull today.

What this is, and is not

Whisper anchors one boundary: the cloud/IP interface between a network function (or a SEPP, or a CAMARA/NEF consumer) and the rest of the network. It is deliberate about what it does not touch.

Everything described as working is checkable, today, with dig, curl and one control-plane call. Everything on the roadmap is labelled as such. That is the whole contract of this page.

Next