whisper
whisper
The autonomous system of Whisper Security.
We hold the IPv6 allocation 2a04:2a00::/31 from the RIPE NCC and run
AS219419 to originate and route it directly. The addressing, the routing policy, the DNS,
and the per-agent identity space all run on infrastructure we operate, under numbers registered to us.
None of it is rented from a platform.
What follows is the public face of the network: the routing and registry facts anyone can read out of the global table and the RIR database.
| ASN | AS219419 (whisper-as) |
|---|---|
| Holder | viaGraph b.v. (ORG-VB155-RIPE) |
| RIPE LIR | nl.viagraph |
| Allocation | 2a04:2a00::/31 |
| Originated | 2a04:2a00::/32 · 2a04:2a01::/32 |
| Ping | 2a04:2a00::1 (anycast, answered by both edges) |
| IP version | IPv6 only |
| RPKI | ROAs, origin AS219419, maxLength 32 |
| IRR | as-set AS219419:AS-WHISPER |
| Transit | Vultr AS20473 · Route64 AS212895 |
| Peering | open |
| Look us up | RIPE · PeeringDB · bgp.tools · RIPEstat |
The allocation is a single /31, operated as two routed /32 halves:
2a04:2a00::/32 | Infrastructure. Edge routers, anycast service addresses (authoritative DNS, the DNS64/NAT64 resolver), and our own office and staff access. |
|---|---|
2a04:2a01::/32 | Identity. One /128 per agent, assigned and registered individually in the RIPE database. |
The plan is published because it is, by construction, public. It can be read straight from the routing table and the registry. The specific assignments within it are not.
We originate 2a04:2a00::/32 and 2a04:2a01::/32, and nothing else. Every
announcement carries a matching RPKI ROA pinned to maxLength /32 (RFC 9319); there is
no slack for a more-specific to be forged under our origin. Each edge runs a validating resolver and discards
RPKI-invalid routes on import. The prefixes are originated from more than one independent edge; the loss of
any single one is not visible from the outside.
The network is IPv6-only. There is no IPv4 to announce, and acquiring some is not on the roadmap. The agent estate is native v6, and the legacy v4 Internet is reached through NAT64.
ns1.whisper.online and ns2.whisper.online are authoritative for our zones and for
the reverse of the entire /31 (delegated as the two /32 zones a /31
requires). An anycast resolver provides DNS64, paired with NAT64, so IPv6-only hosts reach the remaining
IPv4 Internet without carrying any IPv4 of their own.
Our policy is open. Build filters from the as-set AS219419:AS-WHISPER,
published in PeeringDB. We announce only RPKI-valid /32s and expect the same discipline in
return: please drop RPKI-invalids toward us. To bring up a session, write to an operator.
| Kaveh Ranjbar | kaveh.org · [email protected] |
|---|---|
| Alireza Saleh | [email protected] |
Abuse & security: [email protected]