The Leading Authority for Cloud Security

CSA Zero Trust Specification

The Cloud Security Alliance (CSA), the world's leading organization for cloud security standards with 500+ enterprise members including AWS, Google, Microsoft, and Alibaba, has published comprehensive guidance on "Stealth Mode SDP for Zero Trust Network Infrastructure" introducing NHP.


Stealth Mode SDP for Zero Trust Network Infrastructure

Organization: Cloud Security Alliance (CSA)
Working Group: ZT5 - Pillar: Networks (Zero Trust Research)
Lead Authors: Benfeng Chen, Justin Posey, Yuanyuan Liu
Contributors: Michael Roza, Leon Zeng, Jason Garbis
Reviewers: Justin Bowen, George Chi, Xinpi Du, Philip Griffiths, Matias Katz, Prashant Khanwale, Vaibhav Malik, Dr. Victor Monga, Surendra Narang, Dharnisha Narasappa, Chinaza Obidike, Srinivasa Ravi Teja Peri, Venkataramana Ragothaman, Shashank Shelat, Jen Trahan, Washima Tuleun
CSA Staff: Erik Johnson

Document Contents

  • AI-Powered Threat Landscape: Analysis of AI-driven scanning, reconnaissance, and zero-day exploitation threats
  • NHP Architecture & Workflow: Core components (NHP-Agent, NHP-Server, NHP-AC) and complete protocol workflow
  • Cryptographic Framework: Noise Protocol, message header format, and 18 message types specification
  • Integration Guidance: SDP, DNS, and FIDO integration patterns with implementation considerations
  • Logging & Compliance: Log types, format, transmission, and compliance auditing requirements

"TCP/IP's default network visibility has enabled much of today's malicious activity. Given our current threat landscape and the widespread adoption of Zero Trust as a set of principles and best practices, we believe that we now have an imperative to pivot our core networking technologies to a default-deny stance—one that aligns with emerging concepts like Gartner's preemptive cybersecurity, which emphasizes denying, deceiving, and disrupting threats before they can launch or succeed."
— CSA Stealth Mode SDP Specification, Abstract

The Standards Body Behind the Internet

IETF Internet-Draft

The Internet Engineering Task Force (IETF), the organization that defined TCP/IP, HTTP, TLS, DNS, and virtually every core Internet protocol, is now standardizing NHP. With 9,000+ published RFCs, the IETF is the premier authority for Internet protocol standards.


draft-opennhp-saag-nhp

Status: Active Internet-Draft
Working Group: SAAG (Security Area Advisory Group)
Published: January 1, 2026
Expires: July 5, 2026
Authors: Benfeng Chen

Participate in Standardization

Join the IETF NHP standardization effort. Contributions welcome!

Specification Highlights

πŸ—οΈ

Protocol Architecture

Defines NHP-Agent, NHP-Server, NHP-AC, and ASP components with clear separation of concerns for scalability and security.


Cryptographic Framework

Based on the Noise Protocol Framework with XX, IK, and K handshake patterns. Uses Curve25519, ChaCha20-Poly1305, and HKDF.


Message Formats

Complete specification of NHP-KNK (Knock), NHP-ACK, NHP-AOP, NHP-ACC, and other message types with binary encoding.


Integration Patterns

Guidance for integrating with SDP, DNS, FIDO authentication, and Zero Trust policy engines.

Foundation

Built on Industry Standards

NHP builds upon and references established security standards and protocols.


NIST SP 800-207

Zero Trust Architecture guidelines from the National Institute of Standards and Technology.


RFC 8446 (TLS 1.3)

NHP complements TLS by providing pre-connection authentication and service hiding.


RFC 9000 (QUIC)

NHP can protect QUIC-based services with the same hiding capabilities as TCP.


RFC 9180 (HPKE)

Hybrid Public Key Encryption referenced for advanced key encapsulation scenarios.


Noise Protocol Framework

The cryptographic foundation for NHP's handshake patterns and key exchange.


CSA SDP Spec v2.0

Software Defined Perimeter specification by Garbis, Koilpillai, Islam, Flores, Bailey, Chen, et al. (Mar 2022).

Contribute to NHP Standardization

Help shape the future of Zero Trust networking. Review the specification, submit feedback, and participate in the IETF process.