OpenNHP: The IETF Standard Making Infrastructure Invisible
OpenNHP is the Cloud Security Alliance's Network Hiding Protocol — now an IETF Internet-Draft. Here's what it is, how it works, and why it matters for the future of cybersecurity.
In January 2026, the Internet Engineering Task Force published an Internet-Draft for OpenNHP — the Network Hiding Protocol. This wasn't just a milestone for our team at LayerV. It was the moment that infrastructure invisibility went from a niche technique to a recognized internet standard.
OpenNHP defines how network infrastructure can be made invisible using cryptographic authentication. I co-authored the Cloud Security Alliance specification that OpenNHP is based on, and I want to explain what this standard means, how it works, and why it changes the security landscape.
What OpenNHP Is
OpenNHP (Open Network Hiding Protocol) is an open standard that defines cryptographic protocols for making network infrastructure invisible. The core principle: authenticate first, connect second.
In traditional networking, services are visible by default and access is controlled after discovery. OpenNHP inverts this: services are invisible by default and only become visible after cryptographic authentication succeeds.
The standard defines three components:
NHP Agent — The client-side component that initiates authentication. The agent creates a Single Packet Authorization (SPA) message containing the user's cryptographic proof of identity.
NHP Controller (NHP-Server) — The server-side component that validates SPA packets. The Controller is itself invisible — it doesn't respond to invalid packets. Only valid SPA messages receive a response.
NHP Access Control (NHP-AC) — The component that opens and closes access to protected resources. When the Controller validates an SPA packet, it instructs the AC to open a temporary, session-specific connection to the protected resource.
How It Works
The OpenNHP authentication flow:
- Knock: The NHP Agent creates an SPA packet containing the user's identity, a timestamp, and a cryptographic nonce. The packet is signed with the user's private key and encrypted with the Controller's public key.
- Validate: The NHP Controller receives the SPA packet and validates it:
  - Is the signature valid? (proves identity)
  - Is the timestamp recent? (prevents replay)
  - Has this nonce been seen before? (prevents replay)
  - Is this user authorized for the requested resource? (policy check)
- Open: If validation succeeds, the Controller instructs the NHP-AC to open a temporary connection between the authenticated user and the requested resource.
- Connect: The user connects to the now-visible resource through the opened tunnel.
- Close: When the session ends (or the time limit expires), the NHP-AC closes the connection. The resource returns to an invisible state.
The entire handshake completes in under 50 milliseconds. To the user, access is seamless. To everyone else, the resource doesn't exist.
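The Knock and Validate steps above, as an added example that is not OpenNHP's own code: the Agent signs a knock with an ed25519 key, and the Controller applies the four checks in the listed order, keeping each nonce only as long as its timestamp could still pass the window check. The `Knock` and `Controller` types, the packet layout and the 30-second window in the comments are assumptions made here; the encryption of the packet to the Controller's public key is omitted.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"sync"
)

// Knock is a constructed stand-in for an SPA message, not the OpenNHP wire
// format; the outer encryption to the Controller's public key is omitted.
type Knock struct {
	UserID, Resource string
	Timestamp        int64    // Unix seconds
	Nonce            [16]byte // fresh random value per knock
	Sig              []byte   // ed25519 signature over the fields above
}

// payload is the deterministic byte string that is signed and verified.
func (k Knock) payload() []byte {
	b := binary.BigEndian.AppendUint64([]byte(k.UserID+"\x00"+k.Resource+"\x00"), uint64(k.Timestamp))
	return append(b, k.Nonce[:]...)
}

// Sign is the Agent side: prove identity with the user's private key.
func (k *Knock) Sign(priv ed25519.PrivateKey) { k.Sig = ed25519.Sign(priv, k.payload()) }

var ErrBadSig, ErrStale, ErrReplay, ErrDenied = errors.New("bad signature"),
	errors.New("timestamp outside window"), errors.New("nonce replayed"), errors.New("policy denied")

type Controller struct {
	Keys   map[string]ed25519.PublicKey
	Policy map[string]map[string]bool // user -> resource -> allowed
	Window int64                      // accepted clock skew in seconds, e.g. 30
	seen   sync.Map                   // nonce -> last second it could still pass
}

// Validate checks the signature first, so an unauthenticated packet never touches state or earns a reply.
func (c *Controller) Validate(k Knock, now int64) error {
	pk, ok := c.Keys[k.UserID]
	if !ok || !ed25519.Verify(pk, k.payload(), k.Sig) {
		return ErrBadSig
	}
	if d := now - k.Timestamp; d > c.Window || d < -c.Window {
		return ErrStale
	}
	// Swap records the nonce atomically; entries whose expiry has passed are safe to sweep.
	if prev, dup := c.seen.Swap(k.Nonce, k.Timestamp+c.Window); dup && prev.(int64) >= now {
		return ErrReplay
	}
	if !c.Policy[k.UserID][k.Resource] {
		return ErrDenied
	}
	return nil
}
```

sync.Map.Swap requires Go 1.20 or later.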
Why Standards Matter
Before OpenNHP, infrastructure hiding existed but wasn't standardized. Different implementations used proprietary protocols, making interoperability impossible and security audits difficult.
The OpenNHP standard provides:
Formal security proofs. The protocol has been analyzed for resistance to replay attacks, man-in-the-middle attacks, denial-of-service, and information leakage. These proofs are part of the specification, not just marketing claims.
Interoperability. Different implementations of OpenNHP can work together. An NHP Agent from one vendor can authenticate against an NHP Controller from another. This prevents vendor lock-in.
Community audit. The reference implementation has over 14,000 GitHub stars and 200+ contributors. The code is open source (Apache 2.0), meaning anyone can inspect, audit, and contribute to it.
Regulatory recognition. Having an IETF Internet-Draft and CSA specification makes it significantly easier for organizations to justify network hiding to regulators and auditors. It's not proprietary magic — it's an audited, standards-based approach.
The Evolution from SDP
OpenNHP evolves from the Software-Defined Perimeter (SDP) architecture originally developed by DISA (Defense Information Systems Agency) and later standardized by the Cloud Security Alliance.
SDP introduced the concept of the "dark cloud" — infrastructure invisible to unauthorized users. OpenNHP modernizes this with:
- Stronger cryptography: Modern elliptic curve signatures replace older key exchange mechanisms
- Lower latency: Sub-50ms authentication through optimized SPA
- Better scalability: Stateless Controller design handles enterprise-scale deployments
- Protocol formalization: IETF-track specification with formal security analysis
Open Source Reference Implementation
The OpenNHP reference implementation is available at github.com/OpenNHP/opennhp:
- Language: Go (Controller and AC), with client libraries in multiple languages
- License: Apache 2.0
- Stars: 14,000+
- Contributors: 200+
- Status: Production-ready reference implementation
The reference implementation is designed for direct deployment or as a foundation for commercial implementations.
LayerV and OpenNHP
LayerV is the commercial enterprise implementation of OpenNHP. While OpenNHP provides the protocol and reference implementation, LayerV adds the enterprise features needed for production deployment:
- Managed infrastructure: No NHP Controllers to deploy or manage
- Identity integration: Native Okta, Azure AD, and OIDC/SAML support
- QURL credentials: User-friendly, ephemeral access links built on the NHP protocol
- Compliance logging: SOC 2, HIPAA, FedRAMP-ready audit trails
- Dashboard and API: Web interface and REST API for managing access
- Support and SLA: Enterprise support contracts with guaranteed response times
Think of it as the relationship between Linux and Red Hat, or Kubernetes and managed Kubernetes services. OpenNHP is the community standard. LayerV is the enterprise platform.
What This Means for the Industry
The IETF publication of OpenNHP signals that infrastructure hiding is moving from "emerging technique" to "standard practice." The Cloud Security Alliance, which represents thousands of member organizations, has endorsed the approach. The IETF, which governs internet standards, has accepted it for review.
For security teams evaluating their architecture: network hiding is no longer experimental. It has a standard, an open-source implementation, a formal security analysis, and commercial implementations. The question is no longer "should we hide infrastructure?" but "which infrastructure should we hide first?"
Start with the QURL Playground to see the protocol in action, or read the IETF specification for the technical details.
