| Internet-Draft | Intent-based Agent Routing Security | April 2026 |
| Yan, et al. | Expires 10 October 2026 | [Page] |
This document specifies security requirements for intent-based agent routing. It defines a security architecture, phase-specific attack surface analysis, and normative protections for the Registration, Resolution, and Dispatch phases of routing. It also describes a secure operational process and an annotated interaction flow for protecting routing decisions, intent privacy, and capability integrity.¶
Intent-based routing enables autonomous agents to collaborate based on semantic intent rather than static addresses, but this model introduces new security risks beyond those addressed by traditional channel protection and endpoint authentication. Existing mechanisms such as Transport Layer Security (TLS) and Public Key Infrastructure (PKI) verify identity and protect transport, but do not constrain what an agent claims to be capable of, nor do they protect the semantic content of intent queries during routing. This document establishes requirements to mitigate these risks and provides a comprehensive security framework for intent-based agent networks.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Intent-based agent routing represents a fundamental shift in network architecture. Autonomous agents powered by artificial intelligence are increasingly capable of reasoning, planning, and executing tasks on behalf of users or other agents. Rather than communicating via fixed service endpoints or static addresses, these agents express and receive requests as high-level semantic intents, which are resolved and forwarded by an Agent Gateway (AG) based on capability matching.¶
Traditional networking protocols and security mechanisms—including TLS [RFC8446], IPsec, and OAuth 2.0 [RFC6749]—are designed to protect the transport layer and verify endpoint identity. These mechanisms assume that communication targets are identified by fixed, pre-known addresses. In intent-based routing, however, this assumption no longer holds. The AG must dynamically select a Partner Agent by semantically matching an incoming task intent against a registry of advertised capabilities. This introduces a semantic control plane that has no equivalent in traditional network security models.¶
Securing the transport channel is therefore necessary but insufficient. Trust decisions in intent-based routing must extend beyond identity to encompass the semantic validity of capability claims and the confidentiality of intent content. A standardized security framework operating at the intent level is required.¶
This document specifies the security architecture, attack surface analysis, and normative security requirements for the intent-based agent routing framework. It covers security mechanisms for the three phases of the routing lifecycle:¶
This document explicitly does not cover:¶
This document provides the following:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following terms are used throughout this document. Terms specific to the base routing framework are defined below for convenience, along with security-specific terms.¶
An agent that initiates a task by submitting an Intent Descriptor to the Agent Gateway. The LA is responsible for generating the intent vector locally, signing intent request messages, and establishing a direct session with the selected Partner Agent after route resolution. Also referred to as Source Agent in related literature.¶
An agent that receives and executes a forwarded task. The PA MUST register its capabilities with the Agent Gateway via an authenticated Capability Advertisement before receiving any task requests. Also referred to as Target Agent in related literature.¶
The infrastructure component that receives intent queries from Leader Agents, performs semantic matching against a registry of authenticated capabilities, and returns a signed routing decision.¶
A declarative expression of a desired outcome. Represented at three conceptual levels:¶
Human Intent: A high-level, possibly ambiguous expression from a human user. Out of scope for this specification.¶
Task Intent: An abstract, task-oriented description of the objective, independent of any specific agent or execution plan.¶
Intent Descriptor: A structured, machine-interpretable representation of Task Intent, used for routing and dispatch decisions within the AG.¶
A numerical embedding of an Intent Descriptor, used by the AG to compute semantic similarity scores against registered Capability Advertisements.¶
A registration message submitted by a Partner Agent to the AG, containing the agent's functional descriptors, supported intent domains, and associated cryptographic attestation.¶
A bounded domain of intent types and functional roles that a Partner Agent is authorized to operate within, as asserted by a Domain Authority credential.¶
A trusted entity that issues Verifiable Credentials binding a Partner Agent's identity to its authorized Semantic Namespace.¶
A cryptographically signed attestation, issued by a Domain Authority, asserting a Partner Agent's identity and its authorized functional roles.¶
A globally unique, cryptographically verifiable identifier that does not require a centralized registry, used for agent identity establishment [DID-CORE].¶
The intent-based agent routing framework involves three primary entities: the Leader Agent (LA), the Agent Gateway (AG), and the Partner Agent (PA). The routing lifecycle is structured into three security-relevant phases: Registration, Resolution, and Dispatch. Security controls are required at each phase boundary.¶
[Domain Authority]
|
(issues VC / validates namespace)
|
[Partner Agent] [Agent Gateway] [Leader Agent]
| | |
| | |
PHASE 1: REGISTRATION | |
======================== | |
[SC-1] mTLS session + | |
VP credential attach --> | |
[SC-2] Verify VP sig + |
namespace scope check |
| <-- ACK (routing table updated) -- |
| | |
PHASE 2: RESOLUTION | |
======================== | |
| <-- [SC-3] Signed |
| intent vector |
[SC-4] Authenticate LA |
+ semantic search |
| -- [SC-5] Signed --> |
| route response |
| |
PHASE 3: DISPATCH | |
======================== | |
| [SC-6] Verify AG sig
| <====== Direct E2E encrypted session ====> |
| (task payload, bypasses AG) |
Security Control Points:¶
| ID | Phase | Location | Security Action |
|---|---|---|---|
| SC-1 | Registration | PA to AG | Mutual TLS session establishment + VP attachment |
| SC-2 | Registration | AG (internal) | VP signature verification + namespace scope check |
| SC-3 | Resolution | LA to AG | LA signs intent vector before submission |
| SC-4 | Resolution | AG (internal) | LA identity verification + filtered semantic search |
| SC-5 | Resolution | AG to LA | AG signs route response as proof of routing |
| SC-6 | Dispatch | LA (internal) | LA verifies AG signature before connecting to PA |
This section analyzes the security vulnerabilities specific to each phase of the routing lifecycle. Each attack surface is assigned a unique identifier used throughout this document to link threats to requirements and process steps.¶
The Registration phase is when Partner Agents publish their capabilities to the AG's routing table. This phase is exposed to the following attack surfaces:¶
An adversary may attempt to register capabilities without holding a valid identity. If the AG accepts unauthenticated CAP_ADV messages, any process can inject arbitrary entries into the routing table, enabling subsequent routing manipulation.¶
A validly authenticated agent may advertise capability vectors that are semantically crafted to match task intents outside its authorized domain. For example, a "Logging Agent" may embed intent vectors artificially aligned with "Financial Audit" tasks to intercept sensitive requests. Standard PKI verifies identity but does not constrain what an agent claims to be able to do.¶
An adversary with access to the AG's routing table management interface may overwrite or delete legitimate routing entries, redirecting traffic to unauthorized agents or causing service denial. Without audit logging, such modifications are undetectable.¶
The Resolution phase is when the LA submits an intent query and the AG performs semantic matching. This phase is exposed to the following attack surfaces:¶
An adversary may flood the AG with unsigned or spoofed intent queries, either to probe the network's capability registry or to exhaust the AG's embedding and vector search resources. This constitutes an Intent Denial of Service (IDoS) attack, targeting the computational cost of the routing logic rather than network bandwidth.¶
The AG requires visibility into the semantic content of the Intent Descriptor to perform similarity matching. This creates an inherent tension with end-to-end confidentiality: the AG must process the intent, but the intent may contain sensitive data (e.g., patient records, proprietary business logic). Without privacy-preserving mechanisms, the AG becomes a single point of failure for data leakage.¶
An adversary performing a man-in-the-middle attack between the AG and the LA may tamper with the returned candidate list, substituting legitimate Partner Agents with malicious endpoints. Without integrity protection on the route response, the LA has no means to verify the routing decision.¶
The Dispatch phase is when the LA uses the routing decision to establish a direct session with the selected PA. This phase is exposed to the following attack surfaces:¶
An adversary may intercept the route response from the AG and substitute a malicious endpoint for the legitimate PA. If the LA does not cryptographically verify the AG's routing decision, it will establish a session with the attacker's endpoint and transmit the task payload to an unauthorized party.¶
If the task payload is transmitted through or via the AG rather than directly to the PA, the AG becomes a potential point of cleartext exposure for sensitive data. The payload must not traverse any intermediary that is not the intended recipient.¶
This section specifies the normative security requirements for intent-based agent routing. Requirements are organized by routing phase, corresponding to the attack surfaces identified in Section 3. Implementations MUST satisfy all requirements marked MUST to be considered compliant with this specification.¶
Applicable attack surfaces: AS-R-01, AS-R-02, AS-R-03¶
The AG MUST enforce mutual TLS (mTLS) for all CAP_ADV registration sessions. Unauthenticated agents MUST NOT be permitted to submit capability advertisements or query the routing table.¶
Addresses: AS-R-01¶
A CAP_ADV message MUST include a Verifiable Presentation (VP) issued by a trusted Domain Authority. The VP MUST cryptographically bind the PA's public key to its authorized Semantic Namespace. The AG MUST verify the VP signature before accepting any registration.¶
Addresses: AS-R-02¶
The AG MUST perform a semantic scope check on the advertised intent vector. If the vector falls outside the authorized namespace defined in the PA's VP, the AG MUST reject the registration and return an appropriate error response.¶
Addresses: AS-R-02¶
All routing table modification events (registration, refresh, deregistration) MUST be recorded in a tamper-evident audit log. The log MUST capture the agent identity, timestamp, and operation type to enable detection of unauthorized routing table changes.¶
Addresses: AS-R-03¶
Applicable attack surfaces: AS-Q-01, AS-Q-02, AS-Q-03¶
The AG MUST verify the digital signature on every intent request message before performing any semantic search. Unsigned or invalidly signed queries MUST be rejected with an AUTH_FAILED error. This prevents unauthenticated probing and mitigates IDoS by tying query admission to verified identities.¶
Addresses: AS-Q-01¶
The LA SHOULD separate the intent query into two components: (a) Routing Metadata (intent vector and constraints), transmitted to the AG; and (b) Task Payload (sensitive data), retained locally. The Task Payload MUST NOT be transmitted to the AG. Only the Routing Metadata is used for semantic matching.¶
Addresses: AS-Q-02¶
The AG SHALL support at least one privacy-preserving intent matching mechanism, such as computation over encrypted vectors using Homomorphic Encryption (HE) or semantic matching performed within a Trusted Execution Environment (TEE). This allows the AG to perform similarity scoring without access to plaintext intent content.¶
Addresses: AS-Q-02¶
The AG MUST digitally sign all route responses using its private key before returning them to the LA. The signature MUST cover the Partner Agent identifier, endpoint URI, and response timestamp, providing a cryptographically verifiable proof of routing decision.¶
Addresses: AS-Q-03¶
Applicable attack surfaces: AS-D-01, AS-D-02¶
Upon receiving a route response, the LA MUST verify the AG's digital signature before establishing any session with the indicated PA. If verification fails, the LA MUST abort the session and report an error.¶
Addresses: AS-D-01¶
The LA MUST establish a direct, end-to-end encrypted session (e.g., TLS 1.3 [RFC8446] or QUIC [RFC9000]) with the selected PA for task payload transmission. The task payload MUST NOT be routed through the AG. The AG MUST NOT have access to the plaintext task payload.¶
Addresses: AS-D-02¶
All signaling traffic between any two entities (LA to AG, PA to AG) MUST be transmitted over encrypted channels (TLS 1.3 or equivalent). This applies to capability advertisements, intent queries, and route responses.¶
Addresses: AS-R-01, AS-Q-01, AS-D-01 (baseline for all phases)¶
This section describes the normative operational procedure for secure intent-based agent routing. The process is decomposed into three phases: Registration, Resolution, and Dispatch for security analysis purposes.¶
Steps are numbered continuously (Steps 1-11) to correspond directly to the interaction flow diagram in Section 6.¶
Applicable requirements: REQ-R-01, REQ-R-02, REQ-R-03, REQ-R-04, REQ-D-03¶
This phase establishes the trust domain. All Partner Agents MUST complete registration before any routing requests can be resolved to them.¶
Step 3 - AG Validation: The AG performs two verification steps in sequence:¶
(a) Signature Verification: The AG verifies the cryptographic signature of the attached VP. If the signature is invalid, the registration MUST be rejected.¶
(b) Namespace Scope Check: The AG verifies that the advertised intent vector falls within the Semantic Namespace asserted by the VP. If the vector is out of scope, the registration MUST be rejected.¶
(REQ-R-02, REQ-R-03)¶
Applicable requirements: REQ-Q-01, REQ-Q-02, REQ-Q-03, REQ-Q-04, REQ-D-03¶
This phase is triggered when a registered LA submits a semantic intent query.¶
Applicable requirements: REQ-D-01, REQ-D-02, REQ-D-03¶
This phase transfers the routing decision into a secure execution connection. The AG does not participate in this phase beyond having issued the signed route response.¶
This section presents the complete annotated message sequence for secure intent-based agent routing. Each step in the diagram corresponds to the numbered steps in Section 5. Security requirements satisfied at each step are indicated in brackets.¶
[Partner Agent] [Agent Gateway] [Leader Agent]
| | |
--- PHASE 1: TRUSTED REGISTRATION ---------------------------
| | |
(1) |--- mTLS ClientHello -->| |
|<-- mTLS ServerHello ---| [REQ-R-01, REQ-D-03] |
| | |
(2) |--- CAP_ADV | |
| + Intent Vector | |
| + VP (signed by DA) >| [REQ-R-02] |
| | |
| (3a) Verify VP signature [REQ-R-02] |
| (3b) Namespace scope check [REQ-R-03] |
| | |
(4) |<-- Registration ACK ---| |
| (Routing table updated + audit log) |
| | [REQ-R-04] |
| | |
--- PHASE 2: PRIVACY-PRESERVING RESOLUTION ------------------
| | |
| | (5) Intent Minimization |
| | [Routing Metadata |
| | separated from |
| | Task Payload] |
| | [REQ-Q-02] |
| | |
| |<---- Intent Request |
(6) | | [Signed Vector Only] |
| | [REQ-Q-01, REQ-D-03] |
| | |
| (7a) Verify LA signature [REQ-Q-01] |
| (7b) Semantic search + |
| trust-scope filtering [REQ-Q-03] |
| | |
(8) | |--- Route Response -------->|
| | [PA ID + Endpoint + |
| | AG Signature] |
| | [REQ-Q-04] |
| | |
--- PHASE 3: VERIFIABLE DISPATCH ---------------------------
| | |
| | (9) Verify AG signature |
| | [REQ-D-01] |
| | |
(10) |<======== Direct TLS 1.3 / QUIC Session ==============>|
| [E2E Encrypted, AG not involved] |
| [REQ-D-02, REQ-D-03] |
| | |
(11) |<======== Task Payload Transmission ================>|
| [Plaintext never exposed to AG] |
| [REQ-D-02] |
| | |
Requirement Coverage Summary:¶
| Step | Description | Requirements Satisfied |
|---|---|---|
| 1 | mTLS session establishment | REQ-R-01, REQ-D-03 |
| 2 | CAP_ADV with VP submission | REQ-R-02 |
| 3a | VP signature verification | REQ-R-02 |
| 3b | Namespace scope check | REQ-R-03 |
| 4 | Routing table update + audit log | REQ-R-04 |
| 5 | Intent minimization | REQ-Q-02 |
| 6 | Signed intent request submission | REQ-Q-01, REQ-D-03 |
| 7a | LA signature verification | REQ-Q-01 |
| 7b | Semantic search + trust filtering | REQ-Q-03 |
| 8 | Signed route response | REQ-Q-04 |
| 9 | AG signature verification by LA | REQ-D-01 |
| 10 | Direct E2E session establishment | REQ-D-02, REQ-D-03 |
| 11 | Task payload delivery | REQ-D-02 |
Intent-based agent routing introduces a semantic control plane for which traditional transport-layer security is insufficient. This document has defined a security architecture by analyzing the attack surfaces specific to each routing phase, establishing normative requirements mapped directly to those surfaces, and specifying a secure operational process with a fully annotated interaction flow.¶
The attack surface identifiers, requirement identifiers, process steps, and flow diagram steps maintain strict correspondence throughout, enabling implementers to trace any security property from its threat origin to its operational realization.¶
This memo includes no request to IANA.¶
This document specifies comprehensive security requirements for intent-based agent routing systems. The security considerations are fully addressed through the requirements and processes defined in Sections 3 through 6 of this document. All security controls are mandatory for compliant implementations unless explicitly marked as SHOULD or MAY.¶
Key security properties ensured by this specification include:¶
This document is the product of research conducted at the Institute of Computing Technology, Chinese Academy of Sciences.¶