c/ietf-draft-analyzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add draft data, gap analysis report, and workspace config
Some checks failed
CI / test (3.11) (push) Failing after 1m37s
Details
CI / test (3.12) (push) Failing after 57s
Details

Browse Source
This commit is contained in:
Christian Nennemann
2026-04-06 18:47:15 +02:00
parent 4f310407b0
commit 2506b6325a
189 changed files with 62649 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

465
workspace/drafts/gap-analysis/draft-nennemann-agent-problem-statement-00.md Normal file
View File

@@ -0,0 +1,465 @@
---
title: "Problem Statement for Autonomous Agent Protocol Gaps"
abbrev: "Agent Problem Statement"
category: info
docname: draft-nennemann-agent-problem-statement-00
area: "OPS"
workgroup: "NMOP"
submissiontype: IETF
v: 3
author:
- fullname: Christian Nennemann
organization: Independent Researcher
email: ietf@nennemann.de
normative:
RFC2119:
RFC8174:
informative:
RFC9334:
RFC9110:
I-D.nennemann-wimse-ect:
title: "Execution Context Tokens for Distributed Agentic Workflows"
target: https://datatracker.ietf.org/doc/draft-nennemann-wimse-ect/
I-D.nennemann-agent-dag-hitl-safety:
title: "Agent Context Policy Token: DAG Delegation with Human Override"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-dag-hitl-safety/
I-D.nennemann-exec-audit:
title: "Cross-Domain Execution Audit Tokens"
target: https://datatracker.ietf.org/doc/draft-nennemann-exec-audit/
I-D.nennemann-agent-behavioral-verification:
title: "Agent Behavioral Verification and Performance Benchmarking"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-behavioral-verification/
I-D.nennemann-agent-cascade-prevention:
title: "Agent Failure Cascade Prevention and Rollback"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-cascade-prevention/
I-D.nennemann-agent-consensus:
title: "Multi-Agent Consensus and Capability Negotiation Protocols"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-consensus/
I-D.nennemann-agent-cross-domain-audit:
title: "Cross-Domain Agent Audit Trails and Resource Accounting"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-cross-domain-audit/
I-D.nennemann-agent-override-protocol:
title: "Standardized Human Override Protocol for Autonomous Agents"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-override-protocol/
I-D.nennemann-agent-federation-privacy:
title: "Federated Agent Learning Privacy and Cross-Protocol Migration"
target: https://datatracker.ietf.org/doc/draft-nennemann-agent-federation-privacy/
ARXIV-GAP:
title: "Gap Analysis for Autonomous Agent Protocols in the IETF Landscape"
author:
- fullname: Christian Nennemann
date: 2025
target: https://arxiv.org/abs/2507.02492
--- abstract
The IETF autonomous agent landscape spans over 260 drafts
touching agent communication, identity, safety, and
operations, yet critical gaps remain where standardization
is absent or insufficient. This document provides a
condensed problem statement identifying eleven protocol
gaps, classifies them by severity, and maps them to a
suite of companion drafts that form a coherent solution
framework. It is intended as an actionable reference for
working group chairs, area directors, and protocol
designers evaluating where autonomous-agent standardization
efforts should focus.
--- middle
# Introduction
Autonomous software agents are moving from research
prototypes to production deployments in network management,
cloud orchestration, supply-chain logistics, and AI-driven
workflows. A survey of IETF work reveals over 260 drafts
relevant to agent capabilities, yet no single reference
architecture ties them together. Several critical
capabilities -- runtime behavioral verification, failure
cascade prevention, cross-vendor human override -- lack
any standardization at all.
This document distills the findings of a comprehensive
gap analysis {{ARXIV-GAP}} into an actionable problem
statement. It identifies eleven gaps, groups them by
severity, and presents a solution roadmap of nine
companion drafts. The full analysis, including a survey
of existing IETF work across WIMSE, RATS, OAuth/GNAP,
SCITT, and NMOP, is available in
{{I-D.nennemann-agent-dag-hitl-safety}} and the
companion arXiv paper {{ARXIV-GAP}}.
The intended audience is working group chairs, area
directors, and protocol designers who need a concise
summary of what is missing and what to build next.
# Terminology
{::boilerplate bcp14-tagged}
The following terms are used throughout this document:
Agent:
: A software component that acts on behalf of a principal
(human or organizational) to perform tasks autonomously.
ECT (Execution Context Token):
: A cryptographically signed token carrying execution
context for an agent action.
See {{I-D.nennemann-wimse-ect}}.
ACP (Agent Context Policy):
: A policy specifying permitted behaviors, resource limits,
and escalation rules for an agent.
See {{I-D.nennemann-agent-dag-hitl-safety}}.
HITL (Human-in-the-Loop):
: A control pattern requiring human approval before an
agent action takes effect.
Cascade Failure:
: A failure mode where an error in one agent propagates
through a multi-agent workflow, causing successive
agents to fail.
Override Signal:
: A message from a human operator instructing an agent
to halt, modify, or roll back its current action.
# Problem Landscape
The autonomous agent ecosystem can be organized into four
layers, each with distinct standardization gaps. The
following diagram presents this reference architecture:
~~~ ascii-art
+-------------------------------------------------------------+
| HUMAN OPERATORS |
| [Override & HITL Layer -- GAP 7] |
+-------------------------------------------------------------+
| AGENT INTERACTION LAYER |
| +---------+ +---------+ +---------+ +---------+ |
| | Agent A |<>| Agent B |<>| Agent C |<>| Agent D | |
| +----+----+ +----+----+ +----+----+ +----+----+ |
| | GAP 3: | GAP 10: | GAP 1: | |
| | Consensus | Cap.Neg. | Behav. | |
| | | | Verif. | |
+-------+------------+------------+------------+--------------+
| EXECUTION LAYER (ECT) |
| DAG Execution | Checkpoints | Rollback | Circuit Breakers |
| [GAP 2: Cascade Prevention] [GAP 4: Rollback] |
+-------------------------------------------------------------+
| POLICY & GOVERNANCE LAYER |
| ACP-DAG-HITL | Trust Scoring | Assurance Profiles |
| [GAP 5: Federated Privacy] [GAP 6: Cross-Domain Audit] |
+-------------------------------------------------------------+
| INFRASTRUCTURE LAYER |
| Identity | Discovery | Registration | Protocol Bridges |
| [GAP 8: Cross-Protocol] [GAP 9: Resource Accounting] |
| [GAP 11: Performance Benchmarking] |
+-------------------------------------------------------------+
~~~
{: #fig-arch title="Agent Ecosystem Reference Architecture"}
Human Operators Layer:
: Provides override and human-in-the-loop controls.
Gap 7 addresses the absence of a cross-vendor override
protocol.
Agent Interaction Layer:
: Where agents communicate, negotiate capabilities
(Gap 10), reach consensus (Gap 3), and undergo
behavioral verification (Gap 1).
Execution Layer:
: Manages DAG-based workflows with cascade prevention
(Gap 2) and rollback (Gap 4), built on Execution
Context Tokens {{I-D.nennemann-wimse-ect}}.
Policy and Governance Layer:
: Enforces privacy in federated learning (Gap 5) and
cross-domain audit trails (Gap 6).
Infrastructure Layer:
: Handles identity, discovery, cross-protocol migration
(Gap 8), resource accounting (Gap 9), and performance
benchmarking (Gap 11).
# Critical Gaps
## CRITICAL Severity
### Gap 1: Agent Behavioral Verification
No standardized mechanism exists for runtime verification
of agent policy compliance. RATS {{RFC9334}} covers
platform attestation but not behavioral conformance.
Without this, operators cannot detect drifted, compromised,
or out-of-bounds agents -- especially dangerous in
multi-agent workflows where one misbehaving agent corrupts
downstream results.
Addressed by {{I-D.nennemann-agent-behavioral-verification}}.
### Gap 2: Agent Failure Cascade Prevention
Multi-agent dependency chains lack standardized circuit
breakers, failure isolation, or cascade containment.
Current ad-hoc timeout and retry logic is neither
interoperable nor sufficient for DAG-structured workflows.
A single agent failure can cascade through an entire
deployment with no automated containment.
Addressed by {{I-D.nennemann-agent-cascade-prevention}}.
## HIGH Severity
### Gap 3: Multi-Agent Consensus Protocols
No standardized consensus protocol exists for
heterogeneous agents with different capabilities, trust
levels, and policy constraints. Distributed systems
consensus (Raft, Paxos) does not address agent-specific
semantics like weighted voting and capability-based
participation. Multi-vendor coordination remains
impossible without proprietary mechanisms.
Addressed by {{I-D.nennemann-agent-consensus}}.
### Gap 4: Real-Time Agent Rollback
No generalized rollback mechanism exists for autonomous
agent actions. Protocol-specific approaches (e.g.,
NETCONF confirmed-commit) do not extend to arbitrary
agent actions or coordinated multi-agent rollbacks.
Operators cannot safely deploy agents for critical
operations without manual intervention for every action.
Addressed by {{I-D.nennemann-agent-cascade-prevention}}.
### Gap 5: Federated Agent Learning Privacy
Agents sharing operational data across domains need
privacy guarantees beyond transport encryption:
differential privacy parameters, data minimization for
shared telemetry, and consent management. Without these,
organizations face unacceptable privacy risks in
federated agent ecosystems.
Addressed by {{I-D.nennemann-agent-federation-privacy}}.
### Gap 6: Cross-Domain Agent Audit Trails
No standardized format exists for cross-domain audit
trails that preserve causal ordering and provide
tamper-evident logging. Execution Audit Tokens
{{I-D.nennemann-exec-audit}} provide per-action records,
but aggregation and correlation across domains remain
undefined. Compliance requirements for automated
decision-making make this urgent.
Addressed by {{I-D.nennemann-agent-cross-domain-audit}}.
### Gap 7: Human Override Standardization
No cross-vendor protocol exists for sending override
signals (emergency stop, graceful pause, forced rollback)
to running agents. ACP-DAG-HITL
{{I-D.nennemann-agent-dag-hitl-safety}} defines when
human approval is required but not how to deliver
override signals. This is a fundamental safety gap.
Addressed by {{I-D.nennemann-agent-override-protocol}}.
## MEDIUM Severity
### Gap 8: Cross-Protocol Agent Migration
Agents migrating between protocol environments (e.g.,
A2A to MCP) have no standard for preserving execution
context, identity, and state across protocol boundaries.
ECT {{I-D.nennemann-wimse-ect}} provides a
protocol-neutral token but not migration procedures.
Addressed by {{I-D.nennemann-agent-federation-privacy}}.
### Gap 9: Agent Resource Accounting and Billing
No mechanism exists for tracking and reconciling agent
resource consumption across administrative domains.
This is a prerequisite for sustainable multi-domain
agent ecosystems with cost attribution.
Addressed by {{I-D.nennemann-agent-cross-domain-audit}}.
### Gap 10: Agent Capability Negotiation
Agents lack a standardized protocol to dynamically
advertise functions, agree on interaction protocols,
and establish compatible parameters. HTTP content
negotiation {{RFC9110}} provides basic discovery but
not agent-specific capability semantics.
Addressed by {{I-D.nennemann-agent-consensus}}.
### Gap 11: Agent Performance Benchmarking
No standardized metrics or methodology exists for
evaluating agent performance across dimensions of
accuracy, latency, resource efficiency, safety
compliance, and behavioral consistency.
Addressed by {{I-D.nennemann-agent-behavioral-verification}}.
# Solution Roadmap
## Companion Draft Mapping
The following table maps each companion draft to the
gaps it addresses:
| Companion Draft | Gaps Addressed | Priority |
|:---|:---:|:---:|
| {{I-D.nennemann-wimse-ect}} | Foundation | CRITICAL |
| {{I-D.nennemann-agent-dag-hitl-safety}} | Foundation | CRITICAL |
| {{I-D.nennemann-exec-audit}} | Foundation | HIGH |
| {{I-D.nennemann-agent-behavioral-verification}} | 1, 11 | CRITICAL |
| {{I-D.nennemann-agent-cascade-prevention}} | 2, 4 | CRITICAL |
| {{I-D.nennemann-agent-consensus}} | 3, 10 | HIGH |
| {{I-D.nennemann-agent-cross-domain-audit}} | 6, 9 | HIGH |
| {{I-D.nennemann-agent-override-protocol}} | 7 | HIGH |
| {{I-D.nennemann-agent-federation-privacy}} | 5, 8 | HIGH |
{: #tab-roadmap title="Companion Draft to Gap Mapping"}
## Companion Draft Summaries
ECT ({{I-D.nennemann-wimse-ect}}):
: Defines Execution Context Tokens that carry task
identity, delegated authority, and constraints across
agent boundaries. Foundational for all other drafts.
ACP-DAG-HITL ({{I-D.nennemann-agent-dag-hitl-safety}}):
: Specifies Agent Context Policy tokens for DAG-based
delegation with human-in-the-loop safety gates.
Foundational for policy enforcement across all gaps.
Execution Audit ({{I-D.nennemann-exec-audit}}):
: Defines per-action audit tokens for tamper-evident
recording of agent actions. Foundation for
cross-domain audit trails.
Behavioral Verification ({{I-D.nennemann-agent-behavioral-verification}}):
: Defines behavioral profiles, verification evidence
formats, and appraisal procedures for runtime agent
compliance. Addresses Gaps 1 and 11.
Cascade Prevention ({{I-D.nennemann-agent-cascade-prevention}}):
: Specifies circuit breakers, failure isolation,
checkpointing, and rollback mechanisms for multi-agent
workflows. Addresses Gaps 2 and 4.
Consensus ({{I-D.nennemann-agent-consensus}}):
: Defines protocols for multi-agent agreement with
weighted voting, capability negotiation, and
policy-constrained proposals. Addresses Gaps 3 and 10.
Cross-Domain Audit ({{I-D.nennemann-agent-cross-domain-audit}}):
: Specifies audit trail aggregation, correlation, and
query across administrative domains, plus resource
accounting. Addresses Gaps 6 and 9.
Override Protocol ({{I-D.nennemann-agent-override-protocol}}):
: Defines a cross-vendor protocol for emergency stop,
graceful pause, parameter modification, and forced
rollback signals. Addresses Gap 7.
Federation Privacy ({{I-D.nennemann-agent-federation-privacy}}):
: Specifies privacy-preserving mechanisms for federated
agent learning and cross-protocol migration procedures.
Addresses Gaps 5 and 8.
## Dependencies
The companion drafts have the following dependency
structure:
~~~ ascii-art
behavioral-verification ---+
| |
v |
cascade-prevention |
| |
v v
override-protocol cross-domain-audit
| |
v v
consensus federation-privacy
~~~
{: #fig-deps title="Companion Draft Dependencies"}
Behavioral verification is foundational: its attestation
format is consumed by cascade prevention and cross-domain
audit. Cascade prevention defines failure containment
that override protocol builds upon. Consensus extends
behavioral verification with multi-agent agreement.
Cross-domain audit provides the infrastructure that
federation privacy adds privacy controls to.
# Recommended Prioritization
Work should proceed in three phases:
Phase 1 -- Safety Foundation (Immediate):
: Behavioral Verification (Gaps 1, 11) and Cascade
Prevention (Gaps 2, 4). These are CRITICAL severity
gaps with direct safety implications. Without runtime
verification and failure containment, no autonomous
agent deployment can be considered safe.
Phase 2 -- Control and Accountability (Near-term):
: Human Override (Gap 7) and Cross-Domain Audit (Gaps 6, 9).
Override capability is a prerequisite for any production
deployment. Audit trails are required for regulatory
compliance in enterprise environments.
Phase 3 -- Interoperability and Scale (Medium-term):
: Consensus (Gaps 3, 10) and Federation Privacy (Gaps 5, 8).
These enable multi-vendor and multi-domain agent
ecosystems but depend on the safety and accountability
foundations from Phases 1 and 2.
# Security Considerations
The gaps identified in this document have cross-cutting
security implications:
- Behavioral Verification (Gap 1): Without runtime
verification, compromised agents exploit trusted
identities to perform unauthorized actions undetected.
- Cascade Prevention (Gap 2): Absence of containment
creates a denial-of-service vector where compromising
a single agent disrupts entire multi-agent workflows.
- Human Override (Gap 7): Without a standard override
protocol, safety-critical agent actions may not be
stoppable in emergency situations.
- Cross-Domain Audit (Gap 6): Audit trail gaps across
domain boundaries enable agents to evade detection
and accountability.
- Federated Privacy (Gap 5): Sharing agent data across
domains without privacy controls exposes network
topology, operational patterns, and business logic.
Implementers of autonomous agent systems SHOULD treat
the CRITICAL and HIGH severity gaps as security
requirements and prioritize their resolution. The
companion drafts each contain detailed security
considerations specific to their scope.
# IANA Considerations
This document has no IANA actions.
--- back
# Acknowledgments
The author thanks the participants of the WIMSE, RATS,
and NMOP working groups for discussions that informed
this analysis. The full gap analysis is available as
{{ARXIV-GAP}}.