%% You should probably cite draft-howard-virp-05 instead of this revision. @techreport{howard-virp-04, number = {draft-howard-virp-04}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-howard-virp/04/}, author = {Nathan Howard}, title = {{VIRP: Verified Infrastructure Response Protocol}}, pagetotal = 33, year = , month = , day = , abstract = {The Verified Infrastructure Response Protocol (VIRP) defines a cryptographic trust framework for agentic AI systems operating on live network infrastructure. As AI agents gain the capability to autonomously configure, audit, and remediate production systems, the absence of a verifiable chain of custody for observations and actions introduces fundamental risks: fabricated telemetry, unauthorized state changes, and the inability to distinguish legitimate AI- initiated operations from compromise. VIRP addresses this through seven trust primitives that collectively enforce observation integrity, intent separation, action authorization, outcome verification, baseline memory, multi-vendor normalization, and agent process containment. Observations are cryptographically signed at collection time using Ed25519 asymmetric signatures. A two-channel architecture separates read-only Observation from write-intent Intent, with intent gating enforced at the protocol layer. Trust tiers (GREEN/YELLOW/RED/BLACK) govern action authorization with human-in-the-loop controls for elevated operations. This paper presents the protocol specification, a live multi-vendor implementation (IronClaw) tested against 35 Cisco IOS routers, a FortiGate 200G firewall, and Cisco 3850 switching infrastructure, adversarial red team findings produced by the AI agent itself, and a two-VM containment architecture derived from agent-identified security gaps. Results demonstrate that VIRP enables mathematically verifiable infrastructure audit trails and that properly contained AI agents exhibit self-reinforcing safety behavior when operating within the protocol boundaries.}, }