IPv6 Networking Considerations for AI Agent Communication
draft-yu-ai-agent-ipv6-networking-considerations-01
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Haisheng Yu | ||
| Last updated | 2026-06-01 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-yu-ai-agent-ipv6-networking-considerations-01
Internet Engineering Task Force H. Yu
Internet-Draft China Internet Network Information Center
Intended status: Informational 2 June 2026
Expires: 4 December 2026
IPv6 Networking Considerations for AI Agent Communication
draft-yu-ai-agent-ipv6-networking-considerations-01
Abstract
AI agents are increasingly expected to communicate across platforms,
organizations, clouds, edge environments, and administrative domains.
Current agent-related mechanisms mainly focus on description,
discovery, identity, authentication, authorization, tool invocation,
and application-layer collaboration. These mechanisms are important,
but they often treat the IP network as a transparent connectivity
substrate.
This document describes networking problems that arise when AI agents
perform cross-domain communication and continuous tool, API, data,
and agent-to-agent calls. It focuses on problem description rather
than a protocol solution. In particular, it discusses gaps related
to agent identity visibility at the network layer, path control,
audit continuity, the separation of discovery from addressing and
authorization, and privacy and privilege risks introduced by highly
autonomous agents.
The document positions Agent6 as a problem space for network support
of cross-domain AI agent collaboration. It does not define a new
agent discovery protocol, a new application-layer collaboration
protocol, a new authentication or authorization mechanism, or a new
IPv6 extension header.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Yu Expires 4 December 2026 [Page 1]
Internet-Draft AI Agent IPv6 June 2026
This Internet-Draft will expire on 4 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Conventions Used in This Document . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Scope and Non-Goals . . . . . . . . . . . . . . . . . . . . . 3
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Background: From Training Networks to Agent Operation . . . . 4
6. Implications for Agent6 . . . . . . . . . . . . . . . . . . . 5
7. Current Agent Access and Invocation Flow . . . . . . . . . . 6
8. Core Problems in Current Agent Interconnection . . . . . . . 7
8.1. Lack of Agent Identity Visibility at the Network Layer . 7
8.2. Limited Control over IP Paths . . . . . . . . . . . . . . 8
8.3. Incomplete Audit Chains . . . . . . . . . . . . . . . . . 8
8.4. Separation of Registration, Discovery, Addressing, and
Authorization . . . . . . . . . . . . . . . . . . . . . . 9
8.5. Privacy and Privilege Risks from Highly Autonomous
Agents . . . . . . . . . . . . . . . . . . . . . . . . . 9
9. Summary of the Agent6 Problem Space . . . . . . . . . . . . . 10
10. Security Considerations . . . . . . . . . . . . . . . . . . . 10
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
13. Normative References . . . . . . . . . . . . . . . . . . . . 11
14. Informative References . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Yu Expires 4 December 2026 [Page 2]
Internet-Draft AI Agent IPv6 June 2026
2. Introduction
AI agents are moving from isolated application components toward
large-scale, cross-domain collaboration. An agent may plan a task,
invoke tools, access data, call APIs, communicate with other agents,
and act on behalf of a user, organization, or system. As these
behaviors become more continuous and autonomous, agent communication
becomes not only an application-layer issue, but also an Internet
infrastructure issue.
Recent discussions in the Internet operations community have raised a
broader question: whether the Internet infrastructure is ready for
the next phase of AI. A key observation from these discussions is
that the main pressure is shifting from centralized model training
toward continuous inference and agent operation. Future traffic may
be shaped by high-frequency small flows, chained API calls,
background agent access, local inference, local policy enforcement,
local audit, and edge-side coordination.
AI infrastructure also includes compute, power, data centers, data
placement, scheduling systems, and governance. However, the network
remains a necessary substrate for agent interaction. If agents
become a common way to access services, tools, data, and other
agents, the Internet will increasingly carry communication that is
initiated, chained, and adapted by software agents rather than
directly by human users through browsers or applications.
In this context, Agent6 is not intended to be a closed new protocol
or a replacement for existing agent frameworks. It is better
understood as a problem space for the network support layer required
by cross-domain AI agent collaboration. The central question is how
the network can remain observable, governable, and interoperable when
agent communication becomes more autonomous, distributed, and cross-
domain.
3. Scope and Non-Goals
This document focuses on problem description for AI agent networking.
It discusses why existing application-layer mechanisms, by
themselves, may be insufficient to provide network-level identity
visibility, path accountability, audit continuity, discovery-to-
reachability association, and privacy-aware governance.
This document does not define:
* a new agent discovery protocol;
* a new application-layer agent collaboration protocol;
Yu Expires 4 December 2026 [Page 3]
Internet-Draft AI Agent IPv6 June 2026
* a new authentication, authorization, or delegation protocol;
* a new replacement for DNS, HTTPS, OAuth, OIDC, DID, WIMSE, RATS,
SCITT, A2A, MCP, RDAP, or audit frameworks;
* a general-purpose semantic routing protocol;
* a requirement that ordinary Internet routers understand agent
semantics, prompts, tasks, or application payloads;
* a new IPv6 extension header, SRv6 behavior, or packet encoding.
4. Terminology
Agent:
A software entity that can perceive context, reason, plan, invoke
tools, communicate with other agents, and perform tasks on behalf
of a user, organization, or system.
Agent Identifier:
A stable identifier used to identify an agent independently from
its current network location.
Agent Gateway:
A gateway or mediation point that provides controlled access to
one or more agents, agent services, tools, APIs, or related policy
functions.
Agent Domain:
An administrative or operational domain in which agents, gateways,
registries, policy systems, audit systems, or network functions
are managed under a common authority.
Agent Communication:
Communication initiated by, received by, or mediated for an agent,
including tool calls, API calls, data access, agent-to-agent
calls, and gateway-mediated interactions.
5. Background: From Training Networks to Agent Operation
Early AI infrastructure discussions often emphasized the network
requirements of large-scale model training. Training workloads may
involve very large data transfers inside data centers or between
training clusters. Agent operation introduces a different traffic
pattern. It may involve many small, frequent, chained, and
automatically generated requests across tools, APIs, data sources,
gateways, and other agents.
Yu Expires 4 December 2026 [Page 4]
Internet-Draft AI Agent IPv6 June 2026
This shift changes the operational problem. Traffic volume remains
relevant, but flow shape, locality, observability, access control,
auditability, and policy correlation become equally important. Agent
traffic may be generated in the background, may traverse multiple
administrative domains, and may depend on intermediate gateways or
registries that are not visible in traditional endpoint-based
measurements.
Locality is also becoming more important. Local agent gateways,
local inference, local audit, local policy execution, and local data
handling may reduce latency, reduce cross-domain exposure, and
support jurisdictional or enterprise controls. At the same time,
excessive localization or incompatible agent-specific infrastructures
could increase fragmentation if there is no interoperable Internet-
facing model.
These observations suggest that the key issue is not whether a single
new protocol can solve all agent communication problems. The issue
is whether the existing Internet protocol stack, identity systems,
registries, gateways, audit systems, and network policy mechanisms
can be coherently related when autonomous agents communicate across
domains.
6. Implications for Agent6
The above background leads to several implications for the Agent6
problem space.
First, the focus needs to move from training networks alone to
inference and agent collaboration networks. Future networks may need
to support not only large flows between model training facilities,
but also agent-to-agent interactions, tool calls, API access, and
cross-domain reachability.
Second, the discussion needs to move from total traffic growth alone
to traffic shape change. Agent traffic may consist of large numbers
of small flows, high-frequency calls, chained invocations, and
automated background access. This makes measurement, observability,
and policy recognition more difficult.
Third, the architecture needs to account for local inference and
Agent Gateways. Not all agent collaboration will return to a remote
central cloud. Some interactions will depend on local exchange,
local policy execution, local audit, local data controls, and edge-
side inference.
Yu Expires 4 December 2026 [Page 5]
Internet-Draft AI Agent IPv6 June 2026
Fourth, the problem is a multi-technology governance problem rather
than a single-protocol design problem. DNS, HTTPS, OAuth, WIMSE,
RDAP, A2A, MCP, DAWN, AUDIT, SCITT, RATS, IPv6, SRv6, and related
mechanisms may all appear in different parts of the agent interaction
lifecycle.
Fifth, Agent6 should be considered in terms of open interoperability.
A closed agent networking system could create new agent islands and
contribute to Internet fragmentation. The problem space therefore
needs to consider distributed deployment, cross-domain operation, and
fallback to existing Internet mechanisms.
Agent6 should therefore not be framed as an AI use case invented to
promote IPv6. It is more accurately framed as the network support
layer problem created by cross-domain AI agent collaboration.
7. Current Agent Access and Invocation Flow
Current agent access or invocation is usually not a single network
transaction. It is a compound process that involves application
entry points, discovery mechanisms, registries, credentials,
gateways, network connections, logs, and later investigation.
A simplified flow is as follows:
1. A user, application, browser, mobile application, or agent client
identifies a task objective or service need.
2. The client finds a stable entry point using mechanisms such as
DNS, DNSSEC, SVCB or HTTPS resource records, or well-known
locations.
3. The client reads an agent description, such as an A2A Agent Card,
ANP Agent Description, MCP server metadata, or a similar
description object.
4. The client or platform queries a registry or identity
registration system, such as an MCP Registry, Agent Registry, DID
Registry, or enterprise directory.
5. The client obtains runtime credentials and authorization material
through mechanisms such as OAuth 2.0, OIDC, WIMSE, SPIFFE or
SPIRE, JWT, or mutual TLS.
6. The client selects a reachable instance, Agent Gateway, Discovery
Service, Service Mesh endpoint, or API Gateway.
Yu Expires 4 December 2026 [Page 6]
Internet-Draft AI Agent IPv6 June 2026
7. The client establishes network connectivity using IP, TLS, QUIC,
HTTP, gateway mediation, service mesh mechanisms, or other
transport and network mechanisms.
8. The involved systems generate logs, telemetry, traces, or audit
records.
9. If a dispute, incident, or compliance review occurs, operators
attempt to reconstruct what was called, by whom, through which
path, under which policy, and with what result.
This flow shows that agent access is assembled from multiple
protocols and platform mechanisms. Discovery, description, registry
lookup, credential issuance, gateway selection, network reachability,
and audit are often handled by separate systems. The networking
problem appears most clearly at the point where an authorized and
discovered agent interaction becomes actual network traffic.
8. Core Problems in Current Agent Interconnection
Based on the flow described above, this document identifies five core
problems in current mainstream agent interconnection.
8.1. Lack of Agent Identity Visibility at the Network Layer
Current identity and authentication mechanisms mainly operate at the
application layer. Examples include accounts, API keys, OAuth
tokens, OIDC assertions, JWTs, workload identities, and TLS
certificates. These mechanisms can authenticate a user, workload,
service, client, or session, but the network commonly observes only
IP addresses, ports, transport protocols, and flow behavior.
As a result, the network often cannot distinguish the agent subject
behind a connection, the organization responsible for that agent, the
type of task being performed, or the trust level associated with the
interaction. A gateway or application may know this information, but
ordinary network elements and cross-domain operators usually do not
have a consistent way to correlate it with the flow.
This creates a separation between identity authentication and network
operation. A connection may be authenticated at an application
endpoint while path control, network policy enforcement, traffic
measurement, and audit reconstruction remain based on locator-level
information. For agent communication, this separation becomes more
significant because a single agent may perform many delegated actions
across many services and domains.
Yu Expires 4 December 2026 [Page 7]
Internet-Draft AI Agent IPv6 June 2026
8.2. Limited Control over IP Paths
Traditional IP forwarding is primarily based on destination
reachability and dynamic routing. This model is efficient and
scalable, but it is not naturally organized around agent task levels,
data sensitivity, latency objectives, safety requirements, audit
requirements, or compliance constraints.
In cross-cloud, cross-network, and edge scenarios, a high-risk or
high-value agent task may need assurance that traffic has traversed
expected control points, such as authenticated gateways, audit
collection systems, data-loss prevention systems, content filtering
systems, security inspection systems, or compliance boundaries. In
current deployments, this assurance is often provided by overlay
gateways, service meshes, private interconnects, or application
policy systems, each with its own operational boundary.
The resulting path behavior may be difficult to express, verify, or
compare across domains. An application may know the intended task
class, while the network may only know where packets are going. A
network may know the selected route, while the application may not
know whether the route satisfied a task-specific policy expectation.
8.3. Incomplete Audit Chains
Agent invocation can generate records in many places, including
application logs, model platform logs, gateway logs, identity system
logs, service mesh logs, tool logs, API provider logs, and network
telemetry systems. These records often use different formats,
identifiers, retention policies, timestamps, and trust assumptions.
The audit chain is therefore frequently discontinuous. A task may
start in one domain, call a tool in another, trigger an agent in a
third domain, and access data through a gateway in a fourth domain.
Each participant may see only a local fragment of the interaction.
Cross-domain visibility is limited, and the correlation between
application-level events and network-level flow evidence is often
weak.
This problem becomes more serious for high-risk agent tasks. If a
network path cannot require traversal of an audit point, or if the
audit point cannot correlate a flow with the relevant agent session,
then later reconstruction may be incomplete. Determining the actual
path, responsible subject, delegated authority, policy applied, and
tool behavior may require manual correlation across independent
systems.
Yu Expires 4 December 2026 [Page 8]
Internet-Draft AI Agent IPv6 June 2026
8.4. Separation of Registration, Discovery, Addressing, and
Authorization
Agent ecosystems use multiple mechanisms for registration, discovery,
description, naming, identity, authorization, and capability
publication. DNS, DID systems, certificates, API gateways, service
registries, capability directories, agent cards, MCP metadata,
enterprise catalogs, and internal access-control systems may all
participate in the same interaction.
These mechanisms answer different questions. One mechanism may
describe what an agent can do. Another may identify who operates it.
Another may provide a network endpoint. Another may issue runtime
credentials. Another may decide whether a caller is allowed to
invoke a specific capability. Another may select a gateway or
reachable instance.
Because these questions are answered by separate systems, an agent
that has discovered "what can be done" still needs to determine
whether the target is trustworthy, where it should be reached, which
path or gateway should be used, and whether the invocation is
authorized for the current caller, task, data, and context. The lack
of consistent linkage among registration, discovery, addressing, and
authorization creates operational ambiguity.
8.5. Privacy and Privilege Risks from Highly Autonomous Agents
Highly autonomous agents may plan multiple steps, execute
continuously, invoke tools, access data, and adapt their behavior
without a human approving each individual network interaction. If
such an agent has broad privileges, it can create risks of privacy
leakage, unauthorized access, mistaken execution, excessive data
retrieval, unintended delegation, or uncontrolled behavior.
The network and platform environment may have difficulty
distinguishing a normal chain of delegated agent actions from an
excessive or unintended chain of actions. Traditional access-control
decisions may be made per API, per token, or per service, while the
overall agent task spans many calls and may accumulate risk over
time.
Yu Expires 4 December 2026 [Page 9]
Internet-Draft AI Agent IPv6 June 2026
At the same time, governance mechanisms that rely on full content
inspection, prompt capture, or complete logging of every interaction
can themselves increase privacy exposure. Recording all prompts,
tool inputs, tool outputs, user data, and intermediate reasoning may
create new sensitive data stores. The governance problem is
therefore not only how to detect misuse, but also how to avoid
expanding the privacy attack surface while attempting to govern agent
behavior.
9. Summary of the Agent6 Problem Space
The five problems above can be summarized as five missing or
insufficiently connected capabilities in current agent
interconnection.
* Agent identity is not sufficiently recognizable from the network
perspective.
* Agent communication paths are not sufficiently expressible or
verifiable according to task, data, security, latency, audit, or
compliance constraints.
* Agent invocation audit chains are not sufficiently continuous
across application, gateway, platform, tool, and network layers.
* Agent registration, discovery, addressing, and authorization are
not sufficiently associated across mechanisms and domains.
* Agent governance does not yet sufficiently balance autonomy,
privilege control, auditability, and privacy minimization.
In short, Agent6 is concerned with five problem areas: recognizable
identity, accountable paths, auditable invocation, associated
discovery and addressing, and governance that accounts for privacy.
This document intentionally stops at the problem description level.
It does not specify a protocol design or deployment architecture.
10. Security Considerations
The problems described in this document are security-relevant because
agent communication can involve delegated authority, cross-domain
access, tool invocation, and data retrieval. Weak linkage between
agent identity, network flows, authorization decisions, and audit
evidence can make impersonation, misuse, excessive privilege, and
post-incident reconstruction more difficult to manage.
Yu Expires 4 December 2026 [Page 10]
Internet-Draft AI Agent IPv6 June 2026
This document does not introduce a new protocol mechanism and
therefore does not introduce protocol-specific security requirements.
Any future mechanism in this problem space would need to consider
authentication, authorization, replay protection, downgrade risks,
gateway trust, cross-domain policy consistency, telemetry integrity,
and the risk that metadata itself can become sensitive.
11. Privacy Considerations
Agent communication can reveal sensitive information about users,
organizations, tasks, data sources, tools, models, policies, and
business relationships. Privacy risk may arise both from agent
actions and from the records created to govern those actions.
The problem space therefore includes a tension between observability
and minimization. More complete logs, traces, metadata, or
inspection may improve governance, but may also create additional
exposure. Any future work in this area would need to avoid assuming
that full content capture or universal visibility is an acceptable
default.
12. IANA Considerations
This document does not request any IANA action.
13. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
14. Informative References
[I-D.pioli-agent-discovery]
Pioli, L., "Agent Registration and Discovery Protocol",
<https://datatracker.ietf.org/doc/draft-pioli-agent-
discovery/>.
[Agent2Agent-Archive]
IETF, "IETF Agent2Agent Mailing List Archive",
<https://mailarchive.ietf.org/arch/browse/agent2agent/>.
Yu Expires 4 December 2026 [Page 11]
Internet-Draft AI Agent IPv6 June 2026
Author's Address
Haisheng Yu
China Internet Network Information Center
Email: yuhaisheng@cnnic.cn
Yu Expires 4 December 2026 [Page 12]