Independent Submission L. Muscariello
Internet-Draft M. Papalini
Intended status: Informational M. Sardara
Expires: 7 February 2026 Cisco
6 August 2025
Secure Low-Latency Interactive Messaging (SLIM)
draft-agntcy-slim-latest
Abstract
This document specifies the Secure Low-Latency Interactive Real-Time
Messaging (SLIM), a protocol designed to support real-time
interactive AI applications at scale. SLIM leverages gRPC and adds
publish-subscribe capabilities to enable efficient many-to-many
communication patterns between AI agentic applications (AI models,
tools and data). The protocol provides mechanisms for connection
management, stream multiplexing, and flow control while maintaining
compatibility with existing gRPC deployments.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://spec.slim.agntcy.org. Status information for this document
may be found at https://datatracker.ietf.org/doc/draft-agntcy-slim/.
Discussion of this document takes place on the WG Working Group
mailing list (mailto:discussion@agntcy.org).
Source for this draft and an issue tracker can be found at
https://github.com/agntcy/slim.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 February 2026.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Conventions and Definitions
2. Introduction
2.1. Summary
3. Protocol Overview
3.1. Messaging Nodes
3.1.1. Connection Table
3.1.2. Control Plane
3.1.3. Session Layer
3.2. Naming Considerations
3.3. Deployment Considerations
4. Security Considerations
4.1. Authentication and Authorization
5. References
5.1. Normative References
5.2. Informative References
Authors' Addresses
1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Introduction
2.1. Summary
The Secure Low-Latency Interactive Messaging (SLIM) protocol
addresses the unique communication requirements of modern AI agentic
applications by providing a secure, scalable, and efficient messaging
infrastructure. SLIM combines the reliability and performance of
gRPC with publish-subscribe messaging capabilities, creating a
comprehensive solution for interactive AI application communication.
At its core, SLIM consists of three primary components: messaging
nodes that serve as intelligent message queues, message producers
that publish encrypted content, and message consumers that subscribe
to and receive messages. The protocol leverages Message Layer
Security (MLS) for end-to-end encryption, ensuring that messages
remain confidential even when passing through intermediate nodes or
experiencing TLS termination along the communication path.
The architecture is built around a distributed network of messaging
nodes, each maintaining connection and subscription tables to enable
efficient message routing. A centralized control plane orchestrates
the entire system, handling node discovery, configuration management,
security policies, and system monitoring. This separation of control
and data planes allows for scalable deployment while maintaining
centralized administrative control.
SLIM employs a hierarchical naming system based on Decentralized
Identifiers (DIDs) to ensure globally unique, secure, and routable
channel names. This naming scheme supports both decentralized and
federated authentication models, enabling flexible deployment across
different organizational boundaries while maintaining security and
interoperability.
The protocol includes a session layer that abstracts the complexity
of MLS operations and messaging infrastructure from applications,
providing simple publish-subscribe APIs while handling
authentication, encryption, connection management, and fault recovery
automatically. This design enables developers to focus on
application logic rather than the underlying messaging complexities.
Security is fundamental to SLIM's design, with authentication and
authorization handled through MLS groups, cryptographic client
identities, and configurable access policies. The protocol supports
deployment in various environments, from data center workloads and
mobile applications, while maintaining consistent security guarantees
and low-latency performance characteristics.
3. Protocol Overview
SLIM is designed to work as a messaging layer for applications
running as workloads in a data center, but also running in a browser
or mobile device while guaranteeing end-to-end security and low-
latency communication. SLIM leverages HTTP/2 end to end as a thin
waist of the communication stack and avoids the need to create
message transcoding along the path. By leveraging message encryption
via MLS [RFC9420] [RFC9750], TLS connection termination along the
path does not negatively affect confidentiality. Authentication and
authorization are handled at the application level and can be managed
in a decentralized or federated way or a mix of both.
In SLIM there are three main communication elements: intermediate
nodes equipped with message queues, message producers and message
consumers.
A producer (also called a "publisher") is an endpoint that
encapsulates content in SLIM messages for transport within the SLIM
message network of nodes. A producer MUST belong to an MLS group to
encrypt messages that can be decrypted by message consumers who are
members of the same group, as specified by the MLS protocol. Once a
SLIM message is encrypted, it can be published under a routable name,
which is human-readable and hierarchical. This routable channel name
is used by intermediate nodes to store and forward messages within
the same channel, allowing consumers to retrieve messages using this
name.
A routable name is a name prefix that is stored in a forwarding table
(FIB). This enables requests to reach the producer and fetch a
response, if one exists.
+-------------+ +---------------------+ +-------------+
| Producer 1 | | | | Consumer 1 |
+-------------+ | Messaging Node | +-------------+
| |<------->| Consumer 2 |
+-------------+ | | +-------------+
| Producer 2 |-------->| |<------->| Consumer 3 |
+-------------+ +---------------------+ +-------------+
| ^ ^ ^
| | | |
| | | |
| | | |
v | | |
+------------------------+ | | |
| MLS Authentication |<-------+---+---+
| Service |
+------------------------+
Legend:
- Producers publish to topics at the Messaging Node.
- Consumers subscribe to topics at the Messaging Node.
- MLS Authentication Service handles group authentication and key management.
- Encryption group coincides with the topic identifier.
Figure 1: Main components of the SLIM architecture.
Secure group members are clients as described in [RFC9750] which can
write messages as producers or read messages as consumers. Most of
the time, clients are able to read and write messages in the same
secure group. Clients join secure groups as described in the MLS
standard [RFC9750] via an authentication service and by exchanging
messages via the delivery service. In the SLIM architecture, the
SLIM nodes constitute the infrastructure that is responsible for
delivering messages in a secure group via a logical SLIM channel.
MLS commit messages are exchanged directly using the SLIM messaging
nodes.
3.1. Messaging Nodes
Messaging nodes are fundamental components of the SLIM architecture
that serve as specialized message queues. They fulfill several
critical functions in the messaging infrastructure. At their core,
nodes efficiently route messages between connected clients using
intelligent routing algorithms while handling the distribution and
delivery of messages across the network infrastructure.
Producer A Producer B Producer C
| | |
v v v
+----------+ +----------+ +----------+
| Node 1 |<---------->| Node 2 |<---------->| Node 3 |
+----------+ +----------+ +----------+
^ ^ ^
| | |
v v v
+----------+ +----------+ +----------+
| Node 4 |<---------->| Node 5 |<---------->| Node 6 |
+----------+ +----------+ +----------+
^ ^ ^
| | |
Consumer X Consumer Y Consumer Z
Legend:
- Each Node maintains connection and subscription tables
- Bidirectional arrows represent inter-node communication paths
- Producers and Consumers connect to their local nodes
- Messages are routed through the node network based on subscriptions
Figure 2: SLIM messaging node network topology.
The node architecture relies on two essential data structures that
work in concert. The connection table forms the foundation for
tracking all active client connections and their states, maintaining
crucial metadata about each connected client. Alongside it, the
subscription table manages topic subscriptions and implements message
filtering rules, determining which messages should be delivered to
which clients.
Through this dual-table architecture, messaging nodes can effectively
coordinate message delivery while maintaining optimal system
performance. The connection and subscription mechanisms work
together seamlessly to ensure reliable message routing, proper client
tracking, and efficient subscription management across the
distributed system. Each node operates autonomously while
participating in the broader network, creating a resilient and
scalable messaging infrastructure.
3.1.1. Connection Table
The connection table serves as a fundamental data structure within
the SLIM messaging node architecture, maintaining a comprehensive
registry of both client-to-node and node-to-node connections. Each
entry in the table contains essential metadata about connected
endpoints, including their unique identifiers, connection timestamps,
authentication status, and current state information.
For client connections, the table tracks end-user applications that
connect to receive or send messages through the system. For node
connections, it maintains the network fabric topology by recording
inter-node relationships and routing paths. This dual-purpose nature
enables SLIM to manage both the edge connectivity with clients and
the internal communication infrastructure between nodes.
Connection states are dynamically tracked and updated to reflect the
real-time status of each endpoint. This includes monitoring whether
clients or nodes are actively connected, temporarily disconnected, or
in various intermediate states. The table maintains crucial session
information such as endpoint capabilities, protocol versions, and
quality of service parameters that influence message handling.
By maintaining this detailed connection state, the table enables
efficient routing decisions across the entire network fabric. It
provides each messaging node with immediate access to both client and
node status information, allowing for rapid determination of message
delivery paths and handling of connection-related events. The
connection table also plays a vital role in system reliability by
tracking connection health and enabling quick detection of
disconnections or network issues at both the client and node levels.
A connection table maps location-independent channel names to
connections to remote nodes. The mapping is used to forward messages
towards nodes that can either route messages or consume them in case
consumers are directly connected to the node.
Channel names are encoded as human-readable hierarchical names for
efficient table lookup operations.
3.1.1.1. Subscription Table and Matching
The subscription table is used to map channel subscriptions to
neighboring nodes. It manages the distribution of messages based on
subscriptions and ensures efficient delivery of messages. A message
carries the data to be delivered as well as the channel name and the
address locator of the message producer.
The control plane manages the configuration and updates of the
connection and subscription tables.
+-------------------------------------------------------------+
| SLIM Message Structure |
+-------------------------------------------------------------+
| Channel Name | Address Locator | Data Payload |
+-------------------------------------------------------------+
| "/foo/bar" | 192.0.2.10:12345 | { ... application ... |
| | | data ... } |
+-------------------------------------------------------------+
Legend:
- Channel Name: Identifies the logical channel/topic for routing.
- Address Locator: Specifies the producer's network address.
- Data Payload: Contains the actual message content.
Figure 3: SLIM message structure carrying channel name, address
locator, and data.
3.1.2. Control Plane
The control plane is responsible for the management and orchestration
of SLIM messaging nodes and their interconnections. It handles the
configuration, provisioning, and monitoring of nodes, ensuring that
the messaging infrastructure operates smoothly and efficiently.
Key functions of the control plane include:
* *Node Discovery and Registration*: New messaging nodes discover
each other and register their presence with the control plane.
This enables the control plane to maintain an up-to-date view of
the messaging infrastructure.
* *Configuration Management*: The control plane distributes
configuration updates to messaging nodes, including connection and
subscription table updates. This ensures consistent and correct
routing behavior across the node network.
* *Monitoring and Analytics*: The control plane collects and
analyzes telemetry data from messaging nodes, providing insights
into system performance, message flow, and potential issues.
* *Security and Access Control*: The control plane manages security
policies, authentication, and authorization of nodes and clients,
ensuring a secure messaging environment.
By centralizing these management functions, the control plane
enhances the overall reliability, security, and performance of the
SLIM messaging infrastructure. It enables efficient scaling, dynamic
reconfiguration, and proactive maintenance of the node network.
3.1.3. Session Layer
The session layer serves as a critical abstraction component that
bridges application frameworks with the underlying SLIM messaging
infrastructure. It provides a unified interface that simplifies the
complexity of secure messaging while handling the details of MLS
client operations and message distribution.
3.1.3.1. Core Responsibilities
The session layer encapsulates several key functionalities:
*MLS Client Operations*: The layer implements comprehensive MLS
client functionality including authentication procedures, message
encryption and decryption, key management, and group membership
operations. It handles the complex cryptographic operations
transparently from the application perspective.
*Channel Management*: It provides seamless channel subscription and
unsubscription capabilities, managing the lifecycle of channel
memberships and maintaining subscription state across connection
interruptions or node failures.
*Message Abstraction*: The session layer abstracts message passing
between applications and the SLIM message distribution network,
handling message formatting, routing, and delivery confirmation while
providing simple send and receive primitives to applications.
*Configuration Abstraction*: It eliminates the need for applications
to manage complex configuration details required to connect to SLIM
nodes, automatically handling node discovery, connection
establishment, and subscription management.
3.1.3.2. API Design Principles
The session layer API is designed with the following principles:
* Simplicity: Applications interact with the messaging system
through intuitive publish/subscribe operations without needing to
understand the underlying MLS or routing complexities.
* Asynchronous Operations: All messaging operations are designed to
be non-blocking, supporting high-performance applications.
* Framework Agnostic: The API provides language bindings and
framework adapters for various application development
environments, ensuring broad compatibility across different
technology stacks.
* Error Handling: Comprehensive error reporting and recovery
mechanisms help applications handle communication issues and
authentication failures.
3.1.3.3. Session Management
The session layer maintains persistent session state at the client
across network disconnections and node failures. It implements
automatic reconnection logic, subscription recovery, and message
queuing to ensure reliable message delivery even in unstable network
conditions. Session persistence includes maintaining MLS group
membership state, channel subscriptions, and pending message queues.
3.2. Naming Considerations
SLIM requires several types of identifiers: node names, channel
names, and client locators.
Node names are used for secure onboarding and authentication. Node
names do not have aggregation requirements and therefore use
decentralized identifiers:
node name A: did:key(node_A)
A channel name identifies a messaging group and must be routable;
that is, it must include a globally unique network prefix that can be
aggregated for scalable lookups and message forwarding.
A group in SLIM is an MLS group with a moderator client responsible
for adding and removing group members. The moderator is identified
by a cryptographic public key as defined in MLS [RFC9750], and in
SLIM, also by a decentralized identifier derived as the hash of the
public key [DID-W3C].
By naming entities with hashes [RFC6920], SLIM achieves secure and
globally unique naming, enabling the creation of permissionless
systems where channel names and client names can be distributed
across administrative boundaries. W3C DIDs are optional but can be
used when hash links are employed and conform to the Named
Information [RFC6920] standard, referencing the IANA registry
[NI-Registry].
SLIM routable name prefixes and client names can use different DID
methods which have different resolution systems such as did:web
[DID-Web], did:key [DID-Key] or did:plc [DID-ATProto]. See
[DID-Methods] for well-known DID methods.
The naming structure follows these patterns:
client locator: did:key(org)/namespace(org)/service/did:key(client)
channel name: did:key(org)/namespace(org)/service/did:key(moderator)
Where the moderator is the special client that has the role to create
a channel, add actual application clients and remove them from the
group. As mentioned above the moderator is a data plane client which
is a decentralized instance of the MLS delivery service as described
in [RFC9420].
The hierarchical structure is required to maximize aggregation in
subscription tables, which can aggregate multiple names under name
prefixes such as organization identifiers, organization namespaces,
and services.
3.3. Deployment Considerations
SLIM helps the deployment of agentic AI applications where a
combination of data streams, tools and LLMs are combined to create a
distributed multi-agent systems that can solve problems via AI.
These applications work as SLIM clients and MAY expose a service to
the secure group. The channel and client naming structure combined
allows for service discovery capabilities by binding the application
a specific application namespace and service name.
4. Security Considerations
Security is a paramount concern for SLIM, given the sensitive nature
of the data being transmitted and the need for reliable access
control. SLIM inherits security features from MLS, gRPC, and TLS,
but also introduces new mechanisms to address its unique
requirements.
4.1. Authentication and Authorization
Authentication and authorization in SLIM are handled at the
application level, leveraging the capabilities of the underlying MLS
groups. Clients must authenticate themselves to the MLS
Authentication Service, which issues credentials that are used to
sign messages. These credentials are then used by other clients to
verify the authenticity of the messages and the identity of the
sender.
Authorization policies determine what actions an authenticated client
is allowed to perform, such as publishing or subscribing to specific
channels.
5. References
5.1. Normative References
[DID-Methods]
Group, W. C. C., "Known DID Methods in the Decentralized
Identifier Ecosystem", 29 April 2025,
.
[DID-W3C] Group, W. C. C., "Decentralized Identifiers (DIDs) v1.0",
19 July 2022, .
[NI-Registry]
IANA, "Named Information Hash Algorithm Registry", 1
August 2013, .
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC6920] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B.,
Keranen, A., and P. Hallam-Baker, "Naming Things with
Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC9420] Barnes, R., Beurdouche, B., Robert, R., Millican, J.,
Omara, E., and K. Cohn-Gordon, "The Messaging Layer
Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420,
July 2023, .
[RFC9750] Beurdouche, B., Rescorla, E., Omara, E., Inguva, S., and
A. Duric, "The Messaging Layer Security (MLS)
Architecture", RFC 9750, DOI 10.17487/RFC9750, April 2025,
.
5.2. Informative References
[CID-Spec] Community, M., "CID (Content IDentifier) Specification",
n.d., .
[DID-ATProto]
Community, B. P., "Decentralized Identifiers (DIDs) in the
AT Protocol", n.d.,
.
[DID-Key] Group, W. C. C., "The did:key Method v0.7: A DID Method
for Static Cryptographic Keys", 26 March 2025,
.
[DID-Web] Group, W. C. C., "The did:web Method Specification", n.d.,
.
Authors' Addresses
Luca Muscariello
Cisco
Email: lumuscar@cisco.com
Michele Papalini
Cisco
Email: micpapal@cisco.com
Mauro Sardara
Cisco
Email: msardara@cisco.com