Post-quantum encryption for Cloudflare IPsec is generally available (6 minute read)
Cloudflare launched post-quantum IPsec encryption to protect enterprise networks against future quantum computers that could decrypt today's harvested traffic.
What: Cloudflare made post-quantum encryption generally available for its IPsec service using the new IETF hybrid ML-KEM standard, with confirmed interoperability with Cisco and Fortinet hardware that organizations already own.
Why it matters: While over two-thirds of TLS traffic to Cloudflare already uses post-quantum crypto, IPsec lagged four years behind because the community pursued Quantum Key Distribution (QKD), which requires specialized hardware and doesn't scale to internet use. Cloudflare moved its full post-quantum target to 2029 due to faster-than-expected quantum computing advances, making the shift to interoperable software-based standards more urgent to prevent harvest-now-decrypt-later attacks.
Takeaway: Check if your network hardware supports the draft-ietf-ipsecme-ikev2-mlkem standard (Cisco 8000 Series v26.1.1+, Fortinet FortiOS 7.6.6+) to enable post-quantum protection for site-to-site connections.
Deep dive
- Cloudflare's post-quantum IPsec uses hybrid ML-KEM, which runs classical Diffie-Hellman first, then uses the keys derived from it to encrypt a second, ML-KEM exchange, mixing both outputs into the session keys that protect actual data traffic via the ESP protocol
- The implementation achieves interoperability with Cisco 8000 Series routers (v26.1.1+) and Fortinet FortiOS (7.6.6+), marking a significant win for the new IETF draft standard after years of fragmentation
- IPsec post-quantum adoption lagged four years behind TLS partly due to RFC 8784's focus on Quantum Key Distribution, which the U.S. NSA, Germany's BSI, and the UK's NCSC have all warned against relying on exclusively
- QKD requires specialized hardware and dedicated physical links between parties, making it fundamentally incompatible with internet-scale operation, and it still requires post-quantum cryptography for authentication anyway
- RFC 9370 (2023) allowed up to seven parallel key exchanges but didn't specify which ciphersuites to use, leading vendors like Palo Alto to ship incompatible implementations before the ML-KEM draft was available
- The new draft-ietf-ipsecme-ikev2-mlkem standard fills RFC 9370's gaps by specifying exactly how to implement hybrid ML-KEM alongside classical Diffie-Hellman, avoiding the "ciphersuite bloat" problem NIST warned against
- Cloudflare accelerated its full post-quantum security deadline to 2029 in response to recent quantum computing advances, creating urgency around completing the cryptographic migration
- ML-KEM is intentionally designed for software implementation on standard processors rather than requiring special hardware, making it deployable across existing infrastructure
- The IPsec community still needs standards for post-quantum authentication (not just encryption) to protect against quantum adversaries attacking live systems after Q-Day
- Cloudflare turned on hybrid post-quantum TLS in 2022 before NIST even finalized ML-KEM standardization because the TLS community converged quickly on a single interoperable approach and pushed it to production
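The first Deep dive bullet describes the mixing step: the Diffie-Hellman keys protect the IKE_INTERMEDIATE message that carries the ML-KEM exchange, and the ML-KEM shared secret is then folded into the next key derivation. The following added example (not Cloudflare's, Cisco's or Fortinet's code) implements that derivation chain as specified in RFC 7296 and RFC 9370 with HMAC-SHA256 as the PRF; the nonces, SPIs and both shared secrets are constructed stand-ins, and no real Diffie-Hellman or ML-KEM is performed.

```python
import hmac
import hashlib

# Negotiated PRF: PRF_HMAC_SHA2_256 (32-byte output, 32-byte preferred key size).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

# Key sizes for ENCR_AES_GCM_16 with a 256-bit key: SK_a* are empty for an AEAD,
# SK_e* are key plus 4-byte salt (RFC 5282), SK_d and SK_p* take the PRF key size.
KEY_LENS = {"SK_d": 32, "SK_ai": 0, "SK_ar": 0, "SK_ei": 36, "SK_er": 36, "SK_pi": 32, "SK_pr": 32}

def split_keys(material: bytes) -> dict:
    keys, off = {}, 0
    for name, size in KEY_LENS.items():
        keys[name] = material[off:off + size]
        off += size
    return keys

def derive_ike_keys(shared_secrets: list, ni: bytes, nr: bytes, spii: bytes, spir: bytes) -> dict:
    """shared_secrets[0] is g^ir from IKE_SA_INIT; each later entry is SK(n) from an
    additional key exchange carried in IKE_INTERMEDIATE (RFC 9370 section 2.2.2)."""
    seed = ni + nr + spii + spir
    total = sum(KEY_LENS.values())
    skeyseed = prf(ni + nr, shared_secrets[0])          # SKEYSEED = prf(Ni | Nr, g^ir)
    keys = split_keys(prf_plus(skeyseed, seed, total))
    for sk_n in shared_secrets[1:]:
        # SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr): keys(n-1) protected the message carrying SK(n)
        skeyseed = prf(keys["SK_d"], sk_n + ni + nr)
        keys = split_keys(prf_plus(skeyseed, seed, total))
    return keys

# Constructed stand-ins: no real Diffie-Hellman or ML-KEM runs here (ML-KEM shared secrets are 32 bytes).
NI, NR = bytes([0x11]) * 32, bytes([0x22]) * 32
SPII, SPIR = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
DH_SECRET = hashlib.sha256(b"constructed g^ir").digest()
MLKEM_SECRET = hashlib.sha256(b"constructed ML-KEM shared secret").digest()

def classical_and_hybrid() -> tuple:
    # Keys after IKE_SA_INIT alone versus after the ML-KEM IKE_INTERMEDIATE exchange.
    classical = derive_ike_keys([DH_SECRET], NI, NR, SPII, SPIR)
    hybrid = derive_ike_keys([DH_SECRET, MLKEM_SECRET], NI, NR, SPII, SPIR)
    return classical, hybrid
```

The classical key set is what a peer holds while the ML-KEM exchange is still in flight; every key in the hybrid set depends on both shared secrets, so an attacker who later breaks only the Diffie-Hellman secret cannot recover the ESP traffic keys derived from SK_d.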
Decoder
- ML-KEM: Module-Lattice-Based Key-Encapsulation Mechanism, a post-quantum cryptography algorithm based on mathematical problems quantum computers can't efficiently solve
- IPsec: Internet Protocol Security, a protocol suite for encrypting and authenticating IP packets, commonly used for VPNs and site-to-site WAN connections
- Hybrid approach: Combining classical cryptography (like Diffie-Hellman) with post-quantum algorithms so security holds as long as at least one of the two remains unbroken
- Harvest-now-decrypt-later: Attacks where adversaries collect encrypted data today to decrypt it later when quantum computers become powerful enough to break current encryption
- Q-Day: The future point when quantum computers become powerful enough to break today's public key cryptography
- QKD (Quantum Key Distribution): A method using quantum physics to distribute encryption keys, requiring specialized hardware and dedicated physical connections
- FIPS 203: Federal Information Processing Standard 203, the official U.S. government designation for the ML-KEM algorithm
- ESP (Encapsulating Security Payload): The IPsec protocol that actually encrypts and authenticates the data being transmitted
Original article
Cloudflare made post-quantum encryption in its IPsec service generally available, successfully testing interoperability with branch connectors from Fortinet and Cisco using the new IETF hybrid ML-KEM (FIPS 203) draft standard. The rollout comes as Cloudflare moved its full post-quantum security target to 2029 amid recent quantum computing advances, though IPsec adoption lagged four years behind TLS due to the community's focus on Quantum Key Distribution, which requires specialized hardware and doesn't work at internet scale.