Sondizi

Cloudflare IPsec Gets Post-Quantum Boost: Q&A on the New Standard

Cloudflare's IPsec now supports post-quantum encryption with hybrid ML-KEM, protecting against harvest-now-decrypt-later attacks and interoperating with Cisco/Fortinet hardware.

Sondizi · 2026-05-03 00:13:18 · Finance & Crypto

Cloudflare has announced general availability of post-quantum encryption for its IPsec service, a key step in protecting wide-area networks (WANs) against emerging quantum threats. This Q&A covers how the new hybrid ML-KEM standard works, why it took longer to deploy than TLS-based solutions, and what it means for organizations using hardware from Cisco and Fortinet. Learn how Cloudflare IPsec operates, then dive into the specifics of post-quantum protection.

What is Cloudflare IPsec and how does it work?

Cloudflare IPsec is a WAN Network-as-a-Service that replaces traditional networking architectures by connecting data centers, branch offices, and cloud VPCs to Cloudflare’s global IP Anycast network. It uses encrypted IPsec tunnels to route traffic securely, providing simplified configuration, high availability (traffic is automatically rerouted to the nearest healthy data center), and access to Cloudflare’s global network scale. This service supports site-to-site WAN connectivity, outbound internet connections, and integration with the Cloudflare One SASE platform. By leveraging IPsec, organizations can replace legacy MPLS or VPN solutions with a cloud-managed alternative that offers consistent performance and security.

Source: blog.cloudflare.com

Why is post-quantum encryption needed for IPsec?

Post-quantum encryption is critical for IPsec to defend against harvest-now-decrypt-later attacks. In such attacks, adversaries collect encrypted traffic today and store it until powerful quantum computers arrive (Q-Day) and can break the classical public-key cryptography used in current protocols. As quantum computing advances faster than expected, Cloudflare moved its target for full post-quantum security to 2029. Without post-quantum protection, sensitive data transmitted over IPsec tunnels, such as financial records, intellectual property, or government communications, could be decrypted years later. The new hybrid ML-KEM standard ensures that even after quantum computers become viable, the encrypted data remains secure.

What is hybrid ML-KEM and how does it protect against quantum threats?

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, FIPS 203) is a lattice-based post-quantum key-encapsulation algorithm. Hybrid ML-KEM combines it with the proven security of classical Diffie-Hellman key exchange. ML-KEM is designed to run in software on standard processors, with no specialized hardware required, making it practical for Internet-scale deployment. During the IPsec handshake, the hybrid approach performs two key exchanges, one classical and one post-quantum. If a quantum computer later breaks the classical key, the post-quantum key remains secure, ensuring confidentiality. This method protects against harvest-now-decrypt-later attacks without disrupting existing hardware or requiring dedicated links.
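
An added example, not code from Cloudflare or from the original article: a simplified Python model of how an IKEv2 key schedule mixes a classical and a post-quantum shared secret, following the key-derivation formulas of RFC 7296 and RFC 9370 (multiple key exchanges in IKEv2). Random bytes stand in for the Diffie-Hellman and ML-KEM outputs, HMAC-SHA-256 is assumed as the negotiated prf, and the function names are chosen for illustration.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, assumed here to be HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def classical_sk_d(ni, nr, spi_i, spi_r, dh_secret):
    """IKE_SA_INIT: SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first prf+ block."""
    skeyseed = prf(ni + nr, dh_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def hybrid_sk_d(sk_d_prev, ni, nr, spi_i, spi_r, kem_secret):
    """Additional key exchange: SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr)."""
    skeyseed = prf(sk_d_prev, kem_secret + ni + nr)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def demo():
    # Constructed values: random bytes stand in for nonces, SPIs and both secrets.
    ni, nr = os.urandom(32), os.urandom(32)
    spi_i, spi_r = os.urandom(8), os.urandom(8)
    dh_secret = os.urandom(32)    # stand-in for the classical Diffie-Hellman result
    kem_secret = os.urandom(32)   # stand-in for the ML-KEM shared secret

    sk_d0 = classical_sk_d(ni, nr, spi_i, spi_r, dh_secret)
    sk_d1 = hybrid_sk_d(sk_d0, ni, nr, spi_i, spi_r, kem_secret)

    # Harvest-now-decrypt-later model: the recorded handshake exposes nonces and
    # SPIs, and the classical secret is later recovered; the ML-KEM secret is not.
    guess_d0 = classical_sk_d(ni, nr, spi_i, spi_r, dh_secret)
    guess_d1 = hybrid_sk_d(guess_d0, ni, nr, spi_i, spi_r, os.urandom(32))
    return {"classical_only_recovered": guess_d0 == sk_d0,
            "hybrid_recovered": guess_d1 == sk_d1}


if __name__ == "__main__":
    print(demo())
```

A classical-only tunnel's key-derivation key is fully reproduced from the recovered Diffie-Hellman secret, while the hybrid key also requires the ML-KEM secret.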

Why did post-quantum encryption take longer to implement in IPsec compared to TLS?

Implementing post-quantum encryption in IPsec took roughly four years longer than in TLS for several reasons. The IPsec community had to balance Internet-scale interoperability with niche hardware requirements, a challenge less pronounced in the TLS ecosystem, which already had standardized post-quantum integrations. IPsec operates at the network layer and involves diverse hardware from multiple vendors, requiring consensus on a new IETF draft (draft-ietf-ipsecme-ikev2-mlkem). Additionally, the hybrid approach, which combines classical and post-quantum methods, had to be thoroughly tested across different device types to ensure backward compatibility. Cloudflare’s successful tests with Fortinet and Cisco connectors mark a breakthrough, proving that the standard works at scale without breaking existing deployments.

How does Cloudflare's post-quantum IPsec interoperate with existing hardware (Fortinet, Cisco)?

Cloudflare has tested and validated interoperability of its post-quantum IPsec with branch connectors from Fortinet and Cisco using the new IETF draft for hybrid ML-KEM. This means organizations can deploy post-quantum protection on their current hardware without purchasing new equipment. The hybrid handshake is designed to negotiate a shared secret that includes both classical and post-quantum components, allowing legacy devices that support the draft to participate seamlessly. For environments where older hardware doesn’t support ML-KEM, the protocol can fall back to classical encryption, ensuring continuity. This backward compatibility is crucial for gradual migration, letting enterprises adopt post-quantum security incrementally while maintaining connectivity.

What does Cloudflare's 2029 target mean for customers?

Cloudflare accelerated its target for full post-quantum security to 2029, reflecting the rapid pace of quantum computing advancements. For customers, this means they should start planning post-quantum migration now, especially for long-lived data such as encrypted archives. The general availability of post-quantum IPsec allows early adopters to protect their WAN traffic against harvest-now-decrypt-later attacks immediately. By integrating with existing hardware from Cisco and Fortinet, Cloudflare lowers the barrier to entry. Customers who use Cloudflare IPsec can enable the new hybrid ML-KEM feature through configuration changes, without requiring network redesigns. This proactive step ensures that sensitive data remains secure both today and in the post-quantum future.

How does a harvest-now-decrypt-later attack work and why is it a concern?

A harvest-now-decrypt-later attack involves an adversary intercepting and storing encrypted network traffic over time—without attempting to decrypt it immediately. Once sufficiently powerful quantum computers become available (often called Q-Day), the attacker uses them to break the classical public-key cryptography (e.g., RSA or ECDH) that protected the stored data. This risk is especially concerning for sectors like finance, healthcare, and government, where sensitive information may remain valuable for decades. Cloudflare’s implementation of hybrid ML-KEM prevents this by adding a post-quantum key exchange that is resistant to quantum attacks, ensuring that even if the classical part is broken, the overall encryption remains intact. As Q-Day approaches sooner than anticipated, organizations must act now.
