Mayckon Giovani

Post-Quantum IPsec Is Finally Becoming Boring — And That’s the Point

Cloudflare didn’t “innovate” here.

They removed entropy.

They took a space that was degenerating into combinatorial nonsense and forced it into a single, constrained construction: hybrid ML-KEM + Diffie-Hellman for IPsec. (InfoQ)

That sounds incremental.

It isn’t.

It’s the first time IPsec starts behaving like a protocol again instead of a negotiation playground.


This Was Never About Quantum

People keep framing this as a “quantum migration problem.”

It’s not.

It’s a temporal adversary problem.

Attackers don’t need to break your crypto today. They just need patience:

$$\text{capture}(c) \rightarrow \text{store}(c) \rightarrow \text{decrypt}_{\text{future}}(c)$$

That’s it.

If your confidentiality depends on when an attacker runs the computation, your system is already compromised. You’re just waiting for hardware to catch up.

Cloudflare’s move directly targets this class of failure by making hybrid key exchange default across WAN traffic. (InfoQ)

Not optional. Not opt-in.

Default.


Hybrid Is Not Clever. It’s Defensive

The construction is painfully straightforward:

$$K = \mathrm{KDF}(K_{DH} \parallel K_{ML\text{-}KEM})$$

Security reduces to:

$$\text{Confidentiality holds if } (DH \lor ML\text{-}KEM) \text{ remains unbroken}$$

There’s no magic here.

Just redundancy across two threat models:

  • classical adversary → Diffie-Hellman survives
  • quantum adversary → ML-KEM survives

This is not elegance.

This is admitting you don’t trust the future.
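To make the combiner concrete, here is an added example (mine, not Cloudflare's code and not the exact KDF of the IETF draft) that implements K = KDF(K_DH || K_ML-KEM) with an HKDF-SHA256 built from the standard library. The two shared secrets, the salt label and the transcript bytes are constructed placeholders, and the derivation is deliberately shaped like the post's formula rather than IKEv2's real SKEYSEED chaining. The second function models the capture-now-decrypt-later adversary from the section above: an attacker who later recovers one component (say K_DH via a quantum break, or a hypothetical ML-KEM break) still cannot reproduce K without the other.

```python
import hashlib
import hmac
import secrets

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(k_dh: bytes, k_kem: bytes, transcript: bytes, length: int = 32) -> bytes:
    """K = KDF(K_DH || K_ML-KEM).

    The salt label and the 'info' prefix are assumptions of this example; they
    domain-separate the hybrid key from any single-algorithm key derived from
    the same material, and binding the handshake transcript into 'info' ties K
    to the negotiated parameters rather than only to the raw secrets.
    """
    ikm = k_dh + k_kem  # fixed order, fixed lengths: no ambiguity in the concatenation
    prk = hkdf_extract(b"hybrid-kex-example-salt", ikm)
    return hkdf_expand(prk, b"hybrid-kex-example|" + transcript, length)


def key_recoverable_with_one_component(
    k_dh: bytes, k_kem: bytes, transcript: bytes, broken: str, guesses: int = 256
) -> bool:
    """Model a future adversary who captured the traffic and later broke ONE primitive.

    'broken' names the component the adversary now knows ('dh' or 'kem'); the other
    component is unknown, so the adversary can only try random values for it.  Returns
    True if any guess reproduces the real key.  With a sound KDF and a uniformly random
    unbroken component this is False for any practical number of guesses, which is the
    whole point of the (DH or ML-KEM) disjunction.
    """
    real = hybrid_key(k_dh, k_kem, transcript)
    for _ in range(guesses):
        guess = secrets.token_bytes(32)
        candidate = (
            hybrid_key(k_dh, guess, transcript) if broken == "dh"
            else hybrid_key(guess, k_kem, transcript)
        )
        if hmac.compare_digest(candidate, real):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secrets; in a real handshake these come from X25519/ECDH
    # and from ML-KEM decapsulation respectively.
    k_dh = secrets.token_bytes(32)
    k_kem = secrets.token_bytes(32)
    transcript = b"example-transcript:proposal=hybrid-ecdh-mlkem"
    print("K =", hybrid_key(k_dh, k_kem, transcript).hex())
    print("recoverable after DH break? ",
          key_recoverable_with_one_component(k_dh, k_kem, transcript, "dh"))
    print("recoverable after KEM break?",
          key_recoverable_with_one_component(k_dh, k_kem, transcript, "kem"))
```

The HKDF here is checked against RFC 5869 test case 1 so the combiner is not a toy hash; the `hybrid_key` labels and the guess-based adversary model are illustrative only. In a real IKEv2 deployment the order of concatenation, the lengths of both secrets and the transcript binding are fixed by the specification, which is exactly the "single constrained construction" the post is praising.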


The Industry Tried to Be “Flexible” and Broke Itself

Before this, IPsec PQC attempts went through three predictable failure modes:

  • Pre-shared keys
  • QKD fantasies
  • Multi-ciphersuite negotiation (RFC 9370 circus)

The last one is the funniest.

Up to seven algorithms negotiated simultaneously.

Because apparently the solution to uncertainty is adding more undefined states.

Cloudflare called it “ciphersuite bloat.” (InfoQ)

That’s diplomatic.

What it actually is:

$$|\mathcal{S}| = \prod_{i=1}^{n} A_i$$

A combinatorial explosion of security states you cannot reason about formally.

You don’t get stronger security.

You get a larger attack surface and a smaller understanding of it.


IPsec Is Finally Catching Up With TLS

TLS already converged on hybrid ML-KEM.

IPsec lagged behind because its design historically tolerated negotiation chaos.

Now, with draft-ietf-ipsecme-ikev2-mlkem, it aligns:

  • single hybrid construction
  • predictable handshake semantics
  • bounded state space

This matters more than the algorithm itself.

Because most real-world failures don’t come from broken primitives.

They come from systems nobody can model.


The Quiet Part: No Hardware, No Excuses

Cloudflare rolled this across:

  • IPsec
  • TLS
  • MASQUE
  • full SASE pipeline

Without requiring hardware upgrades. (The Cloudflare Blog)

Which quietly kills the favorite industry excuse:

“We’re waiting for infrastructure readiness.”

No, you’re not.

You’re avoiding rethinking your trust model.


Performance Was Never the Bottleneck

There’s a persistent myth that PQC is too heavy.

Reality:

$$\Delta_{\text{latency}} \approx 3\text{–}5\,\mathrm{ms}$$

That’s the observed overhead for ML-KEM IPsec tunnel setup in real deployments.

Not zero, but irrelevant compared to:

  • network jitter
  • routing instability
  • human decision latency

The real cost is not cycles.

It’s architecture.


What Actually Changed Here

Cloudflare didn’t “add PQC.”

They removed a flawed assumption:

that security is bounded by present-time computation

That assumption was always wrong.

Quantum just made it undeniable.


The Structural Shift

What we’re seeing is not a feature rollout.

It’s a collapse of an old model:

  • security tied to current compute → dead
  • negotiation-heavy protocol design → unstable
  • “crypto agility” without constraints → dangerous

The replacement model is simpler:

  • deterministic constructions
  • minimal negotiation surface
  • explicit composition of assumptions

Not because it’s elegant.

Because anything else fails under adversarial reasoning.


Final Thought

Security failures are rarely exploits.

They are valid executions of a system whose invariants were never properly defined.

Post-quantum IPsec is not about preparing for quantum computers.

It’s about admitting that time is part of the threat model.

And for once, instead of adding more primitives, the industry is doing something unusual:

It is simplifying the system.

That’s the real upgrade.
