This article discusses Cloudflare's integration of modern post-quantum (PQ) encryption, specifically hybrid ML-KEM, into its Cloudflare One SASE platform. It highlights the architectural considerations and challenges of migrating network traffic to PQ cryptography, emphasizing key agreement and the need for crypto agility in large-scale network infrastructure like IPsec.
The transition to post-quantum cryptography (PQC) is a critical upcoming challenge for system architects. This article by Cloudflare details their approach to integrating PQC into their Secure Access Service Edge (SASE) and Wide Area Network (WAN) offerings. It focuses on addressing the 'Harvest Now, Decrypt Later' threat and the NIST 2030 deadline for deprecating classical public-key cryptography.
Achieving quantum safety in network traffic primarily involves two major cryptographic migrations: key agreement and digital signatures. The industry has largely converged on ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) for key agreement, often deployed as 'hybrid ML-KEM' alongside classical ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for immediate 'harvest-now, decrypt-later' protection without performance overhead or specialized hardware. The migration for digital signatures is considered less urgent but is an ongoing area of standardization, largely because post-quantum signatures are much larger than their classical counterparts.
Hybrid ML-KEM Benefits
Hybrid ML-KEM protects against 'harvest-now, decrypt-later' attacks, has minimal performance impact, and does not require specialized hardware like Quantum Key Distribution (QKD), making it suitable for broad internet use cases. Running it in parallel with classical ECDHE maintains existing security levels: the derived key stays secure as long as either component holds, so a weakness discovered in ML-KEM would not leave the connection worse off than it is today.
The integration of PQC into IPsec presented unique challenges compared to TLS. Historically, IPsec focused less on vendor interoperability. Early proposals like RFC 8784, which suggested Pre-Shared Keys (PSK) or Quantum Key Distribution (QKD), had significant limitations. PSK offered no forward secrecy against a quantum adversary: compromise of a long-lived key exposes every session it protected. QKD required specialized hardware or dedicated physical links, making it impractical for widespread WAN deployments. RFC 9370 added support for multiple (and therefore hybrid) key exchanges in IKEv2, but it mandated no specific algorithms, leaving room for 'ciphersuite bloat' and reduced interoperability.
Cloudflare's implementation aligns with the draft-ietf-ipsecme-ikev2-mlkem standard, which specifies hybrid ML-KEM for IPsec key exchange, mirroring the successful TLS approach. This involves a classical Diffie-Hellman key exchange followed by an ML-KEM exchange, with the two derived secrets mixed into the keys that protect the IPsec Encapsulating Security Payload (ESP) data plane. ESP itself needs no change, since it relies on symmetric cryptography and is therefore already quantum-safe; only the key agreement that feeds it had to be migrated.
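The two-round hybrid exchange and key mixing described above, as an added example written for this page in Go. It is neither Cloudflare's code nor a reference implementation of the IETF draft. It assumes the standard-library crypto/mlkem and crypto/ecdh packages (Go 1.24 or later), stands in for IKEv2's negotiated PRF with HMAC-SHA256, reduces prf+ to a single block, derives only SK_d, uses constructed nonces and SPIs, and skips IKE message encoding entirely; the chained SKEYSEED computation follows the pattern RFC 9370 uses for additional key exchanges.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"slices"
)

// prf stands in for IKEv2's negotiated PRF, here PRF_HMAC_SHA2_256.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// prfPlus is a one-block prf+ (RFC 7296 section 2.13): T1 = prf(K, S | 0x01).
// A real IKEv2 stack iterates until it has enough keying material for all SK_* keys.
func prfPlus(key, seed []byte) []byte {
	return prf(key, slices.Concat(seed, []byte{0x01}))
}

// deriveSKd mixes the classical and post-quantum secrets the way RFC 9370 chains an
// additional key exchange into the IKE SA keys (simplified to SK_d only):
//   SKEYSEED(0) = prf(Ni | Nr, g^ir)              g^ir = X25519 shared secret
//   SK_d(0)     = prf+(SKEYSEED(0), Ni | Nr | SPIi | SPIr)
//   SKEYSEED(1) = prf(SK_d(0), SK(1) | Ni | Nr)   SK(1) = ML-KEM shared secret
//   SK_d(1)     = prf+(SKEYSEED(1), Ni | Nr | SPIi | SPIr)
// SK_d(1) depends on both secrets, so recovering it requires breaking both primitives.
func deriveSKd(dhSecret, kemSecret, ni, nr, spii, spir []byte) []byte {
	ids := slices.Concat(ni, nr, spii, spir)
	skeyseed0 := prf(slices.Concat(ni, nr), dhSecret)
	skd0 := prfPlus(skeyseed0, ids)
	skeyseed1 := prf(skd0, slices.Concat(kemSecret, ni, nr))
	return prfPlus(skeyseed1, ids)
}

// HybridExchange runs both peers of an X25519 + ML-KEM-768 hybrid exchange and returns
// the initiator's and responder's SK_d. With tamperKEM set, the ML-KEM ciphertext is
// modified in transit; the peers must then end up with different keys (or an error).
func HybridExchange(tamperKEM bool) (skdI, skdR []byte, err error) {
	// Constructed nonces and SPIs; real peers draw these at random per IKE SA.
	ni := []byte("constructed-initiator-nonce-0001")
	nr := []byte("constructed-responder-nonce-0002")
	spii := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}
	spir := []byte{0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18}

	// Exchange 1 (IKE_SA_INIT): classical X25519. In IKEv2 the public keys travel
	// in KE payloads; here each side simply reads the other's public key.
	curve := ecdh.X25519()
	privI, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privR, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dhI, err := privI.ECDH(privR.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	dhR, err := privR.ECDH(privI.PublicKey())
	if err != nil {
		return nil, nil, err
	}

	// Exchange 2 (IKE_INTERMEDIATE): the initiator sends its ML-KEM-768 encapsulation
	// key; the responder encapsulates and returns the ciphertext.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	kemR, ct := dk.EncapsulationKey().Encapsulate()
	if tamperKEM {
		ct[0] ^= 0x01 // simulate corruption or tampering on the path
	}
	kemI, err := dk.Decapsulate(ct)
	if err != nil {
		return nil, nil, err
	}

	skdI = deriveSKd(dhI, kemI, ni, nr, spii, spir)
	skdR = deriveSKd(dhR, kemR, ni, nr, spii, spir)
	return skdI, skdR, nil
}

func main() {
	a, b, err := HybridExchange(false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("initiator SK_d: %s\nresponder SK_d: %s\nmatch: %v\n",
		hex.EncodeToString(a), hex.EncodeToString(b), bytes.Equal(a, b))
}
```

Run it with `go run`: the untampered exchange prints identical SK_d values on both sides, and calling `HybridExchange(true)` shows that corrupting the ML-KEM ciphertext leaves the peers with different keys. A production implementation must additionally follow the draft's transform identifiers and payload formats so that two vendors' stacks interoperate, which is exactly the point the article makes about RFC 9370's lack of mandated algorithms.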
This case highlights the importance of 'crypto agility' in system design: the ability to swap out cryptographic algorithms without major architectural overhauls. Cloudflare One's approach demonstrates integrating PQC at the network edge and WAN layers, affecting how enterprises secure site-to-site and remote access. Architects must consider the interplay between different cryptographic primitives (key agreement vs. digital signatures) and the trade-offs between security, performance, and interoperability when designing future-proof secure communication systems.