Cloudflare GA Post-Quantum IPsec: Hybrid ML-KEM Standard Defeats QKD, Proprietary Suites
Summary
Key Takeaways
Cloudflare has made post-quantum encryption generally available for its Cloudflare IPsec WAN service. The core implementation uses the IETF draft draft-ietf-ipsecme-ikev2-mlkem, deploying a hybrid ML-KEM (FIPS 203) scheme: a classical Diffie-Hellman exchange runs first, its derived key encrypts a second ML-KEM exchange, and both outputs are mixed into session keys.
Interoperability has been confirmed with Cisco 8000 Series Secure Routers (version 26.1.1+) and Fortinet FortiOS 7.6.6+ as branch connectors. Cloudflare explicitly notes that IPsec PQC standardization lagged TLS by four years, partly due to QKD (RFC 8784). QKD requires dedicated hardware and physical links, cannot scale to the Internet, and provides no authentication.
Cloudflare also highlights a lack of interoperability with Palo Alto Networks’ early RFC 9370 implementation, which defined non-NIST-standardized ciphersuites. Cloudflare expects to add Palo Alto once the industry consolidates around draft-ietf-ipsecme-ikev2-mlkem.
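The hybrid exchange summarized in the Key Takeaways, sketched as an added example (not Cloudflare's code and not code from the draft). It assumes the mixing step is the IKEv2 key-update rule for additional key exchanges from RFC 9370, SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr), with HMAC-SHA-256 as the PRF and 32-byte keys; random bytes stand in for the Diffie-Hellman and ML-KEM shared secrets, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 used as the IKEv2 PRF (assumed negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def split_keys(skeyseed, ni, nr, spi_i, spi_r):
    """Expand SKEYSEED into the seven IKE SA keys (32 bytes each, a simplification)."""
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(KEY_NAMES))
    return {n: stream[i * 32:(i + 1) * 32] for i, n in enumerate(KEY_NAMES)}

def initial_keys(dh_secret, ni, nr, spi_i, spi_r):
    """IKE_SA_INIT: SKEYSEED = prf(Ni | Nr, g^ir). These keys encrypt the next exchange."""
    return split_keys(prf(ni + nr, dh_secret), ni, nr, spi_i, spi_r)

def mix_additional_secret(prev_keys, kem_secret, ni, nr, spi_i, spi_r):
    """After the ML-KEM exchange: SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr)."""
    skeyseed = prf(prev_keys["SK_d"], kem_secret + ni + nr)
    return split_keys(skeyseed, ni, nr, spi_i, spi_r)

def demo():
    # Constructed sample values: random bytes stand in for real protocol outputs.
    ni, nr = os.urandom(32), os.urandom(32)
    spi_i, spi_r = os.urandom(8), os.urandom(8)
    dh_secret = os.urandom(32)   # stand-in for the classical DH shared secret
    kem_secret = os.urandom(32)  # stand-in for the ML-KEM shared secret
    stage1 = initial_keys(dh_secret, ni, nr, spi_i, spi_r)
    final = mix_additional_secret(stage1, kem_secret, ni, nr, spi_i, spi_r)
    # Knowing only the DH secret rebuilds stage1, but without the ML-KEM
    # secret the derivation lands on different final keys.
    guess = mix_additional_secret(stage1, os.urandom(32), ni, nr, spi_i, spi_r)
    return stage1, final, guess

if __name__ == "__main__":
    s1, fin, guess = demo()
    print("final keys depend on both secrets:", fin != s1 and fin != guess)
```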
Why It Matters
Encirclement of Palo Alto Networks' ciphersuite wall: Cloudflare's push for draft-ietf-ipsecme-ikev2-mlkem directly attacks Palo Alto's proprietary RFC 9370 ciphersuites. Palo Alto's early implementation defined non-NIST-standardized suites, creating a de facto ecosystem lock. Cloudflare's interoperability tests explicitly exclude Palo Alto, forcing it to either abandon its custom suites or be marginalized.
Covert lock on WAN control plane: Cloudflare subsumes the post-quantum key exchange (IKEv2 phase) into its global Anycast network. Once adopted, all site-to-site encryption policy is governed by Cloudflare's control plane. Branch connectors from Cisco and Fortinet become pure data-plane executors, losing key negotiation autonomy and creating deep dependency on Cloudflare's network.
QKD route's cost and scalability trap exposed: Cloudflare explicitly rejects QKD (RFC 8784), highlighting its need for dedicated hardware and physical links, making it unscalable for the Internet. This directly undermines QKD-dependent vendors (e.g., ID Quantique) and exposes their high deployment costs and limited scalability. Enterprises investing in QKD face stranded assets incompatible with mainstream PQC standards.
PRO Decision
[Vendors (Competitors - Palo Alto Networks, Arista Networks, Juniper Networks)]: Immediately adopt draft-ietf-ipsecme-ikev2-mlkem in your IKEv2 implementations and publicly announce interoperability tests with Cloudflare IPsec. Palo Alto must abandon its RFC 9370-based proprietary ciphersuites or risk marginalization. Arista and Juniper should emphasize their branch connectors' encryption policy autonomy, attacking Cloudflare's control plane lock-in risk.
[Enterprises (CIO/Architects)]: When evaluating Cloudflare IPsec, mandate independent third-party audits to verify that IKEv2 key negotiation executes locally and is not hijacked by Cloudflare's control plane. Require full implementation details of draft-ietf-ipsecme-ikev2-mlkem and test interoperability with Cisco and Fortinet. Divest from any QKD investments to avoid stranded assets.
[Investors]: Short ID Quantique and other QKD-dependent hardware encryption vendors, as Cloudflare's software PQC approach is already supported by Cisco and Fortinet, requiring no dedicated hardware. Monitor Palo Alto Networks' WAN security business risk; its proprietary ciphersuite strategy may lose branch connector market share in the standardization wave.