Post-quantum encryption for Cloudflare IPsec is generally available

Cloudflare is advancing its efforts to secure site-to-site networking with post-quantum cryptography, aiming for full implementation by 2029, spurred by recent advances in quantum computing. The company has made post-quantum encryption in its IPsec product generally available, utilizing the hybrid ML-KEM (FIPS 203) standard, which combines classical Diffie-Hellman with post-quantum security to protect against harvest-now-decrypt-later attacks. This move marks a significant step as Cloudflare successfully tested interoperability with major vendors like Fortinet and Cisco, offering compatibility with existing hardware. The process has taken longer than the implementation in TLS due to the IPsec community's previous focus on Quantum Key Distribution (QKD), which requires specialized hardware and is not suitable for Internet scale. Draft-ietf-ipsecme-ikev2-mlkem now specifies the use of ML-KEM for IPsec, addressing gaps in earlier standards and promoting interoperability. Cloudflare continues to drive the industry towards a secure, post-quantum Internet by focusing on widely compatible standards that do not require specialized hardware, ensuring that the Internet remains open and interoperable.