
Real-world implementation of Quantum-safe IPsec

Bruno Rijsman
March 19

Internet Protocol Security, or IPsec, is a collection of security protocols that enable the secure exchange of messages over an untrusted network, for example, the public Internet. It operates at the IP layer in the network stack. IPsec provides multiple security services including confidentiality, authentication, integrity protection, replay protection, compression, Network Address Translation (NAT) traversal, and Traffic Flow Confidentiality (TFC). However, the foundational cryptographic mechanisms that implement these security services face threats from quantum algorithms like Shor’s algorithm and Grover’s algorithm. These quantum algorithms are not only a future threat; they are a threat today due to Harvest Now, Decrypt Later (HNDL) attacks, in which adversaries collect encrypted data and store it until it can be decrypted using these quantum algorithms.

Here we’ll explore which parts of IPsec are vulnerable, the degrees of urgency for transitioning to quantum-safe IPsec, and the best methods for implementing quantum-safe IPsec.

What parts of IPsec are quantum-vulnerable, and how urgent is fixing them?

There are three aspects of IPsec that are vulnerable to quantum attacks: key agreement, certificate-based authentication, and symmetric encryption.


  1. Key agreement (e.g., Diffie-Hellman, Elliptic Curve Diffie-Hellman) is the most urgent concern. Cryptographically Relevant Quantum Computers (CRQCs) can break existing key agreement protocols using Shor’s algorithm. Furthermore, these attacks can be performed on recorded traffic, opening the door to Harvest Now, Decrypt Later (HNDL) attacks. Quantum-resistant alternatives are already standardized and widely implemented by vendors. Organizations should prioritize this transition immediately.
  2. Certificate-based authentication (e.g., RSA, elliptic curve DSA, Edwards Curve DSA) is also vulnerable to Shor’s algorithm, but the risk is less urgent since it requires a real-time man-in-the-middle attack rather than HNDL attacks. Transitioning to quantum-resistant authentication is complex, as public key infrastructure (PKI) standards and products are still evolving to address this vulnerability.
  3. Symmetric encryption (e.g., AES, Triple DES) faces a lesser threat because Grover’s algorithm provides a quadratic speedup rather than an exponential one. The risk can be mitigated by increasing key sizes, and AES-256 is expected to remain sufficient.

Beyond technical considerations, regulatory requirements are emerging that mandate quantum-resistant security.

The United States government has in the past issued both a memorandum and an executive order requiring government agencies to implement PQC as soon as possible, and to include PQC in procurement requirements under certain circumstances.

NIST has published a draft report, nearing finalization, that deprecates some quantum-vulnerable algorithms in 2030 and disallows all quantum-vulnerable algorithms in 2035, including all of the asymmetric algorithms that have been discussed here: Diffie-Hellman, RSA, Elliptic Curve Diffie-Hellman, Elliptic Curve DSA, and Edwards Curve DSA. The symmetric encryption protocols, with their current key lengths, continue to be allowed.

Other governments in other countries have published similar requirements. 

Organizations should begin planning and implementing these upgrades now to stay ahead of both cybersecurity threats and compliance mandates. 

Methods for Implementing Quantum-Safe IPsec

There are two main approaches to making IPsec quantum-resistant:

  • Post-Quantum Cryptography (PQC): Replaces quantum-vulnerable algorithms like Diffie-Hellman and RSA with quantum-resistant alternatives such as ML-KEM and ML-DSA.
    • These algorithms rely on mathematical problems that quantum computers presumably cannot efficiently solve.
  • Quantum Key Distribution (QKD): Uses quantum physics-based protocols instead of traditional math-based cryptography to secure key exchanges.
    • Prepare-and-measure QKD relies on protocols like BB84.
    • Entanglement-based QKD relies on protocols such as BBM92 and MDI. Entanglement-based QKD offers greater security, scalability, and flexibility for future quantum networking applications.
    • Any QKD method can be used with IPsec via a standard key delivery interface such as ETSI QKD 014 or SKIP.

It is possible (and common) to use multiple security mechanisms simultaneously in combination with each other: traditional mechanisms (DH, ECDH, RSA, etc.), PQC, and QKD. This is called hybrid quantum resistance and provides several advantages:

  • It provides defense-in-depth, requiring an attacker to break multiple algorithms in order to access the data. 
  • Many security standards and regulations have not yet been updated for the post-quantum world, and they still require the use of quantum-vulnerable algorithms such as Diffie-Hellman and RSA. By including them in the hybrid mix, it’s possible to maintain compliance with both standards and regulations.

Step-by-Step Examples of Implementing Quantum-Safe IPsec

The extensions in IPsec for PQC and QKD are somewhat complex. Fortunately, these complexities occur behind the scenes and are not visible to network operators or users. In practice, it's simple and straightforward for operators to configure and monitor PQC and QKD for their IPsec networks, as will be shown in the examples here.

Example 1: Configure PQC

Below is a screenshot of the management web interface of one widely used IPsec gateway product.


It shows the screens for configuring an IKE gateway and an IKE crypto profile. While these screens contain many configuration fields, the vast majority of these fields are things that must be configured anyway as part of the normal workflow for configuring any IPsec tunnel.

The new options for adding PQC are marked in red above. Enabling PQC for your IPsec tunnel is very straightforward and only involves a couple of new configuration fields. 

  1. Check the “enable post quantum key exchange” checkbox. 
  2. Select one or multiple post quantum key exchange methods.

The example shows the selection of Kyber-512. This is all that is required in order to turn on PQC in the network using software that is commercially available today. 

Example 2: Configure PQC

Below is a screenshot of the management web interface of another widely-used IPsec product from a different vendor.


The screen for creating an IPsec tunnel pictured above shows that the only step required is selecting one of the PQC key exchange methods. In this example, ML-KEM 512 is selected. This is the only step for turning on PQC in the network using this particular vendor’s software.

Example 3: Configure QKD using CLI 

Below is an example of how to configure QKD using SKIP. In this case, QKD is configured through the command line interface (CLI) instead of the graphical user interface.


The configuration (pictured in the background in gray above) is the configuration required for any IPsec tunnel. In black (at the front) is the additional configuration for enabling QKD. Essentially this process is as simple as indicating the need to use QKD and entering some information to identify how to reach the QKD device to get the key. 

Example 4: Configure QKD using CLI 


This is another example of using QKD. In this case, ETSI QKD 014 is used for the key delivery interface. Shown above is the configuration needed in addition to configuring the IPsec tunnel. A majority of this configuration is about where to get the key and how to authenticate your identity to the key delivery QKD device. 
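The key delivery that this configuration sets up, together with the hybrid mixing described earlier, is sketched end to end in the following added example (not code from the original article or from any vendor). It uses an in-memory MockKME in place of real ETSI QKD 014 key management entities; the SAE IDs, the single-use behaviour, and the HMAC chaining in hybrid_key are assumptions for illustration, and the real IKEv2 key schedule differs.

```python
import base64, hashlib, hmac, json, os, uuid

class MockKME:
    """In-memory stand-in for a synchronized KME pair (constructed, not a real device)."""
    def __init__(self):
        self.store = {}  # key_ID -> (master_sae, slave_sae, key bytes)

    def enc_keys(self, caller_sae, slave_sae, size_bits=256):
        # Models GET /api/v1/keys/{slave_SAE_ID}/enc_keys; a real KME takes the
        # caller's identity from its TLS client certificate.
        key_id, key = str(uuid.uuid4()), os.urandom(size_bits // 8)
        self.store[key_id] = (caller_sae, slave_sae, key)
        return json.dumps({"keys": [{"key_ID": key_id, "key": base64.b64encode(key).decode()}]})

    def dec_keys(self, caller_sae, master_sae, key_id):
        # Models POST /api/v1/keys/{master_SAE_ID}/dec_keys with a key_IDs list.
        entry = self.store.get(key_id)
        if entry is None or entry[:2] != (master_sae, caller_sae):
            raise PermissionError("unknown key_ID or caller is not the intended peer")
        del self.store[key_id]  # assumption of this mock: each key is handed out once
        return json.dumps({"keys": [{"key_ID": key_id, "key": base64.b64encode(entry[2]).decode()}]})

def parse_key_container(body, expected_bits=256):
    """Validate a key container before trusting its contents as key material."""
    item = json.loads(body)["keys"][0]
    uuid.UUID(item["key_ID"])  # raises ValueError on a malformed ID
    key = base64.b64decode(item["key"], validate=True)
    if len(key) * 8 != expected_bits:
        raise ValueError("unexpected key length")
    return item["key_ID"], key

def hybrid_key(classical_ss, pqc_ss, qkd_key, nonces):
    """Chain each secret through HMAC-SHA256 so the result depends on all three."""
    k = hmac.new(nonces, classical_ss, hashlib.sha256).digest()
    for secret in (pqc_ss, qkd_key):
        k = hmac.new(k, secret + nonces, hashlib.sha256).digest()
    return k

def run_exchange(kme, ecdh_ss, kem_ss, nonces):
    # Initiator fetches a key, sends only the key_ID in-band, responder fetches by ID.
    key_id, k_i = parse_key_container(kme.enc_keys("sae-gw-a", "sae-gw-b"))
    _, k_r = parse_key_container(kme.dec_keys("sae-gw-b", "sae-gw-a", key_id))
    return (key_id,
            hybrid_key(ecdh_ss, kem_ss, k_i, nonces),
            hybrid_key(ecdh_ss, kem_ss, k_r, nonces))
```

Only the key_ID crosses the untrusted network; the key itself reaches each gateway over its local, authenticated link to the key delivery device.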

Conclusion

Organizations using IPsec should start planning for quantum-safe security immediately. The most urgent priority is securing key exchange, as Harvest Now, Decrypt Later (HNDL) attacks put encrypted data at risk today. Regulatory requirements also mandate addressing these vulnerabilities soon.

Post-Quantum Cryptography (PQC) is the baseline preparation for a post-quantum security strategy, but for protecting long-term confidential information, you should also consider deploying Quantum Key Distribution (QKD). Applications that benefit from this additional layer of security include critical infrastructure, medical applications, financial applications, high-value intellectual property protection, government data, defense security, and anything that requires long-term protection.

For those implementing QKD, entanglement-based QKD offers higher security, more scalability, and more flexibility, enabling a future-ready, general-purpose quantum network capable of connecting a variety of quantum devices for applications far beyond secure key distribution.

For further information, please see the on-demand webinar Quantum-Safe IPsec. More details are also available in the blog posts How to configure an IPsec tunnel using PQC keys and How to configure an IPsec tunnel using QKD keys. An in-depth explanation of the new extensions to IPsec for quantum security can be found in the white paper Quantum-Safe IPsec.


