Over two-thirds of Cloudflare's TLS traffic already has post-quantum protection, but enterprise IPsec took a full four years to catch up: infrastructure moves far more slowly than the application layer. That gap is the signal worth noting this week.
What this is
Cloudflare announced that its IPsec service (Internet Protocol Security, the network-layer encryption protocol suite behind most enterprise VPNs and site-to-site links) now officially supports post-quantum key exchange, using a hybrid scheme built on ML-KEM (the post-quantum key encapsulation mechanism standardized by the US National Institute of Standards and Technology as FIPS 203).
The primary threat this addresses is "harvest now, decrypt later": an attacker records your encrypted traffic today, stores it, and decrypts it once a sufficiently large quantum computer exists. Data that must stay confidential for years is therefore already exposed to anyone archiving traffic now. Cloudflare has accordingly moved its target for being fully quantum-safe forward to 2029.
Why is IPsec four years behind TLS? TLS is largely a software problem: upgrade the client and the server and you are done. IPsec has to interoperate with a wide range of hardware, such as Fortinet and Cisco gateways at branch sites, so the interoperability bar is far higher. This time Cloudflare completed interoperability testing with two network equipment vendors, a sign that implementations are finally starting to converge on the standard.
Industry view
Positive voices: The IETF's hybrid ML-KEM draft pairs the mature, well-studied security of classical Diffie-Hellman with the quantum resistance of ML-KEM. Because the session key is derived from both shared secrets, an attacker has to break both algorithms, so a flaw in the newer one does not by itself expose traffic. This "double insurance" lowers migration risk, and being able to turn it on with existing hardware, without a forklift replacement, is the path enterprises are most happy to see.
However, we note two risks. First, the four-year lag is itself a warning: enterprise dedicated lines run on large fleets of hardware with long replacement cycles and high costs, SMEs lack the incentive to prioritize the investment, and the exact timing of Q-Day remains unknown. Second, ML-KEM is a relatively young algorithm whose long-term security has not yet been validated by time. In 2022 the SIKE scheme, then still a post-quantum candidate, was broken on a single classical CPU core in a matter of hours, which is exactly the failure mode the hybrid construction hedges against. Prudence towards new cryptography should not disappear because of a sense of urgency.
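To make the "double insurance" concrete, here is a small hybrid X25519 + ML-KEM-768 exchange written for this article as an added example. It is not Cloudflare's code and not the IETF draft's reference implementation. It assumes Go 1.24 or later for the standard-library crypto/mlkem package, uses a simplified HMAC-SHA256 combiner (a constructed stand-in for RFC 9370's prf+ derivation, with a made-up domain-separation label), and shows both sides' messages plus what happens when the ML-KEM ciphertext is tampered with in transit.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// combine binds both shared secrets and the full public transcript into one
// 32-byte session key with HMAC-SHA256. It is a simplified stand-in for RFC 9370's
// prf+ chain, written for this example; the property that matters is that an
// attacker must recover BOTH the ECDH and the ML-KEM secret to learn the key.
func combine(ecdhSS, kemSS []byte, transcript ...[]byte) []byte {
	mac := hmac.New(sha256.New, append(append([]byte{}, ecdhSS...), kemSS...))
	mac.Write([]byte("hybrid-ikev2-demo")) // constructed domain-separation label
	for _, part := range transcript {
		mac.Write(part)
	}
	return mac.Sum(nil)
}

// HybridExchange runs one X25519 + ML-KEM-768 exchange between an initiator and
// a responder and returns the session key each side derived. With tamper set, one
// byte of the ML-KEM ciphertext is flipped in transit, as a meddler-in-the-middle
// or a corrupting path would do.
func HybridExchange(tamper bool) (initKey, respKey []byte, err error) {
	// Initiator: generate both key pairs and offer both public values.
	iECDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	iKEM, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	offerECDH, offerKEM := iECDH.PublicKey().Bytes(), iKEM.EncapsulationKey().Bytes()

	// Responder: ECDH against the offered key, encapsulate to the offered ML-KEM
	// key, derive the session key, and reply with its public value and ciphertext.
	rECDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(offerECDH)
	if err != nil {
		return nil, nil, err
	}
	rSSECDH, err := rECDH.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(offerKEM)
	if err != nil {
		return nil, nil, err
	}
	rSSKEM, ct := ek.Encapsulate()
	replyECDH := rECDH.PublicKey().Bytes()
	respKey = combine(rSSECDH, rSSKEM, offerECDH, offerKEM, replyECDH, ct)

	if tamper {
		ct[0] ^= 0x01 // corrupt the ciphertext on the wire
	}

	// Initiator: ECDH against the reply, decapsulate, and derive. ML-KEM uses implicit
	// rejection: a corrupted ciphertext of the right length yields a different key,
	// not an error, so the mismatch surfaces only when the keys are authenticated.
	peer, err = ecdh.X25519().NewPublicKey(replyECDH)
	if err != nil {
		return nil, nil, err
	}
	iSSECDH, err := iECDH.ECDH(peer)
	if err != nil {
		return nil, nil, err
	}
	iSSKEM, err := iKEM.Decapsulate(ct)
	if err != nil {
		return nil, nil, err
	}
	initKey = combine(iSSECDH, iSSKEM, offerECDH, offerKEM, replyECDH, ct)
	return initKey, respKey, nil
}

func main() {
	for _, tamper := range []bool{false, true} {
		k1, k2, err := HybridExchange(tamper)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tamper=%v agree=%v initiator=%x responder=%x\n", tamper, bytes.Equal(k1, k2), k1[:8], k2[:8])
	}
}
```

Two things worth noticing when running it: the honest run agrees on a 32-byte key, and the tampered run produces two different keys without any error from the decapsulation step. That second behaviour is by design in ML-KEM, and it is why a real IKEv2 deployment still relies on the AUTH exchange to detect a mismatched key rather than on the KEM itself.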
Impact on regular people
For enterprise IT: If your company connects sites through Cloudflare IPsec with Fortinet or Cisco gateways, you can now enable post-quantum key exchange on the hardware you already own, so the barrier to entry is lower than expected. Do confirm on both ends that the tunnel actually negotiates the hybrid group rather than silently falling back to a classical-only one.
For individual careers: Information security engineers and network architects should start getting comfortable with post-quantum cryptography; it is moving from an academic topic to a practical requirement.
For the consumer market: Consumers do not touch IPsec directly, but if your data has a long sensitivity lifespan, as healthcare and financial records do, the "harvest now, decrypt later" threat is real today, and compliance requirements in those sectors will tighten over time.