Post-Quantum IPsec Is Finally Becoming Boring — And That’s the Point

Cloudflare didn’t “innovate” here. They removed entropy. They took a space that was degenerating into combinatorial nonsense and forced it into a single, constrained construction: hybrid ML-KEM + Diffie-Hellman for IPsec. (InfoQ) That sounds incremental. It isn’t. It’s the first time IPsec starts behaving like a protocol again instead of a negotiation playground. This Was Never About Quantum People keep framing this as a “quantum migration problem.” It’s not. It’s a temporal adversary problem. Attackers don’t need to break your crypto today. They just need patience: capture(c)→store(c)→decryptfuture(c) \text{capture}(c) \rightarrow \text{store}(c) \rightarrow \text{decrypt}_{future}(c) capture(c)→store(c)→decryptfuture​(c) That’s it. If your confidentiality depends on when an attacker runs the computation, your system is already compromised. You’re just waiting for hardware to catch up. Cloudflare’s move directly targets this class of failure by making hybrid key exchange default acros