Add docs for Cloudflare IPsec quantum downgrade protection (beta) #31800
goldbe-cf wants to merge 5 commits into
Add info about IPsec downgrade protection: Edit A (small tweak to line 101) and Edit B (new section inserted between lines 259 and 261).
Added IPsec downgrade protection row and references to the Cloudflare IPsec section
Added new paragraph after line 106 on downgrade protection
Review
Code Review
This code review is in beta and may not always be helpful — use your judgment. No code review issues found.
Conventions
Checks PR title, description, and redirect checklist. No convention issues found.
Style Guide Review
Warnings (3)
Suggestions (1)
Redirects
No missing redirect entries found.
Commands
Only codeowners can run commands. Post a comment with the command to trigger it.
|
lukevalenta
left a comment
I didn't carefully review the technical details of the downgrade protection (@cjpatton can you take a look?), but otherwise lgtm modulo some minor nits.
|
|
||
| Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group. | ||
|
|
||
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. |
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. | |
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable [on-path attacker](https://www.cloudflare.com/learning/security/threats/on-path-attack/) can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. |
| | Protection | Status | | ||
| | -------------------- | ------------------------------------------------- | | ||
| | Key agreement | ✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2 | | ||
| | Downgrade protection | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) | |
'Protection' is already the column header, so maybe just 'Downgrades' here?
| | Downgrade protection | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) | | |
| | Downgrades | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) | |
| - A policy must cover reply-style health checks — that is, they must match traffic selectors — otherwise, Cloudflare drops them, just like any other traffic from an IPsec tunnel that does not match a policy. | ||
| - A single IPsec tunnel can only contain around 100 Child SAs. Therefore, there is effectively a limit on the number of different policies per tunnel. | ||
|
|
||
| ### Downgrade protection (beta) |
If we don't want to have to change all of the anchor links later when we drop the '(beta)' from the title:
| ### Downgrade protection (beta) | |
| ### Downgrade protection (beta) {#downgrade-protection} |
| This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account. | ||
| ::: | ||
|
|
||
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange. |
Inclusive language and all (https://www.cloudflare.com/learning/security/threats/man-in-the-middle-attack/ redirects to https://www.cloudflare.com/learning/security/threats/on-path-attack/)
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange. | |
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable [on-path attacker](https://www.cloudflare.com/learning/security/threats/on-path-attack/) can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange. |
|
|
||
| The hybrid key agreement is negotiated using ML-KEM as an additional Key Exchange to classical Diffie-Hellman during the IKEv2 handshake, as defined in [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/) and [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). For the list of validated third-party platforms and their supported parameters, refer to [Tested third-party vendor interoperability](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability). | ||
|
|
||
| Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta). |
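Review bot: The internal link at the end of this paragraph targets `#downgrade-protection-beta`, which follows the heading text `### Downgrade protection (beta)` and will break when "(beta)" is dropped from that heading. If the heading takes the explicit `{#downgrade-protection}` anchor suggested elsewhere in this review, point this link, and the one in the "Downgrade protection" table row, at `/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection` in the same change.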
AI reviewer suggestion:
| Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta). | |
| Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective. Refer to [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta). |
| - Available in beta for Cloudflare WAN and Magic Transit IPsec tunnels. | ||
| - Cloudflare sends the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification unconditionally as a responder when the feature flag is enabled. | ||
| - Both the initiator (your device) and responder (Cloudflare) must support the extension for downgrade protection to be effective. | ||
| - This feature is currently gated by a per-account feature flag. Contact your account team to enable it. |
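Review bot: The bullet "Both the initiator (your device) and responder (Cloudflare) must support the extension" leaves the failure case undocumented: these lines do not say what happens when the initiator does not support `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`. Suggest adding a bullet that states whether the tunnel still establishes without downgrade protection in that case, and how a customer can confirm the extension was actually negotiated, so a protected tunnel can be told apart from an unprotected one. The flag is also unnamed here while the beta note calls it `ipsec_downgrade_protection`; naming it in this bullet would keep the two consistent.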
AI review suggestion
| - This feature is currently gated by a per-account feature flag. Contact your account team to enable it. | |
| - This feature is currently gated by a per-account feature flag. Contact your account team to turn it on. |
| ### Downgrade protection (beta) | ||
|
|
||
| :::note[Beta] | ||
| This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account. |
AI review suggestion
| This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account. | |
| This feature is in beta. Contact your account team to turn on the `ipsec_downgrade_protection` flag for your account. |
| - cloudflare-one | ||
| --- | ||
|
|
||
| Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group. |
Opinionated nits (feel free to ignore):
- I don't think we need to take credit in dev docs.
- not just quantum attacks
| Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group. | |
| Cloudflare IPsec now supports the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) IKEv2 extension to protect against downgrade attacks on IPsec tunnels. |
Adds documentation for the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH extension (IPsec downgrade protection, beta). This docs update is a companion to the upcoming blog post: https://blog.cloudflare.com/ipsec-downgrade-protection