Add docs for Cloudflare IPsec quantum downgrade protection (beta) #31800
base: production
Changes from all commits
e976f95
e8ad2bc
b5166b5
e856cc2
acd2a9c
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,20 @@ | ||||||
| --- | ||||||
| title: IPsec downgrade protection (beta) | ||||||
| description: Cloudflare IPsec now supports the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH extension to prevent quantum downgrade attacks on IKEv2 tunnels. | ||||||
| date: 2026-07-07 | ||||||
| products: | ||||||
| - cloudflare-one | ||||||
| --- | ||||||
|
|
||||||
| Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group. | ||||||
|
|
||||||
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection. | ||||||
|
Contributor
Suggested change
|
||||||
|
|
||||||
| Key details: | ||||||
|
|
||||||
| - Available in beta for Cloudflare WAN and Magic Transit IPsec tunnels. | ||||||
| - Cloudflare sends the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification unconditionally as a responder when the feature flag is enabled. | ||||||
| - Both the initiator (your device) and responder (Cloudflare) must support the extension for downgrade protection to be effective. | ||||||
| - This feature is currently gated by a per-account feature flag. Contact your account team to enable it. | ||||||
|
Contributor
AI review suggestion
Suggested change
|
||||||
|
|
||||||
| Refer to [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) for more details. | ||||||
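Review bot: the first paragraph's link is mis-punctuated: `Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](...)) with the IETF IPSECME Working Group.` reads as "develop this extension in (...)"; drop the `in` so it becomes `Cloudflare helped develop this extension ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group.` Two smaller points in "Key details": the bullet `Cloudflare sends the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH notification unconditionally as a responder when the feature flag is enabled` is self-contradictory as phrased (unconditional, but only under a flag); "in every `IKE_SA_INIT` response once the feature flag is enabled" says what is meant. And the last bullet refers only to "a per-account feature flag", while the reference section this entry links to names it `ipsec_downgrade_protection`; using the same name in both places saves the reader a round trip with their account team.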
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -105,6 +105,8 @@ Traffic leaves the Cloudflare network over a post-quantum Cloudflare IPsec link | |||||
|
|
||||||
| The hybrid key agreement is negotiated using ML-KEM as an additional Key Exchange to classical Diffie-Hellman during the IKEv2 handshake, as defined in [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/) and [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). For the list of validated third-party platforms and their supported parameters, refer to [Tested third-party vendor interoperability](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability). | ||||||
|
|
||||||
| Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta). | ||||||
|
Contributor
AI reviewer suggestion:
Suggested change
|
||||||
|
|
||||||
| ## Secure Web Gateway | ||||||
|
|
||||||
| A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic. | ||||||
|
|
||||||
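Review bot: the new sentence `Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](...)` is a comma splice; end the sentence after "effective" and follow it with "Refer to [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) for details.", which also matches the "refer to ..." phrasing of the paragraph above it. Also, the link text is the notification name but the target is the IETF draft; the preceding paragraph links RFC 9370 and the ML-KEM draft by their document names, so linking `draft-ietf-ipsecme-ikev2-downgrade-prevention` by name and leaving `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` as plain code would be consistent.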
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -135,12 +135,13 @@ Reference: [Proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/prox | |||||
|
|
||||||
| IKEv2 key exchange for IPsec tunnels between third-party branch connectors and Cloudflare's global network. | ||||||
|
|
||||||
| | Protection | Status | | ||||||
| | ------------- | ------------------------------------------------- | | ||||||
| | Key agreement | ✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2 | | ||||||
| | Signatures | Not yet | | ||||||
| | Protection | Status | | ||||||
| | -------------------- | ------------------------------------------------- | | ||||||
| | Key agreement | ✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2 | | ||||||
| | Downgrade protection | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) | | ||||||
|
Contributor
'Protection' is already the column header, so maybe just 'Downgrades' here?
Suggested change
|
||||||
| | Signatures | Not yet | | ||||||
|
|
||||||
| Reference: [PQC SASE](https://blog.cloudflare.com/post-quantum-sase/), [GRE and IPsec tunnels](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability), [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). | ||||||
| Reference: [PQC SASE](https://blog.cloudflare.com/post-quantum-sase/), [GRE and IPsec tunnels](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability), [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/), [draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/). | ||||||
|
|
||||||
| The IPsec ESP dataplane can alternatively be keyed using the [Cloudflare One Appliance](#cloudflare-one-appliance) control plane instead of IKEv2. | ||||||
|
|
||||||
|
|
||||||
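Review bot: the Status cell of the new `Downgrade protection` row carries only the 🚧 emoji and a link, whereas the neighbouring rows state the status in words (`✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2`, `Not yet`), so a reader scanning the column cannot tell whether 🚧 means beta, planned or partial. Spell it out, e.g. `🚧 Beta: [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta)`, and since the table now mixes ✅ and 🚧, a one-line legend would help. Minor: the second-column separator (`-------------------------------------------------`) kept its old width although the new cell is far longer; rendering is unaffected, but the source table no longer lines up.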
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -98,7 +98,7 @@ For information on how to set up an IPsec tunnel, refer to <a href={props.tunnel | |||||
|
|
||||||
| {props.productName} uses the following stages to establish an IPsec tunnel: | ||||||
|
|
||||||
| - **Initial Exchange** (`IKE_SA_INIT`): IKE peers negotiate parameters for the IKE Security Association (SA) and establish a shared secret for key derivation, and when relevant, signal support for post-quantum key exchange with [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/). After this exchange, the peers have a secure communication channel but they have not yet authenticated each other. | ||||||
| - **Initial Exchange** (`IKE_SA_INIT`): IKE peers negotiate parameters for the IKE Security Association (SA) and establish a shared secret for key derivation, and when relevant, signal support for post-quantum key exchange with [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/). When [downgrade protection](#downgrade-protection-beta) is enabled, Cloudflare also sends an `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification during this exchange to signal support for full transcript authentication. After this exchange, the peers have a secure communication channel but they have not yet authenticated each other. | ||||||
| - **Intermediate Exchange** (`IKE_INTERMEDIATE`): If both peers support RFC 9370, they perform an additional key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), a post-quantum key exchange specified in [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). This creates a hybrid shared secret by combining a secret derived from classical Diffie-Hellman (established during the `IKE_SA_INIT`) with post-quantum ML-KEM to protect against [harvest-now, decrypt-later](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later) attacks. | ||||||
| - **Auth Exchange** (`IKE_AUTH`): Using the keys established from both the `IKE_SA_INIT` and the `IKE_INTERMEDIATE` exchange, IKE peers mutually authenticate each other. After authentication, they establish the IKE security association (SA). Next, the peers negotiate and establish an IPsec tunnel, known as a Child SA. | ||||||
| - **Rekeying**: Periodically, or through manual intervention, IKE SAs can be rekeyed to generate new SAs with fresh keys for the session. This rekey operation is performed for both the IKE SA (to refresh the control plane) and the Child SAs (to refresh the data plane). When a hybrid exchange is in use (RFC 9370), the rekey process for the IKE SA will once again perform the parallel classical (DH) and post-quantum (ML-KEM) exchanges to ensure continued quantum resistance. | ||||||
|
|
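Review bot: only the `IKE_SA_INIT` bullet was updated, so the `IKE_AUTH` bullet still describes authentication as unchanged (`IKE peers mutually authenticate each other`), even though the exchange the extension actually alters is that one: per the new reference section, both peers sign the entire handshake transcript there rather than only their own messages. Add a sentence to the `IKE_AUTH` bullet along the lines of "When [downgrade protection](#downgrade-protection-beta) has been negotiated, each peer signs the entire handshake transcript rather than only its own messages." Also, the added sentence hardcodes "Cloudflare also sends" inside a partial that otherwise uses `{props.productName}`; if the partial is shared across products, keep the wording product-neutral or use the prop.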
@@ -258,6 +258,26 @@ If route-based VPNs are not an option and you must use policy-based VPNs, be awa | |||||
| - A policy must cover reply-style health checks — that is, they must match traffic selectors — otherwise, Cloudflare drops them, just like any other traffic from an IPsec tunnel that does not match a policy. | ||||||
| - A single IPsec tunnel can only contain around 100 Child SAs. Therefore, there is effectively a limit on the number of different policies per tunnel. | ||||||
|
|
||||||
| ### Downgrade protection (beta) | ||||||
|
Contributor
If we don't want to have to change all of the anchor links later when we drop the '(beta)' from the title:
Suggested change
|
||||||
|
|
||||||
| :::note[Beta] | ||||||
| This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account. | ||||||
|
Contributor
AI review suggestion
Suggested change
|
||||||
| ::: | ||||||
|
|
||||||
| IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange. | ||||||
|
Contributor
Inclusive language and all (https://www.cloudflare.com/learning/security/threats/man-in-the-middle-attack/ redirects to https://www.cloudflare.com/learning/security/threats/on-path-attack/)
Suggested change
|
||||||
|
|
||||||
| To address this, Cloudflare supports the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) IKEv2 extension. When enabled, both IKEv2 peers sign the entire handshake transcript during the authentication exchange, rather than only their own messages. This prevents an attacker from downgrading the connection without being detected. | ||||||
|
|
||||||
| **How it works:** | ||||||
|
|
||||||
| - When the feature flag is enabled, Cloudflare (acting as IKE responder) unconditionally includes an `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification in its `IKE_SA_INIT` response. | ||||||
| - If the initiator also supports the extension, both sides use full transcript authentication, which prevents downgrade attacks. | ||||||
| - If the initiator does not support the extension, the handshake proceeds with standard IKEv2 authentication. Both parties must support the extension for downgrade protection to be effective. | ||||||
|
|
||||||
| **Requirements:** | ||||||
|
|
||||||
| - Your IKEv2 initiator must support the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification as defined in [draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/). | ||||||
|
|
||||||
| ### Troubleshooting | ||||||
|
|
||||||
| For help resolving tunnel issues: | ||||||
|
|
||||||
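Review bot: the "How it works" list says the handshake silently `proceeds with standard IKEv2 authentication` when the initiator lacks the extension, but nothing in the section tells an operator how to confirm which mode a given tunnel ended up in, so a tunnel believed to be downgrade-protected could run without it indefinitely. Document how to verify that full transcript authentication was negotiated (the initiator's IKE logs at minimum, plus any tunnel status Cloudflare exposes) and state whether it can be required rather than falling back. Related: "Requirements" says only that the initiator `must support the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH notification`; spell out what the initiator has to send for Cloudflare to treat it as supported, so readers can check their device against it. Smaller points: the flag name `ipsec_downgrade_protection` appears only in the note block while the bullets say "the feature flag", and the threat paragraph duplicates the changelog's wording with a different ending ("create a \"split view\" of the handshake" here, "bypass post-quantum key exchange" there); pick one phrasing and use it in both.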
Opinionated nits (feel free to ignore):