Towards Quantum-Safe O-RAN -- Experimental Evaluation of ML-KEM-Based IPsec on the E2 Interface

TL;DR

This paper evaluates the practical feasibility of integrating quantum-resistant ML-KEM-based IPsec into the E2 interface of O-RAN, showing minimal latency overhead and stable operation, aiding quantum-safe migration strategies.

Contribution

It provides the first experimental assessment of ML-KEM-based IPsec on the O-RAN E2 interface, demonstrating its practicality and impact on latency and stability.

Findings

ML-KEM adds approximately 3-5 ms to tunnel setup latency.

xApp operation and RIC control loops remain stable with ML-KEM IPsec.

ML-KEM-based IPsec is practically feasible for quantum-safe O-RAN deployment.

Abstract

As Open Radio Access Network (O-RAN) deployments expand and adversaries adopt 'store-now, decrypt-later' strategies, operators need empirical data on the cost of migrating critical control interfaces to post-quantum cryptography (PQC). This paper experimentally evaluates the impact of integrating a NIST-aligned module-lattice KEM (ML-KEM, CRYSTALS-Kyber) into IKEv2/IPsec protecting the E2 interface between the 5G Node B (gNB) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC). Using an open-source testbed built from srsRAN, Open5GS, FlexRIC and strongSwan (with liboqs), we compare three configurations: no IPsec, classical ECDH-based IPsec, and ML-KEM-based IPsec. The study focuses on IPsec tunnel-setup latency and the runtime behaviour of Near-RT RIC xApps under realistic signalling workloads. Results from repeated, automated runs show that ML-KEM integration adds a small overhead to tunnel establishment, which is approximately 3~5 ms in comparison to classical IPsec, while xApp operation and RIC control loops remain stable in our experiments. These findings indicate that ML-KEM based IPsec on the E2 interface is practically feasible and inform quantum-safe migration strategies for O-RAN deployments.