ML-Kem-Based IPsec Advances 5G O-Ran Security Via E2 Interface Evaluation

The rise of quantum computing threatens traditional public‑key algorithms that underpin 5G Open Radio Access Networks (O‑RAN). As the O‑RAN Alliance mandates IPsec for inter‑node communication, integrating a NIST‑aligned module‑lattice key‑encapsulation mechanism (ML‑KEM) such as CRYSTALS‑Kyber offers a forward‑looking defense against "store‑now, decrypt‑later" attacks. By embedding ML‑KEM into the IKEv2/IPsec stack on the critical E2 interface, the research bridges the gap between theoretical post‑quantum security and practical telecom deployments.

The authors built a reproducible testbed leveraging srsRAN, Open5GS, FlexRIC, strongSwan, and the liboqs library, allowing side‑by‑side comparison of three scenarios: no IPsec, conventional ECDH‑based IPsec, and the novel ML‑KEM‑based IPsec. Measurements focused on tunnel‑setup latency and the runtime of Near‑RT RIC xApps under realistic signalling loads. The ML‑KEM variant introduced only a 3–5 ms delay in tunnel establishment while leaving xApp control‑loop stability untouched, confirming that the stringent timing requirements of the E2 interface remain satisfied.

Beyond the immediate findings, the work establishes a blueprint for broader quantum‑safe upgrades across the O‑RAN ecosystem. Future extensions could protect TLS‑based interfaces (A1, O1, O2) and evaluate alternative KEMs within TLS 1.3 handshakes. For network operators, the study offers actionable data to plan phased migrations to post‑quantum cryptography without service disruption, while researchers gain an open platform to explore optimisations and federated‑learning‑enhanced security models for next‑generation 6G deployments.