ML-Kem-Based IPsec Advances 5G O-Ran Security Via E2 Interface Evaluation

Researchers are urgently investigating how to secure next-generation Open Radio Access Networks (O-RAN) against the emerging threat of quantum computing. Mario Perera, Michael Mackay, and Max Hashem Eiza, all from the University of Example, alongside Alessandro Raschellà, Nathan Shone, and Mukesh Kumar Maheshwari et al., present crucial experimental evidence demonstrating the viability of integrating post-quantum cryptography into the E2 interface of 5G networks. Their work assesses the performance impact of using a NIST-aligned module-lattice KEM (CRYSTALS-Kyber) within standard IPsec protocols, revealing a minimal overhead of only 3-5ms for tunnel establishment , a significant step towards safeguarding O-RAN infrastructure against future ‘store-now, decrypt-later’ attacks and enabling practical, quantum-safe deployments.

Researchers experimentally evaluated the impact of incorporating a NIST-aligned module-lattice KEM, specifically, CRYSTALS-Kyber, into the IKEv2/IPsec protocol protecting the critical E2 interface between a 5G Node B (gNB) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC). The team achieved this by constructing an open-source testbed utilising srsRAN, Open5GS, FlexRIC, and strongSwan, enhanced with the liboqs library, allowing for a direct comparison of three distinct configurations: a baseline with no IPsec, a traditional setup employing ECDH-based IPsec, and a novel implementation leveraging ML-KEM-based IPsec. This study meticulously focused on quantifying IPsec tunnel-setup latency and assessing the runtime performance of Near-RT RIC xApps under realistic signalling workloads, providing crucial empirical data for network operators.

Experiments show that integrating ML-KEM introduces a modest overhead to tunnel establishment, increasing latency by approximately 3 to 5 milliseconds compared to classical IPsec, a remarkably small penalty given the enhanced security. Importantly, the research establishes that xApp operation and the stability of RIC control loops remain unaffected by the PQC integration, demonstrating that near-real-time performance requirements are still met. The work opens the door to quantum-safe migration strategies for O-RAN deployments, offering a pathway to protect sensitive control data against future quantum computing threats. This breakthrough reveals that ML-KEM-based IPsec on the E2 interface is not merely theoretically sound, but practically viable within the constraints of a live 5G network.
The research meticulously details the design and deployment of a reproducible experimental platform, emulating a complete 5G O-RAN architecture with a Near-RT RIC. This platform allows for controlled experimentation and detailed analysis of the performance impact of different cryptographic schemes on the E2 interface. By comparing the three configurations under realistic signalling loads, the scientists were able to isolate the performance overhead introduced by ML-KEM, providing quantitative evidence to support their findings. The study’s contribution extends beyond simply demonstrating feasibility; it delivers a documented framework for future research into PQC-enhanced interface security in O-RAN, enabling further investigation and optimisation.

Furthermore, the team’s findings are particularly significant given the O-RAN Alliance Working Group 11’s emphasis on “security by design” and the mandatory use of IPsec for inter-node communication. This work directly addresses the need for stronger cryptographic mechanisms without compromising the stringent timing constraints of the E2 interface. The results inform a pragmatic approach to securing O-RAN deployments against evolving threats, ensuring the long-term resilience of 5G and future 6G systems. The study’s novel contributions include the first empirical evaluation of ML-KEM-based IPsec on the O-RAN E2 interface, a reproducible testbed for PQC research, and quantitative evidence supporting the feasibility of quantum-safe migration strategies.

5G E2 Interface Security with ML-KEM offers enhanced

Scientists experimentally evaluated the integration of a NIST-aligned module-lattice KEM (ML-KEM, CRYSTALS-Kyber) into IKEv2/IPsec to protect the E2 interface between a 5G Node B (gNB) and a Near-Real-Time RAN Intelligent Controller (Near-RT RIC). Researchers constructed an open-source testbed utilising srsRAN, Open5GS, FlexRIC, and strongSwan, augmented with the liboqs library, to facilitate this investigation. The study meticulously compared three distinct configurations: a baseline with no IPsec, a classical ECDH-based IPsec setup, and an IPsec configuration leveraging the ML-KEM implementation. Experiments employed repeated, automated runs to assess IPsec tunnel-setup latency and the runtime behaviour of Near-RT RIC xApps under realistic signalling workloads.

The team engineered a precise measurement protocol, focusing on quantifying the overhead introduced by the ML-KEM integration during tunnel establishment and its impact on the stability of RIC control loops. Specifically, the testbed was configured to simulate typical E2 interface signalling, subjecting the xApps to conditions mirroring real-world deployments. Data collection involved precise timestamping of key events during the IPsec tunnel negotiation process, enabling accurate latency measurements. The system delivers a comparative analysis of the three configurations, meticulously tracking tunnel establishment times and monitoring xApp performance metrics.

Researchers harnessed the automated testbed to generate a statistically significant dataset, allowing for robust evaluation of the ML-KEM integration. This approach enables the identification of any performance degradation or instability introduced by the post-quantum cryptographic module. Results demonstrate that integrating ML-KEM adds approximately 3~5ms to tunnel establishment compared to classical IPsec. Furthermore, the study pioneered a method for evaluating the impact of PQC on RAN control plane functionality, confirming that xApp operation and RIC control loops remained stable throughout the experiments. This finding is crucial, as it indicates that ML-KEM-based IPsec on the E2 interface is practically feasible without disrupting critical RAN operations. Repeated, automated tests revealed that integrating ML-KEM introduces a modest overhead to tunnel establishment, registering an approximate increase of 3~5ms compared to classical IPsec. Crucially, the experiments demonstrated that xApp operation and RIC control loops remained stable throughout testing, confirming the feasibility of implementing PQC without disrupting critical network functions. Measurements confirm that the ML-KEM integration does not introduce instability into the control plane, a vital finding for operators considering quantum-safe upgrades.

These findings, generated from a fully open and reproducible testbed, indicate that ML-KEM-based. Tests. Results from repeated automated runs demonstrated that incorporating ML-KEM introduces a modest overhead to tunnel establishment, increasing latency by approximately 3-5ms compared to classical IPsec. Importantly, xApp operation and RIC control loops remained stable throughout the experiments, suggesting practical feasibility. These findings indicate that employing ML-KEM-based IPsec on the E2 interface is achievable with current server-class hardware and can contribute to early, staged quantum-safe migration strategies for Open RAN deployments.

The authors acknowledge a limitation in the scope of their evaluation, focusing solely on the E2 interface and specific hardware. Future research will extend this framework to protect other O-RAN interfaces reliant on TLS, such as A1, O1, and O2, assessing the impact of ML-KEM and alternative KEMs on TLS 1.3 handshake latency and control-plane message delay. Furthermore, researchers plan to investigate the potential of Federated Learning (FL) to enhance PQC security in OpenRAN environments, optimising algorithm selection, enabling collaborative anomaly detection, and facilitating post-deployment hardening against evolving threats.