Logo Teldat
boton
Contact us

• Cybersecurity Glossary

What is Quantum-Safe SD-WAN?

Quantum-safe SD-WAN is a wide area network architecture in which every encrypted tunnel is protected by cryptographic algorithms that resist attacks from quantum computers. Classical SD-WAN relies on IKEv2/IPsec with ECDH or RSA for key exchange both broken by Shor’s algorithm on a sufficiently powerful quantum machine. A quantum-safe architecture replaces or supplements that key exchange with post-quantum algorithms such as ML-KEM, adds pre-shared post-quantum keys (PS-PPK) as an immediate near-term mitigation, and positions the network for Quantum Key Distribution (QKD) as the technology matures. With NIST finalizing FIPS 203 in August 2024 and the harvest-now-decrypt-later threat already active, the transition from classical to quantum-safe SD-WAN is an operational priority, not a future consideration.

Quantum-safe SD-WAN definition

Quantum-safe SD-WAN is a software-defined wide area network that uses cryptographic algorithms resistant to attacks from both classical and quantum computers to protect all data in transit across WAN tunnels. The term covers the full set of architectural changes required to eliminate quantum-vulnerable cryptography from the SD-WAN control and data planes: replacing quantum-vulnerable key exchange in IKEv2/IPsec, updating digital signature schemes used for device authentication, and ensuring management plane communications are equally protected.

Standard SD-WAN deployments use IKEv2 with Elliptic Curve Diffie-Hellman (ECDH) or RSA for key establishment. Both rely on mathematical problems the discrete logarithm problem and integer factorization respectively that Shor’s algorithm on a quantum computer can solve in polynomial time. A quantum-safe SD-WAN removes that dependency by integrating post-quantum key encapsulation mechanisms (ML-KEM, standardized as NIST FIPS 203) either as a replacement or in a hybrid configuration alongside classical algorithms.

Beyond algorithm replacement, a complete quantum-safe SD-WAN strategy includes three time horizons. In the near term, Pre-Shared Post-Quantum Keys (PS-PPK, RFC 8784) provide immediate protection against harvest-now-decrypt-later attacks on existing infrastructure. In the medium term, ML-KEM integration into IKEv2 key exchange delivers standards-based quantum resistance. In the long term, Quantum Key Distribution (QKD) adds physically verifiable key security for the highest-assurance links.

Why classical SD-WAN is vulnerable to quantum attacks?

The vulnerability of SD-WAN to quantum attacks is specific and well understood. It is not a theoretical risk about future computing power in general it is a concrete weakness in the key exchange mechanism that every IPsec tunnel relies on, combined with a threat that is already active today.

1
The IKEv2 key exchange problem
IKEv2 negotiates the cryptographic keys that protect every IPsec tunnel in an SD-WAN deployment. It does so using Diffie-Hellman key agreement typically over elliptic curves (ECDH) or finite fields. Shor’s algorithm on a cryptographically relevant quantum computer (CRQC) can solve the discrete logarithm problem underlying both, recovering the session keys that protect all traffic in the tunnel. The key exchange is the single point of quantum failure in an otherwise sound architecture.
2
RSA and digital signature exposure
IKEv2 also uses RSA or ECDSA certificates to authenticate the endpoints before key exchange. A quantum computer running Shor’s algorithm can forge these signatures, enabling an attacker to impersonate any SD-WAN node a gateway, a branch router, or the SD-WAN controller itself. This threat applies to the entire Public Key Infrastructure (PKI) that underpins device authentication across the WAN fabric.
3
Harvest now, decrypt later is already active
Nation-state actors and advanced threat groups are capturing and storing encrypted SD-WAN tunnel traffic today. They do not need a quantum computer yet. When a CRQC becomes available expert estimates range from 8 to 15 years the stored handshake data can be used to recover session keys and decrypt all captured traffic retrospectively. Every SD-WAN tunnel carrying data with a confidentiality horizon beyond that window is already at risk.
4
The SD-WAN management plane
Beyond data plane tunnels, SD-WAN controllers communicate with edge devices over encrypted management channels that also rely on TLS with classical key exchange. A compromised management plane means configuration injection, policy tampering, and the ability to redirect traffic at scale. Quantum-safe SD-WAN must protect both the data plane and the management plane.
5
Symmetric encryption is not the problem
AES-256, used for the bulk encryption of tunnel traffic, is not broken by quantum computers. Grover’s algorithm reduces its effective security from 256 to 128 bits, which remains considered safe. The migration burden falls entirely on asymmetric cryptography: the ECDH or RSA key exchange in IKEv2, and the ECDSA or RSA signatures in device certificates.
6
The migration timeline problem
Enterprise network migrations take years. Replacing IPsec key exchange across a distributed SD-WAN fabric requires firmware updates, controller upgrades, PKI changes, and interoperability testing. If organizations wait until a CRQC is announced to begin migration, the transition cannot be completed in time to protect data that is being captured right now.

The core vulnerability: classical SD-WAN has one quantum-vulnerable component the key exchange in IKEv2. Fixing that component, through PS-PPK in the near term and ML-KEM in the medium term, is the entire migration task for most enterprise WAN operators. The bulk encryption (AES-256) stays in place.

The three pillars: PS-PPK, ML-KEM, and QKD

A complete quantum-safe SD-WAN roadmap addresses three time horizons with three complementary technologies. Each pillar can be deployed independently; they are designed to be additive, not mutually exclusive.

1
PS-PPK immediate protection (deploy now)
Pre-Shared Post-Quantum Keys (PS-PPK), standardized in RFC 8784, add a symmetric pre-shared secret into the IKEv2 key exchange without replacing the underlying ECDH or RSA algorithms. The combined key material means that even if a quantum computer breaks the ECDH component, the PS-PPK secret keeps the session key secure. PS-PPK can be deployed on existing hardware and firmware with no changes to the network architecture, providing immediate protection against harvest-now-decrypt-later attacks. Teldat SD-WAN supports PS-PPK deployment today, managed centrally through CNM.
2
ML-KEM standards-based quantum resistance (deploy now to medium term)
ML-KEM (Module Lattice Key Encapsulation Mechanism), standardized as NIST FIPS 203, replaces ECDH in the IKEv2 key exchange with a post-quantum algorithm based on the hardness of the Module Learning With Errors (MLWE) lattice problem. ML-KEM can be deployed in hybrid mode alongside ECDH described in RFC 9370 ensuring backward compatibility with endpoints that have not yet migrated. Teldat Quantum SD-WAN integrates ML-KEM natively into IKEv2, managed through CNM with no per-device manual configuration.
3
QKD physically verifiable key security (long term)
Quantum Key Distribution uses the properties of quantum mechanics to distribute cryptographic keys in a way that makes interception physically detectable. Unlike algorithmic post-quantum cryptography, QKD does not rely on computational hardness assumptions at all its security follows from the laws of physics. Teldat SD-WAN devices are designed to consume QKD-generated keys through standardized interfaces, integrating them into the IPsec key exchange for the highest-assurance links where algorithmic assumptions alone are insufficient.
4
Hybrid deployment the recommended transition approach
During the migration window, running ML-KEM alongside classical ECDH in the same IKEv2 handshake (hybrid key exchange, RFC 9370) ensures that any endpoint not yet upgraded to ML-KEM can still establish a tunnel using the classical component. The hybrid approach provides quantum resistance for migrated endpoints immediately while preserving full network connectivity throughout the transition. Teldat Quantum SD-WAN supports hybrid key exchange out of the box.
5
CNM centralized quantum transition management
Managing a quantum transition across a distributed SD-WAN fabric requires a centralized control plane. Teldat Cloud Net Manager (CNM) provides policy-based configuration of PS-PPK key material, ML-KEM algorithm selection, hybrid mode settings, and key rotation schedules across the entire SD-WAN infrastructure from a single console. CNM audit trails provide the documentation required for regulatory compliance during the transition.
6
be.Safe Pro SSE extending protection beyond the WAN edge
The quantum-safe perimeter does not end at the WAN edge. Teldat be.Safe Pro SSE extends post-quantum ready transport security to cloud-delivered security services Secure Web Gateway, CASB, and ZTNA ensuring that traffic leaving the SD-WAN fabric for cloud destinations is protected by the same post-quantum cryptographic standards as the WAN tunnels themselves.

Classical SD-WAN vs Quantum-Safe SD-WAN

The comparison below isolates the specific architectural differences between a classical SD-WAN and a quantum-safe SD-WAN. The core SD-WAN value proposition dynamic path selection, application-aware routing, centralized management remains unchanged. What changes is the cryptographic foundation of the tunnels that carry the traffic.

Dimension Classical SD-WAN Quantum-safe SD-WAN
IKEv2 key exchange ECDH or RSA broken by Shor’s algorithm ML-KEM (FIPS 203) or hybrid ML-KEM + ECDH per RFC 9370
Near-term HNDL mitigation None all stored handshake traffic is at future quantum risk PS-PPK (RFC 8784) pre-shared post-quantum keys neutralize stored traffic
Device authentication RSA or ECDSA certificates forgeable by a quantum computer Transition to ML-DSA (FIPS 204) certificates for long-lived credentials
Bulk tunnel encryption AES-256 remains quantum safe, no change required AES-256 unchanged, Grover’s algorithm leaves 128-bit equivalent security
Management plane TLS with classical key exchange TLS with hybrid or ML-KEM key exchange as library support matures
Key generation option Not applicable keys derived from classical key exchange QKD-generated keys via standardized interfaces for highest-assurance links
Centralized management Policy, path, and application management via SD-WAN controller Policy, path, application, and cryptographic transition management via CNM
Regulatory compliance No PQC-specific requirements yet for most sectors NIST NCCoE, NSA CNSA 2.0, EU NIS2 migration guidance; federal mandate from 2030

What does not change: application-aware routing, zero-touch provisioning, dynamic path selection, WAN optimization, and centralized management all remain identical. Quantum-safe SD-WAN is a cryptographic upgrade, not a platform replacement. Organizations using Teldat SD-WAN can implement PS-PPK and ML-KEM on their existing hardware without replacing routers or redesigning the overlay topology.

Active threats to enterprise WAN infrastructure

The quantum threat to SD-WAN networks is not a single future event. It operates across a timeline that includes threats that are already active today, threats that become critical as quantum hardware matures, and long-term risks to authentication infrastructure.

1
Harvest now, decrypt later active today
Adversaries are intercepting and archiving SD-WAN tunnel traffic now. The IKEv2 handshakes in that archived traffic contain all the information needed to derive session keys once a CRQC is available. Data flowing over SD-WAN tunnels today with a confidentiality requirement of more than five to ten years is already compromised in a probabilistic sense. PS-PPK deployed now closes this window immediately.
2
Mosca’s theorem applied to WAN operators
If the time to migrate an SD-WAN fabric (X) plus the required confidentiality horizon of the data it carries (Y) exceeds the estimated time until a CRQC exists (Z), migration is already overdue. For enterprise WAN operators carrying intellectual property, financial data, or regulated personal data over multi-year contracts, X + Y routinely exceeds conservative CRQC estimates.
3
SD-WAN controller compromise via signature forgery
The SD-WAN controller authenticates to edge devices using certificates signed with RSA or ECDSA. A quantum computer could forge those signatures before the certificates expire, allowing an attacker to impersonate the controller, push malicious routing policies, and redirect traffic across the entire WAN fabric without any device detecting the compromise. This attack becomes possible when a CRQC exists, not before but PKI migration takes years.
4
Branch office exposure at scale
A single compromised IKEv2 key exchange in an SD-WAN fabric does not expose one tunnel it exposes every session that used the same key material. Branch offices in an SD-WAN deployment share cryptographic dependencies through the controller. A quantum attack on the controller’s PKI or on stored handshake traffic can have fabric-wide consequences that a classical network breach would not.
5
Supply chain and third-party VPN access
Many enterprise SD-WAN deployments include VPN tunnels for third-party access managed service providers, contractors, or cloud provider connectivity. Those third-party tunnels may use older IKEv2 configurations with no post-quantum mitigation. The quantum-safe perimeter is only as strong as its weakest tunnel. Teldat CNM provides visibility into the cryptographic configuration of all tunnels in the fabric.
6
Timeline acceleration from recent research
Google’s 2024 research revised downward the number of physical qubits required to break 256-bit elliptic curve cryptography. NIST has mandated that federal agencies begin PQC migration immediately, with RSA and ECDSA scheduled for deprecation by 2030. Industry estimates for a CRQC capable of breaking enterprise cryptography have shortened from 20 years to 8 to 15 years in the last two years of published research.

The action threshold for WAN operators: NIST NCCoE guidance recommends beginning quantum-safe migration if the confidentiality horizon of data carried over the network exceeds five years. For an enterprise SD-WAN carrying financial records, healthcare data, or intellectual property, that threshold is crossed by default. The recommended first action is PS-PPK deployment, which requires no hardware change and can be rolled out through CNM across the entire fabric in a single policy update.

Deployment framework for Quantum-Safe SD-WAN

Migrating an enterprise SD-WAN to quantum-safe cryptography is a structured process, not a single cutover event. The phased approach below follows NIST NCCoE and NSA CNSA 2.0 guidance, adapted for distributed SD-WAN infrastructure.

1
Cryptographic inventory of the WAN fabric
Map every IKEv2 configuration in the SD-WAN deployment: key exchange algorithms (ECDH group, RSA key size), authentication certificates (algorithm, expiry, issuing CA), and management plane TLS settings. Teldat CNM provides fabric-wide visibility into cryptographic configuration. This inventory identifies which tunnels carry the most sensitive traffic and sets the migration priority order.
2
Risk classification by tunnel sensitivity
Not all SD-WAN tunnels carry equally sensitive traffic. Classify each tunnel by the confidentiality horizon of the data it carries. Tunnels connecting headquarters to data centers carrying financial or regulated data, or site-to-site tunnels for intellectual property transfer, are highest priority. Guest Wi-Fi aggregation tunnels are lowest. Begin PS-PPK deployment from the highest-risk tunnels down.
3
Phase 1 deploy PS-PPK across the fabric
Deploy Pre-Shared Post-Quantum Keys (RFC 8784) on all IKEv2 tunnels, starting with highest-priority links. PS-PPK requires no hardware change and no topology modification. In Teldat SD-WAN, PS-PPK key material is distributed and managed centrally through CNM. This phase provides immediate protection against harvest-now-decrypt-later attacks for all protected tunnels.
4
Phase 2 migrate key exchange to ML-KEM in hybrid mode
Enable ML-KEM (FIPS 203) alongside ECDH in hybrid mode (RFC 9370) for IKEv2 key exchange, starting with fully upgraded tunnel endpoints. Hybrid mode ensures that tunnels to endpoints not yet running ML-KEM continue to function using the classical ECDH component. Migrate remaining endpoints progressively. Teldat CNM tracks ML-KEM adoption status per tunnel across the fabric.
5
Phase 3 update device PKI with PQC signatures
Renew long-lived device certificates and CA certificates with ML-DSA (FIPS 204) signatures. Use hybrid certificates during the transition to maintain compatibility with classical verifiers. Prioritize the SD-WAN controller certificates and gateway certificates with the longest remaining validity, as these represent the longest-lived quantum risk in the PKI chain.
6
Phase 4 evaluate QKD for highest-assurance links
For the subset of WAN links where algorithmic post-quantum cryptography alone is insufficient typically links between primary data centers or between security-classified facilities evaluate QKD integration. Teldat SD-WAN supports QKD-generated key ingestion through standardized interfaces. QKD adds physical security guarantees that no algorithm-based approach can match, at the cost of specialized hardware at each link endpoint.

Teldat Quantum SD-WAN solutions

Teldat is a network hardware manufacturer and cybersecurity software provider with a fully integrated Quantum SD-WAN roadmap. All three pillars of the quantum-safe SD-WAN architecture PS-PPK, ML-KEM, and QKD are implemented within the Teldat SD-WAN platform and managed through a single centralized console. No third-party post-quantum overlay is required.

1
PS-PPK immediate deployment, existing hardware
Teldat SD-WAN implements PS-PPK per RFC 8784, injecting pre-shared post-quantum key material into IKEv2 exchanges on all existing Teldat routers and gateways without firmware replacement or hardware change. PS-PPK key provisioning and rotation are managed centrally through Teldat CNM. Deployment across a distributed SD-WAN fabric can be completed in a single CNM policy push, providing immediate protection against harvest-now-decrypt-later attacks across all managed tunnels.
2
ML-KEM integration NIST FIPS 203
Teldat Quantum SD-WAN integrates ML-KEM natively into the IKEv2 key exchange for IPsec tunnels. Hybrid mode (ML-KEM + ECDH per RFC 9370) is supported for interoperability during the migration window. ML-KEM algorithm selection, hybrid mode configuration, and per-tunnel cryptographic policy are all managed through CNM with no per-device command-line configuration. Teldat tracks the NIST standardization process and updates ML-KEM implementations as FIPS 203 guidance evolves.
3
QKD compatibility future-proof architecture
Teldat SD-WAN devices are designed to accept cryptographic keys generated by external QKD systems through standardized interfaces, integrating QKD-derived key material into the IKEv2 and IPsec key management process. This architecture allows Teldat customers to add QKD for their highest-assurance links without replacing the SD-WAN overlay the QKD system provides the keys, Teldat SD-WAN provides the tunnel management and policy enforcement.
4
CNM centralized quantum transition management
Teldat Cloud Net Manager (CNM) provides a single management plane for the entire quantum transition: PS-PPK key provisioning and rotation, ML-KEM algorithm configuration, hybrid mode rollout tracking, per-tunnel cryptographic status visibility, and audit trails for regulatory compliance. CNM’s fabric-wide view allows security teams to identify which tunnels remain on classical cryptography and prioritize migration without examining individual device configurations.
5
be.Safe Pro SSE cloud security with post-quantum readiness
Teldat be.Safe Pro SSE extends the quantum-safe security perimeter beyond the WAN edge to cloud-delivered services. The SSE platform combining Secure Web Gateway, Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) is designed to incorporate post-quantum key exchange in its TLS transport as standards and library support mature, ensuring that traffic leaving the SD-WAN fabric for SaaS applications and cloud infrastructure is protected by the same standards as the WAN tunnels.
6
Embedded NGFW defense in depth at every node
Each Teldat edge router running the Quantum SD-WAN software stack includes an embedded Next Generation Firewall providing intrusion prevention, application control, and threat intelligence at the network edge. The NGFW layer provides defense in depth independent of the cryptographic transition phase it remains effective during the period when some tunnels are still migrating from classical to quantum-safe key exchange, ensuring that no migration gap creates a security regression.

The Teldat advantage: As a vertically integrated network hardware and cybersecurity platform, Teldat delivers the full quantum-safe SD-WAN stack PS-PPK for immediate protection, ML-KEM for standards-based quantum resistance, QKD compatibility for future-proof key generation, embedded NGFW for defense in depth, and CNM for centralized management from a single vendor. Organizations begin their quantum transition on existing Teldat infrastructure today, without a forklift upgrade or a multi-vendor integration project.

Frequently asked questions about quantum-safe SD-WAN – (FAQ’s)

❯ What is quantum-safe SD-WAN?

Quantum-safe SD-WAN is a software-defined wide area network architecture in which IPsec tunnels use post-quantum cryptographic algorithms primarily ML-KEM for key exchange and PS-PPK as a near-term supplement to resist attacks from quantum computers. The core SD-WAN functionality (dynamic path selection, application routing, centralized management) is unchanged. What changes is the cryptographic foundation of the tunnels, replacing quantum-vulnerable ECDH and RSA with algorithms that have no known efficient quantum attack.

❯ Why is standard SD-WAN vulnerable to quantum computers?

Standard SD-WAN uses IKEv2 with ECDH or RSA for the key exchange that establishes every IPsec tunnel. Shor’s algorithm on a quantum computer can solve the discrete logarithm problem underlying ECDH and the integer factorization problem underlying RSA in polynomial time, recovering the session key for any tunnel whose handshake traffic has been captured. The attack does not require real-time access to the tunnel archived handshake data is sufficient once a quantum computer exists.

❯ What is PS-PPK and how does it protect SD-WAN tunnels?

PS-PPK (Pre-Shared Post-Quantum Keys), standardized in RFC 8784, adds a symmetric pre-shared secret into the IKEv2 key derivation process without replacing the existing ECDH key exchange. The resulting session key depends on both the ECDH output and the PS-PPK secret. A quantum computer that breaks the ECDH component still cannot derive the session key without the PS-PPK secret. PS-PPK can be deployed on existing hardware immediately, making it the fastest path to protecting SD-WAN tunnels against harvest-now-decrypt-later attacks.

❯ How does ML-KEM work in an SD-WAN context?

ML-KEM (FIPS 203) replaces or supplements ECDH in the IKEv2 key exchange. Instead of deriving a shared secret from a Diffie-Hellman exchange, the initiating endpoint encapsulates a secret inside a ciphertext using the responder’s ML-KEM public key. Only the responder holding the corresponding private key can decapsulate it. The resulting shared secret is used for session key derivation. Because ML-KEM security rests on the hardness of the MLWE lattice problem (no efficient quantum algorithm known), the key exchange is quantum-safe. In hybrid mode, ML-KEM and ECDH run in parallel and both outputs are combined, ensuring security as long as either algorithm holds.

❯ When should an enterprise start migrating its SD-WAN to quantum-safe?

Now. The harvest-now-decrypt-later threat means that SD-WAN traffic carrying data with a confidentiality horizon longer than the estimated CRQC arrival window is already at risk. NIST NCCoE recommends beginning migration if the data confidentiality horizon exceeds five years. The first step PS-PPK deployment requires no hardware change and can be rolled out through a CNM policy update across the entire Teldat SD-WAN fabric immediately.

❯ Does quantum-safe SD-WAN require replacing existing routers?

No. PS-PPK and ML-KEM can be deployed on existing Teldat SD-WAN hardware through software and firmware updates, managed centrally through CNM. The QKD integration phase requires external QKD hardware at the endpoints of specific high-assurance links, but does not require SD-WAN router replacement. The quantum-safe SD-WAN transition is a cryptographic upgrade delivered through centralized policy management, not a hardware forklift.

Secure your SD-WAN against Quantum Threats with Teldat

From PS-PPK for immediate harvest-now-decrypt-later protection to ML-KEM for NIST standardized post-quantum key exchange, Teldat Quantum SD-WAN delivers quantum-safe network security from a single integrated platform on your existing hardware, managed through CNM.