PQC in Networking

⚠ Disclaimer: This section may contain incomplete, out of date, or inaccurate entries. It is AI-maintained on a best-effort basis. Do not rely on it as a sole source — verify claims independently using the source materials listed in individual entries.

Overview

This section tracks post-quantum cryptography adoption across networking infrastructure: which vendors have shipped PQC-capable products, which algorithms and protocol layers are supported, and what the realistic deployment landscape looks like as of 2026.

The networking layer is particularly critical for PQC migration because it protects in-transit data across enterprise WANs, VPNs, and internet-facing services — the most direct exposure point for the harvest-now-decrypt-later (HNDL) threat. Migration here requires coordination between standards (IKEv2/IPsec RFCs, TLS extensions), hardware capability (some PQC algorithms require crypto accelerator support for line-rate performance), and interoperability between vendor implementations.

Research status: Phase 1 — active. Sitehop and Juniper have dedicated entries; Cisco, Palo Alto, Fortinet, Check Point, Nokia, and open-source implementations are covered in the vendor survey. As of April 2026, Fortinet (FortiOS 7.6.1), Palo Alto (PAN-OS 12.1), Check Point (Gaia R82), and Cisco (ASA 9.19 transitional; IOS XE 26 full-stack) all ship GA ML-KEM IKEv2 support.

Key Themes

  • IKEv2/IPsec (RFC 9242/9370) is the primary integration point for enterprise networking equipment
  • Most major vendors have PQC on their 2025–2027 roadmaps; production-ready FIPS-validated implementations are limited as of April 2026
  • NSA CNSA 2.0 mandates create a hard deadline for US government network infrastructure by 2030
  • Interoperability between vendor implementations remains an unsolved operational challenge
  • Dedicated PQC networking vendors (Sitehop) offer purpose-built approaches distinct from incumbents’ PQC-added-to-existing-platforms

Vendors

Dedicated PQC Vendors

Company HQ Stage Focus
Sitehop Bristol, UK Private (Series A stage) Hardware-accelerated PQC networking; FPGA-based PQC IPsec appliances; focus on line-rate PQC without CPU overhead penalty. See entry.

Established Networking Vendors

Company PQC Status First GA Release Primary Layer Notes
Juniper Networks Roadmap TBD IKEv2/IPsec Now HPE division; Junos GA version unconfirmed; see entry.
Cisco Systems GA (partial/full) ASA 9.19 (RFC 9370); IOS XE 26 (full-stack, Apr 2026) IKEv2/IPsec, SSH, MACsec, TLS FTD 10.5 with ML-KEM targeted late 2026; see vendor survey.
Palo Alto Networks GA PAN-OS 11.2 (IKEv2); PAN-OS 12.1 Orion (Aug 2025, full) IKEv2/IPsec, TLS (mgmt + inspect), SASE Broadest algorithm coverage (FIPS 203/204/205); PA-5500 Gen5 HW accel; see vendor survey.
Fortinet GA FortiOS 7.6.1 (earliest confirmed GA) IKEv2/IPsec, TLS (7.6.5), Agentless VPN ML-KEM-512/768/1024; software-only (no FortiASIC offload); see vendor survey.
Check Point GA Gaia R82 IKEv2/IPsec; TLS (R82.10 EA) Default ML-KEM-768; API-only config (no GUI); see vendor survey.
Nokia Roadmap / ANYsec SR OS 23.10.R1 (ANYsec AES-256 + QKD) L2/L2.5/L3 (ANYsec), IKEv2 TBC “Quantum-safe” via AES-256 symmetric + QKD; ML-KEM IKEv2 SR OS version unconfirmed; see vendor survey.

Entries

  • Juniper Networks — PQC Support — Post-quantum cryptography implementation status and roadmap for Juniper Networks (acquired by HPE 2024): Junos OS PQC support, IKEv2 integration, and product coverage.
  • Networking PQC — Vendor Survey — Survey of post-quantum cryptography support and roadmaps across major networking vendors: Cisco (IOS XE 26, ASA, FTD), Palo Alto Networks (PAN-OS 12.1 Orion), Fortinet (FortiOS 7.6.x), Check Point (Gaia R82), Nokia (ANYsec/SR OS), Aruba/HPE, and open-source implementations.
  • Sitehop — UK startup building hardware-accelerated post-quantum cryptography networking appliances; FPGA-based PQC IPsec at line rate; spin-out from University of Bristol.