Towards Quantum-Safe O-RAN -- Experimental Evaluation of ML-KEM-Based IPsec on the E2 Interface

Abstract

As Open Radio Access Network (O-RAN) deployments expand and adversaries adopt 'store-now, decrypt-later' strategies, operators need empirical data on the cost of migrating critical control interfaces to post-quantum cryptography (PQC). This paper experimentally evaluates the impact of integrating a NIST-aligned module-lattice KEM (ML-KEM, CRYSTALS-Kyber) into IKEv2/IPsec protecting the E2 interface between the 5G Node B (gNB) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC). Using an open-source testbed built from srsRAN, Open5GS, FlexRIC and strongSwan (with liboqs), we compare three configurations: no IPsec, classical ECDH-based IPsec, and ML-KEM-based IPsec. The study focuses on IPsec tunnel-setup latency and the runtime behaviour of Near-RT RIC xApps under realistic signalling workloads. Results from repeated, automated runs show that ML-KEM integration adds a small overhead to tunnel establishment, which is approximately 3~5 ms in comparison to classical IPsec, while xApp operation and RIC control loops remain stable in our experiments. These findings indicate that ML-KEM based IPsec on the E2 interface is practically feasible and inform quantum-safe migration strategies for O-RAN deployments.