As Open Radio Access Network (O-RAN) deployments expand and adversaries adopt 'store-now, decrypt-later' strategies, operators need empirical data on the cost of migrating critical control interfaces to post-quantum cryptography (PQC). This paper experimentally evaluates the impact of integrating a NIST-aligned module-lattice KEM (ML-KEM, CRYSTALS-Kyber) into IKEv2/IPsec protecting the E2 interface between the 5G Node B (gNB) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC). Using an open-source testbed built from srsRAN, Open5GS, FlexRIC and strongSwan (with liboqs), we compare three configurations: no IPsec, classical ECDH-based IPsec, and ML-KEM-based IPsec. The study focuses on IPsec tunnel-setup latency and the runtime behaviour of Near-RT RIC xApps under realistic signalling workloads. Results from repeated, automated runs show that ML-KEM integration adds a small overhead to tunnel establishment, approximately 3 to 5 ms compared with classical IPsec, while xApp operation and RIC control loops remain stable in our experiments. These findings indicate that ML-KEM-based IPsec on the E2 interface is practically feasible and inform quantum-safe migration strategies for O-RAN deployments.