Integration of QKD at the Application Layer vs Network Layer: a Markov-Chain Model

Shokrivahed Samin; Verticale Giacomo
In press

Abstract

Standardization bodies are releasing specifications that will help the adoption of Quantum Key Distribution (QKD) technology. The protocols standardized by the European Telecommunications Standards Institute (ETSI) make it possible to distribute keys to network elements operating at any layer of the protocol stack. On the other hand, the IETF released a standard mechanism to integrate post-quantum keys into IPSec. In this work, we introduce a new mechanism to provide QKD keys to IPSec endpoints. This solution was implemented in the PoliQI network at Politecnico di Milano. We also compare this solution to providing keys to applications with the same security level. We model the system using a Continuous-Time Markov Chain and conclude that the two approaches can secure a similar number of applications. Integration with the applications allows finer control over whether to block new applications or drop rekeying requests. Integration with IPSec makes it easier to introduce QKD in an existing infrastructure.
In press
2024 IEEE Future Networks World Forum
Files in this product:
File: Samin-Shokrivahed-1571072584.pdf
Access: open access
Type: Post-Print (DRAFT or Author's Accepted Manuscript-AAM)
Size: 1.43 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11311/1284169