Data Encryption and the Quantum Threat to TLS, IPsec and MACsec

In modern society, almost all data sent over the internet is encrypted. Data encryption is done by either TLS, IPsec or MACsec.

As a general rule, the higher the layer in which the protocol encrypts, the higher security and scalability are, but lower performance. Together, real networks employ a combination of all three protocols to encrypt data from A to B, providing the best tradeoff possible between security and performance.

Each protocol sits at a different layer of the OSI model, the universal blueprint that describes how data travels across a network, from the physical cable all the way up to the application you are using. Hover over a protocol below to see exactly where it sits in the stack.

Hover a protocol card to highlight its OSI layers, or hover a layer to see which protocol covers it.

Where each protocol is actually used

TLS runs on your device

TLS is the protocol most people interact with every day without realising it. Every time you open a website over HTTPS, log into an account, or send a message through an app, TLS is negotiating an encrypted channel in the background. It sits high in the OSI stack, which means it works at the application level. Your browser or app handles it directly, and the encryption travels end-to-end between you and the server. Because TLS operates above the network layer, it does not matter what path the data takes across the internet or how many routers it passes through. The protection follows the data all the way.

This flexibility is why TLS became the default for internet communication. Any two devices that can run software can use TLS, which is why it protects everything from bank websites to messaging apps to streaming services.

IPsec runs on the internet backbone

IPsec encrypts traffic at the network layer, between routers and gateways rather than between individual applications. When data leaves your local network and enters the internet, routers on either end of the connection can apply IPsec tunnels without any application needing to know about it. This is powerful: IPsec can protect all traffic on a link, even from apps that have no encryption of their own.

VPNs are the most familiar example. A VPN client creates an IPsec tunnel that encrypts everything you send before it reaches your ISP or a public Wi-Fi network. Enterprise networks use IPsec to securely link remote offices, ensuring data between sites is protected even over untrusted connections. Because IPsec works at the router level, it can scale across large and complex networks in a way that point-to-point solutions cannot.

MACsec protects inside data centers

MACsec operates at the lowest layer of the OSI, one step above the physical cable. It encrypts traffic between two directly connected devices: a switch and a server, or two switches within the same data center. Because it does not track IP addresses or application sessions, MACsec adds almost no latency and can run at line rate on 100 Gbit/s, 400 Gbit/s, 800 Gbit/s or even 1.6 Tbit/s links.

The limitation is that MACsec is strictly point-to-point. The moment data hops to a third device, the protection ends. This makes it unsuitable for wide-area networks, but ideal for the internal links of a data center, where enormous volumes of traffic need to be encrypted with zero performance penalty.