I was mighty upset with Google on 12 Feb. We had discovered that the issue affecting egress filtering for a DiscrimiNAT customer on GCP was in fact Post-Quantum Cryptography TLS handshakes. It was a combination of the most up-to-date OpenSSL version in a container image and server-side #PQC enablement.

Now that the literature has come out on Quantum apocalypse timelines [1,2], I am no longer thinking all that hard work was in vain. The hard work was that a PQC handshake takes TLS ClientHello messages over the network/VPC MTU (usually 1460 or 1500 bytes). This meant that multiple packets, on some occasions, had to be aggregated for proper validation and sanitisation.

This broke the whole per-packet processing model of our egress firewall. Anyway, we got that done over two weeks with clever logic (thanks to some #Rust guarantees) and the immense patience and help from Rui Duarte and Gui Neto who tested this in a live environment. These are the people the UK needs to spur the industry at events such as the upcoming UK Cyber Flywheel by Harmonic. I'll be there.
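To make the failure mode concrete, here is an added Rust example (mine, not DiscrimiNAT's code and not from the post). It constructs a ClientHello twice: once with a classical 32-byte key share and once with a 1216-byte share, the size of an X25519MLKEM768 share (1184 + 32 bytes). It then splits the record into 1460-byte TCP segments and shows that a per-segment parser cannot reach the server_name extension in the PQC case, while a small reassembler that trusts only the length in the 5-byte record header recovers it once the second segment arrives. The padding filler standing in for the other extensions a real client sends, the hostname, and all byte values are constructed assumptions, not captured traffic.

```rust
// Added example: why a PQC-sized ClientHello defeats per-packet inspection.
// All inputs are constructed; share sizes are placeholders, not captured data.

/// Walk a complete ClientHello record; return (extension_type, payload) pairs.
/// Returns None if the record is truncated, i.e. shorter than its header promises.
fn extensions(record: &[u8]) -> Option<Vec<(u16, Vec<u8>)>> {
    // record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if record.len() < 9 || record[0] != 0x16 || record[5] != 0x01 {
        return None;
    }
    let rec_len = u16::from_be_bytes([record[3], record[4]]) as usize;
    if record.len() < 5 + rec_len {
        return None; // only part of the record is present in this buffer
    }
    let mut p = 9 + 2 + 32; // skip legacy_version and random
    let sid = *record.get(p)? as usize;
    p += 1 + sid;
    let cs = u16::from_be_bytes([*record.get(p)?, *record.get(p + 1)?]) as usize;
    p += 2 + cs;
    let cm = *record.get(p)? as usize;
    p += 1 + cm;
    let ext_len = u16::from_be_bytes([*record.get(p)?, *record.get(p + 1)?]) as usize;
    p += 2;
    let end = p + ext_len;
    if end > record.len() {
        return None;
    }
    let mut out = Vec::new();
    while p + 4 <= end {
        let t = u16::from_be_bytes([record[p], record[p + 1]]);
        let l = u16::from_be_bytes([record[p + 2], record[p + 3]]) as usize;
        p += 4;
        if p + l > end {
            return None;
        }
        out.push((t, record[p..p + l].to_vec()));
        p += l;
    }
    Some(out)
}

/// Extract the hostname from the server_name extension (type 0x0000), if reachable.
pub fn sni(record: &[u8]) -> Option<String> {
    let exts = extensions(record)?;
    let p = &exts.iter().find(|(t, _)| *t == 0)?.1;
    // payload: list_len(2) name_type(1) name_len(2) name
    if p.len() < 5 || p[2] != 0 {
        return None;
    }
    let n = u16::from_be_bytes([p[3], p[4]]) as usize;
    String::from_utf8(p.get(5..5 + n)?.to_vec()).ok()
}

/// Accumulates TCP segment payloads until the full TLS record is present.
#[derive(Default)]
pub struct Reassembler {
    buf: Vec<u8>,
}

impl Reassembler {
    /// Feed one segment; returns the whole record once the declared length has arrived.
    pub fn push(&mut self, segment: &[u8]) -> Option<&[u8]> {
        self.buf.extend_from_slice(segment);
        if self.buf.len() < 5 {
            return None;
        }
        let need = 5 + u16::from_be_bytes([self.buf[3], self.buf[4]]) as usize;
        if self.buf.len() >= need { Some(&self.buf[..need]) } else { None }
    }
}

/// Constructed ClientHello: key_share of `share_len` bytes, a padding extension of
/// `filler_len` bytes standing in for the other extensions, then server_name last.
pub fn build_client_hello(share_len: usize, filler_len: usize, host: &str) -> Vec<u8> {
    let mut ext = Vec::new();
    ext.extend_from_slice(&0x0033u16.to_be_bytes()); // key_share (placeholder bytes)
    ext.extend_from_slice(&(share_len as u16).to_be_bytes());
    ext.resize(ext.len() + share_len, 0xAA);
    ext.extend_from_slice(&0x0015u16.to_be_bytes()); // padding: stand-in for other extensions
    ext.extend_from_slice(&(filler_len as u16).to_be_bytes());
    ext.resize(ext.len() + filler_len, 0x00);
    let h = host.as_bytes();
    let sni_len = 2 + 1 + 2 + h.len();
    ext.extend_from_slice(&0x0000u16.to_be_bytes()); // server_name
    ext.extend_from_slice(&(sni_len as u16).to_be_bytes());
    ext.extend_from_slice(&((sni_len - 2) as u16).to_be_bytes());
    ext.push(0); // name_type host_name
    ext.extend_from_slice(&(h.len() as u16).to_be_bytes());
    ext.extend_from_slice(h);

    let mut body = Vec::new();
    body.extend_from_slice(&[0x03, 0x03]); // legacy_version
    body.extend_from_slice(&[0x42; 32]); // random (constant, constructed)
    body.push(0); // session_id length
    body.extend_from_slice(&[0x00, 0x02, 0x13, 0x01]); // one cipher suite
    body.extend_from_slice(&[0x01, 0x00]); // compression: null only
    body.extend_from_slice(&(ext.len() as u16).to_be_bytes());
    body.extend_from_slice(&ext);

    let mut hs = vec![0x01]; // handshake type ClientHello
    hs.extend_from_slice(&(body.len() as u32).to_be_bytes()[1..]); // 3-byte length
    hs.extend_from_slice(&body);

    let mut rec = vec![0x16, 0x03, 0x01]; // record: handshake, compat version
    rec.extend_from_slice(&(hs.len() as u16).to_be_bytes());
    rec.extend_from_slice(&hs);
    rec
}

/// Split a byte stream into TCP segment payloads of at most `mss` bytes.
pub fn segments(bytes: &[u8], mss: usize) -> Vec<Vec<u8>> {
    bytes.chunks(mss).map(|c| c.to_vec()).collect()
}

fn main() {
    let mss = 1460; // assumed segment payload size on a 1460-byte MTU path
    for (label, share) in [("classical", 32usize), ("pqc hybrid", 1216usize)] {
        let hello = build_client_hello(share, 300, "example.com");
        let segs = segments(&hello, mss);
        let mut r = Reassembler::default();
        let full = segs.iter().find_map(|s| r.push(s).map(|b| b.to_vec()));
        println!(
            "{label}: {} bytes, {} segment(s), per-packet SNI {:?}, reassembled SNI {:?}",
            hello.len(), segs.len(), sni(&segs[0]), full.as_deref().and_then(sni)
        );
    }
}
```

The design point is that the reassembler commits to nothing until the record header's length is satisfied, and the parser refuses to emit any result from a truncated buffer; a filter that instead inspected whatever arrived in the first packet would either fail open (no SNI seen, traffic allowed) or fail closed (no SNI seen, traffic dropped), which is exactly the egress-filtering breakage the post describes.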

[1] https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/
[2] https://arxiv.org/abs/2603.28627

#BuildingtheUKFlywheel