by exabrial
643 days ago
Why MACSEC isn't the default is pretty crazy! Given that it is extremely stateless (encrypting at the frame level) and counters should be pretty reliable (only go up, since there's two parties), you could take advantage of some AES and GCM modes that would pretty quickly spot injection, replay, and other attacks. But getting back to the main topic of the paper: why not just S2S IPSec the link?
TFA explains it pretty well. Also, every encryption is adding load and latency, so defaulting to it when it wasn't asked for isn't the best way.

> why not just S2S IPSec the link?

Because IPSec is still a PITA and also sucks badly performance-wise against WG.