[justsomehnguy]

> Why MACSEC isn't the default

TFA explains it pretty well. Also every encryption is adding the load and latency, so defaulting to it when it wasn't asked for isn't the best way

> why not just S2S IPSec the link?

Because IPSec is still PITA and also sucks bad performance wise against WG.

[nullc]

I don't recall the specifics of macsec but it's possible to build a link encryptor that adds essentially zero latency. (like... no more latency than the gate delay of a single xor gate... plus some once-an-hour packet-length delay of some rekeying traffic).