Comment by justsomehnguy
1 year ago
> Why MACSEC isn't the default
TFA explains it pretty well. Also, every encryption adds load and latency, so defaulting to it when it wasn't asked for isn't the best way.
> why not just S2S IPSec the link?
Because IPSec is still a PITA and also sucks badly, performance-wise, against WG.
I don't recall the specifics of MACsec, but it's possible to build a link encryptor that adds essentially zero latency (like... no more latency than the gate delay of a single XOR gate, plus a once-an-hour, packet-length delay for some rekeying traffic).
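The "single XOR gate" design sketched in the last comment, as an added example that is not code from the thread and not a MACsec, IPsec or WireGuard implementation. The point it illustrates is where the latency goes: the keystream is generated off the data path (here ahead of time, in a buffer), so the only per-byte work when a frame is sent is an XOR, and rekeying is a counter bump that both ends make in lockstep. Everything below is an assumption of this example: SHAKE-256 seeded with key, epoch and block index as the keystream generator, a 16-byte frame header carrying the epoch and the keystream offset so a lost frame does not desynchronise the receiver, and no integrity protection at all.

```python
"""Precomputed-keystream link encryptor (illustration only).

Assumptions of this example (not from the thread): 32-byte shared key,
SHAKE-256 keystream in 4096-byte blocks, frame = epoch(8) || offset(8) || body,
epoch advanced in lockstep on both ends at every rekey, no MAC.
"""
import hashlib

BLOCK = 4096


def keystream(key: bytes, epoch: int, offset: int, length: int) -> bytes:
    """Return `length` keystream bytes for this epoch starting at `offset`.

    Keystream block i = SHAKE256(key || epoch || i). Indexing by block lets
    either end regenerate any position, so the receiver can handle lost or
    reordered frames without keeping stream state.
    """
    out = bytearray()
    pos, end = offset, offset + length
    while pos < end:
        idx, within = divmod(pos, BLOCK)
        seed = key + epoch.to_bytes(8, "big") + idx.to_bytes(8, "big")
        blk = hashlib.shake_256(seed).digest(BLOCK)
        take = min(BLOCK - within, end - pos)
        out += blk[within:within + take]
        pos += take
    return bytes(out)


def _xor(data: bytes, ks: bytes) -> bytes:
    # The whole data-path "cipher": one XOR per byte.
    return bytes(a ^ b for a, b in zip(data, ks))


class Sender:
    """Transmit side: keeps a buffer of keystream computed ahead of time."""

    def __init__(self, key: bytes) -> None:
        if len(key) != 32:
            raise ValueError("expected a 32-byte key")
        self.key = key
        self.epoch = 0      # bumped at each rekey, mirrored by the receiver
        self.offset = 0     # keystream bytes consumed in the current epoch
        self._pre = b""     # precomputed, not yet consumed keystream

    def _prefill(self, need: int) -> None:
        # Off the data path: top the buffer up in whole blocks.
        while len(self._pre) < need:
            start = self.offset + len(self._pre)
            self._pre += keystream(self.key, self.epoch, start, BLOCK)

    def rekey(self) -> None:
        # The "once an hour" event: new epoch, fresh keystream, offset reset.
        self.epoch += 1
        self.offset = 0
        self._pre = b""

    def seal(self, frame: bytes) -> bytes:
        self._prefill(len(frame))
        ks, self._pre = self._pre[:len(frame)], self._pre[len(frame):]
        hdr = self.epoch.to_bytes(8, "big") + self.offset.to_bytes(8, "big")
        self.offset += len(frame)
        return hdr + _xor(frame, ks)


class Receiver:
    """Receive side: regenerates keystream from the header, rejects old epochs."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.epoch = 0

    def open(self, wire: bytes) -> bytes:
        if len(wire) < 16:
            raise ValueError("truncated frame")
        epoch = int.from_bytes(wire[:8], "big")
        offset = int.from_bytes(wire[8:16], "big")
        if epoch < self.epoch:
            # Frame from before the last rekey: never accept it again.
            raise ValueError("stale epoch")
        self.epoch = epoch
        body = wire[16:]
        return _xor(body, keystream(self.key, epoch, offset, len(body)))


def demo() -> bool:
    """Round trip across a rekey with a constructed key; True on success."""
    key = bytes(range(32))                      # constructed sample key
    tx, rx = Sender(key), Receiver(key)
    frames = [tx.seal(b"frame one"), tx.seal(b"frame two")]
    ok = rx.open(frames[1]) == b"frame two" and rx.open(frames[0]) == b"frame one"
    tx.rekey()
    ok = ok and rx.open(tx.seal(b"after rekey")) == b"after rekey"
    try:
        rx.open(frames[0])                      # replay from the old epoch
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip FAILED")
```

The receiver pays a small cost per frame because it regenerates keystream from the header rather than buffering it; a hardware receiver would instead precompute the next block the same way the sender does, since offsets only move forward within an epoch. What this sketch deliberately lacks is any integrity check: a bit flipped on the wire flips the same bit in the plaintext, which is why MACsec and WireGuard pair the cipher with an AEAD tag rather than shipping bare keystream XOR.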