MACsec - IPsec - E2E Encryption
End-to-end (E2E) encryption is popular with audiences, is it not? It happens at the application layer (TCP/IP L5). Cryptography in networking carries the overhead of metadata in the form of frame/packet headers. It can be costly and reduce network throughput, specifically when E2E cryptography, IPsec and MACsec come into the picture together. The IPsec protocol is designed to function at L3, whereas MACsec exists at the L2/L1 layer. When cryptography is enabled at all three layers, one can imagine how much the header/metadata overhead (E2E metadata, IPsec header, MACsec header) can impact network throughput. Is it really worth having E2E-encrypted data, or can MACsec/IPsec be skipped? Which one would you prefer to skip to enhance your network throughput?
Currently E2E cryptography consumes CPU cycles to encrypt/decrypt data; it is not done via a hardware crypto engine that would offload the CPU, so you need a powerful enough CPU/processor in your device/system to achieve E2E cryptography without impacting system resiliency and performance by a big number.
IPsec (tunnel and transport mode) functionality can be achieved via the CPU or a hardware crypto engine. Nowadays a crypto engine is not costly, its footprint is small, and one can afford it. IPsec works at L3, the most vulnerable layer to attack and the most critical layer for security.
MACsec IP can be part of the network PHY; many MACsec-capable PHYs are available on the market from vendors like BRCM, Aquantia, etc., and the MACsec IP can even sit within the packet forwarding engine (PFE). Basically, the point is that MACsec encryption/decryption does not need CPU cycles and does not impact system performance. MACsec works at L1/L2 and makes your internal network secure.
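To put numbers on the header overhead discussed above, here is an added example (not code from the original post) that models how much application data fits in one Ethernet frame when TLS 1.3 (as the E2E layer), IPsec ESP in tunnel mode, and MACsec are stacked in different combinations. The per-layer sizes are assumptions taken from the respective standards (IEEE 802.1AE SecTAG and ICV, RFC 4303/4106 ESP with AES-GCM, RFC 8446 TLS 1.3 record framing), and the example assumes a fixed 1500-byte Ethernet payload budget with no jumbo frames, so every layer's headers compete for the same space. The function and constant names are the example's own.

```python
"""Per-frame header overhead of stacking TLS (E2E), IPsec ESP and MACsec.

Added example, not from the original post. Figures assumed here:
- MACsec (IEEE 802.1AE): SecTAG 8 bytes, or 16 bytes when the SCI is carried,
  plus a 16-byte ICV for GCM-AES.
- IPsec ESP (RFC 4303) with AES-GCM (RFC 4106): 8-byte ESP header (SPI + seq),
  8-byte IV, 2-byte trailer (pad length, next header), padding to a 4-byte
  boundary, 16-byte ICV; tunnel mode adds a 20-byte outer IPv4 header.
- TLS 1.3 (RFC 8446) record: 5-byte record header, 1-byte inner content type,
  16-byte AEAD tag.
- Plain IPv4 + TCP headers without options: 20 + 20 bytes.
- A fixed 1500-byte Ethernet payload budget (no jumbo frames).
"""

MACSEC_ICV = 16
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 8, 8, 2, 16
OUTER_IPV4 = 20
TLS13_RECORD_OVERHEAD = 5 + 1 + 16
IPV4_HDR, TCP_HDR = 20, 20


def macsec_overhead(include_sci: bool = True) -> int:
    """Bytes MACsec adds to one Ethernet frame (SecTAG + ICV)."""
    sectag = 16 if include_sci else 8
    return sectag + MACSEC_ICV


def esp_overhead(inner_len: int, tunnel: bool = True) -> int:
    """Bytes ESP adds around an inner packet of inner_len bytes.

    Padding makes (inner + padding + trailer) a multiple of 4, the ESP
    alignment rule; AES-GCM needs no extra cipher-block alignment.
    """
    padding = (-(inner_len + ESP_TRAILER)) % 4
    outer = OUTER_IPV4 if tunnel else 0
    return outer + ESP_HDR + ESP_IV + padding + ESP_TRAILER + ESP_ICV


def max_app_bytes(frame_budget: int = 1500, *, tls: bool = True,
                  ipsec: bool = True, macsec: bool = True,
                  tunnel: bool = True, sci: bool = True) -> int:
    """Largest application payload that fits one frame with the chosen layers.

    Searches downward because ESP padding depends on the inner length.
    """
    for app in range(frame_budget, -1, -1):
        total = app
        if tls:
            total += TLS13_RECORD_OVERHEAD
        total += IPV4_HDR + TCP_HDR        # the inner (or only) IP/TCP headers
        if ipsec:
            total += esp_overhead(total, tunnel)
        if macsec:
            total += macsec_overhead(sci)
        if total <= frame_budget:
            return app
    return 0


def goodput_ratio(**layers) -> float:
    """Fraction of the frame budget that carries application data."""
    budget = layers.get("frame_budget", 1500)
    return max_app_bytes(**layers) / budget


if __name__ == "__main__":
    combos = {
        "none": dict(tls=False, ipsec=False, macsec=False),
        "TLS only": dict(tls=True, ipsec=False, macsec=False),
        "IPsec only": dict(tls=False, ipsec=True, macsec=False),
        "MACsec only": dict(tls=False, ipsec=False, macsec=True),
        "IPsec + MACsec": dict(tls=False, ipsec=True, macsec=True),
        "all three": dict(tls=True, ipsec=True, macsec=True),
    }
    for name, layers in combos.items():
        app = max_app_bytes(**layers)
        print(f"{name:15s} app bytes/frame={app:5d} "
              f"goodput={goodput_ratio(**layers):.3f}")
```

Under these assumptions the three layers together cost 108 bytes per 1500-byte frame (about 7% of the budget), of which TLS accounts for 22, tunnel-mode ESP for 54, and MACsec for 32; the per-packet header tax is modest next to the CPU cost the post is worried about, and if the switch can carry MACsec-aware or jumbo MTUs the MACsec share disappears from the IP budget entirely.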
I would compromise on layer 5 security/cryptography and select IPsec and MACsec to achieve better throughput (at least the L5 layer overhead would be reduced); however, if cost is impacting my budget, then E2E cryptography might be the better solution (skipping IPsec & MACsec). In the latter case I do not need funds for a separate crypto engine and MACsec engine (obviously I would not use CPU cycles for the IPsec and MACsec features).
I think MACsec + IPsec would be a deadly combination for hackers and ethical crackers as well (CPU cycles would also be saved, which matters on a loaded system).
Hopefully I am drawing a relevant conclusion; I would appreciate expert comments on it.