mglt / draft-mglt-nvo3-geneve-security-requirements


encrypting by default #13

Open mglt opened 5 years ago

mglt commented 5 years ago
  1. Section 5.1 - SEC-OP-1: This is a heavy "default" requirement that all traffic should be encrypted. An operator may evaluate the risk and may enable encryption to mitigate such risk; remove the "default" requirement.
mglt commented 5 years ago

It is unclear to me where SEC-OP-1 does not address the concern:

> SEC-OP-1: A secure deployment of a Geneve overlay SHOULD by default encrypt the inner payload. A Geneve overlay provider MAY disable this capability for example when encryption is performed by the Tenant System and that level of confidentiality is believed to be sufficient.

SHOULD indicates this is not mandated, and the remaining text mentions that an operator MAY disable this capability. I believe this addresses the concern. If not, it would be good to provide an example where SEC-OP-1 prevents the deployment from being secure.