macsec, portsec and other 801.1x-2010 features would be totally cool
but as already stated - that imply newer/better Phy/interfaces chips used in devices(and thus poinless for legacy devices without. eg most of RB or CCR -branded) and secondly - it mean Newer linux kernel to support that.