diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index 4fd8a5b6..2179b336 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -102,8 +102,19 @@ type.
 .SS Display MACsec configuration
 .nf
 # ip macsec show
+
+.SH NOTES
+This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES
+with a initialization vector (IV) derived from the packet number. The same key must not be used
+with the same IV more than once. Instead, keys must be frequently regenerated and distibuted.
+This tool is thus mostly for debugging and testing, or in combination with a user-space application
+that reconfigures the keys. It is wrong to just configure the keys statically and assume them to work
+indefinitely. The suggested and standardized way for key management is 802.1X-2010, which is implemented
+by wpa_supplicant.
+
 .SH SEE ALSO
 .br
 .BR ip-link (8)
+.BR wpa_supplicant (8)
 .SH AUTHOR
 Sabrina Dubroca <sd@queasysnail.net>