Spectre/Meltdown and WireGuard Performance

Started by z0rk, December 06, 2022, 08:11:03 PM

It is my understanding that WG performance can be increased by using the WG kernel module and/or by disabling the spectre/meltdown mitigation under Tunables.

The subject of spectre/meltdown is highly technical and very complex; and apparently still evolving.
I am trying to understand if it's safe to disable the mitigations. It only seems to pose a potential risk when OPNsense is used in a multihosted VM environment. Is that correct? Otherwise, I would very much appreciate it if somebody could provide me with some guidance that would help me in assessing the potential risk(s). I just don't know where to start.

I am using a dedicated desktop as an OPNsense firewall. It's not a dual boot system and I don't run any VMs.

Thank you very much

OPNsense 24.7.2
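A starting point for the risk assessment asked about above, as an added example that is not part of any post in this thread: a small POSIX shell check that reads the FreeBSD sysctl knobs behind the OPNsense Tunables and reports which Spectre/Meltdown mitigations are currently off. The knob names and their meanings are assumed from FreeBSD's amd64 defaults, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which Spectre/Meltdown
# mitigations are active from FreeBSD sysctl values, i.e. the knobs that
# OPNsense exposes under System > Settings > Tunables. Values are passed
# in as "name=value" lines so the check runs against a constructed sample;
# on a live box feed it `sysctl -e <names>`, which prints that format.
#
# Assumed meaning of each knob (FreeBSD amd64):
#   vm.pmap.pti                  1 = Meltdown (KPTI) mitigation on
#   hw.ibrs_active               1 = Spectre v2 IBRS active
#   hw.mds_disable               0 = MDS mitigation off, >0 = on
#   hw.spec_store_bypass_disable 0 = SSB mitigation off, >0 = on

value_of() { # value_of NAME "<name=value lines>"
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Prints one "knob: on|off|unknown" line per knob; returns 1 if any is off.
report_mitigations() {
    rc=0
    for knob in vm.pmap.pti hw.ibrs_active hw.mds_disable hw.spec_store_bypass_disable; do
        v=$(value_of "$knob" "$1")
        case "$v" in
            "") state=unknown ;;
            0)  state=off; rc=1 ;;
            *)  state=on ;;
        esac
        printf '%s: %s\n' "$knob" "$state"
    done
    return $rc
}

# Constructed sample: KPTI and SSB mitigation left on, IBRS and MDS off.
SAMPLE='vm.pmap.pti=1
hw.ibrs_active=0
hw.mds_disable=0
hw.spec_store_bypass_disable=1'

main() {
    # Live values on OPNsense/FreeBSD would be:
    # report_mitigations "$(sysctl -e vm.pmap.pti hw.ibrs_active hw.mds_disable hw.spec_store_bypass_disable)"
    if report_mitigations "$SAMPLE"; then
        echo "all listed mitigations are on"
    else
        echo "WARNING: at least one mitigation is off"
    fi
}

main "$@"
```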

December 06, 2022, 09:00:05 PM #1 Last Edit: December 06, 2022, 10:13:48 PM by chemlud
I personally would not like the trade-off security vs. performance on my perimeter firewall. Get a decent piece of hardware for the performance you need. The newer the lower the power consumption, the faster you save the money you spent...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

What kind of multi-tenancy do you have on a firewall appliance that makes Spectre/Meltdown a concern?

The attack vector is that a regular user authorised to run individual code can snoop memory of other users running their applications. Do you have shell users on your OPNsense?

I disable these mitigations. If you have an RCE, you are screwed, anyway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 07, 2022, 12:47:51 AM #3 Last Edit: December 07, 2022, 12:50:42 AM by z0rk
@pmhausen I don't have OPNsense deployed in a multi-tenancy environment. OPNsense is running on dedicated hardware (Optiplex 780), no VMs. This is a single user environment with shell access. I am not familiar with RCE? Thank you

@chemlud I think my hardware is decent enough. This is not an enterprise level production environment, so load is not really a concern at all with the exception of WG, which only provides ~800kps throughput at best. Sources suggest disabling the spectre/meltdown mitigation and enabling WG kernel mode. Thank you
OPNsense 24.7.2

RCE - remote code execution.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@pmhausen ::) silly me, thank you Sir
OPNsense 24.7.2