Hyperthreading - Yay or Nay?



  • Hi Folks,

    I got a new Appliance with a Intel Core i7-5550U and I am pretty happy with it. I was wondering if I should turn hyperthreading on or off? The only additional package I have installed is Snort. I am just using PfSense with 2 IPSec Tunnels and OpenVPN für a handful Dial-in VPN Users. The Firewall has to cover 1 GBit/s throughput.

    I used "top" as a command to see the CPU usage of the different processes and I noticed that Snort for example only uses one core (or maybe I misunderstood top).

    So would suggest turning HT on or off? Do you use HT?

    Cheers,

    Henry



  • @elmnts Don't have the exact answer, but you are already overkilling it. When to turn on turbo in a Ferrari running in a 2-lane highway island probably falls in the category of don't matter.



  • Thanks SammyWoo! I get your point and you are probably right. But I noticed that one core is maxed out when sync a fileshare through the IPSec VPN. The throughput is around 400 - 500 MBit/s through the tunnel which is great but I wonder if the throughput would be higher if I turn HT. The second thing is Snort. I use the search method AC" not the default "AC-BNFA". Snort with AC configured takes a long time to startup (a few mins) and it maxes out one core. Same thought here - would it make sense to turn off HT?

    Cheers,

    Henry


  • Netgate Administrator

    That is a 2 core device without hyperthreading. There will definitely be an advantage to having 4 cores available.
    The only advantage to disabling HT I could possibly imagine is that it might allow the core pegged at 100% to run at a higher turbo mode. You'd have to test it to find out.

    Steve


  • Rebel Alliance Developer Netgate

    Also consider the newly discovered HT security issues published a couple weeks ago. Not that they usually apply in an appliance role such as pfSense, but it's another factor of concern.



  • Thank you Stephenw10 and jimp! So there are advantages of having HT running. I have another question regarding the newly discovered HT security issues and older ones like meltdown and spectre. Can these security issues be exploited by just processing traffic? I not talking about exploits which need to be executed through the Webui or SSH for example. I was wondering about this before because a lot of devices were/are affected by those CPU issues - I know even a few routers and switches which were affected but they are just passing through traffic and they usually dont executed the payload.


  • Netgate Administrator

    The risk is from processes running on the CPU being able to read data owned by other processes running on the same CPU that should be isolated. In most pfSense deployments that's a pretty minimal risk as you don't have anything running random JS from some site etc. As you say they not executing the payload. You could argue that if you don't have multiple users on the firewall the risk is at or close to zero IMO.

    Steve



  • @stephenw10 Yeah, you are right. It´s only me who has administrative access. Therefore I dont see a huge risk of exploiting security issues like Meltdown. It is still important to fix those issues because not every setup is different and those issues might be a problem for other users.

    Cheers,

    Henry