Netgate Discussion Forum

    MDS Mitigation: any reason that's not enabled automatically?

    23 Posts 5 Posters 40.5k Views
    • johnpoz (LAYER 8, Global Moderator), last edited by johnpoz

      Where did you read that? Please point out the exact section of that HUGE ASS document that I have ZERO interest in reading ;) Because I am not running anything on ESXi currently.

      ESXi has provided its own mitigation. Also, did you see the BIG POINT HERE, which was the original point of this thread:

      "is mitigated through enablement of the ESXi Side-Channel-Aware Scheduler Version 1 or Version 2. These options may impose a non-trivial performance impact and are not enabled by default."

      Do you host this ESXi? Then yes, you should look into mitigations on the host for your clients running their OSes on your system.

      Do you run your pfSense on some hosted VM? Then you should check with your host that they have mitigated, so that their other clients cannot gain info about your instance and the stuff running on your instance.

      Do you think this mitigation protects your instance from other instances that might be running on a VM host that is open to such attacks and has not done any mitigation? That would be a slick trick for sure ;)

      Do you think, if you were running a VM on some host, it would be OK for the HOST to tell you to turn on this specific mitigation in your VM? I would tell them to get bent, and if the mitigations they are doing are going to slow down my VMs and their performance, then there should be a discount in cost, or a bump in the resources assigned to make up for any loss of performance, etc.

      If you run pfSense on your own ESXi instance and you have no other customers, then there is ZERO point in taking a performance hit, unless you plan on letting unknown users run code on your VMs, or you run untrusted code yourself on your host or your VMs. Why would you be doing that on pfSense?

      There really is almost no scenario where these mitigations would make sense to run on pfSense, since you should not be running untrusted code on pfSense, and you should for sure not be allowing untrusted admins access to pfSense in the first place, let alone letting them run code, etc. etc.

      They have been provided because if not, users bitch. But they sure as hell should not be turned on by default if there would be any performance hit at all. If you want to run it, have at it; it's a clickity clickity thing to turn on.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

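The post above argues that the MDS checkbox (and its Meltdown/Spectre siblings) only matters when untrusted code can run on the same physical host. The following is an added example, not code from this thread or from Netgate/pfSense: it parses `sysctl` output for the FreeBSD speculative-execution knobs and reports each one against that threat model. The sysctl names (`hw.mds_disable_state`, `hw.ibrs_active`, `hw.ssb_active`, `vm.pmap.pti`) are the ones I know from FreeBSD 12/13 and are an assumption to verify on your pfSense release; the sample output is constructed, and the assumption that the pfSense MDS option maps to `hw.mds_disable` is mine, not the page's.

```python
"""
Audit FreeBSD speculative-execution mitigation knobs from `sysctl` output.

Added example, not code from the forum thread or from Netgate/pfSense.
Assumes the FreeBSD sysctl names in KNOBS; verify them on your release.
The decision rule is the thread's: a missing mitigation is only a finding
when untrusted code can run on the same physical host.
"""
import re

# Assumption: these are the FreeBSD names for the mitigation state knobs.
KNOBS = {
    "hw.mds_disable_state": "MDS (Microarchitectural Data Sampling)",
    "hw.ibrs_active": "Spectre v2 (IBRS)",
    "hw.ssb_active": "Spectre v4 (speculative store bypass)",
    "vm.pmap.pti": "Meltdown (kernel page-table isolation)",
}

# Constructed sample, shaped like `sysctl hw.mds_disable hw.mds_disable_state ...`
# on a box where the MDS option is off but the Meltdown/Spectre defaults are on.
SAMPLE_SYSCTL = """\
hw.mds_disable: 0
hw.mds_disable_state: inactive
hw.ibrs_disable: 0
hw.ibrs_active: 1
hw.spec_store_bypass_disable: 2
hw.ssb_active: 1
vm.pmap.pti: 1
"""


def parse_sysctl(text):
    """Return {name: value} from `name: value` lines; values stay strings."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*:\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def is_active(name, value):
    """hw.mds_disable_state is a string ('inactive' or the method in use);
    the other knobs here are 0/1 flags."""
    if name == "hw.mds_disable_state":
        return value.lower() != "inactive"
    return value.strip() == "1"


def audit(text, shared_host):
    """Return a list of (knob, description, active, finding).

    shared_host: True when other tenants or untrusted code can run on the
    same physical host, which is when the thread says the cost is justified.
    active is None when the knob is absent from the output."""
    values = parse_sysctl(text)
    report = []
    for name, desc in KNOBS.items():
        if name not in values:
            report.append((name, desc, None,
                           "knob not present; kernel or microcode may predate it"))
            continue
        active = is_active(name, values[name])
        if active:
            finding = "mitigated"
        elif shared_host:
            finding = "NOT mitigated on a shared host: enable it, or have the host operator mitigate"
        else:
            finding = "not mitigated; acceptable if no untrusted code runs on this host"
        report.append((name, desc, active, finding))
    return report


def unmitigated(text, shared_host):
    """Knobs whose inactive state is a finding under the given threat model."""
    return [name for name, _, active, _ in audit(text, shared_host)
            if active is False and shared_host]


if __name__ == "__main__":
    import sys
    # Pipe real output in with: sysctl hw.mds_disable hw.mds_disable_state \
    #   hw.ibrs_active hw.ssb_active vm.pmap.pti | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSCTL
    for name, desc, active, finding in audit(data, shared_host=True):
        state = "on" if active else ("off" if active is not None else "?")
        print(f"{desc:40s} {name:24s} {state:3s} {finding}")
```

Run it with `shared_host=False` for the homelab case described in the thread and the inactive MDS knob is reported as acceptable; with `shared_host=True` it is the one finding in the sample.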
      • Squuiid @johnpoz, last edited by

        @johnpoz said in MDS Mitigation: any reason that's not enabled automatically?:

        If you run pfsense on your own esxi instance, and you have no other customers - then there is ZERO point in taking a performance hit.. Unless you plan on letting unknown users run code on your vms, or you run untrusted code yourself on your host or your vms... Which why would you be doing that on pfsense?

        Firstly, thank you for the detailed response. You've essentially answered everything anyone could ever have wondered about this setting and this should hopefully be the last of the questions sent your way as a result!
        I appreciate the time and effort you put into this.

        I do indeed host my own ESXi instance (homelab) and so won't be touching the setting.
        I also have an SG-2440 which also works great and that one was addressed in your first post, again won't enable as a result.
        Thanks.

        • johnpoz (LAYER 8, Global Moderator), last edited by

          Yeah, if you're running your ESXi in your own lab with your own VMs, I wouldn't use any of the mitigations for this family of exploits if there is any possible performance hit, which most all of these mitigations have. Some can be a pretty stiff hit.

          Do you recall when Meltdown first came out? Lots of hoopla about that, even though most use cases of pfSense would have zero need for concern with such an attack vector.

          Lots of traffic about it here and elsewhere, etc. Netgate put out this blog post back in Jan of 2018:
          https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html

          The important takeaway:
          "Most of our users should not be concerned as long as they follow our basic guidelines for limiting access to the WebGUI, shell as well as physical access to the pfSense appliance."

          Same goes for all of these sorts of exploits.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.