TMS zl Management and Configuration Guide ST.1.1.100226
4-109
Firewall
Attack Checking
In Figure 4-72, as bytes are acknowledged by the server, the window “slides”
to the right. That is why it is called a sliding window. The TMS zl Module allows
you to set the range of bytes within the window, called the sequence range.
The advantages and disadvantages of the sequence range sizes are discussed
in the following table.
Table 4-13. Advantages and Disadvantages of Sequence Number Range Sizes

Small range
  Advantages: Limits the window of opportunity for sequence-number attacks.
  Disadvantages: Decreases the number of packets that can be sent before an
  acknowledgment is received, forcing the sender to stop transmitting while
  it waits for the acknowledgment.
Large range
  Advantages: Allows more octets to be sent at once.
  Disadvantages: Makes error recovery more difficult, degrading performance.
  May allow too much data “in the lines,” diminishing network throughput.

Sequence number ranges are connection-specific, which makes a single value
hard to apply universally. Adjust the range only when users have similar
characteristics and the endpoints can be identically configured. For all
other networks, rely on the system default.

If you decide to adjust the sequence number range, two factors are
important:
■ End-to-end bandwidth
■ Round-trip latency: the time between transmitting a segment and receiving
its acknowledgment. Longer latencies allow more data to be on the network
at once. For example, at the same bandwidth, a path with an 80-millisecond
round trip carries 8 times more data “in the lines” than a path with a
10-millisecond round trip.

The optimal sequence range is the product of these two values (the
bandwidth-delay product). A correctly sized range lets the sender transmit
continuously, without stopping to wait for acknowledgments, while still
allowing fast recovery of lost data.

After you select the Sequence Number Out of Range check box, configure the
following:
■ In the Range field, type a number between 1 and 65535. The larger the TCP
window size, the larger the span of sequence numbers that will be accepted
for a connection. As a result, a connection with a large TCP window gives an
attacker who cannot see the traffic more room to guess a sequence number
that lands inside the window, making it more susceptible to sequence number
prediction and session hijacking.
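The following Python model illustrates the check and the sizing rule described above. It is an added example, not code from the TMS zl Module or HP: it keeps, per connection and per direction, the left edge of the sender's window (the highest sequence number the peer has acknowledged), accepts a data segment only if its sequence number lies within Range bytes of that edge, slides the edge forward on acknowledgments, sizes the range from the bandwidth-delay product, and shows how many spoofed segments a blind attacker needs to guarantee that one lands inside the range. The class and function names, the maximum-segment constant used to bound acknowledgment advances, and the sample connection are all assumptions made for this example.

```python
"""Model of a Sequence Number Out of Range check (added illustration).

Not TMS zl code.  Assumptions: the inspector tracks the left edge of each
sender's window and slides it on the peer's ACKs; the Range field is the
number of sequence numbers accepted beyond that edge.
"""

from dataclasses import dataclass, field

SEQ_MOD = 1 << 32                # TCP sequence numbers wrap at 2^32
RANGE_MIN, RANGE_MAX = 1, 65535  # limits of the Range field
MSS_BYTES = 1460                 # assumed maximum segment size (example only)


def seq_offset(seq, base):
    """Forward distance from base to seq, modulo 2^32 (0 .. 2^32-1)."""
    return (seq - base) % SEQ_MOD


@dataclass
class Direction:
    """State for one direction of flow, e.g. client to server."""
    left_edge: int  # lowest byte from this sender not yet acknowledged


@dataclass
class Connection:
    """Two directions, keyed 'c2s' and 's2c'."""
    dirs: dict = field(default_factory=dict)


class SeqRangeCheck:
    def __init__(self, range_bytes):
        if not RANGE_MIN <= range_bytes <= RANGE_MAX:
            raise ValueError("Range must be between 1 and 65535")
        self.range_bytes = range_bytes

    @staticmethod
    def new_connection(client_isn, server_isn):
        # The SYN consumes one sequence number, so data starts at ISN + 1.
        return Connection({
            "c2s": Direction((client_isn + 1) % SEQ_MOD),
            "s2c": Direction((server_isn + 1) % SEQ_MOD),
        })

    def inspect_data(self, conn, direction, seq):
        """Return 'accept' or 'drop' for a data segment sent in `direction`."""
        edge = conn.dirs[direction].left_edge
        # Accept seq in [edge, edge + range).  Anything else is stale (already
        # acknowledged) or too far ahead to be a legitimate segment; the
        # modular offset makes the comparison correct across the 2^32 wrap.
        return "accept" if seq_offset(seq, edge) < self.range_bytes else "drop"

    def on_ack(self, conn, ack_direction, ack_num):
        """An ACK travelling in `ack_direction` slides the opposite window.

        The edge moves forward only, and only by an amount the window could
        have carried; an ACK further ahead than that is ignored rather than
        allowed to relocate the window.
        """
        target = "s2c" if ack_direction == "c2s" else "c2s"
        d = conn.dirs[target]
        advance = seq_offset(ack_num, d.left_edge)
        if 0 < advance <= self.range_bytes + MSS_BYTES:
            d.left_edge = ack_num % SEQ_MOD
        return d.left_edge


def size_range_bytes(bandwidth_bps, rtt_ms):
    """Bandwidth-delay product in bytes, clamped to the Range field limits."""
    bdp = bandwidth_bps * rtt_ms // 8000   # bits/s * ms / (8 bits * 1000 ms/s)
    return max(RANGE_MIN, min(RANGE_MAX, bdp))


def blind_guesses_to_cover(range_bytes):
    """Spoofed segments needed to guarantee one sequence number lands in range."""
    return -(-SEQ_MOD // range_bytes)      # ceiling division


if __name__ == "__main__":
    chk = SeqRangeCheck(range_bytes=8192)
    conn = chk.new_connection(client_isn=1000, server_isn=SEQ_MOD - 50)
    print(chk.inspect_data(conn, "c2s", 1001))         # first data byte
    print(chk.inspect_data(conn, "c2s", 1001 + 8192))  # one past the range
    chk.on_ack(conn, "s2c", 1001 + 1460)               # server ACKs a segment
    print(chk.inspect_data(conn, "c2s", 1001 + 8192))  # window has slid
    print(chk.inspect_data(conn, "s2c", 20))           # across the 2^32 wrap
    print(size_range_bytes(1_000_000, 10), size_range_bytes(1_000_000, 80))
    print(blind_guesses_to_cover(1024), blind_guesses_to_cover(65535))
```

The two sizing calls reproduce the 8-to-1 ratio from the latency example (1 Mbit/s at 10 ms versus 80 ms), and the last line makes the trade-off in Table 4-13 concrete: with a 1024-byte range a blind attacker must send about 4.2 million spoofed segments to be sure of landing one in the window, against roughly 65 thousand at the 65535 maximum.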