
		HEAT - Half Ethernet Address Translation

This is a simple technique to bypass the Cisco Catalyst hardware address limitation
(set port security), or btw I hope so :D
From my experience, the only match performed by the switch is on the outgoing
hardware source addresses from the desired ports, no match against the ARP cache
nor against the ARP payload of a response.. So I've built this simple theory, based
on the NAT technology implemented by many vendors.

The difference between NAT and HEAT is the protocol layer where they work.

NAT is performed at layer 3 (Network Layer), while HEAT works at
layer 2 (Link Layer).

In that manner HEAT is transparent to any upper layer, and works fine with the
IP protocol and the ARP protocol.
The only well-known way to get around port security is that *every* packet
arriving at the port on the Catalyst must carry the same hardware address, so the
first thing to do is insert a transparent bridge between my hosts (or LAN, or
anything else) and the switch, and make it overwrite all source hardware
addresses in the bridgin' process.

This is a simple view:

|----------|        /----------\   ._____________.     /~~~|--------|
| OutWorld |---//---| Catalyst |---| HEAT bridge |---<-----| My LAN |
|----------|        \----------/   ~~~~~~~~~~~~~     \___|--------|

Code, compile, try..

Oh-oh-oh!!!

This is enough :D

But let's try to see what happens in a few more details.
The outgoing packet is HEATed by our bridge, no other data changed. But the
first preamble of any IP connection over an ethernet network is an ARP
request.. The ARP reply is analyzed by the Catalyst only for its source
hardware address, but the host that performed the ARP request looks at the ARP
record contained in the packet payload. So, changin' the source doesn't
reflect on the ARP results.
From the other side, external hosts send packets to the right (not HEATed)
hardware address, so there's no need to alter the incoming packet when it
reaches our bridge: it simply passes and reaches the real host.
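The paragraph above is also the footprint a defender can look for: the switch compares only the Ethernet source address, but the ARP payload still names the real host, so on a HEATed frame the two disagree. As an added example (not part of the original write-up, and not the author's tool), here is a small Python monitor that parses Ethernet/ARP frames and flags that mismatch. All addresses, the sample frames and the function names are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    eth_src is the layer 2 source the switch sees; sha is the sender hardware
    address inside the ARP payload. They are separate parameters so the
    constructed sample data can model a frame where the two disagree.
    """
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + bytes(int(o) for o in spa.split("."))
    arp += mac_bytes(tha) + bytes(int(o) for o in tpa.split("."))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the fields a monitor needs, or None if the frame is not ARP/IPv4."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(frame[22:28]),              # ARP sender hardware address
        "spa": ".".join(str(b) for b in frame[28:32]),  # ARP sender protocol address
    }


def check_heat(frame: bytes):
    """Flag an ARP frame whose Ethernet source MAC differs from its ARP sender MAC.

    A port-security check looks only at the Ethernet source; the ARP payload
    still carries the real host's address, so the two disagreeing on one frame
    is the trace left by half translation. Returns an alert dict or None.
    """
    p = parse_arp_frame(frame)
    if p is None or p["eth_src"] == p["sha"]:
        return None
    return {"eth_src": p["eth_src"], "arp_sha": p["sha"], "spa": p["spa"], "oper": p["oper"]}


def scan(frames):
    """Run check_heat over a capture and keep only the alerts."""
    return [a for a in (check_heat(f) for f in frames) if a is not None]


# Constructed sample traffic (hypothetical addresses, not from the original text).
SECURED_MAC = "00:11:22:33:44:55"   # the single MAC the switch port is allowed to see
HIDDEN_HOST = "66:77:88:99:aa:bb"   # a host sitting behind the bridge

SAMPLE_FRAMES = [
    # Untranslated request: Ethernet source and ARP sender agree -> no alert.
    build_arp_frame("ff:ff:ff:ff:ff:ff", SECURED_MAC, ARP_REQUEST,
                    SECURED_MAC, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    # Translated reply: Ethernet source rewritten, payload still names the hidden host -> alert.
    build_arp_frame("00:00:5e:00:53:01", SECURED_MAC, ARP_REPLY,
                    HIDDEN_HOST, "10.0.0.3", "00:00:5e:00:53:01", "10.0.0.1"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(f"ARP sender {alert['arp_sha']} ({alert['spa']}) seen behind eth src {alert['eth_src']}")
```

Plain IP traffic carries no layer 2 address in its payload, so ARP requests and replies are where this mismatch is visible; a sensor on a mirror of the secured port, or the switch's own inspection of ARP sender addresses, is what closes the gap the text describes.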

Hence the name: Half (because only outgoing packets are modified)
Ethernet Address Translation.

And so, it is.

Regards.
t.R.
--
tHE rECIdjVO <recidjvo@pkcrew.org>
Member of the Packet Knights
http://www.pkcrew.org/
Public Key at http://www.pkcrew.org/keys/recidjvo.asc
