Port 3288: COPS — The Policy Judge That Never Got Its Case

What Port 3288 Carries

Port 3288 is assigned to COPS — the Common Open Policy Service Protocol. It's not unassigned. It's just quiet.

COPS is a client/server protocol for policy enforcement on networks. The basic idea: instead of every router or switch making its own policy decisions locally, a central Policy Decision Point (PDP) holds the rules, and network devices — Policy Enforcement Points (PEPs) — ask that central server what to do.

One question. One answer. The device enforces whatever the PDP says.

The PDP listens on port 3288. The PEP connects and holds a persistent TCP connection open, sending queries as decisions are needed and receiving authoritative answers in return.

How COPS Works

The protocol is deliberately simple. A PEP establishes a single TCP connection to the PDP at port 3288. Over that connection, it sends Request (REQ) messages when it needs a policy decision and receives Decision (DEC) messages in response. The PDP can also push unsolicited decisions — Report State (RPT) — if policies change and the PEP needs to know immediately.

There are two operating models:

Outsourcing model: The PEP asks before acting. "Can this RSVP flow reserve bandwidth?" The PDP decides. The PEP enforces. The device has no local judgment — it defers entirely to the server.

Provisioning model: The PDP pushes configuration to the PEP in advance. The PEP stores it locally and acts without asking. This is closer to how modern network management works.

The persistent-connection design was intentional. If the PDP goes unreachable, the PEP knows immediately. No polling, no timeouts, no stale cache. The connection failing is the notification.

The History

RFC 2748 was published in January 2000, authored by David Durham (Intel), Jim Boyle (Level 3), Ron Cohen (Cisco), Shai Herzog (IPHighway), Raju Rajan (AT&T), and Arun Sastry (Cisco).¹ Six authors, five companies — a genuine collaborative effort across the industry at a moment when the Internet was growing faster than anyone could manage.

The timing mattered. The late 1990s were the height of RSVP — the Resource Reservation Protocol, which let applications reserve bandwidth across network paths for guaranteed quality of service. RSVP needed policy enforcement: not everyone who asked for bandwidth should get it. COPS was designed, in part, to be that enforcement layer. Routers running RSVP would ask COPS servers whether a given reservation was permitted.

RSVP never became the foundation of the Internet's QoS architecture. The Internet scaled differently — through overprovisioning and traffic engineering rather than per-flow reservation. And when RSVP quietly faded from the picture, COPS lost its most prominent use case.

COPS found a second life in PacketCable — the specification used by cable operators for voice-over-IP and multimedia services over DOCSIS networks. Cable modems and multimedia terminal adapters used COPS for provisioning and authorization.² That kept the protocol alive longer than it might have otherwise survived.

RFC 4261, published in 2005, added TLS support for COPS, securing the connection between PEP and PDP.³ By that point, the window for broad adoption had largely closed.

What Replaced It

Modern network policy lives in NETCONF (RFC 6241), YANG data models, and RESTCONF. Where COPS operated over a custom binary protocol on a persistent TCP connection, these newer frameworks use XML or JSON over standard transports, fitting naturally into REST-based management infrastructure.

The shift reflected a broader change in thinking: rather than devices asking permission from a central authority per-decision, operators push configuration to devices and trust them to execute locally. The centralized decision-maker model — elegant as it was — introduced a single point of failure that network operators grew less comfortable with as networks scaled.

Security

COPS sends policy data — information about which traffic is allowed, what resources are authorized, what configurations should be applied. On an unencrypted connection, that's a meaningful target. An attacker who can intercept or inject COPS messages can alter policy decisions without touching the devices themselves.

RFC 4261 addressed this with TLS. If you encounter a COPS deployment, verify it's using the TLS variant. Unencrypted COPS on an open network is a policy-injection vulnerability waiting to be discovered.

The protocol has no built-in authentication beyond what TLS provides. The PEP trusts whatever the PDP says. That makes the PDP the most valuable target in a COPS deployment.

What's Listening on Port 3288

If you see unexpected activity on port 3288, check what's actually running:

# macOS / Linux — what process owns port 3288?
sudo lsof -i :3288

# Linux alternative
sudo ss -tlnp | grep 3288

# Windows
netstat -ano | findstr :3288

Outside of legacy cable infrastructure or older enterprise network management systems, port 3288 should be quiet. If it's active on a machine with no known COPS deployment, investigate.

Why Unassigned Ports Matter

Port 3288 is a registered port — part of the range from 1024 to 49151 that IANA manages on behalf of specific applications and protocols.⁴ The registered range exists to prevent collisions: if every application picked port numbers at random, two applications would eventually try to listen on the same port on the same machine, and one of them would fail.

Registered doesn't mean required. Assignments are voluntary, and plenty of applications ignore the registry entirely. But having COPS officially at 3288 means a network administrator seeing traffic on that port has a starting point for investigation — and a firewall rule blocking it has a documented rationale.

The registered range is the Internet's version of urban planning: not every lot gets built on, but the addresses are recorded so nobody builds on the same lot twice.