Port 848 carries GDOI—Group Domain of Interpretation—a protocol that solves one of the genuinely hard problems in network security: how do you securely distribute encryption keys to hundreds or thousands of devices at once?
The Problem GDOI Solves
Traditional IPsec works beautifully for point-to-point connections. Two devices negotiate keys, establish a secure tunnel, and communicate. But what happens when you have 500 routers that all need to encrypt traffic to each other? Or a multicast stream that needs to reach 1,000 subscribers securely?
The individual handshake model breaks down. You can't negotiate 249,500 unique tunnels (500 routers talking to each other). You need a different approach.
GDOI provides it. Instead of individual negotiations, a central key server distributes the same encryption keys to an entire group. Every member gets the same key. They all use it to encrypt and decrypt traffic. One key server, hundreds of members, secure group communication at scale.[1]
How GDOI Works
GDOI introduces two types of keys:
Key Encryption Key (KEK) — Secures the control plane. This key protects the communication between the key server and group members. When the server needs to push a new traffic key to the group, it encrypts that message with the KEK.
Traffic Encryption Key (TEK) — Encrypts the actual data. This is the key that protects your traffic—the multicast stream, the WAN communications, the group data.[2]
The protocol operates in two phases:
- Registration — A group member contacts the key server on port 848 and authenticates. The server sends the member its KEK and TEK, along with all the encryption policies (what traffic to encrypt, which algorithms to use, when to rekey).
- Rekey — Periodically, the key server pushes new keys to all group members simultaneously. Because the rekey message is encrypted with the KEK, only legitimate group members can decrypt it and install the new TEK.
The beauty: group members don't negotiate with each other. They just register with the key server, receive the group keys, and start encrypting. Add a new member? It registers and gets the same keys everyone else has. Scale solved.
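To make the two phases concrete, here is an added Python model (not from the page, Cisco, or any GDOI implementation) of registration followed by a GROUPKEY-PUSH rekey: the key server wraps the new TEK under the KEK and authenticates the message with a KEK-derived key; registered members verify it, reject replays by sequence number, and install the TEK, while a device that never registered cannot. The HMAC-based keystream, the message layout and the class names are simplifications assumed for illustration.

```python
import hashlib, hmac, os
# Added GDOI illustration (not a real implementation); the HMAC keystream below is a
# toy stand-in for the KEK cipher, and the GROUPKEY-PULL/PUSH layouts are simplified.

def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def wrap(kek: bytes, seq: int, tek: bytes) -> bytes:
    # XOR the TEK with a keystream bound to the KEK and the push sequence number;
    # seq never repeats, so each push gets a fresh stream, and wrap == unwrap.
    stream = prf(prf(kek, b"enc"), seq.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(tek, stream))

class KeyServer:
    def __init__(self):
        self.kek, self.tek, self.seq = os.urandom(32), os.urandom(16), 0

    def register(self) -> dict:
        # GROUPKEY-PULL: a member that has authenticated receives KEK, current TEK, seq.
        return {"kek": self.kek, "tek": self.tek, "seq": self.seq}

    def rekey(self) -> bytes:
        # GROUPKEY-PUSH: seq || wrap(KEK, new TEK) || HMAC under a KEK-derived auth key.
        self.seq += 1
        self.tek = os.urandom(16)
        body = self.seq.to_bytes(4, "big") + wrap(self.kek, self.seq, self.tek)
        return body + prf(prf(self.kek, b"auth"), body)

class Member:
    def __init__(self, sa: dict):
        self.kek, self.tek, self.last_seq = sa["kek"], sa["tek"], sa["seq"]

    def process_push(self, msg: bytes) -> bool:
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, prf(prf(self.kek, b"auth"), body)):
            return False  # tampered, or this device does not hold the group KEK
        seq = int.from_bytes(body[:4], "big")
        if seq <= self.last_seq:
            return False  # replayed or stale push
        self.tek, self.last_seq = wrap(self.kek, seq, body[4:]), seq
        return True

def demo() -> dict:
    ks = KeyServer()
    m1, m2 = Member(ks.register()), Member(ks.register())
    outsider = Member({"kek": os.urandom(32), "tek": b"", "seq": 0})  # never registered
    push = ks.rekey()
    return {"m1": m1.process_push(push), "m2": m2.process_push(push),
            "same_tek": m1.tek == m2.tek == ks.tek,
            "outsider": outsider.process_push(push), "replay": m1.process_push(push)}
```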
The Evolution: RFC 6407 to RFC 9838
GDOI was originally defined in RFC 3547, then updated in RFC 6407. The protocol was based on ISAKMP (Internet Security Association and Key Management Protocol) and IKEv1.[3]
In January 2025, RFC 9838 was published, modernizing group key management by using IKEv2 instead of the older GDOI framework. But here's the interesting part: RFC 9838 still uses UDP port 848—the same port GDOI used—because the function is the same even as the protocol evolved.[4]
The port carries group key management, whether that's the original GDOI or its IKEv2-based successor.
Real-World Use: Cisco GET VPN
The most visible deployment of GDOI is Cisco's GET VPN (Group Encrypted Transport VPN). GET VPN combines GDOI with IPsec to secure traffic across private WANs—MPLS networks, metro Ethernet, any topology where you have many sites that need to communicate securely.
Unlike traditional VPNs that create point-to-point tunnels, GET VPN encrypts traffic while preserving the original source and destination IP addresses. Routers can still make routing decisions based on the actual endpoints. The encryption is transparent to the routing infrastructure.[5]
The key server listens on port 848 for registration requests. Group members (the routers doing the actual encryption) register, receive their keys, and start encrypting traffic. When it's time to rekey, the server pushes new keys to all members at once—using port 848 for the GROUPKEY-PUSH messages.[6]
This is how enterprises secure communications across hundreds of branch offices without configuring individual tunnels between every pair of sites.
Security Considerations
GDOI itself is cryptographically sound—it's based on the same principles as IKE, with strong authentication and key derivation. But the centralized model introduces a critical dependency: the key server.
If the key server is compromised, the entire group is compromised. An attacker with access to the key server can obtain all group keys and decrypt all traffic. This makes securing the key server absolutely essential—physical security, access controls, monitoring, the full defensive stack.
The protocol also supports key server redundancy. Multiple key servers can serve the same group, with members registering to whichever server is reachable. If one server fails or is compromised, the group can continue operating with the remaining servers.
Rekey intervals matter. The longer a single TEK is used, the more traffic is encrypted with it, and the more valuable that key becomes to an attacker. GDOI supports automatic periodic rekeying to limit the exposure window.
How to Check What's on Port 848
To see if anything is listening on port 848:
Linux/macOS:
Windows:
If you see a process listening on port 848, it's likely a GDOI key server or a device implementing group key management. Cisco routers running GET VPN will show this port active when configured as a key server.
Related Ports
- Port 500 — IKE/ISAKMP, the protocol GDOI was originally built on
- Port 4500 — IPsec NAT-T, used when IPsec needs to traverse NAT devices
- Protocol 50 (ESP) — The actual IPsec encrypted traffic that GDOI's keys protect
- Protocol 51 (AH) — IPsec Authentication Header, another protocol that uses GDOI keys
Why Port 848 Matters
This port carries the keys that protect group communications. Multicast video streams. Enterprise WAN traffic between branch offices. Control systems for critical infrastructure like power grids (RFC 8052 extends GDOI to support IEC 62351 security for energy management systems).[7]
Every device in the group gets the same key at the same time. One key server manages hundreds of members. Secure group communication at scale. That's what happens on port 848.
The individual handshake model is elegant but doesn't scale. Port 848 is where the Internet learned to distribute secrets to crowds.