What Port 3653 Does

Before a machine can send IPv6 traffic through a tunnel, it has to arrange that tunnel with a tunnel broker. That negotiation happens over port 3653, using the Tunnel Setup Protocol (TSP).

TSP runs over both TCP and UDP on port 3653: TCP for reliability when the network supports it, UDP when NAT traversal requires it. The client connects to a tunnel broker, authenticates, and requests a tunnel configuration. The broker assigns an IPv6 address and tunnel parameters. Only then does the actual tunneled traffic flow, and it flows elsewhere.

Port 3653 is the setup, not the tunnel itself.

Why This Exists

The Internet began running out of IPv4 addresses while IPv6 adoption was still slow. The gap between "IPv4 is exhausted" and "everything natively speaks IPv6" needed a bridge. Tunnel brokers provided that bridge: a server that would accept IPv4 connections and deliver IPv6 connectivity through them.

TSP, specified in RFC 5572 (published 2010), standardized how clients and brokers would negotiate these tunnels. Before TSP, every tunnel broker had its own protocol. After TSP, at least in principle, clients could work with any TSP-compliant broker.

The protocol supports multiple tunnel types, including 6in4 (IPv6 inside IPv4), 6over4, and others. Authentication uses SASL, letting brokers support multiple authentication mechanisms without hardcoding any particular one. [1]

The Registered Port

IANA assigned port 3653 specifically for TSP. Some port databases list 3653 as unassigned, but that's an error. The assignment is real and documented in RFC 5572.

It sits in the registered ports range (1024-49151), which means it was formally claimed by an application or protocol. Anyone can use registered ports without elevated privileges on the client side, though servers binding to them need the port to be free.

Who Uses This Today

TSP and tunnel brokers were more prominent during the IPv6 transition years, roughly 2005-2015. The most notable implementations are Freenet6/Hexago (now part of Ericsson) and Hurricane Electric's tunnel broker service, which remains active.

As native IPv6 deployment has expanded, demand for tunnel brokers has declined. Most ISPs now offer native IPv6. But networks that still lack it — older business connections, some developing regions, specific ISP holdouts — still use tunnel brokers, and TSP is still how some of them negotiate.

Port 3653 traffic on your network that you didn't configure is worth investigating. It could indicate a machine trying to establish an unauthorized IPv6 tunnel, which some organizations block for security policy reasons. RFC 7123 specifically notes that blocking TCP and UDP port 3653 is a way to prevent TSP-based IPv6 tunneling on networks where it isn't permitted. [2]
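
One way to look for that traffic in flow records, as an added example that is not part of the original page. The log format, the sample lines, and the names `find_tsp_clients` and `split_endpoint` are assumptions made for illustration; endpoints are assumed to be IPv4, since TSP setup runs over the IPv4 side.

```python
"""Flag hosts that contact a tunnel broker on port 3653 (TSP) over TCP or UDP."""
import ipaddress
from collections import defaultdict

TSP_PORT = 3653
TSP_PROTOS = {"tcp", "udp"}  # TSP runs over both transports

# Constructed sample flow records (not real traffic). Assumed format:
# <timestamp> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z tcp 10.0.5.23:51544 203.0.113.10:3653
2024-05-01T09:00:02Z udp 10.0.5.23:40112 203.0.113.10:3653
2024-05-01T09:00:05Z tcp 10.0.7.40:3653 198.51.100.7:443
2024-05-01T09:01:10Z udp 10.0.9.8:53001 203.0.113.10:3653
2024-05-01T09:02:00Z tcp 10.0.5.99:50000 192.0.2.44:443
malformed line that should be skipped
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, int port); raises ValueError if invalid."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def find_tsp_clients(flow_text, approved=()):
    """Return {src_ip: {(proto, broker_ip), ...}} for unapproved TSP setups."""
    approved = {ipaddress.ip_address(a) for a in approved}
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _, proto, src, dst = fields
        try:
            src_ip, _ = split_endpoint(src)
            dst_ip, dst_port = split_endpoint(dst)
        except ValueError:
            continue
        # Match on destination port only: a flow whose *source* port is 3653
        # is not a client starting a TSP negotiation with a broker.
        if proto.lower() in TSP_PROTOS and dst_port == TSP_PORT and src_ip not in approved:
            hits[str(src_ip)].add((proto.lower(), str(dst_ip)))
    return dict(hits)


if __name__ == "__main__":
    for host, sessions in sorted(find_tsp_clients(SAMPLE_FLOWS, approved=["10.0.9.8"]).items()):
        print(host, sorted(sessions))
```

The `approved` list holds hosts that are permitted to run a tunnel broker client; anything else that reaches port 3653 on either transport is reported with the broker address it contacted.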

Check What's Listening

On Linux or macOS:

# -t and -u together: TSP can listen on TCP or UDP
ss -tulnp | grep 3653
# or
lsof -i :3653

On Windows:

netstat -ano | findstr :3653

Scan from outside:

nmap -p 3653 <target>

If you see something listening on 3653 and you haven't configured a tunnel broker client, find out what process owns it.

  • Port 41 — 6in4 tunnel traffic (the actual tunneled IPv6, after TSP sets it up)
  • Port 443 — Some tunnel brokers fall back to HTTPS to get through restrictive firewalls
