
What Port 3323 Is

Port 3323 is a registered port — meaning it falls in the range 1024–49151, the band IANA manages for services that applications and vendors can claim. IANA has not officially assigned port 3323 to any service.

But that doesn't mean nothing uses it.

The Unofficial Standard: RPKI-to-Router (RTR)

The most significant real-world use of port 3323 is the RPKI-to-Router (RTR) protocol, the communication channel between RPKI validators and BGP routers.

Here's the context. BGP — the Border Gateway Protocol — is how the Internet's routers tell each other where to send traffic. For decades, BGP had no way to verify that a network was actually authorized to announce a given IP address range. Attackers could (and did) hijack traffic by lying about routes. RPKI (Resource Public Key Infrastructure) was developed to fix this: it's a cryptographic system that lets networks prove they own their IP addresses.

After an RPKI validator checks the global routing table, it needs to share that information with routers. That's what the RTR protocol does.[1] Defined in RFC 8210, RTR lets a router connect to a validator and ask: "Which prefixes are valid right now?"

The IANA-assigned port for RTR is 323. But 323 is a privileged port — binding it requires root access on Linux and Unix systems. Running a security tool as root to solve a security problem is the kind of irony that network engineers find quietly painful. So the community landed on 3323 as the practical default. Same digits, different order, no root required.[2]

Routinator, the widely deployed RPKI validator from NLnet Labs, listens on 3323 by default. Cisco, RIPE, APNIC tutorials, and most production deployments all point to 3323. If you run an RPKI validator, port 3323 is almost certainly open on that host.[3]

Registered Ports: What the Range Means

The 1024–49151 range exists for a reason. Well-known ports (0–1023) are reserved for foundational Internet services — HTTP, DNS, SMTP, SSH. They require elevated privileges to bind precisely because they're so fundamental.

Registered ports are different. Any organization can apply to IANA to have a port assigned to their service. Some do. Many don't. Port 3323 sits in this range unassigned — available, but informally occupied by a real and important use.

Security Note

Some port-scanning databases flag 3323 as associated with historical malware — a few trojans used it in the early 2000s. This is true of hundreds of ports. If you see traffic on 3323, the far more likely explanation is an RPKI validator, not malware. Check what's actually listening before concluding anything.

How to Check What's Listening on Port 3323

On Linux or macOS:

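# Linux: see what process is bound to TCP port 3323
# (run as root to see processes owned by other users)
ss -tlnp | grep ':3323'

# Linux: or with netstat (net-tools)
netstat -tlnp | grep ':3323'

# Linux or macOS: or with lsof, listening sockets only
lsof -nP -iTCP:3323 -sTCP:LISTEN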

On Windows:

netstat -ano | findstr :3323

If you see output pointing to a Routinator or other RPKI validator process, that's expected. If you see something else — or something you don't recognize — that's worth investigating.
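
A process name alone can mislead, so a second check is whether the listener actually speaks RTR. The following is an added example, not part of the original page or of any validator project: it builds the Reset Query PDU described in RFC 8210 and classifies the first eight bytes of the reply. The function names, the 127.0.0.1 default and the sample byte strings are assumptions constructed for illustration.

```python
import socket
import struct

# PDU type codes from RFC 8210 (version 1) and RFC 6810 (version 0).
PDU_TYPES = {0: "Serial Notify", 1: "Serial Query", 2: "Reset Query",
             3: "Cache Response", 4: "IPv4 Prefix", 6: "IPv6 Prefix",
             7: "End of Data", 8: "Cache Reset", 9: "Router Key",
             10: "Error Report"}
HEADER = struct.Struct("!BBHI")  # version, type, session ID / error code, length

def reset_query(version=1):
    """Build the 8-byte Reset Query a router sends to request a full sync."""
    return HEADER.pack(version, 2, 0, HEADER.size)

def classify(reply):
    """Return (is_rtr, description) for the first bytes a listener sent back."""
    if len(reply) < HEADER.size:
        return False, "reply shorter than an RTR header"
    version, pdu_type, field, length = HEADER.unpack(reply[:HEADER.size])
    if version not in (0, 1) or pdu_type not in PDU_TYPES:
        return False, "bytes do not parse as an RTR PDU header"
    if pdu_type == 3 and length == HEADER.size:
        return True, f"RTR v{version} Cache Response, session ID {field}"
    if pdu_type == 10 and length >= 16:
        return True, f"RTR v{version} Error Report, error code {field}"
    name = PDU_TYPES[pdu_type]
    return False, f"{name} (length {length}) is not a valid reply to a Reset Query"

def probe(host="127.0.0.1", port=3323, timeout=3.0):
    """Send a Reset Query to a listener you operate and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(reset_query())
        reply = b""
        while len(reply) < HEADER.size:
            chunk = sock.recv(HEADER.size - len(reply))
            if not chunk:  # peer closed before sending a full header
                break
            reply += chunk
    return classify(reply)

if __name__ == "__main__":
    # Constructed sample replies (not captured traffic).
    samples = {"validator": bytes.fromhex("0103123400000008"),
               "web server": b"HTTP/1.1 400 Bad Request\r\n"}
    for label, data in samples.items():
        print(label, classify(data))
```

Call `probe()` on the host itself to test the live listener; a validator that has not finished its first validation run may answer with an Error Report instead of a Cache Response, which still identifies it as RTR.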

Why Unassigned Ports Matter

IANA's port registry is a coordination system, not a law. Nothing technically prevents software from using any port, assigned or not. The registry exists to reduce collisions — to make it less likely that your database and your logging daemon both try to claim the same port.

Port 3323 is a small example of how the Internet governs itself in practice: through rough consensus and running code. The formal assignment went to 323. The community needed something that worked without root. They picked 3323, it spread, and now it's the de facto standard for a protocol that helps protect global routing integrity.

The gap between what IANA says and what the Internet actually does is, itself, an important thing to understand about how networks work.
