
Port 323 is officially assigned to RPKI-RTR (Resource Public Key Infrastructure to Router Protocol), the system that helps prevent one of the Internet's most dangerous vulnerabilities: BGP hijacking.

What RPKI-RTR Does

The Border Gateway Protocol (BGP) is how the Internet routes traffic between autonomous systems. For decades, BGP operated on pure trust—if someone announced they owned a block of IP addresses, routers believed them. This created an attack vector: malicious or misconfigured systems could hijack traffic by falsely claiming ownership of IP space.

RPKI-RTR solves this. It is a protocol that delivers validated prefix origin data from a trusted cache to routers. The router asks: "Is AS 64500 actually authorized to originate 192.0.2.0/24?" The RPKI cache on port 323 answers from its copy of ROA data that it has already checked against the RPKI's cryptographic signatures. [1]

How It Works

The protocol uses TCP on port 323. A router connects to an RPKI cache server and receives the validated contents of Route Origin Authorizations (ROAs): statements, signed by the legitimate holders of IP address blocks, of which AS may originate which prefixes. The cache does the signature checking; the router only has to compare each BGP announcement against the resulting data and mark it valid, invalid, or unknown. [2]

This is origin validation. It doesn't prevent all BGP attacks, but it stops the most basic form: someone announcing prefixes they don't own.
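As an added example (not code from this page or from any RPKI implementation), here is a minimal Python decoder for the RTR IPv4 Prefix PDU defined in RFC 6810, feeding a set of validated ROA payloads, followed by the RFC 6811 origin validation rule that yields valid, invalid, or unknown. The byte stream, prefixes and AS numbers are constructed for illustration; only the IPv4 Prefix PDU type is decoded, and any other PDU is skipped by its declared length.

```python
import ipaddress
import struct

# RTR IPv4 Prefix PDU (RFC 6810 s5.6, unchanged in RFC 8210): 8-byte header (version, type=4,
# reserved, length=20) then flags, prefix len, max len, zero, 4-byte prefix, 4-byte origin ASN.
IPV4_PREFIX_PDU = 4
FLAG_ANNOUNCE = 0x01  # flag bit 0 set = announce, clear = withdraw

def build_ipv4_prefix_pdu(prefix, max_len, asn, announce=True, version=1):
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!BBHIBBBB4sI", version, IPV4_PREFIX_PDU, 0, 20,
                       FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_len, 0,
                       net.network_address.packed, asn)

def parse_pdus(data):
    # Yield (announce, network, max_len, asn) for each IPv4 Prefix PDU in a byte stream
    off = 0
    while off < len(data):
        _version, ptype, _reserved, length = struct.unpack_from("!BBHI", data, off)  # struct.error if truncated
        if length < 8 or length > len(data) - off:
            raise ValueError("PDU length %d does not fit the stream" % length)
        if ptype == IPV4_PREFIX_PDU:
            if length != 20:
                raise ValueError("IPv4 Prefix PDU must be 20 bytes")
            flags, plen, mlen, _zero, addr, asn = struct.unpack_from("!BBBB4sI", data, off + 8)
            # strict=True rejects a prefix with host bits set, which a cache must never send
            yield bool(flags & FLAG_ANNOUNCE), ipaddress.IPv4Network((addr, plen)), mlen, asn
        off += length  # other PDU types are skipped by their declared length

def apply_pdus(vrps, data):
    # Update a set of validated ROA payloads (network, max_len, asn) from cache PDUs
    for announce, net, mlen, asn in parse_pdus(data):
        (vrps.add if announce else vrps.discard)((net, mlen, asn))
    return vrps

def validate(vrps, prefix, origin_asn):
    # RFC 6811 origin validation of one BGP route: 'valid', 'invalid' or 'unknown'
    route = ipaddress.IPv4Network(prefix)
    covering = [v for v in vrps if route.subnet_of(v[0])]
    if not covering:
        return "unknown"  # no ROA covers this prefix
    if any(asn == origin_asn and route.prefixlen <= mlen for _, mlen, asn in covering):
        return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than maxLength
# Constructed sample of cache output: a 12-byte Serial Notify PDU (type 0, skipped), then three
# announcements and one withdrawal, using RFC 5737 documentation prefixes and private ASNs
SAMPLE_STREAM = (struct.pack("!BBHII", 1, 0, 0, 12, 7)
                 + build_ipv4_prefix_pdu("192.0.2.0/24", 24, 64500)
                 + build_ipv4_prefix_pdu("198.51.100.0/22", 24, 64496)
                 + build_ipv4_prefix_pdu("203.0.113.0/24", 24, 64511)
                 + build_ipv4_prefix_pdu("203.0.113.0/24", 24, 64511, announce=False))
```

Run `validate(apply_pdus(set(), SAMPLE_STREAM), "192.0.2.0/25", 64500)` to see a more-specific announcement rejected as invalid even though the origin AS is right.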

History and Creation

RFC 6810 standardized RPKI-RTR in January 2013, with RFC 8210 updating it to version 1 in September 2017. [3] The protocol emerged from years of work addressing BGP's fundamental security problem. BGP was designed in 1989 when the Internet was small and trusted. By the 2000s, BGP hijacking incidents were common enough to demand a solution.

RPKI provides the infrastructure. RPKI-RTR is the delivery mechanism—the protocol that gets validated route origin data to the routers that need it.

The Port Conflict

Port 323 has an unofficial collision. The chronyd daemon (an NTP implementation commonly used in place of ntpd for time synchronization) uses UDP port 323 as its default command port for monitoring and controlling the daemon. [4] This creates a quiet conflict: the same port number is used for verifying routing truth and for controlling time synchronization.

In practice, many RPKI implementations use alternative ports like 3323, since port 323 is a privileged port requiring root access. Chronyd can be configured to bind only to localhost to avoid external conflicts. [5]

Security Considerations

RPKI-RTR is designed to run over TCP, with the cache and routers ideally on the same trusted network if using unprotected transport. RFC 6810 recommends using TCP-AO, SSHv2, or IPsec for transport security when crossing untrusted networks. [6]

The protocol itself doesn't authenticate BGP routes completely—it only validates origin AS. An AS can still announce legitimate prefixes with incorrect path information. But origin validation stops the most blatant attacks: claiming to own address space you don't control.

Checking Port 323

To see if RPKI-RTR or chronyd is listening on port 323:

# Linux/macOS
sudo lsof -i :323
netstat -an | grep -E '[.:]323 '   # anchor the match so ports such as 3323 are not listed too

# Windows
netstat -an | findstr :323

You'll typically see TCP 323 if an RPKI cache is running, or UDP 323 if chronyd is active.

  • Port 179: BGP, the routing protocol that RPKI-RTR helps secure
  • Port 123: NTP, the standard time synchronization protocol (chronyd also uses this)

Why This Port Matters

Port 323 is part of the infrastructure trying to make the Internet's routing system trustworthy. BGP was built on trust. RPKI-RTR adds verification. Not every network runs RPKI validation yet, but adoption is growing. When it works, it's invisible. When it's missing, IP hijacking becomes trivially easy.

This port carries proof of ownership. Every ROA, every validation query, every cryptographic statement about who actually controls which addresses flows through connections like this. It's the Internet's way of checking IDs at the border.

Port 323: RPKI-RTR — The Border Gateway Protocol's Fact-Checker • Connected