Port 324 TCP carries RPKI-to-Router protocol over TLS (rpki-rtr-tls), the encrypted channel that delivers cryptographically validated routing information from RPKI validators to routers. It's part of the infrastructure designed to solve one of the Internet's most fundamental security problems: BGP hijacking.
What This Port Does
The RPKI-to-Router protocol (RPKI-RTR) is a lightweight protocol that communicates validated routing information from RPKI validators to routers.[1] Port 324 is the TLS-encrypted version of this protocol—the secure channel that protects this critical security data as it flows across networks.[2]
When a router connects to an RPKI cache on port 324, it receives:
- Validated prefix origin data — Which Autonomous System is authorized to announce which IP prefixes
- Cryptographic proof — ROAs (Route Origin Authorizations) that prove ownership rights
- Real-time updates — Changes to routing authorizations as they happen
The protocol is intentionally simple and has a low memory footprint, allowing routers to receive cryptographically validated data without performing the complex validation themselves.[3]
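As an added example (not code from the original page or from any validator or router vendor), a minimal encoder and parser for the RTR version 1 PDUs that make up the cache's reply to a router's Reset Query: Cache Response, one prefix PDU per ROA, and End of Data. The VRPs, session id, serial number and timer values are constructed. The parser validates every length field before trusting it, which is the check a router needs whether the bytes arrived over port 323 or port 324.

```python
"""Minimal RPKI-RTR (RFC 8210, protocol version 1) PDU codec.
Added example, not code from the original page; VRPs, session id and serial
are constructed. The bytes are identical on port 323 and port 324."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

VERSION = 1
# PDU type codes from RFC 8210 section 5; flags bit 0: 1 = announce, 0 = withdraw.
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 2, 3, 4, 6, 7
FLAG_ANNOUNCE = 1
# Total length (header included) of each fixed-size PDU handled here.
FIXED_LENGTH = {RESET_QUERY: 8, CACHE_RESPONSE: 8, IPV4_PREFIX: 20, IPV6_PREFIX: 32, END_OF_DATA: 24}


@dataclass(frozen=True)
class VRP:  # Validated ROA Payload, as the router stores it
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int
    announce: bool = True


def _header(pdu_type: int, session_id: int, length: int) -> bytes:
    # 8-byte common header: version, type, session id (zero where unused), total length.
    return struct.pack("!BBHI", VERSION, pdu_type, session_id, length)


def encode_cache_response(session_id: int) -> bytes:
    return _header(CACHE_RESPONSE, session_id, 8)


def encode_prefix(vrp: VRP) -> bytes:
    pdu_type = IPV4_PREFIX if vrp.prefix.version == 4 else IPV6_PREFIX
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if vrp.announce else 0,
                       vrp.prefix.prefixlen, vrp.max_length, 0)
    body += vrp.prefix.network_address.packed + struct.pack("!I", vrp.asn)
    return _header(pdu_type, 0, 8 + len(body)) + body


def encode_end_of_data(session_id: int, serial: int, refresh: int = 3600,
                       retry: int = 600, expire: int = 7200) -> bytes:
    # Version 1 End of Data also carries the cache's refresh/retry/expire timers.
    return _header(END_OF_DATA, session_id, 24) + struct.pack("!IIII", serial, refresh, retry, expire)


def parse_pdus(buf: bytes) -> list[tuple[int, int, bytes]]:
    """Split a stream into (type, session_id, payload), validating each length
    field before slicing so a bad or tampered stream cannot desynchronise the parser."""
    pdus, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, session_id, length = struct.unpack_from("!BBHI", buf, off)
        if version != VERSION:
            raise ValueError(f"unsupported protocol version {version}")
        if length < 8 or off + length > len(buf):
            raise ValueError(f"PDU length {length} does not fit the buffer")
        expected = FIXED_LENGTH.get(pdu_type)
        if expected is not None and length != expected:
            raise ValueError(f"PDU type {pdu_type} must be {expected} bytes, got {length}")
        pdus.append((pdu_type, session_id, buf[off + 8:off + length]))
        off += length
    return pdus


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_pdus(buf)
        return True
    except ValueError:
        return False


def decode_prefix(pdu_type: int, payload: bytes) -> VRP:
    flags, plen, max_len, _zero = struct.unpack_from("!BBBB", payload, 0)
    addr_len = 4 if pdu_type == IPV4_PREFIX else 16
    (asn,) = struct.unpack_from("!I", payload, 4 + addr_len)
    network = ipaddress.ip_network((payload[4:4 + addr_len], plen))
    return VRP(network, max_len, asn, bool(flags & FLAG_ANNOUNCE))


def cache_session(vrps, session_id: int = 0x1234, serial: int = 42) -> bytes:
    # Cache side: reply to a Reset Query with the full VRP set, then End of Data.
    out = encode_cache_response(session_id)
    for vrp in vrps:
        out += encode_prefix(vrp)
    return out + encode_end_of_data(session_id, serial)


def router_receive(stream: bytes) -> tuple[int, set[VRP]]:
    # Router side: consume Cache Response ... End of Data, return (serial, VRP set).
    pdus = parse_pdus(stream)
    if not pdus or pdus[0][0] != CACHE_RESPONSE:
        raise ValueError("expected Cache Response first")
    session_id, vrps = pdus[0][1], set()
    for pdu_type, _sid, payload in pdus[1:-1]:
        if pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            vrp = decode_prefix(pdu_type, payload)
            entry = VRP(vrp.prefix, vrp.max_length, vrp.asn)  # stored without the flag
            vrps.add(entry) if vrp.announce else vrps.discard(entry)
    last_type, last_sid, last_payload = pdus[-1]
    if last_type != END_OF_DATA or last_sid != session_id:
        raise ValueError("End of Data missing or from another session")
    return struct.unpack_from("!I", last_payload, 0)[0], vrps


SAMPLE_VRPS = (  # constructed: documentation prefixes, private-range ASN
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
)
```

A full fetch for the two sample ROAs is 84 bytes on the wire (8 + 20 + 32 + 24); a withdraw PDU removes the matching entry from the router's set, and a truncated or length-tampered stream is rejected before any prefix is decoded.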
The Problem It Solves
The Border Gateway Protocol (BGP) was designed in an era when the Internet consisted of several core autonomous systems that mutually trusted each other. Security wasn't a priority—successful data transmission was.[4]
The fundamental flaw: BGP has no mechanism to validate announcement content. Any network can announce any IP prefix, regardless of whether they have rights to that prefix.[5] The entire Internet routing system operated on transitive trust: you trust your neighbor, who trusts their neighbor, and so on.
This trust model failed spectacularly and repeatedly:
February 24, 2008: Pakistan Telecom tried to block YouTube domestically by announcing the route 208.65.153.0/24—a more specific route than YouTube's own 208.65.152.0/22. Their upstream provider PCCW Global forwarded this announcement to the rest of the Internet. For hours, the entire world's YouTube traffic was routed to Pakistan, taking the service down globally.[6]
August 17, 2022: Attackers used BGP hijacking to steal approximately $235,000 from the cryptocurrency platform Celer by redirecting users to fake login pages.[7]
June 2024: A Brazilian ISP announced 1.1.1.1/32 as if it owned Cloudflare's DNS resolver, making it unreachable for users worldwide. Even though Cloudflare had proper RPKI protections in place, at least one Tier-1 provider accepted the rogue announcement.[8]
These incidents aren't anomalies. They're consequences of the Internet's original architecture: anyone can say anything, and most networks will believe it.
How RPKI Works
Resource Public Key Infrastructure (RPKI) applies the concept of public key infrastructure to Internet number resources. The idea originated from Secure BGP (S-BGP), proposed by BBN in 1997 to solve the prefix hijacking problem.[9]
The system works through a chain of trust:
- Regional Internet Registries (ARIN, RIPE, APNIC, etc.) issue certificates to IP address holders
- Organizations create ROAs (Route Origin Authorizations) that cryptographically state which AS is authorized to announce their IP prefixes
- RPKI validators collect and validate these ROAs, building a verified database
- Routers connect to validators via port 323 (unencrypted) or port 324 (TLS) to download validated routing information
- Routers perform origin validation on incoming BGP announcements, checking them against the validated data
When YouTube responds to a hijack by announcing more specific prefixes, that's a workaround. When routers reject unauthorized announcements because they fail RPKI validation, that's actual security.
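As an added example, not from the original page or any router vendor, the origin validation step from the chain of trust above in code: RFC 6811's covering-and-matching rule over a table of Validated ROA Payloads, followed by the reject-or-deprioritize decision a router makes. The prefixes are the ones from the incidents described earlier; the ASNs are private-range stand-ins (64496 and up) rather than the real ones, and a 1.1.1.0/24 ROA with max length 24 is an assumed shape. It also shows why the "more specific" workaround is not security: under a /22 ROA with max length 22, the owner's own /24 announcement is Invalid too.

```python
"""Route Origin Validation (RFC 6811) against a set of Validated ROA Payloads.
Added example, not code from the original page. The VRP table is constructed:
incident prefixes from the article, private-range ASNs standing in for the
real ones, and an assumed 1.1.1.0/24 ROA with max length 24."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class Vrp:
    prefix: object  # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int
    asn: int


def validate_origin(route_prefix: str, origin_asn: int, vrps) -> Rov:
    """RFC 6811 section 2: a VRP covers the route when its prefix contains the
    route's prefix. Valid if some covering VRP names the origin AS and the route
    is no longer than that VRP's max length; Invalid if VRPs cover the prefix but
    none matches; NotFound if nothing covers it. AS 0 VRPs never match, so they
    mark a prefix that nobody may announce."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return Rov.NOT_FOUND
    if any(v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length
           for v in covering):
        return Rov.VALID
    return Rov.INVALID


def apply_policy(route_prefix: str, origin_asn: int, vrps, reject_invalid: bool = True):
    """Turn the ROV state into a routing decision: (state, accept, local_pref).
    Rejecting Invalid routes is what stops a hijack; only lowering their
    preference still lets a more-specific hijack win, because forwarding picks
    the longest matching prefix before preference is ever compared."""
    state = validate_origin(route_prefix, origin_asn, vrps)
    if state is Rov.VALID:
        return state, True, 110
    if state is Rov.NOT_FOUND:
        return state, True, 100
    return state, not reject_invalid, 90


VIDEO_AS, RESOLVER_AS, ROGUE_AS = 64496, 64497, 64498  # constructed stand-ins
SAMPLE_VRPS = (
    Vrp(ipaddress.ip_network("208.65.152.0/22"), 22, VIDEO_AS),
    Vrp(ipaddress.ip_network("1.1.1.0/24"), 24, RESOLVER_AS),  # assumed ROA shape
)


def replay_incidents(vrps=SAMPLE_VRPS) -> dict:
    """The article's hijacks, as a router holding these VRPs would classify them."""
    return {
        "youtube_/22_from_owner": validate_origin("208.65.152.0/22", VIDEO_AS, vrps),
        "youtube_/24_from_hijacker": validate_origin("208.65.153.0/24", ROGUE_AS, vrps),
        # The owner's own more-specific workaround also fails: /24 exceeds max length 22.
        "youtube_/24_from_owner": validate_origin("208.65.153.0/24", VIDEO_AS, vrps),
        "resolver_/32_from_hijacker": validate_origin("1.1.1.1/32", ROGUE_AS, vrps),
        "no_roa_at_all": validate_origin("203.0.113.0/24", ROGUE_AS, vrps),
    }
```

The last entry is the common case today: with no ROA covering a prefix, the router sees NotFound and accepts the route, which is why ROA coverage and validation both have to be deployed before the check changes anything.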
The Protocol's History
The RPKI architecture was developed in the IETF's Secure Inter-Domain Routing (SIDR) working group, based on threat analysis documented in RFC 4593. The RPKI-to-Router protocol itself was standardized as:
- RFC 6810 (January 2013) — Version 0 of the protocol[10]
- RFC 8210 (September 2017) — Version 1, updating RFC 6810[11]
Port 324 was assigned by IANA for rpki-rtr-tls, the TLS-secured transport for this protocol.[2] The unencrypted version runs on port 323.
Transport Security
The protocol supports multiple transport options:
- Port 323 (TCP) — Unprotected transport; mandatory to implement[2]
- Port 324 (TLS) — Transport Layer Security; optional but recommended[2]
- SSH transport — Alternative secure option using the SSH subsystem "rpki-rtr"[2]
Currently, very few routers implement TLS support, but it's especially valuable when deploying RTR data proxies where traffic flows across the public Internet.[3]
Router Support
Several major router vendors participated in developing the RPKI standards:
- Cisco IOS — Version 15.2 and newer
- Cisco IOS XR — Version 4.3.2 and newer
- Juniper JUNOS — Version 12.2 and newer on all platforms[12]
These routers can connect to RPKI validators and perform origin validation on BGP announcements, rejecting or deprioritizing routes that fail validation.
The Brutal Truth About Adoption
As of July 2023, only about 45% of IP prefixes routable on the Internet are covered by RPKI ROAs. The remaining 55% of prefixes are highly vulnerable to BGP origin hijacks.[13]
Worse: only 6.5% of Internet users are protected by Route Origin Validation from BGP origin hijacks.[13]
The infrastructure exists. The protocol works. The standards are published. But the Internet still largely operates on trust, not verification.
When a network hijacks a prefix and your ISP's routers aren't performing RPKI validation, your traffic goes wherever the hijacker sends it. The secure channel on port 324 can't help if nobody's listening on the other end.
What This Port Carries
Every connection to port 324 carries:
- Validated prefix origin assertions — The cryptographic truth about who owns what
- Protection against hijacking — The ability to reject fraudulent route announcements
- Real-time security updates — Changes to authorizations as they occur
- The foundation for Secure BGP — Origin validation is the first step; path validation (BGPsec) is next[14]
This isn't just routing data. It's the Internet's certificate of origin—cryptographic proof that the routes you're using lead where they claim to lead.
Current Limitations
RPKI currently provides origin validation only—verifying that the AS announcing a prefix is authorized to do so. It doesn't validate the path the traffic takes to get there. That requires BGPsec, standardized separately in RFC 8205, which isn't widely deployed yet.[14]
Even when RPKI is deployed correctly, as in Cloudflare's case in June 2024, a single provider accepting invalid routes can cause global disruptions. The system requires widespread adoption to be effective.
Related Ports
- Port 323 — RPKI-to-Router protocol (unencrypted TCP)
- Port 179 — Border Gateway Protocol (BGP)
- Port 22 — SSH (can tunnel RPKI-RTR as subsystem "rpki-rtr")
Security Considerations
What it protects against:
- BGP prefix hijacking
- Route origin spoofing
- Unauthorized IP prefix announcements
What it doesn't protect against:
- Path manipulation (requires BGPsec)
- Man-in-the-middle attacks if using port 323 instead of 324
- Providers who don't implement origin validation
Checking This Port
To see if anything is listening on port 324:
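As an added example (not from the original page, and not Routinator's or FORT's own tooling), a Python probe that classifies a port as closed, open without TLS, or open with a verified TLS handshake, together with the client TLS settings from the Transport Security section that a router should require on port 324: CA verification, hostname check, TLS 1.2 or newer. The cache host name and CA file path are assumptions; local_demo() runs the probe against constructed loopback listeners so it works offline.

```python
"""Checking whether a cache answers RTR over TLS on port 324.
Added example, not from the original page. Host names and CA paths are
assumptions; local_demo() uses constructed listeners on 127.0.0.1."""
from __future__ import annotations

import socket
import ssl
import threading

RTR_PLAIN_PORT, RTR_TLS_PORT = 323, 324


def make_rtr_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    # cafile: a private CA that issued the cache's certificate (assumed deployment);
    # None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_rtr_port(host: str, port: int, tls: bool | None = None,
                   timeout: float = 3.0, ctx: ssl.SSLContext | None = None) -> str:
    """Classify host:port as 'closed', 'open-plaintext', 'open-tls' or
    'open-tls-failed' (TCP accepted but no verified TLS handshake: the peer
    does not speak TLS there, or its certificate or host name was rejected)."""
    if tls is None:
        tls = port == RTR_TLS_PORT  # 324 is expected to speak TLS, 323 is not
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        if not tls:
            return "open-plaintext"
        try:
            with (ctx or make_rtr_tls_context()).wrap_socket(sock, server_hostname=host):
                return "open-tls"
        except OSError:  # ssl.SSLError, connection resets and timeouts all derive from OSError
            return "open-tls-failed"


def _accept_and_close(srv: socket.socket, count: int) -> None:
    # Constructed peer: accepts TCP but never speaks TLS, like a port 323 cache.
    for _ in range(count):
        conn, _ = srv.accept()
        conn.close()


def local_demo() -> dict[str, str]:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    srv.settimeout(5)
    plain_port = srv.getsockname()[1]
    worker = threading.Thread(target=_accept_and_close, args=(srv, 2), daemon=True)
    worker.start()
    results = {
        "plain_listener_as_323": probe_rtr_port("127.0.0.1", plain_port, tls=False),
        "plain_listener_as_324": probe_rtr_port("127.0.0.1", plain_port, tls=True),
    }
    worker.join(5)
    srv.close()
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens on this port any more
    results["nothing_listening"] = probe_rtr_port("127.0.0.1", closed_port, tls=True)
    return results


if __name__ == "__main__":
    print(local_demo())
    # Against a real cache (assumed host name): print(probe_rtr_port("rtr.example.net", 324))
```

Run it as a script to see the three outcomes on loopback. Against a real cache, probe_rtr_port(host, 324) returns open-tls only when the certificate chain and host name verify, so open-tls-failed on port 324 usually points at a certificate or CA problem rather than a missing service; a plain-TCP listener on 324 shows up the same way, which is the configuration to fix before trusting the feed.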
If you're running an RPKI validator like Routinator or FORT, you can configure it to serve RTR data on port 324 with TLS enabled.
Why This Port Matters
For 30 years, Internet routing operated on pure trust. Every BGP announcement was accepted at face value. Pakistan took down YouTube. Attackers stole cryptocurrency. Misconfigured routers blackholed traffic for millions of users.
Port 324 exists because the Internet finally built the infrastructure to stop trusting and start verifying.
But infrastructure only works if you use it. The door is open. The protocol is standard. The tools are available.
Only 6.5% of Internet users have walked through it.