
Well-Known Port (0-1023)
Protocol: Photuris Session-Key Management Protocol
Status: Assigned but abandoned
Transport: UDP (primarily), TCP

What Port 468 Was Supposed to Carry

Port 468 was officially assigned to Photuris, a session-key management protocol designed for IPsec (IP Security). Photuris was created to establish short-lived cryptographic session keys between two parties without transmitting the keys across the Internet.[1]

The protocol used Diffie-Hellman key exchange and included an innovative "cookie" anti-clogging defense designed by Phil Karn to prevent denial-of-service attacks. William Simpson handled the packet formats and protocol specification.[2]

Photuris was documented in RFC 2522 in March 1999.[3]

What Actually Happened

Photuris never saw real-world deployment.

In the mid-1990s, the IETF was trying to decide on a standard key management protocol for IPsec. Three protocols competed: Photuris, SKIP, and ISAKMP/Oakley (which became IKE).

Photuris lost.

According to historical records, Photuris was dropped from consideration because one of its co-authors refused to make changes to the protocol specification requested by the IETF IPSEC working group chairs.[4] In September 1996, the IETF Security Area Director ended the controversy by declaring that ISAKMP/Oakley (IKE) should be the mandatory standard.[5]

IKE became the dominant IPsec key management protocol. Photuris was abandoned.

Why This Port Matters

Port 468 is a reminder that IANA assignments don't guarantee adoption. A port can be officially registered, documented in an RFC, and still carry nothing because the protocol it was built for lost a political and technical battle.

This is the Internet's version of a fossil—a layer in the sediment that tells you something once tried to live here and didn't make it.

The Well-Known Range (0-1023)

Port 468 sits in the well-known port range (0-1023), managed by IANA. These ports are reserved for system services and standardized protocols. Historically, only root/administrator processes could bind to these ports on Unix-like systems.

Being in this range means Photuris was intended to be a core Internet protocol. It had institutional backing. It was supposed to matter.

It didn't.

Security Considerations

Some security databases flag port 468 as potentially associated with malware, meaning Trojans or viruses have used this port in the past to communicate.[6] This is not because Photuris itself is dangerous—it's because abandoned ports become squatter territory. If nothing legitimate is listening, something illegitimate might move in.

If you see traffic on port 468, investigate it. It's almost certainly not Photuris.

How to Check What's Using Port 468

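On Linux/macOS:

sudo lsof -i :468

On Linux (the -tulpn flags are specific to Linux netstat; the trailing space keeps ports such as 4680 from matching):

sudo netstat -tulpn | grep ':468 '

On Windows:

netstat -ano | findstr /C:":468 "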

If something is listening on port 468, it's worth asking why.
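
An added example, not part of the original page: a plain substring match on `:468` also hits ports such as 4680, so this shell function compares the local port exactly. It assumes the column layout of Linux `ss -H -tulpn` (iproute2); the name `listeners_on_port` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Reads `ss -H -tulpn` style lines on stdin and prints only the sockets whose
# LOCAL port is exactly the requested port.
# Assumed columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
listeners_on_port() {
    awk -v want="$1" '
        NF >= 5 {
            p = $5
            sub(/.*:/, "", p)                 # keep the text after the last ":"
            if ((p "") == (want ""))          # exact string match, not substring
                print $1, $5, ($7 == "" ? "-" : $7)
        }'
}

# Constructed sample input: one real listener on 468 plus look-alike ports.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:468        0.0.0.0:*    users:(("unknown-svc",pid=4242,fd=5))
tcp   LISTEN 0      128             [::]:4680          [::]:*    users:(("devserver",pid=3100,fd=7))
tcp   LISTEN 0      128        127.0.0.1:4681       0.0.0.0:*    users:(("devserver",pid=3100,fd=8))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=800,fd=3))
EOF
}

# A substring match reports three lines here; the exact match reports one.
echo "substring matches: $(sample_ss_output | grep -c ':468')"
echo "exact matches:"
sample_ss_output | listeners_on_port 468

# Live use on a Linux host (the process column needs root):
#   sudo ss -H -tulpn | listeners_on_port 468
```

The process column gives the PID to follow up on with `lsof -p` or the system's process listing.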

Related Ports

  • Port 500 (UDP): IKE (Internet Key Exchange)—the protocol that replaced Photuris for IPsec key management
  • Port 4500 (UDP): IPsec NAT Traversal—IKE's fallback when NAT is detected

These ports carry what Photuris was supposed to carry. They won the war.

The Truthline

Port 468 is a tombstone. It marks the spot where a protocol tried to become part of the Internet's foundation and failed. The IANA assignment remains, but nothing listens. The RFC exists, but no one implements it.

This is what happens when a protocol loses.
