Port 520: RIP & EFS — The Router's Gossip Channel

Port 520 is a split personality. Over UDP, it carries the Routing Information Protocol (RIP), one of the oldest routing protocols still in production. Over TCP, it hosts the Extended File Name Server (EFS), a service so obsolete that modern documentation calls it "historic" and warns it's "not usable for use with many common service discovery mechanisms."¹

What Runs on Port 520

UDP/520: Routing Information Protocol (RIP)

RIP is a distance-vector routing protocol that routers use to exchange network topology information. Every 30 seconds, RIP routers broadcast their routing tables to neighbors, announcing which networks they know how to reach and how many hops away those networks are.²

TCP/520: Extended File Name Server (EFS)

EFS was used in DECnet and UNIX environments for mapping file names and managing directory services across networks. It helped users locate files on remote systems transparently. Today, it's a relic.³

How RIP Works

RIP uses UDP exclusively—no TCP involved. The protocol is beautifully simple: routers maintain a routing table showing the best path to each known network, measured in hop count. The maximum hop count is 15. Any destination 16 hops away is considered unreachable.⁴

Here's what happens:

1. Every 30 seconds, a router sends its complete routing table to all neighbors via UDP port 520
2. Neighbors receive the update and compare it against their own routing tables
3. If a neighbor learns about a shorter path to a destination, it updates its table
4. The process repeats, and routing information propagates across the network

This is called distance-vector routing. Each router only knows what its neighbors tell it. No router has a complete map of the network—just a collection of secondhand information about which direction to send packets.

The History

RIP's predecessor was the Gateway Information Protocol (GWINFO), developed by Xerox in the mid-1970s as part of the Xerox Network Systems (XNS) protocol suite.⁵ The version of RIP we know today was based on the routed daemon distributed with 4.3 Berkeley Software Distribution (BSD).

In June 1988, Charles Hedrick at Rutgers University published RFC 1058, which formalized RIP as a standard.⁶ But here's the thing: RIP was already widely deployed. Hedrick's RFC wasn't inventing a new protocol—it was documenting an existing one that had never been formally specified. The memo's stated goal was to "document a protocol and algorithms that are currently in wide use for routing, but which have never been formally documented."⁷

RIP was designed for moderate-size networks with reasonably homogeneous technology. It was never meant to run the entire Internet. But it worked well enough for campus networks, regional networks using serial lines, and small enterprise environments.

Why RIP Still Exists

RIP is considered a legacy protocol today. Modern networks use OSPF, EIGRP, or BGP—protocols that scale better, converge faster, and handle complex topologies more gracefully. But RIP refuses to die:

• Small networks: RIP is simple to configure and requires minimal overhead
• Embedded systems: Routers with limited memory and processing power can run RIP without strain
• Lab environments: Teaching networking fundamentals is easier with RIP's straightforward logic
• Legacy enterprise setups: Some organizations never bothered to migrate

The 15-hop limit seems quaint now, but it was a deliberate design choice to prevent routing loops. If a packet bounces between routers indefinitely, it eventually hits hop 16 and dies. Simple. Effective. Brutal.

Security Considerations

RIP has no built-in authentication in its original form (RIPv1). Anyone on the network can send fake routing updates and hijack traffic. RIPv2 added support for MD5 authentication, but many implementations still run without it.⁸

If you're running RIP:

• Use RIPv2 with authentication
• Limit RIP to trusted internal networks
• Never expose RIP to the Internet
• Consider migrating to OSPF or another modern protocol

RIP updates are broadcast to all neighbors. An attacker on the network can listen to routing tables, learn your network topology, and inject false routes. There's a reason modern networks don't use RIP at the edge.

The Extended File Name Server (TCP/520)

EFS is a ghost. It was part of early UNIX networking, helping systems share file name mappings across the network. Documentation is sparse. Modern systems don't use it. IANA still lists it as assigned to port 520 TCP, but calling it "obsolete" would be generous.⁹

If you see traffic on TCP port 520, it's either legacy equipment or something pretending to be legacy equipment.

How to Check What's Listening on Port 520

On Linux or macOS:

sudo lsof -i :520

On Windows:

netstat -an | findstr :520

To see if RIP is actively sending updates:

sudo tcpdump -i any port 520

You'll see UDP packets every 30 seconds if RIP is running.

Related Ports

• Port 521: RIPng (RIP next generation for IPv6)
• Port 179: BGP (Border Gateway Protocol, the routing protocol that actually runs the Internet)
• Port 89: OSPF (Open Shortest Path First, a modern link-state routing protocol)

Why This Port Matters

Port 520 represents two different philosophies of Internet design.

RIP is gossip-based routing. Routers trust their neighbors, share everything they know, and hope the network converges to a consistent view of reality. It's democratic, simple, and fragile.

The Extended File Name Server represents the dream of transparent distributed file systems—a vision that didn't survive the collision between academia and the real Internet.

RIP is still out there, broadcasting routing tables every 30 seconds, running on small networks and embedded systems where simplicity beats sophistication. It's not the future. But it's still here, doing the same job it did in 1988, one UDP packet at a time.