Port 521 carries RIPng (Routing Information Protocol next generation), the IPv6 version of one of the Internet's oldest routing protocols. Every 30 seconds, routers send multicast updates through this port, sharing what they know about the network topology with their neighbors.
What RIPng Does
RIPng is a distance-vector routing protocol for IPv6 networks. It helps routers learn about available network paths and choose the best routes based on hop count—the number of routers a packet must pass through to reach its destination.
The protocol sends updates on UDP port 521 using the IPv6 multicast address ff02::9 (the "all-RIP-routers" group). Every router running RIPng joins this multicast group and listens for updates from neighbors. When a router's routing table changes, it broadcasts the update. When nothing changes, it still sends updates every 30 seconds to prove it's still alive.1
The maximum path length is 15 hops. Anything beyond that is considered unreachable. This limitation makes RIPng suitable for smaller networks, not massive autonomous systems.
Why Port 521 Instead of 520
The original RIP (for IPv4) uses UDP port 520. When the Internet Engineering Task Force developed RIPng in the mid-1990s, they gave it a new port number—521—to avoid conflicts with the existing IPv4 versions running on the same routers.2
This separation allowed networks to run both protocols simultaneously during the long, slow transition to IPv6. A router could speak RIPv2 on port 520 for its IPv4 networks and RIPng on port 521 for its IPv6 networks without confusion.
The History: Minimum Necessary Change
In the early 1990s, the IETF realized the Internet was running out of IPv4 addresses. By 1992, several proposals emerged for an expanded addressing system. In 1995, the IETF introduced IPv6 as the successor to IPv4.3
Every routing protocol needed an IPv6 version. RIPng was defined in RFC 2080, published in January 1997 and authored by Gary Malkin and Robert Minnear.4 The design philosophy was explicit: make the minimum necessary change to RIP to support IPv6.
The changes were straightforward:
- IPv4 addresses expanded to IPv6 addresses
- IPv4 subnet masks replaced with IPv6 prefix lengths
- Next-hop field eliminated (functionality preserved differently)
- Authentication removed (handled by IPv6's IPsec instead)
- New multicast address: ff02::9 instead of 224.0.0.9
The core algorithm remained unchanged. RIPng still counts hops, still has a 15-hop limit, still sends updates every 30 seconds. The simplicity was intentional—RIPng wasn't meant to compete with more sophisticated protocols like OSPFv3. It was meant to be the simple, reliable option for networks that didn't need the complexity of link-state protocols.5
How It Works
RIPng routers maintain a routing table with known destinations and the hop count to reach them. When a router receives an update on port 521, it compares the new information with what it already knows.
If the update describes a shorter path to a destination, the router updates its table. If the update comes from the router currently used for a particular destination, the router accepts the new metric even if it's worse (the path might have degraded). If a router stops hearing updates from a neighbor, it eventually marks those routes as unreachable and looks for alternatives.
The protocol includes mechanisms to prevent routing loops—situations where packets circle endlessly between routers. Split horizon, route poisoning, and hold-down timers all work to ensure the network converges on accurate routing information after topology changes.
Security Considerations
RIPng removed the authentication mechanisms present in RIPv2, relying instead on IPv6's IPsec for security. This means RIPng itself has no built-in authentication—it trusts that IPsec will protect the routing updates from tampering.
In practice, many networks don't enable IPsec for routing protocols, which means RIPng updates can be spoofed. An attacker on the local network could send malicious routing updates to port 521, redirecting traffic or creating denial-of-service conditions.
Firewall rules should restrict access to port 521. Only routers that need to exchange routing information should be able to reach this port on each other.
Checking What's Listening
To see if anything is listening on port 521:
On Linux/macOS:
On Windows:
If you see a process listening on port 521, it's likely a routing daemon like routed, quagga, or FRRouting implementing RIPng. On Cisco and Juniper routers, RIPng is configured through the router's CLI and appears as part of the routing process.
Related Ports
- Port 520: RIP for IPv4 (RIPv1 and RIPv2)
- Port 2601: Zebra routing daemon (part of Quagga/FRRouting, which can run RIPng)
- Port 179: BGP, used for larger-scale routing between autonomous systems
The Quiet Survivor
RIPng never became the dominant IPv6 routing protocol. OSPFv3 and IS-IS took over for larger networks. BGP handles the Internet's backbone. Modern software-defined networking often bypasses traditional routing protocols entirely.
But RIPng still exists in the corners—small office networks, embedded systems, legacy equipment that was configured once in 2003 and never touched again. Port 521 still carries those 30-second heartbeats, routers still multicasting to ff02::9, distance vectors still propagating across networks that nobody thinks about because they just work.
The "next generation" became the previous generation. The protocol designed for the future became infrastructure. And every 30 seconds, somewhere, a router sends an update on port 521, keeping the map of the network current, one hop count at a time.
Frequently Asked Questions
Was this page helpful?