What Port 3623 Does
Port 3623 is assigned to HAIPE-Discover (formally: HAIPIS Dynamic Discovery), registered with IANA in October 2002.[1]
HAIPE stands for High Assurance Internet Protocol Encryptor — a category of NSA-certified Type 1 encryption devices used throughout the U.S. Department of Defense to protect classified IP traffic.[2] When you have a network full of these devices and they need to find each other, they use port 3623 to do it.
What HAIPE Is
In the late 1990s, the DoD was transitioning from legacy circuit-switched networks to IP. The problem: standard commercial encryption wasn't good enough for classified communications. The NSA took IPsec — the same protocol underlying modern VPNs — and hardened it: added restrictions, additional authentication requirements, and support for Suite A and Suite B cryptography (the NSA's own cryptographic algorithms).[3]
The result is HAIPE IS (High Assurance Internet Protocol Interoperability Specification): a standard that ensures classified traffic can flow securely between DoD enclaves across untrusted networks. Devices certified against this specification include hardware like General Dynamics' TACLANE family of encryptors.
What the Discovery Protocol Does
A HAIPE device sitting at a network boundary needs to know what other HAIPE devices are out there before it can establish encrypted tunnels to them. Manually configuring this in large or mobile deployments — think field networks that move with military units — is impractical.
Port 3623 solves this. HAIPE devices register with a Generic Discovery Server (GDS) using this port, advertising their presence. Other encryptors query the GDS to find peers, then negotiate encrypted sessions. The port is effectively a directory service for classified encryption hardware.[4]
Who Will Ever See This Port
Almost no one. HAIPE infrastructure is DoD-internal. Port 3623 traffic appears on military and intelligence networks — not on commercial infrastructure, home networks, or typical enterprise environments.
If you see port 3623 traffic on a network you administer and it isn't a DoD environment, investigate it. It's either misidentified traffic, a misconfigured device, or something worth understanding.
Checking What's Using This Port
On your own machine, the standard commands apply:
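As an added example (not from the original page), one way to run that check on Linux is to filter `ss -tuanp` output by port field instead of a plain `grep 3623`, which would also match a PID of 3623 or port 36230. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets that involve port 3623 (HAIPE-Discover).
# Reads `ss -tuanp`-style lines on stdin, so it also works on saved output.
PORT=3623

port3623_sockets() {
    awk -v port="$PORT" '
        $1 == "Netid" { next }            # skip the header if -H was not used
        NF < 6        { next }            # not a socket line
        {
            # The port is whatever follows the last colon (handles [::]:3623 too).
            n = split($5, l, ":"); lport = l[n]
            m = split($6, p, ":"); pport = p[m]
            if (lport != port && pport != port) next
            role = (lport == port) ? "local" : "remote"
            proc = (NF >= 7) ? $7 : "-"   # process column is empty without privileges
            printf "%s %s %s %s %s %s\n", $1, $2, role, $5, $6, proc
        }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
udp   UNCONN 0      0      0.0.0.0:3623        0.0.0.0:*          users:(("svc-a",pid=812,fd=5))
tcp   ESTAB  0      0      10.0.0.5:51514      192.0.2.10:3623    users:(("client-b",pid=900,fd=7))
tcp   LISTEN 0      128    [::]:36230          [::]:*             users:(("other",pid=3623,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*
EOF
}

# Demonstration on the constructed sample; prints the two matching sockets.
sample_ss_output | port3623_sockets

# Live use on Linux (run as root to see process names):
#   ss -H -tuanp | port3623_sockets
```

The `role` column distinguishes a local process bound to 3623 from an outbound connection to a remote host's port 3623.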
On a DoD network with HAIPE infrastructure, traffic on this port is expected and managed by the security team. On any other network, unexpected traffic here should be investigated.
Why This Port Exists in IANA at All
IANA's registered port range (1024–49151) exists precisely for this: applications and protocols that need a stable, recognized port number without being part of the core Internet infrastructure.[1] Even classified military protocols go through the same public registration process — the port number is public, the protocol details are not.
It's a small reminder that the Internet's administrative layer is genuinely neutral. IANA registered port 3623 for the NSA's discovery protocol the same way it registered ports for video games and databases.