Velvet Star Monitor


Does Layer Distribution Protocol (LDP) on port 646 need to be open to the Internet? What are the risks associated with it?

Writer Matthew Harrington

I am a security engineer trying to understand the risks of having LDP exposed to the Internet on port 646. I cannot find much information available on the Internet documenting this. Any information including further reading links would be much appreciated!

Is it common to have LDP TCP port 646 exposed to the Internet?

My assumption is no. I would assume that most network administrators have this port locked down to an allow list of IP addresses of other LDP-enabled routers that are allowed to share labels with the rest of the network. Am I wrong?

What are the risks associated with having it exposed?

If the administrator does not use a pre-shared key to sign the TCP segments or a hacker compromises the pre-shared key, then what damage can they do? Will they be able to inject labels into the table and have traffic routed to an attacker-controlled router? I assume this would mean they can take down the network and perform packet inspection.
