I am a security engineer trying to understand the risks of having LDP exposed to the Internet on port 646. I cannot find much information available on the Internet documenting this. Any information including further reading links would be much appreciated!
Is it common to have LDP TCP port 646 exposed to the Internet?
My assumption is no. I would assume that most network administrators have this port locked down to an allow list of IP addresses of other LDP enabled routers that are allowed to share labels with the rest of the network. Am I wrong?
What are the risks associated with having it exposed?
If the administrator does not use a pre-shared key to sign the TCP segments or a hacker compromises the pre-shared key, then what damage can they do? Will they be able to inject labels into the table and have traffic routed to an attacker-controlled router? I assume this would mean they can take down the network and perform packet inspection.
