What Port 3503 Does

Port 3503 is the IANA-assigned UDP port for MPLS LSP-echo—the diagnostic protocol that lets network engineers ping a label-switched path directly.

The port is assigned and active. Every major carrier-grade router understands it.

The Problem It Solves

MPLS (Multiprotocol Label Switching) is how backbone networks move traffic fast. Instead of routing each packet individually by destination IP, MPLS assigns labels at the network edge and forwards everything by label. Packets follow pre-established Label Switched Paths (LSPs)—predefined routes through the network that routers follow without thinking.

This is efficient. It's also opaque.

If an LSP breaks somewhere in the middle, a regular ping won't catch it. ICMP echo requests travel by IP routing, not by labels. You can get a successful ping response while the MPLS path your actual traffic is using is completely broken. The ping went around the problem; your traffic can't.

LSP-ping fixes this. It sends a diagnostic packet that follows the same labels as your real traffic, all the way to the endpoint. If the path is broken, the probe is broken too.

How It Works

An LSP-echo request is a UDP packet sent to port 3503 on the far end, but with two unusual properties:

The destination IP is in the 127/8 loopback range. Not a real host address—a loopback address like 127.0.0.1 or any address in that /8 block. This is intentional. RFC 1122 requires hosts to discard packets destined for loopback addresses, and RFC 1812 prohibits routers from forwarding them. If an echo request leaks out of the MPLS domain because a router isn't doing labels correctly, it dies quietly rather than wandering into the Internet addressed to something real. The loopback destination is a self-destruct mechanism baked into the design. [1]

The IP TTL is set to 1. This ensures the packet can only survive one IP hop—the target LSR (Label Switching Router) that should process it. The MPLS labels carry it across the network; IP TTL is just a safety net.

The responding router sends an LSP-echo reply back to the sender, also on UDP port 3503, confirming whether the labeled path delivered the probe as expected.

The RFC

LSP-ping was defined in RFC 4379 in February 2006 by Kireeti Kompella (Juniper Networks) and George Swallow (Cisco Systems). [1] RFC 4379 was later obsoleted by RFC 8029, which updated and expanded the mechanism without changing the fundamental design or the port assignment. [2]

The port was registered with IANA as lsp-ping on both TCP and UDP, though only UDP sees real use.

Security Note: CVE-2025-6188

In 2025, a vulnerability was discovered in Arista EOS where the operating system would accept UDP packets whose source port was 3503, in addition to correctly processing packets whose destination port was 3503. [3]

The distinction matters. An attacker could forge packets with source port 3503 and cause Arista devices to treat them as legitimate LSP-echo replies, leading to unexpected behavior in UDP services that don't authenticate their traffic. The CVE carries a CVSS score of 7.5 (High). Arista patched it in EOS 4.30.10 and later.

The lesson: a port number isn't authentication. LSP-ping's lack of cryptographic verification is a known limitation of the original design.
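
The request properties from "How It Works" and the source-versus-destination port distinction from the security note, as a checker over raw IPv4/UDP bytes. This is an added example, not code from the RFCs or from Arista; the function names, the sample addresses and port 40000 are constructed for illustration.

```python
import ipaddress
import struct

LSP_PING_PORT = 3503
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def build_packet(src, dst, ttl, sport, dport, payload=b""):
    """Constructed sample: minimal IPv4 + UDP headers (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp

def echo_request_findings(packet):
    """Return reasons the packet is NOT a well-formed LSP-echo request envelope."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 packet"]
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    if ihl < 20 or len(packet) < ihl + 8:
        return ["truncated IPv4/UDP headers"]
    ttl, proto = packet[8], packet[9]
    if proto != 17:
        return ["not UDP"]
    dst = ipaddress.ip_address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    findings = []
    if dport != LSP_PING_PORT:  # match on the destination port only
        findings.append(f"destination port is {dport}, not {LSP_PING_PORT}")
        if sport == LSP_PING_PORT:
            findings.append("source port 3503 does not make this an echo request")
    if dst not in LOOPBACK:
        findings.append(f"destination {dst} is outside 127.0.0.0/8")
    if ttl != 1:
        findings.append(f"IP TTL is {ttl}, expected 1")
    return findings

SAMPLES = {  # constructed packets; addresses come from documentation ranges
    "valid request": build_packet("192.0.2.1", "127.0.0.1", 1, 49152, 3503),
    "source-port only": build_packet("198.51.100.7", "192.0.2.9", 64, 3503, 40000),
    "routable destination": build_packet("192.0.2.1", "192.0.2.9", 1, 49152, 3503),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", echo_request_findings(pkt) or "ok")
```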

Checking What's on This Port

To see if anything is listening on port 3503 on your system:

# Linux/macOS
sudo ss -tulpn | grep 3503
sudo lsof -i UDP:3503

# Windows
netstat -ano | findstr 3503

On a router or switch in an MPLS network, you'd expect the control plane to be bound here. On a general-purpose server, you'd expect nothing.
