Internal IP exposed

connectivity, security

The system is exposing an internal IP address to the remote side.

Description

A peer reflexive (prflx) candidate is discovered during ICE connectivity checks, not from local interface enumeration or a STUN/TURN server. The local agent learns one when the XOR-MAPPED-ADDRESS in a STUN Binding response to its own check does not match any candidate it already knows; the remote side learns one when a Binding request arrives from a source address that matches none of the candidates it was offered.

Under normal conditions that address should be a public one (e.g. the NAT's external address), because it is the address the far side actually saw the packet come from. If it is instead an internal address (IPv4 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, or an IPv6 unique local address in fc00::/7), then the remote peer has seen a private address of this system, i.e. the system is effectively exposing an internal IP to the remote side. The address is already known to the peer by the time this observation is made; the observation records the exposure, it does not cause it.

This can indicate a misconfigured NAT, VPN, or network setup in which private addresses end up being used as the "reflexive" address, for example when the two peers are joined by a VPN or a NAT that does not translate the source address.

What do we do here?

If the local candidate of the selected candidate pair is of type prflx and its IP is classified as an internal IPv4 or IPv6 address, we mark it as an observation.
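The check described above, as an added example written for this page and not the tool's own code. It assumes the statistics are shaped like a W3C RTCStatsReport flattened into a list of dicts (a transport entry carrying selectedCandidatePairId, a candidate-pair entry carrying localCandidateId, and a local-candidate entry carrying candidateType and address); the sample report embedded below is constructed, and the function and field names are those of the WebRTC stats spec rather than of any particular implementation.

```python
import ipaddress

# Ranges the page calls "internal": the three RFC 1918 IPv4 blocks and IPv6 ULA.
# Deliberately narrower than ipaddress.is_private, which would also flag
# loopback, link-local and CGNAT (100.64.0.0/10) addresses.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_internal_address(addr):
    """True if addr is an IPv4/IPv6 literal inside one of INTERNAL_RANGES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # mDNS-obfuscated candidates ("xxxx.local") or junk: cannot be classified.
        return False
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is classified by its IPv4 part.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_RANGES)


def find_internal_prflx(stats):
    """Return one observation per selected pair whose local candidate is a
    prflx candidate with an internal address.

    stats: iterable of dicts, each with at least "id" and "type", shaped like
    the entries of an RTCStatsReport.
    """
    by_id = {s["id"]: s for s in stats}
    observations = []
    for transport in stats:
        if transport.get("type") != "transport":
            continue
        pair = by_id.get(transport.get("selectedCandidatePairId"))
        if pair is None:
            continue  # no pair selected yet (ICE still checking)
        local = by_id.get(pair.get("localCandidateId"))
        if local is None or local.get("candidateType") != "prflx":
            continue
        address = local.get("address")
        if is_internal_address(address):
            observations.append({
                "transportId": transport["id"],
                "candidatePairId": pair["id"],
                "localCandidateId": local["id"],
                "address": address,
                "port": local.get("port"),
            })
    return observations


# Constructed sample report (hypothetical ids and addresses). The first
# transport selected a pair whose local prflx candidate is RFC 1918; the
# second selected a pair whose local prflx candidate is a public address.
SAMPLE_STATS = [
    {"id": "T01", "type": "transport", "selectedCandidatePairId": "CP01"},
    {"id": "CP01", "type": "candidate-pair", "localCandidateId": "LC01",
     "remoteCandidateId": "RC01", "state": "succeeded", "nominated": True},
    {"id": "LC01", "type": "local-candidate", "candidateType": "prflx",
     "address": "192.168.1.23", "port": 51234, "protocol": "udp"},
    {"id": "RC01", "type": "remote-candidate", "candidateType": "srflx",
     "address": "203.0.113.7", "port": 3478, "protocol": "udp"},
    {"id": "T02", "type": "transport", "selectedCandidatePairId": "CP02"},
    {"id": "CP02", "type": "candidate-pair", "localCandidateId": "LC02",
     "remoteCandidateId": "RC02", "state": "succeeded", "nominated": True},
    {"id": "LC02", "type": "local-candidate", "candidateType": "prflx",
     "address": "198.51.100.42", "port": 40001, "protocol": "udp"},
    {"id": "RC02", "type": "remote-candidate", "candidateType": "host",
     "address": "203.0.113.9", "port": 5000, "protocol": "udp"},
]

if __name__ == "__main__":
    for obs in find_internal_prflx(SAMPLE_STATS):
        print("Internal IP exposed:", obs)
```

Two points a practitioner will want to keep in mind. First, the selected pair is taken from the transport's selectedCandidatePairId rather than from nominated/succeeded flags on the pair itself, because several pairs can be succeeded and nominated during a switch while only one is current. Second, a candidate whose address is an mDNS name cannot be classified at all, so the check stays silent for it rather than guessing.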