Under what scenarios do SERVER REFLEXIVE and PEER REFLEXIVE addresses/candidates differ from each other?

soupybionics · Nov 11, 2013

I was going through the ICE/STUN specification and had a question. If I am located behind a NAT which could be a Full Cone, Restricted or Port Restricted but not a symmetric NAT, and considering I am using UDP, then in this case my SERVER REFLEXIVE and PEER REFLEXIVE addresses/candidates will be the same, right? I am not able to imagine under what scenarios (for the above-mentioned NAT types) they'll be different from each other. Or, if they are really different, then it can only mean that my NAT is a symmetric one?

Answer

selbie · Nov 14, 2013

You are correct - it is usually not different as long as the NAT you are behind is not symmetric.

PEER reflexive addresses are identified during ICE connectivity checks. New peer addresses can be identified in edge cases involving symmetric NAT in addition to other odd network configurations.

In the symmetric NAT scenario, the IP address between SRFLX and PRFLX will be the same, but the port is likely different.

Some other edge cases to consider:

Perhaps the ISP has implemented carrier grade NAT (double NAT configuration) among the customers it services - which is most likely going to be logically equivalent to a symmetric NAT. If two customers within the same ISP are doing ICE connectivity checks, they may discover the inner NAT public IP address.

You could probably also envision a multihomed machine scenario, something crazy with virtual machines, or an enterprise routing configuration that could influence the IP address mapping another host sees you as.
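The mapping behaviour discussed in the answer above, as an added example that is not part of the original post: a toy NAT model showing why a cone NAT yields no new peer reflexive candidate while a symmetric NAT yields one with the same IP and a different port. The class, function names, sequential port allocation and all addresses are constructed assumptions for illustration.

```python
import itertools

class Nat:
    """Toy UDP NAT (constructed model, mapping behaviour only)."""

    def __init__(self, public_ip, symmetric, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self._ports = itertools.count(first_port)
        self._mappings = {}

    def translate(self, src, dst):
        """Return the external (ip, port) that dst sees for a packet from src."""
        # Cone NATs (full, restricted, port restricted) reuse one mapping per
        # internal socket; they differ only in inbound filtering. A symmetric
        # NAT allocates a separate mapping for every destination.
        key = (src, dst) if self.symmetric else src
        if key not in self._mappings:
            self._mappings[key] = (self.public_ip, next(self._ports))
        return self._mappings[key]


def gather_and_check(nat, host, stun_server, peer):
    """Return (srflx, mapped_at_peer, new_prflx) for one local UDP socket."""
    # Candidate gathering: the STUN server reports the source address it saw.
    srflx = nat.translate(host, stun_server)
    # Connectivity check: the peer reports the source address it saw.
    mapped = nat.translate(host, peer)
    # A peer reflexive candidate is only new if it matches no known candidate.
    new_prflx = mapped not in {host, srflx}
    return srflx, mapped, new_prflx


# Constructed sample addresses (private and documentation ranges).
HOST = ("10.0.0.5", 5000)
STUN = ("192.0.2.10", 3478)
PEER = ("198.51.100.7", 61000)

if __name__ == "__main__":
    for label, symmetric in (("cone", False), ("symmetric", True)):
        nat = Nat("203.0.113.1", symmetric)
        print(label, gather_and_check(nat, HOST, STUN, PEER))
```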