IPv6 prefix from T-Mobile USA used but not announced in BGP (2607:7700::/32)


While doing statistics on the participants of a public DHT, I was
surprised to see some IP addresses that are not present in the DFZ:


All those IP are in 2607:7700::/32, allocated to T-Mobile USA but never


What could explain their usage in an application? Some form of address
translation? Maybe these addresses have been used as source address in
outgoing packets, which would indicate IPv6 tests in T-Mobile? (but
obviously, nobody is able to answer such packets).


You see these addresses because your DHT is not supporting IP correctly.
Enable ipv6 and your flaw will be resolved and you will no longer see these


While doing statistics on the participants of a public DHT, I was
surprised to see some IP addresses that are not present in the DFZ:

I believe those are used by T-mobile's 464XLAT (RFC 6877) implementation.

Recent Android on T-mobile is IPv6-only and has no ability to connect to
raw IPv4 addresses. T-mobile's DNS servers are only asked by these devices
to translate hostnames to IPv6 addresses. If they can't find an IPv6
address, they will look up the IPv4 address for a hostname, and pack it into
the bottom 32 bits of an IPv6 address that routes to a IPv6-to-IPv4 NAT


4e00:605b ->

                                     -- Aaron

Apple has also required the ability for ipv6-only operations


Thanks, I had forgotten that DNS64 is possible without using the
well-known prefix. The encoded IPv4 addresses seem to belong to other
peers of the DHT.

So, if this is basically DNS64/NAT64, these IP addresses should not be
seen as source or destination address outside of T-Mobile's network, and
are not attached to the interface of any device.

I can see two possible explanations:

1/ packets with src or dest IP in 2607:7700::/32 somehow escaped
   T-Mobile's network, without being translated back to IPv4. They caused
   other DHT nodes to believe they have incoming peers in 2607:7700::/32.

2/ there is an interesting bug in the DHT software when run behind 464XLAT
   (btw, the DHT is dual-stack and supports IPv6 just fine)

I still wonder how this can happen, because the DHT does not use DNS at all...


What behavior do you expect when an ipv6only node connects to an ipv4only
node , which is the tmobile case? How is that address of the address

As far as I know, IPv4-only DHT nodes do not directly communicate with
IPv6-only DHT nodes, I don't see how this would be possible in general.

The code of the DHT client is here:


Based on http://dan.drown.org/android/clat/, it looks like it may be
possible for an IPv4-only application to connect to raw IPv4 addresses
through a IPv4-to-IPv6 NAT service on the Android device itself, which then
is transported over IPv6 to T-mobile's IPv6-to-IPv4 NAT device.

Skimming https://github.com/savoirfairelinux/opendht/blob/master/src/dht.cpp, my
guess is that new peers find your IPv4 address:port (on T-mobile's
IPv6-to-IPv4 NAT device) in the DHT and contact you, which somehow doesn't
get correctly translated back to IPv4 before it makes it to your
application, so you are seeing the untranslated IPv6 address. Replying to
the new peer on the T-mobile-internal IPv6 address should still work as long
as you stay on T-mobile's network but are of limited use otherwise.

                                     -- Aaron