Defined in RFC 6598 (2012), the 100.64.0.0/10 block is not an RFC 1918 range — it is Shared Address Space, a third category of non-routable IPv4 addresses. It was carved out specifically for Carrier-Grade NAT (CGNAT), the mechanism ISPs use to share a single public IP across hundreds of subscribers as the global address pool exhausted. Traffic in this range is never forwarded by Internet routers but, unlike RFC 1918, it is also not intended for general private use — it sits between an ISP's infrastructure and the public internet.
100.64.0.0/10 gives ISPs 4M addresses that are globally reserved, won't appear in customer networks, and won't leak to the public internet — a clean boundary for the SP-to-CPE link.
Assigns every enrolled device a stable 100.x.y.z Tailscale IP from 100.64.0.0/10. Chosen because it doesn't overlap RFC 1918 ranges, so Tailscale IPs won't clash with home or office LANs regardless of the underlying network.
Open-source peer-to-peer VPN that defaults to 100.64.0.0/10 for its WireGuard overlay. Each peer gets a /32 from the management plane. CGNAT space avoids RFC 1918 conflicts and is globally non-routable, ideal for zero-trust overlays.
ISPs assign 100.64.x.x to CPE WAN interfaces; a CGNAT device translates those to a shared public pool. Addresses in 100.64–100.127 visible in traceroute hops are SP infrastructure, not your LAN.