This is a huge WTF. Any idea why they may be doing this?
I believe the tunnelling is part of a load balancing setup. I read an article about the setup at some point in the past. As far as I remember, it was written by Phil Dibowitz.
The WTF part is the way the source IP address for the encapsulation was chosen. It may just be that at the time it was implemented nobody really thought about what that source IP should be, and perhaps people thought it didn't matter at all.
Alternatively, it might be that the source IP is important to some intermediate router; perhaps there is some packet filtering based on source IP. Preserving the source IP as the packet was encapsulated may have been a hack to ensure the filters still worked.
It might also be that somebody thought preserving the source IP address at encapsulation was a good idea, as it would get any ICMP errors to the real source of the packet.
But this is all guessing, I don't know why they did this.
And from what I see here, it seems it's the Akamai servers that are doing it, not the Facebook servers themselves. Is that consistent with what you see?
No, that is not consistent with what I have seen. I found a packet dump, which I had lying around from December, and found the following.
There was a SYN packet, which had been sent to 2a03:2880:2040:1f01:face:b00c:0:3. This had been encapsulated in a tunnel with destination address 2401:db00:2040:1166:face:0:11:0 and spoofing my IP as source. And this packet had triggered an ICMPv6 time exceeded error from 2620:0:1cff:dead:beef::1494. All three prefixes are registered to Facebook.
I'll look for some more recent packet dumps.
BTW, I recently started trying out gogo6 on the network where I am using the phone from. This appears to have made Facebook much less reliable (in the last few days I have experienced less than 50% uptime). I'll try switching back to HE to see if Facebook gets more reliable that way.
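To make the packet-dump observation above concrete, here is an added example (not from anyone in this thread) that reconstructs the exchange with the Python standard library and decodes it the way one would when reading such a dump: an IPv6 SYN is wrapped in an IPv6-in-IPv6 tunnel (next header 41) whose outer source is the client's own address, a router on the path reports ICMPv6 Time Exceeded, and the analyzer extracts the quoted datagram and checks whether the tunnel preserved the original source. The three Facebook-registered addresses are the ones quoted in the post; the client address 2001:db8::1 is a constructed stand-in for "my IP", and TCP/ICMPv6 checksums are left at zero because the packets are constructed samples, not traffic to be sent.

```python
"""Decode an ICMPv6 Time Exceeded error that quotes an IPv6-in-IPv6 tunnelled
packet and check whether the tunnel preserved the original source address.
Constructed example; addresses from the thread plus a documentation client address."""
import ipaddress
import struct

NH_TCP = 6
NH_IPV6 = 41          # IPv6 encapsulated in IPv6 (RFC 2473)
NH_ICMPV6 = 58
ICMPV6_TIME_EXCEEDED = 3
IPV6_MIN_MTU = 1280


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class/flow label) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_tcp_syn(sport, dport, seq=0):
    """Minimal 20-byte TCP header with only SYN set. Checksum left at zero (constructed sample)."""
    data_offset_flags = (5 << 12) | 0x02      # 5 header words, SYN flag
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, data_offset_flags, 65535, 0, 0)


def encapsulate_6in6(outer_src, outer_dst, inner_packet, hop_limit=64):
    """Wrap a complete IPv6 packet in an outer IPv6 header with next header 41."""
    return build_ipv6(outer_src, outer_dst, NH_IPV6, inner_packet, hop_limit)


def build_icmpv6_time_exceeded(src, dst, offending_packet):
    """ICMPv6 Time Exceeded (type 3, code 0). Per RFC 4443 the error quotes as much of the
    invoking packet as fits without exceeding the IPv6 minimum MTU. Checksum left at zero."""
    room = IPV6_MIN_MTU - 40 - 8
    body = struct.pack("!BBHI", ICMPV6_TIME_EXCEEDED, 0, 0, 0) + offending_packet[:room]
    return build_ipv6(src, dst, NH_ICMPV6, body, hop_limit=255)


def parse_ipv6(buf):
    """Parse one IPv6 fixed header; tolerates a payload truncated by ICMPv6 quoting."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("not IPv6")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "next_header": nh, "hop_limit": hlim, "payload": buf[40:40 + plen]}


def analyze_time_exceeded(buf):
    """Given a captured ICMPv6 Time Exceeded packet, dig out the quoted datagram and, if it
    is a 6in6 tunnel packet, compare the outer (tunnel) and inner (original) source addresses."""
    err = parse_ipv6(buf)
    if err["next_header"] != NH_ICMPV6:
        raise ValueError("not ICMPv6")
    icmp_type = err["payload"][0]
    if icmp_type != ICMPV6_TIME_EXCEEDED:
        raise ValueError(f"ICMPv6 type {icmp_type}, not Time Exceeded")
    quoted = parse_ipv6(err["payload"][8:])   # skip type/code/checksum/unused
    result = {"reporter": err["src"], "error_delivered_to": err["dst"],
              "outer_src": quoted["src"], "outer_dst": quoted["dst"],
              "tunnel": quoted["next_header"] == NH_IPV6,
              "inner_src": None, "inner_dst": None, "source_preserved": False}
    if result["tunnel"]:
        inner = parse_ipv6(quoted["payload"])
        result["inner_src"], result["inner_dst"] = inner["src"], inner["dst"]
        result["source_preserved"] = inner["src"] == quoted["src"]
    return result


def observed_scenario():
    """Reconstruct the exchange from the December packet dump described in the thread,
    with the client's own address replaced by a constructed documentation address."""
    client = "2001:db8::1"                            # constructed stand-in for "my IP"
    fb_vip = "2a03:2880:2040:1f01:face:b00c:0:3"      # SYN destination from the post
    tunnel_endpoint = "2401:db00:2040:1166:face:0:11:0"
    reporting_router = "2620:0:1cff:dead:beef::1494"

    syn = build_ipv6(client, fb_vip, NH_TCP, build_tcp_syn(51000, 443))
    # The load balancer encapsulates the SYN but keeps the client's address as outer source.
    tunnelled = encapsulate_6in6(client, tunnel_endpoint, syn, hop_limit=1)
    # A router runs the outer hop limit to zero and reports to the outer source,
    # which here is the client rather than the tunnel ingress.
    error = build_icmpv6_time_exceeded(reporting_router, client, tunnelled)
    return analyze_time_exceeded(error)


if __name__ == "__main__":
    for key, value in observed_scenario().items():
        print(f"{key:20} {value}")
```

Running the block prints the decoded fields; `source_preserved` is true and `error_delivered_to` equals `inner_src`, which is exactly the symptom in the dump: the Time Exceeded for the tunnel hop lands on the client, which never sent a packet to the tunnel endpoint. The same `analyze_time_exceeded` function can be pointed at the raw bytes of a real captured ICMPv6 error (from the start of the IPv6 header) to check whether a given tunnel does this.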