A commenter’s tip has solved the mystery of why my phone’s voice traffic is coming from an IP address owned by the Department of Defense. By entering the code *#*#INFO#*#*, I was able to pull up a hidden menu which shows the rogue IP address as assigned to my phone.
The Department of Defense is squatting on a massive number of IPv4 addresses and is not using most of it. Phone networks like Sprint are borrowing these IP addresses because their networks are larger than the 16 million hosts that the 10.x.x.x network can provide.
It looks, as another MT.Net visitor theorized, like Sprint is assigning the (unused) DoD IP addresses internally to its phones and then NATting the traffic from the phones to the public IPs. Since SIP packets have an additional IP address embedded inside, Sprint’s firewalls aren’t NATting that IP and thus the ordinarily “private” IP address is getting through the NAT process.