A proposal to improve routing security---Route Origin Authorization
(ROA)---has been standardized. A ROA specifies which network is allowed to
announce a set of Internet destinations. While some networks now specify ROAs,
little is known about whether other networks check routes they receive against
these ROAs, a process known as Route Origin Validation (ROV). Which networks
blindly accept invalid routes? Which reject them outright? Which de-preference
them if alternatives exist?
Recent analysis attempts to use uncontrolled experiments to characterize ROV
adoption by comparing valid routes and invalid routes. However, we argue that
gaining a solid understanding of ROV adoption is impossible using currently
available data sets and techniques. Our measurements suggest that, although
some ISPs are not observed using invalid routes in uncontrolled experiments,
they are actually using different routes for (non-security) traffic engineering
purposes, without performing ROV. We conclude with a description of a
controlled, verifiable methodology for measuring ROV and present three ASes
that do implement ROV, confirmed by operators