> Does the netblock "owner" suddenly see all of its traffic dropped?
Assuming everyone implements RPKI validation AND the RIR signs a new valid ROA with a different origin: Yes, eventually. Depends on sync intervals. It's unlikely it would even be legally possible to compel them to do this.
Individual ASNs can still choose to accept the invalid route anyway.
The RIR already has the power to revoke assignments, and IRRs would likely remove the route objects which most large networks use to generate filters. It was simply a slower process, and filtering according to IRR data is much more error-prone and open to abuse.
"It's unlikely it would even be laglly possible to compel them to do this."
But then, at a higher level, look at the unilateral/collective censorship ("deplatforming") that is happening right now... and being carried out in part by Amazon. None of the censors have been legally compelled to take any such actions.
What you are calling "censorship" is a free market business transaction. There are many cloud services, colo facilities, etc. If Amazon chooses not to do business with you there are certainly other options.
This certainly happens at the local level all the time: really toxic customers can get "fired" and banned from all the local movie theaters or all the local grocery stores. It is really no different online - some people just got used to living consequence-free on the internet. Wider society had no idea what the internet was at first then later didn't grasp the seriousness or impact the internet had. Fewer people hold such obviously disprovable beliefs now. The internet is just slowly catching up with how the physical world usually works. Neo-Nazi groups often can't find private venues willing to host their rallies, caterers willing to serve them food, etc. Newspapers refuse to run ads all the time. Broadcast networks don't hand over the microphone to everyone who demands it. If every newspaper in the country refuses to run your political ad that doesn't make it a grand conspiracy to censor you - perhaps you're just an asshole they don't want to do business with.
RIRs are not regular for-profit businesses and operate under very different policies for many reasons not the least of which is there are no alternatives since the RIR controls your access to the internet within your region via IP assignments.
It's pretty clear what trusting Amazon with internet routing will accomplish. The 73% of Republicans think the election was fraudulent - that basket of deplorable assholes will be routed straight to the nearest landfill.
Any protocol which lets them do that will surely face a lot of opposition.
"Only trust Operating Systems signed by us for your own security", "Only trust Apps signed by us for your own security", "Only trust routes signed by us for your own security", yeah I think we all know how that usually goes.
The experience in the Web PKI has been that you can pay lawyers to explain to a judge that they should order the thing they actually want done, rather than accept contorted arguments from other lawyers that a different order will achieve the goals despite not ordering what is actually desired.
For example the EFF spent effort helping US judges understand that if they want to order that stealmovies.example must go away they need to order the example registry to remove this name, not try to force Let's Encrypt to revoke certificates for it as Hollywood lawyers were advocating.
That won't magically stop judges from making orders you disagree with but it does force them to be clear eyed about what they're about, and that means you're more likely to prevail with simple just rationales either in court or subsequently in popular opinion.
>We are happy to have over 99% of our IPv4 and IPv6 -Space covered under a Route Origination Authorization, and that we are right now dropping RPKI invalid routes in every single Point-of-Presence for AS16509.
Does anyone know if AWS is going to push the remaining 1% to implement ROA?
Also, it sounds like an unsigned route - which I think most BGP announcements are - is still accepted, right? Any idea when we can start to require routes be signed?
There can be legitimate use cases why a network maybe have a very few amount of prefixes not signed or even invalid: canaries and beacons.
For example, running tests to a signed, unsigned and invalid prefix can provide insight into how other networks are routing to them.
One example is a beacon to probe to determine if a network has enabled origin validation. Failure to connect, or a change in the routing path can provide insight into which networks on the internet have enabled origin validation.
I believe it is likely that global IPv4 routing goes away before universal adoption of IPv6 at clients.
Transitional technologies allow IPv4 holdouts to have "working" Internet despite an increasing proportion of IPv6 nodes, there's some device somewhere which is mapping your connection to some IPv6-only service as an imaginary IPv4 connection. Such things wouldn't scale with 99% of users and usages, but can handle say, five thousand IPv4 users on your ten million customer ISP who mostly visit Facebook and check email.
Eventually the long distance traffic for IPv4 is tiny, because there's a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.
At that point if you're a backbone provider, IPv4 is a sizeable cost (the routing tables for it are horrendous) for negligible benefit (hardly any of your traffic) and its future only looks more dismal. So you start deprecating this service for your customers, and they don't bother to buy a replacement because they have a transition device to help any residual IPv4 users.
And so one day, without a fanfare, there just isn't really an IPv4 Internet any more, and the RIRs will just deprecate their management of the numbering for that network because it's obsolete.
Ideally this is an obscure nerd event, like a leap second, which your friends at first don't understand, and then when you explain it they realise it's boring and they don't care.
So, what you do goes like this: You provide DNS service, offering A answers even where (if you were to ask the public Internet) there are none. When you're asked for foo.bar.example you do an AAAA query, and you track for a while a mapping from the answer to a (RFC1918 or assigned for this purpose) IPv4 address, and recording it, then you reply to the A? query with your temporary address as the answer and a chosen timeout (maybe you plan to have this work for one hour, so you give 3600 seconds timeout). You then act as a NAT gateway that translates between IPv6 and IPv4 for that address mapping.
This doesn't work great, it breaks protocols which assume they're transparent (e.g. some FTP modes), it is slower and clunkier than "just" having IPv4 as we do today, and as I said it isn't viable with huge numbers of users (you run out of address space) but it's good enough that a lot of common application software remains usable this way.
This is about the gentle slope down, so it doesn't need to be perfect or even have the potential to be perfect, it just needs to work well enough to reduce the amount of tech support phone calls.
Think of it like the way pulse dialling was deprecated. Nobody needed to figure out a way to have pulse dialling be as good as tone dialling, let alone a truly out-of-band system (as is used by your mobile phone, and most other modern systems), they just needed to minimise the situation where lots of customers discover that they were using pulse dialling only because now it doesn't work.
If you're using DS-Lite then the traffic is IPv4 from the user's device to their local router, v6 from there to... somewhere, and then v4 between that somewhere and the endpoint. Initially that "somewhere" is the user's ISP, but we can imagine it getting outsourced further and further upstream until eventually "the IPv4 internet" is a single datacenter that every ISP outsources to.
The certificate authority that signs the routes. So yeah, this will centralize control of routing and expose it to things like government censorship and corporation exploitation. Sometimes the wild west is better than an authoritarian government.
Like DNSSEC this is only good for megacorps and nationstates. If anything it will expose human people to more abuse and exploitation.
Let's put it another way. Do you think the Arab spring and Libyan civil war would've taken place if DNSSEC had been in place and Gaddafi had control of bit.ly's TLS keys? I don't. Now think of that on kind of thing happening with routes. Yikes.
At least with the way things are now there's no ground truth. Every AS has it's own perception of the routing table and the ability to act on it. That's the way it should be. Securing BGP means less security because there is no global consensus even implied in the protocol. Securing BGP means centralizing BGP, not security.
Obviously for facebook.com he would only be able to serve an unencrypted HTTP version (and HSTS-preloading would prevent that working in most cases), but by controlling the .ly ccTLD he could acquire TLS certificates for any "national" site. I'm not sure if any of that is relevant, though.
For what it's worth this Gaddafi -> Libya -> bit.ly connection has to be one of the weirdest beliefs you've exhibited over a long period.
At first I thought it was just an extended bit, like the whole Cody Johnston "teleporting boars" thing 
But I don't think it can be, I think you're serious and er, that's not great basically. Maybe take a few minutes to think about it more clearly, discuss it with somebody you trust, and see if you can't figure out where you went wrong.
Anyone can still accept routes that don't have the stamp of authority.
I would also point out that the big authorities handing out the certification for this can also just revoke your IP block instead. You could still announce the block but since you're not longer in legitimate ownership of the IP block, it's likely that you'll quickly be blocked from announcing it.