Internet exchange points are ignored, vulnerable, and absent from infrastructure protection plans

Don't use the word "diverse" to describe it

Because the Trump administration has been targeting anything they see as "DEI" related based on word searches (yes, really!)

Though this is aimed at the EU which I suppose have a slightly better track record than the UK and the US

Actually.. The UK does have a pretty decent track record with the relevant PTB keeping an eye on things like the LINX. Or not interfering too much, which could be the bigger issue, ie things like peering agreements are generally left to industry. Give or take mutterings in the direction of national telecomms regulators, regulating interconnection and good'ol 'Net Neutrality.

Most of the challenges would be commercial though, so-

"The path forward is not to centralize more traffic in fewer places, but to build diverse, neutral, and well-governed interconnection points that reflect the same decentralization that made the Internet succeed in the first place.”

Which is what industry has been doing, and mostly works since the good'ol days of FLAPS (Frankfurt, London, Amsterdam, Paris & Spain). So build network to DE-CIX, LINX AMSIX, SFINX, ESPANIX and connect (or try to) to MAE-East and call it good.

Or maybe not because SFINX has been losing members. Which is partly because datacentre operators also do FLAP and built their own IXs. But then picking on Portugal as an example. It has-

https://pulse.internetsociety.org/en/ixp-tracker/?country_code=PT

6 IXPs, 16.23 % Proportion of local networks that are peering at IXPs in this country. But 5 of those IXs are in Lisbon, with only this one-

https://pulse.internetsociety.org/en/ixp-tracker/details/?country_code=PT&ixp_id=368

Outside of Lisbon. Oporto has 2 members, no ISPs and not much prospect of getting more. So OK, Portugal could arguably use more diversity.. But I (OK, my clients) wouldn't want to invest in connecting to that because there's only 2 ASNs/routes, one for FCCN which are Portugal's version of good'ol JANET, the other to root-servers.net that I should be able to reach from at least 2 IXs already. So sure, Portugal could maybe do with some more diversity.. But who's going to pay for it? Building and running an IX itself is cheap because it's basically a minimum of 2 Ethernet switches so people can peer across them, but getting ISPs to connect to them is expensive. Governments could try and regulate maybe by licence conditions, so if you want a Portugese telco licence, you must connect to Lisbon and Oporto, but telcos might politely decline. Especially given most ISPs do 'hot potato' routing and would attempt to offload traffic in Spain instead.

Which has pretty much always been the issue. Some techies might decide it would be a great idea to build an IX, especially if they also think they can charge for traffic across their IX. But an ISP's techies will do some traffic analysis, look at the amount of traffic they could offload at an IX and the cost, and go "Nope".. Especially when the economics are pretty much always driven by cost rather than quality. Which leads to some traffic tromboning that isn't great for latency, but it's an uphill battle to change that perceptin (frowns in Geoff Huston's general direction).

So it's one of those nice ideas that probably won't happen because it would just increase costs. So there's 1,519 active IXPs globally, but many (most) have very few peers and not much traffic. There would also be FUN! with 'neutrality' because definitions of that tend to end up a lil lopsided. If, say, Google & Cloudflare were in Oporto, maybe a business case for peering there would fly.. But they're not, and same is true with the other big traffic generators like Amazon, Microsoft, Facebook etc who''s idea of 'neutrality' is offloading their traffic costs as quickly as possible.

Re: visable structures

I sometimes think that part of the trouble people have with understanding the Internet is that it is mostly invisible in a way that roads, railways, sewers, gas mains &c are not. Not sure what to do about all this given security concerns and so on.

Keeping it that way can be a good start. Security by obscurity has its own vulnerabilities but like a lot of infrastructure, the majority of people don't really need to know how the sausages get made. It can sometimes make finding the damn things a bit of a PITA but after a while, you get the hang of playing spot the datacentre.

Who pays for IXP's?

Indirectly, everyone with an Internet connection. But usually the ISPs. So typically there's a membership fee to join the IXP, then port rental charges. Then it's the ISPs costs to connect to the IXP, port & costs of a BFR for peering and the costs for collocating that kit in or near the IXP. Which can sometimes be a challenge, eg the original LINX was in Telehouse London, and getting rackspace there can be.. challenging.

The bigger IXPs will extend their switch fabrics, so LINX is in multiple datacentres so ISPs can peer across their fabric. Which can also the challenging part given the traffic volumes at large IXPs. So then the IXP needs to run N x 10 or 100Gbps trunks for their peering LANs. But then there comes a point where if ISPs are exchanging Gbps across their peering sessions, private peering makes a lot more sense. Which then gets into 'Net Neutrality issues about the costs of those private peering sessions. 100Gbps ports on BFRs aren't cheap, then there can sometimes be fairly high costs to have IXPs or datacentres run SMF patches between the ISPs routers. Some datacentres used to try tiered pricing, so one price if it was SMF running 100Mbps, then a lot more if it was 10Gbps.. Which was taking the pish because a fibre patch is (mostly) bandwidth agnostic.