Getting to the Root of All E-Mail

30/03/2002 Written by David McGuire

Squatting unobtrusively on the banks of a man-made pond in an unremarkable corporate subdivision a few miles outside the Beltway, the home of the Internet’s authoritative root server and master registry of dot-com addresses is virtually indistinguishable from the other red-brick office buildings that surround it.

Despite its humdrum façade, VeriSign’s Network Operations Center (NOC) is one of the most important physical locations in the virtual world, and since Sept. 11 it has proven irresistible to dozens of government officials who have sought to assure themselves that the Internet is safe from physical and electronic attacks.

“Security and stability are like Siamese twins. You cannot have stability without security,” said Mark Rippe, vice president of technical operations for VeriSign Global Registry Services. “If people can come and mess with your system, one way or another, you have no control over your systems.… Our primary function is the stability of the global Internet.”

Obscurity is the first line of defense. The building is unmarked, its address unspecified in company literature and its managers tight-lipped about disclosing driving directions or identifying markings to strangers.

While the location of the building is not a true secret — dozens if not hundreds of Internet addressing insiders know where it is — it would be difficult for a casual vandal or criminal to stumble across it, Rippe said.

Visitors start with a stroll through a metal detector and past a guard desk, much as they would in any moderately secure office building. They take an elevator to the top floor, where security is tightest and inconspicuous cameras monitor the hallways. The few entrances to the operations center and server rooms can only be reached through antechambers called “mantraps” which are outfitted with scanners that read the unique contours of visitors’ palms.

If an unauthorized visitor places his hand in the scanner it triggers a lockdown, sealing the intruder in one of the narrow, wood-paneled closets until security forces arrive to remove them.

Beyond the first mantrap, inside the operations center, a handful of employees keep tabs on rows of computer monitors and a wall of flat screens that continuously scroll diagnostics across maps of the world that show locations of key Internet servers. The constantly updated figures map the number of requests the servers are receiving each moment, and how well they are handling the load.

From here, technicians watch for unusual activity that could signal some sort of electronic attack.

“We see a lot of spikes or peaks or things that might indicate [denial of service] attacks,” Rippe said. Those blips represent a much more substantial security concern for the addressing officials than does the threat of physical attacks, Rippe said. From the operations center, technicians can take steps to counter threatening electronic activity, Rippe added.

Adjoining the operations center, behind another mantrap, are twin rooms that house the essential computers that serve as the heart of the Net. Here, hundreds of whirring computer fans and an industrial-strength air conditioner drown out anything quieter than a close-range shout. Black, seven-foot-tall computer server towers are aligned in rows that stretch nearly the length of the room. The white floor is slotted to allow airflow and a steady, conditioned breeze streams up from below, making all metal surfaces in the room cool to the touch. Small dome-like security cameras, similar to those used in casinos, pock the white ceiling, evenly spaced between chemical fire suppression devices. There isn’t a cranny of the server area where a person could hide from surveillance.

Between the server hedgerows are several equally tall storage units, where the continually updated master lists of the addresses registered in dot-com, dot-net and dot-org are stored.

And tucked away in a less-traveled back corner of one of the server rooms, behind the door of a black tower that looks no different than any of the others, is the principal reason for all the precautions: the A root server.

Most people envision the Internet as a global network that resides on no single physical system or network of systems. While that picture is roughly correct, key pieces of the Internet’s technological backbone are concentrated in a handful of physical locations around the world.

The Domain Name System (DNS) makes the Web easy to navigate by translating long Internet protocol (IP) numbers into memorable Web and e-mail addresses. It relies on a hierarchy of physical root servers to inform computers connected to the Internet where they need to look to find specific locations online.

At the top of that hierarchy is the A root server, which every 12 hours generates a “zone” file, which in turn tells a dozen other root servers spread around the world what Internet domains exist and where they can be found.

One rung below the root servers in the Internet hierarchy are the servers that house Internet domains such as dot-com, dot-biz and dot-info. Three of the largest and most widely used of those domains — dot-com, dot-org and dot-net — are run alongside the A root server at the Network Operations Center.

VeriSign manages the A root server and dot-com registry under contracts with the Commerce Department and global Internet addressing authorities.

But despite the precautions that go into protecting the assets in the facility, Rippe said the Internet would not be irreparably harmed if the building were to vaporize tomorrow.

“The last thing I’d want someone to think is that they could put a bomb around their waist and hug the A root and think they’re going to significantly impact the Internet,” Rippe said.

Rippe said that while such an attack could kill many employees, the Internet’s addressing system is designed to withstand the destruction of much of the physical infrastructure that houses it.

The DNS is built so that eight or more of the world’s 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN).

ICANN manages the DNS and sets policies for registry operators and domain name retailers.

“Theoretically, if ‘A’ were to disappear, we could pick it up from one of the other servers,” Crain said. “Moving the place where the zone is picked up is very simple.”

Although the functions of the A root server could be moved elsewhere, Rippe said that VeriSign is well aware that it makes a much more visible target than the other root servers, which perform their functions in comparative anonymity around the world.

Rippe said that he is always cognizant of the potential threat facing the building.

High-ranking U.S. officials have also started taking a greater interest in the security of the complex. After Sept. 11, as agencies and departments throughout the federal government began reexamining the security of the critical infrastructure under their jurisdictions, VeriSign hosted a slew of high-ranking visitors.

While the Web may be worldwide, American scientists relying on U.S. government funding created the technology at the core of the Internet and its global addressing system. The Internet may be a global resource, but much of its infrastructure is still ultimately controlled by the U.S. government.

In recent years, the government has ceded day-to-day management of the addressing system to the more internationally representative ICANN, but the Commerce Department still has final say in any changes made to the DNS.

Deputy Commerce Secretary Sam Bodman and White House electronic security adviser Richard Clarke took a guided tour of the center in November.

“The Internet is a critical component of our economy,” said Commerce Department spokesman Trevor Francis. “The reason why you’re seeing such a focus on VeriSign is that the safety and the integrity of these systems needs to be analyzed and needs to be improved upon regardless of how safe they currently are.”

Francis said that Bodman and Clarke walked away from their visit satisfied with the security measures protecting the VeriSign facility.

Still, despite clean report cards from high-level observers, the center is likely to remain a focus of scrutiny for some time, as the most visible physical element of a global communications network that has become indispensable in government, commerce and day-to-day life.

