OrionOS · purpose-built carrier OS · full BNG on commodity x86 · XDP data plane
Platform Brief · OrionOS Secure Carrier OS

A hardened, purpose-built carrier OS that does in one commodity box what a chassis does in a rack

Most BNGs are built one of two ways: a general-purpose Linux distribution bent into a router (large attack surface, packages you never use), or a proprietary chassis OS welded to a vendor's silicon (capable, but locked-in and expensive). OrionOS is the third path: a minimal, hardened carrier OS that carries only what a BNG needs — subscriber management, CGNAT, QoS, and edge security — running on commodity x86 with an XDP/eBPF data plane. It boots from an immutable image into a RAM root, so it returns to a known-good state on reboot; and its security lives in the data plane and updates in software, not on a line-card cycle.
  • Purpose-built, not a general distro: only what a BNG needs ships in the image — a fraction of the attack surface.
  • Commodity x86, no proprietary chassis: no ASIC line cards, no per-feature licences, no vendor lock-in.
  • Security in-line, XDP / eBPF: anti-spoof, DDoS, quarantine, CGNAT — integral and software-updatable.
  • Your schedule, software-defined: fix and ship a patch in software, not wait for a vendor release train.
A router OS should be the smallest trusted thing you can build, not the largest. OrionOS ships the BNG and nothing else — fewer services to attack, fewer CVEs to chase, and a reboot that lands on a known-good image every time.

Two common ways to build a BNG OS — and their costs

Path A: a general-purpose distribution

  • Ships a full userland, package manager, and services a router never uses — a broad, constantly-patched attack surface.
  • Forwarding bolted on in userspace often wobbles at scale on commodity boxes.
  • Every distro CVE is now your CVE.
Path B: a proprietary chassis OS

  • Mature and capable — but tied to the vendor's silicon, line cards, and release cadence.
  • Per-feature licensing, expensive spares, and lock-in.
  • You patch and add features on the vendor's schedule, not yours.
OrionOS is the third path. A purpose-built carrier image — small enough to reason about, hardened by omission, running carrier-grade forwarding in the kernel via XDP on hardware you can buy anywhere. You get the control and openness of software with the focus and discipline of an appliance.
Attack surface: ship the BNG, not a general-purpose computer
[Diagram: attack-surface comparison. General-purpose distro: kernel + forwarding, full userland / shell, package manager, unused services / daemons, broad CVE surface. OrionOS: kernel + XDP forwarding, BNG daemon only, minimal hardened image, immutable RAM root, nothing else to attack.]
A general-purpose OS carries a shell, a package manager and services a router never runs — each a line in the CVE feed. OrionOS ships the kernel + XDP forwarding + the BNG daemon and little else, from an immutable image into a RAM root: the surface to attack — and to patch — is a fraction of the size.

A smaller thing to attack, by construction

Hardened by omission

If a package, shell service or daemon isn't needed to run a BNG, it isn't in the image. The most secure component is the one that isn't there.

Immutable boot image

The running system boots from a single signed-and-built image into a RAM root — a reboot returns to a known-good state, not to whatever drifted at runtime.

One binary source

The data-plane binary comes only from the built boot image — no ad-hoc package installs on production boxes to audit or trust.

Operator owns it

Your hardware, your config, your logs, your kernel. No opaque licence server deciding what your box may do today.

Patch on your schedule

A fix is a software change you build and ship — not a line-card respin or a wait for the vendor's next train.

Reproducible image

The whole platform is built from source into one artefact and flashed — the same image, verifiably, on every node.

Security isn't a bolt-on — it lives in the data plane

Because forwarding runs in the kernel via XDP, the security controls run in the same fast path as the packets — at line rate, per subscriber, and updatable in software. There is no separate security box to buy, cable, and keep in sync.

[Diagram: OrionOS XDP / eBPF data plane — one kernel fast path, per subscriber, at line rate. Controls in the fast path: Anti-spoof (BCP38 source validation), DDoS (inbound + outbound), Quarantine (auto-contain abuse), CGNAT (+ logging / LI), QoS (L4S / AQM).]
Source validation, DDoS containment, quarantine, CGNAT and QoS all execute in the same XDP fast path — not on five separate appliances. New protections ship as a software update to the image, fleet-wide.
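The anti-spoof control named above is BCP38 source-address validation: a packet entering on a subscriber-facing interface may only carry a source address from a prefix assigned to that subscriber, and anything else is dropped before it is forwarded. The following is an added illustration written for this brief, not OrionOS code and not an actual BPF program: it models the per-packet decision in portable C so it can be compiled and tested anywhere. The interface indices, prefixes, verdict names and the `frame_verdict` test helper are all this example's own constructions; in an XDP deployment the prefix table would be a BPF map keyed by ingress ifindex and the verdicts would be `XDP_PASS` / `XDP_DROP`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts modelled on XDP_PASS / XDP_DROP (names are this example's own). */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* One row of a per-subscriber source-prefix table. In an XDP deployment this
 * would be a BPF map keyed by ingress ifindex; here it is a plain array.
 * Addresses are host-byte-order integers. */
struct subscriber_prefix {
    uint32_t ifindex;   /* access-side interface the subscriber is attached to */
    uint32_t prefix;    /* network address of the assigned prefix */
    uint8_t  plen;      /* prefix length */
};

/* Constructed sample table (hypothetical subscribers, not real assignments). */
static const struct subscriber_prefix prefix_table[] = {
    { 10, 0x0A000100u, 24 },   /* ifindex 10 -> 10.0.1.0/24   */
    { 11, 0x0A000200u, 24 },   /* ifindex 11 -> 10.0.2.0/24   */
    { 11, 0xC0000210u, 32 },   /* ifindex 11 -> 192.0.2.16/32 */
};

static uint32_t netmask(uint8_t plen)
{
    return plen == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
}

/* BCP38 source-address validation: a packet arriving on `ifindex` passes only
 * if its source lies inside a prefix bound to that same interface. A source
 * belonging to another subscriber, or an interface with no binding, is dropped. */
int bcp38_verdict(uint32_t ifindex, uint32_t saddr)
{
    size_t n = sizeof prefix_table / sizeof prefix_table[0];
    for (size_t i = 0; i < n; i++) {
        const struct subscriber_prefix *p = &prefix_table[i];
        uint32_t m = netmask(p->plen);
        if (p->ifindex == ifindex && (saddr & m) == (p->prefix & m))
            return VERDICT_PASS;
    }
    return VERDICT_DROP;
}

/* Extract the IPv4 source address from an Ethernet frame.
 * Returns 1 on success, 0 if the frame is not IPv4, -1 if it claims to be IPv4
 * but is truncated. Every read is bounds-checked first, as the BPF verifier
 * would demand of the XDP version of this logic. */
int ipv4_saddr_from_frame(const uint8_t *frame, size_t len, uint32_t *saddr)
{
    if (len < 14) return -1;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != 0x0800) return 0;           /* ARP, IPv6, PPPoE: not handled here */
    if (len < 14 + 20) return -1;
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < 14 + ihl) return -1;
    *saddr = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
             ((uint32_t)ip[14] << 8)  |  (uint32_t)ip[15];
    return 1;
}

/* Per-packet decision as the ingress hook would make it. */
int ingress_verdict(uint32_t ifindex, const uint8_t *frame, size_t len)
{
    uint32_t saddr;
    int rc = ipv4_saddr_from_frame(frame, len, &saddr);
    if (rc < 0) return VERDICT_DROP;   /* malformed: never forward what could not be parsed */
    if (rc == 0) return VERDICT_PASS;  /* non-IPv4: left to the next stage of the pipeline */
    return bcp38_verdict(ifindex, saddr);
}

/* Test helper: build a minimal 34-byte Ethernet + IPv4 frame (constructed input),
 * optionally truncate it to `len` bytes, and return the verdict for it. */
int frame_verdict(uint32_t ifindex, uint16_t ethertype, uint32_t saddr, size_t len)
{
    uint8_t f[34];
    memset(f, 0, sizeof f);
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype;
    f[14] = 0x45;                      /* version 4, IHL 5 */
    f[17] = 20;                        /* total length */
    f[22] = 64;                        /* TTL */
    f[23] = 1;                         /* protocol: ICMP */
    f[26] = (uint8_t)(saddr >> 24); f[27] = (uint8_t)(saddr >> 16);
    f[28] = (uint8_t)(saddr >> 8);  f[29] = (uint8_t)saddr;
    f[30] = 198; f[31] = 51; f[32] = 100; f[33] = 1;   /* dst 198.51.100.1 */
    if (len > sizeof f) len = sizeof f;
    return ingress_verdict(ifindex, f, len);
}

int main(void)
{
    /* 0 = pass, 1 = drop */
    printf("own address on own port : %d\n", frame_verdict(10, 0x0800, 0x0A000105u, 34)); /* 0 */
    printf("neighbour's address     : %d\n", frame_verdict(10, 0x0800, 0x0A000205u, 34)); /* 1 */
    printf("truncated IPv4 header   : %d\n", frame_verdict(10, 0x0800, 0x0A000105u, 20)); /* 1 */
    return 0;
}
```

The point this makes about the in-data-plane model: the decision needs only the ingress interface and the source address, both of which are already in hand at the earliest hook, so the check costs a table lookup per packet and changing policy (a new prefix, a new subscriber) is a map update rather than a configuration push to a separate appliance. Dropping frames that fail to parse, rather than passing them, is the conservative choice for a filter that sits in front of forwarding.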

What a chassis costs you — and where it still wins

A proprietary chassis is a remarkable piece of engineering. It is also a large, fixed, vendor-controlled capital commitment: proprietary silicon, line cards, per-feature licences, power and rack, and a roadmap you don't own.

One purpose-built box vs a chassis stack (illustrative — the BNG function, not a price quote)
[Diagram: one purpose-built box vs a chassis stack, same BNG function. Proprietary chassis: route engine, line card · ASIC, line card · ASIC, per-feature licence, vendor lock-in, power · rack · spares. OrionOS on commodity x86: 1U / 2U x86 server, OrionOS image, all features included, scale out by adding boxes.]
The chassis bundles silicon, line cards, licences, lock-in and rack/power into one capital line. OrionOS delivers the BNG function on a commodity server with every feature in the image — and you scale by adding boxes, not by buying the next slot.
Dimension | Proprietary chassis OS | General-purpose distro | OrionOS
Attack surface | Large feature-rich OS | Full userland + packages | Minimal, BNG-only image
Hardware | Proprietary chassis + line cards | Commodity x86 | Commodity x86
Forwarding | Vendor ASIC | Often userspace, can wobble at scale | In-kernel XDP / eBPF
Security model | Licensed feature set | You assemble & harden it | Integral, in the data plane
Patch cadence | Vendor release train | Distro CVE treadmill | Your schedule, in software
Cost model | Chassis + cards + per-feature licence | Hardware + your integration effort | Commodity box; features included
Scaling | Buy the next slot / chassis | Add servers (if it scales) | Add commodity boxes
The fair comparison. At the very top of the network, a flagship chassis still wins on raw envelope: multi-Tbps per-slot ASIC throughput, hardware redundancy (dual route engines, hot-swap line cards and power), and decades of feature hardening that a single commodity server does not match. For a core or large peering router, that engineering is worth paying for. OrionOS targets the access and aggregation BNG tier, where software flexibility, a minimal attack surface, and commodity economics matter most — and where you scale horizontally across boxes rather than vertically into a bigger chassis. "Better" here means better-fit and better-value for the BNG role, not a claim to out-muscle core iron.

What runs on OrionOS today

OrionOS isn't a concept — it's the platform under the BNGSOFT feature set already in the field:

  • Edge security (Defend): Anti-spoof (BCP38), inbound + outbound DDoS containment, auto-quarantine — in the data plane.
  • Subscriber & CGNAT (Serve): PPPoE / IPoE subscriber management, carrier-grade NAT with compliant logging, IPv6.
  • Experience (Optimise): L4S / AQM low-latency, Flow Intelligence, Autonomous QoE — all on the same image.

The smallest trusted thing that can be a carrier BNG

OrionOS is built on a simple security premise: a router OS should ship the BNG and nothing else. Fewer services to attack, fewer CVEs to chase, an immutable image that reboots to a known-good state, and security that lives in the data plane and patches in software — all on hardware you can buy anywhere, with no per-feature licence deciding what your box may do.

For the access and aggregation BNG tier it is, honestly, the better-fit and better-value choice: the openness and patch-speed of software with the focus of an appliance — and you scale by adding commodity boxes, not by buying the next chassis slot.

Want the deep dive? We'll walk through the image build, the hardening model, the in-data-plane security stack, and the upgrade/rollback flow on a live node.

Sources & honest framing: This is a platform and security brief, not a benchmark or pricing report; no throughput, latency, or price figures are claimed. OrionOS characteristics described — a minimal, purpose-built carrier image; in-kernel XDP/eBPF forwarding; an immutable boot image that runs from a RAM root with the data-plane binary sourced only from the built image; integral in-data-plane security (anti-spoof / BCP38 source-address validation, inbound and outbound DDoS containment, auto-quarantine), subscriber management, CGNAT with compliant logging, and L4S/AQM QoS — reflect the platform's design and shipped feature set. Comparative statements about general-purpose distributions (larger attack surface; userspace forwarding scaling limits) and proprietary chassis platforms (vendor silicon and line cards, per-feature licensing, vendor release cadence, lock-in) reflect well-understood industry trade-offs, framed fairly: the brief explicitly acknowledges that flagship chassis platforms lead on multi-Tbps per-slot ASIC throughput, hardware redundancy, and feature maturity for core/peering roles, and positions OrionOS as the better-fit, better-value choice specifically for the access and aggregation BNG tier, scaling horizontally on commodity x86. Diagrams are conceptual and illustrate architecture, not measured results or quotations. Related per-topic briefs — Edge DDoS Protection, CGNAT Arena, Subscriber Experience, Flow Intelligence — are available alongside this guide.