OrionOS · purpose-built carrier OS · full BNG on commodity x86 · XDP data plane
Platform Brief · OrionOS Secure Carrier OS
A hardened, purpose-built carrier OS that does in one commodity box what a chassis does in a rack
Most BNGs are built one of two ways: a general-purpose Linux distribution bent into a router (large attack surface, packages you never use), or a proprietary chassis OS welded to a vendor's silicon (capable, but locked-in and expensive). OrionOS is the third path: a minimal, hardened carrier OS that carries only what a BNG needs — subscriber management, CGNAT, QoS, and edge security — running on commodity x86 with an XDP/eBPF data plane. It boots from an immutable image into a RAM root, so it returns to a known-good state on reboot; and its security lives in the data plane and updates in software, not on a line-card cycle.
Purpose-built, not a general distro: only what a BNG needs ships in the image, a fraction of the attack surface.
Commodity x86, no proprietary chassis: no ASIC line cards, no per-feature licences, no vendor lock-in.
Security in-line, XDP / eBPF: anti-spoof, DDoS, quarantine, CGNAT, all integral and software-updatable.
Your schedule, software-defined: fix and ship a patch in software rather than wait for a vendor release train.
A router OS should be the smallest trusted thing you can build, not the largest. OrionOS ships the BNG and nothing else — fewer services to attack, fewer CVEs to chase, and a reboot that lands on a known-good image every time.
Two common ways to build a BNG OS — and their costs
Path A
A general-purpose distribution
Ships a full userland, package manager, and services a router never uses — a broad, constantly-patched attack surface.
Forwarding bolted on in userspace often struggles to hold up at scale on commodity boxes.
Every distro CVE is now your CVE.
Path B
A proprietary chassis OS
Mature and capable — but tied to the vendor's silicon, line cards, and release cadence.
Per-feature licensing, expensive spares, and lock-in.
You patch and add features on the vendor's schedule, not yours.
OrionOS is the third path. A purpose-built carrier image — small enough to reason about, hardened by omission, running carrier-grade forwarding in the kernel via XDP on hardware you can buy anywhere. You get the control and openness of software with the focus and discipline of an appliance.
Attack surface: ship the BNG, not a general-purpose computer
A general-purpose OS carries a shell, a package manager and services a router never runs — each a line in the CVE feed. OrionOS ships the kernel + XDP forwarding + the BNG daemon and little else, from an immutable image into a RAM root: the surface to attack — and to patch — is a fraction of the size.
A smaller thing to attack, by construction
Hardened by omission: if a package, shell service or daemon isn't needed to run a BNG, it isn't in the image. The most secure component is the one that isn't there.
Immutable boot image: the running system boots from a single built and signed image into a RAM root, so a reboot returns to a known-good state rather than to whatever drifted at runtime. Configuration, and anything else you deliberately persist, is then the state that carries across reboots, and the thing to audit.
One binary source: the data-plane binary comes only from the built boot image; there are no ad-hoc package installs on production boxes to audit or trust.
Operator owns it: your hardware, your config, your logs, your kernel. No opaque licence server deciding what your box may do today.
Patch on your schedule: a fix is a software change you build and ship, not a line-card respin or a wait for the vendor's next train.
Reproducible image: the whole platform is built from source into one artefact and flashed; the same image, verifiably, on every node.
Security isn't a bolt-on — it lives in the data plane
Because forwarding runs in the kernel via XDP, the security controls run in the same fast path as the packets — at line rate, per subscriber, and updatable in software. There is no separate security box to buy, cable, and keep in sync.
Source validation, DDoS containment, quarantine, CGNAT and QoS all execute in the same XDP fast path — not on five separate appliances. New protections ship as a software update to the image, fleet-wide.
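To make the "same fast path as the packets" point concrete, here is an added example (not OrionOS code, and not a real XDP program) that models the per-subscriber BCP38 source-address check an XDP program would run on each ingress frame before any forwarding happens. The subscriber table, interface indexes and frames are constructed for illustration; a real XDP program would hold the table in a BPF map keyed by ingress ifindex and return XDP_PASS / XDP_DROP / XDP_ABORTED where this returns its own enum values. The bounds-check-before-every-access style is the discipline the BPF verifier would demand of the real thing.

```c
/* Added example: userspace model of a per-subscriber BCP38 ingress check
 * as an XDP program would perform it. Not OrionOS code; table, ifindexes
 * and frames are constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1, VERDICT_ABORT = 2 };

/* Each subscriber-facing port may source from exactly one prefix.
 * Constructed table: ifindex 10 -> 10.1.1.0/24, ifindex 11 -> 10.1.2.0/24. */
struct sub_entry { uint32_t ifindex; uint32_t prefix; uint8_t plen; };

static const struct sub_entry sub_table[] = {
    { 10, 0x0A010100u, 24 },
    { 11, 0x0A010200u, 24 },
};

static const struct sub_entry *lookup_sub(uint32_t ifindex)
{
    for (size_t i = 0; i < sizeof sub_table / sizeof sub_table[0]; i++)
        if (sub_table[i].ifindex == ifindex)
            return &sub_table[i];
    return NULL;
}

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Classify one ingress frame arriving on subscriber port `ifindex`.
 * Every header byte is bounds-checked against data_end before it is read. */
enum verdict bcp38_verdict(const uint8_t *data, size_t len, uint32_t ifindex)
{
    const uint8_t *data_end = data + len;

    if (data + 14 > data_end)                 /* truncated Ethernet header */
        return VERDICT_ABORT;
    uint16_t ethertype = (uint16_t)(data[12] << 8 | data[13]);
    if (ethertype != 0x0800)                  /* only IPv4 is modelled here */
        return VERDICT_PASS;

    const uint8_t *ip = data + 14;
    if (ip + 20 > data_end)                   /* truncated IPv4 header */
        return VERDICT_ABORT;
    if ((ip[0] >> 4) != 4)                    /* ethertype says v4, header disagrees */
        return VERDICT_DROP;

    const struct sub_entry *s = lookup_sub(ifindex);
    if (s == NULL)                            /* unknown subscriber port: fail closed */
        return VERDICT_DROP;

    uint32_t saddr = be32(ip + 12);
    uint32_t mask  = s->plen ? ~0u << (32 - s->plen) : 0;
    return ((saddr & mask) == (s->prefix & mask)) ? VERDICT_PASS : VERDICT_DROP;
}

/* Build a minimal Ethernet + IPv4 frame (no payload) with the given addresses.
 * Constructed input for the example, not captured traffic. Returns frame length. */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint32_t saddr, uint32_t daddr)
{
    if (cap < 34) return 0;
    for (size_t i = 0; i < 34; i++) buf[i] = 0;
    buf[12] = 0x08; buf[13] = 0x00;                 /* ethertype IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[3] = 20;                                     /* total length 20 */
    ip[8] = 64; ip[9] = 17;                         /* TTL, protocol UDP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    return 34;
}

/* Convenience: build a frame from `saddr` and classify it on `ifindex`. */
enum verdict classify(uint32_t saddr, uint32_t ifindex)
{
    uint8_t frame[64];
    size_t n = build_ipv4_frame(frame, sizeof frame, saddr, 0xC0000201u); /* dst 192.0.2.1 */
    return bcp38_verdict(frame, n, ifindex);
}

int main(void)
{
    static const char *names[] = { "DROP", "PASS", "ABORT" };
    printf("10.1.1.5 on port 10: %s\n",  names[classify(0x0A010105u, 10)]); /* PASS */
    printf("192.0.2.5 on port 10: %s\n", names[classify(0xC0000205u, 10)]); /* DROP: spoofed */
    printf("10.1.1.5 on port 11: %s\n",  names[classify(0x0A010105u, 11)]); /* DROP: wrong port */
    return 0;
}
```

Two design choices matter for the real thing as much as for the model: an unknown ingress port drops rather than passes (fail closed, so a mis-provisioned port cannot become a spoofing source), and a truncated frame is aborted rather than forwarded, since a header you could not fully read is not one you can validate.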
What a chassis costs you — and where it still wins
A proprietary chassis is a remarkable piece of engineering. It is also a large, fixed, vendor-controlled capital commitment: proprietary silicon, line cards, per-feature licences, power and rack, and a roadmap you don't own.
One purpose-built box vs a chassis stack (illustrative — the BNG function, not a price quote)
The chassis bundles silicon, line cards, licences, lock-in and rack/power into one capital line. OrionOS delivers the BNG function on a commodity server with every feature in the image — and you scale by adding boxes, not by buying the next slot.
Dimension      | Proprietary chassis OS                | General-purpose distro                  | OrionOS
Attack surface | Large feature-rich OS                 | Full userland + packages                | Minimal, BNG-only image
Hardware       | Proprietary chassis + line cards      | Commodity x86                           | Commodity x86
Forwarding     | Vendor ASIC                           | Often userspace; hard to hold at scale  | In-kernel XDP / eBPF
Security model | Licensed feature set                  | You assemble & harden it                | Integral, in the data plane
Patch cadence  | Vendor release train                  | Distro CVE treadmill                    | Your schedule, in software
Cost model     | Chassis + cards + per-feature licence | Hardware + your integration effort      | Commodity box; features included
Scaling        | Buy the next slot / chassis           | Add servers (if it scales)              | Add commodity boxes
The fair comparison. At the very top of the network, a flagship chassis still wins on raw envelope: multi-Tbps per-slot ASIC throughput, hardware redundancy (dual route engines, hot-swap line cards and power), and decades of feature hardening that a single commodity server does not match. For a core or large peering router, that engineering is worth paying for. OrionOS targets the access and aggregation BNG tier, where software flexibility, a minimal attack surface, and commodity economics matter most — and where you scale horizontally across boxes rather than vertically into a bigger chassis. "Better" here means better-fit and better-value for the BNG role, not a claim to out-muscle core iron.
What runs on OrionOS today
OrionOS isn't a concept — it's the platform under the BNGSOFT feature set already in the field:
Edge security (Defend): anti-spoof (BCP38), inbound + outbound DDoS containment, auto-quarantine, all in the data plane.
L4S / AQM low-latency, Flow Intelligence, Autonomous QoE — all on the same image.
The smallest trusted thing that can be a carrier BNG
OrionOS is built on a simple security premise: a router OS should ship the BNG and nothing else. Fewer services to attack, fewer CVEs to chase, an immutable image that reboots to a known-good state, and security that lives in the data plane and patches in software — all on hardware you can buy anywhere, with no per-feature licence deciding what your box may do.
For the access and aggregation BNG tier it is, honestly, the better-fit and better-value choice: the openness and patch-speed of software with the focus of an appliance — and you scale by adding commodity boxes, not by buying the next chassis slot.
Want the deep dive? We'll walk through the image build, the hardening model, the in-data-plane security stack, and the upgrade/rollback flow on a live node.
Sources & honest framing: This is a platform and security brief, not a benchmark or pricing report; no throughput, latency, or price figures are claimed. OrionOS characteristics described — a minimal, purpose-built carrier image; in-kernel XDP/eBPF forwarding; an immutable boot image that runs from a RAM root with the data-plane binary sourced only from the built image; integral in-data-plane security (anti-spoof / BCP38 source-address validation, inbound and outbound DDoS containment, auto-quarantine), subscriber management, CGNAT with compliant logging, and L4S/AQM QoS — reflect the platform's design and shipped feature set. Comparative statements about general-purpose distributions (larger attack surface; userspace forwarding scaling limits) and proprietary chassis platforms (vendor silicon and line cards, per-feature licensing, vendor release cadence, lock-in) reflect well-understood industry trade-offs, framed fairly: the brief explicitly acknowledges that flagship chassis platforms lead on multi-Tbps per-slot ASIC throughput, hardware redundancy, and feature maturity for core/peering roles, and positions OrionOS as the better-fit, better-value choice specifically for the access and aggregation BNG tier, scaling horizontally on commodity x86. Diagrams are conceptual and illustrate architecture, not measured results or quotations. Related per-topic briefs — Edge DDoS Protection, CGNAT Arena, Subscriber Experience, Flow Intelligence — are available alongside this guide.