High-Performance XDP BNG · CGNAT · Anti-Spoof · DDoS · NOC2 Operations
Carrier Platform · Solution Overview

One XDP Data Plane. BNG, CGNAT, Edge Security and Fleet Operations — on Commodity Servers.

BNGSOFT is a software Broadband Network Gateway built on an in-kernel XDP/eBPF data plane. Subscriber termination, IPv4 conservation, source-spoofing prevention, DDoS protection and centralized operations run as one integrated platform on standard Intel servers — at line rate, without proprietary silicon or per-port licensing.
Most operators stitch the edge together from several boxes — a BNG, a CGNAT appliance, a DDoS scrubber, a separate NMS. BNGSOFT collapses that into one server and one data plane: authorize in software, then forward, translate, validate and police every packet in XDP.
  • ONE data plane: BNG · CGNAT · security · QoS in a single XDP program
  • ~64k subscribers per commodity server
  • LINE RATE processing in the NIC driver path, low CPU
  • ZERO downtime: upgrade the software, traffic keeps flowing

The platform is organized as one control plane that authorizes and one XDP data plane that enforces. Subscribers are authenticated through your existing RADIUS; the moment a session is authorized, its IP→interface mapping, QoS plan, NAT policy and security state are written into the bngxdpd pinned maps. From that instant every packet is forwarded, translated, source-validated and shaped in the fast path — with no round-trip to software. The six pillars below are not separate products; they are facets of the same data plane.

The platform at a glance

1 · XDP Data Plane

In-kernel eBPF forwarding at line rate on commodity Intel NICs — the foundation every other capability runs on.

2 · BNG & AAA

PPPoE + IPoE termination, RADIUS auth/accounting/CoA, dual-stack IPv4/IPv6 with prefix delegation.

3 · CGNAT

Carrier-grade NAT with port-block allocation, multiple NAT modes, deterministic logging and exempt destinations.

4 · Anti-Spoof (BCP38)

Per-subscriber source validation in XDP — spoofed source addresses dropped at ingress, line rate.

5 · DDoS Protection

Upload self-protection, outbound-abuse quarantine and inbound attack-pattern drop — in the data plane.

6 · NOC2 Operations

Fleet metrics, licensing, capacity projection and per-subscriber diagnostics from one pane of glass.

One box, one image, one licence model. Static-public and CGNAT subscribers, PPPoE and IPoE, security and QoS all run concurrently on the same server. There is no separate appliance — or licence tier — for "CGNAT" versus "security" versus "BNG".

1 · XDP data plane — the performance foundation

Every capability in BNGSOFT is implemented in a monolithic eBPF program that runs in the NIC driver path (XDP), before the kernel network stack. Packets are forwarded, translated, filtered and policed at line rate with a fraction of the CPU a stack-based path would burn — which is what makes it viable to run BNG, CGNAT and security together on one commodity server.

IN-KERNEL · XDP
Line rate, low CPU.
  • Forwarding in the NIC driver path on standard Intel NICs (i40e / ice / E810-class).
  • Roughly an order of magnitude less CPU than stack-based forwarding.
  • No proprietary silicon, no per-port licence.
ONE PROGRAM
All facets, one path.
  • BNG, CGNAT, anti-spoof, DDoS and QoS in a single optimized data path.
  • Driven by shared pinned maps the control plane writes.
  • Add capabilities without adding boxes.
ZERO-DOWNTIME
Upgrade live (ISSU).
  • Maps and state survive a daemon restart.
  • Software upgrades without dropping subscriber traffic.
  • Routine maintenance stops being an outage window.

2 · BNG & AAA — subscriber termination at the edge

A complete BNG for PPPoE and IPoE on the same box. The platform is a standards-based NAS: it speaks RADIUS authentication, accounting and CoA to your existing RADIUS/billing stack, so plan changes, suspends and reactivations are live changes to the running session — no reconnect, no truck roll.

ACCESS & AAA
Plugs into your RADIUS.
  • PPPoE + IPoE concurrently; dynamic per-customer VLANs incl. QinQ.
  • RADIUS auth · accounting · live Change-of-Authorization.
  • Local chap-secrets mode where there is no RADIUS.
  • ~64k concurrent sessions per commodity server.
  • ▸ See the Subscriber Management & AAA brief
DUAL-STACK & QoS
IPv4 + IPv6, shaped in XDP.
  • IPv4, IPv6 and DHCPv6 Prefix Delegation, including IPv6-unnumbered.
  • Per-plan rate enforced per packet in the XDP fast path.
  • Static-public and CGNAT subscribers on the same node.
  • ▸ See the IPv6 / Dual-Stack and QoS briefs

3 · CGNAT — IPv4 conservation at carrier scale

Carrier-grade NAT that shares public IPv4 efficiently while staying deterministic and traceable — and runs on the same data plane as the BNG, not a separate appliance.

Capability · What it delivers
  • Port-block allocation: efficient public-IP sharing with predictable per-subscriber port ranges; conserves scarce IPv4.
  • NAT modes: Full-Cone (EIF), Symmetric, FCFS port-preservation and 1:1 — matched to application needs.
  • Deterministic & logged: log-reducing deterministic allocation plus IPFIX/syslog records for lawful-intercept and traceability.
  • Exempt destinations: IPTV and on-net traffic bypass NAT (LPM-matched, hot-reloadable) — no wasted translations.
  • Graceful restart: active NAT sessions preserved across software upgrades — zero-downtime applies to CGNAT too.
Static-public and CGNAT, concurrently. The subscriber's attributes decide the path — a per-subscriber public /32 or a private address behind the carrier NAT — on one box, one image. ▸ See the full CGNAT and Compliance/Logging briefs.
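The deterministic-allocation and traceability properties above can be shown with a small user-space model. The following is an added example, not BNGSOFT code: it maps each private subscriber address to a fixed (public IP, port block) by a pure function of configuration, so the binding never has to be logged per flow, and it offers the reverse lookup an abuse report or lawful-intercept request needs. The pool sizes, block size, first usable port, round-robin spreading rule, exempt prefixes and the record field names are all assumptions chosen for illustration.

```python
"""Added example (not BNGSOFT code): a user-space model of deterministic
CGNAT port-block allocation, the reverse lookup it makes possible, and an
exempt-destination bypass.  Pool sizes, block size, first port and the
spreading rule are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortBlock:
    public_ip: str
    port_start: int
    port_end: int  # inclusive


class DeterministicCgnat:
    """Subscriber i (its offset inside the private pool) always gets the same
    (public IP, port block), so the binding is computable from configuration
    alone and a single record per allocation is enough for traceability."""

    def __init__(self, private_pool, public_pool, block_size=1024,
                 first_port=1024, exempt=()):
        self.private = ipaddress.ip_network(private_pool)
        # every address of a NAT pool is usable; no network/broadcast exclusion
        self.public = list(ipaddress.ip_network(public_pool))
        self.block_size = block_size
        self.first_port = first_port
        self.blocks_per_ip = (65536 - first_port) // block_size
        self.exempt = [ipaddress.ip_network(p) for p in exempt]
        capacity = len(self.public) * self.blocks_per_ip
        if self.private.num_addresses > capacity:
            raise ValueError(f"private pool needs {self.private.num_addresses} "
                             f"blocks, public pool offers {capacity}")

    def _index(self, private_ip):
        addr = ipaddress.ip_address(private_ip)
        if addr not in self.private:
            raise ValueError(f"{private_ip} is not in the CGNAT private pool")
        return int(addr) - int(self.private.network_address)

    def block_for(self, private_ip):
        """Forward mapping.  Assumed spreading rule: consecutive subscribers are
        round-robined across public IPs, then stacked into successive blocks."""
        i = self._index(private_ip)
        ip_idx, block_no = i % len(self.public), i // len(self.public)
        start = self.first_port + block_no * self.block_size
        return PortBlock(str(self.public[ip_idx]), start, start + self.block_size - 1)

    def subscriber_for(self, public_ip, port):
        """Reverse mapping for abuse reports / lawful intercept: which private
        address owned (public_ip, port)?  None for reserved ports, unknown
        public IPs, or blocks that no subscriber occupies."""
        try:
            ip_idx = self.public.index(ipaddress.ip_address(public_ip))
        except ValueError:
            return None
        if port < self.first_port or port > 65535:
            return None
        block_no = (port - self.first_port) // self.block_size
        if block_no >= self.blocks_per_ip:
            return None
        i = block_no * len(self.public) + ip_idx
        if i >= self.private.num_addresses:
            return None
        return str(self.private.network_address + i)

    def is_exempt(self, dst):
        """On-net destinations such as IPTV bypass NAT (prefix match)."""
        d = ipaddress.ip_address(dst)
        return any(d in net for net in self.exempt)

    def allocation_record(self, private_ip):
        """The one log record deterministic allocation needs per subscriber
        (field names are this example's own, not an IPFIX template)."""
        b = self.block_for(private_ip)
        return {"subscriber": private_ip, "public_ip": b.public_ip,
                "port_start": b.port_start, "port_end": b.port_end}


if __name__ == "__main__":
    # constructed pools: 256 private addresses behind 8 public addresses
    nat = DeterministicCgnat("100.64.0.0/24", "203.0.113.0/29",
                             exempt=["10.10.0.0/16"])
    print(nat.allocation_record("100.64.0.9"))
    print(nat.subscriber_for("203.0.113.1", 2500))
```

With a /24 private pool and a /29 public pool at 1024-port blocks, 63 blocks fit per public address, so each public IP is shared by up to 32 subscribers here and the reverse lookup is a handful of integer operations with no session log consulted.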

4 · Anti-Spoof (BCP38) — validated source on every packet

The platform never trusts a subscriber's claimed source address. Each session carries an allow-list of exactly the addresses we assigned it (IPv4 + delegated IPv6); on every uplink packet the XDP program checks the source against that list and drops anything spoofed at line rate, at ingress.

PER-SUBSCRIBER uRPF
Source must match.
  • Allow-list = the exact IPv4 + IPv6 we assigned the session.
  • Enforced for both address families in XDP.
SPOOFING STOPPED
At the source.
  • Reflection/amplification DDoS relies on spoofing the victim's IP — those packets never leave the network.
  • One customer cannot impersonate another.
SAFE ROLLOUT
Observe → enforce.
  • Observe mode first; auto-arms on subscriber-load stability.
  • No legitimate traffic dropped during ramp-up.
Why it matters: source validation at the edge is what keeps your network from being used as a spoofing/DDoS source — the root cause behind most reflection attacks and IP-impersonation abuse. ▸ See the Edge Security brief.
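The check described in this section is simple enough to model exactly in user space. The following is an added example, not BNGSOFT code: a session table keyed by an access identifier holds exactly the prefixes assigned at authorization, every uplink packet's source is matched against that list for both address families, and the observe-then-enforce rollout is a mode flag that counts spoofed sources before it starts dropping them. The session key shape, prefixes, counter names, the explicit arm() call standing in for the platform's auto-arming, and the choice to drop packets from lines that have no authorized session are this example's assumptions.

```python
"""Added example (not BNGSOFT code): a user-space model of the per-subscriber
source-validation check an XDP program applies to every uplink packet, with the
observe-then-enforce rollout the overview describes.  Session keys, prefixes,
counter names and the no-session behaviour are this example's assumptions."""
import ipaddress
from collections import Counter

PASS, DROP = "PASS", "DROP"


class SourceValidator:
    def __init__(self, enforce=False):
        self.enforce = enforce
        self.sessions = {}      # session key, e.g. (port, svlan, cvlan) -> allowed networks
        self.stats = Counter()

    def bind(self, key, *prefixes):
        """Written at session authorization: exactly the IPv4 address and the
        delegated IPv6 prefix the session was assigned, nothing broader."""
        self.sessions[key] = [ipaddress.ip_network(p) for p in prefixes]

    def unbind(self, key):
        """Session teardown removes the allow-list; the line can source nothing."""
        self.sessions.pop(key, None)

    def arm(self):
        """Switch from observe to enforce (the platform does this automatically)."""
        self.enforce = True

    def verdict(self, key, src):
        """Decide one uplink packet.  Source must fall inside the session's
        allow-list; IPv4 and IPv6 entries never cross-match."""
        allowed = self.sessions.get(key)
        if allowed is None:
            self.stats["no_session"] += 1
            return DROP                     # assumption: unauthorized line sends nothing
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            self.stats["malformed"] += 1
            return DROP
        if any(addr in net for net in allowed):
            self.stats["pass"] += 1
            return PASS
        self.stats["spoof_seen"] += 1
        if not self.enforce:
            self.stats["spoof_observed_passed"] += 1
            return PASS                     # observe mode: count it, let it through
        self.stats["spoof_dropped"] += 1
        return DROP

    def run(self, packets):
        """packets: iterable of (session key, source address) pairs."""
        return [self.verdict(key, src) for key, src in packets]


if __name__ == "__main__":
    # constructed session: one IPv4 /32 plus a delegated IPv6 /56
    v = SourceValidator()
    v.bind(("ge-0/0/1", 100, 7), "198.51.100.10/32", "2001:db8:100::/56")
    traffic = [(("ge-0/0/1", 100, 7), "198.51.100.10"),   # own address: pass
               (("ge-0/0/1", 100, 7), "198.51.100.11"),   # neighbour's address: spoof
               (("ge-0/0/1", 100, 7), "2001:db8:100:7::1"),  # inside delegated prefix
               (("ge-0/0/1", 100, 7), "2001:db8:200::1"),    # outside it: spoof
               (("ge-0/0/1", 100, 8), "10.0.0.1")]           # line with no session
    print("observe:", v.run(traffic), dict(v.stats))
    v.arm()
    print("enforce:", v.run(traffic), dict(v.stats))
```

The spoof_seen counter is what a safe rollout watches: a session whose observed spoof count stays at zero loses nothing when enforcement is armed, while a non-zero count before arming points at a misconfigured CPE or an extra prefix that should have been in the allow-list.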

5 · DDoS Protection — in the data plane, not a separate scrubber

Layered defense that protects the BNG itself, the upstream, and every subscriber — built into XDP, so there is no separate scrubbing appliance to license or hairpin traffic through.

UPLOAD SELF-PROTECTION
The box stays healthy.
  • Rate-protects the BNG from upload floods — always on.
  • One abusive line can't starve the control plane or other customers.
OUTBOUND ABUSE
Contain the source.
  • Detects abnormal outbound patterns from compromised CPEs.
  • Flags and contains abusers before traffic reaches upstream.
INBOUND HARDENING
Drop attack patterns.
  • Malformed and known-attack packets dropped in XDP.
  • Attack traffic can't be used to exhaust BNG resources.
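Two of the upload-side limits mentioned on this page, the per-plan rate enforced per packet (section 2) and the upload self-protection that keeps one flooding line from starving the control plane (above), can both be modelled with a token bucket. The following is an added example, not BNGSOFT code: each subscriber gets a byte bucket at its plan rate and a separate packet bucket for traffic bound for the control plane, so a line that exceeds either budget is dropped before it consumes anything further. The rates, burst sizes, evaluation order and verdict names are assumptions chosen for illustration.

```python
"""Added example (not BNGSOFT code): a user-space token-bucket model of two
upload-side limits, the per-plan upload rate enforced per packet and a
per-subscriber cap on packets punted to the control plane.  Rates, bursts,
check order and verdict names are assumptions chosen for illustration."""
from collections import Counter


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/s up to `burst`; allow()
    charges `cost` tokens and refuses when they are not available."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now, cost=1):
        elapsed = max(0.0, now - self.last)      # a clock step backwards never refunds
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


class UploadPolicer:
    PASS, DROP_PLAN, DROP_CP = "PASS", "DROP_PLAN_RATE", "DROP_CP_FLOOD"

    def __init__(self, plan_bps, cp_pps, cp_burst_pkts):
        self.plan_bps = plan_bps          # subscriber plan, bits per second
        self.cp_pps = cp_pps              # packets/s one line may send to the control plane
        self.cp_burst = cp_burst_pkts
        self.plan = {}                    # subscriber -> byte bucket at the plan rate
        self.cp = {}                      # subscriber -> packet bucket for control-plane traffic

    def _bucket(self, table, sub, rate, burst):
        if sub not in table:
            table[sub] = TokenBucket(rate, burst)
        return table[sub]

    def police(self, sub, now, length, to_control_plane=False):
        """One uplink packet of `length` bytes from `sub` at time `now` (seconds).
        Assumed order: plan rate first, then the control-plane cap."""
        bytes_per_s = self.plan_bps / 8           # burst = one second at plan rate
        if not self._bucket(self.plan, sub, bytes_per_s, bytes_per_s).allow(now, length):
            return self.DROP_PLAN
        if to_control_plane and not self._bucket(
                self.cp, sub, self.cp_pps, self.cp_burst).allow(now):
            return self.DROP_CP
        return self.PASS

    def batch(self, sub, now, count, length, to_control_plane=False):
        """Feed `count` identical packets at one instant; count the verdicts."""
        return Counter(self.police(sub, now, length, to_control_plane)
                       for _ in range(count))


if __name__ == "__main__":
    # constructed scenario: a 1 Mbit/s plan, 10 control-plane packets/s per line
    p = UploadPolicer(plan_bps=1_000_000, cp_pps=10, cp_burst_pkts=10)
    print("data flood at t=0  :", dict(p.batch("line-a", 0.0, 100, 1500)))
    print("data flood at t=1  :", dict(p.batch("line-a", 1.0, 100, 1500)))
    print("PPPoE flood at t=2 :", dict(p.batch("line-b", 2.0, 20, 64, True)))
    print("PPPoE flood at t=2.5:", dict(p.batch("line-b", 2.5, 10, 64, True)))
```

With a 1 Mbit/s plan the byte bucket holds 125,000 bytes, so a burst of 100 full-size 1500-byte frames passes 83 and drops 17, and the bucket is full again one second later; the control-plane bucket admits ten packets, then refills at ten per second regardless of how much plan bandwidth the line still has.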

6 · NOC2 — operate the whole fleet from one place

Monitoring, licensing, capacity and diagnostics across every node — so the platform is as easy to run at scale as it is to deploy.

VISIBILITY & DIAGNOSTICS
See every node and subscriber.
  • Live per-node and per-subscriber metrics in one JSON snapshot.
  • Built-in diagnose and per-subscriber view (CGNAT state, QoE, latency).
  • Self-test on every start — modules, XDP attach, pinned state.
LICENSING & CAPACITY
Plan and control centrally.
  • Central activation, perpetual or term, with graceful offline grace mode.
  • Historical capacity collection and trend projection per node.
  • Fleet-wide upgrades coordinated with zero-downtime restarts.
  • ▸ See the Operations Intelligence brief

7 · Low latency & subscriber experience

Because the data path is owned end-to-end, the platform also delivers modern L4S / AQM low-latency queue management with per-subscriber QoE telemetry and interactive-flow protection — so real-time traffic stays responsive even under load.

Quality is built in, not bolted on. Latency-aware scheduling and experience scoring run in the same XDP path as forwarding and CGNAT — measured on live multi-thousand-subscriber deployments. ▸ See the L4S Low-Latency, Interactive Flow Protection and Subscriber Experience briefs.

8 · What it means for the business

BNGSOFT Platform · operator value
  • Collapse the edge into one box: BNG, CGNAT, anti-spoof, DDoS and QoS on one commodity server — fewer appliances, fewer vendors, simpler operations.
  • Line rate on commodity hardware: an in-kernel XDP data plane runs the whole platform at a fraction of the CPU — no proprietary silicon or per-port licensing.
  • Conserve IPv4, defer CapEx: carrier-grade CGNAT shares scarce public IPv4 efficiently while staying deterministic and lawful-intercept friendly.
  • Can't be a DDoS source: per-subscriber source validation drops spoofed traffic at the edge — your network stays off blocklists and out of reflection attacks.
  • Upgrade without an outage: zero-downtime restarts — including for CGNAT state — turn maintenance windows into routine changes.
  • Run the fleet from one pane: NOC2 centralizes metrics, licensing, capacity projection and per-subscriber diagnostics across every node.

The bottom line

BNGSOFT is a single software platform for the broadband edge: subscriber termination, IPv4 conservation, source-spoofing prevention, DDoS protection, low-latency QoS and fleet operations — all on one XDP data plane, on the commodity servers you already buy.

Authorize once, in software; enforce every packet, in XDP. One box, one image, line rate — and zero-downtime upgrades across the fleet.

Scope and honest framing: This document is a platform overview of the BNGSOFT XDP BNG and its capability set; each pillar has a dedicated detail brief (XDP/Network Acceleration, Subscriber Management & AAA, IPv6/Dual-Stack, full CGNAT, CGNAT Compliance/Logging, Edge Security, QoS, L4S Low-Latency, Interactive Flow Protection, Subscriber Experience, Operations Intelligence, Zero-Downtime ISSU).

The platform is a software BNG whose forwarding, CGNAT, source-validation, DDoS and QoS logic run in an in-kernel XDP/eBPF data plane on commodity x86 servers with standard Intel NICs (i40e / ice / E810-class); the control plane authorizes subscribers and writes per-subscriber state (IP→interface, QoS plan, NAT and security policy) into the bngxdpd pinned maps.

AAA: the BNG acts as the NAS (authenticator/accounting client) toward the operator's own RADIUS/billing system, which makes all authorization, lifecycle and CoA decisions; PPPoE and IPoE are supported concurrently with dynamic per-customer VLANs (incl. QinQ); a local chap-secrets mode exists for deployments without RADIUS.

CGNAT supports port-block allocation, Full-Cone (EIF)/Symmetric/FCFS/1:1 modes, deterministic allocation, IPFIX/syslog logging, LPM-matched exempt destinations and graceful (zero-downtime) restart. Anti-spoof is per-subscriber source validation (BCP38/uRPF) for IPv4 and IPv6, deployed observe-then-enforce. DDoS protection comprises BNG upload self-protection, outbound-abuse detection/quarantine and inbound attack-pattern drop, all in the data plane. NOC2 provides fleet metrics, licensing (perpetual/term with offline grace mode), capacity history/projection, and per-node/per-subscriber diagnostics.
Performance figures are indicative of commodity-server deployments and throughput-driven: approximately 64,000 concurrent subscriber sessions per 2×100G server (capacity ≈ NIC usable line rate ÷ ~3 Mbps busy-hour per-subscriber rate, capped by a ~131,072-entry per-node table ceiling), line-rate XDP processing at substantially lower CPU than a kernel-stack forwarding path, and zero-downtime software upgrades; exact numbers depend on hardware, NIC, traffic mix and enabled features and should be validated per deployment. Prepared as a management and operations overview for large-scale broadband operators. The BNGSOFT logo, product and feature names are property of BNGSOFT.