Architecture

AthenaBNG is a multi-process system where each daemon handles a specific responsibility. This design provides isolation, independent restartability, and clear operational boundaries.

System Overview​

                        ┌─────────────────────────────────┐
                        │         Subscriber VLANs        │
                        │   (PPPoE / DHCP / IPoE traffic) │
                        └──────────────┬──────────────────┘
                                       │
                              ┌────────▼────────┐
                              │   abng-demux    │
                              │  VLAN Demux     │
                              │  (AF_PACKET)    │
                              └────────┬────────┘
                                       │ creates VLAN interfaces
                              ┌────────▼────────┐
                              │     abngd       │
                              │  Orchestrator   │◄──── abng-cli (Unix socket)
                              │  Session DB     │◄──── REST API  (Unix socket)
                              │  IPC Hub        │◄──── SNMP Agent(Unix socket)
                              └───┬────┬────┬───┘
                                  │    │    │
                    ┌─────────────┤    │    ├─────────────┐
                    ▼             ▼    │    ▼             ▼
              ┌──────────┐ ┌──────┴────┤ ┌──────────┐ ┌──────────┐
              │ accel-ppp│ │abng-dhcpd│  │ abng-qos │ │   FRR    │
              │  PPPoE   │ │  DHCP    │  │   CAKE   │ │ BGP/OSPF │
              └──────────┘ └──────────┘  └──────────┘ └──────────┘
                                  │
                           ┌──────▼──────┐
                           │  CGNAT VRF  │
                           │  Steering   │──► External CGNAT
                           └─────────────┘    (e.g. NFware)

Daemon Responsibilities​

abng-demux — VLAN Demultiplexer​

The front door of the BNG. Listens on trunk interfaces using AF_PACKET sockets and watches for:

• PPPoE Discovery (PADI) frames
• DHCP Discover frames

When a new subscriber frame arrives on an unconfigured VLAN, abng-demux:

1. Parses the VLAN tag stack (supports 802.1Q, 802.1ad, and arbitrary nesting)
2. Creates the VLAN interface chain (outer → inner)
3. Brings up the interfaces
4. Notifies abngd

Performance: Processes frames at wire speed using BPF filters and pre-allocated buffers. Rate limiting and deduplication prevent resource exhaustion from malicious or noisy subscribers.

abngd — Central Orchestrator​

The brain of the system. abngd:

• Maintains the subscriber session database
• Manages accel-ppp for PPPoE session termination
• Manages abng-dhcpd for DHCP/IPoE sessions
• Coordinates QoS application and removal
• Handles RADIUS CoA/Disconnect messages
• Manages CGNAT VRF steering to external NAT appliances
• Exposes the IPC socket for CLI, REST API, and SNMP

All session state flows through abngd. External components never modify system state directly.

abng-dhcpd — DHCP Server​

Built-in DHCP server for IPoE subscribers:

• AF_PACKET relay on subscriber VLANs (no IP address required)
• RADIUS authentication per subscriber (MAC-based)
• Full RADIUS accounting (Start/Stop/Interim-Update)
• Interface traffic counter collection for accurate byte/packet reporting
• Graceful shutdown with NAS-Reboot accounting

abng-qos — QoS Orchestrator​

Per-subscriber traffic shaping using the CAKE queuing discipline:

• Creates IFB devices for ingress shaping
• Applies CAKE with correct overhead profiles per encapsulation type
• Supports real-time rate changes via RADIUS CoA (hitless, no packet loss)
• Automatic cleanup on session teardown

abng-cli — Network OS CLI​

JunOS/VyOS-style command-line interface:

• Operational mode — show subscribers, show vlans, monitor, etc.
• Configuration mode — set, delete, commit, rollback
• Tab completion, ? help, pipe filters (| match, | count)
• Non-interactive mode for scripting

Integration Points​

RADIUS​

All RADIUS communication uses standard RFC attributes plus Athena vendor-specific attributes (VSA):

• Authentication — Access-Request/Accept/Reject for PPPoE and IPoE
• Accounting — Start/Stop/Interim-Update with full traffic counters
• CoA — Real-time rate changes, session attributes, and policy updates
• Disconnect — Administrative session termination

FRRouting​

Subscriber /32 routes are injected into the kernel routing table. FRRouting redistributes them into your IGP/EGP:

• BGP — Announce subscriber prefixes to upstream
• OSPF — Distribute within your network
• IS-IS — For large-scale ISP backbones

CGNAT VRF Steering​

CGNAT traffic is steered via a dedicated Linux VRF. AthenaBNG creates the VRF, moves the handoff interface into it, and uses nftables packet marking with policy routing to direct RFC 6598 subscriber traffic to your external CGNAT appliance (e.g. NFware vCGNAT). Built-in deterministic CGNAT is on the roadmap.

Deployment Models​

Single Server​

For smaller ISPs (up to ~5,000 subscribers):

┌──────────────────────────────┐
│        Single Server         │
│  abng-demux + abngd +        │
│  abng-dhcpd + abng-qos +     │
│  accel-ppp + FRR + nftables  │
├──────────────────────────────┤
│  Trunk: 10GbE to access      │
│  Uplink: 10GbE to core       │
│  Mgmt: 1GbE OOB              │
└──────────────────────────────┘

Router-on-a-Stick​

The BNG operates on a single trunk interface with subscriber and upstream traffic separated by QinQ VLANs. Management is always on a separate interface.

Next Steps​

• Features Overview — Detailed feature descriptions
• Why AthenaBNG — Business case and comparisons
• Get in Touch — Discuss your deployment