Broadband Network Gateways
Broadband Network Gateways (BNG), also interchangeably called Network Access Servers (NAS), are the brains of the ISP infrastructure. They are the critical plane where user traffic funnels through towards the internet border: critical infrastructure that makes the modern internet possible.
Why do we need a BNG?
When you have millions of subscribers sharing network infrastructure, you need something that knows who is connected, what they are allowed to do, and how much they’re allowed to use. Authentication, authorization, policy enforcement, traffic shaping, all at line rate, per subscriber. That is the BNG’s job.

Split it in two: Control Plane and Data Plane
BNGs are split into two parts: the control plane, which handles the logic for authentication, authorization, QoS and so on, and the data plane, which handles packets moving at line rate. Most of the complexity comes from syncing these two planes at scale.
The Control Plane
Control plane is a commonly used term in networking which means the brain of the system. In a BNG, the control plane is responsible for identifying a subscriber, session management, traffic shaping (limiting speeds), and policy application. Authentication is handled through different protocols like RADIUS, DIAMETER, 802.1X and so on. Aether, my custom implementation of a virtual BNG (vBNG), uses RADIUS for authentication and authorization.

Subscribers authenticate through PPPoE or IPoE. PPPoE carries its own link-layer authentication via PPP, with CHAP being the standard, where the password never travels in plaintext. IPoE skips the PPP handshake entirely: the BNG identifies the subscriber through Option 82, a field injected by the DHCP relay agent at the access switch that tells the BNG where the subscriber is physically connected. Another blog on Option 82 coming up.
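
The CHAP exchange described above, as an added example (not Aether's code): the BNG sends a random challenge, the subscriber answers with the RFC 1994 MD5 value, and the BNG checks it, so only the challenge and a hash cross the link. The names Authenticator, chap_response and demo, the subscriber name and the in-memory secret table (standing in for the RADIUS user store) are assumptions.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 value: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """BNG side of CHAP: issues single-use challenges and checks responses."""
    def __init__(self, secrets):
        self.secrets = secrets   # assumption: stand-in for the RADIUS user store
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        self.pending[ident] = os.urandom(16)      # unpredictable, per attempt
        return ident, self.pending[ident]

    def verify(self, name, ident, response):
        chal = self.pending.pop(ident, None)      # consume: one try per challenge
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    """Run the exchange with constructed credentials; return each outcome."""
    bng = Authenticator({"sub-1001": b"constructed-secret"})
    ident, chal = bng.challenge()                             # BNG -> subscriber
    resp = chap_response(ident, b"constructed-secret", chal)  # subscriber -> BNG
    on_wire = bytes([ident]) + chal + resp                    # all a tap would see
    ok = bng.verify("sub-1001", ident, resp)
    ident2, _ = bng.challenge()
    replayed = bng.verify("sub-1001", ident2, resp)           # old response, new challenge
    ident3, chal3 = bng.challenge()
    wrong = bng.verify("sub-1001", ident3, chap_response(ident3, b"guess", chal3))
    return {"ok": ok, "replayed": replayed, "wrong": wrong,
            "secret_on_wire": b"constructed-secret" in on_wire}


if __name__ == "__main__":
    print(demo())
```

CHAP needs the verifier to hold the secret in a form it can feed into the hash, so the user store has to be protected accordingly.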

This is also where session state lives. The control plane maintains a table of active subscribers: who is online, what IP they were assigned, what policy is applied, how long they have been connected. That table is the source of truth for everything the data plane does.

The Data Plane
The data plane is where the actual packet forwarding happens: taking subscriber traffic and moving it toward the internet border at line rate, with per-subscriber policy enforced on every packet.
It consumes policies defined by the control plane and applies those policies at a per-packet level. Complex logic should never reside in the data plane, since it prioritizes speed and throughput the most. For Aether, I use the default Linux networking stack as the data plane, which is not production-grade but more approachable for a first-timer.
The End
This post serves as the starting point of the series of posts where I dive deep into the implementation of Aether and its different components.