OneOS v5.1

Operating System for OneAccess MSARs

Multi-Service Access Routers

OneOS is a feature-rich operating system that provides a common IP Fabric, Voice over IP Services, Data Protocols Interworking, Application Layer Management, and Advanced Management Tools. It is deployed on the complete ONE product range. OneOS guarantees a common feature set across the different product lines and uniform support by maintenance and management tools. This document describes all features brought by the V5.1 release.

ABOUT OneAccess
OneAccess designs and develops a range of world-class multi-service routers for over 140 global service provider customers including four of the top five operators in Europe. This makes OneAccess the number two branch office router solution provider in the world by volume. With an international support network operating from offices in North America, Europe and Asia, OneAccess is able to work closely and cooperatively with all its clients throughout the development and roll-out phases for new services.

Interface Characteristics
The definition of an interface on the equipment depends entirely on the configuration of the unit and can correspond to the following:
- A physical interface, e.g. an Ethernet interface, an EFM interface, a DSL interface...
- A VLAN
- A Tunnel
- An ATM PVC
- A Frame-Relay DLCI
Every interface supports all IP services (input/output QoS, NAT, IPsec, inbound/outbound firewall) and can serve as source IP address for every management protocol.

IP Address Assignment
- BOOTP/DHCP server (RFC 2131, RFC 2132) with static or dynamic address assignment
- DHCP relay agent (RFC 2131, RFC 2132)
- Static IP address assignment
- Static ARP entries
- Automatic IP assignment through BOOTP client (RFC 951)
- Automatic IP assignment through DHCP client (RFC 2131, RFC 2132), setting of options 60, 61, 77 and vendor-id as DHCP client
- Automatic IP assignment through PPP IPCP
- Unlimited assignment of secondary IP addresses on LAN interface
- Unnumbered interfaces (tunnel or (ML-)PPP interfaces)
- Automatic default route assignment on remotely learned IP address in PPP

IP Routing
The equipment complies with the router requirements as stated in RFC 1812 and supports the routing of standard IP packets (RFC 791) between the different interfaces on the equipment. Common IP router features:
- Path MTU discovery
- Variable Length Subnet Mask (VLSM), RFC 1878
- Classless Inter-Domain Routing (CIDR)
- Loopback interfaces
- Equal Cost Multi-Path Routing (ECMP): load sharing active for routes with equal distance/cost
- Configurable MTU
- ICMP redirect
- TCP Maximum Segment Size (MSS) clamping
- ARP proxy
Several routing protocols are available. The routes are selected in the Routing Information Base by discriminating metric and administrative distance of every route. The administrative distance is configurable for every routing protocol. The following routing modes are available:

Static Floating Routes
Routing is based on static routing entries in the routing table. Alternate routing is possible through the use of different administrative distances for different routes to the same destination.

Route Tracking
A performance measurement probe can be associated with a route. If the probe considers that certain performance objectives are not met, the associated static route is disabled.
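The route selection described above (administrative distance first, then metric, equal survivors forming an ECMP set, a floating static route taking over when the tracked route is disabled by a probe) as an added illustration; this is not OneOS code, and the per-protocol default distances and probe name are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Assumed default administrative distance per route source (constructed values
# for this example; the page states the distance is configurable per protocol).
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "bgp": 20, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str
    metric: int = 0
    distance: Optional[int] = None  # explicit distance (floating static), else protocol default
    track: Optional[str] = None     # name of the performance probe tied to this route

    @property
    def admin_distance(self) -> int:
        return DEFAULT_DISTANCE[self.protocol] if self.distance is None else self.distance


class RIB:
    """Routing Information Base holding every candidate route."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.failed_probes: Set[str] = set()  # probes whose objectives are not met

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def probe_result(self, name: str, objectives_met: bool) -> None:
        """Route tracking: a probe that misses its objectives disables the routes tracking it."""
        if objectives_met:
            self.failed_probes.discard(name)
        else:
            self.failed_probes.add(name)

    def best(self, prefix: str) -> List[Route]:
        """Active routes for one prefix: lowest administrative distance wins, then lowest
        metric; several survivors with the same (distance, metric) form an ECMP set."""
        cands = [r for r in self.routes
                 if r.prefix == prefix and r.track not in self.failed_probes]
        if not cands:
            return []
        key = min((r.admin_distance, r.metric) for r in cands)
        return [r for r in cands if (r.admin_distance, r.metric) == key]

    def lookup(self, dst: str) -> List[Route]:
        """Longest-prefix match over the prefixes that currently have an active route."""
        addr = ip_address(dst)
        for prefix in sorted({r.prefix for r in self.routes},
                             key=lambda p: ip_network(p).prefixlen, reverse=True):
            if addr in ip_network(prefix):
                active = self.best(prefix)
                if active:
                    return active
        return []


def demo_rib() -> RIB:
    """Constructed example: a tracked static route, a floating static backup and an
    OSPF route for the same prefix, plus two equal-cost OSPF routes (ECMP)."""
    rib = RIB()
    rib.add(Route("10.0.0.0/8", "192.0.2.1", "static", track="probe-wan1"))
    rib.add(Route("10.0.0.0/8", "198.51.100.1", "static", distance=200))  # floating static
    rib.add(Route("10.0.0.0/8", "203.0.113.1", "ospf", metric=10))
    rib.add(Route("10.1.0.0/16", "203.0.113.2", "ospf", metric=20))
    rib.add(Route("10.1.0.0/16", "203.0.113.3", "ospf", metric=20))
    return rib
```

Note that the floating static route only becomes active once both the tracked static and the OSPF route are gone: its distance of 200 must sit above OSPF's for it to act as a last resort.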

Virtual Routing and Forwarding (VRF)

Virtual routing and forwarding or VRF allows a single router to use multiple routing tables. The main benefit is enhanced VPN support. Multiple customers can now be connected to a single device without address collisions, as they each have a separate routing table assigned to them. Network paths can be segmented without using multiple devices. Traffic is automatically segregated, i.e. prevented from being forwarded outside a specific VRF path, and traffic that should remain outside the VRF path is also kept out. As a result, VRF increases network security and may eliminate the need for encryption and authentication. VRF impacts many functions of the OneOS operating system, because they must be made VRF-aware:
- Up to 10 VRF instances
- Static routing
- DNS client/proxy
- DHCP client/server/relay
- SIP/H.323 gateway
- SIP server
- HTTP(S) server
- SNTP server
- Ping, Traceroute
- SLA monitor
- DynDNS
- SSH / Telnet server
- SNMP (select source and trap-source)
- CWMP
- Auto-update
- Telnet client
- TFTP / HTTP client
- NAT, ACL, QoS and Policy-Based Routing are functional within

RIP
- RIP1 compliant with RFC 1058
- RIP2 compliant with RFC 2453
- Split horizon and selective router updates per interface
- RIP2 authentication with MD5 hashing or clear text
- Triggered RIP for ISDN interfaces
- Route distribution list (prefix-list, ACL)
- Redistribution of routes: default, static, connected, BGP, OSPF
- Route redistribution filtering with route maps
- Validation of update source can be de-activated

OSPF
- Compliant with RFC 2328 (OSPF version 2)
- Route summarization and route suppression through range definitions on areas
- Encryption through simple password or MD5 encryption chains
- Stub areas, OSPF NSSA (RFC 3101)
- Virtual links
- Passive interface support
- Cost tuning
- RFC 1583 compatibility option
- MTU check override
- Overflow management
- Redistribution of routes: default, static, connected, RIP, BGP
- Route redistribution filtering with route maps
- ECMP routes


Policy-based Routing
Normal routing is based on the destination IP address. Policy-based routing offers the possibility to define different routing entries based on additional higher-layer information. Traffic is routed to a certain interface or gateway based on one or more of the following parameters:
- Source and destination IP address range
- Type Of Service (TOS) value range (8 bits in the IP header, also called DSCP bits)
- IP protocol
- Source and destination port range for UDP / TCP packets

BGP
- Border Gateway Protocol version 4 (RFC 1771) (IBGP and EBGP)
- RFC 2385 authentication
- Peer groups
- Update source configurable
- EBGP multi-hop
- Maximum prefix
- Allow AS loop
- Redistribution of routes: default, static, connected, RIP, OSPF
- Route distribution filtering: route maps, prefix-lists
- Received routing update filtering
- Soft peer reset
- ECMP routes
- Backdoor routes
- Local preference
- Community lists
- AS path filter
- AS confederations
- Route reflector
- Flap dampening

VRRP
- Virtual Router Redundancy Protocol in accordance with RFC 3768
- Multiple VRRP instances
- Priority adjusted based on critical interface status or route presence monitoring

Multicast Routing
OneOS supports the routing of multicast flows (such as streaming video over a corporate VPN):
- IGMPv1/v2/v3 (Internet Group Management Protocol, RFC 223)
- Static multicast routes
- PIM-SM (Protocol Independent Multicast Sparse Mode) version 2

Ethernet
- On the LAN interfaces and in bridge groups, MIB2 performance counters are available per VLAN
- Ethernet jumbo frames (up to 1,600 bytes, support depends on hardware characteristics)
- Ethernet OAM - 802.3aq - ITU Y.1731
- Layer-2 shaping of bridged traffic using layer-2 and/or layer-3 criteria


Firewall
- Firewall is based on advanced access-list functions
- Firewall policies attached to interface inbound/outbound direction
- Access lists can be attached to internal server applications (SSH, telnet)
- IP extended access lists filter on the following parameters:
  - Source IP address range
  - Destination IP address range
  - Type Of Service (TOS) value range (8 bits in the IP header, also called DSCP bits)
  - IP protocol
  - Source port range for UDP / TCP packets
  - Destination port range for UDP / TCP packets
- Stateful inspection firewall
  - TCP, FTP
  - Half open session management
  - Rule logging
  - Detection of malicious IP
- Reflexive filters
- Reverse path check
- Zone-based Firewall
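The extended access-list match (source/destination range, TOS range, IP protocol and TCP/UDP port ranges) shared by the firewall above and by policy-based routing earlier on this page, as an added illustration; this is not OneOS code or its CLI syntax, the rule and packet structures are constructed, and a firewall list is assumed to end in an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp", ...
    tos: int = 0       # full 8-bit TOS byte from the IP header
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    # For a firewall ACL the action is "permit"/"deny"; for a PBR entry it is the
    # next hop to use. Unset fields match anything.
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    tos: Tuple[int, int] = (0, 255)
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if not self.tos[0] <= p.tos <= self.tos[1]:
            return False
        # Port ranges only make sense for UDP/TCP; other protocols carry no ports.
        if p.proto in ("tcp", "udp"):
            if not self.sport[0] <= p.sport <= self.sport[1]:
                return False
            if not self.dport[0] <= p.dport <= self.dport[1]:
                return False
        return True


def first_match(rules: Sequence[Rule], p: Packet) -> Optional[Rule]:
    """Rules are evaluated in order; the first matching entry decides."""
    return next((r for r in rules if r.matches(p)), None)


def firewall_verdict(rules: Sequence[Rule], p: Packet) -> str:
    """Inbound/outbound policy: implicit deny when no rule matches (assumption)."""
    r = first_match(rules, p)
    return r.action if r else "deny"


def pbr_next_hop(rules: Sequence[Rule], p: Packet, routed_next_hop: str) -> str:
    """Policy-based routing: a matching entry overrides the destination-based
    route; otherwise the normal routing result is kept."""
    r = first_match(rules, p)
    return r.action if r else routed_next_hop


def dscp(p: Packet) -> int:
    """The six DSCP bits are the upper bits of the TOS byte."""
    return p.tos >> 2
```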

Network Address Translation (NAT and PAT)

- Compliant with RFC 3022
- NAT mode for one-to-one private to public IP address translation
- PAT mode for many-to-one private to public IP address translation (also called port mapping, single address NAT or NAPT)
- NAT/PAT configurable on any interface (the interface with the public address(es))
- Twice NAT
- Static NAPT on port range
- TCP/UDP server load balancing
- Easy NAT: self learning of overloaded IP address
- Selective NAT (translate only traffic matching access lists) and NAT bypass (translate all except traffic matching ACL)
- Application Layer Gateway (ALG) support: H.323, SIP
- Session limiting, Denial of Service protection

Tunneling and VPNs

L2TP tunneling
The Layer 2 Tunneling Protocol emulates a point-to-point connection over an IP network.
- RFC 2661 compliant
- Available on WAN and LAN interfaces
- Tunnel authentication
- Static and dynamic tunnels. Dynamic tunnels are set up only if data is to be sent.
- One L2TP tunnel between each pair of IP addresses
- One PPP session per L2TP tunnel
- L2TP tunnels can be set up from an interface running NAT/PAT
- L2TP backup tunnels
- Tunnel accounting

Misc. IP Router Functions
- DNS proxy
- DHCP relay
- IP Helper address
- DHCP server: multiple pools, static MAC-IP binding, configurable ASCII and hexadecimal options

Bridging and VLANs
- Bridge virtual interface (BVI). Can be attached to ATM, LAN, VLAN and WiFi interfaces (allows VLAN to PVC mapping)
- VLAN support (802.1Q)
- QinQ with configurable EtherType
- Within a bridge group, an IP address can be defined
- Between different bridge-groups in the equipment, routing may be enabled
- Multiple VLANs possible between a bridge group towards the IP router
- IP TOS to 802.1P COS mapping and COS to TOS mapping are available on the LAN interface and on the data sent between a bridge group and the IP router, in order to maintain priority information when changing from IP to VLAN or vice versa
- Bridging of N VLANs over M ATM PVC (with N>M, in other words, several VLANs can be multiplexed in one PVC)

GRE Tunneling
- Generic Routing Encapsulation (GRE) (RFC 1701-1702)

IPsec Security
- Compliant with RFC 2401 and succeeding
- IPsec tunnel mode
- ESP (Encapsulation Security Payload), allowing authentication of the sender and encryption of the data (RFC 2406)
- DES (56 bits; RFC 2405), 3DES (3 * 56 bits; RFC 2451), AES (up to 256 bits) and NULL (RFC 2410) encryption
- HMAC (Keyed-Hashing for Message Authentication) based on MD5 (RFC 2403) and SHA-1 (RFC 2404) for integrity and authentication
- Manual SA (Security Association)
- IKE pre-shared SAs, EZ-VPN crypto maps, X.509
- RFC 2408 Internet Security Association and Key Management Protocol
- RFC 2407 IP Security Domain of Interpretation for ISAKMP
- RFC 2409 Internet Key Exchange (IKE)
- NAT Traversal (NAT-T) in compliance with RFC 3947 and 3948
- L2TP + IPsec (IPsec server for Microsoft VPN clients)
- ISAKMP (IKE) with X.509 certificate based authentication
- Self-signed certificate, Certificate enrolment: SCEP
- Certificate revocation: OCSP, local CRL

Note: On the standard equipment, the software handles the IPsec encryption. As this is a processor-consuming task, the forwarding performance of the equipment decreases. Therefore, some products are also available with an on-board hardware accelerator chip. This chip takes care of the encryption / decryption, unburdening the software of this task.

Traffic Shaping

- Low Latency Queuing (LLQ) for real-time classes. Maximum latency
- Class-Based Queuing (CBQ). Remaining bandwidth distribution strategy is configurable.
- Congestion avoidance management:
  - Tail drop
  - RED, WRED
  - Class-Based Weighted Fair Queuing: for every class, a queue per detected stream is created dynamically. The bandwidth allocated per class is equally shared between all flows.

Access Security
The equipment is password protected for access through the different maintenance and management tools. For each router, a variety of users can be defined, each with customized access rights to the equipment. The unit also features a RADIUS client (RFC 2865) and TACACS+, which can be used for authentication, authorization and accounting (AAA) of network maintenance sessions, or for L2TP sessions initiated by remote devices. Per interface, all access to the device for traffic coming from that interface can be enabled or disabled. Overall access with specific management tools can be prohibited (telnet, SSH, HTTP, SNMP, TFTP, FTP). All accesses (successful and failed logins) are logged.

IP Quality of Service (QoS)

IP QoS can be enabled on any input/output logical IP interface. At the input, it is possible to classify packets and mark them with DSCP/ precedence value and apply policing. At the output, the same processing is possible as well as traffic shaping and congestion avoidance.

Classification Criteria
- Access-lists
- Input interface
- RTP
- DSCP / precedence
- 802.1p tag
- Virtual QoS group

Marking
- DSCP / precedence
- 802.1p tag
- ATM CLP and FR DE tag on selected hardware platforms
- Virtual QoS group

The data is redirected to the queues based on DiffServ (RFCs 2474, 2475) regarding class and drop precedence. This means that, depending on their Type Of Service (TOS) field, some packets are moved to other queues and/or dropped sooner than other packets in case the queue is full. This simple and flexible policy allows classifying the traffic based on a user-defined range of the TOS field into one of the queues.

Performance Probe
Performance probe is an application within OneOS sending ICMP or UDP test packets to measure network performance. The benefit of this measurement tool is to simulate an application and report its evaluated performance. Measured performance metrics are: one-way jitter, packet loss and round trip delay. Performance can be reported using SNMP and is already integrated in market-leading performance monitoring platforms.

Maintenance and Management Tools
- Web configurator
- Industry-standard Command Line Interface (CLI)
- Local console
- SSH V2/TELNET with command line
- HTTP/HTTPS server with customizable configuration web pages
- PING (RFC 792) request and reply with extended options
- Traceroute command with extended options
- TFTP configuration and software download (RFC 1350)
- FTP configuration and software download (RFC 414)
- Interface packet capture and decoding
- SNMP version 1 (RFC 1157)
- SNMP version 2 (RFCs 3416-3418)
- SNMP version 3 (RFCs 3413-3415)
- SNMP MIB2 (RFC 1213), private MIB
- SNMP traps (RFC 1215)
- SNMP views
- SYSLOG event logging generation (RFC 3164)
- Simple Network Time Protocol (SNTP) (RFC 2030): client and server
- Dual software image allows secure firmware upgrades on selected platforms
- Mode to automatically recover last working configuration
- SSH port forwarding

Traffic Conditioning (Policing)
Per class, committed information rate (cir) and peak information rate (pir) are configurable. Traffic that exceeds the cir/pir value is no longer serviced according to the selected priority policy. For traffic conforming to, exceeding or violating the policing rates, the packets can be remarked with a different precedence or simply dropped.
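The two-rate policer described under Traffic Conditioning above, as an added illustration that is not OneOS code: each packet is coloured conform, exceed or violate against the committed and peak rates and then transmitted, remarked to another precedence or dropped. The token-bucket logic assumed here is the two-rate three-colour marker of RFC 2698; the rates, burst sizes and per-colour actions are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Action = Tuple[str, Optional[int]]   # ("transmit", None) | ("remark", prec) | ("drop", None)


@dataclass
class TwoRatePolicer:
    cir: float   # committed information rate, bytes/s
    cbs: int     # committed burst size, bytes
    pir: float   # peak information rate, bytes/s
    pbs: int     # peak burst size, bytes
    on_conform: Action = ("transmit", None)
    on_exceed: Action = ("remark", 1)
    on_violate: Action = ("drop", None)

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)   # tokens in the committed bucket
        self.tp = float(self.pbs)   # tokens in the peak bucket
        self.last = 0.0             # time of the previous packet, seconds

    def _refill(self, now: float) -> None:
        """Both buckets fill continuously at their rate, capped at their burst size."""
        dt = max(0.0, now - self.last)
        self.tc = min(float(self.cbs), self.tc + self.cir * dt)
        self.tp = min(float(self.pbs), self.tp + self.pir * dt)
        self.last = now

    def colour(self, size: int, now: float) -> str:
        """Colour-blind trTCM: peak bucket first, then committed bucket."""
        self._refill(now)
        if self.tp < size:
            return "violate"          # beyond pir: red
        self.tp -= size
        if self.tc < size:
            return "exceed"           # within pir but beyond cir: yellow
        self.tc -= size
        return "conform"              # within cir: green

    def police(self, size: int, now: float, precedence: int) -> Optional[int]:
        """Returns the precedence the packet leaves with, or None when it is dropped."""
        actions = {"conform": self.on_conform, "exceed": self.on_exceed,
                   "violate": self.on_violate}
        action, prec = actions[self.colour(size, now)]
        if action == "drop":
            return None
        return precedence if action == "transmit" else prec


def demo_sequence() -> List[str]:
    """Constructed trace: cir 1000 B/s, cbs 1500 B, pir 2000 B/s, pbs 3000 B;
    four 1000-byte packets at t=0, then one 1500-byte packet one second later."""
    pol = TwoRatePolicer(cir=1000, cbs=1500, pir=2000, pbs=3000)
    colours = [pol.colour(1000, 0.0) for _ in range(4)]
    colours.append(pol.colour(1500, 1.0))
    return colours
```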

Frame-Relay Encapsulation

- Encapsulation compliant with RFCs 1490, 2427
- CIR (Committed Information Rate) configurable per DLCI
- EIR (Excess Information Rate) configurable per DLCI
- Different types of LMI (Local Management Interface):
  - ANSI T1.617 D
  - ITU-T Q.933 Annex A
  - Group of four
- Frame-Relay fragmentation (FRF.12)
- Frame Relay shaping with four-level priority scheduling

ATM Encapsulation
Higher layer protocols:
- Classical IP according to RFC 1577
- Bridged Ethernet (for bridged traffic or routing to ATM interface with IPoEoA encapsulation)
- PPPoA (PPP over ATM) according to RFC 2364
- PPPoE (PPP over Ethernet) according to RFC 2516, 2684
Multiprotocol encapsulation using:
- LLC (Logical Link Control)
- VC (Virtual Connection) multiplexing
Other ATM features:
- Inverse ARP for automatic IP address resolution
- Configuration of PCR (Peak Cell Rate) per PVC
- Service categories UBR, CBR, VBR-rt and VBR-nrt (hardware dependent)
- ATM Forum UNI 3.1/4.0 PVCs
- OAM F5 loop back response (ITU-T I.610)
- OAM F5 end-to-end loop back generation (ITU-T I.610)
- OAM F5 end-to-end RDI response
- OAM F5 segment and end-to-end CC (Continuity Cells)
- ATM IMA over E1 links (ATM Forum af-phy-0086.001 and ITU-T G.761) and G.SHDSL

Autoconfiguration
Autoconfiguration enables zero-touch CPE activation. Based on standard protocols, the OneOS products can update their configuration and software image. This minimizes installation time and the risk of errors.

CWMP (TR-069)
SOAP over HTTP or HTTPS with optional MD5 Digest for authentication

Supported RPC:
- Inform
- Download (configuration, software image, web pages)
- Reboot
- FactoryReset
- Upload
- GetRPCMethods
- GetParameterNames
- SetParameterValues
- GetParameterValues
- Connection request
- TR-111 section 2 (association)

PPPoE
- Up to 10 PPPoE sessions
- PPPoE in VLAN, ATM or plain Ethernet
- PPPoE can be multiplexed with IPoE on the same PVC
- Several PPPoE sessions can be multiplexed in the same PVC
- PPPoE with IP packets of 1,500 bytes

PPP Encapsulation
- Over ATM, ISDN, analog dialup modem, serial interface (E1/T1 or X.21 or V.35)
- Encapsulation compliant with RFC 1661, 1662
- LCP (Link Control Protocol)
- IPCP (IP Control Protocol, RFC 1332)
- CHAP authentication with MD5 hashing (RFC 1994), unidirectional or bi-directional authentication
- PAP (PPP Authentication Protocol, RFC 1334), unidirectional or bi-directional authentication
- Link aggregation with Multi-link PPP (RFC 1990) on ATM and ISDN
- MLPPP fragmentation and interleaving on ATM, ISDN and serial interface
- MLPPPoA and MLPPPoEoA on multi-line SHDSL (ONE80/300 specific)
- Bandwidth Allocation Protocol (BAP) (RFC 2125) for ISDN interface

Dial-Up Interfaces

- Multiple logical dial-up interfaces on a physical link (incoming, outgoing, specific calling numbers)
- PPP and Multi-link PPP encapsulation for routed IP traffic
- Bandwidth on demand for ISDN (with or without Bandwidth Allocation Protocol (BAP) (RFC 2125))
- Call filtering on incoming and / or outgoing calls, local and remote telephone number
- ISDN call-back
- Interface or route monitoring to cause dial-up interface opening (dialer-watch-list)
- Interface remaining open only for selected traffic (dialer-group)

Wireless LAN
- Authentication: open, shared, PSK (WPA-PSK or WPA2-PSK), simultaneous support of WPA and WPA2
- Encryption: none, WEP (40/64/128 bit key), TKIP, AES
- Full WPA support
- Up to 8 SSID
- Guest mode (broadcast SSID or not)
- Power and mode setting
- MAC filter
- WMM quality of service
- Legacy power-save mode as well as U-APSD
- Bridging between LAN and WLAN, native 802.1q mode
- Frame capture (data and some 802.11 signaling)
- ARP ping to detect dead WLAN stations
- RADIUS accounting (public hotspot)
- Wireless Protected Setup (WPS): PIN and Push-Button method

Integrated Business Communication (IBC)
- Call features: Automatic recall, redial, speed dial, directory (global, personal), music on hold (customizable), call waiting, caller name/number display with directory matching, forwarding display, vocal CLIP, privacy, number blocking, customizable ringback music
- Call forwards: unconditional, on busy, on no-reply, on unreachable, Follow-me, daily/weekly unconditional call forward, (daily/weekly) Do Not Disturb
- Auto-attendant
- Hunt groups
- Manager-secretary filtering
- Direct Inward Service Access (DISA)
- Mobility management: Coupling of wireless / wired handsets, Presence-based forwarding to mobile, Management of a single voice mail box for dual phone, Login (to use another phone as if it was your own extension), Simultaneous ringing
- Voice mail and voice-to-email
- Outlook integration
- IP phone plug-and-play installation (selected phones)
- Web interface for users and administrators

VoIP Processing (DSP)
- Codecs: G.711a/µ, G.726, G.729AB
- G.165/168 compliant echo cancellation
- T.38, including Error Correction Mode (ECM)
- Modem detection
- DTMF tone detection
- Caller-id, name, date on FXS
- FXS Advice of Charge on selected models
- Local tone generation (ringback, busy)
- MOS score evaluation based on E-model

SIP Gateway and SIP Proxy
- ISDN:
  - Overlap and en-bloc ISDN dialing
  - UDI64k
  - ISDN channel specialization
  - Interworking of advanced ISDN services into SIP
- Supported methods: INVITE (Re-INVITE), ACK, REGISTER, CANCEL, OPTIONS, UPDATE, PRACK, NOTIFY, SUBSCRIBE, REFER
- Call admission control
- Built-in SIP signaling debugger
- Advanced SIP proxy with NAT ALG
- SIP-H.323 proxy

H.323 Gateway
- H.323 version 4
- FXS, BRI, PRI
- RAI support
- H.235 authentication
- Hunting
- ISDN:
  - Overlap and en-bloc ISDN dialing
  - UDI64k
  - CLIP, CLIR, COLP, COLR
  - ISDN channel specialization
- Modem pass-through
- T.38
- DTMF: H.245 or RFC 2833

WAN Optimization Visibility
- Application recognition via Deep Packet Inspection (DPI) engine
- Optimized architecture for high performance
- Applications belong to categories
- Monitoring of TCP metrics, tracking network and server performance
- Reporting information is exported using standard NetFlow V9 and proprietary extensions
- Collectors (servers) can draw traffic volume charts based on the following: IP source/destination, ports, application, application categories, web site
- Possibility to define custom applications
- Recognition of web site name for TLS/SSL flows

WAN Optimization Control
- IP HQF
- Application name and/or application category and/or URL used as classification criterion for QoS: application-based shaping, policing and marking
- Policy-based routing using application name and/or application category and/or URL as classification criterion
- URL-based filtering

IPv6 Support

Interfaces
- Support of IPv6 and IPv4 concurrently on FE/GE, EFM, BVI, ATM PPPoA/PPPoEoA, GRE Tunnel and WiFi interfaces
- Also on VLAN over FE/GE/EFM/AAL5, PPPoE (over VLAN) over any medium, and ATM PVC IPoA/PPPoEoA interfaces
- Stateless Address Auto-Configuration (SLAAC) for Ethernet and PPP-based interfaces
- IPv6CP

Management Protocols
All management protocols supported with IPv4 are supported with IPv6 as well. The source address of management protocols can be forced (IPv4 and/or IPv6 address) and an IPv6 access-list can be attached to listening protocols for security.
- New MIBs: RFC 4293

Routing
- Static IPv6 Routing, BFD for IPv4 and IPv6
- Prefix list V6
- DHCPv6 relay
- IPv6 route cache (performance optimization for IPv6 routing)
- All QoS and Policy-Based Routing (PBR) features supported with IPv4 apply to IPv6
- Path MTU discovery
- IPv6 access-list (no stateful inspection)
- VRRPv3 (VRRP for IPv6)
- Stateless DHCP server with prefix delegation
- Manual 6in4 tunneling

Products Supported by OneOS Software
OneOS is made available in various software packages:
- ADVIP (Advanced IP): all OneOS functions, excluding voice
- VOIP_H323: same as ADVIP with H.323 gateway support
- VOIP_SIP: same as ADVIP with SIP gateway and SIP proxy
- IBC_SIP: same as ADVIP with IBC call manager software supporting SIP trunks
- PROXY: same as ADVIP with SIP gateway, H.323 gateway and SIP-H.323 proxy
ONE20A/100A are only supported up to OneOS V4.3. ONE10/30/60/200/400/Cell25 are only supported in OneOS V3.7.
Products covered by the package availability table: ONE20D, ONE50, ONE70, ONE80, ONE80XM, ONE540, ONE1520, ONE1540, ONE1560, ONE100D/M, ONE150, ONE180/ONE300, ONE270/ONE700, ONECell35. Packages listed in the table: ADVIP, VOIP H323, VOIP SIP, PROXY, IBC SIP.

V5.1: Main changes from OneOS V4.3

New Features
- Zone-Based Firewall
- Nomad VPN clients (XAUTH & MODE-CFG)
- GET VPN (GDOI with Cisco or Juniper Key Server)
- WAN optimization
  - Visibility (Netflow V9) -> NetAPM license
  - Control (IP HQF, policy based routing) -> NetControl license
- IPv6 Support
  - Support of IPv6 and IPv4 concurrently
  - Static IPv6 Routing, BFD for IPv4 and IPv6
  - IPv6 route cache (performance optimization for IPv6 routing)
  - Stateless DHCP server with prefix delegation
- Support of G.SHDSL TCPAM 64/128 (ONE540/ONE1540 only)

v4.3: Main Changes From OneOS v4.2

- VRF
- VLAN: QinQ, PPPoE in VLAN
- WPS
- Route tracking
- SSH port forwarding
- IPsec: L2TP server, PKI, CRL
- Ethernet OAM
- Jumbo frames

v4.2: Main Changes From OneOS v4.1

- HTTPS server
- IPsec: Easy VPN crypto maps
- Enhanced WiFi troubleshooting: capture of 802.11 frames, enhanced STA tracing
- SNTP server
- Bridging of N VLANs over M ATM PVC (with N>M, in other words, several VLANs can be multiplexed in one PVC)
- Layer-2 shaping of bridged traffic using layer-2 and/or layer-3 criteria
- CWMP (TR-069)
- SIP-H.323 proxy
- V.17 fax processing over T.38 (at 14.4 kbps, without fallback to 9.6 kbps)
- MOS score evaluation based on E-model

- GPON SFP ONE1520/ONE1540
- L2CP tunneling
- Ethernet Pseudo Wire (PWE3)
- SSH client
- Load sharing per packet and per session
- Static route in route-map
- IP accounting
- Dynamic Routing: BGP4