Mesh 1.1: Directed Forwarding and Subnet Bridging

Mesh 1.1 Features

Bluetooth Mesh 1.1 (ratified 2023) addresses the three biggest limitations of the 1.0 specification: inefficient flooding, inability to reach isolated subnets from a single provisioner, and slow remote device management. The three headline features — Directed Forwarding, Subnet Bridging, and Remote Provisioning — transform Bluetooth Mesh from a flat flooding network into a managed, scalable infrastructure.

Directed Forwarding

Classic Bluetooth Mesh uses managed flooding: every relay node rebroadcasts every packet it receives (TTL permitting). In a dense network this causes significant air-time contention and wasted energy, as most retransmissions do not contribute to delivery.

Directed Forwarding establishes on-demand routing paths between source and destination. A Directed Forwarding Originator floods a Path Discovery request; relay nodes along the best path respond, creating a Forwarding Table entry. Subsequent messages from the same source to the same destination follow the stored path — only nodes on the path rebroadcast.

Path entries expire (configurable lifetime) and are refreshed automatically when traffic resumes. Lane Count extends each path to carry multiple concurrent streams, similar to MPLS traffic engineering.

Subnet Bridging

A single Bluetooth Mesh network is bounded by a shared Network Key (NetKey). All nodes in the network can decrypt and relay all messages — a flat security model. Large deployments often split into multiple subnets (different NetKeys per floor, building wing, or tenant) for administrative isolation.

Pre-1.1, messages could not cross subnet boundaries without a full application-layer gateway. Subnet Bridging adds a Bridge node role: a node that holds multiple NetKeys and translates messages at the network layer between subnets.

The Bridge maintains a Bridging Table — a list of (NetKey_A, address_A) → (NetKey_B, address_B) entries. The Configuration Client programs these entries remotely. Bridged messages are decrypted under the source NetKey, re-encrypted under the destination NetKey, and retransmitted on the destination subnet.

Security properties:

• Bridge node must be trusted (holds multiple NetKeys)
• Bridge does not decrypt upper-transport layer (app key remains end-to-end)
• Access control is per Bridging Table entry, not per address

Remote Provisioning

In Mesh 1.0, adding a new node required the Provisioner to be within direct BLE advertising range of the unprovisioned device. For large buildings this meant physically walking to each device — impractical for 1,000-node deployments.

Remote Provisioning extends provisioning across the mesh. A Remote Provisioning Server model runs on already-provisioned nodes near the new device. The Provisioner communicates with the Remote Provisioning Server via the mesh (encrypted), and the server acts as a relay for the provisioning protocol packets between Provisioner and the new device.

Remote Provisioning workflow:

1. Provisioner queries Remote Provisioning Servers for scanned unprovisioned devices
2. Server returns list of detected Unprovisioned Device Beacons with ATT">UUID and RSSI
3. Provisioner selects the best server (highest RSSI to target) and opens a Remote Provisioning Link
4. Standard provisioning handshake (invite → capabilities → key exchange → auth → data) tunneled through the mesh
5. New node receives NetKey, AppKey, and address; becomes a full mesh node

This enables zero-touch provisioning workflows where devices are pre-loaded with a UUID at the factory, physically installed anywhere in the building, and provisioned from a dashboard without physical access.

Additional Mesh 1.1 Enhancements

Mesh 1.1 is backward compatible: 1.0 nodes continue to operate as managed-flooding relays on a mixed network. Only nodes that implement 1.1 features (advertised in the node's Features field) participate in Directed Forwarding or Remote Provisioning.