How to use Bluetooth Mesh GATT provisioning with regular BLE stack?

This means that I want to control (on/off/etc) the specific device, without access to whole network. For example, I have a configured light switch and hundred of devices in a single network, and I have a guest that want to control this lightswitch, but this guest is not an owner of this network and there can be a lot of different people who want to control light switch when they are inside a room. 

Thanks for the detailed explanation. There is something called temporary guest access in the mesh specification. The guest node still needs to be provisioned & then it will be provided a temporary network & application key. The light bulb needs to be controlled by the guest would also have a subnet network key, as well as a temporary application key. You will still need to provision this guest node unfortunately.

Take a look at this excerpt from the profile spec in section 3.10.2

"It is possible to provide a node with temporary guest access to a mesh network. This is done by creating a separate guest subnet by providing a separate network key to the guest and to the nodes the guest will have access to.
Separate application keys are also provided to the guest to restrict the models that the guest has access to at the access layer.
The guest never obtains application keys or network keys used by nodes and models that are excluded from guest access. Only nodes that belong to the guest subnet will communicate with the guest node; within these nodes, only models bound to the guest application keys can be used by the guest. This allows guest access to be very finely controlled down to specific nodes and functionalities.
Guests cannot initiate IV Index updates on the primary subnet. This protects the IV Index, which is a network shared resource, from a potentially malicious behavior.
Guest access is configured by a Configuration Client using the Configuration Server model that is secured by device keys. Multiple guests may be provided with guest access, each within their own guest subnet and model domain.
Guest access is revoked by refreshing application and network keys through the Key Refresh procedure (see Section 3.10.4)."

The main reason for making it this "complicated" is increased security.

Do you want the guest node to be another mesh device or a smartphone connected via the proxy node?

If so, it is possible to do the inverse of what we are doing with the nrf mesh app, where the phone can be provisioned via the proxy node. The phone would run the PB-GATT provisionee attribute table on the app (could be a modified nrf mesh app). Another node in the network that allows provisioning will then connect to this guest phone & then do the provisioning process. The main purpose of this exercise is to distribute the network & application keys to the guest so that it can participate as a guest in the mesh network.

You may be able to do this via a proprietary way by distributing a temporary network & app key to the guest smartphone, but it is most likely better to follow the spec like described above.

Kind Regards,

Bjørn

Thanks for response,

Bjørn Kvaale said:

Another node in the network that allows provisioning will then connect to this guest phone

As I know there can be only one provisioner node in the network? And in my case the provisioner can be different smartphone that can't be used for guest. Is it possible to make "virtual" provisioner and use smartphone's BLE as relay (PB-GATT connection) between remote server (as provisioner) and real node?

And if there is a lot of guests, what provisoner will do with unique indexes that should be assigned to every new connected device (smartphone)?

gsegment said:

As I know there can be only one provisioner node in the network?

 Essentially yes. Although you could theoretically have multiple provisioners that make different mesh networks & find a way of communicating within the different mesh networks. I am not sure I would recommend this.

gsegment said:

Is it possible to make "virtual" provisioner and use smartphone's BLE as relay (PB-GATT connection) between remote server (as provisioner) and real node?

 Do you want to use the remote provisioning functionality from our mesh sdk & provision nodes out of reach of the smartphone via relaying the information through intermediary nodes? Could you explain what you mean by virtual provisioner?

gsegment said:

And if there is a lot of guests, what provisoner will do with unique indexes that should be assigned to every new connected device (smartphone)?

The provisioner will store these unique application & network keys in the device state manager.

Bjørn Kvaale said:

Do you want to use the remote provisioning functionality from our mesh sdk & provision nodes out of reach of the smartphone via relaying the information through intermediary nodes? Could you explain what you mean by virtual provisioner?

My idea was not to do a standard provision. I mean that if we know provisioner keys than we can remotely prepare a "new" node and send subnet key and node ID to a guest's smartphone via internet/wifi. And guest's smartphone can become a node instantly without a real device need and not using "provisioning functionality from mesh sdk". What do you think about this?

Bjørn Kvaale said:

The provisioner will store these unique application & network keys in the device state manager.

Yes, but I was talking about node IDs. Bluetooth mesh can handle 16-bit addresses, but at provisioning stage the provisioner acquiring short ID for a new node. So when guest has been provisioned and later leaves, how we can handle >16 bit IDs acquiring? At the same time there is small amount of smartphones connected, but over time it can become large.