Military Mesh Networks Without Central Routing Authority

1. Regulatory and Doctrinal Pressure

Joint All-Domain Command and Control (JADC2), the United States Department of Defense's foundational concept for connecting sensors and shooters across services and domains, was formalized in the JADC2 Strategy of 2022 and the corresponding Implementation Plan, with each service issuing its component: the Air Force's Advanced Battle Management System (ABMS), the Army's Project Convergence, the Navy's Project Overmatch. The doctrine is unambiguous about the operational requirement — any sensor, any shooter, any domain, at machine speed, across degraded and contested electromagnetic environments. The doctrine is also explicit that the legacy stovepipe architecture, in which each service operates its own tactical data links with its own classification regime and its own gateway translators, cannot meet that requirement.

The doctrinal pressure compounds with allied-interoperability obligations. NATO Federated Mission Networking (FMN) Spirals 4 and 5 require member nations to operate cross-national command-and-control flows under coalition-releasability discipline that no single nation's classification authority can adjudicate unilaterally. AUKUS Pillar 2 commits the United States, United Kingdom, and Australia to advanced capability sharing, including autonomy, electronic warfare, and undersea systems, that require cross-nation tactical data flows under classification and releasability constraints encoded into the data itself rather than enforced at gateway crossings. The Five Eyes intelligence-sharing community has operated for decades under exactly this kind of cross-jurisdictional discipline, but the discipline has been procedural and human-mediated; the modern operational tempo demands machine-mediated equivalents.

On the regulatory side, the National Defense Authorization Acts of recent fiscal years have repeatedly directed the Department to demonstrate Zero Trust architecture across tactical networks, with the DoD Zero Trust Strategy of 2022 and Reference Architecture v2.0 mandating per-message authentication, attribute-based access, and continuous verification — a profile that legacy boundary-controlled tactical networks were not architected to deliver. The Cybersecurity and Infrastructure Security Agency, through Binding Operational Directive 23-02 and successor instruments, has tightened the same posture across federal civilian networks that interface with defense data flows.

The combined effect of JADC2, FMN, AUKUS, Zero Trust mandates, and the post-Ukraine recognition that GPS-denied, communications-denied, and electronic-warfare-saturated battlespaces are the reference operational environment rather than the edge case has produced a regulatory and doctrinal climate in which centrally-routed tactical networks are not merely suboptimal — they are non-compliant with stated policy.

2. Architectural Requirement

The architectural requirement that emerges has six components. First, every message must carry its own classification, releasability, and propagation policy as intrinsic, cryptographically attested fields, so that any node can evaluate handling rules without consulting an external authority. Second, routing decisions must compose with governance decisions in a single evaluation pass, so that a node never routes a message it is not authorized to handle and never refuses to route a message it is authorized to handle. Third, trust relationships between nodes must be local, weighted, and updatable from observed behavior, so that compromised or anomalous nodes are degraded by their neighbors without requiring central revocation. Fourth, the protocol must operate correctly under arbitrary partition — when network segments are isolated by jamming, terrain, or kinetic damage, each segment must continue to operate with full governance integrity, and reconnection must reconcile state structurally rather than through synchronization with a central controller.

Fifth, the protocol must compose hierarchically across echelon, jurisdiction, and coalition without changing shape. A platoon-level mesh, a brigade-level mesh, a joint-task-force mesh, and a coalition-level mesh must be the same protocol with the same governance discipline at different scopes, not separate protocols joined by gateway translators. Sixth, the protocol must produce lineage suitable for after-action forensics, accountability investigations, and rules-of-engagement audit, recording for every message the originating authority, the propagation path, the trust evaluations performed at each hop, and the actuation outcomes downstream.

These requirements are jointly satisfied only by an architecture in which governance is a property of the content rather than a property of the transport. Any architecture that locates governance in routers, gateways, controllers, or directory services inherits the failure modes of those components — failure modes that the contested-environment threat model has explicitly elevated to first-order concerns.

3. Why Procedural and Conventional Approaches Fail

Three conventional approaches dominate today's tactical networking landscape, and each fails for an instructive reason.

The first approach is gateway-mediated interoperability — Link 16, Link 22, VMF, CDL, and the various national equivalents, each with its own format, its own classification regime, and its own bridges between regimes. The architecture is functional in benign environments; in contested environments it concentrates failure at the gateway. A gateway that translates between national networks under coalition-releasability rules is, by construction, a high-value target for adversary kinetic and cyber action, because its destruction or compromise severs cross-national tactical data flow. Procedural defenses — hardening, redundancy, alternate routing — do not change the architectural shape; they multiply the targets without eliminating the dependency.

The second approach is software-defined networking with policy controllers — the architecture that civilian Zero Trust deployments have largely adopted, in which a controller distributes policy to enforcement points, and enforcement points consult the controller for attribute-based access decisions. This architecture works in datacenters where the controller is highly available. It does not work in tactical environments where the controller is precisely the kind of high-value asset that adversaries target and where the link between enforcement point and controller is precisely the link that electronic warfare disrupts. Tactical SDN deployments fall back to stale policies under disconnection, which is the failure mode the doctrine specifically prohibits.

The third approach is mobile ad hoc networking (MANET) — OLSR, AODV, B.A.T.M.A.N., and successor protocols that route opportunistically without infrastructure. MANET solves the routing problem in degraded environments and solves it well. It does not solve the governance problem at all. A MANET treats data as opaque payload and routes on topology; classification, releasability, need-to-know, and rules-of-engagement constraints must be enforced by an overlay that the MANET does not know about. In practice, that overlay is the same controller architecture that fails under disconnection. MANET routing plus controller-mediated policy is a composition that inherits the failure modes of both layers — opportunistic transport whose governance evaporates when the controller is unreachable.

Each of these approaches treats governance as a procedural overlay on a transport that does not natively express it. Procedural overlays fail under exactly the conditions that the contested-environment threat model defines as the operational baseline: degraded connectivity, hostile electromagnetic spectrum, partitioned topology, time-critical decision tempo, and adversary action specifically targeting the procedural-overlay components. The pattern is the same one civilian Zero Trust encountered on enterprise networks and resolved by moving identity and policy into the data plane; the tactical equivalent is moving classification, releasability, and routing authority into the message itself.

4. The AQ Memory-Native Protocol Primitive

The Adaptive Query memory-native protocol primitive, disclosed under USPTO provisional 64/049,409, specifies that every message in a conforming network is a self-governing observation with intrinsic, cryptographically attested governance fields, and that every node in the network is a self-governing actuator that evaluates incoming messages against its local trust state and policy without consulting any external authority. The primitive has five structural properties.

The first property is intrinsic governance. Every message carries its classification level, its releasability scope, its propagation constraints (hop count, time-to-live, geographic envelope, modality restrictions), its handling caveats, and its originator authority as cryptographically signed fields. The fields are not metadata appended to the payload; they are part of the message's identity, and the message is invalid if the fields are missing, mutated, or signed by an authority outside the receiving node's trust set.

The second property is local evaluation. Each node evaluates incoming messages against its own credentialed trust relationships, its own classification clearance, its own coalition releasability authorities, and its own operational policy. There is no controller, no directory, and no gateway whose availability the evaluation depends on. A node that loses contact with every other node in the network continues to evaluate correctly against the messages already in its memory; a node that joins a partition reconciles by exchanging credentials with its peers in the partition, not by reaching back to a controller.

The third property is trust-weighted routing. Routing decisions are governance decisions: a node forwards to a peer only if the peer is credentialed for the message's classification and releasability and only if the peer's local trust weight exceeds the threshold encoded in the message's policy. Trust weights decay structurally on observed anomaly — a peer that emits unsigned messages, exhibits time-stamp inconsistency, or violates declared propagation constraints loses weight in its neighbors' routing tables without a central revocation event.

The fourth property is partition-tolerant reconciliation. When the network partitions, each partition continues to operate at full governance integrity, because every node's evaluation state is local. When partitions reconnect, the protocol reconciles through the messages' own lineage and trust signatures rather than through controller-mediated synchronization. Partitions that operated under divergent operational assumptions do not silently merge; the reconciliation surface flags the divergence and forces explicit credential exchange before traffic resumes across the seam.

The fifth property is hierarchical composition. The same protocol operates at platoon scope, brigade scope, joint-task-force scope, and coalition scope, with scope expressed as the credentialed authority taxonomy embedded in messages and held in nodes. Composition does not require gateway translators; it requires the receiving scope's nodes to credential the originating scope's authorities, which is a key-management operation rather than an architectural one.

5. Compliance Map

The memory-native protocol primitive maps directly onto the obligations expressed in JADC2, FMN, AUKUS, and DoD Zero Trust mandates.

For JADC2, the obligation is any-sensor-any-shooter at machine speed across services and domains. The primitive discharges this by making cross-service and cross-domain messages indistinguishable from intra-service messages in the routing layer — they differ only in their authority taxonomy, which the protocol evaluates structurally rather than by reference to gateway translation tables. A Marine sensor's observation can be admitted by an Air Force shooter because the shooter's node credentials the Marine authority, not because a translator interposed between them.

For FMN Spirals 4 and 5, the obligation is coalition-releasability discipline across national networks. The primitive discharges this by making releasability a property of the message that every coalition node enforces locally against its own national authority. A message marked REL-TO with a specified coalition partner set is structurally rejectable by any node whose national authority is not in the set, without a gateway adjudicating the rejection.

For AUKUS Pillar 2, the obligation is advanced-capability sharing under classification and export-control constraints. The primitive discharges this by making export-control caveats enforceable at every hop, not only at the originator's release decision. A message bearing a Pillar 2 caveat propagates only through nodes credentialed to handle that caveat, regardless of physical-layer connectivity to other nodes.

For DoD Zero Trust, the obligation is per-message authentication, attribute-based access, and continuous verification. The primitive discharges all three structurally: authentication is a property of every message, access is determined by the message's intrinsic attributes evaluated against the node's local policy, and verification is continuous by construction because every hop performs the evaluation. The civilian Zero Trust controller-and-enforcement-point pattern is replaced by an architecture in which every node is an enforcement point and there is no controller.

For after-action forensics and rules-of-engagement accountability, the obligation is reconstructable lineage. The primitive's per-message lineage records — originator authority, signed propagation path, per-hop trust evaluations, downstream actuation outcomes — produce the structured record that investigators and inspectors-general require, without depending on the continued availability of any specific node or controller.

6. Adoption Pathway

Adoption is sequenced from the operational environments in which the failure of conventional approaches is most acute, outward toward the broader force.

The first wave is special operations and small-unit tactical deployments that already operate under the assumption of denied or degraded communications and that have the institutional latitude to field protocol-level innovation ahead of program-of-record cycles. Memory-native protocols operating over a handful of platforms produce immediate operational value and generate the doctrinal evidence base for broader adoption.

The second wave is unmanned-system formations — UAV swarms, USV/UUV formations, ground-robotic teams — where the number of nodes and the tempo of inter-node coordination exceed what controller-mediated architectures can support, and where the loss of any individual node is operationally expected. The protocol's partition-tolerance and trust-weighted routing properties are existentially required in this environment, not merely beneficial.

The third wave is coalition tactical operations under FMN and AUKUS Pillar 2, where the gateway-translator architecture is most acutely a liability. A coalition exercise or operation conducted on a memory-native protocol substrate demonstrates cross-national interoperability without per-engagement gateway configuration and produces the doctrinal evidence required for institutional uptake by partner nations.

The fourth wave is service-level tactical-data-link modernization, where the legacy Link 16 / Link 22 / VMF stack reaches end-of-life or end-of-effective-utility against the contested-environment threat model. The memory-native protocol composes with the legacy links during transition — the legacy link becomes a bearer that transports memory-native messages without understanding their governance — so adoption does not require simultaneous replacement of the platform fleet.

The fifth wave is integration with allied and partner national networks under FMN Spiral evolution and bilateral defense-cooperation arrangements. By this stage the protocol's hierarchical-composition property has been exercised at coalition scope, and integration becomes a credential-exchange operation rather than an architectural one.

The architectural shape across all five waves is the same: governance moves into the message, evaluation moves into the node, and the network operates correctly under exactly the conditions — disconnection, partition, contested spectrum, kinetic loss of infrastructure — that doctrine has identified as the operational baseline. The legacy controller-and-gateway architecture is retained where it adds value during transition, but is no longer load-bearing for the question of whether tactical data flows correctly across echelon, service, and coalition. That question becomes structural in a way the existing infrastructure cannot make it.