IMO, the most realistic solution would be the one where the internals are never provided to the developer. E.g., where the developer never sees the IP address or an encoded/encrypted/hashed/etc… version of the IP address.
The developer would only be able to add the IP to a set of IP addresses. They would only know if a user joins with one of these IP addresses – therefore it is less than 100% secure. Ideally the developer would not be able to gain any information about the user’s IP address. To reduce this attack, there would be a minimum and maximum duration instead of the direct ability to remove keys.
In the extreme, a user could learn his IP address, develop a game, only add that one IP to the set, and then change IP using normal means. They could then determine if any other user joins with that IP – giving the exact IP address and user ID of a random user. For popular games, where a dev also lives in an area with many players, this could be a feasible attack.
To avoid this, the logic could potentially be done 100% on the server, or in a Lua VM that has severely restricted access. At that point, a user could disclose information on the forums, etc… that would allow the developer to determine the IP address through the same method.
This system could also allow user-ID-based whitelisting, which could have duration or add/remove-based logic. This would allow known-good users, admins, creators, etc… to join the game without being kicked.
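
A sketch of the opaque set described in the post above, as an added example that is not part of the original post and not any platform's real API. The class name, method names and the minimum/maximum durations are assumptions; the developer-facing calls take only user IDs, there is no removal call, and the admit/kick result is still the membership signal the post points out.

```python
MIN_BAN_S = 3600          # assumed minimum duration: 1 hour
MAX_BAN_S = 30 * 86400    # assumed maximum duration: 30 days


class OpaqueIpBanSet:
    """Platform-side set of banned IPs; game code never receives an address."""

    def __init__(self):
        self._session_ip = {}   # user_id -> IP, known only to the platform
        self._expiry = {}       # IP -> ban expiry timestamp (seconds)
        self._allowed = set()   # whitelisted user IDs

    def platform_register_session(self, user_id, ip):
        # Called by the platform's network layer, never exposed to game code.
        self._session_ip[user_id] = ip

    def ban_ip_of(self, user_id, duration_s, now):
        """Developer-facing: ban whatever IP this user is connected from."""
        ip = self._session_ip.get(user_id)
        if ip is None:
            return False  # user is not connected; nothing to add
        clamped = max(MIN_BAN_S, min(MAX_BAN_S, duration_s))
        # Never shorten an existing ban: entries only leave by expiring.
        self._expiry[ip] = max(self._expiry.get(ip, 0), now + clamped)
        return True

    def allow_user(self, user_id):
        """Developer-facing: user-ID whitelist that bypasses the IP set."""
        self._allowed.add(user_id)

    def admit(self, user_id, now):
        """Developer-facing join check: returns only admit (True) or kick."""
        if user_id in self._allowed:
            return True
        ip = self._session_ip.get(user_id)
        expiry = self._expiry.get(ip)
        if expiry is None:
            return True
        if now >= expiry:
            del self._expiry[ip]  # expired entries drop out on their own
            return True
        return False
```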