I don't know how practical checking IP addresses in the identity
framework would be, given the realities of proxies and NAT.  That is,
you can't guarantee that an IP address will stay the same throughout an
identity lifecycle, so you are really going to complicate things if you
require a constant IP address in order to maintain your identity. If
tied to identity at all, it should be an optional feature.

Here's a thread that does a much better job of summarizing the problem:

http://seclists.org/lists/webappsec/2004/Jul-Sep/0377.html

As far as the IP tracking per visit goes, I would think it would be
better to handle this through an (optional) extension that plugs in to
the visit framework rather than adding it as a default.  This is just
based on my preference to keep visit as lean as possible.
