As described for rlogin above, authentication based on the client's IP address is bad. It used to be quite popular twenty years ago, but it has never been a good idea, and isn't today, either. However, there are still some popular security tools such as Wietse Venema's TCP Wrapper that perform access control based on the client's host address. Whenever a connection is established with a network service protected by the wrapper, the wrapper will first check the client's address against a list of hosts permitted to access the service before handing control over to the network service itself. If the client isn't permitted to connect, the wrapper will simply drop the connection.
Note the difference here: the TCP wrapper does not authenticate a client in the sense that the rlogin or NFS daemons do, which blindly trust a client's statement of who he is simply because the connection comes from the "right" IP address. Instead, the TCP wrapper puts an additional layer of access control around a service by refusing connections unless they originate from certain hosts. It's a bit like trying to buy a drink in certain areas of the US. In most parts of the world, the bartender will give you whatever you want provided you're old enough. In certain states of the US, you have to be a local resident (or be invited by one) or you won't be able to order even a soda.
If you want to know more about TCP wrapper, please refer to XXX. If you want to learn more about bizarre drinking laws, visit Utah.
Anyway, back to the topic at hand. The type of access control implemented by TCP wrapper has been adopted by many other applications. There is even a programming interface to the TCP wrapper code that you can use in your applications. If your OS vendor includes it, documentation should be available through the hosts_access(3) manual page.
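The kind of numeric address check such a wrapper performs before handing a connection to the service, as an added example (it is not TCP Wrapper's own code and does not use the hosts_access(3) interface). The function names and the rule list are hypothetical; the pattern forms follow the exact-address, trailing-dot prefix and net/mask patterns documented in hosts_access(5), restricted here to IPv4.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample rules: exact address, dotted prefix, net/mask pair. */
static const char *const sample_rules[] = {
    "10.1.2.3", "192.168.1.", "172.16.0.0/255.240.0.0"
};
static const size_t sample_rule_count = 3;

/* Returns 1 if the rule matches the client address, 0 otherwise.
 * Malformed rules and malformed addresses never match (fail closed). */
static int rule_matches(const char *rule, const char *client)
{
    struct in_addr addr, net, mask;
    char buf[64];
    const char *slash = strchr(rule, '/');
    size_t len = strlen(rule);

    if (inet_pton(AF_INET, client, &addr) != 1)
        return 0;
    if (slash != NULL) {                       /* net/mask form */
        size_t nlen = (size_t)(slash - rule);
        if (nlen == 0 || nlen >= sizeof(buf))
            return 0;
        memcpy(buf, rule, nlen);
        buf[nlen] = '\0';
        if (inet_pton(AF_INET, buf, &net) != 1 ||
            inet_pton(AF_INET, slash + 1, &mask) != 1)
            return 0;
        return (addr.s_addr & mask.s_addr) == net.s_addr;
    }
    if (len > 0 && rule[len - 1] == '.') {     /* prefix form, e.g. "192.168.1." */
        /* Compare against the canonical text of the parsed address; the
         * trailing dot keeps "192.168.1." from matching 192.168.10.x. */
        if (inet_ntop(AF_INET, &addr, buf, sizeof(buf)) == NULL)
            return 0;
        return strncmp(buf, rule, len) == 0;
    }
    return inet_pton(AF_INET, rule, &net) == 1 && net.s_addr == addr.s_addr;
}

/* Default deny: the client is admitted only if some rule matches. */
int client_allowed(const char *client, const char *const rules[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(rules[i], client))
            return 1;
    return 0;
}

int main(void)
{
    const char *peers[] = { "192.168.1.77", "192.168.10.5", "172.20.5.9" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s %s\n", peers[i],
               client_allowed(peers[i], sample_rules, sample_rule_count) ? "accept" : "drop");
    return 0;
}
```

In a real wrapper the client string would come from the peer address of the accepted socket, never from anything the client sends.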
XXX: Cover IP address matching, subnet matching
What is common to most of these applications is that access control isn't just configured via a list of numeric IP addresses (which is plain inconvenient). The configuration file will also allow you to specify hostnames, and sometimes even domain names with wildcards in them.
This is where name resolution comes in, i.e. the mapping of hostnames to IP addresses and vice versa. In the next few sections, I will take a fairly close look at this and show why access control based on host names is dangerous in almost all circumstances.