Functionally, the difference is whether they have to connect and then log in before being dropped versus never even reaching the actual forums which has the potential to block the wrong people when the range in question covers more than just the offender.
I'm not sure how one method will block offenders whereas the other won't. If you only accept registered users, then either you accept them at the firewall level or the forum level; vice-versa for refusing them. If the range is applied at the firewall, it'll block just as many people as if the range were applied at the forum.
Basically if your criterion is matching IPs, you can do that equally well at the firewall as at the forum.
And if the criterion is matching against a known username/password (an SSH key is just another form of password after all) then the forum software is already doing that.
So I might be missing something, but I'm not seeing what we'd be able to do with this new thing that we can't already do.