Well, there's a feature request for auth/ident/tap daemons running on OSes
(if any) that can distinguish after-the-fact between connections that
originated locally and those that originated remotely. Assuming that
doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
check, if I had the time)...