A node creates its own NodeID. The NodeID will contain the node's IP address (as a uniqueness mechanism), but once created/authenticated the IP address is subsequently, generally ignored.
It also creates a private key and a public key. The public key is given along with the NodeID to the first parent node it adopts. That parent will then see if it has heard of that ID before and if it has it will see if the public key matches, if it doesn't then it's an impostor. If it does match then it will encrypt a random piece of data using the public key and challenge the node to decrypt it. If it decrypts then it's the genuine node, otherwise it's an impostor. If the parent hasn't come across that NodeID before (it will still check the public key works for safety) it will store the NodeID and public key and pass it up the hierarchy for authentication (either receiving "never heard of it, it's a new node", or "heard of it, it's ok", or "heard of it, but it's an impostor"). If two nodes try to create the same NodeID (one spoofing the same IP address) at the same time then it's a race condition (only one will succeed though).
A genuine node is interested in being unique and keeping its private key secret. An imposter node will try to have the same IP address, NodeID, and public key. It can only achieve this if it not only spoofs the IP address, but also figures out the same, or another private/public key combination with the same public key.
The NodeID+public key will race to the root of the hiearchy and establish the ability of the genuine node to demonstrate its authenticity. In the case of IP recycling there may be an occasion when an existing NodeID is used by accident. In this case the non-IP portion of the NodeID is adjusted, and it is tried again.
Authenticity relies on the node retaining its ability to identify itself. If it releases its private key then it allows any computer to claim to be that node. In the case when two or more computers (having different IP addresses) are able to demonstrate legitimacy then the NodeID is invalidated (by that node and its children only) and the claimants are invited to apply to the node's parent for adjudication. If at any time only one claimant remains (chooses to demonstrate legitimacy), they are permitted to reclaim the NodeID with a new public key. If it goes all the way up to the root then the root makes a choice as to which claimaint can submit a new public key (in favour of a node if it has a matching IP address, otherwise it probably has to be arbitrary). This system prevents easy invalidation of a NodeID, i.e. a NodeID can only be invalidated with the involvement of at least two nodes. And a NodeID can only have its public key changed by a node that can decrypt (knows the private key) and as long as it can refer to another node who has witnessed two different computers successfully and simultaneously decrypt (mustn't mistake the situation where a node simply suddenly changes its IP address).
In the case where a node is duplicated over one or more IP addresses (if such a thing can happen) then it may appear as if two computers are able to simultaneously claim the same NodeID. Either the NodeID is automatically invalidated or a user prompt might alert the user to a fault as opposed to a security leak. Either way, this should be a rare event.