It's not a daft question.
If it's PII and you don't have explicit, free consent for a legitimate business function you *usually* may not use that information.
This is, technically speaking, the law as it stands now. The only difference in this scenario is IP addresses have been explicitly identified as PII (Recital 30) whereas previously it was a theoretical argument based on a court judgement only applicable in certain scenarios.
There's also not a whole lot you can do. Most techniques that would mask any other data simply don't work on IP addresses. You can't hash them because there's only 4 billion possible values. You can't truncate them because then they're useless to you. More fundamentally pseudo-anonymised data (i.e. where there is a 1:1 mapping) cannot be considered anonymised due to the proven ease of reconstructing an identity from metadata.
Now, I did say consent is *usually* required. There are, as always, exemptions. In fact, obtaining consent is just one of six grounds for processing PII set out in Article 6(1) of GDPR. Option "F" is what is called the "legitimate interests" argument. Put simply, if your interest in processing the data is normal, expected and necessary to performing your normal business functions you do _not_ need to obtain specific consent. Monitoring your own internal infrastructure for unique users, DDoS attacks and so on is an obvious legitimate interest.
In contrast harvesting billions of page views for 3rd party AdTech applications (which are then resold to other 3rd parties) without the user ever knowing about it is a much, much trickier application to justify as it has nothing to do with the business the person is interacting with. Though there is a specific mention of "direct marketing" being acceptable, so this one stays firmly grey.