Addressing

At layer 2, Ethernet identifies devices using the burned-in address, better known as the MAC address. Each is a 6-byte (48-bit) identifier made up of two halves: the Organizationally Unique Identifier (OUI), which denotes the manufacturer of the device, and a vendor-assigned address. This arrangement should ensure that each device is uniquely identified. However, on some hardware the MAC address is programmable, which means that uniqueness is not globally guaranteed.
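To make the two halves concrete, here is an added example (not code from the book) that splits a MAC address into its OUI and vendor-assigned parts and decodes the two flag bits of the first octet, including the U/L bit that marks a locally administered (that is, software-programmed rather than burned-in) address. The sample inventory and the helper names are constructed for the example.

```python
import re

# Flag bits of the first octet, as defined in IEEE 802:
# bit 0 = I/G (individual/group): set on multicast destination addresses
# bit 1 = U/L (universal/local): set when the address was locally administered,
#         i.e. programmed in software rather than burned in under a registered OUI
IG_BIT = 0x01
UL_BIT = 0x02

_FORMATS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"   # aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"    # aabb.ccdd.eeff (Cisco style)
    r"|^[0-9a-f]{12}$"                        # aabbccddeeff
)


def parse_mac(text):
    """Return the six address bytes for any of the common textual MAC formats."""
    s = text.strip().lower()
    if not _FORMATS.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[^0-9a-f]", "", s))


def _fmt(chunk):
    return ":".join(f"{b:02x}" for b in chunk)


def describe_mac(text):
    """Split a MAC into OUI / vendor-assigned halves and decode the flag bits."""
    b = parse_mac(text)
    return {
        "oui": _fmt(b[:3]),                  # manufacturer-registered half
        "nic": _fmt(b[3:]),                  # vendor-assigned half
        "multicast": bool(b[0] & IG_BIT),
        "locally_administered": bool(b[0] & UL_BIT),
        "broadcast": b == b"\xff" * 6,
    }


def locally_administered(addresses):
    """Filter an inventory of learned MACs down to those with the U/L bit set.

    Such addresses were not burned in under a registered OUI. They may have been
    deliberately programmed, but they also appear legitimately on virtual machines
    and on clients using MAC randomisation, so treat the result as a lead to
    investigate rather than as proof of spoofing.
    """
    return [a for a in addresses if describe_mac(a)["locally_administered"]]


# Constructed sample inventory (hypothetical devices, not real captures)
SAMPLE_INVENTORY = [
    "00:1a:2b:3c:4d:5e",  # 0x00: U/L bit clear, globally unique
    "02:00:5e:00:00:01",  # 0x02: U/L bit set, locally administered
    "0a-1b-2c-3d-4e-5f",  # 0x0a: U/L bit set, locally administered
    "0c1b.2c3d.4e5f",     # 0x0c: U/L bit clear, globally unique
]

if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        print(a, describe_mac(a))
    print("locally administered:", locally_administered(SAMPLE_INVENTORY))
```

Note the caveat built into `locally_administered`: a programmed address can also copy a globally unique one, flag bit included, so the U/L bit catches only careless changes; it is an inventory hygiene check, not a spoofing detector on its own.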

Layer 2 addressing is only used within a logical (layer 3) network. This means that the lack of globally guaranteed uniqueness isn't normally a problem. The network administrators only need to ensure that there are no duplicates within the network.

One cybersecurity issue exists when data needs to leave the logical (layer 3) network. When this happens, devices need to identify the location of the default gateway. All data exiting the network passes through this device, and the device is identified by its MAC address. Because some devices have programmable MAC addresses, an attacker could change their device's MAC address (spoofing) to that of the default gateway interface so that all outgoing traffic is directed to the attacker's device instead of to the gateway. This could be used to gain unauthorized access to information (affecting confidentiality), or to deny access to other networks (affecting availability).
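The defender's counterpart to the gateway impersonation described above is to watch who claims the gateway's address. The following is an added example, not code from the book: it audits a stream of ARP reply observations against a pinned IP-to-MAC binding for the gateway and also flags any IP whose MAC changes between replies. The gateway address, the binding and the reply sequence are constructed placeholders; in practice the pinned value comes from the switch configuration or a verified inventory, and the observations from a packet capture.

```python
# Pinned IP-to-MAC bindings for the devices whose impersonation matters most.
# Constructed placeholder values: replace with the real gateway binding.
PINNED = {
    "192.0.2.1": "00:1a:2b:3c:4d:5e",   # default gateway interface
}

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
# Not a real capture; the entry at t=2.0 models a host answering for the gateway.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:1a:2b:3c:4d:5e"),
    (1.0, "192.0.2.10", "00:1a:2b:aa:bb:cc"),
    (2.0, "192.0.2.1", "02:11:22:33:44:55"),
    (3.0, "192.0.2.10", "00:1a:2b:aa:bb:cc"),
    (4.0, "192.0.2.1", "00:1a:2b:3c:4d:5e"),
]


def audit_arp(replies, pinned):
    """Walk ARP replies in order and return one alert per suspicious reply.

    Two checks are applied:
      pinned_mismatch: a pinned IP (such as the gateway) answers with a MAC
                       other than the one on record
      ip_mac_flip:     any IP whose MAC differs from the last one seen for it,
                       which also catches the gateway flapping back to normal
    """
    alerts = []
    last_seen = {}                      # ip -> most recent MAC observed
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = last_seen.get(ip)
        if ip in pinned and mac != pinned[ip].lower():
            alerts.append({"time": t, "kind": "pinned_mismatch", "ip": ip,
                           "expected": pinned[ip].lower(), "observed": mac})
        elif prev is not None and prev != mac:
            alerts.append({"time": t, "kind": "ip_mac_flip", "ip": ip,
                           "expected": prev, "observed": mac})
        last_seen[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_ARP_REPLIES, PINNED):
        print(alert)
```

Detection like this tells you a change happened after the fact; the mitigations that stop it are a static ARP entry for the gateway on hosts that matter, and Dynamic ARP Inspection (with DHCP snooping as its source of valid bindings) on managed switches, which drops ARP replies that contradict the known bindings before they reach other hosts.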

MAC address spoofing to impersonate existing devices is particularly problematic in wireless environments, where no physical access to the network is required. Wireless devices tend to make decisions based on signal strength and will therefore associate with the nearest device that appears to have legitimate credentials.

The other key issue with MAC addresses is that layer 2 network devices (that is, switches) must maintain a list of which MAC addresses are where. MAC addresses – being burned in at the point of manufacture – are not linked to a position in the network, and therefore cannot be guessed. Imagine trying to figure out the cell phone number of your neighbor. There is no relationship between their geographic location and their cell phone number. In order to contact them, you would need to keep a list (an address book). Network devices do the same kind of thing. Devices are asked to identify themselves using Address Resolution Protocol (ARP) broadcasts, and the results are stored in the MAC address table.

Spoofing the MAC addresses of non-existent devices could be used to pollute the MAC address table. If the MAC address table gets too large, processing time is affected, and in extremis the table could become so large as to deny service to legitimate users.
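To show why a bounded MAC address table turns this into a denial of service, and what the standard per-port limit does about it, here is an added example (not code from the book) that simulates a switch learning source addresses from a constructed frame sequence. The frames, port numbers and capacity figures are made up for the example; real switch tables hold thousands of entries, but the mechanics are the same.

```python
# Constructed frames: (ingress port, source MAC). Not a real capture.
LEGIT_FRAMES = [
    (1, "00:1a:2b:00:00:01"),
    (1, "00:1a:2b:00:00:02"),  # two hosts behind a desk switch on port 1
    (2, "00:1a:2b:00:00:03"),
    (1, "00:1a:2b:00:00:01"),  # repeat: refreshes the entry, adds nothing
]
FLOOD_FRAMES = [(3, f"02:00:00:00:00:{i:02x}") for i in range(20)]  # 20 fake sources on port 3
LATE_FRAMES = [(4, "00:1a:2b:00:00:04")]  # a legitimate host seen only after the flood
SAMPLE_FRAMES = LEGIT_FRAMES + FLOOD_FRAMES + LATE_FRAMES


def run_switch(frames, capacity, max_per_port=None):
    """Simulate source-address learning on a switch with a bounded MAC table.

    capacity:     total entries the table can hold (models the hardware limit)
    max_per_port: optional port-security style limit on distinct MACs per port;
                  a frame from a new MAC beyond the limit is dropped and counted
                  as a violation for that port
    Returns (table, violations_by_port, unlearned), where unlearned counts frames
    whose source could not be recorded because the table was already full. A
    switch that cannot learn a destination floods frames for it out of every
    port, which is the availability (and confidentiality) impact in the text.
    """
    table = {}        # mac -> port
    per_port = {}     # port -> number of entries learned on it
    violations = {}
    unlearned = 0
    for port, mac in frames:
        mac = mac.lower()
        old = table.get(mac)
        if old == port:
            continue                  # already known here: entry refreshed
        if old is not None:           # host moved: forget the old location first
            del table[mac]
            per_port[old] -= 1
        if max_per_port is not None and per_port.get(port, 0) >= max_per_port:
            violations[port] = violations.get(port, 0) + 1
            continue
        if len(table) >= capacity:
            unlearned += 1
            continue
        table[mac] = port
        per_port[port] = per_port.get(port, 0) + 1
    return table, violations, unlearned


if __name__ == "__main__":
    # Unprotected: the flood fills the table and the late host is never learned
    table, violations, unlearned = run_switch(SAMPLE_FRAMES, capacity=8)
    print("no limit   :", len(table), "entries,", unlearned, "unlearned,", violations)
    # With a per-port limit the flood is capped and the late host is learned normally
    table, violations, unlearned = run_switch(SAMPLE_FRAMES, capacity=8, max_per_port=3)
    print("limit of 3 :", len(table), "entries,", unlearned, "unlearned,", violations)
```

The `violations` map doubles as the detection signal: a single access port accumulating dozens of new source addresses is the signature of table pollution. On managed switches the same control is configured as port security with a maximum address count per port (for example `switchport port-security maximum 3` on Cisco IOS), with the violation action set to log or shut down the port.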
